@1agh/maude 0.32.0 → 0.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -132,13 +132,32 @@ export class AcpBridge {
132
132
  if (!adapterEntry) {
133
133
  throw new Error('The Claude agent bridge is not installed in this build.');
134
134
  }
135
- if (!resolveClaudePath()) {
135
+ const claudePath = resolveClaudePath();
136
+ if (!claudePath) {
136
137
  throw new Error("Claude Code isn't connected — run `claude` in a terminal and `/login`.");
137
138
  }
138
139
 
139
140
  // DDR-123 guardrail #1 — strip ANTHROPIC_API_KEY so the child stays on the
140
141
  // user's subscription. This is the whole compliance story; do not weaken it.
141
142
  const env = scrubAgentEnv(process.env);
143
+ // DDR-123 guardrail #2 — pin the adapter to the user's OWN `claude` CLI.
144
+ // `claude-agent-acp`'s `claudeCliPath()` honors CLAUDE_CODE_EXECUTABLE and
145
+ // ONLY otherwise falls back to the ~210 MB native Claude binary shipped as a
146
+ // platform-specific OPTIONAL dep of @anthropic-ai/claude-agent-sdk. The
147
+ // desktop bundle deliberately stages just the adapter's JS closure (not that
148
+ // native binary — see apps/desktop/scripts/stage-resources.mjs), so without
149
+ // this pin the packaged adapter would throw "native binary not found". Driving
150
+ // the user's installed CLI is also the documented intent: it keeps the turn on
151
+ // their subscription rather than the SDK's embedded runtime.
152
+ env.CLAUDE_CODE_EXECUTABLE = claudePath;
153
+ // Least-privilege: the adapter child never talks to the dev-server's GitHub
154
+ // token bridge (only apps/studio/github/token.ts does), so drop the loopback
155
+ // keychain-bridge handle from its env. Keeps a hijacked-PATH `claude` (which
156
+ // would require pre-existing RCE) from reading the user's GitHub token.
157
+ // biome-ignore lint/performance/noDelete: security env-scrub — the key must be fully removed from the child's env, not set to `undefined` (which can leak through as `X=` on spawn).
158
+ delete env.MAUDE_TOKEN_ENDPOINT;
159
+ // biome-ignore lint/performance/noDelete: security env-scrub — see above; `delete` is the intentional primitive here.
160
+ delete env.MAUDE_TOKEN_KEY;
142
161
  // Model + effort selection — config, NOT credentials, so they're added back.
143
162
  this.activeModel = this.desiredModel;
144
163
  this.activeEffort = this.desiredEffort;