Commit graph

157 commits

Author SHA1 Message Date
6d3c4b5052 chore(llm-security): v7.8.0 — TRG/SIG/AST scanners v7.8.0
Session C of the security-fix track: cut the TRG/SIG/AST release now that the
F-1/F-2/F-3 security gates pass. Pure version-sync — the three scanners shipped
in Steps 1-7 (616e7ff..fc7cf57); no production code changes here.

Version-sync 7.7.2 -> 7.8.0 across every current pointer: .claude-plugin/
plugin.json, package.json, README.md badge, and the CLAUDE.md header + "release
notes" range sentinel. Narrative additions (prior releases kept as history):
- CHANGELOG.md: new [7.8.0] entry (Added: TRG/SIG/AST; Changed: prefix
  registration + knowledge/ packaging).
- docs/version-history.md: new v7.8.0 section describing the three scanners.
- README.md "Recent versions": new 7.8.0 row.
- CLAUDE.md: new v7.8.0 highlights paragraph above the v7.7.2 one.

TRG/SIG/AST recap (built Steps 1-7, behind the security-fix gate):
- TRG (scanners/trigger-scanner.mjs) — trigger/activation-abuse: TRG-shadow /
  TRG-baiting / TRG-broad over name+description frontmatter, decode pipeline
  first (LLM06/AST04).
- SIG (scanners/signature-scanner.mjs) — pure-Node known-malware identity engine
  over raw bytes + decode pipeline; rules in knowledge/signatures.json
  (LLM03/LLM02).
- AST (scanners/ast-taint-scanner.mjs) — parse-only python3 taint helper
  (scanners/lib/py-ast-taint.py) with graceful regex fallback (LLM01/LLM02/AST02).

Release gate: full node --test suite 1863/0 after the doc edits. No scanner,
hook, or command behaviour changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 11:23:11 +02:00
614971c71a chore(llm-security): STATE — Session B (F-2 + F-3) done; next = Session C (release)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 11:10:24 +02:00
dfb663fa61 fix(llm-security): F-2/F-3 — contain path traversal + kill npm-view shell injection
Session B of the security-fix track. Both sinks trusted untrusted strings at a
filesystem/subprocess boundary; same fix family as F-1.

F-2 (HIGH, arbitrary file write) — scanners/auto-cleaner.mjs: applyFixes() did
resolve(targetPath, f.file) with no containment, then wrote the cleaned content
back. f.file is untrusted (scanned-repo filenames, or a fully attacker-chosen
--findings file), so file: "../../.claude/settings.json" let the cleaner modify
files OUTSIDE the scanned tree. Add a prefix-containment check before grouping:
absPath must equal targetPath or start with targetPath + sep, else the finding
is refused and reported as skipped. (Documented residual gap: prefix containment
does not stop a symlink inside the tree pointing out — noted inline.)

F-3 (HIGH, command injection, pre-confirmation) — hooks/scripts/
pre-install-supply-chain.mjs: inspectNpmPackage ran execSafe(`npm view ${spec}
--json`), a shell string. spec derives from package tokens parsed out of the
scanned Bash command, so a metachar-bearing token reached the shell on
PreToolUse(Bash) — BEFORE the install, so it ran even if the user then denied
the command. Switch to spawnSync('npm', ['view', spec, '--json']) (no shell);
spec is passed as one argv element. The static `npm audit --json` execSafe call
is left as-is (no interpolation).

TDD (repro -> red -> green):
- tests/scanners/auto-cleaner-traversal.test.mjs: a "../secret.txt" finding must
  not rewrite the outside file; contained files still get cleaned.
- tests/hooks/supply-chain-injection.test.mjs: `npm install $(>/abs/PWNED)`
  (redirect-only $(...) survives normalizeBashExpansion + the whitespace split)
  must not create the sentinel.

Closing gates: full node --test suite 1863/0 (was 1860; +3); gitleaks clean;
F-1 regression re-run GREEN (sink still closed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 11:09:13 +02:00
f5988f9500 chore(llm-security): STATE — Session A (F-1 + F-5/F-6) done; next = Session B
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 10:19:20 +02:00
e46b5a3256 fix(llm-security): F-1 — eliminate shell-injection RCE in git-forensics scanner
git-forensics ran execSync(`git ${cmd}`), interpolating attacker-controlled
filenames from the SCANNED repo (git ls-files / git log --name-only) into a
shell string. A hostile repo containing a file named `commands/$(touch X).md`
achieved zero-interaction RCE on `/security scan <url>`: gitScan is in the
default scanner array and runs OUTSIDE the git-clone OS sandbox (which wraps
only the clone), so it executed unsandboxed on all platforms.

Convert the git() helper to spawnSync('git', [...args]) with no shell; every
call site now passes discrete tokens (shell quoting removed — git does its own
pathspec globbing). The helper throws on non-zero exit, preserving existing
per-category/per-file try/catch semantics.

TDD: adds a failing-first regression (tests/scanners/git-injection.test.mjs)
that builds a hostile-filename fixture repo and asserts the injected command
never runs. RED against execSync, GREEN after the fix.

Also removes two stray committed root artifacts (F-5/F-6): `--json`
(0-byte redirect husk) and .orphaned_at.

Closing gates: full node --test suite 1860/0; gitleaks clean. F-2/F-3 follow
in Session B.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 10:18:41 +02:00
a96e3b947f chore(llm-security): STATE — security-fix track plan (F-1/F-2/F-3 must-fix) over multiple sessions
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 10:09:11 +02:00
089623af89 chore(llm-security): STATE — TRG/SIG/AST done; v7.8.0 deferred behind security-fix brief
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:51:28 +02:00
fc7cf57da6 docs(llm-security): document TRG/SIG/AST scanners and package knowledge/
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:46:14 +02:00
b0314418f4 feat(llm-security): wire AST scanner into orchestrator and policy
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:41:32 +02:00
40a1e34ee9 feat(llm-security): add AST Python-taint scanner with python3 fallback
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:38:36 +02:00
e46bf12b86 feat(llm-security): wire SIG scanner into orchestrator and policy
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:32:23 +02:00
9e0a09ab1f feat(llm-security): add SIG signature scanner with decode-pipeline matching
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:28:52 +02:00
9f1156866c feat(llm-security): wire TRG scanner into orchestrator and policy
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:24:23 +02:00
92bd99f2a8 docs: security fix brief for next session — F-1 RCE + F-2/F-3 sinks
Action brief from the marketplace-wide review (see docs/review-2026-06-20.md). Three shell/path
injection sinks: F-1 CRITICAL zero-interaction RCE in git-forensics.mjs (execSync shell string +
attacker-controlled filenames; reproduced), F-2 HIGH path-containment write in auto-cleaner.mjs,
F-3 HIGH command injection in the supply-chain hook. Common fix: execSync(string) -> spawnSync(array)
/ input containment. DO AFTER the current active session finishes.

