kt policy lint
Validate a runtime policy configuration or an ABAC policy bundle before you publish it. Runtime mode applies the declarative configuration schema and semantic checks; ABAC mode validates policy statements.
Usage
kt policy lint [--file <path>] [--mode auto|runtime|abac]
Options
| Flag | Description |
|---|---|
--file <path> | File to validate. Defaults to policy-config.yaml. |
--mode <mode> | auto (default), runtime, or abac. Auto detects ABAC bundles and otherwise uses runtime validation. |
Examples
Valid configuration
kt policy lint --file policy-config.yaml
Success is silent and exits with code 0.
Invalid configuration
kt policy lint --file bad-config.yaml
The command writes deterministic diagnostics to stderr and ends with
policy lint failed (<count> error(s)). Validation failures are user errors
and exit with code 2.
What Lint Checks
| Check | Description |
|---|---|
| Schema validation | YAML parses correctly and matches expected structure |
| Unknown top-level keys | Rejects keys that are not part of the current declarative schema |
| Unknown policy kinds | Every kind in chain must be recognized |
| Unknown fields | Keys inside policy.<kind> must match schema |
| Required values and bounds | Checks required fields, allowed enum values, numeric bounds, and cross-field requirements |
| References | Checks policy-chain, provider, route, tool-server, secret, and test references where the schema requires them |
| ABAC statements | In ABAC mode, validates effects, actions, resources, and conditions |
Example Configurations
Minimal Valid Config
pack:
name: "my-project"
version: "0.1.0"
enabled: true
policies:
chain:
- prompt-injection
Full Config with Providers and Policies
pack:
name: multi-provider
version: 0.1.0
enabled: true
providers:
targets:
- id: openai-primary
provider: openai
model: your-openai-model
base_url: https://api.openai.com
secret_key_ref:
env: KEEPTRUSTS_OPENAI_API_KEY
- id: azure-fallback
provider: azure
provider_type: azure-openai
format: openai
model: your-azure-openai-model
base_url: https://replace-with-resource-name.openai.azure.com
secret_key_ref:
env: KEEPTRUSTS_AZURE_OPENAI_API_KEY
azure_api_version: your-supported-api-version
azure_deployment: your-azure-deployment
routing:
strategy: ordered
policies:
chain:
- prompt-injection
- pii-detector
Replace the model placeholders with IDs supported by the configured provider accounts before starting the gateway.
To override the default provider fallback classes, add the same canonical key that lint and runtime consume:
providers:
fallback:
trigger_on:
- rate_limit
- server_error
- timeout
See Multi-Provider Fallback before enabling cross-target retries for billable or side-effecting requests.
Next steps
- kt policy test — Run behavioral tests against your policy chain
- kt gateway run — Start the gateway with a validated config
- Config-First Workflow — The recommended policy-as-code lifecycle
- CLI overview