vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

turn loop: tool whitelist (no web/task), no skip-permissions

Browse source
This commit is contained in:
müde 2026-05-15 14:41:38 +02:00
parent 65a10a3c2b
commit 37efb0889f
4 changed files with 143 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

41
hive-ag3nt/src/bin/hive-ag3nt.rs
View file

@ -122,6 +122,7 @@ async fn needs_login_loop(
async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>) -> Result<()> {
tracing::info!(socket = %socket.display(), "hive-ag3nt serve");
let _ = state; // reserved for future state transitions (turn-loop -> needs-login)
let mcp_config = write_mcp_config(socket).await?;
loop {
let recv: Result<AgentResponse> = client::request(socket, &AgentRequest::Recv).await;
match recv {
@ -131,7 +132,7 @@ async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>)
// both ends are falling back to echo. Real loop control is the
// manager's job (Phase 4+).
if !body.starts_with("echo: ") {
let reply = compute_reply(&body).await;
let reply = compute_reply(&body, &mcp_config).await;
let send: Result<AgentResponse> = client::request(
socket,
&AgentRequest::Send {
@ -160,8 +161,8 @@ async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>)
}
}
async fn compute_reply(prompt: &str) -> String {
match invoke_claude(prompt).await {
async fn compute_reply(prompt: &str, mcp_config: &Path) -> String {
match invoke_claude(prompt, mcp_config).await {
Ok(s) => s,
Err(e) => {
tracing::warn!(error = %format!("{e:#}"), "claude failed; falling back to echo");
@ -170,9 +171,21 @@ async fn compute_reply(prompt: &str) -> String {
}
}
async fn invoke_claude(prompt: &str) -> Result<String> {
async fn invoke_claude(prompt: &str, mcp_config: &Path) -> Result<String> {
// Whitelist model: `--tools` restricts which built-ins exist in the
// session (omitting WebFetch/WebSearch/Task means claude literally
// can't invoke them); `--allowedTools` auto-approves the same set
// plus the hyperhive MCP surface so there's no permission prompt
// mid-turn. A finer-grained allow-list system for Bash command
// patterns is on the backlog (PLAN.md polish).
let out = Command::new("claude")
.arg("--print")
.arg("--mcp-config")
.arg(mcp_config)
.arg("--tools")
.arg(mcp::builtin_tools_arg())
.arg("--allowedTools")
.arg(mcp::allowed_tools_arg())
.arg(prompt)
.output()
.await?;
@ -190,6 +203,26 @@ async fn invoke_claude(prompt: &str) -> Result<String> {
Ok(text)
}
/// Drop the per-agent MCP config on disk so the turn loop can hand its path
/// to `claude --mcp-config`. Lives under `/run/hive/` (the bind-mounted
/// per-agent runtime dir) so it's ephemeral and isolated per container.
/// Returns the config path.
async fn write_mcp_config(socket: &Path) -> Result<PathBuf> {
let parent = socket.parent().unwrap_or_else(|| Path::new("/run/hive"));
tokio::fs::create_dir_all(parent).await.ok();
let path = parent.join("claude-mcp-config.json");
// `/proc/self/exe` resolves to the running hive-ag3nt binary's nix store
// path, which the spawned child can re-invoke as the MCP server. Avoids
// needing claude-code's $PATH to contain hive-ag3nt.
let exe = std::env::current_exe()
.ok()
.map_or_else(|| "hive-ag3nt".into(), |p| p.display().to_string());
let body = mcp::render_claude_config(&exe, socket);
tokio::fs::write(&path, body).await?;
tracing::info!(path = %path.display(), "wrote claude MCP config");
Ok(path)
}
fn render(resp: &AgentResponse) -> Result<()> {
println!("{}", serde_json::to_string_pretty(resp)?);
Ok(())