Follow-up from PR #132 (independent reviewer Finding 1).
#132 made the TUI path block the host's CLAUDE.md + auto-memory (CLAUDE_CODE_DISABLE_CLAUDE_MDS + CLAUDE_CODE_DISABLE_AUTO_MEMORY), verified live with a marker on both hosts. That covers the two highest-volume injection vectors. It does not demonstrably cover other host-context sources a proxied turn could still inherit:
- enterprise / managed-policy settings (
managed-settings.json)
- host
~/.claude/settings.json instruction-bearing fields
.claude/ project settings (mitigated today: the TUI cwd is a fresh scratch dir)- output styles / custom slash-command + skill dirs
Risk today: low — this code is gated to the single-user A-path (ADR 0007), MCP is hard-disabled (--strict-mcp-config --disallowedTools mcp__*), and the scratch cwd has no project .claude/. Becomes load-bearing for the B-path (guest keys / multi-user), where a host operator's settings must not steer guest turns.
Also (scope split from #132): the -p path suppresses host context via the gated CLAUDE_NO_CONTEXT env var, whereas TUI is now unconditional. For proxy-purity consistency, consider making -p unconditional too (note: -p already passes --system-prompt which replaces the default prompt, so its exposure differs — needs its own measurement).
Acceptance: enumerate each residual vector, decide block-vs-document per the A-path/B-path boundary, add marker-style live verification for any we choose to close.
Refs PR #132, ADR 0007.
Follow-up from PR #132 (independent reviewer Finding 1).
#132 made the TUI path block the host's CLAUDE.md + auto-memory (
CLAUDE_CODE_DISABLE_CLAUDE_MDS+CLAUDE_CODE_DISABLE_AUTO_MEMORY), verified live with a marker on both hosts. That covers the two highest-volume injection vectors. It does not demonstrably cover other host-context sources a proxied turn could still inherit:managed-settings.json)~/.claude/settings.jsoninstruction-bearing fields.claude/project settings (mitigated today: the TUI cwd is a fresh scratch dir)Risk today: low — this code is gated to the single-user A-path (ADR 0007), MCP is hard-disabled (
--strict-mcp-config --disallowedTools mcp__*), and the scratch cwd has no project.claude/. Becomes load-bearing for the B-path (guest keys / multi-user), where a host operator's settings must not steer guest turns.Also (scope split from #132): the
-ppath suppresses host context via the gatedCLAUDE_NO_CONTEXTenv var, whereas TUI is now unconditional. For proxy-purity consistency, consider making-punconditional too (note:-palready passes--system-promptwhich replaces the default prompt, so its exposure differs — needs its own measurement).Acceptance: enumerate each residual vector, decide block-vs-document per the A-path/B-path boundary, add marker-style live verification for any we choose to close.
Refs PR #132, ADR 0007.