Disclosure hold: this brief + review-2026-06-20.md (ff9bd13) are committed locally but NOT pushed;
push both only together with the F-1 fix (the brief carries a working RCE repro payload).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-20 09:23:19 +02:00
616e7ff18c feat(llm-security): add TRG trigger-abuse scanner
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:19:54 +02:00
ff9bd13c6f docs: add full-depth plugin review (2026-06-20)
Grade B− — exceptionally disciplined design, but one CRITICAL zero-interaction RCE (F-1) plus two HIGH shell/path sinks. PUSH PARKED pending responsible-disclosure decision. Part of the marketplace-wide review (config-audit v5.4.0 + llm-security + structure + version). Read-only; this file is the only artifact.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-20 09:14:11 +02:00
7736c0bde2 docs(llm-security): TRG/SIG/AST gap analysis + reviewed execution plan
Brief + 8-step trekplan for 3 new dep-free scanners: TRG (trigger-abuse),
SIG (signature engine over the decode pipeline), AST (Python AST taint).
Adversarial review fixed 3 blockers + 7 majors on draft 1 (59/D -> 86/B).

STATE.md prepped as a self-contained cold-start for /trekexecute next session.
Un-gitignore STATE.md (global ~/.claude rule overrides old polyrepo convention);
ignore generated plan annotation HTML. No scanner code yet.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2026-06-20 09:00:24 +02:00
0ef780fd69 chore(gitignore): add session/local-state baseline (polyrepo split) 2026-06-18 10:21:13 +02:00
3db6b65aba chore(llm-security): v7.7.2 — language consistency pass v7.7.2
~/.claude/CLAUDE.md specifies English for code and documentation,
Norwegian for dialog only. Norwegian had crept into surface text
across v7.5-v7.7. Translated to English in eight surfaces.

No scanner, hook, or behavior changes — purely surface text.

- 18 skill commands: the HTML Report-step now reads "HTML report:
  [Open in browser]" instead of "HTML-rapport: [Åpne i nettleser]"
- scripts/lib/report-renderers.mjs: key-stat labels, lede defaults,
  table headers, maturity-ladder descriptions, action-tier labels,
  clean buckets, dry-run/apply copy, and JS comments. Regex
  alternations /^high|^høy/ and /resolution|løsning/i preserved.
- playground/llm-security-playground.html: same renderer changes
  mirrored bit-identical, plus playground-only UI strings (catalog,
  breadcrumb aria-label, theme toggle, builder-modal hint,
  guide-panel "no projects yet", delete confirmation, alert/copy).
  Demo-state fixture content for dft-komplett-demo preserved
  (intentional Norwegian persona).
- agents/skill-scanner-agent.md + agents/mcp-scanner-agent.md:
  Generaliseringsgrense + Parallell Read-strategi sections translated
  to Generalization boundary + Parallel Read strategy.
- README.md: playground architecture prose + Recent versions table
  (v7.5.0 — v7.7.1).
- CLAUDE.md: v7.7.1 highlights translated, new v7.7.2 highlights
  added.
- ../../README.md: llm-security v7.5.0 — v7.7.1 bullets.
- ../../CLAUDE.md: llm-security catalog entry.
- docs/scanner-reference.md: six runnable-examples table cells.
- docs/version-history.md: new v7.7.2 entry. v7.5-v7.7 narrative
  sections left in original language (deferred per operator).
- Version bumped 7.7.1 → 7.7.2 in package.json,
  .claude-plugin/plugin.json, README badge + Recent versions,
  CLAUDE.md header + state, docs/version-history.md, playground
  renderHome hardcoded string, root README + CLAUDE.md llm-security
  entries.

Tests: 1820/1820 green. CLI smoke-test: 18/18 commandIds produce
>138 KB self-contained HTML. Browser-dogfood verified.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-19 06:47:44 +02:00
b626ba0c5e chore(llm-security): v7.7.1 release — formaliser playground UX-strip-fixes
Tre fixes commited etter v7.7.0-tagen (adffb60 + 52afd12 + 02a66f3) viste
versjons-inkonsistens: package.json + plugin.json + README badge + CLAUDE.md
header satt fortsatt på v7.7.0 mens commit-meldinger og inline-kommentarer
refererte v7.7.1 som om det var en release. Per feedback_version_sync.md
skal alle versjonsreferanser stemme — denne commiten lukker gapet.

Endringer:
- package.json: 7.7.0 → 7.7.1
- .claude-plugin/plugin.json: 7.7.0 → 7.7.1
- plugin README badge: version-7.7.0-blue → version-7.7.1-blue
- plugin README "Recent versions"-tabell: ny [7.7.1]-rad
- plugin CLAUDE.md header + v7.7.1-highlights state-seksjon
- docs/version-history.md: ny v7.7.1-seksjon
- playground HTML linje 6935: 'Plugin v7.7.0' → 'Plugin v7.7.1'
  (samme template-litteral som v7.7.0-bumpen ikke fanget, nå synket)
- CHANGELOG.md: ny [7.7.1]-seksjon med full Changed/Fixed/Notes
- rot README llm-security-entry: v7.7.0 → v7.7.1 + ny v7.7.1-bullet
- rot CLAUDE.md plugin-katalog: v7.7.1-bump

Verifisert:
- 1820/1820 tester grønne (pre-compact-flake fyrte ikke)
- CLI rapporterer fornuftig feilmelding på tom input
- Ingen kildefil-treff på 7.7.0 utenfor CHANGELOG/version-history/REMEMBER/TODO/ROADMAP

Ingen ny atferd. Kun versjons-synking + dokumentasjon av tre fixes som var
deployert som ad-hoc-commits.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 21:38:27 +02:00
02a66f3c77 fix(llm-security): playground topbar — fjern orgName fra breadcrumb
Etter v7.7.1-strippen ble onboarding fjernet, men topbar viste fortsatt
demo-state-organisasjonsnavnet ('Direktoratet for digital tjeneste-
utvikling') hentet fra shared.organization. Det er ikke meningsfullt
lenger siden onboarding ikke kan endre verdien.

Erstattet med statisk 'llm-security' som nøytralt scope-anker. Crumb-
parameteren (f.eks. 'Katalog') beholdes som suffix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 21:09:02 +02:00
52afd12cc1 feat(llm-security): playground v7.7.1 — katalog som eneste levende overflate
Operatør-tilbakemelding etter v7.7.0: hjem-overflaten ledet fortsatt med
prosjekter (Re-onboard / Nytt prosjekt / Command-katalog) — katalog var
tredje kort, sekundært bak prosjekt-tracks. Brukeren ba om å fjerne
onboarding + prosjekter og beholde katalog ('Vi legger til funksjonalitet
senere').

Minimum-strip (gammel kode bevart, kun routing + topbar endret):

- renderActive(): tvinger alltid activeSurface til 'catalog'.
  Onboarding/home/project-render-funksjonene er bevart men ikke rutbare.
- Init-default endret fra 'home' til 'catalog' (også for migrerte states).
- Topbar: 'Hjem' og 'Re-onboard'-knappene fjernet. 'Katalog' beholdt
  sammen med Eksporter/Importer/tema-toggle.

Konsekvens: playgrounden lander direkte i Command-katalog (20 kommandoer
med list-view + builder-pane + copy-knapp fra sesjon 1). Project-state +
onboarding-state forblir i IndexedDB men ingen UI-vei dit. Når funksjon-
alitet legges til igjen kan routeren utvides og topbar-knapper restaureres.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 21:01:18 +02:00
adffb60908 fix(llm-security): playground hardkodet versjon v7.6.1 → v7.7.0
Hjem-overflaten viste fortsatt 'Plugin v7.6.1' i meta-linja fordi
versjon-strengen er hardkodet inline i renderHome (line 6933), ikke
synkronisert med package.json. Fanget post-release.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 20:49:05 +02:00
7f9e57bb37 feat(llm-security): v7.7.0 — HTML-rapport for alle 18 skill-kommandoer
Hver /security <cmd> som produserer rapport printer nå en klikkbar
file://-lenke til en self-contained HTML-versjon. Levert over fem
sesjoner; sesjon 5 wirer de 14 resterende skill-filene + slipper
v7.7.0 (versjonsbump + docs).

Sesjon-historikk:
- Sesjon 1 (de23a63) — playground katalog list-view + builder-pane med
  copy-knapp på alle 18 rapporter
- Sesjon 2 (ea8da55) — playground prosjekt-surface opprydding
  (stub-screen + topbar-splitt)
- Sesjon 3 (01a8947) — extract 18 inline parsers + 18 inline renderers
  fra playground til canonical ESM-modul scripts/lib/report-renderers.mjs
  (playground beholder bit-identisk inline-kopi siden ESM import ikke
  fungerer fra file://)
- Sesjon 4 (c7748d5) — ny zero-dep CLI scripts/render-report.mjs
  (stdin/file/stdout-modus, kebab→camel commandId-routing, ~140 KB
  self-contained HTML med 6 inlined DS-stylesheets + lokal .report-table,
  absolutte file://-paths for Ghostty cmd-click). 4 skills wired:
  scan, audit, posture, deep-scan.
- Sesjon 5 (denne) — 14 resterende skills wired: plugin-audit, mcp-audit,
  mcp-inspect, ide-scan, supply-check, dashboard, pre-deploy, diff,
  watch, registry, clean, harden, threat-model, red-team. Hver skill-fil
  har nå en HTML Report-step som instruerer Claude å skrive markdown
  verbatim, kjøre CLI, og appende klikkbar file://-lenke til respons.

Release-arbeid:
- Versjonsbump v7.6.1 → v7.7.0 i 6 plugin-filer + 2 rot-filer
  (package.json, .claude-plugin/plugin.json, README badge, CLAUDE.md
  header + state-seksjon, docs/version-history.md, plugin Recent versions-
  tabell, rot README plugin-entry, rot CLAUDE.md plugin-katalog)
- CHANGELOG [7.7.0] med full historikk fra sesjon 1-5
- docs/version-history.md v7.7.0-seksjon

Verifisert:
- 18/18 commandIds i CLI gir > 138 KB self-contained HTML
- 1819/1820 tester grønne (pre-compact-scan-perf-flake fyrte under last,
  passerer i isolasjon på 1582 ms — pre-eksisterende, defer til v7.7.x)
- 18/18 skill-filer har HTML Report-step
- Ingen kildefil-treff på 7.6.1 utenfor historiske changelog/version-
  history/README releases-tabell

Ingen scanner- eller hook-atferdsendringer — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 13:12:21 +02:00
c7748d56ba feat(llm-security): playground v7.6.2-dev — render-report CLI + wire 4 skills (scan, audit, posture, deep-scan) [skip-docs]
- New scripts/render-report.mjs CLI: stdin/file/stdout modes, ESM import
  from ./lib/report-renderers.mjs, kebab→camel renderer-name lookup so
  any of the 18 PARSERS works
- Standalone HTML wrap: inlines 6 DS stylesheets (tokens, base, components,
  tier2, tier3, tier3-supplement) + local .report-table CSS. Skips fonts.css
  → system-ui fallback via tokens.css (~137 KB self-contained vs ~1 MB
  with woff2 bundled)
- 4 skill files wired: commands/{scan,audit,posture,deep-scan}.md — new
  step instructs Claude to Write the markdown report to a temp file,
  invoke the CLI, and print a markdown-formatted file:// link
- Absolute file:// paths in stdout for Ghostty cmd-click compatibility
- Default output: reports/<command>-<YYYYMMDD-HHmmss>.html relative to CWD
- Smoke-tested: stdin→stdout, file→file roundtrip, all 4 commands produce
  valid HTML with DS-aligned page-shell (page__title, verdict-pill-lg,
  risk-meter, key-stats, findings__item, recommendation-card)
- Tests 1820/1820 green (same baseline; pre-compact-scan perf-flake from
  NEXT-SESSION-PROMPT did not fire on retry)
- Playground untouched (2 scripts, 0 parse failures), report-renderers.mjs
  untouched (74 exports, 18 PARSERS, 18 RENDERERS)

Sesjon 4 av 5. v7.7.0 release + 9 remaining skill wirings = sesjon 5.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 12:56:03 +02:00
01a894701e refactor(llm-security): playground v7.6.2-dev — extract 18 renderers til scripts/lib/report-renderers.mjs [skip-docs]
Ny scripts/lib/report-renderers.mjs ESM-modul (3042 linjer, 74 named
exports + PARSERS/RENDERERS routing-maps + KEY_STATS_CONFIG):

- 18 main renderers (renderScan, renderDeepScan, renderPluginAudit,
  renderMcpAudit, renderIdeScan, renderPosture, renderAudit,
  renderDashboard, renderHarden, renderRedTeam, renderMcpInspect,
  renderSupplyCheck, renderPreDeploy, renderDiff, renderWatch,
  renderRegistry, renderClean, renderThreatModel)
- 12 renderer helpers (renderEmptyState, renderFindingsBlock,
  renderRecommendationsList, mapSeverityToCardLevel, renderRiskMeter,
  renderSmallMultiples, renderRadarSvg, renderToxicFlow, renderMatLadder,
  renderSuppressedGroup, renderCodepointReveal, renderTopRisks)
- 3 page-shell helpers (renderPageShell, renderVerdictPill,
  renderKeyStatsGrid)
- 18 parsers + 15 parser helpers (parseTableRow, parseTable, parseSections,
  extractField, parseRiskDashboard, parseFindingsTables, etc.)
- Verdict + key-stats inference (normalizeVerdict, inferVerdict,
  KEY_STATS_CONFIG, inferKeyStats)
- escapeHtml / escapeAttr

Canonical source for sesjon 4 CLI (scripts/render-report.mjs).

playground/llm-security-playground.html beholdes UENDRET (Fallback 2 fra
brief): file:// + ESM import er blokkert i Chrome/Firefox uten flags, så
playground beholder inline-kopi for single-file file:// distribusjon.
Sync-invariant dokumentert i modul-header.

Bit-identisk verifisering: alle 18 renderer-bodies character-for-character
identiske mellom .mjs og playground inline (extract → dedent 4-space →
diff). Smoke-test: parseScan + renderScan/renderPosture/renderAudit
produserer forventet DS-aligned HTML.

Tester: 1819/1820 grønne (samme baseline som sesjon 2; kjent pre-existing
flaky pre-compact-scan perf-test). JS-parse av playground: 0 failures.
2026-05-18 12:42:28 +02:00
ea8da55ee0 feat(llm-security): playground v7.6.2-dev — prosjekt-surface opprydding + topbar-splitt [skip-docs]
- renderCommandSubCard: collapsed-by-default + click-to-expand uten remount
- renderProjectSurface: stub-screens (Oversikt/Kontekst/Eksport) fjernet, kun Rapporter-tab
- renderTopbar: split-pattern (primær nav venstre / state-IO høyre)
2026-05-18 12:23:57 +02:00
ef1f8d97e9 chore: WIP marketplace doc adjustments across plugins
Pre-trekexecute snapshot of in-progress CLAUDE.md/SKILL.md edits and
extracted docs/ files. Captured as one commit so /trekexecute claude-design
can run against a clean working tree.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 12:04:02 +02:00
de23a630b8 feat(llm-security): playground v7.6.2-dev — katalog list-view + builder-pane [skip-docs]
- renderCatalogSurface rewritten to list-view (1 rad per kommando),
  filter-chips (Alle/Rapport/Verktoy + 6 kategori-chips) + sok
- Builder-pane (modal) med live-preview: pipeline-strengen oppdateres
  mens skjema fylles ut. Kopier-knapp er primaer CTA med clipboard API +
  textarea-fallback for file:// (allerede eksisterende).
- Smart prefill fra store.state.shared via 'from: shared' fields i
  renderCommandForm. Pane-state skriver ikke tilbake til shared (scope
  'cat', ingen project-save). Felles-felt markert med 'felles'-badge.
- Forstegangsbesok lander pa home (fjernet onboarding auto-redirect).
  Re-onboard tilgjengelig via topbar.

Sesjon 1 av 5 i v7.7.0-lopet. CSS-additioner: catalog-filter-chips,
catalog-chip, catalog-list, catalog-row, builder-modal.

Tester: 1822/1822 gronne. Static JS-parse OK. Browser-walkthrough
gjenstar — verifiseres manuelt for v7.7.0 release. Docs oppdateres ved
v7.7.0-release i Sesjon 5 (samlet commit).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 11:56:44 +02:00
a66f7f28c9 chore: roll up in-progress changes across plugins
- claude-design: scaffold new plugin (plugin.json, CHANGELOG, README)
- llm-security: playground design-system updates (tokens, components,
  tier3 supplement, new tier4 project-view CSS)
- ms-ai-architect: v2 mockup screenshots + local screenshot script
- voyage: annotate.mjs update

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 21:02:23 +02:00
6b3ece96a8 docs: add Communication patterns section to all plugin CLAUDE.md
Standardize named-markdown-link guidance across all plugins so file://
references render as independently clickable links in terminals like
Ghostty (bare file:// URLs only make the first clickable).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 21:01:45 +02:00
330dca4b71 docs(llm-security): tre doc-nivåer oppdatert for v7.6.1
CLAUDE.md OBLIGATORISK-regel: enhver feature-endring som pusher til
Forgejo MÅ oppdatere alle tre doc-nivåer i SAMME commit eller umiddelbart
etter. v7.6.1-fix-commit (97b054c) bumpet kun versjons-badgen — denne
oppfølgings-commit-en lukker doc-gapet.

- plugins/llm-security/README.md: ny [7.6.1] history-tabell-rad
- plugins/llm-security/CLAUDE.md: header bumpet v7.6.0 → v7.6.1 +
  ny v7.6.1-blurb (alle 6 fix-detaljer)
- README.md (rot): llm-security versjons-rad bumpet v7.6.0 → v7.6.1 +
  v7.6.1 history-bullet over v7.6.0-bullet

Ingen kodeendringer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 14:44:55 +02:00
97b054c703 fix(llm-security): playground v7.6.1 — visuelle bugs i v7.6.0
Seks bugs fanget av maintainer ved manuell verifisering i nettleser etter
v7.6.0-release. Alle skyldes mismatch mellom DS-klasser og hvordan
playground-rendrere brukte dem, eller manglende DS-implementasjoner av
klasser playground-rendrere antok eksisterte.

Fixes:
- renderFindingsBlock brukte .findings outer-class som DS har som
  2-kolonners grid (360px list + 1fr detail-panel) — headeren havnet
  i venstre kolonne, items i høyre, brutt layout i alle 18 rapporter
  med findings. Erstattet med .report-meta + h4 + findings__list >
  findings__group + findings__group-header + findings__items
  (korrekt DS-mønster, kun list-delen).
- .report-table manglet helt i DS men brukes i 7+ rendrere (OWASP,
  Supply chain, Scanner Risk Matrix, Plugin-meta, Permission-matrise,
  Live-meter, Siste runs, Godkjenninger, Mitigation roadmap). Lagt
  lokal CSS-implementasjon i playground-HTML style-blokk: border-
  collapse, zebra-hover, header-styling. Komplementerer DS-tokens
  uten å modifisere vendor.
- renderPreDeploy traffic-lights brukte .sm-card__grade som er fast
  28x28 px (én A-F-bokstav) — kuttet PASS til AS og PASS-WITH-NOTES
  til PASS-WITH-... i alle traffic-light-cards. Erstattet med
  bredde-tilpasset status-pill via inline styling (severity-soft +
  on tokens).
- Threat-model matrix-bobler ikke klikkbare. Erstattet span med
  button type=button data-threat-id + aria-label. Click-handler
  scroller til tilsvarende rad i Trusler-tabellen og fremhever
  den i 1.6 sek.
- Radar-labels overlappet ved 6+ akser fordi alle brukte
  text-anchor=middle. Økt SVG-størrelse 280 → 380, radius 105 → 125.
  Bytter text-anchor fra middle til start/end basert på horisontal-
  posisjon.
- recommendation-card__body tekstoverflyt på lange single-line tekster
  (vilkår, owner-tags, dato). Lagt overflow-wrap: anywhere;
  word-break: break-word i lokal style-blokk.

Verifisering:
- 4/4 fix-spesifikke smoke-tester passerer
- 18/18 renderere produserer fortsatt komplett HTML mot
  dft-komplett-demo (regresjons-test)
- Filendring playground.html 10677 → 10753 linjer (+76 netto)

Versjonsbump v7.6.0 → v7.6.1 (patch — bugfix-only, ingen scanner- eller
hook-atferdsendringer):
- plugins/llm-security/.claude-plugin/plugin.json
- plugins/llm-security/package.json
- plugins/llm-security/README.md (badge)
- plugins/llm-security/CHANGELOG.md ([7.6.1] entry)
- plugins/llm-security/playground/llm-security-playground.html (footer)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 14:33:19 +02:00
0a70c6f44f feat(llm-security): playground v7.6.0 — Tier 3 referanse-case komplett
Komplett integrasjon av playground-design-system Tier 3-komponenter
i playground-en. Playground er nå referanse-case for hva DS-en kan
levere når alle komponenter brukes som tilsiktet. Levert over 5 sesjoner
med atomic commits per sesjon.

