# Security Threat Model
- Episode ID: `epi-20260409-48f2f9f7d2ca`
- Scope: `shared`
- Created: `2026-04-09T20:23:03Z`
## Question
What are the security vulnerabilities and attack vectors in Claude Code?
## Summary
Claude Code has 8 security layers, from build-time elimination to server-side kill switches. Fundamental vulnerabilities remain despite this because the safety mechanism and the attack surface are the same thing: safety enforcement lives inside the model's reasoning layer rather than below it. Key attack vectors: compaction laundering (malicious CLAUDE.md instructions survive context compaction), the 50-subcommand deny-cap bypass (Adversa AI CVE), 3-parser bash differentials, and early-allow short-circuits in validators. The 29-30% false-claims rate and the 3.2% secret-leak rate (roughly 2x baseline) are measurable consequences of missing post-edit verification in external builds.
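The three validator failure classes named above (an early-allow short-circuit, a deny check that stops after a fixed number of subcommands, and a parser differential where the validator's tokenizer and the shell disagree on the first word of a segment) in a toy permission validator, vulnerable and hardened side by side. This is an added example written for this page, not Claude Code's code and not the Adversa AI proof of concept; the deny-list, the allow-list, the separator handling and the cap of exactly 50 segments are assumptions, and the test commands are constructed.

```python
import re
import shlex
from typing import List, Optional

# Constructed toy validator illustrating the failure classes named in the summary.
# Not Claude Code's implementation; lists, cap and separator handling are assumptions.
DENY = {"rm", "curl", "wget", "sudo"}          # hypothetical deny-list
ALLOW = {"ls", "cat", "echo", "git"}           # hypothetical allow-list
SEGMENT_CAP = 50                               # cap size the page cites, assumed here
SEPARATOR = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
SUBSTITUTION = re.compile(r"\$\(|`|<\(|>\(")


def split_segments(cmd: str) -> List[str]:
    """Split a compound command on &&, ||, ; and | (toy operator set)."""
    return [s for s in SEPARATOR.split(cmd) if s.strip()]


def naive_word(segment: str) -> Optional[str]:
    """Parser A: first whitespace-delimited token, quotes left in place."""
    parts = segment.split()
    return parts[0] if parts else None


def shell_word(segment: str) -> Optional[str]:
    """Parser B: first token after POSIX-style quote removal (closer to what bash runs)."""
    try:
        parts = shlex.split(segment)
    except ValueError:
        return None
    return parts[0] if parts else None


def weak_validate(cmd: str) -> str:
    """Vulnerable pattern: early allow, capped deny scan, a single naive parser."""
    segs = split_segments(cmd)
    if segs and naive_word(segs[0]) in ALLOW:
        return "allow"                         # short-circuit: later segments never inspected
    for seg in segs[:SEGMENT_CAP]:             # segments past the cap never inspected
        if naive_word(seg) in DENY:
            return "deny"
    return "allow"


def strong_validate(cmd: str) -> str:
    """Hardened pattern: every segment checked, allow-list only, fail closed on doubt."""
    segs = split_segments(cmd)
    if not segs:
        return "deny"
    for seg in segs:
        if SUBSTITUTION.search(seg):
            return "deny"                      # nested commands are not tokenised here: refuse
        a, b = naive_word(seg), shell_word(seg)
        if a is None or b is None or a != b:
            return "deny"                      # parsers disagree or unparseable: fail closed
        if b in DENY or b not in ALLOW:
            return "deny"
    return "allow"


# Constructed inputs, one per bypass class.
EARLY_ALLOW = "ls -la; rm -rf /tmp/work"
OVER_CAP = "; ".join(["true"] * SEGMENT_CAP + ["rm -rf /tmp/work"])
DIFFERENTIAL = "'r'm -rf /tmp/work"           # bash runs rm; the naive parser sees 'r'm
SUBST = "echo $(rm -rf /tmp/work)"
BENIGN = "git status && ls"

if __name__ == "__main__":
    cases = [("early-allow", EARLY_ALLOW), ("over-cap", OVER_CAP),
             ("differential", DIFFERENTIAL), ("substitution", SUBST), ("benign", BENIGN)]
    for name, cmd in cases:
        print(f"{name:13} weak={weak_validate(cmd):5} strong={strong_validate(cmd)}")
```

Each of the first four constructed commands is allowed by `weak_validate` and denied by `strong_validate`; the benign one passes both. The hardened function is a pattern, not a complete bash policy engine: the point it demonstrates is that a validator must inspect every segment, must not stop at a fixed count, and must either tokenise exactly as the shell does or refuse when its parsers disagree.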
## Findings
- Compaction laundering turns a cooperative model into an unwitting proxy — the model is not jailbroken, the context is weaponized
- 4 CVEs share the same root cause: safety boundary is inside the model reasoning layer, not below it
- Auto mode classifier has 17% false-negative rate on real overeager actions
- Claude Code commits leak secrets at a 3.2% rate vs a 1.5% baseline (GitGuardian 2026)
## Lessons
- The safety mechanism and the attack surface are the same thing — Canyon Road one-sentence critique
- Self-verification does not work for LLMs — a 3-layer agent-verifier-auditor system is needed
## References
none