tools[] definitions a client sends and the tool calls a model returns — with four
policies. All are configured like any other policy and scoped
global or per consumer.
Policy (slug) | Stage | Acts on |
|---|---|---|
tool_allowlist | pre_request | The request tools[] array |
tool_definition_transformation | pre_request | The request tools[] definitions |
per_tool_rate_limiter | pre_request · pre_response · post_response | Observed tool calls |
tool_call_validation | pre_response | Tool calls in the model response |
Tool allowlist
Thetool_allowlist policy is glob-based access control for the request tools[] array:
allow_tools whitelists patterns
and deny_tools removes patterns (deny overrides allow) before the model ever sees the
tools.
| Setting | Type | Default | Notes |
|---|---|---|---|
allow_tools | string[] | — | Glob patterns; if set, only matching tools pass. |
deny_tools | string[] | — | Glob patterns removed after allow_tools. |
on_empty_after_filter | enum | reject | When filtering removes every tool: reject, pass_through_empty, or strip_tools_field. |
Tool definition transformation
Thetool_definition_transformation policy reshapes tool definitions on the request leg
before they reach the model — a governance and
steering layer, not an access gate. Patch a matched tool’s JSON schema, override its
description, and inject operator-authored tools.
| Setting | Type | Default | Notes |
|---|---|---|---|
transform_tools | array | — | [{ tool, schema_patch, description_override }] — tool is a glob; schema_patch is an RFC 7386 merge patch. |
inject_tools | array | — | Operator-authored function tools appended to the request. |
on_conflict | enum | gateway_wins | Name collision resolution: gateway_wins, client_wins, or reject. |
Per-tool rate limiter
Theper_tool_rate_limiter policy counts and enforces limits per observed tool call in
model responses. The limit applies gateway-wide when the policy is global, otherwise per
consumer.
| Setting | Type | Default | Notes |
|---|---|---|---|
rules | array | — | Ordered [{ tool, windows, behavior }]; the first matching tool glob wins. Required. |
rules[].windows | array | — | [{ duration, max }] fixed windows for the matched tool. |
behavior_default | enum | reject_response | Applied to rules without an explicit behavior. |
behavior is one of reject_response, inject_error_result, or
strip_tool_from_request.
Tool call validation
Thetool_call_validation policy validates the tool calls an LLM returns against per-tool
rules, rejecting or redacting responses that violate them.
| Setting | Type | Default | Notes |
|---|---|---|---|
rules | array | — | Ordered validation rules. Required (≥1). |
rules[].validator | enum | — | not_in_allowed_list, json_schema, semantic, regex, or denylist. |
rules[].behavior | enum | reject_response | reject_response, redact, mask, or replace_with. |
semantic | object | — | { provider, api_key, model } — required when any rule uses the semantic validator. |
regex and denylist validators use argument_path (a JSONPath into the tool call
arguments) plus pattern / denylist; redact/mask/replace_with apply only to those two
validators.