Preflight
Preflight checks an agent's governance setup for common problems before you deploy it to production. Run it when you are setting up a new agent, after making policy changes, or any time you want to confirm an agent is correctly configured.
Think of it as a pre-deployment checklist: a set of known things that go wrong, checked for you automatically.
How to run a preflight check
Open the Preflight page, select the agent you want to check, and the results appear automatically. Each check shows a pass, warning, or fail result with a plain-language explanation of what was found.
What gets checked
Identity
Confirms the agent has an identity type configured with all required fields filled in.
An agent without identity cannot be verified as the process it claims to be. This matters most in production where agents are calling real APIs with real consequences.
If this fails: go to the agent's detail page and configure its identity.
Policies attached
Confirms at least one policy is linked to this agent.
An agent with no policies has access to zero tools. It will be blocked on every call it attempts.
If this fails: assign a policy directly from the Preflight page - you do not need to navigate away.
Tools approved and active
Confirms that all tools in the agent's policies are approved and currently enabled.
A policy that contains a pending or disabled tool creates a silent gap: the agent's policy appears to cover a tool, but calls to that tool will be blocked at runtime. This is one of the most common sources of unexpected production failures.
If this fails: approve the pending tool or re-enable the disabled tool directly from the Preflight fix actions.
No policy gaps
Confirms that every tool the agent is expected to use is actually covered by one of its policies.
Policy gaps happen when a workflow is updated to use a new tool but the policy is not updated to match.
If this fails: the check identifies which tools are missing and lets you add them to the relevant policy from this page.
Execution contract
Confirms the agent has a declared execution mode and timeout.
Without this, KeyRunner cannot determine how long to wait for a call to complete or how to handle timeouts.
If this fails: update the execution contract from the Preflight fix action.
Governance contract
Confirms the agent has a declared lifecycle shape and approval gate strategy.
Without this, KeyRunner cannot enforce the correct behaviour if a call needs to be cancelled or compensated.
If this fails: update the governance contract from the Preflight fix action.
Fixing issues from Preflight
Most failures include a fix action you can take directly on the Preflight page. You do not need to navigate to the Agents, Tools, or Policies pages for common issues.
When all checks pass, Preflight confirms the agent is ready.
Preflight vs. Policy Playground
Preflight and the Policy Playground answer different questions:
| Preflight | Policy Playground | |
|---|---|---|
| Question it answers | Is this agent correctly set up? | Would this specific call be allowed or blocked? |
| What you provide | Select an agent | Agent + tool name + input arguments |
| What you get back | Pass/fail per governance check | The exact verdict for that specific call |
| When to use it | Before deploying an agent | When testing specific call patterns |
Use Preflight first to confirm the overall setup is correct. Then use the Playground to confirm specific calls produce the verdict you expect.