These endpoints manage the global TraceCtrl Guards configuration used to call the Protector Plus service.Documentation Index
Fetch the complete documentation index at: https://docs.tracectrl.ai/llms.txt
Use this file to discover all available pages before exploring further.
Get config (redacted)
api_key redacted (e.g. hOjm***vY2) so it can be safely surfaced in the Settings UI. If no config is set, returns an empty object with empty strings and an empty enabled_guardrails array.
Response — ProtectorConfig
Protector Plus endpoint URL
Redacted API key (first 4 chars +
*** + last 3)List of enabled Protector Plus guardrails
ISO-8601 timestamp, or
null if never setUpsert config
api_key must be provided in the body. The response is returned in redacted form so the UI does not see its freshly-sent key echoed back.
Request body — ProtectorConfigUpsert
Protector Plus base URL (
http or https). Trailing slash is stripped before storage.Full API key.
List of guardrail names. Each must be a known Protector Plus guardrail.
Errors
400—endpoint_url is required400—api_key is required400— URL fails SSRF validation (private/loopback/reserved IP, bad scheme, DNS failure)400—unknown guardrails: [...]if a name is not inPROTECTOR_GUARDRAILS
Response
SameProtectorConfig shape as the GET above (redacted).
Test config
{endpoint_url}/api/protectorplus/v1/health with a 5s timeout. Rejects non-public targets so the test cannot be turned into an SSRF probe.
Response — ProtectorTestResult
true if the upstream returned a 2xxRound-trip time in milliseconds
HTTP status code from the upstream, or
nullError description when
ok is false, otherwise nullSDK config fetch
with tracectrl.guardrails(): setup. There is no authentication in v1 — the deployment is expected to bind the port to loopback or front it with an authenticated proxy. Returns an empty config (rather than 404) if none is set so the SDK can no-op cleanly.
Response — ProtectorConfigUpsert
Protector Plus endpoint URL
Full API key
Enabled guardrails