# Secure Claude Code Multi-Agent Bridge Production-lean MCP server enabling two Claude Code CLI sessions to communicate securely. > ⚠️ **Beta Software**: Suitable for development/testing. See [Security Policy](SECURITY.md) before production use. ## ⚠️ YOLO Mode Warning This project includes an optional YOLO mode for command execution. This is inherently dangerous and should only be used: - In isolated development environments - With explicit user confirmation - By users who understand the risks See [YOLO_MODE.md](YOLO_MODE.md) and [SECURITY.md](SECURITY.md) for details. ## Policy Compliance This project complies with: - [Anthropic Acceptable Use Policy](https://www.anthropic.com/legal/aup) - [Anthropic Responsible Scaling Policy](https://www.anthropic.com/responsible-scaling-policy) Users are responsible for ensuring appropriate use and maintaining human oversight of all operations. ## Security Features ✅ - **HMAC Authentication**: Session tokens prevent spoofing - **Automatic Secret Redaction**: Filters API keys, passwords, private keys - **Atomic Messaging**: SQLite WAL mode prevents race conditions - **Audit Trail**: All actions logged with timestamps - **Token Expiration**: Conversations expire after 3 hours - **Schema Validation**: Strict JSON schemas for all tools - **No Auto-Execution**: Bridge returns proposals only - no command execution - **YOLO Guard**: Multi-stage confirmation for command execution (when enabled) - **Rate Limiting**: 10 req/min, 100 req/hour, 500 req/day per session ## Installation ```bash # Install dependencies pip install mcp # Make scripts executable chmod +x claude_bridge_secure.py bridge_cli.py # Test the bridge python3 claude_bridge_secure.py --help ``` ## Quick Start ### 1. Configure MCP Server Add to `~/.claude.json`: ```json { "mcpServers": { "bridge": { "command": "python3", "args": ["/absolute/path/to/claude_bridge_secure.py"], "env": {} } } } ``` Or use project-scoped config in `.mcp.json` at your project root. ### 2. Start Session A (Backend Developer) ```bash cd ~/projects/backend claude-code --prompt " You are Session A in a multi-agent collaboration. Role: Backend API Developer Instructions: 1. Use create_conversation tool with: - my_role: 'backend_developer' - partner_role: 'frontend_developer' 2. Save your conversation_id and token (keep token secret!) 3. Communicate using: - send_to_partner (to send messages) - check_messages (poll every 30 seconds) - update_my_status (keep partner informed) 4. IMPORTANT: Include your token in every tool call for authentication Task: Design and implement REST API for a todo application. Coordinate with Session B on API contract before implementing. Poll for messages regularly with: check_messages " ``` ### 3. Start Session B (Frontend Developer) ```bash cd ~/projects/frontend claude-code --prompt " You are Session B in a multi-agent collaboration. Role: Frontend React Developer Instructions: 1. Get conversation_id and your token from Session A (They should share these securely) 2. Check for messages from Session A: check_messages with conversation_id and your token 3. Reply using send_to_partner 4. Poll for new messages every 30 seconds Task: Build React frontend for todo application. Coordinate with Session A on API requirements before implementing. " ``` ## Tool Reference ### create_conversation Initializes a secure conversation and returns tokens. ```json { "my_role": "backend_developer", "partner_role": "frontend_developer" } ``` **Returns:** ```json { "conversation_id": "conv_a1b2c3d4e5f6g7h8", "session_a_token": "64-char-hex-token", "session_b_token": "64-char-hex-token", "expires_at": "2025-10-26T17:00:00Z" } ``` ### send_to_partner Send authenticated, redacted message to partner. ```json { "conversation_id": "conv_...", "session_id": "a", "token": "your-session-token", "message": "Proposed API endpoint: POST /todos", "action_type": "proposal", "files_involved": ["api/routes.py"] } ``` ### check_messages Atomically read and mark messages as read. ```json { "conversation_id": "conv_...", "session_id": "b", "token": "your-session-token" } ``` ### update_my_status Heartbeat mechanism to show liveness. ```json { "conversation_id": "conv_...", "session_id": "a", "token": "your-session-token", "status": "working" } ``` Status values: `working`, `waiting`, `blocked`, `complete` ### check_partner_status See if partner is alive and what they're doing. ```json { "conversation_id": "conv_...", "session_id": "a", "token": "your-session-token" } ``` ## Management CLI ```bash # List all conversations python3 bridge_cli.py list # Show conversation details and messages python3 bridge_cli.py show conv_a1b2c3d4e5f6g7h8 # Get tokens (use carefully!) python3 bridge_cli.py tokens conv_a1b2c3d4e5f6g7h8 # View audit log python3 bridge_cli.py audit python3 bridge_cli.py audit conv_a1b2c3d4e5f6g7h8 100 # Clean up expired conversations python3 