PGAR Runtime Playbooks
Implementation guides for Policy-Governed Agent Runtime. The insight explains why proposal is not permission. The PGAR Blueprint is the reference design. These playbooks are the how: contracts, enforcement, boundaries, side effects, and tests.
THE CLAIM
The LLM proposes. The PEP enforces. The PDP decides. Every side effect gates at the PEP before downstream runs. These playbooks show you how to build that path.
Four playbook groups
| Group | Overview | What you build |
|---|---|---|
| Foundation | Open → | SARAC contracts, token custody, PEP/PDP loop, step-up, audit replay |
| Assurance | Policy test scenarios | Golden authorization cases in CI, adversarial bypass tests |
| Boundary | Open → | Five trust boundaries from ingress through downstream |
| Domain | Tool registry | Tool manifests, lifecycle, RAG retrieval as governed actions |
Plus Further reading (external) for third-party PDP/PEP and OAuth patterns mapped to this series.
Recommended path
- Foundation (6 playbooks): policy contracts → token & session → PEP → PDP → step-up → audit
- Assurance (2 playbooks): scenario library and adversarial bypass set (start in parallel once PEP exists)
- Boundary (5 playbooks + overview): ingress, agentic app, LLM proposal, PEP + PDP, downstream
- Domain (3 playbooks): pick tools, manifests, and/or RAG for your agent surface
Bridge reading: PGAR with RAG. Eval overlap: Action plane · Tool plane.
All playbooks at a glance
Foundation playbooks
| Playbook | One-line purpose |
|---|---|
| Policy contracts | SARAC payload shapes the PDP evaluates |
| Token & session | Credentials stay out of the LLM boundary |
| PEP enforcement | Receive, ask PDP, audit, act on every proposal |
| PDP surfaces | ALLOW, DENY, STEP_UP rule authoring |
| Step-up & attestation | Re-eval after human approval |
| Audit & replay | Immutable verdict chain for examiners |
Assurance playbooks
| Playbook | One-line purpose |
|---|---|
| Policy test scenarios | Representative, edge, and incident replay cases in CI |
| Adversarial testing | Direct downstream bypass, injection, shadow tools |
Boundary playbooks
| # | Playbook | One-line purpose |
|---|---|---|
| ① | Ingress | Token validation and claims at the edge |
| ② | Agentic app | Orchestration, token custody, validation gates |
| ③ | LLM proposal | Tool schemas only; proposal not permission |
| ④ | PEP + PDP | Verdict before any side effect |
| ⑤ | Downstream | Re-auth, execute, return to app |
See Boundary overview for request flow and multi-agent patterns.
Domain playbooks
| Playbook | One-line purpose |
|---|---|
| Tool registry | Manifest contract, PEP gating per tool |
| Manifest lifecycle | Where manifests live, how they are versioned, and how they roll back |
| RAG retrieval | Retrieval as a governed tool and context pack |
Who should read what
| Role | Start with | Then |
|---|---|---|
| Security / IAM | Token & session, Ingress | PDP surfaces, Audit & replay |
| AI platform | PEP enforcement, Agentic app | Tool registry, Manifest lifecycle |
| Governance / compliance | Policy contracts, Audit & replay | Policy test scenarios |
| RAG / knowledge teams | RAG retrieval | PGAR with RAG, Boundary overview |