Commit graph

38 commits

Author SHA1 Message Date
Kjell Tore Guttormsen
d7ed1b2d62 feat(llm-security): add .kt .groovy .scala to taint-tracer CODE_EXTENSIONS 2026-04-18 10:04:32 +02:00
Kjell Tore Guttormsen
7abc2aacd1 docs(llm-security): add knowledge/jetbrains-marketplace-api-notes.md 2026-04-18 10:02:04 +02:00
Kjell Tore Guttormsen
8775c1d316 docs(llm-security): add JetBrains sections to ide-extension-threat-patterns 2026-04-18 10:00:59 +02:00
Kjell Tore Guttormsen
facc15f54a feat(llm-security): seed top-jetbrains-plugins.json + loadJetBrainsBlocklist export
Step 1/17 of ultraplan-2026-04-17-jetbrains-ide-scan.

- Populate top-jetbrains-plugins.json with 56 canonical xmlIds (bundled +
  popular third-party): com.intellij.java, org.jetbrains.kotlin,
  com.jetbrains.python.community, org.rust.lang, com.github.copilot,
  mobi.hsz.idea.gitignore, the legitimate-typo 'Lombook Plugin', etc.
- Add loadJetBrainsBlocklist() export mirroring loadVSCodeBlocklist shape.
  Blocklist is empty by design — no public confirmed-malicious JetBrains
  Marketplace plugins as of 2026-04-17.
- Add tests/scanners/ide-extension-data.test.mjs (9 tests, all pass).
- Fix cache bug in loadTopJetBrains: map normalizeId on cache-hit path too
  (was previously unnormalized on second call).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 09:56:55 +02:00
Kjell Tore Guttormsen
4d0213fe04 docs(llm-security): research brief + URL-support plan for ide-scan
- jetbrains-research-brief.md: 29 sources, confidence 0.88 — input for v6.6.0 JetBrains/IntelliJ extension scanning. Covers plugin format, install paths per OS+product, Marketplace API, threat landscape (zero confirmed-malicious cases), check-mapping table, sandbox reuse verdict, risk register.
- ide-scan-url-support.md: retroactive plan doc for v6.4.0 URL-fetch feature.
2026-04-17 18:47:01 +02:00
Kjell Tore Guttormsen
a9759e0b16 feat(llm-security): OS sandbox for /security ide-scan <url> (v6.5.0)
VSIX fetch + extract for URL targets now runs in a sub-process wrapped by
sandbox-exec (macOS) or bwrap (Linux), reusing the same primitives proven
by the v5.1 git-clone sandbox. Defense-in-depth — even if our own
zip-extract.mjs ever has a bypass, the kernel refuses any write outside
the per-scan temp directory.

New files:
- scanners/lib/vsix-fetch-worker.mjs — sub-process worker. Argv: --url
  --tmpdir; emits one JSON line on stdout (ok/sha256/size/source/extRoot
  or ok:false/error/code). Silent on stderr. Exit 0/1.
- scanners/lib/vsix-sandbox.mjs — wrapper. Exports buildSandboxProfile,
  buildBwrapArgs, buildSandboxedWorker, runVsixWorker. 35s timeout, 1 MB
  stdout cap.

Changes:
- scanners/ide-extension-scanner.mjs: fetchAndExtractVsixUrl is now
  sandbox-aware (useSandbox option, default true). In-process logic
  preserved as fallback. New meta.source.sandbox field:
  'sandbox-exec' | 'bwrap' | 'none' | 'in-process'.
- scan(target, { useSandbox }) defaults to true; tests pass false because
  globalThis.fetch mocks do not cross process boundaries.
- Windows fallback: in-process with meta.warnings advisory.

Tests:
- 8 new tests in tests/scanners/vsix-sandbox.test.mjs (per-platform
  profile generation, worker arg construction, live worker exit
  behavior on invalid URLs — no network).
- Existing URL tests updated to opt out of sandbox (useSandbox: false).
- 1344 → 1352 tests, all green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 17:28:57 +02:00
Kjell Tore Guttormsen
b88880f757 feat(llm-security): /security ide-scan <url> — Marketplace/OpenVSX/direct VSIX (v6.4.0)
Pre-installation verification of VS Code extensions via URL — fetch a remote
VSIX, extract it in a hardened sandbox, and run the existing IDE scanner
pipeline against it. No npm dependencies.

