shield-harness 0.4.0 → 0.5.0

package/.claude/hooks/lib/automode-detect.js

@@ -0,0 +1,184 @@
+#!/usr/bin/env node
+// automode-detect.js — Claude Code Auto Mode detection & danger assessment
+// Spec: Phase 7 ADR-038 (.reference/PHASE7_8_AUTO_MODE_SELF_EVOLUTION_PLAN.md)
+// Purpose: Detect Auto Mode configuration and classify danger level
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const SETTINGS_LOCAL = path.join(".claude", "settings.local.json");
+const SETTINGS_MAIN = path.join(".claude", "settings.json");
+
+/**
+ * Protections lost when autoMode.soft_deny is configured.
+ * A single soft_deny entry disables ALL classifier default protections.
+ */
+const LOST_PROTECTIONS = [
+  "Default force-push prevention (git push --force)",
+  "Default destructive command blocking (rm -rf, format)",
+  "Default credential access prevention (~/.ssh, ~/.aws)",
+  "Default network isolation (curl|bash, data exfiltration)",
+  "Default file system protection (system files modification)",
+  "Default package execution control (npm install, npx)",
+  "Classifier-based safety judgments for all unlisted tools",
+];
+
+// ---------------------------------------------------------------------------
+// Utility functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Read autoMode section from a settings JSON file.
+ * fail-safe: returns null on any error (file missing, parse error, no autoMode).
+ * @param {string} filePath - Path to settings JSON file
+ * @returns {{ soft_deny: string[], soft_allow: string[], environment: string|null }|null}
+ */
+function readSettingsFile(filePath) {
+  try {
+    if (!fs.existsSync(filePath)) return null;
+    const content = JSON.parse(fs.readFileSync(filePath, "utf8"));
+    const autoMode = content.autoMode;
+    if (!autoMode || typeof autoMode !== "object") return null;
+    return {
+      soft_deny: Array.isArray(autoMode.soft_deny) ? autoMode.soft_deny : [],
+      soft_allow: Array.isArray(autoMode.soft_allow) ? autoMode.soft_allow : [],
+      environment:
+        typeof autoMode.environment === "string" ? autoMode.environment : null,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Classify danger level based on soft_deny and soft_allow counts.
+ * @param {number} softDenyCount
+ * @param {number} softAllowCount
+ * @returns {"safe"|"warn"|"critical"}
+ */
+function classifyDangerLevel(softDenyCount, softAllowCount) {
+  if (softDenyCount > 0) return "critical";
+  if (softAllowCount > 0) return "warn";
+  return "safe";
+}
+
+// ---------------------------------------------------------------------------
+// Main detection function
+// ---------------------------------------------------------------------------
+
+/**
+ * Detect Auto Mode configuration and assess danger level.
+ * Reads settings.local.json (priority) and settings.json, merges results.
+ * fail-safe: never throws, returns safe defaults on any error.
+ *
+ * @returns {{
+ *   detected: boolean,
+ *   danger_level: "safe"|"warn"|"critical",
+ *   reason: string,
+ *   soft_deny_count: number,
+ *   soft_allow_count: number,
+ *   has_environment: boolean,
+ *   environment_snippet: string|null,
+ *   danger_items: string[],
+ *   source: "settings_local"|"settings"|"both"|"none",
+ *   detected_at: string
+ * }}
+ */
+function detectAutoMode() {
+  const detected_at = new Date().toISOString();
+  const base = {
+    detected: false,
+    danger_level: "safe",
+    reason: "not_configured",
+    soft_deny_count: 0,
+    soft_allow_count: 0,
+    has_environment: false,
+    environment_snippet: null,
+    danger_items: [],
+    source: "none",
+    detected_at,
+  };
+
+  try {
+    const localResult = readSettingsFile(SETTINGS_LOCAL);
+    const mainResult = readSettingsFile(SETTINGS_MAIN);
+
+    // No autoMode in either file
+    if (!localResult && !mainResult) {
+      return base;
+    }
+
+    // Determine source
+    const source =
+      localResult && mainResult
+        ? "both"
+        : localResult
+          ? "settings_local"
+          : "settings";
+
+    // Merge soft_deny and soft_allow from both files (deduplicate)
+    const softDeny = [
+      ...new Set([
+        ...(localResult ? localResult.soft_deny : []),
+        ...(mainResult ? mainResult.soft_deny : []),
+      ]),
+    ];
+    const softAllow = [
+      ...new Set([
+        ...(localResult ? localResult.soft_allow : []),
+        ...(mainResult ? mainResult.soft_allow : []),
+      ]),
+    ];
+
+    // Environment: local overrides main
+    const environment =
+      (localResult && localResult.environment) ||
+      (mainResult && mainResult.environment) ||
+      null;
+
+    const dangerLevel = classifyDangerLevel(softDeny.length, softAllow.length);
+
+    // Determine reason code
+    let reason = "configured_safe";
+    if (softDeny.length > 0 && softAllow.length > 0) {
+      reason = "both_present";
+    } else if (softDeny.length > 0) {
+      reason = "soft_deny_present";
+    } else if (softAllow.length > 0) {
+      reason = "soft_allow_only";
+    }
+
+    return {
+      detected: true,
+      danger_level: dangerLevel,
+      reason,
+      soft_deny_count: softDeny.length,
+      soft_allow_count: softAllow.length,
+      has_environment: environment !== null,
+      environment_snippet: environment ? environment.slice(0, 80) : null,
+      danger_items: dangerLevel === "critical" ? [...LOST_PROTECTIONS] : [],
+      source,
+      detected_at,
+    };
+  } catch {
+    return { ...base, reason: "read_error" };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Exports
+// ---------------------------------------------------------------------------
+
+module.exports = {
+  detectAutoMode,
+  classifyDangerLevel,
+  readSettingsFile,
+  LOST_PROTECTIONS,
+  SETTINGS_LOCAL,
+  SETTINGS_MAIN,
+};

