Resolve policy refs for manifest validation and policy picker flows.

POST

/v1/policies/resolve-refs

Resolves tools[].policy_refs[] as policy_version references in the same tenant and environment. Runtime-valid refs must point to published policies; draft, rejected, archived, missing, and wrong-environment refs are not runtime-valid. Server-owner flows may pass owner_team so missing refs can still return a generic validation row without requiring tenant-wide policy.read.

Authorizations

• oidc

Request Body ^required

object

tenant_id

required

string

>= 1 characters

environment_id

required

string

>= 1 characters

owner_team

Optional owner team scope for server-owner picker and pasted-ref flows.

string

>= 1 characters

policy_refs

required

Array<string>

>= 1 items

actor_id

Rejected if supplied; actor is derived from authentication context.

string

Responses

200

One resolution row per requested policy ref. Refs outside the actor’s policy.read scope are returned as scoped-empty policy_ref_not_found rows, not 403.

object

schema_version

required

items

required

Array<object>

object

policy_ref

required

string

>= 1 characters

exists

required

boolean

status

required

Any of:

string

string

Allowed values: draft validating published archived rejected

null

null

active_in_environment

required

boolean

owner

required

Any of:

object

object

user_id

required

string

>= 1 characters

team

required

string

>= 1 characters

null

null

description

required

string | null

rule_count

required

integer

used_by_servers_count

required

integer

valid_for_runtime

required

boolean

reason_code

required

Allowed values: valid policy_ref_not_found policy_ref_not_published policy_ref_archived policy_ref_environment_mismatch

400

Empty policy_refs or client-supplied actor_id.