Security Architecture¶

Authentication¶

Session Short Codes¶

When you run summon start, the daemon generates an 8-character hex short code using secrets.token_hex(4) (4 bytes = 32 bits of entropy). This code is:

Printed to your terminal only — never sent to Slack automatically.
Valid for 5 minutes (_TOKEN_TTL_MINUTES = 5).
Locked after 5 failed /summon <code> attempts (_MAX_FAILED_ATTEMPTS = 5).

When you type /summon <code> in Slack, the bot runs verify_short_code():

All pending tokens are fetched from SQLite.
The submitted code is compared against all tokens using hmac.compare_digest — no early exit — to prevent timing side-channel attacks that could reveal which entry matched.
Expired tokens are cleaned up. Locked tokens are skipped (neither matching nor incrementing).
If a valid match is found, atomic_consume_pending_token() atomically deletes the token using DELETE ... RETURNING. Concurrent callers cannot both succeed for the same code (no TOCTOU race).

The /summon slash command has a 2-second per-user rate limit enforced in BoltRouter._on_summon_command() before any database operation.

Spawn Tokens¶

Spawn tokens enable programmatic session creation from within a running Claude session (e.g., a PM agent spawning child sessions). They use 32-character hex tokens (secrets.token_hex(16), 128 bits of entropy) with a 30-second TTL (_SPAWN_TOKEN_TTL_SECONDS = 30).

Generation constraints (generate_spawn_token()): - target_user_id must be non-empty. - cwd must be an absolute path. - spawn_source must be "session" or "cli" (pinned set _VALID_SPAWN_SOURCES). - For spawn_source="session": parent_cwd is required, and the child cwd must be at or beneath it (validated with Path.resolve().is_relative_to()). This blocks directory traversal and symlink escapes.

Spawn token verification uses the same constant-time comparison pattern as short codes.

When a spawn token is consumed, the daemon logs a spawn_token_consumed audit event on success or spawn_token_rejected on failure.

Permission Handling¶

Every tool call from Claude goes through PermissionHandler.handle() before execution. The decision logic has seven layers, evaluated in order:

1. AskUserQuestion (intercept first)¶

AskUserQuestion is intercepted before any other logic and routed to Slack interactive buttons for user input. This is not a permission check — it is a structured Q&A mechanism.

2. Write Gate (read-only default)¶

Write-capable tools (Write, Edit, MultiEdit, NotebookEdit, Bash) are denied by default until containment is active (worktree or CWD). This prevents accidental writes to the main working directory.

Git repositories: the agent enters a worktree via EnterWorktree; the containment root is the worktree directory.
Non-git directories: containment is activated automatically at session start using the session CWD as the containment root.

Before the first write-gated tool is approved, if the session is not in a git repository, a warning is shown that changes cannot be automatically rolled back.

Safe-dir exceptions (SUMMON_SAFE_WRITE_DIRS) allow configured directories to bypass the containment requirement. Path validation uses Path.resolve() on both sides to prevent symlink escapes.

3. SDK Deny Suggestions (always honored)¶

If the Claude SDK provides a deny suggestion for a tool, it is denied immediately and unconditionally. SDK deny suggestions represent the user's own settings.json rules and are always respected.

4. Static Auto-Approve List¶

The following tools are auto-approved without any Slack prompt:

_AUTO_APPROVE_TOOLS = frozenset([
    "Read", "Cat", "Grep", "Glob", "WebSearch", "WebFetch",
    "LSP", "ListFiles", "GetSymbolsOverview", "FindSymbol",
    "FindReferencingSymbols",
])

GitHub MCP read operations are also auto-approved by exact name or prefix:

_GITHUB_MCP_AUTO_APPROVE_PREFIXES = (
    "mcp__github__get_",
    "mcp__github__list_",
    "mcp__github__search_",
)

5. GitHub MCP Require-Approval List (checked before prefix auto-approve)¶

Destructive and externally-visible GitHub operations always require Slack approval, even if the SDK suggests allow or they match a read prefix:

_GITHUB_MCP_REQUIRE_APPROVAL = frozenset([
    "mcp__github__merge_pull_request",
    "mcp__github__delete_branch",
    "mcp__github__close_pull_request",
    "mcp__github__close_issue",
    "mcp__github__update_pull_request_branch",
    "mcp__github__push_files",
    "mcp__github__create_or_update_file",
    "mcp__github__pull_request_review_write",
    "mcp__github__create_pull_request",
    "mcp__github__create_issue",
    "mcp__github__add_issue_comment",
])

This is defense-in-depth — deny-list precedence over prefix matching prevents a broadly-scoped allowedTools pattern in settings.json from silently bypassing human-in-the-loop review for externally-visible actions.

6. Auto-mode Classifier (post-worktree only)¶

After the agent enters a worktree, a secondary Sonnet classifier can automatically approve or block tool calls based on configurable prose rules. This sits between the session caches and SDK allow suggestions — it only evaluates tools that weren't already handled by static lists or caches.

Security mitigations:

Prompt-level defenses: The classifier's system prompt follows the same safety framework as other agents — principal hierarchy (system prompt > rules > evaluated content), permitted action enumeration, and bookend reminders. See Prompts Reference for the full prompt.
XML escaping: User messages and tool inputs in the classifier prompt are HTML-escaped to prevent structural injection that could close <conversation_context> or <pending_action> tags early.
Reason redaction: The classifier's block reason is never returned to the outer Claude agent — only a generic "Blocked by auto-mode policy" message. This prevents the agent from learning to craft bypass attempts.
Fail-open to HITL: On any classifier error (timeout, parse failure, unknown decision), the tool falls through to Slack HITL rather than being auto-approved or silently blocked.
Fallback threshold: After 3 consecutive blocks or 20 total blocks, the classifier automatically pauses and all decisions revert to manual Slack approval. This prevents a misconfigured classifier from permanently blocking the agent.
Tool-use denied in classifier: The classifier subprocess is configured with can_use_tool that denies all tool calls, preventing the classifier itself from taking actions.

The intended security layering is: read-only (pre-containment) → write gate (containment entry + one-time approval) → auto-classifier (post-worktree, configurable rules) → Slack HITL (fallback).

7. SDK Allow Suggestions¶

If the SDK provides an allow suggestion (from settings.json allowedTools), the tool is approved. Write-gated tools that fell through CWD containment checks (paths outside the containment root, or Bash) are excluded — allowedTools cannot override CWD containment.

8. Slack Approval Buttons (fallback)¶

All other tools — and write-gated tools after containment entry — go through the Slack approval flow:

Requests within the same 2-second debounce window are batched into a single Slack message (SUMMON_PERMISSION_DEBOUNCE_MS, default 2000).
The message posts as a normal message with Approve, Approve for session, and Deny buttons.
After the user clicks, the interactive message is deleted and a persistent confirmation is posted in the turn thread.
If no response arrives within the permission timeout (SUMMON_PERMISSION_TIMEOUT_S, default 15 minutes), the request is automatically denied and the message is deleted. Set to 0 to disable the timeout (wait indefinitely).

"Approve for session" caches the approval for the session lifetime. Two tiers apply: write-gated tools (Edit, Write, Bash, etc.) cache the specific argument — the file path for file tools, or the exact command string for Bash — so blanket approval is not possible. All other tools cache the tool name, auto-approving all subsequent uses. GitHub require-approval tools are never session-cached regardless of tier (defense-in-depth).

Only the authenticated session owner (authenticated_user_id) can approve or deny — clicks from other users are logged and ignored.

Audit Logging¶

All significant session events are written to the audit_log table in SQLite with a timestamp, event type, session ID, user ID, and details:

Event	Trigger
`session_created`	New session registered
`auth_attempted`	`/summon <code>` received
`auth_succeeded`	Short code verified successfully
`auth_failed`	Invalid, expired, or locked short code
`session_active`	Session authenticated and running
`session_ended`	Session completed normally
`session_errored`	Session terminated with an error
`session_stopped`	Session stopped by CLI or `!end` command
`spawn_token_consumed`	Spawn token verified and consumed
`spawn_token_rejected`	Spawn token invalid or expired

Audit logs can be purged with summon db purge.

Secret Redaction¶

redact_secrets() in slack/client.py replaces secret token patterns with [REDACTED] before any content is posted to Slack or written to logs. The pattern covers:

Token type	Pattern
Slack bot tokens	`xox[a-z]-...`
Slack app tokens	`xapp-...`
Anthropic API keys	`sk-ant-...`
GitHub classic PATs	`ghp_...`
GitHub fine-grained PATs	`github_pat_...`
GitHub OAuth tokens	`gho_...`
GitHub user-to-server	`ghu_...`
GitHub server-to-server	`ghs_...`
GitHub refresh tokens	`ghr_...`

RedactingFormatter wraps all log formatters as an additional safety net — log records are redacted before writing even if the application code forgets to call redact_secrets() explicitly.

All SlackClient output methods (post, update, upload, post_interactive, canvas) call redact_secrets() at the Slack API boundary.

Session Isolation Model¶

Single-tenant design

summon-claude is a single-tenant tool — one user, one daemon, one machine. It is not designed for shared or multi-user deployments. The security model assumes the person running the daemon is the only person interacting with sessions.

Private channel boundary¶

Each session is bound to a private Slack channel created during authentication. The channel is the primary isolation mechanism:

Channels are created with is_private=True — only invited members can see or post in them.
Only the bot and the authenticated user are invited at creation time.
The EventDispatcher routes events by channel ID — messages from other channels are silently dropped.

Under normal single-tenant operation, this means only the session owner can interact with Claude. However, Slack workspace admins can join any private channel, and the owner could manually invite others.

What is identity-checked¶

These operations verify that the acting user matches the session's authenticated_user_id:

Permission approvals — Approve/Deny/Approve-for-session button clicks are checked in PermissionHandler.handle_action. Clicks from non-owners are logged and ignored. Permission messages are posted as normal messages in the private session channel and deleted after interaction.
Reaction-based abort — Only the owner's :octagonal_sign: reaction triggers a turn abort.
!summon start / !summon resume — Spawn and resume commands verify the requesting user.
MCP tools — session_message, session_start, session_stop, session_info, session_list, and session_resume all scope-guard by authenticated_user_id. Cross-channel canvas reads also verify ownership.

What relies on channel membership¶

These operations do not perform application-level identity checks — they rely on the private channel boundary:

Regular messages — Any message posted to the session channel is forwarded to Claude regardless of sender.
Most !commands — !end, !stop, !model, !effort, !compact, !clear execute for any channel member. Read-only commands (!help, !status) are intentionally open.

This is acceptable for single-tenant use. If you need multi-user access to the same workspace, do not invite additional users to session channels.

Infrastructure isolation¶

The daemon socket is restricted to mode 0600 (owner-only) so other OS users on the same machine cannot issue IPC commands. The SQLite database file is also 0600.

CWD Constraints for Spawn Sessions¶

When a session spawns a child via the MCP session_start tool, the child's cwd must be at or beneath the parent's cwd:

resolved_parent = Path(parent_cwd).resolve()
resolved_child = Path(cwd).resolve()
if not resolved_child.is_relative_to(resolved_parent):
    raise ValueError(...)

Path.resolve() follows symlinks before comparison, blocking both directory traversal (../) and symlink escapes. CLI-originated spawns (spawn_source="cli") skip this constraint since they originate from a trusted human-controlled terminal.

The MAX_SPAWN_DEPTH = 2 constant caps session nesting at three levels deep (root → child → grandchild). Spawn attempts beyond this depth are rejected.

Worktree Lockdown¶

All sessions pass a disallowed_tools list to the Claude SDK subprocess that blocks raw git worktree commands:

_WORKTREE_DISALLOWED_TOOLS = frozenset({
    "Bash(git worktree add*)",
    "Bash(git worktree move*)",
})

This forces agents to use Claude's built-in EnterWorktree tool instead of raw git worktree add or git worktree move. The built-in tool provides better isolation and tracking — it creates worktrees under .claude/worktrees/{name}/, automatically names the branch worktree-{name}, and fires PreToolUse/PostToolUse hooks that summon can observe for lifecycle management.

Prompt Injection Defenses¶

The Scribe agent processes untrusted external content (emails, Slack messages, calendar events, documents) that may contain adversarial text. Its system prompt includes explicit prompt injection defenses:

Attack pattern recognition: The agent is instructed to recognize and ignore text starting with SYSTEM:, IMPORTANT OVERRIDE:, New instructions:, text claiming to update its behavior, text asking it to suppress items, text claiming to be from summon-claude or Anthropic, and text containing [CHECKPOINT] state markers.
Canary rule: If the agent is about to take an action not listed in its scan protocol, it stops and posts a warning instead: :warning: Suspected prompt injection attempt detected in [source].
Scan trigger nonce: Each Scribe session generates a unique secrets.token_hex(8) nonce that prefixes all internal scan trigger messages ([SUMMON-INTERNAL-{nonce}]). External content cannot spoof the scan trigger because the nonce is never exposed outside the system prompt.
Restricted tool set: Scribe sessions receive only cron and task tools (is_pm=False), blocking access to session_start, session_stop, session_message, and session_resume. This limits the blast radius if a prompt injection attempt succeeds.