ENTERPILOT
diff --git a/‎.env.template‎
Lines changed: 4 additions & 0 deletions b/‎.env.template‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎internal/admin/dashboard/static/js/dashboard.js‎
Lines changed: 2 additions & 2 deletions b/‎internal/admin/dashboard/static/js/dashboard.js‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/admin/dashboard/static/js/modules/dashboard-layout.test.js‎
Lines changed: 3 additions & 1 deletion b/‎internal/admin/dashboard/static/js/modules/dashboard-layout.test.js‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎internal/admin/dashboard/static/js/modules/guardrails.test.js‎
Lines changed: 15 additions & 0 deletions b/‎internal/admin/dashboard/static/js/modules/guardrails.test.js‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎internal/admin/dashboard/templates/index.html‎
Lines changed: 7 additions & 5 deletions b/‎internal/admin/dashboard/templates/index.html‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎internal/admin/handler.go‎
Lines changed: 3 additions & 0 deletions b/‎internal/admin/handler.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎internal/admin/handler_guardrails_test.go‎
Lines changed: 54 additions & 0 deletions b/‎internal/admin/handler_guardrails_test.go‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎internal/app/app.go‎
Lines changed: 14 additions & 7 deletions b/‎internal/app/app.go‎
Lines changed: 14 additions & 7 deletions
diff --git a/‎internal/app/app_test.go‎
Lines changed: 31 additions & 1 deletion b/‎internal/app/app_test.go‎
Lines changed: 31 additions & 1 deletion
diff --git a/‎internal/executionplans/compiler.go‎
Lines changed: 2 additions & 2 deletions b/‎internal/executionplans/compiler.go‎
Lines changed: 2 additions & 2 deletions
@@ -130,6 +130,10 @@
 # to streaming requests for OpenAI-compatible providers
 # ENFORCE_RETURNING_USAGE_DATA=true
 
+# Enable/disable guardrails globally (default: false)
+# When enabled, configured guardrails can run for workflows that reference them
+# GUARDRAILS_ENABLED=false
+
 # Guardrails for inline batch processing (default: false)
 # When true, guardrails are applied to inline /v1/batches request items
 # (e.g. /v1/chat/completions and /v1/responses items).
 
@@ -205,8 +205,8 @@ function dashboard() {
 
         guardrailsPageVisible() {
             return typeof this.executionPlanRuntimeBooleanFlag === 'function'
-                ? this.executionPlanRuntimeBooleanFlag('GUARDRAILS_ENABLED', false)
-                : false;
+                ? this.executionPlanRuntimeBooleanFlag('GUARDRAILS_ENABLED', true)
+                : true;
         },
 
         setTheme(t) {
 
@@ -87,7 +87,8 @@ test('dashboard pages reuse a shared auth banner template', () => {
     );
 
     const authBannerCalls = indexTemplate.match(/{{template "auth-banner" \.}}/g) || [];
-    assert.equal(authBannerCalls.length, 6);
+    assert.equal(authBannerCalls.length, 7);
+    assert.match(indexTemplate, /<div x-show="page==='guardrails'">[\s\S]*{{template "auth-banner" \.}}/);
     assert.doesNotMatch(
         indexTemplate,
         /<div class="alert alert-warning" x-show="authError">[\s\S]*Authentication required\. Enter your API key in the sidebar to view data\.[\s\S]*<\/div>/
@@ -113,6 +114,7 @@ test('workflow guardrail warning links directly to the top-level guardrails page
     assert.match(indexTemplate, /No named guardrails are currently registered on this deployment\./);
     assert.match(indexTemplate, /class="alert alert-warning alert-inline-actions" x-show="guardrailRefs\.length === 0"/);
     assert.match(indexTemplate, /@click="navigate\('guardrails'\)">Open Guardrails<\/button>/);
+    assert.match(indexTemplate, /id="guardrail-filter"[^>]*aria-label="Guardrail filter"[^>]*x-model="guardrailFilter"/);
 });
 
 test('usage and audit pages reuse a shared pagination template', () => {
 
@@ -52,6 +52,21 @@ test('normalizeGuardrailConfig merges stored config over type defaults', () => {
     assert.equal(JSON.stringify(config), JSON.stringify({ mode: 'inject', content: 'be careful' }));
 });
 
+test('normalizeGuardrailConfig returns the input config for unknown types', () => {
+    const module = createGuardrailsModule();
+    module.guardrailTypes = [
+        {
+            type: 'system_prompt',
+            defaults: { mode: 'inject', content: '' },
+            fields: []
+        }
+    ];
+
+    const config = module.normalizeGuardrailConfig({ content: 'test' }, 'unknown_type');
+
+    assert.equal(JSON.stringify(config), JSON.stringify({ content: 'test' }));
+});
+
 test('filteredGuardrails matches user_path values', () => {
     const module = createGuardrailsModule();
     module.guardrails = [
 
@@ -287,14 +287,16 @@ <h3>Guardrail Library</h3>
         </div>
     </div>
 
-    <div class="alert alert-warning" x-show="!guardrailsRuntimeEnabled() && !authError">
+    {{template "auth-banner" .}}
+
+    <div class="alert alert-warning" x-show="!guardrailsRuntimeEnabled()">
         Runtime guardrail execution is currently off because <code>GUARDRAILS_ENABLED</code> is disabled. You can still manage definitions here.
     </div>
-    <div class="alert alert-warning" x-show="!guardrailsAvailable && !authError">
+    <div class="alert alert-warning" x-show="!authError && !guardrailsAvailable">
         Guardrails feature is unavailable.
     </div>
-    <div class="alert alert-warning" x-show="guardrailError && !authError" x-text="guardrailError"></div>
-    <div class="alert alert-success" x-show="guardrailNotice && !guardrailError" x-text="guardrailNotice"></div>
+    <div class="alert alert-warning" x-show="!authError && guardrailError" x-text="guardrailError"></div>
+    <div class="alert alert-success" x-show="!authError && guardrailNotice && !guardrailError" x-text="guardrailNotice"></div>
 
     <div class="settings-guardrails-layout" :class="{ 'is-editor-open': guardrailFormOpen }">
         <section class="settings-panel settings-guardrails-list">
@@ -308,7 +310,7 @@ <h3>Instances</h3>
 
             <div class="table-toolbar" x-show="guardrailsAvailable">
                 <div class="table-toolbar-main">
-                    <input type="text" class="filter-input" placeholder="Filter by name, type, user path, summary..." x-model="guardrailFilter">
+                    <input type="text" id="guardrail-filter" class="filter-input" placeholder="Filter by name, type, user path, summary..." aria-label="Guardrail filter" x-model="guardrailFilter">
                 </div>
             </div>
 
 
@@ -1173,6 +1173,9 @@ func (h *Handler) activeWorkflowGuardrailReferences(ctx context.Context, name st
 
 	references := make([]string, 0)
 	for _, view := range views {
+		if !view.Payload.Features.Guardrails {
+			continue
+		}
 		for _, step := range view.Payload.Guardrails {
 			if strings.TrimSpace(step.Ref) != name {
 				continue
 
