Policies are stored as OrganizationPolicy and WorkspacePolicy documents sharing fields from policyFields.js.

Common controls:

| Area | Examples |
|---|---|
| Sharing | Disable community browsing/import, share links |
| Export | Disable JSON/Markdown export |
| Playground / Refine | disablePlaygroundForRoles, disableRefineAgentForRoles |
| Publish | restrictPublishTo, requireScanBeforePublish |
| Creation | restrictOfficialCreationTo, requireMetadataFields |
| Approved prompts | lockApprovedPrompts — prevent edits after approval |
| Retention | Days for prompts, runs, audit logs; legal hold |

The effective policy is merge(org, workspace). APIs apply the enforcePolicy middleware on create, update, publish, export, run, and refine.

The dashboard governance API also exposes read and update of the org and workspace policy for the governance UI.
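
The page does not say how merge(org, workspace) resolves conflicts, so the following is an added example, not the project's code, of one safe choice: a workspace may only tighten what the org sets. The field names come from the table above; their value types, the mapping of actions to fields, and the helper names (mergePolicy, decide) are assumptions.

```javascript
// Added example. Field names are from the policy table; value types, the
// action-to-field mapping and the "workspace may only tighten" rule are assumptions.
const union = (a, b) => [...new Set([...(a ?? []), ...(b ?? [])])];

// Allow-lists: null/undefined = unrestricted, [] = nobody. Treating an empty
// intersection as "unrestricted" would fail open, so the two stay distinct.
const intersect = (a, b) => {
  if (a == null) return b ?? null;
  if (b == null) return a;
  return a.filter((role) => b.includes(role));
};

function mergePolicy(org = {}, ws = {}) {
  return {
    disablePlaygroundForRoles: union(org.disablePlaygroundForRoles, ws.disablePlaygroundForRoles),
    disableRefineAgentForRoles: union(org.disableRefineAgentForRoles, ws.disableRefineAgentForRoles),
    restrictPublishTo: intersect(org.restrictPublishTo, ws.restrictPublishTo),
    requireScanBeforePublish: Boolean(org.requireScanBeforePublish || ws.requireScanBeforePublish),
    lockApprovedPrompts: Boolean(org.lockApprovedPrompts || ws.lockApprovedPrompts),
  };
}

// Pure decision function, testable apart from any HTTP middleware wrapper.
function decide(policy, action, ctx) {
  const deny = (reason) => ({ allowed: false, reason });
  const allow = policy.restrictPublishTo;
  switch (action) {
    case 'publish':
      if (allow != null && !allow.includes(ctx.role)) return deny('restrictPublishTo');
      if (policy.requireScanBeforePublish && !ctx.scanned) return deny('requireScanBeforePublish');
      break;
    case 'update':
      if (policy.lockApprovedPrompts && ctx.promptApproved) return deny('lockApprovedPrompts');
      break;
    case 'run':
      if (policy.disablePlaygroundForRoles.includes(ctx.role)) return deny('disablePlaygroundForRoles');
      break;
    case 'refine':
      if (policy.disableRefineAgentForRoles.includes(ctx.role)) return deny('disableRefineAgentForRoles');
      break;
    default: // create/export are not modelled here; unknown actions fail closed
      return deny('unknown action');
  }
  return { allowed: true, reason: null };
}

// Constructed sample documents (not real data): the allow-lists do not overlap.
const ORG = { restrictPublishTo: ['admin', 'editor'], requireScanBeforePublish: true };
const WS = { restrictPublishTo: ['viewer'], disablePlaygroundForRoles: ['guest'] };
const EFFECTIVE = mergePolicy(ORG, WS);
```

With the constructed ORG and WS documents the two publish allow-lists are disjoint, so the effective list is empty and nobody can publish in that workspace, rather than everybody.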

