From 37efb0889f2b02b2d910f51e32912445c6d716f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Fri, 15 May 2026 14:41:38 +0200 Subject: [PATCH] turn loop: tool whitelist (no web/task), no skip-permissions --- CLAUDE.md | 44 ++++++++++++++++++--- Cargo.toml | 1 + hive-ag3nt/src/bin/hive-ag3nt.rs | 41 ++++++++++++++++++-- hive-ag3nt/src/mcp.rs | 66 ++++++++++++++++++++++++++++++++ 4 files changed, 143 insertions(+), 9 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 7337044..68addac 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -156,17 +156,38 @@ docs/damocles-migration.md options for moving damocles onto hyperhive marks them `failed` with note `"agent state dir missing"` so they fall out of `pending`. They stay in sqlite for audit. -## Agent MCP surface +## Agent MCP surface + turn loop -The harness ships an embedded MCP server (rmcp 1.7) that claude can launch -via `--mcp-config`. Subcommand: `hive-ag3nt mcp`. Tools: -- `send(to, body)` — message a peer or the operator. -- `recv()` — drain one inbox message. +The harness ships an embedded MCP server (rmcp 1.7) that claude launches as +a stdio child via `--mcp-config`. Subcommand: `hive-ag3nt mcp`. Tools: +- `mcp__hyperhive__send(to, body)` — message a peer or the operator. +- `mcp__hyperhive__recv()` — drain one inbox message. Both translate to `AgentRequest::Send`/`Recv` against the agent's own `/run/hive/mcp.sock` (the existing hyperhive socket). The MCP surface is just claude's view of that socket — same authority, friendlier protocol. +The turn loop in `hive-ag3nt serve` writes +`/run/hive/claude-mcp-config.json` at boot pointing at +`/proc/self/exe mcp` (the running hive-ag3nt binary's nix store path). +Each turn invokes: + +``` +claude --print --mcp-config --tools --allowedTools +``` + +**Tool whitelist** (see `ALLOWED_BUILTIN_TOOLS` in `hive-ag3nt::mcp`): +- Allowed built-ins: `Bash`, `Edit`, `Glob`, `Grep`, `NotebookEdit`, `Read`, + `TodoWrite`, `Write`. +- Denied by omission: `WebFetch`, `WebSearch`, `Task` — no external egress + or nested-agent spawning until we have a real policy story. +- Allowed MCP tools: `mcp__hyperhive__send`, `mcp__hyperhive__recv`. + +`Bash` is on the allow-list "for now" — pending a finer-grained allow-list +system for command patterns (`Bash(git *)`-style). When that lands, the +`builtin_tools_arg` shape will probably change to a setting / hooks +combo per claude-code's permissions plumbing. + Manager will get its own subcommand later with `request_spawn`, `kill`, `request_apply_commit` added to the TOOLS list. @@ -373,6 +394,19 @@ with `./agent.nix` plus an inline module that sets `environment.etc."gitconfig".text` (committer identity = the agent's name) and `systemd.services.hive-ag3nt.environment.HIVE_PORT`/`HIVE_LABEL`. +## Security backlog + +- **Unprivileged containers (userns mapping).** Today the nspawn container + runs as a fully privileged root. Goal: `PrivateUsersChown=yes` (or the + nixos-container equivalent) so uid 0 inside maps to an unprivileged uid + on the host, and a container-root compromise lands the attacker on an + ordinary user account, not the host's root. Requires per-agent state + dirs to be chown'd to that uid on the host side. +- **Bash command allow-list.** Replace the blanket `Bash` allow with a + pattern allow-list (`Bash(git *)`, `Bash(nix build .*)`, etc.) per + claude-code's `--allowedTools` extended grammar. Likely lives in + `agent.nix` so each agent can scope its own shell surface. + ## Polish backlog Not phased — pick when relevant: diff --git a/Cargo.toml b/Cargo.toml index 87a8235..2f4c26f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,6 +30,7 @@ serde = { version = "1", features = ["derive"] } serde_json = "1" similar = "2" tokio = { version = "1", features = [ + "fs", "io-util", "macros", "net", diff --git a/hive-ag3nt/src/bin/hive-ag3nt.rs b/hive-ag3nt/src/bin/hive-ag3nt.rs index 423bcc3..fe24272 100644 --- a/hive-ag3nt/src/bin/hive-ag3nt.rs +++ b/hive-ag3nt/src/bin/hive-ag3nt.rs @@ -122,6 +122,7 @@ async fn needs_login_loop( async fn serve(socket: &Path, interval: Duration, state: Arc>) -> Result<()> { tracing::info!(socket = %socket.display(), "hive-ag3nt serve"); let _ = state; // reserved for future state transitions (turn-loop -> needs-login) + let mcp_config = write_mcp_config(socket).await?; loop { let recv: Result = client::request(socket, &AgentRequest::Recv).await; match recv { @@ -131,7 +132,7 @@ async fn serve(socket: &Path, interval: Duration, state: Arc>) // both ends are falling back to echo. Real loop control is the // manager's job (Phase 4+). if !body.starts_with("echo: ") { - let reply = compute_reply(&body).await; + let reply = compute_reply(&body, &mcp_config).await; let send: Result = client::request( socket, &AgentRequest::Send { @@ -160,8 +161,8 @@ async fn serve(socket: &Path, interval: Duration, state: Arc>) } } -async fn compute_reply(prompt: &str) -> String { - match invoke_claude(prompt).await { +async fn compute_reply(prompt: &str, mcp_config: &Path) -> String { + match invoke_claude(prompt, mcp_config).await { Ok(s) => s, Err(e) => { tracing::warn!