Policy Forking Runtime

Status

Implemented for OP-038R. Tenants can now read OneProtect-managed compliance policy baselines, fork a baseline into a tenant-managed policy, update forked policy metadata with optimistic version control, and read immutable version history.

What Was Implemented

  • Postgres/RLS migration for tenant policy forks and immutable tenant policy versions.
  • SQLite local runtime tables used by the FastAPI test path.
  • Baseline policy seeding from the existing SOC 2, HIPAA, and GLBA control catalog.
  • FastAPI policy list/detail, fork, update, and version-history endpoints.
  • Lifecycle event emission for compliance.policy.forked, compliance.policy.updated, and compliance.policy.version_created.
  • Audit records for reads, forks, updates, denied baseline edits, and optimistic version conflicts.
  • Compliance console read surface that distinguishes Managed by OneProtect from Managed by Tenant policies.

Validation

make validate-contracts
make typecheck-python
make lint
make test-sqlite
npm --prefix frontend test -- --run
make docs-build

Security / Tenant Isolation

OneProtect-managed baselines are global read-only reference rows. Tenant forks and version history carry tenant_id and are protected by Postgres RLS. Tenant admins and system admins can fork or update tenant-managed policies; operators and auditors receive read-only policy views. Version conflicts fail closed and create denied-action audit evidence.
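The fail-closed update path described above, as an added illustration that is not the project's own code: a SQLite stand-in (assumed table and column names) where a baseline edit or a foreign-tenant edit is denied with audit evidence, a stale version number produces a conflict rather than a silent overwrite, and each successful update appends a new immutable version row.

```python
import sqlite3

# Constructed in-memory stand-in for the policy tables this page describes;
# table and column names are assumptions, not the project's own schema.
SCHEMA = """
CREATE TABLE policies (id TEXT PRIMARY KEY, tenant_id TEXT, managed_by TEXT,
                       version INTEGER NOT NULL, metadata TEXT NOT NULL);
CREATE TABLE policy_versions (policy_id TEXT, version INTEGER, metadata TEXT,
                              PRIMARY KEY (policy_id, version));
CREATE TABLE audit_log (action TEXT, policy_id TEXT, tenant_id TEXT, outcome TEXT);
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # One OneProtect-managed baseline: global (no tenant_id) and read-only.
    conn.execute("INSERT INTO policies VALUES ('soc2-base', NULL, 'oneprotect', 1, 'SOC 2')")
    conn.execute("INSERT INTO policy_versions VALUES ('soc2-base', 1, 'SOC 2')")
    return conn

def audit(conn, action, policy_id, tenant_id, outcome):
    conn.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?)", (action, policy_id, tenant_id, outcome))

def fork_policy(conn, tenant_id, baseline_id, fork_id):
    # A fork copies the baseline into a tenant-managed policy at version 1.
    meta = conn.execute("SELECT metadata FROM policies WHERE id = ?", (baseline_id,)).fetchone()[0]
    conn.execute("INSERT INTO policies VALUES (?, ?, 'tenant', 1, ?)", (fork_id, tenant_id, meta))
    conn.execute("INSERT INTO policy_versions VALUES (?, 1, ?)", (fork_id, meta))
    audit(conn, "compliance.policy.forked", fork_id, tenant_id, "allowed")

def update_policy(conn, tenant_id, policy_id, expected_version, new_metadata):
    """Optimistic-version update that fails closed; returns the outcome."""
    row = conn.execute("SELECT tenant_id, managed_by FROM policies WHERE id = ?", (policy_id,)).fetchone()
    # Baseline rows are read-only; the tenant_id check stands in for Postgres RLS.
    if row is None or row[1] != "tenant" or row[0] != tenant_id:
        audit(conn, "compliance.policy.updated", policy_id, tenant_id, "denied_baseline_edit")
        return "denied"
    # The version predicate makes check-and-set a single statement, so a stale
    # writer updates zero rows instead of silently overwriting a newer version.
    cur = conn.execute(
        "UPDATE policies SET version = version + 1, metadata = ? "
        "WHERE id = ? AND tenant_id = ? AND version = ?",
        (new_metadata, policy_id, tenant_id, expected_version))
    if cur.rowcount != 1:
        audit(conn, "compliance.policy.updated", policy_id, tenant_id, "version_conflict")
        return "conflict"
    # Version history is append-only: a new row, never an edit of an old one.
    conn.execute("INSERT INTO policy_versions VALUES (?, ?, ?)", (policy_id, expected_version + 1, new_metadata))
    audit(conn, "compliance.policy.version_created", policy_id, tenant_id, "allowed")
    return "updated"
```

The role split on the page (tenant admins and system admins may write, operators and auditors read only) sits in front of this function in the API layer and is not modelled here.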

Known Limitations

  • No visual policy editor or diff view.
  • No approval workflow or bulk operations.
  • No deployment, CI, Terraform, Helm, or AWS changes.