Closed
Description
Dogfood: Governance Denial Report
Agent: marketing-content-agent-cloud
Version: agentguard v2.7.3
Driver: claude-code
Repo: agentguard-cloud
Box: ubuntu-32gb-hil-1 / readybench
Exit code: 0
Denial details
**Run STOPPED — governance hook blocking all tool execution.**
This is a catch-22: I cannot run `pnpm install` to install the governance kernel because the governance hook blocks the Bash tool before the kernel is installed.
Policy (agentguard.yaml)
# AgentGuard policy — guardrails for AI coding agents.
# Customize this file to match your project's security requirements.
# Docs: https://github.com/AgentGuardHQ/agent-guard
id: default-policy
name: Default Safety Policy
description: Baseline guardrails for AI coding agents
severity: 4
rules:
  # Protected branches — prevent direct push to main/master
  - action: git.push
    effect: deny
    branches: [main, master]
    reason: Direct push to protected branch
  # No force push — prevent history rewriting
  - action: git.force-push
    effect: deny
    reason: Force push rewrites shared history
  # No hard reset — prevents loss of uncommitted work
  - action: git.reset-hard
    effect: deny
    reason: Hard reset destroys uncommitted work
  # Protected branch deletion — prevent deleting main/master
  - action: git.branch.delete
    effect: deny
    branches: [main, master]
    reason: Cannot delete protected branches
  # Secrets protection — block writes to sensitive files
  - action: file.write
    effect: deny
    target: .env
    reason: Secrets files must not be modified
  - action: file.write
    effect: deny
    target: ".npmrc"
    reason: npm credentials file must not be modified by agents
  - action: file.write
    effect: deny
    target: "id_rsa"
    reason: SSH private keys must not be modified
  - action: file.write
    effect: deny
    target: "id_ed25519"
    reason: SSH private keys must not be modified
  # Skill protection — prevent agent self-modification
  - action: file.write
    effect: deny
    target: ".claude/skills/"
    reason: Agent skill files are protected from modification
  - action: file.delete
    effect: deny
    target: ".claude/skills/"
    reason: Agent skill files are protected from deletion
  # Hook self-modification protection — prevent agent from altering its own governance hooks
  - action: file.write
    effect: deny
    target: ".claude/settings.json"
    reason: Agent must not modify its own hook configuration
  - action: file.write
    effect: deny
    target: ".claude/settings.local.json"
    reason: Agent must not modify its own hook configuration
  # Destructive command protection
  - action: shell.exec
    effect: deny
    target: rm -rf
    reason: Destructive shell commands blocked
  # Deployment protection
  - action: deploy.trigger
    effect: deny
    reason: Deploy actions require explicit authorization
  - action: infra.destroy
    effect: deny
    reason: Infrastructure destruction requires explicit authorization
  # ─── Allowed operations ──────────────────────────────────────────────
  # With default-deny enabled, actions without an explicit allow rule are
  # denied. The rules below cover standard development workflows.
  # Reading is always safe.
  - action: file.read
    effect: allow
    reason: Reading is always safe
  # File writes (subject to deny rules above for secrets/credentials).
  - action: file.write
    effect: allow
    reason: File writes allowed by default
  # File deletion (subject to deny rules above for skill files).
  - action: file.delete
    effect: allow
    reason: File deletion allowed by default
  # File move/rename.
  - action: file.move
    effect: allow
    reason: File move allowed by default
  # Shell commands (subject to deny rules above for rm -rf).
  - action: shell.exec
    effect: allow
    reason: Shell execution allowed by default
  # Git operations (subject to deny rules for protected branches).
  - action: git.diff
    effect: allow
    reason: Viewing diffs is always safe
  - action: git.commit
    effect: allow
    reason: Commits allowed by default
  - action: git.push
    effect: allow
    reason: Pushes allowed to non-protected branches
  - action: git.checkout
    effect: allow
    reason: Branch checkout allowed by default
  - action: git.branch.create
    effect: allow
    reason: Branch creation allowed by default
  - action: git.merge
    effect: allow
    reason: Merge allowed by default
  # Worktree operations — core to agent isolation strategy.
  - action: git.worktree.list
    effect: allow
    reason: Worktree listing is read-only and safe
  - action: git.worktree.add
    effect: allow
    reason: Worktree creation encouraged for isolated agent work
  - action: git.worktree.remove
    effect: allow
    reason: Worktree cleanup needed for housekeeping
  # Branch deletion (subject to deny rule for protected branches).
  - action: git.branch.delete
    effect: allow
    reason: Branch cleanup allowed for non-protected branches
  # Testing is always encouraged.
  - action:
      - test.run
      - test.run.unit
      - test.run.integration
    effect: allow
    reason: Running tests is always safe
  # Package management.
  - action: npm.install
    effect: allow
    reason: Package installation allowed by default
  - action: npm.script.run
    effect: allow
    reason: NPM script execution allowed by default
  # HTTP requests.
  - action: http.request
    effect: allow
    reason: HTTP requests allowed by default
  # ─── MCP tool invocations ────────────────────────────────────────────
  # Scheduled-tasks MCP — required for three-tier governance pipeline.
  - action: mcp.call
    effect: allow
    target: "scheduled-tasks"
    reason: Scheduled task management needed for tier review pipeline
  # Claude Preview MCP — browser preview tools.
  - action: mcp.call
    effect: allow
    target: "Claude_Preview"
    reason: Preview tools allowed for development
  # Playwright MCP — browser automation tools.
  - action: mcp.call
    effect: allow
    target: "plugin_playwright_playwright"
    reason: Playwright browser tools allowed for testing
  # Context7 MCP — documentation lookup.
  - action: mcp.call
    effect: allow
    target: "plugin_context7_context7"
    reason: Documentation lookup is always safe
  # MCP Registry — searching for MCP servers.
  - action: mcp.call
    effect: allow
    target: "mcp-registry"
    reason: Registry search is read-only and safe
telemetry:
  enabled: true
Persona (persona.env)
AGENTGUARD_PERSONA_DRIVER=claude
AGENTGUARD_PERSONA_MODEL=opus
AGENTGUARD_PERSONA_ROLE=jared
AGENTGUARD_PERSONA_PROJECT=agentguard-workspace
AGENTGUARD_PERSONA_TRUST_TIER=standard
AGENTGUARD_PERSONA_AUTONOMY=semi-autonomous
AGENTGUARD_PERSONA_RISK_TOLERANCE=moderate
AGENTGUARD_PERSONA_RUNTIME=claude-code
AGENTGUARD_PERSONA_PROVIDER=anthropic
AGENTGUARD_PERSONA_TAGS=jared,claude
AGENTGUARD_AGENT_NAME=claude:opus:jared
Hook settings (.claude/settings.json)
{
  "hooks": {
    "PreToolUse": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "bash scripts/claude-hook-wrapper.sh"
          }
        ]
      }
    ],
    "PostToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "agentguard claude-hook post --store sqlite"
          }
        ]
      }
    ],
    "SessionStart": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "bash scripts/session-persona-check.sh",
            "timeout": 5000,
            "blocking": true
          }
        ]
      },
      {
        "hooks": [
          {
            "type": "command",
            "command": "bash -c 'M=$(git rev-parse --path-format=absolute --git-common-dir); M=${M%/.git}; [ -f \"$M/.env\" ] && [ ! -f .env ] && cp \"$M/.env\" .env || true'",
            "timeout": 5000,
            "blocking": true
          }
        ]
      },
      {
        "hooks": [
          {
            "type": "command",
            "command": "agentguard status",
            "timeout": 10000,
            "blocking": false
          }
        ]
      }
    ],
    "Notification": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "agentguard claude-hook notify --store sqlite",
            "timeout": 15000,
            "blocking": false
          }
        ]
      }
    ],
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "agentguard claude-hook stop --store sqlite",
            "timeout": 15000,
            "blocking": false
          }
        ]
      }
    ]
  }
}
Log tail (last 50 lines)
[Thu Mar 26 12:31:55 PM UTC 2026] START: marketing-content-agent-cloud (driver=claude-code, timeout=900s, repo=agentguard-cloud, worktree=/home/readybench/agentguard-workspace/.worktrees/marketing-content-agent-cloud-1411857)
**Run STOPPED — governance hook blocking all tool execution.**
Every tool call (Glob, Bash, Read, etc.) is being rejected by the `scripts/claude-hook-wrapper.sh` pre-tool-use hook with:
> `AgentGuard kernel binary not found — governance cannot evaluate this action. Run: pnpm install`
This is a catch-22: I cannot run `pnpm install` to install the governance kernel because the governance hook blocks the Bash tool before the kernel is installed.
**Resolution requires human intervention:**
1. A human (or a session without the blocking hook) needs to run `pnpm install` in the worktree to bootstrap the AgentGuard kernel binary.
2. Alternatively, the hook in `settings.json` could be temporarily adjusted to allow bootstrapping commands before the kernel is present.
No skills were executed. No content was generated. No changes were made.
[Thu Mar 26 12:32:41 PM UTC 2026] FINISH: marketing-content-agent-cloud exit_code=0 (attempt 1/1)
[Thu Mar 26 12:32:41 PM UTC 2026] No commits, cleaning up branch
Auto-filed by run-agent.sh dogfood handler