Governance API

The Governance API lets you define and enforce policies that control how LLM calls are processed through the Firewall.

Overview

Use the Governance API to:

  • Define policies for PII masking, fact-checking, and policy enforcement
  • Manage policy versions and rollouts
  • Evaluate if a request violates policies
  • Audit policy enforcement actions

Key Endpoints

Create Policy

POST /api/v1/policies

curl -X POST https://api.truthvouch.com/api/v1/policies \
  -H "Authorization: Bearer tv_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Safety Policy",
    "description": "Enforce fact-checking on all production calls",
    "rules": [
      {
        "type": "fact_check",
        "threshold": 0.8,
        "action": "block"
      },
      {
        "type": "pii_detection",
        "action": "mask",
        "entities": ["email", "phone", "ssn"]
      },
      {
        "type": "injection_detection",
        "action": "block"
      }
    ],
    "active": true
  }'

Get Policy

GET /api/v1/policies/{policyId}

curl https://api.truthvouch.com/api/v1/policies/policy_abc123 \
  -H "Authorization: Bearer tv_live_..."

List Policies

GET /api/v1/policies

curl "https://api.truthvouch.com/api/v1/policies?status=active" \
  -H "Authorization: Bearer tv_live_..."

Update Policy

PATCH /api/v1/policies/{policyId}

curl -X PATCH https://api.truthvouch.com/api/v1/policies/policy_abc123 \
  -H "Authorization: Bearer tv_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "rules": [...],
    "active": true
  }'

Evaluate Policy

Check if a request violates a policy:

POST /api/v1/policies/{policyId}/evaluate

curl -X POST https://api.truthvouch.com/api/v1/policies/policy_abc123/evaluate \
  -H "Authorization: Bearer tv_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "What is 2+2?",
    "response": "2+2 equals 4"
  }'

Response:

{
  "data": {
    "verdict": "allowed",
    "violations": [],
    "alerts": []
  }
}

Rule Types

Fact-Check Rule

Verify response factuality:

{
  "type": "fact_check",
  "threshold": 0.8,
  "action": "block" // or "warn"
}

PII Detection Rule

Detect and mask personally identifiable information:

{
  "type": "pii_detection",
  "action": "mask", // or "block"
  "entities": ["email", "phone", "ssn", "credit_card", "passport"]
}

Injection Detection Rule

Block prompt injection attempts:

{
  "type": "injection_detection",
  "action": "block" // or "warn"
}
Token Limit Rule

Enforce token limits:

{
  "type": "token_limit",
  "maxTokens": 2000,
  "action": "block" // Reject if response exceeds limit
}

Model Restriction Rule

Allow only specific models:

{
  "type": "model_restriction",
  "allowedModels": ["gpt-4o", "gpt-4-turbo"],
  "action": "block" // Reject non-whitelisted models
}

Actions

Action            Behavior
block             Reject request, return error
mask              Mask sensitive data (PII only)
warn              Allow request but log warning
require_approval  Queue for manual review
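
The rule types and actions above can be checked offline before a policy body is sent to POST /api/v1/policies. The following is an added example, not TruthVouch code: `lint_policy` is a hypothetical helper, and treating the listed fields as required and `threshold` as a score between 0 and 1 are assumptions this page does not state.

```python
# Added example: offline lint of a policy body. Rule types, actions and field
# names come from this page; required fields and the 0..1 range are assumptions.
RULE_FIELDS = {
    "fact_check": {"threshold"},
    "pii_detection": {"entities"},
    "injection_detection": set(),
    "token_limit": {"maxTokens"},
    "model_restriction": {"allowedModels"},
}
ACTIONS = {"block", "mask", "warn", "require_approval"}


def lint_policy(policy):
    """Return a list of problems; an empty list means the body passed."""
    problems = []
    rules = policy.get("rules")
    if not isinstance(rules, list) or not rules:
        return ["policy has no rules, so nothing would be enforced"]
    for i, rule in enumerate(rules):
        rtype, action = rule.get("type"), rule.get("action")
        if rtype not in RULE_FIELDS:
            problems.append(f"rules[{i}]: unknown type {rtype!r}")
            continue
        if action not in ACTIONS:
            problems.append(f"rules[{i}]: unknown action {action!r}")
        elif action == "mask" and rtype != "pii_detection":
            # The Actions table limits "mask" to PII.
            problems.append(f"rules[{i}]: 'mask' applies to PII rules only")
        for field in sorted(RULE_FIELDS[rtype] - set(rule)):
            problems.append(f"rules[{i}]: {rtype} is missing {field!r}")
        t = rule.get("threshold")
        if rtype == "fact_check" and t is not None and not (
            isinstance(t, (int, float)) and 0 <= t <= 1
        ):
            problems.append(f"rules[{i}]: threshold {t!r} is outside 0..1")
    return problems


# Constructed sample: rules from the Create Policy body plus two mistakes.
SAMPLE = {
    "name": "Production Safety Policy",
    "rules": [
        {"type": "fact_check", "threshold": 0.8, "action": "block"},
        {"type": "pii_detection", "action": "mask", "entities": ["email", "phone", "ssn"]},
        {"type": "injection_detection", "action": "mask"},
        {"type": "token_limit", "action": "block"},
    ],
}
```

Running `lint_policy(SAMPLE)` flags the `mask` action on the injection rule and the token limit rule that has no `maxTokens`.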

Policy Versioning

Policies have multiple versions for safe rollouts:

GET /api/v1/policies/{policyId}/versions

curl https://api.truthvouch.com/api/v1/policies/policy_abc123/versions \
  -H "Authorization: Bearer tv_live_..."

Each version tracks:

  • Rules and changes
  • Activation date
  • Rollback capability