[Discussion] Enhancing working directory isolation for Claude CLI sessions

[RinZ27]

Is your feature request related to a problem?
The current implementation of _update_working_directory_from_claude_response uses Regex patterns to monitor directory changes (e.g., cd commands) in Claude's output. While it validates if the new path is within the approved_directory, this mechanism is reactive rather than preventative.

If Claude CLI executes a command that moves it outside the approved_directory, the bot's internal state tracking (user_data["current_directory"]) will correctly refuse to update. However, the underlying Claude CLI process remains in that "forbidden" directory for subsequent commands in the same session. This could allow access to sensitive system files if the LLM decides to explore beyond the project scope.

Describe the solution you'd like
I'd like to propose a more robust enforcement mechanism at the claude_integration level:

1. Command Pre-validation: Explicitly prepend directory enforcement or verify the CWD before each command execution.
2. Strict Session Reset: If a directory change is detected that violates the approved_directory constraint, the session should be forced back to the approved root or terminated.
3. CLI Wrapper Hardening: Ensure that the claude CLI execution is always scoped strictly to the project path, perhaps using environment-level constraints if supported by the CLI.

Describe alternatives you've considered
Currently, the bot relies on sandbox_enabled settings, but as noted in CONTRIBUTING.md, some commands run outside the sandbox. Strengthening the path validation logic in the bot handlers is a necessary layer of "Defense in Depth" (though I prefer calling it "Logic Robustness").

Additional context
As the project moves towards TODO-7 (File uploads and Git integration), ensuring that the working directory is strictly enforced becomes critical to prevent accidental or malicious system-wide modifications. I'd love to hear the maintainers' thoughts on the best architectural approach to fix this state mismatch between the Bot's tracker and the CLI's actual state.

[RichardAtCT]

Status update — largely addressed in recent refactors

The core concern here (reactive-only enforcement via regex parsing of Claude's output) has been addressed across recent PRs, most notably PR #62 (phase3/replace-tool-monitor-with-can-use-tool) which introduces the SDK's can_use_tool callback for preventive tool-level enforcement.

Current enforcement layers

1. can_use_tool callback (PR Replace ToolMonitor with SDK can_use_tool callback #62, sdk_integration.py) — Intercepts every tool call before execution. File tools (Read, Write, Edit) have paths validated via SecurityValidator.validate_path(). Bash commands are checked by check_bash_directory_boundary() which blocks filesystem-modifying commands (mkdir, rm, cp, mv, etc.) that target paths outside approved_directory. This addresses the "Command Pre-validation" proposal.

2. Sandbox (sandbox_enabled=True by default) — The Claude CLI runs bash commands in an OS-level sandbox (macOS seatbelt / Linux seccomp), providing "CLI Wrapper Hardening" at the process level.

3. cwd option — Sets the Claude CLI process's working directory to the project path, so relative paths resolve within the project by default.

4. system_prompt — Instructs Claude to use relative paths within the working directory.

What remains

The reactive regex tracker (_update_working_directory_from_claude_response in message.py) still exists but is now a secondary concern — it only affects the bot's UI-level tracking, not actual filesystem access.

One edge case: check_bash_directory_boundary doesn't treat cd as a modifying command, so a chained command like cd /tmp && rm -rf something could have cd pass through (though rm with an absolute path would be caught, and the sandbox blocks it at the OS level when enabled). This is a narrow gap worth tracking separately.

Mapping to the proposed solutions

Proposal	Status
Command Pre-validation	✅ can_use_tool callback (PR #62)
Strict Session Reset on violation	Partial — denied tools get a PermissionResultDeny, Claude adapts; no session termination
CLI Wrapper Hardening	✅ Sandbox (existing) + cwd scoping

I'll open a separate issue for the cd chaining edge case.