{"id":"policy-rules-match-fields","text":"Policy rules match on `module`, `environment`, `host`, and `param.*` fields; a `PolicyDeniedError` is raised when a rule blocks an action.","truth_value":"IN","source":"entries/2026/05/11/readme.md","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{"example":"# policy.yml\nrules:\n  - name: deny-rm-in-prod\n    module: command\n    environment: production\n    param.cmd: \"rm *\"\n    action: deny\n\n  - name: allow-file-ops\n    module: file\n    host: \"webservers\"\n    action: allow"},"explanation":{"steps":[{"node":"policy-rules-match-fields","truth_value":"IN","reason":"premise"}]}}