Governance policies define which AI providers can handle your organization’s requests. Create policies based on trust tiers, compliance requirements, and enforcement rules.
Policy Schema
interface GovernancePolicy {
  id: string; // "gpol_xxx" - Auto-generated
  orgId: string; // Organization ID
  name: string; // Human-readable name
  description?: string; // Optional description
  tagSlot?: number; // 1-12, or null for default
  isDefault: boolean; // Is this the default policy?
  isActive: boolean; // Is policy active?
  rules: PolicyRules; // Policy rules
  createdAt: string; // ISO timestamp
  updatedAt: string; // ISO timestamp
}

interface PolicyRules {
  // Trust tier requirements
  minimumTrustTier?: "most_trusted" | "trusted" | "sketchy";

  // Compliance requirements
  blockChinaProviders: boolean; // Block China-based providers
  requireZdr: boolean; // Require Zero Data Retention
  requireBaa: boolean; // Require BAA available
  requireHipaa: boolean; // Require HIPAA compliance
  requireSoc2: boolean; // Require SOC 2 Type II

  // Provider lists
  providerAllowlist?: string[]; // Only allow these providers
  providerBlocklist?: string[]; // Block these providers

  // Enforcement
  enforcement: "hard_block" | "soft_block" | "warn";
}
Create a Policy
curl -X POST https://api.case.dev/governance \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"name": "Production - HIPAA Compliant",
"description": "Only HIPAA-certified providers with BAA",
"tagSlot": 1,
"isDefault": true,
"rules": {
"minimumTrustTier": "most_trusted",
"blockChinaProviders": true,
"requireHipaa": true,
"requireBaa": true,
"enforcement": "hard_block"
}
}'
{
  "id": "gpol_abc123",
  "orgId": "org_xxx",
  "name": "Production - HIPAA Compliant",
  "description": "Only HIPAA-certified providers with BAA",
  "tagSlot": 1,
  "isDefault": true,
  "isActive": true,
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireZdr": false,
    "requireBaa": true,
    "requireHipaa": true,
    "requireSoc2": false,
    "enforcement": "hard_block"
  },
  "createdAt": "2025-01-10T14:30:00Z",
  "updatedAt": "2025-01-10T14:30:00Z"
}
Policy Templates
HIPAA-Compliant Production
For healthcare and PHI handling:
{
  "name": "Production - HIPAA",
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireHipaa": true,
    "requireBaa": true,
    "enforcement": "hard_block"
  }
}
Allowed providers: Anthropic, OpenAI, Azure, Google Vertex AI, AWS Bedrock, Cohere
SOC 2 Type II Only
For enterprise security requirements:
{
  "name": "Enterprise - SOC 2",
  "rules": {
    "minimumTrustTier": "trusted",
    "blockChinaProviders": true,
    "requireSoc2": true,
    "enforcement": "hard_block"
  }
}
Allowed providers: All Most Trusted + Groq, DeepInfra, Fireworks, Together AI, Mistral, Cohere
EU Data Residency
For GDPR and EU data sovereignty:
{
  "name": "EU Data Residency",
  "rules": {
    "blockChinaProviders": true,
    "providerAllowlist": ["anthropic", "mistral", "deepinfra", "azure"],
    "enforcement": "hard_block"
  }
}
Note: Verify each provider’s EU region availability for your use case.
Zero Data Retention
For maximum data protection:
{
  "name": "Zero Data Retention",
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireZdr": true,
    "enforcement": "hard_block"
  }
}
Development / Permissive
For testing and development environments:
{
  "name": "Development",
  "rules": {
    "minimumTrustTier": "trusted",
    "blockChinaProviders": true,
    "enforcement": "warn"
  }
}
Development Only: Use warn enforcement only in development. Production should use hard_block.
Strict Allowlist
Allow only specific approved providers:
{
  "name": "Approved Vendors Only",
  "rules": {
    "providerAllowlist": ["anthropic", "openai"],
    "blockChinaProviders": true,
    "enforcement": "hard_block"
  }
}
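An added example, not part of the case.dev documentation or SDK: a pre-submission lint for policy payloads such as the templates above, written in TypeScript to match the schema. The `lintPolicy` function, the `DeployEnv` label and the sample drafts are assumptions made for illustration; how the API treats a provider that appears on both lists is not stated on this page.

```typescript
// Added example, not case.dev code. Flags are optional because the page's templates omit unset ones.
interface DraftRules {
  minimumTrustTier?: "most_trusted" | "trusted" | "sketchy";
  blockChinaProviders?: boolean;
  requireBaa?: boolean;
  requireHipaa?: boolean;
  providerAllowlist?: string[];
  providerBlocklist?: string[];
  enforcement: "hard_block" | "soft_block" | "warn";
}
interface PolicyDraft { name: string; tagSlot?: number | null; rules: DraftRules; }
// Hypothetical label supplied by the caller, for example by the CI job.
type DeployEnv = "production" | "staging" | "development";
function lintPolicy(draft: PolicyDraft, env: DeployEnv): string[] {
  const findings: string[] = [];
  const rules = draft.rules;
  const slot = draft.tagSlot;
  if (slot !== undefined && slot !== null && (Math.floor(slot) !== slot || slot < 1 || slot > 12)) {
    findings.push(`tagSlot ${slot} is outside the 1-12 range`);
  }
  // The page reserves warn for development and expects hard_block in production.
  if (env === "production" && rules.enforcement !== "hard_block") {
    findings.push(`enforcement '${rules.enforcement}' on a production policy`);
  }
  // The page's HIPAA template sets both flags; one without the other looks like an omission.
  if (rules.requireHipaa === true && rules.requireBaa !== true) {
    findings.push("requireHipaa is set without requireBaa");
  }
  const allow = rules.providerAllowlist;
  if (allow !== undefined && allow.length === 0) {
    findings.push("providerAllowlist is present but empty");
  }
  // Precedence between the two lists is not documented on the page, so overlap is an error.
  const block = (rules.providerBlocklist || []).map((s) => s.toLowerCase());
  for (const slug of allow || []) {
    if (block.indexOf(slug.toLowerCase()) !== -1) {
      findings.push(`provider '${slug}' is on both allowlist and blocklist`);
    }
  }
  return findings;
}
// Constructed drafts: the page's HIPAA template and a deliberately flawed payload.
const HIPAA_DRAFT: PolicyDraft = { name: "Production - HIPAA", tagSlot: 1, rules: {
  minimumTrustTier: "most_trusted", blockChinaProviders: true, requireHipaa: true,
  requireBaa: true, enforcement: "hard_block" } };
const FLAWED_DRAFT: PolicyDraft = { name: "Flawed (constructed)", tagSlot: 13, rules: {
  requireHipaa: true, providerAllowlist: ["anthropic", "openai"],
  providerBlocklist: ["OpenAI"], enforcement: "warn" } };
```

Run it in CI against each policy file before the POST or PATCH; an empty result means none of these checks fired, not that the policy is sufficient.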
Tag Slots
Tag slots (1-12) allow you to assign policies to specific use cases and select them at request time.
┌─────────────────────────────────────────────────────────────┐
│                    Organization Policies                    │
├──────┬────────────────────────┬─────────────────────────────┤
│ Slot │ Policy Name            │ Use Case                    │
├──────┼────────────────────────┼─────────────────────────────┤
│ 1    │ Production - HIPAA     │ PHI handling                │
│ 2    │ Development            │ Testing & dev               │
│ 3    │ EU Data Residency      │ European customers          │
│ 4    │ Financial Services     │ SOX compliance              │
│ -    │ (Default)              │ All other requests          │
└──────┴────────────────────────┴─────────────────────────────┘
Select Policy by Slot
curl -X POST https://api.case.dev/llm/v1/chat/completions \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"model": "claude-sonnet-4-20250514",
"messages": [{"role": "user", "content": "Analyze this patient record"}],
"governance_policy": 1
}'
List Policies
curl https://api.case.dev/governance \
-H "Authorization: Bearer sk_case_xxx"
{
  "policies": [
    {
      "id": "gpol_abc123",
      "name": "Production - HIPAA",
      "tagSlot": 1,
      "isDefault": true,
      "isActive": true,
      "rules": {
        "minimumTrustTier": "most_trusted",
        "requireHipaa": true,
        "requireBaa": true
      }
    },
    {
      "id": "gpol_def456",
      "name": "Development",
      "tagSlot": 2,
      "isDefault": false,
      "isActive": true,
      "rules": {
        "minimumTrustTier": "trusted",
        "enforcement": "warn"
      }
    }
  ]
}
Update a Policy
curl -X PATCH https://api.case.dev/governance/gpol_abc123 \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"rules": {
"requireSoc2": true
}
}'
Delete a Policy
curl -X DELETE https://api.case.dev/governance/gpol_abc123 \
-H "Authorization: Bearer sk_case_xxx"
Cannot Delete Default: You cannot delete the default policy. Set another policy as default first.
Enforcement Modes
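┌────────────┬────────────────────────────────────┬─────────────┐
│ Mode       │ Behavior                           │ Use Case    │
├────────────┼────────────────────────────────────┼─────────────┤
│ hard_block │ Request fails with 403             │ Production  │
│ soft_block │ Request fails, logged as violation │ Staging     │
│ warn       │ Request proceeds, violation logged │ Development │
└────────────┴────────────────────────────────────┴─────────────┘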
Hard Block Response
{
  "error": {
    "message": "Request blocked by governance policy",
    "type": "governance_blocked",
    "code": "GOVERNANCE_BLOCKED",
    "violations": [
      "Provider 'deepseek' is China-based and blocked by policy",
      "Provider 'deepseek' does not meet minimum trust tier 'most_trusted'"
    ]
  }
}
Warn Mode Response
The request succeeds, but the response includes a violation header:
X-Governance-Violations: Provider 'groq' does not have BAA available
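An added example, not case.dev code: classifying responses so that warn-mode violations, which arrive only as a header on a successful request, reach the audit trail alongside hard blocks. `classifyResponse`, the `GatewayResponse` shape and the sample responses are constructed for illustration from the body and header shown above; the `soft_block` response shape is not shown on this page, so it is not handled.

```typescript
// Added example, not case.dev code: classify gateway responses for audit logging.
interface GatewayResponse {
  status: number;
  headers: { [name: string]: string };
  body: { error?: { code?: string; violations?: string[] } };
}
interface GovernanceEvent {
  outcome: "blocked" | "warned" | "no_violation";
  violations: string[];
  providers: string[];
}
// HTTP header names are case-insensitive, so match the name that way.
function headerValue(headers: { [name: string]: string }, wanted: string): string | undefined {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted.toLowerCase()) return headers[key];
  }
  return undefined;
}
// Assumption: messages name the provider as Provider '<slug>', as the page's samples do.
function providersIn(violations: string[]): string[] {
  const slugs: string[] = [];
  for (const text of violations) {
    const m = /Provider '([^']+)'/.exec(text);
    const slug = m === null ? undefined : m[1];
    if (slug !== undefined && slugs.indexOf(slug) === -1) slugs.push(slug);
  }
  return slugs.sort();
}
function classifyResponse(res: GatewayResponse): GovernanceEvent {
  const err = res.body.error;
  if (res.status === 403 && err !== undefined && err.code === "GOVERNANCE_BLOCKED") {
    const violations = err.violations || [];
    return { outcome: "blocked", violations, providers: providersIn(violations) };
  }
  // In warn mode the request succeeds, so this header is the only signal the caller receives.
  const warned = (headerValue(res.headers, "X-Governance-Violations") || "").trim();
  if (warned !== "") {
    // The page shows one message; how several are joined is not documented, so keep it whole.
    return { outcome: "warned", violations: [warned], providers: providersIn([warned]) };
  }
  return { outcome: "no_violation", violations: [], providers: [] };
}
// Constructed responses modelled on the page's hard-block body and warn-mode header.
const SAMPLE_BLOCKED: GatewayResponse = { status: 403, headers: {}, body: { error: {
  code: "GOVERNANCE_BLOCKED", violations: [
    "Provider 'deepseek' is China-based and blocked by policy",
    "Provider 'deepseek' does not meet minimum trust tier 'most_trusted'"] } } };
const SAMPLE_WARNED: GatewayResponse = { status: 200, body: {},
  headers: { "x-governance-violations": "Provider 'groq' does not have BAA available" } };
```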
Validate a Policy
Test which providers a rule set would allow before creating the policy:
curl -X POST https://api.case.dev/governance/validate \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"rules": {
"minimumTrustTier": "most_trusted",
"requireHipaa": true,
"requireBaa": true
}
}'
{
  "valid": true,
  "allowedProviders": ["anthropic", "openai", "azure", "google", "bedrock", "cohere"],
  "blockedProviders": [
    {
      "slug": "groq",
      "reason": "BAA not available"
    },
    {
      "slug": "deepseek",
      "reason": "China-based provider"
    }
  ],
  "warnings": []
}
Next Steps
Provider Registry: View all providers with compliance data.
Audit Logging: Track policy decisions and generate reports.