feat: add SecOps security agent with rule engine, audit log, and ToolInvoker integration

.gitleaks.toml

@@ -0,0 +1,8 @@
+# Gitleaks configuration — allowlist test files containing deliberately
+# fake credentials used by the security rule detector test suite.
+
+[allowlist]
+  paths = [
+    '''tests/unit/security/rules/test_credential_detector\.py''',
+    '''tests/unit/security/test_output_scanner\.py''',
+  ]

CLAUDE.md

@@ -54,7 +54,7 @@ src/ai_company/
   persistence/    # Operational data persistence — pluggable PersistenceBackend protocol, SQLite initial (§7.6)
   observability/  # Structured logging, correlation tracking, log sinks
   providers/      # LLM provider abstraction (LiteLLM adapter)
-  security/       # SecOps agent, approval gates, audit
+  security/       # SecOps agent, rule engine (soft-allow/hard-deny, fail-closed), audit log, output scanner, risk classifier, action type registry, ToolInvoker security integration
   templates/      # Pre-built company templates, personality presets, and builder
   tools/          # Tool registry, built-in tools (file_system/, git, sandbox/, code_runner), MCP bridge (mcp/), role-based access
 ```

DESIGN_SPEC.md

@@ -2169,7 +2169,7 @@ sandboxing:
 > code:read, code:write, code:create, code:delete, code:refactor
 > test:write, test:run
 > docs:write
-> vcs:commit, vcs:push, vcs:branch
+> vcs:read, vcs:commit, vcs:push, vcs:branch
 > deploy:staging, deploy:production
 > comms:internal, comms:external
 > budget:spend, budget:exceed
@@ -3034,11 +3034,23 @@ ai-company/
 │       │       ├── factory.py     # MCPToolFactory (parallel connect)
 │       │       ├── models.py      # MCP domain models
 │       │       └── result_mapper.py # MCP result → ToolExecutionResult mapping
-│       ├── security/                # Security & approval (M7, stubs only)
-│       │   ├── approval.py         # Approval workflow gates (M7) — domain model is in core/approval.py
-│       │   ├── secops_agent.py     # Security operations agent (M7)
-│       │   ├── audit.py            # Audit logging (M7)
-│       │   └── permissions.py      # Permission checking (M7)
+│       ├── security/                # Security & approval
+│       │   ├── action_type_mapping.py # Default ToolCategory → ActionType mapping
+│       │   ├── action_types.py     # ActionTypeCategory registry and validation
+│       │   ├── audit.py            # Append-only AuditLog with configurable eviction
+│       │   ├── config.py           # SecurityConfig, SecurityPolicyRule, RuleEngineConfig
+│       │   ├── models.py           # SecurityVerdict, SecurityContext, AuditEntry, OutputScanResult
+│       │   ├── output_scanner.py   # Post-tool output scanning (credential/secret detection)
+│       │   ├── protocol.py         # SecurityInterceptionStrategy protocol
+│       │   ├── service.py          # SecOpsService — meta-agent coordinating security
+│       │   └── rules/              # Rule engine and detectors
+│       │       ├── engine.py       # RuleEngine (soft-allow + hard-deny, fail-closed)
+│       │       ├── protocol.py     # SecurityRule protocol
+│       │       ├── policy_validator.py   # Policy list validation rule
+│       │       ├── risk_classifier.py    # RiskClassifier (ActionType → ApprovalRiskLevel)
+│       │       ├── destructive_op_detector.py  # Destructive operation detection
+│       │       ├── data_leak_detector.py       # Credential/secret pattern detection
