shield-harness 0.1.0 → 0.2.0

package/.claude/hooks/lib/permissions-validator.js

@@ -0,0 +1,211 @@
+#!/usr/bin/env node
+// permissions-validator.js — Validates alignment between permissions-spec.json and settings.json
+// Part of the permanent countermeasure system for design-implementation divergence prevention
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Load and validate permissions-spec.json.
+ * @param {string} specPath - Path to permissions-spec.json
+ * @returns {{ deny: string[], ask: string[], allow: string[], expected_counts: object }}
+ * @throws {Error} If file is missing, invalid JSON, or malformed
+ */
+function loadPermissionsSpec(specPath) {
+  if (!fs.existsSync(specPath)) {
+    throw new Error(`Permissions spec not found: ${specPath}`);
+  }
+
+  const raw = fs.readFileSync(specPath, "utf8");
+  let spec;
+  try {
+    spec = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`Permissions spec is not valid JSON: ${err.message}`);
+  }
+
+  if (!spec.permissions) {
+    throw new Error("Permissions spec missing 'permissions' field");
+  }
+
+  const perms = spec.permissions;
+  const deny = (perms.deny || []).map((entry) =>
+    typeof entry === "string" ? entry : entry.rule,
+  );
+  const ask = (perms.ask || []).map((entry) =>
+    typeof entry === "string" ? entry : entry.rule,
+  );
+  const allow = (perms.allow || []).map((entry) =>
+    typeof entry === "string" ? entry : entry.rule,
+  );
+
+  return {
+    deny,
+    ask,
+    allow,
+    expected_counts: spec.expected_counts || null,
+  };
+}
+
+/**
+ * Load permissions from settings.json.
+ * @param {string} settingsPath - Path to settings.json
+ * @returns {{ deny: string[], ask: string[], allow: string[] }}
+ * @throws {Error} If file is missing, invalid JSON, or missing permissions
+ */
+function loadSettingsPermissions(settingsPath) {
+  if (!fs.existsSync(settingsPath)) {
+    throw new Error(`Settings file not found: ${settingsPath}`);
+  }
+
+  const raw = fs.readFileSync(settingsPath, "utf8");
+  let settings;
+  try {
+    settings = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`Settings file is not valid JSON: ${err.message}`);
+  }
+
+  const perms = settings.permissions || {};
+  return {
+    deny: perms.deny || [],
+    ask: perms.ask || [],
+    allow: perms.allow || [],
+  };
+}
+
+/**
+ * Compute the set difference: items in setA but not in setB.
+ * @param {string[]} setA
+ * @param {string[]} setB
+ * @returns {string[]}
+ */
+function setDiff(setA, setB) {
+  const bSet = new Set(setB);
+  return setA.filter((item) => !bSet.has(item));
+}
+
+/**
+ * Diff permissions spec against settings.json.
+ * @param {{ deny: string[], ask: string[], allow: string[] }} spec
+ * @param {{ deny: string[], ask: string[], allow: string[] }} settings
+ * @returns {object} Diff result with missing/extra rules per category
+ */
+function diffPermissions(spec, settings) {
+  const result = {
+    missingDeny: setDiff(spec.deny, settings.deny),
+    extraDeny: setDiff(settings.deny, spec.deny),
+    missingAsk: setDiff(spec.ask, settings.ask),
+    extraAsk: setDiff(settings.ask, spec.ask),
+    missingAllow: setDiff(spec.allow, settings.allow),
+    extraAllow: setDiff(settings.allow, spec.allow),
+  };
+
+  result.totalMissing =
+    result.missingDeny.length +
+    result.missingAsk.length +
+    result.missingAllow.length;
+  result.totalExtra =
