docs(llm-security): v7.1.1 — narrative coherence patch
Documents the v7.1.1 narrative-coherence patch in CLAUDE.md (mini-block appended after the v7.0.0 paragraph) and CHANGELOG.md (new [7.1.1] section per Keep a Changelog convention, placed above [7.1.0]).

Plan: .claude/plans/ultraplan-2026-04-29-report-coherence.md
Brief: .claude/ultraplan-spec-2026-04-29-report-coherence.md

Verification gates passed:
- npm test: 1522/1522 (was 1511; +11 from new narrative test)
- node --test tests/lib/severity.test.mjs: 86/86 (co-monotonicity sweep at lines 252-303 unchanged and green)
- node --test tests/scanners/skill-scanner-narrative.test.mjs: 11/11
- Orchestrator against fixture: WARNING / 48 / 1 HIGH (HITL trap caught correctly, no whiplash)
- SARIF inline check via toSARIF import: sarif-version 2.1.0, runs: 1
- Zero remaining v1 cutoffs in agent + template

Out of scope but flagged for Batch B (deferred to v7.2.0):
- commands/scan.md:113-114 retains v1 risk formula

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent 5cfbc70472
commit b18cb329ef
2 changed files with 80 additions and 0 deletions
@ -10,6 +10,21 @@ Security scanning, auditing, and threat modeling for Claude Code projects. 5 fra
See `docs/security-hardening-guide.md` §6 for the calibration story.
**v7.1.1 — Scan-rapport narrative coherence (patch).** Three coordinated
edits address the whiplash symptom that survived v7.0.0 (numbers fixed,
narrative still walked findings back as "false positive" in prose):
(a) `agents/skill-scanner-agent.md` Step 2.5 mandates context-first
severity assignment — every signal has exactly one disposition (suppressed
OR reported), no per-finding walk-back; (b) `templates/unified-report.md`
gains a `### Narrative Audit` block in Executive Summary surfacing
`summary.narrative_audit.suppressed_findings.{count, by_category}` from
the agent's trailing JSON; (c) both files updated from stale v1
risk-formula constants to the v2 model that has been authoritative in
`severity.mjs` since v7.0.0. Counter is distinct from the existing
top-level `output.suppressed` (`.llm-security-ignore` rule integer).
Out-of-scope but flagged: `commands/scan.md:113-114` retains the v1
formula; resolution deferred to Batch B.
|
## Commands
|
| Command | Description |
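Review bot: the closing "Out-of-scope but flagged" sentence of this hunk pins a long-lived README paragraph to `commands/scan.md:113-114`, and those line numbers will silently go stale the next time scan.md is edited; reference the section or quote the formula line instead, and state what a reader who follows scan.md in the meantime gets wrong (a v1 risk score where `severity.mjs` computes v2), so the deferral to Batch B reads as an acknowledged inconsistency rather than a footnote. Same hunk, item (b): `summary.narrative_audit.suppressed_findings.{count, by_category}` is introduced without naming the category keys or saying what a non-zero count should prompt the reader of the Executive Summary to check; one sentence on each would make the new `### Narrative Audit` block actionable, and it would also make the stated distinction from `output.suppressed` (the `.llm-security-ignore` rule integer) easier to keep straight.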