Smart Control Core (settings)
Audience: Control Plane administrators, security engineers
Time: ~10 min
Prerequisites: Admin access to Settings → Smart Control Core (/settings/smart-cc); outbound HTTPS allowed to your LLM provider unless you use Native (local).
Use this page to configure the Smart Control Core Agent (SCCA): LLM provider credentials, optional per-environment overrides, built-in Rego authoring guidance, telemetry to external models, and diagnostics.
What
- Agent on/off — shows or hides the floating Smart Control Core command bar.
- Styling — background tint and dock position.
- AI permissions — Allow metadata access includes PIP attribute names/types and curated resource inventory in prompts (not live PIP record values).
- LLM provider — Groq, OpenAI-compatible vendors, Azure OpenAI, Anthropic-compatible endpoints, Native (local inference), etc.
- Provider API key — stored server-side; never returned in plaintext after save. Use Test connection to validate credentials.
- Control guidance — Guidance profile tag plus Additional skills / Custom rules text you control. A built-in Rego authoring skill is always prepended; uploaded text extends it.
- Diagnostics — optional structured logs on logger
smart_cc.diagnostics(sizes; debug mode can add redacted payload previews). - Privacy — the server scrubs common PII/token patterns from assembled prompts before outbound LLM calls; Rego snippets may still contain literals you wrote.
Why
SCCA accelerates control authoring and operational questions. Settings centralize which model is used, how much context is injected, and organizational conventions (extra skills/rules), without embedding customer logic in the product binary.
How
1. Choose provider and credentials (~2 min)
- Open Settings → Smart Control Core.
- Pick LLM provider.
- If a key is required, type a new key only when adding or rotating. The field stays empty when a key is already stored.
- Optionally set Custom API URL / gateway (required for Custom / some enterprise gateways).
- Click Test connection. Expect a success toast with latency.
Troubleshooting: If Test connection fails with HTTP 401/403, confirm the key is for the selected provider and URL. For Native, ensure your local inference endpoint responds on the URL configured in your deployment manifests.
2. Metadata and token budget (~2 min)
- Allow metadata access: leave on for richer SCCA answers; turn off to reduce context size (some flows still include minimal resource lists).
- Token usage limit: monthly budget tracked by the Control Plane for SCCA paths; tune if you exhaust the cap.
3. Guidance and built-in skill (~3 min)
- Guidance profile is a tag (default
headless-agent-v1) for auditing bundles. - Use View built-in Rego authoring skill to read the default baseline (fail-closed,
import rego.v1, style rules). - Paste or upload supplementary instructions under Additional skills and organizational constraints under Custom rules.
4. Diagnostics (~2 min)
- Toggle Enable diagnostic logging only while troubleshooting.
- Pick Log level:
errorfor failures only,infofor outbound sizes,debugfor optional redacted previews. - Include redacted payload preview applies only when level is debug; avoid on shared sinks if policy text is sensitive.
Troubleshooting: If logs never appear, confirm your observability pipeline captures Logger name
smart_cc.diagnosticsfrom Control Plane API process logs.
5. Privacy expectations (~1 min)
Read Privacy & Security on the page. Prompts may include truncated Rego excerpts and structured resource metadata. Treat Rego source as confidential if it references internal systems.
Quick reference
| Situation | What to do |
|---|---|
| I saved a key but the field looks empty | Expected. Stored keys are not echoed; use Test connection or paste a new key to rotate. |
| I need per-environment LLM keys | Match the Control Plane environment selector; save a configuration per environment. |
| SCCA ignores my uploaded skill | Confirm Save completed; verify the file size is within limits. |