shield-harness 0.1.0 → 0.3.0

package/.claude/hooks/sh-injection-guard.js

@@ -13,6 +13,7 @@ const {
   nfkcNormalize,
   loadPatterns,
   appendEvidence,
+  trackDeny,
 } = require("./lib/sh-utils");
 
 // Zero-width character regex (checked BEFORE pattern matching to prevent bypass)
@@ -92,11 +93,20 @@ if (require.main === module) {
         detail: "Zero-width character detected in raw input",
         session_id: sessionId,
       });
-      deny(
-        "[sh-injection-guard] Zero-width character detected. " +
-          "Invisible characters can be used to bypass security patterns. " +
-          "Category: zero_width (severity: high)",
-      );
+      const zwTracker = trackDeny("injection:zero_width");
+      if (zwTracker.exceeded) {
+        deny(
+          "[sh-injection-guard] PROBING DETECTED: zero_width denied " +
+            zwTracker.count +
+            " times. User confirmation required.",
+        );
+      } else {
+        deny(
+          "[sh-injection-guard] Zero-width character detected. " +
+            "Invisible characters can be used to bypass security patterns. " +
+            "Category: zero_width (severity: high)",
+        );
+      }
       return;
     }
 
@@ -140,11 +150,20 @@ if (require.main === module) {
               pattern: patternStr,
               session_id: sessionId,
             });
-            deny(
-              `[sh-injection-guard] Injection pattern detected. ` +
-                `Category: ${categoryName} (severity: ${severity}). ` +
-                `Description: ${category.description || "N/A"}`,
+            const patternTracker = trackDeny(
+              `injection:${categoryName}:${patternStr}`,
             );
+            if (patternTracker.exceeded) {
+              deny(
+                `[sh-injection-guard] PROBING DETECTED: ${categoryName} denied ${patternTracker.count} times. User confirmation required.`,
+              );
+            } else {
+              deny(
+                `[sh-injection-guard] Injection pattern detected. ` +
+                  `Category: ${categoryName} (severity: ${severity}). ` +
+                  `Description: ${category.description || "N/A"}`,
+              );
+            }
             return;
           }
 

package/.claude/hooks/sh-pipeline.js

@@ -318,6 +318,42 @@ try {
           }
         }
 
+        // Permissions alignment gate (permanent countermeasure — Requirement 1: Hard Gate)
+        const PERM_SPEC_FILE = path.join(".claude", "permissions-spec.json");
+        if (fs.existsSync(PERM_SPEC_FILE)) {
+          try {
+            const {
+              validateAlignment,
+            } = require("./lib/permissions-validator");
+            const alignResult = validateAlignment(
+              PERM_SPEC_FILE,
+              path.join(".claude", "settings.json"),
+            );
+            if (!alignResult.aligned) {
+              updateBacklog(taskId, {
+                stage_status: "stg2_blocked",
+                stg_history_push: {
+                  gate: "stg2_blocked",
+                  passed_at: timestamp,
+                  reason: "permissions_divergence",
+                },
+              });
+              appendEvidence({
+                hook: HOOK_NAME,
+                action: "stg2_blocked",
+                reason: "permissions_divergence",
+                diff_summary: alignResult.summary,
+              });
+              summary = `STG2 BLOCKED: permissions divergence — ${alignResult.summary}`;
+              break;
+            }
+          } catch (err) {
+            // fail-close: validation error also blocks STG2
+            summary = `STG2 BLOCKED: permissions check error — ${err.message}`;
+            break;
+          }
+        }
+
         // Update backlog
         updateBacklog(taskId, {
           stage_status: "stg2_passed",

package/.claude/hooks/sh-session-start.js

@@ -123,6 +123,29 @@ try {
     );
   }
 
+  // 1e: Permissions alignment check (permanent countermeasure)
+  const PERM_SPEC_FILE = path.join(".claude", "permissions-spec.json");
+  if (fs.existsSync(PERM_SPEC_FILE)) {
+    try {
+      const { validateAlignment } = require("./lib/permissions-validator");
+      const result = validateAlignment(PERM_SPEC_FILE, SETTINGS_FILE);
+      if (result.aligned) {
+        contextParts.push(
+          `[gate-check] Permissions alignment: OK (${result.counts})`,
+        );
+      } else {
+        contextParts.push(
+          "[gate-check] WARNING: Permissions divergence detected",
+        );
+        contextParts.push(`[gate-check] ${result.summary}`);
+      }
+    } catch (err) {
+      contextParts.push(
+        `[gate-check] WARNING: Permissions check failed: ${err.message}`,
+      );
+    }
+  }
+
   // --- Module 2: Env Check (§5.1.2) ---
 
