Pre-run check (preflight)

Ask DriftGuard whether dependent contracts are safe before you start an agent run, deploy, or outbound tool call.

The preflight API is a single HTTP call (or MCP status tools) that returns allowed or a structured block list with agentActions for remediation.

When to use preflight

  • Before agent runs — LangGraph, custom orchestrators, or FuseGuard-wrapped agents
  • Before deploys — gate when production agents depend on vendor MCP catalogs
  • CI smoke — assert fleet health alongside coverage assert

For one-off JSON comparison without fleet context, use offline compare_json instead.

Watch list preflight

Check explicit watch IDs your run depends on:

curl -s https://driftguard.org/api/preflight \
  -H "Authorization: Bearer dg_live_…" \
  -H "Content-Type: application/json" \
  -d '{"watchIds":["550e8400-e29b-41d4-a716-446655440000"]}'

Allowed response

{
  "allowed": true,
  "blocked": [],
  "durationMs": 12
}

Blocked response

When a watch is drifted, errored, never checked, or disabled:

{
  "allowed": false,
  "blocked": [{
    "watchId": "…",
    "name": "stripe-api",
    "driftStatus": "drifted",
    "reasons": ["breaking_drift"],
    "agentActions": ["update_tool_schema", "ack_incident"]
  }],
  "durationMs": 18
}

If a drift policy enforces block_new_runs or kill_in_flight, HTTP status is 409 with policyBlocked: true.

Agent binding preflight

Check all watches bound to a production agent (from agents.yaml or console bindings):

curl -s https://driftguard.org/api/preflight \
  -H "Authorization: Bearer dg_live_…" \
  -H "Content-Type: application/json" \
  -d '{"agentId":"billing-agent"}'

Requires org-scoped API key or signed-in session. Returns agent status plus the same allowed / blocked shape.

MCP equivalents

  • get_watch_status — single watch canonical status
  • get_agent_status — agent binding + policy action
  • list_affected_agents — after drift on a watch, see impacted agents

See MCP tools reference.

FuseGuard integration

OSS FuseGuard can call preflight before each outbound tool call when DRIFTGUARD_API_KEY and watch IDs are configured. Trips with contract_drift_blocked include agentActions in trip metadata. Guide: FuseGuard loop fuse.

Limits & performance

  • Up to 100 watchIds per request
  • Latency logged server-side as preflight.complete (target p95 review in CP-1b)
  • Empty watchIds returns allowed: true

Related

  • API: POST /api/preflight
  • Glossary — drift_status, agentAction
  • Portfolio overview — fleet health summary