chore(llm-security): v7.8.3 — docs consistency + version bump (#8,#44,#45,#46,#47)
Bumps plugin to 7.8.3 (package.json, plugin.json, README version badge) and syncs the documentation surfaces that had drifted: orchestrated scanner count 9/10/13 to 14 (#8; the WFL/workflow scanner was omitted from the reference list), posture categories 13 to 16 (#44), red-team scenarios 64 to 72 (#45), tests badge/prose 1822 to 2013 (#46). Corrects the pathguard hook-table matcher and header comment to Edit|Write (follows the #9 fix) and removes the two dangling ROADMAP.md references (#47; the roadmap is not a public file). Adds the v7.8.3 CHANGELOG entry, README Recent-versions row, and CLAUDE.md highlights. The '23 scanners' total is a separate module count and is left unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
This commit is contained in:
parent
14070160ba
commit
4cffa30725
10 changed files with 84 additions and 22 deletions
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"name": "llm-security",
|
||||
"description": "Security scanning, auditing, and threat modeling for Claude Code projects. Detects secrets, validates MCP servers, assesses security posture, and generates threat models aligned with OWASP LLM Top 10.",
|
||||
"version": "7.8.2"
|
||||
"version": "7.8.3"
|
||||
}
|
||||
|
|
|
|||
59
CHANGELOG.md
59
CHANGELOG.md
|
|
@ -6,6 +6,65 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
## [7.8.3] - 2026-07-18
|
||||
|
||||
Security and correctness patch. 47 verified fixes from the v7.8.1/v7.8.2
|
||||
completion-review MEDIUM tier (52 findings triaged: 48 confirmed defects, with
|
||||
3 feature-requests and 1 non-defect scoped out; capability work — the #11
|
||||
persistence detector and #27 AST-taint f-string recall — deferred to v8). No
|
||||
new features, and no CRITICAL/HIGH: every review-claimed HIGH downgraded to
|
||||
MEDIUM on re-verification. 2013 tests, 0 fail.
|
||||
|
||||
### Fixed
|
||||
|
||||
- **Supply-chain gate bypasses.** The offline npm blocklist was skipped for
|
||||
bare/range/tag installs (resolved version never re-checked); non-hoisted
|
||||
nested lockfile keys derived the wrong package name; the yarn.lock matcher
|
||||
both false-BLOCKed a legitimate package (unassociated substrings + unanchored
|
||||
`pkg@`) and missed Yarn Berry's `version:` format; `pip audit` (no such
|
||||
subcommand) made Python CVE detection a permanent silent no-op and, once
|
||||
corrected to `pip-audit`, audited the target instead of the scanner host.
|
||||
- **Hook coverage.** pathguard registered `Write` only, so an Edit to an
|
||||
existing protected file (settings, `.env`, `.ssh`, the hooks themselves)
|
||||
bypassed it — now `Edit|Write`. The trifecta window counted marker lines and
|
||||
could scroll a real leg out. The remote-pipe-to-shell block missed
|
||||
xargs/sudo/tee/env interposition. pre-edit-secrets missed bare provider keys
|
||||
(Anthropic, OpenAI, fine-grained GitHub PAT, Google, JWT).
|
||||
- **Scanner robustness / DoS.** Quadratic ReDoS in the HTML-obfuscation
|
||||
injection patterns (~28s to 4ms); unbounded readline on MCP-server stdout
|
||||
(memory exhaustion / uncaught RangeError); an uncapped same-host redirect loop
|
||||
in the VSIX fetcher; a scalar `policy.json` section override threw an uncaught
|
||||
TypeError; non-atomic writes to the MCP-description and skill-registry caches.
|
||||
- **False positives / negatives.** toxic-flow fabricated CRITICAL trifectas from
|
||||
substring keyword matches (`url` in `curl`); TRG-broad/-baiting fired on scoped
|
||||
phrasing and substrings; a legitimate leading UTF-8 BOM was flagged HIGH; the
|
||||
workflow actor-auth-bypass detector missed the bare `if:` form (Dependabot
|
||||
spoof); the git reflog force-push detector tripped on any `reset` in a commit
|
||||
subject; the diff engine mislabeled unchanged findings on duplicate
|
||||
fingerprints; memory-poisoning double-reported a hex token as base64 + hex.
|
||||
- **Parser divergence / evasion.** YAML block-scalar bodies were re-parsed as
|
||||
top-level keys (name/allowed_tools override) and indented/chomped block-scalar
|
||||
headers (`|2`, `>-`) were unrecognized; the bash normalizer decoded only
|
||||
`\xHH`, not ANSI-C octal/`\u`/`\U`; embedded base64 (opt-in) now reaches the
|
||||
SIG decode pipeline; `.env.local`/`.env.example` were silently skipped by
|
||||
discovery; `collapseLetterSpacing` (multi-space/tab) and `redact(_, _, 0)`
|
||||
(full-URL leak) were fixed; the SIG scanner now honours the documented
|
||||
`custom_rules_path` policy option.
