# phone_opus

`phone_opus` is a deliberately narrow MCP server for consultative Claude Code
calls.

It exposes one blocking domain tool:

- `consult`: run the system `claude` install in print mode, wait for the answer,
  and return the response plus execution metadata
  - pass `session_id` from a previous response to resume that Claude Code conversation
  - a fixed consult prefix is prepended before the caller-supplied prompt
  - pass `background: true` to queue the consult and get back a job handle instead of blocking
- `consult_job`: inspect one background consult job and receive the final result once it completes
- `consult_jobs`: list recent background consult jobs

The server keeps the public MCP session in a durable host, isolates the actual
Claude invocation in a disposable worker, and ships standard health and
telemetry surfaces:

- `health_snapshot`
- `telemetry_snapshot`

## Runtime posture

Each `consult` call runs Claude Code with:

- the system `claude` binary
- `--model claude-opus-4-6`
- `--effort max`
- a baked-in consult prefix telling Claude it is acting in read-only advisory mode for another model and should return a prioritized actionable report
- no configured MCP servers (`--strict-mcp-config --mcp-config '{"mcpServers":{}}'`)
- a read-only built-in toolset:
  - `Bash,Read,Grep,Glob,LS,WebFetch,WebSearch`
- `--dangerously-skip-permissions`
- an external `systemd-run --user` sandbox instead of Claude's internal permission gate
  - the filesystem stays globally read-only under `ProtectSystem=strict`
  - `phone_opus` gives Claude a separate persistent home and XDG state under its own state root
  - `/tmp` and `/var/tmp` stay writable
  - when the consulted `cwd` sits inside a writable tree such as `/tmp/...`, that consulted tree is remounted read-only so Claude cannot accidentally edit the target repo
- internet access remains available

## Development

Run the fast gate with:

```bash
python check.py
```

Run the server locally with:

```bash
cargo run -- mcp serve
```