agentnode-sdk 0.11.0__tar.gz → 0.11.2__tar.gz

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/CHANGELOG.md

@@ -1,5 +1,49 @@
 # Changelog
 
+## 0.11.2 — CLI run resolution fixes
+
+### Fixed
+
+- **`agentnode run <slug>` auto-selects a single-tool pack's tool.** When a
+  toolpack declares exactly one tool with an entrypoint, `run <slug>` (no tool
+  name) now resolves that tool instead of a non-existent default `run` function
+  (which raised `ImportError: Function 'run' not found`). Multi-tool packs are
+  unchanged — the runner does not guess among several tools. Applied
+  consistently to the host (`load_tool`) and container (`_resolve_container_target`)
+  paths via a shared `_default_tool_entrypoint` helper.
+- **`agentnode run <slug>:<tool>` resolves the real package trust/lockfile.**
+  The `slug:tool` form is now split at the CLI boundary, so the lockfile entry
+  and trust level come from the real slug instead of being treated as an unknown
+  (and therefore `unverified`) package. The sandbox/trust gate is unchanged and
+  still keys on the real slug — community/unverified packages stay
+  sandbox-mandatory or fail-closed. Slug/tool parsing is now a shared
+  `references.parse_tool_reference` helper used by both the CLI and the agent
+  runtime.
+
+## 0.11.1 — Bugfix + hardening
+
+### Fixed
+
+- **Install targets the running interpreter.** `installer.resolve_python()` now
+  returns `sys.executable` first, so the host build (`agentnode install` of a
+  trusted/curated pack) and `agentnode run` use the **same** Python. Previously
+  it resolved `$VIRTUAL_ENV → ./.venv → PATH python3 → PATH python` and never
+  the interpreter actually running AgentNode, so under **pipx** or an
+  **unactivated venv** the pack installed into a different environment and the
+  run could not import it. The existing fallbacks are kept for the rare case of
+  an empty `sys.executable`. Host build path only — the community/sandbox path
+  builds with `python -m pip` inside the container and was never affected.
+
+### Hardened
+
+- **Agent execution-vector invariant documented + regression-tested.** An
+  agent's own entrypoint code runs on the host (not via `SandboxBackend`), so
+  the `trust >= trusted` gate in `run_agent` is a security invariant. Added an
+  audit comment at the gate (no logic change) and a named regression test
+  asserting that `None`/unknown/`unverified`/`verified`/`preview` agents are
+  refused while `trusted`/`curated` pass — locking the gate against silent
+  lowering that would run community code unsandboxed.
+
 ## 0.11.0 — Execution Sandbox (isolated or not at all)
 
 The execution plane is now sandboxed. Community/unverified code (toolpack

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentnode-sdk
-Version: 0.11.0
+Version: 0.11.2
 Summary: Python SDK for AgentNode — the open upgrade and discovery infrastructure for AI agents.
 Project-URL: Homepage, https://agentnode.net
 Project-URL: Repository, https://github.com/agentnode-ai/agentnode

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/agentnode_sdk/__init__.py

@@ -38,7 +38,7 @@ from agentnode_sdk.runtime import AgentNodeRuntime
 Client = AgentNodeClient
 ToolError = AgentNodeToolError
 
-__version__ = "0.11.0"
+__version__ = "0.11.2"
 __all__ = [
     "AgentNode",
     "AsyncAgentNode",

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/agentnode_sdk/cli/commands.py

@@ -837,6 +837,13 @@ def cmd_run(
     if " " in capability.strip():
         return _cmd_run_smart(capability, raw=raw, explain=explain, dry_run=dry_run, json_output=json_output)
 
+    # Slug mode: support `slug:tool`. Split at the CLI boundary so trust and the
+    # lockfile entry resolve on the REAL slug (slugs are kebab-case and never
+    # contain ':'); the tool name is forwarded to run_tool. The sandbox/trust
+    # gate is unchanged — it keys on the real slug's entry just like a bare slug.
+    from agentnode_sdk.references import parse_tool_reference
+    slug, tool_name = parse_tool_reference(capability)
+
     if input_data and file_path:
         print("--input and --file are mutually exclusive.", file=sys.stderr)
         return 1
@@ -875,10 +882,10 @@ def cmd_run(
         is_interactive = os.environ.get("AGENTNODE_NON_INTERACTIVE", "").lower() not in ("true", "1")
         callback = cli_confirmation_callback if is_interactive else None
 
-        result = run_tool(capability, confirmation_callback=callback, **data)
+        result = run_tool(slug, tool_name=tool_name, confirmation_callback=callback, **data)
 
         if result.mode_used == "policy_denied" and result.policy:
-            _print_guard_block(capability, None, result)
+            _print_guard_block(slug, tool_name, result)
             return 1
 
         if explain and hasattr(result, "policy") and result.policy:

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/agentnode_sdk/installer.py

@@ -40,9 +40,15 @@ PIP_TIMEOUT = 120
 # ---------------------------------------------------------------------------
 
 def resolve_python() -> str:
-    """Find a usable Python 3 interpreter.
+    """Find a usable Python 3 interpreter for the host package build.
 
