new: agent governance scripts#4
Open
sibicramesh wants to merge 7 commits into
Open
Conversation
|
looks good to me. One issue I see if there is lot of variability in the methods to deliver the config, I guess it is necessary given the differences between OSes and MDMs |
georgeap70
reviewed
Jun 15, 2026
Author
Yeah, they are all based on the support matrix shared by the product. |
| "hooks": { | ||
| "sessionStart": [ | ||
| { | ||
| "command": "powershell -NoProfile -EncodedCommand JABpAG4AIAA9ACAAWwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQAKACQAQgBpAG4AIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFACAAJwAuAGUAbgBkAG8AcgBjAHQAbABcAGUAbgBkAG8AcgBjAHQAbAAuAGUAeABlACcACgAkAHMAawBpAHAAIAA9ACAAJABmAGEAbABzAGUACgBpAGYAIAAoACQAZQBuAHYAOgBFAE4ARABPAFIAQwBUAEwAXwBTAEsASQBQAF8AVQBQAEQAQQBUAEUAIAAtAGEAbgBkACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAQgBpAG4AKQApACAAewAgACQAcwBrAGkAcAAgAD0AIAAkAHQAcgB1AGUAIAB9AAoAaQBmACAAKAAtAG4AbwB0ACAAJABzAGsAaQBwACkAIAB7AAoAIAAgAHMAdwBpAHQAYwBoACAAKAAkAGUAbgB2ADoAUABSAE8AQwBFAFMAUwBPAFIAXwBBAFIAQwBIAEkAVABFAEMAVABVAFIARQApACAAewAKACAAIAAgACAAJwBBAE0ARAA2ADQAJwAgAHsAIAAkAGEAcgBjAGgAIAA9ACAAJwBhAG0AZAA2ADQAJwAgAH0ACgAgACAAIAAgACcAQQBSAE0ANgA0ACcAIAB7ACAAJABhAHIAYwBoACAAPQAgACcAYQByAG0ANgA0ACcAIAB9AAoAIAAgACAAIABkAGUAZgBhAHUAbAB0ACAAewAgAGUAeABpAHQAIAAxACAAfQAKACAAIAB9AAoAIAAgACQAdQByAGwAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgBlAG4AZABvAHIAbABhAGIAcwAuAGMAbwBtAC8AZABvAHcAbgBsAG8AYQBkAC8AbABhAHQAZQBzAHQALwBlAG4AZABvAHIAYwB0AGwAXwB3AGkAbgBkAG8AdwBzAF8AJABhAHIAYwBoAC4AZQB4AGUAIgAKACAAIAAkAGEAcgBjAGgASwBlAHkAIAA9ACAAJwBBAFIAQwBIAF8AVABZAFAARQBfAFcASQBOAEQATwBXAFMAXwAnACAAKwAgACQAYQByAGMAaAAuAFQAbwBVAHAAcABlAHIAKAApAAoAIAAgACQAYwB1AHIAcgBlAG4AdAAgAD0AIAAnACcACgAgACAAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAQgBpAG4AKQAgAHsACgAgACAAIAAgAHQAcgB5ACAAewAKACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AIAAoACYAIAAkAEIAaQBuACAALQAtAHYAZQByAHMAaQBvAG4AIAAyAD4AJABuAHUAbABsACkAIAB8ACAAUwBlAGwAZQBjAHQALQBTAHQAcgBpAG4AZwAgAC0AUABhAHQAdABlAHIAbgAgACcAdgBlAHIAcwBpAG8AbgAnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAgACAAIAAgACAAIABpAGYAIAAoACQAbABpAG4AZQApACAAewAgACQAYwB1AHIAcgBlAG4AdAAgAD0AIAAoACQAbABpAG4AZQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAAtAHMAcABsAGkAdAAgACcAXABzACsAJwApAFsALQAxAF0AIAB9AAoAIAAgACAAIAB9ACAAYwBhAHQAYwBoACAAewB9AAoAIAAgAH0ACgAgACAAJABsAGEAdABlAHMAdAAgAD0AIAAnACcAOwAgACQAZQB4AHAAZQBjAHQAZQBkAFMAaABhACAAPQAgACcAJwAKACAAIAB0AHIAeQAgAHsACgAgACAAIAAgACQAbQBlAHQAYQAgAD0AIABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJwBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgBlAG4AZABvAHIAbABhAGIAcwAuAGMAbwBtAC8AbQBlAHQAYQAvAHYAZQByAHMAaQBvAG4AJwAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwAgADMAMAAKACAAIAAgACAAJABsAGEAdABlAHMAdAAgAD0AIABbAHMAdAByAGkAbgBnAF0AJABtAGUAdABhAC4AQwBsAGkAZQBuAHQAVgBlAHIAcwBpAG8AbgAKACAAIAAgACAAJABlAHgAcABlAGMAdABlAGQAUwBoAGEAIAA9ACAAWwBzAHQAcgBpAG4AZwBdACQAbQBlAHQAYQAuACQAYQByAGMAaABLAGUAeQAKACAAIAB9ACAAYwBhAHQAYwBoACAAewB9AAoAIAAgACQAdQBwAHQAbwBkAGEAdABlACAAPQAgACgAJABjAHUAcgByAGUAbgB0ACAALQBhAG4AZAAgACgAKAAtAG4AbwB0ACAAJABsAGEAdABlAHMAdAApACAALQBvAHIAIAAoACQAYwB1AHIAcgBlAG4AdAAgAC0AZQBxACAAJABsAGEAdABlAHMAdAApACkAKQAKACAAIABpAGYAIAAoAC0AbgBvAHQAIAAkAHUAcAB0AG8AZABhAHQAZQApACAAewAKACAAIAAgACAAaQBmACAAKAAkAGUAeABwAGUAYwB0AGUAZABTAGgAYQAgAC0AbgBvAHQAbQBhAHQAYwBoACAAJwBeAFsAMAAtADkAYQAtAGYAQQAtAEYAXQB7ADYANAB9ACQAJwApACAAewAgAGUAeABpAHQAIAAxACAAfQAKACAAIAAgACAAJABkAGkAcgAgAD0AIABTAHAAbABpAHQALQBQAGEAdABoACAAJABCAGkAbgAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0ARgBvAHIAYwBlACAALQBQAGEAdABoACAAJABkAGkAcgAgAHwAIABPAHUAdAAtAE4AdQBsAGwACgAgACAAIAAgACMAIABTAHcAZQBlAHAAIABsAGUAZgB0AG8AdgBlAHIAcwAgAGYAcgBvAG0AIABpAG4AdABlAHIAcgB1AHAAdABlAGQAIABwAGEAcwB0ACAAcgB1AG4AcwAuACAAQQBnAGUALQBnAGEAdABlAGQAIABzAG8AIABhACAAYwBvAG4AYwB1AHIAcgBlAG4AdAAKACAAIAAgACAAIwAgAHMAZQBzAHMAaQBvAG4AJwBzACAAaQBuAC0AZgBsAGkAZwBoAHQAIABkAG8AdwBuAGwAbwBhAGQAIABpAHMAIABuAGUAdgBlAHIAIABkAGUAbABlAHQAZQBkADsAIAB0AGgAZQAgAG4AYQBtAGUAIABjAGEAbgBuAG8AdAAgAG0AYQB0AGMAaAAgAHQAaABlAAoAIAAgACAAIAAjACAAaQBuAHMAdABhAGwAbABlAGQAIABiAGkAbgBhAHIAeQAgACgAIgBlAG4AZABvAHIAYwB0AGwALgBlAHgAZQAiACkALgAKACAAIAAgACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAZABpAHIAIAAtAEYAaQBsAHQAZQByACAAJwBlAG4AZABvAHIAYwB0AGwALQBkAG8AdwBuAGwAbwBhAGQALQAqACcAIAAtAEYAbwByAGMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAHwACgAgACAAIAAgACAAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAIAAkAF8ALgBMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBsAHQAIAAoAEcAZQB0AC0ARABhAHQAZQApAC4AQQBkAGQATQBpAG4AdQB0AGUAcwAoAC0ANgAwACkAIAB9ACAAfAAKACAAIAAgACAAIAAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0ARgBvAHIAYwBlACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlAAoAIAAgACAAIAAkAHQAbQBwACAAPQAgAEoAbwBpAG4ALQBQAGEAdABoACAAJABkAGkAcgAgACgAJwBlAG4AZABvAHIAYwB0AGwALQBkAG8AdwBuAGwAbwBhAGQALQAnACAAKwAgAFsASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApACkACgAgACAAIAAgAHQAcgB5ACAAewAgAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAHUAcgBsACAALQBPAHUAdABGAGkAbABlACAAJAB0AG0AcAAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwAgADEAMgAwACAAfQAgAGMAYQB0AGMAaAAgAHsAIABpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAAJAB0AG0AcAApACAAewAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0ARgBvAHIAYwBlACAAJAB0AG0AcAAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAgAH0AOwAgAGUAeABpAHQAIAAxACAAfQAKACAAIAAgACAAaQBmACAAKAAoAEcAZQB0AC0ARgBpAGwAZQBIAGEAcwBoACAALQBBAGwAZwBvAHIAaQB0AGgAbQAgAFMASABBADIANQA2ACAALQBQAGEAdABoACAAJAB0AG0AcAApAC4ASABhAHMAaAAgAC0AbgBlACAAJABlAHgAcABlAGMAdABlAGQAUwBoAGEAKQAgAHsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAEYAbwByAGMAZQAgACQAdABtAHAAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAOwAgAGUAeABpAHQAIAAxACAAfQAKACAAIAAgACAATQBvAHYAZQAtAEkAdABlAG0AIAAtAEYAbwByAGMAZQAgACQAdABtAHAAIAAkAEIAaQBuAAoAIAAgAH0ACgB9AAoAJABlAG4AdgA6AEUATgBEAE8AUgBfAEEASQBfAEEAVQBEAEkAVABfAEMAQQBDAEgARQBfAEUATgBBAEIATABFAEQAIAA9ACAAJwB0AHIAdQBlACcACgAkAGkAbgAgAHwAIAAmACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwALgBlAG4AZABvAHIAYwB0AGwAXABlAG4AZABvAHIAYwB0AGwALgBlAHgAZQAiACAALQAtAGEAcABpACAAJwBoAHQAdABwAHMAOgAvAC8AYQBwAGkALgBlAG4AZABvAHIAbABhAGIAcwAuAGMAbwBtACcAIAAtAC0AbgBhAG0AZQBzAHAAYQBjAGUAIAAnAHMAcABpAGQAZQByAG0AYQBuACcAIAAtAC0AYQBwAGkALQBrAGUAeQAgACcAUABFAFAARQAnACAALQAtAGEAcABpAC0AcwBlAGMAcgBlAHQAIAAnAFAAQQBQAEEAJwAgAGEAaQAtAGEAdQBkAGkAdAAgAGMAdQByAHMAbwByADsAIABlAHgAaQB0ACAAJABMAEEAUwBUAEUAWABJAFQAQwBPAEQARQA=" |
