# steering-policy

> Catalog resource that names who may steer agents via externally-sourced events — a minimum repository-association tier plus actor allowlists.

A **steering policy** names *who* may steer [agents](/concepts/agents) through externally-sourced events — pull request comments and reviews, and issue-opened, PR-opened, or PR-labeled [flight](/catalog/flight) triggers. It combines a minimum **author-association tier** (how closely the author is tied to the repository) with a set of [actor allowlists](/catalog/actor-allowlist) that admit named users regardless of tier. An event whose author fails the policy is recorded on the agent's timeline as **BLOCKED** and is never delivered: no follow-up, no checklist task, no wake, no flight spawn.

A steering policy controls who may initiate agent work from outside — not what the agent may do once it is working. In the dashboard, steering policies are managed under **Organization Settings → Steering Policies**.

## Fields

| Name          | Type      | Required | Description                                                                                                                                                                                                                         |
| ------------- | --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `name`        | string    | yes      | Unique identifier within the tenant. DNS label format: `[a-z][a-z0-9-]{0,62}`. Names starting with `murmur-` are reserved for platform builtins.                                                                                    |
| `description` | string    | no       | Human-readable description shown in the dashboard. Maximum 1024 bytes.                                                                                                                                                              |
| `tier`        | enum      | no       | Minimum author association that may steer. See [Tiers](#tiers). Default `STEERING_TIER_UNSPECIFIED` inherits the tier of the visibility-selected builtin.                                                                           |
| `allowlists`  | string\[] | no       | Names of [actor-allowlist](/catalog/actor-allowlist) resources. Any author in the union of their usernames — matched within the event's provider — may steer regardless of `tier`. Each name must resolve to an existing allowlist. |

## Tiers

The `tier` field sets the minimum GitHub author association that may steer. The tiers below run from broadest to narrowest — `COLLABORATORS` admits everyone `MEMBERS` does, plus repository collaborators.

| Tier                           | Who may steer                                                                                                                    |
| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| `STEERING_TIER_OPEN`           | Any author. The pre-steering-policy behavior and the private-repo default, where every commenter is already organization-vetted. |
| `STEERING_TIER_COLLABORATORS`  | Owners, members, and repository collaborators (a per-repo write or triage grant). The public-repo default.                       |
| `STEERING_TIER_MEMBERS`        | Organization owners and members.                                                                                                 |
| `STEERING_TIER_ALLOWLIST_ONLY` | No tier admission — only the referenced [allowlists](/catalog/actor-allowlist) (and a user-owned agent's own owner) steer.       |
| `STEERING_TIER_UNSPECIFIED`    | Inherit the tier of the visibility-selected builtin. Lets a tenant policy contribute allowlists without restating a tier.        |

## How a policy is selected

A steering policy is chosen per event, by the repository the event came from and — for [service-profile](/catalog/service-profile) agents — by the owning profile:

* **Per repository** — [`repo-config.steering_policy`](/catalog/repo-config) names a policy explicitly. When unset, the platform selects by repository visibility: public repos use `murmur-public-steering-policy`, private repos use `murmur-private-steering-policy`. Both are platform builtins.
* **Per service profile** — [`service-profile.steering_policy`](/catalog/service-profile) names a policy for agents running under that identity.

When both a repo policy and a profile policy apply, the author must pass **both** — the narrower one wins. An agent a developer owns directly can always be steered by that owner.
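The selection and admission rules above, modelled locally as an added example (this is not murmur's code). The names `Policy`, `Event`, `passes` and `may_steer` are hypothetical, and the tier-to-`author_association` mapping, the `(provider, username)` allowlist shape and exact-string username matching are assumptions.

```python
# Added illustration: a local model of the admission rules on this page.
# Not murmur's code; data shapes and the association mapping are assumptions.
from dataclasses import dataclass

# Tier -> GitHub author_association values it admits (None = any author).
TIER_ADMITS = {
    "STEERING_TIER_OPEN": None,
    "STEERING_TIER_COLLABORATORS": {"OWNER", "MEMBER", "COLLABORATOR"},
    "STEERING_TIER_MEMBERS": {"OWNER", "MEMBER"},
    "STEERING_TIER_ALLOWLIST_ONLY": set(),
}
# Builtin defaults from the Tiers table: public -> COLLABORATORS, private -> OPEN.
BUILTIN_TIER = {"public": "STEERING_TIER_COLLABORATORS",
                "private": "STEERING_TIER_OPEN"}

@dataclass(frozen=True)
class Policy:
    tier: str = "STEERING_TIER_UNSPECIFIED"
    allowlists: tuple = ()

@dataclass(frozen=True)
class Event:
    provider: str      # e.g. "github"
    author: str
    association: str   # GitHub author_association of the event author
    visibility: str    # "public" or "private"

def passes(policy, event, allowlists):
    """True if the event author satisfies one policy."""
    # An allowlist hit is scoped to the event's provider and ignores the tier.
    if any((event.provider, event.author) in allowlists[n] for n in policy.allowlists):
        return True
    tier = policy.tier
    if tier == "STEERING_TIER_UNSPECIFIED":   # inherit the visibility builtin's tier
        tier = BUILTIN_TIER[event.visibility]
    admitted = TIER_ADMITS[tier]
    return admitted is None or event.association in admitted

def may_steer(event, allowlists, repo_policy=None, profile_policy=None, owner=None):
    """False means the event would be recorded as BLOCKED and not delivered."""
    if owner is not None and event.author == owner:
        return True                           # direct owner can always steer
    if repo_policy is None:                   # repo-config.steering_policy unset
        repo_policy = Policy(BUILTIN_TIER[event.visibility])
    applicable = [repo_policy] + ([profile_policy] if profile_policy else [])
    return all(passes(p, event, allowlists) for p in applicable)

# Constructed sample data: one allowlist holding (provider, username) pairs.
ALLOWLISTS = {"trusted-actors": {("github", "octo-friend")}}
```

Running a planned policy change through a model like this before applying it shows which authors would move between admitted and BLOCKED, in particular when a profile policy is narrower than the repo policy.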

## Examples

### Require organization membership

```yaml
name: members-only
description: "Only org owners and members may steer"
tier: STEERING_TIER_MEMBERS
```

```bash
cat <<'EOF' | murmur set steering-policy members-only
name: members-only
description: "Only org owners and members may steer"
tier: STEERING_TIER_MEMBERS
EOF
```

### Allowlist-only, with trusted actors

Turn the tier check off and admit only the users named in an [actor allowlist](/catalog/actor-allowlist).

```bash
cat <<'EOF' | murmur set steering-policy bots-only
name: bots-only
description: "Only allowlisted actors may steer"
tier: STEERING_TIER_ALLOWLIST_ONLY
allowlists:
  - trusted-actors
EOF
```

### Members, plus an allowlist of outside contributors

```bash
cat <<'EOF' | murmur set steering-policy members-and-trusted
name: members-and-trusted
description: "Org members, plus a few trusted outside contributors"
tier: STEERING_TIER_MEMBERS
allowlists:
  - trusted-actors
EOF
```

### Listing steering policies

```bash
murmur get steering-policy
```

```
NAME                  TIER                          ALLOWLISTS
members-only          STEERING_TIER_MEMBERS
bots-only             STEERING_TIER_ALLOWLIST_ONLY  trusted-actors
members-and-trusted   STEERING_TIER_MEMBERS         trusted-actors
```

### Reading a single steering policy

```bash
murmur get steering-policy members-only
```

## Errors

| Code                  | Meaning                                                                       | What to do                                                                                                                                          |
| --------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `INVALID_ARGUMENT`    | `name is required`                                                            | Provide a `name`.                                                                                                                                   |
| `INVALID_ARGUMENT`    | `name must match [a-z][a-z0-9-]{0,62}`                                        | Use lowercase letters, digits, and hyphens, starting with a letter.                                                                                 |
| `INVALID_ARGUMENT`    | `description exceeds 1024 byte limit`                                         | Shorten the `description` to 1024 bytes or fewer.                                                                                                   |
| `INVALID_ARGUMENT`    | `unknown tier value <n>`                                                      | Use a valid tier — see [Tiers](#tiers).                                                                                                             |
| `INVALID_ARGUMENT`    | `allowlists[N]: allowlist "<name>" does not exist`                            | Reference an existing [actor-allowlist](/catalog/actor-allowlist), or create it first.                                                              |
| `FAILED_PRECONDITION` | `cannot delete steering-policy: referenced by service-profile or repo-config` | A [service profile](/catalog/service-profile) or [repo config](/catalog/repo-config) still names this policy. Update the reference before deleting. |

## Related

* [actor-allowlist](/catalog/actor-allowlist) — usernames a policy admits regardless of tier
* [service-profile](/catalog/service-profile) — references a steering policy for agents under that identity
* [repo-config](/catalog/repo-config) — references a steering policy per repository
* [Events](/concepts/events) — the webhook events steering gates
* [`murmur set`](/cli/set) — CLI command for creating and updating catalog resources
* [`murmur get`](/cli/get) — CLI command for reading catalog resources
