ktg-plugin-marketplace

open/ktg-plugin-marketplace

Fork 0

Commit graph

Author	SHA1	Message	Date
Kjell Tore Guttormsen	8d8d4e7002	feat(red-team): 8 new evasion-arsenal scenarios for v7.2.0 (E1/E4/E5/E7/E16/E17) Adds attack-simulator coverage for the new defenses landed earlier in Batch B. All eight scenarios pass against the current hooks (72/72, zero gaps). E15 (memory-poisoning glob) and E18 (entropy markdown-image CDN allowlist) are scanner-only and have unit/integration coverage in their respective scanner test files. unicode-evasion (pre-prompt-inject-scan): UNI-007 E1 PUA-A range hidden Unicode → HIGH advisory UNI-008 E1 PUA-B range hidden Unicode → HIGH advisory UNI-009 E16 Greek-Latin homoglyph fold → CRITICAL block mcp-output (post-mcp-verify): MCP-005 E4 Markdown link-title injection → markdown-link-title-injection MCP-006 E5 SVG <desc> injection → svg-element-injection MCP-007 E5 SVG <foreignObject> injection → svg-element-injection MCP-008 E7 HTML comment-node injection (no marker) → html-comment-injection session-trifecta (post-session-guard): TRI-004 E17 Escalation-after-input (WebFetch → Task) → escalation-after-input advisory Payload helpers `buildPuaAPayload` / `buildPuaBPayload` shift each character into Supplementary Private Use Area-A / -B respectively. The Greek-fold payload uses Greek ι (U+03B9 → i) and ο (U+03BF → o) so foldHomoglyphs reproduces the canonical "ignore previous instructions" CRITICAL pattern. Total: 64 → 72 scenarios. Refs: Batch B Wave 6 / Step 14 / v7.2.0	2026-04-29 15:35:32 +02:00
Kjell Tore Guttormsen	6073952b97	fix(injection): E16 ASCII fast-path + UNI-003 expectation update (v7.2.0) Two follow-up fixes after E16 + E17 landed: 1. foldHomoglyphs ASCII fast-path - scanForInjection calls foldHomoglyphs on every scan (raw + normalized). - Pre-fix: NFKC normalization runs unconditionally, even on pure ASCII inputs where it's a no-op. - Result: benchmark.test.mjs timed out at 120s on the full suite. - Fix: charCodeAt sweep for >=128, short-circuit return s when all ASCII. NFKC and HOMOGLYPH_MAP iteration only run when non-ASCII chars are present (the actual attack case). - Verified: benchmark.test.mjs passes within timeout. 2. Attack-scenario UNI-003 expectation - Pre-E16: "Homoglyph Cyrillic-Latin mixing" payload triggered only a MEDIUM "obfuscation present" advisory (exit 0, stdout match "MEDIUM"). - Post-E16: the same payload is folded to Latin BEFORE pattern matching, so it now matches CRITICAL "ignore previous instructions" and blocks (exit 2). - This is the intended v7.2.0 behavior — not a regression. Updated expectation: exit_code 2, stdout_match "block". Renamed scenario to "now blocked via E16 fold, v7.2.0". Suite: pre-compact-scan flake remains (perf-budget under load, passes isolated). All other tests green.	2026-04-29 14:44:41 +02:00
Kjell Tore Guttormsen	f93d6abdae	feat: initial open marketplace with llm-security, config-audit, ultraplan-local	2026-04-06 18:47:49 +02:00

Author

SHA1

Message

Date

Kjell Tore Guttormsen

8d8d4e7002

feat(red-team): 8 new evasion-arsenal scenarios for v7.2.0 (E1/E4/E5/E7/E16/E17)

Adds attack-simulator coverage for the new defenses landed earlier in
Batch B. All eight scenarios pass against the current hooks (72/72,
zero gaps). E15 (memory-poisoning glob) and E18 (entropy markdown-image
CDN allowlist) are scanner-only and have unit/integration coverage in
their respective scanner test files.

  unicode-evasion (pre-prompt-inject-scan):
    UNI-007  E1  PUA-A range hidden Unicode               → HIGH advisory
    UNI-008  E1  PUA-B range hidden Unicode               → HIGH advisory
    UNI-009  E16 Greek-Latin homoglyph fold               → CRITICAL block

  mcp-output (post-mcp-verify):
    MCP-005  E4  Markdown link-title injection            → markdown-link-title-injection
    MCP-006  E5  SVG <desc> injection                     → svg-element-injection
    MCP-007  E5  SVG <foreignObject> injection            → svg-element-injection
    MCP-008  E7  HTML comment-node injection (no marker)  → html-comment-injection

  session-trifecta (post-session-guard):
    TRI-004  E17 Escalation-after-input (WebFetch → Task) → escalation-after-input advisory

Payload helpers `buildPuaAPayload` / `buildPuaBPayload` shift each
character into Supplementary Private Use Area-A / -B respectively.
The Greek-fold payload uses Greek ι (U+03B9 → i) and ο (U+03BF → o)
so foldHomoglyphs reproduces the canonical "ignore previous
instructions" CRITICAL pattern.

Total: 64 → 72 scenarios.

Refs: Batch B Wave 6 / Step 14 / v7.2.0

2026-04-29 15:35:32 +02:00

Kjell Tore Guttormsen

6073952b97

fix(injection): E16 ASCII fast-path + UNI-003 expectation update (v7.2.0)

Two follow-up fixes after E16 + E17 landed:

1. foldHomoglyphs ASCII fast-path
   - scanForInjection calls foldHomoglyphs on every scan (raw + normalized).
   - Pre-fix: NFKC normalization runs unconditionally, even on pure
     ASCII inputs where it's a no-op.
   - Result: benchmark.test.mjs timed out at 120s on the full suite.
   - Fix: charCodeAt sweep for >=128, short-circuit return s when
     all ASCII. NFKC and HOMOGLYPH_MAP iteration only run when
     non-ASCII chars are present (the actual attack case).
   - Verified: benchmark.test.mjs passes within timeout.

2. Attack-scenario UNI-003 expectation
   - Pre-E16: "Homoglyph Cyrillic-Latin mixing" payload triggered only
     a MEDIUM "obfuscation present" advisory (exit 0, stdout match
     "MEDIUM").
   - Post-E16: the same payload is folded to Latin BEFORE pattern
     matching, so it now matches CRITICAL "ignore previous instructions"
     and blocks (exit 2).
   - This is the intended v7.2.0 behavior — not a regression. Updated
     expectation: exit_code 2, stdout_match "block". Renamed scenario
     to "now blocked via E16 fold, v7.2.0".

Suite: pre-compact-scan flake remains (perf-budget under load,
passes isolated). All other tests green.

2026-04-29 14:44:41 +02:00

Kjell Tore Guttormsen

f93d6abdae

feat: initial open marketplace with llm-security, config-audit, ultraplan-local

2026-04-06 18:47:49 +02:00

3 commits