There was a problem hiding this comment.
this has hardcoded api-key and secret
--api 'https://api.endorlabs.com' --namespace 'spiderman' --api-key 'PEPE' --api-secret 'PAPA' ai-audit cursor; exit $LASTEXITCODE% at the end . Does that mean IT admin has to regenerate this BASE64 encoded string at their end for thier flavour of hooks.json ( with their api key and secret ) ??
Author
There was a problem hiding this comment.
No, the IT admins just pass the credentials to render.sh, and it takes care of generating a hooks config that's compatible with both the agent and the OS.
dpowley
reviewed
Jun 16, 2026
Comment on lines
+47
to
+52
| if [ ! -d "$REPO/.git" ]; then | ||
| git init -q "$REPO" | ||
| git -C "$REPO" remote add origin "$REPO_URL" | ||
| fi | ||
| git -C "$REPO" fetch --depth 1 origin "$REF" | ||
| git -C "$REPO" -c advice.detachedHead=false checkout -f FETCH_HEAD |
There was a problem hiding this comment.
@sibicramesh what happens if there is no git? I'm assuming we tested this?
Author
There was a problem hiding this comment.
Its going to fail somewhere but dont think we tested it. Git is a prereq with the scripts method and its documented. cc @prakhar-endor
There was a problem hiding this comment.
I would bet that many of the endpoints we deploy this to don't have git. Now they also likely wouldn't have Cursor, but from a hygiene perspective, I don't think IT / Security operators will want half-deployed guardrails even if there is minimal risk.
dpowley
reviewed
Jun 16, 2026
Comment on lines
+33
to
+42
|
|
||
| 1. **Library → Add New → Custom Script.** Paste the credential line, then the body of `scripts/runner.sh`: | ||
| ```sh | ||
| #!/bin/sh | ||
| export ENDOR_API_CREDENTIALS_KEY='…' ENDOR_API_CREDENTIALS_SECRET='…' ENDOR_NAMESPACE='…' | ||
| # …contents of scripts/runner.sh below (set AGENT=cursor, REF=<tag>)… | ||
| ``` | ||
| Single-quote the values so a `"`, `$`, or backtick can't break the assignment; if a value contains a single quote, write it as `'\''`. | ||
| 2. Set **Execution Frequency** to *Run every 15 min* or *Run daily*. | ||
| 3. Assign it to the target **Blueprint**. |
There was a problem hiding this comment.
Is there a script we can just copy and paste without messing with quotes?
Author
There was a problem hiding this comment.
Yes, thats the intended purpose here. You just copy the runner.sh and embed it here. The quotes are only relevant when the values contain non alphanumeric characters and you will see shell errors.
| # installed binary ("endorctl"). | ||
| find "$DIR" -name 'endorctl-download-*' -mmin +60 -delete 2>/dev/null | ||
| TMP=$(mktemp "$DIR/endorctl-download-XXXXXX") || exit 1 | ||
| curl -fsSL --retry 5 --retry-connrefused --retry-all-errors -o "$TMP" "$URL" || { rm -f "$TMP"; exit 1; } |
There was a problem hiding this comment.
--retry-all-errors was introduced in curl version 7.71.0 , ubuntu 20.04 (lts) comes bundled with v7.68.0 so won't work out of the box there , we'll need to define in docs clearly to use curl > 7.71.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
RFC: https://endorlabs.atlassian.net/wiki/x/FIBlbQ
Full agent governance suite