shield-harness 0.1.0

package/.claude/hooks/sh-worktree.js

@@ -0,0 +1,230 @@
+#!/usr/bin/env node
+// sh-worktree.js — Worktree security propagation & evidence merge
+// Spec: DETAILED_DESIGN.md §5.8
+// Events: WorktreeCreate, WorktreeRemove
+// Target response time: < 200ms
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const {
+  readHookInput,
+  allow,
+  deny,
+  appendEvidence,
+  EVIDENCE_FILE,
+} = require("./lib/sh-utils");
+
+const HOOK_NAME = "sh-worktree";
+
+// Files/directories to copy to worktree
+const COPY_TARGETS = [
+  { src: path.join(".claude", "settings.json"), type: "file" },
+  {
+    src: path.join(".claude", "patterns", "injection-patterns.json"),
+    type: "file",
+  },
+];
+
+// Directories to recursively copy
+const COPY_DIRS = [
+  {
+    src: path.join(".claude", "hooks"),
+    filter: (f) => f.startsWith("sh-") && f.endsWith(".js"),
+  },
+  {
+    src: path.join(".claude", "hooks", "lib"),
+    filter: (f) => f === "sh-utils.js",
+  },
+  { src: path.join(".claude", "rules"), filter: (f) => f.endsWith(".md") },
+];
+
+// ---------------------------------------------------------------------------
+// Copy Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Copy a single file to the worktree, preserving directory structure.
+ * @param {string} srcFile - Relative path from project root
+ * @param {string} worktreePath - Absolute path to worktree root
+ */
+function copyFileToWorktree(srcFile, worktreePath) {
+  if (!fs.existsSync(srcFile)) return;
+
+  const destFile = path.join(worktreePath, srcFile);
+  const destDir = path.dirname(destFile);
+
+  if (!fs.existsSync(destDir)) {
+    fs.mkdirSync(destDir, { recursive: true });
+  }
+
+  fs.copyFileSync(srcFile, destFile);
+}
+
+/**
+ * Copy filtered files from a directory to worktree.
+ * @param {string} srcDir - Relative path from project root
+ * @param {Function} filter - File name filter function
+ * @param {string} worktreePath - Absolute path to worktree root
+ */
+function copyDirToWorktree(srcDir, filter, worktreePath) {
+  if (!fs.existsSync(srcDir)) return;
+
+  const files = fs.readdirSync(srcDir).filter(filter);
+  for (const f of files) {
+    copyFileToWorktree(path.join(srcDir, f), worktreePath);
+  }
+}
+
+/**
+ * Propagate Shield Harness security config to a worktree.
+ * @param {string} worktreePath
+ * @returns {number} Number of files copied
+ */
+function propagateConfig(worktreePath) {
+  let count = 0;
+
+  // Copy individual files
+  for (const { src } of COPY_TARGETS) {
+    if (fs.existsSync(src)) {
+      copyFileToWorktree(src, worktreePath);
+      count++;
+    }
+  }
+
+  // Copy filtered directories
+  for (const { src, filter } of COPY_DIRS) {
+    if (fs.existsSync(src)) {
+      const files = fs.readdirSync(src).filter(filter);
+      for (const f of files) {
+        copyFileToWorktree(path.join(src, f), worktreePath);
+        count++;
+      }
+    }
+  }
+
+  return count;
+}
+
+/**
+ * Merge worktree evidence ledger into main ledger.
+ * @param {string} worktreePath
+ * @returns {number} Number of entries merged
+ */
+function mergeEvidence(worktreePath) {
+  const worktreeLedger = path.join(
+    worktreePath,
+    ".shield-harness",
+    "logs",
+    "evidence-ledger.jsonl",
+  );
+
+  if (!fs.existsSync(worktreeLedger)) return 0;
+
+  const content = fs.readFileSync(worktreeLedger, "utf8").trim();
+  if (!content) return 0;
+
+  const lines = content.split("\n");
+  let merged = 0;
+
+  for (const line of lines) {
+    if (!line.trim()) continue;
+    try {
+      const entry = JSON.parse(line);
+      // Mark as merged from worktree
+      entry.source_worktree = worktreePath;
+      appendEvidence(entry);
+      merged++;
+    } catch {
+      // Skip malformed entries
+    }
+  }
+
+  return merged;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+try {
+  const input = readHookInput();
+  const { hookType } = input;
+  const worktreePath =
+    input.toolInput.worktree_path || input.toolInput.path || "";
+
+  if (!worktreePath) {
+    allow();
+    return;
+  }
+
+  if (hookType === "WorktreeCreate") {
+    // Propagate security config to new worktree
+    const filesCopied = propagateConfig(worktreePath);
+
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "WorktreeCreate",
+        decision: "allow",
+        worktree_path: worktreePath,
+        files_copied: filesCopied,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    allow(
+      `[${HOOK_NAME}] Shield Harness 設定を worktree にコピーしました (${filesCopied} files)`,
+    );
+    return;
+  }
+
+  if (hookType === "WorktreeRemove") {
+    // Merge evidence from worktree
+    const entriesMerged = mergeEvidence(worktreePath);
+
+    try {
+      appendEvidence({
+        hook: HOOK_NAME,
+        event: "WorktreeRemove",
+        decision: "allow",
+        worktree_path: worktreePath,
+        entries_merged: entriesMerged,
+        session_id: input.sessionId,
+      });
+    } catch {
+      // Non-blocking
+    }
+
+    allow(
+      `[${HOOK_NAME}] Worktree 証跡をマージしました (${entriesMerged} entries)`,
+    );
+    return;
+  }
+
+  // Unknown event type — allow passthrough
+  allow();
+} catch (err) {
+  // SECURITY hook — fail-close
+  process.stdout.write(
+    JSON.stringify({
+      reason: `[${HOOK_NAME}] Hook error (fail-close): ${err.message}`,
+    }),
+  );
+  process.exit(2);
+}
+
+// ---------------------------------------------------------------------------
+// Exports (for testing)
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  COPY_TARGETS,
+  COPY_DIRS,
+  propagateConfig,
+  mergeEvidence,
+  copyFileToWorktree,
+  copyDirToWorktree,
+};

