feat: implement Human Confirmation Daemon (port 6000)

Resolves #282. Part of Epic #281 (Vitalik Security).

New daemon/ package with HTTP server on port 6000:
- POST /confirm — submit high-risk action for human review
- POST /confirm/{id}/approve — approve a pending confirmation
- POST /confirm/{id}/deny — deny a pending confirmation
- GET /confirm/{id} — check status
- GET /audit — recent audit log (SQLite-backed)
- GET /health — liveness probe

Features:
- Notification dispatch via Telegram/Discord (using existing
  send_message infrastructure)
- Per-action rate limiting (configurable, default 10/hour)
- Session-scoped and global action whitelists
- Request expiration (default 5 min timeout)
- Full audit log persisted to ~/.hermes/confirmation_audit.db
- HIGH_RISK_ACTIONS set for enforcement
- CLI entry point: python -m daemon.confirmation_server

Includes integration tests (aiohttp test_utils) covering:
- Health, submit, approve, deny, status, audit
- Rate limiting, whitelist auto-approve, 409 conflict,
  404 not found, validation errors

daemon/__init__.py

@@ -0,0 +1,5 @@
+"""Hermes daemon services — long-running background processes."""
+
+from daemon.confirmation_server import ConfirmationServer
+
+__all__ = ["ConfirmationServer"]

daemon/confirmation_server.py

@@ -0,0 +1,664 @@
+"""Human Confirmation Daemon — route high-risk actions through human review.
+
+HTTP server on port 6000 that intercepts dangerous operations and holds them
+until a human approves or denies.  Integrates with the existing approval
+system (tools/approval.py) and notifies humans via Telegram/Discord/CLI.
+
+Endpoints:
+    POST /confirm                — submit a high-risk action for review
+    POST /confirm/{id}/approve   — approve a pending confirmation
+    POST /confirm/{id}/deny      — deny a pending confirmation
+    GET  /confirm/{id}           — check status of a confirmation
+    GET  /audit                  — recent audit log entries
+    GET  /health                 — liveness probe
+
+Every decision is logged to SQLite for audit.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import json
+import logging
+import os
+import sqlite3
+import threading
+import time
+import uuid
+from dataclasses import dataclass, field, asdict
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any, Dict, List, Optional
+
+logger = logging.getLogger(__name__)
+
+try:
+    from aiohttp import web
+    AIOHTTP_AVAILABLE = True
+except ImportError:
+    AIOHTTP_AVAILABLE = False
+    web = None  # type: ignore[assignment]
+
+# ---------------------------------------------------------------------------
+# Configuration
+# ---------------------------------------------------------------------------
+
+DEFAULT_HOST = "127.0.0.1"
+DEFAULT_PORT = 6000
+
+# Actions that always require human confirmation (not bypassable)
+HIGH_RISK_ACTIONS = {
+    "deploy_production",
+    "delete_data",
+    "transfer_funds",
+    "modify_permissions",
+    "shutdown_service",
+    "wipe_database",
+    "exec_remote",
+    "publish_package",
+    "rotate_keys",
+    "migrate_database",
+}
+
+# Default rate limits: max N confirmations per action type per window
+DEFAULT_RATE_LIMIT = 10       # max confirmations per action type
+RATE_LIMIT_WINDOW = 3600      # 1 hour in seconds
+
+
+# ---------------------------------------------------------------------------
+# Data model
+# ---------------------------------------------------------------------------
+
+@dataclass
+class ConfirmationRequest:
+    """A single pending or resolved confirmation."""
+    id: str
+    action: str
+    description: str
+    details: Dict[str, Any] = field(default_factory=dict)
+    requester: str = ""           # agent or user who requested
+    session_key: str = ""
+    status: str = "pending"       # pending | approved | denied | expired
+    resolved_by: str = ""
+    resolved_at: Optional[float] = None
+    created_at: float = field(default_factory=time.time)
+    timeout_seconds: int = 300    # 5 min default
+
+    def to_dict(self) -> dict:
+        d = asdict(self)
+        d["created_at_iso"] = _ts_to_iso(d["created_at"])
+        d["resolved_at_iso"] = _ts_to_iso(d["resolved_at"]) if d["resolved_at"] else None
+        return d
+
+
+def _ts_to_iso(ts: Optional[float]) -> Optional[str]:
+    if ts is None:
+        return None
+    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
+
+
+# ---------------------------------------------------------------------------
+# Audit log (SQLite)
+# ---------------------------------------------------------------------------
+
+class AuditLog:
+    """SQLite-backed audit log for all confirmation decisions."""
