From edc1de3197e6065e53aa69cdd1f264e48d35cc92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?m=C3=BCde?=
Date: Fri, 15 May 2026 15:47:58 +0200
Subject: [PATCH] tools: drop NotebookEdit from the agent whitelist
---
 CLAUDE.md | 9 +++++----
 hive-ag3nt/src/mcp.rs | 1 -
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/CLAUDE.md b/CLAUDE.md
index 1744cd0..c94311c 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -222,10 +222,11 @@ line (broker's `count_pending`). When adding new tools (manager surface,
 notes/state, etc.), use `run_tool` and they pick up the envelope for free.

 **Tool whitelist** (see `ALLOWED_BUILTIN_TOOLS` in `hive-ag3nt::mcp`):
-- Allowed built-ins: `Bash`, `Edit`, `Glob`, `Grep`, `NotebookEdit`, `Read`,
- `TodoWrite`, `Write`.
-- Denied by omission: `WebFetch`, `WebSearch`, `Task` — no external egress
- or nested-agent spawning until we have a real policy story.
+- Allowed built-ins: `Bash`, `Edit`, `Glob`, `Grep`, `Read`, `TodoWrite`,
+ `Write`.
+- Denied by omission: `WebFetch`, `WebSearch`, `Task`, `NotebookEdit` —
+ no external egress, nested-agent spawning, or Jupyter handling until we
+ have a real policy story.
 - Allowed MCP tools: `mcp__hyperhive__send`, `mcp__hyperhive__recv`.

 `Bash` is on the allow-list "for now" — pending a finer-grained allow-list
diff --git a/hive-ag3nt/src/mcp.rs b/hive-ag3nt/src/mcp.rs
index a91cb8f..f73040f 100644
--- a/hive-ag3nt/src/mcp.rs
+++ b/hive-ag3nt/src/mcp.rs
@@ -355,7 +355,6 @@ pub const ALLOWED_BUILTIN_TOOLS: &[&str] = &[
 "Edit",
 "Glob",
 "Grep",
- "NotebookEdit",
 "Read",
 "TodoWrite",
 "Write",