FlowGuard API - v1.2.0-tp.1

    Variable PolicySnapshotSchema (Const)

    // Rendered type of the PolicySnapshotSchema constant: a readonly wrapper
    // around a pipe of an object schema into a transform. Entries shown as (...)
    // appear to be elisions made by the documentation renderer.
    PolicySnapshotSchema: ZodReadonly<
        ZodPipe<
            ZodObject<
                {
                    mode: ZodEnum<
                        {
                            solo: "solo";
                            team: "team";
                            "team-ci": "team-ci";
                            regulated: "regulated";
                        },
                    >;
                    // Typed as a plain string in this rendering; any format or
                    // length check on the digest value is not visible here.
                    hash: ZodString;
                    resolvedAt: ZodString;
                    requestedMode: ZodEnum<
                        {
                            solo: "solo";
                            team: "team";
                            "team-ci": "team-ci";
                            regulated: "regulated";
                        },
                    >;
                    source: ZodOptional<
                        ZodEnum<
                            {
                                default: "default";
                                explicit: "explicit";
                                central: "central";
                                repo: "repo";
                            },
                        >,
                    >;
                    effectiveGateBehavior: ZodEnum<
                        { auto_approve: "auto_approve"; human_gated: "human_gated" },
                    >;
                    degradedReason: ZodOptional<ZodString>;
                    resolutionReason: ZodOptional<ZodString>;
                    // NOTE(review): this enum has no "team-ci" member, unlike mode
                    // and requestedMode above — confirm that is intended.
                    centralMinimumMode: ZodOptional<
                        ZodEnum<{ solo: "solo"; team: "team"; regulated: "regulated" }>,
                    >;
                    policyDigest: ZodOptional<ZodString>;
                    policyVersion: ZodOptional<ZodString>;
                    policyPathHint: ZodOptional<ZodString>;
                    requireHumanGates: ZodBoolean;
                    maxSelfReviewIterations: ZodNumber;
                    maxImplReviewIterations: ZodNumber;
                    allowSelfApproval: ZodBoolean;
                    // The two approval-assurance fields below are ZodDefault: a value
                    // is filled in when the key is absent. The default values
                    // themselves are not shown in this rendering.
                    minimumActorAssuranceForApproval: ZodDefault<
                        ZodEnum<
                            {
                                best_effort: "best_effort";
                                claim_validated: "claim_validated";
                                idp_verified: "idp_verified";
                            },
                        >,
                    >;
                    requireVerifiedActorsForApproval: ZodDefault<ZodBoolean>;
                    identityProvider: ZodOptional<
                        ZodPreprocess<
                            ZodDiscriminatedUnion<
                                [
                                    // Both variants are $strict objects: unknown keys
                                    // fail validation instead of being dropped. The
                                    // union is discriminated on "mode".
                                    ZodObject<
                                        {
                                            issuer: ZodString;
                                            audience: ZodPipe<(...), (...)>;
                                            claimMapping: ZodDefault<(...)>;
                                            mode: ZodLiteral<(...)>;
                                            signingKeys: ZodArray<(...)>;
                                        },
                                        $strict,
                                    >,
                                    ZodObject<
                                        {
                                            issuer: ZodString;
                                            audience: ZodPipe<(...), (...)>;
                                            claimMapping: ZodDefault<(...)>;
                                            mode: ZodLiteral<(...)>;
                                            // jwksPath and jwksUri are each optional in
                                            // the type; whether at least one must be
                                            // present is not visible here — TODO confirm.
                                            jwksPath: ZodOptional<(...)>;
                                            jwksUri: ZodOptional<(...)>;
                                            cacheTtlSeconds: ZodDefault<(...)>;
                                        },
                                        $strict,
                                    >,
                                ],
                                "mode",
                            >,
                        >,
                    >;
                    identityProviderMode: ZodDefault<
                        ZodEnum<{ optional: "optional"; required: "required" }>,
                    >;
                    selfReview: ZodOptional<
                        ZodObject<
                            {
                                subagentEnabled: ZodBoolean;
                                fallbackToSelf: ZodBoolean;
                                strictEnforcement: ZodDefault<ZodBoolean>;
                            },
                            $strip,
                        >,
                    >;
                    reviewOutputPolicy: ZodOptional<
                        ZodEnum<
                            {
                                structured_required: "structured_required";
                                text_compat_allowed: "text_compat_allowed";
                            },
                        >,
                    >;
                    reviewInvocationPolicy: ZodOptional<
                        ZodEnum<
                            {
                                host_task_required: "host_task_required";
                                host_task_preferred: "host_task_preferred";
                                sdk_allowed: "sdk_allowed";
                            },
                        >,
                    >;
                    enforceRiskClassification: ZodOptional<ZodBoolean>;
                    allowRiskDowngradeOverride: ZodOptional<ZodBoolean>;
                    allowReducedCeremony: ZodOptional<ZodBoolean>;
                    discoveryHealth: ZodOptional<
                        ZodObject<
                            {
                                enforcement: ZodEnum<
                                    { advisory: "advisory"; required: "required"; off: "off" },
                                >;
                                onDegraded: ZodEnum<{ allow: "allow"; warn: "warn"; block: "block" }>;
                                onDrift: ZodEnum<{ allow: "allow"; warn: "warn"; block: "block" }>;
                            },
                            $strip,
                        >,
                    >;
                    validationEvidence: ZodOptional<
                        ZodObject<
                            {
                                enforcement: ZodEnum<
                                    { advisory: "advisory"; required: "required"; off: "off" },
                                >;
                                allowNoCommands: ZodBoolean;
                            },
                            $strip,
                        >,
                    >;
                    audit: ZodObject<
                        {
                            emitTransitions: ZodBoolean;
                            emitToolCalls: ZodBoolean;
                            enableChainHash: ZodBoolean;
                            // ZodDefault<ZodOptional<...>>: the key may be omitted on
                            // input; the transform output type further down lists
                            // timestampAssurance as always present.
                            timestampAssurance: ZodDefault<
                                ZodOptional<
                                    ZodObject<
                                        {
                                            enabled: ZodDefault<(...)>;
                                            mode: ZodDefault<(...)>;
                                            strict: ZodDefault<(...)>;
                                            criticalEvents: ZodDefault<(...)>;
                                            tsaUrl: ZodOptional<(...)>;
                                            trustAnchors: ZodOptional<(...)>;
                                            ntpServers: ZodOptional<(...)>;
                                            ntpDriftThresholdMs: ZodDefault<(...)>;
                                            tsaTimeoutMs: ZodDefault<(...)>;
                                        },
                                        $strip,
                                    >,
                                >,
                            >;
                        },
                        $strip,
                    >;
                    actorClassification: ZodRecord<ZodString, ZodString>;
                },
                // $strip: unknown keys on the snapshot object (and on the nested
                // $strip objects above) are dropped on parse rather than rejected.
                $strip,
            >,
            // Type arguments are <output, input>. The output (first object below)
            // lists enforceRiskClassification, allowRiskDowngradeOverride,
            // allowReducedCeremony, discoveryHealth and validationEvidence as
            // required; the input (second object) lists them as optional, so the
            // transform must supply a value when they are absent. The values it
            // supplies are not shown in this rendering.
            ZodTransform<
                {
                    mode: "solo"
                    | "team"
                    | "team-ci"
                    | "regulated";
                    hash: string;
                    resolvedAt: string;
                    requestedMode: "solo" | "team" | "team-ci" | "regulated";
                    source?: "default" | "explicit" | "central" | "repo";
                    effectiveGateBehavior: "auto_approve" | "human_gated";
                    degradedReason?: string;
                    resolutionReason?: string;
                    centralMinimumMode?: "solo" | "team" | "regulated";
                    policyDigest?: string;
                    policyVersion?: string;
                    policyPathHint?: string;
                    requireHumanGates: boolean;
                    maxSelfReviewIterations: number;
                    maxImplReviewIterations: number;
                    allowSelfApproval: boolean;
                    minimumActorAssuranceForApproval:
                        | "best_effort"
                        | "claim_validated"
                        | "idp_verified";
                    requireVerifiedActorsForApproval: boolean;
                    identityProvider?: | {
                        issuer: string;
                        audience: string[];
                        claimMapping: {
                            subjectClaim: string;
                            emailClaim: string;
                            nameClaim: string;
                        };
                        mode: "static";
                        // Static keys are given as JWK or PEM, each with a kid and
                        // an alg limited to RS256 or ES256.
                        signingKeys: (
                            | {
                                kind: "jwk";
                                kid: string;
                                alg: "RS256"
                                | "ES256";
                                jwk:
                                    | { kty: ...; n: ...; e: ... }
                                    | { kty: ...; x: ...; y: ...; crv: ... };
                            }
                            | { kind: "pem"; kid: string; alg: "RS256"
                            | "ES256"; pem: string }
                        )[];
                    }
                    | {
                        issuer: string;
                        audience: string[];
                        claimMapping: {
                            subjectClaim: string;
                            emailClaim: string;
                            nameClaim: string;
                        };
                        mode: "jwks";
                        jwksPath?: string;
                        jwksUri?: string;
                        cacheTtlSeconds: number;
                    };
                    identityProviderMode: "optional"
                    | "required";
                    selfReview?: {
                        subagentEnabled: boolean;
                        fallbackToSelf: boolean;
                        strictEnforcement: boolean;
                    };
                    reviewOutputPolicy?: "structured_required"
                    | "text_compat_allowed";
                    reviewInvocationPolicy?:
                        | "host_task_required"
                        | "host_task_preferred"
                        | "sdk_allowed";
                    audit: {
                        emitTransitions: boolean;
                        emitToolCalls: boolean;
                        enableChainHash: boolean;
                        timestampAssurance: {
                            enabled: boolean;
                            mode: "local_only"
                            | "ntp_check"
                            | "tsa_critical";
                            strict: boolean;
                            criticalEvents: string[];
                            tsaUrl?: string;
                            trustAnchors?: string[];
                            ntpServers?: string[];
                            ntpDriftThresholdMs: number;
                            tsaTimeoutMs: number;
                        };
                    };
                    actorClassification: Record<string, string>;
                    enforceRiskClassification: boolean;
                    allowRiskDowngradeOverride: boolean;
                    allowReducedCeremony: boolean;
                    discoveryHealth: {
                        enforcement: "advisory" | "required" | "off";
                        onDegraded: "allow" | "warn" | "block";
                        onDrift: "allow" | "warn" | "block";
                    };
                    validationEvidence: {
                        enforcement: "advisory"
                        | "required"
                        | "off";
                        allowNoCommands: boolean;
                    };
                },
                // Transform input: the shape produced by the object schema, with
                // the risk, discoveryHealth and validationEvidence fields still
                // optional.
                {
                    mode: "solo"
                    | "team"
                    | "team-ci"
                    | "regulated";
                    hash: string;
                    resolvedAt: string;
                    requestedMode: "solo" | "team" | "team-ci" | "regulated";
                    source?: "default" | "explicit" | "central" | "repo";
                    effectiveGateBehavior: "auto_approve" | "human_gated";
                    degradedReason?: string;
                    resolutionReason?: string;
                    centralMinimumMode?: "solo" | "team" | "regulated";
                    policyDigest?: string;
                    policyVersion?: string;
                    policyPathHint?: string;
                    requireHumanGates: boolean;
                    maxSelfReviewIterations: number;
                    maxImplReviewIterations: number;
                    allowSelfApproval: boolean;
                    minimumActorAssuranceForApproval:
                        | "best_effort"
                        | "claim_validated"
                        | "idp_verified";
                    requireVerifiedActorsForApproval: boolean;
                    identityProvider?: | {
                        issuer: string;
                        audience: string[];
                        claimMapping: {
                            subjectClaim: string;
                            emailClaim: string;
                            nameClaim: string;
                        };
                        mode: "static";
                        signingKeys: (
                            | {
                                kind: "jwk";
                                kid: string;
                                alg: "RS256"
                                | "ES256";
                                jwk:
                                    | { kty: ...; n: ...; e: ... }
                                    | { kty: ...; x: ...; y: ...; crv: ... };
                            }
                            | { kind: "pem"; kid: string; alg: "RS256"
                            | "ES256"; pem: string }
                        )[];
                    }
                    | {
                        issuer: string;
                        audience: string[];
                        claimMapping: {
                            subjectClaim: string;
                            emailClaim: string;
                            nameClaim: string;
                        };
                        mode: "jwks";
                        jwksPath?: string;
                        jwksUri?: string;
                        cacheTtlSeconds: number;
                    };
                    identityProviderMode: "optional"
                    | "required";
                    selfReview?: {
                        subagentEnabled: boolean;
                        fallbackToSelf: boolean;
                        strictEnforcement: boolean;
                    };
                    reviewOutputPolicy?: "structured_required"
                    | "text_compat_allowed";
                    reviewInvocationPolicy?:
                        | "host_task_required"
                        | "host_task_preferred"
                        | "sdk_allowed";
                    enforceRiskClassification?: boolean;
                    allowRiskDowngradeOverride?: boolean;
                    allowReducedCeremony?: boolean;
                    discoveryHealth?: {
                        enforcement: "advisory"
                        | "required"
                        | "off";
                        onDegraded: "allow" | "warn" | "block";
                        onDrift: "allow" | "warn" | "block";
                    };
                    validationEvidence?: {
                        enforcement: "advisory"
                        | "required"
                        | "off";
                        allowNoCommands: boolean;
                    };
                    audit: {
                        emitTransitions: boolean;
                        emitToolCalls: boolean;
                        enableChainHash: boolean;
                        timestampAssurance: {
                            enabled: boolean;
                            mode: "local_only"
                            | "ntp_check"
                            | "tsa_critical";
                            strict: boolean;
                            criticalEvents: string[];
                            tsaUrl?: string;
                            trustAnchors?: string[];
                            ntpServers?: string[];
                            ntpDriftThresholdMs: number;
                            tsaTimeoutMs: number;
                        };
                    };
                    actorClassification: Record<string, string>;
                },
            >,
        >,
    > = ...

    Immutable policy snapshot embedded in SessionState.

    Stores all FlowGuard-critical fields so auditors can verify which rules governed a session — even after policy presets are updated.

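    The hash is the SHA-256 of the canonical JSON of the full GovernancePolicy. Non-repudiation: hash matches → policy is authentic and unmodified. Because SHA-256 is unkeyed, a match shows that the policy is unchanged relative to the recorded hash; the check is only as strong as the protection of that recorded hash (for example a signature or a tamper-evident audit record), and the hash alone does not identify who supplied the policy.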

    This schema lives in the state layer (not the config layer) because it is part of SessionState — the innermost layer must not depend on outer layers.