new: agent governance scripts#4
Conversation
|
looks good to me. One issue I see if there is lot of variability in the methods to deliver the config, I guess it is necessary given the differences between OSes and MDMs |
Yeah, they are all based on the support matrix shared by the product. |
| if [ ! -d "$REPO/.git" ]; then | ||
| git init -q "$REPO" | ||
| git -C "$REPO" remote add origin "$REPO_URL" | ||
| fi | ||
| git -C "$REPO" fetch --depth 1 origin "$REF" | ||
| git -C "$REPO" -c advice.detachedHead=false checkout -f FETCH_HEAD |
There was a problem hiding this comment.
@sibicramesh what happens if there is no git? I'm assuming we tested this?
There was a problem hiding this comment.
Its going to fail somewhere but dont think we tested it. Git is a prereq with the scripts method and its documented. cc @prakhar-endor
There was a problem hiding this comment.
I would bet that many of the endpoints we deploy this to don't have git. Now they also likely wouldn't have Cursor, but from a hygiene perspective, I don't think IT / Security operators will want half-deployed guardrails even if there is minimal risk.
There was a problem hiding this comment.
afaik git and jq are two pre-requisites for it
|
|
||
| 1. **Library → Add New → Custom Script.** Paste the credential line, then the body of `scripts/runner.sh`: | ||
| ```sh | ||
| #!/bin/sh | ||
| export ENDOR_API_CREDENTIALS_KEY='…' ENDOR_API_CREDENTIALS_SECRET='…' ENDOR_NAMESPACE='…' | ||
| # …contents of scripts/runner.sh below (set AGENT=cursor, REF=<tag>)… | ||
| ``` | ||
| Single-quote the values so a `"`, `$`, or backtick can't break the assignment; if a value contains a single quote, write it as `'\''`. | ||
| 2. Set **Execution Frequency** to *Run every 15 min* or *Run daily*. | ||
| 3. Assign it to the target **Blueprint**. |
There was a problem hiding this comment.
Is there a script we can just copy and paste without messing with quotes?
There was a problem hiding this comment.
Yes, thats the intended purpose here. You just copy the runner.sh and embed it here. The quotes are only relevant when the values contain non alphanumeric characters and you will see shell errors.
| # installed binary ("endorctl"). | ||
| find "$DIR" -name 'endorctl-download-*' -mmin +60 -delete 2>/dev/null | ||
| TMP=$(mktemp "$DIR/endorctl-download-XXXXXX") || exit 1 | ||
| curl -fsSL --retry 5 --retry-connrefused --retry-all-errors -o "$TMP" "$URL" || { rm -f "$TMP"; exit 1; } |
There was a problem hiding this comment.
--retry-all-errors was introduced in curl version 7.71.0 , ubuntu 20.04 (lts) comes bundled with v7.68.0 so won't work out of the box there , we'll need to define in docs clearly to use curl > 7.71.0
Fix Windows endorctl install and Cursor hook enforcement
| env: ({ | ||
| AGENT_HOOK_ENDOR_API: $url, | ||
| AGENT_HOOK_ENDOR_API_CREDENTIALS_KEY: $key, | ||
| AGENT_HOOK_ENDOR_API_CREDENTIALS_SECRET: $secret, | ||
| AGENT_HOOK_ENDOR_NAMESPACE: $ns | ||
| } + $envobj), |
There was a problem hiding this comment.
The issue
render.sh builds Claude's env block by merging the dedicated-flag credentials with the --env object:
env: ({
AGENT_HOOK_ENDOR_API: $url,
AGENT_HOOK_ENDOR_API_CREDENTIALS_KEY: $key,
AGENT_HOOK_ENDOR_API_CREDENTIALS_SECRET: $secret,
AGENT_HOOK_ENDOR_NAMESPACE: $ns
} + $envobj), # <-- $envobj is the RIGHT operand
Two facts combine into the bug:
- jq's object + is right-biased — on a key collision, the right operand ($envobj, built from --env) wins (step 5 below).
- add_env (render.sh:49–54) only validates key characters, not reserved names — so
AGENT_HOOK_ENDOR_API_CREDENTIALS_KEYis accepted as an ordinary --env key (step 4, exit 0).
Net effect: a --env whose key matches one of the AGENT_HOOK_ENDOR_* variables silently overrides the corresponding --api-key / --api-secret / --namespace / --api-url flag, with no warning. The Claude hooks read those exact variables at runtime (--api-key "$AGENT_HOOK_ENDOR_API_CREDENTIALS_KEY", step 6), so the audit actually runs with the overriding value.
4 participants
RFC: https://endorlabs.atlassian.net/wiki/x/FIBlbQ
Full agent governance suite