
feat: Policy conflict resolution with 4 declared strategies#97

Merged
imran-siddique merged 1 commit intomainfrom
fix/policy-conflict-resolution
Mar 7, 2026

Conversation

@imran-siddique (Member)

Summary

Closes #91 — Declares an explicit, documented, and testable conflict resolution model for the policy engine.

Problem

When multiple policies apply to the same agent action, the existing engine uses implicit priority-based first-match-wins with no declared precedence model. This is the hardest unsolved problem in every policy engine (XACML, OPA, Cedar) and was entirely undocumented.

Solution

New module: conflict_resolution.py

4 conflict resolution strategies:

| Strategy | Behavior | Use Case |
|---|---|---|
| DENY_OVERRIDES | Any deny wins, regardless of priority | Safety-critical (healthcare, finance) |
| ALLOW_OVERRIDES | Any allow wins, regardless of priority | Exception-based governance |
| PRIORITY_FIRST_MATCH | Highest priority rule wins (v1.0 default) | Backward compatibility |
| MOST_SPECIFIC_WINS | Agent > Tenant > Global scope | Multi-tenant deployments |

Policy scope field:

  • Added scope to Policy model: global, tenant, or agent
  • Drives MOST_SPECIFIC_WINS strategy; informational metadata for other strategies

Resolution trace:

  • Every resolution produces a human-readable trace for audit/debug
  • conflict_detected flag indicates when genuinely conflicting decisions existed

Breaking Changes

None. Default strategy is PRIORITY_FIRST_MATCH which preserves v1.0 behavior. The scope field defaults to global.

Tests

  • 25 new tests: All 4 strategies, edge cases, engine integration, YAML round-trip
  • 54 existing policy tests: All pass unchanged

- Add ConflictResolutionStrategy enum: DENY_OVERRIDES, ALLOW_OVERRIDES,
  PRIORITY_FIRST_MATCH, MOST_SPECIFIC_WINS
- Add PolicyScope enum: GLOBAL, TENANT, AGENT with specificity ranking
- Add PolicyConflictResolver with resolution trace for auditability
- Add 'scope' field to Policy model (defaults to 'global')
- Wire conflict resolution into PolicyEngine.evaluate() — collects ALL
  matching rules then resolves via configured strategy
- Default strategy is PRIORITY_FIRST_MATCH (backward compatible with v1.0)
- 25 tests covering all 4 strategies, edge cases, and engine integration
- 54 existing policy tests continue to pass (Closes #91)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
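The four strategies, the agent > tenant > global specificity ranking, the resolution trace and the conflict_detected flag described in the PR body and commit message, as an added illustrative implementation that is not the PR's own conflict_resolution.py; the names Match, Resolution, resolve and SCOPE_RANK, the sample rules, and the tie-breaking rule for MOST_SPECIFIC_WINS (priority, then deny) are assumptions:

```python
from dataclasses import dataclass, field
from enum import Enum

class Strategy(Enum):
    DENY_OVERRIDES = "deny_overrides"
    ALLOW_OVERRIDES = "allow_overrides"
    PRIORITY_FIRST_MATCH = "priority_first_match"
    MOST_SPECIFIC_WINS = "most_specific_wins"

# Specificity ranking from the PR table: agent > tenant > global.
SCOPE_RANK = {"global": 0, "tenant": 1, "agent": 2}

@dataclass
class Match:            # one rule that matched the action (fields are illustrative)
    policy: str
    effect: str         # "allow" or "deny"
    priority: int       # higher wins under PRIORITY_FIRST_MATCH
    scope: str = "global"

@dataclass
class Resolution:
    effect: str
    conflict_detected: bool   # True only if both allow and deny rules matched
    trace: list = field(default_factory=list)

def resolve(matches, strategy, default="deny"):
    """Collapse every matching rule into one decision plus an audit trace."""
    if not matches:
        return Resolution(default, False, [f"no matching rules; default={default}"])
    conflict = len({m.effect for m in matches}) > 1
    trace = [f"{len(matches)} match(es) strategy={strategy.name} conflict={conflict}"]
    if strategy is Strategy.DENY_OVERRIDES:
        winner = next((m for m in matches if m.effect == "deny"), matches[0])
    elif strategy is Strategy.ALLOW_OVERRIDES:
        winner = next((m for m in matches if m.effect == "allow"), matches[0])
    elif strategy is Strategy.PRIORITY_FIRST_MATCH:
        winner = max(matches, key=lambda m: m.priority)
    else:  # MOST_SPECIFIC_WINS; ties broken by priority, then deny (assumption)
        winner = max(matches, key=lambda m: (SCOPE_RANK[m.scope], m.priority, m.effect == "deny"))
    trace.append(f"winner={winner.policy} effect={winner.effect} "
                 f"priority={winner.priority} scope={winner.scope}")
    return Resolution(winner.effect, conflict, trace)

# Constructed sample: three rules that all match one "export" action.
MATCHES = [
    Match("global-allow", "allow", priority=10, scope="global"),
    Match("tenant-deny-export", "deny", priority=5, scope="tenant"),
    Match("agent-allow-export", "allow", priority=1, scope="agent"),
]
```

Calling resolve(MATCHES, s) for each s in Strategy shows the same three rules yielding deny, allow, allow and allow respectively, with conflict_detected set every time, which is exactly the ambiguity the trace is meant to make auditable.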
@imran-siddique imran-siddique merged commit f99bc9c into main Mar 7, 2026
23 of 24 checks passed
@imran-siddique imran-siddique deleted the fix/policy-conflict-resolution branch March 7, 2026 22:40
@github-actions github-actions bot added tests agent-mesh agent-mesh package labels Mar 7, 2026
github-actions bot commented Mar 7, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


Development

Successfully merging this pull request may close these issues.

feat: declare and document explicit policy conflict resolution model
