> ## Documentation Index > Fetch the complete documentation index at: https://doc.featherhq.com/llms.txt > Use this file to discover all available pages before exploring further. # Describe the policy authoring cascade + per-transport runtime resolution ## OpenAPI ````yaml /api-reference/openapi.json get /v1/policies/capabilities openapi: 3.1.0 info: title: Feather API description: >- Unified customer experience platform API. Manages identity, conversations, memory, agents, procedures, policies, model routing, knowledge bases, integrations, and runtime execution. version: 1.21.0 servers: - url: https://api-sandbox.featherhq.com description: Sandbox - url: http://localhost:8000 description: Local dev security: [] paths: /v1/policies/capabilities: get: tags: - policies summary: Describe the policy authoring cascade + per-transport runtime resolution operationId: getPolicyCapabilities responses: '200': description: Successful Response content: application/json: schema: $ref: '#/components/schemas/PolicyCapabilitiesResponse' '400': description: Bad request content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' '401': description: Authentication required content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' security: - APIKeyHeader: [] components: schemas: PolicyCapabilitiesResponse: properties: points: items: $ref: '#/components/schemas/PolicyPointCapability' type: array title: Points resolutions: items: $ref: '#/components/schemas/ResolutionEntry' type: array title: Resolutions check_types: items: $ref: '#/components/schemas/PolicyCheckCapability' type: array title: Check Types cross_cutting: items: $ref: '#/components/schemas/PolicyCrossCuttingFact' type: array title: Cross Cutting type: object required: - points - resolutions - check_types - cross_cutting title: PolicyCapabilitiesResponse description: >- The full policy capability table (static, org-independent). ``points`` is the channel-blind authoring cascade; ``resolutions`` is the non-authored runtime-resolution section (per-transport strategy + consequence) for the behavior preview; ``check_types`` is the presentation metadata for every check kind. ErrorResponse: properties: error: type: string title: Error message: type: string title: Message type: object required: - error - message title: ErrorResponse description: Standard error response returned by all API error handlers. PolicyPointCapability: properties: enforcement_point: $ref: '#/components/schemas/PolicyEnforcementPoint' description: type: string title: Description checks: items: $ref: '#/components/schemas/PolicyPointCheckCapability' type: array title: Checks actions: items: $ref: '#/components/schemas/PolicyActionCapability' type: array title: Actions supports_tool_target: type: boolean title: Supports Tool Target default: false type: object required: - enforcement_point - description - checks - actions title: PolicyPointCapability description: >- One enforcement point — the checks + actions it offers (channel-blind, maximal menu). ``supports_tool_target`` is True at pre_tool/post_tool, where a policy may be pinned to a single tool (``tool_target``); False at input/agent_response, where a tool is not in scope and a tool_target is rejected by the validator. ResolutionEntry: properties: enforcement_point: $ref: '#/components/schemas/PolicyEnforcementPoint' transport_class: type: string title: Transport Class strictness: type: string title: Strictness check_type: $ref: '#/components/schemas/PolicyCheckType' strategy: type: string title: Strategy consequence: type: string title: Consequence type: object required: - enforcement_point - transport_class - strictness - check_type - strategy - consequence title: ResolutionEntry description: >- One row of the runtime-resolution section — the platform-derived strategy + consequence. NOT authored: a (point, transport_class, strictness, check_type) resolves to a ``strategy`` with a plain-language ``consequence``. The UI's behavior-by-transport preview reads these; a drift-guard test pins them to :func:`src.policy.resolution.resolve_strategy`. PolicyCheckCapability: properties: check_type: $ref: '#/components/schemas/PolicyCheckType' label: type: string title: Label hint: type: string title: Hint type: object required: - check_type - label - hint title: PolicyCheckCapability description: >- Human-readable presentation metadata for one check kind the cascade offers. Mirrors the UI's ``CHECK_TYPE_LABELS`` (``label``) and ``CHECK_TYPE_HINTS`` (``hint``). Which kinds are offered at a point is driven by ``PolicyPointCapability.checks`` — this is just the shared label/hint copy. PolicyCrossCuttingFact: properties: key: type: string title: Key note: type: string title: Note type: object required: - key - note title: PolicyCrossCuttingFact description: A table-level invariant the UI surfaces (not tied to one point). PolicyEnforcementPoint: type: string enum: - input - pre_tool - post_tool - agent_response title: PolicyEnforcementPoint description: >- Where in a turn a policy's check fires (v2: one point per policy). ``agent_response`` is the single author-facing reply point — the v1 ``response`` (per-streamed-unit) + ``post_response`` (complete reply) split is an internal runtime detail now, selected by the platform-derived enforcement strategy (buffer-and-gate vs per-unit), not an authored distinction. PolicyPointCheckCapability: properties: check_type: $ref: '#/components/schemas/PolicyCheckType' strictness_options: items: type: string type: array title: Strictness Options cost_note: anyOf: - type: string - type: 'null' title: Cost Note type: object required: - check_type - strictness_options title: PolicyPointCheckCapability description: >- One check kind available at a point, with its per-(point, check) strictness options. ``strictness_options`` are the ``PolicyStrictness`` string values an author may pick for this (point, check). The UI renders the strictness control iff ``len > 1`` (so only ``input``·llm_judge and ``agent_response``·expression); the write-validator coerces to the single value otherwise. ``cost_note`` is plain-language latency/cost guidance the UI surfaces (e.g. the llm_judge round-trip cost). The kind's label/hint live once in the top-level ``check_types`` metadata, not duplicated here. PolicyActionCapability: properties: action: $ref: '#/components/schemas/PolicyAction' label: type: string title: Label degradation_note: anyOf: - type: string - type: 'null' title: Degradation Note config_requirements: items: type: string type: array title: Config Requirements warning: anyOf: - type: string - type: 'null' title: Warning warning_applies_to_checks: anyOf: - items: type: string type: array - type: 'null' title: Warning Applies To Checks supports_judge_message: type: boolean title: Supports Judge Message default: false type: object required: - action - label title: PolicyActionCapability description: >- One action available at a point, with its surfaced effect. ``label`` is the human-readable name the UI renders. ``degradation_note`` is plain-language and rendered verbatim — it describes WHAT the action does (the per-transport latency/guarantee lives in the runtime-resolution section, not here). ``config_requirements`` lists action_config keys the validator requires at least one of (redact needs ``patterns`` or ``max_length``). ``warning`` flags a discouraged-but-allowed combination (llm_judge + redact); ``warning_applies_to_checks`` names the check kinds the warning is relevant to so the UI shows it only when that kind is the selected check. ``supports_judge_message`` is True where an llm_judge can author the user-facing block/append copy itself (opt-in via ``check_config['judge_authored_message']``). PolicyCheckType: type: string enum: - expression - llm_judge title: PolicyCheckType description: >- How a policy decides whether content/state violates it. - ``expression``: a ``PolicyExprEvaluator`` boolean over turn state. - ``llm_judge``: a secondary LLM (via model_router) judges against ``guardrail_text``. PolicyAction: type: string enum: - block - redact - append - require_approval - handoff title: PolicyAction description: >- What happens when a check fails. - ``block``: emit a canned safe message, raise ``PolicyViolationError``, short-circuit. - ``redact``: deterministic regex/truncate (NO LLM rewrite). - ``append``: append a disclaimer. - ``require_approval``: route through the HITL approval seam (``pre_tool`` only). - ``handoff``: hand off via ``HandoffService`` (source="policy"). The v1 ``monitor`` action is gone — observe-only is the ``monitor`` *mode* now. securitySchemes: APIKeyHeader: type: apiKey in: header name: x-api-key ````