@goplus/agentguard 1.1.26 → 1.1.28-beta.0

package/docs/codex.md

@@ -44,7 +44,8 @@ approval and includes an approval command:
 agentguard approve --action-id act_local_... --once
 ```
 
-Run that command only after the user explicitly approves, then retry the
-original action once. If the action id was not visible, inspect
+Show that command to the user before running it. Run it only after the user
+explicitly approves that exact action; do not let the agent approve its own
+blocked command proactively. Then retry the original action once. If the action id was not visible, inspect
 `agentguard approvals list --json`; use `agentguard approve --last --once`
 only when there is exactly one relevant unexpired pending approval.

package/docs/hermes.md

@@ -29,7 +29,10 @@ hooks:
     - matcher: "write_file|patch|skill_manage"
       command: "node \"/path/to/agentguard/skills/agentguard/scripts/hermes-hook.js\""
       timeout: 10
-    - matcher: "web_search|web_extract|browser_navigate"
+    - matcher: "web_search"
+      command: "node \"/path/to/agentguard/skills/agentguard/scripts/hermes-hook.js\""
+      timeout: 10
+    - matcher: "web_extract|browser_navigate"
       command: "node \"/path/to/agentguard/skills/agentguard/scripts/hermes-hook.js\""
       timeout: 10
 
@@ -55,7 +58,8 @@ or set `hooks_auto_accept: true` in `~/.hermes/config.yaml`.
 | `terminal`, `execute_code` | `exec_command` |
 | `write_file`, `patch`, `skill_manage` | `write_file` |
 | `read_file` | `read_file` |
-| `web_search`, `web_extract`, `browser_navigate` | `network_request` |
+| `web_search` | `web_search` |
+| `web_extract`, `browser_navigate` | `network_request` |
 
 ## Decisions
 

package/docs/openclaw.md

@@ -56,8 +56,9 @@ approval. The block reason includes:
 agentguard approve --action-id act_local_... --once
 ```
 
-Run that command only after the user explicitly approves, then retry the
-original action once. If the action id was not visible in the OpenClaw message,
+Show that command to the user before running it. Run it only after the user
+explicitly approves that exact action; do not let the agent approve its own
+blocked command proactively. Then retry the original action once. If the action id was not visible in the OpenClaw message,
 inspect pending approvals first:
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@goplus/agentguard",
-  "version": "1.1.26",
+  "version": "1.1.28-beta.0",
   "description": "GoPlus AgentGuard — Security guard for AI agents. Blocks dangerous commands, prevents data leaks, protects secrets. 20 detection rules, runtime action evaluation, trust registry.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/skills/agentguard/README.md

@@ -28,8 +28,9 @@ AI Agent Security Guard — protect your AI agents from dangerous commands, data
 
 When installed from SkillHub, Hermes sees the contents of this
 `skills/agentguard` directory first. Runtime hooks are not loaded from
-`SKILL.md` automatically; copy `hermes-hooks.yaml` into `~/.hermes/config.yaml`
-and replace `AGENTGUARD_SKILL_DIR` with this skill's absolute path.
+`SKILL.md` automatically. Run `agentguard init --agent hermes` to install this
+skill into `HERMES_HOME` or `~/.hermes` and merge the hook entries into
+`config.yaml`. The `hermes-hooks.yaml` file remains available for manual setups.
 
 The hook runner is `scripts/hermes-hook.js`. It uses the published
 `@goplus/agentguard` package, so run `npm install` inside this skill directory

package/skills/agentguard/SKILL.md

@@ -119,7 +119,7 @@ Connect behavior:
 
 If the user writes `/agentguard cli <args...>`, execute `agentguard <args...>` directly.
 
