turn loop: tool whitelist (no web/task), no skip-permissions

2026-05-15 14:41:38 +02:00 · 2026-05-15 14:41:38 +02:00 · 37efb0889f
commit 37efb0889f
parent 65a10a3c2b
4 changed files with 143 additions and 9 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -156,17 +156,38 @@ docs/damocles-migration.md   options for moving damocles onto hyperhive
  marks them `failed` with note `"agent state dir missing"` so they fall out
  of `pending`. They stay in sqlite for audit.

-## Agent MCP surface
+## Agent MCP surface + turn loop

-The harness ships an embedded MCP server (rmcp 1.7) that claude can launch
-via `--mcp-config`. Subcommand: `hive-ag3nt mcp`. Tools:
- `send(to, body)` — message a peer or the operator.
- `recv()` — drain one inbox message.
+The harness ships an embedded MCP server (rmcp 1.7) that claude launches as
+a stdio child via `--mcp-config`. Subcommand: `hive-ag3nt mcp`. Tools:
+- `mcp__hyperhive__send(to, body)` — message a peer or the operator.
+- `mcp__hyperhive__recv()` — drain one inbox message.

 Both translate to `AgentRequest::Send`/`Recv` against the agent's own
 `/run/hive/mcp.sock` (the existing hyperhive socket). The MCP surface is
 just claude's view of that socket — same authority, friendlier protocol.

+The turn loop in `hive-ag3nt serve` writes
+`/run/hive/claude-mcp-config.json` at boot pointing at
+`/proc/self/exe mcp` (the running hive-ag3nt binary's nix store path).
+Each turn invokes:
+
+```
+claude --print --mcp-config <path> --tools <builtins> --allowedTools <builtins+mcp> <prompt>
+```
+
+**Tool whitelist** (see `ALLOWED_BUILTIN_TOOLS` in `hive-ag3nt::mcp`):
+- Allowed built-ins: `Bash`, `Edit`, `Glob`, `Grep`, `NotebookEdit`, `Read`,
+  `TodoWrite`, `Write`.
+- Denied by omission: `WebFetch`, `WebSearch`, `Task` — no external egress
+  or nested-agent spawning until we have a real policy story.
+- Allowed MCP tools: `mcp__hyperhive__send`, `mcp__hyperhive__recv`.
+
+`Bash` is on the allow-list "for now" — pending a finer-grained allow-list
+system for command patterns (`Bash(git *)`-style). When that lands, the
+`builtin_tools_arg` shape will probably change to a setting / hooks
+combo per claude-code's permissions plumbing.
+
 Manager will get its own subcommand later with `request_spawn`, `kill`,
 `request_apply_commit` added to the TOOLS list.

@ -373,6 +394,19 @@ with `./agent.nix` plus an inline module that sets
 `environment.etc."gitconfig".text` (committer identity = the agent's name) and
 `systemd.services.hive-ag3nt.environment.HIVE_PORT`/`HIVE_LABEL`.

+## Security backlog
+
+- **Unprivileged containers (userns mapping).** Today the nspawn container
+  runs as a fully privileged root. Goal: `PrivateUsersChown=yes` (or the
+  nixos-container equivalent) so uid 0 inside maps to an unprivileged uid
+  on the host, and a container-root compromise lands the attacker on an
+  ordinary user account, not the host's root. Requires per-agent state
+  dirs to be chown'd to that uid on the host side.
+- **Bash command allow-list.** Replace the blanket `Bash` allow with a
+  pattern allow-list (`Bash(git *)`, `Bash(nix build .*)`, etc.) per
+  claude-code's `--allowedTools` extended grammar. Likely lives in
+  `agent.nix` so each agent can scope its own shell surface.
+
 ## Polish backlog

 Not phased — pick when relevant:
--- a/Cargo.toml
+++ b/Cargo.toml
@ -30,6 +30,7 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 similar = "2"
 tokio = { version = "1", features = [
+  "fs",
  "io-util",
  "macros",
  "net",
--- a/hive-ag3nt/src/bin/hive-ag3nt.rs
+++ b/hive-ag3nt/src/bin/hive-ag3nt.rs
@ -122,6 +122,7 @@ async fn needs_login_loop(
 async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>) -> Result<()> {
    tracing::info!(socket = %socket.display(), "hive-ag3nt serve");
    let _ = state; // reserved for future state transitions (turn-loop -> needs-login)
+    let mcp_config = write_mcp_config(socket).await?;
    loop {
        let recv: Result<AgentResponse> = client::request(socket, &AgentRequest::Recv).await;
        match recv {
@ -131,7 +132,7 @@ async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>)
                // both ends are falling back to echo. Real loop control is the
                // manager's job (Phase 4+).
                if !body.starts_with("echo: ") {
-                    let reply = compute_reply(&body).await;
+                    let reply = compute_reply(&body, &mcp_config).await;
                    let send: Result<AgentResponse> = client::request(
                        socket,
                        &AgentRequest::Send {
@ -160,8 +161,8 @@ async fn serve(socket: &Path, interval: Duration, state: Arc<Mutex<LoginState>>)
    }
 }

-async fn compute_reply(prompt: &str) -> String {
-    match invoke_claude(prompt).await {
+async fn compute_reply(prompt: &str, mcp_config: &Path) -> String {
+    match invoke_claude(prompt, mcp_config).await {
        Ok(s) => s,
        Err(e) => {
            tracing::warn!(error = %format!("{e:#}"), "claude failed; falling back to echo");
@ -170,9 +171,21 @@ async fn compute_reply(prompt: &str) -> String {
    }
 }

-async fn invoke_claude(prompt: &str) -> Result<String> {
+async fn invoke_claude(prompt: &str, mcp_config: &Path) -> Result<String> {
+    // Whitelist model: `--tools` restricts which built-ins exist in the
+    // session (omitting WebFetch/WebSearch/Task means claude literally
+    // can't invoke them); `--allowedTools` auto-approves the same set
+    // plus the hyperhive MCP surface so there's no permission prompt
+    // mid-turn. A finer-grained allow-list system for Bash command
+    // patterns is on the backlog (PLAN.md polish).
    let out = Command::new("claude")
        .arg("--print")
+        .arg("--mcp-config")
+        .arg(mcp_config)
+        .arg("--tools")
+        .arg(mcp::builtin_tools_arg())
+        .arg("--allowedTools")
+        .arg(mcp::allowed_tools_arg())
        .arg(prompt)
        .output()
        .await?;
@ -190,6 +203,26 @@ async fn invoke_claude(prompt: &str) -> Result<String> {
    Ok(text)
 }

+/// Drop the per-agent MCP config on disk so the turn loop can hand its path
+/// to `claude --mcp-config`. Lives under `/run/hive/` (the bind-mounted
+/// per-agent runtime dir) so it's ephemeral and isolated per container.
+/// Returns the config path.
+async fn write_mcp_config(socket: &Path) -> Result<PathBuf> {
+    let parent = socket.parent().unwrap_or_else(|| Path::new("/run/hive"));
+    tokio::fs::create_dir_all(parent).await.ok();
+    let path = parent.join("claude-mcp-config.json");
+    // `/proc/self/exe` resolves to the running hive-ag3nt binary's nix store
+    // path, which the spawned child can re-invoke as the MCP server. Avoids
+    // needing claude-code's $PATH to contain hive-ag3nt.
+    let exe = std::env::current_exe()
+        .ok()
+        .map_or_else(|| "hive-ag3nt".into(), |p| p.display().to_string());
+    let body = mcp::render_claude_config(&exe, socket);
+    tokio::fs::write(&path, body).await?;
+    tracing::info!(path = %path.display(), "wrote claude MCP config");
+    Ok(path)
+}
+
 fn render(resp: &AgentResponse) -> Result<()> {
    println!("{}", serde_json::to_string_pretty(resp)?);
    Ok(())
--- a/hive-ag3nt/src/mcp.rs
+++ b/hive-ag3nt/src/mcp.rs
@ -101,3 +101,69 @@ pub async fn serve_stdio(socket: PathBuf) -> Result<()> {
    service.waiting().await?;
    Ok(())
 }
+
+/// Name of the hyperhive MCP server inside claude's view. Claude prefixes
+/// tools as `mcp__<this>__<tool>` (e.g. `mcp__hyperhive__send`).
+pub const SERVER_NAME: &str = "hyperhive";
+
+/// Built-in claude tools the turn loop enables via `--tools`. Anything not
+/// in this list literally doesn't exist in the session (claude won't even
+/// try to call it). Web egress (`WebFetch`/`WebSearch`) and nested agents
+/// (`Task`) are intentionally omitted for now; `Bash` is allowed pending a
+/// finer-grained allow-list system for shell command patterns. Edit later
+/// as our trust model evolves.
+pub const ALLOWED_BUILTIN_TOOLS: &[&str] = &[
+    "Bash",
+    "Edit",
+    "Glob",
+    "Grep",
+    "NotebookEdit",
+    "Read",
+    "TodoWrite",
+    "Write",
+];
+
+/// MCP tools claude is allowed to call without prompting. Mirrors the
+/// hyperhive surface so a new tool added below propagates to claude's
+/// allow-list automatically.
+#[must_use]
+pub fn allowed_mcp_tools() -> Vec<String> {
+    ["send", "recv"]
+        .iter()
+        .map(|t| format!("mcp__{SERVER_NAME}__{t}"))
+        .collect()
+}
+
+/// Combined allow-list passed to `--allowedTools` (auto-approve) — covers
+/// both the built-ins and the MCP surface.
+#[must_use]
+pub fn allowed_tools_arg() -> String {
+    let mut all: Vec<String> = ALLOWED_BUILTIN_TOOLS.iter().map(|s| (*s).to_owned()).collect();
+    all.extend(allowed_mcp_tools());
+    all.join(",")
+}
+
+/// Built-in tools list for `--tools` (which built-ins exist in this
+/// session). Same as `ALLOWED_BUILTIN_TOOLS` but joined comma-separated.
+#[must_use]
+pub fn builtin_tools_arg() -> String {
+    ALLOWED_BUILTIN_TOOLS.join(",")
+}
+
+/// Render the MCP config blob claude reads from `--mcp-config <path>`.
+/// `agent_binary` is the path (or PATH-resolvable name) of the `hive-ag3nt`
+/// executable; `socket` is the hyperhive per-agent socket bind-mounted into
+/// the container (forwarded to the child as `--socket <path>`).
+#[must_use]
+pub fn render_claude_config(agent_binary: &str, socket: &std::path::Path) -> String {
+    let config = serde_json::json!({
+        "mcpServers": {
+            SERVER_NAME: {
+                "command": agent_binary,
+                "args": ["--socket", socket.display().to_string(), "mcp"],
+                "env": {}
+            }
+        }
+    });
+    serde_json::to_string_pretty(&config).unwrap_or_else(|_| "{}".into())
+}