shield-harness 0.3.0 → 0.4.0

package/.claude/hooks/lib/policy-drift.js

@@ -0,0 +1,322 @@
+#!/usr/bin/env node
+// policy-drift.js — Detect drift between permissions-spec.json deny rules and OpenShell policy YAML
+// Part of Shield Harness: ensures policy files stay in sync with the canonical deny rules
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+// --- Dependencies (local modules) ---
+
+const { loadPermissionsSpec } = require("./permissions-validator");
+const { classifyRulesByDomain } = require("./tier-policy-gen");
+
+// --- YAML Parsing (regex-based, no js-yaml dependency) ---
+
+/**
+ * Extract a YAML list section by name.
+ * Expects predictable structure generated by tier-policy-gen.js:
+ *   section_name:
+ *     - item1
+ *     - item2
+ *
+ * @param {string} content - Full YAML file content
+ * @param {string} sectionName - Name of the section (e.g., "deny_read")
+ * @returns {string[]} List of items found under the section
+ */
+function extractYamlList(content, sectionName) {
+  // Match section header followed by indented list items
+  var pattern = new RegExp(
+    sectionName + ":\\n((?:[ \\t]+-[ \\t]+.+\\n)*)",
+    "m",
+  );
+  var match = content.match(pattern);
+  if (!match) return [];
+  return match[1]
+    .split("\n")
+    .filter(function (l) {
+      return l.trim().startsWith("- ");
+    })
+    .map(function (l) {
+      return l.trim().replace(/^-\s+/, "");
+    });
+}
+
+/**
+ * Extract blocked network operations from YAML comment block.
+ * Expects format generated by tier-policy-gen.js:
+ *   # Blocked network operations (from permissions-spec.json deny rules):
+ *   #   - curl *
+ *   #   - wget *
+ *
+ * @param {string} content - Full YAML file content
+ * @returns {string[]} List of blocked network commands
+ */
+function extractBlockedNetworkComments(content) {
+  var pattern =
+    /# Blocked network operations[^\n]*:\n((?:#[ \t]+-[ \t]+.+\n)*)/m;
+  var match = content.match(pattern);
+  if (!match) return [];
+  return match[1]
+    .split("\n")
+    .filter(function (l) {
+      return l.trim().startsWith("#");
+    })
+    .map(function (l) {
+      return l.trim().replace(/^#\s+-\s+/, "");
+    });
+}
+
+/**
+ * Parse all relevant sections from a policy YAML file.
+ * Returns structured data without requiring js-yaml.
+ *
+ * @param {string} content - Full YAML file content
+ * @returns {{
+ *   denyRead: string[],
+ *   denyWrite: string[],
+ *   readWrite: string[],
+ *   blockedNetwork: string[]
+ * }}
+ */
+function parsePolicyYaml(content) {
+  return {
+    denyRead: extractYamlList(content, "deny_read"),
+    denyWrite: extractYamlList(content, "deny_write"),
+    readWrite: extractYamlList(content, "read_write"),
+    blockedNetwork: extractBlockedNetworkComments(content),
+  };
+}
+
+// --- Drift Detection ---
+
+/**
+ * Check drift between permissions-spec deny rules and OpenShell policy YAML.
+ *
+ * Compares the classified deny rules from permissions-spec.json against
+ * the content of policy YAML files in the specified directory.
+ *
+ * Drift rules:
+ *   1. Missing filesystem deny (read): spec denyRead paths not in policy deny_read
+ *   2. Missing filesystem deny (write): spec denyWrite paths not in policy deny_write
+ *   3. Policy allows denied: paths in denyRead/denyWrite that also appear in read_write
+ *   4. Missing network deny: network commands not in blocked network comments
+ *   5. No policy files: skip (no drift reported)
+ *   6. No spec file: skip (no drift reported)
+ *   7. Parse errors: fail-safe (no drift, warning logged)
+ *
+ * @param {{ specPath: string, policyDir: string }} params
+ * @returns {{
+ *   has_drift: boolean,
+ *   warnings: string[],
+ *   details: {
+ *     missing_filesystem_deny: string[],
+ *     missing_network_deny: string[],
+ *     policy_allows_denied: string[]
+ *   },
+ *   checked_at: string
+ * }}
+ */
+function checkPolicyDrift({ specPath, policyDir }) {
+  var emptyResult = {
+    has_drift: false,
+    warnings: [],
+    details: {
+      missing_filesystem_deny: [],
+      missing_network_deny: [],
+      policy_allows_denied: [],
+    },
+    checked_at: new Date().toISOString(),
+  };
+
+  // Rule 6: No spec file — skip silently
+  if (!specPath || !fs.existsSync(specPath)) {
+    return emptyResult;
+  }
+
+  // Rule 5: No policy directory or no .yaml files — skip silently
+  if (!policyDir || !fs.existsSync(policyDir)) {
+    return emptyResult;
+  }
+
+  var policyFiles;
+  try {
+    policyFiles = fs.readdirSync(policyDir).filter(function (f) {
+      return f.endsWith(".yaml") || f.endsWith(".yml");
+    });
+  } catch (e) {
+    return emptyResult;
+  }
+
+  if (policyFiles.length === 0) {
+    return emptyResult;
+  }
+
+  // Load and classify spec deny rules