package/.claude/patterns/injection-patterns.json

@@ -0,0 +1,137 @@
+{
+  "version": "1.0.0",
+  "categories": {
+    "direct_injection": {
+      "severity": "critical",
+      "description": "Direct prompt injection — bypass instructions embedded in user input (TH-02-1)",
+      "patterns": [
+        "ignore\\s+(all\\s+)?(previous|prior|above|earlier)\\s+(instructions|rules|guidelines|directives)",
+        "disregard\\s+(all\\s+)?(previous|prior|above)\\s+(instructions|rules)",
+        "forget\\s+(all\\s+)?(previous|prior|above)\\s+(instructions|rules|context)",
+        "override\\s+(all\\s+)?(safety|security|restrictions|rules|guidelines)",
+        "bypass\\s+(all\\s+)?(safety|security|restrictions|filters|rules)",
+        "you\\s+must\\s+(now\\s+)?ignore\\s+(all|any|every)",
+        "new\\s+instructions?:\\s",
+        "system\\s*:\\s*(you\\s+are|from\\s+now)"
+      ],
+      "action": "deny"
+    },
+    "indirect_injection": {
+      "severity": "critical",
+      "description": "Indirect prompt injection — instructions embedded in file content or MCP output (TH-02-2)",
+      "patterns": [
+        "\\[SYSTEM\\]",
+        "\\[INST\\]",
+        "<<SYS>>",
+        "<\\|im_start\\|>\\s*system",
+        "BEGIN\\s+HIDDEN\\s+(INSTRUCTIONS?|PROMPT)",
+        "IMPORTANT:\\s*ignore\\s+previous",
+        "AI\\s+INSTRUCTIONS?:\\s",
+        "ASSISTANT\\s+OVERRIDE:\\s"
+      ],
+      "action": "deny"
+    },
+    "role_hijack": {
+      "severity": "critical",
+      "description": "Role hijacking — persona/role override attempts (TH-02-3)",
+      "patterns": [
+        "you\\s+are\\s+(now|no\\s+longer)\\s+(a|an|the)?\\s*\\w+",
+        "act\\s+as\\s+(if\\s+you\\s+are\\s+)?(a|an)?\\s*(unrestricted|unfiltered|jailbroken|DAN)",
+        "pretend\\s+(you\\s+are|to\\s+be)\\s+(a|an)?\\s*(unrestricted|evil|malicious)",
+        "DAN\\s*(mode|prompt|jailbreak)?",
+        "Developer\\s+Mode\\s+(enabled|activated|on)",
+        "jailbreak(ed)?\\s*(mode|prompt)?",
+        "do\\s+anything\\s+now"
+      ],
+      "action": "deny"
+    },
+    "encoding_attack": {
+      "severity": "high",
+      "description": "Encoding/obfuscation attacks — base64, Unicode escape, homoglyph (TH-02-4)",
+      "patterns": [
+        "eval\\s*\\(\\s*atob\\s*\\(",
+        "Buffer\\.from\\s*\\([^)]+,\\s*['\"]base64['\"]\\)",
+        "\\\\u0{0,2}(7[0-9a-fA-F]|[89a-fA-F][0-9a-fA-F])",
+        "\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}",
+        "String\\.fromCharCode\\s*\\(",
+        "\\u200[b-f]",
+        "\\u00ad",
+        "\\ufeff"
+      ],
+      "action": "deny"
+    },
+    "context_manipulation": {
+      "severity": "high",
+      "description": "Context manipulation — fake system messages, delimiter injection (TH-02-5)",
+      "patterns": [
+        "<system[_-]?(message|prompt|reminder)>",
+        "</?(system|assistant|user|human|ai)\\s*>",
+        "---\\s*(system|assistant)\\s*(message|response|output)\\s*---",
+        "\\*\\*\\*\\s*(SYSTEM|ADMIN|ROOT)\\s*(MESSAGE|OVERRIDE|COMMAND)\\s*\\*\\*\\*",
+        "={3,}\\s*(BEGIN|START)\\s*(SYSTEM|ADMIN|OVERRIDE)",
+        "<\\|endoftext\\|>",
+        "<\\|pad\\|>"
+      ],
+      "action": "deny"
+    },
+    "instruction_smuggling": {
+      "severity": "high",
+      "description": "Instruction smuggling — hidden instructions in HTML comments, markdown, etc (TH-02-6)",
+      "patterns": [
+        "<!--\\s*(ignore|override|bypass|system|instruction)",
+        "```\\s*(system|instruction|override|hidden)",
+        "\\[//\\]:\\s*#\\s*\\(",
+        "\\u200b.*\\u200b",
+        "%00",
+        "\\\\0{1,3}[0-7]"
+      ],
+      "action": "deny"
+    },
+    "zero_width": {
+      "severity": "high",
+      "description": "Zero-width character injection — invisible characters used to bypass pattern matching (TH-02-4)",
+      "patterns": [
+        "[\\u200b\\u200c\\u200d\\u200e\\u200f]",
+        "[\\u2028\\u2029]",
+        "[\\u2060\\u2061\\u2062\\u2063\\u2064]",
+        "[\\ufeff]",
+        "[\\u00ad]",
+        "[\\u034f]",
+        "[\\u115f\\u1160]"
+      ],
+      "action": "deny"
+    },
+    "data_exfiltration": {
+      "severity": "high",
+      "description": "Data exfiltration — sensitive data embedded in URLs or external requests (TH-02-7)",
+      "patterns": [
+        "curl\\s+.*(-d|--data|--data-raw|--data-binary)\\s+.*(@/etc/|@~/|@\\.env|@.*\\.pem|@.*\\.key)",
+        "wget\\s+.*--post-data=.*(\\.env|password|secret|token|api.?key)",
+        "curl\\s+.*\\?.*=(\\$[A-Z_]+|\\$\\{[A-Z_]+\\})",
+        "fetch\\s*\\(['\"]https?://[^'\"]+\\?[^'\"]*(?:key|token|secret|password|auth)=",
+        "\\|\\s*curl\\s+",
+        "\\|\\s*nc\\s+",
+        "\\|\\s*wget\\s+"
+      ],
+      "action": "deny"
+    },
+    "privilege_escalation": {
+      "severity": "medium",
+      "description": "Privilege escalation hints — attempts to gain elevated access or modify security controls",
+      "patterns": [
+        "sudo\\s+",
+        "chmod\\s+[0-7]*7[0-7]*\\s+",
+        "chown\\s+root",
+        "setuid",
+        "capabilities?\\s*=",
+        "security\\.yaml|security\\.json|security\\.toml"
+      ],
+      "action": "warn"
+    }
+  },
+  "metadata": {
+    "generated_at": "2026-03-22T12:00:00.000Z",
+    "pattern_count": 62,
+    "sha256": "86059a6935daf72ea23751045f04b4f3740328568715f987570d75bac307ce18"
+  }
+}

package/.claude/policies/openshell-default.yaml

@@ -0,0 +1,65 @@
+# Shield Harness — OpenShell Default Policy Template
+# Schema: OpenShell Policy v1
+# Reference: ADR-037, https://docs.nvidia.com/openshell/latest/reference/policy-schema.html
+#
+# Usage:
+#   openshell sandbox create --policy .claude/policies/openshell-default.yaml -- claude
+#
+# Customize this template for your project's needs.
+# Static policies (filesystem, landlock, process) require sandbox recreation to change.
+# Network policies can be hot-reloaded: openshell policy set <name> --policy <file> --wait
+
+version: 1
+
+# --- Static (locked at sandbox creation) ---
+
+filesystem_policy:
+  include_workdir: true
+  read_only:
+    - /usr
+    - /lib
+    - /etc
+  read_write:
+    - /sandbox
+    - /tmp
+
+landlock:
+  compatibility: best_effort
+
+process:
+  run_as_user: sandbox
+  run_as_group: sandbox
+
+# --- Dynamic (hot-reloadable) ---
+
+network_policies:
+  anthropic_api:
+    name: anthropic-api
+    endpoints:
+      - host: api.anthropic.com
+        port: 443
+        access: full
+    binaries:
+      - path: /usr/local/bin/claude
+
+  github:
+    name: github
+    endpoints:
+      - host: github.com
+        port: 443
+        access: read-only
+      - host: "*.githubusercontent.com"
+        port: 443
+        access: read-only
+    binaries:
+      - path: /usr/bin/git
+
+  npm_registry:
+    name: npm-registry
+    endpoints:
+      - host: registry.npmjs.org
+        port: 443
+        access: read-only
+    binaries:
+      - path: /usr/bin/npm
+      - path: /usr/bin/node

package/.claude/rules/binding-governance.md

@@ -0,0 +1,62 @@
+# Binding Governance Rules
+
+Binding is the governance control layer for shield-harness. It is NOT an LLM — it is a set of rules, gates, and contracts enforced by Claude Code (Orchestra).
+
+## Operating Profiles
+
+| Profile      | Gate Density                     | Use When                                    |
+| ------------ | -------------------------------- | ------------------------------------------- |
+| **Lite**     | STG0 + STG6 only                 | Low-risk tasks (docs, minor edits)          |
+| **Standard** | All STG gates                    | Normal development tasks                    |
+| **Strict**   | All STG gates + mandatory review | Security-sensitive or public-facing changes |
+
+Profile is selected at `/startproject` time based on task risk level.
+
+## STG Gates (Stage Gates)
+
+| Gate | Name           | Purpose                            |
+| ---- | -------------- | ---------------------------------- |
+| STG0 | Requirements   | Task acceptance criteria confirmed |
+| STG1 | Design         | Architecture/approach reviewed     |
+| STG2 | Implementation | Code written and self-reviewed     |
+| STG3 | Verification   | Tests pass, lint clean             |
+| STG4 | Automation     | CI/CD checks pass                  |
+| STG5 | Commit/Push    | Changes committed and pushed       |
+| STG6 | PR/Merge       | Pull request created and merged    |
+
+## fail-close Principle
+
+- When safety conditions are NOT met, Binding STOPS execution
+- On stop: output reason and recovery steps in Japanese
+- Never skip a gate — always fail-close
+
+## Layer Contract
+
+### Orchestra -> Binding (Input)
+
+| Field      | Type   | Description                    |
+| ---------- | ------ | ------------------------------ |
+| profile    | string | "lite" / "standard" / "strict" |
+| task_id    | string | e.g., "TASK-001"               |
+| intent     | string | What the task aims to achieve  |
+| risk_level | string | "low" / "medium" / "high"      |
+| request_id | string | Unique request identifier      |
+
+### Binding -> Orchestra (Output)
+
+| Field               | Type   | Description                                                      |
+| ------------------- | ------ | ---------------------------------------------------------------- |
+| decision            | string | "allow" / "stop"                                                 |
+| failed_steps        | array  | List of failed gate checks                                       |
+| required_actions    | array  | Steps needed to proceed                                          |
+| evidence_paths      | array  | Paths to evidence files                                          |
+| next_state          | string | backlog/STG update result                                        |
+| quality_gate_source | string | Source of blocking/high judgments (CI results, review summaries) |
+| quality_gate_counts | object | { blocking: number, high: number }                               |
+
+## Single Source of Truth
+
+- **Task state**: `tasks/backlog.yaml` is the ONLY authoritative source
+- **Stage status**: Tracked in `stage_status` field within backlog.yaml
+- **Evidence**: Recorded in `evidence` array within each task
+- **Decision log**: Decision log is maintained per-project.

package/.claude/rules/channel-security.md

@@ -0,0 +1,90 @@
+# Channel Security Rules
+
+## Approval-Free Mode (ADR-032)
+
+When `approval_free: true` in pipeline-config.json:
+
+- All security decisions are delegated to hooks (no human approval dialogs)
+- `permissions.deny` rules remain absolute — hooks cannot override them
+- `permissions.ask` rules are promoted to `allow` at SessionStart
+- All hook-based defenses (gate, injection-guard, permission) run at 100%
+
+## Security Invariants
+
+These guarantees hold regardless of approval_free setting:
+
+1. **deny is absolute**: No hook, agent, or automation can override a deny rule
+2. **fail-close**: If a hook cannot determine safety, it denies (exit 2)
+3. **evidence required**: All allow/deny decisions are recorded in evidence-ledger
+4. **no silent bypass**: Hook errors result in deny, not silent allow
+
+## Claude Code Channels Security Harness (ADR-036 §D4)
+
+Claude Code Channels (2026-03-20 公式リリース) は MCP ベースの Telegram/Discord 連携。
+Shield Harness は独自のチャンネル実装を持たず、公式 Channels のセキュリティハーネスとして機能する。
+
+### 対応方針
+
+- 公式 Channels のみサポート（Telegram, Discord）
+- 独自チャンネル実装は行わない（公式 Channels の `--channels` が唯一のプッシュ手段）
+- VS Code パネルモードでの `--channels` 対応は公式の対応を待つ
+- Shield Harness hooks はタグ検知方式で自動追従（環境固有コード不要）
+
+### チャンネルイベント検知
+
+Channel messages arrive as `<channel source="telegram|discord">` events.
+Shield Harness hooks detect this tag automatically on any hook event:
+
+- `UserPromptSubmit`: channel source tag detection → NFKC normalization → injection scan
+- `PreToolUse`: normal gate/permission checks apply to channel-originated commands
+- `PostToolUse`: evidence recording with `source: channel` metadata
+
+### 自動適応保証
+
+以下の理由により、Shield Harness は公式 Channels の環境拡大に自動追従する:
+
+1. hooks は `<channel source="...">` タグの有無で判定（環境非依存）
+2. settings.json の hook 登録は CLI / VS Code 共通
+3. `--channels` が VS Code で有効化された瞬間から Shield Harness のセキュリティゲートが発火
+4. チャンネル無効環境ではイベント自体が到着しないため、誤検知なし（fail-safe）
+
+### チャンネル固有の脅威緩和
+
+- **Injection via channel message**: NFKC normalization + injection-patterns.json scan
+- **Unauthorized sender**: 公式 allowlist（第一防衛線）+ Shield Harness 二重検証
+- **Privilege escalation**: channel messages cannot modify deny rules or hook configuration
+- **Task creation via channel**: requires STG0 gate validation before acceptance
+
+### Implementation Mapping
+
+Hook implementations that handle channel-related security:
+
+| Threat                | Hook                | Function                                                                | Spec       |
+| --------------------- | ------------------- | ----------------------------------------------------------------------- | ---------- |
+| Injection via channel | sh-user-prompt.js   | `scanPatterns()` with `isChannel` flag                                  | §5.4, §8.6 |
+| Severity boost        | sh-user-prompt.js   | `boostSeverity()` — elevates severity by one level for channel messages | §8.6.2     |
+| Channel detection     | sh-user-prompt.js   | `session.source === "channel"` check via `readSession()`                | §8.6.1     |
+| Evidence metadata     | sh-evidence.js      | `is_channel` field in evidence-ledger.jsonl entries                     | §8.6.3     |
+| Data boundary         | sh-data-boundary.js | Jurisdiction tracking applies to channel-originated commands            | §3.4       |
+| Config protection     | sh-config-guard.js  | deny rules and hook config immutable regardless of source               | §5.3       |
+| Task gate             | sh-pipeline.js      | STG0 validation required for channel-originated task creation           | §8.1       |
+
+### Severity Boost Table
+
+Channel messages automatically boost pattern severity by one level:
+
+| Original | Boosted  | Action     |
+| -------- | -------- | ---------- |
+| low      | medium   | warn       |
+| medium   | high     | deny       |
+| high     | critical | deny       |
+| critical | critical | deny (cap) |
+
+### Phase 2 Migration
+
+When `--channels` becomes available in VS Code panel mode:
+
+1. `sh-session-start.js` version-check detects the new capability
+2. additionalContext suggests migration via `npx shield-harness channels migrate`
+3. No hook code changes required — tag-based detection is environment-agnostic
+4. New channel providers (beyond Telegram/Discord) are automatically covered

package/.claude/rules/coding-principles.md

@@ -0,0 +1,79 @@
+# Coding Principles
+
+Core coding rules to always follow.
+
+## Simplicity First
+
+- Choose readable code over complex code
+- Avoid over-abstraction
+- Prioritize "understandable" over "working"
+
+## Single Responsibility
+
+- One function does one thing only
+- One class has one responsibility only
+- Target 200-400 lines per file (max 800)
+
+## Early Return
+
+```python
+# Bad: Deep nesting
+def process(value):
+    if value is not None:
+        if value > 0:
+            return do_something(value)
+    return None
+
+# Good: Early return
+def process(value):
+    if value is None:
+        return None
+    if value <= 0:
+        return None
+    return do_something(value)
+```
+
+## Type Hints Required
+
+All functions must have type annotations:
+
+```python
+def call_llm(
+    prompt: str,
+    model: str = "gpt-4",
+    max_tokens: int = 1000
+) -> str:
+    ...
+```
+
+## Immutability
+
+Create new objects instead of mutating existing ones:
+
+```python
+# Bad: Mutating existing object
+data["new_key"] = value
+
+# Good: Creating new object
+new_data = {**data, "new_key": value}
+```
+
+## Naming Conventions
+
+- **Variables/Functions**: snake_case (English)
+- **Classes**: PascalCase (English)
+- **Constants**: UPPER_SNAKE_CASE (English)
+- **Meaningful names**: `user_count` over `x`
+
+## No Magic Numbers
+
+```python
+# Bad
+if retry_count > 3:
+    ...
+
+# Good
+MAX_RETRIES = 3
+if retry_count > MAX_RETRIES:
+    ...
+```