feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence

Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

security/README.md

@@ -1,17 +1,61 @@
 # Security
 
-Security in Claude Code is layered: permission modes set the
-baseline, hooks enforce custom rules, and settings.json defines
-tool restrictions. This is architecturally different from OpenClaw's
-container-based isolation but achieves the same goal: controlled
-agent behavior.
+This directory contains evidence that Claude Code handles the
+security challenges documented in OpenClaw's CVE disclosures
+(March 2026). Not just claims — scan data, CVE mappings, and
+reproducible configuration.
 
-## Documents in this directory
+## Documents
 
 | File | What it covers |
 |------|---------------|
+| `cve-mitigation-map.md` | Each OpenClaw CVE mapped to a specific Claude Code defense |
+| `scan-results.md` | Posture and deep scan results (reproducible, dated 2026-04-05) |
+| `openclaw-security-assessment.md` | Data-driven 10-category comparison with CVE analysis |
 | `permission-modes-explained.md` | The four permission modes and when to use each |
 | `auto-mode-explained.md` | Auto Mode: AI safety classifier for autonomous execution |
 | `hook-based-guardrails.md` | Building custom security with PreToolUse hooks |
 | `nemoclaw-comparison.md` | Honest comparison with NemoClaw's enterprise security |
-| `openclaw-security-assessment.md` | Data-driven security comparison: OpenClaw CVEs vs Claude Code architecture |
+
+## The evidence chain
+
+1. **Architecture eliminates 4 CVEs** — No gateway, no ports,
+   no multi-user auth means CVE-2026-22172, CVE-2026-25253,
+   CVE-2026-32025, and CVE-2026-32049 cannot occur.
+   See `cve-mitigation-map.md`.
+
+2. **Configuration blocks 5 CVEs** — Scoped Bash permissions
+   (16 grants, 26 deny patterns) and hook enforcement prevent
+   the remaining attack vectors. See `.claude/settings.json`
+   and `hooks/README.md`.
+
+3. **Code is clean** — Deep scan (10 scanners, 51 files): zero
+   secrets, zero injection vectors, zero supply chain risk,
+   zero Unicode attacks. See `scan-results.md`.
+
+4. **The gap is documented** — Posture Grade D without
+   llm-security plugin, Grade B+ with it. The gap is runtime
+   hook enforcement, not code or configuration quality.
+   See `scan-results.md`.
+
+## How to verify
+
+```bash
+# Clone and scan yourself:
+git clone https://git.fromaitochitta.com/open/claude-code-complete-agent.git
+cd claude-code-complete-agent
+
+# With llm-security plugin installed:
+/security posture          # Configuration assessment
+/security scan .           # Code-level scan
+/security deep-scan .      # All 10 deterministic scanners
+```
+
+## Honest gaps
+
+- **No kernel isolation.** NemoClaw (Landlock, seccomp, netns)
+  provides stronger containment than hooks.
+- **No network egress filtering.** Use OS-level firewall rules.
+- **Single-user only.** No multi-tenant separation.
+
+See `nemoclaw-comparison.md` for the full honest assessment.