Configuration reference

The agentgateway schema is available as a JSON schema. Review this page for more information about the schema and how to use it.

Config file validation

Many integrated development environments (IDEs) and editors support schema validation for your standalone agentgateway configuration file.

Default schema validation off main The examples throughout the docs use the following schema that redirects to the agentgateway config on main.

# yaml-language-server: $schema=https://agentgateway.dev/schema/config

Version-specific schema validation

Replace $VERSION in the following schema with the version of agentgateway that you are using, such as 0.12.0.

# yaml-language-server: $schema=https://raw.githubusercontent.com/agentgateway/agentgateway/refs/tags/$VERSION/schema/config.json

For example:

# yaml-language-server: $schema=https://raw.githubusercontent.com/agentgateway/agentgateway/refs/tags/v0.12.0/schema/config.json

Schema

The following table shows the complete agentgateway configuration file schema, with columns for the field and description.

Field	Description
`config`
`config.enableIpv6`
`config.localXdsPath`	Local XDS path. If not specified, the current configuration file will be used.
`config.caAddress`
`config.caAuthToken`
`config.xdsAddress`
`config.xdsAuthToken`
`config.namespace`
`config.gateway`
`config.trustDomain`
`config.serviceAccount`
`config.clusterId`
`config.network`
`config.adminAddr`	Admin UI address in the format “ip:port”
`config.statsAddr`	Stats/metrics server address in the format “ip:port”
`config.readinessAddr`	Readiness probe server address in the format “ip:port”
`config.session`	Configuration for stateful session management
`config.session.key`	The signing key to be used. If not set, sessions will not be encrypted. For example, generated via `openssl rand -hex 32`.
`config.connectionTerminationDeadline`
`config.connectionMinTerminationDeadline`
`config.workerThreads`
`config.tracing`
`config.tracing.otlpEndpoint`
`config.tracing.headers`
`config.tracing.otlpProtocol`
`config.tracing.fields`
`config.tracing.fields.remove`
`config.tracing.fields.add`
`config.tracing.randomSampling`	Expression to determine the amount of random sampling. Random sampling will initiate a new trace span if the incoming request does not have a trace already. This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false. This defaults to ‘false’.
`config.tracing.clientSampling`	Expression to determine the amount of client sampling. Client sampling determines whether to initiate a new trace span if the incoming request does have a trace already. This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false. This defaults to ’true'.
`config.tracing.path`	OTLP path. Default is /v1/traces
`config.logging`
`config.logging.filter`
`config.logging.fields`
`config.logging.fields.remove`
`config.logging.fields.add`
`config.logging.level`
`config.logging.format`
`config.metrics`
`config.metrics.remove`
`config.metrics.fields`
`config.metrics.fields.add`
`config.backend`
`config.backend.keepalives`
`config.backend.keepalives.enabled`
`config.backend.keepalives.time`
`config.backend.keepalives.interval`
`config.backend.keepalives.retries`
`config.backend.connectTimeout`
`config.backend.poolIdleTimeout`	The maximum duration to keep an idle connection alive.
`config.backend.poolMaxSize`	The maximum number of connections allowed in the pool, per hostname. If set, this will limit the total number of connections kept alive to any given host. Note: excess connections will still be created, they will just not remain idle. If unset, there is no limit
`config.hbone`
`config.hbone.windowSize`
`config.hbone.connectionWindowSize`
`config.hbone.frameSize`
`config.hbone.poolMaxStreamsPerConn`
`config.hbone.poolUnusedReleaseTimeout`
`binds`
`binds[].port`
`binds[].listeners`
`binds[].listeners[].name`
`binds[].listeners[].namespace`
`binds[].listeners[].hostname`	Can be a wildcard
`binds[].listeners[].protocol`
`binds[].listeners[].tls`
`binds[].listeners[].tls.cert`
`binds[].listeners[].tls.key`
`binds[].listeners[].tls.root`
`binds[].listeners[].tls.cipherSuites`	Optional cipher suite allowlist (order is preserved).
`binds[].listeners[].tls.minTLSVersion`	Minimum supported TLS version (only TLS 1.2 and 1.3 are supported).
`binds[].listeners[].tls.maxTLSVersion`	Maximum supported TLS version (only TLS 1.2 and 1.3 are supported).
`binds[].listeners[].routes`
`binds[].listeners[].routes[].name`
`binds[].listeners[].routes[].namespace`
`binds[].listeners[].routes[].ruleName`
`binds[].listeners[].routes[].hostnames`	Can be a wildcard
`binds[].listeners[].routes[].matches`
`binds[].listeners[].routes[].matches[].headers`
`binds[].listeners[].routes[].matches[].headers[].name`
`binds[].listeners[].routes[].matches[].headers[].value`
`binds[].listeners[].routes[].matches[].headers[].value.(1)exact`
`binds[].listeners[].routes[].matches[].headers[].value.(1)regex`
`binds[].listeners[].routes[].matches[].path`
`binds[].listeners[].routes[].matches[].path.(1)exact`
`binds[].listeners[].routes[].matches[].path.(1)pathPrefix`
`binds[].listeners[].routes[].matches[].path.(1)regex`
`binds[].listeners[].routes[].matches[].method`
`binds[].listeners[].routes[].matches[].query`
`binds[].listeners[].routes[].matches[].query[].name`
`binds[].listeners[].routes[].matches[].query[].value`
`binds[].listeners[].routes[].matches[].query[].value.(1)exact`
`binds[].listeners[].routes[].matches[].query[].value.(1)regex`
`binds[].listeners[].routes[].policies`
`binds[].listeners[].routes[].policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.urlRewrite`	Modify the URL path or authority.
`binds[].listeners[].routes[].policies.urlRewrite.authority`
`binds[].listeners[].routes[].policies.urlRewrite.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.urlRewrite.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.urlRewrite.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.urlRewrite.path`
`binds[].listeners[].routes[].policies.urlRewrite.path.(any)(1)full`
`binds[].listeners[].routes[].policies.urlRewrite.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.requestMirror`	Mirror incoming requests to another destination.
`binds[].listeners[].routes[].policies.requestMirror.backend`
`binds[].listeners[].routes[].policies.requestMirror.backend.(1)service`
`binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.name`
`binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.name.namespace`
`binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.name.hostname`
`binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.port`
`binds[].listeners[].routes[].policies.requestMirror.backend.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].policies.requestMirror.backend.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].policies.requestMirror.percentage`
`binds[].listeners[].routes[].policies.directResponse`	Directly respond to the request with a static response.
`binds[].listeners[].routes[].policies.directResponse.body`
`binds[].listeners[].routes[].policies.directResponse.status`
`binds[].listeners[].routes[].policies.cors`	Handle CORS preflight requests and append configured CORS headers to applicable requests.
`binds[].listeners[].routes[].policies.cors.allowCredentials`
`binds[].listeners[].routes[].policies.cors.allowHeaders`
`binds[].listeners[].routes[].policies.cors.allowMethods`
`binds[].listeners[].routes[].policies.cors.allowOrigins`
`binds[].listeners[].routes[].policies.cors.exposeHeaders`
`binds[].listeners[].routes[].policies.cors.maxAge`
`binds[].listeners[].routes[].policies.mcpAuthorization`	Authorization policies for MCP access.
`binds[].listeners[].routes[].policies.mcpAuthorization.rules`
`binds[].listeners[].routes[].policies.authorization`	Authorization policies for HTTP access.
`binds[].listeners[].routes[].policies.authorization.rules`
`binds[].listeners[].routes[].policies.mcpAuthentication`	Authentication for MCP clients.
`binds[].listeners[].routes[].policies.mcpAuthentication.issuer`
`binds[].listeners[].routes[].policies.mcpAuthentication.audiences`
`binds[].listeners[].routes[].policies.mcpAuthentication.provider`
`binds[].listeners[].routes[].policies.mcpAuthentication.provider.(any)(1)auth0`
`binds[].listeners[].routes[].policies.mcpAuthentication.provider.(any)(1)keycloak`
`binds[].listeners[].routes[].policies.mcpAuthentication.resourceMetadata`
`binds[].listeners[].routes[].policies.mcpAuthentication.jwks`
`binds[].listeners[].routes[].policies.mcpAuthentication.jwks.(any)file`
`binds[].listeners[].routes[].policies.mcpAuthentication.jwks.(any)url`
`binds[].listeners[].routes[].policies.mcpAuthentication.mode`
`binds[].listeners[].routes[].policies.mcpAuthentication.jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`binds[].listeners[].routes[].policies.mcpAuthentication.jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`binds[].listeners[].routes[].policies.a2a`	Mark this traffic as A2A to enable A2A processing and telemetry.
`binds[].listeners[].routes[].policies.ai`	Mark this as LLM traffic to enable LLM processing.
`binds[].listeners[].routes[].policies.ai.promptGuard`
`binds[].listeners[].routes[].policies.ai.promptGuard.request`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.action`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.rules`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.status`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.action`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.rules`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.body`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.status`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers.add`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers.set`
`binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers.remove`
`binds[].listeners[].routes[].policies.ai.defaults`
`binds[].listeners[].routes[].policies.ai.overrides`
`binds[].listeners[].routes[].policies.ai.transformations`
`binds[].listeners[].routes[].policies.ai.prompts`
`binds[].listeners[].routes[].policies.ai.prompts.append`
`binds[].listeners[].routes[].policies.ai.prompts.append[].role`
`binds[].listeners[].routes[].policies.ai.prompts.append[].content`
`binds[].listeners[].routes[].policies.ai.prompts.prepend`
`binds[].listeners[].routes[].policies.ai.prompts.prepend[].role`
`binds[].listeners[].routes[].policies.ai.prompts.prepend[].content`
`binds[].listeners[].routes[].policies.ai.modelAliases`
`binds[].listeners[].routes[].policies.ai.promptCaching`
`binds[].listeners[].routes[].policies.ai.promptCaching.cacheSystem`
`binds[].listeners[].routes[].policies.ai.promptCaching.cacheMessages`
`binds[].listeners[].routes[].policies.ai.promptCaching.cacheTools`
`binds[].listeners[].routes[].policies.ai.promptCaching.minTokens`
`binds[].listeners[].routes[].policies.ai.routes`
`binds[].listeners[].routes[].policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.backendTLS.key`
`binds[].listeners[].routes[].policies.backendTLS.root`
`binds[].listeners[].routes[].policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.localRateLimit`	Rate limit incoming requests. State is kept local.
`binds[].listeners[].routes[].policies.localRateLimit[].maxTokens`
`binds[].listeners[].routes[].policies.localRateLimit[].tokensPerFill`
`binds[].listeners[].routes[].policies.localRateLimit[].fillInterval`
`binds[].listeners[].routes[].policies.localRateLimit[].type`
`binds[].listeners[].routes[].policies.remoteRateLimit`	Rate limit incoming requests. State is managed by a remote server.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.name`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.name.namespace`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.name.hostname`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.port`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)host`	Hostname or IP address
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)domain`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies`	Policies to connect to the backend
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.add`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.set`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.body`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.add`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.set`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.body`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.key`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.root`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.http.version`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].entries`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].entries[].key`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].entries[].value`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].type`
`binds[].listeners[].routes[].policies.remoteRateLimit.(any)failureMode`	Behavior when the remote rate limit service is unavailable or returns an error. Defaults to failClosed, denying requests with a 500 status on service failure.
`binds[].listeners[].routes[].policies.jwtAuth`	Authenticate incoming JWT requests.
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)mode`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].issuer`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].audiences`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwks`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwks.(any)file`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwks.(any)url`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)mode`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)issuer`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)audiences`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwks`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwks.(any)file`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwks.(any)url`
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`binds[].listeners[].routes[].policies.basicAuth`	Authenticate incoming requests using Basic Authentication with htpasswd.
`binds[].listeners[].routes[].policies.basicAuth.htpasswd`	.htpasswd file contents/reference
`binds[].listeners[].routes[].policies.basicAuth.htpasswd.(any)file`
`binds[].listeners[].routes[].policies.basicAuth.realm`	Realm name for the WWW-Authenticate header
`binds[].listeners[].routes[].policies.basicAuth.mode`	Validation mode for basic authentication
`binds[].listeners[].routes[].policies.apiKey`	Authenticate incoming requests using API Keys
`binds[].listeners[].routes[].policies.apiKey.keys`	List of API keys
`binds[].listeners[].routes[].policies.apiKey.keys[].key`
`binds[].listeners[].routes[].policies.apiKey.keys[].metadata`
`binds[].listeners[].routes[].policies.apiKey.mode`	Validation mode for API keys
`binds[].listeners[].routes[].policies.extAuthz`	Authenticate incoming requests by calling an external authorization server.
`binds[].listeners[].routes[].policies.extAuthz.(any)(1)service`
`binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.name`
`binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.name.namespace`
`binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.name.hostname`
`binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.port`
`binds[].listeners[].routes[].policies.extAuthz.(any)(1)host`	Hostname or IP address
`binds[].listeners[].routes[].policies.extAuthz.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].policies.extAuthz.(any)policies`	Policies to connect to the backend
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.add`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.set`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.body`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.add`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.set`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.body`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.key`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.root`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.http.version`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol`	The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended.
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)grpc`
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)grpc.context`	Additional context to send to the authorization service. This maps to the `context_extensions` field of the request, and only allows static values.
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)grpc.metadata`	Additional metadata to send to the authorization service. This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http`
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.path`
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.redirect`	When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error.
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders`	Specific headers from the authorization response will be copied into the request to the backend.
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.addRequestHeaders`	Specific headers to add in the authorization request (empty = all headers), based on the expression
`binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.metadata`	Metadata to include under the `extauthz` variable, based on the authorization response.
`binds[].listeners[].routes[].policies.extAuthz.(any)failureMode`	Behavior when the authorization service is unavailable or returns an error
`binds[].listeners[].routes[].policies.extAuthz.(any)failureMode.(1)denyWithStatus`
`binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestHeaders`	Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’.
`binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody`	Options for including the request body in the authorization request
`binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody.maxRequestBytes`	Maximum size of request body to buffer (default: 8192)
`binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody.allowPartialMessage`	If true, send partial body when max_request_bytes is reached
`binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody.packAsBytes`	If true, pack body as raw bytes in gRPC
