
Policy Engine API

The Policy Engine API provides programmatic control over Arbitex’s request enforcement layer. You can create and manage policy packs, define rules within those packs, configure the evaluation chain, and simulate policy decisions against synthetic requests — all without touching the admin UI.


The Policy Engine has three primary concepts:

Policy packs are named containers for rules. A pack groups related rules together — for example, a “Trading Desk Controls” pack or a compliance bundle for SOC 2. Each pack has a type: packs you create directly are custom packs; packs provided by Arbitex for compliance frameworks are bundle packs. Bundle packs are read-only; their contents cannot be modified.

Rules are the enforcement units inside a pack. Each rule has a set of conditions (user groups, entity types, content patterns, provider/model targets, etc.) and a single action to take when those conditions match. Rules within a pack are evaluated in ascending sequence order — lower sequence numbers evaluate first. For the complete list of conditions and actions, see Policy Rule Reference.

Policy chains define which packs are active for your organization and in what order. The org chain is evaluated for every request. Adding a pack to the chain activates it; removing a pack from the chain suspends it without deleting it. The chain also specifies the combining algorithm that governs how a terminal match in one pack interacts with remaining packs.

The combining_algorithm field on the chain controls what happens when a terminal rule fires:

first_applicable — The first terminal match wins and stops all further evaluation. Pack order and rule sequence numbers are the primary controls. This behaves like a stateful firewall: the most-specific rule you place earliest takes precedence. It is the recommended algorithm for organizations that want an allow-with-exceptions pattern — place narrow ALLOW rules before broad BLOCK rules and the ALLOW wins.

deny_overrides — If any rule anywhere in the chain produces a BLOCK or CANCEL, that result wins over any ALLOW, regardless of where the rules appear in the sequence. Evaluation continues past an ALLOW to check whether any remaining rule in any remaining pack produces a denial. Use this when your compliance posture requires that no allowlist rule can ever bypass a prohibition — for example, when a compliance bundle contains mandatory blocks that cannot be overridden by custom packs.
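The two combining algorithms, modelled locally to show which requests they decide differently. This is an added example, not Arbitex code: it assumes ALLOW, BLOCK and CANCEL are the terminal actions, supports only content_regex plus a hypothetical user_groups condition field, and runs on a constructed chain.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: ALLOW, BLOCK and CANCEL are the terminal action types.
TERMINAL = {"ALLOW", "BLOCK", "CANCEL"}
DENY = {"BLOCK", "CANCEL"}


@dataclass(frozen=True)
class Rule:
    name: str
    sequence: int
    action: str
    content_regex: Optional[str] = None   # condition field shown on the page
    user_groups: frozenset = frozenset()  # hypothetical condition field name

    def matches(self, prompt, groups):
        if self.content_regex and not re.search(self.content_regex, prompt):
            return False
        if self.user_groups and not self.user_groups & set(groups):
            return False
        return True  # a rule with no conditions is a catch-all


@dataclass(frozen=True)
class Pack:
    name: str
    sequence: int
    rules: tuple


def evaluate(chain, algorithm, prompt, groups):
    """Return (action, rule_name), or (None, None) when nothing terminal matches."""
    if algorithm not in ("first_applicable", "deny_overrides"):
        raise ValueError(f"unknown combining algorithm: {algorithm}")
    first_allow = None
    for pack in sorted(chain, key=lambda p: p.sequence):
        for rule in sorted(pack.rules, key=lambda r: r.sequence):
            if rule.action not in TERMINAL or not rule.matches(prompt, groups):
                continue
            hit = (rule.action, rule.name)
            if algorithm == "first_applicable" or rule.action in DENY:
                return hit  # first terminal match, or a denial that overrides
            first_allow = first_allow or hit  # deny_overrides: keep scanning for a denial
    return first_allow or (None, None)


def divergent_cases(chain, cases):
    """List the (prompt, groups) cases that the two algorithms decide differently."""
    out = []
    for prompt, groups in cases:
        fa = evaluate(chain, "first_applicable", prompt, groups)
        do = evaluate(chain, "deny_overrides", prompt, groups)
        if fa != do:
            out.append((prompt, fa[0], do[0]))
    return out


# Constructed chain: a narrow ALLOW pack placed ahead of a BLOCK pack.
CHAIN = (
    Pack("Research exceptions", 10,
         (Rule("Allow research group", 10, "ALLOW", user_groups=frozenset({"research"})),)),
    Pack("Trading Desk Controls", 20,
         (Rule("Block MNPI keyword mentions", 10, "BLOCK", content_regex=r"\bMNPI\b"),)),
)
# Constructed test requests.
CASES = [
    ("Summarize the MNPI from the board meeting", ["research"]),
    ("Draft a status update", ["research"]),
    ("Summarize the MNPI from the board meeting", ["employees"]),
]

if __name__ == "__main__":
    for prompt, fa, do in divergent_cases(CHAIN, CASES):
        print(f"{prompt!r}: first_applicable={fa} deny_overrides={do}")
```

Running a case list like this before switching combining_algorithm shows which existing ALLOW exceptions stop taking effect.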


All endpoints in this reference require an admin-scoped API key. Pass the key as a Bearer token in the Authorization header:

Authorization: Bearer arb_live_your-api-key-here

Requests made with a non-admin key receive 403 Forbidden. For API key management, see API Keys.


Base URL: https://api.arbitex.ai/api/admin

| Method | Path | Description |
| --- | --- | --- |
| GET | /policy-packs/ | List all packs with rule counts |
| POST | /policy-packs/ | Create a custom pack |
| GET | /policy-packs/{id} | Get pack detail including rules |
| PUT | /policy-packs/{id} | Update pack metadata |
| DELETE | /policy-packs/{id} | Delete a custom pack |

GET /api/admin/policy-packs/

Returns all policy packs visible to your organization: custom packs you have created and any compliance bundle packs that are active. Each item includes a rule_count computed field; use GET /policy-packs/{id} to retrieve the full rule list.

Response 200 OK — array of PolicyPackWithRuleCount

| Field | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |
| tenant_id | UUID \| null | Owning tenant. null for system bundle packs. |
| name | string | Display name |
| description | string | Free-text description |
| pack_type | string | "custom" or a compliance bundle type identifier |
| compliance_standard | string \| null | Associated compliance standard (e.g. "soc2", "hipaa"). null for custom packs. |
| version | string | Pack version string |
| is_active | bool | Whether the pack is currently active in an org chain |
| rule_count | int | Number of rules in the pack |
| created_at | datetime | ISO 8601 UTC |
| updated_at | datetime | ISO 8601 UTC |

curl https://api.arbitex.ai/api/admin/policy-packs/ \
-H "Authorization: Bearer arb_live_your-api-key-here"
[
{
"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"tenant_id": "b7e3c012-91d0-4a2e-89b5-f2abc8d1e3f4",
"name": "Trading Desk Controls",
"description": "Blocks MNPI keywords and restricts OpenAI access for the trading group.",
"pack_type": "custom",
"compliance_standard": null,
"version": "1.0.0",
"is_active": true,
"rule_count": 4,
"created_at": "2026-02-15T10:00:00Z",
"updated_at": "2026-03-01T14:22:00Z"
},
{
"id": "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f",
"tenant_id": null,
"name": "SOC 2 Baseline",
"description": "System bundle: SOC 2 Type II baseline policy rules.",
"pack_type": "soc2_baseline",
"compliance_standard": "soc2",
"version": "2.1.0",
"is_active": true,
"rule_count": 12,
"created_at": "2026-01-01T00:00:00Z",
"updated_at": "2026-01-01T00:00:00Z"
}
]

POST /api/admin/policy-packs/

Creates a new custom pack. Newly created packs have zero rules and are not added to any chain automatically. Add the pack to your org chain with PUT /api/admin/policy-chains/org to activate it.

Request body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Display name for the pack |
| description | string | No | Free-text description |

curl -X POST https://api.arbitex.ai/api/admin/policy-packs/ \
-H "Authorization: Bearer arb_live_your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"name": "Trading Desk Controls",
"description": "Blocks MNPI keywords and restricts OpenAI access for the trading group."
}'

Response 201 Created: PolicyPackWithRuleCount

{
"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"tenant_id": "b7e3c012-91d0-4a2e-89b5-f2abc8d1e3f4",
"name": "Trading Desk Controls",
"description": "Blocks MNPI keywords and restricts OpenAI access for the trading group.",
"pack_type": "custom",
"compliance_standard": null,
"version": "1.0.0",
"is_active": false,
"rule_count": 0,
"created_at": "2026-03-09T14:00:00Z",
"updated_at": "2026-03-09T14:00:00Z"
}

GET /api/admin/policy-packs/{id}

Returns a single pack including its complete rule list. Use this endpoint to inspect all rules in order before making changes.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |

curl https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6 \
-H "Authorization: Bearer arb_live_your-api-key-here"

Response 200 OK: PolicyPackDetail (extends PolicyPackWithRuleCount)

The response includes all fields from PolicyPackWithRuleCount plus a rules array. Each rule in the array is a PolicyRuleResponse object. See Policy Rule Reference for the full conditions and action field schemas.

{
"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"tenant_id": "b7e3c012-91d0-4a2e-89b5-f2abc8d1e3f4",
"name": "Trading Desk Controls",
"description": "Blocks MNPI keywords and restricts OpenAI access for the trading group.",
"pack_type": "custom",
"compliance_standard": null,
"version": "1.0.0",
"is_active": true,
"rule_count": 2,
"created_at": "2026-02-15T10:00:00Z",
"updated_at": "2026-03-01T14:22:00Z",
"rules": [
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"name": "Block MNPI keyword mentions",
"sequence": 10,
"applies_to": "input",
"conditions": {
"content_regex": "\\bMNPI\\b"
},
"action": {
"type": "BLOCK",
"message": "Requests referencing MNPI cannot be processed through this gateway."
},
"is_active": true,
"created_at": "2026-02-15T10:05:00Z",
"updated_at": "2026-02-15T10:05:00Z"
}
]
}

PUT /api/admin/policy-packs/{id}

Updates the name or description of a pack. This endpoint cannot be used to change pack_type, compliance_standard, or rule contents. Bundle packs can have their metadata updated by admins; bundle rule contents remain read-only.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |

Request body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | No | New display name |
| description | string | No | New description |

curl -X PUT https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6 \
-H "Authorization: Bearer arb_live_your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"name": "Trading Desk Controls v2",
"description": "Updated to include crypto-related keyword blocks."
}'

Response 200 OK: PolicyPackWithRuleCount with updated fields.


DELETE /api/admin/policy-packs/{id}

Permanently deletes a custom pack and all its rules. This operation cannot be undone. Bundle packs cannot be deleted — they are managed by Arbitex and shared across all tenants. Attempting to delete a bundle pack returns 403 Forbidden.

A pack that is currently in an org chain must be removed from the chain before it can be deleted. Attempting to delete a pack that is still in an active chain returns 409 Conflict.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier (custom packs only) |

curl -X DELETE \
https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6 \
-H "Authorization: Bearer arb_live_your-api-key-here"

Response 204 No Content on success.

| Status | Description |
| --- | --- |
| 204 | Pack deleted |
| 403 | Cannot delete a bundle pack |
| 404 | Pack not found |
| 409 | Pack is currently in an active chain |

Rules live inside packs and are evaluated in ascending sequence order. Rules with lower sequence numbers evaluate first within a pack.

| Method | Path | Description |
| --- | --- | --- |
| GET | /policy-packs/{id}/rules/ | List rules for a pack |
| POST | /policy-packs/{id}/rules/ | Add a rule to a pack |
| PUT | /policy-packs/{id}/rules/{rule_id} | Update a rule |
| DELETE | /policy-packs/{id}/rules/{rule_id} | Delete a rule |
| POST | /policy-packs/{id}/rules/reorder | Reorder rules by sequence number |

GET /api/admin/policy-packs/{id}/rules/

Returns all rules in a pack ordered by sequence number. This is also available as the rules field in the response from GET /policy-packs/{id}.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |

curl https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6/rules/ \
-H "Authorization: Bearer arb_live_your-api-key-here"

Response 200 OK — array of PolicyRuleResponse, ordered by sequence ascending.


POST /api/admin/policy-packs/{id}/rules/

Adds a new rule to a pack. The rule takes effect immediately for new requests once the pack is in an active chain.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |

Request body: PolicyRuleCreate

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Display name for the rule |
| sequence | integer (≥ 0) | Yes | Evaluation order within the pack. Lower numbers evaluate first. Use gaps (10, 20, 30) to leave room for insertions. |
| applies_to | string | No | Which traffic direction to scan. "input" (default), "output", or "both". |
| conditions | object | No | Conditions object. See Policy Rule Reference for all condition fields. Omit or set to {} for a catch-all rule. |
| action | object | Yes | Action object with a type field plus any action-specific fields. |
| is_active | bool | No | Whether the rule is active. Defaults to true. |

Action types: BLOCK, ALLOW, CANCEL, REDACT, ROUTE_TO, PROMPT. See Policy Rule Reference — Actions for the full action field schema.

curl -X POST \
https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6/rules/ \
-H "Authorization: Bearer arb_live_your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"name": "Block MNPI keyword mentions",
"sequence": 10,
"applies_to": "input",
"conditions": {
"content_regex": "\\bMNPI\\b"
},
"action": {
"type": "BLOCK",
"message": "Requests referencing MNPI cannot be processed through this gateway."
}
}'

Response 201 Created: PolicyRuleResponse

{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"name": "Block MNPI keyword mentions",
"sequence": 10,
"applies_to": "input",
"conditions": {
"content_regex": "\\bMNPI\\b"
},
"action": {
"type": "BLOCK",
"message": "Requests referencing MNPI cannot be processed through this gateway."
},
"is_active": true,
"created_at": "2026-03-09T15:00:00Z",
"updated_at": "2026-03-09T15:00:00Z"
}

PUT /api/admin/policy-packs/{id}/rules/{rule_id}

Updates an existing rule. All fields in the request body replace the current values — supply all fields you want to retain, not just the changed ones. The rule takes effect for new requests immediately.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |
| rule_id | UUID | Rule identifier |

Request body — same fields as PolicyRuleCreate. All fields are optional in an update; omitted fields retain their current values.

curl -X PUT \
"https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6/rules/a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
-H "Authorization: Bearer arb_live_your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"name": "Block MNPI keyword mentions",
"sequence": 10,
"applies_to": "both",
"conditions": {
"content_regex": "\\bMNPI\\b"
},
"action": {
"type": "BLOCK",
"message": "Requests referencing MNPI cannot be processed through this gateway."
}
}'

Response 200 OK: PolicyRuleResponse with updated fields.


DELETE /api/admin/policy-packs/{id}/rules/{rule_id}

Permanently removes a rule from a pack. The deletion takes effect for new requests immediately. This operation cannot be undone.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |
| rule_id | UUID | Rule identifier |

curl -X DELETE \
"https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6/rules/a1b2c3d4-e5f6-7890-abcd-ef1234567890" \
-H "Authorization: Bearer arb_live_your-api-key-here"

Response 204 No Content on success.


POST /api/admin/policy-packs/{id}/rules/reorder

Updates the sequence numbers for multiple rules in a single atomic operation. Use this to restructure evaluation order without individually updating each rule. Sequence numbers do not need to be contiguous — using gaps such as 10, 20, 30 is recommended.

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Pack identifier |

Request body: ReorderRequest

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| entries | array | Yes | List of {id: UUID, sequence: integer (≥ 0)} objects. Each entry maps a rule ID to its new sequence number. |

All rules referenced in entries must belong to the specified pack. Rules not listed in entries retain their current sequence numbers.

curl -X POST \
"https://api.arbitex.ai/api/admin/policy-packs/3fa85f64-5717-4562-b3fc-2c963f66afa6/rules/reorder" \
-H "Authorization: Bearer arb_live_your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"entries": [
{ "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "sequence": 10 },
{ "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "sequence": 20 },
{ "id": "c3d4e5f6-a7b8-9012-cdef-123456789012", "sequence": 30 }
]
}'

Response 200 OK — updated array of PolicyRuleResponse for all rules in the pack, ordered by the new sequence numbers.


The policy chain defines the active set of packs and their evaluation order for your organization. At this time, Arbitex supports one chain per organization (the org chain).

| Method | Path | Description |
| --- | --- | --- |
| GET | /policy-chains/ | List all chains |
| PUT | /policy-chains/org | Update the org chain |
| POST | /policy-chains/simulate | Simulate policy evaluation |

GET /api/admin/policy-chains/

Returns all policy chains for your organization. Currently returns one item: the org chain.

curl https://api.arbitex.ai/api/admin/policy-chains/ \
-H "Authorization: Bearer arb_live_your-api-key-here"

Response 200 OK — array of PolicyChainResponse

PolicyChainResponse fields:

| Field | Type | Description |
| --- | --- | --- |
| id | UUID | Chain identifier |
| scope | string | Chain scope. Currently always "org". |
| combining_algorithm | string | "first_applicable" or "deny_overrides" |
| packs | array | Ordered list of PolicyChainEntryResponse objects |
| created_at | datetime | ISO 8601 UTC |
| updated_at | datetime | ISO 8601 UTC |

PolicyChainEntryResponse fields (elements of packs):

| Field | Type | Description |
| --- | --- | --- |
| id | UUID | Chain entry identifier (not the pack ID) |
| pack_id | UUID | Referenced pack identifier |
| pack_name | string | Pack display name at time of last chain update |
| pack_type | string | "custom" or bundle type |
| rule_count | int | Current rule count in the pack |
| sequence | int | Evaluation order within the chain. Lower numbers evaluate first. |
| is_active | bool | Whether this pack is currently active in the chain |

[
{
"id": "d4e5f6a7-b8c9-0123-defa-234567890123",
"scope": "org",
"combining_algorithm": "first_applicable",
"packs": [
{
"id": "e5f6a7b8-c9d0-1234-efab-345678901234",
"pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"pack_name": "Trading Desk Controls",
"pack_type": "custom",
"rule_count": 4,
"sequence": 10,
"is_active": true
},
{
"id": "f6a7b8c9-d0e1-2345-fabc-456789012345",
"pack_id": "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f",
"pack_name": "SOC 2 Baseline",
"pack_type": "soc2_baseline",
"rule_count": 12,
"sequence": 20,
"is_active": true
}
],
"created_at": "2026-01-15T09:00:00Z",
"updated_at": "2026-03-01T14:30:00Z"
}
]

PUT /api/admin/policy-chains/org

Replaces the org chain configuration in a single atomic operation. This endpoint controls:

  1. Which packs are in the chain — only packs referenced in packs will be active after the update.
  2. Evaluation order — packs are evaluated in ascending sequence order.
  3. The combining algorithm: "first_applicable" or "deny_overrides".

The update is atomic. The previous chain configuration is replaced entirely. Any pack not included in the packs array is removed from the chain (but not deleted).

Request body: PolicyChainUpdateRequest

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| packs | array | Yes | Ordered list of {id: UUID, sequence: integer} entries. id is the pack UUID (not the chain entry UUID). |
| combining_algorithm | string | No | "first_applicable" (default) or "deny_overrides". See Overview for semantics. |

Pack ordering guidance:

A typical org chain follows this pattern from lowest to highest sequence number:

  1. Custom allowlist / exception rules (sequence 10–30) — narrow ALLOW rules that carve exceptions for specific groups or models. Must be early so they can fire before BLOCK rules when using first_applicable.
  2. Compliance bundle packs (sequence 40–60) — Arbitex-provided packs for active frameworks (SOC 2, HIPAA, etc.).
  3. Custom restriction rules (sequence 70–90) — custom BLOCK, REDACT, and PROMPT rules for your organization’s policies.
  4. Catch-all block (sequence 999, optional) — a pack with a single no-conditions BLOCK rule for a deny-all posture.

curl -X PUT https://api.arbitex.ai/api/admin/policy-chains/org \
-H "Authorization: Bearer arb_live_your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"packs": [
{ "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6", "sequence": 10 },
{ "id": "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f", "sequence": 20 }
],
"combining_algorithm": "first_applicable"
}'

Response 200 OK: PolicyChainResponse reflecting the updated chain.

{
"id": "d4e5f6a7-b8c9-0123-defa-234567890123",
"scope": "org",
"combining_algorithm": "first_applicable",
"packs": [
{
"id": "e5f6a7b8-c9d0-1234-efab-345678901234",
"pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"pack_name": "Trading Desk Controls",
"pack_type": "custom",
"rule_count": 4,
"sequence": 10,
"is_active": true
},
{
"id": "f6a7b8c9-d0e1-2345-fabc-456789012345",
"pack_id": "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f",
"pack_name": "SOC 2 Baseline",
"pack_type": "soc2_baseline",
"rule_count": 12,
"sequence": 20,
"is_active": true
}
],
"created_at": "2026-01-15T09:00:00Z",
"updated_at": "2026-03-09T15:00:00Z"
}
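Because this PUT replaces the chain wholesale, a pre-flight diff of the current chain against the proposed body catches packs that would drop out and a combining algorithm that would revert to the default by omission. This is an added example, not Arbitex tooling: review_chain_update and the severity labels are hypothetical, and both payloads are constructed from the page's sample IDs.

```python
import json

# Constructed sample: the page's example org chain, trimmed to the fields
# used here, with combining_algorithm set to "deny_overrides" for illustration.
CURRENT_CHAIN = json.loads("""
{
  "combining_algorithm": "deny_overrides",
  "packs": [
    {"pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
     "pack_name": "Trading Desk Controls", "pack_type": "custom", "sequence": 10},
    {"pack_id": "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f",
     "pack_name": "SOC 2 Baseline", "pack_type": "soc2_baseline", "sequence": 20}
  ]
}
""")

# Constructed PolicyChainUpdateRequest body: lists one pack, omits the algorithm.
PROPOSED_UPDATE = {
    "packs": [{"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6", "sequence": 10}]
}


def review_chain_update(current, proposed):
    """Compare a PolicyChainResponse with a proposed update body.

    Returns a list of (severity, message) tuples; an empty list means the
    update leaves membership, order and algorithm unchanged.
    """
    findings = []
    current_by_id = {p["pack_id"]: p for p in current["packs"]}
    proposed_ids = [p["id"] for p in proposed["packs"]]

    for pack_id in sorted({i for i in proposed_ids if proposed_ids.count(i) > 1}):
        findings.append(("error", f"pack {pack_id} is listed more than once"))

    # Any pack missing from the body leaves the chain; bundle packs
    # (pack_type other than "custom") are flagged at higher severity.
    for pack_id, pack in current_by_id.items():
        if pack_id not in proposed_ids:
            severity = "warn" if pack["pack_type"] == "custom" else "high"
            findings.append((
                severity,
                f"{pack['pack_name']} ({pack['pack_type']}) would be removed from the chain",
            ))

    # The request table gives "first_applicable" as the default when omitted.
    old_algo = current["combining_algorithm"]
    new_algo = proposed.get("combining_algorithm", "first_applicable")
    if new_algo != old_algo:
        how = "explicitly" if "combining_algorithm" in proposed else "by omission (default)"
        findings.append((
            "high",
            f"combining_algorithm changes from {old_algo} to {new_algo} {how}",
        ))

    def by_seq(entry):
        return entry["sequence"]

    old_order = [p["pack_id"] for p in sorted(current["packs"], key=by_seq)
                 if p["pack_id"] in proposed_ids]
    new_order = [p["id"] for p in sorted(proposed["packs"], key=by_seq)
                 if p["id"] in current_by_id]
    if old_order != new_order:
        findings.append(("warn", "relative order of retained packs changes"))
    return findings


if __name__ == "__main__":
    for severity, message in review_chain_update(CURRENT_CHAIN, PROPOSED_UPDATE):
        print(f"[{severity}] {message}")
```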

POST /api/admin/policy-chains/simulate

Runs a synthetic request through the full policy evaluation pipeline without forwarding to any AI provider. Use this to verify rule behavior before placing a pack in the active chain, or to debug why a live request was handled in an unexpected way.

The simulator uses the same rule evaluation logic as the live gateway. It does not create any audit log entries — simulation results are ephemeral.

Request body: PolicySimulateRequest

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| prompt | string (min length 1) | Yes | The prompt text to evaluate against the policy chain. Include content that is expected to trigger the rules you are testing. |
| provider | string | Yes | Provider identifier for the simulated request (e.g., "openai", "anthropic"). |
| model | string | Yes | Model identifier for the simulated request (e.g., "gpt-4o", "claude-sonnet-4-20250514"). |
| user_groups | string[] | Yes | List of group names to simulate for the user. These override any real user’s group membership — use this to test rules without needing a real user in the target groups. |

curl -X POST https://api.arbitex.ai/api/admin/policy-chains/simulate \
-H "Authorization: Bearer arb_live_your-api-key-here" \
-H "Content-Type: application/json" \
-d '{
"prompt": "Can you help me analyze the MNPI disclosed in the board meeting?",
"provider": "openai",
"model": "gpt-4o",
"user_groups": ["trading-desk", "employees"]
}'

Response 200 OK: PolicySimulateResponse

| Field | Type | Description |
| --- | --- | --- |
| matched | bool | true if any rule in the chain produced a terminal match |
| matched_pack_id | UUID \| null | Pack containing the matched rule. null if no match. |
| matched_pack_name | string \| null | Name of the matched pack. null if no match. |
| matched_rule_id | UUID \| null | ID of the matched rule. null if no match. |
| matched_rule_name | string \| null | Name of the matched rule. null if no match. |
| matched_sequence | integer \| null | Sequence number of the matched rule. null if no match. |
| action | object \| null | The full action object from the matched rule. null if no match. |
| match_reason | string \| null | Human-readable description of why the rule matched. null if no match. |
| evaluation_trace | array | Ordered list of PolicySimRuleTrace objects — one per rule evaluated, in the order the engine evaluated them. |

PolicySimRuleTrace fields:

| Field | Type | Description |
| --- | --- | --- |
| pack_id | UUID | Pack containing this rule |
| pack_name | string | Pack name |
| rule_id | UUID | Rule identifier |
| rule_name | string | Rule name |
| sequence | int | Rule sequence number |
| matched | bool | Whether this rule matched the simulated request |
| match_reason | string \| null | Why this specific rule matched or did not match. null if the rule did not match. |

The evaluation_trace array is the primary debugging tool. Each entry corresponds to one rule that the engine considered, in the order of evaluation. The trace stops at the terminal match — no entries appear after the first matching terminal rule.

A rule entry with "matched": false means the engine evaluated the rule and the conditions were not satisfied. The match_reason is null for non-matching rules.

A rule entry with "matched": true is the rule that fired. The match_reason describes which conditions were met.

If matched is false on the top-level response (no terminal match anywhere in the chain), the trace shows all rules that were evaluated and their outcomes. This is useful for diagnosing why an expected BLOCK rule did not fire — look for the rule in the trace and read its match_reason.

Request:

{
"prompt": "Can you help me analyze the MNPI disclosed in the board meeting?",
"provider": "openai",
"model": "gpt-4o",
"user_groups": ["trading-desk", "employees"]
}

Response:

{
"matched": true,
"matched_pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"matched_pack_name": "Trading Desk Controls",
"matched_rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"matched_rule_name": "Block MNPI keyword mentions",
"matched_sequence": 10,
"action": {
"type": "BLOCK",
"message": "Requests referencing MNPI cannot be processed through this gateway."
},
"match_reason": "content_regex matched pattern '\\bMNPI\\b' in prompt",
"evaluation_trace": [
{
"pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"pack_name": "Trading Desk Controls",
"rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"rule_name": "Block MNPI keyword mentions",
"sequence": 10,
"matched": true,
"match_reason": "content_regex matched pattern '\\bMNPI\\b' in prompt"
}
]
}

The trace shows a single evaluated rule. The engine stopped at sequence 10 because it produced a terminal BLOCK match under first_applicable. The SOC 2 Baseline pack (sequence 20) was not reached.

If no rule matches, the top-level matched is false and action is null. The request would proceed to the AI provider on a live request.

{
"matched": false,
"matched_pack_id": null,
"matched_pack_name": null,
"matched_rule_id": null,
"matched_rule_name": null,
"matched_sequence": null,
"action": null,
"match_reason": null,
"evaluation_trace": [
{
"pack_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"pack_name": "Trading Desk Controls",
"rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"rule_name": "Block MNPI keyword mentions",
"sequence": 10,
"matched": false,
"match_reason": null
},
{
"pack_id": "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f",
"pack_name": "SOC 2 Baseline",
"rule_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
"rule_name": "Block PII exfiltration — SSN",
"sequence": 10,
"matched": false,
"match_reason": null
}
]
}
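A simulate response can be checked mechanically: compare the decision with what a test case expects, and list the active packs that never appear in evaluation_trace because an earlier terminal match stopped evaluation. This is an added example, not Arbitex tooling: summarize and check_cases are hypothetical names, and the inputs are constructed by trimming the page's sample responses to the fields read here.

```python
# Constructed inputs, trimmed from the page's PolicyChainResponse and
# PolicySimulateResponse examples.
TRADING = "3fa85f64-5717-4562-b3fc-2c963f66afa6"
SOC2 = "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f"
MNPI_RULE = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
SSN_RULE = "b2c3d4e5-f6a7-8901-bcde-f12345678901"

ORG_CHAIN = {"packs": [
    {"pack_id": TRADING, "pack_name": "Trading Desk Controls",
     "rule_count": 4, "sequence": 10, "is_active": True},
    {"pack_id": SOC2, "pack_name": "SOC 2 Baseline",
     "rule_count": 12, "sequence": 20, "is_active": True},
]}
BLOCKED = {
    "matched": True,
    "matched_rule_id": MNPI_RULE,
    "matched_rule_name": "Block MNPI keyword mentions",
    "action": {"type": "BLOCK"},
    "evaluation_trace": [{"pack_id": TRADING, "rule_id": MNPI_RULE, "matched": True}],
}
NO_MATCH = {
    "matched": False,
    "matched_rule_id": None,
    "matched_rule_name": None,
    "action": None,
    "evaluation_trace": [
        {"pack_id": TRADING, "rule_id": MNPI_RULE, "matched": False},
        {"pack_id": SOC2, "rule_id": SSN_RULE, "matched": False},
    ],
}


def summarize(chain, response):
    """Reduce a simulate response to its decision and the packs never evaluated."""
    seen = {entry["pack_id"] for entry in response["evaluation_trace"]}
    unreached = [
        p["pack_name"]
        for p in sorted(chain["packs"], key=lambda p: p["sequence"])
        if p["is_active"] and p["rule_count"] > 0 and p["pack_id"] not in seen
    ]
    action = response["action"]["type"] if response["matched"] else None
    return {"action": action, "rule": response["matched_rule_name"],
            "unreached_packs": unreached}


def check_cases(chain, cases):
    """cases: (label, expected action type or None, simulate response) tuples."""
    failures = []
    for label, expected_action, response in cases:
        got = summarize(chain, response)["action"]
        if got != expected_action:
            failures.append(f"{label}: expected {expected_action}, got {got}")
        # The page states the trace stops at the terminal match, so on a
        # matched response the last trace entry should be the matched rule.
        if response["matched"]:
            trace = response["evaluation_trace"]
            last = trace[-1] if trace else None
            if not last or not last["matched"] or last["rule_id"] != response["matched_rule_id"]:
                failures.append(f"{label}: trace does not end at the matched rule")
    return failures


if __name__ == "__main__":
    print(summarize(ORG_CHAIN, BLOCKED))
    print(check_cases(ORG_CHAIN, [("mnpi prompt", "BLOCK", BLOCKED),
                                  ("benign prompt", None, NO_MATCH)]))
```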

GET /api/admin/policy-packs/bundles/

Returns the list of system bundle packs available to your organization. Bundle packs are pre-configured policy packs maintained by Arbitex for specific compliance frameworks (SOC 2, HIPAA, GDPR, and others). Their rules are managed by Arbitex and updated when framework requirements change.

Bundle packs are read-only. You cannot create, modify, or delete bundle packs or their rules. To activate a bundle pack for your organization, add it to your org chain using PUT /api/admin/policy-chains/org.

curl https://api.arbitex.ai/api/admin/policy-packs/bundles/ \
-H "Authorization: Bearer arb_live_your-api-key-here"

Response 200 OK — array of PolicyPackWithRuleCount where pack_type is a bundle type identifier and tenant_id is null.

[
{
"id": "9c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f",
"tenant_id": null,
"name": "SOC 2 Baseline",
"description": "Baseline policy rules for SOC 2 Type II compliance. Covers data handling, access restrictions, and audit trail requirements.",
"pack_type": "soc2_baseline",
"compliance_standard": "soc2",
"version": "2.1.0",
"is_active": false,
"rule_count": 12,
"created_at": "2026-01-01T00:00:00Z",
"updated_at": "2026-01-01T00:00:00Z"
},
{
"id": "0a1b2c3d-4e5f-6789-0abc-def123456789",
"tenant_id": null,
"name": "HIPAA Safeguards",
"description": "Policy rules implementing HIPAA minimum necessary and PHI handling requirements.",
"pack_type": "hipaa_safeguards",
"compliance_standard": "hipaa",
"version": "1.3.0",
"is_active": false,
"rule_count": 8,
"created_at": "2026-01-01T00:00:00Z",
"updated_at": "2026-02-15T00:00:00Z"
}
]

The is_active field reflects whether this bundle is currently in your org chain. To see the full rule contents of a bundle pack, use GET /api/admin/policy-packs/{id} with the bundle pack’s id.


| Status | Description |
| --- | --- |
| 400 Bad Request | Missing required field, invalid field value, or validation failure (e.g., sequence is negative, regex is unsafe) |
| 403 Forbidden | API key does not have admin permissions, or the operation is not permitted on the target resource (e.g., attempting to delete a bundle pack) |
| 404 Not Found | Pack or rule not found |
| 409 Conflict | Operation conflicts with current state (e.g., deleting a pack that is in an active chain) |
| 422 Unprocessable Entity | Request body schema is valid but contains logically invalid values |