portal/docs/audit/toolchain-attack-surface.md
Toolchain attack-surface audit (manual procedure)

Part of the D3 "Audit and risk management" section. Run this procedure quarterly, and again whenever a Claude Code plugin or MCP server is added.

Motivation: the post-ruflo toolchain is large — about 20 ruflo plugins, ~210 MCP tools, and seven MCP servers in .mcp.json — and 2026 disclosures (npm postinstall MCP-URL rewriting; the ClaudeBleed script-injection class) make the toolchain itself a standing attack surface.

1. MCP servers

  • Review every server in .mcp.json: its command, args and env. Flag any npx package that is not pinned to an exact version (a bare package name or @latest resolves to whatever the registry serves at run time) and any server reachable over the network (an http/sse entry with a url).
  • Confirm no MCP server URL was rewritten by a dependency postinstall script: compare the current server entries against the last audited snapshot, not against memory.

2. Plugins

  • List enabledPlugins in ~/.claude/settings.json. For each: source repo, license, last commit, and the hooks it contributes.
  • Flag any plugin that registers a PreToolUse hook with decision: block.

3. Hooks

  • Diff the hooks blocks of .claude/settings.json and ~/.claude/settings.json against the last audited snapshot. Investigate any unexplained change.

4. Permissions

  • Review permissions.allow and permissions.deny — no broadened wildcard and no new unscoped Bash(*) beyond what is already recorded.

5. Secrets

  • Run gitleaks over the full history. A history scan only sees committed objects, so gitignored cache files need a separate working-tree scan (gitleaks detect --no-git, or the equivalent in the installed version); confirm no token sits in any such file.
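The mechanical parts of steps 1, 3 and 4 (server pinning and reachability, snapshot diff of hooks and server entries, permission drift against a recorded baseline) can be scripted. The block below is an added example, not the project's own tooling or part of the D3 control; it assumes the Claude Code layouts of a top-level mcpServers map in .mcp.json and hooks / permissions blocks in settings.json, and every document in it (server names, hook commands, permission rules, the "snapshot" baseline) is constructed for illustration.

```python
"""Offline checks for audit steps 1, 3 and 4 (added example, not project code).

Assumes: .mcp.json has a top-level "mcpServers" map whose entries are either
{"command", "args", "env"} (stdio) or {"type": "http"|"sse", "url"} (remote);
settings.json has "hooks" keyed by event name and "permissions" with
"allow"/"deny" rule lists. All sample documents below are constructed.
"""
import json

# Constructed .mcp.json as currently checked out (not a real project file).
MCP_CURRENT = json.loads("""{
  "mcpServers": {
    "fs":     {"command": "npx", "args": ["-y", "@example/fs-mcp@1.4.2"], "env": {}},
    "search": {"command": "npx", "args": ["-y", "@example/search-mcp"], "env": {"SEARCH_KEY": "set-in-ci"}},
    "remote": {"type": "http", "url": "https://mcp.example.test/sse"}
  }
}""")["mcpServers"]

# Constructed snapshot of the same map from the last audit; the remote URL differs.
MCP_SNAPSHOT = {
    "fs":     {"command": "npx", "args": ["-y", "@example/fs-mcp@1.4.2"], "env": {}},
    "search": {"command": "npx", "args": ["-y", "@example/search-mcp"], "env": {"SEARCH_KEY": "set-in-ci"}},
    "remote": {"type": "http", "url": "https://mcp.internal.example/sse"},
}

# Constructed hooks blocks: snapshot vs current settings.json.
HOOKS_SNAPSHOT = {"PreToolUse": [{"matcher": "Bash", "hooks": [{"type": "command", "command": "./scripts/guard.sh"}]}]}
HOOKS_CURRENT = {
    "PreToolUse":   [{"matcher": "Bash", "hooks": [{"type": "command", "command": "./scripts/guard.sh --relaxed"}]}],
    "SessionStart": [{"hooks": [{"type": "command", "command": "./scripts/banner.sh"}]}],
}

# Constructed permissions block and the rule sets recorded at the last audit.
PERMS_CURRENT = {"allow": ["Bash(git status)", "Bash(npm test)", "Bash(*)", "Read(src/**)"], "deny": ["Read(.env)"]}
BASELINE_ALLOW = {"Bash(git status)", "Bash(npm test)"}
BASELINE_DENY = {"Read(.env)", "Read(~/.aws/**)"}


def is_pinned(pkg: str) -> bool:
    """True only for name@exact-version; scoped names start with '@', so split from the right."""
    name, _, version = pkg.rpartition("@")
    return bool(name) and bool(version) and version != "latest"


def audit_mcp_servers(servers: dict) -> list[str]:
    """Step 1: flag unpinned npx packages and network-reachable servers."""
    findings = []
    for name, spec in servers.items():
        if "url" in spec or spec.get("type") in ("http", "sse"):
            findings.append(f"{name}: network-reachable ({spec.get('url', '?')})")
        if spec.get("command") == "npx":
            pkgs = [a for a in spec.get("args", []) if not a.startswith("-")]
            if not pkgs or not is_pinned(pkgs[0]):
                findings.append(f"{name}: npx package not version-pinned ({pkgs[0] if pkgs else '?'})")
    return findings


def diff_block(current: dict, snapshot: dict) -> list[str]:
    """Steps 1 and 3: report entries added, removed or changed since the snapshot.

    Values are compared as canonical JSON so key order and whitespace do not
    produce false changes; a rewritten server URL or hook command does."""
    def canon(v):
        return json.dumps(v, sort_keys=True)
    out = []
    for key in sorted(set(current) | set(snapshot)):
        if key not in snapshot:
            out.append(f"added: {key}")
        elif key not in current:
            out.append(f"removed: {key}")
        elif canon(current[key]) != canon(snapshot[key]):
            out.append(f"changed: {key}")
    return out


def audit_permissions(perms: dict, baseline_allow: set, baseline_deny: set) -> list[str]:
    """Step 4: new unscoped shell rules, new wildcards, and dropped deny rules."""
    out = []
    for rule in perms.get("allow", []):
        if rule in baseline_allow:
            continue
        if rule in ("Bash", "Bash(*)"):
            out.append(f"new unscoped shell rule: {rule}")
        elif "*" in rule:
            out.append(f"new wildcard rule: {rule}")
        else:
            out.append(f"new rule (not in baseline): {rule}")
    for rule in sorted(baseline_deny - set(perms.get("deny", []))):
        out.append(f"deny rule removed: {rule}")
    return out


def run_audit() -> dict:
    """Collect every finding; an empty list under a key means that step is clean."""
    return {
        "mcp": audit_mcp_servers(MCP_CURRENT),
        "mcp_drift": diff_block(MCP_CURRENT, MCP_SNAPSHOT),
        "hooks_drift": diff_block(HOOKS_CURRENT, HOOKS_SNAPSHOT),
        "permissions": audit_permissions(PERMS_CURRENT, BASELINE_ALLOW, BASELINE_DENY),
    }


if __name__ == "__main__":
    for step, items in run_audit().items():
        print(step, "->", items or "clean")
```

In use, the snapshot dictionaries would be loaded from the JSON captured at the previous audit rather than embedded, and the findings pasted into the P0-P3 items below. The snapshot diff is deliberately keyed on canonical JSON rather than on specific fields, so a rewritten URL, a changed hook command and an added event all surface the same way and nothing is missed because the check did not know to look for it.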

Outcome

Record findings as P0-P3 items in docs/Открытые_вопросы_v8_3.md (via the q-item-add skill), or as an ADR in docs/adr/ if a tooling decision results.

Community auto-auditors — evaluated, deferred (2026-05-17)

The D3 integration evaluated two community plugins that would automate this procedure. Both were deferred:

  • Claude Code Canary (geoffrey-young/anthropic-hackathon-2026): a one-off hackathon entry (9 commits, 2 stars) whose author explicitly disclaims production use. It registers three broad lifecycle hooks (SessionStart, PreToolUse, PostToolUse), and its design relies on the same stderr-injection class it defends against. Rejected: unfit for a global config, and it collides heavily with the project hook chain.
  • Plugin Security Auditor (an mcpmarket aggregator listing): source repository, author and license could not be verified. Installing an unverifiable plugin to perform security auditing is itself a risk-management failure. Deferred until a vetted source is found.

Until a vetted auto-auditor exists, this manual procedure is the D3 control for toolchain attack-surface risk.