checkrd

Redundant rule

A rule that is shadowed by an earlier, more general rule and can never be reached.

Checkrd evaluates rules top-down and stops at the first match. If an earlier rule matches a superset of a later rule's match conditions, the later rule is redundant — it will never be evaluated. Redundant rules are a common authoring mistake because they create a false impression that the policy is more restrictive than it actually is.

The engine detects this when two rules of the same tier (both allow or both deny) have identical match conditions. The second rule is flagged as redundant.

Example

yaml
rules:
  - name: deny-all-deletes
    deny:
      method: [DELETE]
      url: "api.stripe.com/**"
  - name: deny-stripe-deletes # redundant: deny-all-deletes already matches this
    deny:
      method: [DELETE]
      url: "api.stripe.com/**"
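
The same-tier, identical-conditions check described above can be sketched as a small linter. This is an added example, not Checkrd's own code: `find_redundant_rules` and `_normalize` are hypothetical names, the policy is assumed to be already parsed from YAML into dicts, and list values such as `method` are assumed to be order-insensitive.

```python
# Added illustration, not Checkrd's implementation: flags a rule whose tier and
# match conditions are identical to an earlier rule in a first-match policy.

def _normalize(value):
    """Canonical, hashable form of a match-condition value.

    Assumption: lists such as `method` are unordered sets of alternatives,
    so [GET, DELETE] and [DELETE, GET] describe the same condition.
    """
    if isinstance(value, dict):
        return tuple(sorted((k, _normalize(v)) for k, v in value.items()))
    if isinstance(value, (list, tuple, set)):
        return tuple(sorted(_normalize(v) for v in value))
    return value


def find_redundant_rules(rules):
    """Return (redundant_name, earlier_name) pairs in policy order."""
    seen = {}      # (tier, normalized conditions) -> name of the first rule
    findings = []
    for rule in rules:
        for tier in ("allow", "deny"):
            if tier not in rule:
                continue
            key = (tier, _normalize(rule[tier]))
            if key in seen:
                findings.append((rule["name"], seen[key]))
            else:
                seen[key] = rule["name"]
    return findings


# Constructed sample: the two rules from the example above as parsed dicts,
# plus an allow rule with the same conditions. The allow rule is in a
# different tier, so this same-tier check does not flag it.
POLICY = [
    {"name": "deny-all-deletes",
     "deny": {"method": ["DELETE"], "url": "api.stripe.com/**"}},
    {"name": "deny-stripe-deletes",
     "deny": {"method": ["DELETE"], "url": "api.stripe.com/**"}},
    {"name": "allow-stripe-deletes",
     "allow": {"method": ["DELETE"], "url": "api.stripe.com/**"}},
]

if __name__ == "__main__":
    for redundant, earlier in find_redundant_rules(POLICY):
        print(f"{redundant}: redundant, shadowed by {earlier}")
```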

Fix

Remove the duplicate rule. If you intended the two rules to have different scopes, narrow the match conditions on one of them so they cover distinct request sets:

yaml
rules:
  - name: deny-all-deletes
    deny:
      method: [DELETE]
      url: "api.stripe.com/**"