fix(agent): SECURITY — replace bypassPermissions with dontAsk

bypassPermissions ignores --allowed-tools entirely (per permission-modes.md docs). With it, the model could call Bash, Write, Edit, Read, etc. — confirmed by writing /tmp/owned.sh in a test. dontAsk is the correct production headless mode: auto-DENIES anything outside the --allowed-tools whitelist instead of prompting. Without this, our entire MCP whitelist was effectively useless.
2026-04-25 21:05:53 +02:00 · 2026-04-25 21:05:53 +02:00 · d3943e894c
commit d3943e894c
parent 6d5819d297
1 changed files with 6 additions and 2 deletions
--- a/agent/claude_wrapper.py
+++ b/agent/claude_wrapper.py
@ -104,9 +104,13 @@ async def ask_claude(message: str, session_id: str) -> ClaudeResult:
        "json",
        "--allowed-tools",
        allowed_tools,
-        # Auto-approve any tool that's in --allowed-tools.
+        # CRITICAL: dontAsk auto-DENIES anything outside --allowed-tools.
+        # Do NOT use bypassPermissions here — that mode ignores the whitelist
+        # entirely and lets the model call Bash/Write/Edit/etc. (verified
+        # the hard way: it wrote /tmp/owned.sh when prompted to).
+        # See https://code.claude.com/docs/en/permission-modes.md
        "--permission-mode",
-        "bypassPermissions",
+        "dontAsk",
    ]

    logger.info(