     Resolution order:
+    0. ``sys.executable`` — the interpreter actually running AgentNode, so a host
+       build (``agentnode install``) installs into the SAME environment that
+       ``agentnode run`` later imports from. This fixes pipx / unactivated-venv
+       installs, where ``$VIRTUAL_ENV`` is unset and ``python`` on PATH is a
+       DIFFERENT interpreter (the package would install into the wrong env and
+       ``agentnode run`` would fail to import it).
     1. $VIRTUAL_ENV/bin/python (or Scripts/python.exe on Windows)
     2. .venv/bin/python in cwd
     3. python3 on PATH
@@ -50,6 +56,11 @@ def resolve_python() -> str:
     """
     is_windows = sys.platform == "win32"
 
+    # 0. The interpreter actually running AgentNode — guarantees install and run
+    #    use the same Python. Most reliable; prefer it over PATH/venv heuristics.
+    if sys.executable and os.path.isfile(sys.executable):
+        return sys.executable
+
     # 1. Active virtual environment
     venv = os.environ.get("VIRTUAL_ENV")
     if venv:
@@ -1025,6 +1036,21 @@ def _resolve_entrypoint(entrypoint: str) -> tuple[str, str]:
     return entrypoint, "run"
 
 
+def _default_tool_entrypoint(entry: dict) -> str | None:
+    """Entrypoint to use when no explicit ``tool_name`` is given.
+
+    Auto-selects the sole tool when the pack declares EXACTLY one tool with an
+    entrypoint, so ``agentnode run <slug>`` works for single-tool packs without
+    the caller knowing the tool name. Otherwise falls back to the package-level
+    entrypoint — multi-tool packs are unchanged (the runner must not guess
+    among several tools). Returns ``None`` when neither is available.
+    """
+    tools = entry.get("tools") or []
+    if len(tools) == 1 and tools[0].get("entrypoint"):
+        return tools[0]["entrypoint"]
+    return entry.get("entrypoint")
+
+
 def load_tool(slug: str, tool_name: str | None = None, *, _internal: bool = False) -> Any:
     """Load an installed package's tool function.
 
@@ -1090,8 +1116,9 @@ def load_tool(slug: str, tool_name: str | None = None, *, _internal: bool = Fals
             f"Available tools: {[t.get('name') for t in pkg.get('tools', [])]}"
         )
 
-    # v0.1 fallback / single-tool: use package-level entrypoint
-    entrypoint = pkg.get("entrypoint")
+    # No tool_name: auto-select the sole tool when exactly one is declared,
+    # else fall back to the package-level entrypoint (multi-tool unchanged).
+    entrypoint = _default_tool_entrypoint(pkg)
     if not entrypoint:
         raise ImportError(f"Package '{slug}' has no entrypoint in lockfile.")
 

agentnode_sdk-0.11.2/agentnode_sdk/references.py

@@ -0,0 +1,21 @@
+"""Shared parsing for package/tool references.
+
+A reference is either a bare package slug (``"word-counter-pack"``) or a
+``slug:tool`` pair (``"word-counter-pack:count_words"``). Package slugs are
+kebab-case (``[a-z0-9-]``) and never contain ``':'``, so the first ``':'``
+unambiguously separates the slug from an optional tool name.
+
+Used by both the CLI run path (``cli.commands.cmd_run``) and the agent runtime
+(``runtimes.agent_runner``) so the two stay in lock-step.
+"""
+from __future__ import annotations
+
+
+def parse_tool_reference(ref: str) -> tuple[str, str | None]:
+    """Parse ``'slug:tool'`` or ``'slug'`` into ``(slug, tool_name)``.
+
+    Returns ``(slug, None)`` when no tool is given (or the tool part is empty,
+    e.g. ``"slug:"``), so callers can treat it as "no specific tool".
+    """
+    slug, _, tool = ref.partition(":")
+    return slug, (tool or None)

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/agentnode_sdk/runtimes/agent_runner.py

@@ -559,10 +559,7 @@ class AgentContext:
                         tc_args = {}
 
                 # Parse slug:tool_name from the tool call name
-                if ":" in tc_name:
-                    slug, tool_name = tc_name.split(":", 1)
-                else:
-                    slug, tool_name = tc_name, None
+                slug, tool_name = _parse_tool_reference(tc_name)
 
                 tool_result = self.try_tool(slug, tool_name, **tc_args)
 
@@ -1245,6 +1242,15 @@ def run_agent(
         )
 
     # --- 2. Agent-specific policy: trust >= trusted ---
+    # SECURITY INVARIANT (audit 2026-06): an agent's OWN entrypoint code runs on
+    # the HOST — in a thread (_execute_with_timeout) or a child process
+    # (_execute_with_process) — NOT inside SandboxBackend. The exec-sandbox bow
+    # (P0.0-P0.3) isolates the agent's *tool calls* (they re-enter run_tool's
+    # gate), but NOT the agent's own orchestration code. So `trust >= trusted` is
+    # the ONLY thing keeping community/unverified agent code off the host. Do NOT
+    # lower this gate without first routing agent execution through SandboxBackend,
+    # or community code runs unsandboxed (reintroducing the RCE class the sandbox
+    # bow closed). Locked by test_agent_runner's execution-vector regression test.
     trust_level = entry.get("trust_level", "unverified")
     if not _trust_meets_minimum(trust_level, "trusted"):
         _audit_agent_run(
@@ -2194,11 +2200,13 @@ def _parse_literal(value: str) -> Any:
 # ---------------------------------------------------------------------------
 
 def _parse_tool_reference(ref: str) -> tuple[str, str | None]:
-    """Parse 'slug:tool_name' or 'slug' into (slug, tool_name)."""
-    if ":" in ref:
-        slug, tool_name = ref.split(":", 1)
-        return slug, tool_name
-    return ref, None
+    """Parse 'slug:tool_name' or 'slug' into (slug, tool_name).
+
+    Thin wrapper over the shared :func:`agentnode_sdk.references.parse_tool_reference`
+    so the agent runtime and the CLI run path stay in lock-step.
+    """
+    from agentnode_sdk.references import parse_tool_reference
+    return parse_tool_reference(ref)
 
 
 def _resolve_input_mapping(

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/agentnode_sdk/runtimes/python_runner.py

@@ -445,7 +445,7 @@ def _resolve_container_target(entry: dict, tool_name: str | None) -> tuple[str,
         first then the default function (``run``), matching load_tool's getattr order;
       - no tool_name → package entrypoint module + its function.
     """
-    from agentnode_sdk.installer import _resolve_entrypoint
+    from agentnode_sdk.installer import _resolve_entrypoint, _default_tool_entrypoint
 
     tools = entry.get("tools") or []
     if tool_name:
@@ -463,7 +463,7 @@ def _resolve_container_target(entry: dict, tool_name: str | None) -> tuple[str,
             tool_name=tool_name,
         )
 
-    ep = entry.get("entrypoint")
+    ep = _default_tool_entrypoint(entry)
     if not ep:
         raise AgentNodeToolError(
             "Package has no entrypoint in the lockfile.", tool_name=None,

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "agentnode-sdk"
-version = "0.11.0"
+version = "0.11.2"
 description = "Python SDK for AgentNode — the open upgrade and discovery infrastructure for AI agents."
 readme = "README.md"
 requires-python = ">=3.10"

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/tests/test_agent_runner.py

@@ -319,6 +319,33 @@ class TestRunAgentTrustPolicy:
         assert "trust level" not in (result.error or "")
 
 
+# ---------------------------------------------------------------------------
+# run_agent() — execution-vector invariant (0.11.1 hardening, audit 2026-06)
+# ---------------------------------------------------------------------------
+# An agent's OWN entrypoint code runs on the HOST (thread _execute_with_timeout /
+# process _execute_with_process), NOT through SandboxBackend. The exec-sandbox
+# bow does NOT cover the agent's own code. So `trust >= trusted` at the gate
+# (agent_runner.py ~1248) is a SECURITY INVARIANT: lowering it would run
+# community/unverified agent code unsandboxed on the host. These tests lock the
+# gate against silent regressions — any non-(trusted|curated) level, including an
+# unrecognized or missing one, must be refused with a trust-level error.
+
+class TestRunAgentExecutionVectorInvariant:
+    @pytest.mark.parametrize("trust_level", [None, "unknown", "unverified", "verified", "preview"])
+    def test_community_or_unknown_agent_refused(self, trust_level):
+        entry = _agent_entry(trust_level=trust_level)
+        result = run_agent("test-agent", entry=entry)
+        assert result.success is False
+        assert "trust level" in (result.error or "")
+
+    @pytest.mark.parametrize("trust_level", ["trusted", "curated"])
+    def test_trusted_or_curated_agent_not_gated(self, trust_level):
+        entry = _agent_entry(trust_level=trust_level)
+        result = run_agent("test-agent", entry=entry)
+        # Passes the trust gate (may still fail later at entrypoint loading).
+        assert "trust level" not in (result.error or "")
+
+
 # ---------------------------------------------------------------------------
 # run_agent() — execution
 # ---------------------------------------------------------------------------

