Add TEE-side child path access policies

[crossagent-production-app]

Links #7

Adds a security-group-like child derivation path policy layer for agent HDKD paths. Pair approval explicitly activates the path policy, unknown paths are denied by default, and suspend/resume endpoints can toggle JWT issuance without pretending the mathematically-derived child key relationship can be destroyed. The parent-control UI now surfaces the TEE child path policy state on the agent permission detail page.

Change:

• Added broker-side child path policy storage with default-deny checks, pair-approval activation, and suspend/resume/list APIs.
• OIDC/JWT issuance for agent_hdkd sessions now denies missing or suspended child derivation paths before chain device checks.
• Parent-control agent permissions render the TEE child path policy state, derivation path, default-deny posture, and JWT gate status.

Objective Evidence:

• cargo check -p agentkeys-broker-server: passed.
• cargo test -p agentkeys-broker-server storage::grants::tests::child_path_policy -- --nocapture: passed.
• cargo test -p agentkeys-broker-server --test agent_bootstrap_flow -- --nocapture: passed.
• npm --prefix apps/parent-control run typecheck: passed.
• env -u NODE_ENV npm --prefix apps/parent-control run build -- --no-lint: passed.
• ./provisioner-scripts/node_modules/.bin/playwright screenshot http://127.0.0.1:3113 /tmp/agentkeys-issue7-playwright-screenshot-clean.png: passed and captured the local product UI.

Visual Evidence:

• Source Screenshot Match: n.a. (source issue did not include a screenshot).
• Actual product surface captured: parent-control agent detail permissions page showing TEE child path policy, default deny, //agent-1, and JWT:ON.

Reviewer:

• CrossAgent pre-PR draft reviewer.

Risks / Not Covered:

• Suspend/resume persistence is broker SQLite policy, not on-chain extrinsics yet.
• E2E used a temporary local daemon API against the real parent-control frontend.

[crossagent-production-app]

Delivery Evidence Summary

Change:

• Added default-deny child path policy storage and JWT issuance checks.
• Added suspend/resume/list policy APIs.
• Rendered TEE child path policy state in parent-control permissions UI.

Objective Evidence:

• cargo check -p agentkeys-broker-server exit code 0, passed: broker server check completed
• cargo test -p agentkeys-broker-server storage::grants::tests::child_path_policy -- --nocapture exit code 0, passed: child path policy tests passed
• cargo test -p agentkeys-broker-server --test agent_bootstrap_flow -- --nocapture exit code 0, passed: agent bootstrap flow tests passed
• npm --prefix apps/parent-control run typecheck exit code 0, passed: parent-control TypeScript check passed
• env -u NODE_ENV npm --prefix apps/parent-control run build -- --no-lint exit code 0, passed: parent-control production build passed
• ./provisioner-scripts/node_modules/.bin/playwright screenshot http://127.0.0.1:3113 /tmp/agentkeys-issue7-playwright-screenshot-clean.png exit code 0, passed: Playwright captured the local parent-control product UI Evidence: /tmp/agentkeys-issue7-playwright-screenshot-clean.png.

Visual Evidence:

• 
• Source Screenshot Match: n.a. (source issue did not include a screenshot).
• Actual product surface: parent-control agent detail permissions page showing TEE child path policy, default deny, //agent-1, and JWT:ON.

Reviewer:

• CrossAgent pre-PR draft reviewer

Risks / Not Covered:

• Suspend/resume persistence is broker SQLite policy, not on-chain extrinsics yet
• E2E used a temporary local daemon API against the real parent-control frontend

Generated at: 2026-06-04T15:10:16.170Z