---
phase: "05"
slug: per-project-instance-isolation
status: verified
threats_open: 0
asvs_level: 1
created: 2026-04-16
---

# Phase 05 — Security

> Per-phase security contract: threat register, accepted risks, and audit trail.

---

## Trust Boundaries

| Boundary | Description | Data Crossing |
|----------|-------------|---------------|
| Host → Sandbox | bwrap mount namespace | `~/.claude` config, per-project projects/ dir, history.jsonl, credentials |
| Sandbox → Host FS | Per-project instance dir | Conversation history, project state (scoped to hash dir) |

---

## Threat Register

| Threat ID | Category | Component | Disposition | Mitigation | Status |
|-----------|----------|-----------|-------------|------------|--------|
| T-05-01 | Tampering | Symlink resolution in `compute_canonical_root` | mitigate | `readlink -f` used to resolve symlinks before hashing; prevents symlink-based path manipulation | closed |
| T-05-02 | Tampering | bwrap overlay mount ordering | mitigate | Direct `~/.claude` bind applied first; per-project projects/ overlay applied after — last-mount-wins semantics correctly isolate per-project state | closed |
| T-05-03 | Injection | INSTANCE_HASH used in filesystem path | mitigate | Hash is hex-only (sha256sum output, `cut -c1-16`); no user-controlled input enters path construction | closed |
| T-05-04 | Information Disclosure | Cross-project Claude projects/ data | mitigate | Each project gets its own `~/.claudebox/projects/$INSTANCE_HASH/` mounted over `~/.claude/projects/`; project A data invisible in project B sandbox | closed |
| T-05-07 | Tampering | GC function path traversal | mitigate | `gc_instances()` scoped exclusively to `$HOME/.claudebox/projects/*/`; cannot escape to arbitrary filesystem paths | closed |

*Status: open · closed*
*Disposition: mitigate (implementation required) · accept (documented risk) · transfer (third-party)*

---

## Accepted Risks Log

No accepted risks.

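The T-05-01 and T-05-03 mitigations from the Threat Register, sketched as an added example that is not the project's own code. The function names `canonical_root`, `instance_hash`, `instance_dir` and `demo`, and the choice to hash the resolved path string itself, are assumptions; only `readlink -f`, `sha256sum`, `cut -c1-16` and the `~/.claudebox/projects/` layout come from the register.

```bash
#!/bin/sh
# Added example: hypothetical helpers, not the project's implementation.

# T-05-01: resolve symlinks first, so every alias of a project directory
# yields one canonical path and therefore one instance.
canonical_root() {
    readlink -f -- "$1"
}

# T-05-03: derive the instance id from the canonical path only.
# Assumption: the hashed input is the resolved path string, no trailing newline.
instance_hash() {
    local root hash
    root=$(canonical_root "$1") || return 1
    [ -d "$root" ] || return 1          # refuse paths that are not real directories
    hash=$(printf '%s' "$root" | sha256sum | cut -c1-16)
    # Fail closed unless the id is exactly 16 lowercase hex characters,
    # so nothing like "/" or ".." can ever reach path construction.
    case "$hash" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hash}" -eq 16 ] || return 1
    printf '%s\n' "$hash"
}

# Build the per-project directory named in T-05-04 from the validated id.
instance_dir() {
    local hash
    hash=$(instance_hash "$1") || return 1
    printf '%s/.claudebox/projects/%s\n' "$HOME" "$hash"
}

# Constructed demonstration: a directory and a symlink alias to it
# must map to the same instance id.
demo() {
    local tmp a b
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/project" && ln -s "$tmp/project" "$tmp/alias"
    a=$(instance_hash "$tmp/project") && b=$(instance_hash "$tmp/alias")
    rm -rf "$tmp"
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```
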

---

## Security Audit Trail

| Audit Date | Threats Total | Closed | Open | Run By |
|------------|---------------|--------|------|--------|
| 2026-04-16 | 5 | 5 | 0 | gsd-secure-phase (from summaries) |

---

## Sign-Off

- [x] All threats have a disposition (mitigate / accept / transfer)
- [x] Accepted risks documented in Accepted Risks Log
- [x] `threats_open: 0` confirmed
- [x] `status: verified` set in frontmatter

**Approval:** verified 2026-04-16