
Coding-turn foundation: cwd, env hardening, tool-use events, code/approval wire #69

Open: ankitsejwal wants to merge 1 commit into main from feat/lucid-coding-foundation

@ankitsejwal (Member)

First foundation slice of M7 (Lucid works in your repos) — the pieces that are pure TS + fully unit-tested, so they land safely ahead of the on-machine execution work. Backed by the #276 spike (below).

Spike that de-risked this (#276, ran locally on a throwaway repo)

  • Auto mode auto-approves headless. `claude -p --permission-mode auto` (no allowlist) edited a file with zero prompts, exit 0. `--permission-prompt-tool` is gone from the CLI — we won't use it.
  • A PreToolUse hook fires and gates under auto mode. It receives `{tool_name, tool_input:{command,…}, cwd, session_id}` and its deny blocks the tool. So auto mode handles the 99%, and a PreToolUse hook is the escalation path to the phone for the rare 1%.

What's in this PR

  • shared: `code` request kind (`{repoId, prompt}` — the phone never sends a path) added to the harness union; an `approval` request/response control channel for the permission bridge; reuses the already-reserved `tool_call` stream event.
  • runtime executor: `cwd` + `--permission-mode`/`--allowedTools` support; an exec-env injection blocklist in `buildEnv()` (strips `NODE_OPTIONS`, `LD_*`, `DYLD_*`, `GIT_SSH_COMMAND`, `GIT_CONFIG*`, `NPM_CONFIG_*`, `PYTHONPATH`, … — ported from OpenClaw, MIT; hardens every run, not just coding); emits a `tool_call` event on each `tool_use` (stream shapes captured from the spike).
  • daemon: forwards `tool_call`; rejects `code` requests with a clear "not enabled yet" message until execution lands (later tasks).

Tests / types

shared 17 · runtime 28 · daemon 22 · api 19 — all green; check-types clean across all four.

Deferred (documented, later M7 tasks)

tool_call phase:'end' (tool_result correlation); the actual code execution (worktree + auto mode + PreToolUse→room approval bridge) is #278/#279. This PR is the contract + executor groundwork only.

Shared wire contract: add a `code` request kind ({repoId, prompt}) + an
`approval` request/response control channel (the permission bridge); reuse
the already-reserved `tool_call` stream event.

Executor: cwd + --permission-mode/--allowedTools support; port an exec-env
injection blocklist into buildEnv (strip NODE_OPTIONS/LD_*/DYLD_*/GIT_SSH_COMMAND/
GIT_CONFIG*/NPM_CONFIG_*/PYTHONPATH… — hardens every run); emit a tool_call event
on each tool_use so the phone can show a tool-use timeline (phase:'end' is a
follow-up). Daemon forwards tool_call and rejects code requests with a clear
message until execution lands.

Backed by the #276 spike. Tests: shared 17, runtime 28, daemon 22, api 19.
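
One way to implement the exec-env blocklist described above, as an added example that is not the PR's own `buildEnv()` code. `sanitizeEnv`, `isBlocked` and the sample values are hypothetical; only the variable names come from the description's list (its trailing "…" is left unfilled), and case-insensitive matching is an assumption.

```typescript
// Added example: hypothetical names, not the PR's buildEnv() implementation.
type Env = Record<string, string | undefined>;

// Exact names and prefix families from the PR description's list
// (LD_*, DYLD_*, GIT_CONFIG*, NPM_CONFIG_* are treated as prefixes).
const BLOCKED_EXACT = ["NODE_OPTIONS", "GIT_SSH_COMMAND", "PYTHONPATH"];
const BLOCKED_PREFIXES = ["LD_", "DYLD_", "GIT_CONFIG", "NPM_CONFIG_"];

// Assumption: match case-insensitively, because npm also reads lowercase
// npm_config_* variables and Windows environment names ignore case.
function isBlocked(name: string): boolean {
  const upper = name.toUpperCase();
  if (BLOCKED_EXACT.indexOf(upper) !== -1) return true;
  return BLOCKED_PREFIXES.some((p) => upper.slice(0, p.length) === p);
}

interface SanitizedEnv {
  env: Record<string, string>;
  stripped: string[]; // names only, safe to log; values are never recorded
}

// Filters the inherited environment and per-request overrides alike, so a
// caller cannot re-introduce a blocked variable through the override path.
function sanitizeEnv(base: Env, overrides: Env = {}): SanitizedEnv {
  const env: Record<string, string> = {};
  const stripped: string[] = [];
  for (const source of [base, overrides]) {
    for (const name of Object.keys(source)) {
      const value = source[name];
      if (value === undefined) continue;
      if (!isBlocked(name)) {
        env[name] = value;
      } else if (stripped.indexOf(name) === -1) {
        stripped.push(name);
      }
    }
  }
  return { env, stripped: stripped.sort() };
}

// Constructed sample input (not captured from a real machine).
const sampleBase: Env = {
  PATH: "/usr/bin:/bin", HOME: "/home/dev",
  NODE_OPTIONS: "constructed", LD_PRELOAD: "constructed",
  GIT_CONFIG_GLOBAL: "constructed", npm_config_registry: "constructed",
};
const sampleOverrides: Env = { LANG: "C.UTF-8", GIT_SSH_COMMAND: "constructed" };
const sampleResult = sanitizeEnv(sampleBase, sampleOverrides);
```

Logging `stripped` (names only) on each run gives a cheap signal when a blocked variable shows up in the daemon's environment or in a request.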