InfracodebaseInfracodebase

Rulesets

Rulesets are how you make the agent's non-deterministic behavior controllable. A ruleset is a collection of rules organized around a specific concern, written in plain language, that the agent must follow when generating code and responding to conversations. For example, a "Terraform Configuration Guidelines" ruleset might contain rules about module sourcing, naming conventions, state management, and variable structure.

Each ruleset groups related rules together so they can be managed and toggled as a unit. Rulesets work at three levels.

  • Enterprise for org-wide standards that apply across all workspaces
  • Workspace for project-specific rules within a particular workspace
  • User for personal preferences that customize behavior within the boundaries set above

Creating a ruleset

From scratch. Click Create Ruleset and provide a name, a description of what the ruleset covers, and then add individual rules written in plain language.

With AI. Click Manage with AI to open a chat panel where you can create, update, and organize rulesets through conversation. The agent accepts URLs (and can deep crawl linked documentation), uploaded folders, and individual files of various types. It analyzes your content, identifies IaC-checkable rules, compares against your existing rulesets, and creates new rulesets for you.

Once approved, rulesets need to be enabled and added to the workspaces where they apply before they are included in compliance evaluations.

Reviewing and approving changes

When the AI agent creates or modifies rulesets, the changes go through a review process before going live.

After the agent finishes, you can choose to Submit for Review or Approve All directly.

  • Submit for Review stages the changes for someone with approval permissions to review. The changes appear in the Pending Review tab on the rulesets page.
  • Approve All applies the changes immediately to your live rulesets.

Pending Review tab

The Pending Review tab shows all staged changes waiting for approval. Click any item to open the review page where you can:

  • Review each rule's title and content
  • Edit rules before approving (click the pencil icon)
  • Remove individual rules you don't want (click the X icon)
  • Approve All or Reject All from the header

Changes only go live after explicit approval.

Enterprise rulesets

Enterprise rulesets let you set standards across your entire organization. When you create an enterprise ruleset, you control two things.

  • Enabled determines whether the ruleset is published and available to workspaces
  • Required determines whether workspaces can opt out

A ruleset that is both enabled and required is locked on for every workspace in the organization. No one can disable it. This is how you guarantee that all of your teams follow the same standards regardless of what they're working on.

A ruleset that is enabled but not required gives workspaces the flexibility to toggle it on or off based on their needs. This makes your enterprise rules more scalable. Instead of forcing every standard on every team, you can publish a library of rulesets that workspaces adopt when relevant.

Workspace rulesets

Workspace rulesets are rules that apply only within a specific workspace. They let you add project-specific standards on top of whatever enterprise rulesets are already active. For example, a workspace for a payments service might have rulesets about naming conventions, deployment patterns, or compliance requirements that are unique to that project.

In addition to creating workspace-specific rulesets, you can also enable optional enterprise rulesets for the workspace. If an enterprise administrator has published a ruleset but not marked it as required, you can toggle it on from the workspace settings to apply it to your project.

User rulesets

User rulesets are personal preferences that apply across all of your workspaces. They let you customize how the agent works for you individually.

Hierarchy

All active rulesets from all three levels are combined and used by the agent. When there is a conflict between levels, the agent follows this precedence.

  1. Enterprise rulesets always take priority
  2. Workspace rulesets apply unless they conflict with an enterprise ruleset
  3. User rulesets apply unless they conflict with an enterprise or workspace ruleset

This hierarchy means enterprise administrators can set guardrails with confidence. Required enterprise rulesets are guaranteed to be followed. Workspace and user rulesets can add specificity and personalization, but they cannot override organizational standards.

Best practices

  • Be specific. "Use t3.medium as the default EC2 instance type" beats "Use appropriate instance sizes"
  • Keep them focused. One ruleset per concern makes them easier to manage and toggle
  • Use plain language. Write rules as clear instructions, not code
  • Use required sparingly. Reserve it for true organizational standards. Make everything else optional so workspaces can adopt what's relevant to them
  • Use tags. Add tags like cloud:aws or scope:resource to organize rulesets. The AI agent reuses existing tag patterns when creating new rulesets.
Enterprise Configuration
Workflows
Enterprise Configuration
Secrets