feat: Cedar HITL approval gates for agent tool use

.pre-commit-config.yaml

@@ -71,6 +71,14 @@ repos:
         exclude: ^docs/node_modules/
         stages: [pre-commit]
 
+      - id: types-sync-cdk-cli
+        name: type sync drift (CDK ↔ CLI)
+        entry: bash -lc 'cd "$(git rev-parse --show-toplevel)" && mise run check:types-sync'
+        language: system
+        pass_filenames: false
+        files: ^(cdk/src/handlers/shared/types\.ts$|cli/src/types\.ts$|scripts/check-types-sync\.ts$)
+        stages: [pre-commit]
+
       - id: monorepo-security-pre-push
         name: security scans (pre-push)
         entry: bash -lc 'cd "$(git rev-parse --show-toplevel)" && mise run hooks:pre-push:security'

agent/Dockerfile

@@ -20,6 +20,13 @@ COPY --from=gh-builder /out/gh /usr/local/bin/gh
 #   - build-essential (native compilation for some repos)
 #   - curl (downloads)
 RUN apt-get update && \
+    # Patch any base-image CVEs that have a fix available in the
+    # current Debian point release. Without this, transitive system-
+    # library CVEs (e.g. libnghttp2 CVE-2026-27135) ride the base
+    # ``python:3.13-slim`` tag until upstream rebuilds, which can be
+    # weeks. ``--no-install-recommends`` keeps the upgrade narrow and
+    # reproducible — only already-installed packages get bumped.
+    apt-get upgrade -y --no-install-recommends && \
     apt-get install -y --no-install-recommends \
         curl \
         git \
@@ -54,6 +61,13 @@ RUN uv sync --frozen --no-dev --directory /app
 # Copy agent code (ARG busts cache so file edits are always picked up)
 ARG CACHE_BUST=0
 COPY src/ /app/src/
+# Cedar HITL built-in policy files (hard_deny.cedar + soft_deny.cedar).
+# ``agent/src/policy.py::_POLICIES_DIR`` resolves to ``/app/policies``
+# at import time; without these files the PolicyEngine init raises
+# ``missing built-in hard-deny policies`` and every task fails at 0
+# turns before the agent even connects to the CLI. Discovered during
+# Chunk 10 E2E T2.2 — the Dockerfile previously only copied ``src/``.
+COPY policies/ /app/policies/
 COPY prepare-commit-msg.sh /app/
 COPY test_sdk_smoke.py test_subprocess_threading.py /app/
 

agent/policies/hard_deny.cedar

@@ -0,0 +1,59 @@
+// Built-in hard-deny policy set for Cedar HITL engine.
+//
+// Hard-deny is ABSOLUTE: no --pre-approve scope and no blueprint `disable:`
+// directive can bypass these rules. See docs/design/CEDAR_HITL_GATES.md
+// §12.5 and decision #8.
+//
+// Every rule in this file MUST carry @tier("hard") + @rule_id annotations.
+// Adding a rule here expands the set of categorically-forbidden agent
+// actions; removing a rule requires a security review.
+
+// Base catch-all permit. Specific forbid rules below override.
+@rule_id("base_permit")
+permit (principal, action, resource);
+
+// pr_review tasks may never invoke Write. Absolute; cannot be overridden
+// by per-blueprint customization or --pre-approve.
+@tier("hard")
+@rule_id("pr_review_forbid_write")
+forbid (
+    principal == Agent::TaskAgent::"pr_review",
+    action == Agent::Action::"invoke_tool",
+    resource == Agent::Tool::"Write"
+);
+
+// pr_review tasks may never invoke Edit.
+@tier("hard")
+@rule_id("pr_review_forbid_edit")
+forbid (
+    principal == Agent::TaskAgent::"pr_review",
+    action == Agent::Action::"invoke_tool",
+    resource == Agent::Tool::"Edit"
+);
+
+// Reject `rm -rf /` and similar absolute-root destructive commands.
+@tier("hard")
+@rule_id("rm_slash")
+forbid (principal, action == Agent::Action::"execute_bash", resource)
+when { context.command like "*rm -rf /*" };
+
+// Reject writes into `.git/` at the repo root (breaks local git state).
+@tier("hard")
+@rule_id("write_git_internals")
+forbid (principal, action == Agent::Action::"write_file", resource)
+when { context.file_path like ".git/*" };
+
+// Reject writes into nested `.git/` directories (submodules, worktrees).
+@tier("hard")
+@rule_id("write_git_internals_nested")
+forbid (principal, action == Agent::Action::"write_file", resource)
+when { context.file_path like "*/.git/*" };
+
+// Reject any SQL DROP TABLE through Bash — agents should not be running
+// destructive DDL against production or dev databases without a human
+// in the loop. Hard-deny because even "just testing locally" is a common
+// vector for data loss (wrong DB connected via saved credentials).
+@tier("hard")
+@rule_id("drop_table")
+forbid (principal, action == Agent::Action::"execute_bash", resource)
+when { context.command like "*DROP TABLE*" };