+
+    def __init__(self, db_path: Optional[str] = None):
+        if db_path is None:
+            home = Path(os.getenv("HERMES_HOME", Path.home() / ".hermes"))
+            home.mkdir(parents=True, exist_ok=True)
+            db_path = str(home / "confirmation_audit.db")
+        self._conn = sqlite3.connect(db_path, check_same_thread=False)
+        self._conn.execute("PRAGMA journal_mode=WAL")
+        self._conn.execute("""
+            CREATE TABLE IF NOT EXISTS audit_log (
+                id TEXT PRIMARY KEY,
+                action TEXT NOT NULL,
+                description TEXT NOT NULL,
+                details TEXT NOT NULL DEFAULT '{}',
+                requester TEXT NOT NULL DEFAULT '',
+                session_key TEXT NOT NULL DEFAULT '',
+                status TEXT NOT NULL,
+                resolved_by TEXT NOT NULL DEFAULT '',
+                created_at REAL NOT NULL,
+                resolved_at REAL,
+                resolved_at_iso TEXT,
+                created_at_iso TEXT
+            )
+        """)
+        self._conn.commit()
+
+    def log(self, req: ConfirmationRequest) -> None:
+        d = req.to_dict()
+        self._conn.execute(
+            """INSERT OR REPLACE INTO audit_log
+               (id, action, description, details, requester, session_key,
+                status, resolved_by, created_at, resolved_at,
+                resolved_at_iso, created_at_iso)
+               VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""",
+            (
+                d["id"], d["action"], d["description"],
+                json.dumps(d["details"]), d["requester"], d["session_key"],
+                d["status"], d["resolved_by"],
+                d["created_at"], d["resolved_at"],
+                d["resolved_at_iso"], d["created_at_iso"],
+            ),
+        )
+        self._conn.commit()
+
+    def recent(self, limit: int = 50) -> List[dict]:
+        rows = self._conn.execute(
+            "SELECT * FROM audit_log ORDER BY created_at DESC LIMIT ?", (limit,)
+        ).fetchall()
+        cols = [d[0] for d in self._conn.description]
+        return [dict(zip(cols, row)) for row in rows]
+
+    def close(self) -> None:
+        self._conn.close()
+
+
+# ---------------------------------------------------------------------------
+# Rate limiter
+# ---------------------------------------------------------------------------
+
+class RateLimiter:
+    """Simple sliding-window rate limiter per action type."""
+
+    def __init__(self, max_per_window: int = DEFAULT_RATE_LIMIT,
+                 window: int = RATE_LIMIT_WINDOW):
+        self._max = max_per_window
+        self._window = window
+        self._timestamps: Dict[str, List[float]] = {}  # action -> [ts, ...]
+        self._lock = threading.Lock()
+
+    def check(self, action: str) -> bool:
+        """Return True if the action is within rate limits."""
+        now = time.time()
+        with self._lock:
+            timestamps = self._timestamps.get(action, [])
+            # Prune expired
+            timestamps = [t for t in timestamps if now - t < self._window]
+            self._timestamps[action] = timestamps
+            if len(timestamps) >= self._max:
+                return False
+            timestamps.append(now)
+            return True
+
+    def remaining(self, action: str) -> int:
+        now = time.time()
+        with self._lock:
+            timestamps = self._timestamps.get(action, [])
+            timestamps = [t for t in timestamps if now - t < self._window]
+            return max(0, self._max - len(timestamps))
+
+
+# ---------------------------------------------------------------------------
+# Notification dispatcher
+# ---------------------------------------------------------------------------
+
+async def _notify_human(request: ConfirmationRequest) -> None:
+    """Send a notification about a pending confirmation to humans.
+
+    Tries Telegram first, then Discord, then falls back to log warning.
+    Uses the existing send_message infrastructure.