   // 2a: OS detection
@@ -137,6 +160,7 @@ try {
   session.session_start = new Date().toISOString();
   session.retry_count = 0;
   session.stop_hook_active = false;
+  session.deny_tracker = {};
   contextParts.push("[env-check] Session initialized, token budget set");
 
   // 2c: OpenShell detection (Layer 3b, ADR-037)
@@ -245,6 +269,10 @@ try {
           }
         : { available: false, reason: openshellResult.reason },
       session_id: input.sessionId,
+      sandbox_state: openshellResult.available ? "active" : "inactive",
+      sandbox_version: openshellResult.version || null,
+      sandbox_policy_enforced:
+        openshellResult.available && openshellResult.container_running,
       policy_compat: policyCompat
         ? {
             compatible: policyCompat.compatible,

package/.claude/permissions-spec.json

@@ -0,0 +1,440 @@
+{
+  "version": "1.0.0",
+  "profile": "standard",
+  "generated_from": "DETAILED_DESIGN.md §6 + §8.4",
+  "description": "Permissions SoT for shield-harness. Changes here must be reflected in settings.json. Protected by deny rules to prevent unauthorized modification.",
+  "permissions": {
+    "deny": [
+      {
+        "rule": "Read(~/.ssh/**)",
+        "rationale": "SSH key exfiltration prevention",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Read(~/.aws/**)",
+        "rationale": "AWS credentials protection",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Read(~/.gnupg/**)",
+        "rationale": "GPG key protection",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Read(**/.env)",
+        "rationale": "Environment variable file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(**/.env.*)",
+        "rationale": "Environment variable file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(**/credentials*)",
+        "rationale": "Credential file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Edit(.claude/hooks/**)",
+        "rationale": "Hook tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/rules/**)",
+        "rationale": "Rule tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/skills/**)",
+        "rationale": "Skill tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/settings.json)",
+        "rationale": "Settings self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/permissions-spec.json)",
+        "rationale": "Permissions SoT self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/hooks/**)",
+        "rationale": "Hook tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/rules/**)",
+        "rationale": "Rule tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/skills/**)",
+        "rationale": "Skill tampering prevention",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/settings.json)",
+        "rationale": "Settings self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/settings.local.json)",
+        "rationale": "Local settings protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/permissions-spec.json)",
+        "rationale": "Permissions SoT self-protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Bash(rm -rf /)",
+        "rationale": "System destruction prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(rm -rf ~)",
+        "rationale": "Home directory destruction prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(del /s /q C:\\\\)",
+        "rationale": "Windows system destruction prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(format *)",
+        "rationale": "Disk format prevention",
+        "threat_id": "T-04"
+      },
+      {
+        "rule": "Bash(cat */.ssh/*)",
+        "rationale": "SSH key display prevention",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Bash(type *\\\\.ssh\\\\*)",
+        "rationale": "Windows SSH key display prevention",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Bash(curl *)",
+        "rationale": "Network isolation - data exfiltration prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(wget *)",
+        "rationale": "Network isolation - data exfiltration prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(Invoke-WebRequest *)",
+        "rationale": "Windows network isolation",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(nc *)",
+        "rationale": "Network reconnaissance prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(ncat *)",
+        "rationale": "Network reconnaissance prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(nmap *)",
+        "rationale": "Network scanning prevention",
+        "threat_id": "T-05"
+      },
+      {
+        "rule": "Bash(git push --force *)",
+        "rationale": "Force push prevention",
+        "threat_id": "T-06"
+      },
+      {
+        "rule": "Bash(npm publish *)",
+        "rationale": "Unauthorized package publication prevention",
+        "threat_id": "T-06"
+      },
+      {
+        "rule": "Edit(tasks/backlog.yaml)",
+        "rationale": "Backlog SoT protection (§8.4)",
+        "threat_id": "T-07"
+      },
+      {
+        "rule": "Write(tasks/backlog.yaml)",
+        "rationale": "Backlog SoT protection (§8.4)",
+        "threat_id": "T-07"
+      },
+      {
+        "rule": "Read(./**/*.pem)",
+        "rationale": "Certificate private key protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(./**/*.key)",
+        "rationale": "Key file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(./**/*secret*)",
+        "rationale": "Secret file protection",
+        "threat_id": "T-02"
+      },
+      {
+        "rule": "Read(~/.config/gcloud/**)",
+        "rationale": "GCP credential protection",
+        "threat_id": "T-01"
+      },
+      {
+        "rule": "Edit(.shield-harness/**)",
