# steer.example.yaml — copy to steer.yaml and fill in your values.
# Environment variable substitution is supported: ${VAR} or ${VAR:-default}.
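proxy:
  # Listen address. "0.0.0.0" accepts connections on every network interface.
  # This example shows no client-authentication setting for the proxy itself,
  # and the proxy is configured with upstream API keys below, so limit who can
  # reach the port (firewall / network policy) or bind to "127.0.0.1" when
  # only local clients need it.
  host: "0.0.0.0"
  # Listen port; taken from STEER_PORT, falling back to 8080.
  port: ${STEER_PORT:-8080}
  # Set true only for initial testing; false blocks on policy error.
  # NOTE(review): true presumably lets traffic through unchecked whenever
  # policy evaluation fails — confirm before enabling outside a test setup.
  fail_open: false
  timeout_ms: 30000
  retry_attempts: 2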
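# ── Upstream: default LLM provider ──────────────────────────────────────────
upstream:
  base_url: "https://api.openai.com"
  # Resolved from the environment at load time. Keep it as a ${VAR} reference:
  # a literal key pasted into steer.yaml ends up in backups and, if the file
  # is ever committed, in version-control history.
  api_key: "${OPENAI_API_KEY}"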
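# ── Named providers (optional) ───────────────────────────────────────────────
# Define additional providers and map model names to them.
# Requests for an unmapped model fall through to upstream above.
providers:
  anthropic:
    base_url: "https://api.anthropic.com"
    # Same handling as the upstream key: reference the environment variable
    # rather than storing the secret in this file.
    api_key: "${ANTHROPIC_API_KEY}"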
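# Model-name routing: each key is the model name a client requests; `provider`
# names an entry under `providers` and `model` is the name sent to it.
# NOTE(review): a misspelled key here would not match, and per the comment on
# `providers` an unmapped model falls through to `upstream` — i.e. the request
# would go to a different vendor than intended. Confirm entries after editing.
models:
  claude-sonnet-4-6:
    provider: anthropic
    model: claude-sonnet-4-6
  claude-haiku-4-5-20251001:
    provider: anthropic
    model: claude-haiku-4-5-20251001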
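# ── PII detection ────────────────────────────────────────────────────────────
# Defaults cover personal data and the credential shapes most likely to leak
# from a developer prompt. To slim the list, comment out lines below.
# Additional patterns available: phone_intl, ip_address, iban. See docs
# for full registry.
# NOTE(review): phone_intl, ip_address and iban already appear in the list
# below, so the "additional patterns" sentence may be stale — confirm against
# the pattern registry.
#
# The shipped `default-secrets-block` policy in default.cedar enumerates the
# secret pattern names below to BLOCK on. If you remove an `*_key`, `*_token`,
# `jwt`, or `bearer_token` entry here, the corresponding pattern won't be
# scanned and the policy can't block it — keep them enabled unless you
# explicitly fork the policy too.
pii:
  # Master switch for the detectors listed under `patterns`.
  # NOTE(review): with this false, presumably nothing is scanned and the
  # secret-blocking policy has nothing to match on — confirm.
  enabled: true
  patterns:
    # Personal data — `default-pii-flag` logs these but does not block.
    # Flag-only means a matching request is presumably still forwarded to the
    # upstream provider; write a blocking policy if that is not acceptable.
    - credit_card
    - ssn
    - email
    - phone
    - phone_intl
    - ip_address
    - iban
    # Auth secrets — `default-secrets-block` BLOCKS these by default
    - anthropic_key
    - openai_key
    - github_token
    - slack_token
    - stripe_key
    - aws_access_key
    - aws_secret_key
    - azure_key
    - google_api_key
    - jwt
    - bearer_token
    - generic_secret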
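# ── Cedar policy enforcement ─────────────────────────────────────────────────
policy:
  format: cedar
  # Directory the .cedar policy files are read from. Whoever can write here
  # controls what the proxy blocks, so keep it writable only by the account
  # that deploys policies.
  policy_dir: "./dsl/policies"
  # Set true to hot-reload .cedar files on change. With hot reload on, a
  # modified policy file takes effect without a restart, which makes write
  # access to policy_dir more sensitive still.
  watch: false
  # Enforcement mode. Default: enforce.
  #   enforce — block requests/responses that trip a forbid policy.
  #   observe — log every decision but never block. Use for the first
  #             1-2 weeks of a production rollout to surface false
  #             positives before flipping to enforce.
  # Observation rewrites @enforcement("block"|"steer") -> @enforcement("flag")
  # globally — no per-policy edits required. Audit entries carry
  # `observed: true` for would-have-blocked events; filter with:
  #   jq 'select(.enforcement.observed == true)' audit.jsonl
  # In observe mode nothing is blocked, including the secret patterns the
  # default policy would otherwise stop, so time-box it and review the
  # `observed: true` entries before switching back to enforce.
  mode: enforce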
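# ── Streaming ────────────────────────────────────────────────────────────────
streaming:
  enabled: true
  # NOTE(review): these two values presumably bound how much streamed output
  # is held (by size and by time) before it is inspected and released — the
  # example does not say. If so, a pattern longer than the buffer could be
  # split across chunks; confirm the scanning behaviour in the docs before
  # lowering either value.
  buffer_size_bytes: 512
  buffer_timeout_ms: 200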
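# ── Audit ────────────────────────────────────────────────────────────────────
audit:
  # stdout | file
  backend: stdout
  # Honored when backend: file. The audit log records request decisions and,
  # depending on retain_payloads, request content — restrict read access to
  # the file and to wherever stdout is collected.
  log_path: "./audit.jsonl"
  # never | masked | raw
  # NOTE(review): `raw` presumably stores unredacted payloads, which would
  # copy any detected secret or personal data into the log — confirm, and
  # prefer masked or never unless the log store is protected accordingly.
  retain_payloads: masked
  # Output format:
  #   json    — single-line JSON per request (default; SIEM-friendly)
  #   compact — one human line per request, e.g.
  #             `[BLOCK] POST /v1/messages model=... rule=... matched=... latency=11.8ms`
  #             (recommended for `docker logs -f` and developer terminals)
  #   pretty  — multi-line indented JSON (ad-hoc inspection)
  format: json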
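# ── Handover (human-in-the-loop holds) ───────────────────────────────────────
handover:
  # Off in this example; no further handover settings are shown here.
  enabled: false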
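# ── Tenant settings (single-tenant OSS) ──────────────────────────────────────
# These are exposed for the single tenant running this binary. Enterprise
# (multi-tenant) reads them from a DB instead. Each flips a value in the
# Cedar evaluation context — write policies that reference them to drive
# behaviour off the values you set here.
# Setting a value here changes nothing by itself: it only has an effect when
# a loaded policy reads the corresponding context attribute.
tenant:
  # Lawful basis recorded for data processing (GDPR Art 6 / AIUC-1 E005).
  # Surfaced as `context.consent_given`. The shipped baseline does NOT
  # include a no-consent policy by default (it generated noise). To enforce:
  # drop an override .cedar file at `<policy_dir>/default/consent.cedar` —
  # see the header of default.cedar for the snippet.
  consent_given: false
  # Tenant industry classification. Surfaced as `context.org_industry`.
  # Useful for industry-specific policies (e.g. healthcare PHI rules).
  industry: "other"
  # IANA timezone. Surfaced as `context.org_timezone`.
  timezone: "UTC"
  # Data residency region for AIUC-1 E004 cross-border checks. Surfaced
  # as `context.org_region`. Empty = no residency requirement.
  region: ""
  # Business hours window, e.g. "Mon-Fri 09:00-17:00". Surfaced as
  # `context.org_business_hours_active`. Empty = always active.
  business_hours_window: ""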