> ## Documentation Index
> Fetch the complete documentation index at: https://docs.charlemagnelabs.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Example Policies

> Ready-to-use policy templates for common organizational setups

## Global Baseline

A safe starting point for any org. Enables flow logging, sets DLP to warn mode, and tracks the most common URL categories.

```yaml theme={null}
# policies/global.yaml

- name: Global App Config
  type: app_config
  scope: global
  locked: false
  data:
    flow_logs_enabled: true
    suppress_frontend_ui: false
    telemetry_enabled: true

- name: Global Flow Config
  type: flow_config
  scope: global
  locked: false
  data:
    enabled: true
    categories:
      - SECURITY_BLOCK
      - BANKING
      - CRYPTO
      - EMAIL
      - SOCIAL_MEDIA
      - PRODUCTIVITY

- name: Global DLP
  type: dlp_config
  scope: global
  locked: false
  data:
    enabled: true
    targets:
      apply_to_all_apps: true
    detections:
      builtins: [credit_card, ssn_us, email, phone]
    actions:
      mode: warn
      allow_once_override: true
    ui:
      notify_on_warn: true
      toast_cooldown_sec: 30
```

***

## Finance Group — Strict DLP

Blocks paste of financial PII across all applications. Locked so devices cannot override locally.

```yaml theme={null}
# policies/finance.yaml

- name: Finance DLP
  type: dlp_config
  scope: group
  target: finance
  locked: true
  data:
    enabled: true
    targets:
      apply_to_all_apps: true
    detections:
      builtins: [credit_card, ssn_us, email, phone]
      custom_regex:
        - name: account_number
          pattern: '\b[0-9]{8,17}\b'
    actions:
      mode: block
      clear_clipboard_on_block: true
      allow_once_override: false
    ui:
      notify_on_block: true
      toast_cooldown_sec: 0
    slack_context:
      enabled: true
      categories: [external_shared, public_channel]
```

***

## Engineering Group — Relaxed DLP

Engineers paste tokens and keys legitimately. DLP warns instead of blocking, and developer tools are excluded from scanning.

```yaml theme={null}
# policies/engineering.yaml

- name: Engineering DLP
  type: dlp_config
  scope: group
  target: engineering
  locked: false
  data:
    enabled: true
    targets:
      apps_allowlist:
        - Terminal
        - iTerm2
        - Warp
        - Code
        - Cursor
        - Postman
        - TablePlus
    detections:
      builtins: [credit_card, ssn_us]
    actions:
      mode: warn
      allow_once_override: true
    ui:
      notify_on_warn: true
      toast_cooldown_sec: 60
```

***

## Restricted Group — Maximum Enforcement

For legal, HR, and executive roles with access to highly sensitive data. Blocks all PII with no override, including full Slack context coverage.

```yaml theme={null}
# policies/restricted.yaml

- name: Restricted DLP
  type: dlp_config
  scope: group
  target: restricted
  locked: true
  data:
    enabled: true
    targets:
      apply_to_all_apps: true
    detections:
      builtins: [credit_card, ssn_us, email, phone]
      custom_regex:
        - name: account_number
          pattern: '\b[0-9]{8,17}\b'
        - name: passport_number
          pattern: '[A-Z]{1,2}[0-9]{6,9}'
    actions:
      mode: block
      clear_clipboard_on_block: true
      allow_once_override: false
    ui:
      notify_on_block: true
      toast_cooldown_sec: 0
    slack_context:
      enabled: true
      categories:
        - public_channel
        - private_channel
        - external_shared
        - dm
        - group_dm
        - context_unavailable
```

***

## Silent / Stealth Mode

Deploy Agent Charley invisibly — no tray icon, no dashboard, no visible UI. Useful for security teams monitoring without alerting users.

```yaml theme={null}
# policies/stealth.yaml

- name: Stealth App Config
  type: app_config
  scope: global
  locked: true
  data:
    stealth_mode: true
    suppress_frontend_ui: true
    suppress_email_content_analysis: false
    flow_logs_enabled: true
    telemetry_enabled: true
```

***

## Full GitOps Setup

The recommended layout for a GitOps workflow:

```
charley/
├── groups.yaml
└── policies/
    ├── global.yaml
    ├── finance.yaml
    ├── engineering.yaml
    └── restricted.yaml
```

```yaml theme={null}
# charley/groups.yaml
- name: finance
  description: "Finance team"
  members:
    - finance-lead@yourcompany.com

- name: engineering
  description: "Engineering team"
  members:
    - eng-lead@yourcompany.com

- name: restricted
  description: "Legal, HR, executive"
  members:
    - legal@yourcompany.com
    - hr@yourcompany.com
```

```bash theme={null}
# Preview before merging to main
agent-charley-cli plan --file charley/policies/ --groups charley/groups.yaml

# Apply on merge
agent-charley-cli apply --file charley/policies/ --groups charley/groups.yaml --prune -y
```

```yaml theme={null}
# .github/workflows/agent-charley-cli.yml
name: Charley Policy

on:
  pull_request:
    paths: ['charley/**']
  push:
    branches: [main]
    paths: ['charley/**']

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: '3.12' }
      - run: pip install charley_policy-0.1.0-py3-none-any.whl
      - run: agent-charley-cli plan --file charley/policies/ --groups charley/groups.yaml
        env:
          CHARLEY_API_KEY: ${{ secrets.CHARLEY_API_KEY_RO }}

  apply:
    if: github.ref == 'refs/heads/main'
    needs: plan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: '3.12' }
      - run: pip install charley_policy-0.1.0-py3-none-any.whl
      - run: agent-charley-cli apply --file charley/policies/ --groups charley/groups.yaml --prune -y
        env:
          CHARLEY_API_KEY: ${{ secrets.CHARLEY_API_KEY }}
```

Use a `ck_ro_` (read-only) key for the plan job and a `ck_live_` (read-write) key for the apply job.