+│       │       └── _utils.py       # walk_string_values utility (recursive argument scanning)
 │       ├── budget/                  # Cost management
 │       │   ├── _optimizer_helpers.py # CostOptimizer shared helper functions
 │       │   ├── config.py           # Budget configuration models

README.md

@@ -33,7 +33,7 @@ AI Company lets you spin up a virtual organization staffed entirely by AI agents
 
 - **Memory Backend Adapter (M5)** - Memory protocols, retrieval pipeline, org memory, and consolidation are complete; initial Mem0 adapter backend ([ADR-001](docs/decisions/ADR-001-memory-layer.md)) pending; research backends (GraphRAG, Temporal KG) planned
 - **CLI Surface** - `cli/` package is placeholder-only
-- **Security/Approval System (M7)** - `security/` package is placeholder-only; real authentication (JWT/OAuth), progressive trust, SecOps agent
+- **Security/Approval System (M7)** - SecOps agent with rule engine (soft-allow/hard-deny, fail-closed), audit log, output scanner, risk classifier, and ToolInvoker integration are implemented; real authentication (JWT/OAuth), progressive trust, and approval workflow gates are planned
 - **Advanced Product Surface** - web dashboard, HR workflows, and external integrations
 
 ## Status

src/ai_company/config/defaults.py

@@ -37,4 +37,5 @@ def default_config_dict() -> dict[str, Any]:
         "api": {},
         "sandboxing": {},
         "mcp": {},
+        "security": {},
     }

src/ai_company/config/schema.py

@@ -26,6 +26,7 @@
 from ai_company.observability.config import LogConfig  # noqa: TC001
 from ai_company.observability.events.config import CONFIG_VALIDATION_FAILED
 from ai_company.persistence.config import PersistenceConfig
+from ai_company.security.config import SecurityConfig
 from ai_company.tools.mcp.config import MCPConfig
 from ai_company.tools.sandbox.sandboxing_config import SandboxingConfig
 
@@ -491,6 +492,7 @@ class RootConfig(BaseModel):
         api: API server configuration.
         sandboxing: Sandboxing backend configuration.
         mcp: MCP bridge configuration.
+        security: Security subsystem configuration.
     """
 
     model_config = ConfigDict(frozen=True)
@@ -586,6 +588,10 @@ class RootConfig(BaseModel):
         default_factory=MCPConfig,
         description="MCP bridge configuration",
     )
+    security: SecurityConfig = Field(
+        default_factory=SecurityConfig,
+        description="Security subsystem configuration",
+    )
 
     @model_validator(mode="after")
     def _validate_unique_agent_names(self) -> Self:

src/ai_company/core/enums.py

@@ -369,18 +369,42 @@ class CoordinationTopology(StrEnum):
 
 
 class ActionType(StrEnum):
-    """Convenience constants for common approval action types.
+    """Two-level action type taxonomy for security classification.
 
-    Models typically use ``NotBlankStr`` for ``action_type`` fields, so these
-    are optional helper constants and custom string values remain valid.
+    Used by autonomy presets (DESIGN_SPEC §12.2), SecOps validation
+    (§12.3), tiered timeout policies (§12.4), and progressive trust
+    (§11.3).  Values follow a ``category:action`` naming convention.
+
+    Custom action type strings are also accepted by models that use
+    ``str`` for ``action_type`` fields — these enum members are
+    convenience constants for the built-in taxonomy.
