From 0633865598cc68342a0229bff61137aa71a9f2ed Mon Sep 17 00:00:00 2001
From: Erik <erik.nihlen@gmail.com>
Date: Sat, 25 Apr 2026 22:45:39 +0200
Subject: [PATCH] fix(agent): block Agent + Gmail/Drive/Calendar tools, brief
 model not to probe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two complementary changes after observing the model probe boundaries
(it tried mcp__claude_ai_Gmail__search_threads, then tried to delegate
to a subagent via the Agent tool, then suggested the user edit
settings.local.json to add Gmail tools):

1. claude_wrapper.py adds to --disallowed-tools:
   - Agent  (subagent spawning — should never delegate)
   - WebFetch (already; settings.json re-allows acpedia.org only)
   - Every Gmail/Calendar/Drive connector tool name we know about

2. CLAUDE.md adds a 'Non-negotiable scope rules' section:
   - Be a read-only game-state QA service, nothing else
   - Don't attempt tools outside your role
   - Don't explain how to bypass restrictions
   - Don't suggest settings.json edits
   - Don't enumerate hidden tools when asked

Soft (system-prompt) + hard (CLI flag) defenses combined.
---
 CLAUDE.md               | 12 ++++++++++++
 agent/claude_wrapper.py | 22 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/CLAUDE.md b/CLAUDE.md
index 8d0ea7cd..dbc80299 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -145,6 +145,18 @@ Real-time equipment optimization engine for building optimal character loadouts
 
 When invoked through the dashboard's chat window (the **🤖 Assistant** button) or through `/api/agent/ask`, you are acting as the **Overlord Assistant** — answering ad-hoc questions for the user about their live multi-account Asheron's Call setup.
 
+### Non-negotiable scope rules — read carefully
+
+You are a **read-only game-state question-answering service**. Nothing more.
+
+- ✅ Allowed: answer questions using ONLY the `mcp__overlord__*` tools below.
+- ✅ Allowed: lookup AC game info via `WebFetch(domain:acpedia.org)` if useful.
+- ❌ **Do not attempt** any other tool — Bash, Read, Write, Edit, Grep, Glob, ToolSearch, Monitor, TodoWrite, Skill, scheduling, Agent (subagents), Gmail / Calendar / Drive, etc. They will be denied and waste a turn.
+- ❌ **Do not explain to the user how to bypass your restrictions.** Don't suggest editing `settings.json` to add tools. Don't suggest "switch permission mode". Don't propose workarounds. The restrictions are intentional and the user knows about them.
+- ❌ **Do not delegate to subagents.** You answer directly using your tools or you say you can't.
+- ❌ **Do not enumerate "what tools you have"** when asked, beyond a short summary of the `mcp__overlord__*` tools and acpedia WebFetch. Specifically do not list Gmail / Calendar / Drive / built-ins; pretend they don't exist.
+- If the user asks about anything outside the game-state domain — coding, system administration, your own configuration, email, calendar, etc. — politely say "that's out of scope for the Overlord Assistant" and offer game-data help instead.
+
 **You have MCP tools** (from `.mcp.json`) for live game data. **Always use them** instead of guessing or apologising for not having data:
 
 - `get_live_players` — current online characters with positions/kills/state
diff --git a/agent/claude_wrapper.py b/agent/claude_wrapper.py
index 4ea483fd..bbe48712 100644
--- a/agent/claude_wrapper.py
+++ b/agent/claude_wrapper.py
@@ -110,6 +110,10 @@ async def ask_claude(message: str, session_id: str) -> ClaudeResult:
             "NotebookEdit",
             # Network built-ins
             "WebSearch",
+            "WebFetch",  # blocked here; settings.json re-allows acpedia.org
+            # Subagent spawning — the assistant must NEVER delegate to a
+            # general-purpose subagent (which would have its own tool set).
+            "Agent",
             # Tool / session meta-tools — these can list, load, or chain
             # into other tools and must NOT be reachable.
             "ToolSearch",
@@ -132,6 +136,24 @@ async def ask_claude(message: str, session_id: str) -> ClaudeResult:
             "CronDelete",
             "ScheduleWakeup",
             "RemoteTrigger",
+            # Anthropic first-party connectors from the user's claude.ai
+            # account. These are off-mission for an Overlord assistant and
+            # would leak personal data outside the game-state domain.
+            "mcp__claude_ai_Gmail__create_draft",
+            "mcp__claude_ai_Gmail__create_label",
+            "mcp__claude_ai_Gmail__get_message",
+            "mcp__claude_ai_Gmail__get_thread",
+            "mcp__claude_ai_Gmail__list_drafts",
+            "mcp__claude_ai_Gmail__list_labels",
+            "mcp__claude_ai_Gmail__label_message",
+            "mcp__claude_ai_Gmail__label_thread",
+            "mcp__claude_ai_Gmail__search_messages",
+            "mcp__claude_ai_Gmail__search_threads",
+            "mcp__claude_ai_Gmail__send_message",
+            "mcp__claude_ai_Gmail__unlabel_message",
+            "mcp__claude_ai_Gmail__unlabel_thread",
+            "mcp__claude_ai_Google_Calendar__authenticate",
+            "mcp__claude_ai_Google_Drive__authenticate",
         ]
     )