+    result.extraDeny.length + result.extraAsk.length + result.extraAllow.length;
+  result.aligned = result.totalMissing === 0 && result.totalExtra === 0;
+
+  return result;
+}
+
+/**
+ * Validate alignment between permissions-spec.json and settings.json.
+ * @param {string} specPath
+ * @param {string} settingsPath
+ * @returns {{ aligned: boolean, diff: object, summary: string, counts: string }}
+ */
+function validateAlignment(specPath, settingsPath) {
+  const spec = loadPermissionsSpec(specPath);
+  const settings = loadSettingsPermissions(settingsPath);
+  const diff = diffPermissions(spec, settings);
+
+  const counts = `${spec.deny.length} deny, ${spec.ask.length} ask, ${spec.allow.length} allow`;
+
+  if (diff.aligned) {
+    return { aligned: true, diff, summary: "All rules aligned", counts };
+  }
+
+  const parts = [];
+  if (diff.missingDeny.length > 0) {
+    parts.push(`${diff.missingDeny.length} deny rules missing from settings`);
+  }
+  if (diff.extraDeny.length > 0) {
+    parts.push(`${diff.extraDeny.length} extra deny rules in settings`);
+  }
+  if (diff.missingAsk.length > 0) {
+    parts.push(`${diff.missingAsk.length} ask rules missing from settings`);
+  }
+  if (diff.extraAsk.length > 0) {
+    parts.push(`${diff.extraAsk.length} extra ask rules in settings`);
+  }
+  if (diff.missingAllow.length > 0) {
+    parts.push(`${diff.missingAllow.length} allow rules missing from settings`);
+  }
+  if (diff.extraAllow.length > 0) {
+    parts.push(`${diff.extraAllow.length} extra allow rules in settings`);
+  }
+
+  const summary = parts.join("; ");
+  return { aligned: false, diff, summary, counts };
+}
+
+/**
+ * Format a human-readable report of the alignment diff.
+ * @param {{ aligned: boolean, diff: object, summary: string }} result
+ * @returns {string}
+ */
+function formatReport(result) {
+  if (result.aligned) {
+    return "Permissions alignment: OK";
+  }
+
+  const lines = ["Permissions alignment: DIVERGENCE DETECTED", ""];
+  const { diff } = result;
+
+  if (diff.missingDeny.length > 0) {
+    lines.push("Missing deny rules (in spec but not in settings.json):");
+    diff.missingDeny.forEach((r) => lines.push(`  - ${r}`));
+    lines.push("");
+  }
+  if (diff.extraDeny.length > 0) {
+    lines.push("Extra deny rules (in settings.json but not in spec):");
+    diff.extraDeny.forEach((r) => lines.push(`  - ${r}`));
+    lines.push("");
+  }
+  if (diff.missingAsk.length > 0) {
+    lines.push("Missing ask rules (in spec but not in settings.json):");
+    diff.missingAsk.forEach((r) => lines.push(`  - ${r}`));
+    lines.push("");
+  }
+  if (diff.extraAsk.length > 0) {
+    lines.push("Extra ask rules (in settings.json but not in spec):");
+    diff.extraAsk.forEach((r) => lines.push(`  - ${r}`));
+    lines.push("");
+  }
+  if (diff.missingAllow.length > 0) {
+    lines.push("Missing allow rules (in spec but not in settings.json):");
+    diff.missingAllow.forEach((r) => lines.push(`  - ${r}`));
+    lines.push("");
+  }
+  if (diff.extraAllow.length > 0) {
+    lines.push("Extra allow rules (in settings.json but not in spec):");
+    diff.extraAllow.forEach((r) => lines.push(`  - ${r}`));
+    lines.push("");
+  }
+
+  return lines.join("\n");
+}
+
+module.exports = {
+  loadPermissionsSpec,
+  loadSettingsPermissions,
+  setDiff,
+  diffPermissions,
+  validateAlignment,
+  formatReport,
+};

