Migrating From AGT Local Policies
This guide moves an AGT-governed agent from local YAML evaluation to MeshGuard-managed policy decisions without rewriting the agent.
1. Preserve The AGT Policy File
MeshGuard accepts AGT-compatible YAML as the first-class policy format:
```yaml
apiVersion: governance.toolkit/v1
kind: Policy
metadata:
  name: support-agent-prod
spec:
  defaultEffect: deny
  rules:
    - effect: allow
      actions:
        - read:ticket
        - write:ticket_note
    - effect: deny
      actions:
        - admin:*
```

MeshGuard-specific extensions must be namespaced under meshguard.app/v1.
2. Add The MeshGuard Adapter
```bash
pip install meshguard-agt
```

```python
import os

from meshguard_agt import configure_agt_with_meshguard

# The agent token is read from the environment so it stays out of source control.
kernel = configure_agt_with_meshguard(
    gateway_url="https://gateway.meshguard.app",
    tenant_id="acme-corp",
    agent_token=os.environ["MESHGUARD_AGENT_TOKEN"],
)
```

3. Lift The Policy
```bash
meshguard policy lint policies/support-agent.yaml
meshguard policy lift policies/support-agent.yaml --tenant acme-corp
meshguard policy plan
meshguard policy apply
```

4. Dry-Run Against History
Before production promotion, replay the policy against historical decisions:
```bash
meshguard policy test --against last-7d
meshguard policy diff current staged
```

5. Canary The Rollout
```bash
meshguard policy apply --canary 10 --rollback-on "denial_rate > 0.05 for 10m"
```

6. Lock Local Evaluation To Break-Glass
After the remote PDP is stable, keep local YAML evaluation only as a signed last-known-good fallback for sidecars and disconnected environments.
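What the replay in step 4 and the rollback threshold in step 5 measure, as an added local example that is not MeshGuard or AGT code. It assumes explicit deny wins over allow and that action patterns are globs; the staged revision, the history, and the function names `evaluate` and `replay` are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Rules copied from the support-agent-prod policy in step 1.
CURRENT = {"defaultEffect": "deny", "rules": [
    {"effect": "allow", "actions": ["read:ticket", "write:ticket_note"]},
    {"effect": "deny", "actions": ["admin:*"]},
]}
# Constructed staged revision: it no longer allows write:ticket_note.
STAGED = {"defaultEffect": "deny", "rules": [
    {"effect": "allow", "actions": ["read:ticket"]},
    {"effect": "deny", "actions": ["admin:*"]},
]}
# Constructed history of 20 requested actions (not real MeshGuard log data).
HISTORY = ["read:ticket"] * 17 + ["write:ticket_note"] * 2 + ["admin:rotate_keys"]


def evaluate(policy, action):
    """Assumed semantics: explicit deny wins, then allow, then defaultEffect."""
    effects = {rule["effect"] for rule in policy["rules"]
               if any(fnmatchcase(action, pat) for pat in rule["actions"])}
    if "deny" in effects:
        return "deny"
    if "allow" in effects:
        return "allow"
    return policy["defaultEffect"]


def replay(current, staged, history, max_denial_rate=0.05):
    """Re-evaluate recorded actions and report what the staged policy changes."""
    flips, denied = [], 0
    for action in history:
        before, after = evaluate(current, action), evaluate(staged, action)
        denied += after == "deny"
        if before != after:
            flips.append((action, before, after))
    rate = denied / len(history) if history else 0.0
    # Same threshold as the step 5 rollback rule; the "for 10m" window is
    # not modelled because a replay has no wall-clock duration.
    return {"denied": denied, "denial_rate": rate, "flips": flips,
            "would_rollback": rate > max_denial_rate}


if __name__ == "__main__":
    report = replay(CURRENT, STAGED, HISTORY)
    print(f"denial rate {report['denial_rate']:.2f}, "
          f"rollback={report['would_rollback']}")
    for action, before, after in report["flips"]:
        print(f"{action}: {before} -> {after}")
```

The flipped decisions are the ones to review before promotion: each is a request the agent made in production that the staged policy would now refuse.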
