Skip to main content

CJIS Mode

The cjis-mode policy runs in the input phase. It checks whether a request is considered authenticated and, when logging is enabled, writes a simple CJIS access-log line containing the user ID and block status.

Phase and verdicts

  • Phase: input
  • Possible verdicts: allow, block

Configuration

pack:
name: cjis-mode-example
version: 1.0.0
enabled: true
policies:
chain:
- cjis-mode
policy:
cjis-mode:
require_auth: true
access_logging: true
encryption_at_rest: true
session_timeout_minutes: 30

Fields

FieldTypeDefaultNotes
require_authbooleantrueBlocks when neither Authorization nor X-User-ID is present.
access_loggingbooleantrueWrites a [cjis-access-log] line to stderr with the derived user ID and block status.
encryption_at_restbooleantrueAccepted CJIS declaration; it does not currently inspect storage or alter this policy's verdict.
session_timeout_minutesinteger30Accepted range is 1–1440; it does not currently track idle sessions or alter this policy's verdict.

How it works

  1. The gateway checks for an Authorization header and an X-User-ID header.
  2. A request is treated as authenticated when either header is present.
  3. If require_auth is true and neither header is present, the policy returns block.
  4. If access_logging is true, the gateway emits a simple access log line showing user, authed, and blocked.

Behavior notes

  • The policy checks header presence, not full credential validation.
  • X-User-ID alone is sufficient for the current gate.
  • The access log is a simple structured stderr line, not a full SIEM integration object.
  • encryption_at_rest and session_timeout_minutes are declarations only in the current gateway; enforce storage encryption and session expiry in their owning platform layers.

Example scenarios

Require an authenticated caller signal

policy:
cjis-mode:
require_auth: true

Disable the stderr log line

policy:
cjis-mode:
require_auth: true
access_logging: false

Best practices

  • Pair cjis-mode with pii-detector when prompts can include criminal justice information.
  • Ensure upstream identity middleware sets Authorization or X-User-ID consistently before relying on this gate.
  • Use event-sink and Trail controls for audit retention outside this policy. audit-logger marks audit logging as active in the decision stream but does not configure retention.

Next steps