Kai Siren 13128f15cb
feat(hook): route bare nix to the coily pkg nix wrapper
Companion to coilysiren/coily#320. Adds nix to coilyRoutes so the
PreToolUse hook hands a bare nix invocation a recovery hint pointing
at the audited coily pkg nix passthrough. Keeps coilyRoutes aligned
with coily's wrapperRecovery, which an alignment test enforces.

closes #29

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 06:12:16 -07:00

agent-guard

A general-purpose cli-guard consumer for repos that accept external contributions. Sits between AI agents (or any semi-trusted automation) and the host system, with no maintainer-specific allowlists.

agent-guard is to external contributors what coily is to Kai's own machines: a thin, audited wrapper around the cli-guard primitives. coily ships personal verbs (homelab SSH, vault paths, deploy hooks). agent-guard ships only verbs that make sense to any contributor walking up to a repo cold.

Status

v0. Not yet wired into any downstream. First adopter target is the urfave/cli namespaced repos (cli-mcp, cli-web-docs, cli-web-ops).

What it does

Wraps a small, fixed set of dev verbs (build, test, vet, lint, tidy) behind cli-guard's policy gate. Every invocation:

  • rejects any argv that contains shell metacharacters
  • writes one append-only JSONL audit row
  • binds to a git toplevel via --commit-scope
  • refuses repo-shaped verbs on a dirty tree

Downstream repos add a .agent-guard/agent-guard.yaml listing which Makefile targets are exposed. The contract is verified by agent-guard lint.

Install

brew tap coilysiren/agent-guard https://github.com/coilysiren/agent-guard
brew install coilysiren/agent-guard/agent-guard

The explicit-URL brew tap form is required because this repo isn't homebrew-* prefixed.

Usage

agent-guard exec build
agent-guard exec test
agent-guard lint

See docs/ for the full verb list and examples/ for runnable demos.

Claude Code PreToolUse hook

agent-guard hook pre-tool-use is a stdin-driven Claude Code hook that does two things:

  1. Binary-path check. Required by default. When the agent invokes agent-guard or coily directly, the hook resolves the binary via command -v and refuses to let it run unless the resolved path is one of the canonical homebrew install paths. This blocks PATH-hijack attacks where a malicious agent-guard or coily earlier on $PATH would otherwise execute. agent-guard ships with maximum-security defaults; this check is on, no flag, no config.
  2. Routing-hint surface. Catches bare invocations of wrapped binaries (make, gh, aws, kubectl, ...) and surfaces a recovery hint to the agent before it shops around for other shell shapes. The hint names the wrapper the agent should use. The active table is picked by whether cwd lives under a repo carrying .agent-guard/agent-guard.yaml or .coily/coily.yaml.

No network, no state. Failure modes (unparseable payload, missing fields, no matching route, binary absent from PATH) pass through silently. Hard denial stays the job of permissions.deny in the consuming repo's .claude/settings.json.
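As an added illustration (not the project's own code), here is a minimal Go sketch of the two checks above: a PreToolUse payload arrives on stdin, the first token of the command is classified, and the outcome is a denial (binary-path check), a hint (routing table), or silence (every failure mode). The Homebrew directories, the routing entries, the payload field names and the exit-2 convention are assumptions; only the first token is inspected, and the cwd-based choice between the agent-guard and coily tables is left out.

```go
package main
import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)
// Assumed canonical Homebrew bin dirs and routing table; the project's own lists may differ.
var canonicalDirs = map[string]bool{"/opt/homebrew/bin": true, "/usr/local/bin": true, "/home/linuxbrew/.linuxbrew/bin": true}
var routes = map[string]string{"make": "agent-guard exec <target>", "nix": "coily pkg nix", "gh": "coily gh"}
type payload struct { // subset of the Claude Code PreToolUse payload (field names assumed)
	ToolName  string                                `json:"tool_name"`
	ToolInput struct{ Command string `json:"command"` } `json:"tool_input"`
}
// evaluate returns (deny, message); both zero values mean silent pass-through. lookPath is injected for tests.
func evaluate(raw []byte, lookPath func(string) (string, error)) (bool, string) {
	var p payload
	if err := json.Unmarshal(raw, &p); err != nil || p.ToolName != "Bash" {
		return false, "" // unparseable payload or not a shell call
	}
	first := append(strings.Fields(p.ToolInput.Command), "")[0] // "" when the command is blank
	bin := filepath.Base(first)                                  // "" becomes "." and matches nothing below
	if bin == "agent-guard" || bin == "coily" {
		resolved, err := lookPath(first)
		if err != nil {
			return false, "" // absent from PATH: the shell will fail on its own
		}
		if canonicalDirs[filepath.Dir(resolved)] {
			return false, ""
		}
		return true, fmt.Sprintf("%s resolved to %s, not a homebrew install path", bin, resolved)
	}
	if hint, ok := routes[bin]; ok {
		return false, fmt.Sprintf("bare %s is wrapped here; use `%s`", bin, hint)
	}
	return false, ""
}
func main() { // stdin in, message on stderr, exit 2 blocks the call (assumed hook convention)
	raw, _ := io.ReadAll(os.Stdin)
	if deny, msg := evaluate(raw, exec.LookPath); msg != "" {
		fmt.Fprintln(os.Stderr, msg)
		if deny {
			os.Exit(2)
		}
	}
}
```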

Register the hook with one command (idempotent, safe to re-run, preserves unrelated keys):

agent-guard install-hooks

This writes the PreToolUse entry into <git-toplevel>/.claude/settings.json. Pass --path <file> to target a different settings.json, --dry-run to preview the merged content, or --check (exit non-zero when the hook is not yet registered, for CI).

Or hand-roll the entry:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          { "type": "command", "command": "agent-guard hook pre-tool-use" }
        ]
      }
    ]
  }
}
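The merge semantics install-hooks promises (idempotent, preserves unrelated keys, a no-change result for --check), shown as an added Go example rather than the project's own implementation: existing settings are parsed into a generic map, the PreToolUse entry from the snippet above is appended only if no entry already carries the hook command, and the caller learns whether anything changed. File I/O and the real flag handling are left to the caller.

```go
package main
import "encoding/json"
const hookCmd = "agent-guard hook pre-tool-use"
// The PreToolUse element from the README, kept as a generic map so it round-trips
// through encoding/json alongside whatever else the file already holds.
var hookEntry = map[string]any{
	"matcher": "Bash",
	"hooks":   []any{map[string]any{"type": "command", "command": hookCmd}},
}
// registered reports whether any existing PreToolUse entry already carries hookCmd.
func registered(pre []any) bool {
	for _, e := range pre {
		entry, _ := e.(map[string]any)
		hooks, _ := entry["hooks"].([]any)
		for _, h := range hooks {
			if m, _ := h.(map[string]any); m["command"] == hookCmd {
				return true
			}
		}
	}
	return false
}
// ensureHook merges the entry into raw settings.json content and returns the new
// content plus whether a change was needed (changed == false is the --check success case).
// Unrelated keys and other PreToolUse entries are passed through untouched.
func ensureHook(raw []byte) ([]byte, bool, error) {
	settings := map[string]any{}
	if len(raw) > 0 { // an absent or empty file starts from {}
		if err := json.Unmarshal(raw, &settings); err != nil {
			return nil, false, err
		}
	}
	hooks, _ := settings["hooks"].(map[string]any)
	if hooks == nil {
		hooks = map[string]any{}
	}
	pre, _ := hooks["PreToolUse"].([]any)
	if registered(pre) {
		return raw, false, nil // idempotent: nothing to write
	}
	hooks["PreToolUse"] = append(pre, hookEntry)
	settings["hooks"] = hooks
	out, err := json.MarshalIndent(settings, "", "  ")
	return out, true, err
}
```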

Support

Bug or feature request: create a new issue. Conduct: CODE_OF_CONDUCT.md. Security: SECURITY.md. License: LICENSE.

See also

Cross-reference convention from coilysiren/agentic-os#59.