agentnode_sdk-0.11.2/tests/test_cli_run_resolution.py

@@ -0,0 +1,36 @@
+"""CLI `run` resolution (0.11.2): `slug:tool` is split at the CLI boundary so the
+real slug feeds trust/lockfile resolution, and the tool name is forwarded."""
+from agentnode_sdk.cli import commands
+from agentnode_sdk.models import RunToolResult
+
+
+def _spy_run_tool(captured):
+    def fake(slug, tool_name=None, confirmation_callback=None, **kwargs):
+        captured["slug"] = slug
+        captured["tool_name"] = tool_name
+        captured["kwargs"] = kwargs
+        return RunToolResult(success=True, result={"ok": True}, mode_used="subprocess")
+    return fake
+
+
+def test_cmd_run_splits_slug_tool(monkeypatch):
+    """`run <slug>:<tool>` → run_tool(real_slug, tool_name=tool). The real slug
+    is what reaches run_tool, so trust/lockfile resolve on it (not the colon
+    string treated as an unknown unverified package)."""
+    captured = {}
+    monkeypatch.setattr("agentnode_sdk.runner.run_tool", _spy_run_tool(captured))
+    rc = commands.cmd_run("word-counter-pack:count_words", input_data='{"text":"a b"}', json_output=True)
+    assert rc == 0
+    assert captured["slug"] == "word-counter-pack"
+    assert captured["tool_name"] == "count_words"
+    assert captured["kwargs"] == {"text": "a b"}
+
+
+def test_cmd_run_bare_slug_has_no_tool(monkeypatch):
+    """Bare `run <slug>` still forwards tool_name=None (unchanged)."""
+    captured = {}
+    monkeypatch.setattr("agentnode_sdk.runner.run_tool", _spy_run_tool(captured))
+    rc = commands.cmd_run("word-counter-pack", input_data='{"text":"a"}', json_output=True)
+    assert rc == 0
+    assert captured["slug"] == "word-counter-pack"
+    assert captured["tool_name"] is None

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/tests/test_install_hardening.py

@@ -93,3 +93,13 @@ def test_missing_artifact_hash_blocked(monkeypatch, tmp_path):
             artifact_hash=None, entrypoint="pk.tool", trust_level="trusted",
         )
     assert pip_calls == []
+
+
+def test_resolve_python_prefers_sys_executable():
+    """0.11.1 bugfix: the host build must target the interpreter actually running
+    AgentNode, so `agentnode install` + `agentnode run` use the SAME Python. In a
+    pipx / unactivated venv, $VIRTUAL_ENV is unset and `python` on PATH is a
+    DIFFERENT interpreter — the pack would install into the wrong env and the run
+    couldn't import it. resolve_python() must return sys.executable."""
+    import sys
+    assert installer.resolve_python() == sys.executable

agentnode_sdk-0.11.2/tests/test_references.py

@@ -0,0 +1,16 @@
+"""Shared slug/tool reference parsing (0.11.2)."""
+import pytest
+
+from agentnode_sdk.references import parse_tool_reference
+
+
+@pytest.mark.parametrize("ref,expected", [
+    ("word-counter-pack", ("word-counter-pack", None)),
+    ("word-counter-pack:count_words", ("word-counter-pack", "count_words")),
+    ("a-b", ("a-b", None)),
+    ("a-b:c", ("a-b", "c")),
+    ("a-b:", ("a-b", None)),            # empty tool part → None
+    ("a-b:c:d", ("a-b", "c:d")),        # only the first colon splits
+])
+def test_parse_tool_reference(ref, expected):
+    assert parse_tool_reference(ref) == expected

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/tests/test_sandbox_gate.py

@@ -82,6 +82,20 @@ def test_other_nontrusted_blocked_when_unavailable(tmp_path, trust):
     assert res.mode_used == "sandbox_unavailable"
 
