Skip to main content

kt policy lint

Validate a runtime policy configuration or an ABAC policy bundle before you publish it. Runtime mode applies the declarative configuration schema and semantic checks; ABAC mode validates policy statements.

Usage

kt policy lint [--file <path>] [--mode auto|runtime|abac]

Options

FlagDescription
--file <path>File to validate. Defaults to policy-config.yaml.
--mode <mode>auto (default), runtime, or abac. Auto detects ABAC bundles and otherwise uses runtime validation.

Examples

Valid configuration

kt policy lint --file policy-config.yaml

Success is silent and exits with code 0.

Invalid configuration

kt policy lint --file bad-config.yaml

The command writes deterministic diagnostics to stderr and ends with policy lint failed (<count> error(s)). Validation failures are user errors and exit with code 2.

What Lint Checks

CheckDescription
Schema validationYAML parses correctly and matches expected structure
Unknown top-level keysRejects keys that are not part of the current declarative schema
Unknown policy kindsEvery kind in chain must be recognized
Unknown fieldsKeys inside policy.<kind> must match schema
Required values and boundsChecks required fields, allowed enum values, numeric bounds, and cross-field requirements
ReferencesChecks policy-chain, provider, route, tool-server, secret, and test references where the schema requires them
ABAC statementsIn ABAC mode, validates effects, actions, resources, and conditions

Example Configurations

Minimal Valid Config

pack:
name: "my-project"
version: "0.1.0"
enabled: true

policies:
chain:
- prompt-injection

Full Config with Providers and Policies

pack:
name: multi-provider
version: 0.1.0
enabled: true

providers:
targets:
- id: openai-primary
provider: openai
model: your-openai-model
base_url: https://api.openai.com
secret_key_ref:
env: KEEPTRUSTS_OPENAI_API_KEY
- id: azure-fallback
provider: azure
provider_type: azure-openai
format: openai
model: your-azure-openai-model
base_url: https://replace-with-resource-name.openai.azure.com
secret_key_ref:
env: KEEPTRUSTS_AZURE_OPENAI_API_KEY
azure_api_version: your-supported-api-version
azure_deployment: your-azure-deployment

routing:
strategy: ordered

policies:
chain:
- prompt-injection
- pii-detector

Replace the model placeholders with IDs supported by the configured provider accounts before starting the gateway.

To override the default provider fallback classes, add the same canonical key that lint and runtime consume:

providers:
fallback:
trigger_on:
- rate_limit
- server_error
- timeout

See Multi-Provider Fallback before enabling cross-target retries for billable or side-effecting requests.

Next steps