Pipeline Builder
The pipeline builder assembles steps from OPA policy decisions. It has no policy logic of its own; all configuration flows from OPA.
How it works
- OPA evaluates Rego policies for the agent/org
- Returns a JSON decision with step configurations
- Pipeline builder assembles steps in position order
- Runner executes them sequentially
Step registration
Steps are registered with the @register decorator:

```python
@register("detect_pii", position=200, category="data_protection", phase="before")
def detect_pii(ctx: PipelineContext, config: StepConfig) -> StepResult:
    ...
```

Position determines execution order. Steps in the same phase run in position order.
Configuration per step
Each step accepts:
- on_detection: block, redact, log, or continue
- threshold: Score threshold for ML-based steps (0.0–1.0)
- Custom fields specific to each step
Category schema
Steps are organized into categories:

| Category | Phase | Steps |
|---|---|---|
| access_control | before | validate_input, rate_limit, budget |
| data_protection | before | detect_pii, detect_secrets, detect_infra, etc. |
| threat_detection | before | detect_injection, detect_escalation, etc. |
| route_and_execute | call | call_llm, tool_permissions, scan_tool_calls, etc. |
| response_safety | after | scan_output, taint_check, shell_bleed, etc. |
| tracking | after | cost_tracking, loop_guard |
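
The assembly flow described on this page (registration, per-step configuration, ordering by phase and position), as an added example that is not the project's own code. The decision JSON shape, the stand-in `register`, the toy detectors, every position other than 200, the before/call/after phase order, and stopping at the first `block` are assumptions.

```python
import json
PHASES = ("before", "call", "after")  # assumed phase order, from the category table
ACTIONS = {"block", "redact", "log", "continue"}
REGISTRY = {}  # step name -> (position, phase, fn)

def register(name, position, category, phase):  # stand-in for the page's @register
    def wrap(fn):
        REGISTRY[name] = (position, phase, fn)
        return fn
    return wrap

@register("detect_pii", position=200, category="data_protection", phase="before")
def detect_pii(ctx, config):  # toy detector, not the real check
    return config["on_detection"] if "@" in ctx["prompt"] else "continue"

@register("validate_input", position=100, category="access_control", phase="before")
def validate_input(ctx, config):  # position constructed for the example
    return "continue" if ctx["prompt"].strip() else config["on_detection"]

@register("scan_output", position=100, category="response_safety", phase="after")
def scan_output(ctx, config):  # position constructed for the example
    return "continue"

def build_pipeline(decision_json):
    """Assemble steps from an OPA decision in (phase, position) order; reject bad config."""
    plan = []
    for name, config in json.loads(decision_json)["steps"].items():
        if name not in REGISTRY:
            raise ValueError(f"unregistered step in decision: {name}")
        if config.get("on_detection") not in ACTIONS:
            raise ValueError(f"{name}: invalid on_detection")
        if not 0.0 <= config.get("threshold", 0.0) <= 1.0:
            raise ValueError(f"{name}: threshold outside 0.0-1.0")
        position, phase, fn = REGISTRY[name]
        plan.append((PHASES.index(phase), position, name, fn, config))
    plan.sort(key=lambda s: s[:2])
    return [(name, fn, config) for _, _, name, fn, config in plan]

def run(plan, ctx):
    """Run steps sequentially; stopping at the first "block" is an assumption."""
    trace = []
    for name, fn, config in plan:
        trace.append((name, fn(ctx, config)))
        if trace[-1][1] == "block":
            break
    return trace

# Constructed decision; this JSON shape is an assumption, not the project's schema.
DECISION = ('{"steps": {"scan_output": {"on_detection": "redact"},'
            ' "detect_pii": {"on_detection": "block", "threshold": 0.8},'
            ' "validate_input": {"on_detection": "block"}}}')
```

The builder rejects a decision that names an unregistered step or an unknown `on_detection` value, so a malformed policy output cannot silently drop a check.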