 
+def test_cli_community_slug_tool_still_failclosed(tmp_path, monkeypatch, capsys):
+    """0.11.2: splitting `slug:tool` at the CLI must NOT bypass the sandbox gate.
+    A community (unverified) pack run as `slug:tool` with no container runtime
+    stays fail-closed — cmd_run forwards the REAL slug, whose trust the gate reads."""
+    from agentnode_sdk.cli import commands
+    set_default_backend(_FakeBackend(available=False))
+    lf = _write_lockfile(tmp_path, "evil-pack", "unverified")
+    monkeypatch.setattr(installer, "_lockfile_path", lambda: lf)
+    rc = commands.cmd_run("evil-pack:dotool", input_data='{"x":1}', json_output=True)
+    out = capsys.readouterr().out
+    assert rc == 1
+    assert "sandbox_unavailable" in out
+
+
 def test_curated_not_blocked_when_unavailable(tmp_path, monkeypatch):
     set_default_backend(_FakeBackend(available=False))
     _stub_check_run_deny(monkeypatch)

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/tests/test_toolpack_sandbox.py

@@ -339,6 +339,21 @@ def test_resolve_target_v01_package_default():
     assert _resolve_container_target(entry, None) == ("mod.tool", ["run"])
 
 
+def test_resolve_target_single_tool_autoselect():
+    # 0.11.2: single-tool pack, no tool_name → auto-select the sole tool (not run)
+    entry = {"entrypoint": "wc.tool",
+             "tools": [{"name": "count_words", "entrypoint": "wc.tool:count_words"}]}
+    assert _resolve_container_target(entry, None) == ("wc.tool", ["count_words"])
+
+
+def test_resolve_target_multi_tool_keeps_package_default():
+    # 0.11.2: multi-tool, no tool_name → package-level entrypoint (unchanged)
+    entry = {"entrypoint": "mod.tool:dispatch",
+             "tools": [{"name": "a", "entrypoint": "mod.tool:a"},
+                       {"name": "b", "entrypoint": "mod.tool:b"}]}
+    assert _resolve_container_target(entry, None) == ("mod.tool", ["dispatch"])
+
+
 def test_resolve_target_v02_colon_function():
     entry = {"entrypoint": "mod.tool:describe", "tools": []}
     assert _resolve_container_target(entry, None) == ("mod.tool", ["describe"])

{agentnode_sdk-0.11.0 → agentnode_sdk-0.11.2}/tests/test_v02.py

@@ -69,6 +69,48 @@ class TestLoadTool:
                 func = load_tool("my-pack")
                 assert func == mock_module.run
 
+    def test_load_single_tool_autoselect(self, tmp_path):
+        """0.11.2: single-tool pack — load_tool(slug) with no tool_name
+        auto-selects the sole tool's entrypoint instead of the default `run`."""
+        self._write_lockfile(tmp_path, {
+            "word-counter-pack": {
+                "version": "1.0.0",
+                "entrypoint": "wc.tool",  # colon-less → old code defaulted to run()
+                "tools": [
+                    {"name": "count_words", "entrypoint": "wc.tool:count_words"},
+                ],
+            }
+        })
+        # spec=[...] so the module has NO `run` attr — old behavior would raise.
+        mock_module = MagicMock(spec=["count_words"])
+        mock_module.count_words = lambda text="": {"words": 0}
+
+        with patch("agentnode_sdk.installer._lockfile_path", return_value=tmp_path / "agentnode.lock"):
+            with patch("agentnode_sdk.installer.importlib.import_module", return_value=mock_module):
+                func = load_tool("word-counter-pack")
+                assert func == mock_module.count_words
+
+    def test_load_multi_tool_uses_package_entrypoint(self, tmp_path):
+        """0.11.2: multi-tool pack — load_tool(slug) with no tool_name still uses
+        the package-level entrypoint (no guessing among tools). Unchanged."""
+        self._write_lockfile(tmp_path, {
+            "multi-pack": {
+                "version": "1.0.0",
+                "entrypoint": "multi.tool:dispatch",
+                "tools": [
+                    {"name": "a", "entrypoint": "multi.tool:a"},
+                    {"name": "b", "entrypoint": "multi.tool:b"},
+                ],
+            }
+        })
+        mock_module = MagicMock(spec=["dispatch", "a", "b"])
+        mock_module.dispatch = lambda **k: "dispatched"
+
+        with patch("agentnode_sdk.installer._lockfile_path", return_value=tmp_path / "agentnode.lock"):
+            with patch("agentnode_sdk.installer.importlib.import_module", return_value=mock_module):
+                func = load_tool("multi-pack")
+                assert func == mock_module.dispatch
+
     def test_load_v02_with_tool_name(self, tmp_path):
         """v0.2 pack — load_tool(slug, tool_name) returns specific function."""
         self._write_lockfile(tmp_path, {