bypass-mode perms + deny list, drop allow-list plumbing

claude-settings.json now sets permissions.defaultMode=bypassPermissions
with a small deny list (WebFetch, WebSearch, Task, TodoWrite). The
per-flavor allow list and --tools / --allowedTools CLI flags are gone
— anything not denied auto-approves. mcp.rs loses ALLOWED_BUILTIN_TOOLS,
builtin_tools_arg, allow_list, allowed_mcp_tools. The extraMcpServers
allowedTools field is parsed for back-compat but no longer wired
anywhere; restrict via permissions.deny instead.

hive-ag3nt/prompts/claude-settings.json

@@ -1,5 +1,9 @@
 {
   "autoCompactEnabled": false,
   "autoMemoryEnabled": false,
-  "effortLevel": "medium"
+  "effortLevel": "medium",
+  "permissions": {
+    "defaultMode": "bypassPermissions",
+    "deny": ["WebFetch", "WebSearch", "Task", "TodoWrite"]
+  }
 }

hive-ag3nt/src/mcp.rs

@@ -548,86 +548,23 @@ impl ServerHandler for ManagerServer {}
 /// tools as `mcp__<this>__<tool>` (e.g. `mcp__hyperhive__send`).
 pub const SERVER_NAME: &str = "hyperhive";
 
-/// Built-in claude tools the turn loop enables via `--tools`. Anything not
+/// Which hyperhive MCP surface to advertise — sub-agent (short tool
-/// in this list literally doesn't exist in the session (claude won't even
+/// list) or manager (full lifecycle surface). Threaded through the
-/// try to call it). Web egress (`WebFetch`/`WebSearch`) and nested agents
+/// system-prompt renderer and the per-flavor web UI dispatch; tool
-/// (`Task`) are intentionally omitted for now; `Bash` is allowed pending a
+/// gating itself now lives in `claude-settings.json`'s
-/// finer-grained allow-list system for shell command patterns. Edit later
+/// `permissions.{defaultMode, deny}`, not here.
-/// as our trust model evolves.
-pub const ALLOWED_BUILTIN_TOOLS: &[&str] =
-    &["Bash", "Edit", "Glob", "Grep", "Read", "TodoWrite", "Write"];
-
-/// Which MCP tool surface to advertise via `--allowedTools`. The agent
-/// list is the strict subset of the manager list, so we just thread the
-/// flavor through.
 #[derive(Debug, Clone, Copy)]
 pub enum Flavor {
     Agent,
     Manager,
 }
 
-/// MCP tools claude is allowed to call without prompting. Mirrors the
-/// hyperhive surface so a new tool added in the corresponding `#[tool_router]`
-/// impl needs to be listed here too.
-#[must_use]
-pub fn allowed_mcp_tools(flavor: Flavor) -> Vec<String> {
-    let names: &[&str] = match flavor {
-        Flavor::Agent => &["send", "recv", "ask_operator"],
-        Flavor::Manager => &[
-            "send",
-            "recv",
-            "request_spawn",
-            "kill",
-            "start",
-            "restart",
-            "update",
-            "request_apply_commit",
-            "ask_operator",
-        ],
-    };
-    let mut out: Vec<String> = names
-        .iter()
-        .map(|t| format!("mcp__{SERVER_NAME}__{t}"))
-        .collect();
-    // Extra MCP servers declared via `hyperhive.extraMcpServers` in
-    // the agent's NixOS config. Each entry maps its `allowedTools`
-    // pattern list to `mcp__<server>__<pattern>` so claude can call
-    // them without per-tool operator approval. `["*"]` (the default)
-    // expands to `mcp__<server>__*` — every tool from that server.
-    for (server, spec) in load_extra_mcp() {
-        if server == SERVER_NAME {
-            continue;
-        }
-        for pat in spec.allowed_tools {
-            out.push(format!("mcp__{server}__{pat}"));
-        }
-    }
-    out
-}
-
-/// Combined allow-list passed to `--allowedTools` (auto-approve) — covers
-/// both the built-ins and the MCP surface.
-#[must_use]
-pub fn allowed_tools_arg(flavor: Flavor) -> String {
-    let mut all: Vec<String> = ALLOWED_BUILTIN_TOOLS
-        .iter()
-        .map(|s| (*s).to_owned())
-        .collect();
-    all.extend(allowed_mcp_tools(flavor));
-    all.join(",")
-}
-
-/// Built-in tools list for `--tools` (which built-ins exist in this
-/// session). Same as `ALLOWED_BUILTIN_TOOLS` but joined comma-separated.
-#[must_use]
-pub fn builtin_tools_arg() -> String {
-    ALLOWED_BUILTIN_TOOLS.join(",")
-}
-
 /// Where the NixOS module writes the per-agent extra-MCP spec (see
 /// `nix/templates/harness-base.nix`). Each entry becomes an additional
-/// `mcpServers.<key>` block in the rendered claude config + a
+/// `mcpServers.<key>` block in the rendered claude config; the
-/// `mcp__<key>__<tool>` pattern in `--allowedTools`.
+/// `allowedTools` field is parsed for back-compat but no longer wired
+/// anywhere — under `bypassPermissions` every MCP tool auto-approves
+/// unless listed in `permissions.deny`.
 const EXTRA_MCP_PATH: &str = "/etc/hyperhive/extra-mcp.json";
 