package/.claude/hooks/sh-config-guard.js

@@ -14,11 +14,15 @@ const {
   sha256,
   appendEvidence,
 } = require("./lib/sh-utils");
+const {
+  readSettingsFile: readAutoModeSection,
+} = require("./lib/automode-detect");
 
 const HOOK_NAME = "sh-config-guard";
 const SETTINGS_FILE = path.join(".claude", "settings.json");
 const CONFIG_HASH_FILE = path.join(".claude", "logs", "config-hash.json");
 const POLICIES_DIR = path.join(".claude", "policies");
+const SETTINGS_LOCAL = path.join(".claude", "settings.local.json");
 
 // ---------------------------------------------------------------------------
 // Config Analysis
@@ -171,7 +175,7 @@ function extractSecurityFields(settings) {
     }
   }
 
-  return {
+  const result = {
     deny_rules: denyRules,
     hook_count: hookCount,
     hook_events: hookEvents,
@@ -184,7 +188,33 @@ function extractSecurityFields(settings) {
     disableAllHooks: Boolean(settings.disableAllHooks),
     policy_hashes: extractPolicyHashes(),
     policy_metrics: extractPolicyMetrics(),
+    soft_deny_count: 0,
+    soft_allow_count: 0,
   };
+
+  // Auto Mode: read autoMode from both settings files (Phase 7, ADR-038)
+  try {
+    const mainAutoMode = readAutoModeSection(SETTINGS_FILE);
+    const localAutoMode = readAutoModeSection(SETTINGS_LOCAL);
+    const softDeny = [
+      ...new Set([
+        ...(mainAutoMode ? mainAutoMode.soft_deny : []),
+        ...(localAutoMode ? localAutoMode.soft_deny : []),
+      ]),
+    ];
+    const softAllow = [
+      ...new Set([
+        ...(mainAutoMode ? mainAutoMode.soft_allow : []),
+        ...(localAutoMode ? localAutoMode.soft_allow : []),
+      ]),
+    ];
+    result.soft_deny_count = softDeny.length;
+    result.soft_allow_count = softAllow.length;
+  } catch {
+    // Auto Mode detection failure is non-blocking for config-guard
+  }
+
+  return result;
 }
 
