# Changelog All notable changes to the LLM Security Plugin are documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ## [Unreleased] ## [7.7.2] - 2026-05-19 Language consistency pass. Norwegian had crept into surface text across v7.5-v7.7. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), surface text was translated to English. No scanner, hook, or behavior changes — purely surface text. ### Changed - **18 skill commands `commands/*.md`** — the "HTML Report"-step appended by each `/security ` flow now reads `> **HTML report:** [Open in browser](file:///abs/path.html)` (previously Norwegian). - **CLI canonical module `scripts/lib/report-renderers.mjs`** — translated KEY_STATS_CONFIG labels (`TOTALT` → `TOTAL`, `KRITISK` → `CRITICAL`, `HØY` → `HIGH`, `FUNN` → `FINDINGS`, `PROSJEKTER` → `PROJECTS`, `MASKINKLASSE` → `MACHINE GRADE`, `SVAKEST` → `WEAKEST`, `NÅ-GRADE` → `CURRENT GRADE`, `AKSJONER` → `ACTIONS`, `MODUS` → `MODE`), the 5-step maturity ladder descriptions, the suppressed-group desc, 4 table-header sets, the 6 renderer `lede` defaults (plugin-audit, mcp-audit, harden, diff, watch, clean), the action tier labels (Umiddelbar/Høy prioritet/Medium prioritet → Immediate/High priority/ Medium priority), the clean buckets, and the dry-run/apply text. JS comments translated for consistency. Preserved the regex alternations `/^high|^høy/` and `/resolution|løsning/i` — they intentionally match Norwegian-language report markdown. - **Playground `playground/llm-security-playground.html`** — the same display strings as the canonical module (kept bit-identical), plus playground-specific UI text: catalog row labels, search placeholder, breadcrumb aria-label, theme-toggle labels, primary nav aria-label, builder-modal hints, "no projects yet" guide-panel, delete-project confirmation, alert/copy-confirm strings, and the field-from-tag "felles" pill (now "shared"). The hardcoded `Plugin v7.7.1` in `renderHome` bumped to `Plugin v7.7.2`, and `prosjekter`/`kommandoer` there became `projects`/`commands`. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex tokens were preserved. - **Agent prompts `agents/skill-scanner-agent.md` + `agents/mcp-scanner-agent.md`** — translated the `Generaliseringsgrense` and `Parallell Read-strategi` sections (identical content in both files) to `Generalization boundary` and `Parallel Read strategy`. - **`README.md`** — translated the Recent versions table rows for v7.5.0 → v7.7.1 and the playground architecture prose (L495-553). Version badge bumped to 7.7.2. - **`CLAUDE.md`** — translated the v7.7.1 highlights paragraph and added a new v7.7.2 highlights paragraph. Header and "release notes" sentinel bumped to v7.7.2. - **Marketplace root `../../README.md`** — translated the v7.5.0 → v7.7.1 llm-security bullet entries (lines 39-43). Version label in the header bumped to v7.7.2. The voyage and ms-ai-architect entries on lines 90-91 / 192-197 were not touched (strict plugin scope). - **Marketplace root `../../CLAUDE.md`** — translated the llm-security catalog entry on line 13 and bumped its version to v7.7.2. - **`docs/scanner-reference.md`** — translated the six runnable-examples table cells (L114-122) and the surrounding paragraph. - **`docs/version-history.md`** — added a v7.7.2 entry describing this pass. The v7.5.0 → v7.7.1 narrative sections retain the Norwegian they were written in (deferred per operator decision). - **`package.json` + `.claude-plugin/plugin.json`** — version 7.7.1 → 