[Bounty $8k] fix(runtime): fail closed when policy engine is unavailable (fixes #3592)#3593

Open
Karry2019web wants to merge 1 commit into
orchestration-agent:mainfrom
Karry2019web:fix/policy-fail-closed-3592

Conversation

@Karry2019web

Closes #3592

Summary

Add a PolicyEngine class that evaluates whether an operation should be allowed or denied. When the policy engine is unavailable (network failure, service down, etc.), all operations fail closed — denied by default — to maintain security posture.

Changes

  • New src/common/policy.py — PolicyEngine class with:
    • is_available() — cached health check against policy backend
    • evaluate(action, resource, context) — returns PolicyDecision.ALLOW, DENY, or ERROR
    • Fail-closed: when the engine is unreachable, returns DENY
  • Modified src/orchestrator/engine.py — OrchestrationEngine now:
    • Accepts an optional policy_engine parameter (defaults to a no-endpoint engine that allows everything)
    • Gated _execute_task through self.policy.evaluate() before any work begins
    • Policy deny triggers on_error hooks and returns immediately
  • New tests/test_policy.py — 7 tests covering:
    • Default allow when no endpoint configured
    • Fail-closed deny when engine is unavailable
    • Health check caching behavior
    • Integration with OrchestrationEngine

Acceptance Criteria

  • Tests cover denied execution and engine unavailability
  • The worker records one durable terminal outcome and does not leave orphaned work
  • Retry behavior is bounded (policy deny stops execution immediately)

Testing

pytest tests/test_policy.py -v

…chestration-agent#3592)

Add a PolicyEngine class that evaluates operation permissions with
fail-closed semantics: when the engine is unavailable, all operations
are denied rather than allowed through.

Changes:
- New src/common/policy.py with PolicyEngine class
- Modified src/orchestrator/engine.py to gate task execution through policy
- New tests/test_policy.py with unit and integration tests

The policy gate is placed in _execute_task before any work begins.
When the policy engine denies an operation or is unreachable, the
task is rejected with a RuntimeError and on_error hooks are called.
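A model of the fail-closed gate described above, written here as an added illustration rather than the PR's own code: the `backend` and `health_check` callables, the `health_ttl` cache window and the injectable `clock` are assumptions standing in for the remote policy service, and `gated_execute` plays the role of the `_execute_task` gate (anything other than ALLOW, including ERROR, rejects the task, raises RuntimeError and fires the on_error hooks).

```python
import time
from enum import Enum

class PolicyDecision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"

class PolicyEngine:
    """Hypothetical fail-closed policy client (not the PR's code). backend is a
    callable (action, resource, context) -> bool standing in for the remote
    service, None meaning no endpoint (allow all); health_check probes it."""
    def __init__(self, backend=None, health_check=None, health_ttl=5.0, clock=time.monotonic):
        self._backend, self._health_check = backend, health_check
        self._health_ttl, self._clock = health_ttl, clock
        self._cached = None  # (timestamp, healthy) from the last probe

    def is_available(self):
        if self._backend is None:
            return True  # nothing to reach
        now = self._clock()
        if self._cached is not None and now - self._cached[0] < self._health_ttl:
            return self._cached[1]  # reuse the cached probe within the TTL
        try:
            ok = bool(self._health_check())
        except Exception:
            ok = False  # a probe that raises counts as unavailable
        self._cached = (now, ok)
        return ok

    def evaluate(self, action, resource, context=None):
        if self._backend is None:
            return PolicyDecision.ALLOW
        if not self.is_available():
            return PolicyDecision.DENY  # fail closed: unreachable engine denies
        try:
            allowed = self._backend(action, resource, context or {})
        except Exception:
            return PolicyDecision.ERROR  # reachable, but the evaluation itself failed
        return PolicyDecision.ALLOW if allowed else PolicyDecision.DENY

def gated_execute(policy, task, on_error=()):
    # Stand-in for the _execute_task gate: only ALLOW lets the work run.
    decision = policy.evaluate(task["action"], task["resource"], task.get("context"))
    if decision is not PolicyDecision.ALLOW:
        err = RuntimeError(f"policy {decision.value}: {task['action']} on {task['resource']}")
        for hook in on_error:
            hook(err)  # on_error hooks see the rejection before it propagates
        raise err
    return task["run"]()
```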
