Async post-guards

When every applicable output policy for a tenant is in shadow or async mode (so nothing can block or rewrite the response), DeepintShield returns the response to the user immediately and runs the output checks in the background. Findings still land in the audit store, so you lose no visibility - only the latency you weren’t spending on enforcement.

On by default. Auto-detected per tenant; no opt-in needed.

# Plugin config:
{ "async_post_guards_when_no_sync": true }
# Or env var:
DEEPINTSHIELD_GUARD_ASYNC_POST_GUARDS=true

The optimization applies when both are true for a request:

  1. The tenant has no output-scope policies in sync mode (every output policy is shadow or async).
  2. The request itself doesn’t attach any sync-mode policies via virtual-key overrides or governance attachments.

If either is false, the response is held until output checks finish, as usual.

  • Audit trail - every finding still lands in the audit store; you see the same trace, decision, and findings records as with synchronous evaluation.
  • Shadow/async findings - these never enforce anyway, so running them in the background changes nothing about their behavior.
  • Sync policies - never affected. If any sync output policy applies, evaluation runs inline before the response is returned.

Response headers reveal the mode that ran:

x-deepintshield-guardrail-status: pass
x-deepintshield-guardrail-mode: async

The mode header reads shadow for shadow-only, or sync for sync-only.
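
The two eligibility conditions and the response headers above can be combined into a consistency check. The following is an added example, not DeepintShield code. The policy records (dicts with `name` and `mode`), the sample policy names, and the rule that a reported `async` or `shadow` mode alongside an applicable sync policy counts as a mismatch are assumptions of this example.

```python
# Added example. Policy records (dicts with "name" and "mode") are a
# hypothetical representation; header names and mode values are from the page.
MODE_HEADER = "x-deepintshield-guardrail-mode"
NON_ENFORCING = {"shadow", "async"}

def output_checks_deferred(tenant_output_policies, request_policies):
    """True when both documented conditions hold, i.e. the response is
    returned before output checks finish."""
    # Condition 1: every tenant output policy is shadow or async.
    tenant_ok = all(p["mode"] in NON_ENFORCING for p in tenant_output_policies)
    # Condition 2: nothing attached to the request (virtual-key override or
    # governance attachment) is in sync mode.
    request_ok = all(p["mode"] != "sync" for p in request_policies)
    return tenant_ok and request_ok

def audit_response(headers, tenant_output_policies, request_policies):
    """Compare the mode a response reports with what the policy set implies.
    Returns a list of finding strings; an empty list means consistent."""
    # HTTP header names are case-insensitive, so normalize before lookup.
    normalized = {k.lower(): v.strip().lower() for k, v in headers.items()}
    reported = normalized.get(MODE_HEADER)
    if reported is None:
        return ["mode header missing: cannot tell how output checks ran"]
    deferred = output_checks_deferred(tenant_output_policies, request_policies)
    if not deferred and reported in NON_ENFORCING:
        # A sync output policy should have held the response for inline checks.
        return [f"sync policy applies but response reports mode={reported}"]
    return []

# Constructed sample data.
TENANT = [{"name": "pii-output", "mode": "shadow"},
          {"name": "toxicity-output", "mode": "async"}]
SYNC_OVERRIDE = [{"name": "secrets-output", "mode": "sync"}]
ASYNC_HEADERS = {"X-DeepintShield-Guardrail-Status": "pass",
                 "X-DeepintShield-Guardrail-Mode": "async"}

if __name__ == "__main__":
    print(output_checks_deferred(TENANT, []))
    print(audit_response(ASYNC_HEADERS, TENANT, []))
    print(audit_response(ASYNC_HEADERS, TENANT, SYNC_OVERRIDE))
```

Run against captured responses, a non-empty result for a tenant or request that carries a sync output policy is the case worth alerting on, because it means the response was not held for enforcement.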