feat: add in-container OPA authz and gated write mode#6
Open
feat: add in-container OPA authz and gated write mode#6
Conversation
Auto-inject async SQLAlchemy drivers for bare postgresql/mysql/sqlite URLs so acc castledm dsn output works directly as DATABASE_URL. Add MySQL dialect/session handling and test coverage to preserve read-only enforcement across backends.
Keep the README provider-agnostic by removing the CastleDM DSN integration section while preserving the general DATABASE_URL behavior documentation.
Run OPA locally in the container and move authorization decisions to composed Rego policies so baseline constraints and ACL checks both gate access. This keeps enforcement fail-closed while preserving existing SQL safety semantics and tool contracts.
Introduce policy-governed INSERT/UPDATE/DELETE support behind explicit runtime gates and Rego write constraints to preserve deny-by-default behavior. Add coverage across validator, MCP interface, and Docker+OPA integration paths to harden authorization and fail-closed behavior.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
INSERT/UPDATE/DELETE) with parser-derived write facts, explicit config brakes, and Regowrite_constraintsguardrails.Test plan
python -m pytest -q tests/test_config.py tests/test_opa_policy.py tests/test_write_facts.py tests/test_mcp_interface.py tests/test_query_validator_security.py tests/test_mcp_stdio_security.pypython -m pytest -q -m "docker_integration and smoke" tests/integration/docker/test_mcp_docker_opa_matrix.py