 /// Where the NixOS module writes the per-agent send allow-list (see
@@ -687,6 +624,7 @@ struct ExtraMcpServer {
     env: std::collections::BTreeMap<String, String>,
     #[serde(default = "default_allowed_tools")]
     #[serde(rename = "allowedTools")]
+    #[allow(dead_code)] // back-compat: superseded by `permissions.deny`
     allowed_tools: Vec<String>,
 }
 

hive-ag3nt/src/turn.rs

@@ -22,9 +22,13 @@ use crate::mcp;
 /// to read and edit; we ship it via `include_str!`. We turn off claude's
 /// in-session auto-compaction and its cross-session auto-memory because
 /// hyperhive owns those concerns (`/compact` on overflow, notes
-/// persistence under `/state`). Unknown keys are silently ignored by
+/// persistence under `/state`). `permissions.defaultMode =
-/// claude-code; if a key gets renamed we'll spot it because the
+/// bypassPermissions` skips the per-tool approval prompt entirely;
-/// corresponding behavior will start firing mid-turn again.
+/// `permissions.deny` keeps a short list of tools we don't want claude
+/// reaching for (web egress, nested agents, the ephemeral todo list).
+/// Unknown keys are silently ignored by claude-code; if a key gets
+/// renamed we'll spot it because the corresponding behavior will start
+/// firing mid-turn again.
 const CLAUDE_SETTINGS: &str = include_str!("../prompts/claude-settings.json");
 
 /// Regex-ish marker claude-code emits when context overflows. Same string
@@ -81,7 +85,10 @@ pub async fn write_mcp_config(socket: &Path) -> Result<PathBuf> {
 
 /// Drop the static `--settings` JSON next to the MCP config so we can
 /// pass a path (`--settings <file>`) instead of an ever-growing inline
-/// blob — the CLI argv has a finite length budget.
+/// blob — the CLI argv has a finite length budget. The file carries
+/// `permissions.defaultMode = bypassPermissions` + a small `deny` list,
+/// so everything not in `deny` auto-approves without a per-flavor allow
+/// list.
 pub async fn write_settings(socket: &Path) -> Result<PathBuf> {
     let parent = socket.parent().unwrap_or_else(|| Path::new("/run/hive"));
     tokio::fs::create_dir_all(parent).await.ok();
@@ -247,11 +254,7 @@ async fn run_claude(prompt: &str, files: &TurnFiles, bus: &Bus) -> Result<bool>
     cmd.arg("--system-prompt-file").arg(&files.system_prompt);
     cmd.arg("--mcp-config")
         .arg(&files.mcp_config)
-        .arg("--strict-mcp-config")
+        .arg("--strict-mcp-config");
-        .arg("--tools")
-        .arg(mcp::builtin_tools_arg())
-        .arg("--allowedTools")
-        .arg(mcp::allowed_tools_arg(files.flavor));
     let mut child = cmd
         .stdin(Stdio::piped())
         .stdout(Stdio::piped())