Skip to content

fix(agent-sec-core): override loongshield exit 0 on error + actionable ErrManifestMissing#1282

Open
zhangtaibo wants to merge 1 commit into
alibaba:mainfrom
zhangtaibo:fix/agent-sec-core-harden-exit-code
Open

fix(agent-sec-core): override loongshield exit 0 on error + actionable ErrManifestMissing#1282
zhangtaibo wants to merge 1 commit into
alibaba:mainfrom
zhangtaibo:fix/agent-sec-core-harden-exit-code

Conversation

@zhangtaibo

Copy link
Copy Markdown
Contributor

问题

Fixes #1280
Fixes #1281

agent-sec-cli harden 命令在调用 loongshield 后端时,HardeningBackend 直接透传 loongshield 的 exit code。但 loongshield 在遇到配置文件缺失或非 root 用户执行 reinforce 时仍返回 exit 0,导致 CLI 误报成功。同时 verify 命令的 ErrManifestMissing 错误信息缺乏可操作性提示。

修复

# hardening.py: 检测 [ERROR/ENFORCE-ERROR 输出并覆盖 exit code
+has_output_errors = bool(data.get("failures")) or bool(data.get("fixed_items"))
+has_error_lines = bool(re.search(r"\[ERROR", clean_output))
+effective_exit = proc.returncode
+if effective_exit == 0 and (has_output_errors or has_error_lines):
+    effective_exit = 1

# errors.py: ErrManifestMissing 增加可操作性提示
+f"  Cause: the skill directory has not been signed, or the manifest was deleted.\n"
+f"  Please run `agent-sec-cli sign-skill --skill {skill_name}` to create it,\n"
+f"  or use `agent-sec-cli verify --help` for usage details."

验证

# ECS fresh clone + apply patch + build
source /root/.cargo/env
git clone https://github.com/alibaba/anolisa.git && cd anolisa
git apply fix.patch
bash scripts/rpm-build.sh agent-sec-core
# → VERIFY_EXIT=0, 7 RPMs produced (agent-sec-cli-0.7.0-1.alnx4.x86_64.rpm 207M)

# Tests
cd /root/agentic-os-tests/agent-sec-core
python3 -m pytest tests/test_cli_harden.py tests/test_cli_verify.py -xvs
# → 9 passed, 0 failed

Co-Authored-By: Claude noreply@anthropic.com

…e ErrManifestMissing

Fixes alibaba#1280: HardeningBackend passthrough of loongshield exit 0 when
the tool encounters errors (invalid config, reinforce without root)
causes CLI to falsely report success. Now detects [ERROR/ENFORCE-ERROR
in output and overrides exit code to 1.

Fixes alibaba#1281: ErrManifestMissing error message lacked actionable guidance.
Now includes cause explanation and suggests sign-skill command.

Verified on ECS: fresh clone + apply patch + rpm-build.sh -> exit 0,
7 RPMs produced. All 9 pytest cases pass.

Co-Authored-By: Claude <noreply@anthropic.com>
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


zhangtaibo seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions Bot added the component:sec-core src/agent-sec-core/ label Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

component:sec-core src/agent-sec-core/

Projects

None yet

2 participants