kt gateway
The kt gateway command group covers local supervisor definitions, runtime
inspection, reload or revert workflows, OS-level service management, and a
separate remote inventory view.
Preflight a runtime config
Resolve providers, credentials, routing, and the policy chain without starting a server:
kt gateway check --config policy-config.yaml
Use --verbose to expand provider-readiness details. The command reports the
config version and digest, active and inactive providers, routing strategy,
policy chain, and a final Ready or Not Ready result.
Run it with the same environment and secret-store access as the intended
service. gateway check does not start a process, send a provider inference,
deploy a config, or prove that application traffic reaches the gateway. See
Config Validation for the complete preflight
sequence.
Local definitions and inventory
Create a local supervisor definition
kt gateway create \
--name production \
--listen 127.0.0.1:41002 \
--upstream https://api.openai.com
create writes local supervisor state. It does not register a gateway in the
Keeptrusts control plane and does not start the process.
List local gateways
kt gateway list
List remote gateways
kt gateway list --remote
The local list reads supervisor state and needs no API token. --remote calls
GET /v1/gateways and requires API authentication.
Inspection and runtime state
Inspect a named gateway
kt gateway inspect --name keeptrusts-proxy
Read a running gateway config endpoint
kt gateway config --gateway-url http://127.0.0.1:41002
Use --expect-version or --expect-sha256 when you want the command to fail on an unexpected runtime version or digest.
If the runtime protects its admin endpoints, pass its admin bearer token with
--api-token.
Diff local service state
kt gateway diff --name keeptrusts-proxy
Reload a running gateway
kt gateway reload \
--name keeptrusts-proxy \
--gateway-url http://127.0.0.1:41002
Reload reads the definition's configured policy paths unless
--config-path is supplied. It records the current config as a rollback target,
posts the new YAML, verifies the active version and digest, and attempts an
automatic rollback if activation verification fails.
Revert a running gateway
kt gateway revert \
--name keeptrusts-proxy \
--gateway-url http://127.0.0.1:41002
Revert requires the named local definition to have a saved rollback target from an earlier reload.
Reconcile gateway state
kt gateway reconcile --name keeptrusts-proxy
Use --all to reconcile every known gateway, --apply-rollback to apply a pending rollback, or --cancel to cancel the pending action.
Service installation
Install a local service
kt gateway install \
--name keeptrusts-proxy \
--listen 127.0.0.1:41002 \
--upstream https://api.openai.com
If you install from policy-config.yaml, carry over the same runtime requirements as kt gateway run: bind the service to an agent and provide Keeptrusts API authentication.
Use --agent-id <id> for an exact binding or --agent-name <name> to resolve
by name. Prefer KEEPTRUSTS_API_TOKEN over putting a runtime token directly in
the command line. Installation targets a macOS launchd user service or Linux
systemd user service.
The examples bind only to loopback. Choose an all-interface listener only when the host has deliberate ingress, firewall, TLS, and application-token controls.
Start, stop, status, and uninstall
kt gateway start --name keeptrusts-proxy
kt gateway status --name keeptrusts-proxy
kt gateway stop --name keeptrusts-proxy
kt gateway uninstall --name keeptrusts-proxy
kt gateway status and kt gateway uninstall default to keeptrusts-proxy when --name is omitted, but including the name keeps scripts unambiguous.
Runtime binary upgrades
Upgrade operations work on an existing local supervisor definition. Record a plan, apply it, inspect the result, or return to the recorded rollback binary:
TARGET_BINARY=/opt/keeptrusts/kt-next
kt gateway upgrade plan \
--name keeptrusts-proxy \
--target-version next \
--binary-path "$TARGET_BINARY"
kt gateway upgrade apply --name keeptrusts-proxy
kt gateway upgrade status --name keeptrusts-proxy --json
kt gateway upgrade rollback --name keeptrusts-proxy
apply can also take the plan fields directly. Optional health checks run
after the service update; a failed check marks the upgrade failed. The current
commands do not prompt before plan, apply, or rollback, so review the target and
rollback paths before running them.