Agent policies
Control which coding agents and auth routes members can use.
The agent policy is a single checklist, in Settings > Organization, that narrows what members are allowed to select for themselves.
What it controls
Two independent checklists:
- Allowed routes: Native (the harness's own sign-in), API key, and Gateway.
- Allowed harnesses: Claude Code, Codex, OpenCode, Gemini CLI, and Grok CLI. (Cursor doesn't appear here since it only ever uses its own sign-in, there's no route to restrict.)
Leaving every box checked means no restriction. Uncheck a route or harness to stop members from selecting it going forward.
Settings > Organization, Agent policy section
The Agent policy card: two checklist columns, 'Allowed routes' (Native, API key, Gateway) and 'Allowed harnesses' (Claude Code, Codex, OpenCode, Gemini CLI, Grok CLI), each item a checkbox, with a Save policy button below.
How it's enforced
This is flagged, not blocked. Members can still have a selection that doesn't match the current policy (usually because they set it up before the policy changed); Proliferate surfaces those as conflicts in a table right below the checklist, listing the member, harness, surface, and route that's out of policy, so an admin can follow up.
Settings > Organization, Agent policy conflicts table
A table titled Conflicts below the policy checklist, with Member, Harness, Surface, and Route columns listing member selections that fall outside the saved policy.
Editing the agent policy requires the organization to be on a paid plan. Anyone can still view the current policy and the conflicts list.
Examples
- Turn off the API key route so no one pastes personal provider keys into a shared organization.
- Turn off every route except Gateway to force all model spend through Proliferate's managed budget.
- Turn off a harness your organization hasn't approved yet.
Keep policies understandable. If a member can't tell why their selection is flagged, the policy is too opaque.