ded07d3a6b
SG #40 was characterised across all D3 docs as warn-only / does not block. Verified end-to-end: security_reminder_hook.py does sys.exit(2) — a BLOCKING PreToolUse hook (one-time speed-bump per file+rule per session, the retry passes). SG2: on this Windows host the bundled hooks.json hardcodes python3, absent from PATH — the hook never spawned (inert). Fixed with a python3.exe shim in the Python install dir (env-only, not in repo). Normative sync: Tooling v2.5, PSR_v1 v3.5, Pravila v1.19, CLAUDE.md v2.5; ADR-003 amended; automation-graph sec_guidance nd(). Tool counts unchanged (40 positions). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
25 lines
980 B
Markdown
# docs/audit — audit procedures and artifacts

This directory is the home of the `D3 «Аудит и управление рисками»` section of
the automation map (`docs/automation-graph.html`). It holds repeatable audit
procedures and their artifacts.

## Toolset

- `/security-review` — the customized Anthropic security-review command
  (`.claude/commands/security-review.md`).
- Trail of Bits Skills — the `trailofbits` marketplace audit plugins.
- Security Guidance — the Anthropic inline-vulnerability hook (blocking
  `PreToolUse`, a one-time per-file-and-rule speed-bump).
- `audit-portal` — the project skill encoding the 14-phase portal audit.

## Boundaries

- Closed decisions and their residual risks → `docs/adr/` (see ADR-003).
- Open product, business, and legal risks → `docs/Открытые_вопросы_v8_3.md`.

## Procedures

- `toolchain-attack-surface.md` — manual audit of the Claude Code plugin and
  MCP-server attack surface.