@@ -225,3 +225,57 @@ func TestDeleteGuardrailRejectsActiveWorkflowReference(t *testing.T) {
 		t.Fatalf("error message = %q, want active workflow reference", envelope.Error.Message)
 	}
 }
+
+func TestDeleteGuardrailIgnoresDisabledWorkflowGuardrailRefs(t *testing.T) {
+	guardrailService := newGuardrailService(t, guardrails.Definition{
+		Name: "policy-system",
+		Type: "system_prompt",
+		Config: rawGuardrailConfig(t, map[string]any{
+			"mode":    "inject",
+			"content": "be precise",
+		}),
+	})
+	planStore := &executionPlanTestStore{
+		versions: []executionplans.Version{
+			{
+				ID:       "global-plan",
+				Scope:    executionplans.Scope{},
+				ScopeKey: "global",
+				Version:  1,
+				Active:   true,
+				Name:     "global",
+				Payload: executionplans.Payload{
+					SchemaVersion: 1,
+					Features:      executionplans.FeatureFlags{Cache: true, Audit: true, Usage: true, Guardrails: false},
+					Guardrails:    []executionplans.GuardrailStep{{Ref: "policy-system", Step: 10}},
+				},
+				PlanHash: "hash-global",
+			},
+		},
+	}
+	planService, err := executionplans.NewService(planStore, executionplans.NewCompiler(guardrailService))
+	if err != nil {
+		t.Fatalf("executionplans.NewService() error = %v", err)
+	}
+	if err := planService.Refresh(context.Background()); err != nil {
+		t.Fatalf("planService.Refresh() error = %v", err)
+	}
+
+	h := NewHandler(nil, nil, WithGuardrailService(guardrailService), WithExecutionPlans(planService))
+	e := echo.New()
+	req := httptest.NewRequest(http.MethodDelete, "/admin/api/v1/guardrails/policy-system", nil)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+	c.SetPath("/admin/api/v1/guardrails/:name")
+	c.SetPathValues(echo.PathValues{{Name: "name", Value: "policy-system"}})
+
+	if err := h.DeleteGuardrail(c); err != nil {
+		t.Fatalf("DeleteGuardrail() error = %v", err)
+	}
+	if rec.Code != http.StatusNoContent {
+		t.Fatalf("status = %d, want 204", rec.Code)
+	}
+	if _, ok := h.guardrailDefs.Get("policy-system"); ok {
+		t.Fatal("Get(policy-system) = present, want deleted guardrail")
+	}
+}
@@ -195,12 +195,12 @@ func New(ctx context.Context, cfg Config) (*App, error) {
 		}
 		return nil, fmt.Errorf("failed to prepare guardrail definitions: %w", err)
 	}
-	if err := guardrailResult.Service.EnsureSeedDefinitions(ctx, seedGuardrails); err != nil {
+	if err := guardrailResult.Service.UpsertDefinitions(ctx, seedGuardrails); err != nil {
 		closeErr := errors.Join(app.guardrails.Close(), app.aliases.Close(), app.batch.Close(), app.usage.Close(), app.audit.Close(), app.providers.Close())
 		if closeErr != nil {
-			return nil, fmt.Errorf("failed to seed guardrails: %w (also: close error: %v)", err, closeErr)
+			return nil, fmt.Errorf("failed to upsert guardrails: %w (also: close error: %v)", err, closeErr)
 		}
-		return nil, fmt.Errorf("failed to seed guardrails: %w", err)
+		return nil, fmt.Errorf("failed to upsert guardrails: %w", err)
 	}
 
 	// Build runtime execution dependencies. Policy is passed explicitly into the
@@ -225,7 +225,7 @@ func New(ctx context.Context, cfg Config) (*App, error) {
 		}
 		return nil, fmt.Errorf("failed to initialize execution plans: %w", err)
 	}
-	defaultExecutionPlan := defaultExecutionPlanInput(appCfg, guardrailResult.Service.Names())
+	defaultExecutionPlan := defaultExecutionPlanInput(appCfg, guardrailResult.Service.Names(), seedGuardrails)
 	if err := executionPlanResult.Service.EnsureDefaultGlobal(ctx, defaultExecutionPlan); err != nil {
 		closeErr := errors.Join(executionPlanResult.Close(), app.guardrails.Close(), app.aliases.Close(), app.batch.Close(), app.usage.Close(), app.audit.Close(), app.providers.Close())
 		if closeErr != nil {
@@ -731,7 +731,7 @@ func configGuardrailDefinitions(cfg config.GuardrailsConfig) ([]guardrails.Defin
 	return definitions, nil
 }
 
-func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string) executionplans.CreateInput {
+func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string, configuredGuardrails []guardrails.Definition) executionplans.CreateInput {
 	fallbackEnabled := fallbackFeatureEnabledGlobally(cfg)
 	payload := executionplans.Payload{
 		SchemaVersion: 1,
@@ -746,6 +746,13 @@ func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string)
 	for _, name := range availableGuardrails {
 		available[strings.TrimSpace(name)] = struct{}{}
 	}
+	for _, definition := range configuredGuardrails {
+		name := strings.TrimSpace(definition.Name)
+		if name == "" {
+			continue
+		}
+		available[name] = struct{}{}
+	}
 	if cfg.Guardrails.Enabled && len(cfg.Guardrails.Rules) > 0 {
 		payload.Guardrails = make([]executionplans.GuardrailStep, 0, len(cfg.Guardrails.Rules))
 		for _, rule := range cfg.Guardrails.Rules {
@@ -765,8 +772,8 @@ func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string)
 	return executionplans.CreateInput{
 		Scope:       executionplans.Scope{},
 		Activate:    true,
-		Name:        "default-global",
-		Description: "Bootstrapped from runtime configuration",
+		Name:        executionplans.ManagedDefaultGlobalName,
+		Description: executionplans.ManagedDefaultGlobalDescription,
 		Payload:     payload,
 	}
 }
 
