# Security

This directory contains evidence that Claude Code handles the
security challenges documented in OpenClaw's CVE disclosures
(March 2026). Not just claims — scan data, CVE mappings, and
reproducible configuration.

## Documents

| File | What it covers |
|------|---------------|
| `cve-mitigation-map.md` | Each OpenClaw CVE mapped to a specific Claude Code defense |
| `scan-results.md` | Posture and deep scan results (reproducible, dated 2026-04-05) |
| `openclaw-security-assessment.md` | Data-driven 10-category comparison with CVE analysis |
| `permission-modes-explained.md` | The four permission modes and when to use each |
| `auto-mode-explained.md` | Auto Mode: AI safety classifier for autonomous execution |
| `hook-based-guardrails.md` | Building custom security with PreToolUse hooks |
| `nemoclaw-comparison.md` | Honest comparison with NemoClaw's enterprise security |

## The evidence chain

1. **Architecture eliminates 4 CVEs** — No gateway, no ports,
   no multi-user auth means CVE-2026-22172, CVE-2026-25253,
   CVE-2026-32025, and CVE-2026-32049 cannot occur.
   See `cve-mitigation-map.md`.

2. **Configuration blocks 5 CVEs** — Scoped Bash permissions
   (16 grants, 26 deny patterns) and hook enforcement prevent
   the remaining attack vectors. See `.claude/settings.json`
   and `hooks/README.md`.

3. **Code is clean** — Deep scan (10 scanners, 51 files): zero
   secrets, zero injection vectors, zero supply chain risk,
   zero Unicode attacks. See `scan-results.md`.

4. **The gap is documented** — Posture Grade D without
   llm-security plugin, Grade B+ with it. The gap is runtime
   hook enforcement, not code or configuration quality.
   See `scan-results.md`.

## How to verify

```bash
# Clone and scan yourself:
git clone https://git.fromaitochitta.com/open/claude-code-complete-agent.git
cd claude-code-complete-agent

# With llm-security plugin installed:
/security posture          # Configuration assessment
/security scan .           # Code-level scan
/security deep-scan .      # All 10 deterministic scanners
```

## Honest gaps

- **No kernel isolation.** NemoClaw (Landlock, seccomp, netns)
  provides stronger containment than hooks.
- **No network egress filtering.** Use OS-level firewall rules.
- **Single-user only.** No multi-tenant separation.

See `nemoclaw-comparison.md` for the full honest assessment.