diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cd12ed..e6e0011 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,8 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ## [7.8.0] - 2026-06-20 -TRG/SIG/AST — three new deterministic deep-scan scanners targeting the -skills/agents attack surface (TRG/SIG/AST). Each ships with its own finding +Three new deterministic deep-scan scanners (TRG/SIG/AST) targeting the +skills/agents attack surface. Each ships with its own finding prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip behaviour. Built behind a security-fix gate: the F-1/F-2/F-3 shell-injection and path-traversal fixes landed first. No existing scanner, hook, or command diff --git a/CLAUDE.md b/CLAUDE.md index 9e29e86..fbfd513 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -4,7 +4,7 @@ Security scanning, auditing, and threat modeling for Claude Code projects. 5 fra Release notes for v7.0.0 → v7.8.0: see `docs/version-history.md` — read on demand. -**v7.8.0 highlights** — TRG/SIG/AST: three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse — `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline, so obfuscated known-malware a byte-matcher misses is still caught; rules in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for scope-aware Python taint analysis, falling back to the regex `taint-tracer.mjs` when `python3` is absent; the helper only `ast.parse`s the target, never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 landed first). No existing scanner, hook, or command behaviour changes. +**v7.8.0 highlights** — Three new deterministic deep-scan scanners (TRG/SIG/AST) targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse — `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline, so obfuscated known-malware a byte-matcher misses is still caught; rules in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for scope-aware Python taint analysis, falling back to the regex `taint-tracer.mjs` when `python3` is absent; the helper only `ast.parse`s the target, never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 landed first). No existing scanner, hook, or command behaviour changes. **v7.7.2 highlights** — Language consistency pass. Norwegian had crept into the playground UI strings, the canonical CLI renderer (`scripts/lib/report-renderers.mjs`), the HTML Report-step appended by all 18 skill commands, two agent prompts, and the marketplace + plugin README/CLAUDE.md state sections. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), surface text was translated to English. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high|^høy/`, `/resolution|løsning/`) were preserved. No scanner, hook, or behavior changes. diff --git a/README.md b/README.md index c6dbc6e..8942d05 100644 --- a/README.md +++ b/README.md @@ -628,7 +628,7 @@ demonstrations — each with `README.md`, fixture, run script, and | Version | Date | Highlights | |---------|------|------------| -| **7.8.0** | 2026-06-20 | **TRG/SIG/AST — TRG/SIG/AST deep-scan scanners.** Three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse: `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline (base64/hex/url/entity/unicode, homoglyph fold, rot13), so obfuscated known-malware a byte-matcher misses is still caught; rules ship in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for variable-level, scope-aware Python taint analysis — higher recall than the ~70% regex `taint-tracer.mjs` — and falls back to the regex tracer when `python3` is unavailable, so the scan never hard-fails; the helper only `ast.parse`s the target and never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 shell-injection + path-traversal fixes landed first). 1863 tests, 0 fail. | +| **7.8.0** | 2026-06-20 | **TRG/SIG/AST deep-scan scanners.** Three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse: `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline (base64/hex/url/entity/unicode, homoglyph fold, rot13), so obfuscated known-malware a byte-matcher misses is still caught; rules ship in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for variable-level, scope-aware Python taint analysis — higher recall than the ~70% regex `taint-tracer.mjs` — and falls back to the regex tracer when `python3` is unavailable, so the scan never hard-fails; the helper only `ast.parse`s the target and never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 shell-injection + path-traversal fixes landed first). 1863 tests, 0 fail. | | **7.7.2** | 2026-05-19 | **Language consistency pass.** Norwegian had crept into surface text across v7.5-v7.7. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), this release translates: the HTML Report-step appended by all 18 skill commands, the canonical CLI renderer `scripts/lib/report-renderers.mjs` (display strings + JS comments), the playground UI strings, the `skill-scanner-agent` and `mcp-scanner-agent` system prompts, the Recent versions table and playground architecture prose in this README, the v7.7.x highlights in `CLAUDE.md`, and the llm-security entries in the marketplace root `README.md` + `CLAUDE.md`, plus six table cells in `docs/scanner-reference.md`. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high\|^høy/`, `/resolution\|løsning/`) were preserved. No scanner, hook, or behavior changes — purely surface text. | | **7.7.1** | 2026-05-18 | **Playground UX strip.** Operator feedback immediately after v7.7.0: the home surface led with three project tracks (Re-onboard / New project / Command catalog) even though the catalog was the important entry point. Minimum strip delivered as three atomic commits (`b732eee` + `2a6f73f` + `81b7beb`): (1) the router always forces `activeSurface = 'catalog'` (the onboarding/home/project render functions are preserved in source but no longer routable); (2) the topbar `Home` and `Re-onboard` buttons removed, `Catalog` retained; (3) the breadcrumb org-name (`shared.organization.name` from demo state) replaced with a static `llm-security` neutral scope anchor. Fix: the hardcoded `'Plugin v7.6.1'` on line 6933 of `renderHome` (template literal not caught by the v7.7.0 grep) was synced. The onboarding concept is documented as a v7.8.0 candidate (per-command context injection) in `ROADMAP.md`. No scanner or hook behavior changes. | | **7.7.0** | 2026-05-18 | **HTML report for all 18 skill commands.** Every `/security ` that produces a report now prints a clickable `file://` link to a self-contained HTML version. Delivered across 5 sessions. (1) Playground catalog list-view + builder-pane with a copy button. (2) Playground project-surface cleanup (stub-screen handling, topbar split). (3) The 18 inline parsers + renderers in the playground HTML were moved to a canonical ESM module `scripts/lib/report-renderers.mjs` (the playground keeps a bit-identical inline copy since ESM `import` does not work from `file://`). (4) New zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout mode, kebab→camel commandId routing, inlines 6 DS stylesheets + a local `.report-table` CSS, ~140 KB self-contained HTML, system-font fallback, absolute `file://` paths for Ghostty cmd-click. (5) All 18 skills wired (4 in session 4: scan/audit/posture/deep-scan; 14 in session 5: plugin-audit/mcp-audit/mcp-inspect/ide-scan/supply-check/dashboard/pre-deploy/diff/watch/registry/clean/harden/threat-model/red-team). Output: `reports/-.html` relative to CWD. No scanner or hook behavior changes — purely additive. | diff --git a/STATE.md b/STATE.md index bbfe27e..1961d26 100644 --- a/STATE.md +++ b/STATE.md @@ -1,39 +1,46 @@ # STATE — llm-security -**Active focus:** NONE active — **v7.8.0 RELEASED** (commit `e9476ea`). Security-fix track -(F-1/F-2/F-3) + TRG/SIG/AST (TRG/SIG/AST) + the release are ALL DONE. Only loose end = -**F-4 (optional, LOW)**, still open. Plugin is in a clean, quiescent, shippable state. +**Active focus:** Removing an internal codename from Forgejo (operator request) — a full +git history-rewrite + force-push, in progress this session. v7.8.0 itself is RELEASED; the +security-fix track (F-1/F-2/F-3) + the TRG/SIG/AST scanners are ALL DONE. Only loose end = +**F-4 (optional, LOW)**, still open. -## What just shipped (DONE — do NOT re-derive) -- **v7.8.0 release — Session C. DONE (`e9476ea`).** Pure version-sync, no production code. - - Bumped 7.7.2 → 7.8.0 in every CURRENT pointer: `.claude-plugin/plugin.json`, `package.json`, - `README.md` badge, `CLAUDE.md` header + "release notes" range sentinel. - - Narrative added (prior releases kept as history): `CHANGELOG.md` `[7.8.0]`, - `docs/version-history.md` v7.8.0 section, README "Recent versions" 7.8.0 row, CLAUDE.md - v7.8.0 highlights paragraph. - - Release gate: full `node --test` suite **1863/0** after the doc edits. gitleaks clean. -- **TRG/SIG/AST (TRG/SIG/AST) — Steps 1–7. DONE** (`54115a9`..