package/.claude/hooks/lib/sh-utils.js

@@ -306,6 +306,25 @@ function loadPatterns() {
   }
 }
 
+// --- Repeat Deny Tracking (§4.5 FR-04-07) ---
+
+const REPEAT_DENY_THRESHOLD = 3;
+
+/**
+ * Track deny occurrences per pattern key in session.
+ * Increments deny_tracker[patternKey] in session.json.
+ * @param {string} patternKey - Identifier for the denied pattern
+ * @returns {{ exceeded: boolean, count: number }}
+ */
+function trackDeny(patternKey) {
+  const session = readSession();
+  if (!session.deny_tracker) session.deny_tracker = {};
+  const count = (session.deny_tracker[patternKey] || 0) + 1;
+  session.deny_tracker[patternKey] = count;
+  writeSession(session);
+  return { exceeded: count >= REPEAT_DENY_THRESHOLD, count };
+}
+
 module.exports = {
   // Constants
   SH_DIR,
@@ -337,4 +356,7 @@ module.exports = {
   loadPatterns,
   // Hash Chain
   verifyHashChain,
+  // Deny Tracking
+  trackDeny,
+  REPEAT_DENY_THRESHOLD,
 };

package/.claude/hooks/sh-gate.js

@@ -12,6 +12,7 @@ const {
   nfkcNormalize,
   normalizePath,
   appendEvidence,
+  trackDeny,
 } = require("./lib/sh-utils");
 
 // ---------------------------------------------------------------------------
@@ -324,7 +325,14 @@ if (require.main === module) {
         normalizedCommand,
         input.sessionId,
       );
-      deny(`[sh-gate] Blocked: ${match.label}`);
+      const tracker = trackDeny(`gate:${match.label}`);
+      if (tracker.exceeded) {
+        deny(
+          `[sh-gate] PROBING DETECTED: "${match.label}" denied ${tracker.count} times. User confirmation required.`,
+        );
+      } else {
+        deny(`[sh-gate] Blocked: ${match.label}`);
+      }
       return;
     }
 

package/.claude/hooks/sh-injection-guard.js

@@ -13,6 +13,7 @@ const {
   nfkcNormalize,
   loadPatterns,
   appendEvidence,
+  trackDeny,
 } = require("./lib/sh-utils");
 
 // Zero-width character regex (checked BEFORE pattern matching to prevent bypass)
@@ -92,11 +93,20 @@ if (require.main === module) {
         detail: "Zero-width character detected in raw input",
         session_id: sessionId,
       });
-      deny(
-        "[sh-injection-guard] Zero-width character detected. " +
-          "Invisible characters can be used to bypass security patterns. " +
-          "Category: zero_width (severity: high)",
-      );
+      const zwTracker = trackDeny("injection:zero_width");
+      if (zwTracker.exceeded) {
+        deny(
+          "[sh-injection-guard] PROBING DETECTED: zero_width denied " +
+            zwTracker.count +
+            " times. User confirmation required.",
+        );
+      } else {
+        deny(
+          "[sh-injection-guard] Zero-width character detected. " +
+            "Invisible characters can be used to bypass security patterns. " +
+            "Category: zero_width (severity: high)",
+        );
+      }
       return;
     }
 
@@ -140,11 +150,20 @@ if (require.main === module) {
               pattern: patternStr,
               session_id: sessionId,
             });
-            deny(
-              `[sh-injection-guard] Injection pattern detected. ` +
-                `Category: ${categoryName} (severity: ${severity}). ` +
-                `Description: ${category.description || "N/A"}`,
+            const patternTracker = trackDeny(
+              `injection:${categoryName}:${patternStr}`,
             );
+            if (patternTracker.exceeded) {
+              deny(
+                `[sh-injection-guard] PROBING DETECTED: ${categoryName} denied ${patternTracker.count} times. User confirmation required.`,
+              );
+            } else {
+              deny(
+                `[sh-injection-guard] Injection pattern detected. ` +
+                  `Category: ${categoryName} (severity: ${severity}). ` +
+                  `Description: ${category.description || "N/A"}`,
+              );
+            }
             return;
           }
 

package/.claude/hooks/sh-pipeline.js

@@ -318,6 +318,42 @@ try {
           }
         }
 
+        // Permissions alignment gate (permanent countermeasure — Requirement 1: Hard Gate)
+        const PERM_SPEC_FILE = path.join(".claude", "permissions-spec.json");
+        if (fs.existsSync(PERM_SPEC_FILE)) {
+          try {
+            const {
+              validateAlignment,
+            } = require("./lib/permissions-validator");
+            const alignResult = validateAlignment(
+              PERM_SPEC_FILE,
+              path.join(".claude", "settings.json"),
+            );
+            if (!alignResult.aligned) {
+              updateBacklog(taskId, {
+                stage_status: "stg2_blocked",
+                stg_history_push: {
+                  gate: "stg2_blocked",
+                  passed_at: timestamp,
+                  reason: "permissions_divergence",
+                },
+              });
+              appendEvidence({
+                hook: HOOK_NAME,
+                action: "stg2_blocked",
+                reason: "permissions_divergence",
+                diff_summary: alignResult.summary,
+              });
+              summary = `STG2 BLOCKED: permissions divergence — ${alignResult.summary}`;
+              break;
+            }
+          } catch (err) {
+            // fail-close: validation error also blocks STG2
+            summary = `STG2 BLOCKED: permissions check error — ${err.message}`;
+            break;
+          }
+        }
+
         // Update backlog
         updateBacklog(taskId, {
           stage_status: "stg2_passed",

package/.claude/hooks/sh-session-start.js

@@ -123,6 +123,29 @@ try {
     );
   }
 
+  // 1e: Permissions alignment check (permanent countermeasure)
+  const PERM_SPEC_FILE = path.join(".claude", "permissions-spec.json");
+  if (fs.existsSync(PERM_SPEC_FILE)) {
+    try {
+      const { validateAlignment } = require("./lib/permissions-validator");
+      const result = validateAlignment(PERM_SPEC_FILE, SETTINGS_FILE);
+      if (result.aligned) {
+        contextParts.push(
+          `[gate-check] Permissions alignment: OK (${result.counts})`,
+        );
+      } else {
+        contextParts.push(
+          "[gate-check] WARNING: Permissions divergence detected",
+        );
+        contextParts.push(`[gate-check] ${result.summary}`);
+      }
+    } catch (err) {
+      contextParts.push(
+        `[gate-check] WARNING: Permissions check failed: ${err.message}`,
+      );
+    }
+  }
+
   // --- Module 2: Env Check (§5.1.2) ---
 
   // 2a: OS detection
@@ -137,6 +160,7 @@ try {
   session.session_start = new Date().toISOString();
   session.retry_count = 0;
   session.stop_hook_active = false;
+  session.deny_tracker = {};
   contextParts.push("[env-check] Session initialized, token budget set");
 
   // 2c: OpenShell detection (Layer 3b, ADR-037)

