feat(security): add agent fail-closed POC smoke suite

[bb-connor]

Summary

• add deterministic fail-closed POCs for codex, claude-code, engine-local, and engine-remote adapters
• add regression tests proving blocked paths do not execute dispatcher side effects and engine transport failures deny closed
• add CI smoke job (agent-fail-closed-smoke) that runs all POCs and uploads a consolidated report artifact
• document the suite in adapter READMEs and docs/reports/agent-fail-closed-pocs.md

Validation

• npm --prefix packages/adapters/clawdstrike-adapter-core ci && npm --prefix packages/adapters/clawdstrike-adapter-core run build
• npm --prefix packages/adapters/clawdstrike-codex ci && npm --prefix packages/adapters/clawdstrike-codex run build && npm --prefix packages/adapters/clawdstrike-codex test
• npm --prefix packages/adapters/clawdstrike-claude-code ci && npm --prefix packages/adapters/clawdstrike-claude-code run build && npm --prefix packages/adapters/clawdstrike-claude-code test
• npm --prefix packages/adapters/clawdstrike-hush-cli-engine ci && npm --prefix packages/adapters/clawdstrike-hush-cli-engine run build && npm --prefix packages/adapters/clawdstrike-hush-cli-engine test
• npm --prefix packages/adapters/clawdstrike-hushd-engine ci && npm --prefix packages/adapters/clawdstrike-hushd-engine run build && npm --prefix packages/adapters/clawdstrike-hushd-engine test
• node tools/scripts/agent-fail-closed-smoke.mjs

---

Note

Medium Risk
Adds new CI gating suites and new fail-closed regression coverage across adapters and policy evaluation; risk is mainly CI flakiness/runtime increases and potential false negatives/positives in security checks.

Overview
Expands CI security gating by adding a policy-torture job that runs a new battery of policy stress suites (merge semantics, posture transitions, guard coverage, extends loop/depth failures) and uploads stable JSON reports; check now depends on this new gate.

Adds deterministic fail-closed verification for agent adapters: new per-adapter POC scripts (poc:fail-closed) plus a consolidated agent-fail-closed-smoke CI job that runs all POCs, generates docs/reports/agent-fail-closed-smoke.{json,md}, and uploads them as artifacts.

Tightens regression coverage in code/tests by adding Rust IRM test coverage for path extraction precedence (filesystem_irm_prefers_object_path_over_pathlike_string_arg) and new adapter unit tests ensuring blocked tool calls never execute dispatcher side effects, plus engine tests that deny with engine_error on spawn/network failures.

^{Written by Cursor Bugbot for commit f1cb98b. This will update automatically on new commits. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b781d9a513

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[bb-connor]

Added follow-up security testing changes in commit 723ca342.

• Added policy-torture PR gate to CI in .github/workflows/ci.yml and made check depend on it.
• Added JSON artifact upload for audit traceability: tests/policy-torture/reports/*.json.
• Added torture edge-case coverage in tests/policy-torture/run.sh:
  • extends loop detection stress
  • extends depth-limit stress
  • mixed path token precedence regression execution
• Added IRM regression test filesystem_irm_prefers_object_path_over_pathlike_string_arg in crates/libs/clawdstrike/src/irm/fs.rs.

Validation run:

• bash tests/policy-torture/run.sh (pass)
• cargo test -p clawdstrike --lib irm::fs::tests::filesystem_irm_prefers_object_path_over_pathlike_string_arg -- --exact (pass)

[bb-connor]

Addressed all currently unresolved PR #63 review threads in 22e492cc.

Changes made

• Fixed fail-closed POC catch semantics in both adapters to avoid catch-shadowing false diagnostics:
  • packages/adapters/clawdstrike-codex/examples/fail-closed-poc/run.mjs
  • packages/adapters/clawdstrike-claude-code/examples/fail-closed-poc/run.mjs
• Removed unnecessary CI serialization:
  • changed check.needs back to security-regressions only in .github/workflows/ci.yml
• Hardened smoke artifact upload:
  • added if-no-files-found: error to agent-fail-closed-smoke artifact upload step.

Validation

• node --check packages/adapters/clawdstrike-codex/examples/fail-closed-poc/run.mjs
• node --check packages/adapters/clawdstrike-claude-code/examples/fail-closed-poc/run.mjs
• node packages/adapters/clawdstrike-codex/examples/fail-closed-poc/run.mjs
• node packages/adapters/clawdstrike-claude-code/examples/fail-closed-poc/run.mjs

[bb-connor]

@codex

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Can't wait for the next one!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[bb-connor]

Addressed in f1cb98b7.

• Updated .github/workflows/ci.yml so check now explicitly depends on both security-regressions and policy-torture:
  • needs: [security-regressions, policy-torture]

This restores the intended behavior where the policy torture PR gate blocks the check path and downstream jobs.