Feat/network policy improvements#101

Merged: Mr-Lucky merged 4 commits into main from feat/network-policy-improvements, Jun 5, 2026

Conversation

@Mr-Lucky (Contributor) commented Jun 5, 2026

Summary

Add runtime network anomaly detection and improve network policy handling.

This PR:

  • Treats GET/HEAD/OPTIONS network requests as low-risk read operations while elevating DELETE and risky mutating requests appropriately.
  • Adds local runtime detection for network behavior and response anomalies, including request bursts, replayed requests, token domain sweeps, large responses, malicious response bodies, MIME mismatches, and credential echo.
  • Runs post-tool runtime evaluation for Hermes and OpenClaw network responses, recording completed-call anomalies as warnings.
  • Improves blocked-domain matching with structured host/path checks to avoid substring false positives.
  • Adds CLI warnings when cached network.defaultOutbound policy may interrupt ordinary external reads.

Type

  • Bug fix
  • New feature / detection rule
  • Refactoring
  • Documentation

Testing

  • npm run build passes
  • npm test passes (373 tests)
  • Manually tested the change

Related Issues

Closes #
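To make the first and fourth bullets of the summary concrete, here is an added example (written for this review, not code from this PR or from the project) showing the difference between substring blocked-domain matching and structured host/path matching, alongside the GET/HEAD/OPTIONS vs DELETE risk tiering. The rule shape (`BlockRule`), the sample rule list and the function names are assumptions; the project's real policy format is not shown on this page.

```typescript
// Added example, not the project's own code. Rule shape, names and sample
// rules are assumptions used only to illustrate the matching behaviour.
type Risk = "low" | "medium" | "high";

interface BlockRule {
  host: string;        // exact host, or with a leading "." the host and all its subdomains
  pathPrefix?: string; // optional path prefix that must also match (segment-aligned)
}

// Constructed sample policy for the demo below.
const SAMPLE_RULES: BlockRule[] = [
  { host: ".evil.example" },
  { host: "api.internal", pathPrefix: "/admin" },
];

// Read-only methods are low risk; DELETE is elevated; other mutating methods sit in between.
function methodRisk(method: string): Risk {
  const m = method.toUpperCase();
  if (m === "GET" || m === "HEAD" || m === "OPTIONS") return "low";
  if (m === "DELETE") return "high";
  return "medium"; // POST, PUT, PATCH and anything unrecognised
}

// The substring approach: matches anywhere in the URL string, including
// unrelated hosts, query parameters and longer path names (false positives).
function naiveBlocked(url: string, rules: BlockRule[]): boolean {
  return rules.some((r) => url.toLowerCase().includes(r.host.replace(/^\./, "").toLowerCase()));
}

function parseUrl(url: string): URL | null {
  try {
    return new URL(url);
  } catch (e) {
    return null;
  }
}

function hostMatches(hostname: string, pattern: string): boolean {
  const h = hostname.toLowerCase();
  const p = pattern.toLowerCase();
  if (p.startsWith(".")) {
    // ".evil.example" matches "evil.example" and "*.evil.example", but not "notevil.example"
    return h === p.slice(1) || h.endsWith(p);
  }
  return h === p;
}

function pathMatches(pathname: string, prefix?: string): boolean {
  if (!prefix) return true;
  // Segment-aligned so "/admin" does not match "/administrator".
  const withSlash = prefix.endsWith("/") ? prefix : prefix + "/";
  return pathname === prefix || pathname.startsWith(withSlash);
}

// The structured approach: parse first, then compare hostname and path separately.
// An unparseable target is treated as blocked (fail closed).
function structuredBlocked(url: string, rules: BlockRule[]): boolean {
  const parsed = parseUrl(url);
  if (!parsed) return true;
  return rules.some((r) => hostMatches(parsed.hostname, r.host) && pathMatches(parsed.pathname, r.pathPrefix));
}

// Side-by-side comparison over constructed URLs; returns one row per URL.
function compareMatchers(urls: string[]): Array<{ url: string; naive: boolean; structured: boolean }> {
  return urls.map((url) => ({
    url,
    naive: naiveBlocked(url, SAMPLE_RULES),
    structured: structuredBlocked(url, SAMPLE_RULES),
  }));
}
```

Running `compareMatchers` over URLs such as `https://notevil.example/` or `https://safe.example/?next=evil.example` shows the substring matcher flagging both while the structured matcher blocks only genuine `evil.example` hosts and the `/admin` subtree of `api.internal`.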

github-actions Bot commented Jun 5, 2026

AgentGuard PR Review

  1. [severity: high] src/runtime/protect.ts (normalizePostToolDecision and postToolCall handling)

    • What can go wrong: post-phase evaluations are forcibly downgraded from block/require_approval to warn. That means a malicious or anomalous network response can no longer stop tool execution or require user approval after the fact, even when the runtime detector classifies it as critical.
    • Concrete fix: do not rewrite the decision for post-phase runs. If post-phase is meant to be non-blocking, keep the original decision in logs and introduce a separate “display-only” field instead of mutating enforcement state.
  2. [severity: high] src/runtime/evaluator.ts (loadNetworkBehaviorState, saveNetworkBehaviorState, __resetNetworkBehaviorForTests)

    • What can go wrong: network behavior state is loaded from disk once and then appended/saved without any locking or atomic write strategy. Concurrent agent actions can corrupt the JSON file or lose events, causing anomaly detection to miss burst/replay/token-sweep patterns.
    • Concrete fix: write to a temp file and rename atomically, and add file locking or a per-process in-memory store with periodic sync. At minimum, validate and recover from partial writes instead of silently clearing the event buffer on parse errors.
  3. [severity: medium] src/runtime/evaluator.ts (networkBehaviorReasons token sweep/replay detection)

    • What can go wrong: the code stores raw hostnames and hashes derived from request inputs in a persistent file under the AgentGuard home directory. This creates a durable local record of sensitive network activity and credential-derived hashes, which may be accessible to other processes or backups.
    • Concrete fix: minimize persistence by storing only aggregated counters or short-lived ephemeral state, and ensure the state file permissions are enforced before any write/read. Avoid persisting hashes of credential-like values unless strictly necessary.
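Findings 2 and 3 both concern the on-disk network behavior state file. As an added example (not code from this PR or from the project), this is the write-to-temp-then-rename pattern the review asks for, with the file created private before any content is written, an fsync before the rename, and a recovery path that sets a torn file aside for inspection instead of silently clearing the event buffer. The event shape, file names and function names (`NetworkEvent`, `saveEventsAtomic`, `loadEventsSafely`, `runDemo`) are assumptions; the project's actual state format is not shown on this page.

```typescript
// Added example, not the project's own code. Event shape and names are assumptions.
import { closeSync, existsSync, fsyncSync, mkdirSync, mkdtempSync, openSync,
         readFileSync, readdirSync, renameSync, statSync, writeFileSync } from "node:fs";
import { dirname, join } from "node:path";
import { tmpdir } from "node:os";

interface NetworkEvent { ts: number; host: string; method: string; }
interface LoadResult { events: NetworkEvent[]; recovered: boolean; }

// Atomic save: content lands in a private temp file, is flushed, then renamed
// over the state path. Readers see either the old file or the new one, never a torn write.
function saveEventsAtomic(statePath: string, events: NetworkEvent[]): void {
  mkdirSync(dirname(statePath), { recursive: true, mode: 0o700 });
  const tmp = `${statePath}.${process.pid}.${Date.now()}.tmp`;
  const fd = openSync(tmp, "w", 0o600); // owner-only from the first byte
  try {
    writeFileSync(fd, JSON.stringify(events));
    fsyncSync(fd);
  } finally {
    closeSync(fd);
  }
  renameSync(tmp, statePath); // atomic replace on POSIX filesystems
}

// Tolerant load: a file that does not parse (e.g. left by an older non-atomic
// writer or a crash) is preserved under a .corrupt-* name and reported as recovered.
function loadEventsSafely(statePath: string): LoadResult {
  if (!existsSync(statePath)) return { events: [], recovered: false };
  const raw = readFileSync(statePath, "utf8");
  try {
    const parsed: unknown = JSON.parse(raw);
    if (Array.isArray(parsed)) return { events: parsed as NetworkEvent[], recovered: false };
  } catch (e) {
    // fall through to recovery
  }
  renameSync(statePath, `${statePath}.corrupt-${Date.now()}`);
  return { events: [], recovered: true };
}

// Stand-alone demo on a scratch directory: a round trip, a permission check,
// and recovery from a constructed torn write.
function runDemo(): { roundTripOk: boolean; modePrivate: boolean; recoveredFromTornWrite: boolean; corruptFileKept: boolean } {
  const dir = mkdtempSync(join(tmpdir(), "agentguard-demo-"));
  const statePath = join(dir, "state", "network-events.json");

  // Constructed sample events.
  const events: NetworkEvent[] = [
    { ts: 1, host: "api.example", method: "GET" },
    { ts: 2, host: "api.example", method: "DELETE" },
  ];
  saveEventsAtomic(statePath, events);
  const loaded = loadEventsSafely(statePath);
  const roundTripOk = !loaded.recovered && JSON.stringify(loaded.events) === JSON.stringify(events);
  const modePrivate = (statSync(statePath).mode & 0o777) === 0o600;

  // Simulate a torn write from a non-atomic writer: truncated JSON in place.
  writeFileSync(statePath, '[{"ts":3,"host":"api.exa');
  const afterTorn = loadEventsSafely(statePath);
  const corruptFileKept = readdirSync(dirname(statePath)).some((n) => n.includes(".corrupt-"));

  return {
    roundTripOk,
    modePrivate,
    recoveredFromTornWrite: afterTorn.recovered && afterTorn.events.length === 0,
    corruptFileKept,
  };
}
```

The same temp-and-rename step is what a per-process in-memory store would call on its periodic sync; locking across processes is a separate concern and is not shown here.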

@Mr-Lucky Mr-Lucky merged commit 029c407 into main Jun 5, 2026
4 checks passed