7.7.2. ### Preserved (intentional Norwegian) - Demo-state `dft-komplett-demo` JSON `description`, `system_description`, and parsed-data `"label": "HØY"` / `"label": "NÅ-GRADE"` entries — intentional Norwegian persona for the public-sector reference scenario. - Regex alternations `/^high|^høy/` and `/resolution|løsning/i` in both the canonical renderer and the playground inline copy — they let reports written in Norwegian still parse and route correctly. - `knowledge/norwegian-context.md` and other knowledge files — out of scope. - The v7.5.0 → v7.7.1 entries in CHANGELOG.md and `docs/version-history.md` remain in the language they were written in; rewriting historical release notes was deferred. - `REMEMBER.md`, `TODO.md`, `ROADMAP.md`, `*.local.md`, commit messages, test fixtures, and the `playground/A11Y-RAPPORT.md` artifact. ## [7.7.1] - 2026-05-18 Playground UX-strip etter v7.7.0-operatør-feedback. Hjem-overflaten ledet med prosjekter (Re-onboard / Nytt prosjekt / Command-katalog) — katalog var tredje kort, sekundært bak prosjekt-tracks. Operatør ba om å fjerne onboarding + prosjekter og beholde katalog ("Vi legger til funksjonalitet senere"). Ingen scanner- eller hook-atferdsendringer. ### Changed - **Playground routing — katalog som eneste levende overflate.** `renderActive()` tvinger alltid `activeSurface` til `'catalog'`. `renderOnboardingSurface`/`renderHomeSurface`/`renderProjectSurface`- funksjonene er bevart i kildekoden, men ikke rutbare før funksjonalitet legges til igjen. Init-default endret fra `'home'` til `'catalog'`, også for migrerte states fra IndexedDB. - **Playground topbar — Hjem + Re-onboard-knappene fjernet.** Bare `Katalog`-knappen beholdt i primær navigasjon, sammen med Eksporter/Importer + tema-toggle. Project-state forblir i IndexedDB men ingen UI-vei dit. - **Playground topbar breadcrumb — orgName erstattet med `llm-security`.** Etter at onboarding ble fjernet fra routing var `shared.organization.name` (demo-state) fortsatt synlig i toppen ("Direktoratet for digital tjenesteutvikling · Katalog"). Erstattet med statisk `llm-security · Katalog` som nøytralt scope-anker. ### Fixed - **Hardkodet versjons-streng i `renderHome`.** v7.7.0-versjonsbumpen fanget ikke `'Plugin v7.6.1'` på linje 6933 i `llm-security-playground.html` (template-string-litteral, ikke matching regex-mønster). Bumpet til v7.7.1. ### Notes - v7.7.1 bumpet kun versjons-strenger i 7 filer (`package.json`, `.claude-plugin/plugin.json`, plugin `README.md` badge + Recent versions-tabell, plugin `CLAUDE.md` header + state-seksjon, `docs/version-history.md`, `playground/llm-security-playground.html`, rot `README.md` plugin-entry, rot `CLAUDE.md` plugin-katalog). - Onboarding-konseptet er nå dokumentert som v7.8.0-kandidat (per-kommando kontekst-injeksjon) i ROADMAP.md. ## [7.7.0] - 2026-05-18 HTML-rapport for alle 18 skill-kommandoer som produserer rapport. Hver `/security ` printer nå en klikkbar `file://`-lenke til en self-contained HTML-versjon. Levert over fem sesjoner (UX-arbeid + renderer-extract + CLI + skill-wiring + release). Ingen scanner- eller hook-atferdsendringer — purely additive surface. ### Added - **Playground katalog list-view + builder-pane** (sesjon 1, `0dc7ff4`). Katalog-overflaten fikk list-view (grid-toggle) + builder-pane med copy-knapp på alle 18 rapporter, så onboarding-flytene blir bredere og dypere uten å forlate playground-modusen. - **Playground prosjekt-surface opprydding** (sesjon 2, `86d6ecd`). Stub-screen-håndtering (rapport ikke ferdig parsed → tydelig placeholder i stedet for tom panel), topbar-splitt (navigasjons- trinn vs. eksport-handlinger), generell DS-justering for prosjekt- overflate. - **`scripts/lib/report-renderers.mjs`** (sesjon 3, `fa5fb48`). De 18 inline parserne + 18 inline rendererne i playground-HTML-fila flyttet til canonical ESM-modul. Ren overflate: `import { PARSERS, RENDERERS } from './lib/report-renderers.mjs'`. Playground beholder bit-identisk inline-kopi (ESM `import` fungerer ikke fra `file://` uten Chrome/Firefox-flags). Canonical kilde + playground inline = to overflater, samme atferd. - **`scripts/render-report.mjs` CLI** (sesjon 4, `db80854`). Zero-dep Node-CLI som tar `commandId` + `--in`/`--out`-flags og konverterer markdown-rapporter til self-contained HTML. Stdin/file/stdout-modus, kebab→camel commandId-routing (alle 18 PARSERS fungerer automatisk uten hardkoding). Output inliner 6 DS-stylesheets (`tokens`, `base`, `components`, `tier2`, `tier3`, `tier3-supplement`) + lokal `.report-table`-CSS. ~140 KB self-contained HTML; fonter ikke inlined (ville blåst opp 7x til ~1 MB), `tokens.css` har `-apple-system, BlinkMacSystemFont, system-ui` som fallback. Absolutte `file://`-paths i stdout for Ghostty cmd-click. Default output `reports/-.html` relativt til CWD. - **HTML-rapport for alle 18 skill-kommandoer** (sesjon 4-5). Sesjon 4 wired 4 skills (`scan`, `audit`, `posture`, `deep-scan`). Sesjon 5 wired de 14 resterende (`plugin-audit`, `mcp-audit`, `mcp-inspect`, `ide-scan`, `supply-check`, `dashboard`, `pre-deploy`, `diff`, `watch`, `registry`, `clean`, `harden`, `threat-model`, `red-team`). Hver skill-fil har en avsluttende "HTML Report"-step som instruerer Claude å (1) compute temp md-path, (2) Write hele markdown-rapporten verbatim, (3) kjøre CLI, (4) appende `> **HTML-rapport:** [Åpne i nettleser](file:///abs/sti.html)` til respons. ### Changed - Playground beholder inline-kopi av parserne og rendererne for å forbli single-file `file://`-distribuerbar — ESM `import` fungerer ikke fra `file://`-URLs uten Chrome/Firefox-flags. Canonical kilden i `scripts/lib/report-renderers.mjs` og playground inline-kopien er bit-identisk per release. ### Notes - Pre-existing `pre-compact-scan`-perf-flake (1000 ms terskel under last) gjenstår — defer til v7.7.x patch. - Sync-test mellom `scripts/lib/report-renderers.mjs` og playground inline-kopi planlagt som v7.7.x patch (krever scope-utvidelse til `tests/`). ## [7.6.1] - 2026-05-06 Playground v7.6.0 visuell-patch. Seks bugs fanget under maintainer- verifisering i nettleser; alle skyldes mismatch mellom DS-klasser og hvordan playground-rendrere brukte dem (eller manglende DS-implementasjoner av klasser playground-rendrere antok eksisterte). Ingen scanner- eller hook-behavior-changes. ### Fixed - **`renderFindingsBlock` brukte `.findings` outer-class** som DS har som 2-kolonners grid (`grid-template-columns: 360px 1fr`) for list+detail- panel-layout. Resultat: findings-headeren havnet i venstre 360px- kolonne og items i 1fr-kolonnen, brutt layout i alle 18 rapporter med findings. Erstattet med `

` + `

` + `findingslist > findingsgroup > findingsgroup-header + findingsitems` (korrekt DS-mønster). - `.report-table` mangler i DS men brukes i 7+ rendrere (OWASP- kategorier, Supply chain, Scanner Risk Matrix, Plugin-meta, Permission- matrise, Live-meter, Siste runs, Godkjenninger, Mitigation roadmap). Lagt lokal CSS-implementasjon i playground-HTML `