
Governance API

The Governance API lets you define and enforce policies that control how LLM calls are processed through the Firewall.

Overview

Use the Governance API to:

  • Define policies such as PII masking, fact-checking, content safety and model allowlists
  • Manage policy versions and rollouts
  • Evaluate whether a prompt/response pair violates a policy
  • Audit policy enforcement actions

Key Endpoints

Create Policy

POST /api/v1/governance/policies

curl -X POST https://api.truthvouch.com/api/v1/governance/policies \
-H "Authorization: Bearer tv_live_..." \
-H "Content-Type: application/json" \
-d '{
"name": "Production Safety Policy",
"description": "Enforce PII masking on all production calls",
"code": "package policies.pii\n\ndeny[msg] {\n contains_ssn\n msg := \"SSN detected\"\n}\n\ncontains_ssn {\n regex.match(\"\\\\d{3}-\\\\d{2}-\\\\d{4}\", input.prompt)\n}",
"active": true
}'

The code field carries the Rego source as a JSON string, so backslashes in a regular expression are escaped twice: once for the Rego string literal and once for JSON. The \\\\d on the wire is \\d in the Rego source and \d in the compiled regex.

Get Policy

GET /api/v1/governance/policies/{policyId}

curl https://api.truthvouch.com/api/v1/governance/policies/policy_abc123 \
-H "Authorization: Bearer tv_live_..."

List Policies

GET /api/v1/governance/policies

curl "https://api.truthvouch.com/api/v1/governance/policies?status=active" \
-H "Authorization: Bearer tv_live_..."

Update Policy

PATCH /api/v1/governance/policies/{policyId}

curl -X PATCH https://api.truthvouch.com/api/v1/governance/policies/policy_abc123 \
-H "Authorization: Bearer tv_live_..." \
-H "Content-Type: application/json" \
-d '{
"code": "package policies.pii\n...",
"active": true
}'

Evaluate Policy

Check whether a prompt/response pair violates a policy without sending it through the Firewall:

POST /api/v1/governance/evaluations/run

curl -X POST https://api.truthvouch.com/api/v1/governance/evaluations/run \
-H "Authorization: Bearer tv_live_..." \
-H "Content-Type: application/json" \
-d '{
"policyId": "policy_abc123",
"prompt": "What is 2+2?",
"response": "2+2 equals 4"
}'

Response:

{
"data": {
"verdict": "allowed",
"violations": [],
"alerts": []
}
}
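A pre-deployment regression harness for the endpoints above, added here as an example and not part of TruthVouch's own tooling: it serialises a .rego file into the create-policy body (which shows why the regex backslashes end up doubled twice on the wire), runs a set of prompts through /evaluations/run, and fails closed on anything other than a clean "allowed" verdict with no violations. The endpoint paths and JSON field names are the ones documented on this page; the policy_abc123 id in the fake's create response, the fake transport itself, the "denied" verdict label, the harness's own "allow"/"block" labels and the sample prompts are constructed assumptions.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

API_BASE = "https://api.truthvouch.com"
POLICIES_PATH = "/api/v1/governance/policies"
EVAL_PATH = "/api/v1/governance/evaluations/run"

# Rego source as it would sit in a .rego file. The regex is escaped once here
# (Rego string literal); json.dumps adds the second level seen in the curl body.
SSN_POLICY = r'''package policies.pii

deny[msg] {
    regex.match("\\d{3}-\\d{2}-\\d{4}", input.prompt)
    msg := "SSN detected in prompt; please remove PII"
}
'''

# transport(method, path, json_body) -> (http_status, response_text)
Transport = Callable[[str, str, str], Tuple[int, str]]


def create_policy_body(name: str, description: str, rego: str, active: bool = True) -> str:
    """JSON body for POST /api/v1/governance/policies built from Rego source."""
    return json.dumps({"name": name, "description": description, "code": rego, "active": active})


def evaluate(transport: Transport, policy_id: str, prompt: str, response: str) -> str:
    """Run one prompt/response pair through POST .../evaluations/run.

    Returns "allow" or "block" (labels are this harness's own). Fails closed: a
    non-200 status, malformed JSON or any reported violation means "block", so an
    unreachable Firewall never lets traffic through by accident.
    """
    body = json.dumps({"policyId": policy_id, "prompt": prompt, "response": response})
    status, raw = transport("POST", EVAL_PATH, body)
    if status != 200:
        return "block"
    try:
        data = json.loads(raw)["data"]
    except (ValueError, KeyError, TypeError):
        return "block"
    if data.get("verdict") == "allowed" and not data.get("violations"):
        return "allow"
    return "block"


def run_regression(transport: Transport, policy_id: str,
                   cases: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Evaluate (prompt, response, expected) cases; return (prompt, expected, actual) mismatches."""
    failures = []
    for prompt, response, expected in cases:
        actual = evaluate(transport, policy_id, prompt, response)
        if actual != expected:
            failures.append((prompt, expected, actual))
    return failures


def http_transport(api_key: str) -> Transport:
    """Real transport over urllib; not exercised offline."""
    def send(method: str, path: str, body: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            API_BASE + path, data=body.encode(), method=method,
            headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
        except urllib.error.URLError:
            return 0, ""  # network failure: evaluate() treats this as "block"
    return send


# Constructed stand-in for the Firewall so the harness runs offline. It applies the
# SSN rule with the same unanchored semantics as Rego's regex.match.
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


def fake_transport(fail_with: int = 0) -> Transport:
    """fail_with=503 simulates an outage to exercise the fail-closed path."""
    def send(method: str, path: str, body: str) -> Tuple[int, str]:
        if fail_with:
            return fail_with, json.dumps({"error": "simulated outage"})
        req = json.loads(body)
        if method == "POST" and path == POLICIES_PATH:
            return 200, json.dumps({"data": {"id": "policy_abc123"}})  # response shape assumed
        if method == "POST" and path == EVAL_PATH:
            hits = ["SSN detected in prompt; please remove PII"] if SSN_RE.search(req["prompt"]) else []
            verdict = "allowed" if not hits else "denied"  # "denied" label assumed
            return 200, json.dumps({"data": {"verdict": verdict, "violations": hits, "alerts": []}})
        return 404, "{}"
    return send


# Constructed regression cases for the SSN policy.
CASES = [
    ("What is 2+2?", "2+2 equals 4", "allow"),
    ("My SSN is 123-45-6789, file my taxes", "I can't do that.", "block"),
    ("Ticket 123-45-67890 is still open", "Noted.", "block"),  # unanchored: longer digit runs still hit
    ("Call 555-1234 for support", "Sure.", "allow"),
]

if __name__ == "__main__":
    api = fake_transport()
    print(api("POST", POLICIES_PATH, create_policy_body("Production Safety Policy", "Block SSNs", SSN_POLICY)))
    print("failures:", run_regression(api, "policy_abc123", CASES))
    print("outage ->", evaluate(fake_transport(503), "policy_abc123", "hi", "hi"))
```

Swap fake_transport() for http_transport("tv_live_...") to run the same cases against the real endpoint. The third case is deliberate: regex.match has no implicit anchors, so a ticket number that happens to contain a 3-2-4 digit run is blocked too; anchor or tighten the pattern in the policy if that false positive matters.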

Policy Language

Policies are written in Rego, the declarative policy language of Open Policy Agent (OPA). The examples below use the classic (pre-1.0) Rego syntax; if the Firewall's OPA is version 1.0 or later, the same rules must be written with the `contains` and `if` keywords (for example `deny contains msg if { ... }`).

Example Policies

PII Detection (Block SSN):

package policies.pii

deny[msg] {
    # regex.match is unanchored: any 3-2-4 digit run anywhere in the prompt matches
    regex.match("\\d{3}-\\d{2}-\\d{4}", input.prompt)
    msg := "SSN detected in prompt; please remove PII"
}

Content Safety (Block Violent Content):

package policies.safety
deny[msg] {
input.response.category == "violent"
input.response.score > 0.7
msg := "Response contains violent content; not sending to user"
}

Model Allowlist:

package policies.model_control

import future.keywords.in

deny[msg] {
    not is_approved_model(input.model)
    msg := sprintf("Model %v is not approved", [input.model])
}

is_approved_model(model) {
    approved := ["gpt-4", "gpt-4-turbo", "claude-3-sonnet"]
    model in approved
}

Token Limits:

package policies.tokens
deny[msg] {
input.tokens_used > 10000
msg := "Token limit exceeded for this request"
}

Policy Evaluation

Policies are evaluated by OPA (Open Policy Agent) against the call's input. Each evaluation yields one of three outcomes:

  • allow — the request proceeds
  • deny — the request is blocked, with the reason taken from the matching rule's message
  • warn — the request proceeds but a warning is logged

Policy Versioning

Each policy keeps a version history so that changes can be rolled out gradually and rolled back if they misfire:

GET /api/v1/policies/{policyId}/versions

curl https://api.truthvouch.com/api/v1/policies/policy_abc123/versions \
-H "Authorization: Bearer tv_live_..."

Each version tracks:

  • Rules and changes
  • Activation date
  • Rollback capability

Next Steps