Add biometric authentication guard for critical configuration changes #191

@danieljustus

Goal

Add a biometric authentication (Touch ID / Face ID) guard before critical configuration changes such as agent tier upgrades, auth method changes, and other destructive operations. Currently, anyone with access to the MacBook can instruct the agent to change settings, and the agent will execute them without additional identity verification.

Why now

Security gap: Touch ID is already implemented for vault unlock (internal/session/touchid_darwin.go, internal/session/biometric.go), but critical configuration changes like agent tier upgrades (cmd/mcp/agent_upgrade.go) only require a simple y/N confirmation or the --yes flag. There is no biometric or passphrase re-authentication before these high-impact operations.

Evidence:

  • cmd/mcp/agent_upgrade.go — tier upgrades use confirmUpgrade() (interactive y/N) or --yes flag, no biometric challenge
  • internal/mcp/server/tools_auth.go — set_auth_method tool allows disabling Touch ID via MCP if agent has canManageConfig
  • internal/policy/types.go — ActionRequireBiometry policy action exists but is not enforced for config changes
  • internal/mcp/server/approval_helper.go — approval system only uses TTY prompts, not biometric auth

Current state / Evidence

  • Touch ID / biometric auth: implemented for vault unlock only (internal/session/touchid_darwin.go, internal/session/biometric.go)
  • Agent tier upgrades: cmd/mcp/agent_upgrade.go — interactive confirmation only
  • Auth method changes via MCP: internal/mcp/server/tools_auth.go — guarded by canManageConfig() only
  • Policy engine: internal/policy/ — supports ActionRequireBiometry but not wired to config operations
  • Approval system: internal/mcp/server/approval_helper.go — TTY-based, no biometric integration

References:

  • internal/session/touchid_darwin.go
  • internal/session/biometric.go
  • cmd/mcp/agent_upgrade.go
  • internal/mcp/server/tools_auth.go
  • internal/policy/types.go
  • internal/mcp/server/approval_helper.go

In Scope

  • Define "critical operations" list (e.g., tier upgrades, auth method changes, profile deletion if implemented, token revocation)
  • Integrate biometric authentication (BiometricAuthenticator.Authenticate()) before critical operations on macOS
  • Fallback to passphrase re-prompt on non-macOS platforms or when Touch ID is unavailable
  • Wire ActionRequireBiometry policy action into config-change code paths
  • Update MCP tool handlers to require biometric approval for critical config changes
  • Add --biometric / --no-biometric flags to CLI commands that perform critical changes
  • Ensure the biometric prompt shows the exact operation being performed (agent name, tier change, auth method)

Out of Scope

  • Replacing existing vault unlock biometric flow (keep as-is)
  • Adding biometric to every password retrieval (only for config changes)
  • Non-critical operations like listing entries or reading values
  • Mobile app implementation (this is a Go CLI tool)

Acceptance criteria

  • Running openpass agent upgrade <name> --tier admin triggers Touch ID prompt on macOS before applying changes
  • MCP set_auth_method tool requires biometric approval when changing away from Touch ID
  • Non-macOS platforms fall back to passphrase re-prompt with clear explanation
  • --yes flag is rejected for critical operations unless --no-biometric is also passed (or similar escape hatch)
  • All critical config changes are audit-logged with biometric success/failure status
  • Policy engine ActionRequireBiometry is enforced for config operations matching configured rules
  • Existing tests pass; new tests added for biometric guard on critical operations

Risks / Dependencies

  • CGo + macOS build requirement for Touch ID (already in place)
  • User experience: some users may find biometric prompts for config changes intrusive — provide opt-out via config
  • Backward compatibility: scripts using --yes for automation will need updating
  • Edge case: headless environments (CI, SSH) need graceful fallback to passphrase or --no-biometric flag
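
A sketch of the guard decision the acceptance criteria describe, added here as an example and not taken from the OpenPass code base. `Prompt`, `Request`, `AuditEntry` and `Guard` are hypothetical names and the sample operation string is constructed. It assumes `--no-biometric` on its own means "use the passphrase re-prompt" and that a failed Touch ID check denies the change instead of falling back.

```go
package main

import (
	"errors"
	"fmt"
)

// Prompt is a hypothetical hook for one identity check (Touch ID or passphrase
// re-prompt); nil means unavailable on this host. Not the project's real API.
type Prompt func(reason string) error

// Request carries the exact operation text shown in the prompt and the CLI flags.
type Request struct {
	Operation        string
	Yes, NoBiometric bool // --yes, --no-biometric
}
// AuditEntry is a constructed record shape: what was attempted, how, and the outcome.
type AuditEntry struct{ Operation, Method string; Allowed bool }
var ErrYesNeedsOptOut = errors.New("--yes on a critical operation requires --no-biometric")

// Guard fails closed and returns an audit entry for every attempt.
func Guard(req Request, bio, pass Prompt) (AuditEntry, error) {
	e := AuditEntry{Operation: req.Operation, Method: "none"}
	if req.Yes && !req.NoBiometric {
		return e, ErrYesNeedsOptOut // unattended run without the explicit escape hatch
	}
	if req.Yes {
		e.Method, e.Allowed = "opt-out", true // automation path, still audit-logged
		return e, nil
	}
	auth := pass
	e.Method = "passphrase" // non-macOS, headless, or --no-biometric
	if !req.NoBiometric && bio != nil {
		auth, e.Method = bio, "biometric"
	}
	if auth == nil {
		return e, errors.New("no re-authentication method available")
	}
	if err := auth(req.Operation); err != nil {
		return e, fmt.Errorf("%s check failed for %q: %w", e.Method, req.Operation, err)
	}
	e.Allowed = true
	return e, nil
}

func main() {
	e, err := Guard(Request{Operation: "agent upgrade ci-bot: tier -> admin"}, nil, func(string) error { return nil })
	fmt.Printf("%+v err=%v\n", e, err) // Touch ID unavailable, passphrase accepted
}
```

The caller would write the returned `AuditEntry` to the audit log whether or not the error is nil, so denied and rejected attempts are recorded too.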
