The [masterfiles policy framework][Masterfiles Policy Framework] defaults to using cf_promises_validated as a simple gating mechanism for policy updates. This gating mechanism helps in avoiding the distribution of broken policy to clients as well as reducing the burden on the policy server during times policy is not changing.

The $(sys.masterdir)/cf_promises_validated is created by cf-agent or any other CFEngine component after new policy in $(sys.inputdir) has been validated.

By default (in the masterfiles policy framework) non policy servers only trigger a fully policy scan when $(sys.inputdir)/cf_promises_validated is repaired.

By default (in the masterfiles policy framework) policy servers always pull all policy changes to $(sys.inputdir). If the policy successfully validates then $(sys.masterdir)/cf_promises_validated is updated, and remote agents will update their policy when they notice that change. If the policy does not validate $(sys.masterdir)/cf_promises_validated is not updated, and remote clients will see no need to scan for updates.

Note: Dynamic inputs could mean different validation results on different hosts. Be conscious of different perspectives when validating policy.