feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence

Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

README.md

@@ -183,33 +183,46 @@ not available in Claude Code.
 
 ## Security
 
-Four permission modes, from manual approval to full autonomy:
+This repo doesn't just claim Claude Code is secure — it provides
+evidence. Every defense is configured, scanned, and documented.
 
-1. **Default:** Ask for every action (learning)
-2. **Auto-edit:** Pre-approved patterns (known workflows)
-3. **Auto Mode:** AI classifier reviews each action (autonomous)
-4. **Bypass:** No checks (sandboxed environments only)
+### What the scans found (2026-04-05)
 
-The repo includes working security hooks:
-- `hooks/pre-tool-use.sh` blocks dangerous commands
-- `hooks/post-tool-use.sh` logs all tool executions
-- `.claude/settings.json` has a permission deny list
+- **Deep scan:** 0 critical, 0 high across 51 files and 10 scanners.
+  No secrets, no injection vectors, no supply chain risk.
+- **Posture:** Grade D without llm-security plugin (demo hooks only),
+  Grade B+ with it installed. The gap is runtime hook enforcement.
+- **CVE mapping:** All 9 OpenClaw CVEs mapped to specific defenses.
+  4 eliminated by architecture, 5 blocked by configuration and hooks.
 
-### Why this matters
+Full results: [`security/scan-results.md`](security/scan-results.md)
 
-OpenClaw had 9 CVEs in 4 days (March 2026), 40K+ exposed instances,
-and 824 malicious skills in ClawHub. Claude Code's architecture
-eliminates most of these attack surfaces: no gateway port, no
-public marketplace malware, no plaintext credentials.
+### Defense layers
 
-Read `security/` for the full picture:
-- `openclaw-security-assessment.md` — data-driven comparison with
-  CVE analysis and 10-category head-to-head
-- `nemoclaw-comparison.md` — honest comparison with NemoClaw's
-  enterprise-grade kernel isolation
-- `hook-based-guardrails.md` — building custom security rules
-- `permission-modes-explained.md` — the four modes explained
-- `auto-mode-explained.md` — AI safety classifier for autonomous use
+| Layer | What it does | Configured in |
+|-------|-------------|--------------|
+| Architecture | No gateway, no ports, no multi-user auth | Inherent to Claude Code |
+| Permission model | 16 scoped Bash grants, 26-pattern deny list | `.claude/settings.json` |
+| Demo hooks | Pattern-matching command blocker + audit logger | `hooks/` |
+| Production hooks | 8 hooks covering all CVEs (recommended) | [llm-security plugin](https://git.fromaitochitta.com/open/claude-code-llm-security) |
+| Permission modes | Default, Auto-edit, Auto Mode, Bypass | User selection at startup |
+
+### Key documents
+
+| Document | What it covers |
+|----------|---------------|
+| [`cve-mitigation-map.md`](security/cve-mitigation-map.md) | Each OpenClaw CVE mapped to a specific defense |
+| [`scan-results.md`](security/scan-results.md) | Reproducible posture and deep scan results |
+| [`openclaw-security-assessment.md`](security/openclaw-security-assessment.md) | 10-category head-to-head with CVE analysis |
+| [`nemoclaw-comparison.md`](security/nemoclaw-comparison.md) | Honest comparison with enterprise kernel isolation |
+
+### Verify yourself
+
+```bash
+# With llm-security plugin installed:
+/security posture       # Configuration assessment
+/security deep-scan .   # All 10 deterministic scanners
+```
 
 ## License