docs(brief): add MS AI Security plugin as second consumer; source-trust disposition

Second target consumer named: MS AI Security plugin, an ingestion
pipeline over Microsoft Learn content that includes user-generated Q&A
(learn.microsoft.com/answers, plus ingested MSDN/Stack Overflow). This
is the high-untrust case where the contract is load-bearing, not
hygiene. New design principle 4.7: disposition scales with source trust
(pinned changelog = WARN; open UGC = quarantine/hard-fail on high
severity). Day-1 rationale: architectural controls are cheap to design
in, expensive to retrofit (consumer 1 is proving that at its A13).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HPAmFyEVWbwvmSNVdXTu4d
This commit is contained in:
Kjell Tore Guttormsen 2026-07-04 06:26:55 +02:00
commit 41473d9db2

View file

@ -91,6 +91,16 @@ bearing part. The brief must lead with the contract, not the regex.
6. **Fail-secure under compound signals.** Injection-scan hit *and* a transform
failure is treated as a probable forced-fallback attack: halt + alert, never
an auto-committed verbatim entry.
7. **Disposition scales with source trust.** The *same* lexicon should not carry
the *same* disposition for every source. A pinned, reputable, single-author
source (an official changelog) warrants **WARN** — false positives from
legitimate security vocabulary dominate the real signal. An open,
user-generated source (a community Q&A forum, scraped web) warrants
**QUARANTINE_REVIEW or hard-fail on high-severity hits** — a random
contributor emitting a spoofed `<system>` block is not "legitimately
discussing injection," and the cost of over-blocking one forum post is far
lower than publishing a poisoned one. Source trust level is therefore a
first-class input to the disposition policy, not a global constant.
## 5. Proposed module layout
@ -212,16 +222,40 @@ packages the full write-time contract as minimal-dependency code. The search
found no such library, but absence of evidence is not proof; a focused survey of
PyPI + GitHub topics should confirm before the README makes a novelty claim.
## 12. Reference implementation
## 12. Reference implementation and target consumers
The contract in §6 is not hypothetical — it is extracted from a working pipeline:
the `claude-code-llm-wiki` Stage B enrichment path (`tools/wiki_ingest/`),
which already implements sanitize + spotlight-fence + tool-less quarantined SDK
call + per-stage credential isolation + schema-validated output + fail-secure
`ForcedFallbackHalt`. That pipeline is the reference implementation and the first
consumer; this repo generalizes its pattern for reuse. The semantic lexicon seed
is the `injection-patterns.mjs` table from the `llm-security` plugin (a pure
regex+label+severity dataset, portable as data).
`ForcedFallbackHalt`. That pipeline is the reference implementation. The semantic
lexicon seed is the `injection-patterns.mjs` table from the `llm-security` plugin
(a pure regex+label+severity dataset, portable as data).
**Target consumers (the reason the library exists):**
1. **`claude-code-llm-wiki`** — low-untrust source (a pinned, reputable
Anthropic changelog). Here the contract is *defense-in-depth hygiene*; the
architectural controls already close the severe outcomes, and the lexicon runs
at WARN. This consumer is *retrofitting* the output-side widening late (at its
A13), which is precisely the cost this library exists to avoid for the next one.
2. **MS AI Security plugin** — a heavier ingestion pipeline over **Microsoft
Learn** content, which includes genuine **user-generated content**: Microsoft
Q&A (`learn.microsoft.com/answers`) is open-contribution, and its knowledge
base ingests MSDN Forums and Stack Overflow. This is the *high-untrust* end,
where the contract is **load-bearing, not hygiene**, and disposition (§4.7)
should default stricter (QUARANTINE_REVIEW / hard-fail on high-severity).
*(Disk note: not yet a separate repo; the related existing plugin is
`ktg-plugin-marketplace/ms-ai-architect`. Name/repo to be reconciled.)*
**Why day-1, not retrofit.** The load-bearing parts of the contract are
architectural — tool-less quarantine, per-stage credential isolation,
output-scan-before-persist, fail-secure disposition. These are cheap to design in
and expensive to bolt on after a pipeline exists (consumer 1 is proving that).
Adopting the library from day 1 means the *high-untrust* consumer (2) inherits a
correct, calibrated contract for free instead of discovering the gap in
production. The library's value is not this pipeline; it is every pipeline after
it whose input is less trustworthy than a pinned changelog.
## 13. Open decisions for the operator