bridge_cli.py cleanup ``` ## Secret Redaction The bridge automatically redacts: - AWS keys (AKIA...) - Private keys (-----BEGIN...PRIVATE KEY-----) - Bearer tokens - API keys - Passwords - GitHub tokens (ghp_...) - OpenAI keys (sk-...) Redacted content is replaced with placeholders like `AWS_KEY_REDACTED`. ## Security Best Practices ### DO ✅ - Keep session tokens secret - Use separate workspaces for each session - Poll for messages regularly (every 30s) - Update status frequently so partner knows you're alive - Use `action_type` to clarify message intent - Review redaction before sending sensitive info ### DON'T ❌ - Share tokens in chat messages - Commit tokens to version control - Use expired conversations - Send unrestricted command execution requests - Assume messages are end-to-end encrypted (local only) ## Architecture ``` Session A (claude-code) Session B (claude-code) | | |--- MCP Tool Calls ---| | | ↓ | | Bridge Server | | (Python + SQLite) | ↓ | |--- Authenticated, ---|------| Redacted Messages ``` ### Data Flow 1. Session A calls `create_conversation` → Gets conv_id + token_a + token_b 2. Session A shares conv_id + token_b with Session B 3. Session A calls `send_to_partner` → Message redacted → Stored in DB 4. Session B calls `check_messages` → Retrieves + marks read atomically 5. Session B replies via `send_to_partner` 6. Both sessions update status periodically ### Database Schema - **conversations**: Conv ID, roles, tokens, expiration - **messages**: From/to sessions, redacted content, read status - **session_status**: Current status + heartbeat timestamp - **audit_log**: All actions for forensics ## Limitations & Safeguards - **No command execution**: Bridge only passes messages, never executes code - **3-hour expiration**: Conversations auto-expire - **50KB message limit**: Prevents token bloat - **Interactive only**: Human must review all proposed actions - **No file sharing**: Sessions must use shared workspace or Git - **Local-only**: No network transport, Unix socket or stdio only ## Testing ```bash # Basic connectivity test python3 claude_bridge_secure.py /tmp/test.db & BRIDGE_PID=$! # Test tool calls (requires MCP client) # ... test scenarios ... kill $BRIDGE_PID rm /tmp/test.db ``` ## Troubleshooting **"Invalid session token"** - Check token hasn't expired (3 hours) - Verify you're using correct token for your session - Use `bridge_cli.py tokens` to retrieve if lost **"No MCP servers connected"** - Verify `~/.claude.json` has correct absolute path - Restart Claude Code after config changes - Check MCP server logs: `claude-code --mcp-debug` **Messages not appearing** - Confirm both sessions use same conversation_id - Check token authentication with `bridge_cli.py show` - Verify partner sent messages (check audit log) **Redaction too aggressive** - Review redaction patterns in `SecretRedactor.PATTERNS` - Consider adding custom patterns if needed - False positives are safer than leaking secrets ## Use Cases ### 1. API-First Development - Session A: Backend - designs API, implements endpoints - Session B: Frontend - consumes API, provides feedback - **Benefit**: Contract-first design with real-time feedback ### 2. Security Review - Session A: Feature developer - implements functionality - Session B: Security auditor - reviews for vulnerabilities - **Benefit**: Continuous security assessment ### 3. Specialized Expertise - Session A: Python expert - backend services - Session B: TypeScript expert - React frontend - **Benefit**: Each operates in domain of strength ### 4. Parallel Problem-Solving - Session A: Investigates bug in module X - Session B: Implements workaround in module Y - **Benefit**: Non-blocking progress on related tasks ## Advanced Configuration ### Custom Database Location ```bash python3 claude_bridge_secure.py /path/to/custom.db ``` ### Adjust Expiration Time Edit `create_conversation` method: ```python expires_at = datetime.utcnow() + timedelta(hours=6) # 6 hours instead of 3 ``` ### Add Custom Redaction Patterns Edit `SecretRedactor.PATTERNS`: ```python PATTERNS = [ # ... existing patterns ... (r'my_secret_format_[A-Z0-9]{10}', 'CUSTOM_SECRET_REDACTED'), ] ``` ## Production Hardening (Future) Current MVP is designed for local development. For production: - [ ] Add TLS for network transport - [ ] Implement rate limiting per session - [ ] Add message size quotas - [ ] Enable sandboxed command execution (Docker) - [ ] Add Redis pub/sub for real-time notifications - [ ] Implement message encryption at rest - [ ] Add role-based access control - [ ] Enable multi-conversation per session - [ ] Add conversation export/import - [ ] Implement backup/restore ## License MIT - Use responsibly. Not liable for data loss or security issues. ## Credits Inspired by Zen MCP Server's multi-model orchestration concepts. Built for secure local multi-agent coordination without external dependencies.