feat(agent-guard): deny commands that disable InnerWarden itself

[maiconburn]

What

The in-path command guard (POST /api/agent/check-command, the MCP innerwarden_check_command tool, and agent proxy --mode guard) previously returned allow / risk 0 for commands that disable InnerWarden — systemctl stop/mask innerwarden-*, pkill -f innerwarden, innerwarden uninstall, rm/truncate of its binaries/config/data/pinned-eBPF. So an AI coding agent wired through the guardrail could be talked into turning the monitor off without the guard objecting.

Change

New security_tooling_tamper signal (score 60 → deny) in crates/agent-guard:

• threats::check_security_tamper + SECURITY_TAMPER_INDICATORS + INNERWARDEN_SELF_PATHS, wired into analyze_command.
• Denies InnerWarden self-disable/removal and the universal defense-evasion verbs (stop auditd, setenforce 0, auditctl -e 0, disable AppArmor; MITRE T1562/T1489).
• File removal requires a destructive verb AND an InnerWarden path, so reads/greps under /etc/innerwarden stay allowed.
• Status reads and restarts (innerwarden get status, systemctl status/restart innerwarden-agent) are not flagged.

Why

Closes the command-layer half of the self-tamper gap found in the 2026-06-27 AI-coding-agent guardrail evaluation (a maintenance-framed systemctl stop was scored allow). The kernel-side mitre_hunt uid-0 self-stop carve-out is tracked separately.

Tests

• analyze_command_flags_innerwarden_self_disable — deny + high + security_tooling_tamper across service-stop/mask, pkill/killall, CLI uninstall/disable, rm/truncate of IW paths.
• analyze_command_flags_host_monitor_disable — deny on auditd/AppArmor/SELinux disable.
• analyze_command_allows_innerwarden_status_read — no deny / no tamper signal on status reads + restart.

make test green; cargo fmt --all + clippy -p innerwarden-agent-guard -D warnings clean.

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!