Use Cases

1. Block dangerous shell commands

Scenario: Your OpenClaw agent can execute bash commands. You want to block destructive operations (rm -rf, shutdown, etc.) and require approval for others.

Simple policy:

  • Bash: Ask (every shell command needs approval)

  • File System: Allow (safe file operations)

Advanced YAML:

rules:
  - match:
      tool: bash
      params:
        command: "rm -rf|shutdown|reboot|mkfs|dd if="
    deny: true
    reason: "Destructive command blocked"
  - match:
      tool: bash
    require_approval: true
    reason: "Shell command requires approval"

2. Allow browsing, deny file writes

Scenario: Your agent browses the web for research but shouldn't write files.

Simple policy:

  • Browser: Allow

  • File System: Deny

  • Network: Allow

  • Bash: Deny

3. Require approval for payments

Scenario: Your agent processes Stripe payments. Any payment over $100 needs approval.

Advanced YAML:

rules:
  - match:
      tool: stripe
      op: charge
      amount_gt: 100
    require_approval: true
    risk: high
    reason: "Payment over $100 requires approval"
  - match:
      tool: stripe
      op: charge
    allow: true
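
Both rule sets above (use cases 1 and 3) put a specific rule ahead of a catch-all, so the outcome depends on rule order. The following is an added example, not Faramesh code: a small Python evaluator that replays the page's rules and reports rules made unreachable by ordering. It assumes first-match-wins evaluation, regex search on `command`, and deny for unmatched actions, none of which this page confirms; `matches`, `first_match`, `decide` and `shadowed` are hypothetical names.

```python
import re

# Rules transcribed from this page's YAML for use cases 1 and 3.
BASH_RULES = [
    {"match": {"tool": "bash", "params": {"command": "rm -rf|shutdown|reboot|mkfs|dd if="}},
     "deny": True},
    {"match": {"tool": "bash"}, "require_approval": True},
]
STRIPE_RULES = [
    {"match": {"tool": "stripe", "op": "charge", "amount_gt": 100},
     "require_approval": True},
    {"match": {"tool": "stripe", "op": "charge"}, "allow": True},
]
VERDICTS = {"deny": "deny", "require_approval": "ask", "allow": "allow"}  # rule field -> decision
# Constructed sample actions, not taken from a real audit export.
BASH_SAMPLES = [
    {"tool": "bash", "params": {"command": "rm -rf /var/lib/app"}},
    {"tool": "bash", "params": {"command": "ls -la"}},
]

def matches(match, action):
    """True if every condition in a rule's match block holds for the action."""
    for key, want in match.items():
        if key == "params":  # assumption: value is a regex searched in the argument
            args = action.get("params", {})
            if not all(re.search(rx, str(args.get(n, ""))) for n, rx in want.items()):
                return False
        elif key == "amount_gt":  # strict: an amount equal to the threshold does not match
            if not action.get("amount", 0) > want:
                return False
        elif action.get(key) != want:
            return False
    return True

def first_match(rules, action):
    """Index of the first rule matching the action, or None."""
    return next((i for i, r in enumerate(rules) if matches(r["match"], action)), None)

def decide(rules, action, default="deny"):
    """Assumption: first match wins; unmatched actions get `default`."""
    i = first_match(rules, action)
    rule = {} if i is None else rules[i]
    return next((v for f, v in VERDICTS.items() if rule.get(f)), default)

def shadowed(rules, samples):
    """Rule indexes that never decide any sample, e.g. a deny placed after a catch-all."""
    hit = {first_match(rules, a) for a in samples}
    return [i for i in range(len(rules)) if i not in hit]
```

Stripe's API expresses amounts in the smallest currency unit, so confirm which unit the `amount` field carries before relying on the 100 threshold.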

4. Different policies per agent

Scenario: You have a research agent that browses freely, and a deployment agent that needs strict controls.

Simple policies:

  • Research agent: Everything Allow except Bash (Ask)

  • Deployment agent: Everything Ask except Browser (Deny)

Set per-agent policies via the dashboard or API:

faramesh policy set bash allow --agent-id research-agent
faramesh policy set bash ask --agent-id deploy-agent
faramesh policy set browser deny --agent-id

5. Audit compliance

Scenario: You need a complete audit trail of every AI agent action for compliance.

Faramesh records every decision (allow, ask, and deny) with:

  • Timestamp

  • Agent ID

  • Tool name and parameters

  • Category

  • Decision and reason

  • Risk level

  • Runtime ID (which machine)

  • Policy version at the time of decision

Export via the dashboard (JSON/CSV) or query the API:

faramesh list --limit 1000 --json

6. Multi-machine fleet monitoring

Scenario: You have OpenClaw agents running on 5 VPS servers. You want to see all activity in one place.

Each plugin instance sends a runtime_id (hostname) with every action. The Fleet page in the dashboard shows all runtimes under your org account, with action counts and last-seen timestamps.
