A steering policy names who may steer agents through externally-sourced events — pull request comments and reviews, and issue-opened, PR-opened, or PR-labeled flight triggers. It combines a minimum author-association tier (how closely the author is tied to the repository) with a set of actor allowlists that admit named users regardless of tier. An event whose author fails the policy is recorded on the agent’s timeline as BLOCKED and is never delivered: no follow-up, no checklist task, no wake, no flight spawn. A steering policy controls who may initiate agent work from outside — not what the agent may do once it is working. In the dashboard, steering policies are managed under Organization Settings → Steering Policies.

Fields

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | yes | Unique identifier within the tenant. DNS label format: [a-z][a-z0-9-]{0,62}. Names starting with murmur- are reserved for platform builtins. |
| description | string | no | Human-readable description shown in the dashboard. Maximum 1024 bytes. |
| tier | enum | no | Minimum author association that may steer. See Tiers. Default STEERING_TIER_UNSPECIFIED inherits the tier of the visibility-selected builtin. |
| allowlists | string[] | no | Names of actor-allowlist resources. Any author in the union of their usernames — matched within the event’s provider — may steer regardless of tier. Each name must resolve to an existing allowlist. |

Tiers

The tier field sets the minimum GitHub author association that may steer. The tiers below run from broadest to narrowest — COLLABORATORS admits everyone MEMBERS does, plus repository collaborators.
| Tier | Who may steer |
| --- | --- |
| STEERING_TIER_OPEN | Any author. The pre-steering-policy behavior and the private-repo default, where every commenter is already organization-vetted. |
| STEERING_TIER_COLLABORATORS | Owners, members, and repository collaborators (a per-repo write or triage grant). The public-repo default. |
| STEERING_TIER_MEMBERS | Organization owners and members. |
| STEERING_TIER_ALLOWLIST_ONLY | No tier admission — only the referenced allowlists (and a user-owned agent’s own owner) steer. |
| STEERING_TIER_UNSPECIFIED | Inherit the tier of the visibility-selected builtin. Lets a tenant policy contribute allowlists without restating a tier. |

How a policy is selected

A steering policy is chosen per event, by the repository the event came from and — for service-profile agents — by the owning profile:
  • Per repository: repo-config.steering_policy names a policy explicitly. When unset, the platform selects by repository visibility: public repos use murmur-public-steering-policy, private repos use murmur-private-steering-policy. Both are platform builtins.
  • Per service profile: service-profile.steering_policy names a policy for agents running under that identity.
When both a repo policy and a profile policy apply, the author must pass both — the narrower one wins. An agent a developer owns directly can always be steered by that owner.
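
An added example, not part of the Murmur documentation or platform code: a Python model of the admission decision described above (allowlist or tier within one policy, repo and profile policies both required, owner override). The Event shape, the allowlist layout as lowercase (provider, username) pairs, and the mapping of tiers onto GitHub author_association values are assumptions.

```python
from dataclasses import dataclass

# Assumption: tiers mapped onto GitHub author_association values; None = any author.
TIER_ADMITS = {
    "STEERING_TIER_OPEN": None,
    "STEERING_TIER_COLLABORATORS": {"OWNER", "MEMBER", "COLLABORATOR"},
    "STEERING_TIER_MEMBERS": {"OWNER", "MEMBER"},
    "STEERING_TIER_ALLOWLIST_ONLY": set(),
}
# Tiers of the visibility-selected builtins, as stated in the Tiers table.
BUILTIN_TIER = {"public": "STEERING_TIER_COLLABORATORS", "private": "STEERING_TIER_OPEN"}

@dataclass(frozen=True)
class Policy:
    name: str
    tier: str = "STEERING_TIER_UNSPECIFIED"
    allowlists: tuple = ()

@dataclass(frozen=True)
class Event:  # hypothetical shape, not the platform's webhook schema
    provider: str
    author: str
    association: str
    visibility: str  # "public" or "private"

def passes(policy, event, allowlists):
    """One policy admits the author by allowlist membership or by tier."""
    actor = (event.provider, event.author.lower())
    if any(actor in allowlists.get(n, ()) for n in policy.allowlists):
        return True
    tier = policy.tier
    if tier == "STEERING_TIER_UNSPECIFIED":
        tier = BUILTIN_TIER[event.visibility]
    admitted = TIER_ADMITS[tier]
    return admitted is None or event.association in admitted

def may_steer(event, allowlists, repo_policy=None, profile_policy=None, agent_owner=None):
    """False means the event would be recorded as BLOCKED and never delivered."""
    if agent_owner and event.author.lower() == agent_owner.lower():
        return True  # a directly owned agent can always be steered by its owner
    if repo_policy is None:  # unset repo-config.steering_policy: builtin by visibility
        repo_policy = Policy(f"murmur-{event.visibility}-steering-policy")
    policies = [repo_policy] + ([profile_policy] if profile_policy else [])
    return all(passes(p, event, allowlists) for p in policies)

if __name__ == "__main__":
    lists = {"trusted-actors": {("github", "octo-bot")}}  # constructed sample
    members = Policy("members-and-trusted", "STEERING_TIER_MEMBERS", ("trusted-actors",))
    for who, assoc in [("alice", "MEMBER"), ("octo-bot", "NONE"), ("drive-by", "NONE")]:
        print(who, may_steer(Event("github", who, assoc, "public"), lists, members))
```

Because every applicable policy must admit the author, an allowlisted user who clears a repo policy is still blocked when the service profile's policy does not also admit them.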

Examples

Require organization membership

name: members-only
description: "Only org owners and members may steer"
tier: STEERING_TIER_MEMBERS

cat <<'EOF' | murmur set steering-policy members-only
name: members-only
description: "Only org owners and members may steer"
tier: STEERING_TIER_MEMBERS
EOF

Allowlist-only, with trusted actors

Turn the tier check off and admit only the users named in an actor allowlist.
cat <<'EOF' | murmur set steering-policy bots-only
name: bots-only
description: "Only allowlisted actors may steer"
tier: STEERING_TIER_ALLOWLIST_ONLY
allowlists:
  - trusted-actors
EOF

Members, plus an allowlist of outside contributors

cat <<'EOF' | murmur set steering-policy members-and-trusted
name: members-and-trusted
description: "Org members, plus a few trusted outside contributors"
tier: STEERING_TIER_MEMBERS
allowlists:
  - trusted-actors
EOF

Listing steering policies

murmur get steering-policy
NAME                  TIER                          ALLOWLISTS
members-only          STEERING_TIER_MEMBERS
bots-only             STEERING_TIER_ALLOWLIST_ONLY  trusted-actors
members-and-trusted   STEERING_TIER_MEMBERS         trusted-actors

Reading a single steering policy

murmur get steering-policy members-only

Errors

| Code | Meaning | What to do |
| --- | --- | --- |
| INVALID_ARGUMENT | name is required | Provide a name. |
| INVALID_ARGUMENT | name must match [a-z][a-z0-9-]{0,62} | Use lowercase letters, digits, and hyphens, starting with a letter. |
| INVALID_ARGUMENT | description exceeds 1024 byte limit | Shorten the description to 1024 bytes or fewer. |
| INVALID_ARGUMENT | unknown tier value <n> | Use a valid tier — see Tiers. |
| INVALID_ARGUMENT | allowlists[N]: allowlist "<name>" does not exist | Reference an existing actor-allowlist, or create it first. |
| FAILED_PRECONDITION | cannot delete steering-policy: referenced by service-profile or repo-config | A service profile or repo config still names this policy. Update the reference before deleting. |

  • actor-allowlist — usernames a policy admits regardless of tier
  • service-profile — references a steering policy for agents under that identity
  • repo-config — references a steering policy per repository
  • Events — the webhook events steering gates
  • murmur set — CLI command for creating and updating catalog resources
  • murmur get — CLI command for reading catalog resources