(error = %format!("{e:#}"), "claude failed; falling back to echo"); @@ -170,9 +171,21 @@ async fn compute_reply(prompt: &str) -> String { } } -async fn invoke_claude(prompt: &str) -> Result { +async fn invoke_claude(prompt: &str, mcp_config: &Path) -> Result { + // Whitelist model: `--tools` restricts which built-ins exist in the + // session (omitting WebFetch/WebSearch/Task means claude literally + // can't invoke them); `--allowedTools` auto-approves the same set + // plus the hyperhive MCP surface so there's no permission prompt + // mid-turn. A finer-grained allow-list system for Bash command + // patterns is on the backlog (PLAN.md polish). let out = Command::new("claude") .arg("--print") + .arg("--mcp-config") + .arg(mcp_config) + .arg("--tools") + .arg(mcp::builtin_tools_arg()) + .arg("--allowedTools") + .arg(mcp::allowed_tools_arg()) .arg(prompt) .output() .await?; @@ -190,6 +203,26 @@ async fn invoke_claude(prompt: &str) -> Result { Ok(text) } +/// Drop the per-agent MCP config on disk so the turn loop can hand its path +/// to `claude --mcp-config`. Lives under `/run/hive/` (the bind-mounted +/// per-agent runtime dir) so it's ephemeral and isolated per container. +/// Returns the config path. +async fn write_mcp_config(socket: &Path) -> Result { + let parent = socket.parent().unwrap_or_else(|| Path::new("/run/hive")); + tokio::fs::create_dir_all(parent).await.ok(); + let path = parent.join("claude-mcp-config.json"); + // `/proc/self/exe` resolves to the running hive-ag3nt binary's nix store + // path, which the spawned child can re-invoke as the MCP server. Avoids + // needing claude-code's $PATH to contain hive-ag3nt. + let exe = std::env::current_exe() + .ok() + .map_or_else(|| "hive-ag3nt".into(), |p| p.display().to_string()); + let body = mcp::render_claude_config(&exe, socket); + tokio::fs::write(&path, body).await?; + tracing::info!(path = %path.display(), "wrote claude MCP config"); + Ok(path) +} + fn render(resp: &AgentResponse) -> Result<()> { println!("{}", serde_json::to_string_pretty(resp)?); Ok(()) diff --git a/hive-ag3nt/src/mcp.rs b/hive-ag3nt/src/mcp.rs index ff9bb8f..5e99ebf 100644 --- a/hive-ag3nt/src/mcp.rs +++ b/hive-ag3nt/src/mcp.rs @@ -101,3 +101,69 @@ pub async fn serve_stdio(socket: PathBuf) -> Result<()> { service.waiting().await?; Ok(()) } + +/// Name of the hyperhive MCP server inside claude's view. Claude prefixes +/// tools as `mcp____` (e.g. `mcp__hyperhive__send`). +pub const SERVER_NAME: &str = "hyperhive"; + +/// Built-in claude tools the turn loop enables via `--tools`. Anything not +/// in this list literally doesn't exist in the session (claude won't even +/// try to call it). Web egress (`WebFetch`/`WebSearch`) and nested agents +/// (`Task`) are intentionally omitted for now; `Bash` is allowed pending a +/// finer-grained allow-list system for shell command patterns. Edit later +/// as our trust model evolves. +pub const ALLOWED_BUILTIN_TOOLS: &[&str] = &[ + "Bash", + "Edit", + "Glob", + "Grep", + "NotebookEdit", + "Read", + "TodoWrite", + "Write", +]; + +/// MCP tools claude is allowed to call without prompting. Mirrors the +/// hyperhive surface so a new tool added below propagates to claude's +/// allow-list automatically. +#[must_use] +pub fn allowed_mcp_tools() -> Vec { + ["send", "recv"] + .iter() + .map(|t| format!("mcp__{SERVER_NAME}__{t}")) + .collect() +} + +/// Combined allow-list passed to `--allowedTools` (auto-approve) — covers +/// both the built-ins and the MCP surface. +#[must_use] +pub fn allowed_tools_arg() -> String { + let mut all: Vec = ALLOWED_BUILTIN_TOOLS.iter().map(|s| (*s).to_owned()).collect(); + all.extend(allowed_mcp_tools()); + all.join(",") +} + +/// Built-in tools list for `--tools` (which built-ins exist in this +/// session). Same as `ALLOWED_BUILTIN_TOOLS` but joined comma-separated. +#[must_use] +pub fn builtin_tools_arg() -> String { + ALLOWED_BUILTIN_TOOLS.join(",") +} + +/// Render the MCP config blob claude reads from `--mcp-config `. +/// `agent_binary` is the path (or PATH-resolvable name) of the `hive-ag3nt` +/// executable; `socket` is the hyperhive per-agent socket bind-mounted into +/// the container (forwarded to the child as `--socket `). +#[must_use] +pub fn render_claude_config(agent_binary: &str, socket: &std::path::Path) -> String { + let config = serde_json::json!({ + "mcpServers": { + SERVER_NAME: { + "command": agent_binary, + "args": ["--socket", socket.display().to_string(), "mcp"], + "env": {} + } + } + }); + serde_json::to_string_pretty(&config).unwrap_or_else(|_| "{}".into()) +}