> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wardin.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Policies

> In-path enforcement rules that run on every request before it reaches a provider.

Policies are rules enforced **in the gateway request path** — they run after auth and budget checks, before the request is forwarded to a provider. A blocked request never reaches the provider.

## Policy types

### Model allowlist

Restricts which models a key can use. Requests for unlisted models return a `403`.

```yaml theme={null}
type: model_allowlist
config:
  models:
    - claude-opus-4-8
    - claude-sonnet-4-6
    - gpt-4o
```

### PII redaction

Scans the outbound request body and replaces detected PII before forwarding. The original prompt is never sent to the provider.

```yaml theme={null}
type: pii_redaction
config:
  patterns:
    - email
    - phone
    - ssn
    - credit_card
  custom_patterns:
    - name: internal_id
      regex: 'EMP-\d{6}'
      replacement: '[EMPLOYEE_ID]'
```

Redacted values are replaced with `[EMAIL]`, `[PHONE]`, etc. The ClickHouse audit log records what was redacted (not the original value).

### Prompt injection detection

Detects adversarial instruction injection attempts in the user turn. Can be set to `block` or `flag` (log but allow).

```yaml theme={null}
type: prompt_injection
config:
  action: block
  sensitivity: medium   # low | medium | high
```

On `block`, the response is:

```json theme={null}
{
  "error": {
    "type": "policy_violation",
    "policy": "prompt_injection",
    "message": "Request blocked: potential prompt injection detected.",
    "code": 403
  }
}
```

### Guardrail (ML classifier)

Runs the request body through an ML classifier for jailbreak attempts, toxicity, or custom categories. Requires a classifier endpoint to be configured on the gateway by your Wardin administrator (a deployment-level setting, not per-tenant).

```yaml theme={null}
type: guardrail
config:
  categories:
    - jailbreak
    - toxicity
  action: block
  threshold: 0.8
```

## Policy scope

Policies attach to **keys** or to the **tenant** (org-wide). A key inherits tenant-level policies plus its own.

| Scope  | Applies to          |
| ------ | ------------------- |
| Tenant | All keys in the org |
| Key    | One specific key    |

## Enforcement audit trail

Every policy decision is logged to ClickHouse:

```json theme={null}
{
  "event_type": "policy_block",
  "policy_type": "model_allowlist",
  "key_id": "key_01j...",
  "user_id": "user_abc",
  "model_requested": "gpt-4-turbo",
  "timestamp": "2025-01-15T10:05:00Z"
}
```

The **POLICY** stage in the dashboard shows real per-policy hit counts sourced from ClickHouse — not placeholder data — alongside the live enforcement feed.

## Creating a policy

### Dashboard

**POLICY → Create policy** — choose a type, fill the structured form, or switch to raw YAML for advanced config. The editor validates YAML on save and blocks invalid schemas.

### REST API

```bash theme={null}
curl -X POST https://api.wardin.ai/v1/policies \
  -H "Authorization: Bearer wardin_sk_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "engineering-allowlist",
    "type": "model_allowlist",
    "config": {
      "models": ["claude-opus-4-8", "claude-sonnet-4-6"]
    },
    "keyIds": ["key_01j..."]
  }'
```