Endringer i v7.6.0 (fase 1-7):
- Fjernet ~30 duplikat-CSS-deklarasjoner (DS vinner cascade)
- Page-shell harmonisert (page__header-klynge på alle 4 overflater)
- Scope-identitet via badge--scope-security
- verdict-pill-lg erstatter custom verdict-pill
- Onboarding wizard via Tier 3 form-progress + fp-step
- Tier 3 spesialkomponenter integrert:
  - tfa-flow + tfa-leg + tfa-arrow (toxic-flow-rapport)
  - mat-ladder + mat-step (posture-modenhet)
  - suppressed-group (narrative-audit)
  - codepoint-reveal + cp-tag/cp-zw/cp-bidi (UNI-funn)
  - top-risks + top-risk[data-severity] (rangert funn-listing)
  - recommendation-card[data-severity] (clean/harden/audit/posture/
    pre-deploy/plugin-audit advisory)
  - risk-meter (band-visualisering 0-100 på 5 archetypes)
  - card--severity-{level} (findings-cards modifier)

5 nye DS-helpers + mapSeverityToCardLevel + parseNarrativeAudit.
renderRecommendationsList utvidet med severity-param. renderHarden-rewrite
fra diff-row-struktur til recommendation-card med action-mapping.

Ingen scanner/hook-atferd berørt. Kun visuelt og strukturelt.
A11Y-rapport oppdatert (WCAG 2.1 AA bekreftet, severity-soft fargepar
verifisert, semantiske elementer erstatter generic div).

Versjon bumpet v7.5.0 → v7.6.0:
- plugins/llm-security/.claude-plugin/plugin.json
- plugins/llm-security/package.json
- plugins/llm-security/README.md (badge + Playground-seksjon + history)
- plugins/llm-security/CLAUDE.md (header + ny v7.6.0-blurb)
- plugins/llm-security/CHANGELOG.md ([7.6.0] entry)
- README.md (rot — llm-security-rad + history-bullet)
- plugins/llm-security/playground/llm-security-playground.html (footer)

Filendring playground.html totalt over 5 sesjoner: 10209 → 10677 linjer
(+468 netto). Per-sesjons-commits: eb8f676 (Sesjon 1, fase 1-2),
8197957 (Sesjon 2, fase 3-4), 569542d (Sesjon 3, fase 5a-d),
4c4a5ec (Sesjon 4, fase 5e-h).

Verifisering bekreftet:
- 18/18 renderere passerer regresjons-smoke-test mot dft-komplett-demo
- Grep-criteria oppfylt: top-risks 5, recommendation-card 32,
  risk-meter 7 (5 archetypes), card--severity- 4, verdict-pill-lg 20,
  fp-step 12, badge--scope-security 5, tfa-flow 3, mat-ladder 2,
  suppressed-group 8, codepoint-reveal 12
- Window-globaler intakt, JS parse OK, demo-state JSON parse OK

Kjent begrensning: parsed.findings er tom for deep-scan/audit demo-
fixturer (parser-begrensning, defensiv design — dokumentert i CHANGELOG
+ A11Y-rapport, sporet for v7.6.x patch).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 14:12:59 +02:00
4c4a5ec562 feat(llm-security): playground v7.6.0 fase 5e-h — Tier 3 spesialkomponenter (del 2) [skip-docs]
- top-risks + top-risk: rangert top-funn-listing per rapport
  (renderTopRisks helper, integrert i renderScan, renderDeepScan,
  renderPluginAudit, renderPosture, renderAudit — ekskluderer info-funn,
  default 5 toppfunn med data-severity-tinted left-border)
- recommendation-card: data-severity-attributtet utvidet på alle
  inline-bruk (Trust-verdict, Quick wins, Action plan tiers, Vilkår)
  pluss /security clean (per-bucket advisory-cards) og /security harden
  (intro snapshot + per-recommendation diff-cards med action-type-mapping
  CREATE→positive / APPEND→medium / MERGE→low / SKIP→low)
- risk-meter: lagt til på renderDeepScan og renderAudit conditional på
  data.risk_score — utvider eksisterende bruk (renderScan, renderPluginAudit,
  renderRedTeam) til 5 archetypes
- card--severity-{level}: severity-color border-modifier på .findings__item
  i renderFindingsBlock (delt helper) pluss inline-bruk i renderAudit
  category-cards og renderDiff row-items

Ny helper-funksjon mapSeverityToCardLevel(input) normaliserer severity-
strenger og action-types til DS Tier 3-konvensjonene
(critical/high/medium/low/positive). renderRecommendationsList får valgfri
severity-param som default fall-back til 'low'.

Verifisering bekreftet:
- top-risks: 5 forekomster (≥1 ✓)
- recommendation-card: 32 (≥1 ✓ — utvidet fra 4)
- risk-meter: 7 (≥3 ✓ — 5 archetypes bruker helper)
- card--severity-: 4 (≥4 ✓ — findings__item + 2 inline-steder)
- Sesjon 2-3 anker intakte (verdict-pill-lg 20, fp-step 12,
  badge--scope-security 5, tfa-flow 3, mat-ladder 2, suppressed-group 8,
  codepoint-reveal 12)
- Window-globaler intakt
- JS parse: OK (node --check på ekstrahert main JS)
- demo-state JSON parse: OK (3 prosjekter, 18 rapporter)
- HTML-balanse: 3 script / 3 /script / 1 style
- Smoke-test mot demo-data: 5/7 renderere viser komplett markup;
  renderDeepScan og renderAudit har tomme findings-arrays i demo så
  top-risks/card--severity rendrer korrekt tomt (defensiv design,
  bevisst per Sesjon 3 observasjon 2)

Filendring: 10545 → 10677 linjer (+132 netto).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 14:00:04 +02:00
569542d6eb feat(llm-security): playground v7.6.0 fase 5a-d — Tier 3 spesialkomponenter (del 1) [skip-docs]
Integrer fire llm-security-spesifikke Tier 3-komponenter:
- tfa-flow + tfa-leg + tfa-arrow: visualiserer lethal-trifecta-kjede
  i toxic-flow-rapport (untrusted-input → sensitive-access → exfil-sink)
- mat-ladder + mat-step: posture-modenhet over kategorier i posture-rapport
- suppressed-group: narrative-audit (v7.1.1) i scan-rapport executive summary
- codepoint-reveal + cp-tag: side-ved-side reveal for Unicode-steganografi
  i mcp-inspect-rapport (visible vs decoded)

Endringer:
- Fire nye render-helpers (renderToxicFlow, renderMatLadder,
  renderSuppressedGroup, renderCodepointReveal) i hovedscriptet, plassert
  før renderScan/Deep/Posture/MCP-Inspect.
- parseScan + parseDeepScan utvidet med narrative_audit-felt via ny
  parseNarrativeAudit-helper som ekstraherer "**Suppressed signals:**"-
  blokken fra raw_markdown.
- renderScan: meterHtml + suppressedHtml + toxicHtml + owaspHtml + ...
- renderDeepScan: suppressedHtml + toxicHtml + smHtml + matrixHtml + ...
- renderPosture: overall + ladderHtml + smHtml + quickHtml + ...
- renderMcpInspect: invHtml + cpHtml (rebuilt via renderCodepointReveal)

