Policy Sync

Policy Sync is a Sovereign feature. It lets an admin push a consistent set of custom rules and allowlist entries to every seat on the team — without Ki!'s servers being involved.

In Ki!, go to Settings → Team Policy and click Export Policy. This produces a ki-policy.json file signed with your Ed25519 admin key.

The file contains:

  • Custom regex rules
  • Allowlist entries
  • A list of trusted signer public keys
  • Version and expiry metadata

Upload ki-policy.json to any HTTPS endpoint your team can reach — S3, GCS, GitHub raw, an internal web server. Ki!'s servers are not involved.

Example S3 public URL:

https://my-bucket.s3.eu-west-1.amazonaws.com/ki-policy.json

On each seat, go to Settings → Policy URL and paste the URL. Ki! will:

  1. Fetch the policy file on startup and every 24 hours.
  2. Verify the Ed25519 signature against the trusted signers list.
  3. Apply the rules and allowlist entries — merging with any local additions.

If the fetch fails (network unavailable), Ki! continues with the last successfully verified policy.

Ki! rejects a policy file if:

  • The Ed25519 signature is invalid or missing.
  • The signing key is not in the trusted signers list.
  • The version field is lower than the currently applied version (prevents rollback attacks).
  • The expiry field has passed.
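The following Go program is an added example, not Ki!'s own code: it models both halves of the flow described above, the admin's Export Policy signing step and the four rejection checks a seat applies (signature, trusted signer, version rollback, expiry). The real ki-policy.json layout is not documented on this page, so the `Policy` and `Envelope` field names, the base64/hex encodings and the JSON-bytes-as-signed-message convention are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy carries the fields the page lists. The real ki-policy.json layout is
// not documented, so these field names are assumptions made for this example.
type Policy struct {
	Version        int      `json:"version"`
	Expiry         string   `json:"expiry"`          // RFC 3339 timestamp
	Rules          []string `json:"rules"`           // custom regex rules
	Allowlist      []string `json:"allowlist"`
	TrustedSigners []string `json:"trusted_signers"` // hex-encoded Ed25519 public keys
}

// Envelope (hypothetical field names) holds the exact signed bytes, the signature and the signer key.
type Envelope struct {
	Payload   string `json:"payload"`   // base64 of the JSON-encoded Policy
	Signature string `json:"signature"` // base64 Ed25519 signature over the payload bytes
	Signer    string `json:"signer"`    // hex Ed25519 public key that produced Signature
}

var (
	ErrBadSignature = errors.New("signature invalid or missing")
	ErrUntrustedKey = errors.New("signing key is not in the trusted signers list")
	ErrRollback     = errors.New("version is lower than the currently applied version")
	ErrExpired      = errors.New("policy has expired")
)

// GenerateAdminKey creates the Ed25519 key an admin signs exports with.
func GenerateAdminKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// Sign models Export Policy: serialise, sign the bytes, embed the signer's public key.
func Sign(p Policy, priv ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload)),
		Signer:    hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
	}, nil
}

// Verify runs the seat-side checks: well-formed signature, signer already in the
// out-of-band trusted set, valid signature over the exact payload bytes, no version
// rollback, expiry not reached. currentVersion is the last applied version (0 if none).
func Verify(env Envelope, trusted map[string]bool, currentVersion int, now time.Time) (*Policy, error) {
	payload, errP := base64.StdEncoding.DecodeString(env.Payload)
	sig, errS := base64.StdEncoding.DecodeString(env.Signature)
	pub, errK := hex.DecodeString(env.Signer)
	if errP != nil || errS != nil || errK != nil ||
		len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return nil, ErrBadSignature
	}
	// The key named in the file is only a claim; the seat must already trust it.
	if !trusted[env.Signer] {
		return nil, ErrUntrustedKey
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), payload, sig) {
		return nil, ErrBadSignature
	}
	var p Policy // parse only after the bytes are authenticated
	if err := json.Unmarshal(payload, &p); err != nil {
		return nil, fmt.Errorf("malformed policy payload: %w", err)
	}
	if p.Version < currentVersion {
		return nil, ErrRollback
	}
	expiry, err := time.Parse(time.RFC3339, p.Expiry)
	if err != nil || !now.Before(expiry) {
		return nil, ErrExpired
	}
	return &p, nil
}

func main() {
	priv, _ := GenerateAdminKey()
	now := time.Now().UTC()
	// Constructed sample policy; the rule and host are illustrative only.
	p := Policy{Version: 3, Expiry: now.Add(24 * time.Hour).Format(time.RFC3339),
		Rules: []string{`INTERNAL-[0-9]{6}`}, Allowlist: []string{"docs.example.internal"}}
	env, _ := Sign(p, priv)
	trusted := map[string]bool{env.Signer: true} // the key each seat imported out-of-band
	_, err := Verify(env, trusted, 2, now)
	fmt.Println("version 3 on a seat at version 2:", err)
	old, _ := Sign(Policy{Version: 1, Expiry: p.Expiry}, priv)
	_, err = Verify(old, trusted, 3, now) // a re-served older file is a rollback
	fmt.Println("version 1 on a seat at version 3:", err)
}
```

Two design points worth noting. The `trusted` set is seeded only from keys the seat imported out of band; the `trusted_signers` list carried inside the file is parsed but never used to widen trust, because a file cannot vouch for its own signer. The payload is decoded into a `Policy` only after the signature has verified, so the rule and allowlist parser never sees unauthenticated bytes. A version equal to the currently applied one is accepted, matching the page's "lower than" wording; the retry-on-fetch-failure behaviour is not modelled.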

The admin public key must be distributed to team members out of band — not via the policy file itself (which would be circular). Options:

  • Include it in your onboarding runbook.
  • Push it via MDM as an environment variable.
  • Store it in a company secrets manager (1Password, Vault, etc.).

Each seat imports the public key once via Settings → Trusted Signers → Add Key.