 /**
@@ -286,6 +316,24 @@ function detectDangerousMutations(stored, current) {
     }
   }
 
+  // Check 7: Auto Mode soft_deny addition (CRITICAL — all default protections lost)
+  const storedSoftDeny = stored.soft_deny_count || 0;
+  const currentSoftDeny = current.soft_deny_count || 0;
+  if (currentSoftDeny > storedSoftDeny) {
+    reasons.push(
+      `Auto Mode soft_deny added (${storedSoftDeny} → ${currentSoftDeny}) — ALL default protections would be lost`,
+    );
+  }
+
+  // Check 8: Auto Mode soft_allow expansion
+  const storedSoftAllow = stored.soft_allow_count || 0;
+  const currentSoftAllow = current.soft_allow_count || 0;
+  if (currentSoftAllow > storedSoftAllow) {
+    reasons.push(
+      `Auto Mode soft_allow expanded (${storedSoftAllow} → ${currentSoftAllow}) — additional tools auto-approved`,
+    );
+  }
+
   return {
     blocked: reasons.length > 0,
     reasons,

package/.claude/hooks/sh-session-start.js

@@ -18,6 +18,7 @@ const {
 const { detectOpenShell } = require("./lib/openshell-detect");
 const { checkPolicyCompatibility } = require("./lib/policy-compat");
 const { checkPolicyDrift } = require("./lib/policy-drift");
+const { detectAutoMode } = require("./lib/automode-detect");
 
 const HOOK_NAME = "sh-session-start";
 const CLAUDE_MD = "CLAUDE.md";
@@ -263,6 +264,39 @@ try {
     }
   }
 
+  // 2f: Auto Mode detection (Phase 7, ADR-038)
+  let autoModeResult = null;
+  try {
+    autoModeResult = detectAutoMode();
+    session.auto_mode = autoModeResult;
+    writeSession(session);
+
+    if (autoModeResult.danger_level === "critical") {
+      contextParts.push(
+        `[auto-mode] CRITICAL: Auto Mode soft_deny detected (${autoModeResult.soft_deny_count} rules) — ALL default protections lost`,
+      );
+      for (const item of autoModeResult.danger_items.slice(0, 3)) {
+        contextParts.push(`[auto-mode]   Lost: ${item}`);
+      }
+      if (autoModeResult.danger_items.length > 3) {
+        contextParts.push(
+          `[auto-mode]   ... and ${autoModeResult.danger_items.length - 3} more protections lost`,
+        );
+      }
+    } else if (autoModeResult.danger_level === "warn") {
+      contextParts.push(
+        `[auto-mode] WARNING: Auto Mode soft_allow detected — ${autoModeResult.soft_allow_count} rules auto-approved`,
+      );
+    } else if (autoModeResult.detected) {
+      contextParts.push("[auto-mode] Auto Mode configured (safe)");
+    } else {
+      contextParts.push("[auto-mode] Auto Mode: not configured");
+    }
+  } catch {
+    // Auto Mode detection failure is non-blocking
+    contextParts.push("[auto-mode] Auto Mode detection error (non-blocking)");
+  }
+
   // --- Module 3: Version Check (§5.1.4) ---
   // Store baseline hashes for instructions monitoring
   const hashes = {};
@@ -314,6 +348,14 @@ try {
               : 0,
           }
         : null,
+      auto_mode: autoModeResult
+        ? {
+            detected: autoModeResult.detected,
+            danger_level: autoModeResult.danger_level,
+            soft_deny_count: autoModeResult.soft_deny_count,
+            soft_allow_count: autoModeResult.soft_allow_count,
+          }
+        : null,
       policy_compat: policyCompat
         ? {
             compatible: policyCompat.compatible,

package/.claude/permissions-spec.json

@@ -85,6 +85,11 @@
         "rationale": "Local settings protection",
         "threat_id": "T-03"
       },
+      {
+        "rule": "Edit(.claude/settings.local.json)",
+        "rationale": "Local settings protection — Auto Mode injection prevention (Phase 7, ADR-038)",
+        "threat_id": "T-03"
+      },
       {
         "rule": "Write(.claude/permissions-spec.json)",
         "rationale": "Permissions SoT self-protection",
@@ -443,7 +448,7 @@
     ]
   },
   "expected_counts": {
-    "deny": 43,
+    "deny": 44,
     "ask": 4,
     "allow": 49
   }

package/README.ja.md

@@ -6,7 +6,7 @@
 
 > フック駆動の自動判定で安全な自律開発を実現
 
-> **v0.4.0**: 22 フック、4 層防御（L1 権限 + L2 フック + L3 サンドボックス + L3b OpenShell）、391 テスト（OWASP AITG 攻撃シミュレーション 108 テスト含む）。
+> **v0.5.0**: 22 フック、4 層防御（L1 権限 + L2 フック + L3 サンドボックス + L3b OpenShell）、426 テスト（OWASP AITG 攻撃シミュレーション 108 テスト + Auto Mode 防御テスト 35 テスト含む）。
 
 [![English](https://img.shields.io/badge/lang-English-blue?style=flat-square)](README.md)
 [![日本語](https://img.shields.io/badge/lang-日本語-red?style=flat-square)](#)
@@ -52,30 +52,30 @@ npx shield-harness init [--profile minimal|standard|strict]
 
 ## フックカタログ
 
-| #   | フック           | イベント              | 責務                                            |
-| --- | ---------------- | --------------------- | ----------------------------------------------- |
-| 1   | permission       | PreToolUse            | ツール使用の 4 カテゴリ分類                     |
-| 2   | gate             | PreToolUse            | Bash コマンドの 7 攻撃ベクトル検査              |
-| 3   | injection-guard  | PreToolUse            | 9 カテゴリ 50+ パターンのインジェクション検出   |
-| 4   | data-boundary    | PreToolUse            | 本番データ境界 + 管轄追跡                       |
-| 5   | quiet-inject     | PreToolUse            | quiet フラグ自動注入                            |
-| 6   | evidence         | PostToolUse           | SHA-256 ハッシュチェーン証跡                    |
-| 7   | output-control   | PostToolUse           | 出力トランケーション + トークン予算             |
-| 8   | dep-audit        | PostToolUse           | パッケージインストール検出                      |
-| 9   | lint-on-save     | PostToolUse           | 自動 lint 実行                                  |
-| 10  | session-start    | SessionStart          | セッション初期化 + 整合性ベースライン           |
-| 11  | session-end      | SessionEnd            | クリーンアップ + 統計                           |
-| 12  | circuit-breaker  | Stop                  | リトライ上限 (3 回)                             |
-| 13  | config-guard     | ConfigChange          | 設定変更の監視 + OpenShell ポリシーファイル保護 |
-| 14  | user-prompt      | UserPromptSubmit      | ユーザー入力のインジェクション検査              |
-| 15  | permission-learn | PermissionRequest     | 権限学習ガード                                  |
-| 16  | elicitation      | Elicitation           | フィッシング + スコープガード                   |
-| 17  | subagent         | SubagentStart         | サブエージェント予算制約 (25%)                  |
-| 18  | instructions     | InstructionsLoaded    | ルールファイル整合性監視                        |
-| 19  | precompact       | PreCompact            | コンパクション前バックアップ                    |
-| 20  | postcompact      | PostCompact           | コンパクション後復元 + 検証                     |
-| 21  | worktree         | WorktreeCreate/Remove | セキュリティ伝播 + 証跡マージ                   |
-| 22  | task-gate        | TaskCompleted         | テストゲート                                    |
+| #   | フック           | イベント              | 責務                                                             |
+| --- | ---------------- | --------------------- | ---------------------------------------------------------------- |
+| 1   | permission       | PreToolUse            | ツール使用の 4 カテゴリ分類                                      |
+| 2   | gate             | PreToolUse            | Bash コマンドの 7 攻撃ベクトル検査                               |
+| 3   | injection-guard  | PreToolUse            | 9 カテゴリ 50+ パターンのインジェクション検出                    |
+| 4   | data-boundary    | PreToolUse            | 本番データ境界 + 管轄追跡                                        |
+| 5   | quiet-inject     | PreToolUse            | quiet フラグ自動注入                                             |
+| 6   | evidence         | PostToolUse           | SHA-256 ハッシュチェーン証跡                                     |
+| 7   | output-control   | PostToolUse           | 出力トランケーション + トークン予算                              |
+| 8   | dep-audit        | PostToolUse           | パッケージインストール検出                                       |
+| 9   | lint-on-save     | PostToolUse           | 自動 lint 実行                                                   |
+| 10  | session-start    | SessionStart          | セッション初期化 + 整合性ベースライン                            |
+| 11  | session-end      | SessionEnd            | クリーンアップ + 統計                                            |
+| 12  | circuit-breaker  | Stop                  | リトライ上限 (3 回)                                              |
+| 13  | config-guard     | ConfigChange          | 設定変更の監視 + OpenShell ポリシーファイル保護 + Auto Mode 保護 |
+| 14  | user-prompt      | UserPromptSubmit      | ユーザー入力のインジェクション検査                               |
+| 15  | permission-learn | PermissionRequest     | 権限学習ガード                                                   |
+| 16  | elicitation      | Elicitation           | フィッシング + スコープガード                                    |
+| 17  | subagent         | SubagentStart         | サブエージェント予算制約 (25%)                                   |
+| 18  | instructions     | InstructionsLoaded    | ルールファイル整合性監視                                         |
+| 19  | precompact       | PreCompact            | コンパクション前バックアップ                                     |
+| 20  | postcompact      | PostCompact           | コンパクション後復元 + 検証                                      |
+| 21  | worktree         | WorktreeCreate/Remove | セキュリティ伝播 + 証跡マージ                                    |
+| 22  | task-gate        | TaskCompleted         | テストゲート                                                     |
 
