feat(examples): add India regulatory policy pack (DPDP, CERT-In, RBI, SEBI, Aadhaar)

[Mayur021]

Description

Adds India to AGT's regulatory coverage, mirroring the African pack (#3077, #3110). India is one of the largest regulated AI-agent markets (fintech, banking, insurtech, public sector) and had no coverage yet.

A set of starter Policy-as-Code examples that govern what an AI agent is allowed to do under Indian law: DPDP (data protection), CERT-In (incident reporting and logging), RBI (payment-data localization and KYC), SEBI (market-entity cyber resilience and AI-output accountability), and Aadhaar (identity masking). Each policy sits at the agent's action and output boundary and returns allow, audit, escalate, or deny, with the exact statutory citation on every decision. Binding vs advisory status is marked per rule; advisory/draft items (RBI FREE-AI, SEBI June-2025 guidelines) only audit, never block. Universal controls are reused via the shared jurisdiction router (IN entry added), not duplicated.

Following the African regulatory pack precedent (#3077, #3110), this ships YAML + Rego reference policies without a separate test suite. The shared router currently lives under african-regulatory/rego/; happy to relocate it to a shared path if preferred.

Type of Change

• New feature (non-breaking change that adds functionality)

Package(s) Affected

• docs / root

Checklist

• My code follows the project style guidelines (matches the existing regulatory-pack format)
• I have added tests that prove my fix/feature works
• All new and existing tests pass (pytest)
• I have updated documentation as needed
• I have signed the Microsoft CLA

Attribution & Prior Art

• This contribution does not contain code copied or derived from other projects without attribution
• Any external projects that inspired this design are credited in code comments or documentation
• If this PR implements functionality similar to an existing open-source project, I have listed it below

Prior art / related projects: Structure and policy format mirror the African regulatory pack (#3077, #3110) in this repository.

AI Assistance

• I can explain every meaningful change in this PR: what it does, why, and what tradeoffs were considered
• I have run tests and verification appropriate for this change
• No part of this PR was autonomously submitted by an AI agent without my review
• I have not used AI to generate review comments on others' PRs

IP, Patents, and Licensing

• This contribution does not implement patent-pending or patent-encumbered techniques
• This contribution does not require an NDA or licensing agreement to understand or use
• Any AI tools used have terms compatible with the MIT License

[github-actions]

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

[github-actions]

🤖 AI Agent: docs-sync-checker — Docs Sync

AI-generated review output. Treat it as untrusted analysis and verify before acting.

Docs Sync

• README.md in examples/policies/india-regulatory/ -- newly added documentation, no issues found.
• aadhaar-pii-protection.yaml in examples/policies/india-regulatory/ -- includes docstring, no issues found.
• certin-2022-directions.yaml in examples/policies/india-regulatory/ -- includes docstring, no issues found.
• dpdp-data-protection.yaml in examples/policies/india-regulatory/ -- includes docstring, no issues found.
• jurisdiction-router.rego in examples/policies/african-regulatory/rego/ -- no docstring required.

Documentation is in sync.

[github-actions]

🤖 AI Agent: test-generator — `examples/policies/african-regulatory/rego/jurisdiction-router.rego`

AI-generated review output. Treat it as untrusted analysis and verify before acting.

examples/policies/african-regulatory/rego/jurisdiction-router.rego

• test_india_jurisdiction_routing -- validate that the jurisdiction router correctly maps "IN" to the new India-specific policies.

examples/policies/india-regulatory/aadhaar-pii-protection.yaml

• test_aadhaar_number_masking -- ensure Aadhaar numbers are masked correctly in outputs.
• test_biometric_data_block -- verify that biometric data disclosure is denied.
• test_public_display_block -- confirm public display of Aadhaar numbers is blocked.

examples/policies/india-regulatory/certin-2022-directions.yaml

• test_incident_reporting_enforcement -- validate denial of actions suppressing or delaying incident reporting.
• test_log_retention_policy -- ensure logs are retained for 180 days within India.
• test_ntp_sync_audit -- check that NTP synchronization issues are flagged for audit.

examples/policies/india-regulatory/dpdp-data-protection.yaml

• test_consent_requirement -- confirm personal data processing is blocked without consent.
• test_purpose_limitation -- ensure data reuse or repurposing without consent is blocked.
• test_security_safeguards -- validate that insecure storage or transmission of personal data is blocked.

[github-actions]

🤖 AI Agent: breaking-change-detector — View details

AI-generated review output. Treat it as untrusted analysis and verify before acting.

No breaking changes detected.

[github-actions]

🤖 AI Agent: contributor-guide — View details

AI-generated review output. Treat it as untrusted analysis and verify before acting.

Welcome, and thank you for contributing this comprehensive addition to the project!

What you did well: The PR provides detailed documentation and well-structured Policy-as-Code examples, following the format of existing regulatory packs.

Actionable items before merge:

1. Add a test suite for the new policies to ensure functionality and compliance, as noted in your checklist.
2. Ensure all existing and new tests pass (pytest).
3. Sign the Microsoft CLA to proceed with the contribution.

Let us know if you need any assistance!

[github-actions]

🤖 AI Agent: security-scanner — View details

AI-generated review output. Treat it as untrusted analysis and verify before acting.

No security issues found.

[github-actions]

🟡 Contributor Check: MEDIUM

Check	Result
Profile	MEDIUM
Credential	LOW
Overall	MEDIUM

Automated check by AGT Contributor Check.

[github-actions]

PR Review Summary

Check	Status	Details
🔍 Code Review	⚠️ Missing	No current-run comment
🛡️ Security Scan	⚠️ Missing	No current-run comment
🔄 Breaking Changes	⚠️ Missing	No current-run comment
📝 Docs Sync	⚠️ Missing	No current-run comment
🧪 Test Coverage	⚠️ Missing	No current-run comment

Verdict: ⚠️ AI review incomplete; ready for human review

AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims.

[Mayur021]

@microsoft-github-policy-service agree