feat(commands): E14 part 3 — /security mcp-baseline-reset slash command
Wave C step C3: closes E14 with the user-facing reset command. After a legitimate MCP server upgrade the sticky baseline (added in C1) becomes a stale "what the tool used to say" anchor and every subsequent post-mcp-verify advisory will re-flag the change. /security mcp-baseline-reset lets the user acknowledge the upgrade so the next call seeds a fresh baseline.

New files:

- scanners/mcp-baseline-reset.mjs — small CLI wrapper around clearBaseline / listBaselines. Modes: --list (read-only), --target <name>, no-args (all). Outputs JSON summary on stdout. Exit 0 always (idempotent).
- commands/mcp-baseline-reset.md — dispatcher following mcp-inspect.md shape. Frontmatter: name=security:mcp-baseline-reset, sonnet model, Read/Bash/AskUserQuestion tools. 4-step body (list -> confirm scope -> execute -> confirm result).
- tests/scanners/mcp-baseline-reset.test.mjs — 10 CLI tests across --list, --target, clear-all, idempotency, history preservation, and bare-positional sugar.

Updated:

- commands/security.md — new row in commands table after mcp-inspect.
- CLAUDE.md — new commands-table row + new v7.3.0 narrative section describing the baseline schema, cumulative-drift detection, reset semantics, and the LLM_SECURITY_MCP_CACHE_FILE override.
- Plugin README.md — new MCP-baseline-reset row in commands table, scanner count 12 standalone -> 13 standalone, new "MCP Description Drift (E14, v7.3.0)" subsection explaining the sticky baseline, cumulative threshold, reset semantics, and env-var override.
- Root marketplace README.md — scanner count 22 -> 23 (10 orchestrated + 13 standalone), command count 19 -> 20, test count 1511 -> 1768.

Wave C complete: 1738 -> 1768 tests (+30 across C1/C2/C3). Per plan, Wave C does NOT bump the plugin version — that lands at the wave-bundle release. The advisory text in post-mcp-verify already references the new command path so the user has a ready remediation step.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent 427b68eca9
commit 001df2ebe8
7 changed files with 454 additions and 5 deletions
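The sticky-baseline cache entry and the reset semantics the commit message describes, modelled as an added example in plain JavaScript; this is not the plugin's own scanners/mcp-baseline-reset.mjs. The in-memory cache object, the function names observe/clearBaseline/listBaselines, the injectable timestamp and the inclusive threshold comparison are assumptions; the schema fields (baseline, history, description, firstSeen, lastSeen), the 10-event FIFO and the 0.25 default come from the commit.

```javascript
// Added example, not the plugin's own scanners/mcp-baseline-reset.mjs: an in-memory model of the
// sticky-baseline cache entry (baseline, history, description, firstSeen, lastSeen) and the reset.
const HISTORY_MAX = 10;            // rolling FIFO size per tool
const CUMULATIVE_THRESHOLD = 0.25; // mcp.cumulative_drift_threshold default

// Levenshtein edit distance, two-row dynamic programming.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Cumulative drift ratio against the sticky baseline; two empty strings count as zero drift.
function cumulativeDrift(current, baseline) {
  const denom = Math.max(current.length, baseline.length);
  return denom === 0 ? 0 : levenshtein(current, baseline) / denom;
}

// Record an observed description (assumed name): seed an empty baseline slot, else report drift
// against the sticky baseline (flagged when >= threshold; inclusive comparison is an assumption).
function observe(cache, tool, description, now = Date.now()) {
  const e = cache[tool] ?? (cache[tool] = { firstSeen: now, history: [], baseline: null });
  e.description = description;
  e.lastSeen = now;
  e.history.push({ at: now, description });
  if (e.history.length > HISTORY_MAX) e.history.shift(); // FIFO: drop the oldest event
  if (e.baseline === null) { e.baseline = description; return { seeded: true, drift: 0, flagged: false }; }
  const drift = cumulativeDrift(description, e.baseline);
  return { seeded: false, drift, flagged: drift >= CUMULATIVE_THRESHOLD };
}

// Reset: clear only the baseline slot for one tool (or all when target is undefined);
// description/firstSeen/lastSeen/history stay for audit, and repeating the call is a no-op.
function clearBaseline(cache, target) {
  const names = target === undefined ? Object.keys(cache) : (target in cache ? [target] : []);
  const cleared = names.filter((n) => cache[n].baseline !== null);
  for (const n of cleared) cache[n].baseline = null;
  return { cleared, remaining: listBaselines(cache).map((b) => b.tool) };
}

// Read-only view of the tools that currently hold a baseline.
function listBaselines(cache) {
  return Object.entries(cache).filter(([, e]) => e.baseline !== null)
    .map(([tool, e]) => ({ tool, baseline: e.baseline }));
}
```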
@ -25,6 +25,26 @@ top-level `output.suppressed` (`.llm-security-ignore` rule integer).
Out-of-scope but flagged: `commands/scan.md:113-114` retains the v1
formula; resolution deferred to Batch B.
**v7.3.0 — MCP cumulative-drift baseline (in progress, Wave C of Batch C).**
Closes E14 from `docs/critical-review-2026-04-20.md`. The
`mcp-description-cache.mjs` schema gains a sticky `baseline` slot per
tool plus a 10-event rolling `history` array (FIFO). Cumulative drift =
`levenshtein(current, baseline) / max(|current|, |baseline|)`; when the
ratio crosses `mcp.cumulative_drift_threshold` (default 0.25),
`post-mcp-verify.mjs` emits a separate MEDIUM `mcp-cumulative-drift`
advisory. The existing per-update >10% drift signal is unchanged — both
fire independently. Slow-burn rug-pulls that keep each update under the
per-update threshold but cumulatively diverge from baseline are now
caught. Baseline survives the 7-day TTL purge so detection persists
across the full window. New `/security mcp-baseline-reset` slash command
(plus `scanners/mcp-baseline-reset.mjs` CLI: `--list`, `--target <tool>`,
or no-args clear-all) lets the user acknowledge a legitimate MCP server
upgrade — clearing the baseline causes the next call to seed a fresh
one from the incoming description; description, firstSeen, lastSeen, and
history are preserved for audit. `LLM_SECURITY_MCP_CACHE_FILE` env var
overrides the cache path for end-to-end testing without polluting the
user's real `~/.cache/llm-security/mcp-descriptions.json`.
## Commands
| Command | Description |
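Review bot: the section heading this hunk adds still reads "(in progress, Wave C of Batch C)" while the commit message declares Wave C complete with this C3 step; update the parenthetical (or drop it) so the narrative does not contradict the commit that closes the wave. Two smaller documentation points in the same paragraph: the formula `levenshtein(current, baseline) / max(|current|, |baseline|)` is undefined when both descriptions are empty, so state the guard (for example, treat that case as zero drift) next to the formula; and "when the ratio crosses `mcp.cumulative_drift_threshold`" leaves open whether a ratio exactly equal to 0.25 fires, so say >= or >.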
@ -36,6 +56,7 @@ formula; resolution deferred to Batch B.
| `/security plugin-audit [path\|url]` | Plugin trust assessment (local or GitHub URL) |
| `/security mcp-audit [--live]` | MCP server config audit (add `--live` for runtime inspection) |
| `/security mcp-inspect` | Live MCP server inspection — connect via JSON-RPC 2.0, scan tool descriptions |
| `/security mcp-baseline-reset` | Reset MCP description baseline cache (E14, v7.3.0) — after legitimate MCP server upgrade |
| `/security ide-scan [target\|url]` | Scan installed VS Code + JetBrains extensions/plugins — OR fetch a remote VSIX from Marketplace, OpenVSX, or direct URL (v6.4.0), OR a JetBrains plugin from `plugins.jetbrains.com` (v6.6.0). 7 VS Code checks + 7 JetBrains-specific checks (theme-with-code, broad activation, Premain-Class instrumentation, native binaries, depends-chain, typosquat, shaded jars). Hardened ZIP extractor (zip-slip, symlink, bomb, ratio caps — no fuzz-testing results published to date). Orchestrates reused scanners (UNI/ENT/NET/TNT/MEM/SCR) per extension. Offline by default, `--online` opt-in |
| `/security posture` | Quick scorecard (13 categories) |
| `/security threat-model` | Interactive STRIDE/MAESTRO session |
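Review bot: the new `/security mcp-baseline-reset` row shows no arguments, while the sibling rows (`[--live]`, `[path\|url]`) do and the v7.3.0 narrative above describes `--list` and `--target <tool>` modes; if the slash command forwards those modes, write the row as `/security mcp-baseline-reset [--list|--target <tool>]` so users can see them without reading the scanner. Also, "Reset MCP description baseline cache" reads as if the whole cache entry is dropped, whereas the narrative says only the baseline slot is cleared and description, firstSeen, lastSeen and history are kept; "Reset MCP description baseline (history preserved)" would match the documented semantics.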