{
  "policyName": "raven-agent-runtime-policy",
  "version": "1",
  "toolClass": "read_only_preflight",
  "requiresWalletAccess": false,
  "submitsTransactions": false,
  "summary": "Raven is a read-only preflight tool. It never needs your wallet, signer, or private keys; it never submits transactions, routes trades, or chooses allocation. Run it BEFORE any wallet-capable, swap-capable, listing-capable, or routing-capable tool.",
  "allowedNetworkTargets": [
    "https://raven-hosted-verifier.onrender.com (hosted)",
    "local MCP process (npx -y raven-verify-mcp)"
  ],
  "forbiddenInputs": [
    "rpcUrl (rejected 400)",
    "issuerIdentity (rejected 400)",
    "private keys / seed phrases (never send; never logged)"
  ],
  "forbiddenCapabilities": [
    "wallet signer access",
    "transaction submission",
    "trade routing",
    "allocation decisions",
    "arbitrary filesystem access (receipt storage path only)"
  ],
  "recommendedSandbox": "Network egress restricted to the verifier endpoint or local MCP; no wallet handles in the Raven tool's scope; receipt storage as the only write path.",
  "receiptStorageRequirement": "Store the exact signed receipt relied upon, per /receipt-schema.json (append-only).",
  "signatureVerificationRequirement": "Verify keyId + signature against /pubkey BEFORE using any verdict.",
  "humanEscalationTriggers": [
    "risk",
    "warning",
    "unknowable",
    "stale receipt before material action",
    "signature verification failure",
    "unsupported token program",
    "verifier unavailable"
  ],
  "ordering": "Raven runs first; decision policy (/decision-policy.json) applies after verification; re-verify before material delayed actions.",
  "disclaimer": "Not financial advice; no price prediction.",
  "minimumPermissions": [
    "call hosted verifier (or local MCP)",
    "call /pubkey and /healthz",
    "store signed receipts",
    "read local receipt fixtures for tests",
    "pass mint/tokenProgram/metadataAddress/poolAddress where available"
  ],
  "forbiddenPermissions": [
    "wallet signer access",
    "private key access",
    "transaction submission",
    "token transfer",
    "swap routing",
    "copy-trading / wallet-following",
    "arbitrary user-supplied RPC URL",
    "user-supplied issuerIdentity",
    "browser-exposed API keys",
    "secret logging",
    "using an LLM to override the deterministic verdict"
  ]
}