agent/policies/soft_deny.cedar

@@ -0,0 +1,84 @@
+// Base catch-all permit. Without it, cedarpy's default-deny would turn
+// every non-matching Cedar evaluation on this tier into a DENY decision,
+// making the soft tier indistinguishable from hard-deny. With it, Cedar
+// returns ALLOW (no matching forbid) and our engine's STEP 3 sees only
+// the genuine forbid hits as REQUIRE_APPROVAL.
+@rule_id("base_permit")
+permit (principal, action, resource);
+
+// Built-in soft-deny policy set for Cedar HITL engine.
+//
+// Soft-deny is the HUMAN-IN-THE-LOOP surface: matching rules pause the
+// tool call, write an approval request to DynamoDB, and await a human
+// response via `bgagent approve` / `bgagent deny`. See
+// docs/design/CEDAR_HITL_GATES.md §§2, 6, 15.4.
+//
+// Every rule in this file MUST carry:
+//   @tier("soft")
+//   @rule_id("...")         — stable ID for --pre-approve rule:X
+//   @approval_timeout_s     — integer seconds >= 30 (<120 emits WARN per IMPL-25)
+//   @severity               — "low" | "medium" | "high"
+//   @category               — optional free-form UX grouping
+//
+// Blueprints may OPT OUT of specific rules here via
+// `security.cedarPolicies.disable: [rule_id]`. They may NOT disable any
+// rule in hard_deny.cedar (blueprint loader rejects those at task start).
+
+// Gate any git --force / -f push. 300s default approval window, medium severity.
+// Covers both long-form (--force) and short-form (-f) variants, including
+// the bare `git push -f` invocation with no branch argument.
+@tier("soft")
+@rule_id("force_push_any")
+@approval_timeout_s("300")
+@severity("medium")
+@category("destructive")
+forbid (principal, action == Agent::Action::"execute_bash", resource)
+when { context.command like "*git push --force*"
+    || context.command like "*git push -f *"
+    || context.command like "*git push -f" };
+
+// Force-push to main/prod specifically — longer window, higher severity.
+// Multi-match with force_push_any is expected: the engine's annotation
+// merging picks min(300, 600)=300s and max(medium, high)=high.
+@tier("soft")
+@rule_id("force_push_main")
+@approval_timeout_s("600")
+@severity("high")
+@category("destructive")
+forbid (principal, action == Agent::Action::"execute_bash", resource)
+when { context.command like "*git push --force origin main*"
+    || context.command like "*git push --force origin prod*"
+    || context.command like "*git push -f origin main*"
+    || context.command like "*git push -f origin prod*" };
+
+// Non-force pushes to protected branches — catches the case where an
+// agent bypasses PR workflow by pushing directly.
+@tier("soft")
+@rule_id("push_to_protected_branch")
+@approval_timeout_s("300")
+@severity("medium")
+@category("destructive")
+forbid (principal, action == Agent::Action::"execute_bash", resource)
+when { context.command like "*git push origin main*"
+    || context.command like "*git push origin master*"
+    || context.command like "*git push origin prod*"
+    || context.command like "*git push origin release/*" };
+
+// Writes to `.env` files typically contain secrets. 600s window, high severity.
+@tier("soft")
+@rule_id("write_env_files")
+@approval_timeout_s("600")
+@severity("high")
+@category("filesystem")
+forbid (principal, action == Agent::Action::"write_file", resource)
+when { context.file_path like "*.env" };
+
+// Writes to any path containing "credentials" — SSH keys, AWS creds,
+// service-account JSON, etc. 300s window, high severity.
+@tier("soft")
+@rule_id("write_credentials")
+@approval_timeout_s("300")
+@severity("high")
+@category("auth")
+forbid (principal, action == Agent::Action::"write_file", resource)
+when { context.file_path like "*credentials*" };

agent/pyproject.toml

@@ -11,7 +11,7 @@ dependencies = [
     "uvicorn==0.46.0", #https://pypi.org/project/uvicorn/
     "aws-opentelemetry-distro~=0.17.0", #https://pypi.org/project/aws-opentelemetry-distro/
     "mcp==1.27.1", #https://pypi.org/project/mcp/
-    "cedarpy>=4.8.1", #https://github.com/k9securityio/cedar-py
+    "cedarpy==4.8.0", #https://github.com/k9securityio/cedar-py — EXACT pin per mise.toml parity contract with @cedar-policy/[email protected]
 ]
 
 [tool.bandit]

agent/src/config.py

@@ -92,6 +92,10 @@ def build_config(
     channel_metadata: dict[str, str] | None = None,
     trace: bool = False,
     user_id: str = "",
+    approval_timeout_s: int | None = None,
+    initial_approvals: list[str] | None = None,
+    initial_approval_gate_count: int = 0,
+    approval_gate_cap: int | None = None,
 ) -> TaskConfig:
     """Build and validate configuration from explicit parameters.
 
@@ -146,6 +150,10 @@ def build_config(
         channel_metadata=channel_metadata or {},
         trace=trace,
         user_id=user_id,
+        approval_timeout_s=approval_timeout_s,
+        initial_approvals=initial_approvals or [],
+        initial_approval_gate_count=initial_approval_gate_count,
+        approval_gate_cap=approval_gate_cap,
     )