Status: IN
Policy rules match on `module`, `environment`, `host`, and `param.*` fields; a `PolicyDeniedError` is raised when a rule blocks an action.
Source: entries/2026/05/11/readme.md
# policy.yml
rules:
- name: deny-rm-in-prod
module: command
environment: production
param.cmd: "rm *"
action: deny
- name: allow-file-ops
module: file
host: "webservers"
action: allow