Skip to main content

Config-First Workflow

Keeptrusts is designed around declarative config. For most teams, policy-config.yaml is the primary artifact because it defines routing, policy evaluation, secrets references, tests, and the runtime behavior you later verify in the product.

The working rule

Use this default split:

  • If a change affects runtime AI behavior, put it in policy-config.yaml.
  • If a change stores secret material, reference it from config with secret_key_ref.env or secret_key_ref.store.
  • If a change versions, reviews, or rolls out config, use the console or CLI.
  • If a change is about users, teams, SSO, tokens, budgets, or billing controls, use the corresponding product surface rather than embedding it in runtime policy.

Minimal loop

kt init
kt policy lint --file policy-config.yaml
kt policy test --json
export KEEPTRUSTS_API_URL="https://api.keeptrusts.com"
export KEEPTRUSTS_API_TOKEN="kt_your_gateway_runtime_token"
kt gateway run --listen 127.0.0.1:41002 --agent docs-demo --policy-config policy-config.yaml

That loop is the core product experience: author config, validate it, run it, and improve it based on observed behavior.

What belongs where

ConcernPrimary surfaceWhy
Runtime policy behavior, routing, fallbacks, rate limits, and audit settingspolicy-config.yamlThis is the source of truth for request-time behavior
Provider credentials for local developmentEnvironment variables referenced by secret_key_ref.envKeeps credentials out of YAML
Provider credentials for centrally managed runtimesStored secrets referenced by secret_key_ref.storeKeeps the same config portable across environments
Version history, review, rollout, and rollbackConfigurations in the console or the matching CLI flowThese workflows move the same YAML safely
Runtime verification and investigationkt events or GET /v1/events with required since for request outcomes; the applicable Gateways, Inbox, Trail, Usage, or capture-enabled History console surfaceEach command, API, or console surface proves a different part of live behavior; History contains session content only when capture is enabled
Team access, SSO, tokens, budgets, and billingThe corresponding settings or billing surfacesThese are surrounding product controls, not request-time policy

For a single environment:

ai-governance/
├── policy-config.yaml
├── tests/
│ ├── allows-normal-request.yaml
│ ├── blocks-prompt-injection.yaml
│ └── redacts-pii.yaml
└── README.md

For multiple environments:

configs/
├── staging/policy-config.yaml
├── production/policy-config.yaml
└── regulated/policy-config.yaml

tests/
├── staging/
├── production/
└── regulated/

Keep each deployed environment explicit. Avoid hidden inheritance or manual runtime drift.

Start with these pages

  1. Quickstart
  2. Declarative Config Reference
  3. Policies Overview
  4. Configurations
  5. kt gateway run

Next steps