+    """
+    msg = (
+        f"\U0001f514 Confirmation Required\n"
+        f"Action: {request.action}\n"
+        f"Description: {request.description}\n"
+        f"Requester: {request.requester}\n"
+        f"ID: {request.id}\n\n"
+        f"Approve: POST /confirm/{request.id}/approve\n"
+        f"Deny:    POST /confirm/{request.id}/deny"
+    )
+
+    sent = False
+
+    # Try Telegram
+    try:
+        from tools.send_message_tool import _handle_send
+        result = _handle_send({
+            "target": "telegram",
+            "message": msg,
+        })
+        result_dict = json.loads(result) if isinstance(result, str) else result
+        if "error" not in result_dict:
+            sent = True
+            logger.info("Confirmation %s: notified via Telegram", request.id)
+    except Exception as e:
+        logger.debug("Telegram notify failed: %s", e)
+
+    # Try Discord if Telegram failed
+    if not sent:
+        try:
+            from tools.send_message_tool import _handle_send
+            result = _handle_send({
+                "target": "discord",
+                "message": msg,
+            })
+            result_dict = json.loads(result) if isinstance(result, str) else result
+            if "error" not in result_dict:
+                sent = True
+                logger.info("Confirmation %s: notified via Discord", request.id)
+        except Exception as e:
+            logger.debug("Discord notify failed: %s", e)
+
+    if not sent:
+        logger.warning(
+            "Confirmation %s: no messaging channel available. "
+            "Action '%s' requires human review -- check /confirm/%s",
+            request.id, request.action, request.id,
+        )
+
+
+# ---------------------------------------------------------------------------
+# Whitelist manager
+# ---------------------------------------------------------------------------
+
+class Whitelist:
+    """Configurable whitelist for actions that skip confirmation."""
+
+    def __init__(self):
+        self._allowed: Dict[str, set] = {}  # session_key -> {action, ...}
+        self._global_allowed: set = set()
+        self._lock = threading.Lock()
+
+    def is_whitelisted(self, action: str, session_key: str = "") -> bool:
+        with self._lock:
+            if action in self._global_allowed:
+                return True
+            if session_key and action in self._allowed.get(session_key, set()):
+                return True
+            return False
+
+    def add(self, action: str, session_key: str = "") -> None:
+        with self._lock:
+            if session_key:
+                self._allowed.setdefault(session_key, set()).add(action)
+            else:
+                self._global_allowed.add(action)
+
+    def remove(self, action: str, session_key: str = "") -> None:
+        with self._lock:
+            if session_key:
+                self._allowed.get(session_key, set()).discard(action)
+            else:
+                self._global_allowed.discard(action)
+
+
+# ---------------------------------------------------------------------------
+# Confirmation Server
+# ---------------------------------------------------------------------------
+
+class ConfirmationServer:
+    """HTTP server for human confirmation of high-risk actions.
+
+    Usage:
+        server = ConfirmationServer()
+        await server.start()       # blocks
+        # or:
+        server.start_background()  # non-blocking
+        ...
+        await server.stop()
+    """
+
+    def __init__(self, host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
+                 db_path: Optional[str] = None,
+                 rate_limit: int = DEFAULT_RATE_LIMIT):
+        if not AIOHTTP_AVAILABLE:
+            raise RuntimeError(
+                "aiohttp is required for the confirmation daemon. "
+                "Install with: pip install aiohttp"
+            )
+        self._host = host
+        self._port = port
+        self._audit = AuditLog(db_path)
+        self._rate_limiter = RateLimiter(max_per_window=rate_limit)
+        self._whitelist = Whitelist()
+        self._pending: Dict[str, ConfirmationRequest] = {}
+        self._lock = threading.Lock()
+        self._app: Optional[web.Application] = None
+        self._runner: Optional[web.AppRunner] = None
+        self._bg_thread: Optional[threading.Thread] = None
+
+    # --- Lifecycle ---
+
+    def _build_app(self) -> web.Application:
+        app = web.Application(client_max_size=1_048_576)  # 1 MB
+        app["server"] = self
+        app.router.add_post("/confirm", self._handle_submit)
+        app.router.add_post("/confirm/{req_id}/approve", self._handle_approve)
+        app.router.add_post("/confirm/{req_id}/deny", self._handle_deny)
+        app.router.add_get("/confirm/{req_id}", self._handle_status)
+        app.router.add_get("/audit", self._handle_audit)
+        app.router.add_get("/health", self._handle_health)
+        return app
+
+    async def start(self) -> None:
+        """Start the server and block until stopped."""
