The Keel authorization model andDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/quitohooded/keel-skills/llms.txt
Use this file to discover all available pages before exploring further.
AGENT_POLICY.md format are specified runtime-neutral in SPEC.md. Any implementation — an Agent SDK integration, a different harness, a CI gate, a pre-commit hook — can describe itself as Keel-compatible if it satisfies the Conformance section (§8 of the spec). The reference implementation is the Keel Skills plugin for Claude Code; other runtimes are actively encouraged.
Conformance requirements
An implementation is Keel-compatible if it satisfies all six of the following requirements from SPEC.md §8:- Reads
AGENT_POLICY.mdfrom the project root (or a path the user designates) and treats it as authoritative over the spec defaults. - Runs the four-step check (§3) before every action (§1) — every write, edit, commit, push, deploy, send, publish, charge, delete, or reconfigure.
- Treats every §4 default category as hot unless the policy concretely refines it. A vague refinement does not remove the default.
- Only lets a green light carry over through following-through when all four §5 conditions hold: no judgment needed, the decision states the scope, the change points back to the source decision, and the decision is still current. Miss one → needs a new green light.
- Never lets a subagent grant a green light (§6) if the implementation supports delegation. Permission always returns to the human.
- Resolves any doubt toward stopping and asking — the tie-breaker at every step of the four-step check is to treat the action as needing a green light.
Enforcing implementations (optional, stricter)
The conformance requirements above are satisfied by a reasoning implementation — one where the agent applies the four-step check itself. An implementation may additionally enforce the policy with deterministic code that intercepts actions before they run. SPEC.md §8.1 defines the requirements for an enforcing implementation:- Intercepts actions before they run and maps them to
allow/ask/deny, whereaskis the request for an explicit human-approval (a green light). - Treats the §4 defaults as hot even when no machine-readable block (§7.1) is present in
AGENT_POLICY.md. - In a non-interactive context (no human able to grant a green light), denies any action it would otherwise have asked about.
- Is understood to be a backstop, not a cage — it raises assurance against accident, drift, and hallucination, but cannot contain an adversarial agent. Real isolation (scoped credentials, sandboxing) is complementary, not replaced by enforcement.
PreToolUse hook (enforce-policy.cjs).
Spec version targeting
Implementations should declare which spec version they target. The current spec version is 0.2.SPEC.md uses MAJOR.MINOR versioning:
- A MINOR bump adds or clarifies requirements without breaking a conforming implementation. The 0.2 bump, for example, renamed the three permission levels (goal / method / green light) without changing how they work.
- A MAJOR bump may change required behavior and will require implementations to review their conformance.
How to get listed
If you build a Keel-compatible implementation for another runtime, open an issue on the GitHub repository so it can be listed in the README. Include the runtime or system it targets, the spec version it targets, and whether it is a reasoning implementation, an enforcing implementation, or both.SPEC.md is a draft (v0.2). If you encounter ambiguity or gaps while building an implementation, open an issue — real implementations are the best stress test of the spec.AGENT_POLICY.md format, see the Specification.