|
||||
- **Docs / version consistency.** Orchestrated scanner count corrected to 14,
|
||||
posture categories to 16, red-team scenarios to 72, tests badge to 2013; SARIF
|
||||
`driver.version` now reflects the real plugin version; the pathguard matcher
|
||||
and persistence-detection documentation were corrected; dangling `ROADMAP.md`
|
||||
references removed.
|
||||
|
||||
### Deferred (to v8)
|
||||
|
||||
- Persistence-command detection (cron/launchctl/rc-files/plist) and the
|
||||
AST-taint f-string/concat/alias recall gap — capability enhancements, not
|
||||
defects in shipped code.
|
||||
- Deterministic detectors for AST09 (bulk knowledge load), AST10/LLM10
|
||||
(unbounded consumption), and MCP05 (path-traversal read sink) — each already
|
||||
covered by the LLM-agent layer.
|
||||
|
||||
## [7.8.2] - 2026-07-18
|
||||
|
||||
Security patch. Fixes five defects from the v7.8.1 completion review, four of
|
||||
|
|
|
|||
14
CLAUDE.md
14
CLAUDE.md
|
|
@ -1,9 +1,11 @@
|
|||
# LLM Security Plugin (v7.8.2)
|
||||
# LLM Security Plugin (v7.8.3)
|
||||
|
||||
Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 1820+ unit, integration, and end-to-end tests (`tests/e2e/` covers the multi-hook attack chain, multi-session state simulation, and the full scan-orchestrator pipeline); mutation-testing coverage not published.
|
||||
Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 2013+ unit, integration, and end-to-end tests (`tests/e2e/` covers the multi-hook attack chain, multi-session state simulation, and the full scan-orchestrator pipeline); mutation-testing coverage not published.
|
||||
|
||||
Release notes for v7.0.0 → v7.8.2: see `docs/version-history.md` — read on demand.
|
||||
|
||||
**v7.8.3 highlights** — Security/correctness patch, no feature changes. 47 verified fixes from the v7.8.1/v7.8.2 completion-review MEDIUM tier (52 findings triaged; 3 missing-detector feature-requests and 1 non-defect scoped out; the #11 persistence detector and #27 AST-taint f-string recall deferred to v8). No CRITICAL/HIGH — every review-claimed HIGH downgraded to MEDIUM on re-verification. Supply-chain gate bypasses closed (npm bare-install blocklist skip, nested-key name derivation, yarn.lock false-BLOCK + Yarn Berry miss, `pip audit`→`pip-audit`); pathguard now covers `Edit`; HTML-pattern ReDoS (28s→4ms) and an MCP-stdout memory-exhaustion DoS fixed; toxic-flow/TRG false positives and a bare-`if:` Dependabot-spoof false negative fixed; YAML block-scalar key-leak and embedded-base64→SIG decode closed; docs/counts synced (14 orchestrated scanners, 16 posture categories, 72 red-team scenarios, 2013 tests).
|
||||
|
||||
**v7.8.2 highlights** — Security patch, no feature changes. Five defects from the v7.8.1 completion review, four sharing one failure mode: **the check reported success without running**. (1) `hooks/scripts/pre-bash-destructive.mjs` did not block `rm -rf /` or `rm -rf ~` — the target alternation `(?:\/|~|\$HOME)\b` ended in a word boundary that cannot hold after `/` or `~` at end-of-command, so the bare forms the rule is named for fell through to WARN (exit 0, command executed) while `/etc` and `$HOME` blocked normally, making the rule look functional from either end. (2) `scanners/entropy-scanner.mjs` matched its test/fixture suppression against the **absolute** path, so any ancestor directory named `test`/`spec`/`fixture`/`mock` silenced every entropy finding in the target while still returning status `ok`; it now keys off the relative path. (3) `scanners/ide-extension-scanner.mjs` guarded only `parseVSCodeExtension`'s bare-`null` failure signal, not `parseIntelliJPlugin`'s truthy `{ manifest: null, warnings }`, so any malformed JetBrains plugin dereferenced `manifest.hasSignature`; the TypeError escaped `mapConcurrent`'s unguarded `Promise.all` and aborted the scan of every other installed extension. Guard widened + per-extension fault isolation. (4) `scanners/content-extractor.mjs` — the remote-scan injection boundary — detected obfuscated injections but did not strip them: a decoded-only `match[0]` never occurs in the raw text, so the literal replace was a silent no-op and the payload reached the agent verbatim via `sanitized_content` alongside a finding announcing it. Removal is now line-level; unattributable multi-line payloads carry `unstripped: true`. This boundary had no direct test coverage before v7.8.2. (5) `scanners/lib/ide-extension-parser.mjs` emptied any plugin.xml field holding a character reference above `0x10FFFF` (`Number.isFinite` bounds nothing) — filed as HIGH, actually lower, since such a document is not well-formed XML.
