liderra/portal
1
0
Fork 0
Code Issues Pull Requests Actions 87 Packages Projects Releases Wiki Activity
Files
d74d3113e51d64dfdfd36afa15589dfb07a2c412
portal/docs/audit/toolchain-attack-surface.md
T

62 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Toolchain attack-surface audit (manual procedure)
Part of the `D3 «Аудит и управление рисками»` section. Run this procedure
quarterly, and after any new Claude Code plugin or MCP server is added.
Motivation: the post-ruflo toolchain is large — about 20 ruflo plugins, ~210
MCP tools, and seven MCP servers in `.mcp.json` — and 2026 disclosures (npm
`postinstall` MCP-URL rewriting; the ClaudeBleed script-injection class) make
the toolchain itself a standing attack surface.
## 1. MCP servers
- Review every server in `.mcp.json``command`, `args`, `env`. Flag any
non-pinned `npx` package and any server reachable over the network.
- Confirm no MCP server URL was rewritten by a dependency `postinstall` script.
## 2. Plugins
- List `enabledPlugins` in `~/.claude/settings.json`. For each: source repo,
license, last commit, and the hooks it contributes.
- Flag any plugin that registers a `PreToolUse` hook with `decision: block`.
## 3. Hooks
- Diff the `hooks` blocks of `.claude/settings.json` and
`~/.claude/settings.json` against the last audited snapshot. Investigate any
unexplained change.
## 4. Permissions
- Review `permissions.allow` and `permissions.deny` — no broadened wildcard and
no new unscoped `Bash(*)` beyond what is already recorded.
## 5. Secrets
- Run `gitleaks` over the full history; confirm no token sits in a gitignored
cache file.
## Outcome
Record findings as P0P3 items in `docs/Открытые_вопросы_v8_3.md` (via the
`q-item-add` skill), or as an ADR in `docs/adr/` if a tooling decision results.
## Community auto-auditors — evaluated, deferred (2026-05-17)
The D3 integration evaluated two community plugins that would automate this
procedure. Both were deferred:
- **Claude Code Canary** (`geoffrey-young/anthropic-hackathon-2026`) — a
one-off hackathon entry (9 commits, 2 stars); the author explicitly
disclaims production use. It registers three broad lifecycle hooks
(SessionStart, PreToolUse, PostToolUse) and its design relies on the same
stderr-injection class it defends against. Rejected — unfit for a global
config and a heavy collision with the project hook chain.
- **Plugin Security Auditor** (an mcpmarket aggregator listing) — source
repository, author, and license could not be verified. Installing an
unverifiable plugin to perform security auditing is itself a risk-management
failure. Deferred until a vetted source is found.
Until a vetted auto-auditor exists, this manual procedure is the D3 control for
toolchain attack-surface risk.
Reference in New Issue View Git Blame Copy Permalink