chore(release): bump to v6.0.0 — CAISS-readiness release with compliance, governance, CLI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent 52d26ddb0b
commit dea17a1c11
7 changed files with 76 additions and 15 deletions
@ -4,12 +4,12 @@
*Built for my own Claude Code workflow and shared openly for anyone who finds it useful. This is a solo project — bug reports and feature requests are welcome, but pull requests are not accepted.*










A Claude Code plugin that provides security scanning, auditing, and threat modeling for agentic AI projects. Built on [OWASP LLM Top 10 (2025)](https://genai.owasp.org/llm-top-10/), [OWASP Agentic AI Top 10](https://genai.owasp.org/agentic-ai/), and the [AI Agent Traps](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438) taxonomy (Google DeepMind, 2025), with threat intelligence from ToxicSkills, ClawHavoc, MCPTox, Pillar Security, Invariant Labs, and Operant AI research.
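Review bot: the intro line's list of threat-intelligence sources (ToxicSkills, ClawHavoc, MCPTox, Pillar Security, Invariant Labs, Operant AI) is plain text while the three frameworks before it are linked, so a reader cannot check those sources or tell which are research papers and which are vendor write-ups. Suggest linking each one, and giving the AI Agent Traps citation its title and author list next to the SSRN link so the "(Google DeepMind, 2025)" attribution can be verified against the paper itself.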
@ -404,7 +404,7 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W
## Knowledge Base
9 research-backed reference files grounding all analysis in published threat intelligence:
15 research-backed reference files grounding all analysis in published threat intelligence:
| File | Scope |
|------|-------|
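Review bot: the reference-file count is hardcoded in prose ("9" becoming "15" here), which is exactly how it went stale. Suggest either dropping the number from the sentence ("Research-backed reference files grounding all analysis in published threat intelligence:") or adding a test that counts the files in the knowledge directory and compares it with the figure in the README, so the number cannot drift from the table beneath it again.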
@ -417,12 +417,38 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W
| `mitigation-matrix.md` | OWASP LLM Top 10 → Claude Code control mapping with verification checks and coverage scores |
| `top-packages.json` | Top 200 npm + top 100 PyPI package names for typosquatting detection (Levenshtein baseline) |
| `skill-registry.json` | Seed data for skill signature registry — known fingerprints and risk profiles |
| `compliance-mapping.md` | EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS — article/control mappings to plugin capabilities |
| `norwegian-context.md` | Norwegian regulatory landscape — Datatilsynet, NSM, Digitaliseringsdirektoratet guidance for AI security |
| `prompt-injection-research-2025-2026.md` | 7 research papers (2025-2026) with implications for hook defenses |
| `deepmind-agent-traps.md` | DeepMind AI Agent Traps — 6 categories, 43 techniques, coverage matrix |
| `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation |
| `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing |
> [!NOTE]
> All knowledge base content is derived from published OWASP standards and peer-reviewed security research. The knowledge files provide grounding for agent analysis — agents read relevant sections before producing findings.
---
## Compliance & Governance
v6.0.0 adds an enterprise governance layer for standards-aware security operations:
| Capability | Description |
|------------|-------------|
| **Compliance Mapping** | Maps plugin capabilities to EU AI Act (Art. 9, 15, 17), NIST AI RMF (Map, Measure, Manage, Govern), ISO 42001 (Annex A), and MITRE ATLAS techniques. Posture categories 14-16 assess compliance readiness. |
| **Norwegian Context** | Regulatory guidance from Datatilsynet (DPIA for AI), NSM (basic security principles), and Digitaliseringsdirektoratet. Relevant for Norwegian public sector AI deployments. |
| **SARIF 2.1.0 Output** | `--format sarif` flag on scan/deep-scan produces OASIS SARIF standard output for CI/CD integration (GitHub Advanced Security, Azure DevOps, SonarQube). |
| **Structured Audit Trail** | JSONL audit events (`audit-trail.mjs`) with ISO 8601 timestamps, OWASP category tags, and SIEM-ready schema. Configurable via `LLM_SECURITY_AUDIT_*` env vars. |
| **AI-BOM** | CycloneDX 1.6 Bill of Materials for AI components — models, MCP servers, plugins, knowledge files, hooks. `llm-security audit-bom <target>`. |
| **Policy-as-Code** | `.llm-security/policy.json` for distributable hook configuration. Teams can enforce consistent security thresholds without per-developer env var setup. |
| **Standalone CLI** | `npx llm-security scan <target>` — runs scanners without Claude Code. Subcommands: `scan`, `posture`, `audit-bom`, `benchmark`. |
### Benchmarks
The attack simulator (`llm-security benchmark`) tests hook defenses with 64 crafted scenarios across 12 categories. Adaptive mode (`--adaptive`) applies 5 mutation rounds per passing scenario (homoglyph substitution, encoding variations, zero-width injection, case alternation, synonym replacement).
---
## OWASP Coverage
| Category | Automated (Hooks) | Deterministic (Scanners) | Advisory (Commands) | Coverage |
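Review bot: the new Compliance & Governance table is inconsistent with itself about the CLI surface. The SARIF 2.1.0 row says `--format sarif` is a flag on scan/deep-scan, but the Standalone CLI row lists only `scan`, `posture`, `audit-bom` and `benchmark`; state whether deep-scan is a CLI subcommand or the Claude Code command, and which of the two accepts the flag. The Benchmarks paragraph invokes `llm-security benchmark` as a subcommand, which should be reconciled with the `--benchmark` flag wording used in the changelog row of this same commit. Two smaller points: the Structured Audit Trail row says configuration is via `LLM_SECURITY_AUDIT_*` env vars while the Policy-as-Code row promises no per-developer env var setup, so say whether `.llm-security/policy.json` also carries the audit settings; and with `compliance-mapping.md` and `norwegian-context.md` (regulatory guidance, not research) now in the table, the unchanged note's claim that all knowledge base content is "peer-reviewed security research" no longer holds; "published standards, regulatory guidance and security research" would be accurate.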
@ -730,6 +756,7 @@ This plugin provides full-stack security hardening (static analysis + supply cha
| Version | Date | Highlights |
|---------|------|------------|
| **6.0.0** | 2026-04-10 | **CAISS-readiness release.** Enterprise compliance and governance layer: compliance mapping (EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS), Norwegian regulatory context (Datatilsynet, NSM, Digitaliseringsdirektoratet), SARIF 2.1.0 output format (`--format sarif`), structured JSONL audit trail (`audit-trail.mjs`), AI-BOM generator (CycloneDX 1.6), policy-as-code (`.llm-security/policy.json`), standalone CLI (`bin/llm-security.mjs` — `npx llm-security scan`). Posture scanner expanded to 16 categories (+EU AI Act, NIST AI RMF, ISO 42001). Attack simulator benchmark mode (`--benchmark`). 15 knowledge docs, 16 scanners, 1242+ tests. |
| **5.1.0** | 2026-04-07 | **Sandboxed remote cloning.** Defense-in-depth for `git clone` attack surface: (1) 8 git config flags disable hooks, symlinks, filter/smudge drivers, fsmonitor, local file protocol; 4 env vars isolate from system/user config. (2) OS sandbox: macOS `sandbox-exec` + Linux `bubblewrap` restrict file writes to only the clone temp dir. Graceful fallback on Windows (git config only). Post-clone size check (100MB max). UUID-unique evidence filenames prevent race conditions. Cleanup guarantee in scan/plugin-audit commands. 1147 tests (was 1115). |
| **5.0.0** | 2026-04-06 | **Prompt Injection Hardening (v5.0).** 8-session defense-in-depth overhaul driven by 7 research papers (2025-2026). MEDIUM advisory for obfuscation signals (leetspeak, homoglyphs, zero-width, multi-language). Unicode Tag steganography detection (U+E0000-E007F). Bash expansion normalization (`bash-normalize.mjs`). Rule of Two enforcement (configurable `LLM_SECURITY_TRIFECTA_MODE=block\|warn\|off`). 100-call long-horizon monitoring window with slow-burn trifecta detection. Behavioral drift via Jensen-Shannon divergence. HITL trap detection (approval urgency, summary suppression, scope minimization). Sub-agent delegation tracking (escalation-after-input advisory). NL indirection patterns. Hybrid attacks (P2SQL, recursive injection, XSS-in-agent). CaMeL-inspired data flow tagging (SHA-256 provenance, output-to-input linking). Adaptive red-team (5 mutation rounds per scenario: homoglyph, encoding, zero-width, case alternation, synonym). Knowledge base expanded: `prompt-injection-research-2025-2026.md`, `deepmind-agent-traps.md`, `attack-mutations.json`. Posture scanner expanded to 13 categories (+Prompt Injection Hardening, Rule of Two, Long-Horizon Monitoring). Defense Philosophy section documenting honest limitations. 1115 tests. |
| **4.5.1** | 2026-04-04 | **Cross-platform support.** Windows/Linux compatibility: `fileURLToPath()`, `path.dirname()`, native `fetch()` replaces `curl` subprocess, fixed tilde expansion regex. 11 files, 782 tests pass. |
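Review bot: the 6.0.0 row gives the test count as "1242+" while every other row states an exact figure (1147, 1115, 782); put in the exact number from the release test run, as the earlier rows do. The same row calls the attack simulator's benchmark a `--benchmark` mode, whereas the Benchmarks section added in this commit invokes it as the `llm-security benchmark` subcommand; use one form in both places. The row also claims "15 knowledge docs" and "16 scanners", so the Knowledge Base table and the scanner list should each be counted against those figures before merging, since the knowledge-file count in the prose above had already drifted once.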