|
||||
|
||||
**v7.8.1 highlights** — Security patch, no feature changes. Fixes a CRITICAL command injection in `scanners/auto-cleaner.mjs`: `validateContent()` syntax-checked candidate `.mjs`/`.js`/`.cjs` content via ``execSync(`node --check "${tmpPath}"`)``, where `tmpPath` derives from the **untrusted scanned-repo filename**. The v7.8.0 F-2 guard checks path containment but neither strips nor quotes shell metacharacters, so a file named ``x";<command>;".mjs`` closes the interpolated quote and injects a command; since `/security clean` runs live by default, scanning a hostile repository sufficed for arbitrary local command execution (live-PoC verified). Both subprocess sites — the syntax check and the CLI's inline scan-orchestrator fallback — now use `spawnSync` with an argv array, so no shell parses a path. Defense-in-depth: `applyFixes()` refuses findings whose `file` carries shell/control metacharacters, surfaced as `skipped`. `validateContent` is now exported so regression tests can drive the sink directly — the guard would otherwise mask a re-introduced shell.
|
||||
|
|
@ -22,14 +24,14 @@ Release notes for v7.0.0 → v7.8.2: see `docs/version-history.md` — read on d
|
|||
|---------|-------------|
|
||||
| `/security` | Router — lists sub-commands |
|
||||
| `/security scan [path\|url]` | Scan skills/MCP/directories/GitHub repos (+ `--deep` for deterministic scanners) |
|
||||
| `/security deep-scan [path]` | 13 deterministic Node.js scanners (incl. supply chain, memory poisoning, toxic flow + trigger/signature/AST-taint) |
|
||||
| `/security deep-scan [path]` | 14 deterministic Node.js scanners (incl. supply chain, memory poisoning, toxic flow + trigger/signature/AST-taint) |
|
||||
| `/security audit` | Full project audit, A-F grading |
|
||||
| `/security plugin-audit [path\|url]` | Plugin trust assessment (local or GitHub URL) |
|
||||
| `/security mcp-audit [--live]` | MCP server config audit (add `--live` for runtime inspection) |
|
||||
| `/security mcp-inspect` | Live MCP server inspection — connect via JSON-RPC 2.0, scan tool descriptions |
|
||||
| `/security mcp-baseline-reset` | Reset MCP description baseline cache (E14, v7.3.0) — after legitimate MCP server upgrade |
|
||||
| `/security ide-scan [target\|url]` | Scan installed VS Code + JetBrains extensions/plugins, or fetch a remote VSIX/JetBrains plugin via URL. Details: `docs/scanner-reference.md` |
|
||||
| `/security posture` | Quick scorecard (13 categories) |
|
||||
| `/security posture` | Quick scorecard (16 categories) |
|
||||
| `/security threat-model` | Interactive STRIDE/MAESTRO session |
|
||||
| `/security diff [path]` | Compare scan against baseline — shows new/resolved/unchanged/moved |
|
||||
| `/security watch [path] [--interval 6h]` | Continuous monitoring — runs diff on recurring interval via /loop |
|
||||
|
|
@ -38,7 +40,7 @@ Release notes for v7.0.0 → v7.8.2: see `docs/version-history.md` — read on d
|
|||
| `/security clean [path]` | Scan + remediate (auto/semi-auto/manual) |
|
||||
| `/security dashboard` | Cross-project security dashboard — machine-wide posture overview |
|
||||
| `/security harden [path]` | Generate Grade A config — settings.json, CLAUDE.md, .gitignore |
|
||||
| `/security red-team [--category] [--adaptive]` | Attack simulation — 64 scenarios across 12 categories against plugin hooks |
|
||||
| `/security red-team [--category] [--adaptive]` | Attack simulation — 72 scenarios across 12 categories against plugin hooks |
|
||||
| `/security pre-deploy` | Pre-deployment checklist |
|
||||
|
||||
## Agents
|
||||
|
|
@ -60,7 +62,7 @@ Release notes for v7.0.0 → v7.8.2: see `docs/version-history.md` — read on d
|
|||