+  var spec;
+  try {
+    spec = loadPermissionsSpec(specPath);
+  } catch (err) {
+    return {
+      has_drift: false,
+      warnings: ["parse_error: spec load failed \u2014 " + err.message],
+      details: {
+        missing_filesystem_deny: [],
+        missing_network_deny: [],
+        policy_allows_denied: [],
+      },
+      checked_at: new Date().toISOString(),
+    };
+  }
+
+  var classified;
+  try {
+    classified = classifyRulesByDomain(spec.deny);
+  } catch (err) {
+    return {
+      has_drift: false,
+      warnings: [
+        "parse_error: rule classification failed \u2014 " + err.message,
+      ],
+      details: {
+        missing_filesystem_deny: [],
+        missing_network_deny: [],
+        policy_allows_denied: [],
+      },
+      checked_at: new Date().toISOString(),
+    };
+  }
+
+  // Aggregate policy content from all YAML files
+  var aggregated = {
+    denyRead: new Set(),
+    denyWrite: new Set(),
+    readWrite: new Set(),
+    blockedNetwork: new Set(),
+  };
+
+  for (var i = 0; i < policyFiles.length; i++) {
+    var filePath = path.join(policyDir, policyFiles[i]);
+    var content;
+    try {
+      content = fs.readFileSync(filePath, "utf8");
+    } catch (err) {
+      // Rule 7: Parse error — fail-safe
+      return {
+        has_drift: false,
+        warnings: [
+          "parse_error: cannot read " + filePath + " \u2014 " + err.message,
+        ],
+        details: {
+          missing_filesystem_deny: [],
+          missing_network_deny: [],
+          policy_allows_denied: [],
+        },
+        checked_at: new Date().toISOString(),
+      };
+    }
+
+    var parsed;
+    try {
+      parsed = parsePolicyYaml(content);
+    } catch (err) {
+      return {
+        has_drift: false,
+        warnings: [
+          "parse_error: cannot parse " + filePath + " \u2014 " + err.message,
+        ],
+        details: {
+          missing_filesystem_deny: [],
+          missing_network_deny: [],
+          policy_allows_denied: [],
+        },
+        checked_at: new Date().toISOString(),
+      };
+    }
+
+    parsed.denyRead.forEach(function (p) {
+      aggregated.denyRead.add(p);
+    });
+    parsed.denyWrite.forEach(function (p) {
+      aggregated.denyWrite.add(p);
+    });
+    parsed.readWrite.forEach(function (p) {
+      aggregated.readWrite.add(p);
+    });
+    parsed.blockedNetwork.forEach(function (cmd) {
+      aggregated.blockedNetwork.add(cmd);
+    });
+  }
+
+  // --- Compare classified rules against aggregated policy ---
+
+  var warnings = [];
+  var missingFilesystemDeny = [];
+  var missingNetworkDeny = [];
+  var policyAllowsDenied = [];
+
+  // Rule 1: Missing filesystem deny (read)
+  for (var ri = 0; ri < classified.denyRead.length; ri++) {
+    var readPath = classified.denyRead[ri];
+    if (!aggregated.denyRead.has(readPath)) {
+      warnings.push("deny_read missing in policy: " + readPath);
+      missingFilesystemDeny.push(readPath);
+    }
+  }
+
+  // Rule 2: Missing filesystem deny (write)
+  for (var wi = 0; wi < classified.denyWrite.length; wi++) {
+    var writePath = classified.denyWrite[wi];
+    if (!aggregated.denyWrite.has(writePath)) {
+      warnings.push("deny_write missing in policy: " + writePath);
+      missingFilesystemDeny.push(writePath);
+    }
+  }
+
+  // Rule 3: Policy allows denied — conflict detection
+  var allDeniedPaths = new Set(
+    classified.denyRead.concat(classified.denyWrite),
+  );
+  aggregated.readWrite.forEach(function (rwPath) {
+    if (allDeniedPaths.has(rwPath)) {
+      warnings.push("conflict: read_write allows denied path: " + rwPath);
+      policyAllowsDenied.push(rwPath);
+    }
+  });
+
+  // Rule 4: Missing network deny
+  for (var ni = 0; ni < classified.network.length; ni++) {
+    var netCmd = classified.network[ni];
+    if (!aggregated.blockedNetwork.has(netCmd)) {
+      warnings.push(
+        "blocked network command missing in policy comments: " + netCmd,
+      );
+      missingNetworkDeny.push(netCmd);
+    }
+  }
+
+  var hasDrift =
+    missingFilesystemDeny.length > 0 ||
+    missingNetworkDeny.length > 0 ||
+    policyAllowsDenied.length > 0;
+
+  return {
+    has_drift: hasDrift,
+    warnings: warnings,
+    details: {
+      missing_filesystem_deny: missingFilesystemDeny,
+      missing_network_deny: missingNetworkDeny,
+      policy_allows_denied: policyAllowsDenied,
+    },
+    checked_at: new Date().toISOString(),
+  };
+}
+
+module.exports = {
+  // Main entry point
+  checkPolicyDrift: checkPolicyDrift,
+  // Parsing helpers (exported for unit testing)
+  extractYamlList: extractYamlList,
+  extractBlockedNetworkComments: extractBlockedNetworkComments,
+  parsePolicyYaml: parsePolicyYaml,
+};