`binds[].listeners[].routes[].policies.extProc`	Extend agentgateway with an external processor
`binds[].listeners[].routes[].policies.extProc.(any)(1)service`
`binds[].listeners[].routes[].policies.extProc.(any)(1)service.name`
`binds[].listeners[].routes[].policies.extProc.(any)(1)service.name.namespace`
`binds[].listeners[].routes[].policies.extProc.(any)(1)service.name.hostname`
`binds[].listeners[].routes[].policies.extProc.(any)(1)service.port`
`binds[].listeners[].routes[].policies.extProc.(any)(1)host`	Hostname or IP address
`binds[].listeners[].routes[].policies.extProc.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].policies.extProc.(any)policies`	Policies to connect to the backend
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.scheme`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.path`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.status`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.add`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.set`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.body`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.add`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.set`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.body`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.cert`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.key`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.root`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.hostname`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.insecure`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.alpn`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].policies.extProc.(any)policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].policies.extProc.(any)policies.http.version`
`binds[].listeners[].routes[].policies.extProc.(any)policies.http.requestTimeout`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.time`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.connectTimeout`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].policies.extProc.(any)failureMode`	Behavior when the ext_proc service is unavailable or returns an error
`binds[].listeners[].routes[].policies.extProc.(any)metadataContext`	Additional metadata to send to the external processing service. Maps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.
`binds[].listeners[].routes[].policies.extProc.(any)requestAttributes`	Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`binds[].listeners[].routes[].policies.extProc.(any)responseAttributes`	Maps to the response `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`binds[].listeners[].routes[].policies.transformations`	Modify requests and responses
`binds[].listeners[].routes[].policies.transformations.request`
`binds[].listeners[].routes[].policies.transformations.request.add`
`binds[].listeners[].routes[].policies.transformations.request.set`
`binds[].listeners[].routes[].policies.transformations.request.remove`
`binds[].listeners[].routes[].policies.transformations.request.body`
`binds[].listeners[].routes[].policies.transformations.response`
`binds[].listeners[].routes[].policies.transformations.response.add`
`binds[].listeners[].routes[].policies.transformations.response.set`
`binds[].listeners[].routes[].policies.transformations.response.remove`
`binds[].listeners[].routes[].policies.transformations.response.body`
`binds[].listeners[].routes[].policies.csrf`	Handle CSRF protection by validating request origins against configured allowed origins.
`binds[].listeners[].routes[].policies.csrf.additionalOrigins`
`binds[].listeners[].routes[].policies.timeout`	Timeout requests that exceed the configured duration.
`binds[].listeners[].routes[].policies.timeout.requestTimeout`
`binds[].listeners[].routes[].policies.timeout.backendRequestTimeout`
`binds[].listeners[].routes[].policies.retry`	Retry matching requests.
`binds[].listeners[].routes[].policies.retry.attempts`
`binds[].listeners[].routes[].policies.retry.backoff`
`binds[].listeners[].routes[].policies.retry.codes`
`binds[].listeners[].routes[].backends`
`binds[].listeners[].routes[].backends[].(1)service`
`binds[].listeners[].routes[].backends[].(1)service.name`
`binds[].listeners[].routes[].backends[].(1)service.name.namespace`
`binds[].listeners[].routes[].backends[].(1)service.name.hostname`
`binds[].listeners[].routes[].backends[].(1)service.port`
`binds[].listeners[].routes[].backends[].(1)host`
`binds[].listeners[].routes[].backends[].(1)dynamic`
`binds[].listeners[].routes[].backends[].(1)mcp`
`binds[].listeners[].routes[].backends[].(1)mcp.targets`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse.host`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse.port`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse.path`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp.host`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp.port`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp.path`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio.cmd`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio.args`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio.env`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.host`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.port`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.path`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.schema`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.schema.(any)file`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.schema.(any)url`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].name`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.http.version`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.mcpAuthorization`	Authorization policies for MCP access.
`binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.mcpAuthorization.rules`
`binds[].listeners[].routes[].backends[].(1)mcp.statefulMode`
`binds[].listeners[].routes[].backends[].(1)mcp.prefixMode`
`binds[].listeners[].routes[].backends[].(1)ai`
`binds[].listeners[].routes[].backends[].(1)ai.(any)name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)openAI`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)openAI.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)gemini`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)gemini.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex.region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex.projectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)anthropic`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)anthropic.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.guardrailIdentifier`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.guardrailVersion`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI.host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI.apiVersion`
`binds[].listeners[].routes[].backends[].(1)ai.(any)hostOverride`
`binds[].listeners[].routes[].backends[].(1)ai.(any)pathOverride`
`binds[].listeners[].routes[].backends[].(1)ai.(any)tokenize`	Whether to tokenize on the request flow. This enables us to do more accurate rate limits, since we know (part of) the cost of the request upfront. This comes with the cost of an expensive operation.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.mcpAuthorization`	Authorization policies for MCP access.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.mcpAuthorization.rules`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.a2a`	Mark this traffic as A2A to enable A2A processing and telemetry.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai`	Mark this as LLM traffic to enable LLM processing.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.action`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.rules`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.action`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.rules`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.defaults`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.overrides`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.transformations`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.append`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.append[].role`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.append[].content`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.prepend`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.prepend[].role`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.prepend[].content`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.modelAliases`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.cacheSystem`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.cacheMessages`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.cacheTools`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.minTokens`
`binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.routes`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)openAI`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)openAI.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)gemini`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)gemini.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex.region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex.projectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)anthropic`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)anthropic.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.guardrailIdentifier`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.guardrailVersion`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI.model`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI.host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI.apiVersion`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].hostOverride`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].pathOverride`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].tokenize`	Whether to tokenize on the request flow. This enables us to do more accurate rate limits, since we know (part of) the cost of the request upfront. This comes with the cost of an expensive operation.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.mcpAuthorization`	Authorization policies for MCP access.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.mcpAuthorization.rules`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.a2a`	Mark this traffic as A2A to enable A2A processing and telemetry.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai`	Mark this as LLM traffic to enable LLM processing.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.action`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.rules`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.action`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.rules`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.body`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.status`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers.add`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers.set`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers.remove`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.defaults`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.overrides`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.transformations`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.append`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.append[].role`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.append[].content`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.prepend`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.prepend[].role`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.prepend[].content`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.modelAliases`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.cacheSystem`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.cacheMessages`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.cacheTools`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.minTokens`
`binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.routes`
`binds[].listeners[].routes[].backends[].weight`
`binds[].listeners[].routes[].backends[].policies`
`binds[].listeners[].routes[].backends[].policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].policies.transformations.request`
`binds[].listeners[].routes[].backends[].policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].policies.transformations.response`
`binds[].listeners[].routes[].backends[].policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].policies.http.version`
`binds[].listeners[].routes[].backends[].policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].policies.mcpAuthorization`	Authorization policies for MCP access.
`binds[].listeners[].routes[].backends[].policies.mcpAuthorization.rules`
`binds[].listeners[].routes[].backends[].policies.a2a`	Mark this traffic as A2A to enable A2A processing and telemetry.
`binds[].listeners[].routes[].backends[].policies.ai`	Mark this as LLM traffic to enable LLM processing.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.action`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.rules`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.status`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.action`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.rules`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host`	Hostname or IP address
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId`	The GCP project ID
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.body`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.status`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers.add`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers.set`
`binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers.remove`
`binds[].listeners[].routes[].backends[].policies.ai.defaults`
`binds[].listeners[].routes[].backends[].policies.ai.overrides`
`binds[].listeners[].routes[].backends[].policies.ai.transformations`
`binds[].listeners[].routes[].backends[].policies.ai.prompts`
`binds[].listeners[].routes[].backends[].policies.ai.prompts.append`
`binds[].listeners[].routes[].backends[].policies.ai.prompts.append[].role`
`binds[].listeners[].routes[].backends[].policies.ai.prompts.append[].content`
`binds[].listeners[].routes[].backends[].policies.ai.prompts.prepend`
`binds[].listeners[].routes[].backends[].policies.ai.prompts.prepend[].role`
`binds[].listeners[].routes[].backends[].policies.ai.prompts.prepend[].content`
`binds[].listeners[].routes[].backends[].policies.ai.modelAliases`
`binds[].listeners[].routes[].backends[].policies.ai.promptCaching`
`binds[].listeners[].routes[].backends[].policies.ai.promptCaching.cacheSystem`
`binds[].listeners[].routes[].backends[].policies.ai.promptCaching.cacheMessages`
`binds[].listeners[].routes[].backends[].policies.ai.promptCaching.cacheTools`
`binds[].listeners[].routes[].backends[].policies.ai.promptCaching.minTokens`
`binds[].listeners[].routes[].backends[].policies.ai.routes`
`binds[].listeners[].tcpRoutes`
`binds[].listeners[].tcpRoutes[].name`
`binds[].listeners[].tcpRoutes[].namespace`
`binds[].listeners[].tcpRoutes[].ruleName`
`binds[].listeners[].tcpRoutes[].hostnames`	Can be a wildcard
`binds[].listeners[].tcpRoutes[].policies`
`binds[].listeners[].tcpRoutes[].policies.backendTLS`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.cert`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.key`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.root`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.hostname`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.insecure`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.insecureHost`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.alpn`
`binds[].listeners[].tcpRoutes[].policies.backendTLS.subjectAltNames`
`binds[].listeners[].tcpRoutes[].backends`
`binds[].listeners[].tcpRoutes[].backends[].(1)service`
`binds[].listeners[].tcpRoutes[].backends[].(1)service.name`
`binds[].listeners[].tcpRoutes[].backends[].(1)service.name.namespace`
`binds[].listeners[].tcpRoutes[].backends[].(1)service.name.hostname`
`binds[].listeners[].tcpRoutes[].backends[].(1)service.port`
`binds[].listeners[].tcpRoutes[].backends[].(1)host`	Hostname or IP address
`binds[].listeners[].tcpRoutes[].backends[].(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].tcpRoutes[].backends[].weight`
`binds[].listeners[].tcpRoutes[].backends[].policies`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.cert`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.key`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.root`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.hostname`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.insecure`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.insecureHost`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.alpn`
`binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.subjectAltNames`
`binds[].listeners[].policies`
`binds[].listeners[].policies.jwtAuth`	Authenticate incoming JWT requests.
`binds[].listeners[].policies.jwtAuth.(any)(any)mode`
`binds[].listeners[].policies.jwtAuth.(any)(any)providers`
`binds[].listeners[].policies.jwtAuth.(any)(any)providers[].issuer`
`binds[].listeners[].policies.jwtAuth.(any)(any)providers[].audiences`
`binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwks`
`binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwks.(any)file`
`binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwks.(any)url`
`binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`binds[].listeners[].policies.jwtAuth.(any)(any)mode`
`binds[].listeners[].policies.jwtAuth.(any)(any)issuer`
`binds[].listeners[].policies.jwtAuth.(any)(any)audiences`
`binds[].listeners[].policies.jwtAuth.(any)(any)jwks`
`binds[].listeners[].policies.jwtAuth.(any)(any)jwks.(any)file`
`binds[].listeners[].policies.jwtAuth.(any)(any)jwks.(any)url`
`binds[].listeners[].policies.jwtAuth.(any)(any)jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`binds[].listeners[].policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`binds[].listeners[].policies.extAuthz`	Authenticate incoming requests by calling an external authorization server.
