# Security and Observability Settings

Security and observability settings control PII detection, API exposure, file upload policies, cross-channel session behavior, and the production approval policy that gates deployments.

## PII Protection

The **PII Protection** page configures PII detection patterns, redaction strategies, and consumer access controls for this project.

**Navigation**: **Project** → **Settings** → **PII Protection**

**Global Settings**

| Setting                  | Description                                                    | Default  |
| ------------------------ | -------------------------------------------------------------- | -------- |
| **PII Detection**        | Scan agent inputs for PII using active patterns.               | Enabled  |
| **PII Output Redaction** | Apply redaction to agent outputs before delivery to consumers. | Disabled |

<Note>Credential, secret, and high-risk token scrubbing stays active for logs, traces, session history, and normal API responses even when you disable configurable PII detection.</Note>

### Built-in Patterns

Built-in patterns use pre-configured, optimized detection logic. You can adjust redaction, per-consumer access, and enabled state for each pattern. Only disable high-risk patterns if you have a documented reason and understand the compliance impact.

| Pattern                    | Tag         | Description                                               |
| -------------------------- | ----------- | --------------------------------------------------------- |
| **Email Address**          | Email       | Detects email addresses in text.                          |
| **Phone Number**           | Phone       | Detects phone numbers (US and international formats).     |
| **Social Security Number** | SSN         | Detects US Social Security Numbers (XXX-XX-XXXX).         |
| **Credit Card Number**     | Credit Card | Detects credit/debit card numbers (Visa, MC, Amex, etc.). |
| **IP Address**             | IP Address  | Detects IPv4 and IPv6 addresses.                          |

Click **Configure** next to any pattern to adjust its redaction strategy, consumer access rules, and enabled state.

### Custom Patterns

Click **Add Pattern** to define organization-specific PII detection rules. The **Create PII Pattern** dialog includes the following sections:

**Basics**

| Field           | Description                                                                       |
| --------------- | --------------------------------------------------------------------------------- |
| **Name**        | A unique name for the pattern (for example, US Social Security Number). Required. |
| **Description** | Optional description of what the pattern detects.                                 |
| **Enabled**     | Toggle to activate or deactivate the pattern.                                     |

**Detection**

| Field                    | Description                                                                                          |
| ------------------------ | ---------------------------------------------------------------------------------------------------- |
| **Regex Pattern**        | The regular expression that matches sensitive data. Required.                                        |
| **PII Type**             | Classification of the PII type (**Custom** or a predefined category).                                |
| **Validator Expression** | Optional secondary regex to post-filter matches. The system keeps only matches that pass this regex. |

**Redaction Strategy**

| Option               | Description                                                                    |
| -------------------- | ------------------------------------------------------------------------------ |
| **Predefined Label** | Replace matched text with a configurable label (default: `[REDACTED_<TYPE>]`). |
| **Masked**           | Replace matched text with placeholder characters.                              |
| **Random**           | Replace matched text with random characters.                                   |

When you select **Predefined Label**, configure the **Redaction Label** field to customize the replacement text.

**Consumer Access**

| Field                      | Description                                                                 |
| -------------------------- | --------------------------------------------------------------------------- |
| **Default Render Mode**    | How PII appears by default: **Redacted**, **Tokenized**, or **Original**.   |
| **Per-Consumer Overrides** | Click **Add Consumer** to set render mode overrides for specific consumers. |

<Note>LLM consumers can't receive original plaintext. If you save an LLM override of **Original**, the system stores it as **Tokenized**. If the default render mode is **Original**, the system adds an explicit **Tokenized** override for LLM consumers.</Note>

**Live Test**

Enter sample text in the **Sample Text** field to test pattern detection before saving. The test runs the regex pattern and validator expression against the input and shows matches with the configured redaction applied.
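To rehearse a custom pattern offline before entering it in the dialog, the following added example (not the platform's own code) runs a regex, post-filters matches with a validator expression, and applies each of the three redaction strategies. It assumes Python `re` semantics, `*` as the mask character, and same-length random output; the pattern, validator, and sample text are constructed for illustration.

```python
import re
import secrets
import string

# Constructed sample pattern. The platform's regex dialect is not stated on the
# page, so Python `re` semantics (including lookaheads) are an assumption.
REGEX_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"
# Validator (anchored): reject area 000/666/9xx, group 00, serial 0000.
VALIDATOR = r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$"


def redact(value, strategy, label="[REDACTED_SSN]"):
    """Apply one of the three redaction strategies to a matched value."""
    if strategy == "label":
        return label
    if strategy == "masked":
        # Assumption: '*' is the placeholder and separators are kept.
        return re.sub(r"\w", "*", value)
    if strategy == "random":
        # Assumption: same-length random alphanumerics from a CSPRNG.
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in value)
    raise ValueError(f"unknown strategy: {strategy}")


def scan(text, strategy="label", validator=VALIDATOR):
    """Return (redacted_text, kept_matches, rejected_matches)."""
    kept, rejected = [], []
    check = re.compile(validator) if validator else None

    def _sub(m):
        value = m.group(0)
        if check and not check.search(value):
            rejected.append(value)  # matched the regex, failed the validator
            return value            # left untouched in the output
        kept.append(value)
        return redact(value, strategy)

    return re.sub(REGEX_PATTERN, _sub, text), kept, rejected


# Constructed sample text: one plausible SSN, one invalid area number, one order ID.
SAMPLE = "SSN 123-45-6789 on file; ref 000-12-3456; order 9912-45-6789."

if __name__ == "__main__":
    for s in ("label", "masked", "random"):
        print(s, scan(SAMPLE, s))
```

Values that match the regex but fail the validator pass through unredacted, so review the rejected list when tightening a validator.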

***

## Public API Access

The **Public API Access** page configures which APIs end-users can access when authenticating through their organization's identity provider (Azure AD, Okta, Google).

**Navigation**: **Project** → **Settings** → **Public API Access**

### Query API

Toggle the **Query API** to allow authenticated end-users to query agents through the public API endpoint. When you enable it, the following configuration fields appear:

| Field                                  | Description                                                                                                                                    |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| **Identity Providers (Auth Profiles)** | Select one or more OIDC-compatible auth profiles (**OAuth 2.0 App** or **Azure AD**). End-users authenticate through their organization's IdP. |
| **Allowed Email Domains**              | Comma-separated list of email domains that can authenticate. Leave empty to allow all domains.                                                 |
| **Allowed Origins (CORS)**             | Comma-separated list of browser origins allowed to make API calls.                                                                             |
| **Allowed Redirect URIs (OAuth Flow)** | Comma-separated full URIs where OAuth redirect responses can go. Exact match only — no wildcards.                                              |

**Session and Rate Limits**

| Field                           | Description                                                    | Default      |
| ------------------------------- | -------------------------------------------------------------- | ------------ |
| **Session Token TTL (seconds)** | How long search session tokens remain valid (60–3600 seconds). | 900 (15 min) |
| **Per User (req/min)**          | Maximum API requests per user per minute.                      | —            |
| **Per Project (req/min)**       | Maximum API requests per project per minute.                   | —            |
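The following added example is a local pre-check for the values you plan to enter in the Query API fields, not platform code. It flags an empty domain list (which allows all domains), wildcards, malformed origins, and a TTL outside the documented range; requiring `https` is this reviewer's own policy assumption, and the sample values are constructed.

```python
from urllib.parse import urlsplit


def split_csv(value):
    """Split a comma-separated settings field into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def review_query_api(domains, origins, redirect_uris, ttl_seconds):
    """Return a list of findings for the four Query API fields."""
    findings = []
    if not split_csv(domains):
        # Per the table above, an empty list allows all domains.
        findings.append("Allowed Email Domains is empty: every domain can authenticate")
    for d in split_csv(domains):
        if "@" in d or "/" in d or "*" in d or "." not in d:
            findings.append(f"domain '{d}' is not a bare domain name")
    for o in split_csv(origins):
        u = urlsplit(o)
        # A browser origin is scheme://host[:port] with no path, query or fragment.
        if "*" in o or u.scheme != "https" or not u.netloc or u.path or u.query or u.fragment:
            findings.append(f"origin '{o}' is not a single https origin")
    for r in split_csv(redirect_uris):
        u = urlsplit(r)
        if "*" in r:
            findings.append(f"redirect URI '{r}' contains a wildcard; exact match only")
        elif u.scheme != "https" or not u.netloc or u.fragment:
            findings.append(f"redirect URI '{r}' is not a full https URI without fragment")
    if not 60 <= ttl_seconds <= 3600:
        findings.append(f"Session Token TTL {ttl_seconds} is outside 60-3600 seconds")
    return findings


# Constructed sample values: a weak configuration and a corrected one.
WEAK = dict(domains="", origins="https://app.example.com/, *",
            redirect_uris="https://app.example.com/*, http://app.example.com/cb",
            ttl_seconds=86400)
HARDENED = dict(domains="example.com", origins="https://app.example.com",
                redirect_uris="https://app.example.com/oauth/callback",
                ttl_seconds=900)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, review_query_api(**cfg))
```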

***

## Attachments

The **Attachment Settings** page configures file upload behavior for this project.

**Navigation**: **Project** → **Settings** → **Attachments**

**General**

| Setting                | Description                          | Default             |
| ---------------------- | ------------------------------------ | ------------------- |
| **Enable Attachments** | Allow file uploads in chat sessions. | Enabled (inherited) |

**Upload Limits**

| Setting                | Description                                   | Default              |
| ---------------------- | --------------------------------------------- | -------------------- |
| **Maximum File Size**  | Maximum file size per upload.                 | 20 MB                |
| **Allowed File Types** | MIME types permitted for upload (maximum 50). | 18 types (see below) |

Default allowed file types include `image/jpeg`, `image/png`, `image/gif`, `image/webp`, `application/pdf`, `text/markdown`, `text/plain`, `text/csv`, `application/json`, `application/msword`, `application/vnd.openxmlformats-officedocument.wordprocessingml.document`, `application/vnd.ms-excel`, `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet`, `audio/mpeg`, `audio/wav`, `audio/webm`, `video/mp4`, and `video/webm`.

To add a custom MIME type, enter it in the **Add MIME type** field and click the **add** button. To remove an allowed type, click the **×** next to it.

**Processing**

| Setting                     | Description                                         | Default |
| --------------------------- | --------------------------------------------------- | ------- |
| **PII Policy**              | How the system handles PII detected in attachments. | Redact  |
| **Default Processing Mode** | How the system processes newly uploaded files.      | Full    |

**Info**

| Setting                   | Description                                      | Default |
| ------------------------- | ------------------------------------------------ | ------- |
| **Max Files Per Session** | Maximum number of files per session (read-only). | 100     |

Click **Save Changes** to apply.

***

## Omnichannel

The **Omnichannel** page configures cross-channel session continuity.

**Navigation**: **Project** → **Settings** → **Omnichannel**

Omnichannel settings allow users who start a conversation on one channel to continue it on another without losing context.

**Conversation Recall**

| Setting                         | Description                                                      | Default  |
| ------------------------------- | ---------------------------------------------------------------- | -------- |
| **Enable cross-channel recall** | Allow sessions to transfer across channels.                      | Disabled |
| **Maximum messages to recall**  | Number of messages the platform carries over to the new channel. | 20       |
| **Maximum age (days)**          | How old a conversation can be and still qualify for recall.      | 30       |

**Allowed channels**

Lists all supported channels (**web**, **voice**, **sms**, **whatsapp**, **email**, **slack**, **teams**) with toggles for cross-channel recall participation.

**Identity Requirements**

| Setting                           | Description                                                                 | Default      |
| --------------------------------- | --------------------------------------------------------------------------- | ------------ |
| **Require identity verification** | Whether the system requires identity verification for cross-channel recall. | Enabled      |
| **Minimum identity tier**         | The minimum identity verification tier required to recall sessions.         | 2 - Verified |

**Consent**

| Setting                      | Description                                                           | Default |
| ---------------------------- | --------------------------------------------------------------------- | ------- |
| **Require explicit consent** | Whether the user must explicitly consent before cross-channel recall. | Enabled |

**Live Transcript Sync**

Configure real-time transcript synchronization settings for cross-channel sessions.

Click **Save Settings** to apply changes.

<Note>If you see a "Failed to save settings" error, verify that your role has write permissions for project settings.</Note>

***

## Governance

The **Governance** page sets the production approval policy for this project. The policy controls how strictly the platform gates production deployments, so a stricter level requires more sign-off before an agent version can ship.

**Navigation**: **Project** → **Settings** → **Governance**

**Production approval policy**

The page shows whether the policy is **Inherited (default)** or set explicitly for the project, along with the **Effective** level currently in force and its source (for example, Standard from the platform default). To set an explicit policy, drag the **Approval strictness** slider to a level, then click **Save policy**.

| Level        | Sign-off required                                                                            |
| ------------ | -------------------------------------------------------------------------------------------- |
| **Strict**   | The strictest gate. Applies more sign-off than Standard before a version can ship.           |
| **Standard** | Requires approval, security, and eval sign-off. The publisher can approve their own version. |
| **Open**     | The most permissive gate. Applies less sign-off than Standard.                               |

When you select a level, the page shows that level's sign-off requirements below the slider. Saving an explicit policy overrides the inherited platform default.
