feat(agentic-org): gate commands with hat policy

agentic-organization/docs/FIRST_IMPLEMENTATION_SLICE.md

@@ -25,6 +25,8 @@ flows, and routing patterns as the Organization learns.
 
 ```text
 send_supervisor_signal
+  -> command authorization policy
+  -> active hat-authority check
   -> idempotency record check
   -> chain-of-command signal
   -> audit event
@@ -62,6 +64,7 @@ escalate.
 | ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `@agentic-org/domain`          | event envelope, command/event constants, aggregate constants, supervisor-chain communication types, hat communication briefs, work item state machine, shared records |
 | `@agentic-org/application`     | command pipeline, command-handler registry, state-store ports, idempotency conflict handling, supervisor signal handler                                               |
+| `@agentic-org/policy`          | command authorization port, hat-authority port, active/expired/revoked/scope/tool denial decisions, typed policy denial reasons                                       |
 | `@agentic-org/state`           | generic state-store/outbox-source ports plus the in-memory Organization state-store factory fake                                                                      |
 | `@agentic-org/state-cockroach` | first replaceable durable SQL implementation of the state-store/outbox-source ports, backed by CockroachDB                                                            |
 | `@agentic-org/messaging`       | stable `agentic-org.<env>.<org>.<domain>.<event>` subject builder, outbox publisher, event publisher port, and typed domain resolver                                  |
@@ -123,6 +126,16 @@ Hermes runs, MCP calls, and UI evidence.
 
 - Hats can expose a communication brief that tells the wearer their duty,
   supervisor line, and efficient upward tools.
+- Every command entering the pipeline is authorized through a generic
+  `CommandAuthorizationPort` before idempotency lookup, handler dispatch,
+  or persistence.
+- The first policy adapter shape delegates to a generic
+  `HatAuthorityPort`, so active hats allow commands and expired, missing,
+  revoked, scope-denied, or tool-denied hats return a typed
+  `policy_denied` result.
+- Policy denial does not create supervisor-signal, audit, outbox, or
+  idempotency state. Denial telemetry/audit is a follow-on effect once a
+  denial-observation port exists.
 - The command pipeline receives state-store factories and command
   handlers through ports instead of constructing in-memory adapters or
   branching on command types.
@@ -140,6 +153,9 @@ Hermes runs, MCP calls, and UI evidence.
 - A governance test enforces that application code does not import the
   state adapter, Cockroach adapter, NestJS, NATS, Dapr, Temporal,
   Drizzle, or Postgres clients.
+- A governance test enforces that policy code does not import
+  application, runtime, state adapters, messaging adapters, NestJS, NATS,
+  Dapr, Temporal, Drizzle, Postgres, or vendor clients.
 - A governance test enforces that the Cockroach state adapter does not
   import messaging, NATS, or JetStream. Durable state can be swapped
   without dragging transport concerns into the repository layer.
@@ -245,17 +261,17 @@ Hermes runs, MCP calls, and UI evidence.
 
 ## Next Slice
 
-The next slice should add policy and hat-authority checks before real
-API, MCP, Hermes, or worker command entrypoints can call the command
-pipeline. After that, add the first real process adapter factories below
+The next slice should add the first real process adapter factories below
 `apps/workers`: concrete NATS pull/publish client construction, durable
 CockroachDB outbox/inbox adapter construction, and a telemetry sink that
 can later send structured logs and metrics into the full-ai-cluster LGTM
 stack. Keep URLs, credentials, and connection pools in app adapter config
 fed by Kubernetes Secret or ExternalSecret values, never in domain
 packages. Add a durable-state integration test using CockroachDB as the
 first cluster-backed implementation once a local/dev connection is
-available.
+available. After that, add denial-observation/audit effects for policy
+denials without making denied commands look like successful business
+state transitions.
 
 Do not make the next slice a pile of bespoke request commands. Build the
 generic supervisor triage lifecycle first, then let specialized

agentic-organization/docs/NORTH_STAR_ALIGNMENT_CHECKPOINT.md

@@ -156,14 +156,20 @@ transaction. The current tests prove the batch boundary and runtime
 recovery behavior; a future local/dev-cluster integration test should
 prove actual rollback behavior with the real adapter binding.
 
-### Policy And Hat Authority Gap
-
-`send_supervisor_signal` does not yet validate actor hat authority,
-source level, target supervisor, or active hat assignment. Before API,
-MCP, Hermes, or worker hosts accept real agent commands, the application
-boundary needs a policy/hat-authority port and tests for unauthorized
-source hats, invalid target supervisors, expired/revoked hats, and
-missing assignments.
+### Policy And Hat Authority Checkpoint
+
+`send_supervisor_signal` now enters through a command pipeline that
+requires a `CommandAuthorizationPort` before idempotency lookup, handler
+dispatch, or persistence. The first policy package maps that command
+authorization request to a generic `HatAuthorityPort`; active authority
+allows the command, while expired, missing, revoked, scope-denied, or
+tool-denied authority returns a typed `policy_denied` result.
+
+The remaining gaps are richer authority semantics and durable
+visibility: tests still need unauthorized source hats, invalid target
+supervisors, missing assignments, and all denial reasons, and the system
+still needs a denial-observation/audit path plus allowed policy-decision
+projection into command effects and event envelopes.
 
 ### Command Surface Closure
 

agentic-organization/docs/TECHNICAL_CA_PACKAGE_ARCHITECTURE.md

@@ -242,17 +242,29 @@ Business services should depend on ports, not concrete adapters.
 Every vendor-specific implementation must sit behind a generic
 Organization interface exported by a non-vendor package. For example,
 application code sees `CommandStateStore`, runtime code sees
-`EventIngestionStore`, and messaging code sees `EventPublisher`; it
-must not see CockroachDB, NATS, OpenZiti, Hindsight, Hermes, Temporal,
-Dapr, Kubernetes, or provider-specific clients directly. Vendor
-packages may define private executor seams for their own composition,
-but those seams are not application contracts.
+`EventIngestionStore`, messaging code sees `EventPublisher`, and command
+code sees `CommandAuthorizationPort`; it must not see CockroachDB,
+NATS, OpenZiti, Hindsight, Hermes, Temporal, Dapr, Kubernetes, OPA, or
+provider-specific clients directly. Vendor packages may define private
+executor seams for their own composition, but those seams are not
+application contracts.
 
 The command pipeline must also depend on a handler registry and a
-state-store factory supplied by the composition layer. It must not
-instantiate the in-memory store or branch on every command type. New
-commands should register a handler; new persistence backends should
-implement the same store-factory port.
+state-store factory supplied by the composition layer. It must also
+receive a command authorization port before any API, MCP, Hermes,
+worker, Temporal, or Dapr entrypoint can execute Organization commands.
+It must not instantiate the in-memory store or branch on every command
+type. New commands should register a handler; new persistence backends
+should implement the same store-factory port.
+
+Policy remains a generic Organization package. The first implementation
+maps a `CommandAuthorizationRequest` to a `HatAuthorityPort` decision:
+active hat authority allows the command, while expired, missing,
+revoked, scope-denied, or tool-denied authority rejects the command with
+a typed policy decision before idempotency lookup, handler dispatch, or
+state persistence. OPA bundles, Kubernetes hat CRD watches, JWT
+validation, Organization DB assignment lookups, and credential-proxy
+checks are later adapter implementations behind that policy boundary.
 
 State-store ports are async at the application boundary. In-memory
 adapters may resolve immediately, but durable SQL, transactional outbox,
@@ -399,6 +411,14 @@ type AgenticEventEnvelope<TPayload> = {
 };
 ```
 
+The current command-authorization slice returns policy metadata on a
+typed denial result but does not yet write denial observations or attach
+allowed policy decisions to audit/outbox envelopes. That is intentional
+for the first gate and should be closed before real API, MCP, Hermes,
+Temporal, or Dapr entrypoints are exposed: allowed decisions should flow
+into the optional `policy` envelope block, and denied decisions should
+be observable without pretending a business state transition succeeded.
+
 No app should publish raw NATS payloads directly. Publishing should go
 through `@agentic-org/messaging`.
 
@@ -924,9 +944,12 @@ Grafana.
    - `@agentic-org/ui-projections`.
 2. Implement the canonical command context, event envelope, typed enums,
    and idempotency key builder.
-3. Implement the first durable SQL schema and migrations for the V0
+3. Add command authorization and hat-authority ports so the command
+   pipeline rejects expired, missing, revoked, scope-denied, or
+   tool-denied hats before handler dispatch or state persistence.
+4. Implement the first durable SQL schema and migrations for the V0
    executable contract, using CockroachDB as the initial adapter.
-4. Implement command handlers for:
+5. Implement command handlers for:
    - send supervisor signal;
    - triage supervisor signal;
    - capability request input through the supervisor signal path;
@@ -937,24 +960,24 @@ Grafana.
    - submit evidence;
    - decide gate;
    - complete outcome review.
-5. Use fake adapters for Hermes, Hindsight, Dapr, Temporal, and
+6. Use fake adapters for Hermes, Hindsight, Dapr, Temporal, and
    hat-system.
-6. Add NATS outbox publisher and one consumer after command tests pass.
-7. Add inbox/consumer dedupe before any NATS-driven automation performs
+7. Add NATS outbox publisher and one consumer after command tests pass.
+8. Add inbox/consumer dedupe before any NATS-driven automation performs
    side effects. The first package-level processor and Cockroach adapter
    now exist; the first package-level worker host composes the outbox and
    inbound-ingestion loops through ports, and the NATS consumer adapter
    owns live ack/nack/DLQ policy.
-8. Add the first rule catalog and reaction executor for ready work,
+9. Add the first rule catalog and reaction executor for ready work,
    review staffing, QA staffing, blocker escalation, and late run
    incidents.
-9. Add runtime hosts. The first NodeNext `apps/workers` host now parses
-   typed process config and composes the worker and NATS consumer loops
-   through ports; NestJS API and richer worker process wiring are still
-   pending.
-10. Add UI projections for work board, review center, and evidence
+10. Add runtime hosts. The first NodeNext `apps/workers` host now parses
+    typed process config and composes the worker and NATS consumer loops
+    through ports; NestJS API and richer worker process wiring are still
+    pending.
+11. Add UI projections for work board, review center, and evidence
     timeline.
-11. Add real cluster adapters one at a time.
+12. Add real cluster adapters one at a time.
 
 ## Extraction Path
 
@@ -991,6 +1014,8 @@ Before a package can be consumed by the OS, it needs:
 - dependency-boundary check;
 - typed enum/state-machine tests;
 - policy allow/deny tests where relevant;
+- command pipeline tests proving policy authorization runs before
+  idempotency lookup, handler dispatch, and state persistence;
 - event envelope tests;
 - idempotency tests for side-effecting commands;
 - rule evaluation tests that prove a state event creates the expected