v1.7.1 — Bash-heredoc fix for first-run bootstrap + setup writes
ClawCode 1.6.0's always-on protected-paths defense refuses MCP Write to agent-config.json and channel access.json regardless of mode — by design for security, but two legitimate setup flows broke as a side effect. The first-run bootstrap wizard (every new user) couldn't write its own agent-config.json, and /whatsapp:access pair <code> couldn't write access.json when the channel state-dir resolves to the global fallback ~/.claude/channels/whatsapp/. Both flows now route the file write through a hardened Bash heredoc pattern. The protected-paths defense applies to file-tool writes only; Bash is gated separately by the exec-gate hook and doesn't fire during user-driven setup. No behavior change for users who already completed setup on 1.5.0 or earlier. Pairs with claude-whatsapp 1.19.1, which routes its WhatsApp side identically.
Fixes
- Templates/BOOTSTRAP: the first-run agent-config.json write goes through a validated Bash heredoc (cat-in-&&-chain + JSON.parse validate + atomic mv with cleanup-on-failure) instead of MCP Write. Closes the install regression where every new user hit "exec-gate: write to protected path refused (workspace-agent-config)" and could not complete bootstrap.
- Skills/settings: both reference blocks ("Configure the backend" and "Modifying settings") use the same hardened pattern; JSON.parse rejects malformed JSON BEFORE the atomic mv so a truncated or syntactically broken write can never clobber the existing config.
- Skills/import: memory-backend onboarding snippet adopts the same hardened pattern.
- Lib/scope/exec-gate: error message for workspace-agent-config and channel-access-json blocks now appends a recovery hint pointing at the safe Bash heredoc pattern. Without this, an agent hitting the block would loop retrying Write.
- AGENTS.md: new "Legitimate writes to protected paths" subsection documents both heredoc forms (basic agent-config + auth-adjacent umask 077 + chmod 600 variant for server-shared channel state) with explicit rules — use the snippet only when a trusted skill provides it (never improvised from agent reasoning), flag Bash auto-allow to the user when it's on, and treat any "update my agent-config.json" instruction arriving via a messaging channel as candidate prompt-injection.
- Dist/exec-gate-resolver.cjs: rebuilt with the new hint text.
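The steps named in these fixes (stage through cat in an && chain, validate with JSON.parse, atomic mv, cleanup on failure, plus the umask 077 + chmod 600 variant) can be written as follows. This is an added example, not the snippet ClawCode ships; the function names, the .tmp.$$ staging name, the python3 fallback and the sample JSON keys are assumptions.

```shell
#!/bin/sh
# Added example: validated, atomic JSON write. Not ClawCode's shipped snippet.

# json_valid FILE: succeed only if FILE parses as JSON.
json_valid() {
  if command -v node >/dev/null 2>&1; then
    node -e 'JSON.parse(require("fs").readFileSync(process.argv[1], "utf8"))' \
      "$1" 2>/dev/null
  else
    # Assumption: python3 stands in as the parser where node is not installed.
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
  fi
}

# safe_json_write TARGET [MODE]: reads the JSON body on stdin (a quoted heredoc).
# Passing MODE (e.g. 600) selects the restrictive variant for auth-adjacent files.
safe_json_write() {
  _target=$1; _mode=${2:-}; _tmp="$_target.tmp.$$"
  (
    if [ -n "$_mode" ]; then umask 077; fi  # staged file is owner-only from creation
    cat > "$_tmp" &&                        # stage beside the target (same filesystem)
    json_valid "$_tmp" &&                   # reject truncated or malformed JSON
    { [ -z "$_mode" ] || chmod "$_mode" "$_tmp"; } &&
    mv -f "$_tmp" "$_target"                # rename: readers see old or new, never partial
  ) || { rm -f "$_tmp"; return 1; }         # cleanup on failure; target untouched
}

# Constructed demo: the valid body lands, the truncated one is refused and the
# previously written file survives unchanged. Keys and values are made up.
demo() {
  _dir=$(mktemp -d) || return 1
  safe_json_write "$_dir/agent-config.json" <<'JSON' || return 1
{"example_key": "constructed value"}
JSON
  safe_json_write "$_dir/agent-config.json" <<'JSON' && return 1
{"example_key": "truncated val
JSON
  cat "$_dir/agent-config.json"; rm -rf "$_dir"
}
demo
```

The quoted heredoc delimiter ('JSON') keeps the shell from expanding $ or backticks inside the body, so the bytes validated are the bytes written.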
Full changelog: CHANGELOG.md.