chore(release): bump llm-security to v7.1.0

Closes A4 of v7.1.0 critical-review patch — release artefacts.

- Version bump 7.0.0 → 7.1.0 across active version sources:
  * package.json
  * .claude-plugin/plugin.json
  * CLAUDE.md header
  * README.md badge
  * scanners/ide-extension-scanner.mjs (VERSION constant)
  * marketplace root README plugin entry
- Marketplace root README test count: 1487 → 1511.
- CHANGELOG.md: new [7.1.0] - 2026-04-29 section above [7.0.0],
  documenting B1, B2, B4, B8, honesty-sweep (7 phrases), and
  test-count delta (+24 → 1511 total).
- docs/security-hardening-guide.md: §6 last-updated bump + new
  v7.1.0 calibration note on hook-level fixes (pathguard regex
  hole, distributed-trifecta block-mode bypass).

Historical references to "7.0.0" intentionally preserved in:
- CHANGELOG [7.0.0] entries (history)
- README.md version-history table v5.0.0/v7.0.0 rows (history)
- CLAUDE.md §"v7.0.0 — Severity-dominated risk scoring" (describes
  what changed at v7.0.0 release)
- scanners/ JSDoc comments noting "v7.0.0+" formula provenance
- agents/ + tests/ + knowledge/ provenance comments

Pre-existing untracked/modified tracker noise (.gitignore,
marketplace.json, config-audit/docs, ultraplan-local/docs) is not
part of this commit per the v7.1.0 NEXT-SESSION-PROMPT handoff.

Tests: 1511/1511 green.

README.md

@@ -26,7 +26,7 @@ Then open Claude Code and type `/plugin` to browse and install plugins from the
 
 ## Plugins
 
-### [LLM Security](plugins/llm-security/) `v7.0.0`
+### [LLM Security](plugins/llm-security/) `v7.1.0`
 
 Security scanning, auditing, and threat modeling for agentic AI projects.
 
@@ -40,7 +40,7 @@ Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Trap
 
 Key commands: `/security posture`, `/security audit`, `/security scan`, `/security ide-scan`, `/security threat-model`, `/security plugin-audit`
 
-6 specialized agents · 22 scanners · 9 hooks · 20 knowledge docs · 1487 tests
+6 specialized agents · 22 scanners · 9 hooks · 20 knowledge docs · 1511 tests
 
 → [Full documentation](plugins/llm-security/README.md)
 

plugins/llm-security/.claude-plugin/plugin.json

@@ -1,5 +1,5 @@
 {
   "name": "llm-security",
   "description": "Security scanning, auditing, and threat modeling for Claude Code projects. Detects secrets, validates MCP servers, assesses security posture, and generates threat models aligned with OWASP LLM Top 10.",
-  "version": "7.0.0"
+  "version": "7.1.0"
 }

