Skip to main content

Capstone: Assemble the AI Security Fabric

Overview

The Architect capstone. Every earlier course taught one product in isolation. This one wires them into a single pipeline and asks you to reason about the whole system: Zift scans an application and extracts its embedded authorization into Rego, Writ governs that policy from Git (signs it, promotes it, keeps decision logs with replay), the PDP (OPA or Enterprise OPA) evaluates it at the PEP, Herald exposes the same authorization query over MCP and federates the context that fills input, and decision logs plus field masking close the loop back to audit and replay. Verdict, coming soon, adds a human-in-the-loop approval step on top. The lab is one runnable policy that stands in for the whole fabric: the artifact Zift produced, Writ governs, the PDP evaluates, Herald fronts, and the log pipeline masks.

Who this is for

Architects and senior platform or security engineers who have completed the product courses and now need to design the end-to-end flow. The prerequisites are assumed and used directly: Assess with Zift for how embedded authorization becomes Rego, Govern with Writ for signed bundles, promotion, and replay, and Evaluate with Herald for the MCP query surface and federated context. You should be fluent in Rego (default deny, incremental allow if rules, the in operator, opa test) from OPA & EOPA Fundamentals; the lab has you author the policy the whole fabric enforces.

Outcomes

By the end of this course you will be able to:

  • Trace one authorization decision through the full fabric, naming what Zift, Writ, the PDP, and Herald each contribute and, precisely, what each is not.
  • Explain the hand-offs between products: extraction to Git, Git to signed bundle, bundle to PDP, PDP to MCP query, and decision to masked log.
  • Read the extracted-then-governed policy the fabric enforces and predict its allow and deny decisions, including the role, ownership, and restricted paths.
  • Configure decision-log masking so sensitive fields never enter the audit trail while the evidence an auditor and a Writ replay need survives.
  • Place Verdict (coming soon) correctly as the human-in-the-loop approval layer, without overstating what ships today.

Lessons

  1. The whole pipeline: four products, one decision
  2. The hand-offs: extract, govern, evaluate, expose
  3. Closing the loop: decision logs, masking, and replay
  4. Where Verdict fits and how to reason about the whole system

Hands-on lab

This course includes a capstone lab in lab/. One policy.rego represents the extracted-then-governed policy the fabric enforces for a customer-records service: the role map Zift extracted, the ownership guard it pulled from an inline check, and a restricted-record path gated by the ITSM signal Herald federates. A companion mask.rego keeps the subject SSN and the resource card number out of the decision log, and an opa-config.yaml shows the wiring. The policy ships RED: role_permissions and the structured decision are wired for you, but the three allow rules are stubbed behind a # TODO(learner) block. You author them until the suite is green:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/capstone-four-product-fabric -v

Starter state: FAIL: 3/11 (the three allow tests fail; the four deny tests and the four masking tests already pass). Target: PASS: 11/11. Keep iterating until opa test is green; the tests are the source of truth.

Certification

Counts toward the Architect track and is the culminating practical. Like the other tracks, certification is machine-graded: the assessment engine hands you a scenario spanning the fabric (an extraction to reason about, a policy to author, and a masking requirement) and runs your policy against a hidden opa test suite you never see, including allow, deny, and mask cases you must anticipate rather than the ones in this lab. This lab is practice for that exam, not the exam itself. A short quiz accompanies the practical.