@@ -5,6 +5,7 @@ import (
 
 	"gomodel/config"
 	"gomodel/internal/admin"
+	"gomodel/internal/guardrails"
 )
 
 func TestRuntimeExecutionFeatureCaps_EnableFallbackFromOverride(t *testing.T) {
@@ -30,7 +31,7 @@ func TestDefaultExecutionPlanInput_SetsFallbackFeature(t *testing.T) {
 		},
 	}
 
-	input := defaultExecutionPlanInput(cfg, nil)
+	input := defaultExecutionPlanInput(cfg, nil, nil)
 	if input.Payload.Features.Fallback == nil {
 		t.Fatal("defaultExecutionPlanInput().Payload.Features.Fallback = nil, want non-nil")
 	}
@@ -39,6 +40,35 @@ func TestDefaultExecutionPlanInput_SetsFallbackFeature(t *testing.T) {
 	}
 }
 
+func TestDefaultExecutionPlanInput_IncludesConfiguredGuardrailsMissingFromLoadedCatalog(t *testing.T) {
+	cfg := &config.Config{
+		Guardrails: config.GuardrailsConfig{
+			Enabled: true,
+			Rules: []config.GuardrailRuleConfig{
+				{
+					Name:  "policy-system",
+					Type:  "system_prompt",
+					Order: 10,
+				},
+			},
+		},
+	}
+
+	input := defaultExecutionPlanInput(cfg, nil, []guardrails.Definition{
+		{Name: "policy-system", Type: "system_prompt"},
+	})
+
+	if !input.Payload.Features.Guardrails {
+		t.Fatal("defaultExecutionPlanInput().Payload.Features.Guardrails = false, want true")
+	}
+	if len(input.Payload.Guardrails) != 1 {
+		t.Fatalf("len(defaultExecutionPlanInput().Payload.Guardrails) = %d, want 1", len(input.Payload.Guardrails))
+	}
+	if got := input.Payload.Guardrails[0].Ref; got != "policy-system" {
+		t.Fatalf("defaultExecutionPlanInput().Payload.Guardrails[0].Ref = %q, want policy-system", got)
+	}
+}
+
 func TestConfigGuardrailDefinitions_DisabledIgnoresInvalidRules(t *testing.T) {
 	definitions, err := configGuardrailDefinitions(config.GuardrailsConfig{
 		Enabled: false,
 
@@ -1,7 +1,7 @@
 package executionplans
 
 import (
-	"fmt"
+	"net/http"
 
