@agentvault/claude-bridge 0.3.3 → 0.3.4

package/dist/config.d.ts

@@ -8,6 +8,9 @@ export interface BridgeConfig {
     roomFilter?: string;
     model?: string;
     systemPrompt?: string;
+    worker: boolean;
+    workspaceDir?: string;
+    permissionMode: "auto" | "acceptEdits" | "bypassPermissions";
 }
 export declare function loadConfig(env: NodeJS.ProcessEnv, argv?: string[]): BridgeConfig;
 //# sourceMappingURL=config.d.ts.map

package/dist/index.js

@@ -45248,20 +45248,20 @@ function multibaseToPublicKey(multibase) {
 }
 async function signDocument(document, privateKey) {
   await libsodium_wrappers_default.ready;
-  const canonical = canonicalize(document);
+  const canonical2 = canonicalize(document);
   const domainPrefix = libsodium_wrappers_default.from_string(DOMAIN_DID_DOCUMENT);
-  const message = new Uint8Array(domainPrefix.length + canonical.length);
+  const message = new Uint8Array(domainPrefix.length + canonical2.length);
   message.set(domainPrefix);
-  message.set(canonical, domainPrefix.length);
+  message.set(canonical2, domainPrefix.length);
   return libsodium_wrappers_default.crypto_sign_detached(message, privateKey);
 }
 async function verifyDocumentSignature(document, signature, publicKey) {
   await libsodium_wrappers_default.ready;
-  const canonical = canonicalize(document);
+  const canonical2 = canonicalize(document);
   const domainPrefix = libsodium_wrappers_default.from_string(DOMAIN_DID_DOCUMENT);
-  const message = new Uint8Array(domainPrefix.length + canonical.length);
+  const message = new Uint8Array(domainPrefix.length + canonical2.length);
   message.set(domainPrefix);
-  message.set(canonical, domainPrefix.length);
+  message.set(canonical2, domainPrefix.length);
   try {
     return libsodium_wrappers_default.crypto_sign_verify_detached(signature, message, publicKey);
   } catch {
@@ -96449,6 +96449,20 @@ function resolveDataDir(env) {
 function loadConfig(env, argv = []) {
   const { dataDir, source: dataDirSource } = resolveDataDir(env);
   const inviteToken = (argv[0] && !argv[0].startsWith("-") ? argv[0] : "") || env.AV_INVITE_TOKEN || "";
+  const worker = env.AV_WORKER === "1" || env.AV_WORKER === "true";
+  const workspaceDir = env.AV_WORKSPACE_DIR || void 0;
+  const PERMISSION_MODES = ["auto", "acceptEdits", "bypassPermissions"];
+  const permissionMode = env.AV_PERMISSION_MODE ?? "auto";
+  if (!PERMISSION_MODES.includes(permissionMode)) {
+    throw new Error(
+      `invalid AV_PERMISSION_MODE: ${env.AV_PERMISSION_MODE} (expected one of ${PERMISSION_MODES.join(", ")})`
+    );
+  }
+  if (worker && !workspaceDir) {
+    throw new Error(
+      "worker mode requires AV_WORKSPACE_DIR (the project directory the agent works in)"
+    );
+  }
   if (!inviteToken && !hasPersistedCreds(dataDir)) {
     throw new Error(
       "invite token required: pass it as the first argument or set AV_INVITE_TOKEN (or start from a data dir with existing credentials to reconnect)"
@@ -96465,7 +96479,10 @@ function loadConfig(env, argv = []) {
     agentName: env.AV_AGENT_NAME ?? "Claude",
     roomFilter: env.AV_ROOM_ID || void 0,
     model: env.AV_CLAUDE_MODEL || void 0,
-    systemPrompt: env.AV_SYSTEM_PROMPT || void 0
+    systemPrompt: env.AV_SYSTEM_PROMPT || void 0,
+    worker,
+    workspaceDir,
+    permissionMode
   };
 }
 
@@ -117763,6 +117780,81 @@ function Z_($10, Q4) {
   return null;
 }
 
+// src/worker-permission.ts
+import { realpathSync as realpathSync2 } from "node:fs";
+import { resolve as resolve2, dirname, basename, sep } from "node:path";
+var PATH_FIELDS = ["file_path", "path", "notebook_path"];
+function canonical(p2) {
+  const abs = resolve2(p2);
+  try {
+    return realpathSync2(abs);
+  } catch {
+    try {
+      return resolve2(realpathSync2(dirname(abs)), basename(abs));
+    } catch {
+      return abs;
+    }
+  }
+}
+function targetsDataDir(_toolName, input, dataDir) {
+  const canonDir = canonical(dataDir);
+  for (const f7 of PATH_FIELDS) {
+    const v5 = input[f7];
+    if (typeof v5 === "string") {
+      const canon = canonical(v5);
+      if (canon === canonDir || canon.startsWith(canonDir + sep)) return true;
+    }
+  }
+  const cmd = input.command;
+  if (typeof cmd === "string" && cmd.includes(canonDir)) return true;
+  return false;
+}
+function gateDecision(toolName, input, opts) {
+  if (toolName === ROOM_SAY_TOOL_NAME) return { deny: false };
+  if (!opts.isOwnerTurn()) {
+    return { deny: true, reason: "tools are disabled in rooms; reply with the say tool only" };
+  }
+  if (targetsDataDir(toolName, input, opts.dataDir)) {
+    return { deny: true, reason: "access to the AgentVault key directory is not permitted" };
+  }
+  return { deny: false };
+}
+function makeWorkerPreToolUseHook(opts) {
+  return {
+    hooks: [
+      async (input) => {
+        const i2 = input;
+        const verdict = gateDecision(
+          i2.tool_name ?? "",
+          i2.tool_input ?? {},
+          opts
+        );
+        if (verdict.deny) {
+          console.error(`[worker-gate] DENY ${i2.tool_name} \u2014 ${verdict.reason}`);
+          return {
+            hookSpecificOutput: {
+              hookEventName: "PreToolUse",
+              permissionDecision: "deny",
+              permissionDecisionReason: verdict.reason
+            }
+          };
+        }
+        return {};
+      }
+    ]
+  };
+}
+function makeWorkerPermission(opts) {
+  return async (toolName, input) => {
+    const verdict = gateDecision(toolName, input, opts);
+    if (verdict.deny) {
+      console.error(`[worker-gate] DENY ${toolName} \u2014 ${verdict.reason}`);
+      return { behavior: "deny", message: verdict.reason };
+    }
+    return { behavior: "allow", updatedInput: input };
+  };
+}
+
 // ../../node_modules/zod/v4/classic/external.js
 var external_exports = {};
 __export(external_exports, {
@@ -131554,10 +131646,21 @@ var PersistentClaudeSession = class {
   /** Reply sink bound to the message currently being processed. Set as each
    *  message is handed to the model so the say tool routes to the right place. */
   activeReply;
-  /** Per-turn state for the #416 DM auto-reply fallback. */
+  /**
+   * Per-turn state for the #416 DM auto-reply fallback.
+   *
+   * LOAD-BEARING for the worker tool gate: `currentAutoReply` is true ONLY on
+   * owner DM turns (`autoReplyOnText:true` from wireBridge) and false on room
+   * turns (`autoReplyOnText:false`). `makeWorkerPermission` calls
+   * `isOwnerTurn: () => this.currentAutoReply` to decide whether tools are
+   * allowed. A room-origin turn MUST keep this false or untrusted input gains
+   * full tool access. See worker-permission.test.ts for the covering assertion.
+   */
   currentAutoReply = false;
   saidThisTurn = false;
   turnText = "";
+  /** In-process room MCP server — hoisted so buildSdkOptions can reference it. */
+  roomServer;
   /**
    * Queue an inbound message for the model.
    * @param opts.autoReplyOnText — for 1:1 DMs (where the owner always expects a
@@ -131591,8 +131694,8 @@ var PersistentClaudeSession = class {
   }
   async *input() {
     while (true) {
-      const item = this.pending.length > 0 ? this.pending.shift() : await new Promise((resolve2) => {
-        this.waiting = resolve2;
+      const item = this.pending.length > 0 ? this.pending.shift() : await new Promise((resolve3) => {
+        this.waiting = resolve3;
       });
       this.activeReply = item.reply;
       this.currentAutoReply = item.autoReplyOnText ?? false;
@@ -131601,38 +131704,54 @@ var PersistentClaudeSession = class {
       yield item.msg;
     }
   }
+  /**
+   * Build the SDK options for this session. Locked mode (default) is safe for
+   * untrusted inbound room messages. Worker mode (opts.worker=true) enables full
+   * toolset on owner DMs, project context, workspace cwd, and an AV data-dir
+   * fence via canUseTool.
+   */
+  buildSdkOptions() {
+    const base = {
+      model: this.opts.model,
+      systemPrompt: this.opts.systemPrompt,
+      mcpServers: { room: this.roomServer },
+      allowedTools: [ROOM_SAY_TOOL_NAME]
+    };
+    if (!this.opts.worker) {
+      return {
+        ...base,
