vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

turn loop: tool whitelist (no web/task), no skip-permissions

Browse source
This commit is contained in:
müde 2026-05-15 14:41:38 +02:00
parent 65a10a3c2b
commit 37efb0889f
4 changed files with 143 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

41
hive-ag3nt/src/bin/hive-ag3nt.rs
View file

@ -122,6 +122,7 @@ async fn needs_login_loop(
async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>) -> Result<()> {
tracing::info!(socket = %socket.display(), "hive-ag3nt serve");
let _ = state; // reserved for future state transitions (turn-loop -> needs-login)
let mcp_config = write_mcp_config(socket).await?;
loop {
let recv: Result<AgentResponse> = client::request(socket, &AgentRequest::Recv).await;
match recv {
@ -131,7 +132,7 @@ async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>)
// both ends are falling back to echo. Real loop control is the
// manager's job (Phase 4+).
if !body.starts_with("echo: ") {
let reply = compute_reply(&body).await;
let reply = compute_reply(&body, &mcp_config).await;
let send: Result<AgentResponse> = client::request(
socket,
&AgentRequest::Send {
@ -160,8 +161,8 @@ async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>)
}
}
async fn compute_reply(prompt: &str) -> String {
match invoke_claude(prompt).await {
async fn compute_reply(prompt: &str, mcp_config: &Path) -> String {
match invoke_claude(prompt, mcp_config).await {
Ok(s) => s,
Err(e) => {
tracing::warn!(error = %format!("{e:#}"), "claude failed; falling back to echo");
@ -170,9 +171,21 @@ async fn compute_reply(prompt: &str) -> String {
}
}
async fn invoke_claude(prompt: &str) -> Result<String> {
async fn invoke_claude(prompt: &str, mcp_config: &Path) -> Result<String> {
// Whitelist model: `--tools` restricts which built-ins exist in the
// session (omitting WebFetch/WebSearch/Task means claude literally
// can't invoke them); `--allowedTools` auto-approves the same set
// plus the hyperhive MCP surface so there's no permission prompt
// mid-turn. A finer-grained allow-list system for Bash command
// patterns is on the backlog (PLAN.md polish).
let out = Command::new("claude")
.arg("--print")
.arg("--mcp-config")
.arg(mcp_config)
.arg("--tools")
.arg(mcp::builtin_tools_arg())
.arg("--allowedTools")
.arg(mcp::allowed_tools_arg())
.arg(prompt)
.output()
.await?;
@ -190,6 +203,26 @@ async fn invoke_claude(prompt: &str) -> Result<String> {
Ok(text)
}
/// Drop the per-agent MCP config on disk so the turn loop can hand its path
/// to `claude --mcp-config`. Lives under `/run/hive/` (the bind-mounted
/// per-agent runtime dir) so it's ephemeral and isolated per container.
/// Returns the config path.
async fn write_mcp_config(socket: &Path) -> Result<PathBuf> {
let parent = socket.parent().unwrap_or_else(|| Path::new("/run/hive"));
tokio::fs::create_dir_all(parent).await.ok();
let path = parent.join("claude-mcp-config.json");
// `/proc/self/exe` resolves to the running hive-ag3nt binary's nix store
// path, which the spawned child can re-invoke as the MCP server. Avoids
// needing claude-code's $PATH to contain hive-ag3nt.
let exe = std::env::current_exe()
.ok()
.map_or_else(|| "hive-ag3nt".into(), |p| p.display().to_string());
let body = mcp::render_claude_config(&exe, socket);
tokio::fs::write(&path, body).await?;
tracing::info!(path = %path.display(), "wrote claude MCP config");
Ok(path)
}
fn render(resp: &AgentResponse) -> Result<()> {
println!("{}", serde_json::to_string_pretty(resp)?);
Ok(())

66
hive-ag3nt/src/mcp.rs
View file

@ -101,3 +101,69 @@ pub async fn serve_stdio(socket: PathBuf) -> Result<()> {
service.waiting().await?;
Ok(())
}
/// Name of the hyperhive MCP server inside claude's view. Claude prefixes
/// tools as `mcp__<this>__<tool>` (e.g. `mcp__hyperhive__send`).
pub const SERVER_NAME: &str = "hyperhive";
/// Built-in claude tools the turn loop enables via `--tools`. Anything not
/// in this list literally doesn't exist in the session (claude won't even
/// try to call it). Web egress (`WebFetch`/`WebSearch`) and nested agents
/// (`Task`) are intentionally omitted for now; `Bash` is allowed pending a
/// finer-grained allow-list system for shell command patterns. Edit later
/// as our trust model evolves.
pub const ALLOWED_BUILTIN_TOOLS: &[&str] = &[
"Bash",
"Edit",
"Glob",
"Grep",
"NotebookEdit",
"Read",
"TodoWrite",
"Write",
];
/// MCP tools claude is allowed to call without prompting. Mirrors the
/// hyperhive surface so a new tool added below propagates to claude's
/// allow-list automatically.
#[must_use]
pub fn allowed_mcp_tools() -> Vec<String> {
["send", "recv"]
.iter()
.map(|t| format!("mcp__{SERVER_NAME}__{t}"))
.collect()
}
/// Combined allow-list passed to `--allowedTools` (auto-approve) — covers
/// both the built-ins and the MCP surface.
#[must_use]
pub fn allowed_tools_arg() -> String {
let mut all: Vec<String> = ALLOWED_BUILTIN_TOOLS.iter().map(|s| (*s).to_owned()).collect();
all.extend(allowed_mcp_tools());
all.join(",")
}
/// Built-in tools list for `--tools` (which built-ins exist in this
/// session). Same as `ALLOWED_BUILTIN_TOOLS` but joined comma-separated.
#[must_use]
pub fn builtin_tools_arg() -> String {
ALLOWED_BUILTIN_TOOLS.join(",")
}
/// Render the MCP config blob claude reads from `--mcp-config <path>`.
/// `agent_binary` is the path (or PATH-resolvable name) of the `hive-ag3nt`
/// executable; `socket` is the hyperhive per-agent socket bind-mounted into
/// the container (forwarded to the child as `--socket <path>`).
#[must_use]
pub fn render_claude_config(agent_binary: &str, socket: &std::path::Path) -> String {
let config = serde_json::json!({
"mcpServers": {
SERVER_NAME: {
"command": agent_binary,
"args": ["--socket", socket.display().to_string(), "mcp"],
"env": {}
}
}
});
serde_json::to_string_pretty(&config).unwrap_or_else(|_| "{}".into())
}