Policy Configuration
OPA risk gating rules, app authorization policies, and tenant-level enforcement.
Agentic Risk Gating (OPA)
Score policy: weighted_sum
Auto-destructive threshold: 0.7
SLA policy: runs_24x7
| Condition | Approvals | Required Role |
|---|---|---|
| financial ≥ 0.7 | 2 | finance_manager |
| compliance ≥ 0.5 | 2 | compliance_officer |
| operational ≥ 0.5 | 1 | — |
| !rollback_capable | 1 | — |
| all low + rollback capable | 0 | — |
Source: aether-policies/aether-risk.rego · Package: aether.risk.gates
Application Authorization Policies
| Domain | OPA Package | Rules | Status |
|---|---|---|---|
| Presales Q&A | presales.authz | 4 | active |
| RFP Workbench | rfp.authz | 3 | active |
Served by aether-policy container (OPA 1.0.0, port 8181).
ITSM Domain Enforcement
Engine: In-process PolicyEnforcer (stateless, pure Python)
Method: Router-level tool allowlist checks per tenant config
Behavior:
- Checks
(role, tower, tool_name)against tenant'sActionAllowlist - Returns:
allowed,requires_approval,requires_dual_approval - No external OPA call — enforced in-process for latency