diff --git a/plugins/llm-security/CHANGELOG.md b/plugins/llm-security/CHANGELOG.md index 59eb624..8435143 100644 --- a/plugins/llm-security/CHANGELOG.md +++ b/plugins/llm-security/CHANGELOG.md @@ -29,6 +29,25 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). - Test count: 1777 → 1822 (+45). All payloads matching credential regexes are assembled at runtime via concatenation, so test files contain no literal credential-shaped strings (compatible with `pre-edit-secrets`). +- `examples/lethal-trifecta-walkthrough/` — runnable demonstration of + `post-session-guard`'s Rule-of-Two advisory firing when a 5-call + sequence (WebFetch → Read .env → Bash curl POST + suppressed + follow-ups) closes the trifecta in a single 20-call window. State + isolated via the run script's PID; the user's real `/tmp/llm-security- + session-*` files are never touched. README explains the Rule of Two, + the configurable mode (`block`/`warn`/`off`), and the OWASP mapping + (LLM01/LLM02, ASI01/ASI02). `expected-findings.md` documents the + testable contract. +- `examples/mcp-rug-pull/` — runnable demonstration of the v7.3.0 + cumulative-drift advisory (E14, OWASP MCP05) on `post-mcp-verify`. + Mutates an MCP tool description across 8 stages — each step under + the 10% per-update Levenshtein threshold, but cumulatively crossing + 25% from baseline at stage 7. Uses `LLM_SECURITY_MCP_CACHE_FILE` + env override to isolate the cache to a per-run tempdir; the user's + real `~/.cache/llm-security/mcp-descriptions.json` is never touched. + README enumerates the drift profile, points to + `/security mcp-baseline-reset` for legitimate upgrades, and maps + to MCP05 / LLM03 / ASI04. ## [7.3.1] - 2026-05-01 diff --git a/plugins/llm-security/README.md b/plugins/llm-security/README.md index 7017256..8965095 100644 --- a/plugins/llm-security/README.md +++ b/plugins/llm-security/README.md 
@@ -494,6 +494,25 @@ node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-h /security scan examples/malicious-skill-demo/evil-project-health/ --deep # full pipeline ``` +### Other runnable examples + +The `examples/` directory contains additional self-contained +demonstrations — each with `README.md`, fixture, run script, and +`expected-findings.md`: + +- **`prompt-injection-showcase/`** — 61 payloads across 19 categories + fed to `pre-prompt-inject-scan`, `post-mcp-verify`, and + `pre-bash-destructive`. Run: `node examples/prompt-injection-showcase/run-showcase.mjs` +- **`lethal-trifecta-walkthrough/`** — 5-step Rule-of-Two demonstration + (WebFetch → Read .env → Bash curl POST + suppression follow-ups) + showing `post-session-guard` advisory firing on leg 3. State-isolated + via run-script PID. Run: `node examples/lethal-trifecta-walkthrough/run-trifecta.mjs` +- **`mcp-rug-pull/`** — 8-stage MCP description drift, each step under + the 10% per-update threshold but cumulatively >25% from baseline. + Demonstrates the v7.3.0 cumulative-drift advisory (E14, OWASP MCP05). + Cache isolated via `LLM_SECURITY_MCP_CACHE_FILE`. Run: + `node examples/mcp-rug-pull/run-rug-pull.mjs` + --- ## Recent versions
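Review bot: In the CHANGELOG hunk, the `examples/lethal-trifecta-walkthrough/` entry's "State isolated via the run script's PID" deserves a closer look before it is documented as the isolation guarantee: a PID is predictable, so if the run script derives its path from the same `/tmp/llm-security-session-*` prefix as the real session files, another local user can pre-create that path (or a symlink there) before the script runs. Prefer a random tempdir from `fs.mkdtempSync` (or an env-file override of the kind the `examples/mcp-rug-pull/` entry already describes) and state the mechanism in the entry, since the two new examples currently advertise different isolation approaches for the same problem. In the `examples/mcp-rug-pull/` entry, also note that pointing `LLM_SECURITY_MCP_CACHE_FILE` at a fresh file in a real session discards the recorded baseline, so the cumulative-drift advisory cannot fire until a new baseline exists; that is the same effect as `/security mcp-baseline-reset` and should be called out as such next to the reference to it.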
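Review bot: In the README hunk, the `lethal-trifecta-walkthrough/` bullet's "5-step ... advisory firing on leg 3" reads as if the advisory fires on the third of the five steps, while the CHANGELOG entry describes it firing when the third trifecta leg (the `Bash curl POST` exfiltration) closes the trifecta; write "on the third leg (exfiltration)" or give the step number explicitly so the two do not disagree. The same bullet drops the `block`/`warn`/`off` mode that the CHANGELOG entry says the example README explains; a reader deciding whether to run it in `block` mode will want that here. In the `mcp-rug-pull/` bullet, "Cache isolated via `LLM_SECURITY_MCP_CACHE_FILE`" leaves it unclear whether the run script sets the variable or the user must; the CHANGELOG wording ("Uses ... env override to isolate the cache to a per-run tempdir") suggests the script does, so say so, because a user who exports it themselves in a real shell will reset their own baseline.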