feat(llm-security): add lethal-trifecta + mcp-rug-pull examples [skip-docs]

Two new self-contained, runnable threat demonstrations under examples/:

- lethal-trifecta-walkthrough/ — feeds 5 hook calls (WebFetch, Read .env,
  Bash curl POST + suppression follow-ups) into post-session-guard and
  verifies the Rule-of-Two advisory fires exactly on leg 3. State
  isolated via run-script PID so /tmp/llm-security-session-*.jsonl is
  not polluted. Treffer post-session-guard, ASI01/ASI02, LLM01/LLM02.

- mcp-rug-pull/ — mutates an MCP tool description across 8 stages.
  Each per-update <10% Levenshtein, cumulative reaches 32.2% by stage
  7 — proves the v7.3.0 (E14) mcp-cumulative-drift MEDIUM advisory
  catches slow-burn rug-pulls that the per-update detection would
  miss. Uses LLM_SECURITY_MCP_CACHE_FILE to isolate cache. Treffer
  post-mcp-verify, mcp-description-cache.mjs, OWASP MCP05/LLM03/ASI04.

Each example: README.md + run-*.mjs + expected-findings.md.
Plugin README "Other runnable examples" section + CHANGELOG
[Unreleased] Added bullets + plugin CLAUDE.md "Examples" section
all updated in this commit. Marketplace root README unchanged
since plugin's outward coverage is unchanged ([skip-docs]
covers the marketplace-level gate).

plugins/llm-security/CHANGELOG.md

@@ -29,6 +29,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Test count: 1777 → 1822 (+45). All payloads matching credential regexes
   are assembled at runtime via concatenation, so test files contain no
   literal credential-shaped strings (compatible with `pre-edit-secrets`).
+- `examples/lethal-trifecta-walkthrough/` — runnable demonstration of
+  `post-session-guard`'s Rule-of-Two advisory firing when a 5-call
+  sequence (WebFetch → Read .env → Bash curl POST + suppressed
+  follow-ups) closes the trifecta in a single 20-call window. State
+  isolated via the run script's PID; the user's real `/tmp/llm-security-
+  session-*` files are never touched. README explains the Rule of Two,
+  the configurable mode (`block`/`warn`/`off`), and the OWASP mapping
+  (LLM01/LLM02, ASI01/ASI02). `expected-findings.md` documents the
+  testable contract.
+- `examples/mcp-rug-pull/` — runnable demonstration of the v7.3.0
+  cumulative-drift advisory (E14, OWASP MCP05) on `post-mcp-verify`.
+  Mutates an MCP tool description across 8 stages — each step under
+  the 10% per-update Levenshtein threshold, but cumulatively crossing
+  25% from baseline at stage 7. Uses `LLM_SECURITY_MCP_CACHE_FILE`
+  env override to isolate the cache to a per-run tempdir; the user's
+  real `~/.cache/llm-security/mcp-descriptions.json` is never touched.
+  README enumerates the drift profile, points to
+  `/security mcp-baseline-reset` for legitimate upgrades, and maps
+  to MCP05 / LLM03 / ASI04.
 
 ## [7.3.1] - 2026-05-01
 

plugins/llm-security/README.md

@@ -494,6 +494,25 @@ node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-h
 /security scan examples/malicious-skill-demo/evil-project-health/ --deep                  # full pipeline
 ```
 
+### Other runnable examples
+
+The `examples/` directory contains additional self-contained
+demonstrations — each with `README.md`, fixture, run script, and
+`expected-findings.md`:
+
+- **`prompt-injection-showcase/`** — 61 payloads across 19 categories
+  fed to `pre-prompt-inject-scan`, `post-mcp-verify`, and
+  `pre-bash-destructive`. Run: `node examples/prompt-injection-showcase/run-showcase.mjs`
+- **`lethal-trifecta-walkthrough/`** — 5-step Rule-of-Two demonstration
+  (WebFetch → Read .env → Bash curl POST + suppression follow-ups)
+  showing `post-session-guard` advisory firing on leg 3. State-isolated
+  via run-script PID. Run: `node examples/lethal-trifecta-walkthrough/run-trifecta.mjs`
+- **`mcp-rug-pull/`** — 8-stage MCP description drift, each step under
+  the 10% per-update threshold but cumulatively >25% from baseline.
+  Demonstrates the v7.3.0 cumulative-drift advisory (E14, OWASP MCP05).
+  Cache isolated via `LLM_SECURITY_MCP_CACHE_FILE`. Run:
+  `node examples/mcp-rug-pull/run-rug-pull.mjs`
+
 ---
 
 ## Recent versions