Skip to content

Go kernel evaluate does not resolve pack: or YAML — needs flattened JSON #957

New issue
New issue
Closed
#1000
#1303
Closed
Go kernel evaluate does not resolve pack: or YAML — needs flattened JSON#957
#1000
#1303
Labels
agent:copilotAssigned to GitHub Copilot agentpriority:highHigh prioritytier:awaiting-reviewAwaiting senior review
@jpleva91

Description

@jpleva91
jpleva91
opened on Mar 25, 2026

Summary

The Go kernel binary (dist/go-bin/agentguard-go evaluate) only accepts flattened JSON rules on stdin. It does not resolve:

  • pack: essentials (or any pack)
  • YAML policy files
  • extends: chains

This means calling the Go kernel directly with a standard agentguard.yaml returns "No matching policy rule — default deny (fail-closed)" for all actions, including wildcard allows.

Repro

echo '{"action":"file.write","target":"foo.ts"}' | agentguard-go evaluate --policy agentguard.yaml
# Returns: {"allowed":false,"decision":"deny","reason":"No matching policy rule — default deny (fail-closed)"}

Expected

The Go kernel should either:

  1. Resolve packs/YAML internally (preferred for standalone usage)
  2. Or document that callers must pre-resolve via agentguard normalize and pipe JSON

Context

Found during dogfooding v2.7.3 on bench-devs-platform. Related to #955 (Go kernel not wired into hooks).

Impact

Anyone calling the Go binary directly (CI scripts, custom integrations) will get false deny-all behavior.

Metadata

Metadata

Assignees

No one assigned

    Labels

    agent:copilotAssigned to GitHub Copilot agentpriority:highHigh prioritytier:awaiting-reviewAwaiting senior review

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions