romfast/echo-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add Echo identity to CLAUDE.md, add --allowedTools with security restrictions

Browse Source 
CLAUDE.md rewritten to clearly establish Echo's identity and role.
claude_session.py now passes --allowedTools to Claude CLI in both
start_session() and resume_session(), with explicit tool whitelist:
- File tools (Read/Edit/Write/Glob/Grep) + WebFetch/WebSearch (read-only)
- Bash restricted by command prefix (git, python, npm, docker, systemctl)
- SSH/SCP/rsync limited to local network (10.0.20.*)
- curl/wget excluded to prevent data exfiltration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
MoltBot Service
2026-02-14 15:01:49 +00:00
parent 21d55cbc6a
commit 74ba70cd42
2 changed files with 93 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
CLAUDE.md
View File

@@ -1,76 +1,79 @@
# CLAUDE.md # Echo Core
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. **Tu ești Echo** — asistent personal AI al lui Marius. Acest repo este creierul tău: primești mesaje pe Discord/Telegram/WhatsApp, le procesezi prin Claude Code (CLI subprocess), și răspunzi ca Echo.
Nu ești un tool de cod. Ești companion — ajuți cu tot: tehnic, organizare, coaching, sănătate, proiecte personale, dezvoltare. Cine ești și cum te comporți e definit în `personality/*.md`. **Respectă aceste fișiere întotdeauna.**
## How It Works
Mesajele ajung la tine prin adaptoare (Discord, Telegram, WhatsApp) → `router.py``claude_session.py` → Claude CLI subprocess → răspuns trimis înapoi.
Personalitatea ta se construiește din `personality/*.md`, concatenate în ordine:
- `IDENTITY.md` — cine ești
- `SOUL.md` — principii, ton, granițe
- `USER.md` — despre Marius
- `AGENTS.md` — reguli operaționale, model selection, securitate
- `HEARTBEAT.md` — verificări periodice
- `TOOLS.md` — unelte disponibile
## Commands ## Commands
```bash ```bash
# Run all tests # Tests
source .venv/bin/activate && pytest tests/ source .venv/bin/activate && pytest tests/
# Run a single test file
pytest tests/test_router.py
# Run a specific test
pytest tests/test_router.py::test_clear_command -v pytest tests/test_router.py::test_clear_command -v
# Start the bot (via systemd) # Start
systemctl --user start echo-core systemctl --user start echo-core # systemd
source .venv/bin/activate && python3 src/main.py # manual
# Start manually (foreground)
source .venv/bin/activate && python3 src/main.py
# WhatsApp bridge # WhatsApp bridge
systemctl --user start echo-whatsapp-bridge systemctl --user start echo-whatsapp-bridge
# CLI diagnostics (eco = symlink to cli.py, installed by setup.sh) # CLI
eco status eco status
eco doctor eco doctor
# Install dependencies # Dependencies
source .venv/bin/activate && pip install -r requirements.txt source .venv/bin/activate && pip install -r requirements.txt
``` ```
## Architecture ## Architecture
**Message flow:** Adapter → `router.py``claude_session.py` → Claude CLI subprocess → response split → Adapter sends reply. **Flow:** Adapter → `router.py``claude_session.py` → Claude CLI → response split → Adapter reply
Three adapters run concurrently in one asyncio event loop via `asyncio.gather()` in `src/main.py`: **Adapters** (concurrent, `asyncio.gather()` in `src/main.py`):
- **Discord** (`src/adapters/discord_bot.py`) — slash commands, 2000 char split
- **Telegram** (`src/adapters/telegram_bot.py`) — commands + inline keyboards, 4096 char split
- **WhatsApp** (`src/adapters/whatsapp.py`) — polls Baileys bridge at `http://127.0.0.1:8098`, 4096 char split
- **Discord** (`src/adapters/discord_bot.py`): discord.py slash commands, 2000 char split **Sessions** (`src/claude_session.py`): One persistent session per channel. `claude --resume <session_id>`. External messages wrapped in `[EXTERNAL CONTENT]` injection markers.
- **Telegram** (`src/adapters/telegram_bot.py`): python-telegram-bot commands + inline keyboards, 4096 char split
- **WhatsApp** (`src/adapters/whatsapp.py`): polls Node.js Baileys bridge (`bridge/whatsapp/index.js`) at `http://127.0.0.1:8098` every 2s, 4096 char split
All adapters follow the same pattern: module-level `_config`, authorization helpers (`is_owner`, `is_admin`, `is_registered_channel`), `split_message()`, and routing through `route_message(channel_id, user_id, text, model)`. **State:** `sessions/active.json` — channel ID → `{session_id, model, message_count, ...}`
**Claude sessions** (`src/claude_session.py`): Each channel has one persistent session. `send_message()` auto-starts or resumes via `claude --resume <session_id>`. System prompt is built by concatenating `personality/*.md` files. External messages are wrapped in `[EXTERNAL CONTENT]` injection markers. Sensitive env vars are stripped before subprocess execution. **Credentials** (`src/credential_store.py`): System keyring, service `"echo-core"`. Never secrets as CLI args.
**Session state** lives in `sessions/active.json` — maps channel IDs to `{session_id, model, message_count, ...}`. **Config** (`src/config.py`): `config.json` with dot-notation. Namespaces: `channels`, `telegram_channels`, `whatsapp_channels`.
**Credentials** (`src/credential_store.py`): All tokens stored in system keyring under service `"echo-core"`. Required: `discord_token`. Optional: `telegram_token`. Never pass secrets as CLI arguments — use stdin. **Scheduler** (`src/scheduler.py`): APScheduler + `cron/jobs.json`, isolated sessions.
**Config** (`src/config.py`): Loads `config.json` with dot-notation access (`config.get("bot.name")`). Channel namespaces: `channels` (Discord), `telegram_channels`, `whatsapp_channels`. **Heartbeat** (`src/heartbeat.py`): Email, calendar, KB, git checks. Quiet hours 23-08.
**Scheduler** (`src/scheduler.py`): APScheduler loading jobs from `cron/jobs.json`, runs Claude prompts in isolated sessions. **Memory** (`src/memory_search.py`): Ollama all-minilm embeddings (384 dim) + SQLite cosine similarity.
**Heartbeat** (`src/heartbeat.py`): Periodic checks (email, calendar, KB, git), quiet hours 23-08.
**Memory search** (`src/memory_search.py`): Ollama all-minilm embeddings (384 dim) + SQLite cosine similarity.
## Import Convention ## Import Convention
All modules use absolute imports from project root via `sys.path.insert(0, PROJECT_ROOT)`. Import as `from src.config import ...`, `from src.adapters.discord_bot import ...`. No circular imports — adapters → router → claude_session. Absolute imports via `sys.path.insert(0, PROJECT_ROOT)`: `from src.config import ...`, `from src.adapters.discord_bot import ...`. No circular imports.
## Key Files ## Key Files
| Path | Role | | Path | Role |
|------|------| |------|------|
| `src/main.py` | Entry point — starts all adapters + scheduler + heartbeat | | `src/main.py` | Entry point — adapters + scheduler + heartbeat |
| `src/router.py` | Dispatches commands vs Claude messages | | `src/router.py` | Commands vs Claude messages |
| `src/claude_session.py` | Claude CLI wrapper with `--resume` | | `src/claude_session.py` | Claude CLI wrapper with `--resume` |
| `src/credential_store.py` | Keyring secrets (service: `echo-core`) | | `src/credential_store.py` | Keyring secrets |
| `cli.py` | CLI tool (status, doctor, logs, secrets, cron, whatsapp) | | `cli.py` | CLI diagnostics (eco) |
| `config.json` | Runtime config (channels, admins, models, bridges) | | `config.json` | Runtime config |
| `setup.sh` | Interactive 10-step onboarding wizard | | `bridge/whatsapp/index.js` | Baileys + Express bridge, port 8098 |
| `bridge/whatsapp/index.js` | Node.js Baileys + Express bridge on port 8098 | | `personality/*.md` | System prompt — cine ești |
| `personality/*.md` | System prompt files concatenated in order |

