Guardrails: Added config management integration

backend/app/api/docs/api_keys/verify.md

@@ -0,0 +1,3 @@
+Verify the provided API key and return the resolved auth context.
+
+This endpoint validates the `X-API-KEY` header and returns `user_id`, `organization_id`, and `project_id` for the authenticated key.

backend/app/api/routes/api_keys.py

@@ -3,7 +3,12 @@
 
 from app.api.deps import SessionDep, AuthContextDep
 from app.crud.api_key import APIKeyCrud
-from app.models import APIKeyPublic, APIKeyCreateResponse, Message
+from app.models import (
+    APIKeyPublic,
+    APIKeyCreateResponse,
+    APIKeyVerifyResponse,
+    Message,
+)
 from app.utils import APIResponse, load_description
 from app.api.permissions import Permission, require_permission
 
@@ -71,3 +76,21 @@ def delete_api_key_route(
     api_key_crud.delete(key_id=key_id)
 
     return APIResponse.success_response(Message(message="API Key deleted successfully"))
+
+
+@router.get(
+    "/verify",
+    response_model=APIResponse[APIKeyVerifyResponse],
+    dependencies=[Depends(require_permission(Permission.REQUIRE_PROJECT))],
+    description=load_description("api_keys/verify.md"),
+)
+def verify_api_key_route(
+    current_user: AuthContextDep,
+):
+    return APIResponse.success_response(
+        APIKeyVerifyResponse(
+            user_id=current_user.user.id,
+            organization_id=current_user.organization_.id,
+            project_id=current_user.project_.id,
+        )
+    )

backend/app/crud/config/config.py

@@ -47,7 +47,7 @@ def create_or_raise(
             version = ConfigVersion(
                 config_id=config.id,
                 version=1,
-                config_blob=config_create.config_blob.model_dump(),
+                config_blob=config_create.config_blob.model_dump(mode="json"),
                 commit_message=config_create.commit_message,
             )
 

backend/app/crud/config/version.py

@@ -79,7 +79,7 @@ def create_or_raise(self, version_create: ConfigVersionUpdate) -> ConfigVersion:
             version = ConfigVersion(
                 config_id=self.config_id,
                 version=next_version,
-                config_blob=validated_blob.model_dump(),
+                config_blob=validated_blob.model_dump(mode="json"),
                 commit_message=version_create.commit_message,
             )
 

backend/app/models/__init__.py

@@ -2,7 +2,13 @@
 
 from .auth import AuthContext, Token, TokenPayload
 
-from .api_key import APIKey, APIKeyBase, APIKeyPublic, APIKeyCreateResponse
+from .api_key import (
+    APIKey,
+    APIKeyBase,
+    APIKeyPublic,
+    APIKeyCreateResponse,
+    APIKeyVerifyResponse,
+)
 
 from .assistants import Assistant, AssistantBase, AssistantCreate, AssistantUpdate
 

backend/app/models/api_key.py

@@ -45,6 +45,14 @@ class APIKeyCreateResponse(APIKeyPublic):
     key: str
 
 
+class APIKeyVerifyResponse(SQLModel):
+    """Response model for API key verification."""
+
+    user_id: int
+    organization_id: int
+    project_id: int
+
+
 class APIKey(APIKeyBase, table=True):
     """Database model for API keys."""
 

backend/app/models/llm/request.py

@@ -210,10 +210,24 @@ def validate_params(self):
 ]
 
 
+class Validator(SQLModel):
+    validator_config_id: UUID
+
+
 class ConfigBlob(SQLModel):
     """Raw JSON blob of config."""
 
     completion: CompletionConfig = Field(..., description="Completion configuration")
+
+    input_guardrails: list[Validator] | None = Field(
+        default=None,
+        description="Guardrails applied to validate/sanitize the input before the LLM call",
+    )
+
+    output_guardrails: list[Validator] | None = Field(
+        default=None,
+        description="Guardrails applied to validate/sanitize the output after the LLM call",
+    )
     # Future additions:
     # classifier: ClassifierConfig | None = None
     # pre_filter: PreFilterConfig | None = None
@@ -298,20 +312,6 @@ class LLMCallRequest(SQLModel):
             "in production, always use the id + version."
         ),
     )
-    input_guardrails: list[dict[str, Any]] | None = Field(
-        default=None,
-        description=(
-            "Optional guardrails configuration to apply input validation. "
-            "If not provided, no guardrails will be applied."
-        ),
-    )
-    output_guardrails: list[dict[str, Any]] | None = Field(
-        default=None,
-        description=(
-            "Optional guardrails configuration to apply output validation. "
-            "If not provided, no guardrails will be applied."
-        ),
-    )
     callback_url: HttpUrl | None = Field(
         default=None, description="Webhook URL for async response delivery"
     )

backend/app/services/llm/guardrails.py

@@ -5,12 +5,18 @@
 import httpx
 
 from app.core.config import settings
+from app.models.llm.request import Validator
 
 logger = logging.getLogger(__name__)
 
 
-def call_guardrails(
-    input_text: str, guardrail_config: list[dict], job_id: UUID
+def run_guardrails_validation(
+    input_text: str,
+    guardrail_config: list[Validator | dict[str, Any]],
+    job_id: UUID,
+    project_id: int | None,
+    organization_id: int | None,
+    suppress_pass_logs: bool = True,
 ) -> dict[str, Any]:
     """
     Call the Kaapi guardrails service to validate and process input text.
@@ -19,14 +25,26 @@ def call_guardrails(
         input_text: Text to validate and process.
         guardrail_config: List of validator configurations to apply.
         job_id: Unique identifier for the request.
+        project_id: Project identifier expected by guardrails API.
+        organization_id: Organization identifier expected by guardrails API.
+        suppress_pass_logs: Whether to suppress successful validation logs in guardrails service.
 
     Returns:
         JSON response from the guardrails service with validation results.
     """
+    validators = [
+        validator.model_dump(mode="json")
+        if isinstance(validator, Validator)
+        else validator
+        for validator in guardrail_config
+    ]
+
     payload = {
         "request_id": str(job_id),
+        "project_id": project_id,
+        "organization_id": organization_id,
         "input": input_text,
-        "validators": guardrail_config,
+        "validators": validators,
     }
 
     headers = {
@@ -38,16 +56,17 @@ def call_guardrails(
     try:
         with httpx.Client(timeout=10.0) as client:
             response = client.post(
-                settings.KAAPI_GUARDRAILS_URL,
+                f"{settings.KAAPI_GUARDRAILS_URL}/",
                 json=payload,
+                params={"suppress_pass_logs": str(suppress_pass_logs).lower()},
                 headers=headers,
             )
 
             response.raise_for_status()
             return response.json()
     except Exception as e:
         logger.warning(
-            f"[call_guardrails] Service unavailable. Bypassing guardrails. job_id={job_id}. error={e}"
+            f"[run_guardrails_validation] Service unavailable. Bypassing guardrails. job_id={job_id}. error={e}"
         )
 
         return {
@@ -58,3 +77,93 @@ def call_guardrails(
                 "rephrase_needed": False,
             },
         }
+
+
+def list_validators_config(
+    organization_id: int | None,
+    project_id: int | None,
+    input_validator_configs: list[Validator] | None,
+    output_validator_configs: list[Validator] | None,
+) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
+    """
+    Fetch validator configurations by IDs for input and output guardrails.
+
+    Calls:
+        GET /validators/configs/?organization_id={organization_id}&project_id={project_id}&ids={uuid}
+    """
+    input_validator_config_ids = [
+        validator_config.validator_config_id
+        for validator_config in (input_validator_configs or [])
+    ]
+    output_validator_config_ids = [
+        validator_config.validator_config_id
+        for validator_config in (output_validator_configs or [])
+    ]
+
+    if not input_validator_config_ids and not output_validator_config_ids:
+        return [], []
+
+    headers = {
+        "accept": "application/json",
+        "Authorization": f"Bearer {settings.KAAPI_GUARDRAILS_AUTH}",
+        "Content-Type": "application/json",
+    }
+
+    endpoint = f"{settings.KAAPI_GUARDRAILS_URL}/validators/configs/"
+
+    def _build_params(validator_ids: list[UUID]) -> dict[str, Any]:
+        params = {
+            "organization_id": organization_id,
+            "project_id": project_id,
+            "ids": [str(validator_config_id) for validator_config_id in validator_ids],
+        }
+        return {key: value for key, value in params.items() if value is not None}
+
+    try:
+        with httpx.Client(timeout=10.0) as client:
+
+            def _fetch_by_ids(validator_ids: list[UUID]) -> list[dict[str, Any]]:
+                if not validator_ids:
+                    return []
+
+                response = client.get(
+                    endpoint,
+                    params=_build_params(validator_ids),
+                    headers=headers,
+                )
+                response.raise_for_status()
+
+                payload = response.json()
+                if not isinstance(payload, dict):
+                    raise ValueError(
+                        "Invalid validators response format: expected JSON object."
+                    )
+
+                if not payload.get("success", False):
+                    raise ValueError(
+                        "Validator config fetch failed: `success` is false."
+                    )
+
+                validators = payload.get("data", [])
+                if not isinstance(validators, list):
+                    raise ValueError(
+                        "Invalid validators response format: `data` must be a list."
+                    )
+
+                return [
+                    validator for validator in validators if isinstance(validator, dict)
+                ]
+
+            input_guardrails = _fetch_by_ids(input_validator_config_ids)
+            output_guardrails = _fetch_by_ids(output_validator_config_ids)
+            return input_guardrails, output_guardrails
+
+    except Exception as e:
+        logger.warning(
+            "[list_validators_config] Guardrails service unavailable or invalid response. "
+            "Proceeding without input/output guardrails. "
+            f"input_validator_config_ids={input_validator_config_ids}, output_validator_config_ids={output_validator_config_ids}, "
+            f"organization_id={organization_id}, "
+            f"project_id={project_id}, endpoint={endpoint}, error={e}"
+        )
+        return [], []