chore(release): bump to v7.2.0

Batch B release — closes critical-review B-tier scanner defects
(B3, B5, B6, B7) and the v7.2.0 evasion-arsenal hardening patches
(E1, E4, E5, E7, E15, E16, E17, E18). Tests 1522 → 1665+, attack
simulator 64 → 72 (100 % pass).

Version updates across the 6 sync targets:

  - package.json
  - .claude-plugin/plugin.json
  - CLAUDE.md (header + test count: 1511 → 1665+)
  - README.md (badge + Version History row)
  - scanners/ide-extension-scanner.mjs (VERSION constant)
  - ../../README.md (marketplace root)

CHANGELOG [7.2.0] entry per Keep a Changelog with full Added /
Changed / Documentation / Tests / Notes breakdown.

Refs: Batch B Wave 6 / Step 15

plugins/llm-security/CHANGELOG.md

@@ -4,6 +4,134 @@ All notable changes to the LLM Security Plugin are documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [7.2.0] - 2026-04-29
+
+Batch B release. Closes the remaining critical-review B-tier scanner
+defects (B3, B5, B6, B7), lands the v7.2.0 evasion-arsenal hardening
+patches (E1, E4, E5, E7, E15, E16, E17, E18), unifies the v1→v2
+risk-score formula across documentation surfaces, and ships 8 new
+red-team scenarios (64 → 72) plus a polyglot fixture for the entropy
+two-stage pipeline.
+
+### Added
+
+- **B6 destructuring/spread taint propagation** (`scanners/taint-tracer.mjs`).
+  `extractAssignedVariable` now recognises `const { secret: userInput } = req.body`
+  and `const [input, ...rest] = process.argv` — destructured and spread
+  bindings carry their tainted source into downstream usage.
+  `extractAssignedVariable` exported for direct unit testing.
+  `+19 tests`.
+
+- **B7 token-overlap typosquat fallback** (`scanners/lib/string-utils.mjs`,
+  `scanners/dep-auditor.mjs`, `scanners/supply-chain-recheck.mjs`).
+  New `tokenize` / `tokenOverlap` helpers + `TYPOSQUAT_SUSPICIOUS_TOKENS`
+  list catch typosquats that Levenshtein distance misses
+  (e.g. `chalk-color-utility` vs `chalk`). `+21 tests`.
+
+- **E15 `.claude/agents/*.md` memory-poisoning glob** (`scanners/memory-poisoning-scanner.mjs`).
+  Agent definitions are now scanned alongside `CLAUDE.md` and rules.
+  New fixture + `+3 tests`.
+
+- **E1 hidden-Unicode coverage extended to PUA-A and PUA-B**
+  (`scanners/lib/string-utils.mjs`). `containsUnicodeTags` now flags
+  U+F0000–U+FFFFD (Supplementary Private Use Area-A) and U+100000–U+10FFFD
+  (Supplementary Private Use Area-B) in addition to the U+E0000 Tag block.
+  PUA characters do not decode to ASCII (they have no standard mapping)
+  but their presence is suspicious enough to emit a HIGH advisory.
+  `+21 tests`.
+
+- **E16 homoglyph fold before pattern matching**
+  (`scanners/lib/string-utils.mjs`, `scanners/lib/injection-patterns.mjs`).
+  New `foldHomoglyphs` (NFKC + targeted Cyrillic/Greek → Latin map)
+  runs before every pattern match in `scanForInjection`. Attacks like
+  `ignоre previous instructions` (Cyrillic `о`) now trigger the same
+  CRITICAL pattern as the Latin form. ASCII fast-path keeps the helper
+  zero-cost on plain text. `+27 tests`.
+
+- **E17 configurable escalation window + 20-call MEDIUM advisory**
+  (`hooks/scripts/post-session-guard.mjs`). The
+  `LLM_SECURITY_ESCALATION_WINDOW` env-var now overrides the primary
+  escalation-after-input window (default 5). A secondary 20-call
+  MEDIUM advisory catches slow-burn variants outside the primary
+  window. `+5 tests`.
+
+- **E4 markdown link-title injection scan** (`hooks/scripts/post-mcp-verify.mjs`).
+  Every `[text](url "title")` title is HTML-entity-decoded and run
+  through `scanForInjection`. Bypassed the existing HTML-tag-gated
+  checks pre-E4. `+3 tests`.
+
+- **E5 SVG `<desc> / <title> / <metadata> / <foreignObject>` extractor**
+  (`hooks/scripts/post-mcp-verify.mjs`). Adversarial text inside SVG
+  containers is invisible in the rendered image but parsed by an
+  agent reading the source. `+3 tests`.
+
+- **E7 generalized HTML comment scan** (`hooks/scripts/post-mcp-verify.mjs`).
+  Pre-E7 the `<!-- AGENT|AI|HIDDEN -->` keyword-restricted CRITICAL
+  pattern fired only on marked comments. Now every `<!-- ... -->`
+  body is decoded and scanned. The keyword pattern still fires
+  (defense-in-depth). `+3 tests`.
+
+- **8 new red-team scenarios** (`knowledge/attack-scenarios.json`).
+  UNI-007/008 (E1 PUA-A/PUA-B), UNI-009 (E16 Greek-Latin homoglyph
+  fold blocks), MCP-005 (E4), MCP-006/007 (E5 desc/foreignObject),
+  MCP-008 (E7), TRI-004 (E17 escalation-after-input).
+  `attack-simulator.mjs` baseline: 64 → 72, 100 % pass.
+
+### Changed
+
+- **B5 entropy two-stage pipeline** (`scanners/entropy-scanner.mjs`).
+  New `classifyFileContext(absPath, lines)` returns
+  `'shader-dominant' | 'markup-dominant' | 'code-dominant' | 'mixed'`,
+  keyed off file extension with a content-density fallback for
+  code-extension files (≥50 % sampled lines matching GLSL/inline-markup
+  → downgrade to `mixed`). `isFalsePositive` now accepts the context
+  and gates rules 11-13 (GLSL / CSS-in-JS / inline-markup
+  line-proximity) on `context !== 'code-dominant'`. Polyglot `.ts`
+  files with embedded GLSL blocks no longer suppress credentials
+  adjacent to shader keywords (the v7.0.0 false-negative class).
+  Conservative defaults preserve existing rule-11 / 12 / 13 behaviour
+  for the single-line `.js` / `.jsx` test fixtures. New fixture
+  `tests/fixtures/entropy/polyglot-ts-with-glsl.ts`. `+3 tests`.
+
+- **E18 entropy rule 18 — markdown-image CDN-aware + secret pre-check**
+  (`scanners/entropy-scanner.mjs`). Pre-E18, every
+  `![…](https?://…)` line was suppressed regardless of host or query.
+  Now suppression requires (host matches `MARKDOWN_IMAGE_CDN_HOSTS`
+  allowlist) AND (no secret-shaped token in query). Non-CDN hosts and
+  CDN hosts carrying `?token=…` / `?api_key=…` / AWS / GitHub / npm
+  prefixes fall through to entropy classification. `+4 tests`.
+
+- **v1 → v2 risk-formula constants unified across docs**
+  (`commands/scan.md`, `commands/audit.md`, `agents/mcp-scanner-agent.md`,
+  `agents/posture-assessor-agent.md`). The four files referenced the
+  legacy v1 `score >= 61` / `score >= 21` / `Critical × 25` constants;
+  authoritative implementation in `scanners/lib/severity.mjs` has been
+  v2 (`BLOCK ≥65`, `WARNING ≥15`, severity-dominated log-scaled tiers)
+  since v7.0.0. `tests/lib/doc-consistency.test.mjs` adds a guard so
+  these surfaces cannot drift back. `+28 tests`.
+
+### Documentation
+
+- **B3 `info` severity is scoring-inert** (`scanners/lib/severity.mjs` JSDoc,
+  `CLAUDE.md`). Documents the long-standing implementation: `info`
+  findings appear in OWASP aggregates but contribute zero to
+  `risk_score`, `verdict`, and `riskBand`. `+1 anchor test`.
+
+### Tests
+
+- **1522 → 1665+** (Wave 1 +29, Wave 2 +43, Wave 3 +53, Wave 4 +9,
+  Wave 5 +7, Wave 6 attack scenarios). All green except the
+  documented `pre-compact-scan` perf-flake (passes 6/6 in isolation,
+  fluctuates around the 500 ms ceiling under full-suite parallelism).
+  `attack-simulator`: 64 → 72 scenarios, 100 % pass.
+
+### Notes
+
+- E15 (`.claude/agents/*.md` glob) and E18 (entropy rule 18 CDN
+  allowlist) are scanner-only — they have unit / integration
+  coverage in their respective scanner test files and no
+  `attack-simulator.mjs` scenario.
+
 ## [7.1.1] - 2026-04-29
 
 Patch release. Closes the narrative-coherence gap that survived v7.0.0: