Skip to main content

Per-Policy Configuration Catalog

Use this catalog to move from a customer requirement to the policy guide that owns its configuration and runtime boundaries. It inventories every key currently accepted under policy: by the public declarative schema.

Current schema inventory

The current PolicyBlocks schema exposes 39 policy kinds: 28 primarily request-side controls and 11 primarily output-side controls.

A schema-valid block is not enough to make a policy run. The kind must also be present in the effective global or route policies.chain:

policies:
chain:
- prompt-injection
- response-rewriter

policy:
prompt-injection:
response:
action: block
response-rewriter:
rules:
- name: add-review-note
replacement: "\n\nAI output — verify independently."
position: append

In this example both blocks run. If response-rewriter is removed from the chain but its block remains, that block is stored configuration only.

Understand the runtime labels

This catalog uses customer-facing execution positions:

LabelMeaning
requestEvaluated from request messages, headers, or JSON before the provider response is delivered.
toolGoverns tools or tool-related request fields. Exact invocation coverage is policy-specific.
preflightAdds an early marker/result without changing request content.
routingAcknowledged in the chain, with authoritative enforcement at provider selection.
pre-upstream rewriteDedicated transform applied before forwarding the request.
responseEvaluated against a supported provider response. Buffering and streaming support vary by policy.

These labels are more useful than assuming every control follows the same generic stage handler. Read the linked guide before relying on output, streaming, mutation, external-service, or compliance behavior.

Request-side policies

Policy kindPrimary runtime positionPrimary guide
prompt-injectionrequestprompt-injection
pii-detectorrequestpii-detector
hipaa-phi-detectorrequesthipaa-phi-detector
rbacrequestrbac
agent-firewalltoolagent-firewall
audit-loggerpreflightaudit-logger
cjis-moderequestcjis-mode
dlp-filterrequestdlp-filter
safety-filterrequestsafety-filter
student-privacyrequeststudent-privacy
case-privacyrequestcase-privacy
itar-ear-filterrequestitar-ear-filter
entity-list-filterrequestentity-list-filter
dual-use-filterrequestdual-use-filter
embedding-detectorrequestembedding-detector
data-routing-policyroutingdata-routing-policy
language-validatorrequestlanguage-validator
external-moderationrequestexternal-moderation
bot-detectorrequestbot-detector
content-extractorrequestcontent-extractor
document-analyzerrequestdocument-analyzer
code-sanitizerrequestcode-sanitation
tool-validationrequesttool-validation
tool-securityrequesttool-security
tool-budgetrequesttool-budget
gdpr-compliancerequestconfig-compliance-policies
eu-ai-actrequestconfig-compliance-policies
request-rewriterpre-upstream rewriterequest-rewriter

Output-side policies

Policy kindPrimary runtime positionPrimary guide
quality-scorerresponsequality-scorer
human-oversightresponsehuman-oversight
citation-verifierresponsecitation-verifier
financial-complianceresponsefinancial-compliance
healthcare-complianceresponsehealthcare-compliance
legal-privilegeresponselegal-privilege
upl-filterresponseupl-filter
mnpi-filterresponsemnpi-filter
bias-monitorresponsebias-monitor
flagged-reviewresponseconfig-flagged-review
response-rewriterresponseresponse-rewriter

Choose controls by outcome

Customer outcomeStart withAdd when needed
Block prompt attacksprompt-injectionembedding-detector for its documented similarity signals
Redact sensitive identifierspii-detectorhipaa-phi-detector, student-privacy, or case-privacy for their narrower domains
Protect organization-specific datadlp-filterdata-routing-policy to constrain eligible providers
Govern agent toolstool-validationtool-security, tool-budget, and agent-firewall for distinct checks
Require output quality or evidencequality-scorercitation-verifier and human-oversight
Transform prompts or responsesrequest-rewriterresponse-rewriter for supported non-streaming output
Add regulated-domain text controlsCompliance PoliciesRead each policy's limitations; these controls do not certify compliance
Record an audit markeraudit-loggerRuntime Events and Trail workflows for actual evidence, storage, and integrity

Adjacent controls are not interchangeable. For example, tool-budget checks a declared request token ceiling; it is not cumulative cost metering. audit-logger emits an allow-only marker; it does not configure retention.

Schema acceptance versus enforcement

Use three separate questions when reviewing a block:

  1. Is the YAML valid? The declarative schema answers this.
  2. Will the block run? The effective chain, route, conditions, and targeting answer this.
  3. What does the runtime enforce? The linked guide's exact inputs, verdicts, reason codes, transport support, and limitations answer this.

Important current examples:

  • audit-logger accepts immutability and retention fields, but its evaluator ignores them.
  • tool-budget.max_cost_usd is accepted, but the policy does not enforce it.
  • response-rewriter.preserve_structure is accepted and reported, while the supported JSON handler preserves structure regardless of the value.
  • student-privacy detects more input keywords than its output block path, and keyword-only redaction verdicts do not guarantee those words are replaced.
  • upl-filter and response-rewriter do not currently enforce their output behavior on SSE streaming responses.

Treat a green lint result as shape validation, not proof of those runtime capabilities.

Chain and route behavior

  • Chain order is observable. A blocking or escalating stage result prevents later entries in that stage from running.
  • Conditional when clauses can filter by path, exact header value, or model.
  • Targeting can scope entries to teams or gateways.
  • Route-owned chains can differ from the global chain.
  • Output policies inspect only the response formats their guides list.
  • Policies that need the complete response can add latency or be unavailable on a streaming path.

When behavior differs between two requests, first compare their route, applied configuration version, targeting context, request family, and stream value.

Validation and rollout

Run the narrow validation sequence on the exact pack:

kt policy lint --file policy-config.yaml
kt policy test --json
kt gateway run \
--listen 127.0.0.1:41002 \
--agent policy-verification \
--policy-config policy-config.yaml

kt policy test is useful for pre-request decisions and its documented fixture features. It is not a full transport simulation. Use representative live gateway requests for routing, external integrations, rewriting, response policies, redaction, and streaming.

Before broad rollout:

  1. Add positive, negative, boundary, and false-positive cases.
  2. Exercise every request family and streaming mode the application uses.
  3. Verify caller-visible status/body and nested policy results.
  4. Correlate the request ID with kt events tail --since 10m --json.
  5. Confirm the intended gateway is running the expected configuration version.

Troubleshooting

SymptomLikely causeWhat to check
Config lints but policy never appearsThe block is absent from the effective chain or is filtered by route, when, or targeting.Inspect the applied global/route chain and request context.
A valid field has no effectSchema acceptance can be broader than current enforcement.Read the policy's supported-fields and limitations sections.
Output policy works only for some clientsResponse JSON shape or streaming mode differs.Compare request family, stream, and the documented supported paths.
Expected later marker/result is absentAn earlier policy stopped the stage.Inspect chain order and the decisive block/escalate reason.
Pack tests pass but integration failsThe test runner does not simulate all gateway handlers and transport paths.Run the exact request through a controlled gateway/upstream.
Final reason is ok despite a policy-specific allow resultNested allow reasons do not necessarily replace the overall reason.Inspect policy_results[], not only the final envelope.

Next steps