ktg-plugin-marketplace

open/ktg-plugin-marketplace

Fork 0

Commit graph

Author	SHA1	Message	Date
Kjell Tore Guttormsen	ad86f5031a	feat(pre-install-supply-chain): E13 — npm scope-hopping MEDIUM advisory with allowlist Adds a scope-hopping detector to the npm install gate. When a user installs `@<scope>/<unscoped>`, the hook now emits a MEDIUM warning on stderr (exit 0, never blocks) if: - `<unscoped>` matches a popular npm package (POPULAR_NPM, ~80 names from knowledge/top-packages.json), AND - `<scope>` is not on NPM_OFFICIAL_SCOPES (built-in 22 entries) or on policy.json `supply_chain.allowed_scopes`. Why: an attacker publishing `@evilcorp/lodash` cannot squat the bare `lodash` name, but they can register an unrelated scope and rely on typo or copy-paste to trick installs. NPM_OFFICIAL_SCOPES anchors the known-good scopes (@types, @reduxjs, @nestjs, …) so legitimate installs stay silent. Implementation: - `scanners/lib/supply-chain-data.mjs`: exports POPULAR_NPM, NPM_OFFICIAL_SCOPES, and `checkScopeHop(name, extraAllowedScopes)` — pure function, no policy/network dependency, fully unit-testable. - `knowledge/typosquat-allowlist.json`: mirrors NPM_OFFICIAL_SCOPES as `npm_official_scopes`. A doc-consistency assertion ensures the two lists never drift. - `hooks/scripts/pre-install-supply-chain.mjs`: imports checkScopeHop, reads `supply_chain.allowed_scopes` from policy, and pushes a warning before existing compromised/audit checks. Tests: - 9 new cases in tests/hooks/pre-install-supply-chain.test.mjs: TP @evilcorp/lodash, TP @attacker/express, allowlist @types, allowlist @reduxjs, allowlist @modelcontextprotocol, FP unscoped name not in top-100, bare unscoped name, policy override, defensive non-string input, NPM_OFFICIAL_SCOPES <-> typosquat-allowlist.json consistency.	2026-04-30 15:38:28 +02:00
Kjell Tore Guttormsen	8ec320f40c	feat(governance): add policy-as-code — .llm-security/policy.json for distributable hook configuration New policy-loader.mjs reads .llm-security/policy.json with deep-merge against defaults that exactly match existing hardcoded values. Integrated into all 7 hooks: - pre-prompt-inject-scan: injection.mode (env var still takes precedence) - post-session-guard: trifecta.mode, window_size, long_horizon_window - pre-edit-secrets: secrets.additional_patterns - pre-bash-destructive: destructive.additional_blocked - pre-write-pathguard: pathguard.additional_protected - pre-install-supply-chain: supply_chain.additional_blocked_packages - post-mcp-verify: mcp.volume_threshold_bytes, mcp.trusted_servers Backward compatible: no policy file = identical behavior to v5.1.0. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-10 13:37:02 +02:00
Kjell Tore Guttormsen	f93d6abdae	feat: initial open marketplace with llm-security, config-audit, ultraplan-local	2026-04-06 18:47:49 +02:00

Author

SHA1

Message

Date

Kjell Tore Guttormsen

ad86f5031a

feat(pre-install-supply-chain): E13 — npm scope-hopping MEDIUM advisory with allowlist

Adds a scope-hopping detector to the npm install gate. When a user
installs `@<scope>/<unscoped>`, the hook now emits a MEDIUM warning
on stderr (exit 0, never blocks) if:
  - `<unscoped>` matches a popular npm package (POPULAR_NPM, ~80
    names from knowledge/top-packages.json), AND
  - `<scope>` is not on NPM_OFFICIAL_SCOPES (built-in 22 entries) or
    on policy.json `supply_chain.allowed_scopes`.

Why: an attacker publishing `@evilcorp/lodash` cannot squat the bare
`lodash` name, but they can register an unrelated scope and rely on
typo or copy-paste to trick installs. NPM_OFFICIAL_SCOPES anchors the
known-good scopes (@types, @reduxjs, @nestjs, …) so legitimate
installs stay silent.

Implementation:
- `scanners/lib/supply-chain-data.mjs`: exports POPULAR_NPM,
  NPM_OFFICIAL_SCOPES, and `checkScopeHop(name, extraAllowedScopes)` —
  pure function, no policy/network dependency, fully unit-testable.
- `knowledge/typosquat-allowlist.json`: mirrors NPM_OFFICIAL_SCOPES as
  `npm_official_scopes`. A doc-consistency assertion ensures the two
  lists never drift.
- `hooks/scripts/pre-install-supply-chain.mjs`: imports checkScopeHop,
  reads `supply_chain.allowed_scopes` from policy, and pushes a
  warning before existing compromised/audit checks.

Tests:
- 9 new cases in tests/hooks/pre-install-supply-chain.test.mjs:
  TP @evilcorp/lodash, TP @attacker/express, allowlist @types,
  allowlist @reduxjs, allowlist @modelcontextprotocol, FP unscoped
  name not in top-100, bare unscoped name, policy override, defensive
  non-string input, NPM_OFFICIAL_SCOPES <-> typosquat-allowlist.json
  consistency.

2026-04-30 15:38:28 +02:00

Kjell Tore Guttormsen

8ec320f40c

feat(governance): add policy-as-code — .llm-security/policy.json for distributable hook configuration

New policy-loader.mjs reads .llm-security/policy.json with deep-merge against
defaults that exactly match existing hardcoded values. Integrated into all 7 hooks:
- pre-prompt-inject-scan: injection.mode (env var still takes precedence)
- post-session-guard: trifecta.mode, window_size, long_horizon_window
- pre-edit-secrets: secrets.additional_patterns
- pre-bash-destructive: destructive.additional_blocked
- pre-write-pathguard: pathguard.additional_protected
- pre-install-supply-chain: supply_chain.additional_blocked_packages
- post-mcp-verify: mcp.volume_threshold_bytes, mcp.trusted_servers

Backward compatible: no policy file = identical behavior to v5.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-10 13:37:02 +02:00

Kjell Tore Guttormsen

f93d6abdae

feat: initial open marketplace with llm-security, config-audit, ultraplan-local

2026-04-06 18:47:49 +02:00

3 commits