@goplus/agentguard 1.1.28-beta.1 → 1.1.28

package/plugins/hermes/tests/test_failmodes.py

@@ -0,0 +1,57 @@
+"""Engine failures fail closed (pre) unless fail-open is requested."""
+
+import subprocess
+
+import pytest
+
+from helpers import make_protect_runner, register_with
+
+
+def test_timeout_fails_closed_for_mapped_tool(monkeypatch):
+    monkeypatch.delenv("AGENTGUARD_HERMES_FAIL_OPEN", raising=False)
+    runner = make_protect_runner(raises=subprocess.TimeoutExpired(cmd="agentguard", timeout=10))
+    ctx, _ = register_with(runner)
+    result = ctx.hooks["pre_tool_call"]("terminal", {"command": "git status"})
+    assert isinstance(result, dict)
+    assert result["action"] == "block"
+    assert "fail-closed" in result["message"]
+
+
+def test_os_error_fails_closed(monkeypatch):
+    monkeypatch.delenv("AGENTGUARD_HERMES_FAIL_OPEN", raising=False)
+    runner = make_protect_runner(raises=OSError("boom"))
+    ctx, _ = register_with(runner)
+    result = ctx.hooks["pre_tool_call"]("write_file", {"path": "/etc/hosts"})
+    assert isinstance(result, dict)
+    assert result["action"] == "block"
+
+
+def test_fail_open_env_allows_on_engine_error(monkeypatch):
+    monkeypatch.setenv("AGENTGUARD_HERMES_FAIL_OPEN", "1")
+    runner = make_protect_runner(raises=OSError("boom"))
+    ctx, _ = register_with(runner)
+    result = ctx.hooks["pre_tool_call"]("terminal", {"command": "git status"})
+    assert result is None
+
+
+def test_post_phase_never_blocks_on_engine_error(monkeypatch):
+    monkeypatch.delenv("AGENTGUARD_HERMES_FAIL_OPEN", raising=False)
+    runner = make_protect_runner(raises=subprocess.TimeoutExpired(cmd="agentguard", timeout=10))
+    ctx, _ = register_with(runner)
+    result = ctx.hooks["post_tool_call"]("terminal", {"command": "rm -rf /"})
+    assert result is None
+
+
+def test_malformed_output_with_block_exit_code_blocks():
+    runner = make_protect_runner(stdout="not-json", returncode=2)
+    ctx, _ = register_with(runner)
+    result = ctx.hooks["pre_tool_call"]("terminal", {"command": "rm -rf /"})
+    assert isinstance(result, dict)
+    assert result["action"] == "block"
+
+
+def test_malformed_output_with_ok_exit_code_allows():
+    runner = make_protect_runner(stdout="not-json", returncode=0)
+    ctx, _ = register_with(runner)
+    result = ctx.hooks["pre_tool_call"]("terminal", {"command": "echo hi"})
+    assert result is None

package/plugins/hermes/tests/test_post.py

@@ -0,0 +1,19 @@
+"""post_tool_call is audit-only and never blocks."""
+
+from helpers import make_protect_runner, register_with
+
+
+def test_post_tool_call_never_blocks_even_on_block_decision():
+    ctx, _ = register_with(make_protect_runner(decision="block"))
+    result = ctx.hooks["post_tool_call"]("terminal", {"command": "rm -rf /"})
+    assert result is None
+
+
+def test_bridge_post_phase_returns_none():
+    _, guard = register_with(make_protect_runner(decision="block"))
+    decision = guard.evaluate(
+        event="post_tool_call",
+        tool_name="terminal",
+        args={"command": "rm -rf /"},
+    )
+    assert decision is None

