Implement working directory scope locking for ADF agents

[AlexMikhalev]

Context

ADF agents currently have unrestricted filesystem access on bigbox. There is no mechanism to prevent an agent from reading or writing files outside its assigned working directory. Piwork (ferologics/Piwork) implements a robust scope locking model: one-time bind of working folder per task, traversal/symlink escape blocking, and a dedicated scope-negative test suite.

Proposal

Scope Locking

• One-time bind: once an agent is assigned a working_dir, it is locked for the session
• Record scope_locked: bool in ManagedAgent
• Reject any attempt to change working directory after binding

Escape Prevention

• Block .. path traversal in file operation arguments
• Block symlink escapes (symlinks pointing outside scope)
• Log violations to NightwatchMonitor as security events

Scope-Negative Test Suite

• Attempt traversal: ../../../etc/passwd -- must fail
• Attempt symlink escape: create symlink pointing outside scope -- must fail
• Attempt working_dir change after lock -- must fail
• All tests must pass as prerequisites for agent deployment

Integration

• With Agent SDK (Epic: Migrate ADF Claude agents to Agent SDK #689): PostToolUse hook inspects file paths
• With subprocess model: parse file paths from structured envelope (Implement JSONL RPC envelope for agent-orchestrator communication #688)
• NightwatchMonitor: new signal type for scope violations (alongside drift and error rate)

References

• Piwork permissions model: https://github.com/ferologics/Piwork/blob/main/docs/permissions-model.md
• Piwork scope-negative tests: mise run test-scope-negative
• KB article: cto-executive-system/knowledge/external/context-engineering/piwork-desktop-ui-for-pi-agent.md
• Plan: cto-executive-system/plans/adf-architecture-improvements.md (item 2.2)
• Depends on: Implement JSONL RPC envelope for agent-orchestrator communication #688 (RPC envelope) or Epic: Migrate ADF Claude agents to Agent SDK #689 (Agent SDK)