From 02fd29f6859545fee34c4d0b4d57a5535b6d5ec7 Mon Sep 17 00:00:00 2001
From: Kjell Tore Guttormsen
Date: Fri, 10 Apr 2026 15:15:16 +0200
Subject: [PATCH] docs(readme): update README body for v6.0+v6.1 — fix stale counts and tables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Badges, intro, commands, scanner table, Mermaid diagram, directory tree, and knowledge base section all had counts frozen at the v3-v4 era. Updated to match actual filesystem: 21 scanners (10+11), 18 commands, 16 knowledge files, 16 posture categories, 1264 tests. Added missing bin/, ci/, docs/ directories and all standalone scanners to directory tree.

Co-Authored-By: Claude Opus 4.6
---
 plugins/llm-security/README.md | 168 ++++++++++++++++++++++-----------
 1 file changed, 114 insertions(+), 54 deletions(-)

diff --git a/plugins/llm-security/README.md b/plugins/llm-security/README.md
index ac62be9..2b64808 100644
--- a/plugins/llm-security/README.md
+++ b/plugins/llm-security/README.md
@@ -7,9 +7,9 @@ ![Version](https://img.shields.io/badge/version-6.1.0-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Agents](https://img.shields.io/badge/agents-6-orange) -![Scanners](https://img.shields.io/badge/scanners-16-cyan) +![Scanners](https://img.shields.io/badge/scanners-21-cyan) ![Hooks](https://img.shields.io/badge/hooks-8-red) -![Knowledge](https://img.shields.io/badge/knowledge_docs-15-green) +![Knowledge](https://img.shields.io/badge/knowledge_docs-16-green) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that provides security scanning, auditing, and threat modeling for agentic AI projects. Built on [OWASP LLM Top 10 (2025)](https://genai.owasp.org/llm-top-10/), [OWASP Agentic AI Top 10](https://genai.owasp.org/agentic-ai/), and the [AI Agent Traps](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438) taxonomy (Google DeepMind, 2025), with threat intelligence from ToxicSkills, ClawHavoc, MCPTox, Pillar Security, Invariant Labs, and Operant AI research. 
@@ -46,20 +46,20 @@ Claude Code plugins, MCP servers, and agentic workflows introduce attack surface This plugin provides three layers of protection: - **Automated enforcement** — 8 hooks that block dangerous operations in real time (prompt injection in user input, secrets in code, writes to sensitive paths, destructive shell commands, supply chain guardrails, suspicious tool output, runtime trifecta detection, update notifications) -- **Deterministic scanning** — 11 Node.js scanners (9 orchestrated + 2 standalone) that perform byte-level analysis LLMs cannot: Shannon entropy, Unicode codepoints, Levenshtein distance for typosquatting, source-to-sink taint flow, DNS resolution, git history forensics, toxic flow analysis, memory poisoning, live MCP inspection -- **Advisory analysis** — 15 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation plans +- **Deterministic scanning** — 21 Node.js scanners (10 orchestrated + 11 standalone) that perform byte-level analysis LLMs cannot: Shannon entropy, Unicode codepoints, Levenshtein distance for typosquatting, source-to-sink taint flow, DNS resolution, git history forensics, toxic flow analysis, memory poisoning, live MCP inspection, AI-BOM generation, attack simulation +- **Advisory analysis** — 18 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation plans Key capabilities: - **Supply chain gate** — scan any plugin, MCP server, or agent file before installation with ALLOW/WARNING/BLOCK verdicts -- **Full project audit** — evaluate 9 security categories with A-F grading and prioritized action items +- **Full project audit** — evaluate 16 security categories with A-F grading and prioritized action items - **Plugin trust assessment** — dedicated plugin audit with Install/Review/Do Not Install verdict - **MCP server audit** — focused analysis of all installed MCP configurations with trust scoring - **Threat 
modeling** — interactive STRIDE × MAESTRO 7-layer session with risk matrix - **Pre-deployment checklist** — 10 automated + 3 manual checks before going to production - **Automated remediation** — scan-and-fix pipeline with 3-tier approach (auto/semi-auto/manual) - **Continuous monitoring** — recurring diff scanning via `/security watch` (uses built-in /loop) or system cron via `watch-cron.mjs` -- **Quick posture check** — 30-second scorecard showing your security baseline (13 categories) +- **Quick posture check** — 30-second scorecard showing your security baseline (16 categories) > [!TIP] > Start with `/security posture` for a 30-second baseline, then `/security audit` for the full picture. @@ -124,20 +124,29 @@ Or enable directly in `~/.claude/settings.json`: ``` > /security posture -┌─────────────────────────────────────┐ -│ Security Posture: 6/9 [B] │ -│ ██████████████░░░░░ 67% │ -├─────────────────────────────────────┤ -│ ✅ Secret management │ -│ ✅ Permission model │ -│ ✅ Input validation │ -│ ⚠️ Output handling │ -│ ✅ Supply chain │ -│ ✅ Data protection │ -│ ❌ Logging and monitoring │ -│ ⚠️ Network security │ -│ ✅ Agent autonomy controls │ -└─────────────────────────────────────┘ +┌──────────────────────────────────────────────┐ +│ Security Posture: 8/16 [B] 77% │ +│ ████████████████░░░░░░░░░░ │ +├──────────────────────────────────────────────┤ +│ ✅ Deny-First Config │ +│ ✅ Secrets Protection │ +│ ✅ Path Guarding │ +│ ⚠️ MCP Server Trust │ +│ ✅ Destructive Command Blocking │ +│ ⚠️ Sandbox Config │ +│ ⚠️ Human Review │ +│ ✅ Skill/Plugin Sources │ +│ ⚠️ Session Isolation │ +│ ✅ Cognitive State Security │ +│ ✅ Prompt Injection Hardening │ +│ ⚠️ Rule of Two │ +│ ⚠️ Long-Horizon Monitoring │ +│ ✅ EU AI Act │ +│ ⚠️ NIST AI RMF │ +│ — ISO 42001 │ +├──────────────────────────────────────────────┤ +│ 6 findings (1 high, 3 medium, 2 low) │ +└──────────────────────────────────────────────┘ ``` --- 
@@ -150,13 +159,13 @@ Or enable directly in `~/.claude/settings.json`: |---------|-------------| | `/security` | Overview of all commands and quick start guide | | `/security scan [path\|url]` | Scan skills, MCP servers, directories, or GitHub repos for security issues | -| `/security scan [path\|url] --deep` | Enhanced scan: LLM agents + 9 deterministic scanners | -| `/security deep-scan [path]` | Run 9 deterministic Node.js scanners directly (entropy, unicode, taint, deps, git, permissions, network, memory poisoning, toxic flow) | +| `/security scan [path\|url] --deep` | Enhanced scan: LLM agents + 10 deterministic scanners | +| `/security deep-scan [path]` | Run 10 deterministic Node.js scanners directly (entropy, unicode, taint, deps, git, permissions, network, memory poisoning, supply chain recheck, toxic flow). Supports `--fail-on `, `--compact`, `--format sarif`, `--output-file ` | | `/security audit` | Full project security audit with A-F grading and remediation plan | | `/security plugin-audit [path\|url]` | Dedicated plugin security audit with Install/Review/Do Not Install verdict (local or GitHub URL) | | `/security mcp-audit [--live]` | Focused audit of all installed MCP server configurations (add `--live` for runtime inspection) | | `/security mcp-inspect` | Connect to running MCP stdio servers and scan live tool descriptions | -| `/security posture` | Quick security posture scorecard (X/10 categories) | +| `/security posture` | Quick security posture scorecard (16 categories incl. compliance) | | `/security diff [path]` | Compare scan against stored baseline — shows new/resolved/unchanged/moved findings | | `/security watch [path] [--interval 6h]` | Continuous monitoring — runs diff on a recurring interval via /loop | | `/security registry [scan\|search]` | Skill signature registry — view stats, scan+register skills, search known fingerprints | 
@@ -175,7 +184,7 @@ Or enable directly in `~/.claude/settings.json`: | Command | Description | |---------|-------------| | `/security threat-model` | Interactive STRIDE/MAESTRO threat modeling session (15-30 min) | -| `/security red-team [--category]` | Attack simulation — 38 scenarios test hook defenses with crafted payloads | +| `/security red-team [--category] [--adaptive]` | Attack simulation — 64 scenarios across 12 categories test hook defenses. `--adaptive` for mutation-based evasion testing | | `/security pre-deploy` | Pre-deployment security checklist (10 automated + 3 manual checks) | ### Scan 
@@ -292,7 +301,7 @@ The plugin delegates specialized work to 6 purpose-built agents. Each agent has |-------|------|-------|------------|-------| | `skill-scanner-agent` | 7 threat categories (injection, exfiltration, escalation, scope creep, hidden instructions, toolchain manipulation, persistence) | Opus | `/security scan`, `/security audit`, `/security plugin-audit` | Read, Glob, Grep | | `mcp-scanner-agent` | 5-phase MCP analysis (tool descriptions, source code, dependencies, config, rug pull detection) | Opus | `/security scan`, `/security mcp-audit` | Read, Glob, Grep, Bash | -| `posture-assessor-agent` | 9-category assessment with PASS/PARTIAL/FAIL scoring and A-F grading | Opus | `/security audit`, `/security posture` | Read, Glob, Grep | +| `posture-assessor-agent` | 16-category assessment with PASS/PARTIAL/FAIL scoring and A-F grading | Opus | `/security audit`, `/security posture` | Read, Glob, Grep | | `threat-modeler-agent` | Interactive STRIDE × MAESTRO 7-layer interview with 5-phase workflow | Opus | `/security threat-model` | Read, Glob, Grep, AskUserQuestion | | `deep-scan-synthesizer-agent` | Interprets deterministic scanner JSON into human-readable report with executive summary and prioritized recommendations | Opus | `/security deep-scan`, `/security scan --deep` | Read, Glob, Grep | | `cleaner-agent` | Generates semi-auto remediation proposals for findings requiring human judgment (read-only, returns JSON proposals) | Opus | `/security clean` | Read, Glob, Grep | @@ -333,12 +342,12 @@ For deep scans (`/security scan --deep` or `/security deep-scan`), deterministic ┌───────────────┼───────────────┐ ▼ ▼ ▼ ┌───────────┐ ┌────────────┐ ┌────────────┐ - │ LLM Skill │ │ 8 Det. │ │ MCP │ + │ LLM Skill │ │ 10 Det. │ │ MCP │ │ Scanner │ │ Scanners │ │ Scanner │ └─────┬─────┘ └──────┬─────┘ └──────┬─────┘ │ UNI ENT PRM │ │ DEP TNT GIT │ - │ NET TFA │ + │ NET MEM SCR TFA │ │ │ │ │ ┌──────┴─────┐ │ │ │ Synthesizer│ │ 
@@ -356,7 +365,9 @@ For deep scans (`/security scan --deep` or `/security deep-scan`), deterministic ## Deterministic Scanners -9 orchestrated + 2 standalone Node.js scanner scripts that perform byte-level analysis an LLM cannot. Zero external dependencies. Orchestrated scanners run via `node scanners/scan-orchestrator.mjs ` or through `/security deep-scan`. +10 orchestrated + 11 standalone Node.js scanner scripts that perform byte-level analysis an LLM cannot. Zero external dependencies. Orchestrated scanners run via `node scanners/scan-orchestrator.mjs ` or through `/security deep-scan`. Supports `--fail-on `, `--compact`, `--format sarif`, `--output-file `. + +### Orchestrated (10) | Scanner | Prefix | Detects | OWASP | |---------|--------|---------|-------| 
@@ -368,11 +379,24 @@ For deep scans (`/security scan --deep` or `/security deep-scan`), deterministic | `git-forensics.mjs` | GIT | Force pushes, description drift, hook modifications, new outbound URLs, author changes | LLM03 | | `network-mapper.mjs` | NET | Undisclosed URLs, suspicious domains (ngrok, webhook.site), IP-based URLs, DNS analysis | LLM02, LLM03 | | `memory-poisoning-scanner.mjs` | MEM | Injection patterns, shell commands, credential paths, permission expansion, suspicious URLs, encoded payloads in CLAUDE.md/memory/rules files | LLM01, ASI02 | -| `toxic-flow-analyzer.mjs` | TFA | Lethal trifecta detection: untrusted input + sensitive data access + exfiltration sink. Cross-component correlation | ASI01, ASI02, ASI05 | -| `mcp-live-inspect.mjs`* | MCI | Live tool injection (MCP03), tool shadowing (MCP09), URL/IP in descriptions | MCP03, MCP06, MCP09 | -| `watch-cron.mjs`* | — | Standalone cron wrapper: scans all targets in config, writes summary, exits with verdict code | — | +| `supply-chain-recheck.mjs` | SCR | Re-audit installed deps from lockfiles against blocklists, OSV.dev batch API, typosquat detection | LLM03 | +| `toxic-flow-analyzer.mjs` | TFA | Lethal trifecta detection: untrusted input + sensitive data access + exfiltration sink. Cross-component correlation (runs last) | ASI01, ASI02, ASI05 | -\* Standalone scanners — not integrated in scan-orchestrator. `mcp-live-inspect.mjs` connects to running MCP stdio servers via JSON-RPC 2.0. `watch-cron.mjs` is a cron/launchd entry point for background scanning. +### Standalone (11) + +| Scanner | Prefix | Purpose | +|---------|--------|---------| +| `scan-orchestrator.mjs` | — | Entry point: runs all 10 orchestrated scanners, outputs JSON | +| `posture-scanner.mjs` | PST | Deterministic posture assessment, 16 categories (incl. 
EU AI Act, NIST AI RMF, ISO 42001), <50ms | +| `mcp-live-inspect.mjs` | MCI | Live MCP server inspection via JSON-RPC 2.0 (tool injection, shadowing, URL/IP) | +| `attack-simulator.mjs` | — | Red-team harness: 64 scenarios, 12 categories, adaptive mutation mode | +| `ai-bom-generator.mjs` | BOM | CycloneDX 1.6 AI Bill of Materials | +| `dashboard-aggregator.mjs` | — | Cross-project security dashboard, machine-grade aggregation | +| `reference-config-generator.mjs` | — | Grade A config generation based on posture gaps | +| `supply-chain-recheck-cli.mjs` | — | CLI wrapper for SCR scanner | +| `auto-cleaner.mjs` | — | Remediation engine: 16 fix operations, atomic writes, post-fix validation | +| `content-extractor.mjs` | — | Pre-extracts evidence from untrusted repos, strips injection patterns | +| `watch-cron.mjs` | — | Cron wrapper: scans all targets in config, writes summary, exits with verdict code | **Why deterministic?** LLMs are powerful at semantic analysis — understanding intent, detecting social engineering, assessing context. But they cannot reliably calculate Shannon entropy, measure Levenshtein distance between package names, trace taint flow across function boundaries, or detect individual Unicode codepoints. These scanners fill that gap. @@ -404,7 +428,7 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W ## Knowledge Base -15 research-backed reference files grounding all analysis in published threat intelligence: +16 research-backed reference files grounding all analysis in published threat intelligence: | File | Scope | |------|-------| 
@@ -423,6 +447,7 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W | `deepmind-agent-traps.md` | DeepMind AI Agent Traps — 6 categories, 43 techniques, coverage matrix | | `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation | | `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing | +| `typosquat-allowlist.json` | Allowlisted package names to reduce false positives in typosquatting detection | > [!NOTE] > All knowledge base content is derived from published OWASP standards and peer-reviewed security research. The knowledge files provide grounding for agent analysis — agents read relevant sections before producing findings. @@ -491,7 +516,7 @@ Evaluate a plugin or MCP server before installing it — locally or from a remot Regular cadence for maintaining security posture: ``` -/security posture # 30-second baseline scorecard (X/9) +/security posture # 30-second baseline scorecard (16 categories) /security audit # Full audit with A-F grade and action items # → Fix critical/high findings /security posture # Verify improvement @@ -587,26 +612,26 @@ flowchart TB H4["Update check"] end - subgraph Scanning["Deterministic Analysis (8+2 scanners)"] + subgraph Scanning["Deterministic Analysis (10+11 scanners)"] direction LR - S1["UNI · ENT · PRM · DEP
TNT · GIT · NET"] + S1["UNI · ENT · PRM · DEP
TNT · GIT · NET · MEM · SCR"] S2["TFA
Toxic flow correlator"] - S3["MCI*
Live MCP inspect"] + S3["MCI · PST · BOM
Standalone scanners"] end - subgraph Advisory["Advisory Analysis (6 agents, 15 commands)"] + subgraph Advisory["Advisory Analysis (6 agents, 18 commands)"] direction LR A1["Skill Scanner
7 threat categories"] A2["MCP Scanner
5-phase analysis"] - A3["Posture · Audit
9 categories, A-F grade"] + A3["Posture · Audit
16 categories, A-F grade"] A4["Threat Model
STRIDE × MAESTRO"] end - subgraph Knowledge["Knowledge Base (9 files)"] + subgraph Knowledge["Knowledge Base (16 files)"] direction LR - K1["4 OWASP frameworks"] + K1["5 OWASP frameworks"] K2["Threat patterns
Skills · MCP · Secrets"] - K3["Mitigation matrix
Registry · Packages"] + K3["Compliance · Research
Registry · Packages"] end Runtime -->|"blocks/warns in real time"| User["Claude Code Session"] 
@@ -626,33 +651,51 @@ llm-security/ ├── README.md # This file ├── LICENSE # MIT License ├── SECURITY.md # Vulnerability disclosure policy -├── package.json # type: module, engines, test script -├── commands/ # 14 slash commands +├── package.json # type: module, engines, test script, bin field +├── bin/ # Standalone CLI +│ └── llm-security.mjs # npx llm-security scan/posture/audit-bom/benchmark +├── ci/ # CI/CD pipeline templates +│ ├── github-action.yml # GitHub Actions with SARIF upload +│ ├── azure-pipelines.yml # Azure DevOps with SARIF upload +│ └── gitlab-ci.yml # GitLab CI with SARIF upload +├── docs/ # Guides +│ └── ci-cd-guide.md # CI/CD integration guide (Schrems II, NSM) +├── commands/ # 18 slash commands │ ├── security.md # Router + quick start -│ ├── scan.md # Supply chain gate (+ --deep flag) +│ ├── scan.md # Supply chain gate (+ --deep, --fail-on, --compact, --format sarif) │ ├── deep-scan.md # Deterministic-only deep scan │ ├── diff.md # Compare scan against stored baseline │ ├── watch.md # Continuous monitoring via /loop │ ├── registry.md # Skill signature registry +│ ├── supply-check.md # Re-audit installed dependencies │ ├── clean.md # Scan + remediate (auto/semi-auto/manual) +│ ├── dashboard.md # Cross-project security dashboard │ ├── audit.md # Full project audit │ ├── plugin-audit.md # Plugin trust assessment │ ├── mcp-audit.md # MCP-focused audit (+ --live flag) │ ├── mcp-inspect.md # Live MCP server inspection via JSON-RPC 2.0 -│ ├── posture.md # Quick scorecard +│ ├── posture.md # Quick scorecard (16 categories) +│ ├── harden.md # Generate Grade A security config +│ ├── red-team.md # Attack simulation (64 scenarios, adaptive mode) │ ├── threat-model.md # Interactive STRIDE/MAESTRO │ └── pre-deploy.md # Deployment checklist ├── agents/ # 6 specialized agents │ ├── skill-scanner-agent.md # 7 threat categories │ ├── mcp-scanner-agent.md # 5-phase MCP analysis -│ ├── posture-assessor-agent.md # 9-category assessment +│ ├── 
posture-assessor-agent.md # 16-category assessment │ ├── threat-modeler-agent.md # STRIDE × MAESTRO interview │ ├── deep-scan-synthesizer-agent.md # JSON → human-readable report │ └── cleaner-agent.md # Semi-auto remediation proposals -├── scanners/ # 9 orchestrated + 2 standalone + remediation engine -│ ├── scan-orchestrator.mjs # Entry point — runs all 9 orchestrated, outputs JSON -│ ├── auto-cleaner.mjs # Remediation engine — 16 fix ops, atomic writes -│ ├── content-extractor.mjs # Pre-extracts evidence from untrusted repos, strips injection patterns +├── scanners/ # 10 orchestrated + 11 standalone +│ ├── scan-orchestrator.mjs # Entry point — runs all 10 orchestrated, outputs JSON +│ ├── posture-scanner.mjs # Standalone: 16-category posture assessment, <50ms +│ ├── attack-simulator.mjs # Standalone: red-team harness, 64 scenarios, adaptive mode +│ ├── ai-bom-generator.mjs # Standalone: CycloneDX 1.6 AI Bill of Materials +│ ├── dashboard-aggregator.mjs # Standalone: cross-project dashboard aggregation +│ ├── reference-config-generator.mjs # Standalone: Grade A config generation +│ ├── supply-chain-recheck-cli.mjs # Standalone: CLI for supply chain re-audit +│ ├── auto-cleaner.mjs # Standalone: remediation engine — 16 fix ops, atomic writes +│ ├── content-extractor.mjs # Standalone: pre-extracts evidence, strips injection patterns │ ├── mcp-live-inspect.mjs # Standalone: live MCP server inspection via JSON-RPC 2.0 │ ├── watch-cron.mjs # Standalone: cron wrapper for background scanning │ ├── lib/ 
@@ -665,7 +708,15 @@ llm-security/ │ │ ├── file-discovery.mjs # Walk tree, filter, binary detect │ │ ├── yaml-frontmatter.mjs # Regex-based frontmatter parser │ │ ├── git-clone.mjs # Sandboxed clone/cleanup (sandbox-exec + git config hardening) -│ │ └── fs-utils.mjs # Backup, restore, cleanup, tmppath (UUID-unique) utilities +│ │ ├── fs-utils.mjs # Backup, restore, cleanup, tmppath (UUID-unique) utilities +│ │ ├── bash-normalize.mjs # Bash evasion normalization (empty quotes, ${}, backslash) +│ │ ├── supply-chain-data.mjs # Shared blocklists and supply chain data +│ │ ├── sarif-formatter.mjs # OASIS SARIF 2.1.0 output formatter +│ │ ├── audit-trail.mjs # Structured JSONL audit events (ISO 8601, OWASP tags) +│ │ ├── bom-builder.mjs # CycloneDX BOM construction +│ │ ├── distribution-stats.mjs # Statistical analysis (Jensen-Shannon divergence) +│ │ ├── policy-loader.mjs # Reads .llm-security/policy.json for distributable config +│ │ └── mcp-description-cache.mjs # MCP tool description caching + drift detection │ ├── unicode-scanner.mjs # Zero-width, Tags, BIDI, homoglyphs │ ├── entropy-scanner.mjs # Shannon entropy, base64/hex detection │ ├── permission-mapper.mjs # Plugin permission analysis @@ -673,6 +724,8 @@ llm-security/ │ ├── taint-tracer.mjs # Source-to-sink data flow tracing │ ├── git-forensics.mjs # Rug pull signals, history analysis │ ├── network-mapper.mjs # URL discovery, DNS, domain classification +│ ├── memory-poisoning-scanner.mjs # Injection in CLAUDE.md, memory, rules files +│ ├── supply-chain-recheck.mjs # Re-audit installed deps from lockfiles │ └── toxic-flow-analyzer.mjs # Post-processing correlator: lethal trifecta detection ├── hooks/ # 8 automated hooks │ ├── hooks.json # Hook registration 
@@ -685,7 +738,7 @@ llm-security/ │ ├── post-mcp-verify.mjs # Advisory: ALL tools injection scan, Bash secrets/URLs/size │ ├── post-session-guard.mjs # Advisory: runtime trifecta detection (sliding window, JSONL state) │ └── update-check.mjs # Informational: version check (1x/24h, cached, disable: LLM_SECURITY_UPDATE_CHECK=off) -├── knowledge/ # 9 reference files (~3,400 lines) +├── knowledge/ # 16 reference files │ ├── owasp-llm-top10.md │ ├── owasp-agentic-top10.md │ ├── owasp-skills-top10.md # OWASP Skills Top 10 (AST01-AST10) @@ -693,6 +746,13 @@ llm-security/ │ ├── mcp-threat-patterns.md │ ├── secrets-patterns.md │ ├── mitigation-matrix.md +│ ├── compliance-mapping.md # EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS +│ ├── norwegian-context.md # Datatilsynet, NSM, Digitaliseringsdirektoratet +│ ├── deepmind-agent-traps.md # 6 categories, 43 techniques +│ ├── prompt-injection-research-2025-2026.md # 7 research papers +│ ├── attack-scenarios.json # 64 red-team scenarios across 12 categories +│ ├── attack-mutations.json # Synonym tables for adaptive testing +│ ├── typosquat-allowlist.json # False positive reduction │ ├── top-packages.json # Top 200 npm + 100 PyPI for typosquatting │ └── skill-registry.json # Seed data for skill signature registry ├── tests/ # Test suite (node:test, zero external deps) 
@@ -757,7 +817,7 @@ This plugin provides full-stack security hardening (static analysis + supply cha | Version | Date | Highlights | |---------|------|------------| -| **6.1.0** | 2026-04-10 | **CI/CD integration.** `--fail-on ` flag for threshold-based exit codes (exit 1 if findings at/above level). `--compact` output mode (one-liner per finding). Policy `ci` section in `policy.json`. Pipeline templates: GitHub Actions, Azure DevOps, GitLab CI with SARIF upload. CI/CD guide (`docs/ci-cd-guide.md`) with Schrems II/NSM compliance docs. npm publish preparation (`files` whitelist). 1261+ tests. | +| **6.1.0** | 2026-04-10 | **CI/CD integration.** `--fail-on ` flag for threshold-based exit codes (exit 1 if findings at/above level). `--compact` output mode (one-liner per finding). Policy `ci` section in `policy.json`. Pipeline templates: GitHub Actions, Azure DevOps, GitLab CI with SARIF upload. CI/CD guide (`docs/ci-cd-guide.md`) with Schrems II/NSM compliance docs. npm publish preparation (`files` whitelist). 1264 tests. | | **6.0.0** | 2026-04-10 | **CAISS-readiness release.** Enterprise compliance and governance layer: compliance mapping (EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS), Norwegian regulatory context (Datatilsynet, NSM, Digitaliseringsdirektoratet), SARIF 2.1.0 output format (`--format sarif`), structured JSONL audit trail (`audit-trail.mjs`), AI-BOM generator (CycloneDX 1.6), policy-as-code (`.llm-security/policy.json`), standalone CLI (`bin/llm-security.mjs` — `npx llm-security scan`). Posture scanner expanded to 16 categories (+EU AI Act, NIST AI RMF, ISO 42001). Attack simulator benchmark mode (`--benchmark`). 15 knowledge docs, 16 scanners, 1242+ tests. | | **5.1.0** | 2026-04-07 | **Sandboxed remote cloning.** Defense-in-depth for `git clone` attack surface: (1) 8 git config flags disable hooks, symlinks, filter/smudge drivers, fsmonitor, local file protocol; 4 env vars isolate from system/user config. 
(2) OS sandbox: macOS `sandbox-exec` + Linux `bubblewrap` restrict file writes to only the clone temp dir. Graceful fallback on Windows (git config only). Post-clone size check (100MB max). UUID-unique evidence filenames prevent race conditions. Cleanup guarantee in scan/plugin-audit commands. 1147 tests (was 1115). | | **5.0.0** | 2026-04-06 | **Prompt Injection Hardening (v5.0).** 8-session defense-in-depth overhaul driven by 7 research papers (2025-2026). MEDIUM advisory for obfuscation signals (leetspeak, homoglyphs, zero-width, multi-language). Unicode Tag steganography detection (U+E0000-E007F). Bash expansion normalization (`bash-normalize.mjs`). Rule of Two enforcement (configurable `LLM_SECURITY_TRIFECTA_MODE=block\|warn\|off`). 100-call long-horizon monitoring window with slow-burn trifecta detection. Behavioral drift via Jensen-Shannon divergence. HITL trap detection (approval urgency, summary suppression, scope minimization). Sub-agent delegation tracking (escalation-after-input advisory). NL indirection patterns. Hybrid attacks (P2SQL, recursive injection, XSS-in-agent). CaMeL-inspired data flow tagging (SHA-256 provenance, output-to-input linking). Adaptive red-team (5 mutation rounds per scenario: homoglyph, encoding, zero-width, case alternation, synonym). Knowledge base expanded: `prompt-injection-research-2025-2026.md`, `deepmind-agent-traps.md`, `attack-mutations.json`. Posture scanner expanded to 13 categories (+Prompt Injection Hardening, Rule of Two, Long-Horizon Monitoring). Defense Philosophy section documenting honest limitations. 1115 tests. |
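Review bot: The "21 Node.js scanners (10 orchestrated + 11 standalone)" figure in the intro hunk (@@ -46) counts non-scanners, which will confuse readers who try to reconcile it with the tables further down: the standalone list in the @@ -368 hunk includes `scan-orchestrator.mjs` (the entry point that runs the other ten), `supply-chain-recheck-cli.mjs` (a CLI wrapper for a scanner already counted among the orchestrated ten), `auto-cleaner.mjs` (a remediation engine) and `content-extractor.mjs` (an evidence pre-processor). Either call the 21 "scanner scripts" or "scripts under `scanners/`", or count only the scripts that actually emit findings and state the number of supporting scripts separately, so the badge, intro, section heading and directory tree all agree on what is being counted.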
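Review bot: In the posture example (@@ -124), "Security Posture: 8/16 [B] 77%" and the progress bar do not agree with each other and will read as a typo: 8/16 is 50%, the bar fills roughly 16 of 26 cells (about 62%), and the headline says 77%. The listed rows do add up (8 ✅, 7 ⚠️, 1 —), so 77% looks like a weighted score (PARTIAL at half credit over the 15 applicable categories gives 11.5/15 ≈ 77%), but nothing in the README says so. Suggest either labelling the fraction as the PASS count ("8 PASS / 7 PARTIAL / 1 N/A") and regenerating the bar from the same value as the percentage, or pasting the actual current output of `/security posture` rather than a hand-edited block.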
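Review bot: The new `/security deep-scan` row in the commands table (@@ -150) documents `--fail-on ` and `--output-file ` with a trailing space and no argument placeholder, so the reader cannot tell what value the flag takes; the same truncated form appears in the Deterministic Scanners intro (@@ -356) and in the 6.1.0 changelog row (@@ -757). If the placeholder was written in angle brackets, check that it survives rendering inside the backticks in the published README; otherwise add the argument name and the accepted values (the changelog row implies a severity level for `--fail-on`, since it exits 1 when findings are at or above that level).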
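Review bot: The ASCII pipeline diagram (@@ -333) now lists TFA in the parallel "10 Det. Scanners" box, while the scanner table in this same patch describes `toxic-flow-analyzer.mjs` as a cross-component correlator that "runs last" and the directory tree calls it a "Post-processing correlator". The diagram should reflect that ordering (a step below the other nine, feeding the Synthesizer), because the lethal-trifecta correlation only works on the other scanners' output. Also, the replaced row "│ NET MEM SCR TFA │" is eight characters wider than the "│ NET TFA │" it replaces; the diff as posted has collapsed whitespace, so please confirm the box borders still line up in the rendered file.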
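Review bot: Adding `supply-chain-recheck.mjs` (SCR) to the orchestrated set (@@ -368) means a plain `/security deep-scan` now makes network calls to the OSV.dev batch API, but the unchanged intro two lines above still promises "Zero external dependencies" and "byte-level analysis an LLM cannot", which readers will take to mean offline and deterministic. Please document the egress this introduces and what the scan reports when OSV.dev is unreachable (a finding count that silently drops to zero in a restricted CI runner is exactly the failure a `--fail-on` gate would miss), and consider noting it in the `ci/` templates as well. Minor: the "<50ms" in the `posture-scanner.mjs` row reads as a guarantee; "typically under 50 ms" is safer in a table.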
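Review bot: The new `typosquat-allowlist.json` row in the Knowledge Base table (@@ -423) describes a file whose whole purpose is to suppress detections, so the Scope cell should say how entries get in and what they can override: whether an allowlisted name only silences the Levenshtein match against `top-packages.json`, or whether it can also mask a hit against the blocklists that the SCR row says are consulted. One sentence on the vetting rule (and that the file is part of the plugin, not read from the scanned repo) lets a reviewer judge the false-negative risk the allowlist introduces.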
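Review bot: In the Mermaid flowchart (@@ -587) the `Scanning` subgraph is titled "(10+11 scanners)" but the `S3` node "MCI · PST · BOM / Standalone scanners" names only three of the eleven standalone scripts, so the title and the node contents disagree; either title it as shown ("3 of 11 standalone shown") or list the remaining prefixes. The `S1` and `S2` nodes together name the ten orchestrated prefixes correctly. For `K1["5 OWASP frameworks"]`, the knowledge tree in this same patch only shows `owasp-llm-top10.md`, `owasp-agentic-top10.md` and `owasp-skills-top10.md` (other lines are outside the hunk), so please verify the count against the actual `owasp-*.md` files before merging.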
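Review bot: The `policy-loader.mjs` entry in the `lib/` hunk (@@ -665) says it "Reads .llm-security/policy.json for distributable config", and the 6.1.0 changelog row ties that file's `ci` section to the `--fail-on` gate, but neither says whose repository the policy is read from. When the target of a scan is an untrusted plugin or MCP repo, a `policy.json` shipped inside that repo must not be able to relax thresholds or allowlists for the scan of itself; state in the comment (or in `docs/ci-cd-guide.md`) that the policy comes from the invoking project only, or flag it if the loader does look in the scan target.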