+        "rationale": "Session data protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.shield-harness/**)",
+        "rationale": "Session data protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Edit(.claude/patterns/**)",
+        "rationale": "Injection pattern protection",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/patterns/**)",
+        "rationale": "Injection pattern protection",
+        "threat_id": "T-03"
+      }
+    ],
+    "ask": [
+      {
+        "rule": "Bash(git push *)",
+        "rationale": "Remote push requires confirmation",
+        "threat_id": "T-06"
+      },
+      {
+        "rule": "Edit(.claude/**)",
+        "rationale": "Config changes require confirmation",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Bash(npm install *)",
+        "rationale": "Dependency changes require confirmation",
+        "threat_id": "T-08"
+      },
+      {
+        "rule": "Bash(npx *)",
+        "rationale": "Arbitrary package execution requires confirmation",
+        "threat_id": "T-08"
+      }
+    ],
+    "allow": [
+      {
+        "rule": "Bash(git status)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git diff *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git log *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git branch *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git show *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git blame *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git stash list)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(git stash show *)",
+        "rationale": "Read-only git operation"
+      },
+      {
+        "rule": "Bash(npm test)",
+        "rationale": "Safe build/test operation"
+      },
+      {
+        "rule": "Bash(npm run *)",
+        "rationale": "Safe build/test operation"
+      },
+      {
+        "rule": "Bash(npm list *)",
+        "rationale": "Read-only npm operation"
+      },
+      {
+        "rule": "Bash(npm outdated)",
+        "rationale": "Read-only npm operation"
+      },
+      {
+        "rule": "Bash(npm audit *)",
+        "rationale": "Security audit operation"
+      },
+      {
+        "rule": "Bash(node --version)",
+        "rationale": "Version check"
+      },
+      {
+        "rule": "Bash(bun --version)",
+        "rationale": "Version check"
+      },
+      {
+        "rule": "Bash(python3 --version)",
+        "rationale": "Version check"
+      },
+      {
+        "rule": "Bash(ls *)",
+        "rationale": "Read-only filesystem operation"
+      },
+      {
+        "rule": "Bash(dir *)",
+        "rationale": "Windows read-only filesystem operation"
+      },
+      {
+        "rule": "Bash(cat *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(head *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(tail *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(wc *)",
+        "rationale": "Read-only file operation"
+      },
+      {
+        "rule": "Bash(find *)",
+        "rationale": "Read-only filesystem operation"
+      },
+      {
+        "rule": "Bash(grep *)",
+        "rationale": "Read-only search operation"
+      },
+      {
+        "rule": "Bash(rg *)",
+        "rationale": "Read-only search operation"
+      },
+      {
+        "rule": "Bash(ag *)",
+        "rationale": "Read-only search operation"
+      },
+      {
+        "rule": "Bash(which *)",
+        "rationale": "Read-only command lookup"
+      },
+      {
+        "rule": "Bash(type *)",
+        "rationale": "Read-only command lookup"
+      },
+      {
+        "rule": "Bash(file *)",
+        "rationale": "Read-only file type detection"
+      },
+      {
+        "rule": "Bash(pwd)",
+        "rationale": "Read-only directory info"
+      },
+      {
+        "rule": "Bash(whoami)",
+        "rationale": "Read-only user info"
+      },
+      {
+        "rule": "Bash(date)",
+        "rationale": "Read-only system info"
+      },
+      {
+        "rule": "Bash(uname *)",
+        "rationale": "Read-only system info"
+      },
+      {
+        "rule": "Bash(echo *)",
+        "rationale": "Safe output operation"
+      },
+      {
+        "rule": "Bash(jq *)",
+        "rationale": "Read-only JSON processing"
+      },
+      {
+        "rule": "Bash(sed *)",
+        "rationale": "Text processing"
+      },
+      {
+        "rule": "Bash(awk *)",
+        "rationale": "Text processing"
+      },
+      {
+        "rule": "Bash(sort *)",
+        "rationale": "Read-only text operation"
+      },
+      {
+        "rule": "Bash(uniq *)",
+        "rationale": "Read-only text operation"
+      },
+      {
+        "rule": "Read(**)",
+        "rationale": "Full read access (deny rules exclude sensitive paths)"
+      },
+      {
+        "rule": "Glob(*)",
+        "rationale": "Read-only filesystem search"
+      },
+      {
+        "rule": "Grep(*)",
+        "rationale": "Read-only content search"
+      },
+      {
+        "rule": "WebSearch(*)",
+        "rationale": "Read-only web search"
+      },
+      {
+        "rule": "WebFetch(*)",
+        "rationale": "Read-only web fetch"
+      },
+      {
+        "rule": "Task(*)",
+        "rationale": "Internal task management"
+      },
+      {
+        "rule": "Skill(*)",
+        "rationale": "Internal skill execution"
+      },
+      {
+        "rule": "TodoWrite(*)",
+        "rationale": "Internal todo management"
+      },
+      {
+        "rule": "Bash(diff *)",
+        "rationale": "Read-only file comparison"
+      },
+      {
+        "rule": "Bash(tree *)",
+        "rationale": "Read-only directory view"
+      }
+    ]
+  },
+  "expected_counts": {
+    "deny": 41,
+    "ask": 4,
+    "allow": 49
+  }
+}

package/README.ja.md

@@ -111,6 +111,31 @@ Windows ネイティブでは Claude Code のサンドボックス機能（`sand
 
 ### Layer 3b: NVIDIA OpenShell（オプション）
 
+#### なぜ Layer 3b が必要か？
+
+Layer 1（permissions）と Layer 2（hooks）はツール呼び出しの入力テキスト（実行前のコマンド文字列）を検査します。しかし検査を通過したコマンドが実行されると、**OS 上の子プロセスは自由に動作します**。
+
+```
+Layer 1-2（プロセス内）:
+  Claude Code → [Hook が入力を検査] → コマンド実行 → [子プロセスは自由]
+                 ↑ ここしか制御できない
+
+Layer 3b（プロセス外 = カーネルレベル）:
+  Claude Code → コマンド実行 → [Landlock: ファイルアクセス制御]
+                                [Seccomp: syscall 制御]
+                                [Network NS: ネットワーク隔離]
+                ↑ 子プロセスも含めて全てカーネルが制御
+```
+
+| 攻撃ベクトル                         | Layer 1-2 の対処             | すり抜ける理由                        | Layer 3b の防御                       |
+| ------------------------------------ | ---------------------------- | ------------------------------------- | ------------------------------------- |
+| パイプチェーンによるファイル読み取り | パターンマッチング           | `awk`、`python -c` による間接アクセス | Landlock LSM がカーネルレベルで拒否   |
+| Raw ソケット通信                     | `curl`/`wget` の deny ルール | `python`/`node` でソケットを直接操作  | Seccomp BPF がソケット syscall を拒否 |
+| DNS トンネリング                     | sandbox.network（WSL2 のみ） | DNS クエリにデータを埋め込み          | Network Namespace が全 DNS を隔離     |
+| PowerShell ソケット                  | パターンマッチング           | エンコード・難読化                    | Seccomp BPF + Network NS の二重防御   |
+
+**構造的保証**: エージェント自身がガードレールを無効化することは**不可能** — ポリシーはコンテナ外に存在し、サンドボックス作成時にロックされます。
+
 [NVIDIA OpenShell](https://github.com/NVIDIA/OpenShell)（Apache 2.0）は Docker 上で AI エージェントに**カーネルレベルの隔離**を提供します:
 
 | メカニズム   | 対象             | 保護内容                |

package/README.md

@@ -109,6 +109,31 @@ For enterprise environments, supplementing with Windows Firewall outbound rules
 
 ### Layer 3b: NVIDIA OpenShell (Optional)
 
+#### Why Layer 3b?
+
+Layer 1 (permissions) and Layer 2 (hooks) inspect tool call inputs — the command text before execution. Once a command passes these checks, the **spawned child process runs freely at the OS level**.
+
+```
+Layer 1-2 (in-process):
+  Claude Code → [Hook inspects input] → Command execution → [Child process is free]
+                 ↑ Only controls this point
+
+Layer 3b (out-of-process = kernel-level):
+  Claude Code → Command execution → [Landlock: Filesystem access control]
+                                     [Seccomp: Syscall control]
+                                     [Network NS: Network isolation]
+                ↑ Kernel controls ALL processes including children
+```
+
+| Attack Vector            | Layer 1-2 Defense           | Why It Bypasses                        | Layer 3b Defense                      |
+| ------------------------ | --------------------------- | -------------------------------------- | ------------------------------------- |
+| Pipe chain file access   | Pattern matching            | Indirect access via `awk`, `python -c` | Landlock LSM denies at kernel level   |
+| Raw socket communication | `curl`/`wget` deny rules    | Direct socket via `python`/`node`      | Seccomp BPF blocks socket syscalls    |
+| DNS tunneling            | sandbox.network (WSL2 only) | Data embedded in DNS queries           | Network Namespace isolates all DNS    |
+| PowerShell sockets       | Pattern matching            | Encoding/obfuscation                   | Seccomp BPF + Network NS dual defense |
+
+**Structural guarantee**: The agent **cannot** disable its own guardrails — policies exist outside the container and are locked at sandbox creation.
+
 [NVIDIA OpenShell](https://github.com/NVIDIA/OpenShell) (Apache 2.0) provides **kernel-level isolation** for AI agents via Docker:
 
 | Mechanism    | Target     | Protection                |