AI makes mistakes! Undisk makes recovery instant: every write is versioned, every file is reversible.
See it heal →

What it does

Get, validate, or set the workspace policy. Use action ‘read’ to fetch path ACLs, size limits, extension rules, and rate limit rules. Use action ‘validate’ to preview whether a replace or merge update is valid without applying it. Use action ‘write’ to replace or incrementally merge-update rules. In merge mode (mode: ‘merge’), use add/remove fields to atomically modify individual rules without affecting the rest. Requires workspace owner access for ‘write’.

Parameters

ParameterTypeRequiredDescription
actionstringYesOperation: ‘read’ returns the current policy, ‘validate’ checks a proposed policy update without applying it, ‘write’ applies the update. Values: read, validate, write.
modestringNoUpdate mode for validate/write. ‘replace’ (default): replaces entire policy. ‘merge’: incrementally adds/removes rules via add and remove fields. Values: replace, merge.
pathAclsobject[]NoPath-based access control rules (used in replace mode, or within add/remove for merge mode). Each item: pattern (string, required), permission (string: read | read-write | append | none, required), agentId (string, optional).
sizeLimitsobject[]NoFile size limit rules. Each item: maxBytes (number, required).
extensionRulesobject[]NoFile extension rules. Each rule has allowed and/or denied arrays of extensions (include the dot, e.g. ‘.txt’). Each item: allowed (string[], optional), denied (string[], optional).
rateLimitsobject[]NoRate limiting rules. Each item: maxOps (number, required), windowSeconds (number, required), scope (string: agent | workspace, required).
secretScanningobjectNoSecret scanning config. In merge mode, fields provided here overwrite existing values. Fields: enabled (boolean, required), block (boolean, optional), allowPatterns (string[], optional).
addobjectNoRules to add (merge mode only). Fields: pathAcls (object[], optional), sizeLimits (object[], optional), extensionRules (object[], optional), rateLimits (object[], optional).
removeobjectNoRules to remove (merge mode only). Match by fields: pathAcls on pattern (+agentId), sizeLimits on maxBytes, rateLimits on scope+maxOps+windowSeconds. Fields: pathAcls (object[], optional), sizeLimits (object[], optional), extensionRules (object[], optional), rateLimits (object[], optional).