checkrd

Unreachable configuration

A configuration setting that can never take effect given the rest of the policy.

This warning fires when a top-level policy configuration is logically contradicted by the rules below it, making it impossible to ever take effect.

The most common case: a policy sets default: deny and includes deny rules, but has no allow rules at all. Every request is denied by either the deny rules or the default — no request can ever be allowed. The configuration is internally consistent but effectively locks the agent out of all outbound calls.

Example

yaml
agent: my-agent
default: deny # blocks everything not matched by a rule

rules:
  - name: deny-sensitive-apis
    deny:
      url: "*.internal.example.com/**"
# no allow rules — all outbound calls are blocked

Fix

Add explicit allow rules for the API endpoints your agent legitimately needs to reach. With default: deny, only traffic that matches an allow rule can proceed:

yaml
agent: my-agent
default: deny

rules:
  - name: deny-sensitive-apis
    deny:
      url: "*.internal.example.com/**"
  - name: allow-openai
    allow:
      method: [POST]
      url: "api.openai.com/v1/**"
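
A pre-deploy check for the deny-only condition described above, written as an added example; it is not checkrd's own code or the logic behind its warning. It assumes the policy has already been parsed into a dict, and the function name `unreachable_findings` and both sample dicts are hypothetical.

```python
# Constructed sample policies: the page's two YAML documents as they would look
# after parsing (for example with yaml.safe_load from PyYAML).
LOCKED_OUT = {
    "agent": "my-agent",
    "default": "deny",
    "rules": [
        {"name": "deny-sensitive-apis",
         "deny": {"url": "*.internal.example.com/**"}},
    ],
}
FIXED = {
    "agent": "my-agent",
    "default": "deny",
    "rules": LOCKED_OUT["rules"] + [
        {"name": "allow-openai",
         "allow": {"method": ["POST"], "url": "api.openai.com/v1/**"}},
    ],
}


def unreachable_findings(policy):
    """Return warning strings; an empty list means the check passed.

    Assumption taken from the page: with default: deny, a request proceeds
    only if it matches an allow rule.
    """
    if policy.get("default") != "deny":
        return []  # only the default: deny case is covered here
    # Tolerate a missing or null rules key and skip malformed entries.
    rules = [r for r in (policy.get("rules") or []) if isinstance(r, dict)]
    if any("allow" in r for r in rules):
        return []  # at least one request class can get through
    deny_names = [r.get("name", "<unnamed>") for r in rules if "deny" in r]
    detail = (f"deny rules {deny_names} add nothing to the default"
              if deny_names else "no rules are defined")
    agent = policy.get("agent", "<unknown>")
    return [f"{agent}: default is deny and no allow rule exists, "
            f"so every outbound call is blocked ({detail})"]


if __name__ == "__main__":
    for label, policy in (("locked-out", LOCKED_OUT), ("fixed", FIXED)):
        print(label, unreachable_findings(policy) or "ok")
```

Run in CI against each policy file, a non-empty result can fail the build before a locked-out agent is deployed.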