2026-02-02 · Authensor

SafeClaw Policy Recipe: Customer Support Agent

This policy is for AI agents handling customer support — answering questions from a knowledge base, looking up order status via API, and escalating complex issues. The agent can read knowledge base files and make requests to approved internal APIs. File system writes, shell commands, and unapproved network calls are blocked. Install SafeClaw with npx @authensor/safeclaw and paste this into safeclaw.config.yaml.

Use Case

A customer support agent answers customer inquiries by referencing FAQ documents, product guides, and policy pages stored in a knowledge base directory. It may also call internal APIs to check order status, account details, or ticket history. The risks: a support agent with broad access could leak internal documents, access customer PII beyond what the current query requires, make unauthorized API calls to modify accounts, or exfiltrate data through uncontrolled network requests. This policy restricts the agent to reading approved content and calling approved endpoints only.

The Policy

# safeclaw.config.yaml — Customer Support Agent
# For: Support chatbots, help desk agents, RAG-based Q&A systems
# Install: npx @authensor/safeclaw

version: "1.0"
agent: support-agent
defaultAction: deny

rules:
  # --- FILE READ RULES ---

  # Block reading any credential files
  - id: deny-read-env
    action: file_read
    target: "*/.env"
    decision: deny
    description: "Block reading environment files with API keys"

  # Block reading customer PII exports
  - id: deny-read-pii-exports
    action: file_read
    target: "/exports/"
    decision: deny
    description: "Block reading bulk customer data export files"

  # Block reading system files
  - id: deny-read-system
    action: file_read
    target: "/etc/**"
    decision: deny
    description: "Block reading system configuration"

  # Allow reading knowledge base articles
  - id: allow-read-kb
    action: file_read
    target: "./knowledge-base/**"
    decision: allow
    description: "Allow reading FAQ, product guides, policy docs"

  # Allow reading response templates
  - id: allow-read-templates
    action: file_read
    target: "./templates/**"
    decision: allow
    description: "Allow reading response template files"

  # Allow reading support procedures
  - id: allow-read-procedures
    action: file_read
    target: "./procedures/**"
    decision: allow
    description: "Allow reading escalation and troubleshooting procedures"

  # Allow reading product catalog
  - id: allow-read-catalog
    action: file_read
    target: "./catalog/**"
    decision: allow
    description: "Allow reading product information files"

  # --- FILE WRITE RULES ---

  # Block all file writes — support agents should not write files
  - id: deny-write-all
    action: file_write
    target: "**"
    decision: deny
    description: "Block all file system writes — support agent is read-only"

  # --- SHELL EXEC RULES ---

  # Block all shell execution
  - id: deny-shell-all
    action: shell_exec
    target: "*"
    decision: deny
    description: "Block all shell commands — no shell access for support"

  # --- NETWORK RULES ---

  # Allow internal order status API
  - id: allow-order-api
    action: network
    target: "https://api.internal.company.com/orders/*"
    decision: allow
    description: "Allow checking order status via internal API"

  # Allow internal account lookup API
  - id: allow-account-api
    action: network
    target: "https://api.internal.company.com/accounts/*"
    decision: allow
    description: "Allow looking up customer account details"

  # Allow internal ticket API
  - id: allow-ticket-api
    action: network
    target: "https://api.internal.company.com/tickets/*"
    decision: allow
    description: "Allow reading and creating support tickets"

  # Gate account modification API calls
  - id: gate-account-modify
    action: network
    target: "https://api.internal.company.com/accounts/*/modify"
    decision: require_approval
    description: "Require human approval to modify customer accounts"

  # Gate refund API calls
  - id: gate-refund-api
    action: network
    target: "https://api.internal.company.com/refunds/*"
    decision: require_approval
    description: "Require human approval to process refunds"

  # Gate escalation to external systems
  - id: gate-escalation
    action: network
    target: "https://api.internal.company.com/escalate/*"
    decision: require_approval
    description: "Require human approval for case escalation"

  # Block all other network access
  - id: deny-network-default
    action: network
    target: "*"
    decision: deny
    description: "Block all external and unapproved network requests"

What This Policy Allows

Reading files under ./knowledge-base/, ./templates/, ./procedures/ and ./catalog/, and calls to the internal order, account and ticket APIs (https://api.internal.company.com/orders/*, /accounts/* and /tickets/*).

What This Policy Blocks

Reading .env files, bulk customer data exports under /exports/ and system configuration under /etc/; every file write; every shell command; and any network request that no allow or approval rule matches (defaultAction: deny, backed by the deny-network-default catch-all).

What Requires Approval

Calls to the account modification endpoint (accounts/*/modify), the refunds API and the escalation endpoint each pause for a human decision before they proceed.

Customization Guide

  1. Replace internal API domains. Update https://api.internal.company.com/ with your actual internal API base URL. If your services use different domains (e.g., separate order and account services), add individual allow rules for each.
  2. Add knowledge base paths. If your knowledge base is stored in a database rather than files, remove the file_read allow rules and add network allow rules for your knowledge base API endpoint. If it spans multiple directories, add allow rules for each path.
  3. Adjust the approval gates. You may want to allow low-value refunds automatically (e.g., under $10) by adding a more specific allow rule above the gate rule. Or you may want to gate all ticket creation, not just escalation: move the ticket API rule from allow to require_approval.

Example Session

1. ALLOW — Agent reads a knowledge base article:

{
  "actionType": "file_read",
  "target": "./knowledge-base/returns/return-policy.md",
  "agentId": "support-agent",
  "decision": "ALLOW",
  "rule": "allow-read-kb",
  "evaluationTime": "0.3ms"
}

2. ALLOW — Agent checks order status:

{
  "actionType": "network",
  "target": "https://api.internal.company.com/orders/ORD-98321",
  "agentId": "support-agent",
  "decision": "ALLOW",
  "rule": "allow-order-api",
  "evaluationTime": "0.2ms"
}

3. REQUIRE_APPROVAL — Agent attempts to issue a refund:

{
  "actionType": "network",
  "target": "https://api.internal.company.com/refunds/create",
  "agentId": "support-agent",
  "decision": "REQUIRE_APPROVAL",
  "rule": "gate-refund-api",
  "evaluationTime": "0.3ms"
}

4. DENY — Agent attempts to write a file:

{
  "actionType": "file_write",
  "target": "./customer_notes.txt",
  "agentId": "support-agent",
  "decision": "DENY",
  "rule": "deny-write-all",
  "evaluationTime": "0.2ms"
}

5. DENY — Agent attempts to call an external API:

{
  "actionType": "network",
  "target": "https://external-crm.com/api/export",
  "agentId": "support-agent",
  "decision": "DENY",
  "rule": "deny-network-default",
  "evaluationTime": "0.2ms"
}

All evaluations are recorded in SafeClaw's tamper-proof audit trail (SHA-256 hash chain). SafeClaw evaluates policies in sub-millisecond time, adding no perceptible latency to customer interactions. Use simulation mode to validate behavior before enforcing. The client is 100% open source (MIT license) with zero third-party dependencies, backed by 446 tests in TypeScript strict mode. Get started at safeclaw.onrender.com with a free tier key (7-day renewable, no credit card).
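To check rule ordering before switching from simulation to enforcement, here is a small first-match-wins simulator over a subset of the rules above (an added example, not SafeClaw's own evaluator; whether a single "*" in a target spans "/" is an assumption, and the catch-all target "*" rules in the session log only work if it does). Under that assumption it reproduces the five decisions above and also shows that the earlier accounts/* allow rule matches accounts/<id>/modify before the gate rule does, which is worth confirming against SafeClaw's actual matcher.

```python
import re

# Constructed subset of the page's policy, kept in the page's order. Evaluation is
# assumed to be first-match-wins with defaultAction as the fallback (an assumption).
DEFAULT_ACTION = "deny"
API = "https://api.internal.company.com"
RULES = [  # (id, action, target glob, decision)
    ("deny-read-env", "file_read", "*/.env", "deny"),
    ("deny-read-system", "file_read", "/etc/**", "deny"),
    ("allow-read-kb", "file_read", "./knowledge-base/**", "allow"),
    ("deny-write-all", "file_write", "**", "deny"),
    ("deny-shell-all", "shell_exec", "*", "deny"),
    ("allow-order-api", "network", API + "/orders/*", "allow"),
    ("allow-account-api", "network", API + "/accounts/*", "allow"),
    ("gate-account-modify", "network", API + "/accounts/*/modify", "require_approval"),
    ("gate-refund-api", "network", API + "/refunds/*", "require_approval"),
    ("deny-network-default", "network", "*", "deny"),
]

def glob_to_regex(pattern, star_spans_slash=True):
    """'**' always spans '/'. Whether a single '*' also spans '/' is an assumed
    semantic; flip star_spans_slash to see how the same policy behaves either way."""
    star = ".*" if star_spans_slash else "[^/]*"
    parts = re.split(r"(\*\*|\*)", pattern)  # keeps the wildcards as separate parts
    body = "".join(".*" if p == "**" else star if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def evaluate(action, target, rules=RULES, **kw):
    """Decision for one agent action: (decision, rule_id) of the first rule whose
    action type and target glob both match, else (defaultAction, None)."""
    for rule_id, rule_action, glob, decision in rules:
        if rule_action == action and glob_to_regex(glob, **kw).match(target):
            return decision, rule_id
    return DEFAULT_ACTION, None

def simulate(session, **kw):
    """Simulation mode: decide a list of (action, target) pairs without enforcing."""
    return [evaluate(a, t, **kw) for a, t in session]

def shadowed(probes, **kw):
    """Ordering check: probes are (action, target, expected_rule_id); returns
    (target, expected, actual) for every probe decided by a different rule."""
    decided = [(t, exp, evaluate(a, t, **kw)[1]) for a, t, exp in probes]
    return [hit for hit in decided if hit[1] != hit[2]]
```

Feed shadowed() one probe per require_approval rule; any hit means a broader rule listed earlier is deciding that target, so move the gate above it or narrow the earlier target.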

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw