checkrd

Unreachable configuration

A configuration setting that can never take effect given the rest of the policy.

This warning fires when a top-level policy configuration is logically contradicted by the rules below it, making it impossible to ever take effect.

The most common case: a policy sets default: deny and includes deny rules, but has no allow rules at all. Every request is denied, either by a deny rule or by the default, so no request can ever be allowed. The configuration is internally consistent but effectively locks the agent out of all outbound calls.

Example

yaml
default: deny # blocks everything not matched by a rule

rules:
  - name: deny-sensitive-apis
    deny:
      url: "*.internal.example.com/**"
# no allow rules - all outbound calls are blocked

Fix

Add explicit allow rules for the API endpoints your agent legitimately needs to reach. With default: deny, only traffic that matches an allow rule can proceed:

yaml
default: deny

rules:
  - name: deny-sensitive-apis
    deny:
      url: "*.internal.example.com/**"
  - name: allow-openai
    allow:
      method: [POST]
      url: "api.openai.com/v1/**"
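
The check described above, as an added example (not checkrd's own code), run against the two policies from this page written as already-parsed dictionaries. The function names, the fnmatch-style glob matching, and the deny-before-allow evaluation order are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed: the page's two policies as they would look after YAML parsing.
BROKEN = {
    "default": "deny",
    "rules": [
        {"name": "deny-sensitive-apis",
         "deny": {"url": "*.internal.example.com/**"}},
    ],
}
FIXED = {
    "default": "deny",
    "rules": BROKEN["rules"] + [
        {"name": "allow-openai",
         "allow": {"method": ["POST"], "url": "api.openai.com/v1/**"}},
    ],
}

def has_unreachable_default(policy):
    """True when default: deny is paired with rules that contain no allow."""
    rules = policy.get("rules") or []
    return policy.get("default") == "deny" and not any("allow" in r for r in rules)

def _matches(cond, method, url):
    # Assumption: globs behave like fnmatch; a missing method list means any method.
    methods = cond.get("method")
    return (methods is None or method in methods) and fnmatchcase(url, cond["url"])

def decide(policy, method, url):
    """Assumed evaluation order: deny rules, then allow rules, then the default."""
    rules = policy.get("rules") or []
    for action in ("deny", "allow"):
        for rule in rules:
            if action in rule and _matches(rule[action], method, url):
                return action
    return policy["default"]

# Constructed sample requests: (method, url).
SAMPLES = [
    ("POST", "api.openai.com/v1/chat/completions"),
    ("GET", "api.openai.com/v1/models"),
    ("GET", "db.internal.example.com/admin/users"),
]

def outcomes(policy):
    return [decide(policy, m, u) for m, u in SAMPLES]

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, has_unreachable_default(policy), outcomes(policy))
```

With the fixed policy, only the POST to api.openai.com is allowed; the GET to the same host still falls through to the default, because the allow rule restricts the method.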