pando-ai 0.2.7 → 0.3.0
package/README.md
CHANGED
|
@@ -27,10 +27,11 @@ npx -y pando-ai
|
|
|
27
27
|
On a terminal this opens the **firewall console**: it detects whether `codex`
|
|
28
28
|
and `claude` are protected, offers to install supervised launchers for any that
|
|
29
29
|
aren't, and shows current status and policy. It also installs a persistent
|
|
30
|
-
`~/.pando/bin/pando-ai` command shim,
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
30
|
+
`~/.pando/bin/pando-ai` command shim and, when the current PATH contains a
|
|
31
|
+
stable writable command directory, a same-terminal `pando-ai` shim. Future
|
|
32
|
+
commands such as `pando-ai uninstall` then work even when the first run came
|
|
33
|
+
from `npx`. After installation you keep running `codex` and `claude` normally
|
|
34
|
+
— Pando supervises each launch.
|
|
34
35
|
|
|
35
36
|
## How it works
|
|
36
37
|
|
|
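Review bot: The added sentence at new lines 30-31 says a same-terminal `pando-ai` shim is written "when the current PATH contains a stable writable command directory", but it never says how that directory is chosen or what "stable" means. A tool that drops an executable into a user-writable PATH entry should tell the reader where the file landed, so they can audit it and confirm nothing else shadows it. Suggest naming the selection rule (or stating that the installer prints the chosen path) and saying explicitly that `pando-ai uninstall` removes both this shim and `~/.pando/bin/pando-ai`.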
@@ -77,7 +78,7 @@ Legacy completion APIs, including OpenAI chat/completions and Anthropic
|
|
|
77
78
|
| --- | --- | --- |
|
|
78
79
|
| Disable native tools | ✅ `--tools ""` (MCP stays available) + gateway/hook block | ⚠️ read-only sandbox + web search disabled + request/response gateway block |
|
|
79
80
|
| Install Pando MCP, root-scoped | ✅ dynamic `--mcp-config` + `--strict-mcp-config` | ✅ dynamic required `-c mcp_servers.pando.*` with Pando tools pre-approved |
|
|
80
|
-
| `other_mcp: deny_all` | ✅ `--strict-mcp-config` (Pando only)
|
|
81
|
+
| `other_mcp: deny_all` | ✅ `--strict-mcp-config` (Pando only), Claude project built-ins disabled, gateway/hook block | ✅ request/response gateway block |
|
|
81
82
|
| `other_mcp: allow_list` | ✅ strict config with Pando + named servers + gateway/hook block | ✅ request/response gateway block |
|
|
82
83
|
| `other_mcp: deny_list` | ✅ `--disallowedTools` removes denied names + gateway/hook block | ✅ request/response gateway block |
|
|
83
84
|
| Route traffic through local gateway | ✅ API-key/token/helper auth via `ANTHROPIC_BASE_URL`; hooks are always on | ✅ provider override |
|
|
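Review bot: In the new `other_mcp: deny_all` row, the Claude cell mixes a launch flag (`--strict-mcp-config`) with "Claude project built-ins disabled", which is a different kind of control from the other entries in that column and gives no hint of how it is applied. Suggest wording the cell so a reader can tell a per-launch flag from a change to stored Claude configuration, or pointing at the README section that explains it. The cell also says "gateway/hook block" without qualification, while the context further down states that subscription-only launches use a hooks-only fallback; a short qualifier here would keep the table from overstating coverage for that mode.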
@@ -95,6 +96,20 @@ Legacy completion APIs, including OpenAI chat/completions and Anthropic
|
|
|
95
96
|
enables gateway mode through `ANTHROPIC_BASE_URL`. Subscription-only launches
|
|
96
97
|
use hooks-only fallback because Claude Code does not route subscription OAuth
|
|
97
98
|
through a custom gateway.
|
|
99
|
+
- **Claude Code launch hardening** strips user-supplied flags that can reopen
|
|
100
|
+
native tools, MCP config, plugins, custom settings, IDE attachment, or bypass
|
|
101
|
+
permissions (`--tools`, `--mcp-config`, `--settings`, `--plugin-dir`,
|
|
102
|
+
`--permission-mode`, `--allowedTools`, dangerous permission/channel flags,
|
|
103
|
+
and related aliases). Pando also sets `ENABLE_CLAUDEAI_MCP_SERVERS=false`,
|
|
104
|
+
injects `--disable-slash-commands` when supported, and injects `--bare` /
|
|
105
|
+
`--no-chrome` on Claude builds that expose those flags. If Claude settings
|
|
106
|
+
set `disableAllHooks=true`, Pando refuses to launch Claude because hooks are
|
|
107
|
+
required for subscription-mode enforcement.
|
|
108
|
+
- **Claude Code built-in/project MCP state** is stricter than normal Claude
|
|
109
|
+
config. When policy blocks non-Pando MCP servers, Pando disables matching
|
|
110
|
+
project-level Claude MCP entries such as `computer-use` in `~/.claude.json`
|
|
111
|
+
and removes stale Pando-owned top-level MCP entries. Generated Pando MCP
|
|
112
|
+
config is still passed dynamically on each supervised launch.
|
|
98
113
|
- **Claude Desktop general chat**: not part of the strong-enforcement claim;
|
|
99
114
|
transparent interception is not reliable there without app-level controls.
|
|
100
115
|
|
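Review bot: The launch-hardening bullet (new lines 99-107) documents a fail-closed case, refusing to launch when `disableAllHooks=true`, but leaves the opposite case unspecified: `--disable-slash-commands` is injected only "when supported" and `--bare` / `--no-chrome` only "on Claude builds that expose those flags". Please state what happens on builds that lack them: whether Pando warns, refuses, or launches with weaker isolation. The stripped-flag list also ends in "dangerous permission/channel flags, and related aliases", which does not let a user or auditor check whether a given flag is covered; a complete list or a pointer to where it is defined would fix that. In the next bullet (new lines 108-112), the edits to `~/.claude.json` are persistent changes to a user file, so the text should say whether the original entries are backed up and whether `pando-ai uninstall` restores them.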