Verifisert:
- tfa-flow=3, mat-ladder=2, suppressed-group=8, codepoint-reveal=12 i HTML
- verdict-pill-lg=20, fp-step=12, scope-security=5 (Sesjon 2-kriterier intakte)
- form-progress__step strict singular=0 (DS canonical bevart)
- Window-globaler intakt (24 unike __-prefiksede globaler)
- JS parse OK (node --check), JSON-state parse OK (3 prosjekter, 18 rapporter)
- HTML-balanse OK (3 script-tags, 1 style-blokk)
- Smoke-test mot demo-data: alle 4 helpers rendrer non-empty HTML med
  forventede DS-klasser

Master-plan: plugins/llm-security/playground/V7.6.0-PLAN.local.md (Sesjon 3 av 5).
Sesjon 4 (fase 5e-h: top-risks, recommendation-card, risk-meter, card--severity-*)
neste, deretter Sesjon 5 (verifisering, docs, release).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 13:25:35 +02:00
8197957f84 feat(llm-security): playground v7.6.0 fase 3-4 — scope-identitet + Tier 3 form-progress [skip-docs]
Fase 3: badge--scope-security som identitets-chip på alle prosjekt- og
rapport-cards (signal "denne er llm-security"). Plassert i topbar
(app-header__brand), fleet-tile-meta, command-subcard card__head,
catalog-card card__head, og onboarding form-progress autosave-blokk.
verdict-pill-lg (DS Tier 2 + Tier 3 supplement) erstatter custom
verdict-pill — nå med __verdict + valgfri __sub-struktur. renderPageShell
aksepterer opts.verdictSub som videresendes til renderVerdictPill.

Fase 4: Onboarding wizard bruker DS Tier 3 form-progress + fp-step med
data-state="done|in-progress|pending" og __num/__name — erstatter
playground-ens lokale form-progress__step-implementasjon. Steps wrappet
i form-progress__steps-container per DS-mønster. Aside har nå
form-progress__autosave-blokk med scope-badge og fullført-counter.

CSS-blokken som tidligere overstyrte DS for .verdict-pill og
.form-progress__heading/__step/__step-marker/--done er fjernet —
DS Tier 3 supplement vinner cascade-en.

Verifisering: verdict-pill-lg=20 (>=12), badge--scope-security=5 (>=5),
fp-step=12 (>=5), .verdict-pill\b i style-blokk=0, form-progress__step
strict singular=0 (3 naive treff er DS-canonical __steps-plural).
14 window-globaler intakt. JS parse OK, demo-state JSON OK,
HTML-balansert (3/3 script, 1/1 style).

Sesjon 2 av 5 i v7.6.0-pipeline. Foundation (sesjon 1) ga eb8f676.
Neste: Tier 3 spesialkomponenter del 1 (fase 5a-d) i sesjon 3.
Docs (plugin README/CLAUDE/rot-README/CHANGELOG) oppdateres i Sesjon 5
per master-plan; derav [skip-docs] her.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 13:13:03 +02:00
eb8f6761e1 feat(llm-security): playground v7.6.0 fase 1-2 — fjern DS-duplikater + page-shell harmonisering
Slett ~50 duplikat-CSS-deklarasjoner fra playground-ens <style>-blokk
som overstyrte DS Tier 3 supplement uten gevinst (.app-shell, .tab-list,
.fleet-tile*, .form-progress, .eyebrow, .page__*, .key-stat*, .field-*,
.expansion (ekskl. body), .stack-*, .card*, .tracks*, .checkbox-row).

JS-fix: 4 modifier-strenger oppdatert fra forkortede ('crit', 'med')
til DS-konsistente fulle navn ('critical', 'medium') i renderKeyStatsGrid-data.

Konsekvens: DS vinner cascade-en, eliminerer subtile visuelle drift
mellom playground og referanse-scenarioer.

Page-shell harmonisering: alle 4 overflater (onboarding, home, catalog,
project) bruker nå DS page__header-klyngen via renderPageShell. Onboarding
konvertert fra custom <header class="onboarding-header"> til samme mønster.
renderPageShell utvidet med opts.meta (page__meta) og opts.hero
(page__header--hero modifier). Hero-mønster på home med
clamp(36px, 5vw, 56px) og letter-spacing -0.025em.

Behold til Sesjon 2: .verdict-pill (erstattes av verdict-pill-lg fase 3),
.form-progress__step* (erstattes av fp-step fase 4), .multi-select
(bevisst input-box-look), .expansion__body (markup-mismatch m/ DS-anim).

Forberedelse til v7.6.0 — Tier 3 referanse-case.
2026-05-06 12:55:25 +02:00
e64343be86 feat(llm-security): playground Fase 3 — v7.5.0 med 18 parsere/renderere
Single-file SPA playground har nå parser + renderer for alle 18
produces_report=true-kommandoer (Fase 2: 10 høy-prio + Fase 3: 8
gjenstående: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test-fixtures fungerer
som kontrakt-anker for parser-utvikling.

Komplett demo-prosjekt `dft-komplett-demo` har alle 18 rapporter
ferdig parsed inline — klikk-gjennom uten "parser ikke implementert"-
paneler. 2 nye archetypes i KEY_STATS_CONFIG: kanban-buckets (clean)
og matrix-risk (threat-model).

Bug-fix: normalizeVerdictText sjekker nå GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET FØR plain GO så betinget verdict (pre-deploy
med åpne vilkår) ikke kollapser til ALLOW.

Eksponert 11 window-globaler for testing/automasjon (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-genererte
screenshots i playground/screenshots/v7.5.0/.

A11Y-rapport (WCAG 2.1 AA): 0 blokkerende, 3 mindre forbedringer
flagget for v7.5.x patch (skip-link, heading-hierarki på project,
aria-live toast).

Versjonsbump 7.4.0 -> 7.5.0 i 10 filer (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG-entry, 3 scanner VERSION-
konstanter, ROADMAP, marketplace-rot README).

Ingen scanner- eller hook-behavior-changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00
992fd8edfe feat(llm-security): playground Fase 1 — single-file SPA skjelett [skip-docs]
Mirror av ms-ai-architect playground-arkitektur, tilpasset llm-security:

- 4 overflater (onboarding/home/catalog/project) med surface-router
- IndexedDB persistens (llm-security-playground-v1) + localStorage fallback
- Theme-bootstrap med FOUC-prevention og localStorage-persist
- 20 kommandoer i CATALOG (5 kategorier: discover/posture/findings-ops/
  hardening/adversarial/mcp-ops) med full input_fields + report_archetype
- 5-gruppers onboarding (organisasjon/scope/profil/plattform/compliance)
  med form-progress sidebar
- Home: 3 tracks + fleet-grid prosjektliste + tom-state med demo-data
- Katalog: ekspanderbare grupper med live-søk og forhåndsvisning
- Prosjekt-stub: 4 screen-tabs + 6 kategori-tabs + per-kommando
  skjema/paste-import/rapport-soner
- Demo-state: Direktoratet for digital tjenesteutvikling med 2 prosjekter
- Eksport/import (JSON envelope), action-handlers (35), modal-portal

PARSERS + RENDERERS er tomme routing-objekter — fylles i Fase 2 (10 høy-prio
kommandoer) og Fase 3 (resterende 10). Paste-import viser «parser ikke
implementert»-guide-panel for kommandoer uten parser, og lagrer rå markdown
i state for fremtidig parsing.