package/plugins/hermes/tests/test_resolution.py

@@ -0,0 +1,35 @@
+"""Engine resolution: npx is opt-in; explicit binary is preferred."""
+
+import bridge
+
+
+def _only_npx(name):
+    return "/usr/bin/npx" if name == "npx" else None
+
+
+def test_npx_not_used_without_optin(monkeypatch, tmp_path):
+    monkeypatch.delenv("AGENTGUARD_BIN", raising=False)
+    monkeypatch.delenv("AGENTGUARD_HERMES_HOOK", raising=False)
+    monkeypatch.delenv("AGENTGUARD_HERMES_ALLOW_NPX", raising=False)
+    monkeypatch.setattr(bridge.shutil, "which", _only_npx)
+    monkeypatch.setattr(bridge.Path, "home", classmethod(lambda cls: tmp_path))
+    argv, mode = bridge.AgentGuardBridge._resolve_invocation()
+    assert argv is None and mode is None
+
+
+def test_npx_used_with_optin(monkeypatch, tmp_path):
+    monkeypatch.delenv("AGENTGUARD_BIN", raising=False)
+    monkeypatch.delenv("AGENTGUARD_HERMES_HOOK", raising=False)
+    monkeypatch.setenv("AGENTGUARD_HERMES_ALLOW_NPX", "1")
+    monkeypatch.setattr(bridge.shutil, "which", _only_npx)
+    monkeypatch.setattr(bridge.Path, "home", classmethod(lambda cls: tmp_path))
+    argv, mode = bridge.AgentGuardBridge._resolve_invocation()
+    assert mode == "protect" and argv[0] == "npx"
+
+
+def test_agentguard_bin_is_preferred(monkeypatch, tmp_path):
+    monkeypatch.setenv("AGENTGUARD_BIN", "/opt/agentguard")
+    monkeypatch.delenv("AGENTGUARD_HERMES_HOOK", raising=False)
+    monkeypatch.setattr(bridge.Path, "home", classmethod(lambda cls: tmp_path))
+    argv, mode = bridge.AgentGuardBridge._resolve_invocation()
+    assert mode == "protect" and argv == ["/opt/agentguard", "protect"]

package/plugins/hermes/tests/test_validation.py

@@ -0,0 +1,43 @@
+"""Malformed mapped-tool payloads fail closed before the engine is invoked."""
+
+from helpers import make_protect_runner, register_with
+
+
+def test_terminal_without_command_blocks_without_engine():
+    calls = []
+    ctx, _ = register_with(make_protect_runner(decision="allow", calls=calls))
+    result = ctx.hooks["pre_tool_call"]("terminal", {})
+    assert isinstance(result, dict) and result["action"] == "block"
+    assert "missing" in result["message"]
+    assert calls == []  # engine never invoked on a malformed payload
+
+
+def test_write_file_without_path_blocks():
+    ctx, _ = register_with(make_protect_runner(decision="allow"))
+    result = ctx.hooks["pre_tool_call"]("write_file", {"content": "x"})
+    assert isinstance(result, dict) and result["action"] == "block"
+
+
+def test_web_extract_without_url_blocks():
+    ctx, _ = register_with(make_protect_runner(decision="allow"))
+    result = ctx.hooks["pre_tool_call"]("web_extract", {})
+    assert isinstance(result, dict) and result["action"] == "block"
+
+
+def test_malformed_blocks_even_under_fail_open(monkeypatch):
+    monkeypatch.setenv("AGENTGUARD_HERMES_FAIL_OPEN", "1")
+    ctx, _ = register_with(make_protect_runner(decision="allow"))
+    result = ctx.hooks["pre_tool_call"]("terminal", {})
+    assert isinstance(result, dict) and result["action"] == "block"
+
+
+def test_post_phase_does_not_validate():
+    ctx, _ = register_with(make_protect_runner(decision="block"))
+    result = ctx.hooks["post_tool_call"]("terminal", {})
+    assert result is None
+
+
+def test_wellformed_payload_passes_validation():
+    ctx, _ = register_with(make_protect_runner(decision="allow"))
+    result = ctx.hooks["pre_tool_call"]("terminal", {"command": "ls"})
+    assert result is None

package/skills/agentguard/action-policies.md

@@ -51,6 +51,28 @@ Scan request body for sensitive data. Priority determines risk level:
 6. POST/PUT to untrusted domain -> escalate medium to high
 7. Domain in allowlist -> ALLOW (low)
 
+### Social Account Actions
+
+Mutating requests to X/Twitter or TweetClaw social account endpoints receive the
+`SOCIAL_ACCOUNT_ACTION` risk tag and escalate to high risk. Balanced mode prompts
+the operator before execution because these requests can post tweets, post tweet
+replies, send direct messages, upload media, create monitors, register webhooks,
+or run giveaway draws.
+
+| Example | Risk |
+|---------|------|
+| `POST https://api.twitter.com/2/tweets` | high |
+| `POST https://xquik.com/api/v1/x/tweets` | high |
+| `POST https://xquik.com/api/v1/x/dm/12345` | high |
+| `POST https://xquik.com/api/v1/x/media` | high |
+| `POST https://xquik.com/api/v1/monitors` | high |
+| `POST https://xquik.com/api/v1/webhooks` | high |
+| `POST https://xquik.com/api/v1/draws` | high |
+
+Read-only TweetClaw requests such as tweet search, user lookup, or follower
+export remain low risk unless they hit another rule such as secret scanning,
+high-risk TLD handling, or webhook exfiltration.
+
 ## Command Execution Detector
 
 ### Dangerous Commands (always DENY, critical)