Status plane

Preflight

Gate orchestrator and agent runs — returns allowed or blocked watches with agentActions.

POST /api/preflight

Request body

{
  "watchIds": ["uuid", "…"],   // up to 100
  "agentId": "billing-agent"    // optional — all watches on binding
}

Provide watchIds or agentId. Agent preflight requires an org API key or a signed-in session.

Responses

200 — allowed: true, or watches reported as blocked where no policy enforces the block (drifted, but the policy is notify-only).

409 — blocked with policyBlocked: true when policy enforces block_new_runs or kill_in_flight.

401 — agent preflight without credentials.

Blocked watch fields

Each blocked[] entry: watchId, name, driftStatus, reasons[], agentActions[].

reasons[] tokens: breaking_drift, check_failed, never_checked, disabled, policy_block:block_new_runs, policy_block:kill_in_flight. Full table: preflight guide.

FuseGuard trip reason: contract_drift_blocked (OSS).

curl https://driftguard.org/api/preflight \
  -H "Authorization: Bearer dg_live_…" \
  -H "Content-Type: application/json" \
  -d '{"watchIds":["550e8400-e29b-41d4-a716-446655440000"]}'
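A caller-side gate for the responses listed above, as an added example (not DriftGuard's own client code). It assumes the body carries top-level `allowed`, `blocked` and `policyBlocked` keys; `decide`, `Decision` and the `strict` option are hypothetical names, and the sample bodies are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Decision:
    start_run: bool        # may a new run start?
    stop_in_flight: bool   # should runs already in progress be stopped?
    why: str
    notes: list = field(default_factory=list)  # one line per blocked watch

def decide(status, body, strict=False):
    """Turn a preflight HTTP status and parsed JSON body into a run decision.

    Assumption: top-level keys are allowed, blocked, policyBlocked.
    strict is a hypothetical caller option: refuse to start on any blocked
    watch, even when the policy is notify-only (HTTP 200).
    """
    body = body if isinstance(body, dict) else {}
    blocked = body.get("blocked") or []
    reasons = {r for w in blocked for r in w.get("reasons", [])}
    notes = [f"{w.get('name')} ({w.get('watchId')}): {', '.join(w.get('reasons', []))}"
             for w in blocked]
    if status == 200 and body.get("allowed") is True and not blocked:
        return Decision(True, False, "allowed")
    if status == 200 and blocked:
        # Blocked watches reported, but no enforcing policy: surface the notes.
        return Decision(not strict, False, "blocked, notify-only policy", notes)
    if status == 409 and body.get("policyBlocked") is True:
        # Assumption: the kill_in_flight token means running work must stop too.
        kill = "policy_block:kill_in_flight" in reasons
        return Decision(False, kill, "policy block", notes)
    if status == 401:
        return Decision(False, False, "agent preflight without credentials")
    # Anything else (5xx, proxy error page, unknown shape): fail closed.
    return Decision(False, False, f"unexpected response (HTTP {status})")

# Constructed sample bodies, not captured from the service.
WATCH = {"watchId": "550e8400-e29b-41d4-a716-446655440000", "name": "billing-api",
         "driftStatus": "drifted", "agentActions": []}
SAMPLE_NOTIFY = {"allowed": False,
                 "blocked": [{**WATCH, "reasons": ["breaking_drift"]}]}
SAMPLE_KILL = {"policyBlocked": True, "blocked": [
    {**WATCH, "reasons": ["breaking_drift", "policy_block:kill_in_flight"]}]}

if __name__ == "__main__":
    for status, body in [(200, {"allowed": True}), (200, SAMPLE_NOTIFY),
                         (409, SAMPLE_KILL), (401, {}), (502, None)]:
        print(status, decide(status, body))
```

Any status or body shape the docs do not list is treated as a refusal, so an outage or an intercepting proxy cannot turn into an implicit allow.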