llm-safe-haven
mcp
Basarisiz
Health Uyari
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Basarisiz
- os.homedir — User home directory access in hooks/audit-logger.js
- process.env — Environment variable access in hooks/audit-logger.js
- fs module — File system access in hooks/audit-logger.js
- rm -rf — Recursive force deletion command in hooks/bash-firewall.js
- process.env — Environment variable access in hooks/bash-firewall.js
- exec() — Shell command execution in hooks/config-guard.js
- fs module — File system access in lib/agents/aider.js
Permissions Gecti
- Permissions — No dangerous permissions requested
Bu listing icin henuz AI raporu yok.
One-liner for AI solo developers to fasten the security bolts on their systems
README.md
LLM Safe Haven
Harden your AI coding agent in 60 seconds.
npx llm-safe-haven
What It Does
Detects your installed agents, installs security hooks, and scores your setup:
LLM Safe Haven -- Security Scorecard
Detected agents:
+ Claude Code -- Level 3 (hooks + audit + sandbox)
+ Cursor -- Level 1 (ignore files + advice)
. Windsurf -- not installed
Security Level: 2 of 4
+--------------------------------------+
| ##########.......... Level 2: Guarded |
+--------------------------------------+
Supported Agents
| Agent | Tier | What It Configures |
|---|---|---|
| Claude Code | Full | Hooks (bash-firewall, secret-guard, config-guard, audit-logger), settings.json, sandbox, audit logging |
| Cursor | Solid | .cursorignore, workspace trust guidance |
| Windsurf | Solid | .codeiumignore, limitation warnings |
| Cline | Solid | .clineignore |
| Continue.dev | Solid | .continueignore |
| Aider | Solid | .aiderignore, .env warnings |
| Codex CLI | Solid | .codexignore, sandbox guidance |
Commands
npx llm-safe-haven # Install hooks and harden (default)
npx llm-safe-haven audit # Check security posture
npx llm-safe-haven audit --json # Machine-readable for CI
npx llm-safe-haven scan # Find exposed .env files
npx llm-safe-haven scan --supply-chain # Scan for Miasma/Shai-Hulud IOCs (macOS/Linux)
npx llm-safe-haven update # Update hooks to latest
npx llm-safe-haven --dry-run # Preview without changing anything
Security Levels
| Level | Name | What It Means |
|---|---|---|
| 0 | Exposed | No hardening |
| 1 | Basic | Hooks installed |
| 2 | Guarded | + Audit logging + no .env files |
| 3 | Hardened | + Credential proxy + deny rules |
| 4 | Fortified | + Container isolation + network restrictions |
Go Deeper
- Threat Model -- OWASP Agentic Top 10 for solo devs (30+ real incidents)
- Supply Chain Defense -- npm worm case studies + the
scan --supply-chainIOC scanners - Claude Code Hardening -- Full guide with hooks, sandbox, permissions
- Cursor Hardening -- 7 CVEs documented, hardening steps
- Windsurf Hardening -- Honest assessment of limitations
- Devin Hardening -- Cloud agent security model
- GitHub Copilot Hardening -- 4 modes, 5 CVEs
- Aider Hardening -- No sandbox, but minimal attack surface
- Credential Management -- Why env vars fail, proxy architecture
- Testing & Detection -- Canary tokens, honeypots, incident response
- References -- 64+ curated security resources
Why This Exists
In April 2026, three AI coding agents leaked secrets through a single prompt injection.
We hit the same problems, filed issues, built solutions, and documented everything.
Key issues from our investigation:
- anthropics/claude-code#52471 -- Sandbox blocks credential managers
Contributing
Add a new agent module: create lib/agents/your-agent.js implementing the standard
interface (detect, harden, audit). See lib/agents/cursor.js
for a template.
License
Yorumlar (0)
Yorum birakmak icin giris yap.
Yorum birakSonuc bulunamadi