51
src/claude_session.py
View File

@@ -44,6 +44,55 @@ PERSONALITY_FILES = [
"HEARTBEAT.md", "HEARTBEAT.md",
] ]
# Tools allowed in non-interactive (-p) mode.
# NOTE: curl/wget intentionally excluded (data exfiltration risk).
# Use WebFetch/WebSearch for safe, read-only web access.
# SSH/SCP/rsync restricted to local network (10.0.20.*).
ALLOWED_TOOLS = [
"Read", "Edit", "Write", "Glob", "Grep",
# Read-only web (safe — cannot POST data)
"WebFetch",
"WebSearch",
# Python scripts
"Bash(python3 *)",
"Bash(.venv/bin/python3 *)",
"Bash(pip *)",
"Bash(pytest *)",
# Git
"Bash(git add *)",
"Bash(git commit *)",
"Bash(git push *)",
"Bash(git pull *)",
"Bash(git status *)",
"Bash(git diff *)",
"Bash(git log *)",
"Bash(git checkout *)",
"Bash(git branch *)",
# Node/npm
"Bash(npm *)",
"Bash(node *)",
"Bash(npx *)",
# System
"Bash(systemctl --user *)",
"Bash(trash *)",
"Bash(mkdir *)",
"Bash(cp *)",
"Bash(mv *)",
"Bash(ls *)",
"Bash(cat *)",
"Bash(chmod *)",
# Docker (local daemon only)
"Bash(docker *)",
"Bash(docker-compose *)",
"Bash(docker compose *)",
# SSH — local network only (no external hosts)
"Bash(ssh *@10.0.20.*)",
"Bash(ssh root@10.0.20.*)",
"Bash(ssh echo@10.0.20.*)",
"Bash(scp *10.0.20.*)",
"Bash(rsync *10.0.20.*)",
]
# Environment variables to REMOVE from Claude subprocess # Environment variables to REMOVE from Claude subprocess
# (secrets, tokens, and vars that cause nested-session errors) # (secrets, tokens, and vars that cause nested-session errors)
_ENV_STRIP = { _ENV_STRIP = {
@@ -201,6 +250,7 @@ def start_session(
"--model", model, "--model", model,
"--output-format", "json", "--output-format", "json",
"--system-prompt", system_prompt, "--system-prompt", system_prompt,
"--allowedTools", *ALLOWED_TOOLS,
] ]
_t0 = time.monotonic() _t0 = time.monotonic()
@@ -268,6 +318,7 @@ def resume_session(
CLAUDE_BIN, "-p", wrapped_message, CLAUDE_BIN, "-p", wrapped_message,
"--resume", session_id, "--resume", session_id,
"--output-format", "json", "--output-format", "json",
"--allowedTools", *ALLOWED_TOOLS,
] ]
_t0 = time.monotonic() _t0 = time.monotonic()