diff --git a/README.md b/README.md index 584716b..68b93fd 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ Then open Claude Code and type `/plugin` to browse and install plugins from the ## Plugins -### [LLM Security](plugins/llm-security/) `v7.0.0` +### [LLM Security](plugins/llm-security/) `v7.1.0` Security scanning, auditing, and threat modeling for agentic AI projects. @@ -40,7 +40,7 @@ Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Trap Key commands: `/security posture`, `/security audit`, `/security scan`, `/security ide-scan`, `/security threat-model`, `/security plugin-audit` -6 specialized agents · 22 scanners · 9 hooks · 20 knowledge docs · 1487 tests +6 specialized agents · 22 scanners · 9 hooks · 20 knowledge docs · 1511 tests → [Full documentation](plugins/llm-security/README.md) diff --git a/plugins/llm-security/.claude-plugin/plugin.json b/plugins/llm-security/.claude-plugin/plugin.json index 1a9177e..2f03d4d 100644 --- a/plugins/llm-security/.claude-plugin/plugin.json +++ b/plugins/llm-security/.claude-plugin/plugin.json @@ -1,5 +1,5 @@ { "name": "llm-security", "description": "Security scanning, auditing, and threat modeling for Claude Code projects. Detects secrets, validates MCP servers, assesses security posture, and generates threat models aligned with OWASP LLM Top 10.", - "version": "7.0.0" + "version": "7.1.0" } diff --git a/plugins/llm-security/CHANGELOG.md b/plugins/llm-security/CHANGELOG.md index 09d5642..d8afde6 100644 --- a/plugins/llm-security/CHANGELOG.md +++ b/plugins/llm-security/CHANGELOG.md 
@@ -4,6 +4,48 @@ All notable changes to the LLM Security Plugin are documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). +## [7.1.0] - 2026-04-29 + +Patch release closing the highest-impact items from the v7.0.0 adversarial review +(`docs/critical-review-2026-04-20.md`, grade B-). Bug-fixes plus an honesty-sweep on +documentation language. No new features and no behavioral changes outside the listed +fixes. + +### Fixed + +- **Pathguard regex hole — `.env.*.*.*` could be written without blocking** (`hooks/scripts/pre-write-pathguard.mjs`). The old `ENV_PATTERNS` only matched a single dotted segment after `.env`, so `.env.production.local.backup`, `.env.prod.local.bak`, etc. slipped through. Replaced with `/[\\/]\.env(\.[A-Za-z0-9._-]+)*$/` covering arbitrary multi-segment suffixes. `.envrc` continues to be allowed. Commit `751f119`. (Critical-review B1.) +- **Distributed trifecta in BLOCK mode only warned** (`hooks/scripts/post-session-guard.mjs`). The previous block-gate required *both* `LLM_SECURITY_TRIFECTA_MODE=block` *and* a "concentrated" or "sensitive-path" qualifier, so a trifecta whose three legs landed on different MCP servers without a sensitive path was advisory-only. Removed the AND-gate; block mode now blocks any detected trifecta. Commit `36be963`. (Critical-review B2.) +- **JSDoc/CHANGELOG arithmetic for `riskScore({critical: 4})`** (`scanners/lib/severity.mjs:23`, `CHANGELOG.md` v7.0.0 tier description). The actual computation has always been `70 + log2(5)*10 = 93.22 → round → 93`; only the docs said `90`. Fixed; pin test added. (Critical-review B4.) + +### Changed + +- **Honesty-sweep on documentation language** (`CLAUDE.md`, `commands/ide-scan.md`, `knowledge/mitigation-matrix.md`, `docs/security-hardening-guide.md`). 
Critical-review §9 flagged a set of overclaim phrasings; rewritten while preserving accurate underlying claims: + - "Trustworthy scoring (BREAKING)" → "Severity-dominated risk scoring (v2 model, BREAKING)" + - "Context-aware entropy scanner" → "Rule-based entropy scanner with file-extension skip, 8 line-level suppression rules, and configurable policy" + - "1487 tests" → "1511 unit and integration tests; mutation-testing coverage not published" + - "Fully Schrems II compatible" → "Schrems II compatible in default offline mode. Optional OSV.dev enrichment is a separate compliance consideration" + - "Rule of Two enforcement" → "Rule of Two detection (configurable; default warn; blocks on high-confidence trifectas in opt-in `block` mode)" + - "Hardened ZIP extractor" → suffix " — no fuzz-testing results published to date" + - "defense-in-depth" → preserved, but quantified in `docs/security-hardening-guide.md` §4: "three independent detection layers with documented bypass classes" +- **CaMeL claims toned down** (`hooks/scripts/post-session-guard.mjs:646`, `CLAUDE.md:184`). Implementation is opportunistic byte-matching of truncated output fingerprints (first 200 bytes, SHA-256/16-hex tag) — trivially bypassed by mutation, summarisation, or re-encoding. Renamed framing from "CaMeL-inspired data-flow tagging (SHA-256 provenance tracking)" to "output fingerprint matching (inspired by CaMeL but not a CaMeL capability-tracking implementation)". (Critical-review B8.) +- **Plugin version:** `7.0.0 → 7.1.0` across `package.json`, `.claude-plugin/plugin.json`, `scanners/ide-extension-scanner.mjs` (`VERSION`), README badge, CLAUDE.md header, marketplace root README. Test count `1487 → 1511` in marketplace root README. + +### Tests + +- **+8 tests for B1 pathguard** (`tests/hooks/pre-write-pathguard.test.mjs`): 6 multi-segment BLOCK + 1 `.envrc` ALLOW + 1 sentinel. 
+- **+1 test for B2 distributed trifecta** (`tests/hooks/post-session-guard.test.mjs`): three legs from different sources blocked under `block` mode. +- **+15 sweep tests + 1 anchor test for verdict/riskBand co-monotonicity** (`tests/lib/severity.test.mjs`): asserts `(verdict, riskBand)` agree under v7.0.0 contract for representative count vectors. Catches future drift between scoring tiers, verdict cutoffs, and riskBand cutoffs. Anchor test pins `riskScore({critical: 4}) === 93` so doc/code drift fails loudly. +- **Total: 1511 tests** (was 1487). All green. + +### Why + +- Pathguard and trifecta-block bugs were live security holes — both fixed at the + hook level so users on the default install get the fix automatically. +- The honesty-sweep is a deliberate response to the critical-review CISO-perspective + (§F): "Would a CISO install this?" — overclaim language was identified as a + blocker for regulated environments. Toning it down does not weaken the actual + defenses; it lets users trust the documentation. + ## [7.0.0] - 2026-04-19 ### BREAKING CHANGES diff --git a/plugins/llm-security/CLAUDE.md b/plugins/llm-security/CLAUDE.md index 74b96df..d99b0db 100644 --- a/plugins/llm-security/CLAUDE.md +++ b/plugins/llm-security/CLAUDE.md @@ -1,4 +1,4 @@ -# LLM Security Plugin (v7.0.0) +# LLM Security Plugin (v7.1.0) Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 1511 unit and integration tests; mutation-testing coverage not published. diff --git a/plugins/llm-security/README.md b/plugins/llm-security/README.md index 6eec5ab..9dbe104 100644 --- a/plugins/llm-security/README.md +++ b/plugins/llm-security/README.md 
@@ -6,7 +6,7 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-7.0.0-blue) +![Version](https://img.shields.io/badge/version-7.1.0-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Agents](https://img.shields.io/badge/agents-6-orange) ![Scanners](https://img.shields.io/badge/scanners-22-cyan) diff --git a/plugins/llm-security/docs/security-hardening-guide.md b/plugins/llm-security/docs/security-hardening-guide.md index eb7f698..7c51a6c 100644 --- a/plugins/llm-security/docs/security-hardening-guide.md +++ b/plugins/llm-security/docs/security-hardening-guide.md @@ -269,4 +269,19 @@ tools. --- -**Last updated:** 2026-04-19 for v7.0.0. +**Last updated:** 2026-04-29 for v7.1.0. + +### v7.1.0 calibration note + +v7.1.0 is a patch release. No calibration changes; the §6 tuning workflow above is +unchanged. Two hook-level bugs were fixed that affect production posture: + +- `pre-write-pathguard.mjs` now blocks multi-segment `.env.*.*.*` paths (previously a + regex hole let `.env.production.local.backup` through). +- `post-session-guard.mjs` `block` mode now blocks every detected trifecta. Previously + required a "concentrated MCP" or "sensitive path" qualifier, so distributed + trifectas were advisory-only even in block mode. + +If you run with `LLM_SECURITY_TRIFECTA_MODE=block`, expect the false-block rate to +rise after this upgrade — the previous gate suppressed real trifectas. Re-baseline +the warn-mode noise floor before promoting to block, per §3. diff --git a/plugins/llm-security/package.json b/plugins/llm-security/package.json index e63a3fb..e07ea20 100644 --- a/plugins/llm-security/package.json +++ b/plugins/llm-security/package.json 
@@ -1,6 +1,6 @@ { "name": "llm-security", - "version": "7.0.0", + "version": "7.1.0", "description": "Security scanning, auditing, and threat modeling for Claude Code projects", "type": "module", "bin": { diff --git a/plugins/llm-security/scanners/ide-extension-scanner.mjs b/plugins/llm-security/scanners/ide-extension-scanner.mjs index 752b2a6..b0d1f29 100644 --- a/plugins/llm-security/scanners/ide-extension-scanner.mjs +++ b/plugins/llm-security/scanners/ide-extension-scanner.mjs @@ -49,7 +49,7 @@ import { scan as scanTaint } from './taint-tracer.mjs'; import { scan as scanMemoryPoisoning } from './memory-poisoning-scanner.mjs'; import { scan as scanSupplyChain } from './supply-chain-recheck.mjs'; -const VERSION = '7.0.0'; +const VERSION = '7.1.0'; const SCANNER = 'IDE'; // ---------------------------------------------------------------------------
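Review bot: the test arithmetic in the CHANGELOG `### Tests` section does not reconcile. The itemised additions (+8 pathguard, +1 distributed trifecta, +15 sweep, +1 anchor) sum to 25, but `1511` minus `1487` is 24; either an entry is double-counted or a test was removed, and the bullet should say which, because the same `1511` figure is propagated to the root README, `CLAUDE.md` and the honesty-sweep line, and accuracy of that count is one of the things this release advertises. Two smaller points in the same hunk: the entry calls itself a "Patch release" while `7.0.0 → 7.1.0` is a minor bump under semver, so pick one; and the rewritten "Rule of Two detection" phrasing still says "blocks on high-confidence trifectas in opt-in `block` mode", which contradicts the B2 fix a few bullets earlier ("block mode now blocks any detected trifecta"). Finally, the new pathguard pattern `/[\\/]\.env(\.[A-Za-z0-9._-]+)*$/` requires a path separator immediately before `.env`, so a bare relative `.env` with no directory component only matches if the hook resolves the path before testing it; worth stating in the bullet and covering with one of the added tests.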
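Review bot: in the `security-hardening-guide.md` hunk the new `### v7.1.0 calibration note` is appended after the `---` separator and the `**Last updated:**` footer, so a section heading now sits below what reads as the end of the document; move it above the separator, next to the §6 tuning material it refers to, and keep the footer last. The closing paragraph is also self-contradictory: "expect the false-block rate to rise ... the previous gate suppressed real trifectas" says the newly blocked cases are real, in which case what rises is the block rate (true positives that were previously advisory-only), not the false-block rate. Say "block rate" so operators do not read the upgrade as a precision regression, and keep the re-baseline advice, which is the actionable part.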
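Review bot: `const VERSION = '7.1.0'` in `ide-extension-scanner.mjs` is a hand-maintained copy of the version already declared in `package.json` and `.claude-plugin/plugin.json`; the CHANGELOG bullet in this same patch lists six places that had to be edited for the bump. Consider deriving the scanner's `VERSION` from the manifest at import time (for example `createRequire(import.meta.url)('../package.json').version`, assuming that relative path from the scanner to the manifest), or add a test asserting that the three copies agree, so a future bump cannot leave the scanner reporting a stale version in its output.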