Skip to content

fix(policy): workflow-scoped permits replace catch-all in financial + healthcare demos#13

Merged
imran-siddique merged 2 commits into
fix/runnable-demosfrom
fix/workflow-scoped-permits
Jun 11, 2026
Merged

fix(policy): workflow-scoped permits replace catch-all in financial + healthcare demos#13
imran-siddique merged 2 commits into
fix/runnable-demosfrom
fix/workflow-scoped-permits

Conversation

@imran-siddique

Copy link
Copy Markdown
Contributor

Summary

Closes #12. The financial-services and healthcare Cedar bundles opened with a catch-all permit (principal, action, resource);, so the workflow restrictions described in the READMEs were decorative -- any workflow (or none) could call any catalog tool unless a forbid fired. Each tool is now explicitly permitted only for its declared workflow, the same pattern the globex-financial tenant already used. Wrong workflow, missing workflow, or an unlisted action is denied by Cedar default-deny.

This surfaced a real runtime bug fixed in agentrust-io/cmcp#285: the egress evaluation context lacked workflow_id, so default-deny bundles denied every response at egress. This PR requires cmcp#285.

Verified live (all four paths)

  • financial 250k: 3/3 allow; 750k: deny with mifid-ii-art-25 advice
  • healthcare standard: 3/3 allow; --trigger-hitl: deny with eu-ai-act-art-14 advice
  • negative case: tools/call without _cmcp.workflow_id -> 403 POLICY_DENY
  • trace-output/ reference claims recaptured from these runs (bundle hashes changed)

Stacked on #11.

Generated with Claude Code

…althcare bundles

The bundles opened with permit (principal, action, resource), making the
documented workflow restrictions decorative: any workflow could call any
catalog tool unless a forbid fired. Each tool is now explicitly permitted
only for its declared workflow (the globex-financial pattern); wrong
workflow, missing workflow, or unlisted action hits Cedar default-deny.

Verified live: happy paths allow, HITL/escalation forbids fire with advice,
and a call without _cmcp.workflow_id is denied. trace-output reference
claims recaptured (policy bundle hashes changed). Requires
agentrust-io/cmcp#285 (egress context carries workflow_id).

Closes #12.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…14)

Verify the captured claim and audit bundle in one command, then mutate a
single field and watch the signature fail. Makes the tamper-evidence
guarantee tangible in the quickstart. Requires agentrust-io/cmcp#287.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
@imran-siddique imran-siddique merged commit 9406bfa into fix/runnable-demos Jun 11, 2026
imran-siddique added a commit that referenced this pull request Jun 12, 2026
PRs #11, #13, and #14 were stacked on #10. When #10 squash-merged and its
branch was deleted, GitHub closed/merged the rest of the stack into the
deleted feature branches, so their content never reached main: financial
and healthcare shipped the unparseable advice{} Cedar policies, agents
called endpoints that do not exist, the mock servers and the cmcp verify
tamper demo were missing.

This restores the verified stack tip for the four original examples plus
.gitignore, with em dashes scrubbed per repo style, and merges the root
README: corrected table and 3-terminal quickstart from the stack, plus the
industrial-embodied-ai row with the #18 wording.

Verified before commit: all Cedar bundles parse and produce the documented
decisions (workflow-scoped allow, escalation/HITL deny, default deny), and
all catalog entries validate against the cmcp schema.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant