turn loop: tool whitelist (no web/task), no skip-permissions
This commit is contained in:
parent
65a10a3c2b
commit
37efb0889f
4 changed files with 143 additions and 9 deletions
@ -101,3 +101,69 @@ pub async fn serve_stdio(socket: PathBuf) -> Result<()> {
|
|||
service.waiting().await?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Name of the hyperhive MCP server inside claude's view. Claude prefixes
|
||||
/// tools as `mcp__<this>__<tool>` (e.g. `mcp__hyperhive__send`).
|
||||
pub const SERVER_NAME: &str = "hyperhive";
|
||||
|
||||
/// Built-in claude tools the turn loop enables via `--tools`. Anything not
|
||||
/// in this list literally doesn't exist in the session (claude won't even
|
||||
/// try to call it). Web egress (`WebFetch`/`WebSearch`) and nested agents
|
||||
/// (`Task`) are intentionally omitted for now; `Bash` is allowed pending a
|
||||
/// finer-grained allow-list system for shell command patterns. Edit later
|
||||
/// as our trust model evolves.
|
||||
pub const ALLOWED_BUILTIN_TOOLS: &[&str] = &[
|
||||
"Bash",
|
||||
"Edit",
|
||||
"Glob",
|
||||
"Grep",
|
||||
"NotebookEdit",
|
||||
"Read",
|
||||
"TodoWrite",
|
||||
"Write",
|
||||
];
|
||||
|
||||
/// MCP tools claude is allowed to call without prompting. Mirrors the
|
||||
/// hyperhive surface so a new tool added below propagates to claude's
|
||||
/// allow-list automatically.
|
||||
#[must_use]
|
||||
pub fn allowed_mcp_tools() -> Vec<String> {
|
||||
["send", "recv"]
|
||||
.iter()
|
||||
.map(|t| format!("mcp__{SERVER_NAME}__{t}"))
|
||||
.collect()
|
||||
}
|
||||
|
||||
/// Combined allow-list passed to `--allowedTools` (auto-approve) — covers
|
||||
/// both the built-ins and the MCP surface.
|
||||
#[must_use]
|
||||
pub fn allowed_tools_arg() -> String {
|
||||
let mut all: Vec<String> = ALLOWED_BUILTIN_TOOLS.iter().map(|s| (*s).to_owned()).collect();
|
||||
all.extend(allowed_mcp_tools());
|
||||
all.join(",")
|
||||
}
|
||||
|
||||
/// Built-in tools list for `--tools` (which built-ins exist in this
|
||||
/// session). Same as `ALLOWED_BUILTIN_TOOLS` but joined comma-separated.
|
||||
#[must_use]
|
||||
pub fn builtin_tools_arg() -> String {
|
||||
ALLOWED_BUILTIN_TOOLS.join(",")
|
||||
}
|
||||
|
||||
/// Render the MCP config blob claude reads from `--mcp-config <path>`.
|
||||
/// `agent_binary` is the path (or PATH-resolvable name) of the `hive-ag3nt`
|
||||
/// executable; `socket` is the hyperhive per-agent socket bind-mounted into
|
||||
/// the container (forwarded to the child as `--socket <path>`).
|
||||
#[must_use]
|
||||
pub fn render_claude_config(agent_binary: &str, socket: &std::path::Path) -> String {
|
||||
let config = serde_json::json!({
|
||||
"mcpServers": {
|
||||
SERVER_NAME: {
|
||||
"command": agent_binary,
|
||||
"args": ["--socket", socket.display().to_string(), "mcp"],
|
||||
"env": {}
|
||||
}
|
||||
}
|
||||
});
|
||||
serde_json::to_string_pretty(&config).unwrap_or_else(|_| "{}".into())
|
||||
}
|
||||
|
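Review bot: `allowed_tools_arg` feeds "Bash" into `--allowedTools`, so every shell command is auto-approved without a permission check, while the doc on `ALLOWED_BUILTIN_TOOLS` only frames Bash as "allowed pending a finer-grained allow-list" — that caveat belongs on the auto-approve path, not just on the existence list. Consider keeping Bash in `builtin_tools_arg` (it exists in the session) but sourcing `allowed_tools_arg` from a separate auto-approve subset, or at minimum add to its doc: `/// NOTE: "Bash" here means every shell command runs unprompted; narrow it to command patterns before widening the trust model.` Separately, the `unwrap_or_else(|_| "{}".into())` in `render_claude_config` turns a serialization failure into a config with no MCP server, which the caller cannot distinguish from success; since `to_string_pretty` on a `json!` value does not fail in practice, `expect("serde_json::Value always serializes")` states the invariant instead of hiding it. `socket.display()` is also lossy for non-UTF-8 paths, which is probably acceptable here but worth a comment.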
|
|
|||