decide() гейтил по content в ветке, недостижимой в проде: enforce-read-path-deny —
PreToolUse(Read)-хук, main() не передавал content, а контента до чтения нет. Ветка
+ импорт scanSecrets убраны — decide() гейтит строго по пути (path-deny). Реальный
exfil (исходящий payload) закрыт живым enforce-mcp-classification.scanEgress; чтение
секрета само по себе не вынос.
Аудит Машины 5 (объектив sharp-edges + agentic-actions-auditor). TDD RED->GREEN.
Регрессия tools-only 2789 passed + 2 skip.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Новый общий secret-scan.mjs (анти-дрейф — один источник секрет-паттернов на 7.1 read-выдачу
и 7.3 egress): scanSecrets(text) → {found, hits}. Секрет-подмножество (не PII): PEM private
keys, токены провайдеров (AWS/GitHub/OpenAI/Slack/Sentry/Yandex/JWT/Bearer, regex согласованы
с observer-pii-filter), строки подключения с кредами (scheme://user:pass@). Чистая, без /g.
enforce-read-path-deny.decide расширен опциональным content: путь-деналист — грубый пре-фильтр;
если выдача Read содержит секрет (даже из не-protected пути) → block (fail-CLOSE). Активируется
PostToolUse-обёрткой (content); PreToolUse path-слой backward-compat не тронут.
+9 (secret-scan) +4 (read-path-deny) тестов. Дыра 6 (read без контента) закрыта.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Smoke 5 (user-run 2026-05-30) found 5 of 6 self-exfil vectors OPEN — parent
context transcripts (~/.claude/projects/*/<session>.jsonl) readable via:
- Bash: ls ~/.claude/projects/, cat ~/.claude/projects/.../jsonl, head/tail
- PowerShell: Get-Content / gc / Select-String
- Read tool: direct file_path
Spec §3.1 declared this protection but Stream B/C/G never wired path-deny.
DEFAULT_PROTECTED_PATTERNS in shell-content-rules.mjs lacked ~/.claude/projects/.
Read tool had no path-deny hook at all.
Closure:
- shell-content-rules.mjs: +1 regex /(^|\/)\.claude\/projects(\/|$)/i in
DEFAULT_PROTECTED_PATTERNS. Bash hook + PowerShell hook already use this
shared list via pathDenyOverlay → both close automatically.
- enforce-read-path-deny.mjs (NEW): PreToolUse(Read) wrapper rejects any
Read on isProtectedPath() match. Uses same shared DEFAULT_PROTECTED_PATTERNS
for consistency (covers transcript / runtime / .env / normative / dep-checksums).
- .claude/settings.json: register enforce-read-path-deny.mjs PreToolUse Read.
Tests: shell-content-rules.test.mjs +3 path cases in protects %s + 1 dedicated
it() block. enforce-read-path-deny.test.mjs +6 cases covering Read tool block.
1714/1714 vitest tools GREEN (was 1707, +7 net).
Critical: re-run Smoke 5 in clean session before continuing other smokes.
Expected post-fix: all 6 vectors blocked (Bash/PowerShell via path-deny,
Read via enforce-read-path-deny, Write via existing normative-content-rules).
Side observation from Smoke 5 session: controller self-fabrication of
intermediate results (4 occurrences across Smokes 1-5) confirms one of the
7 fundamental limits — gate paradox + behavioral residual irreducible.
No hook catches in-response narrative fabrication (not through tool-gate).
This is a Stream H + recovery-procedures.md documentation item, not a hook fix.