feat: OPA/Rego and Cedar policy portability

Add pluggable policy backend support to both Agent OS and AgentMesh:

Agent OS (PolicyEvaluator):
- ExternalPolicyBackend protocol for pluggable backends
- OPABackend: remote OPA server, local opa CLI, built-in Rego evaluator
- CedarBackend: cedarpy bindings, cedar CLI, built-in permit/forbid parser
- load_rego() and load_cedar() convenience methods
- YAML rules checked first, then external backends in registration order
- Fail-closed on errors, audit entries include backend metadata

AgentMesh (PolicyEngine):
- CedarEvaluator mirroring existing OPAEvaluator pattern
- load_cedar() method on PolicyEngine
- Cedar evaluated after YAML and Rego, before defaults
- CedarDecision dataclass with evaluation_ms tracking

Both backends support three modes:
1. Embedded engine (cedarpy / opa CLI) - fastest
2. Remote server (OPA REST API)
3. Built-in fallback - zero external deps, common patterns only

Tests: 29 Agent OS + 21 AgentMesh = 50 new tests, all passing
Existing 39 policy tests unaffected

Also:
- Optional deps: pip install agent-governance-toolkit[cedar]
- README: OPA/Cedar usage examples
- Comparison doc: OPA/Cedar marked as shipped (was 'planned')

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

README.md

@@ -144,6 +144,56 @@ if (result.Allowed) { /* proceed */ }
 - **[Tutorial 5: Agent Reliability](docs/tutorials/05-agent-reliability.md)** — SLOs, error budgets, chaos testing
 - **[Tutorial 6: Execution Sandboxing](docs/tutorials/06-execution-sandboxing.md)** — Privilege rings and termination
 
+## OPA/Rego & Cedar Policy Support
+
+Bring your existing infrastructure policies to agent governance — no new policy DSL required.
+
+### OPA/Rego (Agent OS)
+
+```python
+from agent_os.policies import PolicyEvaluator
+
+evaluator = PolicyEvaluator()
+evaluator.load_rego(rego_content="""
+package agentos
+default allow = false
+allow { input.tool_name == "web_search" }
+allow { input.role == "admin" }
+""")
+
+decision = evaluator.evaluate({"tool_name": "web_search", "role": "analyst"})
+# decision.allowed == True
+```
+
+### Cedar (Agent OS)
+
+```python
+from agent_os.policies import PolicyEvaluator
+
+evaluator = PolicyEvaluator()
+evaluator.load_cedar(policy_content="""
+permit(principal, action == Action::"ReadData", resource);
+forbid(principal, action == Action::"DeleteFile", resource);
+""")
+
+decision = evaluator.evaluate({"tool_name": "read_data", "agent_id": "agent-1"})
+# decision.allowed == True
+```
+
+### AgentMesh OPA/Cedar
+
+```python
+from agentmesh.governance import PolicyEngine
+
+engine = PolicyEngine()
+engine.load_rego("policies/mesh.rego", package="agentmesh")
+engine.load_cedar(cedar_content='permit(principal, action == Action::"Analyze", resource);')
+
+decision = engine.evaluate("did:mesh:agent-1", {"tool_name": "analyze"})
+```
+
+Three evaluation modes per backend: **embedded engine** (cedarpy/opa CLI), **remote server**, or **built-in fallback** (zero external deps).
+
 ## SDKs & Packages
 
 ### Multi-Language SDKs

packages/agent-compliance/pyproject.toml

@@ -38,6 +38,8 @@ dependencies = [
 [project.optional-dependencies]
 runtime = ["agent-runtime>=2.0.0"]
 sre = ["agent-sre>=1.0.0"]
+opa = []
+cedar = ["cedarpy>=4.0.0"]
 full = [
     "agent-runtime>=2.0.0",
     "agent-sre>=1.0.0",

packages/agent-mesh/src/agentmesh/governance/__init__.py

@@ -25,6 +25,7 @@
 )
 from .shadow import ShadowMode, ShadowResult
 from .opa import OPAEvaluator, OPADecision, load_rego_into_engine
+from .cedar import CedarEvaluator, CedarDecision, load_cedar_into_engine
 from .trust_policy import (
     TrustPolicy,
     TrustRule,
@@ -64,6 +65,9 @@
     "OPAEvaluator",
     "OPADecision",
     "load_rego_into_engine",
+    "CedarEvaluator",
+    "CedarDecision",
+    "load_cedar_into_engine",
     "TrustPolicy",
     "TrustRule",
     "TrustCondition",