Highlights
Adds daemon-side trust-hardening guardrails so that a Claude Code session spawned on your machine by a desktop-share operator grantee can be confined to a folder root you choose and capped at a session count you choose. The guardrails are off by default, so single-owner daemons behave exactly as before.
What's new
Two optional fields in ~/.clawborrator/desktop_v1.json:
- allowed_roots — absolute folder paths CC sessions may spawn under. A session.create whose folder does not canonicalize under one of these roots is refused. Without this, an operator grantee can spawn CC in any path on the owner's machine. Recommended for any daemon you intend to share.
  "allowed_roots": ["/home/me/repos", "/home/me/work"]
- max_concurrent_sessions — cap on alive CC children. Defense in depth.
  "max_concurrent_sessions": 5
Enforced in spawn::precheck_create, the single funnel for create_session, so both the hub-WS session.create op (used by desktop-share grantees) AND the local clawborrator-supervisor new CLI go through the check. Path comparisons canonicalize both sides so symlinks and relative roots compare correctly; a misconfigured root entry is ignored rather than crashing the daemon.
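The containment check described above, sketched as an added example; this is not clawborrator-supervisor's own code. The Guardrails struct, the Refusal enum, the function signature and the choice to refuse when no configured root resolves are assumptions made for illustration.

```rust
use std::fs;
use std::path::{Path, PathBuf};

// Hypothetical in-memory form of the two desktop_v1.json fields.
pub struct Guardrails {
    pub allowed_roots: Vec<PathBuf>,            // empty = guardrail off
    pub max_concurrent_sessions: Option<usize>, // None = guardrail off
}

#[derive(Debug, PartialEq)]
pub enum Refusal { TooManySessions, FolderUnresolvable, OutsideAllowedRoots }

// Sketch of a create precheck; returns the folder the child should spawn in.
pub fn precheck_create(g: &Guardrails, folder: &Path, alive: usize) -> Result<PathBuf, Refusal> {
    if matches!(g.max_concurrent_sessions, Some(max) if alive >= max) {
        return Err(Refusal::TooManySessions);
    }
    if g.allowed_roots.is_empty() {
        return Ok(folder.to_path_buf()); // legacy single-owner behaviour
    }
    // Resolve symlinks and `..` in the request before comparing anything.
    let real = fs::canonicalize(folder).map_err(|_| Refusal::FolderUnresolvable)?;
    // Canonicalize each root too; an entry that does not resolve is skipped.
    // Assumption: if no root resolves, the request is refused (fail closed).
    let allowed = g.allowed_roots.iter()
        .filter_map(|root| fs::canonicalize(root).ok())
        // Path::starts_with compares whole components, so a root of
        // /home/me/repos does not admit /home/me/repos-evil.
        .any(|root| real.starts_with(&root));
    if allowed { Ok(real) } else { Err(Refusal::OutsideAllowedRoots) }
}

fn main() {
    let tmp = std::env::temp_dir();
    let g = Guardrails {
        // Constructed sample config: one usable root, one misconfigured entry.
        allowed_roots: vec![tmp.clone(), PathBuf::from("/no/such/root")],
        max_concurrent_sessions: Some(5),
    };
    println!("{:?}", precheck_create(&g, &tmp, 0));          // inside a root
    println!("{:?}", precheck_create(&g, Path::new("/"), 0)); // outside
    println!("{:?}", precheck_create(&g, &tmp, 5));           // at the cap
}
```

Spawning in the returned canonical path, rather than the path as requested, keeps the folder that was checked and the folder that is used the same.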
Why this matters
Session sharing exposes an already-running session — the blast radius is that one session. Desktop sharing lets the grantee start new processes on the owner's machine: those run as the owner's OS user, in folders the owner's daemon can reach, on the owner's Claude account. allowed_roots is the recommended hardening for that trust grant. The hub-side feature is in hub_v1 v0.x — DESKTOP-SHARING.md.
Upgrading
Drop in the new binary and restart the daemon. No config migration needed — old configs continue to work as legacy single-owner. Add the two fields manually when you're ready to share.
Commits
ca5e91b Desktop sharing: trust-hardening guardrails for session.create
5b16589 Bump clawborrator-supervisor to v0.6.0
Full Changelog: v0.5.6...v0.6.0