Status plane
Preflight
Gate orchestrator and agent runs — returns allowed or blocked watches with agentActions.
Request body
{
"watchIds": ["uuid", "…"], // up to 100
"agentId": "billing-agent" // optional — all watches on binding
}
Provide watchIds or agentId. Agent preflight requires org API key or signed-in session.
Responses
200 — allowed: true or blocked without enforcing policy (drifted but notify-only policy).
409 — blocked with policyBlocked: true when policy enforces block_new_runs or kill_in_flight.
401 — agent preflight without credentials.
Blocked watch fields
Each blocked[] entry: watchId, name, driftStatus, reasons[], agentActions[].
reasons[] tokens: breaking_drift, check_failed, never_checked, disabled, policy_block:block_new_runs, policy_block:kill_in_flight. Full table: preflight guide.
FuseGuard trip reason: contract_drift_blocked (OSS).