feat(support): rebuild AI Support Helper de-anonymised + security-hardened#1057
Open
edwh wants to merge 3 commits into
Open
feat(support): rebuild AI Support Helper de-anonymised + security-hardened#1057edwh wants to merge 3 commits into
edwh wants to merge 3 commits into
Conversation
✅ Deploy Preview for golden-caramel-d2c3a7 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
…dened Rebuild the ModTools AI Support Helper to give Support/Admin volunteers direct, de-anonymised read access to production data (the previous PII-in-the-browser anonymisation is removed), then harden it. Support are trusted with member data and reading chats/logs is legitimate debugging, so the controls guard against accidental damage, other (non-support) mods gaining access, and hostile member data (prompt injection) - with an audit trail of every investigation. Backend (claude-agent-sdk/, drives @anthropic-ai/claude-agent-sdk query(); one code path serves both a mounted ~/.claude session for testing and an ANTHROPIC_API_KEY on edge): - tools.js: de-anonymised direct-access tools (identify_user, user dump + SQL, live read-only db_query, Loki/Sentry/Discourse/code-history search). - guard.js (+guard.test.js): SELECT/WITH-only, comment-stripped (defeats INTO/**/OUTFILE), write/DoS keyword denylist, auth-secret table/column denylist, hard LIMIT cap. dbSelect runs a fail-closed read-only txn. - auth.js: gate to Support/Admin only (drops plain Moderator), returns the mod identity for the audit, fetch timeout. - server.js: threads the mod identity, header-only JWT (drops ?jwt=), ModTools-origin CORS allowlist. - support-agent.js: anti-injection system-prompt clause (tool output is data, never instructions), Read confined to the codebase, session audit. - audit(): every session + db_query/get_user_dump/query_dump logs who investigated whom to stdout (SUPPORT_AUDIT) and durably to AUDIT_LOG_PATH. Frontend: DOMPurify.sanitize(marked(...)) on the answer (adds isomorphic-dompurify, aliased to a stub in the unit tests). Compose: adds the ai-support-helper service + ai-support-audit volume, narrows the ~/.claude mount to just the OAuth credential, and removes the retired pseudonymiser services (support-tools/ deleted). Docs: rewrites docs/developers/reference/ai-support-helper.md to the de-anonymised model. Verified: guard blocks the confirmed exploits and allows legit queries (standalone + in-container); durable audit write confirmed; 13 backend node tests pass; container builds and /health is green; full frontend unit suite 14240 passed / 0 failed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01VXKgf7Xquudc6CwP2RN6jX
68bcfb9 to
5e7da5a
Compare
# Conflicts: # docs/members/assets/browse.png
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Rebuilds the ModTools AI Support Helper to give Support/Admin volunteers direct, de-anonymised read access to production data (the previous PII-in-the-browser anonymisation is removed), then hardens it.
Support are trusted with member data and reading chats/logs is legitimate debugging, so the controls don't restrict their access — they guard against accidental damage, other (non-support) mods gaining access, and hostile member data (prompt injection), and record an audit trail of every investigation.
It drives the Claude Code harness (
@anthropic-ai/claude-agent-sdk'squery()) over one code path that serves both a mounted~/.claudesession (testing) and anANTHROPIC_API_KEY(edge/prod).Security controls
db_query/get_user_dump/query_dumplogs who (mod id/email) investigated whom, to stdout (SUPPORT_AUDIT, Loki-queryable) and durably toAUDIT_LOG_PATHon theai-support-auditvolumeauth.js)guard.js)SELECT/WITH-only, comment-stripped (defeatsINTO/**/OUTFILE), write/DoS keyword denylist, auth-secret table/column denylist, hardLIMITcap;dbSelectruns a fail-closed read-only txnReadconfined to the codebase; write/exec tools disallowed~/.claudemount narrowed to just.credentials.json; edge/prod uses the API key with no mountDOMPurify.sanitize(marked(...))on the rendered answer?jwt=); CORS restricted to ModTools originsAlso removes the retired pseudonymiser services (
support-tools/deleted) and rewritesdocs/developers/reference/ai-support-helper.mdto the de-anonymised model.Verification
/healthis green.docker-compose configand docs-freshness pass.🤖 Generated with Claude Code
https://claude.ai/code/session_01VXKgf7Xquudc6CwP2RN6jX