From 5f6f453b8da62653ee9f1a6460fcb04dc4695b56 Mon Sep 17 00:00:00 2001
From: YeonGyu-Kim <code.yeon.gyu@gmail.com>
Date: Thu, 9 Apr 2026 21:26:51 +0900
Subject: [PATCH] fix(cli): warn when launched from home dir or filesystem root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Users launching claw from their home directory (or /) have no project
boundary — the agent can read/search the entire machine, often far beyond
the intended scope. kapcomunica in #claw-code reported exactly this:
'it searched my entire computer.'

Add warn_if_broad_cwd() called at prompt and REPL startup:
- checks if CWD == $HOME or CWD has no parent (fs root)
- prints a clear warning to stderr:
    Warning: claw is running from a very broad directory (/home/user).
    The agent can read and search everything under this path.
    Consider running from inside your project: cd /path/to/project && claw

Warning fires on both claw (REPL) and claw prompt '...' paths.
Does not fire from project subdirectories. Uses std::env::var_os("HOME"),
no extra deps.

159 CLI tests pass, fmt clean.
---
 rust/crates/rusty-claude-cli/src/main.rs | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/rust/crates/rusty-claude-cli/src/main.rs b/rust/crates/rusty-claude-cli/src/main.rs
index e2c156d..fe5273f 100644
--- a/rust/crates/rusty-claude-cli/src/main.rs
+++ b/rust/crates/rusty-claude-cli/src/main.rs
@@ -226,6 +226,7 @@ fn run() -> Result<(), Box<dyn std::error::Error>> {
             base_commit,
             reasoning_effort,
         } => {
+            warn_if_broad_cwd();
             run_stale_base_preflight(base_commit.as_deref());
             // Only consume piped stdin as prompt context when the permission
             // mode is fully unattended. In modes where the permission
@@ -2887,6 +2888,25 @@ fn run_resume_command(
 /// Stale-base preflight: verify the worktree HEAD matches the expected base
 /// commit (from `--base-commit` flag or `.claw-base` file). Emits a warning to
 /// stderr when the HEAD has diverged.
+/// Warn when the working directory is very broad (home directory or filesystem
+/// root). claw scopes its file-system access to the working directory, so
+/// starting from a home folder can expose/scan far more than intended.
+fn warn_if_broad_cwd() {
+    let Ok(cwd) = env::current_dir() else { return };
+    let is_home = env::var_os("HOME")
+        .map(|h| PathBuf::from(h) == cwd)
+        .unwrap_or(false);
+    let is_root = cwd.parent().is_none();
+    if is_home || is_root {
+        eprintln!(
+            "Warning: claw is running from a very broad directory ({}).\n\
+             The agent can read and search everything under this path.\n\
+             Consider running from inside your project: cd /path/to/project && claw",
+            cwd.display()
+        );
+    }
+}
+
 fn run_stale_base_preflight(flag_value: Option<&str>) {
     let cwd = match env::current_dir() {
         Ok(cwd) => cwd,
@@ -2906,6 +2926,7 @@ fn run_repl(
     base_commit: Option<String>,
     reasoning_effort: Option<String>,
 ) -> Result<(), Box<dyn std::error::Error>> {
+    warn_if_broad_cwd();
     run_stale_base_preflight(base_commit.as_deref());
     let resolved_model = resolve_repl_model(model);
     let mut cli = LiveCli::new(resolved_model, true, allowed_tools, permission_mode)?;