# OPA configuration for agentd gateway
#
# Runs OPA as:
# 1. Envoy ext_authz gRPC server (port 9191)
# 2. Policy bundle server for agentd (port 8181)
# 3. Admin API for policy management
#
# Bundle is loaded via CLI argument: --bundle /bundles/agentd-bundle.tar.gz
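# Nesting restored: with every key at column 0 the two `console` keys collide
# at the top level and the ext_authz settings never reach the plugin.
#
# The REST/admin listener described in the file header is not configured in
# this file; it comes from the `opa run` command line. OPA serves that API
# without authentication unless --authentication and --authorization are set.
# NOTE(review): check the launch command and who can reach that port.

# Write every policy decision to stdout. For ext_authz the logged input is
# the Envoy check request, which normally carries the request headers, so
# credentials (Authorization, Cookie) can land in the log stream.
# NOTE(review): confirm the bundle provides a masking rule (OPA's default
# mask decision is system/log/mask) before these logs are shipped off-host.
decision_logs:
  console: true

# Write bundle and plugin status updates to stdout as well.
status:
  console: true

plugins:
  envoy_ext_authz_grpc:
    # No host part, so the gRPC listener binds on all interfaces. Nothing in
    # this file limits who may connect; presumably only Envoy should reach
    # it - confirm with the pod/network policy.
    addr: ":9191"
    # Use router policy that delegates to gateway or egress based on context
    path: agentd/authz
    # false = decisions are enforced. With true the plugin still evaluates
    # and logs decisions but lets every request through.
    dry-run: false
    # gRPC server reflection lets any client that can reach the port list
    # the exposed services. Handy for debugging; NOTE(review): consider
    # false outside development.
    enable-reflection: true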