Commit graph

3 commits

Author SHA1 Message Date
Kjell Tore Guttormsen
a9e377570c feat(llm-security): v7.0.0 commit 3 — policy-driven entropy thresholds
Adds entropy section to DEFAULT_POLICY and wires it into entropy-scanner.
Users can now tune false-positive tradeoffs without forking the scanner.

Policy shape (.llm-security/policy.json):
  entropy:
    thresholds.{critical,high,medium}.{entropy,minLen}  — numeric overrides
    suppress_extensions[]                               — additive ext skip
    suppress_line_patterns[]                            — additional regex
    suppress_paths[]                                    — relPath substrings

Wiring: entropy-scanner calls loadPolicy(targetPath) at scan entry (not
orchestrator-passed — avoids signature churn across 10 scanners). Module-
level state is reset per scan invocation. Scanner envelope now includes
calibration.{policy_source, thresholds, files_skipped_by_*} for
synthesizer transparency (Commit 5).

Malformed user regex silently skipped. Missing policy.json → built-in
defaults (backwards-compatible).

entropy.test.mjs: 9/9 still green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 22:02:52 +02:00
Kjell Tore Guttormsen
2c33e9cc64 feat(ci): add CI/CD integration — --fail-on, --compact, pipeline templates
Add threshold-based exit codes (--fail-on <severity>) and compact
output mode (--compact) to scan-orchestrator and CLI. Pipeline
templates for GitHub Actions, Azure DevOps, GitLab CI with SARIF
upload. CI/CD guide with Schrems II/NSM compliance documentation.
npm publish preparation (files whitelist, .npmignore). Policy ci
section for distributable CI defaults. Version 6.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 14:59:05 +02:00
Kjell Tore Guttormsen
8ec320f40c feat(governance): add policy-as-code — .llm-security/policy.json for distributable hook configuration
New policy-loader.mjs reads .llm-security/policy.json with deep-merge against
defaults that exactly match existing hardcoded values. Integrated into all 7 hooks:
- pre-prompt-inject-scan: injection.mode (env var still takes precedence)
- post-session-guard: trifecta.mode, window_size, long_horizon_window
- pre-edit-secrets: secrets.additional_patterns
- pre-bash-destructive: destructive.additional_blocked
- pre-write-pathguard: pathguard.additional_protected
- pre-install-supply-chain: supply_chain.additional_blocked_packages
- post-mcp-verify: mcp.volume_threshold_bytes, mcp.trusted_servers

Backward compatible: no policy file = identical behavior to v5.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 13:37:02 +02:00
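
The policy handling described in commits 8ec320f40c (deep-merge against defaults) and a9e377570c (entropy thresholds, additive suppress lists, malformed regex skipped), sketched as an added example that is not the project's own code. The default values, the function names and the `regex_skipped` counter are assumptions made for illustration; the commits do not show them.

```javascript
// Added example. DEFAULTS are assumed values, not the project's real thresholds.
const DEFAULTS = {
  thresholds: {
    critical: { entropy: 5.0, minLen: 64 },
    high: { entropy: 4.5, minLen: 32 },
    medium: { entropy: 4.0, minLen: 20 },
  },
  suppress_extensions: ['.lock'],
  suppress_paths: [],
};
const strings = (v) => (Array.isArray(v) ? v.filter((x) => typeof x === 'string' && x) : []);
// Walk known keys only, so unknown keys in parsed JSON ("__proto__" included) are ignored.
function mergeEntropyPolicy(user) {
  const u = user && typeof user === 'object' ? user : {};
  const out = { thresholds: {}, suppress_line_patterns: [], regex_skipped: 0 };
  for (const [sev, d] of Object.entries(DEFAULTS.thresholds)) {
    const o = (u.thresholds && u.thresholds[sev]) || {};
    out.thresholds[sev] = { // wrong-typed overrides fall back to the default
      entropy: Number.isFinite(o.entropy) ? o.entropy : d.entropy,
      minLen: Number.isInteger(o.minLen) && o.minLen > 0 ? o.minLen : d.minLen,
    };
  }
  for (const k of ['suppress_extensions', 'suppress_paths']) {
    out[k] = [...DEFAULTS[k], ...strings(u[k])]; // additive: defaults are never dropped
  }
  for (const src of strings(u.suppress_line_patterns)) {
    try { out.suppress_line_patterns.push(new RegExp(src)); }
    catch { out.regex_skipped += 1; } // skip malformed regex, but keep a count
  }
  return out;
}
function shannonEntropy(s) {
  const counts = new Map();
  for (let i = 0; i < s.length; i++) counts.set(s[i], (counts.get(s[i]) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / s.length) * Math.log2(c / s.length);
  return h;
}
function classify(token, relPath, line, policy) {
  const skip = policy.suppress_extensions.some((e) => relPath.endsWith(e))
    || policy.suppress_paths.some((p) => relPath.includes(p))
    || policy.suppress_line_patterns.some((re) => re.test(line));
  if (skip) return 'skipped';
  const h = shannonEntropy(token);
  for (const sev of ['critical', 'high', 'medium']) {
    const t = policy.thresholds[sev];
    if (token.length >= t.minLen && h >= t.entropy) return sev;
  }
  return 'none';
}
```

Empty strings are dropped from the suppress lists because an empty `suppress_paths` entry or line pattern matches everything and would disable the scanner without any visible error. Counting skipped patterns gives the scan output a way to show that a suppression the policy author expected is not in effect.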