fix(agent): SECURITY — replace bypassPermissions with dontAsk

bypassPermissions ignores --allowed-tools entirely (per
permission-modes.md docs). With it, the model could call Bash, Write,
Edit, Read, etc. — confirmed by writing /tmp/owned.sh in a test.

dontAsk is the correct production headless mode: auto-DENIES anything
outside the --allowed-tools whitelist instead of prompting. Without
this, our entire MCP whitelist was effectively useless.
This commit is contained in:
Erik 2026-04-25 21:05:53 +02:00
parent 6d5819d297
commit d3943e894c

@ -104,9 +104,13 @@ async def ask_claude(message: str, session_id: str) -> ClaudeResult:
"json", "json",
"--allowed-tools", "--allowed-tools",
allowed_tools, allowed_tools,
# Auto-approve any tool that's in --allowed-tools. # CRITICAL: dontAsk auto-DENIES anything outside --allowed-tools.
# Do NOT use bypassPermissions here — that mode ignores the whitelist
# entirely and lets the model call Bash/Write/Edit/etc. (verified
# the hard way: it wrote /tmp/owned.sh when prompted to).
# See https://code.claude.com/docs/en/permission-modes.md
"--permission-mode", "--permission-mode",
"bypassPermissions", "dontAsk",
] ]
logger.info( logger.info(
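Review bot: the fix rests on a single string literal, so nothing in this hunk prevents a later edit from quietly reverting `"dontAsk"` to `"bypassPermissions"`, which is exactly the silent failure the commit message describes; add a test that builds the argv through ask_claude and asserts that `"--permission-mode"` is immediately followed by `"dontAsk"` and that `"bypassPermissions"` never appears in the list. Since dontAsk denies rather than prompts, an empty or mistyped `allowed_tools` value now means every tool call is denied with no operator in the loop to notice, so validate `allowed_tools` before assembling the command and include its effective value in the `logger.info` call that follows the list, so that denied tool calls can be diagnosed from the logs.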