Policy Guardrails

Your agent is fast. It reasons, calls tools, and responds without asking permission. That's the whole point.

But maybe it shouldn't have permission to do everything.

The problem with "we'll add safety later"

You won't. Nobody does. And when someone finally bolts on a content filter three sprints before launch, it runs as a second LLM call that doubles your latency and sometimes hallucinates its own violations. We've all seen it.

No shade. Okay, a little shade.

Swink Agent handles this differently. Policy guardrails are compiled into the agent loop itself. They run as native Rust code — not extra LLM calls, not a sidecar service, not a YAML file you'll forget to update. Every LLM call, every tool execution, every response passes through these gates before anything reaches the outside world.

How it actually works

The agent loop has four policy checkpoints. Each one can approve, modify, or halt the agent before the next stage runs. Think of them as bouncers at a very exclusive nightclub, except the nightclub is your production system.

Policy guardrails diagram showing four checkpoints wrapping the agent loop
Pre-Turn Guard: Before the AI starts thinking. Budget checks, turn limits, injection detection. The "should we even let this happen?" gate.
Pre-Dispatch Guard: Before a tool runs. Deny lists, sandboxing, path traversal checks. The "nice try" gate.
Post-Turn Guard: After the AI responds, before delivery. PII redaction, content filtering, loop detection. The "let me fix that for you" gate.
Post-Loop Guard: After everything's done. Checkpointing, audit logging. The "receipts" gate.

What's in the box

These ship with the framework. Enable what you need, ignore what you don't. Zero overhead when unused — we measured.

Policy | Checkpoint | What it does
Budget | Pre-Turn | Stops the agent when cost or tokens exceed your limit
Max Turns | Pre-Turn | Caps reasoning cycles so your agent doesn't monologue forever
Tool Deny List | Pre-Dispatch | Blocks specific tools. No, you may not call rm -rf
Sandbox | Pre-Dispatch | Restricts file access to approved directories. Path traversal? Denied
Loop Detection | Post-Turn | Catches the agent repeating itself in an existential spiral
Prompt Injection | Pre + Post | Detects attempts to override instructions. Both directions
PII Redactor | Post-Turn | Strips personally identifiable information before delivery
Content Filter | Post-Turn | Blocks responses matching prohibited patterns
Checkpoint | Post-Turn | Saves agent state after each turn for recovery and audit
Audit Logger | Post-Turn | Records everything. For compliance, or for when things get weird

The fine print (it's actually good)

Default-off: No policies run unless you say so. Zero overhead when unused. We respect your CPU.
Composable: Stack as many policies as you want at any checkpoint. If any one says stop, the agent stops. Democracy.
Isolated: A buggy policy can't crash your agent. Panics are caught and the policy is auto-removed. It fires itself.
Extensible: Write your own against the public trait. No forking required. We're not gatekeeping the gates.
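
An added sketch of the composable and isolated behaviour described above, at the pre-dispatch checkpoint with a sandbox check. It was written for this page and is not taken from Swink Agent's code: `Policy`, `Verdict`, `Sandbox`, `Buggy` and `run_checkpoint` are hypothetical names, and using `catch_unwind` for isolation is an assumption about one way to get that behaviour.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::path::{Component, Path, PathBuf};

// Hypothetical names for illustration; not Swink Agent's public trait.
#[derive(Debug, PartialEq)]
pub enum Verdict { Approve, Halt(String) }
pub trait Policy { fn pre_dispatch(&self, tool: &str, path: &Path) -> Verdict; }

/// Sandbox policy: the requested path must stay under `root`.
pub struct Sandbox { pub root: PathBuf }
impl Policy for Sandbox {
    fn pre_dispatch(&self, _tool: &str, path: &Path) -> Verdict {
        // Lexical normalisation only; symlinks under root are not resolved here.
        let mut clean = PathBuf::new();
        for c in self.root.join(path).components() {
            match c {
                Component::ParentDir => { clean.pop(); }
                Component::CurDir => {}
                other => clean.push(other.as_os_str()),
            }
        }
        if clean.starts_with(&self.root) { return Verdict::Approve; }
        Verdict::Halt(format!("{} escapes the sandbox", path.display()))
    }
}

/// Deliberately broken policy, used to show panic isolation.
pub struct Buggy;
impl Policy for Buggy {
    fn pre_dispatch(&self, _: &str, _: &Path) -> Verdict { panic!("policy bug") }
}

/// Runs the stack in order: the first Halt stops the agent; a panicking policy is dropped.
pub fn run_checkpoint(stack: &mut Vec<Box<dyn Policy>>, tool: &str, path: &Path) -> Verdict {
    let mut i = 0;
    while i < stack.len() {
        match catch_unwind(AssertUnwindSafe(|| stack[i].pre_dispatch(tool, path))) {
            Ok(Verdict::Approve) => i += 1,
            Ok(halt) => return halt,
            Err(_) => { stack.remove(i); } // isolate: drop the faulty policy, keep going
        }
    }
    Verdict::Approve
}

fn main() {
    let root = PathBuf::from("/srv/agent"); // constructed sample root
    let mut stack: Vec<Box<dyn Policy>> = vec![Box::new(Buggy), Box::new(Sandbox { root })];
    println!("{:?}", run_checkpoint(&mut stack, "read_file", Path::new("../../etc/passwd")));
}
```

A production sandbox would also resolve symlinks (for example with `std::fs::canonicalize`) before comparing against the approved root.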

The guardrails are built in. Ship with confidence.

github.com/SuperSwinkAI/Swink-Agent
