Molecule OS
Endpoints

Resolve policy

Explain the compiled scope for a surface — the ACL tokens a key holds and the classifications it may see, without running a search.

POST/v1/policy/resolve

Returns the compiled scope for a key acting under a surface — without running a retrieval. Use it to debug "why can't this key see that document?" and to show callers exactly what they're allowed to touch. It is the human-readable form of the filter that /v1/retrieve ANDs into every query.

Request body

Prop

Type

Request
{ "surface": "agent_assist", "onBehalfOf": "5591" }

Response

Prop

Type

Response — internal agent acting for customer 5591
{
  "audience": "internal_agent",
  "namespace": "t_serviceagent",
  "aclTokens": ["public", "internal", "confidential", "subject:5591"],
  "product": "serviceagent",
  "allowedClassifications": ["public", "internal", "confidential"],
  "predicates": [
    { "field": "acl", "op": "anyof", "value": ["public", "internal", "confidential", "subject:5591"] }
  ],
  "decisionId": "dec_c40e…"
}

Compare an anonymous public key — it holds only ["public"], so the same document about customer 5591 is invisible to it:

Response — anonymous public key
{
  "audience": "end_customer",
  "namespace": "t_serviceagent",
  "aclTokens": ["public"],
  "product": "serviceagent",
  "allowedClassifications": ["public"],
  "predicates": [{ "field": "acl", "op": "anyof", "value": ["public"] }],
  "decisionId": "dec_c40f…"
}

Try it

POST http://localhost:8080/v1/policy/resolve

On this page