guardrails helm chart upgrade

[akshaydeo]

Summary

Updates the guardrails and user-provisioning documentation to reflect that env.* references are now supported in guardrail provider config blocks and most SCIM provider config fields. Removes the previous warnings stating env vars were unsupported, replaces hardcoded credential placeholders with env.* examples, and adds comprehensive per-provider field reference tables documenting which fields support env var resolution and which require plain values.

Changes

• Replaced the <Warning> blocks stating env.* was unsupported with <Note> blocks explaining the new env var resolution behavior for guardrail provider config fields
• Updated all example configs (AWS Bedrock, Azure Content Safety, Gray Swan, Regex) to use env.* strings instead of hardcoded placeholder credentials
• Added auth_type field documentation and examples for AWS Bedrock (keys, api_key, iam_role) and Azure Content Safety (api_key, default_credential, entra_id), including separate config snippets for each auth mode
• Added Patronus AI as a new guardrail provider (patronus-ai) with its own tab, example config, and field reference
• Added sampling_rate to all provider config examples; removed the now-unused mode: "block" field from Regex examples
• Added base_url to the Gray Swan provider config
• Added a new Environment Variable Support section to both the config.json and Helm guardrails docs with per-provider tables distinguishing env.*-supported fields from plain-only fields
• Added SailPoint as a supported SCIM provider in the user-provisioning docs, with a full field reference table (SailPoint fields are plain-only — no env.* support)
• Added per-provider env var support tables for all SCIM providers (Okta, Entra ID, Keycloak, Zitadel, Google Workspace, SailPoint) in the user-provisioning docs
• Updated provider_config_ids references in rule examples to reflect the new provider ID numbering (Gray Swan moved from 4 to 5 after Patronus AI was inserted)

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Review the rendered documentation pages for:

• docs/deployment-guides/config-json/guardrails.mdx
• docs/deployment-guides/helm/guardrails.mdx
• docs/enterprise/user-provisioning.mdx

Verify that:

1. The Patronus AI tab appears alongside the other guardrail provider tabs
2. AWS Bedrock and Azure Content Safety tabs show all three auth mode examples
3. The Environment Variable Support reference tables render correctly with proper column alignment
4. All example configs use env.* strings rather than hardcoded placeholder values
5. The SailPoint provider section appears in the user-provisioning page

Breaking changes

• Yes
• No

Related issues

Security considerations

All credential fields in example configurations now use env.* references rather than hardcoded placeholder strings, reducing the risk of users copying examples with literal secrets into production configs. The documentation explicitly distinguishes which fields support env var resolution to prevent misconfiguration.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Documentation

  • Added environment-variable support for provider credential/endpoint fields in guardrails and SCIM/user-provisioning docs; per-provider env support reference added
  • Introduced Patronus AI as a guardrails provider and reordered provider listings
  • Added SailPoint as a SCIM provider option
  • Expanded auth-type examples for AWS Bedrock and Azure Content Safety; added sampling_rate examples across providers

• Chores

  • Minor governance routing early-exit behavior for passthrough requests

Walkthrough

Documentation changes add per-provider environment-variable support (allowing env.VAR_NAME in credential/endpoint fields where listed), update guardrails provider examples to use env-backed values and sampling_rate: 100, introduce Patronus AI (id 4) and move Gray Swan to id 5, add SailPoint to SCIM provider docs, and one repo code change bypasses governance processing for requests with "passthrough" in the URL path.

