diff --git a/src/agents/tool-policy.conformance.test.ts b/src/agents/tool-policy.conformance.test.ts
new file mode 100644
index 000000000..676a0b302
--- /dev/null
+++ b/src/agents/tool-policy.conformance.test.ts
@@ -0,0 +1,13 @@
+import { describe, expect, test } from "vitest";
+import { TOOL_POLICY_CONFORMANCE } from "./tool-policy.conformance.js";
+import { TOOL_GROUPS } from "./tool-policy.js";
+
+describe("TOOL_POLICY_CONFORMANCE", () => {
+  test("matches exported TOOL_GROUPS exactly", () => {
+    expect(TOOL_POLICY_CONFORMANCE.toolGroups).toEqual(TOOL_GROUPS);
+  });
+
+  test("is JSON-serializable", () => {
+    expect(() => JSON.stringify(TOOL_POLICY_CONFORMANCE)).not.toThrow();
+  });
+});
diff --git a/src/agents/tool-policy.conformance.ts b/src/agents/tool-policy.conformance.ts
new file mode 100644
index 000000000..f26e83f5d
--- /dev/null
+++ b/src/agents/tool-policy.conformance.ts
@@ -0,0 +1,17 @@
+/**
+ * Conformance snapshot for tool policy.
+ *
+ * Security note:
+ * - This is static, build-time information (no runtime I/O, no network exposure).
+ * - Intended for CI/tools to detect drift between the implementation policy and
+ *   the formal models/extractors.
+ */
+
+import { TOOL_GROUPS } from "./tool-policy.js";
+
+// Tool name aliases are intentionally not exported from tool-policy today.
+// Keep the conformance snapshot focused on exported policy constants.
+
+export const TOOL_POLICY_CONFORMANCE = {
+  toolGroups: TOOL_GROUPS,
+} as const;