open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/docs/security-hardening-guide.md

360 lines
17 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Security Hardening Guide
This guide documents the environment variables, sandboxing mechanisms, and hook
modes available in `llm-security`, and how to align them with the capabilities of
Opus 4.7 and Claude Code 2.1.112.
The guide is opinionated: it describes the configurations the plugin authors run
in production. Deviations are fine, but the defaults here are the tested path.
---
## 1. Environment variables
### 1.1 Harness-level (Claude Code)
| Variable | Values | Effect |
|----------|--------|--------|
| `CLAUDE_CODE_EFFORT_LEVEL` | `low` \| `medium` \| `high` \| `xhigh` | Tunes how aggressively the model spends compute per turn. `xhigh` is recommended for security-sensitive planning and audits. |
| `ENABLE_PROMPT_CACHING_1H` | `1` \| unset | Enables 1-hour prompt cache TTL. Reduces cost and latency for repeated context; cache hits do not weaken scanning. |
| `CLAUDE_CODE_SCRIPT_CAPS` | JSON blob | Declares maximum capabilities Claude Code can grant scripts it spawns. Use to lock down hook and command execution. |
### 1.2 Plugin-specific hook modes
| Variable | Default | Modes |
|----------|---------|-------|
| `LLM_SECURITY_INJECTION_MODE` | `block` | `block` — exit 2 on critical/high injection patterns. `warn` — advisory via systemMessage. `off` — disables scan. |
| `LLM_SECURITY_TRIFECTA_MODE` | `warn` | `block` — exit 2 when lethal trifecta (untrusted input + sensitive data + exfiltration sink) detected. `warn` — advisory. `off` — disables. |
| `LLM_SECURITY_PRECOMPACT_MODE` | `warn` | `block` — exit 2 on findings during PreCompact. `warn` — advisory via systemMessage. `off` — disables scan. |
| `LLM_SECURITY_PRECOMPACT_MAX_BYTES` | `512000` | Tail size in bytes read from transcript for scanning. Higher values increase coverage at the cost of latency. |
| `LLM_SECURITY_UPDATE_CHECK` | `on` | `off` disables the daily update-check HTTP call. |
| `LLM_SECURITY_AUDIT_*` | unset | Audit trail configuration (destination, format, etc.) for SIEM-ready JSONL output. |
Apply env vars via shell profile, `.envrc`, or the host MDM. Do not write them
into the repository.
---
## 2. Sandboxing
### 2.1 macOS — `sandbox-exec`
`scanners/lib/git-clone.mjs` wraps remote clones in a `sandbox-exec` profile that
restricts file writes to the specific temp directory. This defends against
malicious `.gitattributes` filter/smudge drivers. The plugin uses this path by
default on Darwin.
### 2.2 Linux — `bubblewrap` (bwrap)
On Linux, the same flow uses `bwrap` to accomplish equivalent isolation. Works on
Fedora and Arch without configuration. Ubuntu 24.04+ may require a permissive
AppArmor profile (administrator privileges); fallback is git-config flags only,
with a WARN logged in the clone audit trail.
### 2.3 Windows
Windows has no equivalent OS sandbox available in default installs. The plugin
falls back to hardened git-config flags (`core.hooksPath=/dev/null`,
`core.symlinks=false`, disabled LFS drivers, `protocol.file.allow=never`,
`transfer.fsckObjects=true`) and environment isolation
(`GIT_CONFIG_NOSYSTEM=1`, `GIT_CONFIG_GLOBAL=/dev/null`, `GIT_ATTR_NOSYSTEM=1`).
A WARN is logged so the caller can weigh the residual risk.
### 2.4 PID-namespace considerations
On Linux hosts with user namespaces disabled (some hardened kernels), `bwrap`
may fail to create the PID namespace. Prefer running scans from a normal user
shell; avoid root, which disables user-namespace confinement.
---
## 3. Hook modes in practice
### 3.1 Start in warn mode
Every new integration of `llm-security` should begin with all modes set to
`warn`. This yields advisories without breaking workflow, and lets the team
calibrate false-positive rates against their actual repositories.
### 3.2 Promote to block after baselining
After a baseline period (typically 1-2 weeks), flip each mode to `block` in this
order: `LLM_SECURITY_INJECTION_MODE`, `LLM_SECURITY_TRIFECTA_MODE`,
`LLM_SECURITY_PRECOMPACT_MODE`. The injection hook is first because false
positives there are the most visible; blocking comes last because the others
build confidence.
### 3.3 Off mode is a deliberate choice
Use `off` only when you explicitly need to disable a layer (e.g., during
performance profiling). Prefer `warn` in all other cases — the signal is still
recorded in the audit trail.
---
## 4. Bash normalization (T1-T6) as defense-in-depth
`scanners/lib/bash-normalize.mjs` collapses six known bash obfuscation
techniques before the denylist gate runs. These are **defense-in-depth** layers
that complement the Claude Code 2.1.98+ harness-level fixes, not a replacement.
The plugin's "defense-in-depth" claim resolves to **three independent detection
layers with documented bypass classes**: (1) the Claude Code harness denylist
(out of plugin scope, evolves with platform); (2) `bash-normalize.mjs` T1-T6
collapse rules; (3) `pre-bash-destructive.mjs` post-normalization pattern match
+ `post-session-guard.mjs` runtime trifecta correlation. Each layer has known
bypasses (see Defense Philosophy in `CLAUDE.md` and `docs/critical-review-2026-04-20.md`
§4 for the evasion arsenal). Stacking layers raises attacker cost; it does not
provide formal worst-case guarantees.
| Layer | Technique | Example | Normalization |
|-------|-----------|---------|---------------|
| T1 | Empty quotes | `rm''-rf /` | strip `''` / `""` between tokens |
| T2 | `${}` expansion | `r${x}m -rf /` | drop `${VAR}` where VAR is unset in scan context |
| T3 | Backslash continuation | `rm\<newline>-rf /` | collapse backslash-newline pairs |
| T4 | Tab/whitespace splitting | `rm\t-rf /` | normalize whitespace to single space |
| T5 | `${IFS}` word-splitting | `rm${IFS}-rf${IFS}/` | replace `${IFS}` with space |
| T6 | ANSI-C hex quoting | `$'\x72\x6d' -rf /` | decode `$'\xHH'` to ASCII byte |
See `CLAUDE.md` §Defense Philosophy for the broader framing.
---
## 5. Alignment with Opus 4.7 (system card references)
### 5.1 Agent safety evaluations (§5.2.1)
The Opus 4.7 system card §5.2.1 documents agentic safety evaluations and notes
that multi-layer defenses outperform single-layer defenses against adaptive
attacks. `llm-security` implements this posture: prompt-scan + pathguard +
trifecta-guard + pre-compact-scan operate in depth. A single layer failing does
not compromise the defense.
### 5.2 Instruction following and hierarchy (§6.3.1.1)
The Opus 4.7 system card §6.3.1.1 describes tighter adherence to the declared
instruction hierarchy and more literal interpretation of agent instructions.
Consequently:
- Stacked imperatives (e.g., "NEVER do X / MUST NOT do X") are less useful than
tool-level enforcement. Prefer `tools:` frontmatter to restrict capabilities
at the platform level, so the agent simply does not have the unsafe tool.
- Agent instructions should mark speculation as speculation, and cite evidence
(path, line number) rather than generalizing from one observation. See the
"Step 0 Generaliseringsgrense" note added to `skill-scanner-agent.md` and
`mcp-scanner-agent.md`.
- Parallel Read calls are preferred for independent file reads, documented in
the same Step 0 notes. This reduces latency and aligns with the model's
improved parallel-tool-use behavior.
### 5.3 Known limitations (system card §6.3)
Prompt injection is structurally unsolvable in the current architecture. The
system card acknowledges this; so does `CLAUDE.md` §Defense Philosophy. The
hardening described here reduces the attack surface and raises the cost of
attacks but does not eliminate them.
---
## 6. Calibration & false positives (v7.0.0+)
Security scanners live or die by their signal-to-noise ratio. A scanner that
cries "extreme" on every project destroys its own credibility — users learn
to ignore findings, and genuine threats slip past. v7.0.0 ships three
calibration layers to keep that from happening.
### 6.1 Risk-score v2 formula
The v1 formula was a sum-and-cap: `critical*25 + high*10 + medium*4 + low*1`,
capped at 100. Every non-trivial scan collapsed to 100/Extreme regardless of
actual distribution. A codebase with 2 mediums and 100 lows scored the same
as a codebase with 5 criticals.
v2 (`scanners/lib/severity.mjs`) is severity-dominated and log-scaled within
tier:
| Finding mix | Score range | Band |
|-------------|-------------|------|
| Critical present | 7095 (1=80, 2=86, 4=90, 10=95) | Critical/Extreme |
| High only | 4065 (1=48, 5=60, 17=65) | High |
| Medium only | 1535 (1=20, 5=28, 50=33) | Medium |
| Low only | 111 (1=4, 10=11) | Low |
| None | 0 | Low |
Verdict cutoffs (`BLOCK ≥65`, `WARNING ≥15`) are locked to the `riskBand()`
boundaries so you can't get a "BLOCK / Medium band" contradiction. The legacy
formula is kept as `riskScoreV1()` for reference only.
