You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The session field on Request (src/protocol.rs:12-13) exists but is purely informational — it's printed in the TUI and (with -v) in the daemon log, and that's it. Two different Claude Code projects sharing one workstation hit the same socket, the same TUI gate, and would share the same policy and audit grouping if those existed.
This is fine today because the only gate is the TUI keypress. It stops being fine the moment we add policy: an allowlist that's appropriate for project-A ("this agent may run apt update without prompting") leaks to project-B by default. Same for rate limits, same for audit-log filtering, same for any per-session quota or cooldown.
Proposal
Keep one socket and one daemon — adding per-session sockets multiplies bookkeeping (which one is running? who cleans them up?) for little gain. Instead make session a first-class policy key inside the existing daemon:
Display session more prominently in the TUI prompt — it's the principal that the operator is gating, not just metadata.
The MCP server already sets session: \"sudo-proxy-mcp\" for every call (src/mcp.rs:145). That's the bug this issue exposes: a single MCP server serving multiple Claude Code projects would conflate them. Plumb the project name (or .mcp.json directory hash) through as the session, so each project gets its own bucket.
Naming: bikeshed-prone. session is what's on the wire; consider whether the policy layer should call it principal or tenant internally to keep the concepts separable.
Backwards compatibility: existing sudo-request --session NAME callers and the default \"unknown\" (src/protocol.rs:33-35) must keep working. Stricter validation should reject obviously hostile sessions but not break legitimate ones.
Problem
The
sessionfield onRequest(src/protocol.rs:12-13) exists but is purely informational — it's printed in the TUI and (with-v) in the daemon log, and that's it. Two different Claude Code projects sharing one workstation hit the same socket, the same TUI gate, and would share the same policy and audit grouping if those existed.This is fine today because the only gate is the TUI keypress. It stops being fine the moment we add policy: an allowlist that's appropriate for project-A ("this agent may run
apt updatewithout prompting") leaks to project-B by default. Same for rate limits, same for audit-log filtering, same for any per-session quota or cooldown.Proposal
Keep one socket and one daemon — adding per-session sockets multiplies bookkeeping (which one is running? who cleans them up?) for little gain. Instead make
sessiona first-class policy key inside the existing daemon:sessionstrictly (alphanumerics, dots, dashes, underscores; bounded length). Reject anything else at request parse time. Today it's free-form.src/server.rsrequest-id dedup), any future allowlist (Policy framework: allow / require-approval / deny per (session, host, command) #9), any future rate limit, and audit-log filtering (Append-only audit log of approved requests and outcomes #6) all key offsessionin addition tohost.sessionmore prominently in the TUI prompt — it's the principal that the operator is gating, not just metadata.session: \"sudo-proxy-mcp\"for every call (src/mcp.rs:145). That's the bug this issue exposes: a single MCP server serving multiple Claude Code projects would conflate them. Plumb the project name (or.mcp.jsondirectory hash) through as the session, so each project gets its own bucket.Things to consider:
sessionis what's on the wire; consider whether the policy layer should call itprincipalortenantinternally to keep the concepts separable.sudo-request --session NAMEcallers and the default\"unknown\"(src/protocol.rs:33-35) must keep working. Stricter validation should reject obviously hostile sessions but not break legitimate ones.