[Medium] OPA/Cedar policy portability - enterprise adoption blocker #232

@imran-siddique

Problem

Enterprises that have standardized on OPA for infrastructure policy or Cedar for AWS authorization will not adopt a new policy DSL for agents. It's a political and operational cost they won't take on.

Current State

OPA/Cedar portability is on the v1.2 roadmap. It should stay high priority.

Proposed Approach

Position the toolkit as a policy execution layer that accepts OPA Rego and Cedar policies natively, not as a competing policy language.

This reframes from 'another policy silo' to 'the runtime that executes your existing policies for agent actions.'

Implementation

  1. OPA Rego adapter — evaluate Rego policies against agent action context
  2. Cedar adapter — map agent permissions to Cedar authorization model
  3. Policy translation layer — common enforcement interface
  4. Documentation showing migration path from existing OPA/Cedar policies

Acceptance Criteria

  • OPA Rego policies can be used directly in agent-os policy engine
  • Cedar policies can be mapped to agent capability model
  • Migration guide for OPA and Cedar users
  • Integration tests with real OPA/Cedar policy sets

Priority

P2 — Important for enterprise adoption but requires design work. Target v1.2.
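One possible shape for the "common enforcement interface" with an OPA Rego adapter behind it, as an added example that is not code from this issue or from the toolkit. `AgentAction`, `Decision`, `PolicyBackend`, `OpaRegoBackend`, `enforce`, `fake_opa` and the rule path `agent/allow` are hypothetical names; the only real API assumed is OPA's Data API (`POST /v1/data/<path>` with an `input` document). It shows the behaviour an integration test would want to pin down: an undefined rule, a backend error or an empty backend list all deny.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Protocol

@dataclass(frozen=True)
class AgentAction:  # hypothetical action context, not the toolkit's own type
    agent_id: str
    tool: str
    resource: str
    attributes: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

class PolicyBackend(Protocol):  # hypothetical common enforcement interface
    def evaluate(self, action: AgentAction) -> Decision: ...

class OpaRegoBackend:
    """Sends the action as `input` to OPA's Data API: POST /v1/data/<rule path>."""
    def __init__(self, rule_path: str, transport: Callable[[str, str], str]):
        self.path = "/v1/data/" + rule_path.strip("/")
        self.transport = transport  # (url path, JSON body) -> JSON response body

    def evaluate(self, action: AgentAction) -> Decision:
        # Attributes stay nested so they cannot overwrite agent/tool/resource.
        body = json.dumps({"input": {"agent": action.agent_id, "tool": action.tool,
                                     "resource": action.resource,
                                     "attributes": action.attributes}})
        try:
            result = json.loads(self.transport(self.path, body)).get("result")
        except Exception as exc:  # unreachable server, malformed JSON: fail closed
            return Decision(False, f"backend error: {type(exc).__name__}")
        if result is True:  # only a literal boolean true allows
            return Decision(True, "allowed by Rego rule")
        # OPA omits "result" when the rule is undefined; that must not allow.
        return Decision(False, "rule undefined" if result is None else "denied by Rego rule")

def enforce(backends: list, action: AgentAction) -> Decision:
    """Every backend must allow; an empty backend list denies."""
    for backend in backends:
        decision = backend.evaluate(action)
        if not decision.allowed:
            return decision
    return Decision(bool(backends), "allowed by all backends" if backends else "no backend configured")

def fake_opa(path: str, body: str) -> str:
    """Constructed stand-in for an OPA server holding one rule at agent/allow."""
    if path != "/v1/data/agent/allow":
        return "{}"  # undefined document: no "result" key in the response
    doc = json.loads(body)["input"]
    return json.dumps({"result": doc["tool"] == "read_file" and doc["resource"].startswith("/data/")})
```

A Cedar adapter would implement the same `evaluate` method, so `enforce` stays unchanged when backends are mixed.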

Metadata

Labels: enhancement (New feature or request)
