Skip to main content

Configuration & Policy Overview

This section explains how Keeptrusts declarative config turns policy controls into a working gateway contract. Use it to decide which policy kinds you need, how they fit into policies.chain, and how the resulting config behaves at runtime.

Start here

If you need to...Start with
Understand the supported top-level schemaDeclarative Config Reference
Browse supported controls before choosing onePolicy Controls Catalog
Define provider targets, routing, or fallbackProviders Configuration and data-routing-policy
Add tests before rolloutConfig Testing and kt policy test
Protect sensitive or regulated datapii-detector and dlp-filter
Defend the input boundaryprompt-injection

Follow this order

  1. Start with the Declarative Config Reference so the document shape is correct.
  2. Pick the policy kinds you need from the Policy Controls Catalog.
  3. Add them to policies.chain and tune each block under policy.<kind>.
  4. Validate the config with linting and tests before rollout.
  5. Add the audit marker and verify request outcomes with kt events or the Events API. Add History only when capture is enabled and retained session context is needed.

How policies work

Major policy groups

Request and routing controls

Policy KindPurpose
prompt-injectionBlock prompt-injection and jailbreak signals before upstream calls
pii-detectorDetect sensitive identifiers and redact or block request content
dlp-filterApply broader pattern-based filtering for sensitive or proprietary data
rbacApply role, identity, and sensitivity-based access rules
agent-firewallRestrict agent tool use and unsafe action classes
data-routing-policyFilter provider targets by retention or training metadata

Output controls

Policy KindPurpose
quality-scorerScore output quality and block or escalate on thresholds
human-oversightReturn an escalated result instead of delivering output
citation-verifierVerify groundedness against context

Audit and evidence

Policy KindPurpose
audit-loggerEmit an allow-only audit marker; retention and storage are configured separately

Example configuration

pack:
name: "my-project"
version: "0.1.0"
enabled: true

policies:
chain:
- prompt-injection
- pii-detector
- quality-scorer
- audit-logger

policy:
prompt-injection:
attack_patterns:
- "ignore.*previous.*instructions"
- "forget.*system.*prompt"
encoding:
decode_base64: true
normalize_unicode: true
detect_homoglyphs: true
boundaries:
enforce_delimiters: true
reject_fake_boundaries: true
response:
action: block

pii-detector:
action: redact
pci_mode: true

quality-scorer:
assertions:
- type: word-count
config:
min: 20
thresholds:
min_aggregate: 0.7

audit-logger: {}

Key rules

  • Chain order matters — policies execute in the order listed in policies.chain.
  • First blocking verdict wins — once the gateway blocks a turn, later policies do not run for that stage.
  • Redaction and output buffering are runtime behaviors — some policies redact request text, some buffer and inspect output, and some do both.
  • Some controls are phase-limited today — for example, human-oversight is output-only and language-validator currently enforces input checks only.

See the Declarative Config Reference for the complete schema and the Policy Controls Catalog for the inventory of supported controls.

Next steps