CLI: policy

kairos policy validates and inspects deployment policy files, resolving effective configuration values from base constraints and operator overrides.

| Subcommand | Description |
|------------|-------------|
| validate | Validate a policy file and display effective values |
| inspect | Inspect a policy with full base and effective details |

Validate a deployment policy file and display effective configuration values.

kairos policy validate policy.json

Validates the policy against the schema, then resolves the effective configuration by applying overrides to the base constraints.

Output (success):

Policy is valid.
schema version: 1
policy version: 1
gamma floor (eff.): 0.2
mode (eff.): state_gate
staleness max (ms): 60000
require signature: false
fail behavior: fail_closed

Exit code 1 on validation failure.


Inspect a deployment policy and output the full resolved configuration as JSON, showing both effective values and base constraints.

kairos policy inspect policy.json

Output:

{
  "schemaVersion": 1,
  "policyVersion": 1,
  "effective": {
    "gammaFloor": 0.2,
    "mode": "state_gate",
    "metricStalenessMaxMs": 60000,
    "requireMetricSignature": false,
    "failBehavior": "fail_closed"
  },
  "base": {
    "gammaFloorMin": 0.15,
    "permittedModes": ["state_gate", "state_plus_action_gate"],
    "metricStalenessMaxMs": 60000,
    "requireMetricSignature": false,
    "failBehavior": "fail_closed"
  },
  "hasOverrides": true
}

| Section | Description |
|---------|-------------|
| effective | Resolved values after applying overrides to base constraints |
| base | Base policy constraints (minimum gamma floor, permitted modes, etc.) |
| hasOverrides | Whether operator overrides were applied (vs. base-only) |

Exit code 1 on parsing or validation failure.


The effective configuration is resolved by combining the signed base policy with operator overrides:

  • gammaFloor: Override value, but must be ≥ base.gammaFloorMin
  • mode: Override value, but must be in base.permittedModes
  • metricStalenessMaxMs: From base (not overrideable)
  • requireMetricSignature: From base (not overrideable)
  • failBehavior: From base (not overrideable)

This two-layer design allows operators to tune parameters within bounds set by the signed base policy. See Deployment Policy for full schema details.
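
The resolution rules above, sketched as an added Python example (not kairos source code). Field names follow the `inspect` output; the flat override shape, the fallbacks used when no override is given, and rejecting rather than ignoring an override of a base-only field are assumptions.

```python
# Added example: not the kairos implementation. The override shape and the
# fallback/rejection behaviour below are assumptions, marked where they apply.

LOCKED = ("metricStalenessMaxMs", "requireMetricSignature", "failBehavior")


class PolicyError(ValueError):
    """Raised when an override falls outside the base constraints."""


def resolve_effective(base, overrides=None):
    """Combine base constraints with operator overrides; raise on any violation."""
    overrides = overrides or {}

    # Assumption: locked or unknown keys are rejected rather than silently
    # ignored, so an attempt to weaken a base-only setting is surfaced.
    for key in overrides:
        if key in LOCKED:
            raise PolicyError(f"{key} comes from the base policy and cannot be overridden")
        if key not in ("gammaFloor", "mode"):
            raise PolicyError(f"unknown override key: {key}")

    # Assumption: with no override, gammaFloor falls back to the base minimum
    # and mode to the first permitted mode.
    gamma = overrides.get("gammaFloor", base["gammaFloorMin"])
    if isinstance(gamma, bool) or not isinstance(gamma, (int, float)):
        raise PolicyError("gammaFloor must be a number")
    # "not >=" instead of "<" so that NaN is rejected too.
    if not gamma >= base["gammaFloorMin"]:
        raise PolicyError(f"gammaFloor {gamma} is below base minimum {base['gammaFloorMin']}")

    mode = overrides.get("mode", base["permittedModes"][0])
    if mode not in base["permittedModes"]:
        raise PolicyError(f"mode {mode!r} is not in permittedModes")

    effective = {"gammaFloor": gamma, "mode": mode}
    effective.update({key: base[key] for key in LOCKED})
    return {"effective": effective, "base": base, "hasOverrides": bool(overrides)}


# Constructed sample input mirroring the "base" section of the inspect output.
BASE = {
    "gammaFloorMin": 0.15,
    "permittedModes": ["state_gate", "state_plus_action_gate"],
    "metricStalenessMaxMs": 60000,
    "requireMetricSignature": False,
    "failBehavior": "fail_closed",
}
```

With the overrides `{"gammaFloor": 0.2, "mode": "state_gate"}` this reproduces the `effective` block shown in the `inspect` output.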