Policy surface

Configure local write admission.

WriteFence alpha is configured with a YAML file plus optional CLI flag overrides. The current policy surface is intentionally small: users can tune built-in rules, but cannot define arbitrary custom rules yet.

Example

proxy:
  addr: "127.0.0.1:9622"
  upstream: "http://127.0.0.1:9621"
  state_file: "/tmp/writefence-alpha/session-state.json"
  violations_log: "/tmp/writefence-alpha/writefence-violations.jsonl"
  wal_log: "/tmp/writefence-alpha/writefence-wal.jsonl"
  quarantine_log: "/tmp/writefence-alpha/writefence-quarantine.jsonl"
  metrics_enabled: true

rules:
  english:
    threshold: 0.05
  prefix:
    allowed:
      - "[STATUS]"
      - "[DECISION]"
      - "[SETUP]"
      - "[CONFIG]"
      - "[RUNBOOK]"
  semantic_dedup:
    threshold: 0.98
    embed_url: "http://127.0.0.1:11434"
    embed_model: "qwen3-embedding:8b"
    qdrant_url: "http://127.0.0.1:6333"

Run with YAML

./bin/writefence --config ./writefence.yaml

CLI flags override YAML values when provided explicitly.

./bin/writefence --config ./writefence.yaml --addr 127.0.0.1:9622 --upstream http://127.0.0.1:9621

Proxy settings

Rule settings

english

threshold controls when mixed Cyrillic/English content becomes a hard block. Smaller amounts may be admitted with a warning.

prefix

allowed is the list of required document prefixes. This gives memory entries a predictable category before they become durable state.

semantic_dedup

Semantic deduplication is enabled only when both embed_url and qdrant_url are configured. If either dependency is absent, WriteFence keeps running with deterministic local rules.
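An added pre-flight check (not WriteFence's own code) for the fallback described above: given a config already parsed into a mapping, it reports whether semantic deduplication will actually be active, since a missing URL disables it without stopping the proxy. The function names, the loopback and empty-prefix checks, and the sample values are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the page's example as a parsed mapping, with
# qdrant_url left out to show the fallback case.
SAMPLE = {
    "proxy": {"addr": "127.0.0.1:9622", "upstream": "http://127.0.0.1:9621"},
    "rules": {
        "prefix": {"allowed": ["[STATUS]", "[DECISION]"]},
        "semantic_dedup": {"threshold": 0.98,
                           "embed_url": "http://127.0.0.1:11434"},
    },
}

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other names are not provably local

def preflight(cfg):
    """Return (dedup_enabled, findings) for a parsed config mapping."""
    proxy = cfg.get("proxy") or {}
    rules = cfg.get("rules") or {}
    dedup = rules.get("semantic_dedup") or {}
    findings = []
    # From the page: dedup is enabled only when BOTH URLs are configured.
    missing = [k for k in ("embed_url", "qdrant_url") if not dedup.get(k)]
    dedup_enabled = not missing
    if dedup and missing:
        findings.append("semantic_dedup inactive; missing: " + ", ".join(missing))
    # Assumed hardening checks below (not WriteFence behaviour).
    urls = {"proxy.upstream": proxy.get("upstream"),
            "semantic_dedup.embed_url": dedup.get("embed_url"),
            "semantic_dedup.qdrant_url": dedup.get("qdrant_url")}
    for name, url in urls.items():
        host = urlsplit(url).hostname if url else None
        if url and urlsplit(url).scheme == "http" and not is_loopback(host or ""):
            findings.append(f"{name}: plain http to non-loopback host {host}")
    addr = proxy.get("addr")
    if addr and not is_loopback(addr.rsplit(":", 1)[0].strip("[]")):
        findings.append(f"proxy.addr {addr} is not a loopback address")
    if not (rules.get("prefix") or {}).get("allowed"):
        findings.append("prefix.allowed is empty or missing")
    return dedup_enabled, findings

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

To run it against a real file, load the YAML with a parser of your choice and pass the resulting mapping to `preflight`.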

Alpha boundary

The alpha validates the local write-admission loop: block, warn, quarantine, replay, and inspect decisions. Hosted policy management, multi-tenant auth, billing, a custom policy DSL, and broad adapter coverage are later product decisions.