| `pre-edit-secrets.mjs` | PreToolUse | `Edit\|Write` | Block credentials in files |
|
||||
| `pre-bash-destructive.mjs` | PreToolUse | `Bash` | Block rm -rf, curl\|sh, fork bombs, eval. Bash evasion normalization (T1-T6 via `bash-normalize.mjs`) — defense-in-depth |
|
||||
| `pre-install-supply-chain.mjs` | PreToolUse | `Bash` | Block compromised packages across ALL ecosystems. Bash evasion normalization before gate matching |
|
||||
| `pre-write-pathguard.mjs` | PreToolUse | `Write` | Block writes to .env, .ssh/, .aws/, credentials, settings |
|
||||
| `pre-write-pathguard.mjs` | PreToolUse | `Edit\|Write` | Block writes to .env, .ssh/, .aws/, credentials, settings |
|
||||
| `post-mcp-verify.mjs` | PostToolUse | — (all) | Injection scan on ALL tool output. MCP per-update drift + cumulative drift vs sticky baseline (E14, v7.3.0). Per-tool volume tracking |
|
||||
| `post-session-guard.mjs` | PostToolUse | — (all) | Runtime trifecta detection (Rule of Two). Sliding window + long-horizon. Behavioral drift (Jensen-Shannon). Mode: `LLM_SECURITY_TRIFECTA_MODE=block\|warn\|off` (default: warn) |
|
||||
| `update-check.mjs` | UserPromptSubmit | — | Checks for newer versions (max 1x/24h, cached). Disable: `LLM_SECURITY_UPDATE_CHECK=off` |
|
||||
|
|
|
|||
13
README.md
13
README.md
|
|
@ -6,14 +6,14 @@
|
|||
|
||||
*AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)*
|
||||
|
||||

|
||||

|
||||

|
||||

|
||||

|
||||

|
||||

|
||||

|
||||

|
||||

|
||||

|
||||
|
||||
A Claude Code plugin that provides security scanning, auditing, and threat modeling for agentic AI projects. Built on [OWASP LLM Top 10 (2025)](https://genai.owasp.org/llm-top-10/), [OWASP Agentic AI Top 10 (ASI01-ASI10)](https://genai.owasp.org/agentic-ai/), OWASP Skills Top 10 (AST01-AST10), MCP Top 10, and the [AI Agent Traps](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438) taxonomy (Google DeepMind, 2025), grounded in published research from ToxicSkills, ClawHavoc, MCPTox, Pillar Security, Invariant Labs, GHSL Security Lab, and Operant AI.
|
||||
|
|
@ -226,7 +226,7 @@ All hooks are Node.js `.mjs` for cross-platform compatibility (macOS, Linux, Win
|
|||
|
||||
23 scanners. Zero external dependencies. All output JSON.
|
||||
|
||||
### Orchestrated (10) — run via `node scanners/scan-orchestrator.mjs <target>` or `/security deep-scan`
|
||||
### Orchestrated (14) — run via `node scanners/scan-orchestrator.mjs <target>` or `/security deep-scan`
|
||||
|
||||
| Scanner | Prefix | Detects | OWASP |
|
||||
|---------|--------|---------|-------|
|
||||
|
|
@ -262,7 +262,7 @@ All hooks are Node.js `.mjs` for cross-platform compatibility (macOS, Linux, Win
|
|||
| `auto-cleaner.mjs` | Remediation engine — 16 fix operations, atomic writes, post-fix validation |
|
||||
| `content-extractor.mjs` | Pre-extracts evidence from untrusted repos and strips injection patterns before LLM exposure |
|
||||
| `watch-cron.mjs` | Cron wrapper for background scanning |
|
||||
| `scan-orchestrator.mjs` | Entry point that runs all 10 orchestrated scanners |
|
||||
| `scan-orchestrator.mjs` | Entry point that runs all 14 orchestrated scanners |
|
||||
|
||||
**Why deterministic?** LLMs are powerful at semantic analysis — intent, social engineering, context. They cannot reliably calculate Shannon entropy, measure Levenshtein distance between package names, trace taint flow across function boundaries, or detect individual Unicode codepoints. These scanners fill that gap.
|
||||
|
||||
|
|
@ -425,7 +425,7 @@ These gaps are surfaced advisorily through `/security threat-model` and `/securi
|
|||
|
||||
This is a **solo open-source project in stabilization mode** as of 2026-05-01.
|
||||
The current feature set (5 frameworks, 23 scanners, 9 hooks, 6 agents,
|
||||
20 commands, 22 knowledge files, 1822+ tests including a dedicated end-to-end suite) is the natural plateau for
|
||||
20 commands, 22 knowledge files, 2013+ tests including a dedicated end-to-end suite) is the natural plateau for
|
||||
what a deterministic + advisory plugin can defend against without crossing
|
||||
into commercial-grade territory. Going forward, work focuses on:
|
||||
|
||||
|
|
@ -628,11 +628,12 @@ demonstrations — each with `README.md`, fixture, run script, and
|
|||
|
||||
| Version | Date | Highlights |
|
||||
|---------|------|------------|
|
||||
| **7.8.3** | 2026-07-18 | **Completion-review MEDIUM sweep — 47 verified fixes, no CRITICAL/HIGH.** 52 findings triaged (48 confirmed; 3 feature-requests + 1 non-defect scoped out; the #11 persistence detector and #27 AST-taint f-string recall deferred to v8). Supply-chain gate bypasses (npm bare-install blocklist skip, nested-key name derivation, yarn.lock false-BLOCK + Yarn Berry miss, `pip audit` no-op). Hook coverage (pathguard now `Edit|Write`; trifecta window no longer diluted by markers; pipe-to-shell interposition; bare provider-key patterns). Scanner robustness (HTML-pattern ReDoS 28s to 4ms; MCP-stdout memory exhaustion; VSIX redirect loop; scalar-policy TypeError; atomic cache writes). False positives/negatives (toxic-flow substring trifectas, TRG scoped-phrase FPs, leading-BOM HIGH, bare-`if:` Dependabot-spoof FN, reflog `reset` FP, diff duplicate-fingerprint mislabel, hex double-report). Parser divergence (YAML block-scalar key leak + indicators, ANSI-C octal/unicode, embedded-base64 to SIG, `.env.local` discovery). Docs consistency (scanner count 14, posture 16, red-team 72, SARIF version, dangling `ROADMAP.md`). 2013 tests, 0 fail. |
|
||||
| **7.8.2** | 2026-07-18 | **Silent-failure fixes from the completion review (HIGH).** Five defects, four sharing one failure mode: the check reported success without running. `hooks/scripts/pre-bash-destructive.mjs` did not block `rm -rf /` or `rm -rf ~` — the target alternation ended in a `\b` that cannot hold after a non-word character, so the bare forms the rule is named for fell through to WARN (exit 0, command executed) while `/etc` and `$HOME` blocked normally. `scanners/entropy-scanner.mjs` matched its test/fixture suppression against the **absolute** path, so any ancestor directory named `test`/`spec`/`fixture`/`mock` silenced every finding in the target and still returned status `ok`. `scanners/ide-extension-scanner.mjs` guarded only `parseVSCodeExtension`'s bare-`null` failure signal, not `parseIntelliJPlugin`'s truthy `{ manifest: null }`, so any malformed JetBrains plugin threw a TypeError that escaped `mapConcurrent`'s unguarded `Promise.all` and aborted the scan of every other extension. `scanners/content-extractor.mjs` detected obfuscated injections but did not remove them: a decoded-only `match[0]` never occurs in the raw text, so the literal replace was a no-op and the payload reached the LLM agent verbatim through `sanitized_content` — removal is now line-level, with unattributable multi-line payloads flagged `unstripped`. `scanners/lib/ide-extension-parser.mjs` emptied any plugin.xml field containing a character reference above `0x10FFFF`. No feature changes. 1901 tests, 0 fail. |
|
||||
| **7.8.1** | 2026-07-18 | **Auto-cleaner command-injection fix (CRITICAL).** `scanners/auto-cleaner.mjs` syntax-checked candidate `.mjs`/`.js`/`.cjs` content via ``execSync(`node --check "${tmpPath}"`)``, where `tmpPath` derives from the untrusted scanned-repo **filename**. The v7.8.0 F-2 guard checks path containment but does not strip or quote shell metacharacters, so a file named ``x";<command>;".mjs`` closes the interpolated quote and injects a command — and `/security clean` runs live by default, making a hostile repository sufficient for arbitrary local command execution. Reproduced with a live PoC before the fix. Both subprocess sites (syntax check + the CLI scan-orchestrator fallback) now use `spawnSync` with an argv array, so no shell parses a path. Defense-in-depth: `applyFixes()` refuses findings whose `file` carries shell/control metacharacters, reported as `skipped`. Regression coverage is split across both layers so the guard cannot mask a re-introduced shell in the sink. No feature changes. 1865 tests, 0 fail. |
|
||||
| **7.8.0** | 2026-06-20 | **TRG/SIG/AST deep-scan scanners.** Three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse: `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline (base64/hex/url/entity/unicode, homoglyph fold, rot13), so obfuscated known-malware a byte-matcher misses is still caught; rules ship in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for variable-level, scope-aware Python taint analysis — higher recall than the ~70% regex `taint-tracer.mjs` — and falls back to the regex tracer when `python3` is unavailable, so the scan never hard-fails; the helper only `ast.parse`s the target and never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 shell-injection + path-traversal fixes landed first). 1863 tests, 0 fail. |
|
||||
| **7.7.2** | 2026-05-19 | **Language consistency pass.** Norwegian had crept into surface text across v7.5-v7.7. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), this release translates: the HTML Report-step appended by all 18 skill commands, the canonical CLI renderer `scripts/lib/report-renderers.mjs` (display strings + JS comments), the playground UI strings, the `skill-scanner-agent` and `mcp-scanner-agent` system prompts, the Recent versions table and playground architecture prose in this README, the v7.7.x highlights in `CLAUDE.md`, and the llm-security entries in the marketplace root `README.md` + `CLAUDE.md`, plus six table cells in `docs/scanner-reference.md`. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high\|^høy/`, `/resolution\|løsning/`) were preserved. No scanner, hook, or behavior changes — purely surface text. |
|
||||
| **7.7.1** | 2026-05-18 | **Playground UX strip.** Operator feedback immediately after v7.7.0: the home surface led with three project tracks (Re-onboard / New project / Command catalog) even though the catalog was the important entry point. Minimum strip delivered as three atomic commits (`b732eee` + `2a6f73f` + `81b7beb`): (1) the router always forces `activeSurface = 'catalog'` (the onboarding/home/project render functions are preserved in source but no longer routable); (2) the topbar `Home` and `Re-onboard` buttons removed, `Catalog` retained; (3) the breadcrumb org-name (`shared.organization.name` from demo state) replaced with a static `llm-security` neutral scope anchor. Fix: the hardcoded `'Plugin v7.6.1'` on line 6933 of `renderHome` (template literal not caught by the v7.7.0 grep) was synced. The onboarding concept is documented as a v7.8.0 candidate (per-command context injection) in `ROADMAP.md`. No scanner or hook behavior changes. |
|
||||
| **7.7.1** | 2026-05-18 | **Playground UX strip.** Operator feedback immediately after v7.7.0: the home surface led with three project tracks (Re-onboard / New project / Command catalog) even though the catalog was the important entry point. Minimum strip delivered as three atomic commits (`b732eee` + `2a6f73f` + `81b7beb`): (1) the router always forces `activeSurface = 'catalog'` (the onboarding/home/project render functions are preserved in source but no longer routable); (2) the topbar `Home` and `Re-onboard` buttons removed, `Catalog` retained; (3) the breadcrumb org-name (`shared.organization.name` from demo state) replaced with a static `llm-security` neutral scope anchor. Fix: the hardcoded `'Plugin v7.6.1'` on line 6933 of `renderHome` (template literal not caught by the v7.7.0 grep) was synced. The onboarding concept is documented as a v7.8.0 candidate (per-command context injection). No scanner or hook behavior changes. |
|
||||
| **7.7.0** | 2026-05-18 | **HTML report for all 18 skill commands.** Every `/security <cmd>` that produces a report now prints a clickable `file://` link to a self-contained HTML version. Delivered across 5 sessions. (1) Playground catalog list-view + builder-pane with a copy button. (2) Playground project-surface cleanup (stub-screen handling, topbar split). (3) The 18 inline parsers + renderers in the playground HTML were moved to a canonical ESM module `scripts/lib/report-renderers.mjs` (the playground keeps a bit-identical inline copy since ESM `import` does not work from `file://`). (4) New zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout mode, kebab→camel commandId routing, inlines 6 DS stylesheets + a local `.report-table` CSS, ~140 KB self-contained HTML, system-font fallback, absolute `file://` paths for Ghostty cmd-click. (5) All 18 skills wired (4 in session 4: scan/audit/posture/deep-scan; 14 in session 5: plugin-audit/mcp-audit/mcp-inspect/ide-scan/supply-check/dashboard/pre-deploy/diff/watch/registry/clean/harden/threat-model/red-team). Output: `reports/<command>-<YYYYMMDD-HHmmss>.html` relative to CWD. No scanner or hook behavior changes — purely additive. |
|
||||
| **7.6.1** | 2026-05-06 | **Playground v7.6.0 visual patch.** Six bugs caught during maintainer verification in the browser. All were mismatches between DS classes and renderer usage (or missing DS implementations the playground assumed existed). (1) `renderFindingsBlock` used the `.findings` outer class, which is the DS 2-column list+detail grid → replaced with `<section class="report-meta">` + the correct `findings__list > findings__group` pattern. (2) `.report-table` was missing entirely from the DS but used in 7+ renderers → local CSS implementation in the playground HTML. (3) `renderPreDeploy` traffic-lights used `.sm-card__grade` (28×28 px for one A-F letter) for "PASS"/"PASS-WITH-NOTES"/"FAIL" → replaced with a width-adapting status pill. (4) Threat-model matrix bubbles were not clickable → `<button>` with `data-threat-id` + click handler that scrolls to the Threats table. (5) Radar labels overlapped at 6+ axes → SVG 280→380, R 105→125, dynamic `text-anchor` (start/end/middle) based on horizontal position. (6) `recommendation-card__body` overflow on long text → `overflow-wrap: anywhere`. 4/4 fix-specific smoke tests + 18/18 renderer regression passing. No scanner or hook behavior changes — purely additive surface. |
