Agent policies

Control which coding agents and auth routes members can use.

The agent policy is a single checklist, in Settings > Organization, that narrows what members are allowed to select for themselves.

What it controls

Two independent checklists:

  • Allowed routes: Native (the harness's own sign-in), API key, and Gateway.
  • Allowed harnesses: Claude Code, Codex, OpenCode, Gemini CLI, and Grok CLI. (Cursor doesn't appear here since it only ever uses its own sign-in, there's no route to restrict.)

Leaving every box checked means no restriction. Uncheck a route or harness to stop members from selecting it going forward.

Settings > Organization, Agent policy section

The Agent policy card: two checklist columns, 'Allowed routes' (Native, API key, Gateway) and 'Allowed harnesses' (Claude Code, Codex, OpenCode, Gemini CLI, Grok CLI), each item a checkbox, with a Save policy button below.

How it's enforced

This is flagged, not blocked. Members can still have a selection that doesn't match the current policy (usually because they set it up before the policy changed); Proliferate surfaces those as conflicts in a table right below the checklist, listing the member, harness, surface, and route that's out of policy, so an admin can follow up.

Settings > Organization, Agent policy conflicts table

A table titled Conflicts below the policy checklist, with Member, Harness, Surface, and Route columns listing member selections that fall outside the saved policy.

Warning:

Editing the agent policy requires the organization to be on a paid plan. Anyone can still view the current policy and the conflicts list.

Examples

  • Turn off the API key route so no one pastes personal provider keys into a shared organization.
  • Turn off every route except Gateway to force all model spend through Proliferate's managed budget.
  • Turn off a harness your organization hasn't approved yet.

Keep policies understandable. If a member can't tell why their selection is flagged, the policy is too opaque.

On this page