Spinup Docs
Features

Runtime Policies

Rules that Spinup keeps with a Spinup Agent to govern what may be installed, projected, or accessed in the environment.

Runtime policies set the rules for what may be installed, projected, or accessed inside a Spinup Agent's environment. Today they cover network access, package install scope, and which skills or MCP servers an agent may use. Policies sit with the agent, not with the active runtime instance, and Spinup enforces them when it provisions or reconciles the environment.

What ships today

The shipped policy surface covers:

  • network policy: outbound network mode for the environment, such as allow_all, allowlist, or deny_all, with an explicit allow list when used.
  • package install scope: which package ecosystems and install locations are allowed when reconciling runtime requirements.
  • skill and MCP allowance: which skills and MCP servers an agent is allowed to install or invoke through its capabilities.

You set these through runtime policy and capability settings. Spinup stores them with the agent and projects the resulting constraints into the environment.
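
An added example, not Spinup's code or configuration format: a fail-closed evaluator for the three network modes named above, showing why allow-list entries should be matched on whole hostnames or label boundaries rather than by substring. The NetworkPolicy fields, the "*." wildcard form, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

MODES = {"allow_all", "allowlist", "deny_all"}  # mode names as listed on this page


@dataclass(frozen=True)
class NetworkPolicy:
    # Hypothetical shape: these field names are assumptions, not Spinup's schema.
    mode: str
    allow: tuple = ()


def validate(policy):
    """Return a list of problems; an empty list means the policy is coherent."""
    problems = []
    if policy.mode not in MODES:
        problems.append(f"unknown mode {policy.mode!r}")
    if policy.mode == "allowlist" and not policy.allow:
        problems.append("allowlist mode needs an explicit allow list")
    if policy.mode in ("allow_all", "deny_all") and policy.allow:
        problems.append(f"allow list has no effect in {policy.mode} mode")
    return problems


def _norm(host):
    # Hostnames are case-insensitive and may carry a trailing root dot.
    return host.strip().lower().rstrip(".")


def host_matches(entry, host):
    entry, host = _norm(entry), _norm(host)
    if entry.startswith("*."):
        # Assumed wildcard form: subdomains only, matched on a label boundary,
        # so "*.example.com" does not cover "evil-example.com" or the apex.
        return host.endswith(entry[1:])
    return host == entry


def is_allowed(policy, host):
    """Decide one outbound destination; anything unrecognised is denied."""
    if policy.mode == "allow_all":
        return True
    if policy.mode == "allowlist":
        return any(host_matches(e, host) for e in policy.allow)
    return False  # deny_all, and any unknown or misspelled mode
```
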

What is on the roadmap

More granular policy controls will arrive over time. Per-capability allow lists, signed policy versions, and policy review surfaces are not yet shipped and will be called out as they land.

Where to go next

  • See where policies are enforced in Environments.
  • See how capabilities sit under the same policy surface in Capabilities.