Fix agent CLI self-command allowlist#98

Merged

Mr-Lucky merged 4 commits into main from fix/agent-cli-self-commands on May 28, 2026

Conversation

@Mr-Lucky
Contributor

Summary

  • Allow AgentGuard and supported agent CLI management commands to bypass runtime interception
  • Support additional OpenClaw/Hermes-style payload shapes such as args.cmd, cmd, toolInput, and input.command
  • Make runtime allowedCommandPatterns effective while preserving compound/multiline command blocking
  • Add regression coverage for agent CLI allowlisting, OpenClaw argument parsing, and compound command safety

Testing

  • npm run build
  • npm test

Type

  • Bug fix
  • New feature / detection rule
  • Refactoring
  • Documentation

Testing

  • npm run build passes
  • npm test passes (32 tests)
  • Manually tested the change

Related Issues

Closes #

@Mr-Lucky Mr-Lucky merged commit 9f5f1db into main May 28, 2026
4 checks passed
@github-actions

AgentGuard PR Review

I found one actionable issue in the runtime allowlist changes.

  1. severity: high. src/runtime/self-command.ts / src/runtime/evaluator.ts (SUPPORTED_AGENT_COMMANDS, matchesAllowedCommand)
    • What can go wrong: The new allowlist treats several external CLIs (cursor, gemini, copilot, gh copilot) as “AgentGuard self-commands” and also allows any shell command whose normalized prefix matches an allowed pattern. This can bypass protection for commands that are not actually AgentGuard management commands. For example, cursor --version or gh copilot explain ... will now be skipped/auto-allowed even though they may invoke unrelated third-party tools with their own side effects. In addition, the prefix-match behavior can approve broader commands than intended when a pattern is too generic.
    • Concrete fix: Restrict self-command detection to the actual AgentGuard binaries/subcommands only, and do not broaden the command allowlist to unrelated tools. If these CLIs must be supported, require exact, explicitly enumerated subcommands or a structured command parser rather than prefix/glob matching against raw shell text.

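The review bot's two objections (raw-text prefix matching against allowed patterns, and treating third-party CLIs as self-commands) and the PR summary's payload-shape extraction and compound/multiline blocking, shown together in one added TypeScript example. This is not AgentGuard's code and does not reflect what the merged commits actually do; every name (`extractCommand`, `isCompoundCommand`, `tokenize`, `matchesAllowedPrefix`, `matchesAllowedExact`, `isSelfCommand`, `evaluate`), the `agentguard` binary and its subcommand set, and the allowlist entries are assumptions or constructed sample data.

```typescript
// Added example, not AgentGuard's own code. Every name below is hypothetical;
// the allowlist, binary names, subcommands and payloads are constructed samples.

type ToolPayload = Record<string, unknown>;
type Decision = { allow: boolean; reason: string };

function nested(payload: ToolPayload, key: string): ToolPayload | undefined {
  const v = payload[key];
  return typeof v === "object" && v !== null ? (v as ToolPayload) : undefined;
}

// Pull the shell command out of the payload shapes the PR lists:
// args.cmd, cmd, toolInput, input.command (plus args.command / command).
function extractCommand(payload: ToolPayload): string | null {
  const candidates: unknown[] = [
    nested(payload, "args")?.command,
    nested(payload, "args")?.cmd,
    payload.cmd,
    payload.command,
    payload.toolInput,
    nested(payload, "input")?.command,
  ];
  for (const c of candidates) {
    if (typeof c === "string" && c.trim() !== "") return c.trim();
  }
  return null;
}

// Anything that can chain, pipe, redirect or substitute is refused outright;
// an allowlist decision only makes sense for one simple command.
const COMPOUND_RE = /[\r\n;|&`$<>]/;
function isCompoundCommand(cmd: string): boolean {
  return COMPOUND_RE.test(cmd);
}

// Minimal POSIX-style word splitting (quotes and backslash escapes).
// Returns null on an unterminated quote rather than guessing.
function tokenize(cmd: string): string[] | null {
  const tokens: string[] = [];
  let cur = "";
  let inToken = false;
  let quote: '"' | "'" | null = null;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd.charAt(i);
    if (quote !== null) {
      if (ch === quote) quote = null;
      else if (ch === "\\" && quote === '"' && i + 1 < cmd.length) cur += cmd.charAt(++i);
      else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      inToken = true;
    } else if (ch === "\\" && i + 1 < cmd.length) {
      cur += cmd.charAt(++i);
      inToken = true;
    } else if (/\s/.test(ch)) {
      if (inToken) { tokens.push(cur); cur = ""; inToken = false; }
    } else {
      cur += ch;
      inToken = true;
    }
  }
  if (quote !== null) return null;
  if (inToken) tokens.push(cur);
  return tokens;
}

// The behaviour the review bot flags: a pattern is a raw text prefix, so
// "npm run build" also approves "npm run build-and-deploy".
function matchesAllowedPrefix(cmd: string, patterns: string[]): boolean {
  const normalized = cmd.replace(/\s+/g, " ").trim();
  return patterns.some((p) => normalized.startsWith(p));
}

// Structured alternative: an allowlist entry is an argv prefix compared
// token by token, so a match can only end on a word boundary.
function matchesAllowedExact(argv: string[], allowed: string[][]): boolean {
  return allowed.some(
    (entry) => entry.length <= argv.length && entry.every((tok, i) => argv[i] === tok),
  );
}

// Self-commands are the tool's own binary plus an enumerated subcommand set,
// never third-party CLIs such as cursor or gh. Names here are assumed.
const SELF_BINARIES = new Set(["agentguard", "/usr/local/bin/agentguard"]);
const SELF_SUBCOMMANDS = new Set(["status", "allow", "deny"]);
function isSelfCommand(argv: string[]): boolean {
  return argv.length >= 2 && SELF_BINARIES.has(argv[0] ?? "") && SELF_SUBCOMMANDS.has(argv[1] ?? "");
}

function evaluate(payload: ToolPayload, allowed: string[][]): Decision {
  const cmd = extractCommand(payload);
  if (cmd === null) return { allow: false, reason: "no command in payload" };
  if (isCompoundCommand(cmd)) return { allow: false, reason: "compound or multiline command" };
  const argv = tokenize(cmd);
  if (argv === null || argv.length === 0) return { allow: false, reason: "unparseable command" };
  if (isSelfCommand(argv)) return { allow: true, reason: "agentguard management command" };
  if (matchesAllowedExact(argv, allowed)) return { allow: true, reason: "matches allowlist entry" };
  return { allow: false, reason: "not allowlisted" };
}

// Constructed sample allowlist: each entry is an exact argv prefix.
const ALLOWED: string[][] = [["git", "status"], ["npm", "run", "build"], ["npm", "test"]];
```

The compound check runs before tokenizing, so a pattern can never be consulted for text that a shell would split into more than one command; the cost is that commands legitimately using `$VAR` or a pipe are refused too, which is the intended trade-off for a runtime interceptor. The self-command check compares the literal argv[0] against a fixed set rather than its basename, so `./tmp/agentguard status` does not pass.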