fix(sec-core): parse loongshield harden output

[chenzongyao200127]

Description

Update agent-sec-cli harden parsing to handle the current loongshield seharden output formats, including verbose Summary: lines and FAIL [rule_id] rule records. The hardening summary now displays compliance when a non-compliant scan exits non-zero but still emits parseable rule statistics, while avoiding reinforce suggestions for synthetic UNKNOWN parser-fallback failures. Security events now also preserve the command success/failure state at the top-level event result while keeping parsed seharden details under details.result.

Output Examples

Representative loongshield 1.2.1 verbose scan output:

SEHarden scan: profile='agentos_baseline', level='baseline', 23 rule(s)
  PASS [fs.cramfs_disabled] Ensure mounting of cramfs is disabled
  FAIL [fs.udf_disabled] Ensure mounting of udf is disabled
    reason: actual: loaded
Summary: 20 passed, 0 fixed, 3 failed, 0 manual, 0 dry-run-pending / 23 total

The scan above may exit non-zero because the host is non-compliant. The security event keeps that command state at the top level, while preserving parsed seharden details under details.result:

[
  {
    "event_type": "harden",
    "category": "hardening",
    "result": "failed",
    "details": {
      "request": {
        "args": ["--scan", "--config", "agentos_baseline", "--verbose"]
      },
      "result": {
        "mode": "scan",
        "config": "agentos_baseline",
        "returncode": 1,
        "passed": 20,
        "fixed": 0,
        "failed": 3,
        "manual": 0,
        "dry_run_pending": 0,
        "total": 23,
        "failures": [
          {
            "rule_id": "fs.udf_disabled",
            "status": "FAIL",
            "message": "Ensure mounting of udf is disabled"
          }
        ],
        "fixed_items": []
      }
    }
  }
]

agent-sec-cli events --summary consumes the same security event data and can now report compliance even when the scan event itself is failed:

Security Posture Summary (last 1 hours)

System Status: Needs attention ⚠

--- Hardening ---
  Scans performed:  1 (succeeded: 0, failed: 1)

  Latest scan result:
    Compliance: 20/23 rules passed (87.0%)
    Check system status using `agent-sec-cli harden --scan`

---
Total events: 1  |  Failed: 1  |  Last event: just now

Suggested actions:
  agent-sec-cli harden --reinforce    Fix failed rules

If loongshield only emits summary counts but per-rule details cannot be parsed, the backend records a synthetic UNKNOWN failure. In that case the summary still shows compliance, but does not suggest harden --reinforce because there is no actionable parsed rule id.

Related Issue

no-issue: compatibility fix for loongshield 1.2.1 hardening output

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional change)
• Performance improvement
• CI/CD or build changes

Scope

• cosh (copilot-shell)
• sec-core (agent-sec-core)
• skill (os-skills)
• sight (agentsight)
• tokenless (tokenless)
• ckpt (ws-ckpt)
• memory (agent-memory)
• anolisa (anolisa-cli)
• Multiple / Project-wide

Checklist

• I have read the Contributing Guide
• My code follows the project's code style
• I have added tests that prove my fix is effective or that my feature works
• I have updated the documentation accordingly
• For cosh: Lint passes, type check passes, and tests pass
• For sec-core (Rust): cargo clippy -- -D warnings and cargo fmt --check pass
• For sec-core (Python): Ruff format and pytest pass
• For skill: Skill directory structure is valid and shell scripts pass syntax check
• For sight: cargo clippy -- -D warnings and cargo fmt --check pass
• For tokenless: cargo clippy -- -D warnings and cargo fmt --check pass
• For memory (Linux only): cargo clippy --all-targets -- -D warnings, cargo fmt --check, and cargo test pass
• For anolisa: cargo clippy --all-targets --locked -- -D warnings, cargo fmt --all --check, and cargo test --locked pass
• Lock files are up to date (package-lock.json / Cargo.lock)

Testing

• cd src/agent-sec-core && uv run --project agent-sec-cli pytest tests/unit-test/security_middleware/test_lifecycle.py tests/unit-test/security_middleware/backends/test_hardening_backend.py tests/unit-test/security_events/test_summary_formatter.py -q
• cd src/agent-sec-core && uv run --project agent-sec-cli pytest tests/e2e/cli/test_events_e2e.py --collect-only -q
• cd src/agent-sec-core && uv run --project agent-sec-cli ruff check agent-sec-cli/src/agent_sec_cli/security_middleware/lifecycle.py agent-sec-cli/src/agent_sec_cli/security_middleware/backends/hardening.py agent-sec-cli/src/agent_sec_cli/security_events/summary_formatter.py tests/unit-test/security_middleware/test_lifecycle.py tests/unit-test/security_middleware/backends/test_hardening_backend.py tests/unit-test/security_events/test_summary_formatter.py tests/e2e/cli/test_events_e2e.py
• cd src/agent-sec-core && uv run --project agent-sec-cli black --check agent-sec-cli/src/agent_sec_cli/security_middleware/lifecycle.py agent-sec-cli/src/agent_sec_cli/security_middleware/backends/hardening.py agent-sec-cli/src/agent_sec_cli/security_events/summary_formatter.py tests/unit-test/security_middleware/test_lifecycle.py tests/unit-test/security_middleware/backends/test_hardening_backend.py tests/unit-test/security_events/test_summary_formatter.py tests/e2e/cli/test_events_e2e.py

[edonyzpc]

LGTM