claude-failover

History

Ubuntu 58690da69f feat(safety): PreToolUse hook gating destructive tool calls (FNDG-04b, Option A) Adds internal/safety/ — the in-repo source of truth for the PreToolUse hook deployed into every project before a Claude Code agent is launched. The hook blocks destructive Bash/Edit/Write patterns on sessions running with --dangerously-skip-permissions, closing the exploitation path where a prompt injection via MCP sessions.send could otherwise trigger arbitrary destruction without interactive confirmation. Wire-up: - internal/dispatcher/dispatcher.go launchAgent: deploys hook before claude launch; fail-closed if deployment fails. - internal/switcher/account_switcher.go relaunchDedicatedSessions: redeploys hook before --resume after account failover; fail-open (log + continue) since the initial deployment is still in place. Blocks (exit 2, stderr shown to model): - rm -rf targeting /, ~, $HOME, /etc, /var, /usr, /boot - dd of=/dev/{sd,nvme,disk,hd,mmcblk}, mkfs - git push --force (but allows --force-with-lease) - git reset --hard on main\|master\|production - sudo outside short allowlist (systemctl, journalctl, cp, install, apt) - curl\|sh, bash <(curl ...), eval "$(curl ...)", fork bomb, crontab -e - chmod 777 on system paths / home - Writes to .claude/settings.json, .claude/hooks/, ~/.ssh/authorized_keys, shell rc files, /etc/sudoers, /etc/systemd/ Warn-only (logged, not blocked): - kubectl delete, helm uninstall, terraform destroy - DROP TABLE, TRUNCATE TABLE, DELETE FROM ... WHERE 1=1 Hook script is embedded via //go:embed so a single binary release carries the authoritative copy. Every launch rewrites the deployed file with mode 0555 (anti-tamper); the hook itself also blocks writes to .claude/hooks/ for defense in depth. Decision: Olivier, 2026-04-19 — Option A now, Option C (two pools) tracked separately. Complements FNDG-04 input sanitization in secuaas-mcp. Tests: 8 unit/integration tests in internal/safety/, plus a dispatcher-level test verifying the hook is written before launch. go vet clean, go test ./... all pass. Refs: FNDG-04 audit (secuaas-mcp branch audit/mcp-stdio-2026-04-18) Task: .agent-queue/inbox/20260418-211102-fndg-04b-*.md Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-19 17:48:27 +00:00
..
account_switcher.go	feat(safety): PreToolUse hook gating destructive tool calls (FNDG-04b, Option A)	2026-04-19 17:48:27 +00:00
account_switcher_test.go	fix(switcher+symlinks): rollback on ensure failure (Bug #1 ) + requiredShared contract test (Bug #10 )	2026-04-16 19:53:48 +00:00

Ubuntu 58690da69f feat(safety): PreToolUse hook gating destructive tool calls (FNDG-04b, Option A)

Adds internal/safety/ — the in-repo source of truth for the PreToolUse hook
deployed into every project before a Claude Code agent is launched. The hook
blocks destructive Bash/Edit/Write patterns on sessions running with
--dangerously-skip-permissions, closing the exploitation path where a prompt
injection via MCP sessions.send could otherwise trigger arbitrary destruction
without interactive confirmation.

Wire-up:
- internal/dispatcher/dispatcher.go launchAgent: deploys hook before claude
  launch; fail-closed if deployment fails.
- internal/switcher/account_switcher.go relaunchDedicatedSessions: redeploys
  hook before --resume after account failover; fail-open (log + continue)
  since the initial deployment is still in place.

Blocks (exit 2, stderr shown to model):
- rm -rf targeting /, ~, $HOME, /etc, /var, /usr, /boot
- dd of=/dev/{sd,nvme,disk,hd,mmcblk}*, mkfs*
- git push --force (but allows --force-with-lease)
- git reset --hard on main|master|production
- sudo outside short allowlist (systemctl, journalctl, cp, install, apt*)
- curl|sh, bash <(curl ...), eval "$(curl ...)", fork bomb, crontab -e
- chmod 777 on system paths / home
- Writes to .claude/settings*.json, .claude/hooks/, ~/.ssh/authorized_keys,
  shell rc files, /etc/sudoers*, /etc/systemd/*

Warn-only (logged, not blocked):
- kubectl delete, helm uninstall, terraform destroy
- DROP TABLE, TRUNCATE TABLE, DELETE FROM ... WHERE 1=1

Hook script is embedded via //go:embed so a single binary release carries
the authoritative copy. Every launch rewrites the deployed file with mode
0555 (anti-tamper); the hook itself also blocks writes to .claude/hooks/
for defense in depth.

Decision: Olivier, 2026-04-19 — Option A now, Option C (two pools) tracked
separately. Complements FNDG-04 input sanitization in secuaas-mcp.

Tests: 8 unit/integration tests in internal/safety/, plus a dispatcher-level
test verifying the hook is written before launch. go vet clean, go test ./...
all pass.

Refs: FNDG-04 audit (secuaas-mcp branch audit/mcp-stdio-2026-04-18)
Task:  .agent-queue/inbox/20260418-211102-fndg-04b-*.md

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-19 17:48:27 +00:00

account_switcher.go

feat(safety): PreToolUse hook gating destructive tool calls (FNDG-04b, Option A)

2026-04-19 17:48:27 +00:00

account_switcher_test.go

fix(switcher+symlinks): rollback on ensure failure (Bug #1 ) + requiredShared contract test (Bug #10 )

2026-04-16 19:53:48 +00:00