Request Rewriter

The request-rewriter policy modifies outbound requests before they are sent to the AI provider, enabling system message injection, content sanitization, and regex-based text transformations.

Use this page when

You need to inject system messages, compliance instructions, or safety preambles into every request.
You are stripping confidential terms, internal URLs, or project codenames before requests reach AI providers.
You want regex-based request transformations with conditional application.

Primary audience

Primary: AI Agents, Technical Engineers
Secondary: Technical Leaders

Configuration

policy:
  request-rewriter:
    system_message: You are a helpful assistant. Follow company policy at all times.
    rules:
    - name: remove-internal-urls
      pattern: https?://internal\.[a-zA-Z0-9.-]+\.corp[/\w]*
      replacement: "[REDACTED_URL]"
      position: replace
    - name: add-safety-preamble
      pattern: "^(.+)$"
      replacement: "[SAFETY] $1"
      position: prepend
      condition: dangerous
pack:
  name: request-rewriter-example-1
  version: 1.0.0
  enabled: true
policies:
  chain:
  - request-rewriter

Fields

Field	Type	Description	Default
`system_message`	string or `{ content: string }`	System message to prepend to every request. Can be a plain string or an object with a `content` field. Used to inject compliance instructions, role definitions, or safety preambles.	—
`rules`	RewriteRule[]	Ordered list of regex-based rewrite rules applied to request content. Rules execute in declaration order.	`[]`
`rules[].name`	string	Required. Unique identifier for the rule, used in audit logs.	—
`rules[].pattern`	string	Regular expression pattern to match. Supports capture groups (`(...)`) for use in replacements.	—
`rules[].replacement`	string	Replacement string. Use `$1`, `$2`, etc. to reference capture groups from the pattern.	—
`rules[].position`	string	How the replacement is applied: `"replace"` substitutes the match, `"prepend"` inserts before the match, `"append"` inserts after the match.	`"replace"`
`rules[].condition`	string	Optional substring guard. The rule only applies if this substring is present in the request content.	—

Use Cases

Injecting Compliance System Messages

Prepend a compliance-mandated system message to every request sent through the gateway.

pack:
  name: "compliance-injection"
  version: "0.1.0"
  enabled: true

policies:
  chain:
    - request-rewriter
    - prompt-injection
    - audit-logger

policy:
  request-rewriter:
    system_message:
      content: |
        You are bound by the following rules:
        1. Never disclose confidential company information.
        2. Do not provide financial, legal, or medical advice.
        3. Always include a disclaimer when discussing regulated topics.

  prompt-injection:
    threshold: 0.8
    action: "block"

  audit-logger:
    retention_days: 365

Removing Confidential Terms Before Sending to LLM

Strip internal project code names and URLs from user prompts before they reach the provider.

pack:
  name: "sanitize-requests"
  version: "0.1.0"
  enabled: true

policies:
  chain:
    - request-rewriter
    - dlp-filter

policy:
  request-rewriter:
    rules:
      - name: "strip-project-codenames"
        pattern: '\b(Project (Atlas|Beacon|Citadel))\b'
        replacement: "[INTERNAL_PROJECT]"
        position: "replace"
      - name: "strip-internal-urls"
        pattern: 'https?://[a-zA-Z0-9.-]+\.internal\.company\.com[/\w.-]*'
        replacement: "[REDACTED_URL]"
        position: "replace"

  dlp-filter:
    action: "block"
    patterns:
      - name: "api_key"
        regex: "sk-[a-zA-Z0-9]{48}"

Adding Safety Preambles

Conditionally prepend a safety instruction when the request mentions sensitive topics.

pack:
  name: "safety-preamble"
  version: "0.1.0"
  enabled: true

policies:
  chain:
    - request-rewriter
    - safety-filter

policy:
  request-rewriter:
    system_message: "You must refuse any request that involves harm to individuals."
    rules:
      - name: "medical-preamble"
        pattern: "^"
        replacement: "[IMPORTANT: Do not provide medical diagnoses.] "
        position: "prepend"
        condition: "symptoms"
      - name: "legal-preamble"
        pattern: "^"
        replacement: "[IMPORTANT: Do not provide legal advice.] "
        position: "prepend"
        condition: "lawsuit"

  safety-filter:
    action: "block"

How It Works

System message injection — If system_message is set, a system-role message is prepended to the request's message array before any other processing. If the request already contains a system message, the injected message is prepended before it.
Rule evaluation — Rules execute sequentially in declaration order. Each rule's condition (if set) is checked first; if the substring is not present, the rule is skipped.
Pattern matching — The pattern regex is applied to the request content. All matches are processed according to the position setting.
Replacement — For "replace", matched text is substituted with replacement. For "prepend", the replacement is inserted before the match. For "append", it is inserted after the match.
Passthrough — The modified request is forwarded to the next policy in the chain or to the upstream provider.

Best Practices

Order rules carefully. Rules execute in declaration order. Place broader sanitization rules (URL stripping) before narrower ones (keyword replacement) to avoid partial matches on already-modified text.
Use condition to limit scope. Avoid running expensive regex patterns on every request. Use substring guards to limit rule execution to relevant content.
Prefer system_message over rules for role definitions. System message injection is simpler and more reliable than regex-based prepending for compliance preambles.
Combine with dlp-filter. Use request-rewriter for known-pattern sanitization and dlp-filter as a catch-all safety net for sensitive data patterns.
Test patterns thoroughly. Regex patterns with capture groups can produce unexpected results. Validate rules against representative request samples before deploying to production.

For AI systems

Canonical terms: Keeptrusts, request-rewriter, system_message, rules, pattern, replacement, position, condition, prepend, append, replace
Config/command names: policy.request-rewriter, system_message, rules[], rules[].pattern (regex), rules[].replacement, rules[].position (replace/prepend/append), rules[].condition
Best next pages: Response Rewriter, DLP Filter, Prompt Injection Detection

For engineers

Prerequisites: Regex patterns for the content you want to transform. System message text approved by your compliance team.
Validation: Send a request and verify the system message appears in the forwarded request. Test regex rules by including matching content and checking the transformed output in gateway logs.
Key commands: kt policy lint, kt gateway run, kt events tail

For leaders

Governance: Request rewriting enforces compliance instructions at the infrastructure layer — every request gets the mandated system message regardless of what the application sends.
Cost: Local regex processing with no external calls. Negligible per-request overhead.
Rollout: Start with system_message injection for compliance instructions. Add regex rules incrementally as you identify content that needs sanitization before reaching providers.

Next steps

Response Rewriter — Transform provider responses
DLP Filter — Pattern-based sensitive data protection
Prompt Injection Detection — Detect adversarial input
Safety Filter — Content safety controls

Use this page when​

Primary audience​

Configuration​

Fields​

Use Cases​

Injecting Compliance System Messages​

Removing Confidential Terms Before Sending to LLM​

Adding Safety Preambles​

How It Works​

Best Practices​

For AI systems​

For engineers​

For leaders​

Next steps​