docs(llm-security): drop internal codename from v7.8.0 notes
Reword the v7.8.0 release notes to refer to the scanners as TRG/SIG/AST only; the internal codename is removed from CHANGELOG, CLAUDE.md, README, the version-history section, and STATE. No behaviour or version change.
This commit is contained in:
parent
405874c0c4
commit
a19e9eb8b2
5 changed files with 42 additions and 35 deletions
|
|
@ -8,8 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
|
|||
|
||||
## [7.8.0] - 2026-06-20
|
||||
|
||||
TRG/SIG/AST — three new deterministic deep-scan scanners targeting the
|
||||
skills/agents attack surface (TRG/SIG/AST). Each ships with its own finding
|
||||
Three new deterministic deep-scan scanners (TRG/SIG/AST) targeting the
|
||||
skills/agents attack surface. Each ships with its own finding
|
||||
prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip
|
||||
behaviour. Built behind a security-fix gate: the F-1/F-2/F-3 shell-injection
|
||||
and path-traversal fixes landed first. No existing scanner, hook, or command
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ Security scanning, auditing, and threat modeling for Claude Code projects. 5 fra
|
|||
|
||||
Release notes for v7.0.0 → v7.8.0: see `docs/version-history.md` — read on demand.
|
||||
|
||||
**v7.8.0 highlights** — TRG/SIG/AST: three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse — `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline, so obfuscated known-malware a byte-matcher misses is still caught; rules in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for scope-aware Python taint analysis, falling back to the regex `taint-tracer.mjs` when `python3` is absent; the helper only `ast.parse`s the target, never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 landed first). No existing scanner, hook, or command behaviour changes.
|
||||
**v7.8.0 highlights** — Three new deterministic deep-scan scanners (TRG/SIG/AST) targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse — `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline, so obfuscated known-malware a byte-matcher misses is still caught; rules in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for scope-aware Python taint analysis, falling back to the regex `taint-tracer.mjs` when `python3` is absent; the helper only `ast.parse`s the target, never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 landed first). No existing scanner, hook, or command behaviour changes.
|
||||
|
||||
**v7.7.2 highlights** — Language consistency pass. Norwegian had crept into the playground UI strings, the canonical CLI renderer (`scripts/lib/report-renderers.mjs`), the HTML Report-step appended by all 18 skill commands, two agent prompts, and the marketplace + plugin README/CLAUDE.md state sections. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), surface text was translated to English. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high|^høy/`, `/resolution|løsning/`) were preserved. No scanner, hook, or behavior changes.
|
||||
|
||||
|
|
|
|||
|
|
@ -628,7 +628,7 @@ demonstrations — each with `README.md`, fixture, run script, and
|
|||
|
||||
| Version | Date | Highlights |
|
||||
|---------|------|------------|
|
||||
| **7.8.0** | 2026-06-20 | **TRG/SIG/AST — TRG/SIG/AST deep-scan scanners.** Three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse: `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline (base64/hex/url/entity/unicode, homoglyph fold, rot13), so obfuscated known-malware a byte-matcher misses is still caught; rules ship in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for variable-level, scope-aware Python taint analysis — higher recall than the ~70% regex `taint-tracer.mjs` — and falls back to the regex tracer when `python3` is unavailable, so the scan never hard-fails; the helper only `ast.parse`s the target and never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 shell-injection + path-traversal fixes landed first). 1863 tests, 0 fail. |
|
||||
| **7.8.0** | 2026-06-20 | **TRG/SIG/AST deep-scan scanners.** Three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse: `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline (base64/hex/url/entity/unicode, homoglyph fold, rot13), so obfuscated known-malware a byte-matcher misses is still caught; rules ship in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for variable-level, scope-aware Python taint analysis — higher recall than the ~70% regex `taint-tracer.mjs` — and falls back to the regex tracer when `python3` is unavailable, so the scan never hard-fails; the helper only `ast.parse`s the target and never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 shell-injection + path-traversal fixes landed first). 1863 tests, 0 fail. |
|
||||