`binds[].listeners[].policies.extAuthz.(any)(1)service`
`binds[].listeners[].policies.extAuthz.(any)(1)service.name`
`binds[].listeners[].policies.extAuthz.(any)(1)service.name.namespace`
`binds[].listeners[].policies.extAuthz.(any)(1)service.name.hostname`
`binds[].listeners[].policies.extAuthz.(any)(1)service.port`
`binds[].listeners[].policies.extAuthz.(any)(1)host`	Hostname or IP address
`binds[].listeners[].policies.extAuthz.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].policies.extAuthz.(any)policies`	Policies to connect to the backend
`binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier.add`
`binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier.set`
`binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier.remove`
`binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier.add`
`binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier.set`
`binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier.remove`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.scheme`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.path`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.status`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.request`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.add`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.set`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.remove`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.body`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.response`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.add`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.set`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.remove`
`binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.body`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.cert`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.key`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.root`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.hostname`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.insecure`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.insecureHost`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.alpn`
`binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.subjectAltNames`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].policies.extAuthz.(any)policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].policies.extAuthz.(any)policies.http.version`
`binds[].listeners[].policies.extAuthz.(any)policies.http.requestTimeout`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.enabled`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.time`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.interval`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.retries`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.connectTimeout`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.connectTimeout.secs`
`binds[].listeners[].policies.extAuthz.(any)policies.tcp.connectTimeout.nanos`
`binds[].listeners[].policies.extAuthz.(any)protocol`	The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended.
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)grpc`
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)grpc.context`	Additional context to send to the authorization service. This maps to the `context_extensions` field of the request, and only allows static values.
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)grpc.metadata`	Additional metadata to send to the authorization service. This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)http`
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.path`
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.redirect`	When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error.
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders`	Specific headers from the authorization response will be copied into the request to the backend.
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.addRequestHeaders`	Specific headers to add in the authorization request (empty = all headers), based on the expression
`binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.metadata`	Metadata to include under the `extauthz` variable, based on the authorization response.
`binds[].listeners[].policies.extAuthz.(any)failureMode`	Behavior when the authorization service is unavailable or returns an error
`binds[].listeners[].policies.extAuthz.(any)failureMode.(1)denyWithStatus`
`binds[].listeners[].policies.extAuthz.(any)includeRequestHeaders`	Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’.
`binds[].listeners[].policies.extAuthz.(any)includeRequestBody`	Options for including the request body in the authorization request
`binds[].listeners[].policies.extAuthz.(any)includeRequestBody.maxRequestBytes`	Maximum size of request body to buffer (default: 8192)
`binds[].listeners[].policies.extAuthz.(any)includeRequestBody.allowPartialMessage`	If true, send partial body when max_request_bytes is reached
`binds[].listeners[].policies.extAuthz.(any)includeRequestBody.packAsBytes`	If true, pack body as raw bytes in gRPC
`binds[].listeners[].policies.extProc`	Extend agentgateway with an external processor
`binds[].listeners[].policies.extProc.(any)(1)service`
`binds[].listeners[].policies.extProc.(any)(1)service.name`
`binds[].listeners[].policies.extProc.(any)(1)service.name.namespace`
`binds[].listeners[].policies.extProc.(any)(1)service.name.hostname`
`binds[].listeners[].policies.extProc.(any)(1)service.port`
`binds[].listeners[].policies.extProc.(any)(1)host`	Hostname or IP address
`binds[].listeners[].policies.extProc.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`binds[].listeners[].policies.extProc.(any)policies`	Policies to connect to the backend
`binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier.add`
`binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier.set`
`binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier.remove`
`binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier.add`
`binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier.set`
`binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier.remove`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.scheme`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.path`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)full`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix`
`binds[].listeners[].policies.extProc.(any)policies.requestRedirect.status`
`binds[].listeners[].policies.extProc.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`binds[].listeners[].policies.extProc.(any)policies.transformations.request`
`binds[].listeners[].policies.extProc.(any)policies.transformations.request.add`
`binds[].listeners[].policies.extProc.(any)policies.transformations.request.set`
`binds[].listeners[].policies.extProc.(any)policies.transformations.request.remove`
`binds[].listeners[].policies.extProc.(any)policies.transformations.request.body`
`binds[].listeners[].policies.extProc.(any)policies.transformations.response`
`binds[].listeners[].policies.extProc.(any)policies.transformations.response.add`
`binds[].listeners[].policies.extProc.(any)policies.transformations.response.set`
`binds[].listeners[].policies.extProc.(any)policies.transformations.response.remove`
`binds[].listeners[].policies.extProc.(any)policies.transformations.response.body`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS`	Send TLS to the backend.
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.cert`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.key`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.root`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.hostname`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.insecure`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.insecureHost`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.alpn`
`binds[].listeners[].policies.extProc.(any)policies.backendTLS.subjectAltNames`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth`	Authenticate to the backend.
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)passthrough`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)key`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`binds[].listeners[].policies.extProc.(any)policies.http`	Specify HTTP settings for the backend
`binds[].listeners[].policies.extProc.(any)policies.http.version`
`binds[].listeners[].policies.extProc.(any)policies.http.requestTimeout`
`binds[].listeners[].policies.extProc.(any)policies.tcp`	Specify TCP settings for the backend
`binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives`
`binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.enabled`
`binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.time`
`binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.interval`
`binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.retries`
`binds[].listeners[].policies.extProc.(any)policies.tcp.connectTimeout`
`binds[].listeners[].policies.extProc.(any)policies.tcp.connectTimeout.secs`
`binds[].listeners[].policies.extProc.(any)policies.tcp.connectTimeout.nanos`
`binds[].listeners[].policies.extProc.(any)failureMode`	Behavior when the ext_proc service is unavailable or returns an error
`binds[].listeners[].policies.extProc.(any)metadataContext`	Additional metadata to send to the external processing service. Maps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.
`binds[].listeners[].policies.extProc.(any)requestAttributes`	Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`binds[].listeners[].policies.extProc.(any)responseAttributes`	Maps to the response `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`binds[].listeners[].policies.transformations`	Modify requests and responses
`binds[].listeners[].policies.transformations.request`
`binds[].listeners[].policies.transformations.request.add`
`binds[].listeners[].policies.transformations.request.set`
`binds[].listeners[].policies.transformations.request.remove`
`binds[].listeners[].policies.transformations.request.body`
`binds[].listeners[].policies.transformations.response`
`binds[].listeners[].policies.transformations.response.add`
`binds[].listeners[].policies.transformations.response.set`
`binds[].listeners[].policies.transformations.response.remove`
`binds[].listeners[].policies.transformations.response.body`
`binds[].listeners[].policies.basicAuth`	Authenticate incoming requests using Basic Authentication with htpasswd.
`binds[].listeners[].policies.basicAuth.htpasswd`	.htpasswd file contents/reference
`binds[].listeners[].policies.basicAuth.htpasswd.(any)file`
`binds[].listeners[].policies.basicAuth.realm`	Realm name for the WWW-Authenticate header
`binds[].listeners[].policies.basicAuth.mode`	Validation mode for basic authentication
`binds[].listeners[].policies.apiKey`	Authenticate incoming requests using API Keys
`binds[].listeners[].policies.apiKey.keys`	List of API keys
`binds[].listeners[].policies.apiKey.keys[].key`
`binds[].listeners[].policies.apiKey.keys[].metadata`
`binds[].listeners[].policies.apiKey.mode`	Validation mode for API keys
`binds[].tunnelProtocol`
`frontendPolicies`
`frontendPolicies.http`	Settings for handling incoming HTTP requests.
`frontendPolicies.http.maxBufferSize`
`frontendPolicies.http.http1MaxHeaders`	The maximum number of headers allowed in a request. Changing this value results in a performance degradation, even if set to a lower value than the default (100)
`frontendPolicies.http.http1IdleTimeout`
`frontendPolicies.http.http2WindowSize`
`frontendPolicies.http.http2ConnectionWindowSize`
`frontendPolicies.http.http2FrameSize`
`frontendPolicies.http.http2KeepaliveInterval`
`frontendPolicies.http.http2KeepaliveTimeout`
`frontendPolicies.tls`	Settings for handling incoming TLS connections.
`frontendPolicies.tls.handshakeTimeout`
`frontendPolicies.tls.alpn`
`frontendPolicies.tls.minVersion`
`frontendPolicies.tls.maxVersion`
`frontendPolicies.tls.cipherSuites`
`frontendPolicies.tcp`	Settings for handling incoming TCP connections.
`frontendPolicies.tcp.keepalives`
`frontendPolicies.tcp.keepalives.enabled`
`frontendPolicies.tcp.keepalives.time`
`frontendPolicies.tcp.keepalives.interval`
`frontendPolicies.tcp.keepalives.retries`
`frontendPolicies.accessLog`	Settings for request access logs.
`frontendPolicies.accessLog.filter`
`frontendPolicies.accessLog.add`
`frontendPolicies.accessLog.remove`
`frontendPolicies.tracing`
`frontendPolicies.tracing.(any)(1)service`
`frontendPolicies.tracing.(any)(1)service.name`
`frontendPolicies.tracing.(any)(1)service.name.namespace`
`frontendPolicies.tracing.(any)(1)service.name.hostname`
`frontendPolicies.tracing.(any)(1)service.port`
`frontendPolicies.tracing.(any)(1)host`	Hostname or IP address
`frontendPolicies.tracing.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`frontendPolicies.tracing.(any)policies`	Policies to connect to the backend
`frontendPolicies.tracing.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`frontendPolicies.tracing.(any)policies.requestHeaderModifier.add`
`frontendPolicies.tracing.(any)policies.requestHeaderModifier.set`
`frontendPolicies.tracing.(any)policies.requestHeaderModifier.remove`
`frontendPolicies.tracing.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`frontendPolicies.tracing.(any)policies.responseHeaderModifier.add`
`frontendPolicies.tracing.(any)policies.responseHeaderModifier.set`
`frontendPolicies.tracing.(any)policies.responseHeaderModifier.remove`
`frontendPolicies.tracing.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`frontendPolicies.tracing.(any)policies.requestRedirect.scheme`
`frontendPolicies.tracing.(any)policies.requestRedirect.authority`
`frontendPolicies.tracing.(any)policies.requestRedirect.authority.(any)(1)full`
`frontendPolicies.tracing.(any)policies.requestRedirect.authority.(any)(1)host`
`frontendPolicies.tracing.(any)policies.requestRedirect.authority.(any)(1)port`
`frontendPolicies.tracing.(any)policies.requestRedirect.path`
`frontendPolicies.tracing.(any)policies.requestRedirect.path.(any)(1)full`
`frontendPolicies.tracing.(any)policies.requestRedirect.path.(any)(1)prefix`
`frontendPolicies.tracing.(any)policies.requestRedirect.status`
`frontendPolicies.tracing.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`frontendPolicies.tracing.(any)policies.transformations.request`
`frontendPolicies.tracing.(any)policies.transformations.request.add`
`frontendPolicies.tracing.(any)policies.transformations.request.set`
`frontendPolicies.tracing.(any)policies.transformations.request.remove`
`frontendPolicies.tracing.(any)policies.transformations.request.body`
`frontendPolicies.tracing.(any)policies.transformations.response`
`frontendPolicies.tracing.(any)policies.transformations.response.add`
`frontendPolicies.tracing.(any)policies.transformations.response.set`
`frontendPolicies.tracing.(any)policies.transformations.response.remove`
`frontendPolicies.tracing.(any)policies.transformations.response.body`
`frontendPolicies.tracing.(any)policies.backendTLS`	Send TLS to the backend.
`frontendPolicies.tracing.(any)policies.backendTLS.cert`
`frontendPolicies.tracing.(any)policies.backendTLS.key`
`frontendPolicies.tracing.(any)policies.backendTLS.root`
`frontendPolicies.tracing.(any)policies.backendTLS.hostname`
`frontendPolicies.tracing.(any)policies.backendTLS.insecure`
`frontendPolicies.tracing.(any)policies.backendTLS.insecureHost`
`frontendPolicies.tracing.(any)policies.backendTLS.alpn`
`frontendPolicies.tracing.(any)policies.backendTLS.subjectAltNames`
`frontendPolicies.tracing.(any)policies.backendAuth`	Authenticate to the backend.
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)passthrough`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)key`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)key.(any)file`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)region`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`frontendPolicies.tracing.(any)policies.http`	Specify HTTP settings for the backend
`frontendPolicies.tracing.(any)policies.http.version`
`frontendPolicies.tracing.(any)policies.http.requestTimeout`
`frontendPolicies.tracing.(any)policies.tcp`	Specify TCP settings for the backend
`frontendPolicies.tracing.(any)policies.tcp.keepalives`
`frontendPolicies.tracing.(any)policies.tcp.keepalives.enabled`
`frontendPolicies.tracing.(any)policies.tcp.keepalives.time`
`frontendPolicies.tracing.(any)policies.tcp.keepalives.interval`
`frontendPolicies.tracing.(any)policies.tcp.keepalives.retries`
`frontendPolicies.tracing.(any)policies.tcp.connectTimeout`
`frontendPolicies.tracing.(any)policies.tcp.connectTimeout.secs`
`frontendPolicies.tracing.(any)policies.tcp.connectTimeout.nanos`
`frontendPolicies.tracing.(any)attributes`	Span attributes to add, keyed by attribute name.
`frontendPolicies.tracing.(any)resources`	Resource attributes to add to the tracer provider (OTel `Resource`). This can be used to set things like `service.name` dynamically.
`frontendPolicies.tracing.(any)remove`	Attribute keys to remove from the emitted span attributes. This is applied before `attributes` are evaluated/added, so it can be used to drop default attributes or avoid duplication.
`frontendPolicies.tracing.(any)randomSampling`	Optional per-policy override for random sampling. If set, overrides global config for requests that use this frontend policy.
`frontendPolicies.tracing.(any)clientSampling`	Optional per-policy override for client sampling. If set, overrides global config for requests that use this frontend policy.
`frontendPolicies.tracing.(any)path`
`frontendPolicies.tracing.(any)protocol`
`policies`	policies defines additional policies that can be attached to various other configurations. This is an advanced feature; users should typically use the inline `policies` field under route/gateway.
`policies[].name`
`policies[].name.name`
`policies[].name.namespace`
`policies[].target`
`policies[].target.(1)gateway`
`policies[].target.(1)gateway.gatewayName`
`policies[].target.(1)gateway.gatewayNamespace`
`policies[].target.(1)gateway.listenerName`
`policies[].target.(1)route`
`policies[].target.(1)route.name`
`policies[].target.(1)route.namespace`
`policies[].target.(1)route.ruleName`
