fix(agent): prevent Cedar NoDecision on bash commands with quotes

Cedar entity UIDs use Type::"id" format — when the resource ID
contained double quotes (e.g. git commit -m "fix bug"), the parser
failed and returned NoDecision, which fail-closed denied the call.
This blocked virtually all real git/gh commands in production.

Fix: use fixed sentinel resource IDs ("command" for execute_bash,
"file" for write_file) instead of embedding raw command/path text
in the Cedar entity UID. The deny-list policies only match on
context.command and context.file_path, never on the resource ID,
so behavior is identical.

Author: bgagent

agent/src/policy.py

@@ -131,6 +131,12 @@ def _evaluate(
         """Run a single Cedar authorization check.
 
         Returns (allowed, reason). Fails closed on NoDecision.
+
+        ``resource_id`` must be a simple identifier safe for Cedar entity
+        UID parsing (no quotes, newlines, or special chars). Callers that
+        evaluate user-supplied values (bash commands, file paths) should
+        pass a fixed sentinel and put the real value in ``context`` where
+        the policies match against it.
         """
         cedarpy = self._cedarpy
         if cedarpy is None:
@@ -194,31 +200,38 @@ def evaluate_tool_use(self, tool_name: str, tool_input: dict) -> PolicyDecision:
                 )
                 return PolicyDecision(allowed=False, reason=reason, duration_ms=elapsed)
 
-            # Additional checks for Write/Edit: check file path
+            # Additional checks for Write/Edit: check file path.
+            # Use a fixed sentinel resource_id ("file") because file paths
+            # may contain quotes/special chars that break Cedar UID parsing.
+            # The actual path is in context.file_path where policies match it.
             if tool_name in ("Write", "Edit"):
                 file_path = tool_input.get("file_path", "")
                 if file_path:
                     file_context = {**base_context, "file_path": file_path}
                     allowed, deny_reason = self._evaluate(
                         "write_file",
                         "Agent::File",
-                        file_path,
+                        "file",
                         file_context,
                     )
                     if not allowed:
                         elapsed = (time.monotonic() - start) * 1000
                         reason = deny_reason or f"Cedar policy denied write to {file_path}"
                         return PolicyDecision(allowed=False, reason=reason, duration_ms=elapsed)
 
-            # Additional checks for Bash: check command
+            # Additional checks for Bash: check command.
+            # Use a fixed sentinel resource_id ("command") because bash
+            # commands contain quotes/special chars that break Cedar UID
+            # parsing.  The actual command is in context.command where
+            # policies match it.
             if tool_name == "Bash":
                 command = tool_input.get("command", "")
                 if command:
                     bash_context = {**base_context, "command": command}
                     allowed, deny_reason = self._evaluate(
                         "execute_bash",
                         "Agent::BashCommand",
-                        command[:200],
+                        "command",
                         bash_context,
                     )
                     if not allowed:

agent/tests/test_policy.py

@@ -134,6 +134,58 @@ def test_allows_mise_run_build(self):
         assert result.allowed is True
 
 
+class TestBashCommandsWithQuotes:
+    """Commands containing double quotes must not cause NoDecision."""
+
+    def test_allows_git_commit_with_message(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        result = engine.evaluate_tool_use("Bash", {"command": 'git commit -m "fix: login bug"'})
+        assert result.allowed is True
+
+    def test_allows_git_commit_tree(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        cmd = 'git commit-tree HEAD^{tree} -m "squash"'
+        result = engine.evaluate_tool_use("Bash", {"command": cmd})
+        assert result.allowed is True
+
+    def test_allows_gh_pr_create(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        cmd = 'gh pr create --title "my PR" --body "desc"'
+        result = engine.evaluate_tool_use("Bash", {"command": cmd})
+        assert result.allowed is True
+
+    def test_allows_gh_api_post(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        cmd = 'gh api --method POST /repos/o/r/pulls -f title="PR"'
+        result = engine.evaluate_tool_use("Bash", {"command": cmd})
+        assert result.allowed is True
+
+    def test_allows_heredoc_commit(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        cmd = "git commit -m \"$(cat <<'EOF'\nFix the bug\nEOF\n)\""
+        result = engine.evaluate_tool_use("Bash", {"command": cmd})
+        assert result.allowed is True
+
+    def test_denies_force_push_with_quotes(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        result = engine.evaluate_tool_use("Bash", {"command": 'git push --force "origin" main'})
+        assert result.allowed is False
+
+
+class TestFilePathsWithSpecialChars:
+    """File paths with special characters must not cause NoDecision."""
+
+    def test_allows_path_with_quotes(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        result = engine.evaluate_tool_use("Write", {"file_path": '/workspace/it"s-a-file.ts'})
+        assert result.allowed is True
+
+    def test_denies_protected_path_with_quotes(self):
+        engine = PolicyEngine(task_type="new_task", repo="owner/repo")
+        result = engine.evaluate_tool_use("Write", {"file_path": '.github/workflows/ci"test.yml'})
+        assert result.allowed is False
+
+
 class TestExtraPolicies:
     def test_extra_forbid_applied(self):
         extra = [