     """
 
-    CODE_MERGE = "code_merge"
-    DEPLOYMENT = "deployment"
-    BUDGET_SPEND = "budget_spend"
-    EXTERNAL_COMMUNICATION = "external_communication"
-    HIRING = "hiring"
-    ARCHITECTURE_CHANGE = "architecture_change"
+    CODE_READ = "code:read"
+    CODE_WRITE = "code:write"
+    CODE_CREATE = "code:create"
+    CODE_DELETE = "code:delete"
+    CODE_REFACTOR = "code:refactor"
+    TEST_WRITE = "test:write"
+    TEST_RUN = "test:run"
+    DOCS_WRITE = "docs:write"
+    VCS_COMMIT = "vcs:commit"
+    VCS_PUSH = "vcs:push"
+    VCS_BRANCH = "vcs:branch"
+    DEPLOY_STAGING = "deploy:staging"
+    DEPLOY_PRODUCTION = "deploy:production"
+    COMMS_INTERNAL = "comms:internal"
+    COMMS_EXTERNAL = "comms:external"
+    BUDGET_SPEND = "budget:spend"
+    BUDGET_EXCEED = "budget:exceed"
+    ORG_HIRE = "org:hire"
+    ORG_FIRE = "org:fire"
+    ORG_PROMOTE = "org:promote"
+    VCS_READ = "vcs:read"
+    DB_QUERY = "db:query"
+    DB_MUTATE = "db:mutate"
+    DB_ADMIN = "db:admin"
+    ARCH_DECIDE = "arch:decide"
 
 
 class MergeOrder(StrEnum):

src/ai_company/engine/agent_engine.py

@@ -50,12 +50,29 @@
     EXECUTION_ENGINE_TIMEOUT,
     EXECUTION_RECOVERY_FAILED,
 )
+from ai_company.observability.events.security import SECURITY_DISABLED
 from ai_company.providers.enums import MessageRole
 from ai_company.providers.models import ChatMessage
+from ai_company.security.audit import AuditLog
+from ai_company.security.output_scanner import OutputScanner
+from ai_company.security.rules.credential_detector import CredentialDetector
+from ai_company.security.rules.data_leak_detector import DataLeakDetector
+from ai_company.security.rules.destructive_op_detector import (
+    DestructiveOpDetector,
+)
+from ai_company.security.rules.engine import RuleEngine
+from ai_company.security.rules.path_traversal_detector import (
+    PathTraversalDetector,
+)
+from ai_company.security.rules.policy_validator import PolicyValidator
+from ai_company.security.rules.protocol import SecurityRule  # noqa: TC001
+from ai_company.security.rules.risk_classifier import RiskClassifier
+from ai_company.security.service import SecOpsService
 from ai_company.tools.invoker import ToolInvoker
 from ai_company.tools.permissions import ToolPermissionChecker
 
 if TYPE_CHECKING:
+    from ai_company.api.approval_store import ApprovalStore
     from ai_company.budget.coordination_config import ErrorTaxonomyConfig
     from ai_company.budget.enforcer import BudgetEnforcer
     from ai_company.budget.tracker import CostTracker
@@ -68,6 +85,8 @@
     )
     from ai_company.providers.models import CompletionConfig
     from ai_company.providers.protocol import CompletionProvider
+    from ai_company.security.config import SecurityConfig
+    from ai_company.security.protocol import SecurityInterceptionStrategy
     from ai_company.tools.registry import ToolRegistry
 
 logger = get_logger(__name__)
@@ -108,6 +127,8 @@ def __init__(  # noqa: PLR0913
         shutdown_checker: ShutdownChecker | None = None,
         error_taxonomy_config: ErrorTaxonomyConfig | None = None,
         budget_enforcer: BudgetEnforcer | None = None,
+        security_config: SecurityConfig | None = None,
+        approval_store: ApprovalStore | None = None,
     ) -> None:
         self._provider = provider
         self._loop: ExecutionLoop = execution_loop or ReactLoop()
@@ -127,6 +148,8 @@ def __init__(  # noqa: PLR0913
             self._cost_tracker = budget_enforcer.cost_tracker
         else:
             self._cost_tracker = cost_tracker
+        self._security_config = security_config
+        self._approval_store = approval_store
         self._recovery_strategy = recovery_strategy
         self._shutdown_checker = shutdown_checker
         self._error_taxonomy_config = error_taxonomy_config
@@ -185,7 +208,7 @@ async def run(  # noqa: PLR0913
                 await self._budget_enforcer.check_can_execute(agent_id)
                 identity = await self._budget_enforcer.resolve_model(identity)
 
-            tool_invoker = self._make_tool_invoker(identity)
+            tool_invoker = self._make_tool_invoker(identity, task_id=task_id)
             ctx, system_prompt = self._prepare_context(
                 identity=identity,
                 task=task,
@@ -642,15 +665,69 @@ async def _apply_recovery(
             )
             return execution_result
 
+    def _make_security_interceptor(
+        self,
+    ) -> SecurityInterceptionStrategy | None:
+        """Build the SecOps security interceptor if configured."""
+        if self._security_config is None:
+            logger.warning(
+                SECURITY_DISABLED,
+                note="No SecurityConfig provided — all security checks skipped",
+            )
+            return None
+        if not self._security_config.enabled:
+            return None
+
+        cfg = self._security_config
+        re_cfg = cfg.rule_engine
+        policy_validator = PolicyValidator(
+            hard_deny_action_types=frozenset(cfg.hard_deny_action_types),
+            auto_approve_action_types=frozenset(cfg.auto_approve_action_types),
+        )
+        # Build the detector list respecting config flags.
+        detectors: list[SecurityRule] = [policy_validator]
+        if re_cfg.credential_patterns_enabled:
+            detectors.append(CredentialDetector())
+        if re_cfg.path_traversal_detection_enabled:
+            detectors.append(PathTraversalDetector())
+        if re_cfg.destructive_op_detection_enabled:
+            detectors.append(DestructiveOpDetector())
+        if re_cfg.data_leak_detection_enabled:
+            detectors.append(DataLeakDetector())
+
+        rule_engine = RuleEngine(
+            rules=tuple(detectors),
+            risk_classifier=RiskClassifier(),
+            config=re_cfg,
+        )
+        return SecOpsService(
+            config=cfg,
+            rule_engine=rule_engine,
+            audit_log=AuditLog(),
+            output_scanner=OutputScanner(),
+            approval_store=self._approval_store,
+        )
+
     def _make_tool_invoker(
         self,
         identity: AgentIdentity,
+        task_id: str | None = None,
     ) -> ToolInvoker | None:
-        """Create a ToolInvoker with permission checking, or None."""
+        """Create a ToolInvoker with permission checking and security.
+
+        Returns None if no tool registry is configured.
+        """
         if self._tool_registry is None:
             return None
         checker = ToolPermissionChecker.from_permissions(identity.tools)
-        return ToolInvoker(self._tool_registry, permission_checker=checker)
+        interceptor = self._make_security_interceptor()
+        return ToolInvoker(
+            self._tool_registry,
+            permission_checker=checker,
+            security_interceptor=interceptor,
+            agent_id=str(identity.id),
+            task_id=task_id,
+        )
 
     def _log_completion(
         self,

src/ai_company/observability/events/security.py

@@ -0,0 +1,32 @@
+"""Security event constants."""
+
+from typing import Final
+
+SECURITY_EVALUATE_START: Final[str] = "security.evaluate.start"
+SECURITY_EVALUATE_COMPLETE: Final[str] = "security.evaluate.complete"
+SECURITY_RULE_MATCHED: Final[str] = "security.rule.matched"
+SECURITY_RULE_ERROR: Final[str] = "security.rule.error"
+SECURITY_VERDICT_ALLOW: Final[str] = "security.verdict.allow"
+SECURITY_VERDICT_DENY: Final[str] = "security.verdict.deny"
+SECURITY_VERDICT_ESCALATE: Final[str] = "security.verdict.escalate"
+SECURITY_AUDIT_RECORDED: Final[str] = "security.audit.recorded"
+SECURITY_AUDIT_EVICTION: Final[str] = "security.audit.eviction"
+SECURITY_OUTPUT_SCAN_START: Final[str] = "security.output_scan.start"
+SECURITY_OUTPUT_SCAN_FINDING: Final[str] = "security.output_scan.finding"
+SECURITY_ESCALATION_CREATED: Final[str] = "security.escalation.created"
+SECURITY_ESCALATION_STORE_ERROR: Final[str] = "security.escalation.store_error"
+SECURITY_CONFIG_LOADED: Final[str] = "security.config.loaded"
+SECURITY_DISABLED: Final[str] = "security.disabled"
+SECURITY_RISK_FALLBACK: Final[str] = "security.risk.fallback"
+SECURITY_CREDENTIAL_DETECTED: Final[str] = "security.credential.detected"
+SECURITY_PATH_TRAVERSAL_DETECTED: Final[str] = "security.path_traversal.detected"
+SECURITY_DESTRUCTIVE_OP_DETECTED: Final[str] = "security.destructive_op.detected"
+SECURITY_DATA_LEAK_DETECTED: Final[str] = "security.data_leak.detected"
+SECURITY_POLICY_DENY: Final[str] = "security.policy.deny"
+SECURITY_POLICY_AUTO_APPROVE: Final[str] = "security.policy.auto_approve"
+SECURITY_INTERCEPTOR_ERROR: Final[str] = "security.interceptor.error"
+SECURITY_OUTPUT_SCAN_ERROR: Final[str] = "security.output_scan.error"
+SECURITY_AUDIT_CONFIG_ERROR: Final[str] = "security.audit.config_error"
+SECURITY_SCAN_DEPTH_EXCEEDED: Final[str] = "security.scan.depth_exceeded"
+SECURITY_AUDIT_RECORD_ERROR: Final[str] = "security.audit.record_error"
+SECURITY_ACTION_TYPE_INVALID: Final[str] = "security.action_type.invalid"

src/ai_company/observability/events/tool.py

@@ -40,6 +40,11 @@
 TOOL_FS_GLOB_REJECTED: Final[str] = "tool.fs.glob_rejected"
 TOOL_FS_NOOP: Final[str] = "tool.fs.noop"
 
+# ── Security interception events ────────────────────────────────
+TOOL_SECURITY_DENIED: Final[str] = "tool.security.denied"
+TOOL_SECURITY_ESCALATED: Final[str] = "tool.security.escalated"
+TOOL_OUTPUT_REDACTED: Final[str] = "tool.output.redacted"
+
 # ── Subprocess utility events ───────────────────────────────────
 TOOL_SUBPROCESS_TRANSPORT_CLOSE_FAILED: Final[str] = (
     "tool.subprocess.transport_close_failed"

src/ai_company/security/__init__.py

@@ -0,0 +1,56 @@
+"""Security subsystem — SecOps agent, rule engine, audit, and models.
+
+Public API:
+
+- ``SecOpsService`` — the meta-agent coordinating security.
+- ``SecurityConfig`` — top-level security configuration.
+- ``SecurityVerdict`` / ``SecurityVerdictType`` — evaluation results.
+- ``SecurityContext`` — tool invocation context for evaluation.
+- ``AuditEntry`` / ``AuditLog`` — audit recording.
+- ``OutputScanResult`` / ``OutputScanner`` — post-tool output scanning.
+- ``SecurityInterceptionStrategy`` — protocol for the ToolInvoker.
+- ``ActionTypeRegistry`` / ``ActionTypeCategory`` — action taxonomy.
+- ``RuleEngine`` / ``SecurityRule`` — rule evaluation.
+"""
+
+from ai_company.security.action_types import (
+    ActionTypeCategory,
+    ActionTypeRegistry,
+)
+from ai_company.security.audit import AuditLog
+from ai_company.security.config import (
+    RuleEngineConfig,
+    SecurityConfig,
+    SecurityPolicyRule,
+)
+from ai_company.security.models import (
+    AuditEntry,
+    OutputScanResult,
+    SecurityContext,
+    SecurityVerdict,
+    SecurityVerdictType,
+)
+from ai_company.security.output_scanner import OutputScanner
+from ai_company.security.protocol import SecurityInterceptionStrategy
+from ai_company.security.rules.engine import RuleEngine
+from ai_company.security.rules.protocol import SecurityRule
+from ai_company.security.service import SecOpsService
+
+__all__ = [
+    "ActionTypeCategory",
+    "ActionTypeRegistry",
+    "AuditEntry",
+    "AuditLog",
+    "OutputScanResult",
+    "OutputScanner",
+    "RuleEngine",
+    "RuleEngineConfig",
+    "SecOpsService",
+    "SecurityConfig",
+    "SecurityContext",
+    "SecurityInterceptionStrategy",
+    "SecurityPolicyRule",
+    "SecurityRule",
+    "SecurityVerdict",
+    "SecurityVerdictType",
+]