`policies[].target.(1)route.kind`
`policies[].target.(1)backend`
`policies[].target.(1)backend.(1)backend`
`policies[].target.(1)backend.(1)backend.name`
`policies[].target.(1)backend.(1)backend.namespace`
`policies[].target.(1)backend.(1)backend.section`
`policies[].target.(1)backend.(1)service`
`policies[].target.(1)backend.(1)service.hostname`
`policies[].target.(1)backend.(1)service.namespace`
`policies[].target.(1)backend.(1)service.port`
`policies[].phase`	phase defines at what level the policy runs at. Gateway policies run pre-routing, while Route policies apply post-routing. Only a subset of policies are eligible as Gateway policies. In general, normal (route level) policies should be used, except you need the policy to influence routing.
`policies[].policy`
`policies[].policy.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.requestHeaderModifier.add`
`policies[].policy.requestHeaderModifier.set`
`policies[].policy.requestHeaderModifier.remove`
`policies[].policy.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.responseHeaderModifier.add`
`policies[].policy.responseHeaderModifier.set`
`policies[].policy.responseHeaderModifier.remove`
`policies[].policy.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.requestRedirect.scheme`
`policies[].policy.requestRedirect.authority`
`policies[].policy.requestRedirect.authority.(any)(1)full`
`policies[].policy.requestRedirect.authority.(any)(1)host`
`policies[].policy.requestRedirect.authority.(any)(1)port`
`policies[].policy.requestRedirect.path`
`policies[].policy.requestRedirect.path.(any)(1)full`
`policies[].policy.requestRedirect.path.(any)(1)prefix`
`policies[].policy.requestRedirect.status`
`policies[].policy.urlRewrite`	Modify the URL path or authority.
`policies[].policy.urlRewrite.authority`
`policies[].policy.urlRewrite.authority.(any)(1)full`
`policies[].policy.urlRewrite.authority.(any)(1)host`
`policies[].policy.urlRewrite.authority.(any)(1)port`
`policies[].policy.urlRewrite.path`
`policies[].policy.urlRewrite.path.(any)(1)full`
`policies[].policy.urlRewrite.path.(any)(1)prefix`
`policies[].policy.requestMirror`	Mirror incoming requests to another destination.
`policies[].policy.requestMirror.backend`
`policies[].policy.requestMirror.backend.(1)service`
`policies[].policy.requestMirror.backend.(1)service.name`
`policies[].policy.requestMirror.backend.(1)service.name.namespace`
`policies[].policy.requestMirror.backend.(1)service.name.hostname`
`policies[].policy.requestMirror.backend.(1)service.port`
`policies[].policy.requestMirror.backend.(1)host`	Hostname or IP address
`policies[].policy.requestMirror.backend.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`policies[].policy.requestMirror.percentage`
`policies[].policy.directResponse`	Directly respond to the request with a static response.
`policies[].policy.directResponse.body`
`policies[].policy.directResponse.status`
`policies[].policy.cors`	Handle CORS preflight requests and append configured CORS headers to applicable requests.
`policies[].policy.cors.allowCredentials`
`policies[].policy.cors.allowHeaders`
`policies[].policy.cors.allowMethods`
`policies[].policy.cors.allowOrigins`
`policies[].policy.cors.exposeHeaders`
`policies[].policy.cors.maxAge`
`policies[].policy.mcpAuthorization`	Authorization policies for MCP access.
`policies[].policy.mcpAuthorization.rules`
`policies[].policy.authorization`	Authorization policies for HTTP access.
`policies[].policy.authorization.rules`
`policies[].policy.mcpAuthentication`	Authentication for MCP clients.
`policies[].policy.mcpAuthentication.issuer`
`policies[].policy.mcpAuthentication.audiences`
`policies[].policy.mcpAuthentication.provider`
`policies[].policy.mcpAuthentication.provider.(any)(1)auth0`
`policies[].policy.mcpAuthentication.provider.(any)(1)keycloak`
`policies[].policy.mcpAuthentication.resourceMetadata`
`policies[].policy.mcpAuthentication.jwks`
`policies[].policy.mcpAuthentication.jwks.(any)file`
`policies[].policy.mcpAuthentication.jwks.(any)url`
`policies[].policy.mcpAuthentication.mode`
`policies[].policy.mcpAuthentication.jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`policies[].policy.mcpAuthentication.jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`policies[].policy.a2a`	Mark this traffic as A2A to enable A2A processing and telemetry.
`policies[].policy.ai`	Mark this as LLM traffic to enable LLM processing.
`policies[].policy.ai.promptGuard`
`policies[].policy.ai.promptGuard.request`
`policies[].policy.ai.promptGuard.request[].(1)regex`
`policies[].policy.ai.promptGuard.request[].(1)regex.action`
`policies[].policy.ai.promptGuard.request[].(1)regex.rules`
`policies[].policy.ai.promptGuard.request[].(1)regex.rules[].(any)builtin`
`policies[].policy.ai.promptGuard.request[].(1)regex.rules[].(any)pattern`
`policies[].policy.ai.promptGuard.request[].(1)webhook`
`policies[].policy.ai.promptGuard.request[].(1)webhook.target`
`policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service`
`policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.name`
`policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace`
`policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname`
`policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.port`
`policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)host`	Hostname or IP address
`policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches`
`policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name`
`policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value`
`policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.http.version`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.projectId`	The GCP project ID
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`policies[].policy.ai.promptGuard.request[].rejection`
`policies[].policy.ai.promptGuard.request[].rejection.body`
`policies[].policy.ai.promptGuard.request[].rejection.status`
`policies[].policy.ai.promptGuard.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`policies[].policy.ai.promptGuard.request[].rejection.headers.add`
`policies[].policy.ai.promptGuard.request[].rejection.headers.set`
`policies[].policy.ai.promptGuard.request[].rejection.headers.remove`
`policies[].policy.ai.promptGuard.response`
`policies[].policy.ai.promptGuard.response[].(1)regex`
`policies[].policy.ai.promptGuard.response[].(1)regex.action`
`policies[].policy.ai.promptGuard.response[].(1)regex.rules`
`policies[].policy.ai.promptGuard.response[].(1)regex.rules[].(any)builtin`
`policies[].policy.ai.promptGuard.response[].(1)regex.rules[].(any)pattern`
`policies[].policy.ai.promptGuard.response[].(1)webhook`
`policies[].policy.ai.promptGuard.response[].(1)webhook.target`
`policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service`
`policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.name`
`policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace`
`policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname`
`policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.port`
`policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)host`	Hostname or IP address
`policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches`
`policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name`
`policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value`
`policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.projectId`	The GCP project ID
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`policies[].policy.ai.promptGuard.response[].rejection`
`policies[].policy.ai.promptGuard.response[].rejection.body`
`policies[].policy.ai.promptGuard.response[].rejection.status`
`policies[].policy.ai.promptGuard.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`policies[].policy.ai.promptGuard.response[].rejection.headers.add`
`policies[].policy.ai.promptGuard.response[].rejection.headers.set`
`policies[].policy.ai.promptGuard.response[].rejection.headers.remove`
`policies[].policy.ai.defaults`
`policies[].policy.ai.overrides`
`policies[].policy.ai.transformations`
`policies[].policy.ai.prompts`
`policies[].policy.ai.prompts.append`
`policies[].policy.ai.prompts.append[].role`
`policies[].policy.ai.prompts.append[].content`
`policies[].policy.ai.prompts.prepend`
`policies[].policy.ai.prompts.prepend[].role`
`policies[].policy.ai.prompts.prepend[].content`
`policies[].policy.ai.modelAliases`
`policies[].policy.ai.promptCaching`
`policies[].policy.ai.promptCaching.cacheSystem`
`policies[].policy.ai.promptCaching.cacheMessages`
`policies[].policy.ai.promptCaching.cacheTools`
`policies[].policy.ai.promptCaching.minTokens`
`policies[].policy.ai.routes`
`policies[].policy.backendTLS`	Send TLS to the backend.
`policies[].policy.backendTLS.cert`
`policies[].policy.backendTLS.key`
`policies[].policy.backendTLS.root`
`policies[].policy.backendTLS.hostname`
`policies[].policy.backendTLS.insecure`
`policies[].policy.backendTLS.insecureHost`
`policies[].policy.backendTLS.alpn`
`policies[].policy.backendTLS.subjectAltNames`
`policies[].policy.backendAuth`	Authenticate to the backend.
`policies[].policy.backendAuth.(any)(1)passthrough`
`policies[].policy.backendAuth.(any)(1)key`
`policies[].policy.backendAuth.(any)(1)key.(any)file`
`policies[].policy.backendAuth.(any)(1)gcp`
`policies[].policy.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.backendAuth.(any)(1)aws`
`policies[].policy.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.backendAuth.(any)(1)azure`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.localRateLimit`	Rate limit incoming requests. State is kept local.
`policies[].policy.localRateLimit[].maxTokens`
`policies[].policy.localRateLimit[].tokensPerFill`
`policies[].policy.localRateLimit[].fillInterval`
`policies[].policy.localRateLimit[].type`
`policies[].policy.remoteRateLimit`	Rate limit incoming requests. State is managed by a remote server.
`policies[].policy.remoteRateLimit.(any)(1)service`
`policies[].policy.remoteRateLimit.(any)(1)service.name`
`policies[].policy.remoteRateLimit.(any)(1)service.name.namespace`
`policies[].policy.remoteRateLimit.(any)(1)service.name.hostname`
`policies[].policy.remoteRateLimit.(any)(1)service.port`
`policies[].policy.remoteRateLimit.(any)(1)host`	Hostname or IP address
`policies[].policy.remoteRateLimit.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`policies[].policy.remoteRateLimit.(any)domain`
`policies[].policy.remoteRateLimit.(any)policies`	Policies to connect to the backend
`policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier.add`
`policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier.set`
`policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier.remove`
`policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier.add`
`policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier.set`
`policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier.remove`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.scheme`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.path`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)full`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.remoteRateLimit.(any)policies.requestRedirect.status`
`policies[].policy.remoteRateLimit.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.remoteRateLimit.(any)policies.transformations.request`
`policies[].policy.remoteRateLimit.(any)policies.transformations.request.add`
`policies[].policy.remoteRateLimit.(any)policies.transformations.request.set`
`policies[].policy.remoteRateLimit.(any)policies.transformations.request.remove`
`policies[].policy.remoteRateLimit.(any)policies.transformations.request.body`
`policies[].policy.remoteRateLimit.(any)policies.transformations.response`
`policies[].policy.remoteRateLimit.(any)policies.transformations.response.add`
`policies[].policy.remoteRateLimit.(any)policies.transformations.response.set`
`policies[].policy.remoteRateLimit.(any)policies.transformations.response.remove`
`policies[].policy.remoteRateLimit.(any)policies.transformations.response.body`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS`	Send TLS to the backend.
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.cert`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.key`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.root`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.hostname`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.insecure`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.insecureHost`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.alpn`
`policies[].policy.remoteRateLimit.(any)policies.backendTLS.subjectAltNames`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth`	Authenticate to the backend.
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)passthrough`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)key`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.remoteRateLimit.(any)policies.http`	Specify HTTP settings for the backend
`policies[].policy.remoteRateLimit.(any)policies.http.version`
`policies[].policy.remoteRateLimit.(any)policies.http.requestTimeout`
`policies[].policy.remoteRateLimit.(any)policies.tcp`	Specify TCP settings for the backend
`policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives`
`policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.enabled`
`policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.time`
`policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.interval`
`policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.retries`
`policies[].policy.remoteRateLimit.(any)policies.tcp.connectTimeout`
`policies[].policy.remoteRateLimit.(any)policies.tcp.connectTimeout.secs`
`policies[].policy.remoteRateLimit.(any)policies.tcp.connectTimeout.nanos`
`policies[].policy.remoteRateLimit.(any)descriptors`
`policies[].policy.remoteRateLimit.(any)descriptors[].entries`
`policies[].policy.remoteRateLimit.(any)descriptors[].entries[].key`
`policies[].policy.remoteRateLimit.(any)descriptors[].entries[].value`
`policies[].policy.remoteRateLimit.(any)descriptors[].type`
`policies[].policy.remoteRateLimit.(any)failureMode`	Behavior when the remote rate limit service is unavailable or returns an error. Defaults to failClosed, denying requests with a 500 status on service failure.
`policies[].policy.jwtAuth`	Authenticate incoming JWT requests.
`policies[].policy.jwtAuth.(any)(any)mode`
`policies[].policy.jwtAuth.(any)(any)providers`
`policies[].policy.jwtAuth.(any)(any)providers[].issuer`
`policies[].policy.jwtAuth.(any)(any)providers[].audiences`
`policies[].policy.jwtAuth.(any)(any)providers[].jwks`
`policies[].policy.jwtAuth.(any)(any)providers[].jwks.(any)file`
`policies[].policy.jwtAuth.(any)(any)providers[].jwks.(any)url`
`policies[].policy.jwtAuth.(any)(any)providers[].jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`policies[].policy.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`policies[].policy.jwtAuth.(any)(any)mode`
`policies[].policy.jwtAuth.(any)(any)issuer`
`policies[].policy.jwtAuth.(any)(any)audiences`
`policies[].policy.jwtAuth.(any)(any)jwks`
`policies[].policy.jwtAuth.(any)(any)jwks.(any)file`
`policies[].policy.jwtAuth.(any)(any)jwks.(any)url`
`policies[].policy.jwtAuth.(any)(any)jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`policies[].policy.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`policies[].policy.basicAuth`	Authenticate incoming requests using Basic Authentication with htpasswd.
`policies[].policy.basicAuth.htpasswd`	.htpasswd file contents/reference
`policies[].policy.basicAuth.htpasswd.(any)file`
`policies[].policy.basicAuth.realm`	Realm name for the WWW-Authenticate header
`policies[].policy.basicAuth.mode`	Validation mode for basic authentication
`policies[].policy.apiKey`	Authenticate incoming requests using API Keys
`policies[].policy.apiKey.keys`	List of API keys
`policies[].policy.apiKey.keys[].key`
`policies[].policy.apiKey.keys[].metadata`
`policies[].policy.apiKey.mode`	Validation mode for API keys
`policies[].policy.extAuthz`	Authenticate incoming requests by calling an external authorization server.
`policies[].policy.extAuthz.(any)(1)service`
`policies[].policy.extAuthz.(any)(1)service.name`
`policies[].policy.extAuthz.(any)(1)service.name.namespace`
`policies[].policy.extAuthz.(any)(1)service.name.hostname`
`policies[].policy.extAuthz.(any)(1)service.port`
`policies[].policy.extAuthz.(any)(1)host`	Hostname or IP address
`policies[].policy.extAuthz.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`policies[].policy.extAuthz.(any)policies`	Policies to connect to the backend
`policies[].policy.extAuthz.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.extAuthz.(any)policies.requestHeaderModifier.add`
`policies[].policy.extAuthz.(any)policies.requestHeaderModifier.set`
`policies[].policy.extAuthz.(any)policies.requestHeaderModifier.remove`
`policies[].policy.extAuthz.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.extAuthz.(any)policies.responseHeaderModifier.add`
`policies[].policy.extAuthz.(any)policies.responseHeaderModifier.set`
`policies[].policy.extAuthz.(any)policies.responseHeaderModifier.remove`
`policies[].policy.extAuthz.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.extAuthz.(any)policies.requestRedirect.scheme`
`policies[].policy.extAuthz.(any)policies.requestRedirect.authority`
`policies[].policy.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.extAuthz.(any)policies.requestRedirect.path`
`policies[].policy.extAuthz.(any)policies.requestRedirect.path.(any)(1)full`
`policies[].policy.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.extAuthz.(any)policies.requestRedirect.status`
`policies[].policy.extAuthz.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.extAuthz.(any)policies.transformations.request`
`policies[].policy.extAuthz.(any)policies.transformations.request.add`
`policies[].policy.extAuthz.(any)policies.transformations.request.set`
`policies[].policy.extAuthz.(any)policies.transformations.request.remove`
`policies[].policy.extAuthz.(any)policies.transformations.request.body`
`policies[].policy.extAuthz.(any)policies.transformations.response`
`policies[].policy.extAuthz.(any)policies.transformations.response.add`
`policies[].policy.extAuthz.(any)policies.transformations.response.set`
`policies[].policy.extAuthz.(any)policies.transformations.response.remove`
`policies[].policy.extAuthz.(any)policies.transformations.response.body`
`policies[].policy.extAuthz.(any)policies.backendTLS`	Send TLS to the backend.
`policies[].policy.extAuthz.(any)policies.backendTLS.cert`
`policies[].policy.extAuthz.(any)policies.backendTLS.key`
`policies[].policy.extAuthz.(any)policies.backendTLS.root`
`policies[].policy.extAuthz.(any)policies.backendTLS.hostname`
`policies[].policy.extAuthz.(any)policies.backendTLS.insecure`
`policies[].policy.extAuthz.(any)policies.backendTLS.insecureHost`
`policies[].policy.extAuthz.(any)policies.backendTLS.alpn`
`policies[].policy.extAuthz.(any)policies.backendTLS.subjectAltNames`
`policies[].policy.extAuthz.(any)policies.backendAuth`	Authenticate to the backend.
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)passthrough`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)key`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.extAuthz.(any)policies.http`	Specify HTTP settings for the backend
`policies[].policy.extAuthz.(any)policies.http.version`
`policies[].policy.extAuthz.(any)policies.http.requestTimeout`
`policies[].policy.extAuthz.(any)policies.tcp`	Specify TCP settings for the backend
`policies[].policy.extAuthz.(any)policies.tcp.keepalives`
`policies[].policy.extAuthz.(any)policies.tcp.keepalives.enabled`
`policies[].policy.extAuthz.(any)policies.tcp.keepalives.time`
`policies[].policy.extAuthz.(any)policies.tcp.keepalives.interval`
`policies[].policy.extAuthz.(any)policies.tcp.keepalives.retries`
`policies[].policy.extAuthz.(any)policies.tcp.connectTimeout`
`policies[].policy.extAuthz.(any)policies.tcp.connectTimeout.secs`
`policies[].policy.extAuthz.(any)policies.tcp.connectTimeout.nanos`
`policies[].policy.extAuthz.(any)protocol`	The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended.
`policies[].policy.extAuthz.(any)protocol.(1)grpc`
`policies[].policy.extAuthz.(any)protocol.(1)grpc.context`	Additional context to send to the authorization service. This maps to the `context_extensions` field of the request, and only allows static values.
`policies[].policy.extAuthz.(any)protocol.(1)grpc.metadata`	Additional metadata to send to the authorization service. This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.
`policies[].policy.extAuthz.(any)protocol.(1)http`
`policies[].policy.extAuthz.(any)protocol.(1)http.path`
`policies[].policy.extAuthz.(any)protocol.(1)http.redirect`	When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error.
`policies[].policy.extAuthz.(any)protocol.(1)http.includeResponseHeaders`	Specific headers from the authorization response will be copied into the request to the backend.
`policies[].policy.extAuthz.(any)protocol.(1)http.addRequestHeaders`	Specific headers to add in the authorization request (empty = all headers), based on the expression
`policies[].policy.extAuthz.(any)protocol.(1)http.metadata`	Metadata to include under the `extauthz` variable, based on the authorization response.
`policies[].policy.extAuthz.(any)failureMode`	Behavior when the authorization service is unavailable or returns an error
`policies[].policy.extAuthz.(any)failureMode.(1)denyWithStatus`
`policies[].policy.extAuthz.(any)includeRequestHeaders`	Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’.
`policies[].policy.extAuthz.(any)includeRequestBody`	Options for including the request body in the authorization request
`policies[].policy.extAuthz.(any)includeRequestBody.maxRequestBytes`	Maximum size of request body to buffer (default: 8192)
`policies[].policy.extAuthz.(any)includeRequestBody.allowPartialMessage`	If true, send partial body when max_request_bytes is reached
`policies[].policy.extAuthz.(any)includeRequestBody.packAsBytes`	If true, pack body as raw bytes in gRPC
`policies[].policy.extProc`	Extend agentgateway with an external processor
`policies[].policy.extProc.(any)(1)service`
`policies[].policy.extProc.(any)(1)service.name`
`policies[].policy.extProc.(any)(1)service.name.namespace`
`policies[].policy.extProc.(any)(1)service.name.hostname`
`policies[].policy.extProc.(any)(1)service.port`
`policies[].policy.extProc.(any)(1)host`	Hostname or IP address
`policies[].policy.extProc.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`policies[].policy.extProc.(any)policies`	Policies to connect to the backend
`policies[].policy.extProc.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`policies[].policy.extProc.(any)policies.requestHeaderModifier.add`
`policies[].policy.extProc.(any)policies.requestHeaderModifier.set`
`policies[].policy.extProc.(any)policies.requestHeaderModifier.remove`
`policies[].policy.extProc.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`policies[].policy.extProc.(any)policies.responseHeaderModifier.add`
`policies[].policy.extProc.(any)policies.responseHeaderModifier.set`
`policies[].policy.extProc.(any)policies.responseHeaderModifier.remove`
`policies[].policy.extProc.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`policies[].policy.extProc.(any)policies.requestRedirect.scheme`
`policies[].policy.extProc.(any)policies.requestRedirect.authority`
`policies[].policy.extProc.(any)policies.requestRedirect.authority.(any)(1)full`
`policies[].policy.extProc.(any)policies.requestRedirect.authority.(any)(1)host`
`policies[].policy.extProc.(any)policies.requestRedirect.authority.(any)(1)port`
`policies[].policy.extProc.(any)policies.requestRedirect.path`
`policies[].policy.extProc.(any)policies.requestRedirect.path.(any)(1)full`
`policies[].policy.extProc.(any)policies.requestRedirect.path.(any)(1)prefix`
`policies[].policy.extProc.(any)policies.requestRedirect.status`
`policies[].policy.extProc.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`policies[].policy.extProc.(any)policies.transformations.request`
`policies[].policy.extProc.(any)policies.transformations.request.add`
`policies[].policy.extProc.(any)policies.transformations.request.set`
`policies[].policy.extProc.(any)policies.transformations.request.remove`
`policies[].policy.extProc.(any)policies.transformations.request.body`
`policies[].policy.extProc.(any)policies.transformations.response`
`policies[].policy.extProc.(any)policies.transformations.response.add`
`policies[].policy.extProc.(any)policies.transformations.response.set`
`policies[].policy.extProc.(any)policies.transformations.response.remove`
`policies[].policy.extProc.(any)policies.transformations.response.body`
`policies[].policy.extProc.(any)policies.backendTLS`	Send TLS to the backend.
`policies[].policy.extProc.(any)policies.backendTLS.cert`
`policies[].policy.extProc.(any)policies.backendTLS.key`
`policies[].policy.extProc.(any)policies.backendTLS.root`
`policies[].policy.extProc.(any)policies.backendTLS.hostname`
`policies[].policy.extProc.(any)policies.backendTLS.insecure`
`policies[].policy.extProc.(any)policies.backendTLS.insecureHost`
`policies[].policy.extProc.(any)policies.backendTLS.alpn`
`policies[].policy.extProc.(any)policies.backendTLS.subjectAltNames`
`policies[].policy.extProc.(any)policies.backendAuth`	Authenticate to the backend.
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)passthrough`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)key`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)key.(any)file`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`policies[].policy.extProc.(any)policies.http`	Specify HTTP settings for the backend
`policies[].policy.extProc.(any)policies.http.version`
`policies[].policy.extProc.(any)policies.http.requestTimeout`
`policies[].policy.extProc.(any)policies.tcp`	Specify TCP settings for the backend
`policies[].policy.extProc.(any)policies.tcp.keepalives`
`policies[].policy.extProc.(any)policies.tcp.keepalives.enabled`
`policies[].policy.extProc.(any)policies.tcp.keepalives.time`
`policies[].policy.extProc.(any)policies.tcp.keepalives.interval`
`policies[].policy.extProc.(any)policies.tcp.keepalives.retries`
`policies[].policy.extProc.(any)policies.tcp.connectTimeout`
`policies[].policy.extProc.(any)policies.tcp.connectTimeout.secs`
`policies[].policy.extProc.(any)policies.tcp.connectTimeout.nanos`
`policies[].policy.extProc.(any)failureMode`	Behavior when the ext_proc service is unavailable or returns an error
`policies[].policy.extProc.(any)metadataContext`	Additional metadata to send to the external processing service. Maps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.
`policies[].policy.extProc.(any)requestAttributes`	Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`policies[].policy.extProc.(any)responseAttributes`	Maps to the response `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`policies[].policy.transformations`	Modify requests and responses
`policies[].policy.transformations.request`
`policies[].policy.transformations.request.add`
`policies[].policy.transformations.request.set`
`policies[].policy.transformations.request.remove`
`policies[].policy.transformations.request.body`
`policies[].policy.transformations.response`
`policies[].policy.transformations.response.add`
`policies[].policy.transformations.response.set`
`policies[].policy.transformations.response.remove`
`policies[].policy.transformations.response.body`
`policies[].policy.csrf`	Handle CSRF protection by validating request origins against configured allowed origins.
`policies[].policy.csrf.additionalOrigins`
`policies[].policy.timeout`	Timeout requests that exceed the configured duration.
`policies[].policy.timeout.requestTimeout`
`policies[].policy.timeout.backendRequestTimeout`
`policies[].policy.retry`	Retry matching requests.
`policies[].policy.retry.attempts`
`policies[].policy.retry.backoff`
`policies[].policy.retry.codes`
`workloads`
`services`
`backends`
`backends[].name`
`backends[].host`
`backends[].policies`
`backends[].policies.requestHeaderModifier`	Headers to be modified in the request.
`backends[].policies.requestHeaderModifier.add`
`backends[].policies.requestHeaderModifier.set`
`backends[].policies.requestHeaderModifier.remove`
`backends[].policies.responseHeaderModifier`	Headers to be modified in the response.
`backends[].policies.responseHeaderModifier.add`
`backends[].policies.responseHeaderModifier.set`
`backends[].policies.responseHeaderModifier.remove`
`backends[].policies.requestRedirect`	Directly respond to the request with a redirect.
`backends[].policies.requestRedirect.scheme`
`backends[].policies.requestRedirect.authority`
`backends[].policies.requestRedirect.authority.(any)(1)full`
`backends[].policies.requestRedirect.authority.(any)(1)host`
`backends[].policies.requestRedirect.authority.(any)(1)port`
`backends[].policies.requestRedirect.path`
`backends[].policies.requestRedirect.path.(any)(1)full`
`backends[].policies.requestRedirect.path.(any)(1)prefix`
`backends[].policies.requestRedirect.status`
`backends[].policies.transformations`	Modify requests and responses sent to and from the backend.
`backends[].policies.transformations.request`
`backends[].policies.transformations.request.add`
`backends[].policies.transformations.request.set`
`backends[].policies.transformations.request.remove`
`backends[].policies.transformations.request.body`
`backends[].policies.transformations.response`
`backends[].policies.transformations.response.add`
`backends[].policies.transformations.response.set`
`backends[].policies.transformations.response.remove`
`backends[].policies.transformations.response.body`
`backends[].policies.backendTLS`	Send TLS to the backend.
`backends[].policies.backendTLS.cert`
`backends[].policies.backendTLS.key`
`backends[].policies.backendTLS.root`
`backends[].policies.backendTLS.hostname`
`backends[].policies.backendTLS.insecure`
`backends[].policies.backendTLS.insecureHost`
`backends[].policies.backendTLS.alpn`
`backends[].policies.backendTLS.subjectAltNames`
`backends[].policies.backendAuth`	Authenticate to the backend.
`backends[].policies.backendAuth.(any)(1)passthrough`
`backends[].policies.backendAuth.(any)(1)key`
`backends[].policies.backendAuth.(any)(1)key.(any)file`
`backends[].policies.backendAuth.(any)(1)gcp`
`backends[].policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`backends[].policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.backendAuth.(any)(1)aws`
`backends[].policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`backends[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`backends[].policies.backendAuth.(any)(1)aws.(any)region`
`backends[].policies.backendAuth.(any)(1)aws.(any)sessionToken`
`backends[].policies.backendAuth.(any)(1)azure`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`backends[].policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`backends[].policies.http`	Specify HTTP settings for the backend
`backends[].policies.http.version`
`backends[].policies.http.requestTimeout`
`backends[].policies.tcp`	Specify TCP settings for the backend
`backends[].policies.tcp.keepalives`
`backends[].policies.tcp.keepalives.enabled`
`backends[].policies.tcp.keepalives.time`
`backends[].policies.tcp.keepalives.interval`
`backends[].policies.tcp.keepalives.retries`
`backends[].policies.tcp.connectTimeout`
`backends[].policies.tcp.connectTimeout.secs`
`backends[].policies.tcp.connectTimeout.nanos`
`backends[].policies.mcpAuthorization`	Authorization policies for MCP access.
`backends[].policies.mcpAuthorization.rules`
`backends[].policies.a2a`	Mark this traffic as A2A to enable A2A processing and telemetry.
`backends[].policies.ai`	Mark this as LLM traffic to enable LLM processing.
`backends[].policies.ai.promptGuard`
`backends[].policies.ai.promptGuard.request`
`backends[].policies.ai.promptGuard.request[].(1)regex`
`backends[].policies.ai.promptGuard.request[].(1)regex.action`
`backends[].policies.ai.promptGuard.request[].(1)regex.rules`
`backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin`
`backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern`
`backends[].policies.ai.promptGuard.request[].(1)webhook`
`backends[].policies.ai.promptGuard.request[].(1)webhook.target`
`backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service`
`backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name`
`backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace`
`backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname`
`backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port`
`backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host`	Hostname or IP address
`backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches`
`backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name`
`backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value`
`backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId`	The GCP project ID
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`backends[].policies.ai.promptGuard.request[].rejection`
`backends[].policies.ai.promptGuard.request[].rejection.body`
`backends[].policies.ai.promptGuard.request[].rejection.status`
`backends[].policies.ai.promptGuard.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`backends[].policies.ai.promptGuard.request[].rejection.headers.add`
`backends[].policies.ai.promptGuard.request[].rejection.headers.set`
`backends[].policies.ai.promptGuard.request[].rejection.headers.remove`
`backends[].policies.ai.promptGuard.response`
`backends[].policies.ai.promptGuard.response[].(1)regex`
`backends[].policies.ai.promptGuard.response[].(1)regex.action`
`backends[].policies.ai.promptGuard.response[].(1)regex.rules`
`backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin`
`backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern`
`backends[].policies.ai.promptGuard.response[].(1)webhook`
`backends[].policies.ai.promptGuard.response[].(1)webhook.target`
`backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service`
`backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name`
`backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace`
`backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname`
`backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port`
`backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host`	Hostname or IP address
`backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches`
`backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name`
`backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value`
`backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId`	The GCP project ID
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`backends[].policies.ai.promptGuard.response[].rejection`
`backends[].policies.ai.promptGuard.response[].rejection.body`
`backends[].policies.ai.promptGuard.response[].rejection.status`
`backends[].policies.ai.promptGuard.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`backends[].policies.ai.promptGuard.response[].rejection.headers.add`
`backends[].policies.ai.promptGuard.response[].rejection.headers.set`
`backends[].policies.ai.promptGuard.response[].rejection.headers.remove`
`backends[].policies.ai.defaults`
`backends[].policies.ai.overrides`
`backends[].policies.ai.transformations`
`backends[].policies.ai.prompts`
`backends[].policies.ai.prompts.append`
`backends[].policies.ai.prompts.append[].role`
`backends[].policies.ai.prompts.append[].content`
`backends[].policies.ai.prompts.prepend`
`backends[].policies.ai.prompts.prepend[].role`
`backends[].policies.ai.prompts.prepend[].content`
`backends[].policies.ai.modelAliases`
`backends[].policies.ai.promptCaching`
`backends[].policies.ai.promptCaching.cacheSystem`
`backends[].policies.ai.promptCaching.cacheMessages`
`backends[].policies.ai.promptCaching.cacheTools`
`backends[].policies.ai.promptCaching.minTokens`
`backends[].policies.ai.routes`
`llm`
`llm.port`
`llm.models`	models defines the set of models that can be served by this gateway. The model name refers to the model in the users request that is matched; the model sent to the actual LLM can be overridden on a per-model basis.
`llm.models[].name`	name is the name of the model we are matching from a users request. If params.model is set, that will be used in the request to the LLM provider. If not, the incoming model is used.
`llm.models[].params`	params customizes parameters for the outgoing request
