feat(tools): flash-usb.ts hardening — runtime nonce + responsibility acceptance + agent permission rule #4974
Merged
AceHack merged 3 commits intoMay 25, 2026
…cceptance
Per Aaron's responsibility-shift question: the committed permission
rule grants invocation, not absolution. Strengthen the script's
confirmation gate so the runner's acceptance of responsibility is
explicit + un-pre-bakeable.
Changes:
- Generate fresh 4-byte random nonce per run (node:crypto.randomBytes)
- Replace "type the device path" prompt with
  "type EXACTLY: accept-destroy <device> <nonce>"
- Nonce makes pre-baked agent input infeasible — runner has to
  OBSERVE the value at THIS run
- Phrase explicitly says `accept-destroy` so the runner is
  signing acceptance, not just verifying a path
- Header comment + README updated with explicit liability framing:
  permission rule = invocation; safety rails + runtime acceptance
  = the actual safety logic; bypassing the gate (e.g. piping input)
  is the bypasser's responsibility, not the maintainer's who
  shipped the tool in good faith
- Composes with framework's autonomy-first-class + NCI: agents
  act on owner's behalf; owner is responsible for agent actions;
  you are not responsible for what other maintainers' agents do
  with substrate you provided in good faith
Now safe for Aaron to add the permission rule to .claude/settings.json
without absorbing liability for downstream runners.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The script's runtime acceptance gate (nonce + 'accept-destroy' phrase + explicit responsibility-acceptance language) carries the safety logic. Permission rule grants invocation; the gate carries the actual safety + responsibility-shift.
Authored-by: Aaron Stainback <aaron@lucentfg.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Hardens the full-ai-cluster/tools/flash-usb.ts safety confirmation gate by requiring an explicit responsibility-acceptance phrase that includes a fresh per-run nonce, and documents/permits agent invocation via .claude/settings.json.
Changes:
- Add a per-run random nonce and require typing `accept-destroy <device> <nonce>` to proceed.
- Expand README + script header text around the new confirmation semantics and liability framing.
- Add a path-scoped Claude permissions allow rule for invoking flash-usb.ts.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| full-ai-cluster/tools/README-flash-usb.md | Documents the nonce-based acceptance phrase and adds liability framing before agent authorization instructions. |
| full-ai-cluster/tools/flash-usb.ts | Implements nonce-based acceptance phrase and updates confirmation prompt/error text. |
| .claude/settings.json | Adds an explicit allow rule for bun full-ai-cluster/tools/flash-usb.ts *. |
Copilot caught real semantic mismatch: prompt says 'type EXACTLY' but .trim()'d input accepted leading/trailing whitespace. A piped 'accept-destroy ... <nonce>\n' would have passed silently. Removing the .trim() makes the gate match the prompt's contract.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
AceHack added a commit that referenced this pull request May 25, 2026
…ion-grants-invocation + runtime-acceptance gate) (#4975)
Aaron 2026-05-25:
> "this is a good flow now that addison and max are on the project
> i don't mind thinking about safety more"
> "sure sounds good"
Codifies the pattern landed in PR #4974 (flash-usb.ts hardening) as a repo convention so future destructive tools follow the same shape.
Three-part contract:
1. Hard safety rails — refuse known bad inputs early with class exit codes (2=safety, 1=user-abort, 0=success)
2. .claude/settings.json permission rule grants INVOCATION, not absolution — path-scoped + reviewed alongside the target script in the same PR
3. Runtime acceptance gate with per-run nonce — runner types 'accept-<verb> <target> <nonce>' to sign acceptance of responsibility; nonce makes pre-baked agent input infeasible
Includes:
- TypeScript template for future destructive-tool authors
- Liability framing language for header / README / PR body
- Composition with framework's autonomy-first-class + NCI
- List of future destructive-tool candidates this would govern (wipe-cluster, restore-from-backup, rotate-master-keys, delete-pvc, drop-database, force-merge)
Acceptance: pattern doc + cross-links + optional .claude/rules/ file for agent-side cold-boot discipline.
P2 because cheap-to-codify now + every destructive tool added after this benefits; becomes P1 if a destructive tool gets authored without following the contract.
Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Strengthens flash-usb.ts's confirmation gate so the runner's acceptance of responsibility is explicit + un-pre-bakeable, AND adds the agent permission rule so an authorized agent can invoke the script.
Two changes, one coherent PR:
Script hardening
- node:crypto.randomBytes)
- accept-destroy <device> <nonce>
- accept-destroy so the runner is SIGNING acceptance, not just verifying a path
Permission rule
- Bash(bun full-ai-cluster/tools/flash-usb.ts *) added to .claude/settings.json permissions.allow
- Bash(bun *) wildcard
Liability framing (per the README + script header)
Composes with the framework's autonomy-first-class + NCI disciplines: agents act on their owner's behalf; the owner is responsible for their agent's actions; you are not responsible for what another maintainer's agent decides to do with substrate you provided in good faith.
Test plan
- bun full-ai-cluster/tools/flash-usb.ts (no args) still exits 2
- yes is rejected (acceptance phrase required)
🤖 Generated with Claude Code
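
The gate described in this PR and in the #4975 convention, as an added TypeScript example that is not the project's flash-usb.ts: it contrasts exact matching with the `.trim()` behaviour the review flagged and maps outcomes to the 2/1/0 exit classes. The function names, the hex encoding of the nonce, the sample device `/dev/sdX` and the mapping of a wrong phrase to exit class 1 are assumptions of this example.

```typescript
import { randomBytes } from "node:crypto";

// Exit-code classes named in the thread: 2 = safety, 1 = user-abort, 0 = success.
const EXIT = { success: 0, userAbort: 1, safety: 2 } as const;

// Fresh 4-byte nonce per run. Hex encoding is an assumption of this example.
function makeNonce(): string {
  return randomBytes(4).toString("hex");
}

// The exact phrase the runner has to type for this device and this run.
function expectedPhrase(device: string, nonce: string): string {
  return `accept-destroy ${device} ${nonce}`;
}

// Strict gate: character-for-character equality, no trim(). `typed` is one input
// line with its line terminator already removed, as a line reader delivers it.
function acceptStrict(typed: string, device: string, nonce: string): boolean {
  return typed === expectedPhrase(device, nonce);
}

// Lenient variant, for contrast only: trim() accepts padded input even though
// the prompt says "type EXACTLY".
function acceptTrimmed(typed: string, device: string, nonce: string): boolean {
  return typed.trim() === expectedPhrase(device, nonce);
}

// Hypothetical driver: safety rail first, then the acceptance gate.
// Treating a wrong phrase as user-abort (1) is an assumption of this example.
function decide(device: string | undefined, nonce: string, typed: string): number {
  if (!device) return EXIT.safety; // no target given: refuse before prompting
  return acceptStrict(typed, device, nonce) ? EXIT.success : EXIT.userAbort;
}
```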