turn loop: tool whitelist (no web/task), no skip-permissions
parent 65a10a3c2b
commit 37efb0889f
4 changed files with 143 additions and 9 deletions
CLAUDE.md (44)
@ -156,17 +156,38 @@ docs/damocles-migration.md options for moving damocles onto hyperhive
marks them `failed` with note `"agent state dir missing"` so they fall out
of `pending`. They stay in sqlite for audit.

## Agent MCP surface
## Agent MCP surface + turn loop

The harness ships an embedded MCP server (rmcp 1.7) that claude can launch
via `--mcp-config`. Subcommand: `hive-ag3nt mcp`. Tools:
- `send(to, body)` — message a peer or the operator.
- `recv()` — drain one inbox message.
The harness ships an embedded MCP server (rmcp 1.7) that claude launches as
a stdio child via `--mcp-config`. Subcommand: `hive-ag3nt mcp`. Tools:
- `mcp__hyperhive__send(to, body)` — message a peer or the operator.
- `mcp__hyperhive__recv()` — drain one inbox message.

Both translate to `AgentRequest::Send`/`Recv` against the agent's own
`/run/hive/mcp.sock` (the existing hyperhive socket). The MCP surface is
just claude's view of that socket — same authority, friendlier protocol.

The turn loop in `hive-ag3nt serve` writes
`/run/hive/claude-mcp-config.json` at boot pointing at
`/proc/self/exe mcp` (the running hive-ag3nt binary's nix store path).
Each turn invokes:

```
claude --print --mcp-config <path> --tools <builtins> --allowedTools <builtins+mcp> <prompt>
```

**Tool whitelist** (see `ALLOWED_BUILTIN_TOOLS` in `hive-ag3nt::mcp`):
- Allowed built-ins: `Bash`, `Edit`, `Glob`, `Grep`, `NotebookEdit`, `Read`,
`TodoWrite`, `Write`.
- Denied by omission: `WebFetch`, `WebSearch`, `Task` — no external egress
or nested-agent spawning until we have a real policy story.
- Allowed MCP tools: `mcp__hyperhive__send`, `mcp__hyperhive__recv`.

`Bash` is on the allow-list "for now" — pending a finer-grained allow-list
system for command patterns (`Bash(git *)`-style). When that lands, the
`builtin_tools_arg` shape will probably change to a setting / hooks
combo per claude-code's permissions plumbing.

Manager will get its own subcommand later with `request_spawn`, `kill`,
`request_apply_commit` added to the TOOLS list.

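Review bot: the turn-loop paragraph's `/proc/self/exe mcp` wording is ambiguous about what actually lands in `/run/hive/claude-mcp-config.json`. If the file literally contains `/proc/self/exe`, the process that spawns the stdio child (claude) resolves it to its own binary and re-executes itself, not hive-ag3nt; the parenthetical suggests `serve` readlinks `/proc/self/exe` at boot and writes the resolved nix store path, so say that explicitly, e.g. "resolves `/proc/self/exe` at boot and writes the store path into the config". Second, the "Denied by omission ... no external egress" bullet overstates what the whitelist buys: with `Bash` on the allow-list the model can reach whatever the container's network allows from the shell, so leaving out `WebFetch`/`WebSearch` removes convenience tools rather than egress; the doc should say whether egress is enforced at the container/network level, and describe the tool list as a surface restriction only. It would also help to state which of the two flags in the `claude --print ... --tools ... --allowedTools ...` line does the denying, since the commit relies on that in non-interactive mode without `--dangerously-skip-permissions`.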
@ -373,6 +394,19 @@ with `./agent.nix` plus an inline module that sets
`environment.etc."gitconfig".text` (committer identity = the agent's name) and
`systemd.services.hive-ag3nt.environment.HIVE_PORT`/`HIVE_LABEL`.

## Security backlog

- **Unprivileged containers (userns mapping).** Today the nspawn container
runs as a fully privileged root. Goal: `PrivateUsersChown=yes` (or the
nixos-container equivalent) so uid 0 inside maps to an unprivileged uid
on the host, and a container-root compromise lands the attacker on an
ordinary user account, not the host's root. Requires per-agent state
dirs to be chown'd to that uid on the host side.
- **Bash command allow-list.** Replace the blanket `Bash` allow with a
pattern allow-list (`Bash(git *)`, `Bash(nix build .*)`, etc.) per
claude-code's `--allowedTools` extended grammar. Likely lives in
`agent.nix` so each agent can scope its own shell surface.

## Polish backlog

Not phased — pick when relevant:

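Review bot: the userns bullet names only `PrivateUsersChown=yes`, which is the ownership fixup, not the mapping itself; in nspawn the mapping is `PrivateUsers=` (e.g. `PrivateUsers=pick`), and `PrivateUsersChown=` has been superseded by `PrivateUsersOwnership=` (`chown` or `map`), where `map` uses id-mapped mounts and avoids rewriting ownership of the whole root tree. Suggest "Goal: `PrivateUsers=pick` plus `PrivateUsersOwnership=map` (or the nixos-container equivalent)"; whether the per-agent state dirs still need a host-side chown then depends on how they are mounted in, so keep that sentence but qualify it. On the Bash allow-list bullet, add the caveat that `Bash(git *)`-style patterns match a command prefix, so `git` invocations that shell out (aliases, `-c core.pager=...`, hooks) still give arbitrary execution; the allow-list narrows what gets auto-approved and is not a sandbox boundary, which is why the userns item above it carries the real weight.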