Execution Plans and Local API: Safer Governance in Real Workflows
This release answered a blunt operator request: do not give us a faster delete button, give us a safer approval path and a way to automate around it.
Approval path
Execution plans before action
Operators can export a review artifact before any cleanup step enters the conversation.
Automation
Local API for scripted workflows
Teams that live in cron jobs and internal orchestration can trigger scans without giving up the local-first model.
Policy
Different thresholds by environment
Production and dev do not need to share the same definition of idle or risky.
One customer paused cleanup for three weeks after a near miss in production. Their message was simple: give us a safe approval path, not a faster delete button.
This release is the answer. Savings still matter, but trust and auditability come first when the team is touching live infrastructure.
Generate Plan: review before execution
The workflow now starts with a generated execution plan rather than pushing operators toward immediate action. That change is small in UI terms and large in operational terms.
- Scan: identify candidate waste across the connected providers.
- Plan: turn the result set into a read-only execution summary.
- Approve: export the report for sign-off before any destructive step is discussed.
That makes it easier to send a document titled something like Q1 cleanup plan through internal approval without asking reviewers to trust a transient screen state.
Local API: automation without changing the trust boundary
Enterprise operations are not run entirely by clicking through a GUI. The local API server gives teams a way to trigger scans and retrieve results from their own environment while keeping the product local-first. The hosted side does not become a new automation broker for customer infrastructure.
curl -X POST "http://127.0.0.1:9123/api/scan"
curl "http://127.0.0.1:9123/api/results"import requests
scan_response = requests.post("http://127.0.0.1:9123/api/scan", timeout=30)
print(scan_response.status_code)
results_response = requests.get("http://127.0.0.1:9123/api/results", timeout=30)
print(results_response.json())const scanResponse = await fetch("http://127.0.0.1:9123/api/scan", {
method: "POST",
});
console.log(scanResponse.status);
const resultsResponse = await fetch("http://127.0.0.1:9123/api/results");
console.log(await resultsResponse.json());Policy separation by environment
One global idle threshold is rarely enough. A CPU level that looks safe for a dev sandbox can be unacceptable for a production background job. Provider-specific and environment-specific policies make the workflow more credible because the product stops pretending every account should behave the same way.
The practical effect is straightforward: stricter review in sandbox and dev, more conservative handling in production.
For the next maturity step, continue with Evolution of Control v1.16 and the broader rollout guardrails in Technical Whitepaper Part 4.
Walk through the safer approval flow
Save your first $1,000 before the next billing cycle.