SafeClaw Policy Recipe: Multi-Agent System
This policy is for systems running multiple cooperating AI agents — an orchestrator that delegates tasks to specialized worker agents. Each agent gets its own policy scope with different permissions. The orchestrator can coordinate but not execute directly. Workers are confined to their specific roles. All agents share a single tamper-proof audit trail. Install SafeClaw with npx @authensor/safeclaw and paste this into safeclaw.config.yaml.
Use Case
A multi-agent system (built with CrewAI, AutoGen, LangGraph, or a custom framework) consists of an orchestrator agent that plans and delegates, plus specialized workers: a coder, a researcher, and a reviewer. The orchestrator should coordinate tasks but never directly access the file system or execute commands. The coder writes code. The researcher browses the web. The reviewer reads code but does not modify it. Without per-agent isolation every agent effectively runs with the union of all permissions, so a single compromised worker (the researcher, which ingests untrusted web content, is the obvious entry point) could read credentials, modify source, or run commands on behalf of the whole system. SafeClaw's agent identity matching enforces a distinct permission boundary for each agent, so a compromise stays confined to that agent's scope.
The Policy
# safeclaw.config.yaml — Multi-Agent System
# For: CrewAI, AutoGen, LangGraph, custom orchestrated agents
# Install: npx @authensor/safeclaw
version: "1.0"
agent: multi-agent-system
defaultAction: deny
rules:
  # ==============================================================
  # ORCHESTRATOR AGENT RULES
  # The orchestrator coordinates tasks. It should NOT directly
  # access files, execute commands, or make network requests.
  # ==============================================================
  # Block orchestrator from all file reads
  - id: orch-deny-file-read
    action: file_read
    target: "**"
    agent: orchestrator
    decision: deny
    description: "Orchestrator cannot read files — delegates to workers"
  # Block orchestrator from all file writes
  - id: orch-deny-file-write
    action: file_write
    target: "**"
    agent: orchestrator
    decision: deny
    description: "Orchestrator cannot write files — delegates to workers"
  # Block orchestrator from shell execution
  - id: orch-deny-shell
    action: shell_exec
    target: "*"
    agent: orchestrator
    decision: deny
    description: "Orchestrator cannot execute shell commands"
  # Allow orchestrator to call the internal coordination API only
  # (listed before the broad network deny: first match wins)
  - id: orch-allow-coordination-api
    action: network
    target: "https://localhost:*/api/tasks/*"
    agent: orchestrator
    decision: allow
    description: "Orchestrator can dispatch tasks via internal API"
  # Block orchestrator from all other network access
  - id: orch-deny-network
    action: network
    target: "*"
    agent: orchestrator
    decision: deny
    description: "Orchestrator cannot make external network requests"
  # ==============================================================
  # CODER AGENT RULES
  # The coder writes and tests code within the project directory.
  # ==============================================================
  # Block coder from reading credentials (.env at any depth, root included)
  - id: coder-deny-read-env
    action: file_read
    target: "**/.env"
    agent: coder
    decision: deny
    description: "Coder cannot read environment secret files"
  # Block coder from reading SSH keys
  - id: coder-deny-read-ssh
    action: file_read
    target: "~/.ssh/**"
    agent: coder
    decision: deny
    description: "Coder cannot read SSH credentials"
  # Allow coder to read source code
  - id: coder-allow-read-src
    action: file_read
    target: "./src/**"
    agent: coder
    decision: allow
    description: "Coder can read source files"
  # Allow coder to read tests
  - id: coder-allow-read-tests
    action: file_read
    target: "./tests/**"
    agent: coder
    decision: allow
    description: "Coder can read test files"
  # Allow coder to read project config
  - id: coder-allow-read-config
    action: file_read
    target: "./*.{json,yaml,yml,toml}"
    agent: coder
    decision: allow
    description: "Coder can read project configuration"
  # Allow coder to write source code
  - id: coder-allow-write-src
    action: file_write
    target: "./src/**"
    agent: coder
    decision: allow
    description: "Coder can write source files"
  # Allow coder to write tests
  - id: coder-allow-write-tests
    action: file_write
    target: "./tests/**"
    agent: coder
    decision: allow
    description: "Coder can write test files"
  # Block coder from writing outside src/ and tests/
  - id: coder-deny-write-other
    action: file_write
    target: "**"
    agent: coder
    decision: deny
    description: "Coder cannot write outside src/ and tests/"
  # Allow coder to run tests
  - id: coder-allow-test
    action: shell_exec
    target: "{npm,yarn,pnpm} test*"
    agent: coder
    decision: allow
    description: "Coder can run test suites"
  # Allow coder to run build
  - id: coder-allow-build
    action: shell_exec
    target: "{npm,yarn,pnpm} run build*"
    agent: coder
    decision: allow
    description: "Coder can run builds"
  # Block coder from other shell commands
  - id: coder-deny-shell-other
    action: shell_exec
    target: "*"
    agent: coder
    decision: deny
    description: "Coder cannot run other shell commands"
  # Block coder from network access
  - id: coder-deny-network
    action: network
    target: "*"
    agent: coder
    decision: deny
    description: "Coder has no network access"
  # ==============================================================
  # RESEARCHER AGENT RULES
  # The researcher browses the web and writes notes. No file system
  # writes outside notes/, no shell access.
  # ==============================================================
  # Allow researcher to read research notes
  - id: researcher-allow-read-notes
    action: file_read
    target: "./notes/**"
    agent: researcher
    decision: allow
    description: "Researcher can read existing notes"
  # Allow researcher to read research prompts
  - id: researcher-allow-read-prompts
    action: file_read
    target: "./prompts/**"
    agent: researcher
    decision: allow
    description: "Researcher can read task prompts"
  # Block researcher from reading source code
  - id: researcher-deny-read-src
    action: file_read
    target: "./src/**"
    agent: researcher
    decision: deny
    description: "Researcher cannot read application source code"
  # Block researcher from reading credentials
  - id: researcher-deny-read-env
    action: file_read
    target: "**/.env"
    agent: researcher
    decision: deny
    description: "Researcher cannot read environment files"
  # Allow researcher to write notes
  - id: researcher-allow-write-notes
    action: file_write
    target: "./notes/**"
    agent: researcher
    decision: allow
    description: "Researcher can write research notes"
  # Block researcher from all other writes
  - id: researcher-deny-write-other
    action: file_write
    target: "**"
    agent: researcher
    decision: deny
    description: "Researcher cannot write outside notes/"
  # Block researcher from shell execution
  - id: researcher-deny-shell
    action: shell_exec
    target: "*"
    agent: researcher
    decision: deny
    description: "Researcher cannot execute shell commands"
  # Allow researcher to fetch approved web sources
  - id: researcher-allow-wikipedia
    action: network
    target: "https://*.wikipedia.org/*"
    agent: researcher
    decision: allow
    description: "Researcher can fetch Wikipedia"
  # Allow researcher to fetch arXiv
  - id: researcher-allow-arxiv
    action: network
    target: "https://arxiv.org/*"
    agent: researcher
    decision: allow
    description: "Researcher can fetch arXiv papers"
  # Gate researcher on unknown HTTPS domains
  - id: researcher-gate-unknown
    action: network
    target: "https://*"
    agent: researcher
    decision: require_approval
    description: "Researcher needs approval for unlisted domains"
  # Block researcher non-HTTPS
  - id: researcher-deny-http
    action: network
    target: "http://*"
    agent: researcher
    decision: deny
    description: "Researcher cannot use insecure HTTP"
  # ==============================================================
  # REVIEWER AGENT RULES
  # The reviewer reads code and writes review comments only.
  # ==============================================================
  # Allow reviewer to read all source code
  - id: reviewer-allow-read-src
    action: file_read
    target: "./src/**"
    agent: reviewer
    decision: allow
    description: "Reviewer can read source code"
  # Allow reviewer to read tests
  - id: reviewer-allow-read-tests
    action: file_read
    target: "./tests/**"
    agent: reviewer
    decision: allow
    description: "Reviewer can read test files"
  # Block reviewer from reading credentials
  - id: reviewer-deny-read-env
    action: file_read
    target: "**/.env"
    agent: reviewer
    decision: deny
    description: "Reviewer cannot read environment files"
  # Allow reviewer to write review output only
  - id: reviewer-allow-write-reviews
    action: file_write
    target: "./reviews/**"
    agent: reviewer
    decision: allow
    description: "Reviewer can write review comments"
  # Block reviewer from all other writes
  - id: reviewer-deny-write-other
    action: file_write
    target: "**"
    agent: reviewer
    decision: deny
    description: "Reviewer cannot modify source or test files"
  # Block reviewer from shell execution
  - id: reviewer-deny-shell
    action: shell_exec
    target: "*"
    agent: reviewer
    decision: deny
    description: "Reviewer cannot execute shell commands"
  # Allow reviewer to post to GitHub API
  - id: reviewer-allow-github
    action: network
    target: "https://api.github.com/*"
    agent: reviewer
    decision: allow
    description: "Reviewer can post PR review comments"
  # Block reviewer from other network
  - id: reviewer-deny-network
    action: network
    target: "*"
    agent: reviewer
    decision: deny
    description: "Reviewer has no other network access"
What This Policy Allows
- Orchestrator: Internal coordination API calls only
- Coder: Read/write source and tests, run test and build commands
- Researcher: Read notes and prompts, write notes, fetch Wikipedia and arXiv
- Reviewer: Read source and tests, write review comments, post to GitHub API
- All agents share a single tamper-proof audit trail for complete traceability
What This Policy Blocks
- Orchestrator: All file access, all shell commands, all external network
- Coder: Credential reads, network access, shell commands beyond test/build (note that the permitted test command executes whatever test files the coder itself wrote, so treat the test runner process as coder-controlled code and confine it at the OS level as well if the coder must not reach the network)
- Researcher: Source code access, shell commands, non-HTTPS requests
- Reviewer: All file writes except reviews, all shell commands, all non-GitHub network
- No agent can write into another agent's output directory (src/ and tests/ for the coder, notes/ for the researcher, reviews/ for the reviewer)
What Requires Approval
- Researcher fetching HTTPS pages from domains not in the allow list
- All approvals appear in the SafeClaw dashboard at safeclaw.onrender.com
- Add require_approval rules for any agent's operations that need human oversight
Customization Guide
- Add more worker agents. To add a "deployer" agent, add a new section of rules with agent: deployer that gates deployment commands with require_approval and denies everything else. Each agent identity string must match what your framework passes to SafeClaw.
- Configure the agent identity mapping. In CrewAI, set each agent's agentId in the SafeClaw integration to match the agent field in these rules. In AutoGen, pass the agent name as the identity string. In LangGraph, use the node name.
- Adjust the shared vs isolated boundaries. If you want the coder and reviewer to share read access to a ./shared/ directory, add read-allow rules for both agents targeting ./shared/**. If agents should not see each other's output, keep write directories separate (as configured above).
Example Session
1. DENY — Orchestrator tries to read a file directly:
{
"actionType": "file_read",
"target": "./src/index.ts",
"agentId": "orchestrator",
"decision": "DENY",
"rule": "orch-deny-file-read",
"evaluationTime": "0.2ms"
}
2. ALLOW — Coder writes a new module:
{
"actionType": "file_write",
"target": "./src/services/auth.ts",
"agentId": "coder",
"decision": "ALLOW",
"rule": "coder-allow-write-src",
"evaluationTime": "0.3ms"
}
3. ALLOW — Researcher fetches a Wikipedia article:
{
"actionType": "network",
"target": "https://en.wikipedia.org/wiki/OAuth",
"agentId": "researcher",
"decision": "ALLOW",
"rule": "researcher-allow-wikipedia",
"evaluationTime": "0.3ms"
}
4. DENY — Researcher tries to write to source code:
{
"actionType": "file_write",
"target": "./src/services/auth.ts",
"agentId": "researcher",
"decision": "DENY",
"rule": "researcher-deny-write-other",
"evaluationTime": "0.2ms"
}
5. ALLOW — Reviewer posts a review comment to GitHub:
{
"actionType": "network",
"target": "https://api.github.com/repos/org/repo/pulls/87/reviews",
"agentId": "reviewer",
"decision": "ALLOW",
"rule": "reviewer-allow-github",
"evaluationTime": "0.3ms"
}
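The five decisions above can be reproduced with a small first-match-wins evaluator. This is an added example written for this page, not SafeClaw's own code: it assumes a simplified glob dialect (`*` and `**` both match any run of characters, `{a,b}` is alternation) and uses a constructed subset of the recipe's rules, kept in the recipe's order. It also shows why ordering matters (the orchestrator's coordination-API allow becomes dead code if the broad network deny is moved above it) and that an agent identity with no rules at all falls through to the default deny.

```typescript
// Added example: a minimal first-match-wins policy evaluator modelled on the
// semantics this page describes (deny by default, agent identity matching).
// This is NOT SafeClaw's own code. Assumption: a simplified glob dialect in
// which "*" and "**" both match any run of characters and "{a,b}" is alternation.

type Decision = "allow" | "deny" | "require_approval";

interface Rule {
  id: string;
  action: string;    // file_read | file_write | shell_exec | network
  target: string;    // glob over a path, command line or URL
  agent: string;     // identity string the framework passes to the gate
  decision: Decision;
}

interface AgentAction { actionType: string; target: string; agentId: string }

interface Verdict { decision: "ALLOW" | "DENY" | "REQUIRE_APPROVAL"; rule: string | null }

// Compile a target glob into an anchored RegExp (simplified dialect, see above).
function globToRegExp(glob: string): RegExp {
  let re = "^";
  let depth = 0;
  for (const ch of glob) {
    if (ch === "*") re += ".*";
    else if (ch === "{") { depth++; re += "(?:"; }
    else if (ch === "}" && depth > 0) { depth--; re += ")"; }
    else if (ch === "," && depth > 0) re += "|";
    else re += ch.replace(/[.+?^$()|[\]\\]/g, "\\$&");
  }
  return new RegExp(re + "$");
}

// The first rule for this agent whose action type and target glob match wins;
// no match means DENY with no rule, which is what defaultAction: deny produces.
function evaluate(rules: Rule[], a: AgentAction): Verdict {
  for (const r of rules) {
    if (r.agent === a.agentId && r.action === a.actionType && globToRegExp(r.target).test(a.target)) {
      return { decision: r.decision.toUpperCase() as Verdict["decision"], rule: r.id };
    }
  }
  return { decision: "DENY", rule: null };
}

function verdictIs(v: Verdict, decision: Verdict["decision"], rule: string | null): boolean {
  return v.decision === decision && v.rule === rule;
}

// Constructed subset of the recipe above, kept in the recipe's order.
const POLICY: Rule[] = [
  { id: "orch-deny-file-read",          action: "file_read",  target: "**",                              agent: "orchestrator", decision: "deny" },
  { id: "orch-allow-coordination-api",  action: "network",    target: "https://localhost:*/api/tasks/*", agent: "orchestrator", decision: "allow" },
  { id: "orch-deny-network",            action: "network",    target: "*",                               agent: "orchestrator", decision: "deny" },
  { id: "coder-deny-read-env",          action: "file_read",  target: "**/.env",                         agent: "coder",        decision: "deny" },
  { id: "coder-allow-read-src",         action: "file_read",  target: "./src/**",                        agent: "coder",        decision: "allow" },
  { id: "coder-allow-write-src",        action: "file_write", target: "./src/**",                        agent: "coder",        decision: "allow" },
  { id: "coder-deny-write-other",       action: "file_write", target: "**",                              agent: "coder",        decision: "deny" },
  { id: "coder-allow-test",             action: "shell_exec", target: "{npm,yarn,pnpm} test*",           agent: "coder",        decision: "allow" },
  { id: "coder-deny-shell-other",       action: "shell_exec", target: "*",                               agent: "coder",        decision: "deny" },
  { id: "researcher-allow-write-notes", action: "file_write", target: "./notes/**",                      agent: "researcher",   decision: "allow" },
  { id: "researcher-deny-write-other",  action: "file_write", target: "**",                              agent: "researcher",   decision: "deny" },
  { id: "researcher-allow-wikipedia",   action: "network",    target: "https://*.wikipedia.org/*",       agent: "researcher",   decision: "allow" },
  { id: "researcher-gate-unknown",      action: "network",    target: "https://*",                       agent: "researcher",   decision: "require_approval" },
  { id: "researcher-deny-http",         action: "network",    target: "http://*",                        agent: "researcher",   decision: "deny" },
  { id: "reviewer-allow-github",        action: "network",    target: "https://api.github.com/*",        agent: "reviewer",     decision: "allow" },
  { id: "reviewer-deny-network",        action: "network",    target: "*",                               agent: "reviewer",     decision: "deny" },
];

// The same policy with the orchestrator's broad network deny moved above its
// narrow coordination-API allow: under first-match-wins the allow is dead code.
function misorderedPolicy(): Rule[] {
  return [...POLICY.slice(0, 1), ...POLICY.slice(2, 3), ...POLICY.slice(1, 2), ...POLICY.slice(3)];
}

// The page's five example-session actions plus an agent identity with no rules.
const SESSION: AgentAction[] = [
  { actionType: "file_read",  target: "./src/index.ts",                                         agentId: "orchestrator" },
  { actionType: "file_write", target: "./src/services/auth.ts",                                 agentId: "coder" },
  { actionType: "network",    target: "https://en.wikipedia.org/wiki/OAuth",                    agentId: "researcher" },
  { actionType: "file_write", target: "./src/services/auth.ts",                                 agentId: "researcher" },
  { actionType: "network",    target: "https://api.github.com/repos/org/repo/pulls/87/reviews", agentId: "reviewer" },
  { actionType: "file_read",  target: "./src/index.ts",                                         agentId: "deployer" },
];
for (const a of SESSION) console.log(a.agentId, a.actionType, a.target, "=>", evaluate(POLICY, a));
```

The `deployer` action at the end is the check worth keeping in mind when you add agents: an identity string that does not match any rule's `agent` field is not an error, it is simply denied everything, so a typo in the framework-side mapping shows up as a silent wall of DENY records in the audit trail rather than as a misconfiguration warning.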
All five actions above are recorded in a single tamper-proof audit trail (SHA-256 hash chain), giving complete visibility into which agent did what and when. SafeClaw uses a deny-by-default architecture with first-match-wins evaluation: any action not explicitly allowed for a specific agent is denied, and within one agent's rules the first rule whose action type and target match decides, so each agent's narrow allow rules must come before that agent's broad deny rules (as they do in this recipe). The 100% open source client (MIT license) runs with zero third-party dependencies and sub-millisecond evaluation time, verified across 446 tests in TypeScript strict mode. Set up at safeclaw.onrender.com with free tier keys (7-day renewable, no credit card).
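What a SHA-256 hash-chained audit trail buys you, and its one hard limit, in an added example (not SafeClaw's own record format, which this page does not specify; field names and the log entries are constructed from the session above): each record's hash commits to the previous record's hash, so editing any stored record, or re-hashing only that record, is caught on the next verification pass. A party who can rewrite every later record as well can still produce a consistent chain, which is why the latest hash has to be anchored somewhere the agents cannot write.

```typescript
// Added example: a minimal SHA-256 hash-chained audit log in the style of the
// "tamper-proof audit trail" described above. Not SafeClaw's own record format;
// field names and sample entries are constructed for illustration.
import { createHash } from "node:crypto";

interface AuditEntry {
  seq: number;
  agentId: string;
  actionType: string;
  target: string;
  decision: string;
  rule: string | null;
  prevHash: string;  // hash of the previous entry (GENESIS for the first)
  hash: string;      // SHA-256 over every field above, including prevHash
}

type EntryBody = Omit<AuditEntry, "hash">;
type EntryInput = Omit<AuditEntry, "seq" | "prevHash" | "hash">;

const GENESIS = "0".repeat(64);

// Hash a fixed field order so the digest does not depend on object key order.
function entryHash(e: EntryBody): string {
  const canonical = JSON.stringify([e.seq, e.agentId, e.actionType, e.target, e.decision, e.rule, e.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

function appendEntry(log: AuditEntry[], input: EntryInput): AuditEntry {
  const last = log[log.length - 1];
  const body: EntryBody = { seq: log.length, prevHash: last ? last.hash : GENESIS, ...input };
  const entry: AuditEntry = { ...body, hash: entryHash(body) };
  log.push(entry);
  return entry;
}

// Index of the first entry that fails (bad seq, broken link, or wrong hash); -1 if the chain verifies.
function verifyChain(log: AuditEntry[]): number {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (!e) return i;
    const { hash, ...body } = e;
    if (e.seq !== i || e.prevHash !== prev || entryHash(body) !== hash) return i;
    prev = hash;
  }
  return -1;
}

// The example session above, appended in order (constructed entries).
function buildSessionLog(): AuditEntry[] {
  const log: AuditEntry[] = [];
  appendEntry(log, { agentId: "orchestrator", actionType: "file_read",  target: "./src/index.ts",                                         decision: "DENY",  rule: "orch-deny-file-read" });
  appendEntry(log, { agentId: "coder",        actionType: "file_write", target: "./src/services/auth.ts",                                 decision: "ALLOW", rule: "coder-allow-write-src" });
  appendEntry(log, { agentId: "researcher",   actionType: "network",    target: "https://en.wikipedia.org/wiki/OAuth",                    decision: "ALLOW", rule: "researcher-allow-wikipedia" });
  appendEntry(log, { agentId: "researcher",   actionType: "file_write", target: "./src/services/auth.ts",                                 decision: "DENY",  rule: "researcher-deny-write-other" });
  appendEntry(log, { agentId: "reviewer",     actionType: "network",    target: "https://api.github.com/repos/org/repo/pulls/87/reviews", decision: "ALLOW", rule: "reviewer-allow-github" });
  return log;
}

// Three verification results: the intact log; entry 3 re-attributed to "coder"
// (caught at index 3); entry 3 re-attributed AND re-hashed (caught at index 4,
// because entry 4's prevHash no longer matches the rewritten entry 3).
function tamperDemo(): [number, number, number] {
  const log = buildSessionLog();
  const edited = log.map((e, i) => (i === 3 ? { ...e, agentId: "coder" } : e));
  const rehashed = edited.map((e, i) => (i === 3 ? { ...e, hash: entryHash(e) } : e));
  return [verifyChain(log), verifyChain(edited), verifyChain(rehashed)];
}

console.log(tamperDemo()); // [-1, 3, 4]
```

Verification only ever tells you that the stored chain is self-consistent. To detect an attacker who re-hashed the whole suffix, compare the last hash against a copy you recorded out of band (printed to an operator console, pushed to a write-once store, or simply noted at the end of each run) before trusting what the trail says an agent did.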
Cross-References
- Pattern: Per-Agent Isolation
- CrewAI Per-Agent Policies Guide
- Threat Model: Multi-Agent Lateral Movement
- Use Case: Multi-Agent CrewAI
- SafeClaw Policy Rule Syntax Reference
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw