llm-ingestion-pipeline-secu.../tests
Kjell Tore Guttormsen 5397ba15a1 fix(security): harden 5 adversarial-review findings (M1/M2/M3 + m4/m6) via TDD
Pre-release hardening from an independent adversarial review; each fixed
test-first (failing test -> fix -> green). 214 tests pass.

- entropy (M1): decode-and-rescan now runs BEFORE false-positive suppression,
  so an SRI/media-prefixed injection blob is still decoded and lexicon-rescanned.
  Suppression gates only the entropy finding, never the decode.
- output/disposition (M3): the invisible-carrier invariant now holds on the
  persist gate. scan_output flags zero-width/BIDI presence and disposition
  treats those + lexicon:unicode-tags-present as any-tier carriers, so a carrier
  in model output fails secure even under a trusted policy.
- contract (M2): assert_credential_allowlist catches a bare <PROVIDER>_KEY
  (e.g. STRIPE_KEY) that the old regex silently missed (fail-open). Deliberately
  broad: also flags PARTITION_KEY/SORT_KEY as loud, allowlistable FPs -- fail-loud
  beats fail-silent for an isolation control.
- disposition (m6): guard runs decide inside its guarded block -> total
  fail-closed even on a malformed report.
- output (m4): egress placeholder suppression anchors word markers (example,
  todo, ...) to a word boundary, closing a fail-open where a real secret merely
  containing such a word was suppressed.

Docs: CHANGELOG Security subsection; README honest-limit for lexicon dedup (m5,
documented tradeoff, not fixed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HyRCQMocjZ6SmSQ6JidJ2k
2026-07-05 10:45:05 +02:00
..
test_contract.py fix(security): harden 5 adversarial-review findings (M1/M2/M3 + m4/m6) via TDD 2026-07-05 10:45:05 +02:00
test_corpus.py test(showcase): end-to-end multi-vuln pipeline + adversarial/FP corpora (recall) 2026-07-04 23:34:51 +02:00
test_disposition.py fix(security): harden 5 adversarial-review findings (M1/M2/M3 + m4/m6) via TDD 2026-07-05 10:45:05 +02:00
test_entropy.py fix(security): harden 5 adversarial-review findings (M1/M2/M3 + m4/m6) via TDD 2026-07-05 10:45:05 +02:00
test_fence.py feat(fence): randomized unspoofable delimiter + attacker marker-strip (TDD) [skip-docs] 2026-07-04 18:23:35 +02:00
test_grounding.py feat(grounding): SourceGroundingCheck protocol + pass-through default — the semantic-poisoning seam (TDD) [skip-docs] 2026-07-04 22:44:41 +02:00
test_lexicon.py feat(lexicon): JSON injection lexicon + variant-set scan (TDD) [skip-docs] 2026-07-04 17:20:21 +02:00
test_neutralize.py feat(neutralize): opt-in pure defang of active-content output (TDD) [skip-docs] 2026-07-04 18:55:12 +02:00
test_output.py fix(security): harden 5 adversarial-review findings (M1/M2/M3 + m4/m6) via TDD 2026-07-05 10:45:05 +02:00
test_report.py feat: scaffold package + report and sanitize modules (TDD) 2026-07-04 09:24:20 +02:00
test_sanitize.py feat: scaffold package + report and sanitize modules (TDD) 2026-07-04 09:24:20 +02:00
test_showcase.py test(showcase): end-to-end multi-vuln pipeline + adversarial/FP corpora (recall) 2026-07-04 23:34:51 +02:00
test_wiring.py feat(wiring): §6 bookends (prepare_input/screen_output) + full public API + README v0.1 (TDD) 2026-07-04 23:34:28 +02:00