Add TEE-side child path access policies #197

Open

crossagent-production-app[bot] wants to merge 1 commit into main from worktree/task_ebaafdf341e34caa

Conversation

@crossagent-production-app


Links #7

Adds a security-group-like child derivation path policy layer for agent HDKD paths. Pair approval explicitly activates the path policy, unknown paths are denied by default, and suspend/resume endpoints can toggle JWT issuance without pretending the mathematically derived child key relationship can be destroyed. The parent-control UI now surfaces the TEE child path policy state on the agent permission detail page.

Change:

  • Added broker-side child path policy storage with default-deny checks, pair-approval activation, and suspend/resume/list APIs.
  • OIDC/JWT issuance for agent_hdkd sessions now denies missing or suspended child derivation paths before chain device checks.
  • Parent-control agent permissions render the TEE child path policy state, derivation path, default-deny posture, and JWT gate status.

Objective Evidence:

  • cargo check -p agentkeys-broker-server: passed.
  • cargo test -p agentkeys-broker-server storage::grants::tests::child_path_policy -- --nocapture: passed.
  • cargo test -p agentkeys-broker-server --test agent_bootstrap_flow -- --nocapture: passed.
  • npm --prefix apps/parent-control run typecheck: passed.
  • env -u NODE_ENV npm --prefix apps/parent-control run build -- --no-lint: passed.
  • ./provisioner-scripts/node_modules/.bin/playwright screenshot http://127.0.0.1:3113 /tmp/agentkeys-issue7-playwright-screenshot-clean.png: passed and captured the local product UI.

Visual Evidence:

  • Source Screenshot Match: n.a. (source issue did not include a screenshot).
  • Actual product surface captured: parent-control agent detail permissions page showing TEE child path policy, default deny, //agent-1, and JWT:ON.

Reviewer:

  • CrossAgent pre-PR draft reviewer.

Risks / Not Covered:

  • Suspend/resume persistence is broker SQLite policy, not on-chain extrinsics yet.
  • E2E used a temporary local daemon API against the real parent-control frontend.

crossagent-production-app Bot commented Jun 4, 2026

Delivery Evidence Summary

Change:

  • Added default-deny child path policy storage and JWT issuance checks.
  • Added suspend/resume/list policy APIs.
  • Rendered TEE child path policy state in parent-control permissions UI.

Objective Evidence:

  • cargo check -p agentkeys-broker-server exit code 0, passed: broker server check completed
  • cargo test -p agentkeys-broker-server storage::grants::tests::child_path_policy -- --nocapture exit code 0, passed: child path policy tests passed
  • cargo test -p agentkeys-broker-server --test agent_bootstrap_flow -- --nocapture exit code 0, passed: agent bootstrap flow tests passed
  • npm --prefix apps/parent-control run typecheck exit code 0, passed: parent-control TypeScript check passed
  • env -u NODE_ENV npm --prefix apps/parent-control run build -- --no-lint exit code 0, passed: parent-control production build passed
  • ./provisioner-scripts/node_modules/.bin/playwright screenshot http://127.0.0.1:3113 /tmp/agentkeys-issue7-playwright-screenshot-clean.png exit code 0, passed: Playwright captured the local parent-control product UI. Evidence: /tmp/agentkeys-issue7-playwright-screenshot-clean.png.

Visual Evidence:

  • Delivery evidence screenshot
  • Source Screenshot Match: n.a. (source issue did not include a screenshot).
  • Actual product surface: parent-control agent detail permissions page showing TEE child path policy, default deny, //agent-1, and JWT:ON.

Reviewer:

  • CrossAgent pre-PR draft reviewer

Risks / Not Covered:

  • Suspend/resume persistence is broker SQLite policy, not on-chain extrinsics yet
  • E2E used a temporary local daemon API against the real parent-control frontend

Generated at: 2026-06-04T15:10:16.170Z

@hanwencheng


Review verdict: hold — right idea, but wrong layer + wrong name, and it needs reconciling with the on-chain scope authority.

Issue #7 asks for "TEE-side" access control. This PR implements it as a broker SQLite child_path_policies table gating OIDC-JWT minting (handlers/oidc.rs check_child_path_policy), and the UI labels it "TEE child path policy." But the broker is not the TEE — arch.md §14 defines the TEE as the signer enclave. Per the CLAUDE.md terminology rule, calling broker-SQLite state "TEE-side" misrepresents where enforcement lives.

It also overlaps the on-chain scope model, which arch.md §16 calls the single source of truth. Agents already get no scope until the master approves on-chain (§10.2 step 13 + §6.3), so default-deny is already the posture. This adds a second, broker-local default-deny gate at JWT-mint time. The genuinely new capability — suspend/resume (pause JWT issuance without an on-chain tx) — is a useful fast kill-switch, but it introduces broker-local authority that §13/§16 don't currently account for (the PR flags this: "not on-chain extrinsics yet").

The v0.2+ framing (issue #7) predates the M1–M7 roadmap.

Recommended action: hold/draft until we resolve — (a) rename off "TEE" (it's broker-side) or move enforcement to the signer/chain; (b) decide whether this is a broker-side cache of on-chain scope or an independent authority, and document the answer in arch.md §13 + §16; (c) keep the suspend/resume kill-switch but give it an arch home. (Noted on #7.)

@hanwencheng


📋 Structured decision note added — docs/plan/issue-7-child-path-policy-decision.md in #226. Recommendation: keep the broker-side implementation but rename off "TEE" (it gates JWT mint at the broker, not the signer enclave), frame it as a bounded authority (fail-closed cache + operational pause, never a grant), document in §13/§16, and keep suspend/resume with an audit row per toggle. Holding this PR pending that decision.
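The following is an added Rust example, not code from this PR or from the agentkeys project, that sketches the two behaviours discussed in this thread in one place: the PR description's broker-side policy store (default deny for unknown paths, pair-approval activation, suspend/resume, and a JWT-issuance gate that runs before the chain check) and the decision note's bounded-authority framing (the broker policy can only deny, never grant, and every toggle writes an audit row). `ChildPathPolicyStore`, `check_jwt_issuance`, `AuditRow`, `JwtDecision` and the `chain_scope_approved` flag are all hypothetical names; the in-memory map stands in for the SQLite table, and the boolean stands in for the on-chain scope lookup that arch.md treats as the source of truth.

```rust
use std::collections::HashMap;

// Hypothetical in-memory stand-in for a broker child_path_policies table.
// All names here are assumptions for illustration, not the project's API.

/// State of one child derivation path policy.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum PathState {
    Active,
    Suspended,
}

/// One audit row per policy toggle, as the decision note asks for.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuditRow {
    pub agent_id: String,
    pub path: String,
    pub action: &'static str,
}

/// Outcome of the JWT-issuance gate; deny variants are distinct so a log
/// line can say which check fired.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum JwtDecision {
    Allow,
    DenyUnknownPath,
    DenySuspended,
    DenyNoChainScope,
}

#[derive(Default)]
pub struct ChildPathPolicyStore {
    // keyed by (agent_id, derivation path); absence means default deny
    policies: HashMap<(String, String), PathState>,
    pub audit: Vec<AuditRow>,
}

impl ChildPathPolicyStore {
    pub fn new() -> Self {
        Self::default()
    }

    fn key(agent_id: &str, path: &str) -> (String, String) {
        (agent_id.to_string(), path.to_string())
    }

    fn record(&mut self, agent_id: &str, path: &str, action: &'static str) {
        self.audit.push(AuditRow { agent_id: agent_id.to_string(), path: path.to_string(), action });
    }

    /// Pair approval is the only event that creates an Active policy.
    pub fn activate_on_pair_approval(&mut self, agent_id: &str, path: &str) {
        self.policies.insert(Self::key(agent_id, path), PathState::Active);
        self.record(agent_id, path, "activate");
    }

    /// Pause JWT issuance for the path. Returns false when the path has no
    /// policy: an unknown path stays unknown (and denied), never auto-created.
    pub fn suspend(&mut self, agent_id: &str, path: &str) -> bool {
        self.set_state(agent_id, path, PathState::Suspended, "suspend")
    }

    pub fn resume(&mut self, agent_id: &str, path: &str) -> bool {
        self.set_state(agent_id, path, PathState::Active, "resume")
    }

    fn set_state(&mut self, agent_id: &str, path: &str, new: PathState, action: &'static str) -> bool {
        if let Some(state) = self.policies.get_mut(&Self::key(agent_id, path)) {
            *state = new;
            self.record(agent_id, path, action);
            return true;
        }
        false
    }

    pub fn state(&self, agent_id: &str, path: &str) -> Option<PathState> {
        self.policies.get(&Self::key(agent_id, path)).copied()
    }

    /// List all policies for one agent, sorted by path.
    pub fn list(&self, agent_id: &str) -> Vec<(String, PathState)> {
        let mut rows: Vec<(String, PathState)> = self
            .policies
            .iter()
            .filter(|((a, _), _)| a.as_str() == agent_id)
            .map(|((_, p), s)| (p.clone(), *s))
            .collect();
        rows.sort();
        rows
    }
}

/// JWT-issuance gate. `chain_scope_approved` stands in for the on-chain scope
/// check (the source of truth). The broker policy runs first and can only
/// deny: an Active row without chain scope still yields a denial.
pub fn check_jwt_issuance(store: &ChildPathPolicyStore, chain_scope_approved: bool, agent_id: &str, path: &str) -> JwtDecision {
    match store.state(agent_id, path) {
        None => JwtDecision::DenyUnknownPath,
        Some(PathState::Suspended) => JwtDecision::DenySuspended,
        Some(PathState::Active) if chain_scope_approved => JwtDecision::Allow,
        Some(PathState::Active) => JwtDecision::DenyNoChainScope,
    }
}

fn main() {
    let mut store = ChildPathPolicyStore::new();
    println!("before pairing: {:?}", check_jwt_issuance(&store, true, "agent-1", "//agent-1"));
    store.activate_on_pair_approval("agent-1", "//agent-1");
    println!("after pairing:  {:?}", check_jwt_issuance(&store, true, "agent-1", "//agent-1"));
    store.suspend("agent-1", "//agent-1");
    println!("suspended:      {:?}", check_jwt_issuance(&store, true, "agent-1", "//agent-1"));
    store.resume("agent-1", "//agent-1");
    println!("resumed:        {:?}", check_jwt_issuance(&store, true, "agent-1", "//agent-1"));
    for row in &store.audit {
        println!("audit: {} {} {}", row.agent_id, row.path, row.action);
    }
}
```

The ordering in `check_jwt_issuance` mirrors the PR description (missing or suspended paths are rejected before the chain check), while the guard on the `Active` arm is what makes the store a fail-closed cache rather than an independent grant authority: flipping a row to `Active` never lets a JWT out unless the on-chain scope is also approved.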
