feat(interventions): add cedar vended intervention handler

[lizradway]

Description

Adds a CedarAuthorization intervention handler that evaluates Cedar authorization policies at the tool-call boundary, providing identity-aware access control for agent tool invocations.

The handler integrates with @cedar-policy/cedar-wasm (optional peer dependency) to evaluate Cedar policies before each tool call, returning deny() or proceed() based on the policy decision.

Follows the cedar-for-agents schema generator conventions:

• One Cedar action per tool (e.g. Action::"search")
• Resource is unconstrained by default (use resourceResolver for domain-specific entities)
• Context is nested: { input: <tool args>, session: { hour_utc, call_count, environment } }

Cedar-to-tool mapping

Cedar concept	Maps to	Example
Principal	User identity from invocationState (via principalResolver)	User::"alice@acme.com"
Action	Tool name	Action::"search"
Resource	Unconstrained default, or domain object via resourceResolver	Resource::"agent" or Record::"42"
Context.input	Tool's input arguments	{ query: "report" }
Context.session	Automatic invocation metadata	{ hour_utc: 14, call_count: 3 }

Key features

• Fail-closed design — missing principal identity denies all tool calls
• File-based or inline policies — pass Cedar policy text directly or a path to a .cedar file
• Pluggable resource resolution — map tools to domain-specific Cedar resources via record or function
• Context enrichment — automatic hour_utc, call_count, environment in session context, plus custom enricher callback
• Session-aware rate limiting — built-in per-session call counters with LRU eviction
• Configurable error handling — onError: 'throw' | 'deny' | 'proceed'

Usage

import { Agent } from '@strands-agents/sdk'
import { CedarAuthorization } from '@strands-agents/sdk/vended-interventions/cedar'

const cedar = new CedarAuthorization({
  policies: './policies/agent.cedar',
  entities: './policies/entities.json',
  principalResolver: (state) => {
    if (!state.user_id) return undefined
    return { type: 'User', id: String(state.user_id) }
  },
})

const agent = new Agent({
  tools: [searchTool, deleteTool],
  interventions: [cedar],
})

await agent.invoke('Delete record 42', {
  invocationState: { user_id: 'alice@acme.com' },
})

Related Issues

• Design doc: https://github.com/strands-agents/docs/blob/main/designs/0006-cedar-authorization.md
• Intervention primitive: https://github.com/strands-agents/docs/blob/main/designs/0007-intervention-primitive.md

Documentation PR

N/A

Type of Change

New feature

Testing

How have you tested the change?

• I ran npm run check for TypeScript (type-check, tests, lint)
• 20 unit tests using real Cedar policy evaluation (no mocks) covering: permit/deny, default-deny, role-based access, rate limiting, environment restrictions, fail-closed on missing principal, malformed policy handling, resource resolution (default, record-based, function), context enrichment, file-based policy/entity loading, onError modes (throw/deny/proceed), session reset
• 3 integration tests with real Bedrock model + real cedar-wasm: policy permit, policy forbid, fail-closed
• Interactive example (examples/cedar/) tested end-to-end with 5 scenarios

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.