+        self._app = self._build_app()
+        self._runner = web.AppRunner(self._app)
+        await self._runner.setup()
+        site = web.TCPSite(self._runner, self._host, self._port)
+        await site.start()
+        logger.info(
+            "Confirmation daemon listening on http://%s:%s",
+            self._host, self._port,
+        )
+        # Run until cancelled
+        try:
+            await asyncio.Event().wait()
+        except asyncio.CancelledError:
+            pass
+        finally:
+            await self.stop()
+
+    def start_background(self) -> None:
+        """Start the server in a background thread (non-blocking)."""
+        def _run():
+            asyncio.run(self.start())
+        self._bg_thread = threading.Thread(target=_run, daemon=True)
+        self._bg_thread.start()
+
+    async def stop(self) -> None:
+        """Gracefully stop the server."""
+        if self._runner:
+            await self._runner.cleanup()
+            self._runner = None
+        self._audit.close()
+        logger.info("Confirmation daemon stopped")
+
+    # --- Internal helpers ---
+
+    def _get_request(self, req_id: str) -> Optional[ConfirmationRequest]:
+        with self._lock:
+            return self._pending.get(req_id)
+
+    def _expire_old_requests(self) -> int:
+        """Mark expired requests. Returns count expired."""
+        now = time.time()
+        expired = 0
+        with self._lock:
+            for req in list(self._pending.values()):
+                if req.status == "pending" and (now - req.created_at) > req.timeout_seconds:
+                    req.status = "expired"
+                    req.resolved_at = now
+                    req.resolved_by = "system:timeout"
+                    self._audit.log(req)
+                    expired += 1
+        return expired
+
+    # --- HTTP handlers ---
+
+    async def _handle_submit(self, request: web.Request) -> web.Response:
+        """POST /confirm -- submit a new confirmation request."""
+        try:
+            body = await request.json()
+        except Exception:
+            return web.json_response(
+                {"error": "Invalid JSON body"}, status=400
+            )
+
+        action = (body.get("action") or "").strip()
+        description = (body.get("description") or "").strip()
+        details = body.get("details") or {}
+        requester = (body.get("requester") or "agent").strip()
+        session_key = (body.get("session_key") or "").strip()
+        timeout = body.get("timeout_seconds", 300)
+
+        if not action:
+            return web.json_response(
+                {"error": "Field 'action' is required"}, status=400
+            )
+        if not description:
+            return web.json_response(
+                {"error": "Field 'description' is required"}, status=400
+            )
+
+        # Whitelist check
+        if self._whitelist.is_whitelisted(action, session_key):
+            auto_id = str(uuid.uuid4())[:8]
+            return web.json_response({
+                "id": auto_id,
+                "action": action,
+                "status": "auto_approved",
+                "message": f"Action '{action}' is whitelisted for this session",
+            })
+
+        # Rate limit check
+        if not self._rate_limiter.check(action):
+            remaining = self._rate_limiter.remaining(action)
+            return web.json_response({
+                "error": f"Rate limit exceeded for action '{action}'",
+                "remaining": remaining,
+                "window_seconds": RATE_LIMIT_WINDOW,
+            }, status=429)
+
+        # Enforce timeout bounds
+        try:
+            timeout = max(30, min(int(timeout), 3600))
+        except (ValueError, TypeError):
+            timeout = 300
+
+        # Create request
+        req = ConfirmationRequest(
+            id=str(uuid.uuid4())[:12],
+            action=action,
+            description=description,
+            details=details,
+            requester=requester,
+            session_key=session_key,
+            timeout_seconds=timeout,
+        )
+
+        with self._lock:
+            self._pending[req.id] = req
+
+        # Audit log
+        self._audit.log(req)
+
+        # Notify humans (fire-and-forget)
+        asyncio.create_task(_notify_human(req))
+
+        logger.info(
+            "Confirmation %s submitted: action=%s requester=%s",
+            req.id, action, requester,
+        )
+
+        return web.json_response({
+            "id": req.id,
+            "action": req.action,
+            "status": req.status,
+            "timeout_seconds": req.timeout_seconds,
+            "message": "Confirmation pending. Awaiting human review.",
+            "approve_url": f"/confirm/{req.id}/approve",
+            "deny_url": f"/confirm/{req.id}/deny",
+        }, status=202)
+
+    async def _handle_approve(self, request: web.Request) -> web.Response:
+        """POST /confirm/{id}/approve -- approve a pending confirmation."""
