# Toolchain attack-surface audit (manual procedure)

Part of the `D3 «Аудит и управление рисками»` section. Run this procedure quarterly, and after any new Claude Code plugin or MCP server is added.

Motivation: the post-ruflo toolchain is large — about 20 ruflo plugins, ~210 MCP tools, and seven MCP servers in `.mcp.json` — and 2026 disclosures (npm `postinstall` MCP-URL rewriting; the ClaudeBleed script-injection class) make the toolchain itself a standing attack surface.

## 1. MCP servers

- Review every server in `.mcp.json` — `command`, `args`, `env`. Flag any non-pinned `npx` package and any server reachable over the network.
- Confirm no MCP server URL was rewritten by a dependency `postinstall` script.

## 2. Plugins

- List `enabledPlugins` in `~/.claude/settings.json`. For each: source repo, license, last commit, and the hooks it contributes.
- Flag any plugin that registers a `PreToolUse` hook with `decision: block`.

## 3. Hooks

- Diff the `hooks` blocks of `.claude/settings.json` and `~/.claude/settings.json` against the last audited snapshot. Investigate any unexplained change.

## 4. Permissions

- Review `permissions.allow` and `permissions.deny` — no broadened wildcard and no new unscoped `Bash(*)` beyond what is already recorded.

## 5. Secrets

- Run `gitleaks` over the full history; confirm no token sits in a gitignored cache file.
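A small Python check for step 1, added here as an example and not part of this procedure or the project's own tooling: it walks `mcpServers` in a constructed `.mcp.json`, flags unpinned `npx` packages and network-reachable servers, and diffs each server definition against the last audited snapshot so a `postinstall` URL rewrite shows up as drift. The `mcpServers`, `url` and `type` keys and the snapshot format are assumptions; the sample config is constructed.

```python
import re

# Added example (not the audit doc's own code). Field names `command`, `args`,
# `env` come from the procedure; `url`/`type` keys and the snapshot format are assumed.
PINNED = re.compile(r"^(@[^/@]+/)?[^@/]+@\d+\.\d+\.\d+$")  # name@1.2.3 or @scope/name@1.2.3
TRACKED = ("command", "args", "env", "url")


def npx_package(args):
    """Package spec handed to npx: the first argument that is not a flag (-y, --yes)."""
    return next((a for a in args if not a.startswith("-")), None)


def audit_mcp_servers(config, baseline):
    """Findings for the `mcpServers` block; `baseline` is the last audited snapshot."""
    findings = []
    for name, srv in config.get("mcpServers", {}).items():
        # Bullet 1: servers reachable over the network.
        if "url" in srv or srv.get("type") in ("http", "sse"):
            findings.append(f"{name}: network-reachable ({srv.get('url', srv.get('type'))})")
        # Bullet 1: npx without an exact version pin (tags such as @latest count as unpinned).
        if srv.get("command") == "npx":
            pkg = npx_package(srv.get("args", []))
            if pkg is None or not PINNED.match(pkg):
                findings.append(f"{name}: unpinned npx package {pkg!r}")
        # Bullet 2: any drift from the snapshot, e.g. a URL rewritten by a postinstall script.
        prev = baseline.get(name)
        if prev is None:
            findings.append(f"{name}: not in last audited snapshot")
        elif {k: prev.get(k) for k in TRACKED} != {k: srv.get(k) for k in TRACKED}:
            findings.append(f"{name}: definition differs from snapshot")
    return findings


# Constructed sample: a pinned local server, an unpinned local server, and a
# remote SSE server whose URL no longer matches the audited snapshot.
BASELINE = {
    "files": {"command": "npx", "args": ["-y", "@example/mcp-fs@1.4.0", "."]},
    "fetch": {"command": "npx", "args": ["-y", "example-mcp-fetch"]},
    "remote": {"type": "sse", "url": "https://mcp.example.com/sse"},
}
CONFIG = {"mcpServers": {
    "files": BASELINE["files"],
    "fetch": BASELINE["fetch"],
    "remote": {"type": "sse", "url": "https://mcp.rewritten.example/sse"},
}}

if __name__ == "__main__":
    for finding in audit_mcp_servers(CONFIG, BASELINE):
        print("FLAG", finding)
```

Commit the audited `BASELINE` alongside the quarterly findings so the next run diffs against a known-good snapshot rather than against memory.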
## Outcome

Record findings as P0–P3 items in `docs/Открытые_вопросы_v8_3.md` (via the `q-item-add` skill), or as an ADR in `docs/adr/` if a tooling decision results.

## Community auto-auditors — evaluated, deferred (2026-05-17)

The D3 integration evaluated two community plugins that would automate this procedure. Both were deferred:

- **Claude Code Canary** (`geoffrey-young/anthropic-hackathon-2026`) — a one-off hackathon entry (9 commits, 2 stars); the author explicitly disclaims production use. It registers three broad lifecycle hooks (SessionStart, PreToolUse, PostToolUse) and its design relies on the same stderr-injection class it defends against. Rejected — unfit for a global config, and it collides heavily with the project hook chain.
- **Plugin Security Auditor** (an mcpmarket aggregator listing) — source repository, author, and license could not be verified. Installing an unverifiable plugin to perform security auditing is itself a risk-management failure. Deferred until a vetted source is found.

Until a vetted auto-auditor exists, this manual procedure is the D3 control for toolchain attack-surface risk.