feat: add gitea agentic runtime control plane

tests/unit/test_policies.py

@@ -0,0 +1,34 @@
+from __future__ import annotations
+
+import pytest
+
+from engine.devops_agent.policies import PolicyViolation, RuntimePolicy
+
+
+def test_policy_allows_declared_safe_output() -> None:
+    policy = RuntimePolicy(
+        safe_outputs={"add_comment": {"max": 2}},
+        path_scope=["engine/devops_agent/", "README.md"],
+    )
+
+    policy.assert_operation_allowed("add_comment")
+
+
+def test_policy_rejects_undeclared_write_action() -> None:
+    policy = RuntimePolicy(
+        safe_outputs={"add_comment": {"max": 2}},
+        path_scope=[],
+    )
+
+    with pytest.raises(PolicyViolation, match="close_issue"):
+        policy.assert_operation_allowed("close_issue")
+
+
+def test_policy_rejects_paths_outside_scope() -> None:
+    policy = RuntimePolicy(
+        safe_outputs={"write_file": {"max": 5}},
+        path_scope=["engine/devops_agent/"],
+    )
+
+    with pytest.raises(PolicyViolation, match="outside allowed path scope"):
+        policy.assert_path_allowed("skills/gitea-issue-devops-agent/SKILL.md")