Policy and Security
10.1 Policy Engine Fundamentals
| Component | What it does | Notes |
|---|---|---|
| OPA Evaluator | Runs Rego policy snippets per request | Open Policy Agent v0.58 embedded |
| Policy Store | Versioned collection of rules (staged → active) | Git-backed; every change is a PR |
| Decision Log | JSON entry of input, decision, latency | Pushed to Loki / CloudWatch |
A policy receives input JSON:

```json
{ "tool": "slack.post", "agent": "kb_responder", "user": "[email protected]", "payload_bytes": 2048, "region": "us-east-1" }
```

…and returns allow = true/false, plus an optional require_approval = true.
10.2 Creating & Editing Policies
1. Org Settings → Policies → New Policy
2. Choose Scope: Org-wide, Namespace, or Agent-specific.
3. Pick a Template or start blank.
4. Test: paste a sample input; the evaluator shows the decision and latency.
5. Stage → Approve → Activate (two-person review recommended).
6. Monitor: the decision log appears in Home → Policy Journal.

Pro Tip ✨ Keep rules atomic: one purpose per file makes rules easier to audit and roll back.
10.3 Human‑in‑Loop Approval Flows
If require_approval = true, the call is paused and a message is sent to the Approvals Inbox (and a Slack DM if configured). The approver sees:

- Tool & parameters (channel, text)
- Agent thought excerpt
- Risk score (payload size, PII likelihood)

Actions:

| Action | Effect |
|---|---|
| Approve | Tool call resumes; the audit entry is stamped with an approved_by field |
| Deny | Task fails with a DeniedByPolicy error |
| Escalate | Re-routed to the org owner for final decision |

Approval SLAs are configurable (default 30 min). Expired requests auto-deny.
10.4 Manifest Signing & Verification
Every MCP tool must ship a manifest.json. Aethera's signer CLI attaches:

- sha256 hash of the manifest content
- Vendor X.509 cert
- Timestamp & nonce

The Gateway validates the signature, checks the revocation list, and enforces version pinning. If a manifest changes, the old hash is retired but remains runnable for 14 days (grace window) unless revoked for a CVE.

```bash
$ aethera sign-manifest mytool/manifest.json --cert vendor.pem
Signed ✔ fingerprint: 8F:91:2A:…
```
10.5 Audit Lineage & Forensics
Every step in the chain is hashed, each link folding in the previous digest:

```
H1 = SHA256(system_prompt)
H2 = SHA256(H1 || user_prompt)
H3 = SHA256(H2 || tool_call_payload)
```
Hashes plus metadata are stored for 7 years (configurable) in an append‑only ledger (AWS QLDB). Audit Explorer lets you replay a task: prompts, decisions, outputs, and exact model version.
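The chain above, as an added example in Python that is not Aethera's own code: it builds H1..H3 for a constructed task and then verifies a replayed task against the stored hashes, reporting which step was altered. It assumes that "||" means the previous digest's raw bytes followed by the UTF-8 bytes of the next artefact, and that tool payloads are hashed as canonical JSON; the page does not define either.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Assumption (not stated on the page): each link hashes the previous digest's
# raw bytes concatenated with the UTF-8 bytes of the next artefact.
def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_lineage(system_prompt: str, user_prompt: str, tool_call_payload: Dict) -> List[str]:
    """Return [H1, H2, H3] as hex:
    H1 = SHA256(system_prompt), H2 = SHA256(H1 || user_prompt), H3 = SHA256(H2 || payload)."""
    # Canonical JSON so a re-serialised payload hashes identically on replay.
    payload = json.dumps(tool_call_payload, sort_keys=True, separators=(",", ":")).encode()
    h1 = _sha256(system_prompt.encode())
    h2 = _sha256(h1 + user_prompt.encode())
    h3 = _sha256(h2 + payload)
    return [h1.hex(), h2.hex(), h3.hex()]

def verify_lineage(ledger: List[str], system_prompt: str, user_prompt: str,
                   tool_call_payload: Dict) -> Tuple[bool, Optional[int]]:
    """Recompute the chain from the replayed artefacts and compare it with the
    ledger entry. Returns (ok, index of the first disagreeing link or None).
    Because every link folds in the previous digest, a change at step N shows
    up at link N and every link after it, so the first mismatch pins the step."""
    fresh = build_lineage(system_prompt, user_prompt, tool_call_payload)
    if len(ledger) != len(fresh):
        return False, min(len(ledger), len(fresh))   # truncated or padded entry
    for i, (stored, recomputed) in enumerate(zip(ledger, fresh)):
        if stored != recomputed:
            return False, i
    return True, None

# Constructed sample task (not real data).
SYSTEM_PROMPT = "You are kb_responder. Only post to Slack via slack.post."
USER_PROMPT = "Summarise today's incident channel for #ops."
PAYLOAD = {"tool": "slack.post", "params": {"channel": "#ops", "text": "3 alerts, all resolved."}}
LEDGER = build_lineage(SYSTEM_PROMPT, USER_PROMPT, PAYLOAD)   # what the ledger would hold

if __name__ == "__main__":
    print("intact:", verify_lineage(LEDGER, SYSTEM_PROMPT, USER_PROMPT, PAYLOAD))
    edited = dict(PAYLOAD, params={"channel": "#general", "text": "3 alerts, all resolved."})
    print("edited payload:", verify_lineage(LEDGER, SYSTEM_PROMPT, USER_PROMPT, edited))
```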
10.6 Compliance & Data Residency
| Framework | Coverage |
|---|---|
| SOC 2 Type II | Continuous control monitoring, yearly pen-test |
| GDPR | Region pinning (eu-west-1 sandboxes), data deletion API |
| HIPAA | BAA on request; PHI classifiers auto-redact logs |
| ISO / IEC 42001 | AI management & risk documentation, model inventory |

Data residency is enforced via policy (input.region). Agents created in eu-west-1 cannot call tools in us-east-1 unless explicitly allowed.
10.7 Best Practices & Recipes
Prevent production DB writes

```rego
allow { not input.tool == "postgres.exec" }
```

Limit Slack posts to #ops

```rego
allow { input.tool == "slack.post"; input.params.channel == "#ops" }
```

Block external HTTP during office hours

```rego
deny {
  input.tool == "http.get"
  clock := time.clock(time.now_ns())   # [hour, minute, second] in UTC
  clock[0] >= 9
  clock[0] <= 17
}
```

Auto-require approval if PII detected

```rego
require_approval { input.pii_score > 0.3 }
```

Checklist: review rules monthly, rotate certs quarterly, and test with the Policy Simulator before major launches.