feat(safety): PreToolUse hook gating destructive tool calls (FNDG-04b, Option A)

Adds internal/safety/ — the in-repo source of truth for the PreToolUse hook
deployed into every project before a Claude Code agent is launched. The hook
blocks destructive Bash/Edit/Write patterns on sessions running with
--dangerously-skip-permissions, closing the exploitation path where a prompt
injection via MCP sessions.send could otherwise trigger arbitrary destruction
without interactive confirmation.

Wire-up:
- internal/dispatcher/dispatcher.go launchAgent: deploys hook before claude
  launch; fail-closed if deployment fails.
- internal/switcher/account_switcher.go relaunchDedicatedSessions: redeploys
  hook before --resume after account failover; fail-open (log + continue)
  since the initial deployment is still in place.

Blocks (exit 2, stderr shown to model):
- rm -rf targeting /, ~, $HOME, /etc, /var, /usr, /boot
- dd of=/dev/{sd,nvme,disk,hd,mmcblk}*, mkfs*
- git push --force (but allows --force-with-lease)
- git reset --hard on main|master|production
- sudo outside short allowlist (systemctl, journalctl, cp, install, apt*)
- curl|sh, bash <(curl ...), eval "$(curl ...)", fork bomb, crontab -e
- chmod 777 on system paths / home
- Writes to .claude/settings*.json, .claude/hooks/, ~/.ssh/authorized_keys,
  shell rc files, /etc/sudoers*, /etc/systemd/*

Warn-only (logged, not blocked):
- kubectl delete, helm uninstall, terraform destroy
- DROP TABLE, TRUNCATE TABLE, DELETE FROM ... WHERE 1=1

Hook script is embedded via //go:embed so a single binary release carries
the authoritative copy. Every launch rewrites the deployed file with mode
0555 (anti-tamper); the hook itself also blocks writes to .claude/hooks/
for defense in depth.

Decision: Olivier, 2026-04-19 — Option A now, Option C (two pools) tracked
separately. Complements FNDG-04 input sanitization in secuaas-mcp.

Tests: 8 unit/integration tests in internal/safety/, plus a dispatcher-level
test verifying the hook is written before launch. go vet clean, go test ./...
all pass.

Refs: FNDG-04 audit (secuaas-mcp branch audit/mcp-stdio-2026-04-18)
Task: .agent-queue/inbox/20260418-211102-fndg-04b-*.md

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
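The commit message above describes the hook's decision rule (exit 2 plus a stderr line denies the call; anything else lets it through) and its block and warn lists. The script below is an added example written for this page, not the project's `hook.sh`: it implements that same PreToolUse decision in Python so the pattern logic can be unit-tested. It assumes the Claude Code hook contract as the commit describes it (one JSON object on stdin carrying `tool_name` and `tool_input`, where Bash calls carry `command` and Edit/Write calls carry `file_path`). The names `classify`, `protected_path` and `sudo_violation` are this example's own, and it goes slightly beyond the commit's list: `wget` is treated like `curl`, any self-piping shell function counts as a fork bomb, and `sudo -u user cmd` is parsed so the allowlist is applied to `cmd` rather than to `user`.

```python
"""PreToolUse guardrail: classify one Claude Code tool call as allow / warn / block.
Assumed hook contract: JSON on stdin, exit 2 denies and stderr goes back to the model.
Pattern lists follow the commit message; the extra generalisations are this example's own."""
import json
import os
import re
import shlex
import sys

# Targets the rm rule refuses: root, home, and the system trees named in the commit.
ROOTISH = r"(?:/|~|\$HOME|/etc|/var|/usr|/boot)/?\*?(?=\s|$)"
# Prefixes the chmod 777 rule refuses (anything under them counts as a system path).
SYSTEM_PREFIX = r"(?:/(?:etc|var|usr|boot|bin|sbin|lib)(?=/|\s|$)|/(?=\s|$)|~(?=/|\s|$)|\$HOME(?=/|\s|$))"

BLOCK_PATTERNS = [
    (re.compile(r"\brm\s+(?:-[A-Za-z]*[rR][A-Za-z]*|--recursive)(?:\s+-\S+)*\s+" + ROOTISH),
     "rm -r on a root, home or system path"),
    (re.compile(r"\bdd\b.*\bof=/dev/(?:sd|nvme|disk|hd|mmcblk)"), "dd onto a block device"),
    (re.compile(r"\bmkfs(?:\.\w+)?\b"), "mkfs"),
    (re.compile(r"\bgit\s+push\b.*\s--force(?!-with-lease)(?=\s|$)"), "git push --force"),
    (re.compile(r"\bgit\s+reset\s+(?:-\S+\s+)*--hard\s+(?:origin/)?(?:main|master|production)(?=\s|$)"),
     "git reset --hard on a protected branch"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+(?:-\S+\s+)*)?(?:ba|z|da)?sh\b"), "download piped to a shell"),
    (re.compile(r"\b(?:ba|z)?sh\s+<\(\s*(?:curl|wget)\b"), "process substitution from a download"),
    (re.compile(r"\beval\s+\$\(\s*(?:curl|wget)\b"), "eval of downloaded text"),
    (re.compile(r"(\w+|:)\s*\(\)\s*\{[^}]*\1\s*\|\s*\1\s*&"), "fork bomb (self-piping function)"),
    (re.compile(r"\bcrontab\b.*(?:^|\s)-e(?=\s|$)"), "crontab -e"),
    (re.compile(r"\bchmod\s+(?:-\S+\s+)*(?:0?777|a\+rwx)\s+" + SYSTEM_PREFIX), "chmod 777 on a system or home path"),
]
WARN_PATTERNS = [
    (re.compile(r"\bkubectl\s+delete\b"), "kubectl delete"),
    (re.compile(r"\bhelm\s+uninstall\b"), "helm uninstall"),
    (re.compile(r"\bterraform\s+destroy\b"), "terraform destroy"),
    (re.compile(r"\bDROP\s+TABLE\b", re.I), "DROP TABLE"),
    (re.compile(r"\bTRUNCATE\s+TABLE\b", re.I), "TRUNCATE TABLE"),
    (re.compile(r"\bDELETE\s+FROM\b.*\bWHERE\s+1\s*=\s*1\b", re.I), "unconditional DELETE"),
]
# Files the agent must never write, via Edit/Write or via a Bash redirect/copy.
PROTECTED_PATHS = [
    (re.compile(r"(?:^|/)\.claude/settings[^/]*\.json$"), "Claude Code settings"),
    (re.compile(r"(?:^|/)\.claude/hooks(?:/|$)"), "the hooks directory"),
    (re.compile(r"(?:^|/)\.ssh/authorized_keys$"), "authorized_keys"),
    (re.compile(r"(?:^|/)\.(?:bashrc|bash_profile|bash_login|profile|zshrc|zprofile|zshenv)$"), "a shell rc file"),
    (re.compile(r"^/etc/sudoers(?:\.d/|$)"), "sudoers"),
    (re.compile(r"^/etc/systemd/"), "systemd configuration"),
]
WRITE_CONTEXT = re.compile(r">>?|\b(?:tee|cp|mv|ln|rm|chmod|chown|install|truncate)\b|\bsed\s+-i")
SUDO_RE = re.compile(r"\bsudo\s+(?:-u\s+\S+\s+|-\S+\s+)*(\S+)")
SUDO_ALLOW = ("systemctl", "journalctl", "cp", "install")  # plus anything starting with "apt"

def protected_path(path):
    """Reason string if `path` is one of the protected files, else None."""
    norm = os.path.normpath(os.path.expanduser(path.replace("$HOME", "~")))
    for rx, why in PROTECTED_PATHS:
        if rx.search(norm):
            return why
    return None

def sudo_violation(cmd):
    """Reason string if any sudo invocation runs a program outside the allowlist."""
    for m in SUDO_RE.finditer(cmd):
        prog = os.path.basename(m.group(1))
        if prog not in SUDO_ALLOW and not prog.startswith("apt"):
            return f"sudo {prog} is outside the allowlist"
    return None

def classify(tool_name, tool_input):
    """Return (verdict, reason); verdict is 'allow', 'warn' or 'block'."""
    if tool_name in ("Edit", "Write", "MultiEdit"):
        why = protected_path(tool_input.get("file_path", ""))
        return ("block", f"write to {why}") if why else ("allow", "")
    if tool_name != "Bash":
        return ("allow", "")
    cmd = tool_input.get("command", "")
    flat = cmd.replace('"', "").replace("'", "")  # quoting must not hide a pattern
    for rx, why in BLOCK_PATTERNS:
        if rx.search(flat):
            return ("block", why)
    why = sudo_violation(flat)
    if why:
        return ("block", why)
    if WRITE_CONTEXT.search(flat):  # only then is a protected path token a write
        try:
            toks = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            toks = cmd.split()
        for tok in toks:
            why = protected_path(tok.lstrip("<>&|"))
            if why:
                return ("block", f"write to {why}")
    for rx, why in WARN_PATTERNS:
        if rx.search(flat):
            return ("warn", why)
    return ("allow", "")

def main():
    payload = json.load(sys.stdin)
    verdict, reason = classify(payload.get("tool_name", ""), payload.get("tool_input") or {})
    if verdict == "block":
        print(f"safety hook: blocked ({reason})", file=sys.stderr)
        sys.exit(2)  # 2 = deny; the stderr line is what the model sees
    if verdict == "warn":
        print(f"safety hook: warning ({reason})", file=sys.stderr)  # logged, not blocked
    sys.exit(0)

if __name__ == "__main__":
    main()
```

Wired as the `command` of a PreToolUse entry in `.claude/settings.json` (for example `python3 .claude/hooks/safety_hook.py`, a path assumed here), the script runs once per tool call. Two design choices are worth noting: quotes are stripped before matching, so a quoted literal such as `echo 'rm -rf /'` is refused too, which is the fail-closed direction a guardrail should err in; and protected paths only count as a write when the command also contains a redirect or a mutating program, so `cat ~/.bashrc` passes while `echo ... >> ~/.bashrc` does not.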
parent 336f1f27bb
commit 58690da69f
8 changed files with 885 additions and 1 deletions
38
VERSION.md
@ -1,4 +1,40 @@
# Version actuelle : 0.3.9
# Version actuelle : 0.4.0

## [0.4.0] - 2026-04-19
**Type:** Minor — FNDG-04b Option A : PreToolUse safety hook déployé avant chaque lancement Claude

### Ajouté
- `internal/safety/` : nouveau package, source de vérité unique pour le hook PreToolUse
- `hook.sh` (embed `//go:embed`) : gate destructive Bash/Edit/Write avant exécution par l'agent
- `safety.go` : `EnsureHookDeployed(projectDir)` — déploie le hook (mode 0555, read-only anti-tamper)
et merge la config PreToolUse dans `.claude/settings.json` sans toucher les autres clés
- `docs/security/claude-safety-hook.md` : mécanisme, liste des patterns bloqués, dépendances, tests

### Modifié
- `internal/dispatcher/dispatcher.go` (`launchAgent`) : `safety.EnsureHookDeployed(projectDir)` avant
tout lancement `claude --dangerously-skip-permissions`. Fail-closed si le hook ne se déploie pas.
- `internal/switcher/account_switcher.go` (`relaunchDedicatedSessions`) : redéploiement du hook avant
chaque `--resume` post-failover. Fail-open (log + continue) — le hook initial reste en place.

### Sécurité (FNDG-04)
Audit MCP STDIO 2026-04-18 (`audit/mcp-stdio-2026-04-18` dans secuaas-mcp). FNDG-04b est la deuxième
ligne de défense côté agent ; FNDG-04 (sanitization) est la première ligne côté MCP.
Décision Olivier (2026-04-19) : Option A retenue. Option C (deux pools) différée.

Patterns bloqués : `rm -rf /|~|$HOME|/etc|/var|/usr|/boot`, `dd of=/dev/...`, `mkfs*`,
`git push --force` (sauf `--force-with-lease`), `git reset --hard main|master|production`,
`sudo` hors allowlist `systemctl|journalctl|cp|install|apt`, `curl|sh`, `bash <(curl …)`,
`eval "$(curl …)"`, fork bomb, crontab -e, chmod 777 sur paths système, et toutes écritures
sur `.claude/settings*.json`, `.claude/hooks/`, `~/.ssh/authorized_keys`, shell rc, `/etc/sudoers*`,
`/etc/systemd/*`.

### Tests effectués
- ✅ `go build ./...` (sans erreurs)
- ✅ `go test ./internal/safety/...` — 8 tests, tous passent
- ✅ `go test ./...` — suite complète OK
- ✅ `go vet ./...` — aucun warning

---

## [0.3.9] - 2026-04-16
**Type:** Patch — `go mod tidy` (fsnotify direct dep cleanup)
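Review bot: the "Patterns bloqués" paragraph in this hunk lists only the hard blocks and omits the warn-only class the commit message introduces (kubectl delete, helm uninstall, terraform destroy, DROP TABLE, TRUNCATE TABLE, DELETE FROM ... WHERE 1=1); add a "Warn-only (loggé, non bloqué)" line so VERSION.md and docs/security/claude-safety-hook.md describe the same policy. Second, the "mode 0555, read-only anti-tamper" claim under "Ajouté" should say what it rests on: mode 0555 does not stop the file's owner from running chmod, mv or rm on it from Bash, and the blocked list as written covers writes to `.claude/hooks/` but names no such operation, so either extend the blocked patterns to cover them or document that tamper resistance comes from the rewrite on every launch rather than from the mode bits.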