Security: gtapps/claude-code-hermit

docs/security.md

Security

Safety model for autonomous hermit agents — deny patterns, defense in depth, and operational recommendations.


Important: Deny patterns are blocklist-based string matches. They block known dangerous commands but cannot prevent all harmful invocations. Always use container isolation when running with bypassPermissions. See Known Limitations below.

Deny Patterns

Block tool invocations regardless of permission mode. Generated by /claude-code-hermit:hatch (step 9) or /claude-code-hermit:docker-setup. Canonical source: state-templates/deny-patterns.json.

Default set (all deployments)

{
  "permissions": {
    "deny": [
      "Bash(rm -rf *)",
      "Bash(chmod 777*)",
      "Bash(*sudo *)",
      "Bash(*> /etc/*)",
      "Bash(curl * | bash*)",
      "Bash(wget * | bash*)",
      "Bash(env)",
      "Bash(printenv)",
      "Bash(cat .env*)",
      "Bash(cat */.env*)",
      "Bash(cat ~/.ssh/*)",
      "Bash(cat ~/.aws/*)",
      "Bash(*API_KEY*)",
      "Bash(*SECRET*)",
      "Bash(*TOKEN*)",
      "Edit(**/.claude-code-hermit/OPERATOR.md)",
      "Write(**/.claude-code-hermit/OPERATOR.md)"
    ]
  }
}

Always-on additions (Docker / tmux)

{
  "permissions": {
    "deny": [
      "Bash(ssh *)",
      "Bash(docker *)",
      "Bash(kubectl *)",
      "Bash(npm publish*)",
      "Bash(git push --force*)",
      "Bash(git push origin main*)",
      "Bash(git reset --hard*)",
      "Bash(*--no-verify*)"
    ]
  }
}

/claude-code-hermit:docker-setup applies both sets (default + always-on). /claude-code-hermit:hatch hardened mode applies both sets minus docker/kubectl/ssh (valid on host). Hatch minimal mode applies the default set only.
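As an added illustration (not code from the project), the following Python composes the deny list for each of the three modes described above and checks a proposed tool invocation against it, so an operator can confirm which rule would block a given command before enabling bypassPermissions. It assumes a `Tool(pattern)` rule behaves as a case-sensitive shell glob over the tool's argument string; Claude Code's real matcher may differ in details.

```python
import fnmatch
import json

# Constructed copy of the two deny sets shown on this page; the project's canonical
# source is state-templates/deny-patterns.json (not read here so the example runs offline).
DEFAULT_DENY = [
    "Bash(rm -rf *)", "Bash(chmod 777*)", "Bash(*sudo *)", "Bash(*> /etc/*)",
    "Bash(curl * | bash*)", "Bash(wget * | bash*)", "Bash(env)", "Bash(printenv)",
    "Bash(cat .env*)", "Bash(cat */.env*)", "Bash(cat ~/.ssh/*)", "Bash(cat ~/.aws/*)",
    "Bash(*API_KEY*)", "Bash(*SECRET*)", "Bash(*TOKEN*)",
    "Edit(**/.claude-code-hermit/OPERATOR.md)", "Write(**/.claude-code-hermit/OPERATOR.md)",
]
ALWAYS_ON_DENY = [
    "Bash(ssh *)", "Bash(docker *)", "Bash(kubectl *)", "Bash(npm publish*)",
    "Bash(git push --force*)", "Bash(git push origin main*)", "Bash(git reset --hard*)",
    "Bash(*--no-verify*)",
]
# Rules hatch hardened mode drops because those commands are valid on the host.
HOST_VALID = {"Bash(ssh *)", "Bash(docker *)", "Bash(kubectl *)"}


def deny_set_for(mode):
    """Compose the deny list the page describes for each deployment mode."""
    if mode == "docker-setup":
        return DEFAULT_DENY + ALWAYS_ON_DENY
    if mode == "hatch-hardened":
        return DEFAULT_DENY + [r for r in ALWAYS_ON_DENY if r not in HOST_VALID]
    if mode == "hatch-minimal":
        return list(DEFAULT_DENY)
    raise ValueError(f"unknown mode: {mode}")

def settings_json(mode):
    """Render the settings.json permissions block for a mode."""
    return json.dumps({"permissions": {"deny": deny_set_for(mode)}}, indent=2)

def first_matching_rule(deny, tool, argument):
    """Return the first deny rule matching Tool(argument), or None.
    ASSUMPTION: 'Tool(pattern)' is treated as a case-sensitive shell glob over the
    argument string; Claude Code's real matcher may differ in details."""
    for rule in deny:
        rule_tool, _, rest = rule.partition("(")
        pattern = rest[:-1] if rest.endswith(")") else rest
        if rule_tool == tool and fnmatch.fnmatchcase(argument, pattern):
            return rule
    return None

def uncovered(deny, invocations):
    """Coverage check: which expected-blocked (tool, argument) pairs no rule matches."""
    return [(t, a) for t, a in invocations if first_matching_rule(deny, t, a) is None]
```

Feed `uncovered()` the invocations you expect a mode to block; anything it returns is a gap that only container and mount isolation, not the blocklist, will cover.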


Defense in Depth

| Layer | Where | Enforcement |
| --- | --- | --- |
| Deny patterns | settings.json | Mechanical* |
| Agent-level rules | agents/*.md | Instruction-following |
| Hook enforcement | hooks.json | Mechanical |
| Config isolation | Named volume | Mechanical |
| Container isolation | Docker/VM | Mechanical |
| OPERATOR.md | OPERATOR.md | Instruction-following |

* Deny rule caveat: There are reported bugs where Edit/Write deny rules in settings.json are not always enforced — Claude Code has been observed editing files that match a deny pattern. Deny rules are the correct approach and best available option, but can't be treated as airtight today. For OPERATOR.md specifically, Claude Code's built-in .claude/ directory protection adds a second layer. Combined, OPERATOR.md modification is unlikely but not impossible until Anthropic fixes deny rule enforcement.


Recommendations

  • Strict hook profile for always-on agents (no performance penalty)
  • Session budget of $5-10 for overnight sessions
  • Heartbeat for 24/7 monitoring — detects stalled agents, changed conditions, rate limits
  • Network: allow only api.anthropic.com, your channel API, and github.com when possible
  • Secrets: don't mount ~/.aws/, ~/.ssh/ into containers. Use scoped API keys.
  • Review session reports before pushing — check for leaked paths, credentials, or connection strings

Known limitations

  • Egress filtering is documented but not enforced. Bridge networking isolates from localhost but the container can still reach the internet. A successful prompt injection can exfiltrate data to external hosts. Future: iptables rules or Docker network egress policy in the wizard.
  • No input sanitization. Content fetched from external APIs enters Claude's context unsanitized. Deny patterns cannot catch injection via fetched content — that's an instruction-following boundary, not a mechanical one. Future: pre-processing hook that strips known injection patterns.
  • Deny patterns are a blocklist. They catch commands you anticipated. Equivalent commands not on the list execute normally. Bind mount scope and network isolation are stronger defenses for novel attacks.

Security Checklist

  • Docker/VM if using permission_mode: "bypassPermissions" — see Always-On Setup
  • Non-root user inside container
  • Deny patterns configured
  • Config isolation via named volume (default) — no host ~/.claude bind-mount
  • No host mounts beyond project directory
  • No production credentials accessible
  • Strict hook profile
  • Session budget set
  • Heartbeat enabled
  • OPERATOR.md includes approval constraints and hard rules
  • Session reports reviewed before pushing
  • state/ directory gitignored (contains runtime observations, not config)
  • Only official plugins (claude-plugins-official) in docker.recommended_plugins
  • Third-party plugins installed manually after review — not auto-installed

Plugin Security

Plugins run with the same permissions as Hermit. In Docker mode (bypassPermissions), this means full unrestricted execution — no permission prompts, no human review.

Policy: The entrypoint only auto-installs plugins from claude-plugins-official (Anthropic's official marketplace). Third-party plugins are never auto-installed, regardless of config. They must be installed manually inside the container after the operator reviews the plugin source.

No auto-updates: The entrypoint installs plugins on first boot but never auto-updates them. Plugin updates are operator-initiated via /claude-code-hermit:hermit-evolve or image rebuild.

Hermit does not vet, audit, or take responsibility for any plugin. Even official plugins should be understood before enabling. You are responsible for evaluating what you install.

See Recommended Plugins for the full list and installation instructions.