+        req_id = request.match_info["req_id"]
+        req = self._get_request(req_id)
+
+        if req is None:
+            return web.json_response(
+                {"error": f"Confirmation '{req_id}' not found"}, status=404
+            )
+
+        if req.status != "pending":
+            return web.json_response({
+                "error": f"Confirmation '{req_id}' already resolved",
+                "status": req.status,
+            }, status=409)
+
+        # Parse optional approver identity
+        try:
+            body = await request.json()
+            approver = (body.get("approver") or "api").strip()
+        except Exception:
+            approver = "api"
+
+        req.status = "approved"
+        req.resolved_by = approver
+        req.resolved_at = time.time()
+
+        # Audit log
+        self._audit.log(req)
+
+        logger.info(
+            "Confirmation %s APPROVED by %s (action=%s)",
+            req_id, approver, req.action,
+        )
+
+        return web.json_response({
+            "id": req.id,
+            "action": req.action,
+            "status": "approved",
+            "resolved_by": approver,
+            "resolved_at": req.resolved_at,
+        })
+
+    async def _handle_deny(self, request: web.Request) -> web.Response:
+        """POST /confirm/{id}/deny -- deny a pending confirmation."""
+        req_id = request.match_info["req_id"]
+        req = self._get_request(req_id)
+
+        if req is None:
+            return web.json_response(
+                {"error": f"Confirmation '{req_id}' not found"}, status=404
+            )
+
+        if req.status != "pending":
+            return web.json_response({
+                "error": f"Confirmation '{req_id}' already resolved",
+                "status": req.status,
+            }, status=409)
+
+        try:
+            body = await request.json()
+            denier = (body.get("denier") or "api").strip()
+            reason = (body.get("reason") or "").strip()
+        except Exception:
+            denier = "api"
+            reason = ""
+
+        req.status = "denied"
+        req.resolved_by = denier
+        req.resolved_at = time.time()
+
+        # Audit log
+        self._audit.log(req)
+
+        logger.info(
+            "Confirmation %s DENIED by %s (action=%s, reason=%s)",
+            req_id, denier, req.action, reason,
+        )
+
+        resp = {
+            "id": req.id,
+            "action": req.action,
+            "status": "denied",
+            "resolved_by": denier,
+            "resolved_at": req.resolved_at,
+        }
+        if reason:
+            resp["reason"] = reason
+        return web.json_response(resp)
+
+    async def _handle_status(self, request: web.Request) -> web.Response:
+        """GET /confirm/{id} -- check status of a confirmation."""
+        req_id = request.match_info["req_id"]
+        req = self._get_request(req_id)
+
+        if req is None:
+            return web.json_response(
+                {"error": f"Confirmation '{req_id}' not found"}, status=404
+            )
+
+        # Check for expiration
+        if req.status == "pending":
+            now = time.time()
+            if (now - req.created_at) > req.timeout_seconds:
+                req.status = "expired"
+                req.resolved_at = now
+                req.resolved_by = "system:timeout"
+                self._audit.log(req)
+
+        return web.json_response(req.to_dict())
+
+    async def _handle_audit(self, request: web.Request) -> web.Response:
+        """GET /audit -- recent audit log entries."""
+        try:
+            limit = int(request.query.get("limit", "50"))
+            limit = max(1, min(limit, 500))
+        except (ValueError, TypeError):
+            limit = 50
+
+        entries = self._audit.recent(limit)
+        return web.json_response({
+            "count": len(entries),
+            "entries": entries,
+        })
+
+    async def _handle_health(self, request: web.Request) -> web.Response:
+        """GET /health -- liveness probe."""
