portal/docs/audit
Дмитрий ded07d3a6b docs(d3): correct Security Guidance #40 — blocking hook, not warn-only
SG #40 was characterised across all D3 docs as warn-only / does not block. Verified end-to-end: security_reminder_hook.py does sys.exit(2) — a BLOCKING PreToolUse hook (one-time speed-bump per file+rule per session, the retry passes).

SG2: on this Windows host the bundled hooks.json hardcodes python3, absent from PATH — the hook never spawned (inert). Fixed with a python3.exe shim in the Python install dir (env-only, not in repo).

Normative sync: Tooling v2.5, PSR_v1 v3.5, Pravila v1.19, CLAUDE.md v2.5; ADR-003 amended; automation-graph sec_guidance nd(). Tool counts unchanged (40 positions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 07:29:42 +03:00
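The SG2 finding above (hooks.json hard-codes `python3`, which is not on PATH, so the hook never spawns and a blocking hook protects nothing) can be caught before a session starts. The check below is an added example, not code from this repository or from Anthropic; the hooks.json layout in the constructed sample (`hooks` → event name → matcher groups → command hooks) and the function names `find_inert_hooks` / `audit_hooks_json` are assumptions.

```python
import json
import shlex
import shutil
from typing import Callable, Optional

# Constructed sample of a plugin hooks.json. The nesting is assumed here;
# compare it with the real file before relying on the check.
SAMPLE_HOOKS_JSON = """{
  "hooks": {
    "PreToolUse": [{"matcher": "Write|Edit",
      "hooks": [{"type": "command", "command": "python3 hooks/security_reminder_hook.py"}]}],
    "PostToolUse": [{"matcher": "Bash",
      "hooks": [{"type": "command", "command": "sh hooks/post_bash.sh"}]}]
  }
}"""

# Resolver maps an interpreter name to its path, or None when it is not on PATH.
# shutil.which honours PATHEXT on Windows, so a python3.exe shim makes "python3" resolve.
Resolver = Callable[[str], Optional[str]]


def find_inert_hooks(config: dict, resolve: Resolver = shutil.which) -> list[dict]:
    """Return command hooks whose interpreter (first token) does not resolve on PATH.

    A hook that exits 2 blocks the tool call only if it actually spawns; an
    unresolvable interpreter turns a blocking hook into a silently inert one.
    """
    inert = []
    for event, groups in config.get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") != "command":
                    continue
                cmd = hook.get("command", "")
                tokens = shlex.split(cmd)
                if not tokens:
                    continue
                if resolve(tokens[0]) is None:
                    inert.append({"event": event, "matcher": group.get("matcher", ""),
                                  "interpreter": tokens[0], "command": cmd})
    return inert


def audit_hooks_json(text: str, resolve: Resolver = shutil.which) -> list[dict]:
    """Parse a hooks.json document and report hooks that would never run."""
    return find_inert_hooks(json.loads(text), resolve)


if __name__ == "__main__":
    for h in audit_hooks_json(SAMPLE_HOOKS_JSON):
        print(f"INERT {h['event']} [{h['matcher']}]: '{h['interpreter']}' not on PATH -> {h['command']}")
```

Run against the real hooks.json on each host (the resolver uses that host's PATH), since the same file can be live on one machine and inert on another.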

docs/audit — audit procedures and artifacts

This directory is the home of the D3 «Audit and Risk Management» section of the automation map (docs/automation-graph.html). It holds repeatable audit procedures and their artifacts.

Toolset

  • /security-review — the customized Anthropic security-review command (.claude/commands/security-review.md).
  • Trail of Bits Skills — the trailofbits marketplace audit plugins.
  • Security Guidance — the Anthropic inline-vulnerability hook (blocking PreToolUse, a one-time per-file-and-rule speed-bump).
  • audit-portal — the project skill encoding the 14-phase portal audit.

Boundaries

  • Closed decisions and their residual risks → docs/adr/ (see ADR-003).
  • Open product, business, and legal risks → docs/Открытые_вопросы_v8_3.md.

Procedures

  • toolchain-attack-surface.md — manual audit of the Claude Code plugin and MCP-server attack surface.