**CI impact:** Pipelines with `--fail-on high` keep working (the severity
gate is unaffected). Pipelines with score-based thresholds need recalibration
— old `score >= 21` corresponds roughly to new `score >= 15`.
### 6.2 Context-aware entropy scanner
The entropy scanner flags high-Shannon-entropy strings as possible
credentials. On codebases heavy with shader code, bundled JS, CSS-in-JS or
SQL it produced astronomical false-positive rates. v7.0.0 adds three
suppression layers:
1. **File-extension skip** — whole files with these extensions are never
inspected for entropy findings: `.glsl, .frag, .vert, .shader, .wgsl,
.css, .scss, .sass, .less, .svg` + compound `.min.js, .min.css, .map`. A
skip counter (`calibration.files_skipped_by_extension`) is reported in the
scanner envelope.
2. **Line-level rules 1118** — applied when a line contains any of: GLSL
keywords (`uniform`, `vec3`, `texture2D`…), CSS-in-JS templates
(`styled.…`), inline `<svg>` markup, ffmpeg `filter_complex` syntax,
browser `User-Agent` strings, SQL DDL on a dedicated line
(`^\s*(SELECT|INSERT|…)`), `throw new Error(\`…\`)` templates, or
markdown image syntax with external URL (`![alt](https://cdn…)` — common
in JSON content indexes / article metadata).
3. **Per-project policy override** — `.llm-security/policy.json` `entropy`
section supports:
```json
{
"entropy": {
"thresholds": {
"critical": { "entropy": 5.4, "minLen": 128 },
"high": { "entropy": 5.1, "minLen": 64 },
"medium": { "entropy": 4.7, "minLen": 40 }
},
"suppress_extensions": [".custom"],
"suppress_line_patterns": ["MY_VENDOR_MARKER"],
"suppress_paths": ["vendored/", "generated/"]
}
}
```
The synthesizer agent reports calibration prominently if >80 % of files were
skipped (signals a policy so aggressive the scan is effectively bypassed)
and omits it silently if <5 % were skipped.
### 6.3 Typosquat allowlist
The DEP scanner flags Levenshtein-close package names against a top-N list
to catch typosquats (`lod-ash`, `expres`). On real codebases this tripped on
short-name tools like `knip`, `nx`, `tsx`, `uv`, `ruff`. v7.0.0 extends
`knowledge/typosquat-allowlist.json` with 22 npm + 5 PyPI entries for modern
tools.
### 6.4 Tuning workflow
1. Run `/security deep-scan` on a representative codebase.
2. Read `calibration.files_skipped_by_extension` and `files_skipped_by_path`
from the envelope — are they reasonable?
3. Review the top 10 findings. For each false positive, pick the narrowest
suppression that catches it:
- Whole extension noisy → `suppress_extensions`
- One line pattern recurring → `suppress_line_patterns`
- Whole directory vendored → `suppress_paths`
4. Raise thresholds only as a last resort — you're hiding real signal.
5. Re-scan and verify verdict/band/score make sense relative to the finding
set.
---
## 7. Sandbox Architecture: Why git-clone and vsix-sandbox Stay Separate
The plugin has two sandbox-using consumers — `scanners/lib/git-clone.mjs`
(remote-repo cloning) and `scanners/lib/vsix-sandbox.mjs` (URL-fetched VS Code
/ JetBrains plugin extraction). On the surface they look like duplication
candidates: both call `sandbox-exec` on macOS, both call `bwrap` on Linux,
both fall back to in-process execution on Windows. They are intentionally not
consolidated. This section documents why.
### 7.1 Shared primitives, not shared code paths
The `sandbox-exec` profile builders and `bwrap` argument builders live in
`lib/vsix-sandbox.mjs` and are *reused* from `git-clone.mjs` — the
duplication is conceptual, not literal. Both consumers call:
- `buildSandboxProfile(allowedWriteDir)` — emits the macOS sandbox-exec
S-expression that whitelists writes only to `allowedWriteDir`.
- `buildBwrapArgs(allowedWriteDir, networkAllowed)` — emits the bwrap
argv for a unprivileged-user-namespace container with the same
write-restriction.
