Output Policies API

Endpoints

Both require a Bearer API key from a user with admin or owner role. Both return 404 when ENABLE_OUTPUT_FILTERING is off globally on the backend.

Policy shape

{
  "enabled": true,
  "mode": "flag",
  "libraries": ["pii", "credentials", "prompt_injection"],
  "deny_severity_threshold": "critical",
  "redact_severity_threshold": "warning",
  "request_id": "req_..."
}

• enabled — master switch. When false, no outcome scans run and receipts carry output_scan_flags = null.
• mode — one of "flag" (record-only), "deny" (refuse receipt on threshold), or "redact" (hash the cleaned outcome).
• libraries — which pattern libraries to run. Valid values: pii, credentials, prompt_injection.
• deny_severity_threshold — in deny mode, the minimum hit severity that blocks the receipt. info | warning | critical.
• redact_severity_threshold — unused today (Phase 2 redacts every match regardless of severity). Reserved for a future per-severity redaction toggle.

GET /output-policies

Returns the full blob. An org that never called PATCH receives the default policy (enabled, flag mode, all libraries, critical deny threshold, warning redact threshold).

PATCH /output-policies

Request body

All fields optional. Only the fields supplied are changed:

{
  "mode": "deny",
  "deny_severity_threshold": "critical"
}

The above leaves enabled, libraries, and redact_severity_threshold untouched.

Errors

How outcome scans land on receipts

Every POST /actions/{id}/notarize call with a completed outcome runs the org's active policy against outcome_details. See guides/output-filtering for the full behaviour per mode; the short version:

The output_scan_flags blob is part of the signed canonical JSON, so a verifier re-computing the signature will see the tamper if anyone edits the flags after notarize.