Sources:
- VS Code Marketplace (publisher.gallery.vsassets.io direct download)
- OpenVSX (open-vsx.org official API)
- Direct .vsix HTTPS URLs

Defenses:
- HTTPS-only, TLS verified, manual redirect with per-source host whitelist
- 30s total timeout via AbortController
- 50MB compressed cap, 500MB uncompressed, 100x expansion ratio
- Zero-dep ZIP extractor: zip-slip, absolute paths, drive letters, NUL bytes,
  symlinks (Unix mode 0xA000), depth limits, ZIP64 rejected, encrypted rejected
- SHA-256 streamed during fetch, surfaced in meta.source
- Temp dir cleanup in all paths (try/finally)

Files:
- scanners/lib/vsix-fetch.mjs (HTTPS fetcher, host whitelist, streaming SHA-256)
- scanners/lib/zip-extract.mjs (zero-dep parser with hardening caps)
- knowledge/marketplace-api-notes.md (endpoint reference)
- 3 test files (48 tests added: vsix-fetch, zip-extract, ide-extension-url)

Tests: 1296 → 1344 (all green).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 17:16:26 +02:00
Kjell Tore Guttormsen
acf0d8077d feat(llm-security): add /security ide-scan — VS Code / JetBrains extension prescan (v6.3.0)
New standalone scanner (prefix IDE) discovers installed VS Code extensions
across forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH)
and runs 7 IDE-specific threat checks: blocklist match (CRITICAL),
theme-with-code, sideload (unsigned .vsix), dangerous uninstall hook (HIGH),
wildcard activation, extension-pack expansion, typosquat (MEDIUM).

Per-extension reuse of UNI/ENT/NET/TNT/MEM/SCR scanners with bounded
concurrency. Offline-first; --online opt-in. JetBrains discovery stubbed
for v1.1. 22 new tests (1296 total, was 1274).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 16:23:35 +02:00
Kjell Tore Guttormsen
ce82d86a47 docs: update READMEs for llm-security v6.2.0 (9 hooks, PreCompact, Opus 4.7) 2026-04-17 15:35:52 +02:00
Kjell Tore Guttormsen
61a266acf8 chore(release): v6.2.0 — bash-normalize T5/T6, PreCompact hook, hardening guide 2026-04-17 14:55:26 +02:00
Kjell Tore Guttormsen
8dcbb5ab70 docs(claude-md): link Defense Philosophy to Opus 4.7 system card 2026-04-17 14:50:07 +02:00
Kjell Tore Guttormsen
151fe50028 docs: add security-hardening-guide with Opus 4.7 + Claude Code 2.1.112 env-vars 2026-04-17 14:48:29 +02:00
Kjell Tore Guttormsen
71ac02ca13 refactor(agents): add Step 0 + parallel-read hint to mcp-scanner-agent 2026-04-17 14:46:30 +02:00
Kjell Tore Guttormsen
8649926e35 refactor(agents): reduce stacked imperatives in skill-scanner-agent for Opus 4.7 2026-04-17 14:46:06 +02:00
Kjell Tore Guttormsen
6f798f28b3 feat(hooks): register PreCompact event in hooks.json 2026-04-17 14:45:13 +02:00
Kjell Tore Guttormsen
b3ef078450 test(hooks): cover pre-compact-scan happy-path, modes, size-cap 2026-04-17 14:44:52 +02:00
Kjell Tore Guttormsen
cca65aad88 feat(hooks): add pre-compact-scan hook skeleton 2026-04-17 14:40:50 +02:00
Kjell Tore Guttormsen
17b8c8fa16 docs(claude-md): reframe bash-normalize as defense-in-depth layer 2026-04-17 14:37:03 +02:00
Kjell Tore Guttormsen
5a3d005f34 test(scanners): cover bash-normalize T5 IFS + T6 hex + false-positive probe 2026-04-17 14:29:15 +02:00
Kjell Tore Guttormsen
09e42934b1 fix(scanners): preserve single-quoted regions through bash-normalize pipeline
Masks non-empty '...' content before T5/T2-T4 run so literal strings such
as `echo '${IFS}'` are not rewritten. Empty '' pairs are stripped first
so c''u''rl -> curl evasion keeps resolving. ANSI-C $'...' is decoded
before masking.

