Skip to main content

What is Policy as Code?

Policy as Code (PaC) lets you define Charley security policies in YAML files, store them in Git, and deploy them automatically through CI/CD — the same way teams manage infrastructure as code. Instead of clicking through the dashboard, you declare policies in files, preview diffs before applying, and have a full audit trail in git history.
charley/
├── groups.yaml
└── policies/
    ├── global.yaml      # org-wide baseline
    ├── finance.yaml     # finance group overrides
    └── engineering.yaml # engineering group overrides

Why Use It?

DashboardPolicy as Code
Point-and-click, immediateDeclared in code, reviewed in PRs
No audit trail beyond logsEvery change is a git commit
Per-session changesIdempotent apply — same input = same result
Manual rollbackgit revert to any prior state
Good for one-offsScales to hundreds of groups and devices

How It Works

The agent-charley-cli CLI (and Python SDK) communicate with the Charley API using an API key — separate from your dashboard login. On each run:
  1. Plan — fetch current server state, diff against local files, print what would change
  2. Apply — apply the diff, skipping unchanged policies
Policies are idempotent: running apply twice produces the same result as running it once.

Scope Hierarchy

Policies merge from broadest to most specific:
global (org-wide)  →  group  →  device
Only the fields you explicitly set in a narrower scope override the broader scope. Unset fields fall through.

Getting Started

Install & First Policy

Install the CLI and deploy your first policy in 5 minutes

API Keys

Create and manage API keys for the CLI and SDK

Policy Reference

Full reference for all policy types and fields

Examples

Ready-to-use templates for common setups

CI/CD Integration

The most common setup runs plan on pull requests and apply on merge to main:
# .github/workflows/charley.yml
on:
  pull_request:
    paths: ['charley/**']
  push:
    branches: [main]
    paths: ['charley/**']

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install charley_policy-0.1.0-py3-none-any.whl
      - run: agent-charley-cli plan --file charley/policies/ --groups charley/groups.yaml
        env:
          CHARLEY_API_KEY: ${{ secrets.CHARLEY_API_KEY_RO }}

  apply:
    if: github.ref == 'refs/heads/main'
    needs: plan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install charley_policy-0.1.0-py3-none-any.whl
      - run: agent-charley-cli apply --file charley/policies/ --groups charley/groups.yaml --prune -y
        env:
          CHARLEY_API_KEY: ${{ secrets.CHARLEY_API_KEY }}
Use a read_only key (ck_ro_...) for the plan step and a read_write key (ck_live_...) for the apply step.