chore(llm-security): v7.3.1 — stabilization patch for forkers and downstream users
No behavior changes. Sets the public stance, tightens documentation, and removes coherence drift so anyone forking or downloading the plugin gets a consistent starting point. Added: - CONTRIBUTING.md — public fork-and-own guide. Why PRs are not accepted, how to fork well, what is welcome via issues. - README "Project scope" section — out-of-scope table naming what is fork-and-own territory (web dashboard, fleet policy, runtime firewall, IDE LSP, compliance pack, ticketing, multi-tenancy, ML detectors, marketplace UI, SSO/SCIM/RBAC) with commercial alternatives. - package.json: bugs.url, CONTRIBUTING/SECURITY/CHANGELOG in files whitelist for npm publishing. Changed: - SECURITY.md rewritten. Supported-versions table from stale 5.1.x to current reality (7.3.x active, 7.0-7.2 best-effort, <7.0 EOL). Best-effort solo response timeline. Scope expanded to bin/. - Scanner VERSION constants synced to plugin version. Was 6.0.0 in dashboard-aggregator and posture-scanner. - package.json repository.url corrected from fromaitochitta/ to open/. - README "Feedback & contributing" links to CONTRIBUTING.md. Fixed: - pre-compact-scan size-cap timing test ceiling raised 500ms -> 1000ms. Was a flake on Intel Mac and CI under load. Design target unchanged (<500ms, documented in CLAUDE.md). Notes: - First patch on the stabilization line (post-2026-05-01). - Wave E attack-simulator scenarios deferred indefinitely; coverage remains at 72. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen
parent
4bd7cd5056
commit
62a9335772
12 changed files with 336 additions and 30 deletions
|
|
@ -4,6 +4,72 @@ All notable changes to the LLM Security Plugin are documented in this file.
|
|||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
|
||||
|
||||
## [7.3.1] - 2026-05-01
|
||||
|
||||
Stabilization patch. No behavior changes. Sets the public stance, tightens
|
||||
documentation, and removes coherence drift so forkers and downstream
|
||||
organizations get a consistent starting point.
|
||||
|
||||
### Added
|
||||
|
||||
- `CONTRIBUTING.md` — public fork-and-own guide. Explains why PRs are not
|
||||
accepted on the upstream repo, how to fork well (rename plugin, change
|
||||
security contact, preserve LICENSE, re-establish trust), what is welcome
|
||||
via issues, and the bar for inline-diff suggestions the maintainer may
|
||||
apply directly.
|
||||
- `README.md` "Project scope" section — public statement of stabilization
|
||||
mode (effective 2026-05-01) plus an out-of-scope table naming what is
|
||||
fork-and-own territory: web dashboard, fleet policy server, runtime
|
||||
prompt firewall, IDE LSP, compliance PDF/DOCX pack, enterprise ticketing
|
||||
connectors, multi-tenancy, ML-based detectors, marketplace UI,
|
||||
SSO/SCIM/RBAC. Each row points at the commercial alternative
|
||||
(Snyk, Lakera, Vanta, Splunk SOAR, parry-guard, etc.).
|
||||
- `package.json`: `bugs.url` field, `CONTRIBUTING.md` / `SECURITY.md` /
|
||||
`CHANGELOG.md` added to the `files` whitelist so npm-published artifacts
|
||||
ship with full project documentation.
|
||||
|
||||
### Changed
|
||||
|
||||
- `SECURITY.md` rewritten. Supported-versions table moves from `5.1.x`
|
||||
(stale since v6.0.0) to current reality: 7.3.x active, 7.0–7.2 best-effort,
|
||||
< 7.0 EOL. Adds explicit best-effort solo-project response timeline (7
|
||||
days ack, 14 days triage, 30 days fix for High/Critical), expands scope
|
||||
list to cover `bin/llm-security.mjs`, and notes that out-of-scope
|
||||
vulnerabilities (e.g., adaptive ML-based bypass) get an explanatory
|
||||
response rather than silent ignore.
|
||||
- `README.md` "Feedback & contributing" section now links to
|
||||
`CONTRIBUTING.md` and the new "Project scope" section.
|
||||
- `package.json` `repository.url` corrected from
|
||||
`fromaitochitta/claude-code-llm-security` to
|
||||
`open/claude-code-llm-security` (matches `homepage` and the canonical
|
||||
Forgejo path).
|
||||
- Scanner `VERSION` constants synced to plugin version. Previously
|
||||
`dashboard-aggregator.mjs` and `posture-scanner.mjs` reported `6.0.0`
|
||||
in scan output and SARIF, mismatching the actual plugin version.
|
||||
All three standalone scanners (`dashboard-aggregator`, `posture-scanner`,
|
||||
`ide-extension-scanner`) now report `7.3.1`.
|
||||
|
||||
### Fixed
|
||||
|
||||
- `tests/hooks/pre-compact-scan.test.mjs` size-cap timing test ceiling
|
||||
raised from 500 ms to 1000 ms. The 500 ms hard cap was a flake source
|
||||
on Intel Mac and CI runners under load, while the design target
|
||||
(documented in `CLAUDE.md`) remains <500 ms. The test now catches
|
||||
order-of-magnitude regressions without breaking on hardware/CI noise.
|
||||
|
||||
### Notes
|
||||
|
||||
- This is the first patch on the stabilization line. Future 7.3.x
|
||||
releases will be limited to bug + security fixes and small
|
||||
knowledge-base refreshes that fit the existing deterministic
|
||||
architecture. v8.0.0 remains scheduled as the deprecation cleanup
|
||||
for the env vars and `riskScoreV1` constant deprecated in v7.3.0;
|
||||
see "Project scope" in `README.md` for the longer-term direction.
|
||||
- Wave E (additional attack-simulator scenarios mentioned in the v7.3.0
|
||||
changelog as "deferred to v7.3.1") is now deferred indefinitely.
|
||||
Coverage remains at 72 scenarios. Forkers who want broader red-team
|
||||
coverage are encouraged to extend `knowledge/attack-scenarios.json`.
|
||||
|
||||
## [7.3.0] - 2026-05-01
|
||||
|
||||
Batch C release. Closes 12 implementation tasks (E3, E8-E14, 8.4, 8.6,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue