
fix(sec-core): preserve seharden wrapper defaults#236

Open
chenzongyao200127 wants to merge 1 commit into alibaba:release/agent-sec-core/v0.3 from chenzongyao200127:fix/sec-core/seharden-wrapper-followups

Conversation

@chenzongyao200127

Description

Restore the agent-sec-cli harden wrapper defaults so zero-argument and config-only invocations continue to run seharden in scan mode with the agentos_baseline profile. The hardening backend now also keeps parsed SEHarden summary and per-rule results in ActionResult.data while preserving passthrough execution metadata and captured stdout.

The update keeps the concise wrapper help, downstream passthrough behavior, and legacy backend compatibility, and adds regression coverage for the wrapper defaults and structured hardening results.

Related Issue

no-issue: follow-up fix for an unreleased sec-core harden wrapper change

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional change)
  • Performance improvement
  • CI/CD or build changes

Scope

  • cosh (copilot-shell)
  • sec-core (agent-sec-core)
  • skill (os-skills)
  • sight (agentsight)
  • Multiple / Project-wide

Checklist

  • I have read the Contributing Guide
  • My code follows the project's code style
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly
  • For cosh: Lint passes, type check passes, and tests pass
  • For sec-core (Rust): cargo clippy -- -D warnings and cargo fmt --check pass
  • For sec-core (Python): Ruff format and pytest pass
  • For skill: Skill directory structure is valid and shell scripts pass syntax check
  • For sight: cargo clippy -- -D warnings and cargo fmt --check pass
  • Lock files are up to date (package-lock.json / Cargo.lock)

Testing

cd src/agent-sec-core
agent-sec-cli/.venv/bin/python -m ruff check \
  agent-sec-cli/src/agent_sec_cli/cli.py \
  agent-sec-cli/src/agent_sec_cli/security_middleware/backends/hardening.py \
  tests/unit-test/test_cli.py \
  tests/unit-test/security_middleware/backends/test_hardening_backend.py

agent-sec-cli/.venv/bin/python -m pytest \
  tests/unit-test/test_cli.py \
  tests/unit-test/security_middleware/backends/test_hardening_backend.py -q

agent-sec-cli/.venv/bin/python -m pytest tests/unit-test -q

Results:

  • ruff check passed for the touched Python files.
  • Targeted hardening CLI/backend tests passed: 26 passed.
  • Full unit-test suite passed: 102 passed.

Additional Notes

Running pytest tests/ in src/agent-sec-core is currently blocked by a pre-existing e2e collection error caused by duplicate module names:

  • tests/e2e/linux-sandbox/e2e_test.py
  • tests/e2e/skill-signing/e2e_test.py

This PR does not modify those e2e tests.

Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
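The wrapper behaviour the description above relies on (a fixed seharden subcommand, --scan and agentos_baseline injected only when the caller gave no mode or profile, all other flags forwarded verbatim, --help answered by the wrapper rather than the downstream tool, and argv/tool_path/returncode plus raw stdout kept beside the parsed per-rule results) is shown below as an added example written for this page. It is not agent-sec-cli's or loongshield's code. The `harden [CONFIG] [flags...]` wrapper shape, the downstream `--config` spelling, and the `rule NAME: STATUS` output lines are assumptions made for the example; SEHarden's real profile option and output format are not shown on this page.

```python
"""Restricted wrapper around a hardening tool, written as an illustration.

Added example by the editor, not code from agent-sec-cli or loongshield.
Assumptions: the wrapper is invoked as ``harden [CONFIG] [flags...]``, the
downstream profile option is spelled ``--config`` (not shown on the page),
and the per-rule output lines parsed below are a made-up format, not
SEHarden's real output.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field
from typing import Callable, Sequence

# Single definition shared by the CLI layer and the backend, so the default
# profile cannot drift between the two.
DEFAULT_HARDEN_CONFIG = "agentos_baseline"
MODE_FLAGS = ("--scan", "--reinforce", "--dry-run")
# The only downstream subcommand the wrapper can reach; the tool's other
# subcommands are deliberately not exposed.
SUBCOMMAND = "seharden"

HELP_TEXT = (
    "Usage: harden [CONFIG] [--scan | --reinforce | --dry-run] [downstream flags...]\n"
    "Defaults: CONFIG=agentos_baseline, mode=--scan."
)


def apply_wrapper_defaults(args: Sequence[str]) -> list[str]:
    """Re-apply the wrapper defaults and forward everything else verbatim.

    A leading non-flag token is taken as the profile name; if absent,
    ``agentos_baseline`` is used.  If no mode flag is present, ``--scan`` is
    injected so a bare call reports findings instead of changing the host.
    """
    rest = list(args)
    config = rest.pop(0) if rest and not rest[0].startswith("-") else DEFAULT_HARDEN_CONFIG
    if not any(tok in MODE_FLAGS for tok in rest):
        rest.insert(0, "--scan")
    return ["--config", config, *rest]  # '--config' is an assumed downstream flag


def parse_rule_lines(stdout: str) -> dict:
    """Parse made-up 'rule NAME: STATUS' lines into the structured shape the
    PR keeps in ActionResult.data (failures, fixed_items, summary counters)."""
    failures: list[str] = []
    fixed_items: list[str] = []
    passed = 0
    for line in stdout.splitlines():
        line = line.strip()
        if not line.startswith("rule "):
            continue  # free-form progress text stays in raw stdout only
        name, _, status = line[len("rule "):].partition(":")
        name, status = name.strip(), status.strip().upper()
        if status == "FAIL":
            failures.append(name)
        elif status == "FIXED":
            fixed_items.append(name)
        elif status == "PASS":
            passed += 1
    return {
        "failures": failures,
        "fixed_items": fixed_items,
        "summary": {"passed": passed, "failed": len(failures), "fixed": len(fixed_items)},
    }


@dataclass
class HardenResult:
    """Execution metadata and raw output kept beside the parsed results."""
    argv: list[str]
    tool_path: str
    returncode: int
    stdout: str
    stderr: str
    data: dict = field(default_factory=dict)


Runner = Callable[[list[str]], subprocess.CompletedProcess]


def _subprocess_runner(argv: list[str]) -> subprocess.CompletedProcess:
    # No shell: argv is passed as a list, so forwarded flags are never
    # re-parsed by a shell.
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def run_harden(args: Sequence[str], tool_path: str = "loongshield",
               runner: Runner | None = None) -> HardenResult:
    """Run the fixed subcommand with defaults applied; intercept --help so the
    wrapper's concise help, not the downstream tool's, is what the user sees."""
    if "--help" in args or "-h" in args:
        return HardenResult(argv=[], tool_path=tool_path, returncode=0,
                            stdout=HELP_TEXT, stderr="")
    argv = [tool_path, SUBCOMMAND, *apply_wrapper_defaults(args)]
    proc = (runner or _subprocess_runner)(argv)
    return HardenResult(argv=argv, tool_path=tool_path, returncode=proc.returncode,
                        stdout=proc.stdout, stderr=proc.stderr,
                        data=parse_rule_lines(proc.stdout))


# Constructed sample output in the made-up line format, for offline runs.
SAMPLE_STDOUT = ("scanning 3 rules\nrule ssh_root_login: FAIL\n"
                 "rule core_dump_limit: PASS\nrule tmp_noexec: FIXED\n")


def fake_runner(argv: list[str]) -> subprocess.CompletedProcess:
    """Stand-in for the real binary so the example runs without loongshield."""
    return subprocess.CompletedProcess(argv, returncode=1, stdout=SAMPLE_STDOUT, stderr="")


if __name__ == "__main__":
    result = run_harden([], runner=fake_runner)
    print(result.argv)  # ['loongshield', 'seharden', '--config', 'agentos_baseline', '--scan']
    print(result.data)
```

The two points a reviewer would check are visible in the return values: a zero-argument call ends up as `seharden --config agentos_baseline --scan` (never a mutating `--reinforce` by accident), and `--help` returns before any subprocess is started, so nothing from the downstream tool's wider subcommand surface leaks through the wrapper.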
Copilot AI review requested due to automatic review settings April 16, 2026 13:43
@CLAassistant

CLAassistant commented Apr 16, 2026

CLA assistant check
All committers have signed the CLA.

@chenzongyao200127
Author

PTAL @RemindD


Copilot AI left a comment

Pull request overview

Restores agent-sec-cli harden wrapper default behavior (scan + agentos_baseline) while shifting the hardening backend to a passthrough-args model that still preserves legacy kwargs support and keeps parsed SEHarden results in ActionResult.data.

Changes:

  • Update harden CLI command to forward unknown SEHarden flags verbatim while re-applying wrapper defaults for zero-arg/config-only calls.
  • Refactor hardening backend to accept args=[...] passthrough, preserve execution metadata (argv, tool_path, returncode), and keep structured parsed results (failures, fixed_items, summary counters).
  • Add/adjust unit tests and update documentation/examples to reflect --scan/--reinforce/--dry-run flags instead of --mode.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

File Description
src/agent-sec-core/tests/unit-test/test_cli.py Adds regression tests for wrapper help text, default arg injection, passthrough, and downstream help behavior.
src/agent-sec-core/tests/unit-test/security_middleware/backends/test_hardening_backend.py Updates backend tests for passthrough args, legacy defaults, resolved binary path behavior, and structured results.
src/agent-sec-core/skill/references/agent-sec-seharden.md Updates skill reference commands/docs to the new harden invocation style.
src/agent-sec-core/skill/SKILL.md Updates skill execution instructions/examples to match the new harden flags.
src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/security_middleware/backends/hardening.py Implements passthrough args execution + result metadata and parsing while preserving legacy kwargs defaults.
src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/cli.py Reworks harden Typer command to allow unknown args passthrough and inject wrapper defaults; adds concise custom help.
src/agent-sec-core/agent-sec-cli/README.md Updates CLI + Python API usage examples to use args=[...] and new flags.
src/agent-sec-core/agent-sec-cli/BUILD.md Updates build/install docs to reflect the new harden invocation.

Comment thread src/agent-sec-core/agent-sec-cli/src/agent_sec_cli/cli.py
Collaborator

@RemindD RemindD left a comment

LGTM

"""Run `loongshield seharden`."""
if help_flag:
typer.echo(_HARDEN_HELP_TEXT.rstrip())
raise typer.Exit(code=0)
Collaborator

Is the reason `harden --help` does not call `loongshield --help` directly that you want to restrict the exposed capability to the three modes listed above?

Author

Yes. loongshield currently has some other subcommands, and I do not think it is appropriate to expose them to users in the sec-core-cli scenario.

@chenzongyao200127
Author

@edonyzpc @kid9 PTAL

# ---------------------------------------------------------------------------
_ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")

_DEFAULT_HARDEN_CONFIG = "agentos_baseline"
Collaborator

This is defined a second time in cli.


5 participants