Vendor: 27 filer synket fra shared/playground-design-system/
(MANIFEST.json sjekksum-låst, source_commit 487f7ae).

Verifisert: node --check OK (2737 linjer, 113733 char inline JS),
HTML-tag-balanse OK. Manuell smoke-test gjenstår.

Docs (plugin README, CLAUDE.md, rot-README) bumpes ved Fase 3-fullføring
sammen med plugin.json v7.5.0. Derfor [skip-docs] her.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 18:47:45 +02:00
8c3de5c09e chore(llm-security): v7.4.0 — examples + e2e suite minor
Bumps from v7.3.1 to v7.4.0. Purely additive surface — no scanner
or hook behavior changes, no breaking changes.

Headline content (already merged on main since v7.3.1):

- examples/ utvidelse — seven runnable demonstration walkthroughs
  shipped over three sessions (sesjon 1 pre-existing
  prompt-injection-showcase + lethal-trifecta-walkthrough,
  mcp-rug-pull, supply-chain-attack, poisoned-claude-md,
  bash-evasion-gallery, toxic-agent-demo, pre-compact-poisoning).
  Each is self-contained: README + fixture + run-script +
  expected-findings testable contract. State-isolation pattern
  (PID-suffixed JSONL or env-overrides like
  LLM_SECURITY_MCP_CACHE_FILE) keeps the user's real cache and
  /tmp state untouched.
- tests/e2e/ — three new suites totalling 45 tests:
  attack-chain.test.mjs (17), multi-session.test.mjs (9),
  scan-pipeline.test.mjs (19). Test count 1777 to 1822. These
  exercise the framework as a coordinated system rather than as
  isolated unit-tests.

Version sync (8 files):

- package.json
- .claude-plugin/plugin.json
- CLAUDE.md (header)
- README.md (badge + Recent versions tabellen new row)
- CHANGELOG.md (Unreleased to [7.4.0] - 2026-05-05 with summary)
- scanners/dashboard-aggregator.mjs VERSION constant
- scanners/ide-extension-scanner.mjs VERSION constant
- scanners/posture-scanner.mjs VERSION constant

Stabilization-stance unchanged. v8.0.0 remains the planned
deprecation-cleanup release. v7.x continues as the stable line.

Tests: 1822/1822 grønne lokalt etter bump.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 15:34:02 +02:00
5e21ebdc91 feat(llm-security): add pre-compact-poisoning example for PreCompact hook [skip-docs]
Runnable demonstration of hooks/scripts/pre-compact-scan.mjs (the
only PreCompact hook in the plugin) detecting both a CRITICAL
injection pattern and an AWS-shaped credential inside a synthetic
JSONL transcript, exercised across all three values of
LLM_SECURITY_PRECOMPACT_MODE plus a benign-transcript control case
in block mode that proves the gate is not a brick wall.

The transcript is generated at runtime in a per-invocation tempdir
under os.tmpdir() and the directory is removed in a finally block,
so the user's real ~/.claude/projects/.../transcripts/ are never
touched. The AWS-shaped key uses the same 'AK' + 'IA' + ...
fragmentation idiom as tests/e2e/attack-chain.test.mjs so this
source contains no literal credentials and pre-edit-secrets does
not block writes during development.

Nine independent assertions (9/9 must pass):
- block mode + poisoned: exit 2, decision=block JSON, reason text
  covers both injection and AWS labels (3 assertions)
- warn mode + poisoned: exit 0, systemMessage JSON, no decision
  field (2 assertions)
- off mode + poisoned: exit 0, no JSON on stdout (2 assertions)
- block mode + benign: exit 0, no decision=block JSON (2 assertions)

OWASP / framework mapping: LLM01, LLM02, ASI01, AT-1, AT-3.

Docs updated: plugin README "Other runnable examples", plugin
CLAUDE.md "Examples" tabellen, CHANGELOG [Unreleased] Added.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 15:23:10 +02:00
4f5857f452 feat(llm-security): add toxic-agent-demo example for TFA scanner [skip-docs]
Single-component lethal-trifecta walkthrough that drives
scanners/toxic-flow-analyzer.mjs against a deliberately
misconfigured fixture plugin. The fixture agent declares
tools: [Bash, Read, WebFetch], which alone covers all three
trifecta legs (input surface + data access + exfil sink). No
hooks/hooks.json is shipped, so TFA's mitigation logic finds
no active guards and emits a CRITICAL "Lethal trifecta:"
finding without downgrade.

Plugin marker is plugin.fixture.json (recognised by isPlugin())
rather than .claude-plugin/plugin.json — the latter is blocked
by the plugin's own pre-write-pathguard hook, and
plugin.fixture.json exists in isPlugin() specifically so
example fixtures can self-mark without touching guarded paths.

Three independent assertions (3/3 must pass): direct trifecta
present and CRITICAL; finding mentions the exfil-helper
component; description confirms "no hook guards detected"
(proves the mitigation path stayed inactive). expected-findings.md
documents the contract.

OWASP / framework mapping: ASI01, ASI02, ASI05, LLM01, LLM02, LLM06.

Docs updated: plugin README "Other runnable examples", plugin
CLAUDE.md "Examples" tabellen, CHANGELOG [Unreleased] Added.
[skip-docs] is appropriate because examples don't change what
the plugin "synes å dekke utad" — marketplace root README is
unaffected.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 15:15:04 +02:00
e7e332bcd6 feat(llm-security): add 3 more runnable threat examples [skip-docs]
Three new self-contained, runnable threat demonstrations under
examples/, continuing the batch started in 24b65b3. Each example
has README.md + run-*.mjs + expected-findings.md and uses
state-isolation discipline so the user's real cache/state files
are never polluted.

- examples/supply-chain-attack/ — two-layer demonstration:
  pre-install-supply-chain (PreToolUse) blocks compromised
  event-stream version 3.3.6 and emits a scope-hop advisory for
  the @evilcorp scope; dep-auditor (DEP scanner, offline) flags
  5 typosquat dependencies plus a curl-piped install-script
  vector in the fixture package.json. Maps to LLM03/LLM05/ASI04.

- examples/poisoned-claude-md/ — all 6 memory-poisoning detectors
  fire on a deliberately poisoned CLAUDE.md plus a fixture
  agent file under .claude/agents (E15/v7.2.0 surface):
  detectInjection, detectShellCommands, detectSuspiciousUrls,
  detectCredentialPaths, detectPermissionExpansion,
  detectEncodedPayloads. No agent runtime needed — scanner
  imported directly. Maps to LLM01/LLM06/ASI04.

- examples/bash-evasion-gallery/ — one disguised variant per
  T1 through T9 evasion technique fed through pre-bash-destructive,
  verified BLOCK after bash-normalize strips the evasion. T8
  base64-pipe-shell uses its own BLOCK_RULE. The canonical
  destructive form uses a path token rather than the bare slash
  (regex word-boundary requires it). Source-string fragmentation
  pattern reused from the e2e attack-chain test. Maps to
  LLM06/ASI01/LLM01.

