feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence

Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

security/cve-mitigation-map.md

@@ -0,0 +1,101 @@
+# CVE-to-Mitigation Map
+
+How Claude Code's architecture and configuration defend against
+each OpenClaw CVE disclosed in March 2026. Each row links a
+specific vulnerability to the defense mechanism and where it
+is configured in this repository.
+
+## Mapping
+
+| CVE | CVSS | Attack | Claude Code defense | Where configured | Defense type |
+|-----|------|--------|-------------------|------------------|-------------|
+| CVE-2026-22172 | 9.9 | Client self-declares admin scope | Single-user architecture — no scope model, no multi-user auth layer | Architecture (inherent) | Eliminated |
+| CVE-2026-25253 | 8.8 | WebSocket hijack (one-click RCE) | No gateway, no listening port, no WebSocket server | Architecture (inherent) | Eliminated |
+| CVE-2026-22171 | 8.2 | Arbitrary file write via media path traversal | `pre-write-pathguard.mjs` blocks writes to sensitive paths; settings.json deny list blocks destructive commands | llm-security hook + `.claude/settings.json` | Blocked |
+| CVE-2026-32048 | 7.5 | Sandbox child process escape | Scoped Bash permissions (16 specific commands, not `Bash(*)`); `pre-bash-destructive.mjs` blocks dangerous patterns | `.claude/settings.json` allow list + llm-security hook | Blocked |
+| CVE-2026-32025 | 7.5 | Brute force on localhost auth | No authentication endpoint — single-user, no network service | Architecture (inherent) | Eliminated |
+| CVE-2026-32049 | 7.5 | DoS via oversized media payload | No media ingestion endpoint — files processed locally, no upload handler | Architecture (inherent) | Eliminated |
+| CVE-2026-32032 | 7.0 | Shell injection via SHELL env variable | `pre-bash-destructive.mjs` validates commands; scoped Bash permissions restrict allowed executables | llm-security hook + `.claude/settings.json` | Blocked |
+| CVE-2026-29607 | 6.4 | Approve-then-swap (approval bypass) | Deterministic hook validation on every call (no cached approvals); `post-mcp-verify.mjs` scans all tool output | llm-security hooks | Blocked |
+| CVE-2026-28460 | 5.9 | Line-continuation allowlist bypass | Permission matching in settings.json is not regex-based; hooks validate the actual command, not a display string | `.claude/settings.json` + hooks | Blocked |
+
+## Defense layers
+
+Claude Code's security is layered. No single mechanism is
+sufficient alone:
+
+```
+Layer 1: Architecture
+  └─ No gateway, no ports, no multi-user auth
+  └─ Eliminates: CVE-22172, CVE-25253, CVE-32025, CVE-32049
+
+Layer 2: Permission model (settings.json)
+  └─ Scoped Bash grants (16 specific commands)
+  └─ 26-pattern deny list
+  └─ Write/Edit require explicit user approval
+  └─ Mitigates: CVE-32048, CVE-28460
+
+Layer 3: Hook enforcement (llm-security plugin)
+  └─ PreToolUse: block before execution
+  └─ PostToolUse: scan output after execution
+  └─ UserPromptSubmit: block prompt injection
+  └─ Mitigates: CVE-22171, CVE-32032, CVE-29607, CVE-30741
+
+Layer 4: Runtime monitoring (llm-security plugin)
+  └─ Session guard: sliding window anomaly detection
+  └─ MCP verify: description drift + volume tracking
+  └─ Supply chain: package audit on every install
+  └─ Detects: compound attack chains, slow exfiltration
+```
+
+## What this does NOT cover
+
+- **Kernel-level isolation:** NemoClaw (Landlock, seccomp, netns)
+  provides stronger containment than hooks. Hooks prevent the
+  agent from *attempting* dangerous operations; kernel isolation
+  contains the damage if prevention fails.
+
+- **Multi-tenant separation:** Claude Code is single-user. For
+  multi-tenant scenarios, each user needs their own instance.
+
+- **Network egress filtering:** Claude Code communicates with
+  Anthropic's API over HTTPS. It does not restrict other outbound
+  connections. Use OS-level firewall rules for egress control.
+
+## Prompt injection (CVE-2026-30741)
+
+Not in the original 9 CVEs but documented in OpenClaw's security
+advisories. The llm-security plugin provides 3-layer defense:
+
+1. **Input scanning** (`pre-prompt-inject-scan.mjs`): Blocks
+   injection patterns in user prompts before the LLM sees them.
+   Configurable: block, warn, or off.
+
+2. **Output scanning** (`post-mcp-verify.mjs`): Scans ALL tool
+   output for injection attempts, HTML content traps, and
+   suspicious patterns. Catches injection via MCP tool responses.
+
+3. **Session pattern detection** (`post-session-guard.mjs`):
+   Detects the "lethal trifecta" — untrusted input combined with
+   sensitive data access and an exfiltration sink — using a
+   sliding window of 20 tool calls.
+
+## Supply chain (ClawHub malware)
+
+Not a CVE but a documented incident: 824 malicious skills found
+in ClawHub marketplace (the ClawHavoc campaign). The llm-security
+plugin's `pre-install-supply-chain.mjs` hook covers 7 package
+managers with:
+
+- Per-ecosystem blocklists for known malicious packages
+- Age gate (packages < 72 hours old are flagged)
+- npm audit integration (critical = block, high = warn)
+- PyPI API inspection for suspicious metadata
+- Levenshtein-based typosquat detection
+- OSV.dev batch API for known vulnerabilities
+
+## Sources
+
+CVE data from NVD and OpenClaw security advisories (March 2026).
+See `openclaw-security-assessment.md` for full analysis with
+statistics and category-by-category comparison.