Documentation Index
Fetch the complete documentation index at: https://docs.superblocks.com/llms.txt
Use this file to discover all available pages before exploring further.
Custom Policy Agents are currently in beta. Contact support to get on the waitlist.
How it works
A Custom Policy Agent is an AI reviewer that runs against your application at publish time:- Admin creates the agent with a name, instructions, mode, and scope
- Builder publishes — the agent evaluates a frozen snapshot of the application
- Agent produces findings — structured results with evidence, locations, and severity
- Builder sees results in the publish readiness checklist with clear next actions
Creating an agent
Admins configure each Custom Policy Agent with:| Setting | Description |
|---|---|
| Name | Display name shown in publish readiness (e.g., “PHI Storage Agent”) |
| Instructions | The policy the agent enforces — written in natural language, as detailed as needed |
| Mode | Blocking (prevents publish until resolved) or Advisory (warns but allows) |
| Scope | Which applications the agent applies to — all apps, or a specific subset |
Writing effective instructions
Agent instructions work best when they are specific, concrete, and reference your organization’s actual standards. You can reference your organization’s Knowledge to give agents access to existing policies and documentation. Examples of effective instructions:- “Check that any application storing or transmitting patient health information (PHI) only writes to integrations on the approved PHI storage list. Flag any write operation to an unapproved destination as a blocking finding.”
- “Verify that all API endpoints that perform write operations include role-based access control checks. Any endpoint that modifies data without verifying the caller’s permissions should be flagged.”
- “Confirm that no application stores secrets or credentials in environment variables, local storage, or hardcoded values. All secrets must be referenced through Superblocks integrations.”
What the agent can access
Custom Policy Agents have read-only access to the application being reviewed:- Application source files and component structure
- Application metadata and configuration
- Integration references and connection details
- Findings from the built-in security scan (so agents can build on deterministic results)
Relationship to Clark
Custom Policy Agents and Clark serve distinct roles:| Custom Policy Agent | Clark | |
|---|---|---|
| Role | Reviewer — evaluates and reports | Fixer — remediates findings |
| When | Runs at publish time | Runs when builder clicks “Fix with Clark” |
| Access | Read-only app state | Read-write app state |
| Output | Structured findings | Code changes |
Example use cases
PHI storage compliance
“Flag any application that writes patient identifiers, diagnoses, or treatment records to an integration not on the approved PHI storage list. Reference the ‘Approved PHI Destinations’ knowledge document.”
Internal authentication standards
“Verify that every API endpoint performing data mutations checks the caller’s role against the required permission level. Flag endpoints that skip authorization checks.”
Data handling policies
“Check that applications do not export, log, or display raw payment card numbers. Ensure any refund or chargeback workflow includes approval steps and audit logging.”
What builders see
When a Custom Policy Agent completes, builders see it in their publish readiness checklist:- What the agent found — a clear explanation of the policy violation
- Evidence — the specific code, configuration, or pattern that triggered the finding
- Location — where in the application the issue exists
- Fix with Clark — one-click remediation for eligible findings