Plugin README "Other runnable examples" section + plugin
CLAUDE.md "Examples" table + CHANGELOG Unreleased/Added
all updated. Marketplace root README unchanged
([skip-docs] for marketplace-level gate — plugin's outward
coverage is unchanged, only demonstrations were added).
2026-05-05 15:01:20 +02:00
24b65b3f27 feat(llm-security): add lethal-trifecta + mcp-rug-pull example contents [skip-docs]
Companion to 075f159 (which only carried the doc updates — the example
directories themselves were left out of staging by mistake). This
commit adds the actual example mappes:

- examples/lethal-trifecta-walkthrough/{README.md, run-trifecta.mjs,
  expected-findings.md}
- examples/mcp-rug-pull/{README.md, run-rug-pull.mjs,
  expected-findings.md}

Plus plugin CLAUDE.md "Examples (runnable demonstrations)" section
with a 4-row table covering malicious-skill-demo, prompt-injection-
showcase, lethal-trifecta-walkthrough, and mcp-rug-pull plus the
state-isolation discipline notes.

Marketplace root README unchanged since plugin's outward coverage
is unchanged ([skip-docs] covers the marketplace-level gate).
2026-05-05 14:45:39 +02:00
075f159c1f feat(llm-security): add lethal-trifecta + mcp-rug-pull examples [skip-docs]
Two new self-contained, runnable threat demonstrations under examples/:

- lethal-trifecta-walkthrough/ — feeds 5 hook calls (WebFetch, Read .env,
  Bash curl POST + suppression follow-ups) into post-session-guard and
  verifies the Rule-of-Two advisory fires exactly on leg 3. State
  isolated via run-script PID so /tmp/llm-security-session-*.jsonl is
  not polluted. Treffer post-session-guard, ASI01/ASI02, LLM01/LLM02.

- mcp-rug-pull/ — mutates an MCP tool description across 8 stages.
  Each per-update <10% Levenshtein, cumulative reaches 32.2% by stage
  7 — proves the v7.3.0 (E14) mcp-cumulative-drift MEDIUM advisory
  catches slow-burn rug-pulls that the per-update detection would
  miss. Uses LLM_SECURITY_MCP_CACHE_FILE to isolate cache. Treffer
  post-mcp-verify, mcp-description-cache.mjs, OWASP MCP05/LLM03/ASI04.

Each example: README.md + run-*.mjs + expected-findings.md.
Plugin README "Other runnable examples" section + CHANGELOG
[Unreleased] Added bullets + plugin CLAUDE.md "Examples" section
all updated in this commit. Marketplace root README unchanged
since plugin's outward coverage is unchanged ([skip-docs]
covers the marketplace-level gate).
2026-05-05 14:45:15 +02:00
b5d29f8cd6 test(llm-security): add e2e suite proving framework works as coordinated system
Three new files in tests/e2e/ (45 tests, 1777 -> 1822):

- attack-chain.test.mjs (17): full hook stack against attack payloads in
  sequence -- prompt injection at the gate; T1/T5/T8 bash evasions;
  pathguard on .env / .ssh; secrets hook on AWS-shaped keys and PEM
  headers; markdown link-title and HTML-comment poisoning in tool
  output; trifecta accumulation over a single session with dedup on
  the next benign call.

- multi-session.test.mjs (9): state persistence across simulated
  session boundaries. Uses the fact that a hook child's process.ppid
  equals the test runner's process.pid, so writing the session state
  file directly simulates "previous session" history. Covers slow-burn
  trifecta (legs spread >50 calls), MCP cumulative description drift
  via LLM_SECURITY_MCP_CACHE_FILE override, and pre-compact transcript
  poisoning in warn / block / clean / missing-file modes.

- scan-pipeline.test.mjs (19): scan-orchestrator + all 10 scanners +
  toxic-flow correlator against poisoned-project (BLOCK / 95 / Extreme)
  and grade-a-project (WARNING / 48 / High). Asserts envelope shape,
  verdict, risk_score, severity counts, OWASP coverage, scanner
  enumeration, and a narrative-coherence cross-check that the BLOCK
  scan strictly outranks the WARNING scan along every axis.

Test files build credential-shaped payloads at runtime via concatenation
so they contain no literal matches for the pre-edit-secrets regexes
(memory rule feedback_secrets_hook_test_fixtures.md).

Doc updates in same commit per marketplace policy:
- CLAUDE.md header: 1777+ -> 1822+ tests, mentions tests/e2e/
- README.md badge tests-1777 -> tests-1822, body text updated
- CHANGELOG.md: new [Unreleased] Added section describing scope

No version bump. No behavior changes outside tests/.
2026-05-05 12:06:57 +02:00
c68c395927 docs: introduce GOVERNANCE.md and unify fork-and-own blurb
Establish a single governance document at marketplace root and copy
it into each of the 9 plugins so every plugin folder remains 100%
self-contained. Replace the inconsistent provocative blurb across
all READMEs with a uniform fork-and-own paragraph that links to
the local GOVERNANCE.md.

[skip-docs]

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-03 14:57:00 +02:00
Kjell Tore Guttormsen
43ca4bd5e8 chore(privacy): scrub real-org references from plugin internals (phase 2)
Same bulk replacement applied to plugin-internal KB, examples, fixtures,
tests, and docs. Real organization names, persona names, internal system
identifiers, and domain-specific terms replaced with fictional generic
public-sector entity (DDT) and generic terminology.

Scope:
- okr/ — examples, governance, framework, integrations, sources
- ms-ai-architect/ — KB references (engineering, governance, security,
  infrastructure, advisor), tests/fixtures, agents, docs
- linkedin-thought-leadership/ — voice samples, network-builder,
  examples (genericized identifying headlines to "[your organization]")
- llm-security/ — research notes, scan report

Manual genericization beyond bulk replace:
- okr SKILL.md "Primary user / Domain" — generic Norwegian public sector
- linkedin-voice SKILL.md headline placeholder
- network-builder.md headline placeholder
- high-engagement-posts.md voice sample employer line + hashtag

Phase 3 (factual-attribution review) remains: a few KB files attribute
publicly known transport-sector docs/datasets (e.g. håndbok V440, NVDB)
to the fictional DDT after bulk replace. Needs manual semantic review
to either remove or restore correct citation without re-introducing
affiliation references.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-03 04:28:15 +02:00
Kjell Tore Guttormsen
be41a22f1a fix(llm-security): correct distribution URLs to marketplace path
The plugin lives in ktg-plugin-marketplace and is distributed via the
Claude Code marketplace mechanism. There is no standalone
open/claude-code-llm-security repo; references to it were aspirational
and never realized.

- package.json: homepage now deep-links to plugins/llm-security/ in the
  marketplace; repository.url uses the marketplace repo with directory
  field (npm convention for monorepo plugins); bugs.url routes to
  marketplace issue tracker.
- CLAUDE.md: "Public Repository" section replaced with "Distribution"
  section documenting the marketplace install path.
- CONTRIBUTING.md: issue tracker URL points at marketplace issues with
  [llm-security] prefix convention.
- CHANGELOG.md: v7.3.1 entry rewritten to reflect actual change
  (URLs corrected to marketplace, not "fixed from one wrong URL to
  another wrong URL").

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 06:20:54 +02:00