feat(agentic-org): gate commands with hat policy #5075
Pull request overview
Introduces a first-cut policy boundary for Agentic Organization command execution by adding a dedicated policy package with authorization ports and enforcing a policy gate at the start of the application command pipeline (before idempotency, dispatch, or persistence). This aligns the implementation with governance goals to keep policy logic vendor/adapter-free while making policy denials typed and observable at the command boundary.
Changes:
- Added `@agentic-org/policy` contracts + a default `createCommandAuthorizationPort` implementation backed by `HatAuthorityPort`, with tests for allow/deny behavior.
- Updated the application command pipeline to require `CommandAuthorizationPort` and reject denied commands before any idempotency lookup, handler dispatch, or state persistence.
- Strengthened governance dependency-boundary checks (including policy package constraints) and updated OpenSpec + architecture docs to reflect the new policy gate slice.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| openspec/specs/agentic-organization/spec.md | Specifies that command authorization runs before any command effects and adds policy boundary assertions. |
| agentic-organization/packages/README.md | Updates package inventory and first-slice pipeline narrative to include policy gating. |
| agentic-organization/packages/policy/src/index.ts | Adds policy ports, decision types, and a default command authorization implementation. |
| agentic-organization/packages/policy/test/command-authorization.test.ts | Tests allow/deny mapping from hat authority decisions to policy decisions. |
| agentic-organization/packages/application/src/command-pipeline.ts | Gates command execution via policy authorization before idempotency/dispatch/persistence. |
| agentic-organization/packages/application/src/command-result.ts | Extends command errors with policy_denied and policy metadata fields. |
| agentic-organization/packages/application/test/command-pipeline.test.ts | Updates pipeline tests to provide authorization port and adds an early policy-denial test. |
| agentic-organization/packages/governance/src/package-dependency-boundaries.ts | Adds Policy boundary rule identifier. |
| agentic-organization/packages/governance/test/package-dependency-boundaries.test.ts | Enforces policy package import constraints and expands forbidden vendor/import fragments. |
| agentic-organization/docs/V0_SCHEMA_AND_COMMANDS.md | Updates command contract narrative to reflect policy-derived authorization context. |
| agentic-organization/docs/V0_POLICY_AND_RUNTIME_BOUNDARIES.md | Updates policy/runtime boundary doc to include command authorization gating and denial visibility notes. |
| agentic-organization/docs/TECHNICAL_CA_PACKAGE_ARCHITECTURE.md | Documents the new policy port boundary and the “deny before effects” execution rule. |
| agentic-organization/docs/NORTH_STAR_ALIGNMENT_CHECKPOINT.md | Moves policy/hat authority from “gap” to a checkpoint with remaining follow-ons. |
| agentic-organization/docs/FIRST_IMPLEMENTATION_SLICE.md | Updates slice plan to include policy gate and governance constraints for the new package. |
Normalize the command-contract actor shape in the schema narrative and assert the policy-denial metadata added by the new command pipeline policy gate.

Co-Authored-By: Codex <noreply@openai.com>
Summary
- `@agentic-org/policy` package with generic `CommandAuthorizationPort` and `HatAuthorityPort` contracts.
- `policy_denied` errors for inactive hat authority.

Validation
- `npm test`
- `npm run typecheck`
- `git diff --check origin/main...HEAD`
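
The deny-before-effects ordering described in the review overview, as an added TypeScript sketch that is not the PR's code. The names `CommandAuthorizationPort`, `HatAuthorityPort`, `createCommandAuthorizationPort` and `policy_denied` come from the page; every signature, the `hat_inactive` reason, the synchronous pipeline and the effect log are assumptions made for illustration.

```typescript
// Added sketch: all shapes below are assumed, not copied from @agentic-org/policy.
type Command = { id: string; actor: { hatId: string }; type: string };
type PolicyDecision = { allowed: true } | { allowed: false; reason: string };
type CommandResult =
  | { ok: true; replayed: boolean }
  | { ok: false; error: { code: "policy_denied"; reason: string; hatId: string } };
interface HatAuthorityPort { isActive(hatId: string): boolean }
interface CommandAuthorizationPort { authorize(cmd: Command): PolicyDecision }

// Maps a hat-authority answer to a policy decision; an inactive hat denies.
function createCommandAuthorizationPort(hats: HatAuthorityPort): CommandAuthorizationPort {
  return {
    authorize: (cmd) =>
      hats.isActive(cmd.actor.hatId)
        ? { allowed: true }
        : { allowed: false, reason: "hat_inactive" }, // assumed reason string
  };
}

// Builds a pipeline that appends every side effect to `effects` so ordering can be checked.
function createPipeline(auth: CommandAuthorizationPort, effects: string[]) {
  const seen = new Set<string>(); // stand-in for the idempotency store
  return (cmd: Command): CommandResult => {
    // 1. Policy gate runs first, so a denial touches no store at all.
    const decision = auth.authorize(cmd);
    if (!decision.allowed) {
      const error = { code: "policy_denied" as const, reason: decision.reason, hatId: cmd.actor.hatId };
      return { ok: false, error };
    }
    // 2. Idempotency lookup, 3. dispatch, 4. persistence happen only after an allow.
    effects.push(`idempotency:${cmd.id}`);
    if (seen.has(cmd.id)) return { ok: true, replayed: true };
    effects.push(`dispatch:${cmd.type}`, `persist:${cmd.id}`);
    seen.add(cmd.id);
    return { ok: true, replayed: false };
  };
}

// Constructed sample: hat "ops" is active, hat "retired" is not.
function demo() {
  const effects: string[] = [];
  const hats: HatAuthorityPort = { isActive: (hatId) => hatId === "ops" };
  const run = createPipeline(createCommandAuthorizationPort(hats), effects);
  const denied = run({ id: "c1", actor: { hatId: "retired" }, type: "assign" });
  const afterDenied = effects.length; // effects recorded by the denied command
  const allowed = run({ id: "c1", actor: { hatId: "ops" }, type: "assign" });
  return { denied, afterDenied, allowed, effects };
}
```

Because the gate runs before the idempotency lookup, the denied command does not consume the id `c1`, and the later authorized command with the same id is executed rather than reported as a replay.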