CJIS Mode
The cjis-mode policy runs in the input phase. It checks whether a request is considered authenticated and, when logging is enabled, writes a simple CJIS access-log line containing the user ID and block status.
Phase and verdicts
- Phase:
input - Possible verdicts:
allow,block
Configuration
pack:
name: cjis-mode-example
version: 1.0.0
enabled: true
policies:
chain:
- cjis-mode
policy:
cjis-mode:
require_auth: true
access_logging: true
encryption_at_rest: true
session_timeout_minutes: 30
Fields
| Field | Type | Default | Notes |
|---|---|---|---|
require_auth | boolean | true | Blocks when neither Authorization nor X-User-ID is present. |
access_logging | boolean | true | Writes a [cjis-access-log] line to stderr with the derived user ID and block status. |
encryption_at_rest | boolean | true | Accepted CJIS declaration; it does not currently inspect storage or alter this policy's verdict. |
session_timeout_minutes | integer | 30 | Accepted range is 1–1440; it does not currently track idle sessions or alter this policy's verdict. |
How it works
- The gateway checks for an
Authorizationheader and anX-User-IDheader. - A request is treated as authenticated when either header is present.
- If
require_authistrueand neither header is present, the policy returnsblock. - If
access_loggingistrue, the gateway emits a simple access log line showinguser,authed, andblocked.
Behavior notes
- The policy checks header presence, not full credential validation.
X-User-IDalone is sufficient for the current gate.- The access log is a simple structured stderr line, not a full SIEM integration object.
encryption_at_restandsession_timeout_minutesare declarations only in the current gateway; enforce storage encryption and session expiry in their owning platform layers.
Example scenarios
Require an authenticated caller signal
policy:
cjis-mode:
require_auth: true
Disable the stderr log line
policy:
cjis-mode:
require_auth: true
access_logging: false
Best practices
- Pair
cjis-modewithpii-detectorwhen prompts can include criminal justice information. - Ensure upstream identity middleware sets
AuthorizationorX-User-IDconsistently before relying on this gate. - Use event-sink and Trail controls for audit retention outside this policy.
audit-loggermarks audit logging as active in the decision stream but does not configure retention.
Next steps
- Case Privacy policy — redact case identifiers alongside CJIS gating
- PII Detector policy — protect sensitive personal data
- Policies overview — policy chain architecture