plugins/llm-security/CHANGELOG.md

@@ -4,6 +4,48 @@ All notable changes to the LLM Security Plugin are documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [7.1.0] - 2026-04-29
+
+Patch release closing the highest-impact items from the v7.0.0 adversarial review
+(`docs/critical-review-2026-04-20.md`, grade B-). Bug-fixes plus an honesty-sweep on
+documentation language. No new features and no behavioral changes outside the listed
+fixes.
+
+### Fixed
+
+- **Pathguard regex hole — `.env.*.*.*` could be written without blocking** (`hooks/scripts/pre-write-pathguard.mjs`). The old `ENV_PATTERNS` only matched a single dotted segment after `.env`, so `.env.production.local.backup`, `.env.prod.local.bak`, etc. slipped through. Replaced with `/[\\/]\.env(\.[A-Za-z0-9._-]+)*$/` covering arbitrary multi-segment suffixes. `.envrc` continues to be allowed. Commit `751f119`. (Critical-review B1.)
+- **Distributed trifecta in BLOCK mode only warned** (`hooks/scripts/post-session-guard.mjs`). The previous block-gate required *both* `LLM_SECURITY_TRIFECTA_MODE=block` *and* a "concentrated" or "sensitive-path" qualifier, so a trifecta whose three legs landed on different MCP servers without a sensitive path was advisory-only. Removed the AND-gate; block mode now blocks any detected trifecta. Commit `36be963`. (Critical-review B2.)
+- **JSDoc/CHANGELOG arithmetic for `riskScore({critical: 4})`** (`scanners/lib/severity.mjs:23`, `CHANGELOG.md` v7.0.0 tier description). The actual computation has always been `70 + log2(5)*10 = 93.22 → round → 93`; only the docs said `90`. Fixed; pin test added. (Critical-review B4.)
+
+### Changed
+
+- **Honesty-sweep on documentation language** (`CLAUDE.md`, `commands/ide-scan.md`, `knowledge/mitigation-matrix.md`, `docs/security-hardening-guide.md`). Critical-review §9 flagged a set of overclaim phrasings; rewritten while preserving accurate underlying claims:
+  - "Trustworthy scoring (BREAKING)" → "Severity-dominated risk scoring (v2 model, BREAKING)"
+  - "Context-aware entropy scanner" → "Rule-based entropy scanner with file-extension skip, 8 line-level suppression rules, and configurable policy"
+  - "1487 tests" → "1511 unit and integration tests; mutation-testing coverage not published"
+  - "Fully Schrems II compatible" → "Schrems II compatible in default offline mode. Optional OSV.dev enrichment is a separate compliance consideration"
+  - "Rule of Two enforcement" → "Rule of Two detection (configurable; default warn; blocks on high-confidence trifectas in opt-in `block` mode)"
+  - "Hardened ZIP extractor" → suffix " — no fuzz-testing results published to date"
+  - "defense-in-depth" → preserved, but quantified in `docs/security-hardening-guide.md` §4: "three independent detection layers with documented bypass classes"
+- **CaMeL claims toned down** (`hooks/scripts/post-session-guard.mjs:646`, `CLAUDE.md:184`). Implementation is opportunistic byte-matching of truncated output fingerprints (first 200 bytes, SHA-256/16-hex tag) — trivially bypassed by mutation, summarisation, or re-encoding. Renamed framing from "CaMeL-inspired data-flow tagging (SHA-256 provenance tracking)" to "output fingerprint matching (inspired by CaMeL but not a CaMeL capability-tracking implementation)". (Critical-review B8.)
+- **Plugin version:** `7.0.0 → 7.1.0` across `package.json`, `.claude-plugin/plugin.json`, `scanners/ide-extension-scanner.mjs` (`VERSION`), README badge, CLAUDE.md header, marketplace root README. Test count `1487 → 1511` in marketplace root README.
+
+### Tests
+
+- **+8 tests for B1 pathguard** (`tests/hooks/pre-write-pathguard.test.mjs`): 6 multi-segment BLOCK + 1 `.envrc` ALLOW + 1 sentinel.
+- **+1 test for B2 distributed trifecta** (`tests/hooks/post-session-guard.test.mjs`): three legs from different sources blocked under `block` mode.
+- **+15 sweep tests + 1 anchor test for verdict/riskBand co-monotonicity** (`tests/lib/severity.test.mjs`): asserts `(verdict, riskBand)` agree under v7.0.0 contract for representative count vectors. Catches future drift between scoring tiers, verdict cutoffs, and riskBand cutoffs. Anchor test pins `riskScore({critical: 4}) === 93` so doc/code drift fails loudly.
+- **Total: 1511 tests** (was 1487). All green.
+
+### Why
+
+- Pathguard and trifecta-block bugs were live security holes — both fixed at the
+  hook level so users on the default install get the fix automatically.
+- The honesty-sweep is a deliberate response to the critical-review CISO-perspective
+  (§F): "Would a CISO install this?" — overclaim language was identified as a
+  blocker for regulated environments. Toning it down does not weaken the actual
+  defenses; it lets users trust the documentation.
+
 ## [7.0.0] - 2026-04-19
 
 ### BREAKING CHANGES

plugins/llm-security/CLAUDE.md

@@ -1,4 +1,4 @@
-# LLM Security Plugin (v7.0.0)
+# LLM Security Plugin (v7.1.0)
 
 Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 1511 unit and integration tests; mutation-testing coverage not published.
 

plugins/llm-security/README.md

@@ -6,7 +6,7 @@
 
 *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)*
 
-![Version](https://img.shields.io/badge/version-7.0.0-blue)
+![Version](https://img.shields.io/badge/version-7.1.0-blue)
 ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple)
 ![Agents](https://img.shields.io/badge/agents-6-orange)
 ![Scanners](https://img.shields.io/badge/scanners-22-cyan)

plugins/llm-security/docs/security-hardening-guide.md

@@ -269,4 +269,19 @@ tools.
 
 ---
 
-**Last updated:** 2026-04-19 for v7.0.0.
+**Last updated:** 2026-04-29 for v7.1.0.
+
+### v7.1.0 calibration note
+
+v7.1.0 is a patch release. No calibration changes; the §6 tuning workflow above is
+unchanged. Two hook-level bugs were fixed that affect production posture:
+
+- `pre-write-pathguard.mjs` now blocks multi-segment `.env.*.*.*` paths (previously a
+  regex hole let `.env.production.local.backup` through).
+- `post-session-guard.mjs` `block` mode now blocks every detected trifecta. Previously
+  required a "concentrated MCP" or "sensitive path" qualifier, so distributed
+  trifectas were advisory-only even in block mode.
+
+If you run with `LLM_SECURITY_TRIFECTA_MODE=block`, expect the false-block rate to
+rise after this upgrade — the previous gate suppressed real trifectas. Re-baseline
+the warn-mode noise floor before promoting to block, per §3.

plugins/llm-security/package.json

@@ -1,6 +1,6 @@
 {
   "name": "llm-security",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "description": "Security scanning, auditing, and threat modeling for Claude Code projects",
   "type": "module",
   "bin": {

plugins/llm-security/scanners/ide-extension-scanner.mjs

@@ -49,7 +49,7 @@ import { scan as scanTaint } from './taint-tracer.mjs';
 import { scan as scanMemoryPoisoning } from './memory-poisoning-scanner.mjs';
 import { scan as scanSupplyChain } from './supply-chain-recheck.mjs';
 
-const VERSION = '7.0.0';
+const VERSION = '7.1.0';
 const SCANNER = 'IDE';
 
 // ---------------------------------------------------------------------------