feat(ctl): innerwarden agent install-hook — enforce the guard in Claude Code#1129
Merged
Conversation
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
maiconburn
force-pushed
the
feat/agent-install-hook
branch
from
d4f61ec to
a681699
Compare
…de Code mcp-serve and the check-command endpoint are advisory; a coding agent running its raw shell tool bypasses them. New 'agent install-hook' wires the ENFORCING path: it writes a fail-closed guard script and a PreToolUse Bash hook into the agent's settings.json so every shell command the agent proposes is POSTed to the loopback check-command brain and blocked (exit 2) before it runs when dangerous. Currently supports Claude Code (~/.claude/settings.json); --settings/--url/--block-review override. Idempotent JSON merge preserves existing settings + hooks. Unit tests cover the merge (empty/idempotent/preserves/repairs) and the generated script (deny-only vs block-review, check-command call, fail-closed). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
maiconburn
force-pushed
the
feat/agent-install-hook
branch
from
a681699 to
40c77e8
Compare
esteves-uk
approved these changes
Jun 28, 2026
maiconburn
added a commit
that referenced
this pull request
Jun 28, 2026
…#1132) Bump workspace version 0.15.29 -> 0.15.30 and roll [Unreleased] into [0.15.30]. Contents: - agent-guard now denies commands that disable InnerWarden itself (#1127) - innerwarden agent install-hook: enforcing PreToolUse hook for Claude Code (#1129) - admin-action audit filename in UTC, not local time (#1128) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
agent mcp-serveandPOST /api/agent/check-commandare advisory — a coding agent running its raw shell tool never asks. Newinnerwarden agent install-hookwires the enforcing path for Claude Code:~/.config/innerwarden/claude_code_guard.sh) that POSTs each proposed shell command to the loopbackcheck-commandbrain,Bashhook into the agent'ssettings.json(~/.claude/settings.jsonby default) pointing at it.So every command the agent proposes is inspected before it runs and blocked (exit 2) when the verdict is
deny(orreviewwith--block-review); if the agent is unreachable the hook fails closed.Flags:
--agent(defaultclaude-code),--settings,--url(defaulthttps://127.0.0.1:8787),--block-review.Why
The 2026-06-27 AI-coding-agent guardrail evaluation showed the marketed guardrail only inspects MCP-proxied or check-command-POSTed calls; a raw-shell agent (
claude -p --dangerously-skip-permissions) bypassed it entirely. A deterministic PreToolUse hook is the in-path enforcement that survives the model misjudging a command. Proven live: an always-deny hook blocked the agent's shell tool even in headless mode, and acurl|shinstaller (check-commanddeny) was blocked.Tests
--block-review, the check-command call, fail-closed on error.cargo clippy -p innerwarden-ctl -D warnings+fmtclean.🤖 Generated with Claude Code