|
||||
| **7.6.0** | 2026-05-06 | **Playground Tier 3 reference case.** The playground (`playground/llm-security-playground.html`) raised to a visually and structurally complete reference for the `shared/playground-design-system/` Tier 3 supplement. 8 new DS components integrated into the 18 report renderers: `tfa-flow` + `tfa-leg` + `tfa-arrow` (lethal trifecta chain with `<button>` elements + ARIA), `mat-ladder` + `mat-step` (5-step maturity ladder with thresholds 0/25/50/75/95% PASS), `suppressed-group` (narrative audit from `summary.narrative_audit.suppressed_findings`), `codepoint-reveal` + `cp-tag`/`cp-zw`/`cp-bidi` (Unicode steganography side-by-side), `top-risks` + `top-risk[data-severity]` (ranked top-findings listing, semantic `<ol>`), `recommendation-card[data-severity]` (severity-tinted advisory on `clean`/`harden`/`audit`/`posture`/`pre-deploy`/`plugin-audit`), `risk-meter` (0-100 band visualization across 5 archetypes), `card--severity-{level}` (severity-color modifier on findings cards). Wave 1: `badge--scope-security` (identity chip), `verdict-pill-lg` (DS Tier 3 pill), `form-progress` + `fp-step` (onboarding wizard). Removed ~30 duplicate CSS declarations (DS wins the cascade). 5 new DS helpers + `mapSeverityToCardLevel` + `parseNarrativeAudit`. File size 10209 → 10677 lines. Delivered across 5 sessions, atomic commits. A11Y report updated. No scanner or hook behavior changes — purely additive surface. |
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ Usage: llm-security <command> [options]
|
|||
Commands:
|
||||
scan <target> [--fail-on <critical|high|medium|low>] [--compact]
|
||||
[--format sarif] [--output-file <path>] [--baseline] [--save-baseline]
|
||||
Run deterministic deep-scan (10 scanners)
|
||||
Run deterministic deep-scan (14 scanners)
|
||||
deep-scan <target>
|
||||
Alias for scan
|
||||
posture <target>
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ Integrate llm-security into your CI/CD pipeline for automated security scanning
|
|||
|
||||
## Data Sovereignty
|
||||
|
||||
**The standalone CLI makes zero network calls by default.** All 10 scanners operate locally on your source code using Shannon entropy analysis, regex pattern matching, AST traversal, and git log parsing. No data is transmitted to any external service.
|
||||
**The standalone CLI makes zero network calls by default.** All 14 scanners operate locally on your source code using Shannon entropy analysis, regex pattern matching, AST traversal, and git log parsing. No data is transmitted to any external service.
|
||||
|
||||
**Exception: supply-chain-recheck** — When scanning lockfiles for known vulnerabilities, this scanner optionally queries the [OSV.dev](https://osv.dev/) batch API. This sends only package names and versions (not source code) over HTTPS. To disable: set `LLM_SECURITY_SCR_OFFLINE=1`.
|
||||
|
||||
|
|
|
|||
|
|
@ -4,11 +4,11 @@ Detailed scanner, CLI, CI/CD, knowledge-file and example documentation. Imported
|
|||
|
||||
## Scanners
|
||||
|
||||
**Orchestrated (13):** Run via `node scanners/scan-orchestrator.mjs <target> [--fail-on <severity>] [--compact] [--output-file <path>] [--baseline] [--save-baseline]`.
|
||||
**Orchestrated (14):** Run via `node scanners/scan-orchestrator.mjs <target> [--fail-on <severity>] [--compact] [--output-file <path>] [--baseline] [--save-baseline]`.
|
||||
`--fail-on <critical|high|medium|low>`: exit 1 if findings at/above severity, exit 0 otherwise. `--compact`: one-liner per finding format. Both configurable via `policy.json` `ci` section.
|
||||
With `--output-file`: full JSON to file, compact aggregate to stdout. `--baseline` diffs against stored baseline. `--save-baseline` saves results for future diffs. Baselines stored in `reports/baselines/<target-hash>.json`.
|
||||
|
||||
13 scanners: unicode, entropy, permission, dep-audit, taint, git-forensics, network, memory-poisoning, supply-chain-recheck, toxic-flow, trigger, signature, ast-taint.
|
||||
14 scanners: unicode, entropy, permission, dep-audit, taint, git-forensics, network, memory-poisoning, supply-chain-recheck, workflow, toxic-flow, trigger, signature, ast-taint.
|
||||
|
||||
Lib: `mcp-description-cache.mjs` — caches MCP tool descriptions in `~/.cache/llm-security/mcp-descriptions.json`, detects per-update drift via Levenshtein (>10% = alert), 7-day TTL. v7.3.0 (E14) adds a sticky baseline slot per tool plus a 10-event rolling history; cumulative drift = `levenshtein(current, baseline) / max(|current|,|baseline|)`. When ratio ≥ `mcp.cumulative_drift_threshold` (default 0.25), emits `mcp-cumulative-drift` advisory through `post-mcp-verify.mjs`. Baseline survives TTL purge so slow-burn drift is preserved across the 7-day window. `clearBaseline(tool?)` exposed for the `/security mcp-baseline-reset` command. `LLM_SECURITY_MCP_CACHE_FILE` env var overrides the cache path for testing.
