Status plane

Preflight

Gate orchestrator and agent runs — returns allowed or blocked watches with agentActions.

POST /api/preflight Guide →

Request body

{
  "watchIds": ["uuid", "…"],   // up to 100
  "agentId": "billing-agent"    // optional — all watches on binding
}

Provide watchIds or agentId. Agent preflight requires org API key or signed-in session.

Responses

200 — allowed: true or blocked without enforcing policy (drifted but notify-only policy).

409 — blocked with policyBlocked: true when policy enforces block_new_runs or kill_in_flight.

401 — agent preflight without credentials.

curl https://driftguard.org/api/preflight \
  -H "Authorization: Bearer dg_live_…" \
  -H "Content-Type: application/json" \
  -d '{"watchIds":["550e8400-e29b-41d4-a716-446655440000"]}'