Policy examples

Protect secrets everywhere

termyte policy global add "Never allow agents to read .env files" --yes

Equivalent rule shape:

version: 1
presets: []
rules:
  - name: "block-env-file-access"
    action: block
    match:
      semantic_ids:
        - "secret.access"
      paths:
        - ".env"
        - ".env.*"

Review authentication and payment changes

termyte policy local add "Ask before touching auth or payments" --yes

Use this in repositories where those directories require owner review.

Block force pushes

termyte policy local add "Never allow force push" --yes

Or enable the built-in Git preset directly:

version: 1
presets:
  - "git-safe"
rules: []

Warn before publishing

termyte policy global add "Warn before npm publish" --yes

Block destructive database commands

termyte policy local add "Block destructive database commands" --yes

Ask before changing infrastructure paths

version: 1
presets:
  - "safe-default"
rules:
  - name: "ask-infrastructure-changes"
    description: "Require review for deployment and infrastructure files"
    action: ask
    match:
      paths:
        - ".github/workflows/**"
        - "terraform/**"
        - "k8s/**"
        - "Dockerfile"

Match semantic actions

version: 1
presets: []
rules:
  - name: "block-destructive-git-history"
    action: block
    match:
      semantic_ids:
        - "git.reset.*"
        - "git.clean.*"
        - "git.branch.delete.force"

Match exact command families

version: 1
presets: []
rules:
  - name: "ask-before-release"
    action: ask
    match:
      commands:
        - "npm publish"
        - "pnpm publish"
        - "yarn publish"

Test every policy change

termyte policy show
termyte policy test "git reset --hard HEAD~1"
termyte policy test "npm publish"
termyte policy test "cat .env"

Prefer semantic-ID rules for action families and path rules for repository ownership boundaries. Command matchers are most useful for a small, known set of exact command forms.
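To make the three matcher kinds concrete, here is a small evaluator I wrote against the rule shapes on this page; it is an added illustration, not termyte's own engine. It assumes the policy has already been loaded from YAML into a dict, that the runtime attaches a semantic ID (e.g. "git.reset.hard") and touched paths to each command before evaluation, that matcher kinds within one rule are ANDed while entries within a kind are ORed, and that the strictest verdict (block > ask > warn > allow) wins; the semantic IDs and paths in the sample events are constructed.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed policy mirroring the YAML rule shapes above, in already-loaded dict form.
POLICY = {
    "version": 1,
    "presets": [],
    "rules": [
        {"name": "block-env-file-access", "action": "block",
         "match": {"semantic_ids": ["secret.access"], "paths": [".env", ".env.*"]}},
        {"name": "ask-infrastructure-changes", "action": "ask",
         "match": {"paths": [".github/workflows/**", "terraform/**", "k8s/**", "Dockerfile"]}},
        {"name": "block-destructive-git-history", "action": "block",
         "match": {"semantic_ids": ["git.reset.*", "git.clean.*", "git.branch.delete.force"]}},
        {"name": "ask-before-release", "action": "ask",
         "match": {"commands": ["npm publish", "pnpm publish", "yarn publish"]}},
    ],
}

# Assumed precedence: when several rules match, the strictest verdict wins.
SEVERITY = {"block": 3, "ask": 2, "warn": 1, "allow": 0}

@dataclass
class Event:
    command: str                      # the raw command line being evaluated
    semantic_id: str = ""             # assumed runtime classification, e.g. "git.reset.hard"
    paths: list = field(default_factory=list)  # repository paths the command touches

def rule_matches(match, event):
    """Every matcher kind listed in the rule must hit (AND across kinds, OR within a kind)."""
    checks = []
    if "semantic_ids" in match:
        checks.append(any(fnmatch.fnmatchcase(event.semantic_id, p) for p in match["semantic_ids"]))
    if "paths" in match:
        checks.append(any(fnmatch.fnmatchcase(path, p) for p in match["paths"] for path in event.paths))
    if "commands" in match:
        # Exact command family: the command itself or the command followed by further arguments.
        checks.append(any(event.command == c or event.command.startswith(c + " ") for c in match["commands"]))
    return bool(checks) and all(checks)

def evaluate(policy, event):
    """Return (action, rule_name); ('allow', None) when no rule matches."""
    verdict = ("allow", None)
    for rule in policy["rules"]:
        if rule_matches(rule["match"], event) and SEVERITY[rule["action"]] > SEVERITY[verdict[0]]:
            verdict = (rule["action"], rule["name"])
    return verdict

if __name__ == "__main__":
    for ev in (Event("cat .env", "secret.access", [".env"]), Event("git reset --hard HEAD~1", "git.reset.hard"),
               Event("npm publish", "package.publish"), Event("ls", "fs.list")):
        print(ev.command, "->", evaluate(POLICY, ev))
```

Run it with the same three commands the `termyte policy test` lines above exercise to see which rule produces each verdict.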