| phase | slug | status | threats_open | asvs_level | created |
|---|---|---|---|---|---|
| 05 | per-project-instance-isolation | verified | 0 | 1 | 2026-04-16 |
Phase 05 — Security
Per-phase security contract: threat register, accepted risks, and audit trail.
Trust Boundaries
| Boundary | Description | Data Crossing |
|---|---|---|
| Host → Sandbox | bwrap mount namespace | ~/.claude config, per-project projects/ dir, history.jsonl, credentials |
| Sandbox → Host FS | Per-project instance dir | Conversation history, project state (scoped to hash dir) |
Threat Register
| Threat ID | Category | Component | Disposition | Mitigation | Status |
|---|---|---|---|---|---|
| T-05-01 | Tampering | Symlink resolution in compute_canonical_root | mitigate | readlink -f used to resolve symlinks before hashing; prevents symlink-based path manipulation | closed |
| T-05-02 | Tampering | bwrap overlay mount ordering | mitigate | Direct ~/.claude bind applied first; per-project projects/ overlay applied after — last-mount-wins semantics correctly isolate per-project state | closed |
| T-05-03 | Injection | INSTANCE_HASH used in filesystem path | mitigate | Hash is hex-only (sha256sum output, cut -c1-16); no user-controlled input enters path construction | closed |
| T-05-04 | Information Disclosure | Cross-project Claude projects/ data | mitigate | Each project gets its own ~/.claudebox/projects/$INSTANCE_HASH/ mounted over ~/.claude/projects/; project A data invisible in project B sandbox | closed |
| T-05-07 | Tampering | GC function path traversal | mitigate | gc_instances() scoped exclusively to $HOME/.claudebox/projects/*/; cannot escape to arbitrary filesystem paths | closed |
Status: open · closed
Disposition: mitigate (implementation required) · accept (documented risk) · transfer (third-party)
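The mitigations recorded for T-05-01 and T-05-03, sketched as an added example that is not the project's own code. `compute_canonical_root` is named in the register but its body here is assumed, and `compute_instance_hash` and `instance_dir` are hypothetical helpers.

```shell
#!/bin/sh
# Added illustration of T-05-01 / T-05-03. Function bodies are assumptions,
# not the project's implementation. Each function body is a subshell, so
# variables stay local and `exit` only leaves that function.

# T-05-01: resolve symlinks and ".." so every alias of a project directory
# yields the same canonical path before it is hashed.
compute_canonical_root() (
    [ -n "$1" ] || exit 1
    readlink -f -- "$1"
)

# T-05-03: the identifier is the first 16 hex characters of the SHA-256 of
# the canonical path; the raw path text never becomes a path component.
compute_instance_hash() (
    root=$(compute_canonical_root "$1") || exit 1
    [ -n "$root" ] || exit 1
    printf '%s' "$root" | sha256sum | cut -c1-16
)

# Build <base>/<hash>, failing closed unless the hash is exactly 16
# lowercase hex characters (makes the "hex-only" invariant explicit).
instance_dir() (
    base=$1
    hash=$(compute_instance_hash "$2") || exit 1
    case $hash in
        *[!0-9a-f]*) exit 1 ;;
    esac
    [ "${#hash}" -eq 16 ] || exit 1
    printf '%s/%s\n' "$base" "$hash"
)

# Stand-alone use: print the instance directory for the path given as $1.
if [ "$#" -gt 0 ]; then
    instance_dir "$HOME/.claudebox/projects" "$1"
fi
```
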
Accepted Risks Log
No accepted risks.
Security Audit Trail
| Audit Date | Threats Total | Closed | Open | Run By |
|---|---|---|---|---|
| 2026-04-16 | 5 | 5 | 0 | gsd-secure-phase (from summaries) |
Sign-Off
- All threats have a disposition (mitigate / accept / transfer)
- Accepted risks documented in Accepted Risks Log
- threats_open: 0 confirmed
- status: verified set in frontmatter
Approval: verified 2026-04-16