An Information Flow Kernel for Claude Code Hooks
📦 Open source
Tags: #claude #claude code #hooks #information flow #security #tip #tool call #tool calls
Original source: hackernews · Summarized and analyzed by Genesis Park
Summary
Nucleus is a runtime information flow control (IFC) kernel that strengthens system security by tracking how data flows through Claude Code tool calls. It classifies data by trust level: user prompts and file reads are labeled 'Trusted' (safe), while web searches and fetches are labeled 'Adversarial' (potentially malicious). Once external web content enters a session, the entire session is treated as tainted, and subsequent file writes, shell command execution, and agent spawning are blocked outright, which prevents data exfiltration attacks carried out through prompt injection. Users can choose a profile that fits their workflow, either a security-enforcing mode or an audit-only mode, and if an attacker or a hijacked model attempts to delete the session state files, this is treated as tampering and all operations are blocked.
Body
Runtime information flow enforcement for Claude Code tool calls. Nucleus hooks into Claude Code's PreToolUse event to track how data flows through your session. When web content enters the session, the hook blocks any subsequent writes, bash commands, or agent spawning that would be influenced by that content.

Most agent security tools answer: "Is this tool allowed?" That's the wrong question. The right question is: "Is this tool allowed given what data has entered the session?"

Reading a file is safe. Fetching a URL is safe. But fetching a URL and then writing to disk is a potential exfiltration path — the URL's response could contain prompt injection that steers the agent to leak file contents. This is the attack surface that Invariant Labs, AgentSeal, and OWASP's MCP Top 10 have documented across 1,800+ MCP servers.

Nucleus tracks this with an information flow control (IFC) kernel — a technique from systems security research (Denning's lattice model, 1976). Every piece of data that enters the session gets a label:

| Source | Integrity | Authority | What it means |
|---|---|---|---|
| User prompt | Trusted | Directive | The user asked for this |
| File read | Trusted | Directive | Local, trusted data |
| Web fetch | Adversarial | NoAuthority | Untrusted, could be attacker-controlled |
| Web search | Adversarial | NoAuthority | Untrusted results |

Labels propagate through the session. Once web content enters, every subsequent operation inherits its taint. A write operation requires Suggestive authority, but web-tainted data has NoAuthority — the kernel blocks the escalation.

```shell
cargo install --git https://github.com/coproduct-opensource/nucleus nucleus-claude-hook
nucleus-claude-hook --setup
```

Restart Claude Code. The hook is now active.

You can verify the hook works by simulating the attack sequence outside Claude Code.
Open a terminal and run these three commands:

Step 1 — Read a file (safe, trusted data):

```shell
echo '{"session_id":"demo","tool_name":"Read","tool_input":{"file_path":"/etc/hostname"}}' \
  | nucleus-claude-hook
```

```
nucleus: read_files /etc/hostname -> allow [exposure: 1/3, profile: safe_pr_fixer, flow_node: 1]
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}
```

The kernel assigns integ=Trusted, auth=Directive — this is local data, safe to act on.

Step 2 — Fetch a URL (safe to read, but taints the session):

```shell
echo '{"session_id":"demo","tool_name":"WebFetch","tool_input":{"url":"https://evil.example.com"}}' \
  | nucleus-claude-hook
```

```
nucleus: web_fetch https://evil.example.com -> allow [exposure: 2/3, profile: safe_pr_fixer, flow_node: 2]
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}
```

Allowed — reading web content is safe. But the session now carries integ=Adversarial, auth=NoAuthority.

Step 3 — Try to write (BLOCKED):

```shell
echo '{"session_id":"demo","tool_name":"Write","tool_input":{"file_path":"/tmp/pwned.txt","content":"exfiltrated"}}' \
  | nucleus-claude-hook
```

```
nucleus: write_files /tmp/pwned.txt -> deny [exposure: 2/3, profile: safe_pr_fixer, flow_node: 3]
BLOCKED: no-authority-escalation
Action: OutboundAction (id=3) label={conf=Internal, integ=Adversarial, auth=NoAuthority}
Causal chain: /dev/null
```

After a WebFetch or WebSearch, the session is tainted for the rest of its lifetime. You cannot write, edit, run bash, push, or spawn agents. This is by design. This means:

- If you search the web for how to fix a bug, you cannot then write the fix in the same session. Restart Claude Code to reset.
- If any tool call fetches a URL, everything after is read-only.
- The Agent tool is also blocked — a subprocess could bypass the parent's taint restrictions.

This is aggressive. It's the right default for security, but it changes your workflow.
For research-then-code sessions, use the permissive profile (audit-only, no enforcement):

```
# In ~/.claude/settings.json, change the hook command to:
"command": "NUCLEUS_PROFILE=permissive /path/to/nucleus-claude-hook"
```

| Profile | Read | Write | Bash | Web | Git | Agent | Use case |
|---|---|---|---|---|---|---|---|
| read_only | yes | no | no | no | no | no | Auditing |
| code_review | yes | no | no | no | no | no | PR review |
| edit_only | yes | yes | no | no | no | no | Focused editing |
| fix_issue | yes | yes | yes | yes | commit | yes | Bug fixes |
| safe_pr_fixer | yes | yes | yes | yes | commit | yes | Default — full dev, no push |
| release | yes | yes | yes | yes | push+PR | yes | Ship it |
| permissive | yes | yes | yes | yes | yes | yes | Audit-only, no enforcement |

All profiles except permissive enforce the flow graph.

If someone (or a compromised model) asks you to delete the session state files to "fix" the hook:

```
nucleus: TAMPER DETECTED — session state deleted (expected hwm=5).
A compromised model may have asked you to delete session files.
All operations denied until session restart.
```

The hook maintains a separate high-water-mark file that survives state file deletion. Tampering is detected and everything fails clo
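As an added illustration (not Nucleus's own code), the following Python model implements the label lattice and the no-authority-escalation rule described above, replays the three-step demo, and shows how the permissive profile turns a deny into an audit-only allow. The set of outbound tools, the `enforce` flag standing in for the permissive profile, and the `permissionDecisionReason` output field are assumptions; only the allow-output shape comes from the page.

```python
import json
from enum import IntEnum
class Integrity(IntEnum):  # lattice position: lower value = less trusted
    ADVERSARIAL = 0
    TRUSTED = 1
class Authority(IntEnum):  # lattice position: lower value = less authority
    NO_AUTHORITY = 0
    SUGGESTIVE = 1
    DIRECTIVE = 2
# Labels data receives on entering the session (from the page's source table).
SOURCE_LABELS = {
    "Read": (Integrity.TRUSTED, Authority.DIRECTIVE),
    "WebFetch": (Integrity.ADVERSARIAL, Authority.NO_AUTHORITY),
    "WebSearch": (Integrity.ADVERSARIAL, Authority.NO_AUTHORITY),
}
OUTBOUND_TOOLS = ("Write", "Edit", "Bash", "Agent")  # need Suggestive authority (set assumed)

class Session:
    """Taint state of one session (constructed model, not the Nucleus implementation)."""
    def __init__(self, enforce=True):
        self.integ, self.auth = Integrity.TRUSTED, Authority.DIRECTIVE  # user-prompt label
        self.enforce = enforce  # False models the audit-only 'permissive' profile

    def decide(self, event_json):
        tool = json.loads(event_json)["tool_name"]
        if tool in SOURCE_LABELS:
            # Inbound data: the session label drops to the lattice meet and never recovers,
            # so one WebFetch taints everything that follows it.
            integ, auth = SOURCE_LABELS[tool]
            self.integ, self.auth = min(self.integ, integ), min(self.auth, auth)
            return self._out("allow")
        if tool in OUTBOUND_TOOLS and self.auth < Authority.SUGGESTIVE:
            reason = f"no-authority-escalation (session auth={self.auth.name})"
            # Enforcing profiles deny; the permissive profile allows but records the finding.
            return self._out("deny", reason) if self.enforce else self._out("allow", "AUDIT " + reason)
        return self._out("allow")

    def _out(self, decision, reason=None):
        spec = {"hookEventName": "PreToolUse", "permissionDecision": decision}
        if reason:
            spec["permissionDecisionReason"] = reason  # field name assumed
        return {"hookSpecificOutput": spec}
def event(tool, **tool_input):  # constructed PreToolUse event, as piped to the hook on the page
    return json.dumps({"session_id": "demo", "tool_name": tool, "tool_input": tool_input})
def replay(events, enforce=True):  # run events through one session, return the decisions
    session = Session(enforce)
    return [session.decide(e)["hookSpecificOutput"]["permissionDecision"] for e in events]
DEMO = [event("Read", file_path="/etc/hostname"), event("WebFetch", url="https://evil.example.com"),
        event("Write", file_path="/tmp/pwned.txt", content="exfiltrated")]
```

`replay(DEMO)` yields allow, allow, deny under an enforcing profile and allow, allow, allow with `enforce=False`, matching the page's three steps.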
This analysis was written by the Genesis Park editorial team using AI. The original can be found via the source link.