# agt-policies
# Jurisdiction Router — maps customer/transaction country to applicable policy packs
#
# Purpose:
# A single source of truth for "which policies apply to this agent action?"
# Integrations query this file first, then evaluate only the returned packs.
# Eliminates unnecessary policy evaluations and makes multi-country agents safe.
#
# Two policy layers:
# 1. Universal agent safety controls — apply to ALL agents regardless of country
# (prompt_injection, pii_leakage, tool_permissions, human_approval, model_routing)
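# 2. Jurisdiction-specific regulatory packs — apply based on customer_country
#    and, when present, each entry of transaction_countries
#    (e.g. cbn, bvn_nin, ndpa, nfiu for NG; kdpa for KE; popia for ZA —
#    see jurisdiction_policies for the full mapping)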
#
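# Input schema expected:
#   {
#     "context": {
#       "customer_country": "NG",              # ISO 3166-1 alpha-2 (primary)
#       "transaction_countries": ["NG", "ZA"]  # optional — for cross-border transactions
#     }
#   }
# Country codes are matched exactly against the keys of jurisdiction_policies,
# which are upper-case. A code in any other form selects no regulatory pack.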
#
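# Callers query:
#   data.agt_policies.router.applicable_policies              → set of pack IDs
#   data.agt_policies.router.resolved_queries                 → set of OPA query paths to evaluate
#   data.agt_policies.router.is_supported_jurisdiction        → true when customer_country has a regulatory pack, undefined otherwise
#   data.agt_policies.router.unsupported_jurisdiction_warning → message when customer_country is present but has no regulatory pack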
package agt_policies.router
import rego.v1
# ── Universal agent safety packs ─────────────────────────────────
# Pack IDs in this set are returned for every query: the rule that copies them
# into applicable_policies places no condition on input, so no country value
# can remove them. Each ID needs a matching key in policy_queries.
universal_policies := {
    "human_approval",
    "model_routing",
    "pii_leakage",
    "prompt_injection",
    "tool_permissions",
}
# ── Jurisdiction → regulatory policy pack mapping ─────────────────
# Keys are upper-case ISO 3166-1 alpha-2 country codes; values are sets of pack IDs.
# To add a country, add an entry here and a query path for each of its pack IDs
# in policy_queries below.
# Lookups against this object are exact-match: a code that is not a key
# (for example one written in a different letter case) selects no regulatory pack.
jurisdiction_policies := {
    "NG": {"bvn_nin", "cbn", "ndpa", "nfiu"},
    "KE": {"kdpa"},
    "ZA": {"popia"},
    "UG": {"uganda_dppa"},
    "TZ": {"tanzania_pdpa"},
    "ET": {"ethiopia_pdp"},
    "GH": {"ghana_dpa"},
    "RW": {"rwanda_dpa"},
    "EG": {"egypt_pdpl"},
    "MU": {"mauritius_dpa"},
}
# ── Policy pack → OPA query path ─────────────────────────────────
# Authoritative mapping of pack ID → query path used by integrations.
# Every pack ID named in universal_policies or jurisdiction_policies needs a key
# here: resolved_queries looks paths up in this object, and an ID without a key
# produces no path.
policy_queries := {
    # Nigeria regulatory packs
    "cbn": "data.agt_policies_nigeria.cbn.decision",
    "bvn_nin": "data.agt_policies_nigeria.bvn_nin.decision",
    "ndpa": "data.agt_policies_nigeria.ndpa.decision",
    "nfiu": "data.agt_policies_nigeria.nfiu.decision",
    # Other jurisdiction packs
    "kdpa": "data.agt_policies_africa.kdpa.decision",
    "popia": "data.agt_policies_africa.popia.decision",
    "uganda_dppa": "data.agt_policies_africa.uganda_dppa.decision",
    "tanzania_pdpa": "data.agt_policies_africa.tanzania_pdpa.decision",
    "ethiopia_pdp": "data.agt_policies_africa.ethiopia_pdp.decision",
    "ghana_dpa": "data.agt_policies_africa.ghana_dpa.decision",
    "rwanda_dpa": "data.agt_policies_africa.rwanda_dpa.decision",
    "egypt_pdpl": "data.agt_policies_africa.egypt_pdpl.decision",
    "mauritius_dpa": "data.agt_policies_africa.mauritius_dpa.decision",
    # Universal agent safety packs
    "prompt_injection": "data.agt_policies_agent.prompt_injection.decision",
    "pii_leakage": "data.agt_policies_agent.pii_leakage.decision",
    "tool_permissions": "data.agt_policies_agent.tool_permissions.decision",
    "human_approval": "data.agt_policies_agent.human_approval.decision",
    "model_routing": "data.agt_policies_agent.model_routing.decision",
}
# ── applicable_policies ───────────────────────────────────────────
# Set of pack IDs that apply to the current input, built from three partial rules.
# A country code with no entry in jurisdiction_policies adds nothing, so for such
# input the result is the universal layer alone. Callers that must not proceed
# without a regulatory pack should also check is_supported_jurisdiction.

# Universal layer: added unconditionally for every agent action.
applicable_policies contains policy if {
    universal_policies[policy]
}

# Jurisdiction layer: packs registered for the customer's primary country.
applicable_policies contains policy if {
    primary_packs := jurisdiction_policies[input.context.customer_country]
    some policy in primary_packs
}

# Multi-jurisdiction: packs for every country listed on the transaction.
# Example: NG customer, data routed to ZA → NDPA + POPIA both apply.
# A listed country with no mapping contributes nothing and raises no warning.
applicable_policies contains policy if {
    some country in input.context.transaction_countries
    country_packs := jurisdiction_policies[country]
    some policy in country_packs
}
# ── resolved_queries ──────────────────────────────────────────────
# Query paths for every applicable pack, ready for the caller to run directly.
# Example: opa eval -d policies/rego/ -i input.json "data.agt_policies.router.resolved_queries"
# A pack ID that has no key in policy_queries yields no path and is left out
# without an error, so policy_queries must stay in step with the pack sets above.
resolved_queries contains query if {
    some pack, query in policy_queries
    pack in applicable_policies
}
# ── Jurisdiction support checks ───────────────────────────────────
# True when customer_country is a key of jurisdiction_policies. No default is
# declared here, so the rule is undefined (not false) in every other case,
# including a missing customer_country. Only the primary country is examined;
# transaction_countries is not consulted.
is_supported_jurisdiction if {
    country := input.context.customer_country
    country in object.keys(jurisdiction_policies)
}
# Advisory message produced when customer_country is present but has no entry
# in jurisdiction_policies. Undefined when the country is supported and also
# when customer_country is absent, so an undefined warning does not by itself
# show that a regulatory pack was selected.
unsupported_jurisdiction_warning := msg if {
    # Presence check kept as a bare expression: no message without a country value.
    input.context.customer_country
    not is_supported_jurisdiction
    msg := sprintf("No regulatory pack for jurisdiction '%v' — universal agent safety controls still apply.", [input.context.customer_country])
}