Enable config policies for the CircleCI organization in the Organization Settings UI or via the CircleCI CLI; policies are evaluated on the server against every pipeline config before the pipeline starts
Write a Rego policy file that imports data.circleci.config and defines a hard_fail set containing violation messages when a pipeline config violates organizational rules, such as missing resource_class constraints or use of deprecated executors
Push the policy to CircleCI using circleci policy push ./policies --owner-id <org-id>; the CLI validates the Rego syntax and uploads the policy bundle to CircleCI's policy service
Test the policy locally using circleci policy eval --input pipeline-config.yml --owner-id <org-id> to simulate server-side evaluation and confirm violation messages match expectations before pushing
Add a soft_fail decision set alongside hard_fail so policy violations that should warn without blocking can surface as annotations on the pipeline without stopping execution
Version control the policy repository separately from application code and set up a CI pipeline on the policy repo that runs circleci policy eval against a corpus of known-good and known-bad config fixtures to catch policy regressions
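The regression corpus in the last step can be driven by a small harness such as the following. It is an added example, not CircleCI's own tooling: the fixture layout (fixtures/good and fixtures/bad, with an optional <name>.expect.json sidecar naming the expected status and rules), the positional policy directory passed to circleci policy eval, and the shape of the decision JSON (a status plus hard_failures and soft_failures lists of rule/reason objects) are assumptions to check against the CLI version you run.

```python
"""Regression harness for a CircleCI config-policy repository.

Added example, not CircleCI's own tooling. Assumed fixture layout:
    fixtures/good/<name>.yml          expected decision status PASS
    fixtures/bad/<name>.yml           expected HARD_FAIL unless a sidecar
    fixtures/bad/<name>.expect.json   {"status": "...", "rules": [...]} overrides it
The CLI invocation and the decision JSON shape (status plus hard_failures /
soft_failures lists of {"rule", "reason"}) are assumptions about the CLI's
output; verify them against the circleci version you run.
"""
import json
import subprocess
import sys
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Expectation:
    status: str                              # "PASS", "SOFT_FAIL" or "HARD_FAIL"
    rules: set = field(default_factory=set)  # rule names that must fire


def run_eval_cli(policy_dir, config_path, owner_id):
    """Run `circleci policy eval` (policy dir as positional arg, assumed) and parse its JSON."""
    cmd = ["circleci", "policy", "eval", str(policy_dir),
           "--input", str(config_path), "--owner-id", owner_id]
    completed = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(completed.stdout)


def fired_rules(decision):
    """Names of every rule that produced a hard or soft failure."""
    failures = decision.get("hard_failures", []) + decision.get("soft_failures", [])
    return {f["rule"] for f in failures}


def check_fixture(decision, expected):
    """Compare one decision with its expectation; an empty list means it matches."""
    problems = []
    status = decision.get("status")
    if status != expected.status:
        problems.append(f"status {status!r} != expected {expected.status!r}")
    fired = fired_rules(decision)
    missing = expected.rules - fired
    if missing:
        problems.append("expected rules did not fire: " + ", ".join(sorted(missing)))
    if expected.status == "PASS" and fired:
        # A known-good config now trips a rule: the policy became stricter than intended.
        problems.append("rules fired on a known-good config: " + ", ".join(sorted(fired)))
    return problems


def load_expectation(config_path):
    """Directory name gives the default; a sidecar JSON file overrides it."""
    sidecar = config_path.with_suffix(".expect.json")
    if sidecar.exists():
        data = json.loads(sidecar.read_text())
        return Expectation(data["status"], set(data.get("rules", [])))
    return Expectation("PASS" if config_path.parent.name == "good" else "HARD_FAIL")


def run_corpus(policy_dir, fixtures_dir, owner_id, evaluate=run_eval_cli):
    """Evaluate every fixture; returns {fixture path: [problems]}."""
    results = {}
    for cfg in sorted(Path(fixtures_dir).rglob("*.yml")):
        decision = evaluate(policy_dir, cfg, owner_id)
        results[str(cfg)] = check_fixture(decision, load_expectation(cfg))
    return results


def summarize(results):
    """Return (passed, failed) fixture counts for a CI status line."""
    failed = sum(1 for problems in results.values() if problems)
    return len(results) - failed, failed


# Constructed sample decisions, shaped like the assumed CLI output, so the
# checks can be exercised offline without the circleci binary installed.
SAMPLE_HARD_FAIL = {
    "status": "HARD_FAIL",
    "hard_failures": [{"rule": "require_resource_class",
                       "reason": "job build has no resource_class"}],
    "soft_failures": [{"rule": "deprecated_executor",
                       "reason": "machine image ubuntu-1604 is deprecated"}],
}
SAMPLE_PASS = {"status": "PASS", "hard_failures": [], "soft_failures": []}

if __name__ == "__main__":
    # Usage: python policy_regression.py ./policies ./fixtures <org-id>
    results = run_corpus(*sys.argv[1:4])
    for path, problems in results.items():
        print(("FAIL " if problems else "ok   ") + path, *problems, sep="\n    ")
    passed, failed = summarize(results)
    print(f"{passed} passed, {failed} failed")
    sys.exit(1 if failed else 0)
```

Run it as a job on the policy repository so a pull request that loosens a rule (a known-bad fixture stops failing) or tightens it too far (a known-good fixture starts failing) is rejected before circleci policy push ever runs; the evaluate parameter lets the same checks be exercised with canned decisions in unit tests.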
Known gotchas
CircleCI config policies are evaluated at pipeline creation time using the merged and expanded config; policies that reference orb-injected steps or executor definitions must account for orb expansion, as the raw config before orb resolution may not contain the fields the policy checks
The Rego package name must be data.circleci.config_policies for CircleCI to recognize the policy; using a non-standard package name causes the policy to be uploaded successfully but silently skipped during evaluation
Policy violations with hard_fail block pipeline creation entirely, not just individual jobs: a policy error in a developer's config prevents any jobs from running. Overly strict policies therefore cause significant developer friction and must be tested against a wide range of real-world configs before enforcement