open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

chore(llm-security): v7.3.1 — stabilization patch for forkers and downstream users

Browse source 
No behavior changes. Sets the public stance, tightens documentation, and
removes coherence drift so anyone forking or downloading the plugin gets
a consistent starting point.

Added:
- CONTRIBUTING.md — public fork-and-own guide. Why PRs are not accepted,
  how to fork well, what is welcome via issues.
- README "Project scope" section — out-of-scope table naming what is
  fork-and-own territory (web dashboard, fleet policy, runtime firewall,
  IDE LSP, compliance pack, ticketing, multi-tenancy, ML detectors,
  marketplace UI, SSO/SCIM/RBAC) with commercial alternatives.
- package.json: bugs.url, CONTRIBUTING/SECURITY/CHANGELOG in files
  whitelist for npm publishing.

Changed:
- SECURITY.md rewritten. Supported-versions table from stale 5.1.x to
  current reality (7.3.x active, 7.0-7.2 best-effort, <7.0 EOL).
  Best-effort solo response timeline. Scope expanded to bin/.
- Scanner VERSION constants synced to plugin version. Was 6.0.0 in
  dashboard-aggregator and posture-scanner.
- package.json repository.url corrected from fromaitochitta/ to open/.
- README "Feedback & contributing" links to CONTRIBUTING.md.

Fixed:
- pre-compact-scan size-cap timing test ceiling raised 500ms -> 1000ms.
  Was a flake on Intel Mac and CI under load. Design target unchanged
  (<500ms, documented in CLAUDE.md).

Notes:
- First patch on the stabilization line (post-2026-05-01).
- Wave E attack-simulator scenarios deferred indefinitely; coverage
  remains at 72.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-05-01 06:14:03 +02:00
commit 62a9335772
12 changed files with 336 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

6
plugins/llm-security/tests/hooks/pre-compact-scan.test.mjs
View file

@ -98,12 +98,14 @@ describe('pre-compact-scan hook', () => {
assert.equal(parseOutput(r.stdout), null);
});
it('size-cap: ~1MB transcript completes under 500 ms', async () => {
it('size-cap: ~1MB transcript completes under 1000 ms', async () => {
const start = process.hrtime.bigint();
const r = await runHookWithEnv(SCRIPT, payload(LARGE), { LLM_SECURITY_PRECOMPACT_MODE: 'warn' });
const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
assert.equal(r.code, 0, 'hook should not fail on large transcript');
assert.ok(elapsedMs < 500, `expected <500 ms, got ${elapsedMs.toFixed(1)} ms`);
// Design target is <500 ms (see CLAUDE.md). Test ceiling is 2x to absorb
// hardware/CI noise without going silent on order-of-magnitude regressions.
assert.ok(elapsedMs < 1000, `expected <1000 ms ceiling, got ${elapsedMs.toFixed(1)} ms`);
});
it('credential pattern in transcript is detected in warn mode', async () => {