Example Policies

Each example below includes an interactive editor — modify the policy and see the compiled output update in real-time. They are ordered from simplest to most complex.

Monitoring Bot

Read-only access using prefix matching, with a deny rule for sensitive data.

This policy:

• Allows any method starting with list or get, plus summary — using the ^ prefix operator
• Denies listdatastore via a global restriction (it contains sensitive data)
• Two restrictions work together: the allow (OR'd alternatives) and the deny (AND'd separately)

Payment App

A spending-limited rune for an app that can check balances and send payments.

This policy:

• Allows listfunds and getinfo for balance checks, plus xpay for payments
• Caps xpay payments at 100,000,000 msat (~1000 sats) — or allows invoice-embedded amounts (! = field absent)
• Rate limits xpay to 10 calls per minute

Channel Operator

A full policy combining peer restriction, tags, prefix matching, conditional constraints with grouping, and a global rate limit.

This policy:

• Locked to a specific commando peer by node public key
• Tagged with role and version for auditing (visible in showrunes output)
• Uses ^list prefix for all read methods, plus specific write methods
• Limits fundchannel to 1,000,000 sats
• Caps xpay at ~1000 sats with rate limiting — using parenthesized grouping (... or ...) and ...
• Forces close to send to a specific cold wallet address
• Global rate limit of 1 call per minute across all methods