 ## パイプライン
 
@@ -189,7 +189,7 @@ OpenShell なしの場合、Shield Harness は Layer 1-2 防御にフォール
 ## テスト
 
 ```bash
-# 全テスト実行（391 テスト、OWASP AITG 攻撃シミュレーション 108 テスト含む）
+# 全テスト実行（426 テスト、攻撃シミュレーション含む）
 npm test
 
 # 攻撃シミュレーションテストのみ実行
@@ -204,6 +204,19 @@ node --test tests/attack-sim-*.test.js
 | attack-sim-agentic-limits     | AITG-APP-06: Agentic Behavior Limits   | 18       |
 | attack-sim-sandbox-escape     | NVIDIA 3-axis: Sandbox Escape          | 15       |
 | attack-sim-defense-chain      | SAIF: Defense-in-depth Chain           | 12       |
+| attack-sim-automode-bypass    | Auto Mode: soft_deny/soft_allow bypass | 15       |
+
+## Auto Mode 対応 (v0.5.0)
+
+Shield Harness はセッション開始時に Claude Code の Auto Mode（Research Preview）設定を検知し、危険な設定を防御します:
+
+| 設定                   | リスク                                                  | Shield Harness の対応                                               |
+| ---------------------- | ------------------------------------------------------- | ------------------------------------------------------------------- |
+| `autoMode.soft_deny`   | **CRITICAL** — 分類器のデフォルト保護が全て無効化される | config-guard が追加をブロック、session-start が CRITICAL 警告を出力 |
+| `autoMode.soft_allow`  | WARN — 特定ツールが自動許可される                       | config-guard が拡大をブロック、session-start が WARNING を出力      |
+| `autoMode.environment` | 安全 — 情報のみ                                         | 検知してセッションに記録                                            |
+
+既存の全フック（PreToolUse, PostToolUse）は Auto Mode でも通常通り発火します。`permissions.deny` ルールは絶対的に維持されます。
 
 ## チャンネル連携
 

package/README.md

@@ -4,7 +4,7 @@
 
 **Hook-driven auto-defense security harness for Claude Code**
 
-> **v0.4.0**: 22 hooks, 4-layer defense (L1 Permissions + L2 Hooks + L3 Sandbox + L3b OpenShell), 391 tests including 108 OWASP AITG attack simulation tests.
+> **v0.5.0**: 22 hooks, 4-layer defense (L1 Permissions + L2 Hooks + L3 Sandbox + L3b OpenShell), 426 tests including 108 OWASP AITG attack simulations + 35 Auto Mode defense tests.
 
 [![English](https://img.shields.io/badge/lang-English-blue?style=flat-square)](#)
 [![日本語](https://img.shields.io/badge/lang-日本語-red?style=flat-square)](README.ja.md)
@@ -50,30 +50,30 @@ npx shield-harness init [--profile minimal|standard|strict]
 
 ## Hook Catalog
 
-| #   | Hook             | Event                 | Responsibility                                                |
-| --- | ---------------- | --------------------- | ------------------------------------------------------------- |
-| 1   | permission       | PreToolUse            | 4-category tool usage classification                          |
-| 2   | gate             | PreToolUse            | 7 attack vector inspection for Bash commands                  |
-| 3   | injection-guard  | PreToolUse            | 9-category 50+ pattern injection detection                    |
-| 4   | data-boundary    | PreToolUse            | Production data boundary + jurisdiction tracking              |
-| 5   | quiet-inject     | PreToolUse            | Auto-inject quiet flags                                       |
-| 6   | evidence         | PostToolUse           | SHA-256 hash chain evidence                                   |
-| 7   | output-control   | PostToolUse           | Output truncation + token budget                              |
-| 8   | dep-audit        | PostToolUse           | Package install detection                                     |
-| 9   | lint-on-save     | PostToolUse           | Auto lint execution                                           |
-| 10  | session-start    | SessionStart          | Session init + integrity baseline                             |
-| 11  | session-end      | SessionEnd            | Cleanup + statistics                                          |
-| 12  | circuit-breaker  | Stop                  | Retry limit (3 attempts)                                      |
-| 13  | config-guard     | ConfigChange          | Settings change monitoring + OpenShell policy file protection |
-| 14  | user-prompt      | UserPromptSubmit      | User input injection scanning                                 |
-| 15  | permission-learn | PermissionRequest     | Permission learning guard                                     |
-| 16  | elicitation      | Elicitation           | Phishing + scope guard                                        |
-| 17  | subagent         | SubagentStart         | Subagent budget constraint (25%)                              |
-| 18  | instructions     | InstructionsLoaded    | Rule file integrity monitoring                                |
-| 19  | precompact       | PreCompact            | Pre-compaction backup                                         |
-| 20  | postcompact      | PostCompact           | Post-compaction restore + verify                              |
-| 21  | worktree         | WorktreeCreate/Remove | Security propagation + evidence merge                         |
-| 22  | task-gate        | TaskCompleted         | Test gate                                                     |
+| #   | Hook             | Event                 | Responsibility                                                                       |
+| --- | ---------------- | --------------------- | ------------------------------------------------------------------------------------ |
+| 1   | permission       | PreToolUse            | 4-category tool usage classification                                                 |
+| 2   | gate             | PreToolUse            | 7 attack vector inspection for Bash commands                                         |
+| 3   | injection-guard  | PreToolUse            | 9-category 50+ pattern injection detection                                           |
+| 4   | data-boundary    | PreToolUse            | Production data boundary + jurisdiction tracking                                     |
+| 5   | quiet-inject     | PreToolUse            | Auto-inject quiet flags                                                              |
+| 6   | evidence         | PostToolUse           | SHA-256 hash chain evidence                                                          |
+| 7   | output-control   | PostToolUse           | Output truncation + token budget                                                     |
+| 8   | dep-audit        | PostToolUse           | Package install detection                                                            |
+| 9   | lint-on-save     | PostToolUse           | Auto lint execution                                                                  |
+| 10  | session-start    | SessionStart          | Session init + integrity baseline                                                    |
+| 11  | session-end      | SessionEnd            | Cleanup + statistics                                                                 |
+| 12  | circuit-breaker  | Stop                  | Retry limit (3 attempts)                                                             |
+| 13  | config-guard     | ConfigChange          | Settings change monitoring + OpenShell policy file protection + Auto Mode protection |
+| 14  | user-prompt      | UserPromptSubmit      | User input injection scanning                                                        |
+| 15  | permission-learn | PermissionRequest     | Permission learning guard                                                            |
+| 16  | elicitation      | Elicitation           | Phishing + scope guard                                                               |
+| 17  | subagent         | SubagentStart         | Subagent budget constraint (25%)                                                     |
+| 18  | instructions     | InstructionsLoaded    | Rule file integrity monitoring                                                       |
+| 19  | precompact       | PreCompact            | Pre-compaction backup                                                                |
+| 20  | postcompact      | PostCompact           | Post-compaction restore + verify                                                     |
+| 21  | worktree         | WorktreeCreate/Remove | Security propagation + evidence merge                                                |
+| 22  | task-gate        | TaskCompleted         | Test gate                                                                            |
 
 ## Pipeline
 
@@ -187,14 +187,14 @@ Policy files are protected by:
 ## Testing
 