Changes

Cohort / File(s)	Summary
Guardrails — config-json docs/deployment-guides/config-json/guardrails.mdx	Replaced blanket env.* prohibition with an “Environment Variable Support” matrix; converted credential/endpoint fields to env.* where supported; added sampling_rate: 100; added auth_type examples for AWS Bedrock and Azure Content Safety; added Patronus AI (id: 4) and moved Gray Swan to id: 5; updated full example/provider IDs.
Guardrails — helm docs/deployment-guides/helm/guardrails.mdx	Mirrors config-json changes: per-provider env.* support, env-backed credential/endpoint examples, sampling_rate: 100 across providers, Bedrock/Azure multi-auth examples, Patronus AI added (id: 4) and Gray Swan moved to id: 5, updated full example and rule references.
Enterprise SCIM docs docs/enterprise/user-provisioning.mdx	Added sailpoint to documented scim_config.provider values; added “Environment variable support” section listing which SCIM provider fields accept env.* vs plain-only; marks attribute mapping arrays plain-only; documents SailPoint as plain-only.
Provider examples & field matrix docs/.../guardrails.mdx, docs/.../helm/guardrails.mdx	Expanded per-provider field lists showing env.* support vs plain-only; updated Regex example (removed mode, set sampling_rate: 100); adjusted AWS/Azure/Gray Swan examples to use env-backed values where supported; added Patronus AI snippets.
Governance plugin plugins/governance/main.go	Added an early-exit in HTTPTransportPreHook to bypass downstream governance logic for HTTP requests whose URL path contains "passthrough".

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant HTTPHook as HTTPTransportPreHook
    participant Validator as VirtualKey/Router
    participant Parser as BodyParser/Serializer
    participant LB as LoadBalancer
    participant MCP as MCPToolInjector
    participant Backend as BackendService

    Client->>HTTPHook: HTTP request (path contains "passthrough")
    HTTPHook-->>Client: Bypass governance (early exit)
    Client->>Backend: Request forwarded directly

    %% Normal flow
    Client->>HTTPHook: HTTP request (normal)
    HTTPHook->>Validator: Validate keys & routing
    Validator->>Parser: Parse/serialize body
    Parser->>LB: Select upstream
    LB->>MCP: Inject MCP tools
    MCP->>Backend: Forward processed request

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nibble lines of docs and tuck my keys away,

Env vars peek out where literals used to stay.
Patronus hops in, Gray Swan drifts to five,
SailPoint finds a spot, the examples come alive. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'guardrails helm chart upgrade' is vague and only partially captures the full scope of the changeset, which includes config-json guardrails docs, helm guardrails docs, and user-provisioning docs with env var support additions.	Consider a more descriptive title like 'Document env var support in guardrails and SCIM providers' to better reflect the comprehensive documentation updates across multiple modules.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description comprehensively covers the Summary, Changes, Type of change, Affected areas, How to test, Breaking changes, and Security considerations sections. However, the 'Related issues' and 'How to test' (testing steps) sections are minimal or missing.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 04-26-guardrails_helm_chart_upgrade

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[akshaydeo]

• guardrails helm chart upgrade #3062 👈 (View in Graphite)
• env var updates #3061
• vertex + anthropic fixes #3055
• adds message filter flow for log details messages #3054
• bedrock cli compatibility changes #3053
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Confidence Score: 4/5

Documentation changes are safe to merge; the Go change in main.go introduces an unconditional governance bypass that should be reviewed before merging.

A single P1 finding in the Go code (unconditional passthrough bypass) caps the score at 4. The docs changes are clean and internally consistent.

plugins/governance/main.go — the passthrough early-return needs scoping or intentional justification.

Security Review

• Governance bypass (plugins/governance/main.go, line 349): strings.Contains(req.Path, \"passthrough\") unconditionally skips all governance — including virtual key authentication and guardrails — for any request whose path matches the substring. An operator who has configured virtual keys or guardrails would have those controls silently bypassed for all passthrough-routed traffic.

Important Files Changed

Filename	Overview
plugins/governance/main.go	Adds a broad strings.Contains(req.Path, "passthrough") early-return in HTTPTransportPreHook that unconditionally skips virtual key validation, routing rules, and guardrails for any matching path.
docs/deployment-guides/config-json/guardrails.mdx	Replaces env-var-unsupported warnings with notes, adds Patronus AI provider tab, adds auth-mode examples for AWS Bedrock and Azure Content Safety, renumbers Gray Swan to id 5, and adds comprehensive env-var support reference tables.
docs/deployment-guides/helm/guardrails.mdx	Mirrors the config-json changes for the Helm values format, including Patronus AI tab, auth-mode snippets, env-var support tables, and provider ID renumbering.
docs/enterprise/user-provisioning.mdx	Adds SailPoint as a SCIM provider and adds per-provider env-var support tables for all SCIM providers (Okta, Entra ID, Keycloak, Zitadel, Google Workspace, SailPoint).

_{Reviews (9): Last reviewed commit: "guardrails helm chart upgrade" | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/deployment-guides/config-json/guardrails.mdx`:
- Around line 11-13: Update the Note block that currently shows the example
string "env.AWS_SECRET_KEY" to use the consistent AWS variable name
"env.AWS_SECRET_ACCESS_KEY" so it matches the Bedrock example; search for the
literal "env.AWS_SECRET_KEY" in the guardrails.mdx content and replace it with
"env.AWS_SECRET_ACCESS_KEY" to avoid copy/paste misconfiguration.

In `@docs/deployment-guides/helm/guardrails.mdx`:
- Around line 11-13: The Note uses env.AWS_SECRET_KEY but the Bedrock example
uses env.AWS_SECRET_ACCESS_KEY; update the Note so both examples use the same
canonical environment variable name (prefer env.AWS_SECRET_ACCESS_KEY) — replace
env.AWS_SECRET_KEY in the guardrail provider `config` block example with
env.AWS_SECRET_ACCESS_KEY to ensure consistency across the page.

In `@docs/enterprise/user-provisioning.mdx`:
- Line 88: The provider list string was updated to include "sailpoint" but the
UI/content for provider cards doesn't surface a SailPoint setup path; update the
user-provisioning page to either add a SailPoint provider card/link (matching
the other providers' card pattern) that points to setup/config docs for
SailPoint, or explicitly annotate the provider list to say "SailPoint
(config-only)" and add a short note under the provider cards explaining what
"config-only" means; look for the "provider": "okta | entra | zitadel | keycloak
| google | sailpoint" string and the provider cards section on the page to make
the change.
- Around line 115-216: The SCIM provider docs list unsupported providers and
fields that conflict with the schema; update docs to match the schema in
transports/config.schema.json by removing or refactoring all provider sections
except the supported "okta" and "entra" providers and remove references to
non-existent config objects and fields (e.g., okta_config, entra_config,
attributeRoleMappings, attributeTeamMappings, attributeBusinessUnitMappings)
that will be rejected by validation; keep only the exact fields and env.*
support semantics defined by the schema for provider values ["okta","entra"], or
note that other providers/attribute-mapping arrays are future work and will be
added in a follow-up PR.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dd40607a-125f-4756-9757-521e47a67aaf

📥 Commits

Reviewing files that changed from the base of the PR and between e7a62e3 and cae1379.

📒 Files selected for processing (3)

• docs/deployment-guides/config-json/guardrails.mdx
• docs/deployment-guides/helm/guardrails.mdx
• docs/enterprise/user-provisioning.mdx

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/deployment-guides/helm/guardrails.mdx`:
- Around line 245-251: Update the Regex env-support matrix to include the
timeout field: add a new table row for `timeout` (or append `timeout` into the
existing Regex table) showing whether it is required (No), env.* supported
(Plain only) and a short Notes entry (e.g., timeout in seconds for pattern
evaluation; optional). Ensure this matches the examples that already use
`timeout` so the docs clearly state its env-support behavior and default/units.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 669c48ac-0931-417d-b6db-c1930b3ec8e4

📥 Commits

Reviewing files that changed from the base of the PR and between 1169c9d and 39d8ac2.

📒 Files selected for processing (3)

• docs/deployment-guides/config-json/guardrails.mdx
• docs/deployment-guides/helm/guardrails.mdx
• docs/enterprise/user-provisioning.mdx

✅ Files skipped from review due to trivial changes (1)

• docs/deployment-guides/config-json/guardrails.mdx

[coderabbitai]

🧹 Nitpick comments (4)

docs/deployment-guides/config-json/guardrails.mdx (2)

11-13: Resolve inconsistent AWS secret env var name in the note.

The note on line 12 uses "env.AWS_SECRET_KEY" as the example, but the AWS Bedrock provider (lines 74-75) uses "env.AWS_SECRET_ACCESS_KEY". AWS SDK standard convention uses AWS_SECRET_ACCESS_KEY. Consider updating the note to use the canonical name for consistency.

🛠️ Suggested doc fix

-Credential and endpoint fields in guardrail provider `config` blocks support `"env.VAR_NAME"` strings (e.g. `"env.AWS_SECRET_KEY"`). Bifrost resolves the value from the process environment at startup.
+Credential and endpoint fields in guardrail provider `config` blocks support `"env.VAR_NAME"` strings (e.g. `"env.AWS_SECRET_ACCESS_KEY"`). Bifrost resolves the value from the process environment at startup.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/deployment-guides/config-json/guardrails.mdx` around lines 11 - 13,
Update the Note block that currently shows the example credential string
"env.AWS_SECRET_KEY" to use the canonical AWS variable name
"env.AWS_SECRET_ACCESS_KEY" so it matches the AWS Bedrock provider example and
common AWS SDK conventions; locate the Note element containing the example
string (and the AWS Bedrock provider example strings
"env.AWS_SECRET_ACCESS_KEY") and replace the shorter nonstandard name with the
full "env.AWS_SECRET_ACCESS_KEY" for consistency.

---

294-300: Add timeout to the Regex env-support matrix.

The Regex provider example includes "timeout": 5, but the Regex env-support table (lines 294-300) doesn't list the timeout field. Add it for consistency with other providers and so users can see the env-support behavior for all configurable fields.

🛠️ Suggested doc fix

 ### Regex

 | Field | Required | env.\* supported | Notes |
 |-------|----------|-----------------|-------|
 | `patterns` | Yes | **Plain only** | Array of `{ pattern, description?, flags? }` objects |
 | `sampling_rate` | No | **Plain only** | `0`–`100`; percentage of requests to evaluate (default: `100`) |
+| `timeout` | No | **Plain only** | Execution timeout in seconds |

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/deployment-guides/config-json/guardrails.mdx` around lines 294 - 300,
The Regex env-support table is missing the `timeout` field shown in the Regex
provider example; update the Regex table to include a `timeout` row indicating
whether env.* is supported (e.g., Plain only or same as other fields) and a
brief Notes entry (e.g., seconds, optional) so it matches the example that uses
`"timeout": 5`; locate the Regex section and add the `timeout` entry next to
`patterns` and `sampling_rate` in the table.

docs/deployment-guides/helm/guardrails.mdx (1)

245-251: Add timeout to the Regex env-support matrix.

The Regex provider example (lines 37-38) includes timeout: 5, but the Regex env-support table in lines 245-251 doesn't list the timeout field. Add it for completeness so users know the env-support behavior for all configurable fields.

🛠️ Suggested doc fix

 ### Regex

 | Field | Required | env.\* supported | Notes |
 |-------|----------|-----------------|-------|
 | `patterns` | Yes | **Plain only** | Array of `{ pattern, description?, flags? }` objects |
 | `sampling_rate` | No | **Plain only** | `0`–`100`; percentage of requests to evaluate (default: `100`) |
+| `timeout` | No | **Plain only** | Execution timeout in seconds |

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/deployment-guides/helm/guardrails.mdx` around lines 245 - 251, Update
the Regex env-support table to include the timeout field: add a row for
`timeout` (mark as No for Required, **Plain only** for env.* supported) and
include a short Notes entry such as `seconds; evaluation timeout (e.g., 5 in
example)` so the table reflects the `timeout` shown in the Regex provider
example.

docs/enterprise/user-provisioning.mdx (1)

30-43: Consider adding a SailPoint provider card for discoverability.

The provider list on line 88 includes sailpoint, but the provider cards in lines 30-43 don't include a SailPoint option. While the previous review comment on this was marked as addressed, the cards still only show Okta, Microsoft Entra, Zitadel, and Google Workspace. Users looking for SailPoint setup documentation may not find it easily without a card linking to setup docs.

