Agent Network Best Practices

broker-must-define-policies


Guidance

This rule validates that every broker in an Agent Network defines at least one policy binding in its specification. Policies establish governance, security controls, and compliance requirements within agent orchestration workflows. Without policies, brokers operate without oversight, exposing the network to security risks, compliance violations, and operational inconsistencies. Policy bindings connect brokers to specific policy definitions with their configurations. This enables enforcement of rate limiting, authentication, authorization, data protection, and other critical controls. This rule applies to all broker definitions in Agent Network specifications. It makes sure that orchestration agents follow established organizational standards and regulatory requirements.

Message

Broker must define policies in the Broker Spec. Add at least one PolicyBinding with a policy reference and configuration to ensure proper governance, security controls, and compliance requirements are enforced.

Examples

valid

schemaVersion: 1.0.0
brokers:
  weather-broker:
    card:
      protocolVersion: "0.3.0"
      name: "Weather Broker"
      description: "Handles weather-related requests"
      url: "https://weather-broker.example.com"
      version: "1.0.0"
      provider:
        organization: "Weather Corp"
        url: "https://weather-corp.com"
      capabilities:
        streaming: false
        pushNotifications: false
        stateTransitionHistory: false
        extensions: []
      defaultInputModes:
        - "application/json"
      defaultOutputModes:
        - "application/json"
      skills:
        - id: "weather-skill"
          name: "Weather Skill"
          description: "Get weather information"
          tags: ["weather"]
    spec:
      llm:
        ref:
          name: "openai-llm"
        configuration:
          model: "gpt-4"
      instructions:
        - "You are a weather assistant"
      links:
        - agent:
            ref:
              name: "weather-agent"
      policies:
        - ref:
            name: "security-policy"
          configuration:
            encryptionRequired: true

invalid

schemaVersion: 1.0.0
brokers:
  weather-broker:
    card:
      protocolVersion: "0.3.0"
      name: "Weather Broker"
      description: "Handles weather-related requests"
      url: "https://weather-broker.example.com"
      version: "1.0.0"
      provider:
        organization: "Weather Corp"
        url: "https://weather-corp.com"
      capabilities:
        streaming: false
        pushNotifications: false
        stateTransitionHistory: false
        extensions: []
      defaultInputModes:
        - "application/json"
      defaultOutputModes:
        - "application/json"
      skills:
        - id: "weather-skill"
          name: "Weather Skill"
          description: "Get weather information"
          tags: ["weather"]
    spec:
      llm:
        ref:
          name: "openai-llm"
        configuration:
          model: "gpt-4"
      instructions:
        - "You are a weather assistant"
      links:
        - agent:
            ref:
              name: "weather-agent"
      # NO POLICIES SECTION - this should fail validation
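
The Python check below is an added example, not MuleSoft's rule definition: it approximates the rule as a pre-commit or CI check over an already-parsed spec, such as the output of a YAML loader. Requiring a non-empty `ref.name` on at least one binding is an assumption drawn from the rule message, and every broker name in the constructed sample except `weather-broker` is hypothetical.

```python
def _has_policy_ref(binding):
    """True when a binding carries a non-empty ref.name (assumed minimum)."""
    ref = binding.get("ref") if isinstance(binding, dict) else None
    return isinstance(ref, dict) and bool(ref.get("name"))


def brokers_without_policies(network):
    """Return {broker_name: reason} for each broker lacking a usable policy binding."""
    findings = {}
    for name, broker in (network.get("brokers") or {}).items():
        spec = broker.get("spec") if isinstance(broker, dict) else None
        policies = spec.get("policies") if isinstance(spec, dict) else None
        if policies is None:
            # Covers both an absent key and an explicit YAML null.
            findings[name] = "spec.policies is missing"
        elif not isinstance(policies, list):
            findings[name] = "spec.policies is not a list"
        elif not policies:
            findings[name] = "spec.policies is empty"
        elif not any(_has_policy_ref(b) for b in policies):
            findings[name] = "no binding has ref.name"
    return findings


# Constructed sample: parsed form of specs like the ones above, trimmed to the
# fields the check reads. Only weather-broker mirrors the page's valid example.
SAMPLE = {
    "schemaVersion": "1.0.0",
    "brokers": {
        "weather-broker": {"spec": {"policies": [
            {"ref": {"name": "security-policy"},
             "configuration": {"encryptionRequired": True}},
        ]}},
        "no-policies-broker": {"spec": {"links": []}},
        "empty-policies-broker": {"spec": {"policies": []}},
        "dangling-binding-broker": {"spec": {"policies": [{"configuration": {}}]}},
    },
}

if __name__ == "__main__":
    for broker, reason in brokers_without_policies(SAMPLE).items():
        print(f"{broker}: {reason}")
```

An empty list and a binding without a policy reference are reported separately from a missing section, since both leave the broker with no enforceable policy even though a `policies` key is present.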

Applies to Broker

Constraint

Type: Declarative Validation

Type: Ruleset
Organization: MuleSoft
Published by: MuleSoft Organization
Published on: Nov 20, 2025
Asset versions for 1.0.x: 1.0.0