Policy and Security

10.1 Policy Engine Fundamentals

Component
Purpose
Tech Under the Hood

OPA Evaluator

Runs Rego policy snippets per request

Open Policy Agent v0.58 embedded

Policy Store

Versioned collection of rules (staged → active)

Git‑backed; change = PR

Decision Log

JSON entry of input, decision, latency

Pushed to Loki / CloudWatch

A policy receives input JSON:

{ "tool": "slack.post", "agent": "kb_responder", "user": "[email protected]", "payload_bytes": 2048, "region": "us‑east‑1" }

…and returns allow = true/false plus optional require_approval = true.

10.2 Creating & Editing Policies

  1. Org Settings → Policies → New Policy

  2. Choose Scope: Org‑wide, Namespace, or Agent‑specific.

  3. Pick Template or start blank.

  4. Test – paste a sample input; evaluator shows decision & latency.

  5. Stage → Approve → Activate (two‑person review recommended).

  6. Monitor – Decision log appears in Home → Policy Journal.

Pro Tip ✨ Keep rules atomic. One purpose per file; easier to audit & roll back.

10.3 Human‑in‑Loop Approval Flows

If require_approval = true, the call is paused and a message is sent to the Approvals Inbox (and Slack DM if configured). Approver sees:

  • Tool & parameters (channel, text)

  • Agent thought excerpt

  • Risk score (payload size, PII likelihood)

Actions:

Button
Effect

Approve

Tool call resumes; audit stamped approved_by field

Deny

Task fails with DeniedByPolicy error

Escalate

Re‑route to org owner for final decision

Approval SLAs are configurable (default 30 min). Expired requests auto‑deny.

10.4 Manifest Signing & Verification

Every MCP tool must ship a manifest.json. Aethera's signer CLI attaches:

  • sha256 hash of manifest content

  • Vendor X.509 cert

  • Timestamp & nonce

The Gateway validates signature, checks revocation list, and enforces version pinning. If a manifest changes, the old hash is retired but still runnable for 14 days (grace window) unless revoked for CVE.

bash

$ aethera sign-manifest mytool/manifest.json --cert vendor.pem Signed ✔ fingerprint: 8F:91:2A:…

10.5 Audit Lineage & Forensics

Every step in the chain is hashed:

H1 = SHA256(system_prompt) H2 = SHA256(H1 || user_prompt) H3 = SHA256(H2 || tool_call_payload)

Hashes plus metadata are stored for 7 years (configurable) in an append‑only ledger (AWS QLDB). Audit Explorer lets you replay a task: prompts, decisions, outputs, and exact model version.

10.6 Compliance & Data Residency

Standard
How Aethera Helps

SOC 2 Type II

Continuous control monitoring, yearly pen‑test

GDPR

Region pinning (eu‑west‑1 sandboxes), data deletion API

HIPAA

BAA on request; PHI classifiers auto‑redact logs

ISO / IEC 42001

AI management & risk documentation, model inventory

Data residency is enforced via policy (input.region). Agents created in eu‑west‑1 cannot call tools in us‑east‑1 unless explicitly allowed.

10.7 Best Practices & Recipes

Goal
Policy Snippet

Prevent production DB writes

allow { not input.tool == "postgres.exec" }

Limit Slack posts to #ops

allow { input.tool == "slack.post"; input.params.channel == "#ops" }

Block external HTTP during office hours

deny { input.tool == "http.get"; time.hour(now) >= 9; time.hour(now) <= 17 }

Auto‑require approval if PII detected

require_approval { input pii_score > 0.3 }

Checklist: Review rules monthly, rotate certs quarterly, test using Policy Simulator before major launches.

Last updated