← c16c16 / wf1 - Agent Control Plane (persona-partitioned) / Policy Enforcement·control-plane-v1-v1 · 2026-06-03 · draft
Qpoint
QP
Policy & Enforcementagent-as-actor · govern what agents can do

Engineering · Policy & Enforcement

Govern what agents are allowed to do — start by watching, then assist, then automate.

Every agent is a capable actor: it runs tools, reads files, calls models, and acts on its own. Policy here is about behavior and capability first — who may do what, with which approvals, under which ceilings.

Enforcement mode

Audit live · Assist/Enforce projected

Audit

Observe every action. Build the inventory and surface what a policy would catch — no intervention.

live now

Assist

Warn and prompt for human approval on high-impact actions. Humans stay in the loop.

projected

Automate

Block disallowed capabilities, off-policy tools, and over-budget runs automatically.

projected

Dry run — what an enforcing policy would have intervened on

computed from live telemetry · 0 actually blocked

Today we only observe. These are the behaviors and capabilities a policy in Enforce mode would have gated — led by what agents are allowed to do.

3

Ungoverned agents

Acting without any registered policy binding.

would: require registration before run

2

Agents running as root

A compromised prompt would inherit full host privilege.

would: drop to low-privilege account

1

--yolo / sandbox bypassed

Approvals and sandbox disabled — any action, no gate.

would: force approval + sandbox

5

No tool-approval policy

High-impact tool calls fire with no human in the loop.

would: gate high-impact tools

1

Unbounded consumption

data-pipeline burned 9.2M tokens with no per-agent ceiling.

would: cap spend per agent

6

Sensitive-file reads

Secret / credential paths pulled into agent context.

would: deny credential paths

Policies — capability & action first

Tool / MCP allow-list

projected

Scope which tools and MCP servers each agent may call. Anything off-list is denied — the core of capability control.

scope per agent

Human-in-the-loop approvals

projected

Gate high-impact actions — writes, deploys, external calls — behind an explicit human approval before they run.

gate high-impact actions

Per-agent spend ceiling

projected

Set a token / cost ceiling per agent and alert or halt when it is reached. Stops unbounded consumption.

cap per agent

Egress allow-list

detection live

Minor, supporting control: restrict which network destinations an agent may reach. Detection is live; blocking is not yet built.

detection live · blocking projected

Kill switch

roadmap

Immediately revoke an agent's credentials and halt its runs across the fleet — a single action to stop a misbehaving actor. Not yet built.

Fields: agents.governed · agents.factors · agents.user · findings (LLM10 Unbounded Consumption) · dlp.sensitive_paths — from app/data/c16-fleet.ts (qcontrol /api shape). Enforcement actions are projected; audit is live.