Policy / rules endpoints
For the write paths see the collector's agentfw.proxy. The cloud currently exposes read-only access to the policy as published by each collector.
GET /policy
The currently active policy bundle, with per-rule hit counts in the last window:
json
{
"name": "default",
"version": "2026-05-13T21:33",
"default_action": "deny",
"default_hit_count": 4,
"rules": [
{
"name": "log_all_llm_calls",
"action": "log",
"match": { "action": "llm_prompt" },
"enabled": true,
"description": "Observability — record every LLM call.",
"hit_count": 1842,
"last_match": 1715519998.2
},
...
]
}→ Authoritative rule writes still go through the collector's API: PUT /policy/rules/{name}, POST /policy/rules, DELETE /policy/rules/{name}, POST /policy/rules/reorder. See agentfw/proxy.py for the contract.