tanmay/Regolith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security improvements: per-group session isolation, remove built-in Gmail

Browse Source 
- Isolate Claude sessions per-group (data/sessions/{group}/.claude/)
  to prevent cross-group access to conversation history
- Remove Gmail MCP from built-in (now available via /add-gmail skill)
- Add SECURITY.md documenting the security model
- Move docs to docs/ folder (SPEC.md, REQUIREMENTS.md, SECURITY.md)
- Update documentation to reflect changes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
gavrielc
2026-02-02 00:07:45 +02:00
parent 22eb525805
commit 05a29d562f
10 changed files with 153 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
.claude/skills/debug/SKILL.md
View File

@@ -19,8 +19,8 @@ src/container-runner.ts container/agent-runner/
│ │
├── data/env/env ──────────────> /workspace/env-dir/env
├── groups/{folder} ───────────> /workspace/group
├── data/ipc ──────────────────> /workspace/ipc
├── ~/.claude/ ────────────────> /home/node/.claude/ (sessions)
├── data/ipc/{folder} ────────> /workspace/ipc
├── data/sessions/{folder}/.claude/ ──> /home/node/.claude/ (isolated per-group)
└── (main only) project root ──> /workspace/project
```
@@ -171,14 +171,7 @@ mounts.push({
### 6. MCP Server Failures
If an MCP server fails to start, the agent may exit. Test MCP servers individually:
```bash
# Test Gmail MCP
container run --rm --entrypoint /bin/bash nanoclaw-agent:latest -c '
npx -y @gongrzhe/server-gmail-autoauth-mcp --help
'
```
If an MCP server fails to start, the agent may exit. Check the container logs for MCP initialization errors.
## Manual Container Testing
@@ -267,7 +260,7 @@ container run --rm --entrypoint /bin/bash nanoclaw-agent:latest -c '
## Session Persistence
Claude sessions are stored in `~/.claude/projects/` on the host, mounted to `/home/node/.claude/projects/` inside the container.
Claude sessions are stored per-group in `data/sessions/{group}/.claude/` for security isolation. Each group has its own session directory, preventing cross-group access to conversation history.
**Critical:** The mount path must match the container user's HOME directory:
- Container user: `node`
@@ -277,11 +270,11 @@ Claude sessions are stored in `~/.claude/projects/` on the host, mounted to `/ho
To clear sessions:
```bash
# Clear all sessions
rm -rf ~/.claude/projects/
# Clear all sessions for all groups
rm -rf data/sessions/
# Clear sessions for a specific group
rm -rf ~/.claude/projects/*workspace-group*/
rm -rf data/sessions/{groupFolder}/.claude/
# Also clear the session ID from NanoClaw's tracking
echo '{}' > data/sessions.json