Restricted Tool-access — High-risk Decisions
Hard allowlist; no write tools without human-in-the-loop (HITL) approval.
Tool-access · Strict · v3.1 · Active · SR 11-7 · EU AI Act
# Tool-access policy for the claims-investigation agent: lists the tools the
# agent may call, the tool patterns it may never call, and what happens when a
# call violates the policy.
# NOTE(review): the comment marker "#" is assumed; confirm against the policy
# language's grammar before committing these notes.
policy "claims-investigation-tool-access" {
# Applies to one agent, in all three listed environments.
scope agents { "claims-investigation-agent" }
scope env { "Lab", "Staging", "Production" }
# Explicitly allowed tools. The two claims-database entries are pinned to a
# single operation each.
# NOTE(review): the operation names suggest reads; confirm neither has side effects.
allow tool "claims-database.lookup_policy"
allow tool "claims-database.get_claim_history"
allow tool "policy-search"
allow tool "coverage-calculator"
# NOTE(review): unlike the claims-database entries, this one carries no
# operation suffix. If the name refers to an MCP server rather than a single
# tool, every tool that server exposes (including ones added later) would be
# in scope; confirm, and pin to specific operations if so.
allow tool "claims-photo-analysis-mcp"
# Allowed with a rate limit; presumably 10 calls per 1 hour (confirm the
# argument order and whether the window is per agent, per task or global).
# NOTE(review): this tool sends something to an adjuster, so it is not purely
# read-only, and no approval step is attached here. Confirm it is outside what
# the policy means by "write tools".
allow tool "notify-adjuster" with rate_limit(10, "1h")
# Explicit denies using wildcard patterns: every claims-database operation
# starting with "write_", and everything under "payments.".
# NOTE(review): no default-deny rule is visible in this block. For the policy
# to be a hard allowlist, the engine must reject any tool not listed under
# "allow"; confirm that default, and confirm deny takes precedence over allow
# if patterns ever overlap.
# NOTE(review): write tools are denied outright here; no human-in-the-loop
# approval path is expressed in this block. Confirm where that path is defined.
deny tool "claims-database.write_*"
deny tool "payments.*"
# Response to a violation: pause the task, escalate to the security on-call
# target, and write an audit-log entry with severity "high".
# NOTE(review): whether the violating call is blocked before these actions
# run is not shown here; verify in the engine.
on_violation {
pause_task()
escalate "security-on-call"
audit_log severity = "high"
}
}