vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
389a764e8da3647b1c9a3c81e64d80b7c3cfb3e1
sentryagent-idp/openspec/specs/opa-policy/spec.md
SentryAgent.ai Developer d42c653eea chore(openspec): archive engineering-docs and phase-2-production-ready changes 
- engineering-docs → archive/2026-03-29-engineering-docs (63/63 tasks complete)
- phase-2-production-ready → archive/2026-03-29-phase-2-production-ready (89/89 tasks complete)
- openspec/specs/ synced with all Phase 1 + Phase 2 + engineering-docs capabilities (22 specs total)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 12:41:53 +00:00

1.2 KiB
Raw Blame History

Spec: OPA Policy Engine Integration

Status: Pending CEO approval Workstream: 5 of 8

Scope

  • New OpaMiddleware replacing static scope check in auth.ts
  • @openpolicyagent/opa-wasm integration (embedded Wasm, no sidecar)
  • policies/authz.rego — main allow/deny policy
  • policies/data/scopes.json — scope to permission mapping
  • SIGHUP handler to hot-reload policies without restart
  • New env var: POLICY_DIR (default: ./policies)

Policy interface

input = {
  "method": "GET",
  "path": "/api/v1/agents",
  "scopes": ["agents:read"],
  "agentId": "uuid"
}

output = {
  "allow": true | false,
  "reason": "string"   // populated when allow=false
}

Acceptance Criteria

  • All existing scope checks replaced by OPA evaluation
  • Policy files hot-reloadable on SIGHUP (no restart required)
  • OPA Wasm loaded at startup — fail-fast if POLICY_DIR invalid
  • allow=false responses return 403 with reason in error body
  • Existing test suite passes unchanged (OPA evaluates same rules as before)
  • New unit tests for OPA middleware: allow/deny cases, missing scope, invalid input
  • POLICY_DIR env var documented in docs/devops/environment-variables.md
Reference in New Issue View Git Blame Copy Permalink