`llm.models[].params.model`	The model to send to the provider. If unset, the same model will be used from the request.
`llm.models[].params.apiKey`	An API key to attach to the request. If unset this will be automatically detected from the environment.
`llm.models[].params.awsRegion`
`llm.models[].params.vertexRegion`
`llm.models[].params.vertexProject`
`llm.models[].params.azureHost`	For Azure: the host of the deployment
`llm.models[].params.azureApiVersion`	For Azure: the API version to use
`llm.models[].provider`	provider of the LLM we are connecting too
`llm.models[].defaults`	defaults allows setting default values for the request. If these are not present in the request body, they will be set. To override even when set, use `overrides`.
`llm.models[].overrides`	overrides allows setting values for the request, overriding any existing values
`llm.models[].transformation`	transformation allows setting values from CEL expressions for the request, overriding any existing values.
`llm.models[].requestHeaders`	requestHeaders modifies headers in requests to the LLM provider.
`llm.models[].requestHeaders.add`
`llm.models[].requestHeaders.set`
`llm.models[].requestHeaders.remove`
`llm.models[].guardrails`	guardrails to apply to the request or response
`llm.models[].guardrails.request`
`llm.models[].guardrails.request[].(1)regex`
`llm.models[].guardrails.request[].(1)regex.action`
`llm.models[].guardrails.request[].(1)regex.rules`
`llm.models[].guardrails.request[].(1)regex.rules[].(any)builtin`
`llm.models[].guardrails.request[].(1)regex.rules[].(any)pattern`
`llm.models[].guardrails.request[].(1)webhook`
`llm.models[].guardrails.request[].(1)webhook.target`
`llm.models[].guardrails.request[].(1)webhook.target.(1)service`
`llm.models[].guardrails.request[].(1)webhook.target.(1)service.name`
`llm.models[].guardrails.request[].(1)webhook.target.(1)service.name.namespace`
`llm.models[].guardrails.request[].(1)webhook.target.(1)service.name.hostname`
`llm.models[].guardrails.request[].(1)webhook.target.(1)service.port`
`llm.models[].guardrails.request[].(1)webhook.target.(1)host`	Hostname or IP address
`llm.models[].guardrails.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches`
`llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].name`
`llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].value`
`llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`llm.models[].guardrails.request[].(1)openAIModeration`
`llm.models[].guardrails.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`llm.models[].guardrails.request[].(1)openAIModeration.policies`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.path`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.status`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.add`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.set`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.remove`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.body`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.add`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.set`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.remove`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.body`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.cert`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.key`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.root`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.hostname`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.insecure`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.alpn`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`llm.models[].guardrails.request[].(1)openAIModeration.policies.http.version`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.http.requestTimeout`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`llm.models[].guardrails.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`llm.models[].guardrails.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`llm.models[].guardrails.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.http.version`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`llm.models[].guardrails.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`llm.models[].guardrails.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`llm.models[].guardrails.request[].(1)googleModelArmor.projectId`	The GCP project ID
`llm.models[].guardrails.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`llm.models[].guardrails.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.path`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.status`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.add`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.set`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.remove`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.body`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.add`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.set`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.remove`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.body`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.cert`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.key`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.root`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.http.version`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.http.requestTimeout`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`llm.models[].guardrails.request[].rejection`
`llm.models[].guardrails.request[].rejection.body`
`llm.models[].guardrails.request[].rejection.status`
`llm.models[].guardrails.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`llm.models[].guardrails.request[].rejection.headers.add`
`llm.models[].guardrails.request[].rejection.headers.set`
`llm.models[].guardrails.request[].rejection.headers.remove`
`llm.models[].guardrails.response`
`llm.models[].guardrails.response[].(1)regex`
`llm.models[].guardrails.response[].(1)regex.action`
`llm.models[].guardrails.response[].(1)regex.rules`
`llm.models[].guardrails.response[].(1)regex.rules[].(any)builtin`
`llm.models[].guardrails.response[].(1)regex.rules[].(any)pattern`
`llm.models[].guardrails.response[].(1)webhook`
`llm.models[].guardrails.response[].(1)webhook.target`
`llm.models[].guardrails.response[].(1)webhook.target.(1)service`
`llm.models[].guardrails.response[].(1)webhook.target.(1)service.name`
`llm.models[].guardrails.response[].(1)webhook.target.(1)service.name.namespace`
`llm.models[].guardrails.response[].(1)webhook.target.(1)service.name.hostname`
`llm.models[].guardrails.response[].(1)webhook.target.(1)service.port`
`llm.models[].guardrails.response[].(1)webhook.target.(1)host`	Hostname or IP address
`llm.models[].guardrails.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches`
`llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].name`
`llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].value`
`llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`llm.models[].guardrails.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`llm.models[].guardrails.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`llm.models[].guardrails.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.http.version`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`llm.models[].guardrails.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`llm.models[].guardrails.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`llm.models[].guardrails.response[].(1)googleModelArmor.projectId`	The GCP project ID
`llm.models[].guardrails.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`llm.models[].guardrails.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.path`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.status`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.add`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.set`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.remove`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.body`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.add`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.set`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.remove`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.body`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.cert`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.key`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.root`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.http.version`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.http.requestTimeout`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`llm.models[].guardrails.response[].rejection`
`llm.models[].guardrails.response[].rejection.body`
`llm.models[].guardrails.response[].rejection.status`
`llm.models[].guardrails.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`llm.models[].guardrails.response[].rejection.headers.add`
`llm.models[].guardrails.response[].rejection.headers.set`
`llm.models[].guardrails.response[].rejection.headers.remove`
`llm.models[].matches`	matches specifies the conditions under which this model should be used in addition to matching the model name.
`llm.models[].matches[].headers`
`llm.models[].matches[].headers[].name`
`llm.models[].matches[].headers[].value`
`llm.models[].matches[].headers[].value.(1)exact`
`llm.models[].matches[].headers[].value.(1)regex`
`llm.policies`	policies defines policies for handling incoming requests, before a model is selected
`llm.policies.jwtAuth`	Authenticate incoming JWT requests.
`llm.policies.jwtAuth.(any)(any)mode`
`llm.policies.jwtAuth.(any)(any)providers`
`llm.policies.jwtAuth.(any)(any)providers[].issuer`
`llm.policies.jwtAuth.(any)(any)providers[].audiences`
`llm.policies.jwtAuth.(any)(any)providers[].jwks`
`llm.policies.jwtAuth.(any)(any)providers[].jwks.(any)file`
`llm.policies.jwtAuth.(any)(any)providers[].jwks.(any)url`
`llm.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`llm.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`llm.policies.jwtAuth.(any)(any)mode`
`llm.policies.jwtAuth.(any)(any)issuer`
`llm.policies.jwtAuth.(any)(any)audiences`
`llm.policies.jwtAuth.(any)(any)jwks`
`llm.policies.jwtAuth.(any)(any)jwks.(any)file`
`llm.policies.jwtAuth.(any)(any)jwks.(any)url`
`llm.policies.jwtAuth.(any)(any)jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`llm.policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`llm.policies.extAuthz`	Authenticate incoming requests by calling an external authorization server.
`llm.policies.extAuthz.(any)(1)service`
`llm.policies.extAuthz.(any)(1)service.name`
`llm.policies.extAuthz.(any)(1)service.name.namespace`
`llm.policies.extAuthz.(any)(1)service.name.hostname`
`llm.policies.extAuthz.(any)(1)service.port`
`llm.policies.extAuthz.(any)(1)host`	Hostname or IP address
`llm.policies.extAuthz.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`llm.policies.extAuthz.(any)policies`	Policies to connect to the backend
`llm.policies.extAuthz.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`llm.policies.extAuthz.(any)policies.requestHeaderModifier.add`
`llm.policies.extAuthz.(any)policies.requestHeaderModifier.set`
`llm.policies.extAuthz.(any)policies.requestHeaderModifier.remove`
`llm.policies.extAuthz.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`llm.policies.extAuthz.(any)policies.responseHeaderModifier.add`
`llm.policies.extAuthz.(any)policies.responseHeaderModifier.set`
`llm.policies.extAuthz.(any)policies.responseHeaderModifier.remove`
`llm.policies.extAuthz.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`llm.policies.extAuthz.(any)policies.requestRedirect.scheme`
`llm.policies.extAuthz.(any)policies.requestRedirect.authority`
`llm.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full`
`llm.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host`
`llm.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port`
`llm.policies.extAuthz.(any)policies.requestRedirect.path`
`llm.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full`
`llm.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix`
`llm.policies.extAuthz.(any)policies.requestRedirect.status`
`llm.policies.extAuthz.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`llm.policies.extAuthz.(any)policies.transformations.request`
`llm.policies.extAuthz.(any)policies.transformations.request.add`
`llm.policies.extAuthz.(any)policies.transformations.request.set`
`llm.policies.extAuthz.(any)policies.transformations.request.remove`
`llm.policies.extAuthz.(any)policies.transformations.request.body`
`llm.policies.extAuthz.(any)policies.transformations.response`
`llm.policies.extAuthz.(any)policies.transformations.response.add`
`llm.policies.extAuthz.(any)policies.transformations.response.set`
`llm.policies.extAuthz.(any)policies.transformations.response.remove`
`llm.policies.extAuthz.(any)policies.transformations.response.body`
`llm.policies.extAuthz.(any)policies.backendTLS`	Send TLS to the backend.
`llm.policies.extAuthz.(any)policies.backendTLS.cert`
`llm.policies.extAuthz.(any)policies.backendTLS.key`
`llm.policies.extAuthz.(any)policies.backendTLS.root`
`llm.policies.extAuthz.(any)policies.backendTLS.hostname`
`llm.policies.extAuthz.(any)policies.backendTLS.insecure`
`llm.policies.extAuthz.(any)policies.backendTLS.insecureHost`
`llm.policies.extAuthz.(any)policies.backendTLS.alpn`
`llm.policies.extAuthz.(any)policies.backendTLS.subjectAltNames`
`llm.policies.extAuthz.(any)policies.backendAuth`	Authenticate to the backend.
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)key`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`llm.policies.extAuthz.(any)policies.http`	Specify HTTP settings for the backend
`llm.policies.extAuthz.(any)policies.http.version`
`llm.policies.extAuthz.(any)policies.http.requestTimeout`
`llm.policies.extAuthz.(any)policies.tcp`	Specify TCP settings for the backend
`llm.policies.extAuthz.(any)policies.tcp.keepalives`
`llm.policies.extAuthz.(any)policies.tcp.keepalives.enabled`
`llm.policies.extAuthz.(any)policies.tcp.keepalives.time`
`llm.policies.extAuthz.(any)policies.tcp.keepalives.interval`
`llm.policies.extAuthz.(any)policies.tcp.keepalives.retries`
`llm.policies.extAuthz.(any)policies.tcp.connectTimeout`
`llm.policies.extAuthz.(any)policies.tcp.connectTimeout.secs`
`llm.policies.extAuthz.(any)policies.tcp.connectTimeout.nanos`
`llm.policies.extAuthz.(any)protocol`	The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended.
`llm.policies.extAuthz.(any)protocol.(1)grpc`
`llm.policies.extAuthz.(any)protocol.(1)grpc.context`	Additional context to send to the authorization service. This maps to the `context_extensions` field of the request, and only allows static values.
`llm.policies.extAuthz.(any)protocol.(1)grpc.metadata`	Additional metadata to send to the authorization service. This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.
`llm.policies.extAuthz.(any)protocol.(1)http`
`llm.policies.extAuthz.(any)protocol.(1)http.path`
`llm.policies.extAuthz.(any)protocol.(1)http.redirect`	When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error.
`llm.policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders`	Specific headers from the authorization response will be copied into the request to the backend.
`llm.policies.extAuthz.(any)protocol.(1)http.addRequestHeaders`	Specific headers to add in the authorization request (empty = all headers), based on the expression
`llm.policies.extAuthz.(any)protocol.(1)http.metadata`	Metadata to include under the `extauthz` variable, based on the authorization response.
`llm.policies.extAuthz.(any)failureMode`	Behavior when the authorization service is unavailable or returns an error
`llm.policies.extAuthz.(any)failureMode.(1)denyWithStatus`
`llm.policies.extAuthz.(any)includeRequestHeaders`	Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’.
`llm.policies.extAuthz.(any)includeRequestBody`	Options for including the request body in the authorization request
`llm.policies.extAuthz.(any)includeRequestBody.maxRequestBytes`	Maximum size of request body to buffer (default: 8192)
`llm.policies.extAuthz.(any)includeRequestBody.allowPartialMessage`	If true, send partial body when max_request_bytes is reached
`llm.policies.extAuthz.(any)includeRequestBody.packAsBytes`	If true, pack body as raw bytes in gRPC
`llm.policies.extProc`	Extend agentgateway with an external processor
`llm.policies.extProc.(any)(1)service`
`llm.policies.extProc.(any)(1)service.name`
`llm.policies.extProc.(any)(1)service.name.namespace`
`llm.policies.extProc.(any)(1)service.name.hostname`
`llm.policies.extProc.(any)(1)service.port`
`llm.policies.extProc.(any)(1)host`	Hostname or IP address
`llm.policies.extProc.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`llm.policies.extProc.(any)policies`	Policies to connect to the backend
`llm.policies.extProc.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`llm.policies.extProc.(any)policies.requestHeaderModifier.add`
`llm.policies.extProc.(any)policies.requestHeaderModifier.set`
`llm.policies.extProc.(any)policies.requestHeaderModifier.remove`
`llm.policies.extProc.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`llm.policies.extProc.(any)policies.responseHeaderModifier.add`
`llm.policies.extProc.(any)policies.responseHeaderModifier.set`
`llm.policies.extProc.(any)policies.responseHeaderModifier.remove`
`llm.policies.extProc.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`llm.policies.extProc.(any)policies.requestRedirect.scheme`
`llm.policies.extProc.(any)policies.requestRedirect.authority`
`llm.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full`
`llm.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host`
`llm.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port`
`llm.policies.extProc.(any)policies.requestRedirect.path`
`llm.policies.extProc.(any)policies.requestRedirect.path.(any)(1)full`
`llm.policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix`
`llm.policies.extProc.(any)policies.requestRedirect.status`
`llm.policies.extProc.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`llm.policies.extProc.(any)policies.transformations.request`
`llm.policies.extProc.(any)policies.transformations.request.add`
`llm.policies.extProc.(any)policies.transformations.request.set`
