# Toolchain attack-surface audit (manual procedure)

Part of the `D3 «Аудит и управление рисками»` ("Audit and risk management") section. Run this procedure quarterly, and after any new Claude Code plugin or MCP server is added.

Motivation: the post-ruflo toolchain is large (about 20 ruflo plugins, ~210 MCP tools, and seven MCP servers in `.mcp.json`), and the 2026 disclosures (npm `postinstall` MCP-URL rewriting; the ClaudeBleed script-injection class) make the toolchain itself a standing attack surface.

## 1. MCP servers

- Review every server in `.mcp.json`: `command`, `args`, `env`. Flag any non-pinned `npx` package and any server reachable over the network.
- Confirm no MCP server URL was rewritten by a dependency `postinstall` script.

## 2. Plugins

- List `enabledPlugins` in `~/.claude/settings.json`. For each plugin record its source repo, license, last commit, and the hooks it contributes.
- Flag any plugin that registers a `PreToolUse` hook with `decision: block`.

## 3. Hooks

- Diff the `hooks` blocks of `.claude/settings.json` and `~/.claude/settings.json` against the last audited snapshot. Investigate any unexplained change.

## 4. Permissions

- Review `permissions.allow` and `permissions.deny`: no broadened wildcard and no new unscoped `Bash(*)` beyond what is already recorded.

## 5. Secrets

- Run `gitleaks` over the full history; confirm no token sits in a gitignored cache file.

## Outcome

Record findings as P0–P3 items in `docs/Открытые_вопросы_v8_3.md` (via the `q-item-add` skill), or as an ADR in `docs/adr/` if a tooling decision results.

## Community auto-auditors: evaluated, deferred (2026-05-17)

The D3 integration evaluated two community plugins that would automate this procedure. Both were deferred:

- **Claude Code Canary** (`geoffrey-young/anthropic-hackathon-2026`): a one-off hackathon entry (9 commits, 2 stars); the author explicitly disclaims production use. It registers three broad lifecycle hooks (SessionStart, PreToolUse, PostToolUse), and its design relies on the same stderr-injection class it defends against. Rejected: unfit for a global config, and it collides heavily with the project hook chain.
- **Plugin Security Auditor** (an mcpmarket aggregator listing): source repository, author, and license could not be verified. Installing an unverifiable plugin to perform security auditing is itself a risk-management failure. Deferred until a vetted source is found.

Until a vetted auto-auditor exists, this manual procedure is the D3 control for toolchain attack-surface risk.
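Steps 1, 3 and 4 of the procedure above are mechanical enough to script. The helper below is an added example, not part of this procedure document or of any project tooling: it flags unpinned `npx` packages and network-reachable entries in `.mcp.json`, diffs the `hooks` block against an audited snapshot, and reports new `allow` rules, unscoped `Bash(*)`, and `deny` rules that disappeared. The JSON layouts (`mcpServers` keyed by server name; `hooks` keyed by event; `permissions.allow`/`permissions.deny` as lists of rule strings) and all sample contents are assumptions constructed for the example, not values taken from the real configuration.

```python
"""Added audit helpers for steps 1, 3 and 4 (example code, not project tooling).

The `.mcp.json` and `settings.json` layouts below are assumed for the example;
every server, hook and permission rule is a constructed sample.
"""
import json

# --- constructed sample inputs (not the project's real files) -------------
MCP_JSON = json.loads("""
{
  "mcpServers": {
    "fs-local":   {"command": "npx", "args": ["-y", "@example/fs-mcp@1.4.2", "."]},
    "search":     {"command": "npx", "args": ["-y", "example-search-mcp"]},
    "remote-api": {"type": "http", "url": "https://mcp.example.test/sse"}
  }
}
""")

SNAPSHOT_SETTINGS = json.loads("""
{
  "hooks": {"PreToolUse": [{"matcher": "Bash",
                            "hooks": [{"type": "command", "command": "./hooks/guard.sh"}]}]},
  "permissions": {"allow": ["Bash(npm run *)", "Read(./src/**)"], "deny": ["Read(./.env)"]}
}
""")

CURRENT_SETTINGS = json.loads("""
{
  "hooks": {
    "PreToolUse":  [{"matcher": "Bash",
                     "hooks": [{"type": "command", "command": "./hooks/guard.sh --permissive"}]}],
    "PostToolUse": [{"matcher": "",
                     "hooks": [{"type": "command", "command": "./hooks/log.sh"}]}]
  },
  "permissions": {"allow": ["Bash(npm run *)", "Bash(*)", "Read(./src/**)", "Read(**)"],
                  "deny": []}
}
""")


def _npx_package_spec(args):
    """Return the first non-flag argument, i.e. the package npx would fetch."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def is_pinned(spec):
    """True when an npm package spec carries an explicit version (name@x.y.z)."""
    if spec.startswith("@"):            # scoped package: @scope/name[@version]
        return spec.count("@") == 2
    return "@" in spec


def audit_mcp_servers(cfg):
    """Step 1: (server, finding) pairs for unpinned npx packages and network servers."""
    findings = []
    for name, server in cfg.get("mcpServers", {}).items():
        if "url" in server:             # anything with a URL is reachable over the network
            findings.append((name, "network-reachable server"))
        if server.get("command") == "npx":
            spec = _npx_package_spec(server.get("args", []))
            if spec is None or not is_pinned(spec):
                findings.append((name, f"unpinned npx package: {spec}"))
    return findings


def diff_hooks(snapshot, current):
    """Step 3: map each hook event whose definition differs from the audited snapshot."""
    old, new = snapshot.get("hooks", {}), current.get("hooks", {})
    changed = {}
    for event in sorted(set(old) | set(new)):
        # canonical JSON comparison ignores key order but catches any content change
        if json.dumps(old.get(event), sort_keys=True) != json.dumps(new.get(event), sort_keys=True):
            changed[event] = ("added" if event not in old
                              else "removed" if event not in new else "modified")
    return changed


def audit_permissions(snapshot, current):
    """Step 4: new allow rules, unscoped shell access, and deny rules that vanished."""
    old_p, new_p = snapshot.get("permissions", {}), current.get("permissions", {})
    findings = []
    for rule in new_p.get("allow", []):
        if rule not in old_p.get("allow", []):
            findings.append(("allow", rule, "not in audited snapshot"))
        if rule in ("Bash", "Bash(*)"):
            findings.append(("allow", rule, "unscoped shell access"))
    for rule in old_p.get("deny", []):
        if rule not in new_p.get("deny", []):
            findings.append(("deny", rule, "deny rule removed"))
    return findings


if __name__ == "__main__":
    for item in audit_mcp_servers(MCP_JSON):
        print("MCP     ", item)
    for event, kind in diff_hooks(SNAPSHOT_SETTINGS, CURRENT_SETTINGS).items():
        print("HOOK    ", event, kind)
    for item in audit_permissions(SNAPSHOT_SETTINGS, CURRENT_SETTINGS):
        print("PERMS   ", item)
```

Every finding is a candidate P0–P3 item for the outcome step; the script deliberately reports rather than decides, since a pinned-but-malicious package or a legitimate new hook still needs the human review the procedure calls for. Real use would load the three JSON documents from `.mcp.json`, the audited snapshot, and `.claude/settings.json` / `~/.claude/settings.json` in place of the constructed samples.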