Drift policy presets

A drift policy defines what happens when a bound watch reports breaking or warning drift — notify, block new runs, open a draft PR, or kill in-flight agents.

Attach a policy to each agent binding in the console or via the policy: key in agents.yaml. Policies are org-scoped rows in drift_policies.

Preset catalog

| Preset | on_breaking | on_warning | Ack required | Typical use |
|---|---|---|---|---|
| notify-only | notify | notify | No | Default — alerts only; preflight returns 200 with warnings |
| dev-flexible | draft_pr | notify | No | SchemaSync opens draft PR; no runtime kill |
| staging-strict | block_new_runs | notify | Optional | Preflight and CI return 409; blocks orchestrator starts |
| production-guard | kill_in_flight | notify | Yes | FuseGuard trip + signed runtime webhook; ack before unblock |

Breaking actions

| Action | Preflight | Runtime | Remediation |
|---|---|---|---|
| notify | 200, allowed: true with drift context | No block | Human triage from alerts |
| draft_pr | 200 | No kill | SchemaSync draft PR queued |
| block_new_runs | 409 policyBlocked: true | Blocks new orchestrator runs | Ack incident to clear |
| kill_in_flight | 409 | Kill via FuseGuard + runtime webhook | Ack + verify contract fix |

Policy object fields

When creating custom policies via API or console Settings → Drift policies:

| Field | Values | Default |
|---|---|---|
| onBreaking | notify · draft_pr · block_new_runs · kill_in_flight | notify |
| onWarning | notify | notify |
| requireAckToUnblock | boolean | false (preset-dependent) |
| autoResolveIncident | boolean | true |

Console

Create and assign policies under Console → Settings → Drift policies. Bindings reference a policy by name or ID. The Contract Optimizer nudges bindings stuck on notify-only when breaking drift repeats.

Preflight interaction

POST /api/preflight with agentId evaluates all bound watches and the binding policy. See preflight guide for 200 vs 409 responses.
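
A CI or orchestrator gate has to turn the preflight result into a start/stop decision and fail closed on anything it does not recognize. The following is an added example, not code from this product: the allowed and policyBlocked fields and the 200/409 statuses come from the tables above, while the warnings field name, the Decision type and the sample responses are assumptions.

```python
import json
from typing import NamedTuple


class Decision(NamedTuple):
    proceed: bool  # may the orchestrator start a new run?
    reason: str


def evaluate_preflight(status: int, raw_body: str) -> Decision:
    """Map a POST /api/preflight response to a start/stop decision, failing closed."""
    try:
        body = json.loads(raw_body)
    except (json.JSONDecodeError, TypeError):
        return Decision(False, "unparseable preflight body")
    if not isinstance(body, dict):
        return Decision(False, "unexpected preflight body type")

    if status == 409:
        # block_new_runs and kill_in_flight both surface as 409.
        if body.get("policyBlocked") is True:
            return Decision(False, "blocked by drift policy; ack incident to clear")
        return Decision(False, "409 without policyBlocked; treat as blocked")

    if status == 200:
        # notify and draft_pr return 200; a contradicting body still blocks.
        if body.get("allowed") is False or body.get("policyBlocked") is True:
            return Decision(False, "200 body contradicts status; treat as blocked")
        warnings = body.get("warnings")  # assumed field name for drift context
        if isinstance(warnings, list) and warnings:
            return Decision(True, f"allowed with {len(warnings)} drift warning(s)")
        return Decision(True, "allowed")

    # Auth errors, 5xx, proxy pages: never start a run on an unknown answer.
    return Decision(False, f"unexpected status {status}")


# Constructed sample responses, not captured from a real service.
SAMPLES = [
    (200, '{"allowed": true, "warnings": ["field renamed"]}'),
    (409, '{"policyBlocked": true}'),
    (502, "<html>bad gateway</html>"),
]

if __name__ == "__main__":
    for status, raw in SAMPLES:
        print(status, evaluate_preflight(status, raw))
```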

Related

  • Agent bindings
  • Remediation approval rules
  • FuseGuard loop fuse
  • Breaking vs warning