+        return web.json_response({
+            "status": "ok",
+            "pending_count": len(self._pending),
+            "timestamp": time.time(),
+        })
+
+
+# ---------------------------------------------------------------------------
+# CLI entry point
+# ---------------------------------------------------------------------------
+
+def main():
+    """Run the confirmation daemon as a standalone process."""
+    import argparse
+    logging.basicConfig(
+        level=logging.INFO,
+        format="%(asctime)s [%(name)s] %(levelname)s: %(message)s",
+    )
+
+    parser = argparse.ArgumentParser(
+        description="Hermes Human Confirmation Daemon"
+    )
+    parser.add_argument(
+        "--host", default=os.getenv("CONFIRMATION_HOST", DEFAULT_HOST),
+        help="Bind address (default: 127.0.0.1)",
+    )
+    parser.add_argument(
+        "--port", type=int,
+        default=int(os.getenv("CONFIRMATION_PORT", DEFAULT_PORT)),
+        help="Bind port (default: 6000)",
+    )
+    parser.add_argument(
+        "--db-path", default=None,
+        help="SQLite database path (default: ~/.hermes/confirmation_audit.db)",
+    )
+    parser.add_argument(
+        "--rate-limit", type=int,
+        default=int(os.getenv("CONFIRMATION_RATE_LIMIT", DEFAULT_RATE_LIMIT)),
+        help="Max confirmations per action per hour (default: 10)",
+    )
+    args = parser.parse_args()
+
+    if not AIOHTTP_AVAILABLE:
+        print("ERROR: aiohttp is required. Install with: pip install aiohttp")
+        raise SystemExit(1)
+
+    server = ConfirmationServer(
+        host=args.host,
+        port=args.port,
+        db_path=args.db_path,
+        rate_limit=args.rate_limit,
+    )
+
+    print(f"Starting Confirmation Daemon on http://{args.host}:{args.port}")
+    asyncio.run(server.start())
+
+
+if __name__ == "__main__":
+    main()

tests/test_confirmation_server.py

@@ -0,0 +1,316 @@
+"""Tests for the Human Confirmation Daemon."""
+
+import asyncio
+import json
+import time
+from unittest.mock import patch, MagicMock
+
+import pytest
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+# We import after the fixtures to avoid aiohttp import issues in test envs
+try:
+    from aiohttp import web
+    from aiohttp.test_utils import AioHTTPTestCase, unittest_run_loop
+    AIOHTTP_AVAILABLE = True
+except ImportError:
+    AIOHTTP_AVAILABLE = False
+
+if AIOHTTP_AVAILABLE:
+    from daemon.confirmation_server import (
+        ConfirmationServer,
+        ConfirmationRequest,
+        AuditLog,
+        RateLimiter,
+        Whitelist,
+        HIGH_RISK_ACTIONS,
+        DEFAULT_RATE_LIMIT,
+        RATE_LIMIT_WINDOW,
+    )
+
+
+@pytest.mark.skipif(not AIOHTTP_AVAILABLE, reason="aiohttp not installed")
+class TestRateLimiter:
+    """Unit tests for the RateLimiter."""
+
+    def test_allows_within_limit(self):
+        rl = RateLimiter(max_per_window=3, window=60)
+        assert rl.check("deploy") is True
+        assert rl.check("deploy") is True
+        assert rl.check("deploy") is True
+
+    def test_blocks_over_limit(self):
+        rl = RateLimiter(max_per_window=2, window=60)
+        assert rl.check("deploy") is True
+        assert rl.check("deploy") is True
+        assert rl.check("deploy") is False
+
+    def test_remaining_count(self):
+        rl = RateLimiter(max_per_window=5, window=60)
+        assert rl.remaining("deploy") == 5
+        rl.check("deploy")
+        assert rl.remaining("deploy") == 4
+
+    def test_separate_actions_independent(self):
+        rl = RateLimiter(max_per_window=2, window=60)
+        assert rl.check("deploy") is True
+        assert rl.check("deploy") is True
+        assert rl.check("deploy") is False
+        assert rl.check("shutdown") is True  # different action
+
+
+@pytest.mark.skipif(not AIOHTTP_AVAILABLE, reason="aiohttp not installed")
+class TestWhitelist:
+    """Unit tests for the Whitelist."""
