Policies
Authoring, signing, and deploying OPA policy bundles across the fleet.
Last updated 18 Apr 2026
Policy on Operayde consists of Open Policy Agent (OPA) bundles that are signed by the central plane and enforced by every appliance.
Authoring
Policies live in .rego files. The portal gives you a simple editor, but
most customers keep policies in their own git and publish through our CLI:
operayde policy push \
  --tenant acme \
  --bundle ./policy \
  --message "Restrict code_exec tool to engineering rooms"

The command:
- Packages the bundle (all .rego files, plus a data.json if present).
- Signs the bundle with an Operayde-issued signing key.
- Publishes it to the config service.
- Pushes a manifest to every appliance on the tenant.
Shape
Every request flows into OPA with a common input document. Shown here as the JSON the gateway supplies as input (the id is elided):

{
  "tenant": "acme",
  "key": {"id": "...", "scopes": ["room:research", "model:instruct"]},
  "request": {"model": "operayde/instruct-13b", "path": "/v1/chat/completions"},
  "actor": {"user_id": "alice@acme.example", "roles": ["user"]}
}

A minimal rule over that document (the package must be operayde, because that is the path the gateway queries):

package operayde

import rego.v1

# Allow only keys scoped to the research room calling an instruct model.
allow if {
  input.key.scopes[_] == "room:research"
  startswith(input.request.model, "operayde/instruct")
}

The gateway evaluates data.operayde.allow. If it is not true, the request is denied with a policy-annotated 403.
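As an added example (not the Operayde-shipped bundle), a slightly fuller bundle built on the same input shape: a default-deny allow rule, a deny set that records why a request failed, and a unit test file you can run with opa test. The deny rule name and the test inputs are assumptions; the gateway only contracts on data.operayde.allow.

```rego
# --- policy/operayde.rego ---------------------------------------------
# Added example, not Operayde's own bundle. The gateway evaluates
# data.operayde.allow, so the package name must be "operayde".
package operayde

import rego.v1

# Deny unless no check below fires.
default allow := false

allow if count(deny) == 0

# Each failed check adds a reason; "deny" is an assumed name, useful when
# you annotate the 403 or inspect a rollout's denial spike.
deny contains "key lacks room:research scope" if {
	not "room:research" in input.key.scopes
}

deny contains msg if {
	not startswith(input.request.model, "operayde/instruct")
	msg := sprintf("model %q is outside the instruct family", [input.request.model])
}

# --- policy/operayde_test.rego  (run: opa test ./policy) --------------
package operayde_test

import rego.v1

import data.operayde

# Constructed input matching the shape documented above.
good := {
	"tenant": "acme",
	"key": {"id": "k-1", "scopes": ["room:research", "model:instruct"]},
	"request": {"model": "operayde/instruct-13b", "path": "/v1/chat/completions"},
	"actor": {"user_id": "alice@acme.example", "roles": ["user"]},
}

test_research_instruct_allowed if {
	operayde.allow with input as good
}

test_wrong_room_denied_with_reason if {
	bad := object.union(good, {"key": {"scopes": ["room:sales"]}})
	not operayde.allow with input as bad
	reasons := operayde.deny with input as bad
	"key lacks room:research scope" in reasons
}
```

Run the tests before operayde policy push so a rule that would deny all traffic is caught locally rather than by the 1% rollout stage.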
Rollout
Policy deploys roll across the fleet with exponential staging: 1%, 10%, 50%, 100%. If the rollout observes a denial-rate spike larger than 2× the prior baseline, it pauses and notifies you. You can override and continue from the portal, or roll back.