
feat(core): add authority policy obstruction vocabulary#335

Merged
flyingrobots merged 3 commits into main from stack/authority-policy-obstruction-vocabulary on May 13, 2026

Conversation

flyingrobots (Owner) commented May 13, 2026

Summary

Adds the next Echo authority-ladder slice: obstruction vocabulary for authority policy evaluation.

This PR keeps the grant-intent path obstruction-only while naming the policy failure surfaces Echo must eventually witness:

  • InvalidDelegation
  • ScopeEscalation
  • ReplayOrDuplicateIntent
  • UnsupportedAuthorityPolicy

The core doctrine remains:

policy shape != trusted governance

What this proves

  • malformed grant intents obstruct
  • missing issuer authority obstructs
  • invalid delegation obstructs
  • scope escalation obstructs
  • replay/duplicate intent obstructs
  • unsupported policy obstructs
  • no accepted receipt exists
  • no grant is admitted
  • no invocation success path exists

What this is not

  • not real authority policy implementation
  • not grant validation
  • not grant admission
  • not AdmissionTicket emission
  • not LawWitness emission
  • not runtime execution
  • not scheduler, WASM, app noun, or Continuum work

Verification

RED:

cargo test -p warp-core capability_grant_intent
# failed before core updates because AuthorityPolicyEvaluation and the new obstruction variants did not exist

GREEN / validation:

cargo test -p warp-core capability_grant_intent
cargo test -p warp-core optic_invocation
cargo check -p warp-core
scripts/ban-nondeterminism.sh
git diff --check
npx markdownlint-cli2 docs/design/optic-capability-grant-registry.md CHANGELOG.md

Push gate also passed: fmt, guards, clippy-core, tests-warp-core, rustdoc.

Summary by CodeRabbit

  • New Features

    • Enhanced capability grant intent handling: now detects replay/duplicate intents, invalid delegations, scope escalations, missing-issuer and malformed intents, and records intents more deterministically via policy-shaped evaluation.
  • Documentation

    • Updated design docs and changelog to describe the expanded obstruction categories and policy-evaluation posture.
  • Tests

    • Expanded regression tests to cover the new obstruction outcomes and recording behavior.


coderabbitai Bot (Contributor) commented May 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1fae8bc9-4068-487c-93d9-cf49cbc0c9b0

📥 Commits

Reviewing files that changed from the base of the PR and between d70ef0b and e3ac10d.

📒 Files selected for processing (1)
  • docs/design/optic-capability-grant-intent-boundary.md

📝 Walkthrough

This PR extends the capability grant intent boundary by introducing an obstruction-only AuthorityPolicyEvaluation model on AuthorityContext, adds InvalidDelegation, ScopeEscalation, and ReplayOrDuplicateIntent obstruction variants, updates classification logic to map policy evaluation states to specific obstructions before deterministic recording, expands test coverage, and synchronizes specification documents.

Changes

Capability Grant Intent Obstruction Expansion

| Layer | File(s) | Summary |
| :--- | :--- | :--- |
| Authority Policy Evaluation Model | `crates/warp-core/src/optic_artifact.rs` | Introduces AuthorityPolicyEvaluation enum as an obstruction-only posture and adds policy_evaluation field to AuthorityContext. Extends CapabilityGrantIntentObstruction with InvalidDelegation, ScopeEscalation, and ReplayOrDuplicateIntent variants to replace DuplicateGrantIntent. |
| Obstruction Classification and Recording Logic | `crates/warp-core/src/optic_artifact.rs` | Classification now detects ReplayOrDuplicateIntent when intent ID exists, then maps authority_context.policy_evaluation and policy presence to InvalidDelegation, ScopeEscalation, or UnsupportedAuthorityPolicy. Submit logic uses records_submitted_intent(obstruction) predicate instead of direct enum comparison. |
| Public API Exports | `crates/warp-core/src/lib.rs` | Re-exports AuthorityPolicyEvaluation from optic_artifact as public API. |
| Test Coverage for Obstruction Variants | `crates/warp-core/tests/capability_grant_intent_tests.rs` | Updates fixture to set policy_evaluation: Unsupported. Adds regression tests for ReplayOrDuplicateIntent (dual submission), InvalidDelegation, ScopeEscalation, and UnsupportedAuthorityPolicy. Rewrites comprehensive "never makes grant authority" test to cover malformed, missing-issuer, invalid-delegation, scope-escalation, replay, and unsupported-policy paths. |
| Specification Alignment | `docs/design/optic-capability-grant-intent-boundary.md` | Updates design document with AuthorityPolicyEvaluation enumeration, extends AuthorityContext with policy_evaluation field, updates CapabilityGrantIntentObstruction variant list, and expands sequence/class diagrams to show explicit obstruction branches for replay/duplicate, missing issuer, invalid delegation, and scope escalation. |
| Changelog Update | `CHANGELOG.md` | Updates unreleased entry to reference CapabilityGrantIntentGate and enumerate deterministic recording of well-formed intents with explicit obstructions for malformed, missing-issuer, invalid-delegation, scope-escalation, replay/duplicate, and unsupported-policy cases. |

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels: tooling

🎮 Authority obstructions now obstruct with reason,
Replays caught, delegations checked with season,
Policy evaluations map to variants true,
Recording only what the gate deems due.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| :--- | :--- | :--- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: introducing authority policy obstruction vocabulary (InvalidDelegation, ScopeEscalation, ReplayOrDuplicateIntent, UnsupportedAuthorityPolicy) to the authority evaluation system. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


flyingrobots (Owner, Author) commented:

🔍 Static Audit Results

| Filepath | Line(s) | Severity | Classification | Description |
| :--- | :--- | :--- | :--- | :--- |
| `crates/warp-core/src/optic_artifact.rs` | `L435-449` | Major | Logic Error / Admission Semantics | Empty `AuthorityPolicy.policy_id` is not rejected before policy evaluation, so an incomplete policy context can still classify as `InvalidDelegation` or `ScopeEscalation` instead of unsupported policy. |
| `crates/warp-core/tests/capability_grant_intent_tests.rs` | `L216-253` | Minor | Test Coverage Drift | The broad `never_makes_grant_authority` invariant does not exercise the new `InvalidDelegation`, `ScopeEscalation`, or `ReplayOrDuplicateIntent` obstruction surfaces added by this branch. |
| `docs/design/optic-capability-grant-registry.md` | `L4-7` | Nit | Naming / Documentation Drift | The file path still says `registry` while the document title and current doctrine describe an intent boundary, preserving stale CRUD vocabulary in a design-map location. |

Cc: @codex — please review the evidence bundles above and confirm validation alignment.

chatgpt-codex-connector Bot left a comment:

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5205e750c3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread on crates/warp-core/src/optic_artifact.rs (outdated), lines +435 to +436:

```rust
if authority_context.policy.is_none() {
    return CapabilityGrantIntentObstruction::UnsupportedAuthorityPolicy;
```

P1: Reject empty policy IDs before policy evaluation

In classify_capability_grant_intent, policy presence is validated only with authority_context.policy.is_none(), so Some(AuthorityPolicy { policy_id: "" }) falls through to policy_evaluation and can be classified as InvalidDelegation or ScopeEscalation instead of an unsupported/malformed policy context. This changes admission semantics (the intent ID is then recorded for replay blocking via records_submitted_intent) and produces misleading obstruction outcomes for incomplete authority contexts; validate non-empty policy_id before entering the evaluation match.

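The classification path the Codex comment describes, as an added Rust example that is not warp-core's code. Type and function names are taken from this PR (AuthorityPolicyEvaluation, AuthorityContext, AuthorityPolicy.policy_id, CapabilityGrantIntentObstruction, records_submitted_intent, classify_capability_grant_intent, CapabilityGrantIntentGate); their shapes, the MalformedIntent and MissingIssuerAuthority variant names, and the rule for which outcomes record the intent ID are assumptions. It applies the fix the comment asks for: an empty policy_id obstructs as UnsupportedAuthorityPolicy before the evaluation match, so it is never recorded for replay blocking.

```rust
use std::collections::BTreeSet;
// Names come from the PR; shapes are reconstructed, not warp-core's own types.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AuthorityPolicyEvaluation { Unsupported, InvalidDelegation, ScopeEscalation }
pub struct AuthorityPolicy { pub policy_id: String }
pub struct AuthorityContext {
    pub issuer: Option<String>,
    pub policy: Option<AuthorityPolicy>,
    pub policy_evaluation: AuthorityPolicyEvaluation,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CapabilityGrantIntentObstruction {
    MalformedIntent,
    MissingIssuerAuthority,
    InvalidDelegation,
    ScopeEscalation,
    ReplayOrDuplicateIntent,
    UnsupportedAuthorityPolicy,
}
use CapabilityGrantIntentObstruction as O;
/// Gate state is only the recorded intent IDs; it never holds a grant.
#[derive(Default)]
pub struct CapabilityGrantIntentGate { seen: BTreeSet<String> }

/// Outcomes that record the intent ID so a resubmission obstructs as replay
/// (assumption: only intents that reached policy evaluation are recorded).
pub fn records_submitted_intent(o: O) -> bool {
    matches!(o, O::InvalidDelegation | O::ScopeEscalation)
}

pub fn classify_capability_grant_intent(id: &str, ctx: &AuthorityContext, seen: &BTreeSet<String>) -> O {
    if id.is_empty() { return O::MalformedIntent; }
    if seen.contains(id) { return O::ReplayOrDuplicateIntent; }
    if ctx.issuer.as_deref().map_or(true, str::is_empty) { return O::MissingIssuerAuthority; }
    // Review fix: `policy.is_none()` alone let `Some(AuthorityPolicy { policy_id: "" })`
    // reach evaluation; an empty policy_id is an unsupported policy shape.
    if ctx.policy.as_ref().map_or(true, |p| p.policy_id.is_empty()) {
        return O::UnsupportedAuthorityPolicy;
    }
    match ctx.policy_evaluation {
        AuthorityPolicyEvaluation::InvalidDelegation => O::InvalidDelegation,
        AuthorityPolicyEvaluation::ScopeEscalation => O::ScopeEscalation,
        AuthorityPolicyEvaluation::Unsupported => O::UnsupportedAuthorityPolicy,
    }
}

impl CapabilityGrantIntentGate {
    /// Every submission returns an obstruction; there is no success path.
    pub fn submit(&mut self, id: &str, ctx: &AuthorityContext) -> O {
        let o = classify_capability_grant_intent(id, ctx, &self.seen);
        if records_submitted_intent(o) { self.seen.insert(id.to_owned()); }
        o
    }
}
```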

flyingrobots (Owner, Author) commented:

🔧 Static Audit Resolution

| Issue | Severity | Addressed by | Regression coverage | Outcome |
| :--- | :--- | :--- | :--- | :--- |
| Empty `AuthorityPolicy.policy_id` could over-classify as `InvalidDelegation` / `ScopeEscalation` instead of unsupported policy shape. | Major | d70ef0b | `capability_grant_intent_obstructs_missing_policy_identity_as_unsupported_policy`; `cargo test -p warp-core capability_grant_intent` | Missing policy identity now obstructs as `UnsupportedAuthorityPolicy` before policy evaluation posture is considered. |
| Broad never-authority invariant omitted new obstruction surfaces. | Minor | d70ef0b | `capability_grant_intent_never_makes_grant_authority`; `cargo test -p warp-core capability_grant_intent` | Invariant now covers malformed, missing issuer, invalid delegation, scope escalation, replay/duplicate, and unsupported policy. |
| Design doc path preserved stale registry vocabulary. | Nit | d70ef0b | `test ! -e docs/design/optic-capability-grant-registry.md && test -e docs/design/optic-capability-grant-intent-boundary.md`; `npx markdownlint-cli2 docs/design/optic-capability-grant-intent-boundary.md CHANGELOG.md` | Doc renamed to `docs/design/optic-capability-grant-intent-boundary.md`; no stale path references remain. |

Validation also passed:

cargo check -p warp-core
scripts/ban-nondeterminism.sh
git diff --check
push gate: fmt, guards, clippy-core, tests-warp-core, rustdoc

coderabbitai Bot (Contributor) left a comment:

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
docs/design/optic-capability-grant-intent-boundary.md (2)

250-253: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

AuthorityContext documentation is missing policy_evaluation.

Line 250-253 (ER model) and Line 308-309 (narrative) still describe AuthorityContext as issuer + policy only, but this spec now introduces policy_evaluation (Line 165) and uses it in obstruction classification. Please add it to keep the model deterministic and unambiguous across sections.

As per coding guidelines, "Documentation accuracy matters — especially anything touching determinism guarantees, hash stability, or canonical ordering. Flag factual errors and stale cross-references."

Also applies to: 308-309

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/optic-capability-grant-intent-boundary.md` around lines 250 -
253, The AuthorityContext ER model and narrative are missing the new
policy_evaluation field; update the AuthorityContext definition and accompanying
narrative to include policy_evaluation (the same structure introduced earlier)
so all references (e.g., AuthorityContext, policy_evaluation, obstruction
classification) are consistent and deterministic across the document; ensure the
ER block adds policy_evaluation with its type and the explanatory paragraph
mentions how policy_evaluation is used for evaluation/hash stability and ties
into obstruction classification semantics.

318-318: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use replay/duplicate terminology consistently.

Line 318 says classifies duplicate grant intents, but the updated obstruction vocabulary is ReplayOrDuplicateIntent. This is stale wording and narrows the documented behavior.

As per coding guidelines, "Documentation accuracy matters — especially anything touching determinism guarantees, hash stability, or canonical ordering. Flag factual errors and stale cross-references."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/design/optic-capability-grant-intent-boundary.md` at line 318, The
phrase "classifies duplicate grant intents" is stale — update the wording to use
the new obstruction vocabulary (e.g., "ReplayOrDuplicateIntent" or
"replay/duplicate intent") and broaden the description so it no longer narrows
behavior; specifically, replace the phrase with language that references
ReplayOrDuplicateIntent and clarifies it covers both replayed and duplicate
intents rather than only "duplicate grant intents" (search for the exact phrase
and edit the surrounding sentence to match the current terminology and scope).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ec580a6d-406f-4e66-8128-72a2d022f23c

📥 Commits

Reviewing files that changed from the base of the PR and between a52a795 and d70ef0b.

📒 Files selected for processing (5)
  • CHANGELOG.md
  • crates/warp-core/src/lib.rs
  • crates/warp-core/src/optic_artifact.rs
  • crates/warp-core/tests/capability_grant_intent_tests.rs
  • docs/design/optic-capability-grant-intent-boundary.md

flyingrobots (Owner, Author) commented:

🔧 CodeRabbit docs feedback resolved

| Issue | Severity | Addressed by | Regression coverage | Outcome |
| :--- | :--- | :--- | :--- | :--- |
| `AuthorityContext` ER/narrative omitted `policy_evaluation`. | Major | e3ac10d | `sed -n '250,254p' docs/design/optic-capability-grant-intent-boundary.md \| rg -n "policy_evaluation"`; `npx markdownlint-cli2 docs/design/optic-capability-grant-intent-boundary.md` | ER model and narrative now include `policy_evaluation` as obstruction-classification posture, not trusted governance. |
| Stale “duplicate grant intents” wording did not match `ReplayOrDuplicateIntent`. | Minor | e3ac10d | `rg -n "classifies duplicate grant intents" docs/design/optic-capability-grant-intent-boundary.md` returns no matches; `git diff --check` | Wording now uses replay/duplicate terminology and names `ReplayOrDuplicateIntent`. |

@flyingrobots flyingrobots merged commit a27ac47 into main May 13, 2026
32 checks passed
@flyingrobots flyingrobots deleted the stack/authority-policy-obstruction-vocabulary branch May 13, 2026 13:04