From 7bcf5fae9da675b4685e09434fee1714a931011c Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 17 Apr 2026 15:35:52 +0200 Subject: [PATCH] docs: update READMEs for llm-security v6.2.0 (9 hooks, PreCompact, Opus 4.7) --- README.md | 9 +++++---- plugins/llm-security/README.md | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index eb7e0e5..7a1d51e 100644 --- a/README.md +++ b/README.md 
@@ -22,20 +22,21 @@ Then open Claude Code and type `/plugin` to browse and install plugins from the ## Plugins -### [LLM Security](plugins/llm-security/) `v6.1.0` +### [LLM Security](plugins/llm-security/) `v6.2.0` Security scanning, auditing, and threat modeling for agentic AI projects. Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Traps taxonomy (Google DeepMind, 2025). Three layers of protection: -- **Automated enforcement** — 8 hooks that block dangerous operations in real time (prompt injection, secrets in code, destructive commands, supply chain guardrails) -- **Deterministic scanning** — 21 Node.js scanners (10 orchestrated + 11 standalone) for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM, attack simulation +- **Automated enforcement** — 9 hooks that block dangerous operations in real time (prompt injection, secrets in code, destructive commands, supply chain guardrails, transcript scanning before context compaction) +- **Deterministic scanning** — 21 Node.js scanners (10 orchestrated + 11 standalone) for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM, attack simulation. 
Bash-normalize T1-T6 for obfuscation-resistant denylists - **Advisory analysis** — 18 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation - **Enterprise governance** — Compliance mapping (EU AI Act, NIST AI RMF, ISO 42001), SARIF 2.1.0 output, structured audit trail, policy-as-code, standalone CLI +- **Opus 4.7 aligned** — Agent instructions rewritten for literal instruction-following (system card §6.3.1.1), defense-in-depth posture per §5.2.1, production hardening guide Key commands: `/security posture`, `/security audit`, `/security scan`, `/security threat-model`, `/security plugin-audit` -6 specialized agents · 21 scanners · 8 hooks · 16 knowledge docs · 1264 tests +6 specialized agents · 21 scanners · 9 hooks · 16 knowledge docs · 1274 tests → [Full documentation](plugins/llm-security/README.md) diff --git a/plugins/llm-security/README.md b/plugins/llm-security/README.md index f3c2885..25d0b43 100644 --- a/plugins/llm-security/README.md +++ b/plugins/llm-security/README.md 
@@ -45,7 +45,7 @@ Claude Code plugins, MCP servers, and agentic workflows introduce attack surface This plugin provides three layers of protection: -- **Automated enforcement** — 8 hooks that block dangerous operations in real time (prompt injection in user input, secrets in code, writes to sensitive paths, destructive shell commands, supply chain guardrails, suspicious tool output, runtime trifecta detection, update notifications) +- **Automated enforcement** — 9 hooks that block dangerous operations in real time (prompt injection in user input, secrets in code, writes to sensitive paths, destructive shell commands, supply chain guardrails, suspicious tool output, runtime trifecta detection, transcript scanning before context compaction, update notifications) - **Deterministic scanning** — 21 Node.js scanners (10 orchestrated + 11 standalone) that perform byte-level analysis LLMs cannot: Shannon entropy, Unicode codepoints, Levenshtein distance for typosquatting, source-to-sink taint flow, DNS resolution, git history forensics, toxic flow analysis, memory poisoning, live MCP inspection, AI-BOM generation, attack simulation - **Advisory analysis** — 18 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation plans @@ -604,7 +604,7 @@ Why ~190 suppressed? A security plugin that documents attack patterns, ships a m ```mermaid flowchart TB - subgraph Runtime["Runtime Defense (8 hooks)"] + subgraph Runtime["Runtime Defense (9 hooks)"] direction LR H1["UserPromptSubmit
Injection scan"] H2["PreToolUse
Secrets · Paths · Bash · Supply chain"] @@ -727,14 +727,15 @@ llm-security/ │ ├── memory-poisoning-scanner.mjs # Injection in CLAUDE.md, memory, rules files │ ├── supply-chain-recheck.mjs # Re-audit installed deps from lockfiles │ └── toxic-flow-analyzer.mjs # Post-processing correlator: lethal trifecta detection -├── hooks/ # 8 automated hooks +├── hooks/ # 9 automated hooks │ ├── hooks.json # Hook registration │ └── scripts/ │ ├── pre-prompt-inject-scan.mjs # 21 critical + 8 high + 15 medium patterns, obfuscation decode, configurable mode │ ├── pre-edit-secrets.mjs # 13 secret patterns, knowledge/ exclusion │ ├── pre-write-pathguard.mjs # 8 path categories (env, ssh, aws, gnupg, creds, hooks, system, settings) -│ ├── pre-bash-destructive.mjs # 8 block + 6 warn rules +│ ├── pre-bash-destructive.mjs # 8 block + 6 warn rules, T1-T6 bash-normalize │ ├── pre-install-supply-chain.mjs # 7 package managers, CVE/typosquat/age-gate +│ ├── pre-compact-scan.mjs # PreCompact: scans transcript tail (500 KB) for injection before compaction, mode: block/warn/off │ ├── post-mcp-verify.mjs # Advisory: ALL tools injection scan, Bash secrets/URLs/size │ ├── post-session-guard.mjs # Advisory: runtime trifecta detection (sliding window, JSONL state) │ └── update-check.mjs # Informational: version check (1x/24h, cached, disable: LLM_SECURITY_UPDATE_CHECK=off)
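Review bot: in the README.md hunk (@@ -22,20 +22,21 @@) the lead-in "Three layers of protection:" now heads a five-item list; the new "**Opus 4.7 aligned**" bullet describes agent-instruction alignment and a hardening guide, not a protection layer, so either move it to its own sentence below the list or fix the count in the lead-in. The same hunk appends "Bash-normalize T1-T6 for obfuscation-resistant denylists" after a sentence-ending period in the scanners bullet (no other bullet ends with a period), and the plugins README tree hunk attributes T1-T6 bash-normalize to the `pre-bash-destructive.mjs` hook rather than to a scanner; pick one home for the feature so both READMEs say the same thing.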
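Review bot: the mermaid hunk (@@ -604,7 +604,7 @@) only relabels the subgraph to `Runtime Defense (9 hooks)` with no change in line count, so no node for the new PreCompact hook is drawn; the diagram enumerates hooks per event (`H1["UserPromptSubmit ...`, `H2["PreToolUse ...`), so add a PreCompact node beside them or the label count will not match what the diagram shows.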
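Review bot: the new `pre-compact-scan.mjs` line in the tree hunk (@@ -727,14 +727,15 @@) states "mode: block/warn/off" but, unlike the `update-check.mjs` entry that names its switch (`LLM_SECURITY_UPDATE_CHECK=off`), does not say how the mode is selected; document the setting or environment variable the same way so operators can find it from the README. The patch header also shows only the two README files changed, so the `hooks.json` registration for the PreCompact event and the tests behind the 1264 → 1274 count live in a separate commit; reference that commit in the message so the docs change can be traced to the code it describes.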