+
+    def test_global_whitelist(self):
+        wl = Whitelist()
+        assert wl.is_whitelisted("deploy") is False
+        wl.add("deploy")
+        assert wl.is_whitelisted("deploy") is True
+
+    def test_session_scoped_whitelist(self):
+        wl = Whitelist()
+        assert wl.is_whitelisted("deploy", "session1") is False
+        wl.add("deploy", "session1")
+        assert wl.is_whitelisted("deploy", "session1") is True
+        assert wl.is_whitelisted("deploy", "session2") is False
+
+    def test_remove(self):
+        wl = Whitelist()
+        wl.add("deploy")
+        assert wl.is_whitelisted("deploy") is True
+        wl.remove("deploy")
+        assert wl.is_whitelisted("deploy") is False
+
+
+@pytest.mark.skipif(not AIOHTTP_AVAILABLE, reason="aiohttp not installed")
+class TestAuditLog:
+    """Unit tests for the AuditLog."""
+
+    def test_log_and_retrieve(self, tmp_path):
+        db = str(tmp_path / "test_audit.db")
+        log = AuditLog(db_path=db)
+
+        req = ConfirmationRequest(
+            id="test-123",
+            action="deploy_production",
+            description="Deploy v2.0 to prod",
+            requester="timmy",
+        )
+        log.log(req)
+
+        entries = log.recent(limit=10)
+        assert len(entries) == 1
+        assert entries[0]["id"] == "test-123"
+        assert entries[0]["action"] == "deploy_production"
+        assert entries[0]["status"] == "pending"
+
+        log.close()
+
+    def test_update_on_resolve(self, tmp_path):
+        db = str(tmp_path / "test_audit.db")
+        log = AuditLog(db_path=db)
+
+        req = ConfirmationRequest(
+            id="test-456",
+            action="delete_data",
+            description="Purge old records",
+        )
+        log.log(req)
+
+        # Resolve
+        req.status = "approved"
+        req.resolved_by = "alexander"
+        req.resolved_at = time.time()
+        log.log(req)
+
+        entries = log.recent(limit=10)
+        assert len(entries) == 1
+        assert entries[0]["status"] == "approved"
+        assert entries[0]["resolved_by"] == "alexander"
+
+        log.close()
+
+
+@pytest.mark.skipif(not AIOHTTP_AVAILABLE, reason="aiohttp not installed")
+class TestConfirmationRequest:
+    """Unit tests for the data model."""
+
+    def test_to_dict(self):
+        req = ConfirmationRequest(
+            id="abc123",
+            action="deploy_production",
+            description="Ship it",
+            details={"version": "2.0"},
+        )
+        d = req.to_dict()
+        assert d["id"] == "abc123"
+        assert d["status"] == "pending"
+        assert d["created_at_iso"] is not None
+        assert d["resolved_at_iso"] is None
+        assert d["details"]["version"] == "2.0"
+
+
+# ---------------------------------------------------------------------------
+# Integration tests (HTTP)
+# ---------------------------------------------------------------------------
+
+@pytest.mark.skipif(not AIOHTTP_AVAILABLE, reason="aiohttp not installed")
+class TestConfirmationHTTP(AioHTTPTestCase):
+    """Full HTTP integration tests for the ConfirmationServer."""
