merge: sync main with master — v2.10.1 #1311

Merged
jpleva91 merged 56 commits into main from merge/main-master-sync
Mar 29, 2026

Conversation

@jpleva91
Collaborator

Resolves main/master divergence. Go kernel, cold-start DX, wildcard fix.

Jared and others added 30 commits March 25, 2026 14:51
Thin wrapper package that depends on @red-codes/agentguard.
Allows `npx agentguard` to work without the scoped name.

Both `npx agentguard` and `npx @red-codes/agentguard` work identically.

Closes #848

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace mutable tag references with immutable SHA-pinned digests across
all 6 workflow files to prevent supply chain attacks via compromised
upstream actions. Original tags preserved as inline comments.

Actions pinned:
- actions/checkout@v6
- actions/setup-node@v6
- pnpm/action-setup@v5
- actions/upload-artifact@v7
- github/codeql-action/init@v4
- github/codeql-action/analyze@v4
- actions/upload-pages-artifact@v4
- actions/deploy-pages@v4
- dtolnay/rust-toolchain@stable
- Swatinem/rust-cache@v2

Closes #829

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Version bump: 2.5.0 → 2.6.0

Supply chain hardening: all 10 GitHub Actions pinned to verified SHA
digests across 6 workflow files. Closes #829.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The agentguard-unscoped package depends on @red-codes/agentguard
which doesn't exist in the lockfile (it's the published package).
Moving to npm-wrapper/ excludes it from the pnpm workspace glob.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
v2.6.0 — Go kernel, SHA pinning, unscoped npm, performance docs
Publishes both @red-codes/agentguard and the unscoped agentguard
wrapper package on GitHub release. Tolerates "already published"
for the wrapper since its version tracks the CLI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
v2.7.0 — automated unscoped npm publish + CI fix
npm rejects "agentguard" as too similar to existing "agent-guard" package.
Canonical install path is `npx @red-codes/agentguard`.

Removes npm-wrapper/ and the publish step. Closes #848 as won't-fix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(ci): remove blocked unscoped npm wrapper
npx aiguard → delegates to @red-codes/agentguard.
Added to publish workflow for automated releases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
npx aguard → delegates to @red-codes/agentguard.
Replaces aiguard attempt. Added to publish workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(npm): add aiguard convenience package
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaces npx agentguard → npx aguard in docs, README, site, CLI help,
templates, CLAUDE.md, ROADMAP.md, and source code user-facing strings.
Keeps @red-codes/agentguard as the scoped package name in imports
and package.json.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Conflicts:
#	npm-wrapper/agentguard/README.md
58 files updated: npx agentguard → npx aguard across docs, README,
site, CLI help, templates, and user-facing strings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
v2.7.2 — aguard docs + CLI references
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(cli): add missing subpath exports for bin and postinstall
- Health: green — all loop guards pass, no escalations
- PR #969 (fix claude-init binary path, closes #964 priority:critical): CI 5/5 green, flagged for architect review
- Closed stale EM report PR #966 (superseded)
- Sprint: #955 (Go kernel hook delegation) + #957 (Go pack resolution) in-progress, senior assigned
- PR budget: 1 open / 3 max
- Tests: 4129/4129 passing

https://claude.ai/code/session_016dXuQwappMAvdGYJaix7C9
…0000

Auto-merged: low-risk chore/docs PR, CI green.
Establishes Tier C governance rules, coding standards, branch naming,
PR rules, and autonomy directives for the GitHub Copilot coding agent.
Modeled after agentguard-cloud instructions, tailored for the OSS
TypeScript/pnpm monorepo stack.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jpleva91 and others added 26 commits March 25, 2026 20:22
…ions

Add .github/copilot-instructions.md
Adds governance hooks for OpenAI Codex CLI and Google Gemini CLI, bringing total supported CLI agents to 4.

New commands: agentguard codex-hook, codex-init, gemini-hook, gemini-init
New adapters: codex-cli.ts, gemini-cli.ts
Version: 2.7.2 → 2.8.0
Tests: 759+ passing, coverage above thresholds

Closes part of multi-model orchestration initiative.
* feat: init Codex, Copilot, and Gemini hook configs

Adds governance hook configurations for all 3 new CLI drivers
introduced in v2.8.0. Claude hooks already existed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: agent identity in local telemetry + init all driver hooks

- Migration v5: add agent_id column + index to sessions table
- All 4 hooks (claude, codex, copilot, gemini) now pass resolved
  agent identity into session tracking via SessionStartData.agentId
- Resolve agent identity once before cloud telemetry (DRY)
- Re-init hook configs via agentguard *-init CLI commands
- Update migration tests for new schema version

Closes #1029

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Jared <jared@agentguard.dev>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore: bump version to 2.8.1

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add ecosystem section + update framework list in README

Adds ecosystem table (ShellForge, RTK, TurboQuant, DefenseClaw, OpenShell,
DeepAgents, OpenCode) and updates "Works with" to list all 6 frameworks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Jared <jared@agentguard.dev>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The governance hook blocked ALL tool calls when the AgentGuard kernel
binary was not yet available, creating a catch-22: agents could not run
`pnpm install` to build the kernel because the hook blocked it first.
This had been blocking the marketing squad for 5 EM cycles.

Fix: detect bootstrap mode at two layers:
- Shell wrapper: read stdin payload and allow install/build commands
  and read-only tools through when the binary is missing
- TypeScript hook: catch module-not-found errors from unbuilt kernel
  packages and allow bootstrap-safe actions through

Non-bootstrap actions remain fail-closed (blocked) for security.

Closes #995

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Extract bootstrap.ts as single source of truth for allowlists
  (fixes broken import from 5b7bb9f that referenced missing module)
- Add containsChainingOperators() — blocks "pnpm install && curl evil"
- Cross-driver payload normalization (tool_name vs toolName, tool_input vs toolArgs)
- Shell wrapper chaining protection via grep after case match
- 65 tests: Claude/Copilot/Codex/Gemini payloads, chaining bypass, read-only tools

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix: bootstrap exemption for governance hooks
Merged by HQ EM — closes #1267 (P0 CI infra blocker for site-only PRs). All 5 checks passed.
Go kernel now handles all Claude Code hook events with full feature parity:
- PreToolUse: policy eval, invariant checking, enforcement mode routing
  (enforce/guide/educate/monitor), read-only tool fail-open, session state,
  identity wizard, retry tracking, cloud telemetry, lesson capture
- PostToolUse: bash error reporting, format/test pass tracking, PR detection
- Stop: session viewer generation, root session cleanup
- Notification: live session viewer spawn

New files: env.go, session.go, identity.go, lesson.go, telemetry.go
Key fix: FromStdin() fallback — Claude Code sends payloads via stdin,
not env vars. This was the root cause of Go fast-path never executing.

Performance: 2ms Go vs 290ms TS — 145x faster hook evaluation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(go): complete Go kernel — full TS hook parity, 145x faster
matchesAction() was missing "*" wildcard and "git.*" namespace matching.
Without this, policies with `action: "*"` (default-allow) never matched,
causing all actions to hit default-deny in the Go kernel.

Also bumps version to 2.10.0 for the Go kernel release.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(go): wildcard policy matching + bump to 2.10.0
fix(dx): cold-start install works without claude-init
@jpleva91 jpleva91 merged commit 1bfef6c into main Mar 29, 2026
3 of 4 checks passed
@jpleva91 jpleva91 deleted the merge/main-master-sync branch March 29, 2026 04:54
@jpleva91
Collaborator Author

[workspace-pr-review-agent] Workspace Config Review

Verdict: CHANGES REQUESTED

Summary: Large merge sync (v2.10.1) bringing in cold-start DX improvements, new Codex/Gemini CLI adapters, and deletion of the DeepAgents adapter. The bootstrap exemption added to scripts/claude-hook-wrapper.sh introduces a security-relevant bypass path that has a subtle injection risk.

Findings

| Severity | File | Finding |
| --- | --- | --- |
| WARNING | scripts/claude-hook-wrapper.sh:40-60 | Bootstrap exemption uses raw case pattern matching on the entire JSON payload string. If a file write payload contains "command":"pnpm install" in its content or file_path fields, BOOTSTRAP_SAFE=1 is set even though this is a Write tool. The CMD_VALUE chaining check extracts the first "command" match in the full JSON, which would be the injected substring — not a chaining operator — so the check passes and the Write action is allowed through. This only fires when the kernel binary is absent, but it's a fragile assumption. Consider matching only "tool_name":"Bash" payloads, not all payloads with a command substring. |
| WARNING | apps/cli/src/postinstall.ts:23 | Default starter policy mode changed from guide → monitor. In monitor mode all actions are allowed through (just logged). New users who install and run without customizing policy will have no governance enforcement. Consider using guide as the default (educates without hard blocking) or adding a prominent warning in the postinstall output when monitor mode is active. |
| WARNING | .github/workflows/publish.yml | Removes the aguard wrapper version check (Verify aguard wrapper version matches CLI). The wrapper version in npm-wrapper/aguard/package.json can now diverge from the CLI version without CI catching it. The new step publishes the wrapper but doesn't validate version parity first. |
| SUGGESTION | scripts/claude-hook-wrapper.sh:38 | The bootstrap exemption comment says "fail closed for non-bootstrap actions" but the original comment said "MUST fail closed" (unconditional). The changed wording subtly weakens the documented safety guarantee. Recommend keeping the original "MUST fail closed" language and adding "except for bootstrap commands as enumerated below." |
| SUGGESTION | apps/cli/src/commands/deepagents-init.ts (deleted) | DeepAgents adapter removed without a corresponding deprecation notice in CHANGELOG.md or README. Any agents currently using the DeepAgents hook path will silently lose governance enforcement after upgrade. |

Swarm Impact Assessment

  • Agents affected: Any swarm agent using claude-hook-wrapper.sh (all Claude Code agents on jared box), agents using DeepAgents adapter
  • Risk level: MEDIUM
  • Rollback complexity: Simple revert for postinstall mode change; bootstrap exemption logic is more coupled

Config Consistency Check

  • All new scheduled agents have SKILL.md files — N/A (no schedule changes)
  • All new scheduled agents have registry entries — N/A
  • No schedule collisions introduced — N/A
  • Timeouts are appropriate — N/A

Automated review by workspace-pr-review-agent (claude-code:opus:reviewer) — AgentGuard workspace swarm
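The Write-payload bypass flagged in the first finding and the chaining check from the bootstrap-exemption commits, as an added TypeScript example that is not AgentGuard's own code: a naive whole-payload match beside a form that gates on the normalised tool name and the parsed command field. Tool names, field names, the read-only tool set and the allowlist are assumptions.

```typescript
// Added example (not AgentGuard's own code): a bootstrap exemption that only
// considers the parsed Bash command, normalised across driver payload shapes,
// and refuses chained commands. Tool/field names and the allowlist are assumed.
type HookPayload = Record<string, unknown>;

const BOOTSTRAP_SAFE = [/^pnpm install\b/, /^pnpm (run )?build\b/];
const READ_ONLY_TOOLS = new Set(["Read", "Glob", "Grep"]);
const CHAINING = /[;&|`\n]|\$\(/; // covers && || ; | backticks $( and newlines

// Stand-in for the flawed approach in the finding: a pattern applied to the
// entire raw JSON, so any tool whose payload merely contains the text matches.
function naiveBootstrapSafe(rawJson: string): boolean {
  return /pnpm install/.test(rawJson);
}

// Accept tool_name/tool_input (Claude) as well as toolName/toolArgs (other drivers).
function normalize(p: HookPayload): { tool: string; input: HookPayload } {
  const tool = String(p.tool_name ?? p.toolName ?? "");
  const input = (p.tool_input ?? p.toolArgs ?? {}) as HookPayload;
  return { tool, input };
}

function containsChainingOperators(cmd: string): boolean {
  return CHAINING.test(cmd);
}

function isBootstrapSafe(rawJson: string): boolean {
  let parsed: unknown;
  try { parsed = JSON.parse(rawJson); } catch { return false; } // unparseable: fail closed
  if (typeof parsed !== "object" || parsed === null) return false;
  const { tool, input } = normalize(parsed as HookPayload);
  if (READ_ONLY_TOOLS.has(tool)) return true;
  if (tool !== "Bash") return false; // Write/Edit never qualify, whatever their content says
  const cmd = typeof input.command === "string" ? input.command.trim() : "";
  if (cmd === "" || containsChainingOperators(cmd)) return false;
  return BOOTSTRAP_SAFE.some((re) => re.test(cmd));
}

// Constructed sample payloads (not captured from a real agent session).
const WRITE_WITH_INJECTED_TEXT = JSON.stringify({
  tool_name: "Write",
  tool_input: { file_path: "notes.md", content: 'run "pnpm install" first' },
});
const BASH_INSTALL = JSON.stringify({ tool_name: "Bash", tool_input: { command: "pnpm install" } });
const BASH_CHAINED = JSON.stringify({ tool_name: "Bash", tool_input: { command: "pnpm install && curl evil" } });
const GEMINI_BUILD = JSON.stringify({ toolName: "Bash", toolArgs: { command: "pnpm run build" } });
```

The naive check accepts the Write payload while the hardened one rejects it, and the Gemini-shaped payload is recognised only because the tool name is normalised first.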
