Get Started

Adding your first rule

Applies to: .NET SDK, Node.js SDK Last updated: 2026-06-11

Goal

Add a single authorisation rule and watch the SDK enforce it. Until you do this, your agent is in bootstrap mode and allows every message through.

Prerequisites

Step 1 — Check the current state

Before adding any rule, the SDK is in bootstrap mode:

// .NET
using HexaEight.Bridge;
using HexaEight.Bridge.Authorization;

var client = new Client();
Console.WriteLine($"Bootstrap mode: {client.Authorization.IsInBootstrapMode}");

Expected output:

Bootstrap mode: True

While bootstrap is true, every message is allowed regardless of who sent it.

Step 2 — Add an allow rule

Add a rule that allows anyone from example.com to send your agent a message:

// .NET
var policies = (CasbinAuthorizationProvider)client.Authorization;

await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      "*@example.com",
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

Step 3 — Verify bootstrap mode turned off

Console.WriteLine($"Bootstrap mode: {client.Authorization.IsInBootstrapMode}");
Bootstrap mode: False

Step 4 — Test that allowed senders get through

Encrypt a message from yourself to yourself. Because your own identity matches *@example.com (if you're using a test email-based identity) or doesn't match (if you're an agent identity), the result will differ:

// .NET
string envelope = await client.EncryptEnvelopeAsync(
    recipient: client.Name,
    body:      "test");

var msg = await client.DecryptEnvelopeAsync(envelope);
Console.WriteLine($"Authorized: {msg.Authorized}");
Console.WriteLine($"Body:       {msg.Body}");

If your identity matches the rule, output is:

Authorized: Allowed
Body:       test

If your identity does NOT match (e.g., you are an agent like web0-...), output is:

Authorized: Denied
Body:       redacted due to authorization enforcement

Step 5 — Add a rule for your own identity

If the previous step denied your message, add a second rule covering your actual identity:

// .NET
await policies.AddPolicyRuleAsync(new PolicyRule(
    Sender:      client.Name,        // your activated identity
    Destination: "self",
    Realm:       "default",
    Direction:   "inbound",
    Effect:      "allow"));

Now re-run the encrypt/decrypt round-trip. The message will be Allowed.

Where the rules are stored

Rules live in an encrypted file on disk — the bytes are HexaEight-encrypted under the agent's own SKey-derived ASK, so the file is unreadable to anything other than this agent identity. You will not see CSV rows by opening the file in a text editor; that is by design.

To inspect the rules at runtime, ask the provider directly:

foreach (var rule in policies.ListRules())
    Console.WriteLine(rule.ToCsv());

To modify rules, use the Bridge APIs — never edit the on-disk file:

The SDK persists every change atomically through the configured encryption func and reloads the in-memory enforcer.

Next steps

See also