 	"gomodel/internal/core"
 	"gomodel/internal/guardrails"
@@ -69,7 +69,7 @@ func (c *compiler) compileGuardrails(steps []guardrails.StepReference) (*guardra
 		return nil, "", nil
 	}
 	if c == nil || c.registry == nil {
-		return nil, "", fmt.Errorf("guardrails are enabled but no guardrail registry is configured")
+		return nil, "", core.NewProviderError("", http.StatusBadGateway, "guardrails are enabled but no guardrail registry is configured", nil)
 	}
 	return c.registry.BuildPipeline(steps)
 }
Original file line number	Diff line number	Diff line change
`@@ -195,12 +195,12 @@ func New(ctx context.Context, cfg Config) (*App, error) {`
`195`	`195`	`}`
`196`	`196`	`return nil, fmt.Errorf("failed to prepare guardrail definitions: %w", err)`
`197`	`197`	`}`
`198`		`- if err := guardrailResult.Service.EnsureSeedDefinitions(ctx, seedGuardrails); err != nil {`
	`198`	`+ if err := guardrailResult.Service.UpsertDefinitions(ctx, seedGuardrails); err != nil {`
`199`	`199`	`closeErr := errors.Join(app.guardrails.Close(), app.aliases.Close(), app.batch.Close(), app.usage.Close(), app.audit.Close(), app.providers.Close())`
`200`	`200`	`if closeErr != nil {`
`201`		`- return nil, fmt.Errorf("failed to seed guardrails: %w (also: close error: %v)", err, closeErr)`
	`201`	`+ return nil, fmt.Errorf("failed to upsert guardrails: %w (also: close error: %v)", err, closeErr)`
`202`	`202`	`}`
`203`		`- return nil, fmt.Errorf("failed to seed guardrails: %w", err)`
	`203`	`+ return nil, fmt.Errorf("failed to upsert guardrails: %w", err)`
`204`	`204`	`}`
`205`	`205`
`206`	`206`	`// Build runtime execution dependencies. Policy is passed explicitly into the`
`@@ -225,7 +225,7 @@ func New(ctx context.Context, cfg Config) (*App, error) {`
`225`	`225`	`}`
`226`	`226`	`return nil, fmt.Errorf("failed to initialize execution plans: %w", err)`
`227`	`227`	`}`
`228`		`- defaultExecutionPlan := defaultExecutionPlanInput(appCfg, guardrailResult.Service.Names())`
	`228`	`+ defaultExecutionPlan := defaultExecutionPlanInput(appCfg, guardrailResult.Service.Names(), seedGuardrails)`
`229`	`229`	`if err := executionPlanResult.Service.EnsureDefaultGlobal(ctx, defaultExecutionPlan); err != nil {`
`230`	`230`	`closeErr := errors.Join(executionPlanResult.Close(), app.guardrails.Close(), app.aliases.Close(), app.batch.Close(), app.usage.Close(), app.audit.Close(), app.providers.Close())`
`231`	`231`	`if closeErr != nil {`
`@@ -731,7 +731,7 @@ func configGuardrailDefinitions(cfg config.GuardrailsConfig) ([]guardrails.Defin`
`731`	`731`	`return definitions, nil`
`732`	`732`	`}`
`733`	`733`
`734`		`-func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string) executionplans.CreateInput {`
	`734`	`+func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string, configuredGuardrails []guardrails.Definition) executionplans.CreateInput {`
`735`	`735`	`fallbackEnabled := fallbackFeatureEnabledGlobally(cfg)`
`736`	`736`	`payload := executionplans.Payload{`
`737`	`737`	`SchemaVersion: 1,`
`@@ -746,6 +746,13 @@ func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string)`
`746`	`746`	`for _, name := range availableGuardrails {`
`747`	`747`	`available[strings.TrimSpace(name)] = struct{}{}`
`748`	`748`	`}`
	`749`	`+ for _, definition := range configuredGuardrails {`
	`750`	`+ name := strings.TrimSpace(definition.Name)`
	`751`	`+ if name == "" {`
	`752`	`+ continue`
	`753`	`+ }`
	`754`	`+ available[name] = struct{}{}`
	`755`	`+ }`
`749`	`756`	`if cfg.Guardrails.Enabled && len(cfg.Guardrails.Rules) > 0 {`
`750`	`757`	`payload.Guardrails = make([]executionplans.GuardrailStep, 0, len(cfg.Guardrails.Rules))`
`751`	`758`	`for _, rule := range cfg.Guardrails.Rules {`
`@@ -765,8 +772,8 @@ func defaultExecutionPlanInput(cfg *config.Config, availableGuardrails []string)`
`765`	`772`	`return executionplans.CreateInput{`
`766`	`773`	`Scope: executionplans.Scope{},`
`767`	`774`	`Activate: true,`
`768`		`- Name: "default-global",`
`769`		`- Description: "Bootstrapped from runtime configuration",`
	`775`	`+ Name: executionplans.ManagedDefaultGlobalName,`
	`776`	`+ Description: executionplans.ManagedDefaultGlobalDescription,`
`770`	`777`	`Payload: payload,`
`771`	`778`	`}`
`772`	`779`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`package executionplans`
`2`	`2`
`3`	`3`	`import (`
`4`		`- "fmt"`
	`4`	`+ "net/http"`
`5`	`5`
`6`	`6`	`"gomodel/internal/core"`
`7`	`7`	`"gomodel/internal/guardrails"`
`@@ -69,7 +69,7 @@ func (c compiler) compileGuardrails(steps []guardrails.StepReference) (guardra`
`69`	`69`	`return nil, "", nil`
`70`	`70`	`}`
`71`	`71`	`if c == nil \|\| c.registry == nil {`
`72`		`- return nil, "", fmt.Errorf("guardrails are enabled but no guardrail registry is configured")`
	`72`	`+ return nil, "", core.NewProviderError("", http.StatusBadGateway, "guardrails are enabled but no guardrail registry is configured", nil)`
`73`	`73`	`}`
`74`	`74`	`return c.registry.BuildPipeline(steps)`
`75`	`75`	`}`