refactor: remove OPA/Cedar/permit.io stubs from engine #176

Merged
intel352 merged 1 commit into main from refactor/remove-policy-stubs
Feb 26, 2026

@intel352

Summary

  • Removes stub OPA and Cedar policy engine backends from the engine (they had zero real implementation)
  • Removes permit.io RBAC provider stub (returned errors for everything)
  • Keeps PolicyEngine interface, PolicyDecision, mock backend, and all step.policy_* pipeline steps
  • OPA/Cedar backends will be reimplemented as external plugins (workflow-plugin-policy-opa, workflow-plugin-policy-cedar) consistent with the plugin architecture
  • Users selecting backend: opa or backend: cedar now get a clear error directing them to the external plugin

Files Changed

  • module/policy_engine.go — removed OPA/Cedar structs, updated Init() to return helpful errors
  • plugins/policy/plugin.go — removed OPA/Cedar module type registrations
  • cmd/wfctl/type_registry.go — removed OPA/Cedar from known module types
  • plugin/rbac/permit.go — deleted (stub that returned errors)
  • plugin/rbac/builtin_test.go — updated tests

Test plan

  • go build ./... passes
  • go vet ./... passes
  • go test ./module/... ./plugins/policy/... passes
  • CI pipeline (Test, Lint, Build, Validate)

🤖 Generated with Claude Code

These will be reimplemented as external plugins (workflow-plugin-policy-opa,
workflow-plugin-policy-cedar) consistent with the plugin architecture.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 26, 2026 21:31

Copilot AI left a comment

Pull request overview

This PR refactors the policy engine to remove stub implementations of OPA and Cedar backends that had no real functionality, along with the permit.io RBAC provider stub. These will be reimplemented as external plugins following the plugin architecture pattern.

Changes:

  • Removed non-functional OPA and Cedar policy backend stubs from the core engine
  • Removed permit.io RBAC provider stub that only returned errors
  • Updated error messages to direct users to external plugins for OPA/Cedar backends
  • Retained the mock policy backend and all policy pipeline steps for testing

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| module/policy_engine.go | Removed OPA/Cedar backend implementations and isTruthy helper; added clear error messages directing users to external plugins |
| plugins/policy/plugin.go | Removed policy.opa and policy.cedar module factories and schemas; updated documentation to reflect mock-only core support |
| cmd/wfctl/type_registry.go | Removed policy.opa and policy.cedar from known module types registry |
| plugin/rbac/permit.go | Deleted permit.io stub provider that returned errors for all operations |
| plugin/rbac/builtin_test.go | Removed permit.io stub tests; retained AWS IAM provider name check test |

m.engine = newOPAPolicyEngine(endpoint, allowStub)
slog.Warn("WARNING: using stub policy engine — all requests will be DENIED. Set allow_stub_backends: true in config to use stub backends for testing.",
"module", m.name, "backend", "opa", "allow_stub_backends", allowStub)
return fmt.Errorf("opa backend not built-in; use the workflow-plugin-policy-opa external plugin")
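
Review bot: the error returned on the last line drops the module context that the slog.Warn call above it carried ("module", m.name), so when Init fails the message does not say which configured module selected backend: opa. Suggest including it, for example fmt.Errorf("policy module %q: opa backend not built-in; use the workflow-plugin-policy-opa external plugin", m.name). Failing Init instead of installing an engine is the right direction for an authorization component; since the old warning told users to set allow_stub_backends, the config docs should also say whether that key still has any effect for this backend.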

Copilot AI Feb 26, 2026

The error message could be more actionable by including a brief instruction on how to use the external plugin. Consider: "opa backend not built-in; install and load the workflow-plugin-policy-opa external plugin, then use backend: 'mock' or configure the OPA module type from the plugin"

m.engine = newCedarPolicyEngine(allowStub)
slog.Warn("WARNING: using stub policy engine — all requests will be DENIED. Set allow_stub_backends: true in config to use stub backends for testing.",
"module", m.name, "backend", "cedar", "allow_stub_backends", allowStub)
return fmt.Errorf("cedar backend not built-in; use the workflow-plugin-policy-cedar external plugin")
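
Review bot: the fmt.Errorf call on the last line has no format verbs and repeats the opa branch's message with only the backend name changed, which leaves callers and tests matching on string text. Suggest a single package-level sentinel (a hypothetical name would be ErrBackendNotBuiltIn) wrapped with %w together with the backend and plugin name, so both branches share one code path and the updated tests can assert with errors.Is.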

Copilot AI Feb 26, 2026

The error message could be more actionable by including a brief instruction on how to use the external plugin. Consider: "cedar backend not built-in; install and load the workflow-plugin-policy-cedar external plugin, then use backend: 'mock' or configure the Cedar module type from the plugin"

Suggested change
return fmt.Errorf("cedar backend not built-in; use the workflow-plugin-policy-cedar external plugin")
return fmt.Errorf("cedar backend not built-in; install and load the workflow-plugin-policy-cedar external plugin, then use backend: 'mock' or configure the Cedar module type from the plugin")

@intel352 intel352 merged commit 7d0bf34 into main Feb 26, 2026
18 checks passed
@intel352 intel352 deleted the refactor/remove-policy-stubs branch February 26, 2026 21:39