`d19abf0`). Three deterministic - deep-scan scanners: `scanners/trigger-scanner.mjs` (TRG, LLM06/AST04), - `scanners/signature-scanner.mjs` (SIG, rules in `knowledge/signatures.json`, LLM03/LLM02), - `scanners/ast-taint-scanner.mjs` (AST, parse-only `scanners/lib/py-ast-taint.py` + regex fallback, - LLM01/LLM02/AST02). Wired into orchestrator + policy; prefixes registered in `output.mjs`. -- **Security-fix track — F-1/F-2/F-3 + F-5/F-6. DONE** (Sessions A+B, `5f50899` + `3f64aa5`). - From `docs/security-fix-brief-2026-06-20.md`. All shell-injection / path-traversal sinks closed. +## Codename scrub (THIS session — operator: "must not appear anywhere on Forgejo") +- Tip prose reworded by hand (CHANGELOG, CLAUDE.md, README, docs/version-history.md, STATE.md). +- Two `docs/plans/` docs (a gap-analysis + its trekplan, both named after the codename) + deleted from ALL history via `git filter-repo --invert-paths` (the matching `.html` + render was git-ignored — deleted locally only). Their whole subject was the external + reference tool, so they were removed rather than scrubbed in place. +- Leftover historical blobs + 2 commit messages (the gap-analysis docs commit + the v7.8.0 + release-commit body) scrubbed via filter-repo `--replace-text`/`--replace-message` + (`(?i) ==> TRG/SIG/AST`). +- Backup before rewrite: `/tmp/llm-security-pre-scrub-backup.bundle` (all refs; pre-scrub + HEAD `d11de9a`). origin = Forgejo `open/llm-security`; force-push required after rewrite. + +## What shipped (DONE — do NOT re-derive) +- **v7.8.0 release — Session C. DONE** (pure version-sync; no production code). Bumped + 7.7.2 → 7.8.0 across `.claude-plugin/plugin.json`, `package.json`, `README.md` badge, + `CLAUDE.md` header + range sentinel; CHANGELOG `[7.8.0]`, version-history section, README + "Recent versions" row, CLAUDE.md highlights added. Release gate: `node --test` 1863/0. +- **TRG/SIG/AST scanners — Steps 1–7. DONE** (`54115a9`..`d19abf0`, SHAs change after rewrite). + Three deterministic deep-scan scanners: `scanners/trigger-scanner.mjs` (TRG, LLM06/AST04), + `scanners/signature-scanner.mjs` (SIG, rules `knowledge/signatures.json`, LLM03/LLM02), + `scanners/ast-taint-scanner.mjs` (AST, parse-only `scanners/lib/py-ast-taint.py` + regex + fallback, LLM01/LLM02/AST02). Wired into orchestrator + policy; prefixes in `output.mjs`. +- **Security-fix track — F-1/F-2/F-3 + F-5/F-6. DONE** (Sessions A+B). All shell-injection / + path-traversal sinks closed. Brief: `docs/security-fix-brief-2026-06-20.md`. ## Still open (optional only) -- **F-4 — optional, LOW** (by-design MCP spawn; a confirm-gate is a judgment call). NOT required. - Decide deliberately if/when picked up — do not auto-escalate to it. -- Residual gap (documented inline in the F-2 fix): prefix containment in `auto-cleaner.mjs` does - NOT stop a symlink inside the tree pointing out. Known, accepted. +- **F-4 — optional, LOW** (by-design MCP spawn; confirm-gate is a judgment call). NOT required. +- Residual gap (inline in F-2 fix): prefix containment in `auto-cleaner.mjs` does not stop a + symlink inside the tree pointing out. Known, accepted. ## COLD START (next session) -1. `pwd` + `git status`. Confirm `e9476ea` (v7.8.0) is present AND pushed (weekend window — should - be on `origin/main`). -2. No active task queued. Options: (a) implement F-4 confirm-gate if the operator wants it; - (b) new direction from the operator. Do NOT invent scope — ask. +1. `pwd` + `git status`. Confirm the force-pushed history is on `origin/main` and that + `git grep -i $(git rev-list --all)` is empty. +2. No active task queued (assuming the scrub completed). Options: F-4 confirm-gate if wanted, + or a new direction. Do NOT invent scope — ask. ## Continuity notes - origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:00–23:00; - weekends/holidays anytime. Outside window at session end → commit locally, PARK the push, say so. -- Plan of record for TRG/SIG/AST: `docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md` - (Step 8 = this release, now complete). + weekends/holidays anytime. diff --git a/docs/version-history.md b/docs/version-history.md index 245f9d6..7272e97 100644 --- a/docs/version-history.md +++ b/docs/version-history.md @@ -2,9 +2,9 @@ Per-release notes for v7.0.0 onward. Imported from `CLAUDE.md` via `@docs/version-history.md`. -## v7.8.0 — TRG/SIG/AST: trigger, signature, and AST-taint scanners +## v7.8.0 — Trigger, signature, and AST-taint scanners -Three new deterministic deep-scan scanners ("TRG/SIG/AST"), each with its own +Three new deterministic deep-scan scanners (TRG/SIG/AST), each with its own finding prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip behaviour. They target the skills/agents activation and code surface that the permission and shape-based scanners do not cover. Built behind a security-fix