- `buildSandboxedWorker(dirs, workerPath)` — wraps a Node sub-process
in the platform-appropriate sandbox.
The kernel-level isolation contract is identical for both consumers.
### 7.2 Distinct setup contracts
What differs is the *git/zip side* of each pipeline. These contracts are
not interchangeable:
| Concern | git-clone.mjs | vsix-sandbox.mjs |
|---------|---------------|------------------|
| Untrusted setup vector | `.gitattributes` filter/smudge drivers | ZIP entries with `..` traversal, symlinks, ratio bombs |
| Pre-fetch hardening | `core.hooksPath=/dev/null`, `core.symlinks=false`, all LFS filters disabled, `protocol.file.allow=never`, `transfer.fsckObjects=true` | ZIP-extractor caps (10 000 entries, 500MB uncomp, 100x ratio, depth 20), entry-by-entry path validation |
| Environment isolation | `GIT_CONFIG_NOSYSTEM=1`, `GIT_CONFIG_GLOBAL=/dev/null`, `GIT_ATTR_NOSYSTEM=1`, `GIT_TERMINAL_PROMPT=0` | None — fetch is plain HTTPS via `lib/vsix-fetch.mjs`, no env-var attack surface |
| Network policy | Network allowed (clone needs HTTPS) | Network allowed in fetch worker only; extraction worker is offline |
| IPC contract | None — git writes its tree directly into the sandboxed temp dir | Single-line JSON on stdout: `{ok, sha256, size, finalUrl, source, extRoot}` |
A unified "do-everything" sandbox helper would either need to know about
git config flags (irrelevant for VSIX), or would need a callback escape
hatch that re-introduces the abstraction tax it was meant to remove.
### 7.3 Consolidation deferred
Three reasons this stays as it is:
1. **Premature abstraction risk on safety-critical code.** Both modules
are on the trust boundary. A bug in shared abstraction would
simultaneously weaken both consumers; today, bugs are isolated.
2. **Two consumers is not enough signal.** The Rule of Three applies:
abstract when a third consumer arrives and the contract becomes clear,
not before.
3. **Distinct review surfaces.** Reviewers reading `git-clone.mjs` get
the full git-attack-surface story in one file; reviewers reading
`vsix-sandbox.mjs` get the full ZIP-attack-surface story in one file.
Splitting either across a generic sandbox helper would force readers
to context-switch to verify the contract.
### 7.4 Trigger condition for revisiting
This decision will be revisited if and when a third sandbox-using
consumer appears in the plugin (e.g., a sandboxed evaluator for
suspicious shell scripts, or a sandboxed PDF/PPTX parser). At that
point the shared contract — write restriction to a temp dir, network
policy, IPC shape — should be lifted into a `lib/sandbox.mjs` module
with the per-consumer setup remaining co-located with its respective
attack-surface logic.
Until then: two consumers, one set of primitives, two co-located
contracts.
---
## 8. Recommended baseline for production
1. Set `CLAUDE_CODE_EFFORT_LEVEL=xhigh` for audit and planning sessions.
2. Set `ENABLE_PROMPT_CACHING_1H=1` globally — reduces cost, does not weaken
scanning.
3. All three plugin hook modes: start at `warn`, promote to `block` after
baselining.
4. Keep sandbox wrappers enabled (default on macOS / Linux).
5. Periodically run `/security posture` (16-category scorecard) and
`/security dashboard` (cross-project view) to catch drift.
6. After first `/security deep-scan`, run the §6.4 tuning workflow once to
calibrate the noise floor for your codebase.
---
**Last updated:** 2026-04-29 for v7.1.0.
### v7.1.0 calibration note
v7.1.0 is a patch release. No calibration changes; the §6 tuning workflow above is
unchanged. Two hook-level bugs were fixed that affect production posture:
- `pre-write-pathguard.mjs` now blocks multi-segment `.env.*.*.*` paths (previously a
regex hole let `.env.production.local.backup` through).
- `post-session-guard.mjs` `block` mode now blocks every detected trifecta. Previously
required a "concentrated MCP" or "sensitive path" qualifier, so distributed
trifectas were advisory-only even in block mode.
If you run with `LLM_SECURITY_TRIFECTA_MODE=block`, expect the false-block rate to
rise after this upgrade — the previous gate suppressed real trifectas. Re-baseline
the warn-mode noise floor before promoting to block, per §3.
Reference in a new issue View git blame Copy permalink