> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Policy-as-Code

> Define guardrail configurations in YAML and manage them with git

<Info>
  Policy-as-Code lets you define your PromptGuard guardrail configuration in YAML files, version them in git, and apply them via the CLI. This enables code review, audit trails, and reproducible deployments for your security policies.
</Info>

## Overview

Instead of configuring guardrails through the dashboard UI, define them declaratively:

```yaml theme={"system"}
# policy.yaml
guardrails:
  prompt_injection:
    level: strict
  pii_detection:
    level: strict
    mode: redact
  data_exfiltration:
    level: moderate
  toxicity:
    threshold: 0.7
  secret_key_detection:
    level: moderate
```

## CLI Commands

### Export Current Config

Fetch the live guardrail config and output as YAML:

```bash theme={"system"}
promptguard policy export --project-id proj_abc123 > policy.yaml
```

### Preview Changes

Compare a YAML file against the live config to see what would change:

```bash theme={"system"}
promptguard policy diff policy.yaml --project-id proj_abc123
```

Output:

```
Comparing policy.yaml against live config...

Differences:

  prompt_injection.level:
    - "moderate"
    + "strict"
  toxicity.threshold:
    - 0.8
    + 0.7
```

### Apply Changes

Apply a YAML policy file to update the live config:

```bash theme={"system"}
# Preview first
promptguard policy apply policy.yaml --project-id proj_abc123 --dry-run

# Apply for real
promptguard policy apply policy.yaml --project-id proj_abc123
```

## Validation

The CLI validates your YAML before applying:

* **Level fields** must be `strict`, `moderate`, or `permissive`
* **PII mode** must be `redact`, `mask`, or `block`
* **Toxicity threshold** must be a number between 0.0 and 1.0
* **YAML syntax** is validated before any API calls

Invalid policies are rejected with clear error messages:

```
Policy validation failed:
  guardrails.prompt_injection.level: Must be one of {"strict", "moderate", "permissive"}
  guardrails.toxicity.threshold: Must be a number between 0.0 and 1.0
```

## Workflow

### Development Workflow

```bash theme={"system"}
# 1. Export current config as baseline
promptguard policy export --project-id proj_abc > policy.yaml

# 2. Edit policy.yaml in your editor
# 3. Review changes
promptguard policy diff policy.yaml --project-id proj_abc

# 4. Commit to git
git add policy.yaml
git commit -m "Tighten injection detection to strict"

# 5. Apply in CI/CD or manually
promptguard policy apply policy.yaml --project-id proj_abc
```

### CI/CD Integration

Apply policies automatically on merge:

```yaml theme={"system"}
# .github/workflows/policy.yml
name: Apply Security Policy
on:
  push:
    branches: [main]
    paths: ['policy.yaml']

jobs:
  apply:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install CLI
        run: curl -fsSL https://get.promptguard.co/cli | bash
      - name: Apply policy
        run: promptguard policy apply policy.yaml --project-id ${{ secrets.PROJECT_ID }}
        env:
          PROMPTGUARD_API_KEY: ${{ secrets.PROMPTGUARD_API_KEY }}
```

## Best Practices

1. **Version everything**: Keep `policy.yaml` in git alongside your application code
2. **Code review policies**: Require PR approval for policy changes
3. **Diff before apply**: Always run `policy diff` before `policy apply`
4. **Use dry-run in CI**: Validate policies in CI before merging
5. **Environment-specific configs**: Maintain separate policy files for staging and production

## Next Steps

<CardGroup cols={2}>
  <Card title="CLI Reference" icon="terminal" href="/tools/cli">
    Full CLI command reference
  </Card>

  <Card title="Security Overview" icon="shield" href="/security/overview">
    All security capabilities
  </Card>
</CardGroup>