-When AgentGuard returns `confirm` or a block reason that includes `Approve once: agentguard approve --action-id ... --once`, do not retry the protected action until the user explicitly approves. Treat user replies such as "yes", "approve", "approved", "confirm", "confirmed", "continue", "go ahead", "execute", "run it", "同意", "确认", "批准", "继续", or "执行" as explicit approval for the most recent protected action. After approval, run exactly the provided `agentguard approve --action-id ... --once` command, then retry the original action once. If the action id is unavailable, use `agentguard approvals list --json`; only use `agentguard approve --last --once` when there is exactly one relevant unexpired pending approval. If multiple pending approvals exist, ask the user to choose a specific action id.
+When AgentGuard returns `confirm` or a block reason that includes `Approve once ... agentguard approve --action-id ... --once`, do not retry the protected action until the user explicitly approves. Show the exact approval command to the user before running it. Never run an approval command proactively, and never infer approval from context or from the agent's own plan. Treat user replies such as "yes", "approve", "approved", "confirm", "confirmed", "continue", "go ahead", "execute", "run it", "同意", "确认", "批准", "继续", or "执行" as explicit approval for the most recent protected action only after the user has seen the command and understands which action is being approved. After approval, run exactly the provided `agentguard approve --action-id ... --once` command, then retry the original action once. If the action id is unavailable, use `agentguard approvals list --json`; only use `agentguard approve --last --once` when there is exactly one relevant unexpired pending approval. If multiple pending approvals exist, ask the user to choose a specific action id.
 
 Do **not** route plain `/agentguard scan`, `/agentguard action`, `/agentguard patrol`, `/agentguard trust`, `/agentguard report`, `/agentguard config`, `/agentguard checkup`, `/agentguard checkup --json`, or natural-language requests like "run agentguard checkup" through the packaged CLI. Those are this skill's higher-level workflows. Only use the packaged CLI checkup path when the user includes `--against-advisory <id>` or explicitly writes `/agentguard cli checkup ...`.
 
@@ -142,7 +142,8 @@ template at `hermes-hooks.yaml`.
 | `pre_tool_call` | `terminal`, `execute_code` | `exec_command` |
 | `pre_tool_call` | `write_file`, `patch`, `skill_manage` | `write_file` |
 | `pre_tool_call` | `read_file` | `read_file` |
-| `pre_tool_call` | `web_search`, `web_extract`, `browser_navigate`, `browser_open`, `web_open`, `open_url`, `visit_url`, `open` | `network_request` |
+| `pre_tool_call` | `web_search` | `web_search` |
+| `pre_tool_call` | `web_extract`, `browser_navigate`, `browser_open`, `web_open`, `open_url`, `visit_url`, `open` | `network_request` |
 | `post_tool_call` | Same tools | Audit-only |
 
 Hermes `pre_tool_call` supports allow/block only. If AgentGuard returns `ask`,

package/skills/agentguard/hermes-hooks.yaml

@@ -19,7 +19,10 @@ hooks:
     - matcher: "read_file"
       command: "node \"AGENTGUARD_SKILL_DIR/scripts/hermes-hook.js\""
       timeout: 10
-    - matcher: "web_search|web_extract|browser_navigate|browser_open|web_open|open_url|visit_url|open"
+    - matcher: "web_search"
+      command: "node \"AGENTGUARD_SKILL_DIR/scripts/hermes-hook.js\""
+      timeout: 10
+    - matcher: "web_extract|browser_navigate|browser_open|web_open|open_url|visit_url|open"
       command: "node \"AGENTGUARD_SKILL_DIR/scripts/hermes-hook.js\""
       timeout: 10
 

package/skills/agentguard/scripts/action-cli.js

@@ -150,6 +150,12 @@ function buildEnvelope() {
       };
       break;
 
+    case 'web_search':
+      data = {
+        query: getArg('query') || getArg('q') || '',
+      };
+      break;
+
     case 'secret_access':
       data = {
         secret_name: getArg('secret-name') || '',

package/skills/agentguard/scripts/hermes-hook.js

@@ -182,6 +182,7 @@ function runtimeActionTypeFrom(toolName) {
     case 'read_file':
       return 'file_read';
     case 'web_search':
+      return 'web_search';
     case 'web_extract':
     case 'browser_navigate':
     case 'browser_open':