Policy Decision Contract (Shadow Mode v1)¶

Status: Active baseline Last updated: 2026-05-28

This document defines the baseline policy decision contract used to introduce external policy decision points safely, without changing current runtime safety behavior.

Scope¶

Shadow mode v1 covers pre-execution policy decisions for:

trust_level checks
requires_confirmation checks

Gate execution behavior (mandatory_pre_gates, mandatory_post_gates) remains runtime-owned in this stage and is out of scope for external parity.

Contract Goals¶

Keep current runtime safety enforcement authoritative.
Evaluate optional external policy decisions in parallel.
Detect divergences before any enforcement handoff.

Decision Input¶

Decision payload fields:

capability_id
step_id
safety (capability safety block)
context_trust_level
confirmed_capabilities
context_tenant_id (optional)
target_tenant_id (optional)

Decision Output¶

Decision result fields:

status: allow|block|require_human
reason: optional string

Shadow Mode Rules¶

Internal baseline decision remains source of truth.
External adapter decision is evaluated and compared, never enforced in v1.
Any mismatch is surfaced as verification failure for operator review.

same_tenant baseline rule:

If allowed_targets contains same_tenant, runtime requires a non-empty context_tenant_id.
If target_tenant_id is present and differs from context_tenant_id, policy blocks execution.
Current operational capability adoption baseline: decision.task.delegate, web.request.send, email.message.send, message.notification.send, agent.plan.execute.
Channel consistency probes validate tenant propagation across http-async, http-resume, and http-replay execution paths.
Transport consistency probes validate tenant sourcing across HTTP auth/body resolution and MCP skill.execute invocation.

Runtime Operating Modes¶

The runtime supports three policy externalization modes:

off (default): external adapter not used.
shadow: compare external decision vs internal baseline, internal remains authoritative.
enforce: enforce external decision for pre-checks (trust_level, requires_confirmation) with internal fallback behavior controlled by fail-open/fail-closed.

Environment controls:

AGENT_SKILLS_POLICY_EXTERNAL_MODE=off|shadow|enforce
AGENT_SKILLS_POLICY_EXTERNAL_FAIL_OPEN=true|false
AGENT_SKILLS_POLICY_EXTERNAL_ADAPTER=none|mirror|opa
AGENT_SKILLS_POLICY_OPA_URL=http://<opa-host>/v1/data/orca/policy/pre
AGENT_SKILLS_POLICY_OPA_TIMEOUT_SECONDS=<float>

Fail-open behavior:

If external adapter is unavailable and fail-open is enabled, runtime falls back to internal baseline checks.
If fail-open is disabled, external adapter errors become runtime policy execution failures.

Suggested Rollout Profile¶

Dev: MODE=shadow, ADAPTER=mirror or ADAPTER=opa, FAIL_OPEN=true
Staging: MODE=shadow, ADAPTER=opa, FAIL_OPEN=true
Production initial: MODE=enforce, ADAPTER=opa, FAIL_OPEN=true
Production hardened: MODE=enforce, ADAPTER=opa, FAIL_OPEN=false

Verification¶

Run:

python tooling/verify_policy_shadow_mode.py --report-file artifacts/policy_shadow_report.json

Tenant isolation matrix:

python tooling/verify_tenant_isolation_matrix.py --report-file artifacts/tenant_isolation_matrix_report.json

OPA policy bundle lifecycle:

python tooling/verify_policy_bundle_lifecycle.py --bundle-root policies/opa --report-file artifacts/policy_bundle_lifecycle_report.json

Report:

status
summary.total/matched/mismatched/match_ratio
comparisons[]
mismatches[]

Tenant matrix report:

status
summary.total/passed/failed/pass_ratio
by_surface (runtime_identity, runtime_persistence, runtime_policy, channel_tenancy, transport_tenancy, registry_vocabulary, registry_capabilities)
checks[]

Policy bundle lifecycle report:

status
summary.total/passed/failed/pass_ratio
bundle_root
checks[]
contract (opa_policy_bundle_lifecycle_v2)

Out of Scope (v1)¶

OPA runtime decision enforcement cutover.
Replacing in-runtime safety gates.
Tenant-scoped policy-bundle governance with explicit environment promotion controls.