agentnode-sdk 0.11.0__tar.gz → 0.11.1__tar.gz

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## 0.11.1 — Bugfix + hardening
+
+### Fixed
+
+- **Install targets the running interpreter.** `installer.resolve_python()` now
+  returns `sys.executable` first, so the host build (`agentnode install` of a
+  trusted/curated pack) and `agentnode run` use the **same** Python. Previously
+  it resolved `$VIRTUAL_ENV → ./.venv → PATH python3 → PATH python` and never
+  the interpreter actually running AgentNode, so under **pipx** or an
+  **unactivated venv** the pack installed into a different environment and the
+  run could not import it. The existing fallbacks are kept for the rare case of
+  an empty `sys.executable`. Host build path only — the community/sandbox path
+  builds with `python -m pip` inside the container and was never affected.
+
+### Hardened
+
+- **Agent execution-vector invariant documented + regression-tested.** An
+  agent's own entrypoint code runs on the host (not via `SandboxBackend`), so
+  the `trust >= trusted` gate in `run_agent` is a security invariant. Added an
+  audit comment at the gate (no logic change) and a named regression test
+  asserting that `None`/unknown/`unverified`/`verified`/`preview` agents are
+  refused while `trusted`/`curated` pass — locking the gate against silent
+  lowering that would run community code unsandboxed.
+
 ## 0.11.0 — Execution Sandbox (isolated or not at all)
 
 The execution plane is now sandboxed. Community/unverified code (toolpack

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentnode-sdk
-Version: 0.11.0
+Version: 0.11.1
 Summary: Python SDK for AgentNode — the open upgrade and discovery infrastructure for AI agents.
 Project-URL: Homepage, https://agentnode.net
 Project-URL: Repository, https://github.com/agentnode-ai/agentnode

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/agentnode_sdk/__init__.py

@@ -38,7 +38,7 @@ from agentnode_sdk.runtime import AgentNodeRuntime
 Client = AgentNodeClient
 ToolError = AgentNodeToolError
 
-__version__ = "0.11.0"
+__version__ = "0.11.1"
 __all__ = [
     "AgentNode",
     "AsyncAgentNode",

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/agentnode_sdk/installer.py

@@ -40,9 +40,15 @@ PIP_TIMEOUT = 120
 # ---------------------------------------------------------------------------
 
 def resolve_python() -> str:
-    """Find a usable Python 3 interpreter.
+    """Find a usable Python 3 interpreter for the host package build.
 
     Resolution order:
+    0. ``sys.executable`` — the interpreter actually running AgentNode, so a host
+       build (``agentnode install``) installs into the SAME environment that
+       ``agentnode run`` later imports from. This fixes pipx / unactivated-venv
+       installs, where ``$VIRTUAL_ENV`` is unset and ``python`` on PATH is a
+       DIFFERENT interpreter (the package would install into the wrong env and
+       ``agentnode run`` would fail to import it).
     1. $VIRTUAL_ENV/bin/python (or Scripts/python.exe on Windows)
     2. .venv/bin/python in cwd
     3. python3 on PATH
@@ -50,6 +56,11 @@ def resolve_python() -> str:
     """
     is_windows = sys.platform == "win32"
 
+    # 0. The interpreter actually running AgentNode — guarantees install and run
+    #    use the same Python. Most reliable; prefer it over PATH/venv heuristics.
+    if sys.executable and os.path.isfile(sys.executable):
+        return sys.executable
+
     # 1. Active virtual environment
     venv = os.environ.get("VIRTUAL_ENV")
     if venv:

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/agentnode_sdk/runtimes/agent_runner.py

@@ -1245,6 +1245,15 @@ def run_agent(
         )
 
     # --- 2. Agent-specific policy: trust >= trusted ---
+    # SECURITY INVARIANT (audit 2026-06): an agent's OWN entrypoint code runs on
+    # the HOST — in a thread (_execute_with_timeout) or a child process
+    # (_execute_with_process) — NOT inside SandboxBackend. The exec-sandbox bow
+    # (P0.0-P0.3) isolates the agent's *tool calls* (they re-enter run_tool's
+    # gate), but NOT the agent's own orchestration code. So `trust >= trusted` is
+    # the ONLY thing keeping community/unverified agent code off the host. Do NOT
+    # lower this gate without first routing agent execution through SandboxBackend,
+    # or community code runs unsandboxed (reintroducing the RCE class the sandbox
+    # bow closed). Locked by test_agent_runner's execution-vector regression test.
     trust_level = entry.get("trust_level", "unverified")
     if not _trust_meets_minimum(trust_level, "trusted"):
         _audit_agent_run(

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "agentnode-sdk"
-version = "0.11.0"
+version = "0.11.1"
 description = "Python SDK for AgentNode — the open upgrade and discovery infrastructure for AI agents."
 readme = "README.md"
 requires-python = ">=3.10"

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/tests/test_agent_runner.py

@@ -319,6 +319,33 @@ class TestRunAgentTrustPolicy:
         assert "trust level" not in (result.error or "")
 
 
+# ---------------------------------------------------------------------------
+# run_agent() — execution-vector invariant (0.11.1 hardening, audit 2026-06)
+# ---------------------------------------------------------------------------
+# An agent's OWN entrypoint code runs on the HOST (thread _execute_with_timeout /
+# process _execute_with_process), NOT through SandboxBackend. The exec-sandbox
+# bow does NOT cover the agent's own code. So `trust >= trusted` at the gate
+# (agent_runner.py ~1248) is a SECURITY INVARIANT: lowering it would run
+# community/unverified agent code unsandboxed on the host. These tests lock the
+# gate against silent regressions — any non-(trusted|curated) level, including an
+# unrecognized or missing one, must be refused with a trust-level error.
+
+class TestRunAgentExecutionVectorInvariant:
+    @pytest.mark.parametrize("trust_level", [None, "unknown", "unverified", "verified", "preview"])
+    def test_community_or_unknown_agent_refused(self, trust_level):
+        entry = _agent_entry(trust_level=trust_level)
+        result = run_agent("test-agent", entry=entry)
+        assert result.success is False
+        assert "trust level" in (result.error or "")
+
+    @pytest.mark.parametrize("trust_level", ["trusted", "curated"])
+    def test_trusted_or_curated_agent_not_gated(self, trust_level):
+        entry = _agent_entry(trust_level=trust_level)
+        result = run_agent("test-agent", entry=entry)
+        # Passes the trust gate (may still fail later at entrypoint loading).
+        assert "trust level" not in (result.error or "")
+
+
 # ---------------------------------------------------------------------------
 # run_agent() — execution
 # ---------------------------------------------------------------------------

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.1}/tests/test_install_hardening.py

@@ -93,3 +93,13 @@ def test_missing_artifact_hash_blocked(monkeypatch, tmp_path):
             artifact_hash=None, entrypoint="pk.tool", trust_level="trusted",
         )
     assert pip_calls == []
+
+
+def test_resolve_python_prefers_sys_executable():
+    """0.11.1 bugfix: the host build must target the interpreter actually running
+    AgentNode, so `agentnode install` + `agentnode run` use the SAME Python. In a
+    pipx / unactivated venv, $VIRTUAL_ENV is unset and `python` on PATH is a
+    DIFFERENT interpreter — the pack would install into the wrong env and the run
+    couldn't import it. resolve_python() must return sys.executable."""
+    import sys
+    assert installer.resolve_python() == sys.executable