 ```bash
-# Run all tests (391 tests including 108 OWASP AITG attack simulations)
+# Run all tests (426 tests including attack simulations)
 npm test
 
 # Run attack simulation tests only
 node --test tests/attack-sim-*.test.js
 ```
 
-| Test Suite                    | OWASP Category                         | Tests |
+| Test Suite                    | Category                               | Tests |
 | ----------------------------- | -------------------------------------- | ----- |
 | attack-sim-prompt-injection   | AITG-APP-01: Direct Prompt Injection   | 25    |
 | attack-sim-indirect-injection | AITG-APP-02: Indirect Prompt Injection | 18    |
@@ -202,6 +202,19 @@ node --test tests/attack-sim-*.test.js
 | attack-sim-agentic-limits     | AITG-APP-06: Agentic Behavior Limits   | 18    |
 | attack-sim-sandbox-escape     | NVIDIA 3-axis: Sandbox Escape          | 15    |
 | attack-sim-defense-chain      | SAIF: Defense-in-depth Chain           | 12    |
+| attack-sim-automode-bypass    | Auto Mode: soft_deny/soft_allow bypass | 15    |
+
+## Auto Mode Awareness (v0.5.0)
+
+Shield Harness detects Claude Code's Auto Mode (Research Preview) configuration at session start and protects against dangerous settings:
+
+| Setting                | Risk                                                       | Shield Harness Response                                              |
+| ---------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------- |
+| `autoMode.soft_deny`   | **CRITICAL** — disables all classifier default protections | Config-guard blocks addition; session-start outputs CRITICAL warning |
+| `autoMode.soft_allow`  | WARN — auto-approves specific tools                        | Config-guard blocks expansion; session-start outputs WARNING         |
+| `autoMode.environment` | Safe — informational only                                  | Detected and recorded in session                                     |
+
+All existing hooks (PreToolUse, PostToolUse) fire normally under Auto Mode — `permissions.deny` rules remain absolute. Auto Mode's classifier cannot override hook denials.
 
 ## Channel Integration
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shield-harness",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Security harness for Claude Code — hooks-driven, zero-hassle defense",
   "bin": {
     "shield-harness": "./bin/shield-harness.js"
@@ -27,7 +27,10 @@
     "test:openshell-detect": "node --test tests/openshell-detect.test.js",
     "test:openshell-evidence": "node --test tests/openshell-evidence.test.js",
     "test:tier-policy": "node --test tests/tier-policy-gen.test.js",
-    "test:policy-effectiveness": "node --test tests/policy-effectiveness.test.js"
+    "test:policy-effectiveness": "node --test tests/policy-effectiveness.test.js",
+    "test:automode": "node --test tests/automode-detect.test.js",
+    "test:automode-guard": "node --test tests/config-guard-automode.test.js",
+    "test:attack-automode": "node --test tests/attack-sim-automode-bypass.test.js"
   },
   "keywords": [
     "claude-code",