package/.claude/permissions-spec.json

@@ -0,0 +1,440 @@
+{
+  "version": "1.0.0",
+  "profile": "standard",
+  "generated_from": "DETAILED_DESIGN.md §6 + §8.4",
+  "description": "Permissions SoT for shield-harness. Changes here must be reflected in settings.json. Protected by deny rules to prevent unauthorized modification.",
+  "permissions": {
+    "deny": [
+      {
+        "rule": "Read(~/.ssh/**)",
+        "rationale": "SSH key exfiltration prevention",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Read(~/.aws/**)",
+        "rationale": "AWS credentials protection",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Read(~/.gnupg/**)",
+        "rationale": "GPG key protection",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Read(**/.env)",
+        "rationale": "Environment variable file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(**/.env.*)",
+        "rationale": "Environment variable file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(**/credentials*)",
+        "rationale": "Credential file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Edit(.claude/hooks/**)",
+        "rationale": "Hook tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/rules/**)",
+        "rationale": "Rule tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/skills/**)",
+        "rationale": "Skill tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/settings.json)",
+        "rationale": "Settings self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/permissions-spec.json)",
+        "rationale": "Permissions SoT self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/hooks/**)",
+        "rationale": "Hook tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/rules/**)",
+        "rationale": "Rule tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/skills/**)",
+        "rationale": "Skill tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/settings.json)",
+        "rationale": "Settings self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/settings.local.json)",
+        "rationale": "Local settings protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/permissions-spec.json)",
+        "rationale": "Permissions SoT self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Bash(rm -rf /)",
+        "rationale": "System destruction prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(rm -rf ~)",
+        "rationale": "Home directory destruction prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(del /s /q C:\\\\)",
+        "rationale": "Windows system destruction prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(format *)",
+        "rationale": "Disk format prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(cat */.ssh/*)",
+        "rationale": "SSH key display prevention",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Bash(type *\\\\.ssh\\\\*)",
+        "rationale": "Windows SSH key display prevention",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Bash(curl *)",
+        "rationale": "Network isolation - data exfiltration prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(wget *)",
+        "rationale": "Network isolation - data exfiltration prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(Invoke-WebRequest *)",
+        "rationale": "Windows network isolation",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(nc *)",
+        "rationale": "Network reconnaissance prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(ncat *)",
+        "rationale": "Network reconnaissance prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(nmap *)",
+        "rationale": "Network scanning prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(git push --force *)",
+        "rationale": "Force push prevention",
+        "threat_id": "T-06"
+      },
+      {
+        "rule": "Bash(npm publish *)",
+        "rationale": "Unauthorized package publication prevention",
+        "threat_id": "T-06"
+      },
+      {
+        "rule": "Edit(tasks/backlog.yaml)",
+        "rationale": "Backlog SoT protection (§8.4)",
+        "threat_id": "T-07"
+      },
+      {
+        "rule": "Write(tasks/backlog.yaml)",
+        "rationale": "Backlog SoT protection (§8.4)",
+        "threat_id": "T-07"
+      },
+      {
+        "rule": "Read(./**/*.pem)",
+        "rationale": "Certificate private key protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(./**/*.key)",
+        "rationale": "Key file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(./**/*secret*)",
+        "rationale": "Secret file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(~/.config/gcloud/**)",
+        "rationale": "GCP credential protection",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Edit(.shield-harness/**)",
+        "rationale": "Session data protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.shield-harness/**)",
+        "rationale": "Session data protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/patterns/**)",
+        "rationale": "Injection pattern protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/patterns/**)",
+        "rationale": "Injection pattern protection",
+        "threat_id": "T-03"
+      }
+    ],
+    "ask": [
+      {
+        "rule": "Bash(git push *)",
+        "rationale": "Remote push requires confirmation",
+        "threat_id": "T-06"
+      },
+      {
+        "rule": "Edit(.claude/**)",
+        "rationale": "Config changes require confirmation",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Bash(npm install *)",
+        "rationale": "Dependency changes require confirmation",
+        "threat_id": "T-08"
+      },
+      {
+        "rule": "Bash(npx *)",
+        "rationale": "Arbitrary package execution requires confirmation",
+        "threat_id": "T-08"
+      }
+    ],
+    "allow": [
+      {
+        "rule": "Bash(git status)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git diff *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git log *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git branch *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git show *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git blame *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git stash list)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git stash show *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(npm test)",
+        "rationale": "Safe build/test operation"
+      },
+      {
+        "rule": "Bash(npm run *)",
+        "rationale": "Safe build/test operation"
+      },
+      {
+        "rule": "Bash(npm list *)",
+        "rationale": "Read-only npm operation"
+      },
+      {
+        "rule": "Bash(npm outdated)",
+        "rationale": "Read-only npm operation"
+      },
+      {
+        "rule": "Bash(npm audit *)",
+        "rationale": "Security audit operation"
+      },
+      {
+        "rule": "Bash(node --version)",
+        "rationale": "Version check"
+      },
+      {
+        "rule": "Bash(bun --version)",
+        "rationale": "Version check"
+      },
+      {
+        "rule": "Bash(python3 --version)",
+        "rationale": "Version check"
+      },
+      {
+        "rule": "Bash(ls *)",
+        "rationale": "Read-only filesystem operation"
+      },
+      {
+        "rule": "Bash(dir *)",
+        "rationale": "Windows read-only filesystem operation"
+      },
+      {
+        "rule": "Bash(cat *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(head *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(tail *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(wc *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(find *)",
+        "rationale": "Read-only filesystem operation"
+      },
+      {
+        "rule": "Bash(grep *)",
+        "rationale": "Read-only search operation"
+      },
+      {
+        "rule": "Bash(rg *)",
+        "rationale": "Read-only search operation"
+      },
+      {
+        "rule": "Bash(ag *)",
+        "rationale": "Read-only search operation"
+      },
+      {
+        "rule": "Bash(which *)",
+        "rationale": "Read-only command lookup"
+      },
+      {
+        "rule": "Bash(type *)",
+        "rationale": "Read-only command lookup"
+      },
+      {
+        "rule": "Bash(file *)",
+        "rationale": "Read-only file type detection"
+      },
+      {
+        "rule": "Bash(pwd)",
+        "rationale": "Read-only directory info"
+      },
+      {
+        "rule": "Bash(whoami)",
+        "rationale": "Read-only user info"
+      },
+      {
+        "rule": "Bash(date)",
+        "rationale": "Read-only system info"
+      },
+      {
+        "rule": "Bash(uname *)",
+        "rationale": "Read-only system info"
+      },
+      {
+        "rule": "Bash(echo *)",
+        "rationale": "Safe output operation"
+      },
+      {
+        "rule": "Bash(jq *)",
+        "rationale": "Read-only JSON processing"
+      },
+      {
+        "rule": "Bash(sed *)",
+        "rationale": "Text processing"
+      },
+      {
+        "rule": "Bash(awk *)",
+        "rationale": "Text processing"
+      },
+      {
+        "rule": "Bash(sort *)",
+        "rationale": "Read-only text operation"
+      },
+      {
+        "rule": "Bash(uniq *)",
+        "rationale": "Read-only text operation"
+      },
+      {
+        "rule": "Read(**)",
+        "rationale": "Full read access (deny rules exclude sensitive paths)"
+      },
+      {
+        "rule": "Glob(*)",
+        "rationale": "Read-only filesystem search"
+      },
+      {
+        "rule": "Grep(*)",
+        "rationale": "Read-only content search"
+      },
+      {
+        "rule": "WebSearch(*)",
+        "rationale": "Read-only web search"
+      },
+      {
+        "rule": "WebFetch(*)",
+        "rationale": "Read-only web fetch"
+      },
+      {
+        "rule": "Task(*)",
+        "rationale": "Internal task management"
+      },
+      {
+        "rule": "Skill(*)",
+        "rationale": "Internal skill execution"
+      },
+      {
+        "rule": "TodoWrite(*)",
+        "rationale": "Internal todo management"
+      },
+      {
+        "rule": "Bash(diff *)",
+        "rationale": "Read-only file comparison"
+      },
+      {
+        "rule": "Bash(tree *)",
+        "rationale": "Read-only directory view"
+      }
+    ]
+  },
+  "expected_counts": {
+    "deny": 41,
+    "ask": 4,
+    "allow": 49
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shield-harness",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Security harness for Claude Code — hooks-driven, zero-hassle defense",
   "bin": {
     "shield-harness": "./bin/shield-harness.js"
@@ -10,6 +10,7 @@
     ".claude/patterns/",
     ".claude/policies/",
     ".claude/rules/",
+    ".claude/permissions-spec.json",
     "bin/"
   ],
   "scripts": {
@@ -21,7 +22,8 @@
     "test:boundary": "node --test tests/data-boundary-evasion.test.js",
     "test:output": "node --test tests/output-security.test.js",
     "test:ocsf": "node --test tests/ocsf-mapper.test.js",
-    "test:policy-compat": "node --test tests/policy-compat.test.js"
+    "test:policy-compat": "node --test tests/policy-compat.test.js",
+    "test:permissions": "node --test tests/permissions-alignment.test.js"
   },
   "keywords": [
     "claude-code",