+
+    async def get_application(self):
+        # Suppress notification during tests
+        with patch("daemon.confirmation_server._notify_human", return_value=None):
+            server = ConfirmationServer(
+                host="127.0.0.1",
+                port=6000,
+                db_path=":memory:",
+            )
+            self._server = server
+            return server._build_app()
+
+    @unittest_run_loop
+    async def test_health(self):
+        resp = await self.client.request("GET", "/health")
+        assert resp.status == 200
+        data = await resp.json()
+        assert data["status"] == "ok"
+
+    @unittest_run_loop
+    async def test_submit_confirmation(self):
+        with patch("daemon.confirmation_server._notify_human", return_value=None):
+            resp = await self.client.request("POST", "/confirm", json={
+                "action": "deploy_production",
+                "description": "Deploy v2.0 to production",
+                "requester": "timmy",
+                "session_key": "test-session",
+            })
+        assert resp.status == 202
+        data = await resp.json()
+        assert data["status"] == "pending"
+        assert data["action"] == "deploy_production"
+        assert "id" in data
+
+    @unittest_run_loop
+    async def test_submit_missing_action(self):
+        resp = await self.client.request("POST", "/confirm", json={
+            "description": "Something",
+        })
+        assert resp.status == 400
+
+    @unittest_run_loop
+    async def test_submit_missing_description(self):
+        resp = await self.client.request("POST", "/confirm", json={
+            "action": "deploy_production",
+        })
+        assert resp.status == 400
+
+    @unittest_run_loop
+    async def test_approve_flow(self):
+        # Submit
+        with patch("daemon.confirmation_server._notify_human", return_value=None):
+            submit_resp = await self.client.request("POST", "/confirm", json={
+                "action": "deploy_production",
+                "description": "Ship it",
+            })
+        assert submit_resp.status == 202
+        submit_data = await submit_resp.json()
+        req_id = submit_data["id"]
+
+        # Approve
+        approve_resp = await self.client.request(
+            "POST", f"/confirm/{req_id}/approve",
+            json={"approver": "alexander"},
+        )
+        assert approve_resp.status == 200
+        approve_data = await approve_resp.json()
+        assert approve_data["status"] == "approved"
+        assert approve_data["resolved_by"] == "alexander"
+
+        # Check status
+        status_resp = await self.client.request("GET", f"/confirm/{req_id}")
+        assert status_resp.status == 200
+        status_data = await status_resp.json()
+        assert status_data["status"] == "approved"
+
+    @unittest_run_loop
+    async def test_deny_flow(self):
+        with patch("daemon.confirmation_server._notify_human", return_value=None):
+            submit_resp = await self.client.request("POST", "/confirm", json={
+                "action": "delete_data",
+                "description": "Wipe everything",
+            })
+        req_id = (await submit_resp.json())["id"]
+
+        deny_resp = await self.client.request(
+            "POST", f"/confirm/{req_id}/deny",
+            json={"denier": "alexander", "reason": "Too risky"},
+        )
+        assert deny_resp.status == 200
+        deny_data = await deny_resp.json()
+        assert deny_data["status"] == "denied"
+        assert deny_data["reason"] == "Too risky"
+
+    @unittest_run_loop
+    async def test_double_approve_returns_409(self):
+        with patch("daemon.confirmation_server._notify_human", return_value=None):
+            submit_resp = await self.client.request("POST", "/confirm", json={
+                "action": "deploy_production",
+                "description": "Ship it",
+            })
+        req_id = (await submit_resp.json())["id"]
+
+        await self.client.request(f"POST", f"/confirm/{req_id}/approve")
+        resp2 = await self.client.request(f"POST", f"/confirm/{req_id}/approve")
+        assert resp2.status == 409
+
+    @unittest_run_loop
+    async def test_not_found(self):
+        resp = await self.client.request("GET", "/confirm/nonexistent")
+        assert resp.status == 404
+
+    @unittest_run_loop
+    async def test_audit_log(self):
+        with patch("daemon.confirmation_server._notify_human", return_value=None):
+            await self.client.request("POST", "/confirm", json={
+                "action": "deploy_production",
+                "description": "Ship it",
+            })
+
+        resp = await self.client.request("GET", "/audit")
+        assert resp.status == 200
+        data = await resp.json()
+        assert data["count"] >= 1
+
+    @unittest_run_loop
+    async def test_rate_limit(self):
+        # Exhaust rate limit (default is 10)
+        with patch("daemon.confirmation_server._notify_human", return_value=None):
+            for i in range(10):
+                await self.client.request("POST", "/confirm", json={
+                    "action": "test_rate_action",
+                    "description": f"Request {i}",
+                })
+
+            # 11th should be rate-limited
+            resp = await self.client.request("POST", "/confirm", json={
+                "action": "test_rate_action",
+                "description": "Over the limit",
+            })
+            assert resp.status == 429
+
+    @unittest_run_loop
+    async def test_whitelist_auto_approves(self):
+        self._server._whitelist.add("safe_action")
+        resp = await self.client.request("POST", "/confirm", json={
+            "action": "safe_action",
+            "description": "This is whitelisted",
+        })
+        assert resp.status == 200
+        data = await resp.json()
+        assert data["status"] == "auto_approved"