Build a metadata-only deny diagnostics bundle from a denied request, audit event, or explicit actor/tool context.
POST /v1/deny-diagnostics
POST
/v1/deny-diagnostics
Reuses audit request bundle, policy simulation, registry, session, credential binding, connector route, environment, and client-surface projections. The response never includes request/response bodies, prompts, payloads, tokens, or secret material.
Authorizations
Section titled “Authorizations ”Request Body required
Section titled “Request Body required ”object
schemaVersion
required
requestId
required
Admin API request ID for this diagnostics lookup.
string
deniedRequestId
Denied runtime request ID. Exactly one of deniedRequestId, auditEventId, or explicitContext is required.
string
auditEventId
Audit event ID from search/detail. Exactly one lookup selector is required.
string
explicitContext
object
actor
required
object
userId
string
groupIds
Array<string>
agentId
string
agentInstanceId
string
clientSurfaceId
required
string
target
required
object
serverId
string
apiSourceId
string
operationId
string
toolId
required
string
targetEnvironmentId
required
string
policy
required
object
decision
required
denyReason
required
string
policyVersion
required
string
matchedRule
object
ruleId
required
string
effect
required
reason
required
string
missingAllow
required
boolean
explicitDeny
required
boolean
failingConstraints
required
Array<string>
credentialMode
required
string
remediation
string
clientSurface
required
object
clientSurfaceId
required
string
lifecycleState
required
approvalState
required
string
allowedEnvironmentIds
required
Array<string>
mismatch
required
boolean
environment
required
object
actorEnvironmentId
required
string
targetEnvironmentId
required
string
mismatch
required
boolean
approvals
required
object
agentStatus
required
toolStatus
required
serverStatus
string
apiSourceStatus
string
credentialBinding
required
object
credentialBindingId
string
credentialMode
required
string
lifecycleState
required
revocationStatus
required
materialReturn
required
connectorRoute
required
object
connectorId
string
routeAvailable
required
boolean
routeAvailabilityReason
required
string
healthStatus
required
lifecycleState
required
revocationReasonCode
string
schemaValidation
object
failed
required
boolean
reasonCode
required
string
schemaRef
required
string
fieldPath
string
upstreamAttempted
required
boolean
relatedIds
required
object
requestIds
Array<string>
auditEventIds
Array<string>
clientSessionIds
Array<string>
backendSessionIds
Array<string>
policySimulationIds
Array<string>
tenantId
Tenant scope, derived from auth context in production and explicit in deterministic fixtures.
string
environmentId
Environment scope to permission-check and hide cross-scope diagnostics.
string
Responses
Section titled “ Responses ”Remediation-ready deny diagnostics bundle with safe metadata only.
object
schemaVersion
required
requestId
required
string
diagnosticId
required
string
tenantId
required
string
environmentId
required
string
deniedRequestId
required
string
auditEventId
required
string
inputMode
required
denyReason
required
string
policy
required
object
decision
required
denyReason
required
string
policyVersion
required
string
matchedRule
object
ruleId
required
string
effect
required
reason
required
string
missingAllow
required
boolean
explicitDeny
required
boolean
failingConstraints
required
Array<string>
credentialMode
required
string
remediation
string
clientSurface
required
object
clientSurfaceId
required
string
lifecycleState
required
approvalState
required
string
allowedEnvironmentIds
required
Array<string>
mismatch
required
boolean
environment
required
object
actorEnvironmentId
required
string
targetEnvironmentId
required
string
mismatch
required
boolean
approvals
required
object
agentStatus
required
toolStatus
required
serverStatus
string
apiSourceStatus
string
credentialBinding
required
object
credentialBindingId
string
credentialMode
required
string
lifecycleState
required
revocationStatus
required
materialReturn
required
connectorRoute
required
object
connectorId
string
routeAvailable
required
boolean
routeAvailabilityReason
required
string
healthStatus
required
lifecycleState
required
revocationReasonCode
string
schemaValidation
object
failed
required
boolean
reasonCode
required
string
schemaRef
required
string
fieldPath
string
upstreamAttempted
required
boolean
relatedIds
required
object
requestIds
Array<string>
auditEventIds
Array<string>
clientSessionIds
Array<string>
backendSessionIds
Array<string>
policySimulationIds
Array<string>
suggestedRemediation
required
string
sourceProjections
required
Array
permissions
required
object
allowedActions
required
Array
redactionStatus
required
Request shape, lookup, or safe-metadata validation failed.
object
schemaVersion
required
requestId
required
string
status
required
integer
reasonCode
required
string
message
required
string
retryable
required
boolean
machineSafe
required
boolean
redactionStatus
required
field
Optional metadata-only field identifier for validation errors.
string
Actor lacks tenant/environment permission to read deny diagnostics.
object
schemaVersion
required
requestId
required
string
status
required
integer
reasonCode
required
string
message
required
string
retryable
required
boolean
machineSafe
required
boolean
redactionStatus
required
field
Optional metadata-only field identifier for validation errors.
string
Denied request or audit event was unknown, stale, or outside actor scope.
object
schemaVersion
required
requestId
required
string
status
required
integer
reasonCode
required
string
message
required
string
retryable
required
boolean
machineSafe
required
boolean
redactionStatus
required
field
Optional metadata-only field identifier for validation errors.
string
Type set in Geist, Source Serif 4, and Departure Mono.