Get Started
Adding your first rule
Goal
Add a single authorisation rule and watch the SDK enforce it. Until you do this, your agent is in bootstrap mode and allows every message through.
Prerequisites
- A working SDK installation (Installation)
- An activated identity (Activating an identity)
- The ability to send yourself an encrypted message (Your first encrypted message)
Step 1 — Check the current state
Before adding any rule, the SDK is in bootstrap mode:
// .NET
using HexaEight.Bridge;
using HexaEight.Bridge.Authorization;
var client = new Client();
Console.WriteLine($"Bootstrap mode: {client.Authorization.IsInBootstrapMode}"); Expected output:
Bootstrap mode: True While bootstrap is true, every message is allowed regardless of who sent it.
Step 2 — Add an allow rule
Add a rule that allows anyone from example.com to send your
agent a message:
// .NET
var policies = (CasbinAuthorizationProvider)client.Authorization;
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*@example.com",
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "allow")); Step 3 — Verify bootstrap mode turned off
Console.WriteLine($"Bootstrap mode: {client.Authorization.IsInBootstrapMode}"); Bootstrap mode: False Step 4 — Test that allowed senders get through
Encrypt a message from yourself to yourself. Because your own identity
matches *@example.com (if you're using a test email-based
identity) or doesn't match (if you're an agent identity), the result will
differ:
// .NET
string envelope = await client.EncryptEnvelopeAsync(
recipient: client.Name,
body: "test");
var msg = await client.DecryptEnvelopeAsync(envelope);
Console.WriteLine($"Authorized: {msg.Authorized}");
Console.WriteLine($"Body: {msg.Body}"); If your identity matches the rule, output is:
Authorized: Allowed
Body: test If your identity does NOT match (e.g., you are an agent like web0-...), output is:
Authorized: Denied
Body: redacted due to authorization enforcement Step 5 — Add a rule for your own identity
If the previous step denied your message, add a second rule covering your actual identity:
// .NET
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: client.Name, // your activated identity
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "allow")); Now re-run the encrypt/decrypt round-trip. The message will be Allowed.
Where the rules are stored
Rules live in an encrypted file on disk — the bytes are HexaEight-encrypted under the agent's own SKey-derived ASK, so the file is unreadable to anything other than this agent identity. You will not see CSV rows by opening the file in a text editor; that is by design.
To inspect the rules at runtime, ask the provider directly:
foreach (var rule in policies.ListRules())
Console.WriteLine(rule.ToCsv()); To modify rules, use the Bridge APIs — never edit the on-disk file:
AddPolicyRuleAsync(rule)— add a ruleRemovePolicyRuleAsync(rule)— remove a ruleImportEncryptedPolicyAsync(blob, sourceDecryptFn)— import a policy exported from another deployment of the same agent identity
The SDK persists every change atomically through the configured encryption func and reloads the in-memory enforcer.
Next steps
See also
- The authorization model Concept
- Allow a specific sender How-to
- Deny a specific sender How-to