🤖 Prompt for AI Agents

Verify each finding against the current code and determine if this is intentional or needs addressing.

In `@docs/enterprise/user-provisioning.mdx` around lines 30 - 43, The provider card group
lists Okta, Microsoft Entra, Zitadel, and Google Workspace, but does not include a card for
SailPoint even though the provider list and env-support tables document it. Check if there's
a separate SailPoint setup guide linked elsewhere, or if adding a SailPoint card would
improve discoverability. If there's no setup guide, consider adding a note that SailPoint
is config-only (schema file only, no separate setup guide) in the provider list section.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/enterprise/user-provisioning.mdx` around lines 30 - 43, The CardGroup in
user-provisioning.mdx currently renders Card components for Okta, Microsoft
Entra, Zitadel, and Google Workspace but omits SailPoint; add a new Card (same
pattern as the others) with title "SailPoint", an appropriate icon (e.g.,
"sailpoint" or "cloud" if icon missing), and href pointing to the SailPoint
setup doc (or to a new/internal note) so SailPoint is discoverable, or—if no
setup guide exists—add a Card titled "SailPoint" whose body text clarifies
"config-only (schema file only, no separate setup guide)" and links to the
schema/config reference; update the CardGroup containing Card components to
include this new Card and ensure the Card title matches the provider identifier
`sailpoint`.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/deployment-guides/config-json/guardrails.mdx`:
- Around line 11-13: Update the Note block that currently shows the example
credential string "env.AWS_SECRET_KEY" to use the canonical AWS variable name
"env.AWS_SECRET_ACCESS_KEY" so it matches the AWS Bedrock provider example and
common AWS SDK conventions; locate the Note element containing the example
string (and the AWS Bedrock provider example strings
"env.AWS_SECRET_ACCESS_KEY") and replace the shorter nonstandard name with the
full "env.AWS_SECRET_ACCESS_KEY" for consistency.
- Around line 294-300: The Regex env-support table is missing the `timeout`
field shown in the Regex provider example; update the Regex table to include a
`timeout` row indicating whether env.* is supported (e.g., Plain only or same as
other fields) and a brief Notes entry (e.g., seconds, optional) so it matches
the example that uses `"timeout": 5`; locate the Regex section and add the
`timeout` entry next to `patterns` and `sampling_rate` in the table.

In `@docs/deployment-guides/helm/guardrails.mdx`:
- Around line 245-251: Update the Regex env-support table to include the timeout
field: add a row for `timeout` (mark as No for Required, **Plain only** for
env.* supported) and include a short Notes entry such as `seconds; evaluation
timeout (e.g., 5 in example)` so the table reflects the `timeout` shown in the
Regex provider example.

In `@docs/enterprise/user-provisioning.mdx`:
- Around line 30-43: The CardGroup in user-provisioning.mdx currently renders
Card components for Okta, Microsoft Entra, Zitadel, and Google Workspace but
omits SailPoint; add a new Card (same pattern as the others) with title
"SailPoint", an appropriate icon (e.g., "sailpoint" or "cloud" if icon missing),
and href pointing to the SailPoint setup doc (or to a new/internal note) so
SailPoint is discoverable, or—if no setup guide exists—add a Card titled
"SailPoint" whose body text clarifies "config-only (schema file only, no
separate setup guide)" and links to the schema/config reference; update the
CardGroup containing Card components to include this new Card and ensure the
Card title matches the provider identifier `sailpoint`.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3bac0d12-4b16-4cff-9f71-482ee79fd97b

📥 Commits

Reviewing files that changed from the base of the PR and between 39d8ac2 and f06aa56.

📒 Files selected for processing (4)

• docs/deployment-guides/config-json/guardrails.mdx
• docs/deployment-guides/helm/guardrails.mdx
• docs/enterprise/user-provisioning.mdx
• plugins/governance/main.go

✅ Files skipped from review due to trivial changes (1)

• plugins/governance/main.go

[akshaydeo]

Merge activity

• Apr 27, 8:08 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 27, 8:13 PM UTC: @akshaydeo merged this pull request with Graphite.

The base branch was changed.