pando-ai 0.2.8 → 0.3.1

package/README.md

@@ -27,10 +27,11 @@ npx -y pando-ai
 On a terminal this opens the **firewall console**: it detects whether `codex`
 and `claude` are protected, offers to install supervised launchers for any that
 aren't, and shows current status and policy. It also installs a persistent
-`~/.pando/bin/pando-ai` command shim, so future commands such as
-`pando-ai uninstall` work even when the first run came from `npx`. After
-installation you keep running `codex` and `claude` normally — Pando supervises
-each launch.
+`~/.pando/bin/pando-ai` command shim and, when the current PATH contains a
+stable writable command directory, a same-terminal `pando-ai` shim. Future
+commands such as `pando-ai uninstall` then work even when the first run came
+from `npx`. After installation you keep running `codex` and `claude` normally
+— Pando supervises each launch.
 
 ## How it works
 
@@ -77,7 +78,7 @@ Legacy completion APIs, including OpenAI chat/completions and Anthropic
 | --- | --- | --- |
 | Disable native tools | ✅ `--tools ""` (MCP stays available) + gateway/hook block | ⚠️ read-only sandbox + web search disabled + request/response gateway block |
 | Install Pando MCP, root-scoped | ✅ dynamic `--mcp-config` + `--strict-mcp-config` | ✅ dynamic required `-c mcp_servers.pando.*` with Pando tools pre-approved |
-| `other_mcp: deny_all` | ✅ `--strict-mcp-config` (Pando only) + gateway/hook block | ✅ request/response gateway block |
+| `other_mcp: deny_all` | ✅ `--strict-mcp-config` (Pando only), Claude project built-ins disabled, gateway/hook block | ✅ request/response gateway block |
 | `other_mcp: allow_list` | ✅ strict config with Pando + named servers + gateway/hook block | ✅ request/response gateway block |
 | `other_mcp: deny_list` | ✅ `--disallowedTools` removes denied names + gateway/hook block | ✅ request/response gateway block |
 | Route traffic through local gateway | ✅ API-key/token/helper auth via `ANTHROPIC_BASE_URL`; hooks are always on | ✅ provider override |
@@ -95,6 +96,20 @@ Legacy completion APIs, including OpenAI chat/completions and Anthropic
   enables gateway mode through `ANTHROPIC_BASE_URL`. Subscription-only launches
   use hooks-only fallback because Claude Code does not route subscription OAuth
   through a custom gateway.
+- **Claude Code launch hardening** strips user-supplied flags that can reopen
+  native tools, MCP config, plugins, custom settings, IDE attachment, or bypass
+  permissions (`--tools`, `--mcp-config`, `--settings`, `--plugin-dir`,
+  `--permission-mode`, `--allowedTools`, dangerous permission/channel flags,
+  and related aliases). Pando also sets `ENABLE_CLAUDEAI_MCP_SERVERS=false`,
+  injects `--disable-slash-commands` when supported, and injects `--bare` /
+  `--no-chrome` on Claude builds that expose those flags. If Claude settings
+  set `disableAllHooks=true`, Pando refuses to launch Claude because hooks are
+  required for subscription-mode enforcement.
+- **Claude Code built-in/project MCP state** is stricter than normal Claude
+  config. When policy blocks non-Pando MCP servers, Pando disables matching
+  project-level Claude MCP entries such as `computer-use` in `~/.claude.json`
+  and removes stale Pando-owned top-level MCP entries. Generated Pando MCP
+  config is still passed dynamically on each supervised launch.
 - **Claude Desktop general chat**: not part of the strong-enforcement claim;
   transparent interception is not reliable there without app-level controls.