Per-Policy Configuration Catalog
Use this catalog to move from a customer requirement to the policy guide that
owns its configuration and runtime boundaries. It inventories every key
currently accepted under policy: by the public declarative schema.
Current schema inventory
The current PolicyBlocks schema exposes 39 policy kinds: 28 primarily
request-side controls and 11 primarily output-side controls.
A schema-valid block is not enough to make a policy run. The kind must also be
present in the effective global or route policies.chain:
policies:
chain:
- prompt-injection
- response-rewriter
policy:
prompt-injection:
response:
action: block
response-rewriter:
rules:
- name: add-review-note
replacement: "\n\nAI output — verify independently."
position: append
In this example both blocks run. If response-rewriter is removed from the
chain but its block remains, that block is stored configuration only.
Understand the runtime labels
This catalog uses customer-facing execution positions:
| Label | Meaning |
|---|---|
request | Evaluated from request messages, headers, or JSON before the provider response is delivered. |
tool | Governs tools or tool-related request fields. Exact invocation coverage is policy-specific. |
preflight | Adds an early marker/result without changing request content. |
routing | Acknowledged in the chain, with authoritative enforcement at provider selection. |
pre-upstream rewrite | Dedicated transform applied before forwarding the request. |
response | Evaluated against a supported provider response. Buffering and streaming support vary by policy. |
These labels are more useful than assuming every control follows the same generic stage handler. Read the linked guide before relying on output, streaming, mutation, external-service, or compliance behavior.
Request-side policies
| Policy kind | Primary runtime position | Primary guide |
|---|---|---|
prompt-injection | request | prompt-injection |
pii-detector | request | pii-detector |
hipaa-phi-detector | request | hipaa-phi-detector |
rbac | request | rbac |
agent-firewall | tool | agent-firewall |
audit-logger | preflight | audit-logger |
cjis-mode | request | cjis-mode |
dlp-filter | request | dlp-filter |
safety-filter | request | safety-filter |
student-privacy | request | student-privacy |
case-privacy | request | case-privacy |
itar-ear-filter | request | itar-ear-filter |
entity-list-filter | request | entity-list-filter |
dual-use-filter | request | dual-use-filter |
embedding-detector | request | embedding-detector |
data-routing-policy | routing | data-routing-policy |
language-validator | request | language-validator |
external-moderation | request | external-moderation |
bot-detector | request | bot-detector |
content-extractor | request | content-extractor |
document-analyzer | request | document-analyzer |
code-sanitizer | request | code-sanitation |
tool-validation | request | tool-validation |
tool-security | request | tool-security |
tool-budget | request | tool-budget |
gdpr-compliance | request | config-compliance-policies |
eu-ai-act | request | config-compliance-policies |
request-rewriter | pre-upstream rewrite | request-rewriter |
Output-side policies
| Policy kind | Primary runtime position | Primary guide |
|---|---|---|
quality-scorer | response | quality-scorer |
human-oversight | response | human-oversight |
citation-verifier | response | citation-verifier |
financial-compliance | response | financial-compliance |
healthcare-compliance | response | healthcare-compliance |
legal-privilege | response | legal-privilege |
upl-filter | response | upl-filter |
mnpi-filter | response | mnpi-filter |
bias-monitor | response | bias-monitor |
flagged-review | response | config-flagged-review |
response-rewriter | response | response-rewriter |
Choose controls by outcome
| Customer outcome | Start with | Add when needed |
|---|---|---|
| Block prompt attacks | prompt-injection | embedding-detector for its documented similarity signals |
| Redact sensitive identifiers | pii-detector | hipaa-phi-detector, student-privacy, or case-privacy for their narrower domains |
| Protect organization-specific data | dlp-filter | data-routing-policy to constrain eligible providers |
| Govern agent tools | tool-validation | tool-security, tool-budget, and agent-firewall for distinct checks |
| Require output quality or evidence | quality-scorer | citation-verifier and human-oversight |
| Transform prompts or responses | request-rewriter | response-rewriter for supported non-streaming output |
| Add regulated-domain text controls | Compliance Policies | Read each policy's limitations; these controls do not certify compliance |
| Record an audit marker | audit-logger | Runtime Events and Trail workflows for actual evidence, storage, and integrity |
Adjacent controls are not interchangeable. For example, tool-budget checks a
declared request token ceiling; it is not cumulative cost metering.
audit-logger emits an allow-only marker; it does not configure retention.
Schema acceptance versus enforcement
Use three separate questions when reviewing a block:
- Is the YAML valid? The declarative schema answers this.
- Will the block run? The effective chain, route, conditions, and targeting answer this.
- What does the runtime enforce? The linked guide's exact inputs, verdicts, reason codes, transport support, and limitations answer this.
Important current examples:
audit-loggeraccepts immutability and retention fields, but its evaluator ignores them.tool-budget.max_cost_usdis accepted, but the policy does not enforce it.response-rewriter.preserve_structureis accepted and reported, while the supported JSON handler preserves structure regardless of the value.student-privacydetects more input keywords than its output block path, and keyword-only redaction verdicts do not guarantee those words are replaced.upl-filterandresponse-rewriterdo not currently enforce their output behavior on SSE streaming responses.
Treat a green lint result as shape validation, not proof of those runtime capabilities.
Chain and route behavior
- Chain order is observable. A blocking or escalating stage result prevents later entries in that stage from running.
- Conditional
whenclauses can filter by path, exact header value, or model. - Targeting can scope entries to teams or gateways.
- Route-owned chains can differ from the global chain.
- Output policies inspect only the response formats their guides list.
- Policies that need the complete response can add latency or be unavailable on a streaming path.
When behavior differs between two requests, first compare their route, applied
configuration version, targeting context, request family, and stream value.
Validation and rollout
Run the narrow validation sequence on the exact pack:
kt policy lint --file policy-config.yaml
kt policy test --json
kt gateway run \
--listen 127.0.0.1:41002 \
--agent policy-verification \
--policy-config policy-config.yaml
kt policy test is useful for pre-request decisions and its documented fixture
features. It is not a full transport simulation. Use representative live
gateway requests for routing, external integrations, rewriting, response
policies, redaction, and streaming.
Before broad rollout:
- Add positive, negative, boundary, and false-positive cases.
- Exercise every request family and streaming mode the application uses.
- Verify caller-visible status/body and nested policy results.
- Correlate the request ID with
kt events tail --since 10m --json. - Confirm the intended gateway is running the expected configuration version.
Troubleshooting
| Symptom | Likely cause | What to check |
|---|---|---|
| Config lints but policy never appears | The block is absent from the effective chain or is filtered by route, when, or targeting. | Inspect the applied global/route chain and request context. |
| A valid field has no effect | Schema acceptance can be broader than current enforcement. | Read the policy's supported-fields and limitations sections. |
| Output policy works only for some clients | Response JSON shape or streaming mode differs. | Compare request family, stream, and the documented supported paths. |
| Expected later marker/result is absent | An earlier policy stopped the stage. | Inspect chain order and the decisive block/escalate reason. |
| Pack tests pass but integration fails | The test runner does not simulate all gateway handlers and transport paths. | Run the exact request through a controlled gateway/upstream. |
Final reason is ok despite a policy-specific allow result | Nested allow reasons do not necessarily replace the overall reason. | Inspect policy_results[], not only the final envelope. |
Next steps
- Policy Controls Catalog — compare capabilities and starter configurations
- Declarative Config Reference — inspect the top-level schema
- Conditional Chains — scope execution by request context
- Config Testing — build deterministic behavior coverage
- Config-First Workflow — validate, deploy, and verify the same version