From fe1b1d79557ead8229237818e8cf707df8e0cf1b Mon Sep 17 00:00:00 2001 From: CoderDeltaLAN Date: Wed, 17 Jun 2026 01:04:49 +0100 Subject: [PATCH] fix: generate governance-compliant AGENTS baseline --- CHANGELOG.md | 1 + src/agent_rules_kit/init_write.py | 29 +++++++++++++++++++++++++---- tests/test_init_write.py | 20 ++++++++++++++++++++ 3 files changed, 46 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f68e803..88915e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ This project has a published GitHub Release line, but no stable support or API g ### Fixed +- Updated generated `AGENTS.md` baseline content so `init --write` no longer creates instructions that fail the current governance scope or authority check. - Fixed secret redaction pattern order so Anthropic-style `sk-ant-` keys match the specific Anthropic pattern before the generic `sk-` pattern. - Tightened governance regex coverage for review/CI bypass, unsafe command guidance, and runtime network or LLM dependency findings. - Expanded secret-like token redaction coverage. diff --git a/src/agent_rules_kit/init_write.py b/src/agent_rules_kit/init_write.py index 92d371f..504bf09 100644 --- a/src/agent_rules_kit/init_write.py +++ b/src/agent_rules_kit/init_write.py @@ -10,11 +10,32 @@ BASELINE_AGENTS_CONTENT = """# Agent Instructions -This repository uses baseline agent instructions generated by agent-rules-kit. +These baseline instructions were generated by agent-rules-kit. +Review and adapt them before relying on them for a specific project. -- Read the repository before changing files. -- Do not run destructive commands unless explicitly requested. -- Do not add secrets, tokens, credentials, or private data. +## Scope + +These instructions apply from the repository root unless a more specific instruction file +defines a narrower scope. + +## Authority + +Follow explicit user requests first. Then follow this file and any more specific +instruction files for the files being changed. + +## Secret handling + +Do not commit, print, or log secrets, tokens, credentials, API keys, private URLs, or private data. + +## Command execution + +Read the repository before changing files. +Ask for explicit confirmation before destructive commands or broad filesystem changes. + +## Review and CI + +Keep the repository review process, CI requirements, branch protection, and maintainer +approval intact. """ diff --git a/tests/test_init_write.py b/tests/test_init_write.py index ada13cb..6b99652 100644 --- a/tests/test_init_write.py +++ b/tests/test_init_write.py @@ -1,9 +1,13 @@ from __future__ import annotations +import io +import json import tempfile import unittest +from contextlib import redirect_stdout from pathlib import Path +from agent_rules_kit.cli import main from agent_rules_kit.init_plan import InitPlanAction from agent_rules_kit.init_write import BASELINE_AGENTS_CONTENT, write_init_files @@ -70,6 +74,22 @@ def test_write_init_files_rejects_missing_root(self) -> None: with self.assertRaises(ValueError): write_init_files(missing_root) + def test_generated_baseline_passes_current_governance_check(self) -> None: + with tempfile.TemporaryDirectory() as temporary_directory: + repository = Path(temporary_directory) + + write_init_files(repository) + + stdout = io.StringIO() + with redirect_stdout(stdout): + exit_code = main(["check", str(repository), "--format", "json"]) + + payload = json.loads(stdout.getvalue()) + + self.assertEqual(exit_code, 0) + self.assertEqual(payload["summary"]["finding_count"], 0) + self.assertEqual(payload["findings"], []) + if __name__ == "__main__": unittest.main()