> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mindfort.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Scope and Guardrails

> Define the authorized testing boundaries, rate limits, and agent behavior rules that tell MindFort what it can test and which actions require extra care.

Scope and guardrails tell MindFort what it is authorized to test and which actions require extra care. Configure them before starting assessments or Agents.

## What Scope Controls

Use scope configuration to define:

* primary domains and application URLs
* additional allowed domains or routes that are part of the same target
* in-scope systems agents should include
* out-of-scope systems agents should exclude
* important tenant, workspace, account, or environment values
* authentication context and credential role boundaries

Keep the target scope as specific as possible. A precise scope gives agents stronger context and reduces noisy exploration.

## Common Scope Patterns

| Pattern                        | Use When                                                                                                                                               |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Single application domain**  | The target lives under one domain such as `https://app.example.com`.                                                                                   |
| **Marketing plus app domain**  | Login begins on one domain and redirects into another application domain.                                                                              |
| **Tenant-specific app**        | The application requires an org slug, tenant ID, workspace ID, or account selector.                                                                    |
| **Authenticated-only areas**   | Sensitive routes should only be tested after the agent is signed in with an approved test credential.                                                  |
| **Excluded operational paths** | Routes such as billing, destructive admin actions, production email sends, or customer-impacting workflows must be excluded or constrained with rules. |

## Guardrail Types

MindFort agents use guardrails to keep testing inside approved boundaries:

* **Rate Limiting** controls agent request pacing with Auto, Aggressive, Reduced, and Extreme Stealth modes.
* **Scope** stores Include and Exclude entries for domains, IPs, CIDRs, routes, or other testing boundaries.
* **Rules** store additional constraints for agent behavior.
* **Custom Values** store target-specific context agents should know while testing.

## Configure Scope

1. Open **Target Inventory**.
2. Select the target.
3. Open the **Guardrails** tab.
4. Set **Rate Limiting** if the default automatic pacing is not appropriate.
5. Add **Include** entries for systems that agents should test.
6. Add **Exclude** entries for systems that agents must avoid.
7. Add **Rules** for behavior constraints such as avoiding destructive actions.
8. Add **Custom Values** for context such as `tenant_slug`, `workspace_id`, `organization_id`, or `environment`.
9. Save changes before starting an assessment or Agent.

The Scope modal supports bulk entry for Include and Exclude items. Add one domain, IP, CIDR, route, or other scoped item per line.

## Examples

### Tenant-Aware SaaS App

```text theme={null}
Target: https://app.example.com
Login route: https://app.example.com/login
Tenant slug: acme-security
Include: /dashboard, /settings, /api
Exclude: /billing, /admin/delete-account
Rule: Do not trigger production emails or payment flows.
```

### Multi-Domain Login Flow

```text theme={null}
Target: https://app.example.com
Login starts at: https://login.example.com
Include domains: app.example.com, login.example.com
Expected post-login page: https://app.example.com/dashboard
```

## Before Launch

Confirm:

* the target is verified
* stored credentials are dedicated test accounts
* login instructions include every redirect and required intermediate step
* include and exclude entries are current
* behavior rules cover sensitive workflows
* WAF allowlisting is complete if your infrastructure filters automated traffic

For authentication setup, see [Authentication & Credentials](/guides/authentication-credentials). For firewall setup, see [WAF Whitelisting](/guides/waf-whitelisting).
