AI Safety Gate — Action & Policy Input Specification (Prepare Safety Input Contract)

This document is the **authoritative, zero-ambiguity contract** for what a customer must send to the **Prepare Safety Input** step, implemented as POST /api/validate.

It is derived from the repository’s **actual enforcement code**, primarily:

• src/app/api/validate/route.ts (request validation + enforcement behavior)
• src/lib/asg-validate-schema.ts (ASG_VALIDATE_BODY_SCHEMA, ASG_VALIDATE_CONTEXT_SCHEMA)
• src/lib/public-action-catalog.ts (PUBLIC_ACTION_CATALOG allowed action_kind/action_type)
• src/lib/managed-policy-catalog.ts (Managed Policy catalog + required context evidence)

---

0) Terminology & What “Prepare Safety Input” Means

**Prepare Safety Input** is the act of constructing the request body for:

POST https://aisafegate.com/api/validate

You send:

• **ai_output**: the AI output you are about to execute (or use to execute)
• **context**: metadata describing the intended real-world action + the evidence needed for deterministic enforcement

The Safety Gate returns a **decision**:

• PASS → execution is allowed
• WARN → execution is paused pending approval
• BLOCK → execution is denied

---

1) Global Base Schema (Mandatory)

1.1 Endpoint

#### Request

POST /api/validate

#### Authentication

Header:

• Authorization: Bearer <API_KEY>

#### Content-Type

• Content-Type: application/json

---

1.2 Base JSON Body (as implemented)

The authoritative request schema is defined in Zod (ASG_VALIDATE_BODY_SCHEMA and ASG_VALIDATE_CONTEXT_SCHEMA) and rendered as a live reference here:

/docs/schema-reference

Critical enforcement note (binding)

Even though context is technically optional in the request parser, **Managed enforcement will BLOCK if required context for a blocking policy is missing**, and **the validator will BLOCK if action_kind is unknown or action_type is invalid for that kind**.

Therefore:

• **action_kind is REQUIRED**.
• **action_type is REQUIRED and must be allowed for the given action_kind.**
• **Core context fields are REQUIRED for deterministic enforcement**.

---

1.3 Context Aliases (Supported Inputs)

The validator uses top-level action_kind and action_type.

The managed policy evaluator also mirrors these into the internal context bag as:

• context.actionKind
• context.actionType

---

2) Supported `action_kind` values (source of truth)

The list of supported action_kind values (and the allowed action_type values for each) is generated from PUBLIC_ACTION_CATALOG and rendered here:

/docs/action-reference

---

3) Policy → Action Contract (Managed Policies)

This section enumerates **every managed policy** in src/lib/managed-policy-catalog.ts.

Managed Policy Catalog Version:

• MANAGED_POLICY_VERSION = "v1.1.0-max"

Policy evaluation semantics:

• Policies are selected by action_kind.
• Missing requiredContext fields produce WARN/BLOCK depending on policy severity.
• Thresholds are evaluated using amount_usd, recipient_count, maxRecords ?? records_count ?? blast_radius_estimate, and velocity fields.

---

4) Full Spec

The full spec content is maintained here to preserve audit-grade detail.

(For user-friendly guidance, use /docs/quickstart, /docs/action-guides, and /docs/errors-and-fixes.)