AGT Response Decision Record

This record resolves the PRD open decisions for immediate execution.

| ID | Decision | Resolution |
|---|---|---|
| OD-1 | OSS posture for control-plane core | Extract policy evaluation into meshguard-engine under Apache 2.0. Keep multi-tenant orchestration, storage, identity, audit storage, billing, and console proprietary. |
| OD-2 | Adopt SPIFFE for agent identity | Adopt SPIFFE/SPIRE as a first-class mode alongside JWT. JWT remains the default for compatibility. |
| OD-3 | Hosted free tier for AGT integration | Ship a free tier for AGT policy and audit. Fleet ops, RBAC, SSO, retention, SIEM, federation, and dedicated deployments are paid. |
| OD-4 | Cedar and Rego policy languages | Support Cedar and Rego as additional policy inputs. AGT-compatible YAML is another first-class format for teams that want AGT interop. |
| OD-5 | Trillian vs in-house Merkle structure | Use Trillian for Merkle tree structure where deployable. Keep ingestion, batching, retention, witness anchoring, and export workflows in MeshGuard. |

Immediate Scope
- Add AGT as a first-class in-process PEP path alongside existing MeshGuard SDKs, sidecars, proxy, and framework integrations.
- Publish the stable PDP contract and HTTP fallback.
- Keep public SDKs active and document how each path works with the shared MeshGuard control plane.
- Prioritize control-plane hardening, audit integrity, identity, policy-as-code, and operator console work while expanding SDK and AGT interoperability.
