docs(brief): add MS AI Security plugin as second consumer; source-trust disposition
Second target consumer named: MS AI Security plugin, an ingestion pipeline over Microsoft Learn content that includes user-generated Q&A (learn.microsoft.com/answers, plus ingested MSDN/Stack Overflow). This is the high-untrust case where the contract is load-bearing, not hygiene. New design principle 4.7: disposition scales with source trust (pinned changelog = WARN; open UGC = quarantine/hard-fail on high severity). Day-1 rationale: architectural controls are cheap to design in, expensive to retrofit (consumer 1 is proving that at its A13). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01HPAmFyEVWbwvmSNVdXTu4d
This commit is contained in:
parent
b505f70485
commit
41473d9db2
1 changed files with 39 additions and 5 deletions
|
|
@ -91,6 +91,16 @@ bearing part. The brief must lead with the contract, not the regex.
|
|||
6. **Fail-secure under compound signals.** Injection-scan hit *and* a transform
|
||||
failure is treated as a probable forced-fallback attack: halt + alert, never
|
||||
an auto-committed verbatim entry.
|
||||
7. **Disposition scales with source trust.** The *same* lexicon should not carry
|
||||
the *same* disposition for every source. A pinned, reputable, single-author
|
||||
source (an official changelog) warrants **WARN** — false positives from
|
||||
legitimate security vocabulary dominate the real signal. An open,
|
||||
user-generated source (a community Q&A forum, scraped web) warrants
|
||||
**QUARANTINE_REVIEW or hard-fail on high-severity hits** — a random
|
||||
contributor emitting a spoofed `<system>` block is not "legitimately
|
||||
discussing injection," and the cost of over-blocking one forum post is far
|
||||
lower than publishing a poisoned one. Source trust level is therefore a
|
||||
first-class input to the disposition policy, not a global constant.
|
||||
|
||||
## 5. Proposed module layout
|
||||
|
||||
|
|
@ -212,16 +222,40 @@ packages the full write-time contract as minimal-dependency code. The search
|
|||
found no such library, but absence of evidence is not proof; a focused survey of
|
||||
PyPI + GitHub topics should confirm before the README makes a novelty claim.
|
||||
|
||||
## 12. Reference implementation
|
||||
## 12. Reference implementation and target consumers
|
||||
|
||||
The contract in §6 is not hypothetical — it is extracted from a working pipeline:
|
||||
the `claude-code-llm-wiki` Stage B enrichment path (`tools/wiki_ingest/`),
|
||||
which already implements sanitize + spotlight-fence + tool-less quarantined SDK
|
||||
call + per-stage credential isolation + schema-validated output + fail-secure
|
||||
`ForcedFallbackHalt`. That pipeline is the reference implementation and the first
|
||||
consumer; this repo generalizes its pattern for reuse. The semantic lexicon seed
|
||||
is the `injection-patterns.mjs` table from the `llm-security` plugin (a pure
|
||||
regex+label+severity dataset, portable as data).
|
||||
`ForcedFallbackHalt`. That pipeline is the reference implementation. The semantic
|
||||
lexicon seed is the `injection-patterns.mjs` table from the `llm-security` plugin
|
||||
(a pure regex+label+severity dataset, portable as data).
|
||||
|
||||
**Target consumers (the reason the library exists):**
|
||||
|
||||
1. **`claude-code-llm-wiki`** — low-untrust source (a pinned, reputable
|
||||
Anthropic changelog). Here the contract is *defense-in-depth hygiene*; the
|
||||
architectural controls already close the severe outcomes, and the lexicon runs
|
||||
at WARN. This consumer is *retrofitting* the output-side widening late (at its
|
||||
A13), which is precisely the cost this library exists to avoid for the next one.
|
||||
2. **MS AI Security plugin** — a heavier ingestion pipeline over **Microsoft
|
||||
Learn** content, which includes genuine **user-generated content**: Microsoft
|
||||
Q&A (`learn.microsoft.com/answers`) is open-contribution, and its knowledge
|
||||
base ingests MSDN Forums and Stack Overflow. This is the *high-untrust* end,
|
||||
where the contract is **load-bearing, not hygiene**, and disposition (§4.7)
|
||||
should default stricter (QUARANTINE_REVIEW / hard-fail on high-severity).
|
||||
*(Disk note: not yet a separate repo; the related existing plugin is
|
||||
`ktg-plugin-marketplace/ms-ai-architect`. Name/repo to be reconciled.)*
|
||||
|
||||
**Why day-1, not retrofit.** The load-bearing parts of the contract are
|
||||
architectural — tool-less quarantine, per-stage credential isolation,
|
||||
output-scan-before-persist, fail-secure disposition. These are cheap to design in
|
||||
and expensive to bolt on after a pipeline exists (consumer 1 is proving that).
|
||||
Adopting the library from day 1 means the *high-untrust* consumer (2) inherits a
|
||||
correct, calibrated contract for free instead of discovering the gap in
|
||||
production. The library's value is not this pipeline; it is every pipeline after
|
||||
it whose input is less trustworthy than a pinned changelog.
|
||||
|
||||
## 13. Open decisions for the operator
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue