{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "LocalConfig", "type": "object", "properties": { "config": { "anyOf": [ { "$ref": "#/$defs/RawConfig" }, { "type": "null" } ], "default": null }, "binds": { "type": "array", "items": { "$ref": "#/$defs/LocalBind" } }, "frontendPolicies": { "$ref": "#/$defs/LocalFrontendPolicies" }, "policies": { "description": "policies defines additional policies that can be attached to various other configurations.\nThis is an advanced feature; users should typically use the inline `policies` field under route/gateway.", "type": "array", "items": { "$ref": "#/$defs/LocalPolicy" } }, "workloads": { "type": "array", "items": { "type": "object", "additionalProperties": true }, "default": [] }, "services": { "type": "array", "items": { "type": "object", "additionalProperties": true }, "default": [] }, "backends": { "type": "array", "items": { "$ref": "#/$defs/FullLocalBackend" } }, "routeGroups": { "type": "array", "items": { "$ref": "#/$defs/LocalRouteGroup" } }, "llm": { "anyOf": [ { "$ref": "#/$defs/LocalLLMConfig" }, { "type": "null" } ] }, "mcp": { "anyOf": [ { "$ref": "#/$defs/LocalSimpleMcpConfig" }, { "type": "null" } ] } }, "additionalProperties": false, "$defs": { "RawConfig": { "type": "object", "properties": { "enableIpv6": { "type": [ "boolean", "null" ] }, "dns": { "description": "DNS resolver settings.", "anyOf": [ { "$ref": "#/$defs/RawDnsConfig" }, { "type": "null" } ] }, "localXdsPath": { "description": "Local XDS path. 
If not specified, the current configuration file will be used.", "type": [ "string", "null" ] }, "modelCatalog": { "description": "Model cost catalog sources; entries are merged in order, with later entries taking precedence.", "type": [ "array", "null" ], "items": { "$ref": "#/$defs/ModelCatalogSource" } }, "database": { "description": "Primary database used by local runtime features.", "anyOf": [ { "$ref": "#/$defs/Config" }, { "type": "null" } ] }, "caAddress": { "type": [ "string", "null" ] }, "caAuthToken": { "type": [ "string", "null" ] }, "xdsAddress": { "type": [ "string", "null" ] }, "xdsAuthToken": { "type": [ "string", "null" ] }, "namespace": { "type": [ "string", "null" ] }, "gateway": { "type": [ "string", "null" ] }, "trustDomain": { "type": [ "string", "null" ] }, "additionalTrustDomains": { "description": "Comma-separated list of additional SPIFFE trust domains accepted on inbound HBONE\nconnections. The local trust_domain is always implicitly included.", "type": [ "string", "null" ] }, "skipValidateTrustDomain": { "description": "When true, skip SPIFFE trust-domain verification on inbound HBONE connections.", "type": [ "boolean", "null" ] }, "serviceAccount": { "type": [ "string", "null" ] }, "clusterId": { "type": [ "string", "null" ] }, "network": { "type": [ "string", "null" ] }, "adminAddr": { "description": "Admin UI address in the format \"ip:port\", \"localhost:port\", \"unix:/path/to/socket\", or \"off\"", "type": [ "string", "null" ] }, "standardAttributes": { "description": "Standard request log attributes populated for database-backed local runtime features.", "anyOf": [ { "$ref": "#/$defs/RawStandardAttributes" }, { "type": "null" } ] }, "statsAddr": { "description": "Stats/metrics server address in the format \"ip:port\", \"localhost:port\", \"unix:/path/to/socket\", or \"off\"", "type": [ "string", "null" ] }, "readinessAddr": { "description": "Readiness probe server address in the format \"ip:port\", \"localhost:port\", 
\"unix:/path/to/socket\", or \"off\"", "type": [ "string", "null" ] }, "session": { "description": "Configuration for stateful session management", "anyOf": [ { "$ref": "#/$defs/RawSession" }, { "type": "null" } ] }, "mcp": { "description": "MCP gateway settings.", "anyOf": [ { "$ref": "#/$defs/RawMcpConfig" }, { "type": "null" } ] }, "customFunctions": { "description": "Custom CEL functions available to all CEL expressions. These can define re-usable snippets that\ncan be used in any expressions.\nConfigure as a block string containing one or more definitions, for example:\n`customFunctions: |`\n` isInternal() { request.headers[\"x-env\"] == \"internal\" }`\n` this.joined(prefix, parts...) { prefix + this + parts.join(\"\") }`", "type": "string", "default": "" }, "connectionTerminationDeadline": { "type": [ "string", "null" ], "default": null }, "connectionMinTerminationDeadline": { "type": [ "string", "null" ], "default": null }, "workerThreads": { "anyOf": [ { "$ref": "#/$defs/StringOrInt" }, { "type": "null" } ] }, "tracing": { "anyOf": [ { "$ref": "#/$defs/RawTracing" }, { "type": "null" } ] }, "logging": { "anyOf": [ { "$ref": "#/$defs/RawLogging" }, { "type": "null" } ] }, "metrics": { "anyOf": [ { "$ref": "#/$defs/RawMetrics" }, { "type": "null" } ] }, "backend": { "$ref": "#/$defs/BackendConfig", "default": { "keepalives": { "enabled": true, "time": "3m0s", "interval": "3m0s", "retries": 9 }, "connectTimeout": "10s", "poolIdleTimeout": "1m30s", "poolMaxSize": null } }, "hbone": { "anyOf": [ { "$ref": "#/$defs/RawHBONE" }, { "type": "null" } ] } }, "additionalProperties": false }, "RawDnsConfig": { "type": "object", "properties": { "lookupFamily": { "description": "Controls which IP address families the DNS resolver will query for\nupstream connections.\nAccepted values: All, Auto, V4Preferred, V4Only, V6Only.\nDefaults to Auto (IPv4-only when enableIpv6 is false, both when true).", "anyOf": [ { "$ref": "#/$defs/DnsLookupFamily" }, { "type": "null" } ] }, 
"edns0": { "description": "Whether to enable EDNS0 (Extension Mechanisms for DNS) in the resolver.\nWhen unset (null), the system-provided resolver setting is preserved.\nCan also be set via the `DNS_EDNS0` environment variable.", "type": [ "boolean", "null" ] } }, "additionalProperties": false }, "DnsLookupFamily": { "description": "Controls which IP address families the DNS resolver will query for\nupstream (backend) connections.\n\nMaps to hickory_resolver's `LookupIpStrategy` under the hood.\n\nCan be set via the `DNS_LOOKUP_FAMILY` environment variable or the\n`dns.lookupFamily` field in the config file.", "oneOf": [ { "description": "Query for both A and AAAA records in parallel and use all results.", "type": "string", "const": "All" }, { "description": "Automatically choose based on the `enableIpv6` setting. When IPv6 is\nenabled this behaves like `V4Preferred`; otherwise `V4Only`.", "type": "string", "const": "Auto" }, { "description": "Query for both A and AAAA, but prefer IPv4 addresses when both are\navailable.", "type": "string", "const": "V4Preferred" }, { "description": "Only query for A (IPv4) records.", "type": "string", "const": "V4Only" }, { "description": "Only query for AAAA (IPv6) records.", "type": "string", "const": "V6Only" } ] }, "ModelCatalogSource": { "description": "A source of model cost catalog data.", "anyOf": [ { "type": "object", "properties": { "file": { "type": "string" } }, "required": [ "file" ] }, { "type": "object", "properties": { "inline": { "type": "string" } }, "required": [ "inline" ] }, { "type": "object", "properties": { "inline": { "$ref": "#/$defs/Catalog" } }, "required": [ "inline" ] } ] }, "Catalog": { "type": "object", "properties": { "providers": { "type": "object", "additionalProperties": { "$ref": "#/$defs/Provider" }, "default": {} } }, "additionalProperties": false }, "Provider": { "type": "object", "properties": { "models": { "type": "object", "additionalProperties": { "$ref": "#/$defs/Model" }, 
"default": {} } }, "additionalProperties": false }, "Model": { "type": "object", "properties": { "rates": { "$ref": "#/$defs/Rates" }, "tiers": { "type": "array", "items": { "$ref": "#/$defs/Tier" } } }, "additionalProperties": false }, "Rates": { "type": "object", "properties": { "input": { "anyOf": [ { "$ref": "#/$defs/Money" }, { "type": "null" } ] }, "output": { "anyOf": [ { "$ref": "#/$defs/Money" }, { "type": "null" } ] }, "cacheRead": { "anyOf": [ { "$ref": "#/$defs/Money" }, { "type": "null" } ] }, "cacheWrite": { "anyOf": [ { "$ref": "#/$defs/Money" }, { "type": "null" } ] }, "reasoning": { "anyOf": [ { "$ref": "#/$defs/Money" }, { "type": "null" } ] }, "inputAudio": { "anyOf": [ { "$ref": "#/$defs/Money" }, { "type": "null" } ] }, "outputAudio": { "anyOf": [ { "$ref": "#/$defs/Money" }, { "type": "null" } ] } }, "additionalProperties": false }, "Money": { "type": "string" }, "Tier": { "type": "object", "properties": { "contextOver": { "type": "integer", "format": "uint64", "minimum": 0 }, "rates": { "$ref": "#/$defs/Rates" } }, "additionalProperties": false, "required": [ "contextOver", "rates" ] }, "Config": { "type": "object", "properties": { "url": { "type": "string" } }, "additionalProperties": false, "required": [ "url" ] }, "RawStandardAttributes": { "type": "object", "properties": { "user": { "description": "CEL expression used to populate the `agentgateway.user` request log attribute.", "type": [ "string", "null" ] }, "group": { "description": "CEL expression used to populate the `agentgateway.group` request log attribute.", "type": [ "string", "null" ] } }, "additionalProperties": false }, "RawSession": { "type": "object", "properties": { "key": { "description": "The AES-256-GCM key used to protect session tokens.\nIf not set, sessions will not be encrypted.\nFor example, generate one with `openssl rand -hex 32` (32 random bytes, hex-encoded).", "type": "string" } }, "additionalProperties": false, "required": [ "key" ] }, "RawMcpConfig": { "type": "object", 
"properties": { "sessionTtl": { "type": [ "string", "null" ], "default": null } }, "additionalProperties": false }, "StringOrInt": { "type": [ "string", "integer" ] }, "RawTracing": { "type": "object", "properties": { "otlpEndpoint": { "type": [ "string", "null" ] }, "headers": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} }, "otlpProtocol": { "$ref": "#/$defs/Protocol", "default": "grpc" }, "fields": { "anyOf": [ { "$ref": "#/$defs/RawLoggingFields" }, { "type": "null" } ] }, "randomSampling": { "description": "Expression to determine the amount of *random sampling*.\nRandom sampling will initiate a new trace span if the incoming request does not have a trace already.\nThis should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.\nThis defaults to 'false'.", "anyOf": [ { "$ref": "#/$defs/StringBoolFloat" }, { "type": "null" } ] }, "clientSampling": { "description": "Expression to determine the amount of *client sampling*.\nClient sampling determines whether to initiate a new trace span if the incoming request does have a trace already.\nThis should evaluate to either a float between 0.0-1.0 (0-100%) or true/false.\nThis defaults to 'true'.", "anyOf": [ { "$ref": "#/$defs/StringBoolFloat" }, { "type": "null" } ] }, "path": { "description": "OTLP path. 
Default is /v1/traces", "type": [ "string", "null" ] } }, "additionalProperties": false }, "Protocol": { "type": "string", "enum": [ "grpc", "http" ] }, "RawLoggingFields": { "type": "object", "properties": { "remove": { "type": "array", "items": { "type": "string" }, "default": [] }, "add": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} } }, "additionalProperties": false }, "StringBoolFloat": { "type": [ "string", "number", "boolean" ] }, "RawLogging": { "type": "object", "properties": { "filter": { "type": [ "string", "null" ] }, "fields": { "anyOf": [ { "$ref": "#/$defs/RawLoggingFields" }, { "type": "null" } ] }, "level": { "anyOf": [ { "$ref": "#/$defs/RawLoggingLevel" }, { "type": "null" } ] }, "format": { "anyOf": [ { "$ref": "#/$defs/LoggingFormat" }, { "type": "null" } ] }, "database": { "anyOf": [ { "$ref": "#/$defs/Config" }, { "type": "null" } ] } }, "additionalProperties": false }, "RawLoggingLevel": { "anyOf": [ { "type": "string" }, { "type": "array", "items": { "type": "string" } } ] }, "LoggingFormat": { "type": "string", "enum": [ "text", "json" ] }, "RawMetrics": { "type": "object", "properties": { "remove": { "type": "array", "items": { "type": "string" }, "default": [] }, "fields": { "anyOf": [ { "$ref": "#/$defs/RawMetricFields" }, { "type": "null" } ] } }, "additionalProperties": false }, "RawMetricFields": { "type": "object", "properties": { "add": { "type": "object", "additionalProperties": { "type": "string" }, "default": {} } }, "additionalProperties": false }, "BackendConfig": { "type": "object", "properties": { "keepalives": { "$ref": "#/$defs/KeepaliveConfig", "default": { "enabled": true, "time": "3m0s", "interval": "3m0s", "retries": 9 } }, "connectTimeout": { "type": "string", "default": "10s" }, "poolIdleTimeout": { "description": "The maximum duration to keep an idle connection alive.", "type": "string", "default": "1m30s" }, "poolMaxSize": { "description": "The maximum number of connections 
allowed in the pool, per hostname. If set, this will limit\nthe total number of connections kept alive to any given host.\nNote: excess connections will still be created, they will just not remain idle.\nIf unset, there is no limit", "type": [ "integer", "null" ], "format": "uint", "minimum": 0, "default": null } }, "additionalProperties": false }, "KeepaliveConfig": { "type": "object", "properties": { "enabled": { "type": "boolean", "default": true }, "time": { "type": "string", "default": "3m0s" }, "interval": { "type": "string", "default": "3m0s" }, "retries": { "type": "integer", "format": "uint32", "minimum": 0, "default": 9 } }, "additionalProperties": false }, "RawHBONE": { "type": "object", "properties": { "windowSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0 }, "connectionWindowSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0 }, "frameSize": { "type": [ "integer", "null" ], "format": "uint32", "minimum": 0 }, "poolMaxStreamsPerConn": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "poolUnusedReleaseTimeout": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "LocalBind": { "type": "object", "properties": { "port": { "description": "Port to bind on. Omit it for an internal wildcard bind (which serves any destination port\nvia in-process routing). A numeric port is required unless `mode` is `internal`.", "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535, "default": null }, "listeners": { "type": "array", "items": { "$ref": "#/$defs/LocalListener" } }, "tunnelProtocol": { "$ref": "#/$defs/TunnelProtocol", "default": "direct" }, "mode": { "description": "Whether the bind opens an OS listener socket. 
Defaults to `standard` (binds the port).\nSet to `internal` to create a routing-only bind that does not bind a socket.", "$ref": "#/$defs/BindMode", "default": "standard" } }, "additionalProperties": false, "required": [ "listeners" ] }, "LocalListener": { "type": "object", "properties": { "name": { "type": [ "string", "null" ], "default": null }, "namespace": { "type": [ "string", "null" ], "default": null }, "hostname": { "description": "Can be a wildcard", "type": [ "string", "null" ] }, "protocol": { "$ref": "#/$defs/LocalListenerProtocol" }, "tls": { "anyOf": [ { "$ref": "#/$defs/LocalTLSServerConfig" }, { "type": "null" } ] }, "routes": { "type": [ "array", "null" ], "items": { "$ref": "#/$defs/LocalRoute" } }, "tcpRoutes": { "type": [ "array", "null" ], "items": { "$ref": "#/$defs/LocalTCPRoute" } }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalGatewayPolicy" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalListenerProtocol": { "type": "string", "enum": [ "HTTP", "HTTPS", "TLS", "TCP", "HBONE" ] }, "LocalTLSServerConfig": { "type": "object", "properties": { "mode": { "description": "Certificate source mode. 
Static mode uses cert/key as the leaf certificate; dynamic CA\nmode uses cert/key as a CA for on-demand SNI leaf certificate issuance.", "$ref": "#/$defs/LocalTLSServerMode", "default": "static" }, "cert": { "type": "string" }, "key": { "type": "string" }, "root": { "type": [ "string", "null" ] }, "cipherSuites": { "description": "Optional cipher suite allowlist (order is preserved).", "type": [ "array", "null" ], "items": { "type": "string" } }, "minTLSVersion": { "description": "Minimum supported TLS version (only TLS 1.2 and 1.3 are supported).", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "minTlsVersion": { "description": "Minimum supported TLS version (only TLS 1.2 and 1.3 are supported).", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "maxTLSVersion": { "description": "Maximum supported TLS version (only TLS 1.2 and 1.3 are supported).", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "maxTlsVersion": { "description": "Maximum supported TLS version (only TLS 1.2 and 1.3 are supported).", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "keyExchangeGroups": { "description": "Key exchange groups allowed for negotiating TLS.", "type": [ "array", "null" ], "items": { "type": "string" } } }, "additionalProperties": false, "required": [ "cert", "key" ], "allOf": [ { "not": { "required": [ "minTLSVersion", "minTlsVersion" ] } }, { "not": { "required": [ "maxTLSVersion", "maxTlsVersion" ] } } ] }, "LocalTLSServerMode": { "type": "string", "enum": [ "static", "dynamicCa" ] }, "TLSVersion": { "type": "string", "enum": [ "TLS_V1_0", "TLS_V1_1", "TLS_V1_2", "TLS_V1_3" ] }, "LocalRoute": { "type": "object", "properties": { "name": { "type": [ "string", "null" ], "default": null }, "namespace": { "type": [ "string", "null" ], "default": null }, "ruleName": { "type": [ "string", "null" ], "default": null }, "hostnames": { "description": "Can be a wildcard", "type": "array", "items": { 
"type": "string" } }, "matches": { "type": "array", "items": { "$ref": "#/$defs/RouteMatch" }, "default": [ { "path": { "pathPrefix": "/" } } ] }, "policies": { "anyOf": [ { "$ref": "#/$defs/FilterOrPolicy" }, { "type": "null" } ] }, "backends": { "type": "array", "items": { "$ref": "#/$defs/LocalRouteBackend" } } }, "additionalProperties": false }, "RouteMatch": { "type": "object", "properties": { "headers": { "type": "array", "items": { "$ref": "#/$defs/HeaderMatch" } }, "path": { "$ref": "#/$defs/PathMatch", "default": { "pathPrefix": "/" } }, "method": { "type": "string" }, "query": { "type": "array", "items": { "$ref": "#/$defs/QueryMatch" } } }, "additionalProperties": false }, "HeaderMatch": { "type": "object", "properties": { "name": { "type": "string" }, "value": { "$ref": "#/$defs/HeaderValueMatch" } }, "additionalProperties": false, "required": [ "name", "value" ] }, "HeaderValueMatch": { "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "type": "object", "properties": { "exact": { "type": "string" } }, "required": [ "exact" ], "additionalProperties": false }, { "type": "object", "properties": { "regex": { "type": "string" } }, "required": [ "regex" ], "additionalProperties": false } ] }, "PathMatch": { "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "type": "object", "properties": { "exact": { "type": "string" } }, "required": [ "exact" ], "additionalProperties": false }, { "type": "object", "properties": { "pathPrefix": { "type": "string" } }, "required": [ "pathPrefix" ], "additionalProperties": false }, { "type": "object", "properties": { "regex": { "type": "string" } }, "required": [ "regex" ], "additionalProperties": false } ] }, "QueryMatch": { "type": "object", "properties": { "name": { "type": "string" }, "value": { "$ref": "#/$defs/QueryValueMatch" } }, "additionalProperties": false, "required": [ "name", "value" ] }, "QueryValueMatch": { "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "type": "object", "properties": 
{ "exact": { "type": "string" } }, "required": [ "exact" ], "additionalProperties": false }, { "type": "object", "properties": { "regex": { "type": "string" } }, "required": [ "regex" ], "additionalProperties": false } ] }, "FilterOrPolicy": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Modify request headers before forwarding.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaderModifier": { "description": "Modify response headers before returning to the client.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "requestRedirect": { "description": "Return a redirect response instead of forwarding the request.", "anyOf": [ { "$ref": "#/$defs/RequestRedirect" }, { "type": "null" } ], "default": null }, "urlRewrite": { "description": "Rewrite the request path or authority before forwarding.", "anyOf": [ { "$ref": "#/$defs/UrlRewrite" }, { "type": "null" } ], "default": null }, "requestMirror": { "description": "Send a copy of matching requests to another backend.", "anyOf": [ { "$ref": "#/$defs/RequestMirror" }, { "type": "null" } ], "default": null }, "directResponse": { "description": "Return a configured response instead of forwarding the request.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_DirectResponse" }, { "type": "null" } ] }, "cors": { "description": "Handle CORS preflight requests and append configured CORS headers to applicable requests.", "anyOf": [ { "$ref": "#/$defs/CorsSerde" }, { "type": "null" } ], "default": null }, "mcpAuthorization": { "description": "Authorization rules for MCP requests.", "anyOf": [ { "$ref": "#/$defs/McpAuthorization" }, { "type": "null" } ], "default": null }, "mcpGuardrails": { "description": "External MCP policy processors.", "anyOf": [ { "$ref": "#/$defs/McpGuardrails" }, { "type": "null" } ], "default": null }, "authorization": { "description": "Authorization rules for incoming 
HTTP requests.", "anyOf": [ { "$ref": "#/$defs/Authorization" }, { "type": "null" } ], "default": null }, "mcpAuthentication": { "description": "Authenticate MCP clients.", "anyOf": [ { "$ref": "#/$defs/LocalMcpAuthentication" }, { "type": "null" } ] }, "a2a": { "description": "Mark this traffic as A2A to enable A2A processing and telemetry.", "anyOf": [ { "$ref": "#/$defs/A2aPolicy" }, { "type": "null" } ], "default": null }, "ai": { "description": "Mark this as LLM traffic to enable LLM processing.", "anyOf": [ { "$ref": "#/$defs/Policy" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "TLS settings used when connecting to the backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendTunnel": { "description": "Tunnel settings used when connecting to the backend.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "backendAuth": { "description": "Authentication credentials sent to the backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuthCompat" }, { "type": "null" } ], "default": null }, "localRateLimit": { "description": "Local rate limits for incoming requests.", "anyOf": [ { "$ref": "#/$defs/LocalRateLimitPolicy" }, { "type": "null" } ] }, "remoteRateLimit": { "description": "Remote rate limit checks for incoming requests.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_RemoteRateLimit" }, { "type": "null" } ] }, "jwtAuth": { "description": "Authenticate incoming requests with JWT bearer tokens.", "anyOf": [ { "$ref": "#/$defs/LocalJwtConfig" }, { "type": "null" } ] }, "oidc": { "description": "Authenticate browser requests with OIDC authorization code flow.", "anyOf": [ { "$ref": "#/$defs/LocalOidcConfig" }, { "type": "null" } ] }, "basicAuth": { "description": "Authenticate incoming requests with Basic Auth credentials from an htpasswd user database.", "anyOf": [ { "$ref": "#/$defs/LocalBasicAuth" }, { "type": "null" } ] }, "apiKey": { "description": 
"Authenticate incoming requests with API keys.", "anyOf": [ { "$ref": "#/$defs/LocalAPIKeys" }, { "type": "null" } ] }, "extAuthz": { "description": "Authorize incoming requests by calling an external authorization service.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_ExtAuthz" }, { "type": "null" } ] }, "extProc": { "description": "Send request and response data to an external processing service.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_ExtProc" }, { "type": "null" } ] }, "transformations": { "description": "Modify request and response headers, bodies, or metadata.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_LocalTransformationConfig" }, { "type": "null" } ] }, "csrf": { "description": "Handle CSRF protection by validating request origins against configured allowed origins.", "anyOf": [ { "$ref": "#/$defs/Csrf" }, { "type": "null" } ], "default": null }, "buffer": { "description": "Buffer request and response bodies.", "anyOf": [ { "$ref": "#/$defs/Buffer" }, { "type": "null" } ], "default": null }, "timeout": { "description": "Set request timeout limits.", "anyOf": [ { "$ref": "#/$defs/TimeoutPolicy" }, { "type": "null" } ], "default": null }, "retry": { "description": "Retry matching failed upstream requests.", "anyOf": [ { "$ref": "#/$defs/RetryPolicy" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "HeaderModifier": { "type": "object", "properties": { "add": { "description": "Headers to append without replacing existing values.", "type": "object", "additionalProperties": { "type": "string" } }, "set": { "description": "Headers to set, replacing any existing values.", "type": "object", "additionalProperties": { "type": "string" } }, "remove": { "description": "Header names to remove.", "type": "array", "items": { "type": "string" } } }, "additionalProperties": false }, "RequestRedirect": { "type": "object", "properties": { "scheme": { "description": "Scheme to use in the redirect URL, 
such as `http` or `https`.", "type": [ "string", "null" ] }, "authority": { "description": "Host or port rewrite to apply to the redirect URL.", "anyOf": [ { "$ref": "#/$defs/HostRedirect" }, { "type": "null" } ] }, "path": { "description": "Path rewrite to apply to the redirect URL.", "anyOf": [ { "$ref": "#/$defs/PathRedirect" }, { "type": "null" } ] }, "status": { "description": "HTTP status code to return for the redirect.", "type": [ "integer", "null" ], "format": "uint16", "minimum": 1, "maximum": 65535 } }, "additionalProperties": false }, "HostRedirect": { "oneOf": [ { "description": "Replace the full authority, including host and optional port.", "type": "object", "properties": { "full": { "type": "string" } }, "required": [ "full" ], "additionalProperties": false }, { "description": "Replace only the host and preserve the effective port.", "type": "object", "properties": { "host": { "type": "string" } }, "required": [ "host" ], "additionalProperties": false }, { "description": "Replace only the port.", "type": "object", "properties": { "port": { "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535 } }, "required": [ "port" ], "additionalProperties": false }, { "description": "Use the selected backend host when possible.", "type": "string", "const": "auto" }, { "description": "Leave the authority unchanged.", "type": "string", "const": "none" } ] }, "PathRedirect": { "oneOf": [ { "description": "Replace the full request path.", "type": "object", "properties": { "full": { "type": "string" } }, "required": [ "full" ], "additionalProperties": false }, { "description": "Replace only the matched path prefix.", "type": "object", "properties": { "prefix": { "type": "string" } }, "required": [ "prefix" ], "additionalProperties": false } ] }, "UrlRewrite": { "type": "object", "properties": { "authority": { "description": "Host or port rewrite to apply before forwarding the request.", "anyOf": [ { "$ref": "#/$defs/HostRedirect" }, { "type": "null" } 
] }, "path": { "description": "Path rewrite to apply before forwarding the request.", "anyOf": [ { "$ref": "#/$defs/PathRedirect" }, { "type": "null" } ] } }, "additionalProperties": false }, "RequestMirror": { "type": "object", "properties": { "backend": { "description": "Backend that receives mirrored request copies.", "$ref": "#/$defs/SimpleLocalBackendSerde" }, "percentage": { "description": "Fraction of matching requests to mirror, from 0.0 to 1.0.", "type": "number", "format": "double" } }, "additionalProperties": false, "required": [ "backend", "percentage" ] }, "SimpleLocalBackendSerde": { "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ], "additionalProperties": false }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ], "additionalProperties": false }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ], "additionalProperties": false } ] }, "NamespacedHostname": { "type": "string" }, "LocalExplicitOrConditional_DirectResponse": { "anyOf": [ { "$ref": "#/$defs/LocalConditionalPolicies_DirectResponse" }, { "$ref": "#/$defs/DirectResponse" } ] }, "LocalConditionalPolicies_DirectResponse": { "type": "object", "properties": { "conditional": { "description": "conditional policy entries. 
An entry without a condition must be the final fallback.", "type": "array", "items": { "$ref": "#/$defs/LocalConditionalPolicy_DirectResponse" } } }, "additionalProperties": false, "required": [ "conditional" ] }, "LocalConditionalPolicy_DirectResponse": { "type": "object", "properties": { "condition": { "description": "condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "body": { "description": "Static response body, encoded as bytes.", "$ref": "#/$defs/Bytes" }, "bodyExpression": { "description": "CEL expression that computes the response body.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "headers": { "description": "Response headers computed from CEL expressions.", "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } }, "status": { "description": "HTTP status code to return.", "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535 } }, "required": [ "status" ] }, "Expression": { "type": "string" }, "Bytes": { "type": [ "array", "string" ], "items": { "type": "integer", "format": "uint8", "minimum": 0, "maximum": 255 } }, "DirectResponse": { "type": "object", "properties": { "body": { "description": "Static response body, encoded as bytes.", "$ref": "#/$defs/Bytes" }, "bodyExpression": { "description": "CEL expression that computes the response body.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "headers": { "description": "Response headers computed from CEL expressions.", "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } }, "status": { "description": "HTTP status code to return.", "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535 } }, "additionalProperties": false, "required": [ "status" ] }, "CorsSerde": { "type": "object", "properties": { "allowCredentials": { "description": "Add 
`Access-Control-Allow-Credentials: true` on allowed CORS responses.", "type": "boolean", "default": false }, "allowHeaders": { "description": "Values to return in `Access-Control-Allow-Headers` for allowed preflight requests.", "type": "array", "items": { "type": "string" }, "default": [] }, "allowMethods": { "description": "Values to return in `Access-Control-Allow-Methods` for allowed preflight requests.", "type": "array", "items": { "type": "string" }, "default": [] }, "allowOrigins": { "description": "Request origins that receive CORS response headers. Use `*` to match any origin.", "type": "array", "items": { "type": "string" }, "default": [] }, "exposeHeaders": { "description": "Values to return in `Access-Control-Expose-Headers` for allowed CORS responses.", "type": "array", "items": { "type": "string" }, "default": [] }, "maxAge": { "description": "Value to return in `Access-Control-Max-Age` for allowed preflight requests.", "type": [ "string", "null" ], "default": null } }, "additionalProperties": false }, "McpAuthorization": { "description": "CEL authorization rules for MCP tools, prompts, and resources.", "$ref": "#/$defs/RuleSet" }, "RuleSet": { "type": "object", "properties": { "rules": { "description": "CEL authorization rules to evaluate for a request.", "type": "array", "items": { "$ref": "#/$defs/RuleSerde" } } }, "additionalProperties": false, "required": [ "rules" ] }, "RuleSerde": { "anyOf": [ { "type": "object", "unevaluatedProperties": false, "oneOf": [ { "description": "Allow the request when this CEL expression is true.", "type": "object", "properties": { "allow": { "type": "string" } }, "required": [ "allow" ] }, { "description": "Deny the request when this CEL expression is true.", "type": "object", "properties": { "deny": { "type": "string" } }, "required": [ "deny" ] }, { "description": "Require this CEL expression to be true.", "type": "object", "properties": { "require": { "type": "string" } }, "required": [ "require" ] } ] }, { 
"type": "string" } ] }, "McpGuardrails": { "type": "object", "properties": { "processors": { "description": "Ordered list of policy processors applied to matched methods; the first\nto reject a request short-circuits the chain. Processors may run on the\nrequest or response side, or both; see `Processor.methods`.", "type": "array", "items": { "$ref": "#/$defs/Processor" } } }, "additionalProperties": false, "required": [ "processors" ] }, "Processor": { "type": "object", "properties": { "methods": { "description": "Allowlist: only methods listed here run through this processor, at the\nconfigured phase. Keys may be exact (`tools/call`), prefix (`tools/*`),\nor suffix (`*/list`) wildcards, or `*` for all methods. Methods matching\nno key bypass this processor; see [`phase::resolve`] for match precedence.", "type": "object", "additionalProperties": { "$ref": "#/$defs/Phase" } } }, "oneOf": [ { "type": "object", "properties": { "policies": { "description": "Policies to connect to the backend.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when the processor is unavailable or returns an error.", "$ref": "#/$defs/FailureMode", "default": "failClosed" }, "metadata": { "description": "CEL expressions evaluated per request and sent to the processor as metadata.", "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } }, "requestHeaders": { "description": "Which incoming request headers are forwarded to the policy server.", "$ref": "#/$defs/HeaderFilter" }, "kind": { "type": "string", "const": "remote" } }, "required": [ "kind" ], "oneOf": [ { "description": "Service reference. 
Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] } ] }, "Phase": { "type": "string", "enum": [ "off", "request", "response", "full" ] }, "SimpleLocalBackendPolicies": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Modify request headers before forwarding to this backend.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify request and response data for this backend.", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "TLS settings used when connecting to this backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendAuth": { "description": "Authentication credentials sent to this backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuthCompat" }, { "type": "null" } ], "default": null }, "http": { "description": "HTTP protocol settings for this backend.", "anyOf": [ { "$ref": "#/$defs/HTTP" }, { "type": "null" } ], "default": null }, "tcp": { "description": "TCP protocol settings for this backend.", "anyOf": [ { "$ref": "#/$defs/TCP" }, { "type": "null" } ], "default": null }, "backendTunnel": { "description": "Tunnel settings used when connecting to this 
backend.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalTransformationConfig": { "type": "object", "properties": { "request": { "description": "Transform the request before it is forwarded.", "anyOf": [ { "$ref": "#/$defs/LocalTransform" }, { "type": "null" } ] }, "response": { "description": "Transform the response before it is returned.", "anyOf": [ { "$ref": "#/$defs/LocalTransform" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalTransform": { "type": "object", "properties": { "add": { "description": "Headers to append using CEL expressions for values.", "type": "object", "additionalProperties": { "type": "string" }, "default": {} }, "set": { "description": "Headers to set using CEL expressions for values.", "type": "object", "additionalProperties": { "type": "string" }, "default": {} }, "remove": { "description": "Header names to remove.", "type": "array", "items": { "type": "string" }, "default": [] }, "body": { "description": "CEL expression that computes a replacement body.", "type": [ "string", "null" ], "default": null }, "metadata": { "description": "Metadata values to add using CEL expressions.", "type": "object", "additionalProperties": { "type": "string" }, "default": {} } }, "additionalProperties": false }, "LocalBackendTLS": { "type": "object", "properties": { "cert": { "description": "Client certificate file to present to the backend.", "type": [ "string", "null" ] }, "key": { "description": "Private key file for the client certificate.", "type": [ "string", "null" ] }, "root": { "description": "Root certificate bundle used to verify the backend certificate.", "type": [ "string", "null" ] }, "hostname": { "description": "Server name to use for TLS verification and SNI.", "type": [ "string", "null" ] }, "insecure": { "description": "Skip certificate trust verification for the backend connection. When true, the backend certificate is not validated against a trusted root, so the backend is not authenticated.", "type": "boolean", "default": false }, "insecureHost": { 
"description": "Skip hostname verification for the backend certificate.", "type": "boolean", "default": false }, "alpn": { "description": "ALPN protocols to offer to the backend.", "type": [ "array", "null" ], "items": { "type": "string" }, "default": null }, "subjectAltNames": { "description": "Additional subject alternative names accepted for the backend certificate.", "type": [ "array", "null" ], "items": { "type": "string" }, "default": null }, "keyExchangeGroups": { "description": "Key exchange groups allowed for negotiating TLS.", "type": [ "array", "null" ], "items": { "$ref": "#/$defs/KeyExchangeGroup" }, "default": null } }, "additionalProperties": false }, "KeyExchangeGroup": { "type": "string", "enum": [ "X25519", "P-256", "P-384", "X25519_MLKEM768" ] }, "BackendAuthCompat": { "anyOf": [ { "type": "object", "properties": { "key": { "$ref": "#/$defs/FileOrInline" } }, "required": [ "key" ] }, { "$ref": "#/$defs/BackendAuth" } ] }, "FileOrInline": { "anyOf": [ { "type": "object", "properties": { "file": { "type": "string" } }, "required": [ "file" ] }, { "type": "string" } ] }, "BackendAuth": { "oneOf": [ { "description": "Forward the validated incoming JWT to the backend.", "type": "object", "properties": { "passthrough": { "type": "object", "properties": { "location": { "description": "Where to place the forwarded credential in the backend request.", "anyOf": [ { "$ref": "#/$defs/AuthorizationLocation" }, { "type": "null" } ] } }, "additionalProperties": false } }, "required": [ "passthrough" ], "additionalProperties": false }, { "description": "Send a configured secret value to the backend.", "type": "object", "properties": { "key": { "type": "object", "properties": { "value": { "description": "Secret value to send to the backend.", "$ref": "#/$defs/FileOrInline" }, "location": { "description": "Where to place the secret in the backend request.", "anyOf": [ { "$ref": "#/$defs/AuthorizationLocation" }, { "type": "null" } ] } }, "additionalProperties": 
false, "required": [ "value" ] } }, "required": [ "key" ], "additionalProperties": false }, { "description": "Authenticate to Google Cloud services.", "type": "object", "properties": { "gcp": { "$ref": "#/$defs/GcpAuth" } }, "required": [ "gcp" ], "additionalProperties": false }, { "description": "Sign backend requests with AWS credentials.", "type": "object", "properties": { "aws": { "$ref": "#/$defs/AwsAuth" } }, "required": [ "aws" ], "additionalProperties": false }, { "description": "Authenticate to Azure services.", "type": "object", "properties": { "azure": { "$ref": "#/$defs/AzureAuth" } }, "required": [ "azure" ], "additionalProperties": false }, { "description": "Authenticate to GitHub Copilot.", "type": "string", "const": "copilot" }, { "type": "object", "properties": { "oAuthTokenExchange": { "$ref": "#/$defs/OAuthTokenExchangeAuth" } }, "required": [ "oAuthTokenExchange" ], "additionalProperties": false } ] }, "AuthorizationLocation": { "oneOf": [ { "description": "Read the credential from an HTTP header.", "type": "object", "properties": { "header": { "type": "object", "properties": { "name": { "description": "Header name containing the credential.", "type": "string" }, "prefix": { "description": "Prefix to remove from the header value before validation, such as `Bearer ` or `Basic `.", "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "name" ] } }, "required": [ "header" ], "additionalProperties": false }, { "description": "Read the credential from a URL query parameter.", "type": "object", "properties": { "queryParameter": { "type": "object", "properties": { "name": { "description": "Query parameter name containing the credential.", "type": "string" } }, "additionalProperties": false, "required": [ "name" ] } }, "required": [ "queryParameter" ], "additionalProperties": false }, { "description": "Read the credential from a request cookie.", "type": "object", "properties": { "cookie": { "type": "object", "properties": { 
"name": { "description": "Cookie name containing the credential.", "type": "string" } }, "additionalProperties": false, "required": [ "name" ] } }, "required": [ "cookie" ], "additionalProperties": false }, { "description": "Read the credential from a CEL expression evaluated against the incoming request.", "type": "object", "properties": { "expression": { "type": "object", "properties": { "expression": { "description": "CEL expression that returns the credential string. This location can extract credentials but cannot insert them.", "$ref": "#/$defs/Expression" } }, "additionalProperties": false, "required": [ "expression" ] } }, "required": [ "expression" ], "additionalProperties": false } ] }, "GcpAuth": { "anyOf": [ { "description": "Fetch an id token", "type": "object", "properties": { "type": { "$ref": "#/$defs/IdToken" }, "audience": { "description": "Audience for the token. If not set, the destination host will be used.", "type": [ "string", "null" ] }, "credential": { "description": "ADC-compatible Google credential JSON. If not set, ambient credentials are used.", "anyOf": [ { "$ref": "#/$defs/FileOrInline" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "type" ] }, { "description": "Fetch an access token", "type": "object", "properties": { "type": { "anyOf": [ { "$ref": "#/$defs/AccessToken" }, { "type": "null" } ], "default": null }, "credential": { "description": "ADC-compatible Google credential JSON. 
If not set, ambient credentials are used.", "anyOf": [ { "$ref": "#/$defs/FileOrInline" }, { "type": "null" } ] } }, "additionalProperties": false } ] }, "IdToken": { "type": "string", "format": "const", "const": "idToken" }, "AccessToken": { "type": "string", "format": "const", "const": "accessToken" }, "AwsAuth": { "anyOf": [ { "description": "Use explicit AWS credentials", "type": "object", "properties": { "accessKeyId": { "type": "string" }, "secretAccessKey": { "type": "string" }, "region": { "type": [ "string", "null" ] }, "sessionToken": { "type": [ "string", "null" ] }, "serviceName": { "description": "AWS SigV4 signing service name (for example, \"bedrock\", \"bedrock-agentcore\", or \"execute-api\").", "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "accessKeyId", "secretAccessKey" ] }, { "description": "Use implicit AWS authentication (environment variables, IAM roles, etc.)", "type": "object", "properties": { "serviceName": { "description": "AWS SigV4 signing service name (for example, \"bedrock\", \"bedrock-agentcore\", or \"execute-api\").", "type": [ "string", "null" ] }, "assumeRole": { "description": "Optional AWS STS role to assume before signing requests.", "anyOf": [ { "$ref": "#/$defs/AwsAssumeRole" }, { "type": "null" } ] } }, "additionalProperties": false } ] }, "AwsAssumeRole": { "type": "object", "properties": { "roleArn": { "description": "AWS IAM role ARN to assume.", "type": "string" } }, "additionalProperties": false, "required": [ "roleArn" ] }, "AzureAuth": { "oneOf": [ { "description": "Use explicit Azure credentials", "type": "object", "properties": { "explicitConfig": { "type": "object", "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "clientSecret": { "type": "object", "properties": { "tenant_id": { "type": "string" }, "client_id": { "type": "string" }, "client_secret": { "type": "string" } }, "additionalProperties": false, "required": [ "tenant_id", "client_id", 
"client_secret" ] } }, "required": [ "clientSecret" ] }, { "type": "object", "properties": { "managedIdentity": { "type": "object", "properties": { "userAssignedIdentity": { "anyOf": [ { "$ref": "#/$defs/AzureUserAssignedIdentity" }, { "type": "null" } ] } }, "additionalProperties": false } }, "required": [ "managedIdentity" ] }, { "type": "object", "properties": { "workloadIdentity": { "type": "object", "additionalProperties": false } }, "required": [ "workloadIdentity" ] } ] } }, "required": [ "explicitConfig" ], "additionalProperties": false }, { "description": "Use implicit Azure auth. Note that this is for developer use-cases only!", "type": "object", "properties": { "developerImplicit": { "type": "object", "additionalProperties": false } }, "required": [ "developerImplicit" ], "additionalProperties": false }, { "description": "Automatically detect authentication method based on environment.\nUses Workload Identity on K8s, Managed Identity on Azure VMs, or Developer Tools locally.", "type": "object", "properties": { "implicit": { "type": "object", "additionalProperties": false } }, "required": [ "implicit" ], "additionalProperties": false } ] }, "AzureUserAssignedIdentity": { "oneOf": [ { "type": "object", "properties": { "clientId": { "type": "string" } }, "required": [ "clientId" ], "additionalProperties": false }, { "type": "object", "properties": { "objectId": { "type": "string" } }, "required": [ "objectId" ], "additionalProperties": false }, { "type": "object", "properties": { "resourceId": { "type": "string" } }, "required": [ "resourceId" ], "additionalProperties": false } ] }, "OAuthTokenExchangeAuth": { "type": "object", "properties": { "tokenEndpoint": { "description": "Backend serving the RFC 8693 token endpoint.", "$ref": "#/$defs/SimpleLocalBackendSerde" }, "tokenEndpointPath": { "description": "Token endpoint path on the backend; defaults to \"/\".", "type": "string" }, "audiences": { "description": "`audience` parameters naming the target 
services at the authorization server.", "type": "array", "items": { "type": "string" } }, "scopes": { "description": "`scope` values for the requested token, sent space-delimited.", "type": "array", "items": { "type": "string" } }, "resources": { "description": "`resource` parameters with the target service URIs.", "type": "array", "items": { "type": "string" } }, "requestedTokenType": { "description": "`requested_token_type` parameter; the server picks when unset.", "type": [ "string", "null" ] }, "clientAuth": { "anyOf": [ { "$ref": "#/$defs/OAuthClientAuth" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "tokenEndpoint" ] }, "OAuthClientAuth": { "type": "object", "properties": { "clientId": { "description": "`client_id` parameter identifying the gateway at the authorization server.", "type": "string" } }, "additionalProperties": false, "required": [ "clientId" ] }, "HTTP": { "type": "object", "properties": { "version": { "description": "HTTP version to use when connecting to the backend.", "type": [ "string", "null" ], "default": null }, "requestTimeout": { "description": "Maximum time allowed for a backend HTTP request.", "type": [ "string", "null" ] } }, "additionalProperties": false }, "TCP": { "type": "object", "properties": { "keepalives": { "description": "TCP keepalive settings for backend connections.", "$ref": "#/$defs/KeepaliveConfig" }, "connectTimeout": { "description": "Maximum time allowed to establish a backend TCP connection.", "$ref": "#/$defs/Duration" } }, "additionalProperties": false, "required": [ "keepalives", "connectTimeout" ] }, "Duration": { "type": "object", "properties": { "secs": { "type": "integer", "format": "uint64", "minimum": 0 }, "nanos": { "type": "integer", "format": "uint32", "minimum": 0 } }, "required": [ "secs", "nanos" ] }, "Tunnel": { "type": "object", "properties": { "proxy": { "description": "Proxy backend used to tunnel the connection.", "$ref": "#/$defs/SimpleLocalBackendSerde" } }, 
"additionalProperties": false, "required": [ "proxy" ] }, "FailureMode": { "type": "string", "enum": [ "failClosed", "failOpen" ] }, "HeaderFilter": { "description": "Allow/deny filter over request headers, mirroring ext_authz: empty `allowed`\nforwards every header plus all pseudo-headers (`:authority`, `:method`, ...);\na non-empty `allowed` forwards only the listed names. `disallowed` always\nwins. Header names match case-insensitively; pseudo-headers match exactly.", "type": "object", "properties": { "allowed": { "type": "array", "items": { "$ref": "#/$defs/HeaderOrPseudo" } }, "disallowed": { "type": "array", "items": { "$ref": "#/$defs/HeaderOrPseudo" } } }, "additionalProperties": false }, "HeaderOrPseudo": { "type": "string" }, "Authorization": { "$ref": "#/$defs/RuleSet" }, "LocalMcpAuthentication": { "type": "object", "properties": { "issuer": { "description": "Expected token issuer, matched against the JWT `iss` claim.", "type": "string" }, "audiences": { "description": "Accepted token audiences, matched against the JWT `aud` claim.", "type": "array", "items": { "type": "string" } }, "provider": { "description": "Identity provider type used to derive MCP authorization metadata and default JWKS URLs.", "anyOf": [ { "$ref": "#/$defs/McpIDP" }, { "type": "null" } ] }, "resourceMetadata": { "description": "Protected resource metadata returned to MCP clients.", "$ref": "#/$defs/ResourceMetadata" }, "jwks": { "description": "JSON Web Key Set used to verify token signatures. 
Can be inline, from a file, or fetched remotely.", "$ref": "#/$defs/FileInlineOrRemote" }, "mode": { "description": "Controls whether MCP requests must include a valid JWT.", "$ref": "#/$defs/McpAuthenticationMode", "default": "strict" }, "authorizationLocation": { "description": "Where to read the JWT from in incoming MCP requests.", "$ref": "#/$defs/AuthorizationLocation", "default": { "header": { "name": "authorization", "prefix": "Bearer " } } }, "jwtValidationOptions": { "description": "Claim requirements to enforce after the token signature is verified.", "$ref": "#/$defs/JWTValidationOptions" }, "clientId": { "description": "OAuth client ID advertised to MCP clients when needed.", "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "issuer", "audiences", "resourceMetadata", "jwks" ] }, "McpIDP": { "oneOf": [ { "type": "object", "properties": { "auth0": { "type": "object", "additionalProperties": false } }, "required": [ "auth0" ], "additionalProperties": false }, { "type": "object", "properties": { "keycloak": { "type": "object", "additionalProperties": false } }, "required": [ "keycloak" ], "additionalProperties": false }, { "type": "object", "properties": { "okta": { "type": "object", "additionalProperties": false } }, "required": [ "okta" ], "additionalProperties": false } ] }, "ResourceMetadata": { "type": "object", "additionalProperties": true }, "FileInlineOrRemote": { "anyOf": [ { "type": "object", "properties": { "file": { "type": "string" } }, "required": [ "file" ] }, { "type": "string" }, { "type": "object", "properties": { "url": { "type": "string" } }, "required": [ "url" ] } ] }, "McpAuthenticationMode": { "oneOf": [ { "description": "A valid token, issued by a configured issuer, must be present.\nThis is the default option.", "type": "string", "const": "strict" }, { "description": "If a token exists, validate it.\nWarning: this allows requests without a JWT token! 
Additionally, 401 errors will not be returned,\nso clients will not be prompted to initiate an OAuth flow.", "type": "string", "const": "optional" }, { "description": "Requests are never rejected, whether the token is missing or invalid. This is useful when claims are used in later steps (authorization, logging, etc).\nWarning: this allows requests without a JWT! Additionally, 401 errors will not be returned,\nso clients will not be prompted to initiate an OAuth flow.", "type": "string", "const": "permissive" } ] }, "JWTValidationOptions": { "description": "JWT validation options controlling which claims must be present in a token.\n\nThe `requiredClaims` set specifies which RFC 7519 registered claims must\nexist in the token payload before validation proceeds. Only the following\nvalues are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered\nclaims such as `iat` and `jti` are **not** enforced by the underlying\n`jsonwebtoken` library and will be silently ignored.\n\nThis only enforces **presence**. Standard claims like `exp` and `nbf`\nhave their values validated independently (e.g., expiry is always checked\nwhen the `exp` claim is present, regardless of this setting).\n\nDefaults to `[\"exp\"]`.", "type": "object", "properties": { "requiredClaims": { "description": "Claims that must be present in the token before validation.\nOnly \"exp\", \"nbf\", \"aud\", \"iss\", \"sub\" are enforced; others\n(including \"iat\" and \"jti\") are ignored.\nDefaults to [\"exp\"]. 
Use an empty list to require no claims; a token that omits \"exp\" is then accepted without an expiry check.", "type": "array", "uniqueItems": true, "items": { "type": "string" }, "default": [ "exp" ] } }, "additionalProperties": false }, "A2aPolicy": { "type": "object", "additionalProperties": false }, "Policy": { "type": "object", "properties": { "promptGuard": { "description": "Prompt and response guardrails to apply to LLM traffic.", "anyOf": [ { "$ref": "#/$defs/PromptGuard" }, { "type": "null" } ] }, "defaults": { "description": "Default request body values added only when the client did not provide them.", "type": [ "object", "null" ], "additionalProperties": true }, "overrides": { "description": "Request body values that replace client-provided values.", "type": [ "object", "null" ], "additionalProperties": true }, "transformations": { "description": "Request body values computed from CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "prompts": { "description": "Messages to add before or after the client prompt.", "anyOf": [ { "$ref": "#/$defs/PromptEnrichment" }, { "type": "null" } ] }, "modelAliases": { "description": "Model name aliases that rewrite requested model names.", "type": "object", "additionalProperties": { "type": "string" } }, "promptCaching": { "description": "Prompt caching settings for providers that support cache markers.", "anyOf": [ { "$ref": "#/$defs/PromptCachingConfig" }, { "type": "null" } ] }, "routes": { "description": "Route type overrides selected by request path suffix.", "type": "object", "additionalProperties": { "$ref": "#/$defs/RouteType" } } }, "additionalProperties": false }, "PromptGuard": { "type": "object", "properties": { "streaming": { "description": "Apply prompt guards to streaming responses and realtime websocket messages.", "$ref": "#/$defs/PromptGuardStreamingMode" }, "request": { "description": "Guards applied to client requests before they reach the LLM.", "type": "array", "items": { "$ref": "#/$defs/RequestGuard" } }, 
"response": { "description": "Guards applied to LLM responses before they reach the client.", "type": "array", "items": { "$ref": "#/$defs/ResponseGuard" } } }, "additionalProperties": false }, "PromptGuardStreamingMode": { "oneOf": [ { "description": "Do not apply prompt guards to streaming responses or realtime websocket messages.", "type": "string", "const": "Disabled" }, { "description": "Apply prompt guards to streaming responses and realtime websocket messages.", "type": "string", "const": "Enabled" } ] }, "RequestGuard": { "type": "object", "properties": { "rejection": { "description": "Response returned when the request is rejected.", "$ref": "#/$defs/RequestRejection", "default": { "body": "The request was rejected due to inappropriate content", "status": 403 } } }, "unevaluatedProperties": false, "oneOf": [ { "description": "Apply regex-based masking or rejection rules.", "type": "object", "properties": { "regex": { "$ref": "#/$defs/RegexRules" } }, "required": [ "regex" ] }, { "description": "Call a webhook to evaluate the prompt.", "type": "object", "properties": { "webhook": { "$ref": "#/$defs/Webhook" } }, "required": [ "webhook" ] }, { "description": "Use OpenAI moderation to evaluate the prompt.", "type": "object", "properties": { "openAIModeration": { "$ref": "#/$defs/Moderation" } }, "required": [ "openAIModeration" ] }, { "description": "Use AWS Bedrock Guardrails to evaluate the prompt.", "type": "object", "properties": { "bedrockGuardrails": { "$ref": "#/$defs/BedrockGuardrails" } }, "required": [ "bedrockGuardrails" ] }, { "description": "Use Google Model Armor to evaluate the prompt.", "type": "object", "properties": { "googleModelArmor": { "$ref": "#/$defs/GoogleModelArmor" } }, "required": [ "googleModelArmor" ] }, { "description": "Use Azure Content Safety to evaluate the prompt.", "type": "object", "properties": { "azureContentSafety": { "$ref": "#/$defs/AzureContentSafety" } }, "required": [ "azureContentSafety" ] } ] }, 
"RequestRejection": { "type": "object", "properties": { "body": { "description": "Response body returned when content is rejected.", "$ref": "#/$defs/Bytes", "default": "The request was rejected due to inappropriate content" }, "status": { "description": "HTTP status code returned when content is rejected.", "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535, "default": 403 }, "headers": { "description": "Headers to add, set, or remove from the rejection response.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ] } }, "additionalProperties": false }, "RegexRules": { "type": "object", "properties": { "action": { "description": "Action to take when a regex rule matches.", "$ref": "#/$defs/Action", "default": "mask" }, "rules": { "description": "Regex or built-in patterns to evaluate.", "type": "array", "items": { "$ref": "#/$defs/RegexRule" } } }, "additionalProperties": false, "required": [ "rules" ] }, "Action": { "oneOf": [ { "description": "Replace matching content with masked text.", "type": "string", "const": "mask" }, { "description": "Reject the request or response when content matches.", "type": "string", "const": "reject" } ] }, "RegexRule": { "anyOf": [ { "description": "Use a built-in sensitive data pattern.", "type": "object", "properties": { "builtin": { "description": "Built-in pattern name.", "$ref": "#/$defs/Builtin" } }, "additionalProperties": false, "required": [ "builtin" ] }, { "description": "Use a custom regular expression.", "type": "object", "properties": { "pattern": { "description": "Regular expression pattern to evaluate.", "type": "string" } }, "additionalProperties": false, "required": [ "pattern" ] } ] }, "Builtin": { "oneOf": [ { "description": "U.S. 
Social Security number pattern.", "type": "string", "const": "ssn" }, { "description": "Credit card number pattern.", "type": "string", "const": "creditCard" }, { "description": "Phone number pattern.", "type": "string", "const": "phoneNumber" }, { "description": "Email address pattern.", "type": "string", "const": "email" }, { "description": "Canadian Social Insurance Number pattern.", "type": "string", "const": "caSin" } ] }, "Webhook": { "type": "object", "properties": { "target": { "description": "Backend that receives guardrail webhook requests.", "$ref": "#/$defs/SimpleLocalBackendSerde" }, "forwardHeaderMatches": { "description": "Incoming request headers to forward to the webhook.", "type": "array", "items": { "$ref": "#/$defs/HeaderMatch" } }, "failureMode": { "description": "Behavior when the webhook is unreachable or returns an error.\nDefaults to `failClosed`.", "$ref": "#/$defs/WebhookFailureMode" } }, "additionalProperties": false, "required": [ "target" ] }, "WebhookFailureMode": { "description": "Defines how the proxy behaves when a webhook guardrail is unreachable or\nreturns an error.\n\nDefaults to `failClosed`. When failing closed, the error is propagated and\nthe LLM request is rejected. When failing open, the request is allowed\nthrough despite the webhook failure.", "oneOf": [ { "description": "Reject the request when the webhook guardrail is unavailable (default).", "type": "string", "const": "failClosed" }, { "description": "Allow the request through when the webhook guardrail is unavailable.", "type": "string", "const": "failOpen" } ] }, "Moderation": { "type": "object", "properties": { "model": { "description": "Moderation model to use. 
Defaults to `omni-moderation-latest`.", "type": [ "string", "null" ] }, "policies": { "description": "Backend policies used when calling the moderation provider.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false }, "BedrockGuardrails": { "description": "Configuration for AWS Bedrock Guardrails integration.", "type": "object", "properties": { "guardrailIdentifier": { "description": "The unique identifier of the guardrail", "type": "string" }, "guardrailVersion": { "description": "The version of the guardrail", "type": "string" }, "region": { "description": "AWS region where the guardrail is deployed", "type": "string" }, "policies": { "description": "Backend policies for AWS authentication (optional, defaults to implicit AWS auth)", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "guardrailIdentifier", "guardrailVersion", "region" ] }, "GoogleModelArmor": { "description": "Configuration for Google Cloud Model Armor integration.", "type": "object", "properties": { "templateId": { "description": "The template ID for the Model Armor configuration", "type": "string" }, "projectId": { "description": "The GCP project ID", "type": "string" }, "location": { "description": "The GCP region (default: us-central1)", "type": [ "string", "null" ] }, "policies": { "description": "Backend policies for GCP authentication (optional, defaults to implicit GCP auth)", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "templateId", "projectId" ] }, "AzureContentSafety": { "description": "Configuration for Azure Content Safety integration.\n\nUses the Azure AI Content Safety APIs to detect harmful content\nand jailbreak attempts. 
The endpoint and authentication are shared\nacross all enabled features.", "type": "object", "properties": { "endpoint": { "description": "The Azure Content Safety endpoint hostname (e.g., \"<resource-name>.cognitiveservices.azure.com\")", "type": "string" }, "policies": { "description": "Backend policies for Azure authentication (optional, defaults to implicit Azure auth)", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "analyzeText": { "description": "Analyze Text configuration for detecting harmful content categories\n(Hate, SelfHarm, Sexual, Violence) and blocklist matches.", "anyOf": [ { "$ref": "#/$defs/AnalyzeTextConfig" }, { "type": "null" } ] }, "detectJailbreak": { "description": "Detect Text Jailbreak configuration for detecting jailbreak attempts.\nOnly applicable to request guards.", "anyOf": [ { "$ref": "#/$defs/DetectJailbreakConfig" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "endpoint" ] }, "AnalyzeTextConfig": { "description": "Configuration for the Analyze Text API.", "type": "object", "properties": { "severityThreshold": { "description": "Severity threshold (0-6 for FourSeverityLevels). Content at or above this level is blocked. 
Default: 2.", "type": [ "integer", "null" ], "format": "int32" }, "apiVersion": { "description": "API version to use (default: \"2024-09-01\")", "type": [ "string", "null" ] }, "blocklistNames": { "description": "Blocklist names to check against", "type": [ "array", "null" ], "items": { "type": "string" } }, "haltOnBlocklistHit": { "description": "When true, further analysis stops if a blocklist is hit", "type": [ "boolean", "null" ] } }, "additionalProperties": false }, "DetectJailbreakConfig": { "description": "Configuration for the Detect Jailbreak API.", "type": "object", "properties": { "apiVersion": { "description": "API version to use (default: \"2024-02-15-preview\")", "type": [ "string", "null" ] } }, "additionalProperties": false }, "ResponseGuard": { "type": "object", "properties": { "rejection": { "description": "Response returned when the LLM response is rejected.", "$ref": "#/$defs/RequestRejection", "default": { "body": "The request was rejected due to inappropriate content", "status": 403 } } }, "unevaluatedProperties": false, "oneOf": [ { "description": "Apply regex-based masking or rejection rules.", "type": "object", "properties": { "regex": { "$ref": "#/$defs/RegexRules" } }, "required": [ "regex" ] }, { "description": "Call a webhook to evaluate the response.", "type": "object", "properties": { "webhook": { "$ref": "#/$defs/Webhook" } }, "required": [ "webhook" ] }, { "description": "Use AWS Bedrock Guardrails to evaluate the response.", "type": "object", "properties": { "bedrockGuardrails": { "$ref": "#/$defs/BedrockGuardrails" } }, "required": [ "bedrockGuardrails" ] }, { "description": "Use Google Model Armor to evaluate the response.", "type": "object", "properties": { "googleModelArmor": { "$ref": "#/$defs/GoogleModelArmor" } }, "required": [ "googleModelArmor" ] }, { "description": "Use Azure Content Safety to evaluate the response.", "type": "object", "properties": { "azureContentSafety": { "$ref": "#/$defs/AzureContentSafety" } }, 
"required": [ "azureContentSafety" ] } ] }, "PromptEnrichment": { "type": "object", "properties": { "append": { "description": "Messages appended to the end of each chat request.", "type": "array", "items": { "$ref": "#/$defs/SimpleChatCompletionMessage" } }, "prepend": { "description": "Messages prepended to the beginning of each chat request.", "type": "array", "items": { "$ref": "#/$defs/SimpleChatCompletionMessage" } } }, "additionalProperties": false }, "SimpleChatCompletionMessage": { "description": "SimpleChatCompletionMessage is a simplified chat message", "type": "object", "properties": { "role": { "type": "string" }, "content": { "type": "string" } }, "additionalProperties": false, "required": [ "role", "content" ] }, "PromptCachingConfig": { "type": "object", "properties": { "cacheSystem": { "description": "Add cache markers to system prompts when supported by the provider.", "type": "boolean", "default": true }, "cacheMessages": { "description": "Add cache markers to chat messages when supported by the provider.", "type": "boolean", "default": true }, "cacheTools": { "description": "Add cache markers to tool definitions when supported by the provider.", "type": "boolean", "default": false }, "minTokens": { "description": "Minimum prompt size required before cache markers are added.", "type": [ "integer", "null" ], "format": "uint", "minimum": 0, "default": 1024 }, "cacheMessageOffset": { "description": "Message offset used when choosing where to place cache markers.", "type": "integer", "format": "uint", "minimum": 0, "default": 0 } }, "additionalProperties": false }, "RouteType": { "oneOf": [ { "description": "OpenAI /v1/chat/completions", "type": "string", "const": "completions" }, { "description": "Anthropic /v1/messages", "type": "string", "const": "messages" }, { "description": "OpenAI /v1/models", "type": "string", "const": "models" }, { "description": "Send the request to the upstream LLM provider as-is", "type": "string", "const": "passthrough" 
}, { "description": "Send the request to the upstream LLM provider as-is but attempt to extract information from it\nand apply a subset of policies (rate limit and telemetry; no guardrails).", "type": "string", "const": "detect" }, { "description": "OpenAI /responses", "type": "string", "const": "responses" }, { "description": "OpenAI /embeddings", "type": "string", "const": "embeddings" }, { "description": "OpenAI /realtime (websockets)", "type": "string", "const": "realtime" }, { "description": "Anthropic /v1/messages/count_tokens", "type": "string", "const": "anthropicTokenCount" }, { "description": "Cohere /v2/rerank (document reranking)", "type": "string", "const": "rerank" } ] }, "LocalRateLimitPolicy": { "anyOf": [ { "$ref": "#/$defs/LocalConditionalPolicies_RateLimitSpec" }, { "type": "array", "items": { "$ref": "#/$defs/RateLimitSpec" } } ] }, "LocalConditionalPolicies_RateLimitSpec": { "type": "object", "properties": { "conditional": { "description": "conditional policy entries. An entry without a condition must be the final fallback.", "type": "array", "items": { "$ref": "#/$defs/LocalConditionalPolicy_RateLimitSpec" } } }, "additionalProperties": false, "required": [ "conditional" ] }, "LocalConditionalPolicy_RateLimitSpec": { "type": "object", "properties": { "condition": { "description": "condition must evaluate to true for this policy to execute. 
If unset, the policy is the fallback.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "maxTokens": { "description": "Maximum number of tokens that can accumulate in the local bucket.", "type": "integer", "format": "uint64", "minimum": 0, "default": 0 }, "tokensPerFill": { "description": "Number of tokens added to the local bucket each fill interval.", "type": "integer", "format": "uint64", "minimum": 0, "default": 0 }, "fillInterval": { "description": "How often the local bucket is refilled.", "type": "string" }, "type": { "description": "Whether this limit counts requests or LLM tokens.", "$ref": "#/$defs/RateLimitType", "default": "requests" } }, "required": [ "fillInterval" ] }, "RateLimitType": { "oneOf": [ { "description": "Count each request as one unit.", "type": "string", "const": "requests" }, { "description": "Count LLM token usage.", "type": "string", "const": "tokens" } ] }, "RateLimitSpec": { "type": "object", "properties": { "maxTokens": { "description": "Maximum number of tokens that can accumulate in the local bucket.", "type": "integer", "format": "uint64", "minimum": 0, "default": 0 }, "tokensPerFill": { "description": "Number of tokens added to the local bucket each fill interval.", "type": "integer", "format": "uint64", "minimum": 0, "default": 0 }, "fillInterval": { "description": "How often the local bucket is refilled.", "type": "string" }, "type": { "description": "Whether this limit counts requests or LLM tokens.", "$ref": "#/$defs/RateLimitType", "default": "requests" } }, "additionalProperties": false, "required": [ "fillInterval" ] }, "LocalExplicitOrConditional_RemoteRateLimit": { "anyOf": [ { "$ref": "#/$defs/LocalConditionalPolicies_RemoteRateLimit" }, { "$ref": "#/$defs/RemoteRateLimit" } ] }, "LocalConditionalPolicies_RemoteRateLimit": { "type": "object", "properties": { "conditional": { "description": "conditional policy entries. 
An entry without a condition must be the final fallback.", "type": "array", "items": { "$ref": "#/$defs/LocalConditionalPolicy_RemoteRateLimit" } } }, "additionalProperties": false, "required": [ "conditional" ] }, "LocalConditionalPolicy_RemoteRateLimit": { "type": "object", "properties": { "condition": { "description": "condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "domain": { "description": "Rate limit domain sent to the remote rate limit service.", "type": "string" }, "policies": { "description": "Backend policies used when connecting to the remote rate limit service.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "descriptors": { "description": "Descriptors sent to the remote rate limit service.", "$ref": "#/$defs/DescriptorSet" }, "failureMode": { "description": "Behavior when the remote rate limit service is unavailable or returns an error.\nDefaults to failClosed, denying requests with a 500 status on service failure.", "$ref": "#/$defs/RemoteRateLimitFailureMode", "default": "failClosed" } }, "required": [ "domain", "descriptors" ], "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "DescriptorSet": { "type": "array", "items": { "$ref": "#/$defs/DescriptorEntry" } }, "DescriptorEntry": { "type": "object", "properties": { "entries": { "description": "Descriptor key/value entries. Values are CEL expressions evaluated from the request.", "type": "array", "items": { "$ref": "#/$defs/KV" } }, "type": { "description": "Whether this descriptor limits requests or LLM tokens.", "$ref": "#/$defs/RateLimitType", "default": "requests" }, "cost": { "description": "cost determines the optional expression to determine the cost of the request.\nIf unset, type `requests` defaults to `1`, and type `tokens` defaults to `llm.totalTokens`.\nIf the expression fails to evaluate, the descriptor is skipped.\nCosts for type `requests` are evaluated during request processing. Costs for type `tokens`\nare evaluated upon request completion.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "limitOverride": { "description": "limitOverride determines the optional expression to determine the limit of the request.\nThis tells the remote server what limit to apply to the request.\nNote: this does not specify the *cost* of the request, which is done by the `cost` field.\nThe expression must evaluate to a map with `unit` and `requestsPerUnit` keys. 
For example:\n`{\"unit\":\"second\",\"requestsPerUnit\":100}`.\nValid units: second, minute, hour, day, month, year\nIf the expression fails to evaluate, the descriptor is skipped.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "entries" ] }, "KV": { "type": "object", "properties": { "key": { "description": "Descriptor entry key sent to the remote rate limit service.", "type": "string" }, "value": { "description": "CEL expression used to compute the descriptor entry value.", "type": "string" } }, "required": [ "key", "value" ] }, "RemoteRateLimitFailureMode": { "description": "Defines how the proxy behaves when the remote rate limit service is\nunavailable or returns an error.\n\nDefaults to `FailClosed`. When failing closed, a 500 Internal Server Error\nis returned when the service is unavailable. When failing open, requests are\nallowed through despite the service failure.\n\n# Configuration\n\nBoth camelCase (`failOpen`, `failClosed`) and PascalCase (`FailOpen`,\n`FailClosed`) are accepted in configuration files", "oneOf": [ { "description": "Deny the request with a 500 status when the rate limit service is unavailable (default).", "type": "string", "const": "failClosed" }, { "description": "Deny the request with a 500 status when the rate limit service is unavailable (default).", "type": "string", "const": "FailClosed" }, { "description": "Allow the request through when the rate limit service is unavailable.", "type": "string", "const": "failOpen" }, { "description": "Allow the request through when the rate limit service is unavailable.", "type": "string", "const": "FailOpen" } ] }, "RemoteRateLimit": { "type": "object", "properties": { "domain": { "description": "Rate limit domain sent to the remote rate limit service.", "type": "string" }, "policies": { "description": "Backend policies used when connecting to the remote rate limit service.", "anyOf": [ { "$ref": 
"#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "descriptors": { "description": "Descriptors sent to the remote rate limit service.", "$ref": "#/$defs/DescriptorSet" }, "failureMode": { "description": "Behavior when the remote rate limit service is unavailable or returns an error.\nDefaults to failClosed, denying requests with a 500 status on service failure.", "$ref": "#/$defs/RemoteRateLimitFailureMode", "default": "failClosed" } }, "required": [ "domain", "descriptors" ], "unevaluatedProperties": false, "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "LocalJwtConfig": { "anyOf": [ { "description": "Validate JWTs against one or more trusted token issuers.", "type": "object", "properties": { "mode": { "description": "Controls whether requests must include a JWT and how validation failures are handled.", "$ref": "#/$defs/Mode", "default": "optional" }, "location": { "description": "Where to read the JWT from in incoming requests.", "$ref": "#/$defs/AuthorizationLocation", "default": { "header": { "name": "authorization", "prefix": "Bearer " } } }, "providers": { "description": "Trusted issuers and their signing keys.", "type": "array", "items": { "$ref": "#/$defs/ProviderConfig" } } }, "additionalProperties": false, "required": [ "providers" ] }, { "description": "Validate JWTs against a single trusted token issuer.", "type": "object", "properties": { "mode": { "description": "Controls whether requests must include a JWT and how validation failures are handled.", "$ref": "#/$defs/Mode", "default": "optional" }, "location": { "description": "Where to read the JWT from in incoming requests.", "$ref": "#/$defs/AuthorizationLocation", "default": { "header": { "name": "authorization", "prefix": "Bearer " } } }, "issuer": { "description": "Expected token issuer, matched against the JWT `iss` claim.", "type": "string" }, "audiences": { "description": "Accepted token audiences, matched against the JWT `aud` claim when set.", "type": [ "array", "null" ], "items": { "type": "string" } }, "jwks": { "description": "JSON Web Key Set used to verify token signatures. 
Can be inline, from a file, or fetched remotely.", "$ref": "#/$defs/FileInlineOrRemote" }, "jwtValidationOptions": { "description": "Claim requirements to enforce after the token signature is verified.", "$ref": "#/$defs/JWTValidationOptions" } }, "additionalProperties": false, "required": [ "issuer", "jwks" ] } ] }, "Mode": { "oneOf": [ { "description": "Require a valid JWT from a configured issuer.", "type": "string", "const": "strict" }, { "description": "Validate the JWT when present.\nThis is the default option.\nWarning: this allows requests without a JWT.", "type": "string", "const": "optional" }, { "description": "Decode valid JWTs for later policy use.\nWarning: this allows requests with missing or invalid JWTs.", "type": "string", "const": "permissive" } ] }, "ProviderConfig": { "type": "object", "properties": { "issuer": { "description": "Expected token issuer, matched against the JWT `iss` claim.", "type": "string" }, "audiences": { "description": "Accepted token audiences, matched against the JWT `aud` claim when set.", "type": [ "array", "null" ], "items": { "type": "string" } }, "jwks": { "description": "JSON Web Key Set used to verify token signatures. Can be inline, from a file, or fetched remotely.", "$ref": "#/$defs/FileInlineOrRemote" }, "jwtValidationOptions": { "description": "Claim requirements to enforce after the token signature is verified.", "$ref": "#/$defs/JWTValidationOptions" } }, "additionalProperties": false, "required": [ "issuer", "jwks" ] }, "LocalOidcConfig": { "description": "Browser-based OIDC authentication policy.\n\nExplicit mode is still OIDC: it supplies provider metadata manually instead of using discovery.\nUnauthenticated non-callback requests always redirect to the provider login flow. 
Routes that\nneed non-redirect authentication behavior should use a different auth policy.", "type": "object", "properties": { "issuer": { "description": "Issuer used for discovery and ID token validation.", "type": "string" }, "discovery": { "description": "Optional discovery document override. If omitted, discovery uses\n`${issuer}/.well-known/openid-configuration`.", "anyOf": [ { "$ref": "#/$defs/FileInlineOrRemote" }, { "type": "null" } ] }, "authorizationEndpoint": { "description": "Authorization endpoint used to start the browser login flow.", "type": [ "string", "null" ], "default": null }, "tokenEndpoint": { "description": "Token endpoint used to exchange the authorization code.", "type": [ "string", "null" ], "default": null }, "tokenEndpointAuth": { "description": "Token endpoint client authentication method for explicit provider configuration.\n\nDiscovery mode derives this from provider metadata. Explicit mode defaults to\n`clientSecretBasic` when omitted.", "anyOf": [ { "$ref": "#/$defs/TokenEndpointAuth" }, { "type": "null" } ], "default": null }, "jwks": { "description": "JWKS source used to validate returned ID tokens.", "anyOf": [ { "$ref": "#/$defs/FileInlineOrRemote" }, { "type": "null" } ] }, "clientId": { "description": "OAuth2 client identifier used for authorization and token exchange.", "type": "string" }, "clientSecret": { "description": "OAuth2 client secret used for token exchange.", "type": "string" }, "redirectURI": { "description": "Absolute callback URI handled by the gateway.\nThis policy always redirects unauthenticated non-callback requests back through this login\nflow.", "type": "string" }, "scopes": { "description": "Additional OAuth2 scopes to request. 
`openid` is always included.", "type": "array", "items": { "type": "string" }, "default": [] } }, "additionalProperties": false, "required": [ "issuer", "clientId", "clientSecret", "redirectURI" ] }, "TokenEndpointAuth": { "type": "string", "enum": [ "clientSecretBasic", "clientSecretPost" ] }, "LocalBasicAuth": { "type": "object", "properties": { "htpasswd": { "description": "User database in htpasswd format. Can be inline or loaded from a file.", "$ref": "#/$defs/FileOrInline" }, "realm": { "description": "Realm shown in the `WWW-Authenticate` response header when credentials are missing or invalid.", "type": [ "string", "null" ], "default": null }, "mode": { "description": "Controls whether requests must include valid Basic Auth credentials.", "$ref": "#/$defs/BasicAuthMode", "default": "optional" }, "authorizationLocation": { "description": "Where to read the Basic Auth credentials from in incoming requests.", "$ref": "#/$defs/AuthorizationLocation", "default": { "header": { "name": "authorization", "prefix": "Basic " } } } }, "additionalProperties": false, "required": [ "htpasswd" ] }, "BasicAuthMode": { "description": "Validation mode for Basic Auth.", "oneOf": [ { "description": "Require a valid username and password.", "type": "string", "const": "strict" }, { "description": "Validate credentials when present.\nThis is the default option.\nWarning: this allows requests without Basic Auth credentials.", "type": "string", "const": "optional" } ] }, "LocalAPIKeys": { "type": "object", "properties": { "keys": { "description": "API keys that are accepted by this policy.", "type": "array", "items": { "$ref": "#/$defs/LocalAPIKey" } }, "mode": { "description": "Controls whether requests must include a valid API key.", "$ref": "#/$defs/APIKeyMode", "default": "optional" }, "location": { "description": "Where to read the API key from in incoming requests.", "$ref": "#/$defs/AuthorizationLocation", "default": { "header": { "name": "authorization", "prefix": "Bearer " 
} } } }, "additionalProperties": false, "required": [ "keys" ] }, "LocalAPIKey": { "anyOf": [ { "type": "object", "properties": { "key": { "description": "API key value to accept.", "$ref": "#/$defs/APIKey" }, "metadata": { "description": "Optional metadata attached to requests authenticated with this key." } }, "additionalProperties": false, "required": [ "key" ] }, { "type": "object", "properties": { "keyHash": { "description": "SHA-256 hash of an API key value to accept, in `sha256:<hex-digest>` format.", "$ref": "#/$defs/APIKeyHash" }, "metadata": { "description": "Optional metadata attached to requests authenticated with this key." } }, "additionalProperties": false, "required": [ "keyHash" ] } ] }, "APIKey": { "type": "string" }, "APIKeyHash": { "type": "string" }, "APIKeyMode": { "description": "Validation mode for API key authentication.", "oneOf": [ { "description": "Require a valid API key.", "type": "string", "const": "strict" }, { "description": "Validate the API key when present.\nThis is the default option.\nWarning: this allows requests without an API key.", "type": "string", "const": "optional" }, { "description": "Decode valid API keys for later policy use.\nWarning: this allows requests with missing or invalid API keys.", "type": "string", "const": "permissive" } ] }, "LocalExplicitOrConditional_ExtAuthz": { "anyOf": [ { "$ref": "#/$defs/LocalConditionalPolicies_ExtAuthz" }, { "$ref": "#/$defs/ExtAuthz" } ] }, "LocalConditionalPolicies_ExtAuthz": { "type": "object", "properties": { "conditional": { "description": "conditional policy entries. An entry without a condition must be the final fallback.", "type": "array", "items": { "$ref": "#/$defs/LocalConditionalPolicy_ExtAuthz" } } }, "additionalProperties": false, "required": [ "conditional" ] }, "LocalConditionalPolicy_ExtAuthz": { "type": "object", "properties": { "condition": { "description": "condition must evaluate to true for this policy to execute. 
If unset, the policy is the fallback.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "policies": { "description": "Backend policies used when connecting to the authorization service.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "protocol": { "description": "Protocol used to call the authorization service. Use gRPC unless the service only supports HTTP.", "$ref": "#/$defs/ExtAuthzProtocol", "default": { "grpc": {} } }, "failureMode": { "description": "Behavior when the authorization service is unavailable or returns an error.", "$ref": "#/$defs/ExtAuthzFailureMode", "default": "deny" }, "includeRequestHeaders": { "description": "Request headers to send to the authorization service.\nIf unset, gRPC sends all request headers and HTTP sends only `Authorization`.", "type": "array", "items": { "$ref": "#/$defs/HeaderOrPseudo" } }, "includeRequestBody": { "description": "Options for sending the request body to the authorization service.", "anyOf": [ { "$ref": "#/$defs/BodyOptions" }, { "type": "null" } ] }, "cache": { "description": "Cache authorization results using CEL expressions as the cache key.\nWarning: the safety of this feature depends on the cache key accurately capturing the fields\nthe server operates on. For example, if you return a different result based on header A but only\ncache header B, users may get incorrect cache hits.", "anyOf": [ { "$ref": "#/$defs/CacheConfig" }, { "type": "null" } ] } }, "oneOf": [ { "description": "Service reference. 
Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "ExtAuthzProtocol": { "oneOf": [ { "description": "Call the authorization service using the gRPC authorization protocol.", "type": "object", "properties": { "grpc": { "type": "object", "properties": { "context": { "description": "Static context values to send to the authorization service.\nMaps to the `context_extensions` field in the request.", "type": [ "object", "null" ], "additionalProperties": { "type": "string" } }, "metadata": { "description": "Metadata values to send to the authorization service, computed from CEL expressions.\nMaps to the `metadata_context.filter_metadata` field in the request.\nIf unset, `envoy.filters.http.jwt_authn` is set when JWT auth is also used, for compatibility.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } } }, "additionalProperties": false } }, "required": [ "grpc" ], "additionalProperties": false }, { "description": "Call the authorization service using HTTP.", "type": "object", "properties": { "http": { "type": "object", "properties": { "path": { "description": "CEL expression that computes the authorization request path.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "redirect": { "description": "CEL expression that 
computes a redirect URL when authorization fails.\nWhen the authorization service returns unauthorized, this redirects instead of returning the error directly.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "body": { "description": "CEL expression that computes the authorization request body.\nStrings and bytes are used directly; other values are JSON-encoded.\nIf set, this replaces forwarding the incoming request body.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "includeResponseHeaders": { "description": "Authorization response headers to copy into the backend request.", "type": "array", "items": { "type": "string" } }, "addRequestHeaders": { "description": "Headers to add to the authorization request using CEL expressions. Empty means all headers.", "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } }, "metadata": { "description": "Metadata values to expose under the `extauthz` variable after authorization.", "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } } }, "additionalProperties": false } }, "required": [ "http" ], "additionalProperties": false } ] }, "ExtAuthzFailureMode": { "oneOf": [ { "description": "Allow the request when the authorization service cannot make a decision.", "type": "string", "const": "allow" }, { "description": "Deny the request when the authorization service cannot make a decision.", "type": "string", "const": "deny" }, { "description": "Deny the request with the configured HTTP status code.", "type": "object", "properties": { "denyWithStatus": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "required": [ "denyWithStatus" ], "additionalProperties": false } ] }, "BodyOptions": { "type": "object", "properties": { "maxRequestBytes": { "description": "Maximum request body size to send to the authorization service. 
Defaults to 8192 bytes.", "type": "integer", "format": "uint32", "minimum": 0, "default": 0 }, "allowPartialMessage": { "description": "Whether to send a partial body when the request exceeds `maxRequestBytes`.", "type": "boolean", "default": false }, "packAsBytes": { "description": "Whether to send the body as raw bytes for gRPC authorization checks.", "type": "boolean", "default": false } }, "additionalProperties": false }, "CacheConfig": { "type": "object", "properties": { "key": { "description": "CEL expressions that make up the cache key. Empty keys are accepted, but do not produce cache hits.", "type": "array", "items": { "$ref": "#/$defs/Expression" } }, "ttl": { "description": "CEL expression that returns how long cached authorization results are reused.\nThe expression is evaluated after the authorization response has been applied\nto the request, and must return either a duration or timestamp.", "$ref": "#/$defs/Expression" }, "maxEntries": { "description": "Maximum number of authorization results to keep in the cache.", "type": "integer", "format": "uint", "minimum": 0, "default": 10000 } }, "additionalProperties": false, "required": [ "key", "ttl" ] }, "ExtAuthz": { "type": "object", "properties": { "policies": { "description": "Backend policies used when connecting to the authorization service.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "protocol": { "description": "Protocol used to call the authorization service. 
Use gRPC unless the service only supports HTTP.", "$ref": "#/$defs/ExtAuthzProtocol", "default": { "grpc": {} } }, "failureMode": { "description": "Behavior when the authorization service is unavailable or returns an error.", "$ref": "#/$defs/ExtAuthzFailureMode", "default": "deny" }, "includeRequestHeaders": { "description": "Request headers to send to the authorization service.\nIf unset, gRPC sends all request headers and HTTP sends only `Authorization`.", "type": "array", "items": { "$ref": "#/$defs/HeaderOrPseudo" } }, "includeRequestBody": { "description": "Options for sending the request body to the authorization service.", "anyOf": [ { "$ref": "#/$defs/BodyOptions" }, { "type": "null" } ] }, "cache": { "description": "Cache authorization results using CEL expressions as the cache key.\nWarning: the safety of this feature depends on the cache key accurately capturing the fields\nthe server operates on. For example, if you return a different result based on header A but only\ncache header B, users may get incorrect cache hits.", "anyOf": [ { "$ref": "#/$defs/CacheConfig" }, { "type": "null" } ] } }, "unevaluatedProperties": false, "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "LocalExplicitOrConditional_ExtProc": { "anyOf": [ { "$ref": "#/$defs/LocalConditionalPolicies_ExtProc" }, { "$ref": "#/$defs/ExtProc" } ] }, "LocalConditionalPolicies_ExtProc": { "type": "object", "properties": { "conditional": { "description": "conditional policy entries. An entry without a condition must be the final fallback.", "type": "array", "items": { "$ref": "#/$defs/LocalConditionalPolicy_ExtProc" } } }, "additionalProperties": false, "required": [ "conditional" ] }, "LocalConditionalPolicy_ExtProc": { "type": "object", "properties": { "condition": { "description": "condition must evaluate to true for this policy to execute. If unset, the policy is the fallback.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "policies": { "description": "Backend policies used when connecting to the external processing service.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when the external processing service is unavailable or returns an error.", "$ref": "#/$defs/ExtProcFailureMode", "default": "failClosed" }, "metadataContext": { "description": "Additional metadata to send to the external processing service.\nMaps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } } }, "requestAttributes": { "description": "Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "responseAttributes": { "description": "Maps to the response `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" 
], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "processingOptions": { "description": "Controls which request and response parts are sent to the external processing service.", "$ref": "#/$defs/ProcessingOptions", "default": { "requestBodyMode": "fullDuplexStreamed", "responseBodyMode": "fullDuplexStreamed", "requestHeaderMode": "send", "responseHeaderMode": "send", "requestTrailerMode": "send", "responseTrailerMode": "send", "allowModeOverride": false } } }, "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "ExtProcFailureMode": { "oneOf": [ { "description": "Reject the request when the external processing service fails.", "type": "string", "const": "failClosed" }, { "description": "Continue the request when the external processing service fails.", "type": "string", "const": "failOpen" } ] }, "ProcessingOptions": { "type": "object", "properties": { "requestBodyMode": { "description": "How request bodies are sent to the external processing service.", "$ref": "#/$defs/BodySendMode", "default": "fullDuplexStreamed" }, "responseBodyMode": { "description": "How response bodies are sent to the external processing service.", "$ref": "#/$defs/BodySendMode", "default": "fullDuplexStreamed" }, "requestHeaderMode": { "description": "Whether request headers are sent to the external processing service.", "$ref": "#/$defs/HeaderSendMode", "default": "send" }, "responseHeaderMode": { "description": "Whether response headers are sent to the external processing service.", "$ref": "#/$defs/HeaderSendMode", "default": "send" }, "requestTrailerMode": { "description": "Whether request trailers are sent to the external processing service.", "$ref": "#/$defs/TrailerSendMode", "default": "send" }, "responseTrailerMode": { "description": "Whether response trailers are sent to the external processing service.", "$ref": "#/$defs/TrailerSendMode", "default": "send" }, "allowModeOverride": { "description": "Whether the external processing service can change processing modes during a request.", "type": "boolean", "default": false } }, "additionalProperties": false }, "BodySendMode": { "oneOf": [ { "description": "Do not send the body to the external processing service.", "type": "string", "const": "none" }, { "description": "Buffer and send the full body to the external processing service.", "type": "string", "const": "buffered" }, { "description": "Buffer and send the body up to the 
configured limit.", "type": "string", "const": "bufferedPartial" }, { "description": "Stream the body bidirectionally with the external processing service.", "type": "string", "const": "fullDuplexStreamed" } ] }, "HeaderSendMode": { "oneOf": [ { "description": "Send headers to the external processing service.", "type": "string", "const": "send" }, { "description": "Do not send headers to the external processing service.", "type": "string", "const": "skip" } ] }, "TrailerSendMode": { "oneOf": [ { "description": "Send trailers to the external processing service.", "type": "string", "const": "send" }, { "description": "Do not send trailers to the external processing service.", "type": "string", "const": "skip" } ] }, "ExtProc": { "type": "object", "properties": { "policies": { "description": "Backend policies used when connecting to the external processing service.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when the external processing service is unavailable or returns an error.", "$ref": "#/$defs/ExtProcFailureMode", "default": "failClosed" }, "metadataContext": { "description": "Additional metadata to send to the external processing service.\nMaps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } } }, "requestAttributes": { "description": "Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "responseAttributes": { "description": "Maps to the response `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "processingOptions": { "description": 
"Controls which request and response parts are sent to the external processing service.", "$ref": "#/$defs/ProcessingOptions", "default": { "requestBodyMode": "fullDuplexStreamed", "responseBodyMode": "fullDuplexStreamed", "requestHeaderMode": "send", "responseHeaderMode": "send", "requestTrailerMode": "send", "responseTrailerMode": "send", "allowModeOverride": false } } }, "unevaluatedProperties": false, "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "LocalExplicitOrConditional_LocalTransformationConfig": { "anyOf": [ { "$ref": "#/$defs/LocalConditionalPolicies_LocalTransformationConfig" }, { "$ref": "#/$defs/LocalTransformationConfig" } ] }, "LocalConditionalPolicies_LocalTransformationConfig": { "type": "object", "properties": { "conditional": { "description": "conditional policy entries. An entry without a condition must be the final fallback.", "type": "array", "items": { "$ref": "#/$defs/LocalConditionalPolicy_LocalTransformationConfig" } } }, "additionalProperties": false, "required": [ "conditional" ] }, "LocalConditionalPolicy_LocalTransformationConfig": { "type": "object", "properties": { "condition": { "description": "condition must evaluate to true for this policy to execute. 
If unset, the policy is the fallback.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "request": { "description": "Transform the request before it is forwarded.", "anyOf": [ { "$ref": "#/$defs/LocalTransform" }, { "type": "null" } ] }, "response": { "description": "Transform the response before it is returned.", "anyOf": [ { "$ref": "#/$defs/LocalTransform" }, { "type": "null" } ] } } }, "Csrf": { "type": "object", "properties": { "additionalOrigins": { "description": "Additional trusted origins allowed to send state-changing requests.", "type": "array", "uniqueItems": true, "items": { "type": "string" }, "default": [] } }, "additionalProperties": false }, "Buffer": { "type": "object", "properties": { "request": { "description": "Buffer incoming request bodies before forwarding.", "anyOf": [ { "$ref": "#/$defs/BufferBody" }, { "type": "null" } ] }, "response": { "description": "Buffer upstream response bodies before sending them to the client.", "anyOf": [ { "$ref": "#/$defs/BufferBody" }, { "type": "null" } ] } }, "additionalProperties": false }, "BufferBody": { "type": "object", "properties": { "maxBytes": { "description": "Maximum body size to buffer in bytes.", "type": [ "integer", "null" ], "format": "uint", "minimum": 0 } }, "additionalProperties": false }, "TimeoutPolicy": { "type": "object", "properties": { "requestTimeout": { "description": "Maximum time allowed for the full downstream request and response.", "type": [ "string", "null" ] }, "backendRequestTimeout": { "description": "Maximum time allowed for the upstream backend request.", "type": [ "string", "null" ] } }, "additionalProperties": false }, "RetryPolicy": { "type": "object", "properties": { "attempts": { "description": "Total number of attempts, including the original request.", "type": "integer", "format": "uint8", "minimum": 1, "maximum": 255, "default": 1 }, "backoff": { "description": "Delay between retry attempts.", "type": [ "string", "null" ] }, 
"codes": { "description": "HTTP response status codes that should be retried.", "type": "array", "items": { "type": "integer", "format": "uint16", "minimum": 1, "maximum": 65535 } }, "precondition": { "description": "CEL expression evaluated against the request before any attempt; when `false`,\nretries are disabled (only the initial attempt is made), e.g. `request.method == \"GET\"`.\nRetrying requires buffering the request body in memory for replay, so this lets us skip\nthat cost when the request is known to be non-retriable (e.g. streaming or websockets).", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "condition": { "description": "CEL expression evaluated against each response to decide whether to retry. A response\nis retried when its status code is in `codes` *or* this expression evaluates to `true`.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "codes" ] }, "LocalRouteBackend": { "type": "object", "properties": { "weight": { "type": "integer", "format": "uint", "minimum": 0, "default": 1 }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalBackendPolicies" }, { "type": "null" } ] } }, "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "type": "object", "properties": { "backend": { "type": "string" } }, "required": [ "backend" ] }, { "type": "object", "properties": { "host": { "type": "string" } }, "required": [ "host" ] }, { "description": "Route to the in-process admin service instead of a network upstream.", "type": "object", "properties": { "internal": { "$ref": "#/$defs/InternalBackend" } }, "required": [ "internal" ] }, { "type": "object", "properties": { 
"dynamic": { "type": "object", "additionalProperties": false } }, "required": [ "dynamic" ] }, { "type": "object", "properties": { "mcp": { "$ref": "#/$defs/LocalMcpBackend" } }, "required": [ "mcp" ] }, { "type": "object", "properties": { "ai": { "$ref": "#/$defs/LocalAIBackend" } }, "required": [ "ai" ] }, { "type": "object", "properties": { "aws": { "$ref": "#/$defs/LocalAwsBackend" } }, "required": [ "aws" ] }, { "type": "object", "properties": { "routeGroup": { "type": "string" } }, "required": [ "routeGroup" ] }, { "type": "object", "properties": { "invalid": { "type": "null" } }, "required": [ "invalid" ] } ] }, "InternalBackend": { "description": "Selects how an internal backend maps proxy requests to the admin API.", "anyOf": [ { "description": "Forward the request to the admin API using the request's current path and query.", "type": "string", "const": "forward" }, { "description": "Rewrite all requests to this admin API path, preserving the original query string.", "type": "string" } ] }, "LocalMcpBackend": { "type": "object", "properties": { "targets": { "type": "array", "items": { "$ref": "#/$defs/LocalMcpTarget" } }, "statefulMode": { "$ref": "#/$defs/McpStatefulMode" }, "prefixMode": { "anyOf": [ { "$ref": "#/$defs/McpPrefixMode" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when one or more MCP targets fail to initialize or fail during fanout.\nDefaults to `failClosed`.", "anyOf": [ { "$ref": "#/$defs/McpBackendFailureMode" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "targets" ] }, "LocalMcpTarget": { "type": "object", "properties": { "name": { "type": "string" }, "policies": { "anyOf": [ { "$ref": "#/$defs/MCPLocalBackendPolicies" }, { "type": "null" } ] } }, "required": [ "name" ], "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "sse": { "type": "object", "unevaluatedProperties": false, "anyOf": [ { "type": "object", "properties": { "host": { "type": "string" } }, 
"required": [ "host" ] }, { "type": "object", "properties": { "host": { "type": "string" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 }, "path": { "type": "string" } }, "required": [ "host", "port", "path" ] }, { "type": "object", "properties": { "backend": { "type": "string" }, "path": { "type": [ "string", "null" ] } }, "required": [ "backend" ] } ] } }, "required": [ "sse" ] }, { "type": "object", "properties": { "mcp": { "type": "object", "unevaluatedProperties": false, "anyOf": [ { "type": "object", "properties": { "host": { "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "host": { "type": "string" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 }, "path": { "type": "string" } }, "required": [ "host", "port", "path" ] }, { "type": "object", "properties": { "backend": { "type": "string" }, "path": { "type": [ "string", "null" ] } }, "required": [ "backend" ] } ] } }, "required": [ "mcp" ] }, { "type": "object", "properties": { "stdio": { "type": "object", "properties": { "cmd": { "type": "string" }, "args": { "type": "array", "items": { "type": "string" } }, "env": { "type": "object", "additionalProperties": { "type": "string" } }, "clear_env": { "type": "boolean" } }, "additionalProperties": false, "required": [ "cmd" ] } }, "required": [ "stdio" ] }, { "type": "object", "properties": { "openapi": { "type": "object", "properties": { "schema": { "$ref": "#/$defs/FileInlineOrRemote" } }, "unevaluatedProperties": false, "anyOf": [ { "type": "object", "properties": { "host": { "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "host": { "type": "string" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 }, "path": { "type": "string" } }, "required": [ "host", "port", "path" ] }, { "type": "object", "properties": { "backend": { "type": "string" }, "path": { "type": [ "string", "null" ] } }, 
"required": [ "backend" ] } ], "required": [ "schema" ] } }, "required": [ "openapi" ] } ] }, "MCPLocalBackendPolicies": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Modify request headers before forwarding to this backend.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify request and response data for this backend.", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "TLS settings used when connecting to this backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendAuth": { "description": "Authentication credentials sent to this backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuthCompat" }, { "type": "null" } ], "default": null }, "http": { "description": "HTTP protocol settings for this backend.", "anyOf": [ { "$ref": "#/$defs/HTTP" }, { "type": "null" } ], "default": null }, "tcp": { "description": "TCP protocol settings for this backend.", "anyOf": [ { "$ref": "#/$defs/TCP" }, { "type": "null" } ], "default": null }, "backendTunnel": { "description": "Tunnel settings used when connecting to this backend.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "mcpAuthorization": { "description": "Authorization rules for MCP requests.", "anyOf": [ { "$ref": "#/$defs/McpAuthorization" }, { "type": "null" } ], "default": null }, "mcpGuardrails": { "description": "External MCP policy processors.", "anyOf": [ { "$ref": "#/$defs/McpGuardrails" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "McpStatefulMode": { "type": "string", "enum": [ "stateless", "stateful" ] }, "McpPrefixMode": { "type": "string", "enum": [ "always", "conditional" ] }, "McpBackendFailureMode": { "oneOf": [ { "description": "Fail the entire session if any target fails to initialize or any\nupstream fails 
during a fanout. This is the default and matches\ncurrent behavior.", "type": "string", "const": "failClosed" }, { "description": "Skip failed targets/upstreams and continue serving from healthy ones.\nIf ALL targets fail, still return an error.", "type": "string", "const": "failOpen" } ] }, "LocalAIBackend": { "anyOf": [ { "$ref": "#/$defs/LocalNamedAIProvider" }, { "type": "object", "properties": { "groups": { "type": "array", "items": { "$ref": "#/$defs/LocalAIProviders" } } }, "additionalProperties": false, "required": [ "groups" ] } ] }, "LocalNamedAIProvider": { "type": "object", "properties": { "name": { "type": "string" }, "provider": { "$ref": "#/$defs/AIProvider" }, "hostOverride": { "description": "Override the upstream host for this provider.", "type": [ "string", "null" ] }, "pathOverride": { "description": "Override the upstream path for this provider.", "type": [ "string", "null" ] }, "pathPrefix": { "description": "Override the default base path prefix for this provider.", "type": [ "string", "null" ] }, "tokenize": { "description": "Whether to tokenize on the request flow. 
This enables us to do more accurate rate limits,\nsince we know (part of) the cost of the request upfront.\nThis comes with the cost of an expensive operation.", "type": "boolean", "default": false }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalBackendPolicies" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "name", "provider" ] }, "AIProvider": { "oneOf": [ { "type": "object", "properties": { "openAI": { "$ref": "#/$defs/OpenAIProvider" } }, "required": [ "openAI" ], "additionalProperties": false }, { "type": "object", "properties": { "gemini": { "$ref": "#/$defs/GeminiProvider" } }, "required": [ "gemini" ], "additionalProperties": false }, { "type": "object", "properties": { "vertex": { "$ref": "#/$defs/VertexProvider" } }, "required": [ "vertex" ], "additionalProperties": false }, { "type": "object", "properties": { "anthropic": { "$ref": "#/$defs/AnthropicProvider" } }, "required": [ "anthropic" ], "additionalProperties": false }, { "type": "object", "properties": { "bedrock": { "$ref": "#/$defs/BedrockProvider" } }, "required": [ "bedrock" ], "additionalProperties": false }, { "type": "object", "properties": { "azure": { "$ref": "#/$defs/AzureProvider" } }, "required": [ "azure" ], "additionalProperties": false }, { "type": "object", "properties": { "copilot": { "$ref": "#/$defs/CopilotProvider" } }, "required": [ "copilot" ], "additionalProperties": false }, { "type": "object", "properties": { "custom": { "$ref": "#/$defs/CustomProvider" } }, "required": [ "custom" ], "additionalProperties": false } ] }, "OpenAIProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "GeminiProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] } } }, "VertexProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] }, "region": { "description": "Vertex AI region. 
Special values: `global` uses the global endpoint, while `us` and `eu`\nuse restricted multi-region endpoints. Other values are treated as regional locations.", "type": [ "string", "null" ] }, "projectId": { "type": "string" } }, "additionalProperties": false, "required": [ "projectId" ] }, "AnthropicProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "BedrockProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] }, "region": { "type": "string" }, "guardrailIdentifier": { "type": [ "string", "null" ] }, "guardrailVersion": { "type": [ "string", "null" ] } }, "required": [ "region" ] }, "AzureProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] }, "resourceName": { "description": "The Azure resource name used to construct the endpoint host.", "type": "string" }, "resourceType": { "description": "The type of Azure endpoint. Determines the host suffix.", "$ref": "#/$defs/AzureResourceType" }, "apiVersion": { "type": [ "string", "null" ] }, "projectName": { "description": "The Foundry project name, required when `resourceType` is `foundry`.\nUsed to construct paths: `/api/projects/{projectName}/openai/v1/...`.\nThis is distinct from `resourceName` which is used for the host.", "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "resourceName", "resourceType" ] }, "AzureResourceType": { "description": "The type of Azure endpoint to connect to.", "oneOf": [ { "description": "Azure OpenAI Service endpoint: `{resourceName}.openai.azure.com`", "type": "string", "const": "openAI" }, { "description": "Azure AI Foundry (project) endpoint: `{resourceName}.services.ai.azure.com`\nRequires `projectName` to construct paths like `/api/projects/{project}/openai/v1/...`", "type": "string", "const": "foundry" }, { "description": "Azure AI Foundry (project) endpoint: `{resourceName}.services.ai.azure.com`\nRequires 
`projectName` to construct paths like `/api/projects/{project}/openai/v1/...`", "type": "string", "const": "aiServices" } ] }, "CopilotProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] } }, "additionalProperties": false }, "CustomProvider": { "type": "object", "properties": { "model": { "type": [ "string", "null" ] }, "providerOverride": { "description": "Provider identity for cost-catalog lookup and telemetry. Built-in named providers\n(cohere, mistral, ...) set this so their cost resolves under the right catalog key;\na bare custom provider may set it to match a catalog entry. Falls back to \"custom\".", "type": [ "string", "null" ] }, "formats": { "type": "array", "items": { "$ref": "#/$defs/ProviderFormatConfig" } } }, "additionalProperties": false, "required": [ "formats" ] }, "ProviderFormatConfig": { "type": "object", "properties": { "type": { "$ref": "#/$defs/ProviderFormat" }, "path": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "type" ] }, "ProviderFormat": { "type": "string", "enum": [ "completions", "messages", "responses", "embeddings", "anthropicTokenCount", "realtime", "rerank" ] }, "LocalBackendPolicies": { "type": "object", "properties": { "requestHeaderModifier": { "description": "Modify request headers before forwarding to this backend.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify request and response data for this backend.", "anyOf": [ { "$ref": "#/$defs/LocalTransformationConfig" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "TLS settings used when connecting to this backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendAuth": { "description": "Authentication credentials sent to this backend.", "anyOf": [ { "$ref": "#/$defs/BackendAuthCompat" }, { "type": "null" } ], "default": null }, "http": { "description": "HTTP 
protocol settings for this backend.", "anyOf": [ { "$ref": "#/$defs/HTTP" }, { "type": "null" } ], "default": null }, "tcp": { "description": "TCP protocol settings for this backend.", "anyOf": [ { "$ref": "#/$defs/TCP" }, { "type": "null" } ], "default": null }, "backendTunnel": { "description": "Tunnel settings used when connecting to this backend.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "responseHeaderModifier": { "description": "Modify response headers returned from this backend.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "requestRedirect": { "description": "Return a redirect response instead of forwarding to this backend.", "anyOf": [ { "$ref": "#/$defs/RequestRedirect" }, { "type": "null" } ], "default": null }, "health": { "description": "Detect unhealthy backend responses and temporarily remove unhealthy endpoints.", "anyOf": [ { "$ref": "#/$defs/LocalHealthPolicy" }, { "type": "null" } ] }, "extAuthz": { "description": "Authorize incoming requests by calling an external authorization service after this backend is selected.", "anyOf": [ { "$ref": "#/$defs/ExtAuthz" }, { "type": "null" } ], "default": null }, "mcpAuthorization": { "description": "Authorization rules for MCP requests.", "anyOf": [ { "$ref": "#/$defs/McpAuthorization" }, { "type": "null" } ], "default": null }, "mcpGuardrails": { "description": "External MCP policy processors.", "anyOf": [ { "$ref": "#/$defs/McpGuardrails" }, { "type": "null" } ], "default": null }, "a2a": { "description": "Mark this traffic as A2A to enable A2A processing and telemetry.", "anyOf": [ { "$ref": "#/$defs/A2aPolicy" }, { "type": "null" } ], "default": null }, "inferenceRouting": { "description": "Route requests through an endpoint picker before forwarding to this backend.", "anyOf": [ { "$ref": "#/$defs/InferenceRouting" }, { "type": "null" } ], "default": null }, "ai": { "description": "Mark this as LLM traffic to enable 
LLM processing.", "anyOf": [ { "$ref": "#/$defs/Policy" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalHealthPolicy": { "description": "Local/config health policy with CEL as string; converted to Policy by compiling the expression.\nMirrors the proto `Health` message structure.", "type": "object", "properties": { "unhealthyExpression": { "description": "CEL expression where `true` marks the backend response as unhealthy.\nWhen unset, any 5xx response or connection failure is treated as unhealthy.", "type": [ "string", "null" ] }, "eviction": { "description": "Settings for temporarily removing unhealthy backends.", "anyOf": [ { "$ref": "#/$defs/LocalEviction" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalEviction": { "description": "Local/config eviction sub-policy with duration as string; mirrors `Eviction`.", "type": "object", "properties": { "duration": { "description": "How long to evict an unhealthy backend.", "type": [ "string", "null" ] }, "restoreHealth": { "description": "Health score to restore when the backend returns from eviction.", "type": [ "number", "null" ], "format": "double" }, "consecutiveFailures": { "description": "Consecutive unhealthy responses required before eviction.", "type": [ "integer", "null" ], "format": "int32" }, "healthThreshold": { "description": "Health score threshold below which an unhealthy response can evict the backend.", "type": [ "number", "null" ], "format": "double" } }, "additionalProperties": false }, "InferenceRouting": { "type": "object", "properties": { "endpointPicker": { "description": "Endpoint picker backend that selects the destination endpoint.", "$ref": "#/$defs/SimpleLocalBackendSerde" }, "destinationMode": { "description": "How to use the destination returned by the endpoint picker.", "$ref": "#/$defs/InferenceRoutingDestinationMode" } }, "additionalProperties": false, "required": [ "endpointPicker" ] }, "InferenceRoutingDestinationMode": { 
"description": "Controls how an endpoint-picker-selected destination is used.", "oneOf": [ { "description": "Require the selected destination to match agentgateway's local service endpoints.", "type": "string", "const": "validated" }, { "description": "Trust the selected destination directly without local endpoint validation.", "type": "string", "const": "passthrough" } ] }, "LocalAIProviders": { "type": "object", "properties": { "providers": { "type": "array", "items": { "$ref": "#/$defs/LocalNamedAIProvider" } } }, "additionalProperties": false, "required": [ "providers" ] }, "LocalAwsBackend": { "type": "object", "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "agentCore": { "$ref": "#/$defs/LocalAgentCoreBackend" } }, "required": [ "agentCore" ] } ] }, "LocalAgentCoreBackend": { "type": "object", "properties": { "agentRuntimeArn": { "type": "string" }, "qualifier": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "agentRuntimeArn" ] }, "LocalTCPRoute": { "type": "object", "properties": { "name": { "type": [ "string", "null" ], "default": null }, "namespace": { "type": [ "string", "null" ], "default": null }, "ruleName": { "type": [ "string", "null" ], "default": null }, "hostnames": { "description": "Can be a wildcard", "type": "array", "items": { "type": "string" } }, "policies": { "anyOf": [ { "$ref": "#/$defs/TCPFilterOrPolicy" }, { "type": "null" } ] }, "backends": { "type": "array", "items": { "$ref": "#/$defs/LocalTCPRouteBackend" } } }, "additionalProperties": false }, "TCPFilterOrPolicy": { "type": "object", "properties": { "backendTLS": { "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalTCPRouteBackend": { "type": "object", "properties": { "weight": { "type": "integer", "format": "uint", "minimum": 0, "default": 1 }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalTCPBackendPolicies" }, { "type": "null" } ] } }, 
"unevaluatedProperties": false, "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "LocalTCPBackendPolicies": { "type": "object", "properties": { "backendTLS": { "description": "TLS settings used when connecting to this backend.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "backendTunnel": { "description": "Tunnel settings used when connecting to this backend.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalGatewayPolicy": { "type": "object", "properties": { "oidc": { "description": "Authenticate browser requests with OIDC authorization code flow.", "anyOf": [ { "$ref": "#/$defs/LocalOidcConfig" }, { "type": "null" } ] }, "jwtAuth": { "description": "Authenticate incoming requests with JWT bearer tokens.", "anyOf": [ { "$ref": "#/$defs/LocalJwtConfig" }, { "type": "null" } ] }, "authorization": { "description": "Authorization rules for incoming HTTP requests.", "anyOf": [ { "$ref": "#/$defs/Authorization" }, { "type": "null" } ], "default": null }, "extAuthz": { "description": "Authorize incoming requests by calling an external authorization service.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_ExtAuthz" }, { 
"type": "null" } ] }, "extProc": { "description": "Send request and response data to an external processing service.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_ExtProc" }, { "type": "null" } ] }, "cors": { "description": "Handle CORS preflight requests and append configured CORS headers to applicable requests.", "anyOf": [ { "$ref": "#/$defs/CorsSerde" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify request and response headers, bodies, or metadata.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_LocalTransformationConfig" }, { "type": "null" } ] }, "basicAuth": { "description": "Authenticate incoming requests with Basic Auth credentials from an htpasswd user database.", "anyOf": [ { "$ref": "#/$defs/LocalBasicAuth" }, { "type": "null" } ] }, "apiKey": { "description": "Authenticate incoming requests with API keys.", "anyOf": [ { "$ref": "#/$defs/LocalAPIKeys" }, { "type": "null" } ] } }, "additionalProperties": false }, "TunnelProtocol": { "type": "string", "enum": [ "direct", "hboneWaypoint", "hboneGateway", "proxy", "connect" ] }, "BindMode": { "oneOf": [ { "description": "Open a listener socket on the bind's address (the normal behavior).", "type": "string", "const": "standard" }, { "description": "Do not open a socket. The bind is registered for routing only and is reachable\nvia in-process re-entry (e.g. 
another listener redirecting CONNECT traffic to it).", "type": "string", "const": "internal" } ] }, "LocalFrontendPolicies": { "type": "object", "properties": { "http": { "description": "Settings for handling incoming HTTP requests.", "anyOf": [ { "$ref": "#/$defs/FrontendHTTP" }, { "type": "null" } ], "default": null }, "tls": { "description": "Settings for handling incoming TLS connections.", "anyOf": [ { "$ref": "#/$defs/TLS" }, { "type": "null" } ], "default": null }, "tcp": { "description": "Settings for handling incoming TCP connections.", "anyOf": [ { "$ref": "#/$defs/FrontendTCP" }, { "type": "null" } ], "default": null }, "networkAuthorization": { "description": "CEL authorization for downstream network connections.", "anyOf": [ { "$ref": "#/$defs/NetworkAuthorization" }, { "type": "null" } ], "default": null }, "proxy": { "description": "Enable downstream PROXY protocol handling on this gateway or port, including\nversion matching and whether PROXY headers are required or optional.", "anyOf": [ { "$ref": "#/$defs/Proxy" }, { "type": "null" } ], "default": null }, "proxyProtocol": { "description": "Enable downstream PROXY protocol handling on this gateway or port, including\nversion matching and whether PROXY headers are required or optional.", "anyOf": [ { "$ref": "#/$defs/Proxy" }, { "type": "null" } ], "default": null }, "connect": { "description": "Enable or disable downstream HTTP CONNECT handling.", "anyOf": [ { "$ref": "#/$defs/Connect" }, { "type": "null" } ], "default": null }, "accessLog": { "description": "Settings for request access logs.", "anyOf": [ { "$ref": "#/$defs/LoggingPolicy" }, { "type": "null" } ], "default": null }, "logging": { "description": "Settings for request access logs.", "anyOf": [ { "$ref": "#/$defs/LoggingPolicy" }, { "type": "null" } ], "default": null }, "tracing": { "description": "Settings for exporting request traces.", "anyOf": [ { "$ref": "#/$defs/TracingConfig" }, { "type": "null" } ], "default": null } }, 
"additionalProperties": false, "allOf": [ { "not": { "required": [ "proxy", "proxyProtocol" ] } }, { "not": { "required": [ "accessLog", "logging" ] } } ] }, "FrontendHTTP": { "type": "object", "properties": { "maxBufferSize": { "description": "Maximum request or response body size buffered by the frontend.", "type": "integer", "format": "uint", "minimum": 0, "default": 2097152 }, "http1MaxHeaders": { "description": "Maximum number of headers allowed in an HTTP/1 request. Changing this value causes a\nperformance degradation, even when set lower than the default of 100.", "type": [ "integer", "null" ], "format": "uint", "minimum": 0, "default": null }, "http1IdleTimeout": { "description": "How long an idle HTTP/1 connection may stay open.", "type": "string", "default": "10m0s" }, "http1HeaderCase": { "description": "Header casing behavior for HTTP/1 responses.", "$ref": "#/$defs/HTTPHeaderCase", "default": "lowercase" }, "http2WindowSize": { "description": "HTTP/2 stream flow-control window size.", "type": [ "integer", "null" ], "format": "uint32", "minimum": 0, "default": null }, "http2ConnectionWindowSize": { "description": "HTTP/2 connection flow-control window size.", "type": [ "integer", "null" ], "format": "uint32", "minimum": 0, "default": null }, "http2FrameSize": { "description": "Maximum HTTP/2 frame size.", "type": [ "integer", "null" ], "format": "uint32", "minimum": 0, "default": null }, "http2MaxHeaderSize": { "description": "Maximum size of HTTP/2 request headers.", "type": [ "integer", "null" ], "format": "uint32", "minimum": 0, "default": null }, "http2KeepaliveInterval": { "description": "Interval between HTTP/2 keepalive pings.", "type": [ "string", "null" ], "default": null }, "http2KeepaliveTimeout": { "description": "Time to wait for an HTTP/2 keepalive ping response.", "type": [ "string", "null" ], "default": null }, "maxConnectionDuration": { "description": "Maximum time a connection may stay open. 
After this duration, the connection is gracefully\nclosed after the current in-flight request completes. Useful for even traffic distribution\nbehind load balancers during scaling events.", "type": [ "string", "null" ], "default": null } }, "additionalProperties": false }, "HTTPHeaderCase": { "oneOf": [ { "description": "Encode HTTP/1 header names in lowercase.", "type": "string", "const": "lowercase" }, { "description": "Preserve original HTTP/1 request header casing when encoding responses on the same connection.", "type": "string", "const": "preserve" } ] }, "TLS": { "type": "object", "properties": { "handshakeTimeout": { "description": "Maximum time allowed to complete the downstream TLS handshake.", "type": "string", "default": "15s" }, "alpn": { "description": "ALPN protocols advertised to downstream clients.", "type": [ "array", "null" ], "items": { "type": "array", "items": { "type": "integer", "format": "uint8", "minimum": 0, "maximum": 255 } }, "default": null }, "minVersion": { "description": "Minimum TLS version accepted from downstream clients.", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "maxVersion": { "description": "Maximum TLS version accepted from downstream clients.", "anyOf": [ { "$ref": "#/$defs/TLSVersion" }, { "type": "null" } ] }, "cipherSuites": { "description": "Cipher suites allowed for downstream TLS.", "type": [ "array", "null" ], "items": { "type": "string" } }, "keyExchangeGroups": { "description": "Key exchange groups allowed for negotiating TLS.", "type": [ "array", "null" ], "items": { "type": "string" } } }, "additionalProperties": false }, "FrontendTCP": { "type": "object", "properties": { "keepalives": { "description": "TCP keepalive settings for downstream connections.", "$ref": "#/$defs/KeepaliveConfig" } }, "additionalProperties": false, "required": [ "keepalives" ] }, "NetworkAuthorization": { "description": "CEL authorization rules for downstream network connections.", "$ref": "#/$defs/RuleSet" }, 
"Proxy": { "type": "object", "properties": { "version": { "description": "PROXY protocol versions accepted from downstream clients.", "$ref": "#/$defs/ProxyVersion", "default": "v2" }, "mode": { "description": "Whether downstream connections must include a PROXY protocol header.", "$ref": "#/$defs/ProxyMode", "default": "strict" } }, "additionalProperties": false }, "ProxyVersion": { "oneOf": [ { "description": "Accept PROXY protocol v1.", "type": "string", "const": "v1" }, { "description": "Accept PROXY protocol v2.", "type": "string", "const": "v2" }, { "description": "Accept PROXY protocol v1 or v2.", "type": "string", "const": "all" } ] }, "ProxyMode": { "oneOf": [ { "description": "Require a PROXY protocol header on each connection.", "type": "string", "const": "strict" }, { "description": "Accept connections with or without a PROXY protocol header.", "type": "string", "const": "optional" } ] }, "Connect": { "type": "object", "properties": { "mode": { "description": "How downstream HTTP CONNECT requests are handled.", "$ref": "#/$defs/ConnectMode" } }, "additionalProperties": false, "required": [ "mode" ] }, "ConnectMode": { "oneOf": [ { "description": "Reject HTTP CONNECT requests.", "type": "string", "const": "deny" }, { "description": "Route HTTP CONNECT requests through normal route matching.", "type": "string", "const": "route" }, { "description": "Treat HTTP CONNECT requests as tunnels.", "type": "string", "const": "tunnel" } ] }, "LoggingPolicy": { "type": "object", "properties": { "filter": { "description": "CEL expression that decides whether a request is logged.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "add": { "description": "Access log fields to add, computed from CEL expressions.", "type": "object", "additionalProperties": { "type": "string" } }, "remove": { "description": "Access log field names to remove.", "type": "array", "uniqueItems": true, "items": { "type": "string" } }, "otlp": { "description": "OTLP log 
export settings.", "anyOf": [ { "$ref": "#/$defs/OtlpLoggingConfig" }, { "type": "null" } ] }, "database": { "description": "Database-specific access log settings.", "anyOf": [ { "$ref": "#/$defs/DatabaseLoggingConfig" }, { "type": "null" } ] } }, "additionalProperties": false }, "OtlpLoggingConfig": { "type": "object", "properties": { "policies": { "description": "Backend policies used when exporting OTLP logs.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "protocol": { "description": "OTLP protocol used to export logs.", "$ref": "#/$defs/TracingProtocol", "default": "grpc" }, "path": { "description": "OTLP HTTP path used to export logs.", "type": "string" } }, "unevaluatedProperties": false, "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "TracingProtocol": { "type": "string", "enum": [ "grpc", "http" ] }, "DatabaseLoggingConfig": { "type": "object", "properties": { "add": { "description": "Database-only fields to add, computed from CEL expressions.", "type": "object", "additionalProperties": { "type": "string" } } }, "additionalProperties": false }, "TracingConfig": { "description": "Configuration for dynamic tracing policy", "type": "object", "properties": { "policies": { "description": "Backend policies used when exporting traces.", "anyOf": [ { "$ref": "#/$defs/SimpleLocalBackendPolicies" }, { "type": "null" } ] }, "attributes": { "description": "Span attributes to add, keyed by attribute name.", "$ref": "#/$defs/OrderedStringMap_Expression", "default": {} }, "resources": { "description": "Resource attributes to add to the tracer provider (OTel `Resource`).\nThis can be used to set things like `service.name` dynamically.", "$ref": "#/$defs/OrderedStringMap_Expression", "default": {} }, "remove": { "description": "Attribute keys to remove from the emitted span attributes.\n\nThis is applied before `attributes` are evaluated/added, so it can be used to drop\ndefault attributes or avoid duplication.", "type": "array", "items": { "type": "string" }, "default": [] }, "randomSampling": { "description": "Optional per-policy override for random sampling. If set, overrides global config for\nrequests that use this frontend policy.", "anyOf": [ { "$ref": "#/$defs/StringBoolFloat" }, { "type": "null" } ], "default": null }, "clientSampling": { "description": "Optional per-policy override for client sampling. If set, overrides global config for\nrequests that use this frontend policy.", "anyOf": [ { "$ref": "#/$defs/StringBoolFloat" }, { "type": "null" } ], "default": null }, "filter": { "description": "Optional CEL filter with KEEP semantics. 
When set, only requests for which the expression\nevaluates to `true` have their trace span(s) exported; all other spans are dropped. When\nunset, no filtering is applied (all sampled spans are exported). Composes after sampling\n(only sampled spans are evaluated). This matches `accessLog.filter` (keep-semantics):\n`true` keeps. Missing/errored fields evaluate to `false`, so on eval error the span is\ndropped (fail closed).", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ] }, "path": { "description": "OTLP HTTP path used to export traces.", "type": "string", "default": "/v1/traces" }, "protocol": { "description": "OTLP protocol used to export traces. Defaults to HTTP.", "$ref": "#/$defs/TracingProtocol", "default": "grpc" } }, "unevaluatedProperties": false, "oneOf": [ { "description": "Service reference. Service must be defined in the top level services list.", "type": "object", "properties": { "service": { "type": "object", "properties": { "name": { "$ref": "#/$defs/NamespacedHostname" }, "port": { "type": "integer", "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "name", "port" ] } }, "required": [ "service" ] }, { "description": "Hostname or IP address", "type": "object", "properties": { "host": { "description": "Hostname or IP address", "type": "string" } }, "required": [ "host" ] }, { "type": "object", "properties": { "backend": { "description": "Explicit backend reference. 
Backend must be defined in the top level backends list", "type": "string" } }, "required": [ "backend" ] } ] }, "OrderedStringMap_Expression": { "type": "object", "additionalProperties": { "$ref": "#/$defs/Expression" } }, "LocalPolicy": { "type": "object", "properties": { "name": { "description": "Policy name used when attaching this policy to a target.", "$ref": "#/$defs/ResourceName" }, "target": { "description": "Gateway, listener, route, or backend that this policy attaches to.", "$ref": "#/$defs/PolicyTarget" }, "phase": { "description": "When the policy runs. Gateway policies run before route selection, while route policies run after route selection.\nUse route policies by default unless the policy needs to affect route selection.", "$ref": "#/$defs/PolicyPhase", "default": "route" }, "policy": { "description": "Policy settings to apply to the selected target.", "$ref": "#/$defs/FilterOrPolicy" } }, "additionalProperties": false, "required": [ "name", "target", "policy" ] }, "ResourceName": { "type": "object", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "additionalProperties": false, "required": [ "name", "namespace" ] }, "PolicyTarget": { "oneOf": [ { "type": "object", "properties": { "gateway": { "$ref": "#/$defs/ListenerTarget" } }, "required": [ "gateway" ], "additionalProperties": false }, { "type": "object", "properties": { "route": { "$ref": "#/$defs/RouteName" } }, "required": [ "route" ], "additionalProperties": false }, { "type": "object", "properties": { "backend": { "$ref": "#/$defs/BackendTarget" } }, "required": [ "backend" ], "additionalProperties": false }, { "type": "object", "properties": { "listenerSet": { "$ref": "#/$defs/ListenerSetTarget" } }, "required": [ "listenerSet" ], "additionalProperties": false } ] }, "ListenerTarget": { "type": "object", "properties": { "gatewayName": { "type": "string" }, "gatewayNamespace": { "type": "string" }, "listenerName": { "type": [ "string", "null" ] }, "port": 
{ "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "gatewayName", "gatewayNamespace" ] }, "RouteName": { "type": "object", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" }, "ruleName": { "type": [ "string", "null" ] }, "kind": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "name", "namespace" ] }, "BackendTarget": { "oneOf": [ { "type": "string", "enum": [ "invalid" ] }, { "type": "object", "properties": { "backend": { "type": "object", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" }, "section": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "name", "namespace" ] } }, "required": [ "backend" ], "additionalProperties": false }, { "type": "object", "properties": { "service": { "type": "object", "properties": { "hostname": { "type": "string" }, "namespace": { "type": "string" }, "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 } }, "additionalProperties": false, "required": [ "hostname", "namespace" ] } }, "required": [ "service" ], "additionalProperties": false } ] }, "ListenerSetTarget": { "type": "object", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" }, "section": { "type": [ "string", "null" ] } }, "additionalProperties": false, "required": [ "name", "namespace" ] }, "PolicyPhase": { "type": "string", "enum": [ "route", "gateway" ] }, "FullLocalBackend": { "type": "object", "properties": { "name": { "type": "string" }, "policies": { "anyOf": [ { "$ref": "#/$defs/LocalBackendPolicies" }, { "type": "null" } ] } }, "required": [ "name" ], "unevaluatedProperties": false, "oneOf": [ { "type": "object", "properties": { "host": { "type": "string" } }, "required": [ "host" ] }, { "description": "Route to the in-process admin service instead of a network upstream.", "type": "object", 
"properties": { "internal": { "$ref": "#/$defs/InternalBackend" } }, "required": [ "internal" ] }, { "type": "object", "properties": { "mcp": { "$ref": "#/$defs/LocalMcpBackend" } }, "required": [ "mcp" ] }, { "type": "object", "properties": { "ai": { "$ref": "#/$defs/LocalAIBackend" } }, "required": [ "ai" ] }, { "type": "object", "properties": { "aws": { "$ref": "#/$defs/LocalAwsBackend" } }, "required": [ "aws" ] } ] }, "LocalRouteGroup": { "type": "object", "properties": { "name": { "type": "string" }, "routes": { "type": "array", "items": { "$ref": "#/$defs/LocalRoute" } } }, "additionalProperties": false, "required": [ "name", "routes" ] }, "LocalLLMConfig": { "type": "object", "properties": { "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "tls": { "anyOf": [ { "$ref": "#/$defs/LocalTLSServerConfig" }, { "type": "null" } ] }, "providers": { "description": "providers defines reusable LLM provider defaults that models may reference.", "type": "array", "items": { "$ref": "#/$defs/LocalLLMProvider" } }, "models": { "description": "models defines the set of models that can be served by this gateway. The model name refers to the\nmodel in the user's request that is matched; the model sent to the actual LLM can be overridden\non a per-model basis.", "type": "array", "items": { "$ref": "#/$defs/LocalLLMModels" } }, "virtualModels": { "description": "virtualModels defines a set of models that can be served from the gateway. The model name refers to the\nmodel in the user's request that is matched. 
However, unlike the `models` field, virtual models will\ndynamically route to a specific model (configured in `models`) based on the configured logic.", "type": "array", "items": { "$ref": "#/$defs/LocalLLMVirtualModel" } }, "policies": { "description": "policies defines policies for handling incoming requests, before a model is selected", "anyOf": [ { "$ref": "#/$defs/LocalLLMPolicy" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "models" ] }, "LocalLLMProvider": { "type": "object", "properties": { "name": { "description": "name is referenced from llm.models[].provider.reference.", "type": "string" }, "params": { "description": "params customizes parameters for outgoing requests that use this provider.", "$ref": "#/$defs/LocalLLMParams" }, "provider": { "description": "provider of the LLM we are connecting to.", "$ref": "#/$defs/LocalModelAIProvider" }, "defaults": { "description": "defaults defines provider-level policy defaults. Model-level policy fields override these.", "anyOf": [ { "$ref": "#/$defs/LocalLLMProviderDefaults" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "name", "provider" ] }, "LocalLLMParams": { "type": "object", "properties": { "model": { "description": "The model to send to the provider.\nIf unset, the same model will be used from the request.", "type": [ "string", "null" ], "default": null }, "apiKey": { "description": "An API key to attach to the request.\nIf unset this will be automatically detected from the environment.", "anyOf": [ { "$ref": "#/$defs/SecretFromFile" }, { "type": "null" } ] }, "awsRegion": { "type": [ "string", "null" ] }, "vertexRegion": { "type": [ "string", "null" ] }, "vertexProject": { "type": [ "string", "null" ] }, "azureResourceName": { "description": "For Azure: the resource name of the deployment", "type": [ "string", "null" ] }, "azureResourceType": { "description": "For Azure: the type of Azure endpoint (openAI or foundry)", "anyOf": [ { "$ref": 
"#/$defs/AzureResourceType" }, { "type": "null" } ] }, "azureApiVersion": { "description": "For Azure: the API version to use", "type": [ "string", "null" ] }, "azureProjectName": { "description": "For Azure: the Foundry project name (required for foundry resource type)", "type": [ "string", "null" ] }, "baseUrl": { "description": "Base URL for the upstream provider. Expands to hostOverride, pathPrefix, and tls for https URLs.", "type": [ "string", "null" ], "default": null }, "hostOverride": { "description": "Override the upstream host for this provider.", "type": [ "string", "null" ], "deprecated": true, "default": null }, "pathOverride": { "description": "Override the upstream path for this provider.", "type": [ "string", "null" ], "deprecated": true, "default": null }, "pathPrefix": { "description": "Override the default base path prefix for this provider.", "type": [ "string", "null" ], "deprecated": true, "default": null }, "tokenize": { "description": "Whether to tokenize the request before forwarding it upstream.", "type": "boolean", "default": false } }, "additionalProperties": false }, "SecretFromFile": { "$ref": "#/$defs/FileOrInline" }, "LocalModelAIProvider": { "oneOf": [ { "type": "string", "enum": [ "openai", "openAI", "gemini", "vertex", "anthropic", "bedrock", "azure", "copilot", "cohere", "ollama", "baseten", "cerebras", "deepinfra", "deepseek", "groq", "huggingface", "mistral", "openrouter", "togetherai", "xai", "fireworks" ] }, { "type": "object", "properties": { "reference": { "type": "string" } }, "required": [ "reference" ], "additionalProperties": false }, { "type": "object", "properties": { "custom": { "$ref": "#/$defs/CustomProvider" } }, "required": [ "custom" ], "additionalProperties": false } ] }, "LocalLLMProviderDefaults": { "type": "object", "properties": { "defaults": { "type": [ "object", "null" ], "additionalProperties": true }, "overrides": { "type": [ "object", "null" ], "additionalProperties": true }, "transformation": { 
"type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "requestHeaders": { "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaders": { "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "backendTLS": { "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "tls": { "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "auth": { "anyOf": [ { "$ref": "#/$defs/BackendAuthCompat" }, { "type": "null" } ], "default": null }, "health": { "anyOf": [ { "$ref": "#/$defs/LocalHealthPolicy" }, { "type": "null" } ] }, "backendTunnel": { "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "promptCaching": { "anyOf": [ { "$ref": "#/$defs/PromptCachingConfig" }, { "type": "null" } ] } }, "additionalProperties": false, "allOf": [ { "not": { "required": [ "backendTLS", "tls" ] } } ] }, "LocalLLMModels": { "type": "object", "properties": { "name": { "description": "name is the name of the model we are matching from a user's request. If params.model is set, that\nwill be used in the request to the LLM provider. 
If not, the incoming model is used.", "type": "string" }, "visibility": { "description": "visibility controls whether clients can request this model directly (rather than only via a `virtualModel`).", "$ref": "#/$defs/ModelVisibility" }, "params": { "description": "params customizes parameters for the outgoing request", "$ref": "#/$defs/LocalLLMParams" }, "provider": { "description": "provider of the LLM we are connecting to", "$ref": "#/$defs/LocalModelAIProvider" }, "passthrough": { "description": "passthrough controls how requests are handled.\nBy default, requests will be parsed and translated as needed.\nWith passthrough, they will be unmodified and optionally inspected (with `detect`).\nIn this mode, requests must be sent in the native format of the provider.", "anyOf": [ { "$ref": "#/$defs/LocalLLMPassthrough" }, { "type": "null" } ] }, "authorization": { "description": "authorization configures HTTP authorization rules for requests to this model.", "anyOf": [ { "$ref": "#/$defs/Authorization" }, { "type": "null" } ] }, "defaults": { "description": "defaults allows setting default values for the request. 
If these are not present in the request body, they will be set.\nTo override even when set, use `overrides`.", "type": [ "object", "null" ], "additionalProperties": true }, "overrides": { "description": "overrides allows setting values for the request, overriding any existing values", "type": [ "object", "null" ], "additionalProperties": true }, "transformation": { "description": "transformation allows setting values from CEL expressions for the request, overriding any existing values.", "type": [ "object", "null" ], "additionalProperties": { "$ref": "#/$defs/Expression" } }, "requestHeaders": { "description": "requestHeaders modifies headers in requests to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "responseHeaders": { "description": "responseHeaders modifies headers in responses from the LLM provider.", "anyOf": [ { "$ref": "#/$defs/HeaderModifier" }, { "type": "null" } ], "default": null }, "backendTLS": { "description": "backendTLS configures TLS when connecting to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "tls": { "description": "tls configures TLS when connecting to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/LocalBackendTLS" }, { "type": "null" } ] }, "auth": { "description": "auth configures authentication when connecting to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/BackendAuthCompat" }, { "type": "null" } ], "default": null }, "health": { "description": "health configures outlier detection for this model backend.", "anyOf": [ { "$ref": "#/$defs/LocalHealthPolicy" }, { "type": "null" } ] }, "backendTunnel": { "description": "backendTunnel configures tunneling when connecting to the LLM provider.", "anyOf": [ { "$ref": "#/$defs/Tunnel" }, { "type": "null" } ], "default": null }, "guardrails": { "description": "guardrails to apply to the request or response", "anyOf": [ { "$ref": "#/$defs/PromptGuard" }, { "type": "null" } ] }, 
"promptCaching": { "description": "promptCaching configures cache point insertion for supported LLM providers.", "anyOf": [ { "$ref": "#/$defs/PromptCachingConfig" }, { "type": "null" } ] }, "matches": { "description": "matches specifies the conditions under which this model should be used in addition to matching the model name.", "type": "array", "items": { "$ref": "#/$defs/LLMRouteMatch" } } }, "additionalProperties": false, "required": [ "name", "provider" ], "allOf": [ { "not": { "required": [ "backendTLS", "tls" ] } } ] }, "ModelVisibility": { "oneOf": [ { "description": "Public models can be requested directly by clients and are included in the model list.", "type": "string", "const": "public" }, { "description": "Internal models can be targeted by virtual models but cannot be requested directly.", "type": "string", "const": "internal" } ] }, "LocalLLMPassthrough": { "oneOf": [ { "description": "Pass through the request while extracting LLM telemetry and rate-limit inputs when possible.", "type": "string", "const": "detect" }, { "description": "Pass through the request without interpreting it as LLM traffic.", "type": "string", "const": "opaque" } ] }, "LLMRouteMatch": { "type": "object", "properties": { "headers": { "type": "array", "items": { "$ref": "#/$defs/HeaderMatch" } } }, "additionalProperties": false }, "LocalLLMVirtualModel": { "type": "object", "properties": { "name": { "description": "name is the public model name clients request.", "type": "string" }, "routing": { "description": "routing selects an existing LLM model backend for each request.", "$ref": "#/$defs/LocalLLMVirtualModelRouting" } }, "additionalProperties": false, "required": [ "name", "routing" ] }, "LocalLLMVirtualModelRouting": { "type": "object", "properties": { "weighted": { "description": "weighted enables weight-based selection of the target model.", "anyOf": [ { "$ref": "#/$defs/LocalLLMWeightedRouting" }, { "type": "null" } ] }, "failover": { "description": "failover enables 
priority-based selection of the target model.\nWithin a priority level, the best provider is selected by a composite score factoring in health\nand latency.\nIf all models within a priority level are degraded, requests will move onto the next priority group.", "anyOf": [ { "$ref": "#/$defs/LocalLLMFailoverRouting" }, { "type": "null" } ] }, "conditional": { "description": "conditional enables condition-based selection of the target model. Each condition is evaluated\nin order until the best match is found.", "anyOf": [ { "$ref": "#/$defs/LocalLLMConditionalRouting" }, { "type": "null" } ] } }, "additionalProperties": false }, "LocalLLMWeightedRouting": { "type": "object", "properties": { "targets": { "description": "targets are existing model names or names matched by wildcard model entries.", "type": "array", "items": { "$ref": "#/$defs/LocalLLMWeightedTarget" } } }, "additionalProperties": false, "required": [ "targets" ] }, "LocalLLMWeightedTarget": { "type": "object", "properties": { "model": { "description": "model is resolved against llm.models using the same wildcard matching as client requests.", "type": "string" }, "weight": { "type": "integer", "format": "uint", "minimum": 0, "default": 1 } }, "additionalProperties": false, "required": [ "model" ] }, "LocalLLMFailoverRouting": { "type": "object", "properties": { "targets": { "description": "targets are grouped by priority. Lower priority values are tried first.", "type": "array", "items": { "$ref": "#/$defs/LocalLLMFailoverTarget" } } }, "additionalProperties": false, "required": [ "targets" ] }, "LocalLLMFailoverTarget": { "type": "object", "properties": { "model": { "description": "model is resolved against llm.models using the same wildcard matching as client requests.", "type": "string" }, "priority": { "description": "priority groups targets for failover. 
Lower values are preferred.", "type": "integer", "format": "uint", "minimum": 0 } }, "additionalProperties": false, "required": [ "model", "priority" ] }, "LocalLLMConditionalRouting": { "type": "object", "properties": { "targets": { "description": "targets are evaluated in order. The first matching condition selects the model.", "type": "array", "items": { "$ref": "#/$defs/LocalLLMConditionalTarget" } } }, "additionalProperties": false, "required": [ "targets" ] }, "LocalLLMConditionalTarget": { "type": "object", "properties": { "when": { "description": "when must evaluate to true for this target to be selected. Omit only on the final fallback target.", "anyOf": [ { "$ref": "#/$defs/Expression" }, { "type": "null" } ], "default": null }, "model": { "description": "model is resolved against llm.models using the same wildcard matching as client requests.", "type": "string" } }, "additionalProperties": false, "required": [ "model" ] }, "LocalLLMPolicy": { "type": "object", "properties": { "oidc": { "description": "Authenticate browser requests with OIDC authorization code flow.", "anyOf": [ { "$ref": "#/$defs/LocalOidcConfig" }, { "type": "null" } ] }, "jwtAuth": { "description": "Authenticate incoming requests with JWT bearer tokens.", "anyOf": [ { "$ref": "#/$defs/LocalJwtConfig" }, { "type": "null" } ] }, "authorization": { "description": "Authorization rules for incoming HTTP requests.", "anyOf": [ { "$ref": "#/$defs/Authorization" }, { "type": "null" } ], "default": null }, "extAuthz": { "description": "Authorize incoming requests by calling an external authorization service.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_ExtAuthz" }, { "type": "null" } ] }, "extProc": { "description": "Send request and response data to an external processing service.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_ExtProc" }, { "type": "null" } ] }, "cors": { "description": "Handle CORS preflight requests and append configured CORS headers to applicable 
requests.", "anyOf": [ { "$ref": "#/$defs/CorsSerde" }, { "type": "null" } ], "default": null }, "transformations": { "description": "Modify request and response headers, bodies, or metadata.", "anyOf": [ { "$ref": "#/$defs/LocalExplicitOrConditional_LocalTransformationConfig" }, { "type": "null" } ] }, "basicAuth": { "description": "Authenticate incoming requests with Basic Auth credentials from an htpasswd user database.", "anyOf": [ { "$ref": "#/$defs/LocalBasicAuth" }, { "type": "null" } ] }, "apiKey": { "description": "Authenticate incoming requests with API keys.", "anyOf": [ { "$ref": "#/$defs/LocalAPIKeys" }, { "type": "null" } ] }, "guardrails": { "description": "Guardrails to apply to every configured model.", "anyOf": [ { "$ref": "#/$defs/PromptGuard" }, { "type": "null" } ] }, "localRateLimit": { "description": "Local rate limits for incoming requests.", "type": "array", "items": { "$ref": "#/$defs/RateLimitSpec" }, "default": [] }, "remoteRateLimit": { "description": "Remote rate limit checks for incoming requests.", "anyOf": [ { "$ref": "#/$defs/RemoteRateLimit" }, { "type": "null" } ], "default": null } }, "additionalProperties": false }, "LocalSimpleMcpConfig": { "type": "object", "properties": { "port": { "type": [ "integer", "null" ], "format": "uint16", "minimum": 0, "maximum": 65535 }, "targets": { "type": "array", "items": { "$ref": "#/$defs/LocalMcpTarget" } }, "statefulMode": { "$ref": "#/$defs/McpStatefulMode" }, "prefixMode": { "anyOf": [ { "$ref": "#/$defs/McpPrefixMode" }, { "type": "null" } ] }, "failureMode": { "description": "Behavior when one or more MCP targets fail to initialize or fail during fanout.\nDefaults to `failClosed`.", "anyOf": [ { "$ref": "#/$defs/McpBackendFailureMode" }, { "type": "null" } ] }, "policies": { "anyOf": [ { "$ref": "#/$defs/FilterOrPolicy" }, { "type": "null" } ] } }, "additionalProperties": false, "required": [ "targets" ] } } }