SpinupSpinup Docs
Features

Runtime Policies

Rules Spinup keeps with a Spinup Agent that govern what may be installed, projected, or accessed in the environment.

Runtime policies set the rules for what may be installed, projected, or accessed inside a Spinup Agent's environment. The policy model covers network access, package install scope, and which skills or MCP servers an agent may use where the current runtime fulfillment path supports enforcement. Policies sit with the agent, not with the active runtime instance, and Spinup applies them when it provisions or reconciles the environment.

What ships today

The shipped policy surface covers:

  • network policy: outbound network mode for the environment, such as allow_all, allowlist, or deny_all, with an explicit allow list when used.
  • package install scope: which package ecosystems and install locations are allowed by policy before runtime fulfillment attempts them.
  • skill and MCP allowance: which skills and MCP servers an agent is allowed to project, install, validate, or invoke through its capabilities where supported.

You set these through runtime policy and capability settings. Spinup stores them with the agent and projects the resulting constraints into the environment.

What is roadmap

More granular policy controls will arrive over time. Per-capability allow lists, signed policy versions, and policy review surfaces are not yet shipped and will be called out as they land.

Where to go next

  • See where policies are enforced in Environments.
  • See how capabilities sit under the same policy surface in Capabilities.

Secrets

Workspace credentials Spinup projects into a Spinup Agent environment under stable names, returning masked metadata to readers.

Evidence

Support-safe records that explain what a Spinup Agent run or setup turn used and saved, without exposing secrets or unbounded runtime output.

On this page

What ships todayWhat is roadmapWhere to go next