Skip to content

Preflight

Preflight checks an agent's governance setup for common problems before you deploy it to production. Run it when you are setting up a new agent, after making policy changes, or any time you want to confirm an agent is correctly configured.

Think of it as a pre-deployment checklist: a set of known things that go wrong, checked for you automatically.

How to run a preflight check

Open the Preflight page, select the agent you want to check, and the results appear automatically. Each check shows a pass, warning, or fail result with a plain-language explanation of what was found.

What gets checked

Identity

Confirms the agent has an identity type configured with all required fields filled in.

An agent without identity cannot be verified as the process it claims to be. This matters most in production where agents are calling real APIs with real consequences.

If this fails: go to the agent's detail page and configure its identity.

Policies attached

Confirms at least one policy is linked to this agent.

An agent with no policies has access to zero tools. It will be blocked on every call it attempts.

If this fails: assign a policy directly from the Preflight page - you do not need to navigate away.

Tools approved and active

Confirms that all tools in the agent's policies are approved and currently enabled.

A policy that contains a pending or disabled tool creates a silent gap: the agent's policy appears to cover a tool, but calls to that tool will be blocked at runtime. This is one of the most common sources of unexpected production failures.

If this fails: approve the pending tool or re-enable the disabled tool directly from the Preflight fix actions.

No policy gaps

Confirms that every tool the agent is expected to use is actually covered by one of its policies.

Policy gaps happen when a workflow is updated to use a new tool but the policy is not updated to match.

If this fails: the check identifies which tools are missing and lets you add them to the relevant policy from this page.

Execution contract

Confirms the agent has a declared execution mode and timeout.

Without this, KeyRunner cannot determine how long to wait for a call to complete or how to handle timeouts.

If this fails: update the execution contract from the Preflight fix action.

Governance contract

Confirms the agent has a declared lifecycle shape and approval gate strategy.

Without this, KeyRunner cannot enforce the correct behaviour if a call needs to be cancelled or compensated.

If this fails: update the governance contract from the Preflight fix action.

Fixing issues from Preflight

Most failures include a fix action you can take directly on the Preflight page. You do not need to navigate to the Agents, Tools, or Policies pages for common issues.

When all checks pass, Preflight confirms the agent is ready.

Preflight vs. Policy Playground

Preflight and the Policy Playground answer different questions:

PreflightPolicy Playground
Question it answersIs this agent correctly set up?Would this specific call be allowed or blocked?
What you provideSelect an agentAgent + tool name + input arguments
What you get backPass/fail per governance checkThe exact verdict for that specific call
When to use itBefore deploying an agentWhen testing specific call patterns

Use Preflight first to confirm the overall setup is correct. Then use the Playground to confirm specific calls produce the verdict you expect.

Released under the MIT License.