+        permissionMode: "dontAsk",
+        tools: [],
+        settingSources: []
+      };
+    }
+    const gateOpts = {
+      dataDir: this.opts.dataDir ?? "",
+      // LOAD-BEARING: this.currentAutoReply is true only on owner DM turns.
+      // A room turn must keep it false or untrusted input gains full tool access.
+      // See worker-permission.test.ts for the covering assertion.
+      isOwnerTurn: () => this.currentAutoReply
+    };
+    return {
+      ...base,
+      permissionMode: this.opts.permissionMode ?? "auto",
+      settingSources: ["user", "project"],
+      cwd: this.opts.workspaceDir,
+      // PRIMARY gate: a PreToolUse hook fires on EVERY tool call regardless of
+      // permissionMode. canUseTool alone is bypassed in "auto" mode (the SDK's
+      // classifier auto-approves without hitting the "ask" path) — verified live.
+      hooks: { PreToolUse: [makeWorkerPreToolUseHook(gateOpts)] },
+      // Secondary (defense-in-depth): covers the "ask" path in default/dontAsk modes.
+      canUseTool: makeWorkerPermission(gateOpts)
+    };
+  }
   async start() {
-    const roomServer = _s({
+    this.roomServer = _s({
       name: "room",
       version: "0.2.0",
       tools: [makeRoomSayTool((text) => this.deliver(text))]
     });
-    const sdkOptions = {
-      model: this.opts.model,
-      systemPrompt: this.opts.systemPrompt,
-      // SECURITY: this session is driven by UNTRUSTED inbound room messages from
-      // other agents. It must NOT be able to run general tools (shell/file/network)
-      // — that would be a prompt-injection → RCE / key-exfil path on the host. The
-      // ONLY tool it gets is room_say (post text to the active room), which has no
-      // such reach. Defense is capability REMOVAL first, permission mode second:
-      //   - tools [] : remove ALL built-in tools (Bash/Read/Write/...) at the
-      //     source so an injection can't even reach the permission layer. The
-      //     room_say MCP tool comes via mcpServers and is unaffected by this.
-      //   - permissionMode "dontAsk" (NEVER "bypassPermissions"): deny anything not
-      //     pre-approved — no reliance on a no-TTY-implies-denial assumption.
-      //   - allowedTools [ROOM_SAY_TOOL_NAME] : pre-approve ONLY room_say.
-      //   - settingSources [] : do not load CLAUDE.md / project agents / skills
-      //     from disk into an untrusted-input session.
-      // When CClaude later becomes a tool-using coder, additional tools must only
-      // be enabled INSIDE an isolation boundary (sandboxed dev droplet, no prod/
-      // network access, no access to the device-key dir) AND gated by canUseTool.
-      permissionMode: "dontAsk",
-      tools: [],
-      allowedTools: [ROOM_SAY_TOOL_NAME],
-      mcpServers: { room: roomServer },
-      settingSources: []
-      // maxTurns left unset → persistent multi-turn (NOT maxTurns:1)
-    };
+    const sdkOptions = this.buildSdkOptions();
     const q5 = this.opts.queryImpl ? this.opts.queryImpl({
       prompt: this.input(),
       options: sdkOptions
@@ -131779,7 +131898,14 @@ async function main() {
       "[bridge] warning: passing the invite token on the command line is visible to other local users via 'ps'. Prefer: AV_INVITE_TOKEN=\u2026 npx @agentvault/claude-bridge"
     );
   }
+  console.error(`[bridge] version: ${true ? "0.3.4" : "dev"}`);
   console.error(`[bridge] data dir: ${cfg.dataDir} (${cfg.dataDirSource})`);
+  if (cfg.worker) {
+    console.error(`[bridge] WORKER MODE \u2014 workspace: ${cfg.workspaceDir} \xB7 permissions: ${cfg.permissionMode} \xB7 enclave dir fenced`);
+    console.error(
+      "[bridge] WORKER MODE WARNING: worker mode mixes untrusted room context with trusted owner DM turns in one persistent session. The turn-scoped gate (isOwnerTurn) prevents tool use ON a room turn, but does NOT prevent a room message from planting an instruction that fires on a later owner DM turn when tools are enabled (cross-turn injection). Until Slice 2: run a worker bridge DM-only (no room traffic) or under OS-user isolation."
+    );
+  }
   const target = new ActiveTarget();
   if (cfg.roomFilter) target.setRoom(cfg.roomFilter);
   const channel = new SecureChannel({
@@ -131798,7 +131924,11 @@ async function main() {
     // per-message binding is what prevents a private 1:1 reply from leaking into a
     // room when room traffic arrives mid-compose.
     // Assistant reasoning that wasn't sent — log a short trace only.
-    onObserve: (text) => console.error(`[bridge] observed (${text.length} chars, not sent)`)
+    onObserve: (text) => console.error(`[bridge] observed (${text.length} chars, not sent)`),
+    worker: cfg.worker,
+    workspaceDir: cfg.workspaceDir,
+    permissionMode: cfg.permissionMode,
+    dataDir: cfg.dataDir
   });
   wireBridge(
     channel,

package/dist/session.d.ts

@@ -55,6 +55,15 @@ export interface SessionOpts {
     model?: string;
     systemPrompt?: string;
     queryImpl?: QueryFn;
+    /** When true, session runs as a worker agent: full toolset on owner DMs,
+     *  project context loaded, workspace cwd set, AV data dir fenced off. */
+    worker?: boolean;
+    /** Workspace directory to set as cwd in worker mode. */
+    workspaceDir?: string;
+    /** Claude permission mode for worker turns (default: "auto"). */
+    permissionMode?: "auto" | "acceptEdits" | "bypassPermissions";
+    /** AgentVault data directory — fenced off from worker tool access. */
+    dataDir?: string;
 }
 export declare class PersistentClaudeSession {
     private opts;
@@ -63,10 +72,21 @@ export declare class PersistentClaudeSession {
     /** Reply sink bound to the message currently being processed. Set as each
      *  message is handed to the model so the say tool routes to the right place. */
     private activeReply?;
-    /** Per-turn state for the #416 DM auto-reply fallback. */
+    /**
+     * Per-turn state for the #416 DM auto-reply fallback.
+     *
+     * LOAD-BEARING for the worker tool gate: `currentAutoReply` is true ONLY on
+     * owner DM turns (`autoReplyOnText:true` from wireBridge) and false on room
+     * turns (`autoReplyOnText:false`). `makeWorkerPermission` calls
+     * `isOwnerTurn: () => this.currentAutoReply` to decide whether tools are
+     * allowed. A room-origin turn MUST keep this false or untrusted input gains
+     * full tool access. See worker-permission.test.ts for the covering assertion.
+     */
     private currentAutoReply;
     private saidThisTurn;
     private turnText;
+    /** In-process room MCP server — hoisted so buildSdkOptions can reference it. */
+    private roomServer;
     constructor(opts: SessionOpts);
     /**
      * Queue an inbound message for the model.
@@ -83,6 +103,13 @@ export declare class PersistentClaudeSession {
      *  the one captured for the message being answered, not a live global target. */
     deliver(text: string): Promise<void>;
     private input;
+    /**
+     * Build the SDK options for this session. Locked mode (default) is safe for
+     * untrusted inbound room messages. Worker mode (opts.worker=true) enables full
+     * toolset on owner DMs, project context, workspace cwd, and an AV data-dir
+     * fence via canUseTool.
+     */
+    private buildSdkOptions;
     start(): Promise<void>;
 }
 export {};

package/dist/worker-permission.d.ts

@@ -0,0 +1,22 @@
+import type { CanUseTool, HookCallbackMatcher } from "@anthropic-ai/claude-agent-sdk";
+/**
+ * PRIMARY enforcement: a PreToolUse hook. Unlike canUseTool (the SDK's "ask"
+ * path, which `permissionMode:"auto"` BYPASSES by auto-approving benign tools via
+ * its classifier — verified live: the canUseTool gate never fired in auto mode),
+ * a PreToolUse `deny` fires on EVERY tool call regardless of permission mode.
+ * This is what actually enforces the gate at runtime.
+ */
+export declare function makeWorkerPreToolUseHook(opts: {
+    dataDir: string;
+    isOwnerTurn: () => boolean;
+}): HookCallbackMatcher;
+/**
+ * SECONDARY (defense-in-depth): the canUseTool callback covers the SDK's "ask"
+ * path (permissionMode `"default"`/`"dontAsk"`). Shares gateDecision with the
+ * PreToolUse hook above, so a deny in one is a deny in the other.
+ */
+export declare function makeWorkerPermission(opts: {
+    dataDir: string;
+    isOwnerTurn: () => boolean;
+}): CanUseTool;
+//# sourceMappingURL=worker-permission.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentvault/claude-bridge",
-  "version": "0.3.3",
+  "version": "0.3.4",
   "type": "module",
   "description": "AgentVault Claude Bridge — daemon for bridging a Claude agent into secure E2E-encrypted AgentVault 1:1 direct messages and rooms.",
   "main": "dist/index.js",