From bef82cbab4234b17d6f20e39d6712159fa51f0ed Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 17 Apr 2026 14:48:29 +0200 Subject: [PATCH] docs: add security-hardening-guide with Opus 4.7 + Claude Code 2.1.112 env-vars --- .../docs/security-hardening-guide.md | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 plugins/llm-security/docs/security-hardening-guide.md diff --git a/plugins/llm-security/docs/security-hardening-guide.md b/plugins/llm-security/docs/security-hardening-guide.md new file mode 100644 index 0000000..a052c48 --- /dev/null +++ b/plugins/llm-security/docs/security-hardening-guide.md @@ -0,0 +1,163 @@ +# Security Hardening Guide + +This guide documents the environment variables, sandboxing mechanisms, and hook +modes available in `llm-security`, and how to align them with the capabilities of +Opus 4.7 and Claude Code 2.1.112. + +The guide is opinionated: it describes the configurations the plugin authors run +in production. Deviations are fine, but the defaults here are the tested path. + +--- + +## 1. Environment variables + +### 1.1 Harness-level (Claude Code) + +| Variable | Values | Effect | +|----------|--------|--------| +| `CLAUDE_CODE_EFFORT_LEVEL` | `low` \| `medium` \| `high` \| `xhigh` | Tunes how aggressively the model spends compute per turn. `xhigh` is recommended for security-sensitive planning and audits. | +| `ENABLE_PROMPT_CACHING_1H` | `1` \| unset | Enables 1-hour prompt cache TTL. Reduces cost and latency for repeated context; cache hits do not weaken scanning. | +| `CLAUDE_CODE_SCRIPT_CAPS` | JSON blob | Declares maximum capabilities Claude Code can grant scripts it spawns. Use to lock down hook and command execution. | + +### 1.2 Plugin-specific hook modes + +| Variable | Default | Modes | +|----------|---------|-------| +| `LLM_SECURITY_INJECTION_MODE` | `block` | `block` — exit 2 on critical/high injection patterns. `warn` — advisory via systemMessage. `off` — disables scan. | +| `LLM_SECURITY_TRIFECTA_MODE` | `warn` | `block` — exit 2 when lethal trifecta (untrusted input + sensitive data + exfiltration sink) detected. `warn` — advisory. `off` — disables. | +| `LLM_SECURITY_PRECOMPACT_MODE` | `warn` | `block` — exit 2 on findings during PreCompact. `warn` — advisory via systemMessage. `off` — disables scan. | +| `LLM_SECURITY_PRECOMPACT_MAX_BYTES` | `512000` | Tail size in bytes read from transcript for scanning. Higher values increase coverage at the cost of latency. | +| `LLM_SECURITY_UPDATE_CHECK` | `on` | `off` disables the daily update-check HTTP call. | +| `LLM_SECURITY_AUDIT_*` | unset | Audit trail configuration (destination, format, etc.) for SIEM-ready JSONL output. | + +Apply env vars via shell profile, `.envrc`, or the host MDM. Do not write them +into the repository. + +--- + +## 2. Sandboxing + +### 2.1 macOS — `sandbox-exec` + +`scanners/lib/git-clone.mjs` wraps remote clones in a `sandbox-exec` profile that +restricts file writes to the specific temp directory. This defends against +malicious `.gitattributes` filter/smudge drivers. The plugin uses this path by +default on Darwin. + +### 2.2 Linux — `bubblewrap` (bwrap) + +On Linux, the same flow uses `bwrap` to accomplish equivalent isolation. Works on +Fedora and Arch without configuration. Ubuntu 24.04+ may require a permissive +AppArmor profile (administrator privileges); fallback is git-config flags only, +with a WARN logged in the clone audit trail. + +### 2.3 Windows + +Windows has no equivalent OS sandbox available in default installs. The plugin +falls back to hardened git-config flags (`core.hooksPath=/dev/null`, +`core.symlinks=false`, disabled LFS drivers, `protocol.file.allow=never`, +`transfer.fsckObjects=true`) and environment isolation +(`GIT_CONFIG_NOSYSTEM=1`, `GIT_CONFIG_GLOBAL=/dev/null`, `GIT_ATTR_NOSYSTEM=1`). +A WARN is logged so the caller can weigh the residual risk. + +### 2.4 PID-namespace considerations + +On Linux hosts with user namespaces disabled (some hardened kernels), `bwrap` +may fail to create the PID namespace. Prefer running scans from a normal user +shell; avoid root, which disables user-namespace confinement. + +--- + +## 3. Hook modes in practice + +### 3.1 Start in warn mode + +Every new integration of `llm-security` should begin with all modes set to +`warn`. This yields advisories without breaking workflow, and lets the team +calibrate false-positive rates against their actual repositories. + +### 3.2 Promote to block after baselining + +After a baseline period (typically 1-2 weeks), flip each mode to `block` in this +order: `LLM_SECURITY_INJECTION_MODE`, `LLM_SECURITY_TRIFECTA_MODE`, +`LLM_SECURITY_PRECOMPACT_MODE`. The injection hook is first because false +positives there are the most visible; blocking comes last because the others +build confidence. + +### 3.3 Off mode is a deliberate choice + +Use `off` only when you explicitly need to disable a layer (e.g., during +performance profiling). Prefer `warn` in all other cases — the signal is still +recorded in the audit trail. + +--- + +## 4. Bash normalization (T1-T6) as defense-in-depth + +`scanners/lib/bash-normalize.mjs` collapses six known bash obfuscation +techniques before the denylist gate runs. These are **defense-in-depth** layers +that complement the Claude Code 2.1.98+ harness-level fixes, not a replacement. + +| Layer | Technique | Example | Normalization | +|-------|-----------|---------|---------------| +| T1 | Empty quotes | `rm''-rf /` | strip `''` / `""` between tokens | +| T2 | `${}` expansion | `r${x}m -rf /` | drop `${VAR}` where VAR is unset in scan context | +| T3 | Backslash continuation | `rm\-rf /` | collapse backslash-newline pairs | +| T4 | Tab/whitespace splitting | `rm\t-rf /` | normalize whitespace to single space | +| T5 | `${IFS}` word-splitting | `rm${IFS}-rf${IFS}/` | replace `${IFS}` with space | +| T6 | ANSI-C hex quoting | `$'\x72\x6d' -rf /` | decode `$'\xHH'` to ASCII byte | + +See `CLAUDE.md` §Defense Philosophy for the broader framing. + +--- + +## 5. Alignment with Opus 4.7 (system card references) + +### 5.1 Agent safety evaluations (§5.2.1) + +The Opus 4.7 system card §5.2.1 documents agentic safety evaluations and notes +that multi-layer defenses outperform single-layer defenses against adaptive +attacks. `llm-security` implements this posture: prompt-scan + pathguard + +trifecta-guard + pre-compact-scan operate in depth. A single layer failing does +not compromise the defense. + +### 5.2 Instruction following and hierarchy (§6.3.1.1) + +The Opus 4.7 system card §6.3.1.1 describes tighter adherence to the declared +instruction hierarchy and more literal interpretation of agent instructions. +Consequently: + +- Stacked imperatives (e.g., "NEVER do X / MUST NOT do X") are less useful than + tool-level enforcement. Prefer `tools:` frontmatter to restrict capabilities + at the platform level, so the agent simply does not have the unsafe tool. +- Agent instructions should mark speculation as speculation, and cite evidence + (path, line number) rather than generalizing from one observation. See the + "Step 0 Generaliseringsgrense" note added to `skill-scanner-agent.md` and + `mcp-scanner-agent.md`. +- Parallel Read calls are preferred for independent file reads, documented in + the same Step 0 notes. This reduces latency and aligns with the model's + improved parallel-tool-use behavior. + +### 5.3 Known limitations (system card §6.3) + +Prompt injection is structurally unsolvable in the current architecture. The +system card acknowledges this; so does `CLAUDE.md` §Defense Philosophy. The +hardening described here reduces the attack surface and raises the cost of +attacks but does not eliminate them. + +--- + +## 6. Recommended baseline for production + +1. Set `CLAUDE_CODE_EFFORT_LEVEL=xhigh` for audit and planning sessions. +2. Set `ENABLE_PROMPT_CACHING_1H=1` globally — reduces cost, does not weaken + scanning. +3. All three plugin hook modes: start at `warn`, promote to `block` after + baselining. +4. Keep sandbox wrappers enabled (default on macOS / Linux). +5. Periodically run `/security posture` (13-category scorecard) and + `/security dashboard` (cross-project view) to catch drift. + +--- + +**Last updated:** 2026-04-17 for v6.2.0.