diff --git a/plugins/llm-security/CLAUDE.md b/plugins/llm-security/CLAUDE.md
index 8bf8dad..6ac7205 100644
--- a/plugins/llm-security/CLAUDE.md
+++ b/plugins/llm-security/CLAUDE.md
@@ -42,7 +42,7 @@ Security scanning, auditing, and threat modeling for Claude Code projects. 5 fra
 |--------|-------|---------|---------|
 | `pre-prompt-inject-scan.mjs` | UserPromptSubmit | — | Block prompt injection, warn on manipulation (incl. oversight evasion, HTML obfuscation, MEDIUM advisory for leetspeak/homoglyphs/zero-width/multi-lang). Unicode Tag steganography detection. Mode: `LLM_SECURITY_INJECTION_MODE=block\|warn\|off` |
 | `pre-edit-secrets.mjs` | PreToolUse | `Edit\|Write` | Block credentials in files |
-| `pre-bash-destructive.mjs` | PreToolUse | `Bash` | Block rm -rf, curl\|sh, fork bombs, eval. Bash evasion normalization (empty quotes, ${} expansion, backslash splitting via `bash-normalize.mjs`) |
+| `pre-bash-destructive.mjs` | PreToolUse | `Bash` | Block rm -rf, curl\|sh, fork bombs, eval. Bash evasion normalization (T1-T6 via `bash-normalize.mjs`: empty quotes, ${} expansion, backslash splitting, IFS, ANSI-C hex) — defense-in-depth mot T1-T6; Claude Code 2.1.98+ dekker harness-nivå |
 | `pre-install-supply-chain.mjs` | PreToolUse | `Bash` | Block compromised packages across ALL ecosystems. Bash evasion normalization before gate matching |
 | `pre-write-pathguard.mjs` | PreToolUse | `Write` | Block writes to .env, .ssh/, .aws/, credentials, settings |
 | `post-mcp-verify.mjs` | PostToolUse | — (all) | Injection scan on ALL tool output (incl. MEDIUM patterns, HITL traps, sub-agent spawn, NL indirection, cognitive load, hybrid P2SQL/recursive/XSS). HTML content trap detection. Bash-specific: secrets/URLs/size. MCP: description drift detection (MCP05), per-tool volume tracking |
@@ -161,6 +161,8 @@ Prompt injection is **structurally unsolvable** with current architectures (join
 - **Architectural constraints** — CaMeL-inspired data flow tagging, sub-agent delegation tracking, HITL trap detection
 - **Honest documentation** — Known Limitations section acknowledges what deterministic hooks cannot detect
 
+**Bash evasion layers (T1-T6):** `bash-normalize.mjs` collapses six known obfuscation techniques before gate matching as a defense-in-depth layer. T1 empty quotes (`rm''-rf`), T2 `${}` parameter expansion, T3 backslash continuation, T4 tab/whitespace splitting, T5 `${IFS}` word-splitting, T6 ANSI-C hex quoting (`$'\x72\x6d'`). These layers complement — not replace — Claude Code 2.1.98+ harness-level protections. Full reference: `docs/security-hardening-guide.md`.
+
 **What v5.0 cannot do:**
 - Prevent adaptive attacks from motivated human red-teamers (100% ASR per joint paper)
 - Fix CLAUDE.md loading before hooks (platform limitation)