loophole-hunter
Install: `claude install-skill ivuorinen/skills`
# Loophole Hunter
## Overview
Hostile audit of the project's Claude Code enforcement surface. It assumes every constraint is bypassable until the enforcement path is traced end-to-end and proven to bind. It enumerates every rule, every hook script, every settings hook wiring, every permission, and every skill body, then hunts for loopholes, places where an intended constraint does not actually constrain:

- a rule no hook enforces
- a hook that fails open
- a settings permission that contradicts a rule
- a matcher that misses inputs it claims to cover
- a hook script that is never wired in
- a skill step an agent can rationalize past

It writes a findings report and, on approval, closes each loophole, then re-runs the bypass to prove the loophole is gone. Single-shot: re-validate existing findings, enumerate the surface, file new findings, optionally fix, re-validate.
This is not `claude-rules-auditor`. That skill checks whether rules are well-formed and well-placed. This skill checks whether the enforcement — across rules, hooks, settings, and skills together — can be evaded.
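An added sketch of two of the checks described above (a hook script that is never wired in, and a matcher that misses inputs it claims to cover); it is not code from the skill itself. The settings layout, the `.claude/hooks/` path, the script names, the claimed-tools map and the matcher semantics (empty or `*` matches every tool, otherwise a regex on the full tool name) are assumptions.

```python
import re

# Constructed sample of a .claude/settings.json "hooks" section (assumed layout).
SETTINGS = {"hooks": {"PreToolUse": [
    {"matcher": "Edit",
     "hooks": [{"type": "command", "command": ".claude/hooks/guard-writes.sh"}]},
]}}
# Constructed listing of the hook script directory (assumed path).
HOOK_SCRIPTS = [".claude/hooks/guard-writes.sh", ".claude/hooks/block-secrets.sh"]
# Hypothetical claim taken from a rule: this script guards all file writes.
CLAIMED_TOOLS = {"guard-writes.sh": ["Edit", "Write", "MultiEdit"]}


def wired_entries(settings):
    """Yield (event, matcher, command) for every command hook in settings."""
    for event, groups in settings.get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command":
                    yield event, group.get("matcher", ""), hook.get("command", "")


def matcher_covers(matcher, tool):
    """Assumed semantics: '' or '*' matches all tools, else a full-name regex."""
    return matcher in ("", "*") or re.fullmatch(matcher, tool) is not None


def unwired_scripts(settings, scripts):
    """Scripts on disk that no hook command mentions, so they never run."""
    commands = [cmd for _, _, cmd in wired_entries(settings)]
    return sorted(s for s in scripts
                  if not any(s.rsplit("/", 1)[-1] in c for c in commands))


def matcher_gaps(settings, claimed):
    """Tools a script is claimed to guard that no wired matcher covers."""
    gaps = {}
    for script, tools in claimed.items():
        matchers = [m for _, m, cmd in wired_entries(settings) if script in cmd]
        missed = [t for t in tools if not any(matcher_covers(m, t) for m in matchers)]
        if missed:
            gaps[script] = missed
    return gaps


if __name__ == "__main__":
    print("unwired:", unwired_scripts(SETTINGS, HOOK_SCRIPTS))
    print("matcher gaps:", matcher_gaps(SETTINGS, CLAIMED_TOOLS))
```

Widening the matcher to `Edit|Write|MultiEdit` and wiring `block-secrets.sh` into a hook entry should make both functions return empty results, which is the re-validation step the overview describes.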
## When to Use
- Auditing `.claude/rules/`, hook scripts, `.claude/settings.json`, and skills for bypassable or unenforced constraints
- A new rule, hook, skill, or settings change was added and you want to confirm it actually binds
- Before a release, to prove the enforcement surface has no silent gaps
- When asked to "close the loopholes", "harden the Claude Code setup", or "find ways our rules can be