| **7.7.2** | 2026-05-19 | **Language consistency pass.** Norwegian had crept into surface text across v7.5-v7.7. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), this release translates: the HTML Report-step appended by all 18 skill commands, the canonical CLI renderer `scripts/lib/report-renderers.mjs` (display strings + JS comments), the playground UI strings, the `skill-scanner-agent` and `mcp-scanner-agent` system prompts, the Recent versions table and playground architecture prose in this README, the v7.7.x highlights in `CLAUDE.md`, and the llm-security entries in the marketplace root `README.md` + `CLAUDE.md`, plus six table cells in `docs/scanner-reference.md`. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high\|^høy/`, `/resolution\|løsning/`) were preserved. No scanner, hook, or behavior changes — purely surface text. |
|
||||
| **7.7.1** | 2026-05-18 | **Playground UX strip.** Operator feedback immediately after v7.7.0: the home surface led with three project tracks (Re-onboard / New project / Command catalog) even though the catalog was the important entry point. Minimum strip delivered as three atomic commits (`b732eee` + `2a6f73f` + `81b7beb`): (1) the router always forces `activeSurface = 'catalog'` (the onboarding/home/project render functions are preserved in source but no longer routable); (2) the topbar `Home` and `Re-onboard` buttons removed, `Catalog` retained; (3) the breadcrumb org-name (`shared.organization.name` from demo state) replaced with a static `llm-security` neutral scope anchor. Fix: the hardcoded `'Plugin v7.6.1'` on line 6933 of `renderHome` (template literal not caught by the v7.7.0 grep) was synced. The onboarding concept is documented as a v7.8.0 candidate (per-command context injection) in `ROADMAP.md`. No scanner or hook behavior changes. |
|
||||
| **7.7.0** | 2026-05-18 | **HTML report for all 18 skill commands.** Every `/security <cmd>` that produces a report now prints a clickable `file://` link to a self-contained HTML version. Delivered across 5 sessions. (1) Playground catalog list-view + builder-pane with a copy button. (2) Playground project-surface cleanup (stub-screen handling, topbar split). (3) The 18 inline parsers + renderers in the playground HTML were moved to a canonical ESM module `scripts/lib/report-renderers.mjs` (the playground keeps a bit-identical inline copy since ESM `import` does not work from `file://`). (4) New zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout mode, kebab→camel commandId routing, inlines 6 DS stylesheets + a local `.report-table` CSS, ~140 KB self-contained HTML, system-font fallback, absolute `file://` paths for Ghostty cmd-click. (5) All 18 skills wired (4 in session 4: scan/audit/posture/deep-scan; 14 in session 5: plugin-audit/mcp-audit/mcp-inspect/ide-scan/supply-check/dashboard/pre-deploy/diff/watch/registry/clean/harden/threat-model/red-team). Output: `reports/<command>-<YYYYMMDD-HHmmss>.html` relative to CWD. No scanner or hook behavior changes — purely additive. |
|
||||
|
|
|
|||
65
STATE.md
65
STATE.md
|
|
@ -1,39 +1,46 @@
|
|||
# STATE — llm-security
|
||||
|
||||
**Active focus:** NONE active — **v7.8.0 RELEASED** (commit `e9476ea`). Security-fix track
|
||||
(F-1/F-2/F-3) + TRG/SIG/AST (TRG/SIG/AST) + the release are ALL DONE. Only loose end =
|
||||
**F-4 (optional, LOW)**, still open. Plugin is in a clean, quiescent, shippable state.
|
||||
**Active focus:** Removing an internal codename from Forgejo (operator request) — a full
|
||||
git history-rewrite + force-push, in progress this session. v7.8.0 itself is RELEASED; the
|
||||
security-fix track (F-1/F-2/F-3) + the TRG/SIG/AST scanners are ALL DONE. Only loose end =
|
||||
**F-4 (optional, LOW)**, still open.
|
||||
|
||||
## What just shipped (DONE — do NOT re-derive)
|
||||
- **v7.8.0 release — Session C. DONE (`e9476ea`).** Pure version-sync, no production code.
|
||||
- Bumped 7.7.2 → 7.8.0 in every CURRENT pointer: `.claude-plugin/plugin.json`, `package.json`,
|
||||
`README.md` badge, `CLAUDE.md` header + "release notes" range sentinel.
|
||||
- Narrative added (prior releases kept as history): `CHANGELOG.md` `[7.8.0]`,
|
||||
`docs/version-history.md` v7.8.0 section, README "Recent versions" 7.8.0 row, CLAUDE.md
|
||||
v7.8.0 highlights paragraph.
|
||||
- Release gate: full `node --test` suite **1863/0** after the doc edits. gitleaks clean.
|
||||
- **TRG/SIG/AST (TRG/SIG/AST) — Steps 1–7. DONE** (`54115a9`..`d19abf0`). Three deterministic
|
||||
deep-scan scanners: `scanners/trigger-scanner.mjs` (TRG, LLM06/AST04),
|
||||
`scanners/signature-scanner.mjs` (SIG, rules in `knowledge/signatures.json`, LLM03/LLM02),
|
||||
`scanners/ast-taint-scanner.mjs` (AST, parse-only `scanners/lib/py-ast-taint.py` + regex fallback,
|
||||
LLM01/LLM02/AST02). Wired into orchestrator + policy; prefixes registered in `output.mjs`.
|
||||
- **Security-fix track — F-1/F-2/F-3 + F-5/F-6. DONE** (Sessions A+B, `5f50899` + `3f64aa5`).
|
||||
From `docs/security-fix-brief-2026-06-20.md`. All shell-injection / path-traversal sinks closed.
|
||||
## Codename scrub (THIS session — operator: "must not appear anywhere on Forgejo")
|
||||
- Tip prose reworded by hand (CHANGELOG, CLAUDE.md, README, docs/version-history.md, STATE.md).