package/.claude/hooks/sh-config-guard.js

@@ -18,6 +18,7 @@ const {
 const HOOK_NAME = "sh-config-guard";
 const SETTINGS_FILE = path.join(".claude", "settings.json");
 const CONFIG_HASH_FILE = path.join(".claude", "logs", "config-hash.json");
+const POLICIES_DIR = path.join(".claude", "policies");
 
 // ---------------------------------------------------------------------------
 // Config Analysis
@@ -63,10 +64,91 @@ function saveConfigSnapshot(snapshot) {
   fs.writeFileSync(CONFIG_HASH_FILE, JSON.stringify(snapshot, null, 2));
 }
 
+/**
+ * Count items in a YAML list section.
+ * Matches a section header like "deny_read:" followed by indented list items.
+ * @param {string} content - YAML file content
+ * @param {string} sectionName - Name of the YAML section to count
+ * @returns {number} Number of list items in the section
+ */
+function countYamlListItems(content, sectionName) {
+  const regex = new RegExp(sectionName + ":\\n((?:\\s+-\\s+.+\\n)*)", "m");
+  const match = content.match(regex);
+  if (!match) return 0;
+  return match[1].split("\n").filter((l) => l.trim().startsWith("- ")).length;
+}
+
+/**
+ * Count host: entries in network_policies section.
+ * @param {string} content - YAML file content
+ * @returns {number} Number of network endpoint entries
+ */
+function countNetworkEndpoints(content) {
+  const matches = content.match(/^\s+[-\s]*host:\s/gm);
+  return matches ? matches.length : 0;
+}
+
+/**
+ * Scan .claude/policies/ for YAML files and compute SHA-256 hash of each.
+ * @returns {Object.<string, string>} Map of file path to SHA-256 hash
+ */
+function extractPolicyHashes() {
+  const hashes = {};
+  if (!fs.existsSync(POLICIES_DIR)) return hashes;
+  try {
+    const files = fs
+      .readdirSync(POLICIES_DIR)
+      .filter((f) => f.endsWith(".yaml") || f.endsWith(".yml"));
+    for (const file of files) {
+      const filePath = path.join(POLICIES_DIR, file);
+      try {
+        const content = fs.readFileSync(filePath, "utf8");
+        hashes[filePath] = sha256(content);
+      } catch {
+        /* skip unreadable */
+      }
+    }
+  } catch {
+    /* dir read error */
+  }
+  return hashes;
+}
+
+/**
+ * Extract security-critical counts from each YAML policy file.
+ * @returns {Object.<string, { deny_read_count: number, deny_write_count: number, read_write_count: number, network_endpoint_count: number }>}
+ */
+function extractPolicyMetrics() {
+  const metrics = {};
+  if (!fs.existsSync(POLICIES_DIR)) return metrics;
+  try {
+    const files = fs
+      .readdirSync(POLICIES_DIR)
+      .filter((f) => f.endsWith(".yaml") || f.endsWith(".yml"));
+    for (const file of files) {
+      const filePath = path.join(POLICIES_DIR, file);
+      try {
+        const content = fs.readFileSync(filePath, "utf8");
+        metrics[filePath] = {
+          deny_read_count: countYamlListItems(content, "deny_read"),
+          deny_write_count: countYamlListItems(content, "deny_write"),
+          read_write_count: countYamlListItems(content, "read_write"),
+          network_endpoint_count: countNetworkEndpoints(content),
+        };
+      } catch {
+        /* skip */
+      }
+    }
+  } catch {
+    /* dir read error */
+  }
+  return metrics;
+}
+
 /**
  * Extract security-critical fields from settings.
  * @param {Object} settings
- * @returns {{ deny_rules: string[], hook_count: number, hook_events: string[], hook_commands: string[], sandbox: boolean, unsandboxed: boolean, disableAllHooks: boolean }}
+ * @returns {{ deny_rules: string[], hook_count: number, hook_events: string[], hook_commands: string[], sandbox: boolean, unsandboxed: boolean, disableAllHooks: boolean, policy_hashes: Object, policy_metrics: Object }}
  */
 function extractSecurityFields(settings) {
   const denyRules = (settings.permissions && settings.permissions.deny) || [];
@@ -100,6 +182,8 @@ function extractSecurityFields(settings) {
         : true,
     unsandboxed: Boolean(settings.allowUnsandboxedCommands),
     disableAllHooks: Boolean(settings.disableAllHooks),
+    policy_hashes: extractPolicyHashes(),
+    policy_metrics: extractPolicyMetrics(),
   };
 }
 
@@ -156,6 +240,52 @@ function detectDangerousMutations(stored, current) {
     reasons.push("disableAllHooks set to true");
   }
 
+  // Check 6: OpenShell policy file tampering (ADR-037 GA Phase)
+  const storedHashes = stored.policy_hashes || {};
+  const currentHashes = current.policy_hashes || {};
+  const storedMetrics = stored.policy_metrics || {};
+  const currentMetrics = current.policy_metrics || {};
+
+  for (const [filePath, storedHash] of Object.entries(storedHashes)) {
+    if (!(filePath in currentHashes)) {
+      // Policy file was deleted
+      reasons.push(`OpenShell policy file removed: "${filePath}"`);
+      continue;
+    }
+    if (currentHashes[filePath] !== storedHash) {
+      // Policy file changed — check for weakening
+      const sm = storedMetrics[filePath] || {};
+      const cm = currentMetrics[filePath] || {};
+
+      if (
+        sm.deny_read_count > 0 &&
+        (cm.deny_read_count || 0) < sm.deny_read_count
+      ) {
+        reasons.push(
+          `OpenShell policy weakened: deny_read reduced (${sm.deny_read_count} → ${cm.deny_read_count || 0}) in "${filePath}"`,
+        );
+      }
+      if (
+        sm.deny_write_count > 0 &&
+        (cm.deny_write_count || 0) < sm.deny_write_count
+      ) {
+        reasons.push(
+          `OpenShell policy weakened: deny_write reduced (${sm.deny_write_count} → ${cm.deny_write_count || 0}) in "${filePath}"`,
+        );
+      }
+      if ((cm.network_endpoint_count || 0) > (sm.network_endpoint_count || 0)) {
+        reasons.push(
+          `OpenShell policy weakened: network endpoints expanded (${sm.network_endpoint_count || 0} → ${cm.network_endpoint_count}) in "${filePath}"`,
+        );
+      }
+      if ((cm.read_write_count || 0) > (sm.read_write_count || 0)) {
+        reasons.push(
+          `OpenShell policy weakened: read_write paths expanded (${sm.read_write_count || 0} → ${cm.read_write_count}) in "${filePath}"`,
+        );
+      }
+    }
+  }
+
   return {
     blocked: reasons.length > 0,
     reasons,
@@ -272,4 +402,8 @@ module.exports = {
   saveConfigSnapshot,
   extractSecurityFields,
   detectDangerousMutations,
+  extractPolicyHashes,
+  extractPolicyMetrics,
+  countYamlListItems,
+  countNetworkEndpoints,
 };

package/.claude/hooks/sh-session-start.js

@@ -17,6 +17,7 @@ const {
 } = require("./lib/sh-utils");
 const { detectOpenShell } = require("./lib/openshell-detect");
 const { checkPolicyCompatibility } = require("./lib/policy-compat");
+const { checkPolicyDrift } = require("./lib/policy-drift");
 
 const HOOK_NAME = "sh-session-start";
 const CLAUDE_MD = "CLAUDE.md";
@@ -230,6 +231,38 @@ try {
     }
   }
 
+  // 2e: Policy drift check (ADR-037 GA Phase)
+  const POLICIES_DIR = path.join(".claude", "policies");
+  if (fs.existsSync(POLICIES_DIR)) {
+    try {
+      const driftResult = checkPolicyDrift({
+        specPath: PERM_SPEC_FILE,
+        policyDir: POLICIES_DIR,
+      });
+      session.policy_drift = driftResult;
+      writeSession(session);
+
+      if (driftResult.has_drift) {
+        contextParts.push(
+          `[layer-3b] WARNING: Policy drift detected — ${driftResult.warnings.length} issue(s) found`,
+        );
+        for (const warning of driftResult.warnings.slice(0, 3)) {
+          contextParts.push(`[layer-3b]   ${warning}`);
+        }
+        if (driftResult.warnings.length > 3) {
+          contextParts.push(
+            `[layer-3b]   ... and ${driftResult.warnings.length - 3} more`,
+          );
+        }
+        contextParts.push(
+          "[layer-3b] Run: npx shield-harness generate-policy to regenerate",
+        );
+      }
+    } catch {
+      // drift check failure is non-blocking
+    }
+  }
+
   // --- Module 3: Version Check (§5.1.4) ---
   // Store baseline hashes for instructions monitoring
   const hashes = {};
@@ -273,6 +306,14 @@ try {
       sandbox_version: openshellResult.version || null,
       sandbox_policy_enforced:
         openshellResult.available && openshellResult.container_running,
+      policy_drift: session.policy_drift
+        ? {
+            has_drift: session.policy_drift.has_drift,
+            warning_count: session.policy_drift.warnings
+              ? session.policy_drift.warnings.length
+              : 0,
+          }
+        : null,
       policy_compat: policyCompat
         ? {
             compatible: policyCompat.compatible,

package/.claude/permissions-spec.json

@@ -90,6 +90,16 @@
         "rationale": "Permissions SoT self-protection",
         "threat_id": "T-03"
       },
+      {
+        "rule": "Edit(.claude/policies/**)",
+        "rationale": "OpenShell policy file protection (ADR-037 GA)",
+        "threat_id": "T-03"
+      },
+      {
+        "rule": "Write(.claude/policies/**)",
+        "rationale": "OpenShell policy file protection (ADR-037 GA)",
+        "threat_id": "T-03"
+      },
       {
         "rule": "Bash(rm -rf /)",
         "rationale": "System destruction prevention",
@@ -433,7 +443,7 @@
     ]
   },
   "expected_counts": {
-    "deny": 41,
+    "deny": 43,
     "ask": 4,
     "allow": 49
   }

package/.claude/policies/openshell-generated.yaml

@@ -0,0 +1,105 @@
+# Auto-generated by Shield Harness tier-policy-gen
+# Source: permissions-spec.json v1.0.0
+# Profile: standard
+# Generated: 2026-03-24T06:03:59.030Z
+#
+# Usage:
+#   openshell sandbox create --policy <this-file> -- claude
+#
+# Static policies require sandbox recreation to change.
+# Network policies can be hot-reloaded: openshell policy set <name> --policy <file> --wait
+
+version: 1
+
+# --- Static (locked at sandbox creation) ---
+
+filesystem_policy:
+  include_workdir: true
+  deny_read:
+    - ~/.ssh
+    - ~/.aws
+    - ~/.gnupg
+    - **/.env
+    - **/.env.*
+    - **/credentials*
+    - ./**/*.pem
+    - ./**/*.key
+    - ./**/*secret*
+    - ~/.config/gcloud
+  deny_write:
+    - .claude/hooks
+    - .claude/rules
+    - .claude/skills
+    - .claude/settings.json
+    - .claude/permissions-spec.json
+    - .claude/settings.local.json
+    - .claude/policies
+    - tasks/backlog.yaml
+    - .shield-harness
+    - .claude/patterns
+  read_only:
+    - /usr
+    - /lib
+    - /etc
+  read_write:
+    - /sandbox
+    - /tmp
+
+landlock:
+  compatibility: best_effort
+
+process:
+  run_as_user: sandbox
+  run_as_group: sandbox
+
+# --- Dynamic (hot-reloadable) ---
+
+network_policies:
+  anthropic_api:
+    name: anthropic-api
+    endpoints:
+      - host: api.anthropic.com
+        port: 443
+        access: full
+    binaries:
+      - path: /usr/local/bin/claude
+
+  github:
+    name: github
+    endpoints:
+      - host: github.com
+        port: 443
+        access: read-only
+      - host: "*.githubusercontent.com"
+        port: 443
+        access: read-only
+    binaries:
+      - path: /usr/bin/git
+
+  npm_registry:
+    name: npm-registry
+    endpoints:
+      - host: registry.npmjs.org
+        port: 443
+        access: read-only
+    binaries:
+      - path: /usr/bin/npm
+      - path: /usr/bin/node
+
+# Blocked network operations (from permissions-spec.json deny rules):
+#   - curl *
+#   - wget *
+#   - Invoke-WebRequest *
+#   - nc *
+#   - ncat *
+#   - nmap *
+#   - git push --force *
+#   - npm publish *
+
+# Blocked process operations (from permissions-spec.json deny rules):
+#   - rm -rf /
+#   - rm -rf ~
+#   - del /s /q C:\\
+#   - format *
+#   - cat */.ssh/*
+#   - type *\\.ssh\\*

package/README.ja.md

@@ -4,9 +4,9 @@
 
 **Claude Code の全操作を自動防御するセキュリティハーネス**
 
-> 承認ダイアログなしで安全な自律開発を実現
+> フック駆動の自動判定で安全な自律開発を実現
 
-> **Alpha (v0.1.0)**: セキュリティモデルは開発中です。パーミッションルールと設計ドキュメントの整合作業を進めています。本番利用は推奨しません。
+> **v0.4.0**: 22 フック、4 層防御（L1 権限 + L2 フック + L3 サンドボックス + L3b OpenShell）、391 テスト（OWASP AITG 攻撃シミュレーション 108 テスト含む）。
 
 [![English](https://img.shields.io/badge/lang-English-blue?style=flat-square)](README.md)
 [![日本語](https://img.shields.io/badge/lang-日本語-red?style=flat-square)](#)
@@ -16,7 +16,7 @@
 ## Shield Harness とは
 
 Claude Code の全操作を自動防御するセキュリティハーネス。
-承認ダイアログなしで安全な自律開発を実現します。`.claude/` ディレクトリに展開される hooks + rules + permissions による多層防御でエージェントを統制します。
+フック駆動の自動判定で安全な自律開発を実現します。`.claude/` ディレクトリに展開される hooks + rules + permissions による多層防御でエージェントを統制します。
 
 ## クイックスタート
 
@@ -27,13 +27,13 @@ npx shield-harness init [--profile minimal|standard|strict]
 ## なぜ Shield Harness なのか
 
 - **フック駆動の防御**: 22 のセキュリティフックが Claude Code の全操作を監視
-- **承認レスモード**: hooks に全セキュリティ判定を委譲し、人間の承認ダイアログを排除
+- **自動セキュリティ判定**: hooks が全セキュリティ判断をリアルタイムで処理 — 手動承認のボトルネックなし
 - **fail-close 原則**: 安全条件を確認できない場合は自動的に停止
 - **証跡記録**: SHA-256 ハッシュチェーンで全 allow/deny 決定を改ざん不能な形で記録
 
 ## アーキテクチャ概要
 
-3 層防御モデル:
+4 層防御モデル:
 
 | 層       | 防御                   | 実装                                                          |
 | -------- | ---------------------- | ------------------------------------------------------------- |
@@ -52,30 +52,30 @@ npx shield-harness init [--profile minimal|standard|strict]
 
 ## フックカタログ
 
-| #   | フック           | イベント              | 責務                                          |
-| --- | ---------------- | --------------------- | --------------------------------------------- |
-| 1   | permission       | PreToolUse            | ツール使用の 4 カテゴリ分類                   |
-| 2   | gate             | PreToolUse            | Bash コマンドの 7 攻撃ベクトル検査            |
-| 3   | injection-guard  | PreToolUse            | 9 カテゴリ 50+ パターンのインジェクション検出 |
-| 4   | data-boundary    | PreToolUse            | 本番データ境界 + 管轄追跡                     |
-| 5   | quiet-inject     | PreToolUse            | quiet フラグ自動注入                          |
-| 6   | evidence         | PostToolUse           | SHA-256 ハッシュチェーン証跡                  |
-| 7   | output-control   | PostToolUse           | 出力トランケーション + トークン予算           |
-| 8   | dep-audit        | PostToolUse           | パッケージインストール検出                    |
-| 9   | lint-on-save     | PostToolUse           | 自動 lint 実行                                |
-| 10  | session-start    | SessionStart          | セッション初期化 + 整合性ベースライン         |
-| 11  | session-end      | SessionEnd            | クリーンアップ + 統計                         |
-| 12  | circuit-breaker  | Stop                  | リトライ上限 (3 回)                           |
-| 13  | config-guard     | ConfigChange          | 設定変更の監視                                |
-| 14  | user-prompt      | UserPromptSubmit      | ユーザー入力のインジェクション検査            |
-| 15  | permission-learn | PermissionRequest     | 権限学習ガード                                |
-| 16  | elicitation      | Elicitation           | フィッシング + スコープガード                 |
-| 17  | subagent         | SubagentStart         | サブエージェント予算制約 (25%)                |
-| 18  | instructions     | InstructionsLoaded    | ルールファイル整合性監視                      |
-| 19  | precompact       | PreCompact            | コンパクション前バックアップ                  |
-| 20  | postcompact      | PostCompact           | コンパクション後復元 + 検証                   |
-| 21  | worktree         | WorktreeCreate/Remove | セキュリティ伝播 + 証跡マージ                 |
-| 22  | task-gate        | TaskCompleted         | テストゲート                                  |
+| #   | フック           | イベント              | 責務                                            |
+| --- | ---------------- | --------------------- | ----------------------------------------------- |
+| 1   | permission       | PreToolUse            | ツール使用の 4 カテゴリ分類                     |
+| 2   | gate             | PreToolUse            | Bash コマンドの 7 攻撃ベクトル検査              |
+| 3   | injection-guard  | PreToolUse            | 9 カテゴリ 50+ パターンのインジェクション検出   |
+| 4   | data-boundary    | PreToolUse            | 本番データ境界 + 管轄追跡                       |
+| 5   | quiet-inject     | PreToolUse            | quiet フラグ自動注入                            |
+| 6   | evidence         | PostToolUse           | SHA-256 ハッシュチェーン証跡                    |
+| 7   | output-control   | PostToolUse           | 出力トランケーション + トークン予算             |
+| 8   | dep-audit        | PostToolUse           | パッケージインストール検出                      |
+| 9   | lint-on-save     | PostToolUse           | 自動 lint 実行                                  |
+| 10  | session-start    | SessionStart          | セッション初期化 + 整合性ベースライン           |
+| 11  | session-end      | SessionEnd            | クリーンアップ + 統計                           |
+| 12  | circuit-breaker  | Stop                  | リトライ上限 (3 回)                             |
+| 13  | config-guard     | ConfigChange          | 設定変更の監視 + OpenShell ポリシーファイル保護 |
+| 14  | user-prompt      | UserPromptSubmit      | ユーザー入力のインジェクション検査              |
+| 15  | permission-learn | PermissionRequest     | 権限学習ガード                                  |
+| 16  | elicitation      | Elicitation           | フィッシング + スコープガード                   |
+| 17  | subagent         | SubagentStart         | サブエージェント予算制約 (25%)                  |
+| 18  | instructions     | InstructionsLoaded    | ルールファイル整合性監視                        |
+| 19  | precompact       | PreCompact            | コンパクション前バックアップ                    |
+| 20  | postcompact      | PostCompact           | コンパクション後復元 + 検証                     |
+| 21  | worktree         | WorktreeCreate/Remove | セキュリティ伝播 + 証跡マージ                   |
+| 22  | task-gate        | TaskCompleted         | テストゲート                                    |
 
 ## パイプライン
 
@@ -148,10 +148,62 @@ Windows ユーザーにとっての主なメリット:
 
 - ポリシーがエージェントプロセスの**外部**に存在 — エージェント自身がガードレールを無効化できない
 - Docker Desktop + WSL2 バックエンド（一般的な Windows 開発環境）で動作
-- 残余リスクを 5% から 1% 未満に低減
+- Layer 1-2 のパターンマッチング限界による残余リスクを大幅に低減
 - 自由に取り外し可能 — コンテナを停止すれば Shield Harness は Layer 1-2 にフォールバック
 
-> **注意**: OpenShell は Alpha（v0.0.13）— API は将来変更の可能性があります。
+> **注意**: OpenShell は Alpha（v0.0.13）— API は将来変更の可能性があります。Shield Harness 側の GA Phase 統合は完了済み（ADR-037）: config guard によるポリシーファイル保護、ポリシードリフトチェック、全ドキュメント整備が完了しています。
+
+#### セットアップ
+
+**前提条件**: [Docker Desktop](https://www.docker.com/products/docker-desktop/)（Windows では WSL2 バックエンド）
+
+```bash
+# 1. Docker Desktop をインストールし、起動を確認
+#    https://www.docker.com/products/docker-desktop/
+docker --version
+
+# 2. OpenShell CLI のインストール
+pip install openshell
+
+# 3. permissions-spec.json からポリシーを生成
+#    .claude/policies/openshell-generated.yaml が作成されます
+npx shield-harness policy generate
+
+# 4. OpenShell コンテナを起動し、その中で Claude Code を実行
+#    初回実行時に Docker がサンドボックスイメージを自動取得します
+#    コンテナ内ではカーネルレベル制限（Landlock/Seccomp/Network NS）が自動適用されます
+openshell run --policy .claude/policies/openshell-generated.yaml
+```
+
+OpenShell コンテナ内で動作する Claude Code には、Layer 3b のカーネル強制が自動的に適用されます。Shield Harness はセッション開始時にこれを検出します（`sh-session-start.js`）— 追加設定は不要です。
+
+OpenShell なしの場合、Shield Harness は Layer 1-2 防御にフォールバックします（フック保護に劣化なし）。
+
+ポリシーファイルは以下で保護されます:
+
+- `permissions.deny`: `Edit/Write(.claude/policies/**)` でエージェントによる変更をブロック
+- `sandbox.denyWrite`: `.claude/policies` がファイルシステム deny リストに含まれる
+- `sh-config-guard.js`: ハッシュ追跡でポリシーファイルの改竄・弱体化を検出
+- `sh-session-start.js`: セッション開始時のドリフトチェックで spec-policy 整合性を検証
+
+## テスト
+
+```bash
+# 全テスト実行（391 テスト、OWASP AITG 攻撃シミュレーション 108 テスト含む）
+npm test
+
+# 攻撃シミュレーションテストのみ実行
+node --test tests/attack-sim-*.test.js
+```
+
+| テストスイート                | OWASP カテゴリ                         | テスト数 |
+| ----------------------------- | -------------------------------------- | -------- |
+| attack-sim-prompt-injection   | AITG-APP-01: Direct Prompt Injection   | 25       |
+| attack-sim-indirect-injection | AITG-APP-02: Indirect Prompt Injection | 18       |
+| attack-sim-data-leak          | AITG-APP-03: Sensitive Data Leak       | 20       |
+| attack-sim-agentic-limits     | AITG-APP-06: Agentic Behavior Limits   | 18       |
+| attack-sim-sandbox-escape     | NVIDIA 3-axis: Sandbox Escape          | 15       |
+| attack-sim-defense-chain      | SAIF: Defense-in-depth Chain           | 12       |
 
 ## チャンネル連携
 
@@ -180,11 +232,11 @@ Shield Harness は [Semantic Versioning](https://semver.org/) に準拠します
 | `minor` | 新機能（後方互換）、Phase 内 must タスク全完了時 | OCSF 対応、新フック追加、CLI オプション追加 |
 | `major` | 破壊的変更                                       | スキーマ非互換変更、settings 構造変更       |
 
-**リリーストリガー**: `git tag v1.x.x && git push origin v1.x.x` で `release.yml` が自動実行（npm publish + GitHub Release）。セキュリティ修正は即座に patch リリース。
+**リリーストリガー**: `git tag vX.Y.Z && git push origin vX.Y.Z` で `release.yml` が自動実行（npm publish + GitHub Release）。セキュリティ修正は即座に patch リリース。
 
 ## 参考プロジェクト
 
-Shield Harness は 40 以上の Claude Code セキュリティプロジェクトを調査して設計されました。主な参考:
+主な参考プロジェクト:
 
 | プロジェクト                                                                 | 影響を受けた点                                                                                                       |
 | ---------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |

package/README.md

@@ -2,9 +2,9 @@
 
 # Shield Harness
 
-**Auto-defense security harness for Claude Code — approval-free, safe autonomous development**
+**Hook-driven auto-defense security harness for Claude Code**
 
-> **Alpha (v0.1.0)**: Security model is under active development. Permission rules and design documents are being aligned. Not recommended for production use yet.
+> **v0.4.0**: 22 hooks, 4-layer defense (L1 Permissions + L2 Hooks + L3 Sandbox + L3b OpenShell), 391 tests including 108 OWASP AITG attack simulation tests.
 
 [![English](https://img.shields.io/badge/lang-English-blue?style=flat-square)](#)
 [![日本語](https://img.shields.io/badge/lang-日本語-red?style=flat-square)](README.ja.md)
@@ -25,13 +25,13 @@ npx shield-harness init [--profile minimal|standard|strict]
 ## Why Shield Harness
 
 - **Hooks-driven defense**: 22 security hooks monitor every Claude Code operation
-- **Approval-free mode**: Delegate all security decisions to hooks, eliminating human approval dialogs
+- **Automated security decisions**: Hooks handle all security judgments in real time — no manual approval bottleneck
 - **fail-close principle**: Automatically stops when safety conditions cannot be verified
 - **Evidence recording**: Tamper-proof SHA-256 hash chain records all allow/deny decisions
 
 ## Architecture Overview
 
-3-layer defense model:
+4-layer defense model:
 
 | Layer    | Defense            | Implementation                                     |
 | -------- | ------------------ | -------------------------------------------------- |
@@ -50,30 +50,30 @@ npx shield-harness init [--profile minimal|standard|strict]
 
 ## Hook Catalog
 
-| #   | Hook             | Event                 | Responsibility                                   |
-| --- | ---------------- | --------------------- | ------------------------------------------------ |
-| 1   | permission       | PreToolUse            | 4-category tool usage classification             |
-| 2   | gate             | PreToolUse            | 7 attack vector inspection for Bash commands     |
-| 3   | injection-guard  | PreToolUse            | 9-category 50+ pattern injection detection       |
-| 4   | data-boundary    | PreToolUse            | Production data boundary + jurisdiction tracking |
-| 5   | quiet-inject     | PreToolUse            | Auto-inject quiet flags                          |
-| 6   | evidence         | PostToolUse           | SHA-256 hash chain evidence                      |
-| 7   | output-control   | PostToolUse           | Output truncation + token budget                 |
-| 8   | dep-audit        | PostToolUse           | Package install detection                        |
-| 9   | lint-on-save     | PostToolUse           | Auto lint execution                              |
-| 10  | session-start    | SessionStart          | Session init + integrity baseline                |
-| 11  | session-end      | SessionEnd            | Cleanup + statistics                             |
-| 12  | circuit-breaker  | Stop                  | Retry limit (3 attempts)                         |
-| 13  | config-guard     | ConfigChange          | Settings change monitoring                       |
-| 14  | user-prompt      | UserPromptSubmit      | User input injection scanning                    |
-| 15  | permission-learn | PermissionRequest     | Permission learning guard                        |
-| 16  | elicitation      | Elicitation           | Phishing + scope guard                           |
-| 17  | subagent         | SubagentStart         | Subagent budget constraint (25%)                 |
-| 18  | instructions     | InstructionsLoaded    | Rule file integrity monitoring                   |
-| 19  | precompact       | PreCompact            | Pre-compaction backup                            |
-| 20  | postcompact      | PostCompact           | Post-compaction restore + verify                 |
-| 21  | worktree         | WorktreeCreate/Remove | Security propagation + evidence merge            |
-| 22  | task-gate        | TaskCompleted         | Test gate                                        |
+| #   | Hook             | Event                 | Responsibility                                                |
+| --- | ---------------- | --------------------- | ------------------------------------------------------------- |
+| 1   | permission       | PreToolUse            | 4-category tool usage classification                          |
+| 2   | gate             | PreToolUse            | 7 attack vector inspection for Bash commands                  |
+| 3   | injection-guard  | PreToolUse            | 9-category 50+ pattern injection detection                    |
+| 4   | data-boundary    | PreToolUse            | Production data boundary + jurisdiction tracking              |
+| 5   | quiet-inject     | PreToolUse            | Auto-inject quiet flags                                       |
+| 6   | evidence         | PostToolUse           | SHA-256 hash chain evidence                                   |
+| 7   | output-control   | PostToolUse           | Output truncation + token budget                              |
+| 8   | dep-audit        | PostToolUse           | Package install detection                                     |
+| 9   | lint-on-save     | PostToolUse           | Auto lint execution                                           |
+| 10  | session-start    | SessionStart          | Session init + integrity baseline                             |
+| 11  | session-end      | SessionEnd            | Cleanup + statistics                                          |
+| 12  | circuit-breaker  | Stop                  | Retry limit (3 attempts)                                      |
+| 13  | config-guard     | ConfigChange          | Settings change monitoring + OpenShell policy file protection |
+| 14  | user-prompt      | UserPromptSubmit      | User input injection scanning                                 |
+| 15  | permission-learn | PermissionRequest     | Permission learning guard                                     |
+| 16  | elicitation      | Elicitation           | Phishing + scope guard                                        |
+| 17  | subagent         | SubagentStart         | Subagent budget constraint (25%)                              |
+| 18  | instructions     | InstructionsLoaded    | Rule file integrity monitoring                                |
+| 19  | precompact       | PreCompact            | Pre-compaction backup                                         |
+| 20  | postcompact      | PostCompact           | Post-compaction restore + verify                              |
+| 21  | worktree         | WorktreeCreate/Remove | Security propagation + evidence merge                         |
+| 22  | task-gate        | TaskCompleted         | Test gate                                                     |
 
 ## Pipeline
 
@@ -146,10 +146,62 @@ Key benefits for Windows users:
 
 - Policies exist **outside** the agent process — the agent cannot disable its own guardrails
 - Runs on Docker Desktop + WSL2 backend (typical Windows dev setup)
-- Reduces residual risk from 5% to <1%
+- Significantly reduces residual risk from Layer 1-2 pattern matching limitations
 - Freely removable — stop the container and Shield Harness falls back to Layer 1-2
 
-> **Note**: OpenShell is Alpha (v0.0.13) — APIs may change with future releases.
+> **Note**: OpenShell is Alpha (v0.0.13) — APIs may change with future releases. Shield Harness GA Phase integration is complete (ADR-037): config guard policy file protection, policy drift check, and full documentation are ready.
+
+#### Setup
+
+**Prerequisites**: [Docker Desktop](https://www.docker.com/products/docker-desktop/) (WSL2 backend on Windows)
+
+```bash
+# 1. Install Docker Desktop and verify it is running
+#    https://www.docker.com/products/docker-desktop/
+docker --version
+
+# 2. Install OpenShell CLI
+pip install openshell
+
+# 3. Generate policy from permissions-spec.json
+#    Creates .claude/policies/openshell-generated.yaml
+npx shield-harness policy generate
+
+# 4. Start OpenShell container and run Claude Code inside it
+#    Docker pulls the sandbox image automatically on first run
+#    Kernel-level enforcement (Landlock/Seccomp/Network NS) is active inside the container
+openshell run --policy .claude/policies/openshell-generated.yaml
+```
+
+Claude Code running inside the OpenShell container automatically receives Layer 3b kernel enforcement. Shield Harness detects this at session start (`sh-session-start.js`) — no additional configuration required.
+
+Without OpenShell, Shield Harness falls back to Layer 1-2 defense (no degradation in hook protection).
+
+Policy files are protected by:
+
+- `permissions.deny`: `Edit/Write(.claude/policies/**)` blocks agent modification
+- `sandbox.denyWrite`: `.claude/policies` in filesystem deny list
+- `sh-config-guard.js`: Hash tracking detects policy file tampering or weakening
+- `sh-session-start.js`: Drift check at session start verifies spec-policy alignment
+
+## Testing
+
+```bash
+# Run all tests (391 tests including 108 OWASP AITG attack simulations)
+npm test
+
+# Run attack simulation tests only
+node --test tests/attack-sim-*.test.js
+```
+
+| Test Suite                    | OWASP Category                         | Tests |
+| ----------------------------- | -------------------------------------- | ----- |
+| attack-sim-prompt-injection   | AITG-APP-01: Direct Prompt Injection   | 25    |
+| attack-sim-indirect-injection | AITG-APP-02: Indirect Prompt Injection | 18    |
+| attack-sim-data-leak          | AITG-APP-03: Sensitive Data Leak       | 20    |
+| attack-sim-agentic-limits     | AITG-APP-06: Agentic Behavior Limits   | 18    |
+| attack-sim-sandbox-escape     | NVIDIA 3-axis: Sandbox Escape          | 15    |
+| attack-sim-defense-chain      | SAIF: Defense-in-depth Chain           | 12    |
 
 ## Channel Integration
 
@@ -178,11 +230,11 @@ Shield Harness follows [Semantic Versioning](https://semver.org/):
 | `minor` | New features (backward compatible), Phase must-tasks completed | OCSF support, new hook, CLI option   |
 | `major` | Breaking changes                                               | Schema incompatible, settings change |
 
-**Release trigger**: `git tag v1.x.x && git push origin v1.x.x` triggers `release.yml` (automated npm publish + GitHub Release). Security fixes trigger an immediate patch release.
+**Release trigger**: `git tag vX.Y.Z && git push origin vX.Y.Z` triggers `release.yml` (automated npm publish + GitHub Release). Security fixes trigger an immediate patch release.
 
 ## References
 
-Shield Harness was designed by surveying 40+ Claude Code security projects. Key references:
+Key references:
 
 | Project                                                                      | Influence                                                                                                          |
 | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shield-harness",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "Security harness for Claude Code — hooks-driven, zero-hassle defense",
   "bin": {
     "shield-harness": "./bin/shield-harness.js"