add Echo identity to CLAUDE.md, add --allowedTools with security restrictions

CLAUDE.md rewritten to clearly establish Echo's identity and role. claude_session.py now passes --allowedTools to Claude CLI in both start_session() and resume_session(), with explicit tool whitelist: - File tools (Read/Edit/Write/Glob/Grep) + WebFetch/WebSearch (read-only) - Bash restricted by command prefix (git, python, npm, docker, systemctl) - SSH/SCP/rsync limited to local network (10.0.20.*) - curl/wget excluded to prevent data exfiltration Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 15:01:49 +00:00
parent 21d55cbc6a
commit 74ba70cd42
2 changed files with 93 additions and 39 deletions
--- a/src/claude_session.py
+++ b/src/claude_session.py
@@ -44,6 +44,55 @@ PERSONALITY_FILES = [
    "HEARTBEAT.md",
 ]

+# Tools allowed in non-interactive (-p) mode.
+# NOTE: curl/wget intentionally excluded (data exfiltration risk).
+# Use WebFetch/WebSearch for safe, read-only web access.
+# SSH/SCP/rsync restricted to local network (10.0.20.*).
+ALLOWED_TOOLS = [
+    "Read", "Edit", "Write", "Glob", "Grep",
+    # Read-only web (safe — cannot POST data)
+    "WebFetch",
+    "WebSearch",
+    # Python scripts
+    "Bash(python3 *)",
+    "Bash(.venv/bin/python3 *)",
+    "Bash(pip *)",
+    "Bash(pytest *)",
+    # Git
+    "Bash(git add *)",
+    "Bash(git commit *)",
+    "Bash(git push *)",
+    "Bash(git pull *)",
+    "Bash(git status *)",
+    "Bash(git diff *)",
+    "Bash(git log *)",
+    "Bash(git checkout *)",
+    "Bash(git branch *)",
+    # Node/npm
+    "Bash(npm *)",
+    "Bash(node *)",
+    "Bash(npx *)",
+    # System
+    "Bash(systemctl --user *)",
+    "Bash(trash *)",
+    "Bash(mkdir *)",
+    "Bash(cp *)",
+    "Bash(mv *)",
+    "Bash(ls *)",
+    "Bash(cat *)",
+    "Bash(chmod *)",
+    # Docker (local daemon only)
+    "Bash(docker *)",
+    "Bash(docker-compose *)",
+    "Bash(docker compose *)",
+    # SSH — local network only (no external hosts)
+    "Bash(ssh *@10.0.20.*)",
+    "Bash(ssh root@10.0.20.*)",
+    "Bash(ssh echo@10.0.20.*)",
+    "Bash(scp *10.0.20.*)",
+    "Bash(rsync *10.0.20.*)",
+]
+
 # Environment variables to REMOVE from Claude subprocess
 # (secrets, tokens, and vars that cause nested-session errors)
 _ENV_STRIP = {
@@ -201,6 +250,7 @@ def start_session(
        "--model", model,
        "--output-format", "json",
        "--system-prompt", system_prompt,
+        "--allowedTools", *ALLOWED_TOOLS,
    ]

    _t0 = time.monotonic()
@@ -268,6 +318,7 @@ def resume_session(
        CLAUDE_BIN, "-p", wrapped_message,
        "--resume", session_id,
        "--output-format", "json",
+        "--allowedTools", *ALLOWED_TOOLS,
    ]

    _t0 = time.monotonic()