`llm.policies.extProc.(any)policies.transformations.request.remove`
`llm.policies.extProc.(any)policies.transformations.request.body`
`llm.policies.extProc.(any)policies.transformations.response`
`llm.policies.extProc.(any)policies.transformations.response.add`
`llm.policies.extProc.(any)policies.transformations.response.set`
`llm.policies.extProc.(any)policies.transformations.response.remove`
`llm.policies.extProc.(any)policies.transformations.response.body`
`llm.policies.extProc.(any)policies.backendTLS`	Send TLS to the backend.
`llm.policies.extProc.(any)policies.backendTLS.cert`
`llm.policies.extProc.(any)policies.backendTLS.key`
`llm.policies.extProc.(any)policies.backendTLS.root`
`llm.policies.extProc.(any)policies.backendTLS.hostname`
`llm.policies.extProc.(any)policies.backendTLS.insecure`
`llm.policies.extProc.(any)policies.backendTLS.insecureHost`
`llm.policies.extProc.(any)policies.backendTLS.alpn`
`llm.policies.extProc.(any)policies.backendTLS.subjectAltNames`
`llm.policies.extProc.(any)policies.backendAuth`	Authenticate to the backend.
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)passthrough`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)key`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`llm.policies.extProc.(any)policies.http`	Specify HTTP settings for the backend
`llm.policies.extProc.(any)policies.http.version`
`llm.policies.extProc.(any)policies.http.requestTimeout`
`llm.policies.extProc.(any)policies.tcp`	Specify TCP settings for the backend
`llm.policies.extProc.(any)policies.tcp.keepalives`
`llm.policies.extProc.(any)policies.tcp.keepalives.enabled`
`llm.policies.extProc.(any)policies.tcp.keepalives.time`
`llm.policies.extProc.(any)policies.tcp.keepalives.interval`
`llm.policies.extProc.(any)policies.tcp.keepalives.retries`
`llm.policies.extProc.(any)policies.tcp.connectTimeout`
`llm.policies.extProc.(any)policies.tcp.connectTimeout.secs`
`llm.policies.extProc.(any)policies.tcp.connectTimeout.nanos`
`llm.policies.extProc.(any)failureMode`	Behavior when the ext_proc service is unavailable or returns an error
`llm.policies.extProc.(any)metadataContext`	Additional metadata to send to the external processing service. Maps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.
`llm.policies.extProc.(any)requestAttributes`	Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`llm.policies.extProc.(any)responseAttributes`	Maps to the response `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`llm.policies.transformations`	Modify requests and responses
`llm.policies.transformations.request`
`llm.policies.transformations.request.add`
`llm.policies.transformations.request.set`
`llm.policies.transformations.request.remove`
`llm.policies.transformations.request.body`
`llm.policies.transformations.response`
`llm.policies.transformations.response.add`
`llm.policies.transformations.response.set`
`llm.policies.transformations.response.remove`
`llm.policies.transformations.response.body`
`llm.policies.basicAuth`	Authenticate incoming requests using Basic Authentication with htpasswd.
`llm.policies.basicAuth.htpasswd`	.htpasswd file contents/reference
`llm.policies.basicAuth.htpasswd.(any)file`
`llm.policies.basicAuth.realm`	Realm name for the WWW-Authenticate header
`llm.policies.basicAuth.mode`	Validation mode for basic authentication
`llm.policies.apiKey`	Authenticate incoming requests using API Keys
`llm.policies.apiKey.keys`	List of API keys
`llm.policies.apiKey.keys[].key`
`llm.policies.apiKey.keys[].metadata`
`llm.policies.apiKey.mode`	Validation mode for API keys
`llm.policies.authorization`	Authorization policies for HTTP access.
`llm.policies.authorization.rules`
`mcp`
`mcp.port`
`mcp.targets`
`mcp.targets[].(1)sse`
`mcp.targets[].(1)sse.host`
`mcp.targets[].(1)sse.port`
`mcp.targets[].(1)sse.path`
`mcp.targets[].(1)mcp`
`mcp.targets[].(1)mcp.host`
`mcp.targets[].(1)mcp.port`
`mcp.targets[].(1)mcp.path`
`mcp.targets[].(1)stdio`
`mcp.targets[].(1)stdio.cmd`
`mcp.targets[].(1)stdio.args`
`mcp.targets[].(1)stdio.env`
`mcp.targets[].(1)openapi`
`mcp.targets[].(1)openapi.host`
`mcp.targets[].(1)openapi.port`
`mcp.targets[].(1)openapi.path`
`mcp.targets[].(1)openapi.schema`
`mcp.targets[].(1)openapi.schema.(any)file`
`mcp.targets[].(1)openapi.schema.(any)url`
`mcp.targets[].name`
`mcp.targets[].policies`
`mcp.targets[].policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.targets[].policies.requestHeaderModifier.add`
`mcp.targets[].policies.requestHeaderModifier.set`
`mcp.targets[].policies.requestHeaderModifier.remove`
`mcp.targets[].policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.targets[].policies.responseHeaderModifier.add`
`mcp.targets[].policies.responseHeaderModifier.set`
`mcp.targets[].policies.responseHeaderModifier.remove`
`mcp.targets[].policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.targets[].policies.requestRedirect.scheme`
`mcp.targets[].policies.requestRedirect.authority`
`mcp.targets[].policies.requestRedirect.authority.(any)(1)full`
`mcp.targets[].policies.requestRedirect.authority.(any)(1)host`
`mcp.targets[].policies.requestRedirect.authority.(any)(1)port`
`mcp.targets[].policies.requestRedirect.path`
`mcp.targets[].policies.requestRedirect.path.(any)(1)full`
`mcp.targets[].policies.requestRedirect.path.(any)(1)prefix`
`mcp.targets[].policies.requestRedirect.status`
`mcp.targets[].policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.targets[].policies.transformations.request`
`mcp.targets[].policies.transformations.request.add`
`mcp.targets[].policies.transformations.request.set`
`mcp.targets[].policies.transformations.request.remove`
`mcp.targets[].policies.transformations.request.body`
`mcp.targets[].policies.transformations.response`
`mcp.targets[].policies.transformations.response.add`
`mcp.targets[].policies.transformations.response.set`
`mcp.targets[].policies.transformations.response.remove`
`mcp.targets[].policies.transformations.response.body`
`mcp.targets[].policies.backendTLS`	Send TLS to the backend.
`mcp.targets[].policies.backendTLS.cert`
`mcp.targets[].policies.backendTLS.key`
`mcp.targets[].policies.backendTLS.root`
`mcp.targets[].policies.backendTLS.hostname`
`mcp.targets[].policies.backendTLS.insecure`
`mcp.targets[].policies.backendTLS.insecureHost`
`mcp.targets[].policies.backendTLS.alpn`
`mcp.targets[].policies.backendTLS.subjectAltNames`
`mcp.targets[].policies.backendAuth`	Authenticate to the backend.
`mcp.targets[].policies.backendAuth.(any)(1)passthrough`
`mcp.targets[].policies.backendAuth.(any)(1)key`
`mcp.targets[].policies.backendAuth.(any)(1)key.(any)file`
`mcp.targets[].policies.backendAuth.(any)(1)gcp`
`mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.targets[].policies.backendAuth.(any)(1)aws`
`mcp.targets[].policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.targets[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.targets[].policies.backendAuth.(any)(1)aws.(any)region`
`mcp.targets[].policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.targets[].policies.backendAuth.(any)(1)azure`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.targets[].policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.targets[].policies.http`	Specify HTTP settings for the backend
`mcp.targets[].policies.http.version`
`mcp.targets[].policies.http.requestTimeout`
`mcp.targets[].policies.tcp`	Specify TCP settings for the backend
`mcp.targets[].policies.tcp.keepalives`
`mcp.targets[].policies.tcp.keepalives.enabled`
`mcp.targets[].policies.tcp.keepalives.time`
`mcp.targets[].policies.tcp.keepalives.interval`
`mcp.targets[].policies.tcp.keepalives.retries`
`mcp.targets[].policies.tcp.connectTimeout`
`mcp.targets[].policies.tcp.connectTimeout.secs`
`mcp.targets[].policies.tcp.connectTimeout.nanos`
`mcp.targets[].policies.mcpAuthorization`	Authorization policies for MCP access.
`mcp.targets[].policies.mcpAuthorization.rules`
`mcp.statefulMode`
`mcp.prefixMode`
`mcp.policies`
`mcp.policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.requestHeaderModifier.add`
`mcp.policies.requestHeaderModifier.set`
`mcp.policies.requestHeaderModifier.remove`
`mcp.policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.responseHeaderModifier.add`
`mcp.policies.responseHeaderModifier.set`
`mcp.policies.responseHeaderModifier.remove`
`mcp.policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.requestRedirect.scheme`
`mcp.policies.requestRedirect.authority`
`mcp.policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.requestRedirect.path`
`mcp.policies.requestRedirect.path.(any)(1)full`
`mcp.policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.requestRedirect.status`
`mcp.policies.urlRewrite`	Modify the URL path or authority.
`mcp.policies.urlRewrite.authority`
`mcp.policies.urlRewrite.authority.(any)(1)full`
`mcp.policies.urlRewrite.authority.(any)(1)host`
`mcp.policies.urlRewrite.authority.(any)(1)port`
`mcp.policies.urlRewrite.path`
`mcp.policies.urlRewrite.path.(any)(1)full`
`mcp.policies.urlRewrite.path.(any)(1)prefix`
`mcp.policies.requestMirror`	Mirror incoming requests to another destination.
`mcp.policies.requestMirror.backend`
`mcp.policies.requestMirror.backend.(1)service`
`mcp.policies.requestMirror.backend.(1)service.name`
`mcp.policies.requestMirror.backend.(1)service.name.namespace`
`mcp.policies.requestMirror.backend.(1)service.name.hostname`
`mcp.policies.requestMirror.backend.(1)service.port`
`mcp.policies.requestMirror.backend.(1)host`	Hostname or IP address
`mcp.policies.requestMirror.backend.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`mcp.policies.requestMirror.percentage`
`mcp.policies.directResponse`	Directly respond to the request with a static response.
`mcp.policies.directResponse.body`
`mcp.policies.directResponse.status`
`mcp.policies.cors`	Handle CORS preflight requests and append configured CORS headers to applicable requests.
`mcp.policies.cors.allowCredentials`
`mcp.policies.cors.allowHeaders`
`mcp.policies.cors.allowMethods`
`mcp.policies.cors.allowOrigins`
`mcp.policies.cors.exposeHeaders`
`mcp.policies.cors.maxAge`
`mcp.policies.mcpAuthorization`	Authorization policies for MCP access.
`mcp.policies.mcpAuthorization.rules`
`mcp.policies.authorization`	Authorization policies for HTTP access.
`mcp.policies.authorization.rules`
`mcp.policies.mcpAuthentication`	Authentication for MCP clients.
`mcp.policies.mcpAuthentication.issuer`
`mcp.policies.mcpAuthentication.audiences`
`mcp.policies.mcpAuthentication.provider`
`mcp.policies.mcpAuthentication.provider.(any)(1)auth0`
`mcp.policies.mcpAuthentication.provider.(any)(1)keycloak`
`mcp.policies.mcpAuthentication.resourceMetadata`
`mcp.policies.mcpAuthentication.jwks`
`mcp.policies.mcpAuthentication.jwks.(any)file`
`mcp.policies.mcpAuthentication.jwks.(any)url`
`mcp.policies.mcpAuthentication.mode`
`mcp.policies.mcpAuthentication.jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`mcp.policies.mcpAuthentication.jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`mcp.policies.a2a`	Mark this traffic as A2A to enable A2A processing and telemetry.
`mcp.policies.ai`	Mark this as LLM traffic to enable LLM processing.
`mcp.policies.ai.promptGuard`
`mcp.policies.ai.promptGuard.request`
`mcp.policies.ai.promptGuard.request[].(1)regex`
`mcp.policies.ai.promptGuard.request[].(1)regex.action`
`mcp.policies.ai.promptGuard.request[].(1)regex.rules`
`mcp.policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin`
`mcp.policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern`
`mcp.policies.ai.promptGuard.request[].(1)webhook`
`mcp.policies.ai.promptGuard.request[].(1)webhook.target`
`mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service`
`mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name`
`mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace`
`mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname`
`mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port`
`mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)host`	Hostname or IP address
`mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches`
`mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name`
`mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value`
`mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.model`	Model to use. Defaults to `omni-moderation-latest`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS`	Send TLS to the backend.
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth`	Authenticate to the backend.
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.http`	Specify HTTP settings for the backend
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp`	Specify TCP settings for the backend
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs`
`mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.projectId`	The GCP project ID
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`mcp.policies.ai.promptGuard.request[].rejection`
`mcp.policies.ai.promptGuard.request[].rejection.body`
`mcp.policies.ai.promptGuard.request[].rejection.status`
`mcp.policies.ai.promptGuard.request[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`mcp.policies.ai.promptGuard.request[].rejection.headers.add`
`mcp.policies.ai.promptGuard.request[].rejection.headers.set`
`mcp.policies.ai.promptGuard.request[].rejection.headers.remove`
`mcp.policies.ai.promptGuard.response`
`mcp.policies.ai.promptGuard.response[].(1)regex`
`mcp.policies.ai.promptGuard.response[].(1)regex.action`
`mcp.policies.ai.promptGuard.response[].(1)regex.rules`
`mcp.policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin`
`mcp.policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern`
`mcp.policies.ai.promptGuard.response[].(1)webhook`
`mcp.policies.ai.promptGuard.response[].(1)webhook.target`
`mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service`
`mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name`
`mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace`
`mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname`
`mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port`
`mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)host`	Hostname or IP address
`mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches`
`mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name`
`mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value`
`mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact`
`mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails`	Configuration for AWS Bedrock Guardrails integration.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier`	The unique identifier of the guardrail
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion`	The version of the guardrail
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.region`	AWS region where the guardrail is deployed
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies`	Backend policies for AWS authentication (optional, defaults to implicit AWS auth)
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS`	Send TLS to the backend.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth`	Authenticate to the backend.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http`	Specify HTTP settings for the backend
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp`	Specify TCP settings for the backend
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs`
`mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor`	Configuration for Google Cloud Model Armor integration.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.templateId`	The template ID for the Model Armor configuration
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.projectId`	The GCP project ID
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.location`	The GCP region (default: us-central1)
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies`	Backend policies for GCP authentication (optional, defaults to implicit GCP auth)
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS`	Send TLS to the backend.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth`	Authenticate to the backend.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http`	Specify HTTP settings for the backend
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp`	Specify TCP settings for the backend
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs`
`mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos`
`mcp.policies.ai.promptGuard.response[].rejection`
`mcp.policies.ai.promptGuard.response[].rejection.body`
`mcp.policies.ai.promptGuard.response[].rejection.status`
`mcp.policies.ai.promptGuard.response[].rejection.headers`	Optional headers to add, set, or remove from the rejection response
`mcp.policies.ai.promptGuard.response[].rejection.headers.add`
`mcp.policies.ai.promptGuard.response[].rejection.headers.set`
`mcp.policies.ai.promptGuard.response[].rejection.headers.remove`
`mcp.policies.ai.defaults`
`mcp.policies.ai.overrides`
`mcp.policies.ai.transformations`
`mcp.policies.ai.prompts`
`mcp.policies.ai.prompts.append`
`mcp.policies.ai.prompts.append[].role`
`mcp.policies.ai.prompts.append[].content`
`mcp.policies.ai.prompts.prepend`
`mcp.policies.ai.prompts.prepend[].role`
`mcp.policies.ai.prompts.prepend[].content`
`mcp.policies.ai.modelAliases`
`mcp.policies.ai.promptCaching`
`mcp.policies.ai.promptCaching.cacheSystem`
`mcp.policies.ai.promptCaching.cacheMessages`
`mcp.policies.ai.promptCaching.cacheTools`
`mcp.policies.ai.promptCaching.minTokens`
`mcp.policies.ai.routes`
`mcp.policies.backendTLS`	Send TLS to the backend.
`mcp.policies.backendTLS.cert`
`mcp.policies.backendTLS.key`
`mcp.policies.backendTLS.root`
`mcp.policies.backendTLS.hostname`
`mcp.policies.backendTLS.insecure`
`mcp.policies.backendTLS.insecureHost`
`mcp.policies.backendTLS.alpn`
`mcp.policies.backendTLS.subjectAltNames`
`mcp.policies.backendAuth`	Authenticate to the backend.
`mcp.policies.backendAuth.(any)(1)passthrough`
`mcp.policies.backendAuth.(any)(1)key`
`mcp.policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.backendAuth.(any)(1)gcp`
`mcp.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.backendAuth.(any)(1)aws`
`mcp.policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.backendAuth.(any)(1)azure`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.localRateLimit`	Rate limit incoming requests. State is kept local.
