diff --git a/HARDENING-PLAN.md b/HARDENING-PLAN.md new file mode 100644 index 0000000..fd39072 --- /dev/null +++ b/HARDENING-PLAN.md 
@@ -0,0 +1,87 @@ +# Hardening Plan: Claude Code Complete Agent + +Make this repo a demonstrable proof that Claude Code handles +OpenClaw's security challenges — not just a claim, but evidence. + +## Context + +`security/openclaw-security-assessment.md` documents 9 OpenClaw +CVEs and maps them to Claude Code mitigations. But the repo itself +doesn't yet demonstrate these mitigations. The hooks are demo +shell scripts, settings.json is basic, and no scan data exists. + +## Tasks + +### 1. Harden settings.json + +Replace the demo allow/deny lists with a production-quality +permission model that maps to specific OpenClaw CVEs. + +**Current state:** Basic glob patterns (`Bash(ls:*)`, `Bash(rm -rf *)`) +**Target state:** Scoped permissions with clear security rationale + +File: `.claude/settings.json` + +Reference: llm-security `reference-config-generator.mjs` output +for what Grade A looks like. + +### 2. Upgrade hooks to production quality + +The current `hooks/pre-tool-use.sh` and `hooks/post-tool-use.sh` +are demo bash scripts with grep-based pattern matching. Replace +with hooks that demonstrate real security patterns. + +**Option A:** Document which llm-security hooks cover which CVEs +and recommend users install the llm-security plugin. + +**Option B:** Include lightweight standalone hooks in this repo +that demonstrate the patterns (not the full llm-security suite). + +Option A is more honest. Option B duplicates work. + +Files: `hooks/`, `.claude/settings.json` (hook config) + +### 3. Create CVE-to-mitigation mapping + +Add a document that explicitly connects each OpenClaw CVE to +the specific Claude Code feature or configuration that prevents it. 
+ +| CVE | Attack | Claude Code defense | Where configured | +|-----|--------|-------------------|------------------| +| CVE-2026-22172 | Client self-declares scope | Single-user, no scope model | Architecture | +| CVE-2026-25253 | WebSocket hijack | No gateway/port | Architecture | +| CVE-2026-32048 | Sandbox child escape | Permission hooks | settings.json | +| CVE-2026-30741 | Prompt injection RCE | pre-prompt-inject-scan | llm-security plugin | +| ... | ... | ... | ... | + +File: `security/cve-mitigation-map.md` + +### 4. Run security scan and include results + +Run `/security posture` and `/security scan` against the repo. +Include the results as documentation (not raw JSON — formatted +summary with grade). + +File: `security/scan-results.md` + +### 5. Update security/README.md + +Add the new documents to the index. Rewrite the intro to +position the security/ directory as evidence, not just docs. + +### 6. Update README.md security section + +Reference the scan results and CVE mapping. The security section +should answer: "How do I know this is actually secure?" + +## Verification + +- [ ] `settings.json` has scoped permissions (not `Bash(*)`) +- [ ] Each OpenClaw CVE maps to a specific defense in this repo +- [ ] Security scan results included and show Grade B or higher +- [ ] README security section references evidence, not just claims +- [ ] All changes committed and pushed to Forgejo + +## Estimated scope + +6 files modified/created. One session. No dependencies added.
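Review bot: Task 2 leaves the Option A / Option B decision open ("Option A is more honest. Option B duplicates work."), yet the rest of the plan already depends on a choice: the task 3 table maps CVE-2026-30741 to `pre-prompt-inject-scan` in the "llm-security plugin", which only holds under Option A, and the "6 files modified/created" scope cannot be counted until it is known whether `hooks/` is rewritten, deleted, or replaced by a recommendation. State the decision in the plan and, if it is Option A, add a checklist item that the plugin install step is documented and that the `hooks/` demo scripts are removed so the repo does not ship two contradictory hook sets. Two smaller consistency points in the same hunk: the Verification item "scoped permissions (not `Bash(*)`)" should name the patterns the plan says are actually there now (`Bash(ls:*)`, `Bash(rm -rf *)`), since `Bash(*)` never appears in the current state; and task 1 points at "what Grade A looks like" while Verification accepts "Grade B or higher", so either lower the reference or raise the acceptance bar so the two agree.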