sentryagent-idp/openspec/changes/phase-2-production-ready/specs/opa-policy/spec.md
SentryAgent.ai Developer 7593bfe1c1 chore: Phase 2 OpenSpec scoping — proposal, design, specs, tasks
8 workstreams scoped per OpenSpec standards:
1. HashiCorp Vault integration (secret management)
2. Python SDK (sentryagent-idp)
3. Go SDK (idp-sdk-go)
4. Java SDK (ai.sentryagent:idp-sdk)
5. OPA policy engine (dynamic ABAC, hot-reload Rego)
6. Web Dashboard UI (React 18 + TypeScript)
7. Prometheus + Grafana monitoring (7 metrics, pre-built dashboard)
8. Multi-region Terraform deployment (AWS + GCP)

Status: proposed — awaiting CEO dependency approvals (A0.1–A0.5)
before any implementation begins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 14:53:09 +00:00


Spec: OPA Policy Engine Integration

Status: Pending CEO approval
Workstream: 5 of 8

Scope

  • New OpaMiddleware replacing static scope check in auth.ts
  • @openpolicyagent/opa-wasm integration (embedded Wasm, no sidecar)
  • policies/authz.rego — main allow/deny policy
  • policies/data/scopes.json — scope to permission mapping
  • SIGHUP handler to hot-reload policies without restart
  • New env var: POLICY_DIR (default: ./policies)

Policy interface

input = {
  "method": "GET",
  "path": "/api/v1/agents",
  "scopes": ["agents:read"],
  "agentId": "uuid"
}

output = {
  "allow": true | false,
  "reason": "string"   // populated when allow=false
}

Acceptance Criteria

  • All existing scope checks replaced by OPA evaluation
  • Policy files hot-reloadable on SIGHUP (no restart required)
  • OPA Wasm loaded at startup — fail-fast if POLICY_DIR invalid
  • allow=false responses return 403 with reason in error body
  • Existing test suite passes unchanged (OPA evaluates same rules as before)
  • New unit tests for OPA middleware: allow/deny cases, missing scope, invalid input
  • POLICY_DIR env var documented in docs/devops/environment-variables.md
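The policy contract above and the middleware behaviour the acceptance criteria ask for, as an added TypeScript example that is not the project's own code. `PolicyInput` and `PolicyOutput` mirror the input/output shapes in the "Policy interface" section; `SCOPE_PERMISSIONS`, `ROUTE_PERMISSIONS` and `buildEvaluator` are constructed stand-ins for the compiled authz.rego and scopes.json (in the service the decision would come from `@openpolicyagent/opa-wasm`, which needs a compiled bundle and so is not used here); `OpaMiddleware`, `toPolicyInput`, `installHotReload` and `SignalSource` are hypothetical names chosen for this example.

```typescript
// Added example: the OPA policy contract from this spec as TypeScript types, an in-memory
// evaluator standing in for the Wasm-compiled authz.rego, and a framework-neutral middleware.
// Not the project's code; SCOPE_PERMISSIONS and ROUTE_PERMISSIONS are constructed data.

export interface PolicyInput {
  method: string;
  path: string;
  scopes: string[];
  agentId: string;
}

export interface PolicyOutput {
  allow: boolean;
  reason?: string; // populated when allow=false
}

export type PolicyEvaluator = (input: PolicyInput) => PolicyOutput;

// Constructed stand-in for policies/data/scopes.json: scope -> permissions.
export const SCOPE_PERMISSIONS: Record<string, string[]> = {
  "agents:read": ["agent.list", "agent.get"],
  "agents:write": ["agent.list", "agent.get", "agent.create", "agent.delete"],
};

// Constructed route table: the permission each (method, path prefix) requires.
export const ROUTE_PERMISSIONS: Array<{ method: string; prefix: string; permission: string }> = [
  { method: "GET", prefix: "/api/v1/agents", permission: "agent.list" },
  { method: "POST", prefix: "/api/v1/agents", permission: "agent.create" },
  { method: "DELETE", prefix: "/api/v1/agents/", permission: "agent.delete" },
];

// Builds an evaluator from a scope table. Default is deny: an unmapped route or a
// missing permission yields allow=false with a reason, never an exception.
export function buildEvaluator(scopeTable: Record<string, string[]>): PolicyEvaluator {
  return (input: PolicyInput): PolicyOutput => {
    const route = ROUTE_PERMISSIONS.find(
      (r) => r.method === input.method && input.path.startsWith(r.prefix),
    );
    if (!route) {
      return { allow: false, reason: `no policy rule for ${input.method} ${input.path}` };
    }
    const granted = new Set<string>();
    for (const scope of input.scopes) {
      for (const p of scopeTable[scope] ?? []) granted.add(p);
    }
    return granted.has(route.permission)
      ? { allow: true }
      : { allow: false, reason: `missing permission ${route.permission}` };
  };
}

// Framework-neutral request/response shapes so the example runs without Express.
export interface Req { method: string; path: string; auth?: { scopes?: unknown; agentId?: unknown } }
export interface Res { status: number; body: { error: string; reason: string } }

// Validates decoded token claims into a PolicyInput; malformed claims are a deny, not a crash.
export function toPolicyInput(req: Req): PolicyInput | null {
  const scopes = req.auth?.scopes;
  const agentId = req.auth?.agentId;
  if (!Array.isArray(scopes) || !scopes.every((s) => typeof s === "string")) return null;
  if (typeof agentId !== "string" || agentId.length === 0) return null;
  return { method: req.method, path: req.path, scopes: scopes as string[], agentId };
}

export class OpaMiddleware {
  private evaluate: PolicyEvaluator;
  public lastReloadError: unknown = null;

  constructor(evaluate: PolicyEvaluator) {
    this.evaluate = evaluate;
  }

  // Swaps in a new evaluator; a request reads this.evaluate once, so it sees one policy version.
  reload(evaluate: PolicyEvaluator): void {
    this.evaluate = evaluate;
  }

  // Returns a 403 with the policy reason in the error body on deny, or null to let the request proceed.
  handle(req: Req): Res | null {
    const input = toPolicyInput(req);
    if (input === null) return { status: 403, body: { error: "forbidden", reason: "invalid policy input" } };
    const decision = this.evaluate(input);
    if (decision.allow) return null;
    return { status: 403, body: { error: "forbidden", reason: decision.reason ?? "denied by policy" } };
  }
}

// Minimal signal source so the block does not depend on Node's process typings; pass `process` in the service.
export interface SignalSource { on(event: "SIGHUP", listener: () => void): unknown }

// Registers the SIGHUP hot-reload. A failing load keeps the previous policy and records the error.
export function installHotReload(mw: OpaMiddleware, src: SignalSource, loadPolicies: () => PolicyEvaluator): void {
  src.on("SIGHUP", () => {
    try {
      mw.reload(loadPolicies());
      mw.lastReloadError = null;
    } catch (err) {
      mw.lastReloadError = err;
    }
  });
}
```

In the service, `loadPolicies` would read `POLICY_DIR` and instantiate the Wasm policy; calling it once before constructing the middleware gives the fail-fast startup the criteria require, while the SIGHUP path deliberately keeps the last good evaluator when a reload throws, so a malformed policy file cannot leave the process running with no policy or an empty one. Malformed claims (a non-array `scopes`, a missing `agentId`) are rejected before evaluation, which covers the "invalid input" unit-test case with a 403 rather than an exception.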