`mcp.policies.localRateLimit[].maxTokens`
`mcp.policies.localRateLimit[].tokensPerFill`
`mcp.policies.localRateLimit[].fillInterval`
`mcp.policies.localRateLimit[].type`
`mcp.policies.remoteRateLimit`	Rate limit incoming requests. State is managed by a remote server.
`mcp.policies.remoteRateLimit.(any)(1)service`
`mcp.policies.remoteRateLimit.(any)(1)service.name`
`mcp.policies.remoteRateLimit.(any)(1)service.name.namespace`
`mcp.policies.remoteRateLimit.(any)(1)service.name.hostname`
`mcp.policies.remoteRateLimit.(any)(1)service.port`
`mcp.policies.remoteRateLimit.(any)(1)host`	Hostname or IP address
`mcp.policies.remoteRateLimit.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`mcp.policies.remoteRateLimit.(any)domain`
`mcp.policies.remoteRateLimit.(any)policies`	Policies to connect to the backend
`mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier.add`
`mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier.set`
`mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier.remove`
`mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier.add`
`mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier.set`
`mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier.remove`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.scheme`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.path`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)full`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.remoteRateLimit.(any)policies.requestRedirect.status`
`mcp.policies.remoteRateLimit.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.remoteRateLimit.(any)policies.transformations.request`
`mcp.policies.remoteRateLimit.(any)policies.transformations.request.add`
`mcp.policies.remoteRateLimit.(any)policies.transformations.request.set`
`mcp.policies.remoteRateLimit.(any)policies.transformations.request.remove`
`mcp.policies.remoteRateLimit.(any)policies.transformations.request.body`
`mcp.policies.remoteRateLimit.(any)policies.transformations.response`
`mcp.policies.remoteRateLimit.(any)policies.transformations.response.add`
`mcp.policies.remoteRateLimit.(any)policies.transformations.response.set`
`mcp.policies.remoteRateLimit.(any)policies.transformations.response.remove`
`mcp.policies.remoteRateLimit.(any)policies.transformations.response.body`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS`	Send TLS to the backend.
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.cert`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.key`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.root`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.hostname`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.insecure`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.insecureHost`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.alpn`
`mcp.policies.remoteRateLimit.(any)policies.backendTLS.subjectAltNames`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth`	Authenticate to the backend.
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)passthrough`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.remoteRateLimit.(any)policies.http`	Specify HTTP settings for the backend
`mcp.policies.remoteRateLimit.(any)policies.http.version`
`mcp.policies.remoteRateLimit.(any)policies.http.requestTimeout`
`mcp.policies.remoteRateLimit.(any)policies.tcp`	Specify TCP settings for the backend
`mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives`
`mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.enabled`
`mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.time`
`mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.interval`
`mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.retries`
`mcp.policies.remoteRateLimit.(any)policies.tcp.connectTimeout`
`mcp.policies.remoteRateLimit.(any)policies.tcp.connectTimeout.secs`
`mcp.policies.remoteRateLimit.(any)policies.tcp.connectTimeout.nanos`
`mcp.policies.remoteRateLimit.(any)descriptors`
`mcp.policies.remoteRateLimit.(any)descriptors[].entries`
`mcp.policies.remoteRateLimit.(any)descriptors[].entries[].key`
`mcp.policies.remoteRateLimit.(any)descriptors[].entries[].value`
`mcp.policies.remoteRateLimit.(any)descriptors[].type`
`mcp.policies.remoteRateLimit.(any)failureMode`	Behavior when the remote rate limit service is unavailable or returns an error. Defaults to failClosed, denying requests with a 500 status on service failure.
`mcp.policies.jwtAuth`	Authenticate incoming JWT requests.
`mcp.policies.jwtAuth.(any)(any)mode`
`mcp.policies.jwtAuth.(any)(any)providers`
`mcp.policies.jwtAuth.(any)(any)providers[].issuer`
`mcp.policies.jwtAuth.(any)(any)providers[].audiences`
`mcp.policies.jwtAuth.(any)(any)providers[].jwks`
`mcp.policies.jwtAuth.(any)(any)providers[].jwks.(any)file`
`mcp.policies.jwtAuth.(any)(any)providers[].jwks.(any)url`
`mcp.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`mcp.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`mcp.policies.jwtAuth.(any)(any)mode`
`mcp.policies.jwtAuth.(any)(any)issuer`
`mcp.policies.jwtAuth.(any)(any)audiences`
`mcp.policies.jwtAuth.(any)(any)jwks`
`mcp.policies.jwtAuth.(any)(any)jwks.(any)file`
`mcp.policies.jwtAuth.(any)(any)jwks.(any)url`
`mcp.policies.jwtAuth.(any)(any)jwtValidationOptions`	JWT validation options controlling which claims must be present in a token. The `required_claims` set specifies which RFC 7519 registered claims must exist in the token payload before validation proceeds. Only the following values are recognized: `exp`, `nbf`, `aud`, `iss`, `sub`. Other registered claims such as `iat` and `jti` are not enforced by the underlying `jsonwebtoken` library and will be silently ignored. This only enforces presence. Standard claims like `exp` and `nbf` have their values validated independently (e.g., expiry is always checked when the `exp` claim is present, regardless of this setting). Defaults to `["exp"]`.
`mcp.policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims`	Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims.
`mcp.policies.basicAuth`	Authenticate incoming requests using Basic Authentication with htpasswd.
`mcp.policies.basicAuth.htpasswd`	.htpasswd file contents/reference
`mcp.policies.basicAuth.htpasswd.(any)file`
`mcp.policies.basicAuth.realm`	Realm name for the WWW-Authenticate header
`mcp.policies.basicAuth.mode`	Validation mode for basic authentication
`mcp.policies.apiKey`	Authenticate incoming requests using API Keys
`mcp.policies.apiKey.keys`	List of API keys
`mcp.policies.apiKey.keys[].key`
`mcp.policies.apiKey.keys[].metadata`
`mcp.policies.apiKey.mode`	Validation mode for API keys
`mcp.policies.extAuthz`	Authenticate incoming requests by calling an external authorization server.
`mcp.policies.extAuthz.(any)(1)service`
`mcp.policies.extAuthz.(any)(1)service.name`
`mcp.policies.extAuthz.(any)(1)service.name.namespace`
`mcp.policies.extAuthz.(any)(1)service.name.hostname`
`mcp.policies.extAuthz.(any)(1)service.port`
`mcp.policies.extAuthz.(any)(1)host`	Hostname or IP address
`mcp.policies.extAuthz.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`mcp.policies.extAuthz.(any)policies`	Policies to connect to the backend
`mcp.policies.extAuthz.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.extAuthz.(any)policies.requestHeaderModifier.add`
`mcp.policies.extAuthz.(any)policies.requestHeaderModifier.set`
`mcp.policies.extAuthz.(any)policies.requestHeaderModifier.remove`
`mcp.policies.extAuthz.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.extAuthz.(any)policies.responseHeaderModifier.add`
`mcp.policies.extAuthz.(any)policies.responseHeaderModifier.set`
`mcp.policies.extAuthz.(any)policies.responseHeaderModifier.remove`
`mcp.policies.extAuthz.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.extAuthz.(any)policies.requestRedirect.scheme`
`mcp.policies.extAuthz.(any)policies.requestRedirect.authority`
`mcp.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.extAuthz.(any)policies.requestRedirect.path`
`mcp.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full`
`mcp.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.extAuthz.(any)policies.requestRedirect.status`
`mcp.policies.extAuthz.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.extAuthz.(any)policies.transformations.request`
`mcp.policies.extAuthz.(any)policies.transformations.request.add`
`mcp.policies.extAuthz.(any)policies.transformations.request.set`
`mcp.policies.extAuthz.(any)policies.transformations.request.remove`
`mcp.policies.extAuthz.(any)policies.transformations.request.body`
`mcp.policies.extAuthz.(any)policies.transformations.response`
`mcp.policies.extAuthz.(any)policies.transformations.response.add`
`mcp.policies.extAuthz.(any)policies.transformations.response.set`
`mcp.policies.extAuthz.(any)policies.transformations.response.remove`
`mcp.policies.extAuthz.(any)policies.transformations.response.body`
`mcp.policies.extAuthz.(any)policies.backendTLS`	Send TLS to the backend.
`mcp.policies.extAuthz.(any)policies.backendTLS.cert`
`mcp.policies.extAuthz.(any)policies.backendTLS.key`
`mcp.policies.extAuthz.(any)policies.backendTLS.root`
`mcp.policies.extAuthz.(any)policies.backendTLS.hostname`
`mcp.policies.extAuthz.(any)policies.backendTLS.insecure`
`mcp.policies.extAuthz.(any)policies.backendTLS.insecureHost`
`mcp.policies.extAuthz.(any)policies.backendTLS.alpn`
`mcp.policies.extAuthz.(any)policies.backendTLS.subjectAltNames`
`mcp.policies.extAuthz.(any)policies.backendAuth`	Authenticate to the backend.
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)key`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.extAuthz.(any)policies.http`	Specify HTTP settings for the backend
`mcp.policies.extAuthz.(any)policies.http.version`
`mcp.policies.extAuthz.(any)policies.http.requestTimeout`
`mcp.policies.extAuthz.(any)policies.tcp`	Specify TCP settings for the backend
`mcp.policies.extAuthz.(any)policies.tcp.keepalives`
`mcp.policies.extAuthz.(any)policies.tcp.keepalives.enabled`
`mcp.policies.extAuthz.(any)policies.tcp.keepalives.time`
`mcp.policies.extAuthz.(any)policies.tcp.keepalives.interval`
`mcp.policies.extAuthz.(any)policies.tcp.keepalives.retries`
`mcp.policies.extAuthz.(any)policies.tcp.connectTimeout`
`mcp.policies.extAuthz.(any)policies.tcp.connectTimeout.secs`
`mcp.policies.extAuthz.(any)policies.tcp.connectTimeout.nanos`
`mcp.policies.extAuthz.(any)protocol`	The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended.
`mcp.policies.extAuthz.(any)protocol.(1)grpc`
`mcp.policies.extAuthz.(any)protocol.(1)grpc.context`	Additional context to send to the authorization service. This maps to the `context_extensions` field of the request, and only allows static values.
`mcp.policies.extAuthz.(any)protocol.(1)grpc.metadata`	Additional metadata to send to the authorization service. This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.
`mcp.policies.extAuthz.(any)protocol.(1)http`
`mcp.policies.extAuthz.(any)protocol.(1)http.path`
`mcp.policies.extAuthz.(any)protocol.(1)http.redirect`	When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error.
`mcp.policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders`	Specific headers from the authorization response will be copied into the request to the backend.
`mcp.policies.extAuthz.(any)protocol.(1)http.addRequestHeaders`	Specific headers to add in the authorization request (empty = all headers), based on the expression
`mcp.policies.extAuthz.(any)protocol.(1)http.metadata`	Metadata to include under the `extauthz` variable, based on the authorization response.
`mcp.policies.extAuthz.(any)failureMode`	Behavior when the authorization service is unavailable or returns an error
`mcp.policies.extAuthz.(any)failureMode.(1)denyWithStatus`
`mcp.policies.extAuthz.(any)includeRequestHeaders`	Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’.
`mcp.policies.extAuthz.(any)includeRequestBody`	Options for including the request body in the authorization request
`mcp.policies.extAuthz.(any)includeRequestBody.maxRequestBytes`	Maximum size of request body to buffer (default: 8192)
`mcp.policies.extAuthz.(any)includeRequestBody.allowPartialMessage`	If true, send partial body when max_request_bytes is reached
`mcp.policies.extAuthz.(any)includeRequestBody.packAsBytes`	If true, pack body as raw bytes in gRPC
`mcp.policies.extProc`	Extend agentgateway with an external processor
`mcp.policies.extProc.(any)(1)service`
`mcp.policies.extProc.(any)(1)service.name`
`mcp.policies.extProc.(any)(1)service.name.namespace`
`mcp.policies.extProc.(any)(1)service.name.hostname`
`mcp.policies.extProc.(any)(1)service.port`
`mcp.policies.extProc.(any)(1)host`	Hostname or IP address
`mcp.policies.extProc.(any)(1)backend`	Explicit backend reference. Backend must be defined in the top level backends list
`mcp.policies.extProc.(any)policies`	Policies to connect to the backend
`mcp.policies.extProc.(any)policies.requestHeaderModifier`	Headers to be modified in the request.
`mcp.policies.extProc.(any)policies.requestHeaderModifier.add`
`mcp.policies.extProc.(any)policies.requestHeaderModifier.set`
`mcp.policies.extProc.(any)policies.requestHeaderModifier.remove`
`mcp.policies.extProc.(any)policies.responseHeaderModifier`	Headers to be modified in the response.
`mcp.policies.extProc.(any)policies.responseHeaderModifier.add`
`mcp.policies.extProc.(any)policies.responseHeaderModifier.set`
`mcp.policies.extProc.(any)policies.responseHeaderModifier.remove`
`mcp.policies.extProc.(any)policies.requestRedirect`	Directly respond to the request with a redirect.
`mcp.policies.extProc.(any)policies.requestRedirect.scheme`
`mcp.policies.extProc.(any)policies.requestRedirect.authority`
`mcp.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full`
`mcp.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host`
`mcp.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port`
`mcp.policies.extProc.(any)policies.requestRedirect.path`
`mcp.policies.extProc.(any)policies.requestRedirect.path.(any)(1)full`
`mcp.policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix`
`mcp.policies.extProc.(any)policies.requestRedirect.status`
`mcp.policies.extProc.(any)policies.transformations`	Modify requests and responses sent to and from the backend.
`mcp.policies.extProc.(any)policies.transformations.request`
`mcp.policies.extProc.(any)policies.transformations.request.add`
`mcp.policies.extProc.(any)policies.transformations.request.set`
`mcp.policies.extProc.(any)policies.transformations.request.remove`
`mcp.policies.extProc.(any)policies.transformations.request.body`
`mcp.policies.extProc.(any)policies.transformations.response`
`mcp.policies.extProc.(any)policies.transformations.response.add`
`mcp.policies.extProc.(any)policies.transformations.response.set`
`mcp.policies.extProc.(any)policies.transformations.response.remove`
`mcp.policies.extProc.(any)policies.transformations.response.body`
`mcp.policies.extProc.(any)policies.backendTLS`	Send TLS to the backend.
`mcp.policies.extProc.(any)policies.backendTLS.cert`
`mcp.policies.extProc.(any)policies.backendTLS.key`
`mcp.policies.extProc.(any)policies.backendTLS.root`
`mcp.policies.extProc.(any)policies.backendTLS.hostname`
`mcp.policies.extProc.(any)policies.backendTLS.insecure`
`mcp.policies.extProc.(any)policies.backendTLS.insecureHost`
`mcp.policies.extProc.(any)policies.backendTLS.alpn`
`mcp.policies.extProc.(any)policies.backendTLS.subjectAltNames`
`mcp.policies.extProc.(any)policies.backendAuth`	Authenticate to the backend.
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)passthrough`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)key`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience`	Audience for the token. If not set, the destination host will be used.
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity`
`mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit`
`mcp.policies.extProc.(any)policies.http`	Specify HTTP settings for the backend
`mcp.policies.extProc.(any)policies.http.version`
`mcp.policies.extProc.(any)policies.http.requestTimeout`
`mcp.policies.extProc.(any)policies.tcp`	Specify TCP settings for the backend
`mcp.policies.extProc.(any)policies.tcp.keepalives`
`mcp.policies.extProc.(any)policies.tcp.keepalives.enabled`
`mcp.policies.extProc.(any)policies.tcp.keepalives.time`
`mcp.policies.extProc.(any)policies.tcp.keepalives.interval`
`mcp.policies.extProc.(any)policies.tcp.keepalives.retries`
`mcp.policies.extProc.(any)policies.tcp.connectTimeout`
`mcp.policies.extProc.(any)policies.tcp.connectTimeout.secs`
`mcp.policies.extProc.(any)policies.tcp.connectTimeout.nanos`
`mcp.policies.extProc.(any)failureMode`	Behavior when the ext_proc service is unavailable or returns an error
`mcp.policies.extProc.(any)metadataContext`	Additional metadata to send to the external processing service. Maps to the `metadata_context.filter_metadata` field in ProcessingRequest, and allows dynamic CEL expressions.
`mcp.policies.extProc.(any)requestAttributes`	Maps to the request `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`mcp.policies.extProc.(any)responseAttributes`	Maps to the response `attributes` field in ProcessingRequest, and allows dynamic CEL expressions.
`mcp.policies.transformations`	Modify requests and responses
`mcp.policies.transformations.request`
`mcp.policies.transformations.request.add`
`mcp.policies.transformations.request.set`
`mcp.policies.transformations.request.remove`
`mcp.policies.transformations.request.body`
`mcp.policies.transformations.response`
`mcp.policies.transformations.response.add`
`mcp.policies.transformations.response.set`
`mcp.policies.transformations.response.remove`
`mcp.policies.transformations.response.body`
`mcp.policies.csrf`	Handle CSRF protection by validating request origins against configured allowed origins.
`mcp.policies.csrf.additionalOrigins`
`mcp.policies.timeout`	Timeout requests that exceed the configured duration.
`mcp.policies.timeout.requestTimeout`
`mcp.policies.timeout.backendRequestTimeout`
`mcp.policies.retry`	Retry matching requests.
`mcp.policies.retry.attempts`
`mcp.policies.retry.backoff`
`mcp.policies.retry.codes`

CEL expressions

Configuration reference

Config file validation

Schema

What could be improved?