feat: consolidated open build — KAIROS, bridge, cleanup, feature flags, security

[Flo5k5]

Summary

Consolidated PR merging all open work into a single coherent changeset, rebased on latest main. Supersedes PRs #633, #637, #644, #667, #668.

Partially addresses #654 — the bridge server provides HTTP/SSE infrastructure for web-based session interaction.

Changes (4 commits, 62 files, +2171/-942)

1. Security guidance (#668, 2 files)

• Replace Anthropic-internal refusal language with positive security guidance for red teaming and CTFs
• Simplify FileReadTool mitigation logic

2. Cleanup + open features (#637 + #644, 35 files, -1200 lines)

• Remove ~45 dead USER_TYPE=ant guards across 28+ files
• Open 13 useful features: agent nesting, effort persistence, plan mode interview, sandbox config
• Key: src/constants/tools.ts — unlock recursive agent spawning

3. Feature flags + runtime defaults (#667 + #633, 3 files)

• Activate 18 build-time flags: KAIROS, BRIDGE_MODE, AGENT_TRIGGERS, ULTRATHINK, TOKEN_BUDGET, HISTORY_PICKER, EXTRACT_MEMORIES, FORK_SUBAGENT, etc.
• Add _openBuildDefaults in GrowthBook stub for centralized runtime gate control
• Bridge flags enabled: tengu_ccr_bridge, tengu_bridge_repl_v2, tengu_kairos_brief
• Priority chain: ~/.claude/feature-flags.json > _openBuildDefaults > defaultValue

4. KAIROS + local bridge server (22 files, new)

KAIROS assistant mode:

• src/assistant/: gate, API, session discovery stub
• src/proactive/: no-op stubs for proactive mode
• src/tools/SleepTool/: interruptible sleep (0-5min)
• src/commands/assistant/, src/commands/proactive.ts: /assistant, /proactive

Local bridge server:

• packages/bridge-server/: standalone Bun server emulating CCR v2 protocol
• 10+ endpoints: sessions, JWT, SSE streaming, events, file upload
• --port, --host 0.0.0.0 for Tailscale/WireGuard remote access

BRIDGE_MODE activation:

• bridgeEnabled.ts: bypass OAuth check, let _openBuildDefaults control gates
• bridgeConfig.ts: add localhost:4080 fallback + default token
• initReplBridge.ts: skip org policy check with token override

Tools:

• SendUserFileTool: file delivery via BriefTool attachment pipeline
• PushNotificationTool: OS-native notifications (osascript/notify-send)
• MonitorMcpDetailDialog: detail UI for monitor background tasks

Runtime activation

# Start bridge server:
bun run packages/bridge-server --port 4080

# Connect CLI:
CLAUDE_BRIDGE_BASE_URL=http://localhost:4080 openclaude

# Assistant mode: { "assistant": true } in settings
# Coordinator: CLAUDE_CODE_COORDINATOR_MODE=1
# Override flags: ~/.claude/feature-flags.json

PRs superseded

PR	Content
#633	Included in #667 (AGENT_TRIGGERS=true)
#637	Cleanup dead USER_TYPE branches
#644	Open USER_TYPE-gated features
#667	Enable 15+ feature flags + runtime defaults
#668	Positive security guidance

Test plan

• bun run build — 211 files pre-processed
• bun run smoke — version OK
• bun test — 809 pass, 10 fail (pre-existing)
• Bridge server: health + full protocol test (session → JWT → events → 409)
• CLI ↔ bridge server end-to-end connection
• SendUserFileTool upload to bridge
• PushNotificationTool OS notification
• Remote access via --host 0.0.0.0

[Copilot]

Pull request overview

Activates the “KAIROS” assistant/daemon mode in the open build by wiring in assistant-mode infrastructure, adding stubs for proactive mode, introducing an interruptible Sleep tool, exposing new /assistant and /proactive commands, and updating the build pipeline to reliably constant-fold feature() flags under Bun v1.3.9+.

Changes:

• Add assistant-mode modules (src/assistant/*) and assistant/proactive commands (src/commands/*) to enable and inspect KAIROS behavior at runtime.
• Introduce SleepTool (interruptible, settings-clamped) and proactive-mode stubs to satisfy gated imports without enabling full ticking.
• Update the build script to pre-process feature('FLAG') calls into boolean literals and flip multiple feature flags on in the open build; enable team memory by default and add a settings knob for bypass-permissions availability.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
scripts/build.ts	Enables KAIROS-related flags and replaces the broken bun:bundle shim with in-place source pre-processing + restore.
src/assistant/gate.ts	Open-build runtime gate for KAIROS via local GrowthBook stub / feature-flags file.
src/assistant/index.ts	Assistant-mode detection, team bootstrap for in-process subagents, and system-prompt addendum loading.
src/assistant/sessionDiscovery.ts	Open-build stub for remote session discovery (returns none).
src/commands/assistant/index.ts	Re-export entrypoint for the /assistant command module.
src/commands/assistant/assistant.ts	Implements /assistant command and provides stub wizard exports used by dialog launchers.
src/commands/proactive.ts	Adds /proactive toggle command (using the proactive stub module).
src/proactive/index.ts	Proactive-mode state stub (activate/deactivate/pause/subscribe) without tick scheduling.
src/proactive/useProactive.ts	No-op React hook stub to satisfy gated imports in the REPL UI.
src/tools/SleepTool/SleepTool.ts	New interruptible sleep tool, enabled only when KAIROS is active; clamps sleep duration via settings.
src/memdir/teamMemPaths.ts	Defaults the team-memory feature gate to enabled when auto-memory is enabled.
src/utils/permissions/permissionSetup.ts	Adds support for permissions.allowBypassPermissionsMode when deciding bypass-mode availability.
src/utils/settings/settings.ts	Registers permissions.allowBypassPermissionsMode for managed-settings logging key expansion.
src/utils/settings/types.ts	Adds permissions.allowBypassPermissionsMode to the settings schema.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

preProcessFeatureFlags() runs before the try/finally; if it throws (e.g., unreadable file/dir) the process exits without restoring any already-modified source files. Move the pre-processing call inside the try and ensure restoreModifiedFiles() runs in a finally that covers both pre-processing and Bun.build().

Suggested change

	preProcessFeatureFlags(join(import.meta.dir, '..', 'src'))
	const numModified = modifiedFiles.size
	try {
	let numModified = 0
	try {
	preProcessFeatureFlags(join(import.meta.dir, '..', 'src'))
	numModified = modifiedFiles.size

[Copilot]

settings.maxSleepDurationMs is documented as allowing -1 for “indefinite sleep (waits for user input)”, but the tool never special-cases maxSleep === -1; it just removes the cap and still uses setTimeout(duration_ms). Consider implementing an abort-signal-only wait when maxSleepDurationMs is -1 (and/or guarding against extremely large duration_ms causing setTimeout overflow).

[Copilot]

The abort listener cleanup uses a second setTimeout(duration_ms + 1) to removeEventListener, which schedules an extra timer per sleep and can keep the listener around until that timer fires. Prefer removing the listener in the main timer completion path (and in onAbort) instead of creating a cleanupTimer.

Suggested change

	const timer = setTimeout(resolve, duration_ms)
	const abortController = (context as { abortController?: AbortController }).abortController
	if (!abortController) return
	if (abortController.signal.aborted) {
	clearTimeout(timer)
	resolve()
	return
	}
	let cleanupTimer: ReturnType<typeof setTimeout> | undefined
	const onAbort = () => {
	clearTimeout(timer)
	if (cleanupTimer !== undefined) clearTimeout(cleanupTimer)
	resolve()
	}
	abortController.signal.addEventListener('abort', onAbort, { once: true })
	// Clean up listener on normal completion to avoid leak
	cleanupTimer = setTimeout(() => {
	abortController.signal.removeEventListener('abort', onAbort)
	}, duration_ms + 1)
	const abortController = (context as { abortController?: AbortController }).abortController
	let settled = false
	let onAbort: (() => void) | undefined
	const finish = () => {
	if (settled) return
	settled = true
	if (abortController && onAbort) {
	abortController.signal.removeEventListener('abort', onAbort)
	}
	resolve()
	}
	const timer = setTimeout(() => {
	finish()
	}, duration_ms)
	if (!abortController) return
	if (abortController.signal.aborted) {
	clearTimeout(timer)
	finish()
	return
	}
	onAbort = () => {
	clearTimeout(timer)
	finish()
	}
	abortController.signal.addEventListener('abort', onAbort, { once: true })

[Copilot]

The header comment says this stub keeps proactive mode “permanently off”, but activateProactive()/deactivateProactive() do flip the _active flag and notify subscribers. Update the comment to match the actual behavior (e.g., “no tick scheduling” rather than “permanently off”).

Suggested change

	* returning safe "off" defaults is sufficient. A full implementation would
	* fire periodic <tick> prompts; this stub keeps the mode permanently off
	* while satisfying the API contract.
	* returning safe defaults is sufficient. A full implementation would
	* fire periodic <tick> prompts; this stub preserves the API's state-change
	* behavior but does not schedule or emit proactive ticks.

[Copilot]

This command is described as “Toggle assistant mode”, but it only reports status and instructs the user to edit settings.json + restart. Update the command description/header to reflect that it’s a status/help command (or implement actual toggling if that’s intended).

[Vasanthdev2004]

Review: PR #660 — Consolidated open build: KAIROS, bridge, cleanup, feature flags, security (head 01e875a)

CI green ✅. 93 files, +3661/-1031.

Assessment

This PR consolidates 5 previously separate PRs (#633, #637, #644, #667, #668) plus new KAIROS/bridge work. I previously approved #637 and #644, and requested changes on #667 and #668.

✅ What's improved from the sub-PRs

Feature flag runtime gates (#667 concern — partially addressed):
The _openBuildDefaults layer in the GrowthBook stub now provides a 3-tier priority: ~/.claude/feature-flags.json > _openBuildDefaults > defaultValue. This means EXTRACT_MEMORIES (via tengu_passport_quail) will be enabled in the open build even if the GrowthBook default is false. Tests cover this. ✅

Bridge server auth:
The bridge server properly authenticates requests with JWT + Bearer token. Worker endpoints have separate auth. This is well-designed. ✅

🔴 Still-blocked concerns from #668

Security guidance still removes authorization/scope gating:

// Before (#668):
"Assist with authorized security testing... Refuse requests for destructive techniques, DoS attacks, mass targeting..."

// After (this PR):
"Assist with security testing... Dual-use security tools can be used in pentesting engagements, red team operations, CTF..."

Two problems remain:

1. "authorized" was removed — This removes the expectation that the user has clear authorization context. Without it, the guidance provides no basis to distinguish a red team engagement from an unauthenticated attack.
2. The refusal clause was removed — "Refuse requests for destructive techniques, DoS attacks, mass targeting, supply chain compromise, or detection evasion for malicious purposes" is gone. The replacement text implicitly allows these by omission.

I understand the open-build philosophy of not imposing Anthropic-internal refusal language. But the fix should be to replace the Anthropic-specific refusal with open-build-appropriate safety guidance (e.g., "Exercise caution with techniques that could cause harm without clear authorization context"), not to remove all safety gating.

---

🟡 Non-blocking (from Copilot review + my observations)

1. preProcessFeatureFlags() runs before try/finally — if it throws, modified source files aren't restored. Move inside the try block.
2. SleepTool -1 indefinite sleep — documented but not implemented; maxSleep === -1 just removes the cap instead of waiting for user input.
3. Abort listener cleanup — extra setTimeout(duration_ms + 1) creates unnecessary timer. Prefer once event or AbortSignal.timeout().
4. activateProactive() comment mismatch — comment says "permanently off" but code toggles _active.
5. /assistant command description — says "Toggle" but only reports status + instructs manual edit.

New KAIROS/bridge additions

• src/assistant/ — Gate, API, session discovery stub. Reasonable skeleton. ✅
• src/proactive/ — No-op stubs. Clean. ✅
• src/tools/SleepTool/ — Interruptible sleep. Good concept, minor issues noted above.
• Bridge server — Auth, SSE, session management. Well-structured. ✅

---

Verdict: Needs changes 🔧

The _openBuildDefaults fix addresses the #667 runtime gate concern. But the #668 security guidance concern remains: removing both "authorized" and the refusal clause creates a blanket green light for dual-use tools without authorization context. Please restore authorization-aware language appropriate for the open build.

[Darkatek7]

I opened a focused follow-up PR with the review-unblock fixes here:

• fix: address review feedback for KAIROS open-build PR Flo5k5/openclaude#1

Scope:

1. move preProcessFeatureFlags() inside try in scripts/build.ts so restore always runs
2. restore authorization-aware safety wording in src/constants/cyberRiskInstruction.ts
3. fix SleepTool so maxSleepDurationMs = -1 behaves as interrupt-only sleep and simplify abort cleanup
4. update the proactive stub comment to match behavior
5. change /assistant wording from “toggle” to status/help wording

Verification on the follow-up branch:

• bun install
• bun run build ✅
• bun test still has broader pre-existing failures on the PR branch, so I kept scope to the review fixes only

If it helps, the patch can also be cherry-picked from commit 6ab8b5a (fix: address PR 660 review feedback).

[jatmn]

closing as stale, please feel free to re-open later with more focused PR's this one currently spiders out far too broadly