Control CoreDocs

🛠️ AI Pilot Troubleshooting (AI Gateway)

This guide covers common issues when configuring AI Pilot for per-bouncer LLM controls.

📌 Quick triage

# Control Plane API
curl -sf http://localhost:8082/api/v1/health

# Bouncer health
curl -sf http://localhost:8080/health

# Plugin admin (live config source on bouncer)
curl -sf http://localhost:9998/pilot/config

🛠️ Common issues

SymptomLikely causeResolution
AI Pilot page loads but bouncer data is emptyBouncer not discovered/linkedVerify bouncer registration and /peps entries
Save override succeeds but runtime behavior unchangedConfig not pushed/applied on target bouncerValidate /pep-config/pilot/bouncer/{id}/ai-management and bouncer /pilot/config
Prompt controls over-block legitimate trafficRules too broad or missing allowlistAdd allowlist terms; move some controls from block to annotate
Exfiltration control blocks approved trafficTrusted domains not configuredAdd exact trusted domains in content safety
Token limits appear inconsistent across replicasMissing shared RedisConfigure REDIS_URL for shared counters
PII redaction not visible in testsAction set to annotate/block onlySwitch relevant control to redact and retest
Smart Control Core says draft generation failedLLM provider key/model rejected at runtimeCheck Smart CC settings provider, bouncer/provider credentials, and provider error details in API logs
Smart Control Core action buttons become unresponsive after route changesStale chat state in long-lived sessionRe-open agent from current page; if stale session persists, refresh once and retry
Code assist in Policy Builder is not auto-availableNot in Code Editor mode, or builder context not active yetOpen Controls → Policy Builder → Code Editor tab, then reopen Smart CC
Code assist ignores PIP signalsPIP mapping exists but lacks relevant attributesMap principal/resource/context attributes in Data Sources and retry with explicit attribute hints

📌 Smart Control Core Agent quick checks

# 1) API health
curl -sf http://localhost:8000/health

# 2) Login and get token (replace creds)
TOKEN=$(curl -s http://localhost:8000/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"<user>","password":"<password>"}' | jq -r '.access_token')

# 3) Verify Smart CC settings
curl -s http://localhost:8000/v1/smart-cc/settings \
  -H "Authorization: Bearer $TOKEN" | jq .

# 4) Run one Smart CC turn
curl -s http://localhost:8000/v1/smart-cc/turn \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query":"create draft for payroll MFA","context":{},"confirm_action":false}' | jq .

# 5) Run one code-assist turn with builder context
curl -s http://localhost:8000/v1/smart-cc/turn \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query":"add principal and action checks using PIP risk score","context":{"active_page":"policy_lifecycle","editor_mode":"code","resource_id":"1","bouncer_id":"1","current_policy":{"name":"Draft","rego_excerpt":"package controlcore\n\ndefault allow = false"}},"confirm_action":false}' | jq .

Check for:

  • intent and response_cards present.
  • requires_confirmation=true for mutating draft flows.
  • No provider/auth errors in evidence[] for normal draft generation.
  • Code assist turns return intent=assist_policy_code with snippet/rationale evidence.

🔧 API-level validation

# Effective AI management for a bouncer
curl -H "Authorization: Bearer <token>" \
  http://localhost:8082/pep-config/pilot/bouncer/<pep_id>/ai-management

# Observability payload for charts
curl -H "Authorization: Bearer <token>" \
  "http://localhost:8082/pep-config/pilot/bouncer/<pep_id>/observability?window=24h"

# Recent payload stream
curl -H "Authorization: Bearer <token>" \
  "http://localhost:8082/pep-config/pilot/bouncer/<pep_id>/recent-payloads?limit=8"

Check that:

  • use_global matches your UI state
  • local_override exists when expected
  • effective_config includes all prompt security fields

📌 Runtime compile checks

AI Pilot compiles per-bouncer controls into bouncer runtime config.

Expected keys in effective pilot payload:

  • ai_management
  • compiled_targets.ext_proc.content_safety
  • compiled_targets.xds.cost_optimization
curl -sf http://localhost:9998/pilot/config | jq .

📌 Prompt control tuning strategy

  1. Start with strict controls in sandbox.
  2. Use annotate mode for uncertain detections.
  3. Promote high-confidence patterns to block.
  4. Add explicit allowlist/trusted-domain exceptions.
  5. Re-check audit events and false-positive rates weekly.