tool=database.querypayload_hash=9f31...tool=database.querypayload_hash=9f31...policy_sha=c8d1...decision=REQUIRE_APPROVALpolicy_sha=ae02...decision=DENY12 changed decisions0 new production allowsThe replay engine re-evaluates recorded execution requests against a selected policy.
It is built for incident review and policy change validation. It is not model simulation.
recorded ActionEvent + policy file -> replay verdict + decision diffRecorded request:
actor: finance-agent
capability: payments.transfer.production
payload: {"amount": 5000, "destination": "unknown"}
Policy v1:
amount_gt: 1000 -> require_approval
Policy v2:
unknown_destination -> deny
Replay result:
REQUIRE_APPROVAL -> DENY| Output | Use |
|---|---|
| Decision diff | See which historical calls change behavior. |
| Matched rule | Explain why a decision happened. |
| Payload hash | Tie replay output back to audit evidence. |
| Policy hash | Prove which policy was evaluated. |
Given the same recorded event and the same policy, evaluation should produce the same decision.
Replay does not reconstruct hidden model reasoning. It re-runs policy against recorded execution context.
Replay cannot recover fields the adapter failed to record.
Replay also cannot prove that the downstream system executed correctly after an allow decision. It proves the authorization decision for the request CapFence saw.