Security Model
claude-code's security architecture has 8 layers from build-time elimination to server-side kill switches. Despite this depth, a fundamental architectural critique applies: the safety mechanism and the attack surface are the same thing.
Eight Security Layers
| # | Layer | Mechanism |
|---|---|---|
| 1 | Build-time elimination | Bun dead-code strips internal features from external binary |
| 2 | Server-side flags | growthbook kill switches — tengu_* flags disable behaviors remotely |
| 3 | Configuration rules | 8-source priority system with user settings highest priority |
| 4 | AI safety classifier | auto-mode-classifier — separate Sonnet call evaluates risk |
| 5 | Dangerous pattern detection | Hardcoded blocks for interpreters, networking, privilege escalation |
| 6 | Filesystem validation | Symlink escape prevention, glob containment |
| 7 | Trust dialog | Explicit consent for project-scoped dangerous settings |
| 8 | Bypass kill switch | Instant server-side disable without client update |
Known Attack Vectors
Compaction Laundering
The compaction-pipeline can launder malicious instructions: content in CLAUDE.md or any read file survives compaction and emerges as "genuine user directives." The model is cooperative — it follows what it believes are user instructions.
Bash Security Bypasses
The bash-security validator chain has 3 structural vulnerabilities: early-allow short-circuits, three-parser differentials, and the 50-subcommand deny-cap overflow (CVE patched in v2.1.90).
False Claims Rate
three-layer-verification documents a 29-30% false-claims rate. The verification gate is employee-only (USER_TYPE === 'ant'), leaving external users with no post-edit verification.
The One-Sentence Critique
Canyon Road's analysis across 14 AI tool CVEs in 12 months: "The safety mechanism and the attack surface were the same thing." All four Claude Code CVEs share this root cause — the safety enforcement boundary is inside the model's reasoning layer, not below it.
Anti-Distillation
anti-distillation-defenses: fake tools, signed chain-of-thought, native-attestation (Zig DRM), and system-prompt-fingerprinting prevent competitors from reverse-engineering Claude Code's behavior through API observation.