Quick Start

Setup

1. Clone and install

   git clone https://github.com/sasy-labs/sasy-demo.git
   cd sasy-demo
   make setup

2. Configure your keys

   cp .env.example .env

   Edit .env and add your keys:

   OPENAI_API_KEY=sk-...
   SASY_API_KEY=demo-key-your-key-here

   Your SASY API key is provided separately.

Run the Demo

The repo includes a pre-built Datalog policy (policy.dl). Run the demo to see enforcement in action:

All scenarios

make demo

Interactive

make demo-step

Press Enter between each stage.

Single scenario

make scenario-1

This uploads policy.dl to the SASY policy engine and runs 9 agent scenarios. You’ll see:

[Customer] Hi, I need to cancel reservation RKLA42.

  → get_reservation_details(reservation_id=RKLA42)
    [SASY] Consulting policy engine...
    [SASY] ✓ AUTHORIZED: get_reservation_details

  → cancel_reservation(reservation_id=RKLA42)
    [SASY] Consulting policy engine...
    [SASY] ✗ DENIED: cancel_reservation
    Reason: No insurance, not a gold member
    → Consider adding travel insurance

[Agent] I'm sorry, your reservation cannot be
  cancelled because you don't have travel insurance.

Translate a Policy

Write your policy in English and translate it to Datalog:

SDK

from sasy.policy import write_policy

with open("policy_english.md") as f:
    english = f.read()

result = write_policy(english=english)
result.print_summary()
result.save_datalog("policy_compiled.dl")

Makefile

make translate

Translation takes ~5-10 minutes. It produces two files in the repo root:

• policy_compiled.dl — the generated Datalog
• truth_table.tsv — every test scenario

Then run the demo with your translated policy:

make demo-compiled

See Translate a Policy for the full confidence report and verification details.

Enforce a Policy

Here’s how enforcement works in your own code.

1. Configure

import sasy
from sasy.auth import APIKeyAuthHook

sasy.configure(
    auth_hook=APIKeyAuthHook(api_key="demo-key-...")
)

Or just set SASY_API_KEY in .env — the SDK reads it automatically.

2. Upload

SDK

from sasy.policy import upload_policy

with open("policy.dl") as f:
    datalog = f.read()

resp = upload_policy(
    policy_source=datalog,
    hot_reload=True,
)
print("Uploaded!" if resp.accepted else resp.error_output)

Makefile

make upload            # uploads policy.dl
make upload-compiled   # uploads policy_compiled.dl

3. Check tool calls

Before executing any tool, check with the policy engine:

from sasy.reference_monitor import check_tool_call

auth = check_tool_call(
    fn_name="cancel_reservation",
    args='{"reservation_id": "RKLA42"}',
    input_node_ids=event_ids,
)

if auth.authorized:
    # Execute the tool
    result = cancel_reservation(reservation_id="RKLA42")
else:
    # Policy denied — show the reason
    print(f"Denied: {auth.denial_reasons}")
    print(f"Suggestions: {auth.suggestions}")

Every tool call your agent makes goes through this check. The policy engine evaluates it against the loaded Datalog and returns AUTHORIZED or DENIED with a human-readable reason.

Note

The demo code in src/customer_demo/agent.py shows the full integration — how tool calls are recorded in the dependency graph and checked against the policy.

4. Instrument (optional)

For automatic instrumentation of HTTP and agent frameworks:

import sasy

sasy.configure(
    auth_hook=APIKeyAuthHook(api_key="demo-key-...")
)
sasy.instrument()  # patches HTTP, Langroid, etc.

This wraps HTTP requests and agent tool calls so every action is automatically recorded and checked — no manual check_tool_call needed.

See How Enforcement Works for the full flow diagram.