Status: IN
FTL2's policy engine provides complete pre-execution access control: enforcement runs before every module call with first-match-deny semantics, rules match on module/environment/host/parameter fields for granular control, and shell/command/raw modules are treated as policy-equivalent to prevent bypass through alternative command execution paths.