docs: update READMEs for llm-security v6.2.0 (9 hooks, PreCompact, Opus 4.7)

Kjell Tore Guttormsen 2026-04-17 15:35:52 +02:00
commit 7bcf5fae9d
2 changed files with 10 additions and 8 deletions


@ -45,7 +45,7 @@ Claude Code plugins, MCP servers, and agentic workflows introduce attack surface
This plugin provides three layers of protection:
- **Automated enforcement**8 hooks that block dangerous operations in real time (prompt injection in user input, secrets in code, writes to sensitive paths, destructive shell commands, supply chain guardrails, suspicious tool output, runtime trifecta detection, update notifications)
- **Automated enforcement**9 hooks that block dangerous operations in real time (prompt injection in user input, secrets in code, writes to sensitive paths, destructive shell commands, supply chain guardrails, suspicious tool output, runtime trifecta detection, transcript scanning before context compaction, update notifications)
- **Deterministic scanning** — 21 Node.js scanners (10 orchestrated + 11 standalone) that perform byte-level analysis LLMs cannot: Shannon entropy, Unicode codepoints, Levenshtein distance for typosquatting, source-to-sink taint flow, DNS resolution, git history forensics, toxic flow analysis, memory poisoning, live MCP inspection, AI-BOM generation, attack simulation
- **Advisory analysis** — 18 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation plans
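Review bot: the `**Automated enforcement**` bullet is missing the separator between the bold label and the hook count, in both the removed and the added line (`**Automated enforcement**9 hooks that block ...`), while the two sibling bullets use one (`**Deterministic scanning** — 21 Node.js scanners ...`). Since this line is being touched anyway, add the same separator so the three bullets render consistently.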
@ -604,7 +604,7 @@ Why ~190 suppressed? A security plugin that documents attack patterns, ships a m
```mermaid
flowchart TB
subgraph Runtime["Runtime Defense (8 hooks)"]
subgraph Runtime["Runtime Defense (9 hooks)"]
direction LR
H1["UserPromptSubmit<br/>Injection scan"]
H2["PreToolUse<br/>Secrets · Paths · Bash · Supply chain"]
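Review bot: the subgraph label changes from `Runtime Defense (8 hooks)` to `Runtime Defense (9 hooks)`, but the hunk adds no node for the new PreCompact hook; the visible nodes are still `H1["UserPromptSubmit<br/>Injection scan"]` and `H2["PreToolUse<br/>..."]`. If the flowchart enumerates hooks as H-nodes, add a `PreCompact<br/>Transcript scan` node alongside them so the diagram matches the count in its own title.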
@ -727,14 +727,15 @@ llm-security/
│ ├── memory-poisoning-scanner.mjs # Injection in CLAUDE.md, memory, rules files
│ ├── supply-chain-recheck.mjs # Re-audit installed deps from lockfiles
│ └── toxic-flow-analyzer.mjs # Post-processing correlator: lethal trifecta detection
├── hooks/ # 8 automated hooks
├── hooks/ # 9 automated hooks
│ ├── hooks.json # Hook registration
│ └── scripts/
│ ├── pre-prompt-inject-scan.mjs # 21 critical + 8 high + 15 medium patterns, obfuscation decode, configurable mode
│ ├── pre-edit-secrets.mjs # 13 secret patterns, knowledge/ exclusion
│ ├── pre-write-pathguard.mjs # 8 path categories (env, ssh, aws, gnupg, creds, hooks, system, settings)
│ ├── pre-bash-destructive.mjs # 8 block + 6 warn rules
│ ├── pre-bash-destructive.mjs # 8 block + 6 warn rules, T1-T6 bash-normalize
│ ├── pre-install-supply-chain.mjs # 7 package managers, CVE/typosquat/age-gate
│ ├── pre-compact-scan.mjs # PreCompact: scans transcript tail (500 KB) for injection before compaction, mode: block/warn/off
│ ├── post-mcp-verify.mjs # Advisory: ALL tools injection scan, Bash secrets/URLs/size
│ ├── post-session-guard.mjs # Advisory: runtime trifecta detection (sliding window, JSONL state)
│ └── update-check.mjs # Informational: version check (1x/24h, cached, disable: LLM_SECURITY_UPDATE_CHECK=off)
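Review bot: `T1-T6 bash-normalize` on the `pre-bash-destructive.mjs` line is an abbreviation nothing else in this tree defines; either spell out what the T1 to T6 tiers are or point to the section of the README that documents them, otherwise the comment is noise to a first-time reader. On the new `pre-compact-scan.mjs` line, "scans transcript tail (500 KB)" should also say what happens to transcript content older than that tail (not scanned, or handled by another hook), since a reader evaluating the PreCompact layer will want to know its coverage boundary; the `mode: block/warn/off` wording could match the "configurable mode" phrasing used on `pre-prompt-inject-scan.mjs`.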