Policy catalog

Twelve gateway-native policies. Seven governance dimensions.

Every policy below ships with the gateway. Each runs in shadow first (observe), then flips to enforce (block) on a single column write — no agent restart, no upstream redeploy. Together they form the documented risk-management catalog the EU AI Act’s Article 9 calls for.

hygiene

Hygiene

Scrub PII and prompt-injection payloads before they reach the agent or upstream.

pii_redaction

PII Redaction

Scrub emails, phone numbers, credit cards, and SSNs from tool responses before the agent sees them. International phone numbers are validated with libphonenumber.

Config

patterns[]

injection_guard

Prompt Injection Guard

Block prompt-injection attempts and suspicious control strings in tool arguments before the call reaches the origin.

Config

patterns[], mode

identity

Identity

Restrict who and what can call. Header allowlists, basic auth, agent identity.

allowlist

Tool Allowlist

Restrict the agent to an explicit set of tool names. Everything outside the list is rejected at the gateway.

Config

tool_names[]

basic_auth

Basic Auth

Require HTTP Basic credentials on inbound gateway calls. Fails closed when the header is missing or malformed.

Config

realm, users_hash

client_id

Client ID Allowlist

Require an `x-client-id` (or custom header) and allowlist specific values. Fails closed on missing header.

Config

allowed_ids[], header_name

ip_allowlist

IP Allowlist

Accept gateway calls only from specific IPv4 CIDR blocks. Useful for VPN-only or on-prem agent deployments.

Config

allowed_cidrs[]

agent_identity_required

Agent Identity Required

Require verifiable agent-identity headers on every call. Closes the Meta confused-deputy attack class.

Config

require_headers[], verify_signature

kill-switch

Kill Switch

One-flag stops. The Replit "code freeze" that should have been a guard.

write_freeze

Write Freeze

Kill switch: block all writes (POST/PUT/PATCH/DELETE) with a single flag. Scope per server or org-wide.

Config

enabled

time

Time & State

Time-window gates. Business hours, maintenance freezes, weekend writes.

business_hours

Business Hours

Only allow calls during business windows. Supports multiple windows, per-window timezones, overnight wraps, and DST.

Config

timezone, windows[]
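As an added example (not the gateway's own code), here is how a business-hours gate with per-window timezones, overnight wraps and DST can be evaluated against a UTC call timestamp; the per-window field names, the shadow/enforce mode argument and the sample config are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from zoneinfo import ZoneInfo

DAY_NAMES = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}

# Constructed sample config: timezone and windows[] are the page's keys; the
# per-window fields (days/start/end/tz) are an assumed shape.
SAMPLE_CONFIG = {
    "timezone": "UTC",
    "windows": [
        {"days": ["mon", "tue", "wed", "thu", "fri"], "start": "09:00",
         "end": "17:00", "tz": "Europe/Berlin"},
        {"days": ["fri", "sat"], "start": "22:00", "end": "06:00",
         "tz": "America/New_York"},  # overnight wrap: Fri/Sat night into next morning
    ],
}

@dataclass(frozen=True)
class Window:
    days: frozenset   # weekday numbers, Monday=0 .. Sunday=6
    start: time
    end: time
    tz: str

    def contains(self, instant: datetime) -> bool:
        """True if the aware instant falls inside this window in its own zone."""
        local = instant.astimezone(ZoneInfo(self.tz))  # zoneinfo applies DST
        now = local.time()
        if self.start <= self.end:  # same-day window, e.g. 09:00-17:00
            return local.weekday() in self.days and self.start <= now < self.end
        if now >= self.start:  # overnight wrap, first half: the day it began
            return local.weekday() in self.days
        if now < self.end:  # second half belongs to the previous day's window
            return (local.weekday() - 1) % 7 in self.days
        return False

def parse_config(cfg: dict) -> list:
    default_tz = cfg.get("timezone", "UTC")
    return [Window(days=frozenset(DAY_NAMES[d.lower()[:3]] for d in w["days"]),
                   start=time.fromisoformat(w["start"]),
                   end=time.fromisoformat(w["end"]),
                   tz=w.get("tz", default_tz)) for w in cfg["windows"]]

def evaluate(cfg: dict, call_time_iso: str, mode: str = "enforce") -> str:
    """Gateway decision for one call: 'allow', 'block', or 'shadow' (observed only)."""
    instant = datetime.fromisoformat(call_time_iso)
    if instant.tzinfo is None:
        raise ValueError("call timestamp must carry a UTC offset")
    if any(w.contains(instant) for w in parse_config(cfg)):
        return "allow"
    return "block" if mode == "enforce" else "shadow"
```

The same 07:30 UTC Monday call is inside the Berlin window in July (CEST) but outside it in January (CET), which is the DST case the policy has to get right.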

rate

Rate

Cap calls per minute to protect downstream systems from runaway agents.

rate_limit

Rate Limit

Cap calls per minute to protect downstream systems. Scope per tool, per client, or per org.

Config

max_rpm, window_seconds

residency

Residency

Data-residency gates. EU AI Act geo-fence hooks for cross-region calls.

geo_fence

Geo Fence

Restrict tool calls to allowed regions. EU AI Act data-residency hook; for example, block US routing from EU agents.

Config

allowed_regions[], source

idempotency

Idempotency

Require idempotency keys on writes; dedupe replays inside the TTL window.

idempotency_required

Idempotency Required

Require an idempotency key on write calls and dedupe replays within the TTL window.

Config

ttl_seconds, key_source