CDX-301i · Module 3

Approval Workflows & Access Control


Approval workflows control which tasks agents can execute autonomously and which require human authorization. The principle is least privilege: agents should have the minimum permissions required for their task, and high-impact actions should require explicit approval. A code review agent can run autonomously — it only reads code and posts comments. A deployment agent requires approval — it modifies production infrastructure.

Access control for agent systems operates at three layers. Task-level access: which task types can an agent execute? A review agent should not be able to execute fix tasks. Resource-level access: which repositories, branches, and environments can an agent access? A staging agent should not access production. Action-level access: which operations can an agent perform? An agent with read access should not be able to push commits. Each layer is configured independently and enforced by the dispatcher, not by the agents themselves — agents should not be trusted to enforce their own access controls.

```python
from dataclasses import dataclass

@dataclass
class AccessPolicy:
    agent_type: str
    allowed_tasks: list[str]
    allowed_repos: list[str]
    allowed_branches: list[str]
    allowed_actions: list[str]
    requires_approval: list[str]  # Actions needing human OK

POLICIES = {
    "reviewer": AccessPolicy(
        agent_type="reviewer",
        allowed_tasks=["review", "analyze"],
        allowed_repos=["*"],
        allowed_branches=["*"],
        allowed_actions=["read", "comment"],
        requires_approval=[],  # Fully autonomous
    ),
    "implementer": AccessPolicy(
        agent_type="implementer",
        allowed_tasks=["implement", "fix", "refactor"],
        allowed_repos=["*"],
        allowed_branches=["feature/*", "fix/*"],
        allowed_actions=["read", "write", "commit"],
        requires_approval=["commit"],  # Needs approval to commit
    ),
    "deployer": AccessPolicy(
        agent_type="deployer",
        allowed_tasks=["deploy"],
        allowed_repos=["infra"],
        allowed_branches=["main"],
        allowed_actions=["read", "write", "deploy"],
        requires_approval=["deploy"],  # Always needs approval
    ),
}
```

  1. Classify actions by risk. List every action agents can perform (read, write, commit, deploy, delete) and classify by impact. Read is low risk; deploy to production is high risk.
  2. Map policies to agent types. Each agent type gets an access policy: allowed tasks, repos, branches, and actions. Reviewer = read-only, implementer = write with approval, deployer = deploy with approval.
  3. Enforce at the dispatcher. Access control is enforced by the dispatcher before task assignment — not by the agent during execution. Agents that bypass their policy should be flagged and terminated.
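
A dispatcher-side check for step 3, covering all three layers plus the approval gate. This is an added example, not code from the course: `authorize`, `Decision`, the `approved` parameter and the compact `Policy` copy of the page's `AccessPolicy` fields are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase

class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"
    DENY = "deny"

@dataclass(frozen=True)
class Policy:  # hypothetical compact copy of the page's AccessPolicy fields
    allowed_tasks: tuple
    allowed_repos: tuple
    allowed_branches: tuple
    allowed_actions: tuple
    requires_approval: tuple

# Two of the page's policies, restated so this block runs on its own.
POLICIES = {
    "implementer": Policy(("implement", "fix", "refactor"), ("*",),
                          ("feature/*", "fix/*"), ("read", "write", "commit"),
                          ("commit",)),
    "deployer": Policy(("deploy",), ("infra",), ("main",),
                       ("read", "write", "deploy"), ("deploy",)),
}

def _matches(value, patterns):
    # Case-sensitive glob match; note that "*" also spans "/" in fnmatch.
    return any(fnmatchcase(value, p) for p in patterns)

def authorize(agent_type, task, repo, branch, actions, approved=frozenset()):
    """Run by the dispatcher before assignment; returns (Decision, reason)."""
    policy = POLICIES.get(agent_type)
    if policy is None:
        return Decision.DENY, "unknown agent type"  # default deny
    if task not in policy.allowed_tasks:
        return Decision.DENY, f"task {task!r} not allowed"
    if not _matches(repo, policy.allowed_repos):
        return Decision.DENY, f"repo {repo!r} not allowed"
    if not _matches(branch, policy.allowed_branches):
        return Decision.DENY, f"branch {branch!r} not allowed"
    denied = [a for a in actions if a not in policy.allowed_actions]
    if denied:  # checked before approvals: approval cannot widen a policy
        return Decision.DENY, f"actions not allowed: {denied}"
    pending = [a for a in actions
               if a in policy.requires_approval and a not in approved]
    if pending:
        return Decision.NEEDS_APPROVAL, f"awaiting human approval: {pending}"
    return Decision.ALLOW, "within policy"
```

The `approved` set is supplied by the dispatcher from its own approval records, never by the agent, and an approval for an action outside `allowed_actions` is still denied.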