@posthog/agent 2.3.74 → 2.3.80

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@posthog/agent",
-  "version": "2.3.74",
+  "version": "2.3.80",
   "repository": "https://github.com/PostHog/code",
   "description": "TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog",
   "exports": {

package/src/adapters/claude/claude-agent.ts

@@ -817,7 +817,7 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
       cwd,
       mcpServers,
       permissionMode,
-      canUseTool: this.createCanUseTool(sessionId),
+      canUseTool: this.createCanUseTool(sessionId, meta?.allowedDomains),
       logger: this.logger,
       systemPrompt,
       userProvidedOptions: meta?.claudeCode?.options,
@@ -978,7 +978,10 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
     return { sessionId, modes, models, configOptions };
   }
 
-  private createCanUseTool(sessionId: string): CanUseTool {
+  private createCanUseTool(
+    sessionId: string,
+    allowedDomains?: string[],
+  ): CanUseTool {
     return async (toolName, toolInput, { suggestions, toolUseID, signal }) =>
       canUseTool({
         session: this.session,
@@ -993,6 +996,7 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
         logger: this.logger,
         updateConfigOption: (configId: string, value: string) =>
           this.updateConfigOption(configId, value),
+        allowedDomains,
       });
   }
 

package/src/adapters/claude/permissions/permission-handlers.ts

@@ -49,6 +49,7 @@ interface ToolHandlerContext {
   fileContentCache: { [key: string]: string };
   logger: Logger;
   updateConfigOption: (configId: string, value: string) => Promise<void>;
+  allowedDomains?: string[];
 }
 
 async function emitToolDenial(
@@ -422,10 +423,43 @@ function handlePlanFileException(
   };
 }
 
+function extractDomainFromUrl(url: string): string | null {
+  try {
+    return new URL(url).hostname;
+  } catch {
+    return null;
+  }
+}
+
+function isDomainAllowed(hostname: string, allowedDomains: string[]): boolean {
+  return allowedDomains.some((pattern) => {
+    if (pattern.startsWith("*.")) {
+      const suffix = pattern.slice(1); // ".example.com"
+      return hostname === pattern.slice(2) || hostname.endsWith(suffix);
+    }
+    return hostname === pattern;
+  });
+}
+
 export async function canUseTool(
   context: ToolHandlerContext,
 ): Promise<ToolPermissionResult> {
-  const { toolName, toolInput, session } = context;
+  const { toolName, toolInput, session, allowedDomains } = context;
+
+  // Enforce domain allowlist for web tools
+  if (allowedDomains && allowedDomains.length > 0) {
+    if (toolName === "WebFetch" || toolName === "WebSearch") {
+      const url = toolInput.url as string | undefined;
+      if (url) {
+        const hostname = extractDomainFromUrl(url);
+        if (hostname && !isDomainAllowed(hostname, allowedDomains)) {
+          const message = `Domain "${hostname}" is not in the allowed list: ${allowedDomains.join(", ")}`;
+          await emitToolDenial(context, message);
+          return { behavior: "deny", message, interrupt: false };
+        }
+      }
+    }
+  }
 
   if (isToolAllowedForMode(toolName, session.permissionMode)) {
     return {

package/src/adapters/claude/types.ts

@@ -107,6 +107,7 @@ export type NewSessionMeta = {
   permissionMode?: string;
   persistence?: { taskId?: string; runId?: string; logUrl?: string };
   additionalRoots?: string[];
+  allowedDomains?: string[];
   claudeCode?: {
     options?: Options;
   };

package/src/server/agent-server.ts

@@ -707,6 +707,7 @@ export class AgentServer {
         sessionId: payload.run_id,
         taskRunId: payload.run_id,
         systemPrompt: this.buildSessionSystemPrompt(prUrl),
+        allowedDomains: this.config.allowedDomains,
         ...(this.config.claudeCode?.plugins?.length && {
           claudeCode: {
             options: {

package/src/server/bin.ts

@@ -79,6 +79,10 @@ program
     "--claudeCodeConfig <json>",
     "Claude Code config as JSON (systemPrompt, systemPromptAppend, plugins)",
   )
+  .option(
+    "--allowedDomains <domains>",
+    "Comma-separated list of domains allowed for web tools (WebFetch, WebSearch)",
+  )
   .action(async (options) => {
     const envResult = envSchema.safeParse(process.env);
 
@@ -105,6 +109,13 @@ program
       "--claudeCodeConfig",
     );
 
+    const allowedDomains = options.allowedDomains
+      ? options.allowedDomains
+          .split(",")
+          .map((d: string) => d.trim())
+          .filter(Boolean)
+      : undefined;
+
     const server = new AgentServer({
       port: parseInt(options.port, 10),
       jwtPublicKey: env.JWT_PUBLIC_KEY,
@@ -118,6 +129,7 @@ program
       mcpServers,
       baseBranch: options.baseBranch,
       claudeCode,
+      allowedDomains,
     });
 
     process.on("SIGINT", async () => {

package/src/server/types.ts

@@ -22,4 +22,5 @@ export interface AgentServerConfig {
   mcpServers?: RemoteMcpServer[];
   baseBranch?: string;
   claudeCode?: ClaudeCodeConfig;
+  allowedDomains?: string[];
 }