Skip to main content
Run after the capability executes. Inspect and control the output before it is returned.

Timing

An after_capability policy runs after the underlying function has completed and returned a result. The function has already executed. The policy inspects the output and decides whether to allow it through or block it.
Side effects already occurred. Use before policies to prevent unwanted side effects. Use after policies to inspect outputs and detect violations after execution.

Registration

Accessing the Output

In an after_capability policy, ctx.output contains the function’s return value.

Common Use Cases

Detect possible secret leakage:
Validate output shape:
Detect PII:

Deny Behavior

When an after policy denies:
  1. The function has already executed
  2. CapabilityDeniedError is raised
  3. The output is not returned to the caller

Future Decision Types

  • redact: strip or mask fields from the output before returning it
  • transform_output: mutate the output before returning it
  • log_only: allow the output through but flag the action for review

Before vs. After