|
||||
|
||||
|
|
@ -43,7 +43,7 @@ Scanner prefix: MCI. OWASP: MCP03, MCP06, MCP09. Invoked by `mcp-inspect` and `m
|
|||
|
||||
`dashboard-aggregator.mjs` — cross-project security dashboard. Discovers Claude Code projects under ~/ (depth 3) and ~/.claude/plugins/, runs posture-scanner on each, aggregates to machine-grade (weakest link). Cache in `~/.cache/llm-security/dashboard-latest.json` (24h staleness). Run: `node scanners/dashboard-aggregator.mjs [--no-cache] [--max-depth N]`
|
||||
|
||||
`attack-simulator.mjs` — red-team harness. Data-driven: 64 scenarios in 12 categories from `knowledge/attack-scenarios.json`. Payloads constructed at runtime (fragment assembly to avoid triggering hooks on source). Uses `runHook()` from test helper. Adaptive mode (`--adaptive`): 5 mutation rounds per passing scenario (homoglyph, encoding, zero-width, case alternation, synonym). Mutation rules in `knowledge/attack-mutations.json`. Benchmark mode (`--benchmark`): outputs structured pass/fail metrics. Run: `node scanners/attack-simulator.mjs [--category <name>] [--json] [--verbose] [--adaptive] [--benchmark]`
|
||||
`attack-simulator.mjs` — red-team harness. Data-driven: 72 scenarios in 12 categories from `knowledge/attack-scenarios.json`. Payloads constructed at runtime (fragment assembly to avoid triggering hooks on source). Uses `runHook()` from test helper. Adaptive mode (`--adaptive`): 5 mutation rounds per passing scenario (homoglyph, encoding, zero-width, case alternation, synonym). Mutation rules in `knowledge/attack-mutations.json`. Benchmark mode (`--benchmark`): outputs structured pass/fail metrics. Run: `node scanners/attack-simulator.mjs [--category <name>] [--json] [--verbose] [--adaptive] [--benchmark]`
|
||||
|
||||
`ai-bom-generator.mjs` — AI Bill of Materials generator. Discovers AI components (models, MCP servers, plugins, knowledge, hooks) and outputs CycloneDX 1.6 JSON. Scanner prefix: BOM. Run: `node scanners/ai-bom-generator.mjs <target> [--output-file <path>]`
|
||||
|
||||
|
|
@ -95,7 +95,7 @@ Standalone CLI makes zero network calls in default mode. Schrems II compatible i
|
|||
| `skill-registry.json` | Seed data for skill signature registry |
|
||||
| `prompt-injection-research-2025-2026.md` | 7 research papers (2025-2026) with implications for hook defenses |
|
||||
| `deepmind-agent-traps.md` | DeepMind AI Agent Traps — 6 categories, 43 techniques, coverage matrix |
|
||||
| `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation |
|
||||
| `attack-scenarios.json` | 72 red-team scenarios across 12 categories for attack simulation |
|
||||
| `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing |
|
||||
| `compliance-mapping.md` | EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS mappings to plugin capabilities |
|
||||
| `norwegian-context.md` | Norwegian regulatory landscape — Datatilsynet, NSM, Digitaliseringsdirektoratet |
|
||||
|
|
|
|||
|
|
@ -252,4 +252,4 @@ header + state-seksjon, `docs/version-history.md`,
|
|||
`playground/llm-security-playground.html`, rot `README.md` plugin-entry,
|
||||
rot `CLAUDE.md` plugin-katalog, `CHANGELOG.md` `[7.7.1]`-seksjon).
|
||||
Onboarding-konseptet dokumentert som v7.8.0-kandidat (per-kommando
|
||||
kontekst-injeksjon) i `ROADMAP.md`.
|
||||
kontekst-injeksjon).
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#!/usr/bin/env node
|
||||
// Hook: pre-write-pathguard.mjs
|
||||
// Event: PreToolUse (Write)
|
||||
// Event: PreToolUse (Edit|Write)
|
||||
// Purpose: Block writes to sensitive paths (.env, .ssh/, .aws/, credentials, etc.)
|
||||
//
|
||||
// Protocol:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "llm-security",
|
||||
"version": "7.8.2",
|
||||
"version": "7.8.3",
|
||||
"description": "Security scanning, auditing, and threat modeling for Claude Code projects",
|
||||
"type": "module",
|
||||
"bin": {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue