Capstone: Assemble the AI Security Fabric
Overview
The Architect capstone. Every earlier course taught one product in isolation.
This one wires them into a single pipeline and asks you to reason about the
whole system: Zift scans an application and extracts its embedded authorization
into Rego, Writ governs that policy from Git (signs it, promotes it, keeps
decision logs with replay), the PDP (OPA or Enterprise OPA) evaluates it at the
PEP, Herald exposes the same authorization query over MCP and federates the
context that fills input, and decision logs plus field masking close the loop
back to audit and replay. Verdict, coming soon, adds a human-in-the-loop
approval step on top. The lab is one runnable policy that stands in for the
whole fabric: the artifact Zift produced, Writ governs, the PDP evaluates,
Herald fronts, and the log pipeline masks.
Who this is for
Architects and senior platform or security engineers who have completed the
product courses and now need to design the end-to-end flow. The prerequisites
are assumed and used directly: Assess with Zift
for how embedded authorization becomes Rego, Govern with
Writ for signed bundles, promotion, and replay,
and Evaluate with Herald for the MCP query
surface and federated context. You should be fluent in Rego (default deny,
incremental allow if rules, the in operator, opa test) from OPA & EOPA
Fundamentals; the lab has you author the
policy the whole fabric enforces.
Outcomes
By the end of this course you will be able to:
- Trace one authorization decision through the full fabric, naming what Zift, Writ, the PDP, and Herald each contribute and, precisely, what each is not.
- Explain the hand-offs between products: extraction to Git, Git to signed bundle, bundle to PDP, PDP to MCP query, and decision to masked log.
- Read the extracted-then-governed policy the fabric enforces and predict its allow and deny decisions, including the role, ownership, and restricted paths.
- Configure decision-log masking so sensitive fields never enter the audit trail while the evidence an auditor and a Writ replay need survives.
- Place Verdict (coming soon) correctly as the human-in-the-loop approval layer, without overstating what ships today.
Lessons
- The whole pipeline: four products, one decision
- The hand-offs: extract, govern, evaluate, expose
- Closing the loop: decision logs, masking, and replay
- Where Verdict fits and how to reason about the whole system
Hands-on lab
This course includes a capstone lab in lab/. One policy.rego
represents the extracted-then-governed policy the fabric enforces for a
customer-records service: the role map Zift extracted, the ownership guard it
pulled from an inline check, and a restricted-record path gated by the ITSM
signal Herald federates. A companion mask.rego keeps the subject SSN and the
resource card number out of the decision log, and an opa-config.yaml shows the
wiring. The policy ships RED: role_permissions and the structured
decision are wired for you, but the three allow rules are stubbed behind a
# TODO(learner) block. You author them until the suite is green:
git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/capstone-four-product-fabric -v
Starter state: FAIL: 3/11 (the three allow tests fail; the four deny tests and
the four masking tests already pass). Target: PASS: 11/11. Keep iterating until opa test is green; the tests are the source of truth.
Certification
Counts toward the Architect track and is the culminating practical. Like the
other tracks, certification is machine-graded: the assessment engine hands you a
scenario spanning the fabric (an extraction to reason about, a policy to author,
and a masking requirement) and runs your policy against a hidden opa test
suite you never see, including allow, deny, and mask cases you must anticipate
rather than the ones in this lab. This lab is practice for that exam, not the exam itself. A short quiz accompanies the
practical.