Fix AgentGuard runtime cleanup flows#92

Merged
Mr-Lucky merged 3 commits into
mainfrom
fix/agentguard-runtime-cleanup
May 27, 2026
Conversation

@Mr-Lucky (Contributor)

Summary

  • Allow OpenClaw Agent JWT registration to start from detected OpenClaw runtimes without requiring an API key or prior AgentGuard init
  • Skip direct AgentGuard CLI/self commands in runtime hooks while keeping compound shell commands protected
  • Clean up managed threat-feed cron jobs and saved cron metadata during disconnect
  • Clarify Cloud auth status and Agent JWT/API-key behavior in CLI output and skill docs
  • Update changelog for the current branch changes

Tests

  • Not run in this pass

@Mr-Lucky Mr-Lucky merged commit 844e354 into main May 27, 2026
1 of 4 checks passed
@github-actions

AgentGuard PR Review

  1. severity: high, file: src/cli.ts (disconnect action, around the added removeThreatFeedCron(...) call)

    • What can go wrong: disconnect now invokes crontab -l/crontab - through the current environment before the config is cleared. In environments without a real crontab binary or with a malicious PATH, this can fail or execute the wrong program. Because disconnect is a security-sensitive cleanup path, that can leave scheduled threat-feed jobs installed or remove the wrong data.
    • Concrete fix: resolve and invoke a trusted absolute path for cron backends, or validate the executable against a known allowlist before running removal. If removal fails, surface a hard error and do not claim cleanup succeeded.
  2. severity: medium, file: src/feed/cron.ts (removeSystemThreatFeedCron, removeThreatFeedCronFromBackends)

    • What can go wrong: the system-cron removal only checks options.agentGuardHome and removes scripts/${jobId}.sh, but it does not verify that the crontab block actually belongs to the current AgentGuard home or that the block being removed matches the installed script path. If a user has multiple AgentGuard installs or a manually edited job with the same name, disconnect can delete the wrong cron entry or leave the active one behind.
    • Concrete fix: store and match an installation marker containing the home/path in the cron block, and only remove entries whose script path or marker exactly matches the current installation.
  3. severity: medium, files: src/runtime/self-command.ts and src/adapters/engine.ts / src/runtime/protect.ts

    • What can go wrong: the new self-command bypass treats any shell command that parses to agentguard or agentguard-mcp as safe, even when it is being invoked under a modified PATH. An attacker who can influence PATH/working directory could cause a non-AgentGuard binary with that name to be exempted from audit/blocking.
    • Concrete fix: only bypass when the command resolves to the actual installed AgentGuard executable path (or a verified package-managed shim), not just by basename.
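The three "concrete fix" suggestions above share one idea: decide by the resolved, canonical identity of a thing (an executable path, an installation marker) rather than by its name. The following is an added TypeScript example illustrating that pattern; it is not AgentGuard's own code, and every function name (`resolveExecutable`, `isTrustedSelfCommand`, `resolveTrustedCrontab`, `removeOwnedCronBlocks`) and the `# agentguard:begin home=...` / `# agentguard:end` marker format are assumptions made for the illustration. It only uses Node's standard `fs` and `path` modules and never spawns a process.

```typescript
// Added example (not AgentGuard's code): name-independent checks for the three
// review findings. Function names and the cron marker format are hypothetical.
import * as fs from "node:fs";
import * as path from "node:path";

// Resolve the first token of a command line against an explicit list of PATH
// directories and return its canonical (symlink-resolved) path, or null.
function resolveExecutable(commandLine: string, pathDirs: string[]): string | null {
  const first = commandLine.trim().split(/\s+/)[0];
  if (!first) return null;
  // A token containing a slash is a path; otherwise search the given dirs in order.
  const candidates = first.includes("/") ? [first] : pathDirs.map((d) => path.join(d, first));
  for (const candidate of candidates) {
    try {
      if (fs.statSync(candidate).isFile()) return fs.realpathSync(candidate);
    } catch {
      // Not present in this directory; keep searching.
    }
  }
  return null;
}

// Finding 3: exempt a command from runtime hooks only when it resolves to the
// exact installed AgentGuard executable. A same-named binary earlier in PATH
// resolves to a different canonical path and is therefore not exempted.
function isTrustedSelfCommand(commandLine: string, installedExecutable: string, pathDirs: string[]): boolean {
  const resolved = resolveExecutable(commandLine, pathDirs);
  if (resolved === null) return false;
  try {
    return resolved === fs.realpathSync(installedExecutable);
  } catch {
    // The installed executable itself is missing: never trust by name alone.
    return false;
  }
}

// Finding 1: choose the cron backend from a fixed allowlist of absolute paths
// instead of letting the caller's PATH decide. Returns null when none exists,
// so the disconnect flow can report a hard error rather than claim success.
function resolveTrustedCrontab(allowlist: string[]): string | null {
  for (const candidate of allowlist) {
    if (!path.isAbsolute(candidate)) continue;
    try {
      if (fs.statSync(candidate).isFile()) return fs.realpathSync(candidate);
    } catch {
      // Try the next allowlisted location.
    }
  }
  return null;
}

// Finding 2: each managed cron block is wrapped in marker comments naming the
// AgentGuard home that installed it. Removal only drops blocks whose marker
// matches the current home; other installs' blocks and user entries survive.
const BLOCK_BEGIN = /^# agentguard:begin home=(.+)$/;
const BLOCK_END = /^# agentguard:end$/;

function removeOwnedCronBlocks(crontab: string, home: string): { text: string; removed: number } {
  const kept: string[] = [];
  let removed = 0;
  let skipping = false;
  for (const line of crontab.split("\n")) {
    if (skipping) {
      if (BLOCK_END.test(line)) skipping = false;
      continue;
    }
    const begin = BLOCK_BEGIN.exec(line);
    if (begin && begin[1] === home) {
      skipping = true;
      removed++;
      continue;
    }
    kept.push(line);
  }
  // An unterminated block means the crontab is not in the shape we wrote; refuse
  // to guess rather than silently truncate everything after the marker.
  if (skipping) throw new Error("unterminated agentguard cron block");
  return { text: kept.join("\n"), removed };
}
```

In the disconnect path the caller would treat a `null` from `resolveTrustedCrontab` or a thrown error from `removeOwnedCronBlocks` as a failed cleanup and leave the saved cron metadata in place, which is the "do not claim cleanup succeeded" behaviour the review asks for.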

2 participants