|
||||
- Two `docs/plans/` docs (a gap-analysis + its trekplan, both named after the codename)
|
||||
deleted from ALL history via `git filter-repo --invert-paths` (the matching `.html`
|
||||
render was git-ignored — deleted locally only). Their whole subject was the external
|
||||
reference tool, so they were removed rather than scrubbed in place.
|
||||
- Leftover historical blobs + 2 commit messages (the gap-analysis docs commit + the v7.8.0
|
||||
release-commit body) scrubbed via filter-repo `--replace-text`/`--replace-message`
|
||||
(`(?i)<codename> ==> TRG/SIG/AST`).
|
||||
- Backup before rewrite: `/tmp/llm-security-pre-scrub-backup.bundle` (all refs; pre-scrub
|
||||
HEAD `d11de9a`). origin = Forgejo `open/llm-security`; force-push required after rewrite.
|
||||
|
||||
## What shipped (DONE — do NOT re-derive)
|
||||
- **v7.8.0 release — Session C. DONE** (pure version-sync; no production code). Bumped
|
||||
7.7.2 → 7.8.0 across `.claude-plugin/plugin.json`, `package.json`, `README.md` badge,
|
||||
`CLAUDE.md` header + range sentinel; CHANGELOG `[7.8.0]`, version-history section, README
|
||||
"Recent versions" row, CLAUDE.md highlights added. Release gate: `node --test` 1863/0.
|
||||
- **TRG/SIG/AST scanners — Steps 1–7. DONE** (`54115a9`..`d19abf0`, SHAs change after rewrite).
|
||||
Three deterministic deep-scan scanners: `scanners/trigger-scanner.mjs` (TRG, LLM06/AST04),
|
||||
`scanners/signature-scanner.mjs` (SIG, rules `knowledge/signatures.json`, LLM03/LLM02),
|
||||
`scanners/ast-taint-scanner.mjs` (AST, parse-only `scanners/lib/py-ast-taint.py` + regex
|
||||
fallback, LLM01/LLM02/AST02). Wired into orchestrator + policy; prefixes in `output.mjs`.
|
||||
- **Security-fix track — F-1/F-2/F-3 + F-5/F-6. DONE** (Sessions A+B). All shell-injection /
|
||||
path-traversal sinks closed. Brief: `docs/security-fix-brief-2026-06-20.md`.
|
||||
|
||||
## Still open (optional only)
|
||||
- **F-4 — optional, LOW** (by-design MCP spawn; a confirm-gate is a judgment call). NOT required.
|
||||
Decide deliberately if/when picked up — do not auto-escalate to it.
|
||||
- Residual gap (documented inline in the F-2 fix): prefix containment in `auto-cleaner.mjs` does
|
||||
NOT stop a symlink inside the tree pointing out. Known, accepted.
|
||||
- **F-4 — optional, LOW** (by-design MCP spawn; confirm-gate is a judgment call). NOT required.
|
||||
- Residual gap (inline in F-2 fix): prefix containment in `auto-cleaner.mjs` does not stop a
|
||||
symlink inside the tree pointing out. Known, accepted.
|
||||
|
||||
## COLD START (next session)
|
||||
1. `pwd` + `git status`. Confirm `e9476ea` (v7.8.0) is present AND pushed (weekend window — should
|
||||
be on `origin/main`).
|
||||
2. No active task queued. Options: (a) implement F-4 confirm-gate if the operator wants it;
|
||||
(b) new direction from the operator. Do NOT invent scope — ask.
|
||||
1. `pwd` + `git status`. Confirm the force-pushed history is on `origin/main` and that
|
||||
`git grep -i <codename> $(git rev-list --all)` is empty.
|
||||
2. No active task queued (assuming the scrub completed). Options: F-4 confirm-gate if wanted,
|
||||
or a new direction. Do NOT invent scope — ask.
|
||||
|
||||
## Continuity notes
|
||||
- origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:00–23:00;
|
||||
weekends/holidays anytime. Outside window at session end → commit locally, PARK the push, say so.
|
||||
- Plan of record for TRG/SIG/AST: `docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md`
|
||||
(Step 8 = this release, now complete).
|
||||
weekends/holidays anytime.
|
||||
|
|
|
|||
|
|
@ -2,9 +2,9 @@
|
|||
|
||||
Per-release notes for v7.0.0 onward. Imported from `CLAUDE.md` via `@docs/version-history.md`.
|
||||
|
||||
## v7.8.0 — TRG/SIG/AST: trigger, signature, and AST-taint scanners
|
||||
## v7.8.0 — Trigger, signature, and AST-taint scanners
|
||||
|
||||
Three new deterministic deep-scan scanners ("TRG/SIG/AST"), each with its own
|
||||
Three new deterministic deep-scan scanners (TRG/SIG/AST), each with its own
|
||||
finding prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip
|
||||
behaviour. They target the skills/agents activation and code surface that the
|
||||
permission and shape-based scanners do not cover. Built behind a security-fix
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue