> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sigilcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sigil Warrant & warranty.md

> Define your agent's execution policy using Sigil Warrant. Every agent action is evaluated against this policy before it executes.

## Overview

A `warranty.md` file is a signed, operator-defined policy that tells Sigil Sign what your agent is and isn't allowed to do. It is the contract between you and your agent's execution layer.

Sigil Sign evaluates every agent intent against this file before allowing any action to proceed. If the action violates policy, it is denied before it executes — not audited after.

## Generate Your Policy

Use **Sigil Warrant** at [sigilcore.com/tools/warrant](https://sigilcore.com/tools/warrant) to generate, sign, and download your `warranty.md`. Two paths are available:

* **Warrant Builder** — guided step-by-step flow. No policy syntax required. Recommended for first-time operators.
* **Manual Warrant** — write your policy directly in the `warranty.md` format. Full control over every field. For developers familiar with the warranty.md schema.

Both paths produce an identical signed `warranty.md` that Sigil Sign accepts at boot.

## File Format

`warranty.md` uses a plain-text, typed-block format. Blocks are defined by `##` headers. At least one of `## evm`, `## tool_calls`, or `## custom` is required.

```markdown theme={null}
version: 1.0.0

## evm
max_transaction_eth: 5.0
allowed_chains: 1, 8453, 42161
allowed_actions: wallet.transfer, contract.call
consensus_threshold_eth: 3.0
consensus_require_hold: true

## tool_calls
allowed: bash, web_fetch, file_write, wallet_sign, email.send
bash.blocked_commands: rm -rf, curl, wget
web_fetch.blocked_domains: evil.com, malicious.io
file_write.blocked_paths: /etc, /root, ~/.ssh
email.require_approval: true

## custom
# Operator-defined rules — evaluated FIRST before all other checks
deny_if.intent.metadata.email_to contains "@competitor.com"
deny_string: "DROP TABLE"
deny_string: "OPENAI_API_KEY"

## soft_limits
daily_evm_limit_eth: 20.0
daily_tool_calls: 500

## signature
sigil-sig: <base64url>
```

## Policy Sections

### `## evm`

Controls EVM transaction execution — spend limits, allowed chains, allowed actions, and consensus hold thresholds.

| Field                     | Description                                                                   |
| ------------------------- | ----------------------------------------------------------------------------- |
| `max_transaction_eth`     | Maximum ETH value per transaction                                             |
| `allowed_chains`          | Comma-separated chain IDs                                                     |
| `allowed_actions`         | Permitted EVM actions                                                         |
| `chain_actions`           | Optional per-chain action overrides (takes precedence over `allowed_actions`) |
| `consensus_threshold_eth` | Transactions above this require human approval                                |
| `consensus_require_hold`  | Set `true` to enable the hold                                                 |

### `## tool_calls`

Controls non-EVM agent tool execution.

| Field                       | Description                            |
| --------------------------- | -------------------------------------- |
| `allowed`                   | Permitted tool types                   |
| `bash.blocked_commands`     | Substrings that trigger denial in bash |
| `web_fetch.blocked_domains` | Hostnames blocked for web requests     |
| `file_write.blocked_paths`  | Path prefixes blocked for file writes  |
| `email.require_approval`    | Hold all email.send for human approval |

### `## custom`

Operator-defined rules evaluated before all other checks. Two rule types:

```
# Block a specific field value
deny_if.<field_path> <operator> <value>

# Block any intent containing a string in any field
deny_string: <literal>
```

Operators: `contains`, `starts_with`, `ends_with`, `equals`, `not_equals`, `matches` (regex)

### `## soft_limits`

Informational limits flagged for audit but never hard-enforced. Included so the `policyHash` reflects the operator's stated intent.

### `## signature`

Ed25519 signature over all content above this block. Generated by Sigil Warrant. A missing or invalid signature causes Sigil Sign to reject the policy unconditionally at startup.

## Deployment

Place your signed `warranty.md` at `config/warranty.md` relative to `process.cwd()`, or set `WARRANTY_PATH` to its location:

```bash theme={null}
WARRANTY_PATH=/path/to/your/warranty.md
```

The file is loaded once at startup and cached. Changes require a process restart.

## Security

* The policy file is signed with your Ed25519 operator key
* The SHA-256 hash of the policy content is embedded in every Intent Attestation JWT (`policyHash` claim)
* If the file is modified after signing, Sigil Sign detects it at next startup and refuses to start
* Never commit your live `warranty.md` to version control — it contains your signing credentials

`config/warranty.md` is gitignored by default in the sigil-sign repo.