PRD-GOVERN-001: Policy Governance and Access Control

Type

Functional

Priority

Critical

MVP Status

✅ MVP (Walking Skeleton Cycle S1C)

Requirement Statement (EARS Format)

When a user requests access to a policy, the system shall evaluate governance rules and grant/deny access based on OPA policy decisions.

User Story

As a policy administrator, I want all policy access to be governed by declarative rules, so that only authorized users can query sensitive governance policies.

Acceptance Criteria

AC-001.1: Evaluate OPA Policy

• Given an access request with user context
• When the governance service evaluates it
• Then OPA shall return allow/deny decision based on Rego rules

AC-001.2: Enforce Access Control

• Given a query request to the memory service
• When the governance check is performed
• Then unauthorized requests shall be rejected with 403 Forbidden

AC-001.3: Audit All Decisions

• Given any policy decision (allow or deny)
• When the decision is made
• Then an audit log entry shall be written with timestamp, user, resource, decision

AC-001.4: Decision Performance

• Given a simple policy rule
• When OPA evaluates it
• Then the decision shall complete in <5ms (p95)

AC-001.5: Policy Reload

• Given updated Rego policy files
• When they are saved to the policies directory
• Then OPA shall reload policies without service restart

AC-001.6: Default Deny

• Given no explicit allow policy
• When an access request is made
• Then the decision shall be deny (fail-safe default)

Dependencies

• Open Policy Agent (OPA) binary or library
• Rego policy files
• Structured logging framework

Related Specifications

• ADRs: ADR-008 (Policy Governance), ADR-006 (Ingest), ADR-007 (Memory)
• SDS: SDS-GOVERN-010 (Governance Service)
• Plan: P001-SKELETON (Walking Skeleton)

Success Metrics

• Decision Latency: <5ms for simple policies (p95)
• Audit Coverage: 100% of decisions logged
• Policy Reload: <100ms to reload updated policies
• Deny Rate: Track unauthorized access attempts

Non-Functional Requirements

• NFR-001.1: Fail-safe (default deny when uncertain)
• NFR-001.2: Auditable (structured logs, tamper-evident)
• NFR-001.3: Declarative (Rego policy-as-code, version control)
• NFR-001.4: Observable (emit decision metrics via OpenTelemetry)

Out of Scope (for MVP)

• External policy repositories (Git sync)
• Fine-grained attribute-based policies (ABAC)
• Policy testing framework
• Policy versioning and rollback
• Distributed policy enforcement (multi-region)

Next Steps:

• Design SDS-GOVERN-010
• Implement Cycle S1C vertical slice
• Write integration tests per acceptance criteria