Caught by the false-positive probe added in Step 3 of ultraplan-v6.2.0.
2026-04-17 14:29:02 +02:00
Kjell Tore Guttormsen
c462d0ed32 feat(scanners): extend bash-normalize with T5 IFS + T6 ANSI-C hex quoting 2026-04-17 13:59:15 +02:00
Kjell Tore Guttormsen
4fa904fb3c docs(readme): replace npx references with node bin/ (not yet on npm)
npx llm-security requires npm publishing which hasn't happened.
Updated 3 references to use node bin/llm-security.mjs which works today.
CI templates and docs intentionally kept as-is (designed for future npm).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 15:20:44 +02:00
Kjell Tore Guttormsen
4bcfcbfe42 docs(readme): update README body for v6.0+v6.1 — fix stale counts and tables
Badges, intro, commands, scanner table, Mermaid diagram, directory tree,
and knowledge base section all had counts frozen at v3-v4 era. Updated
to match actual filesystem: 21 scanners (10+11), 18 commands, 16 knowledge
files, 16 posture categories, 1264 tests. Added missing bin/, ci/, docs/
directories and all standalone scanners to directory tree.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 15:15:16 +02:00
Kjell Tore Guttormsen
b61c631975 feat(ci): add CI/CD integration — --fail-on, --compact, pipeline templates
Add threshold-based exit codes (--fail-on <severity>) and compact
output mode (--compact) to scan-orchestrator and CLI. Pipeline
templates for GitHub Actions, Azure DevOps, GitLab CI with SARIF
upload. CI/CD guide with Schrems II/NSM compliance documentation.
npm publish preparation (files whitelist, .npmignore). Policy ci
section for distributable CI defaults. Version 6.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 14:59:05 +02:00
Kjell Tore Guttormsen
08201510ac fix(scanners): use process.exitCode instead of process.exit() after stdout.write
process.exit() terminates before pipe buffers drain, truncating output
at 64KB when piped through another Node.js process on macOS. Affects
scan-orchestrator (SARIF output) and supply-chain-recheck-cli.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 14:11:31 +02:00
Kjell Tore Guttormsen
9fa89d6111 chore(release): bump to v6.0.0 — CAISS-readiness release with compliance, governance, CLI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 14:03:10 +02:00
Kjell Tore Guttormsen
1a5f8676ad feat(cli): add standalone CLI wrapper — npx llm-security scan without Claude Code
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 13:58:25 +02:00
Kjell Tore Guttormsen
367bae3939 feat(governance): add policy-as-code — .llm-security/policy.json for distributable hook configuration
New policy-loader.mjs reads .llm-security/policy.json with deep-merge against
defaults that exactly match existing hardcoded values. Integrated into all 7 hooks:
- pre-prompt-inject-scan: injection.mode (env var still takes precedence)
- post-session-guard: trifecta.mode, window_size, long_horizon_window
- pre-edit-secrets: secrets.additional_patterns
- pre-bash-destructive: destructive.additional_blocked
- pre-write-pathguard: pathguard.additional_protected
- pre-install-supply-chain: supply_chain.additional_blocked_packages
- post-mcp-verify: mcp.volume_threshold_bytes, mcp.trusted_servers

Backward compatible: no policy file = identical behavior to v5.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 13:37:02 +02:00
Kjell Tore Guttormsen
04116e0b30 feat(scanner): add AI-BOM generator — CycloneDX 1.6 format for AI supply chain transparency
New bom-builder.mjs discovers AI components (models, MCP servers, plugins,
knowledge files, hooks) and builds CycloneDX 1.6 JSON BOMs.
CLI entry point: node scanners/ai-bom-generator.mjs <target>.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 13:29:30 +02:00
Kjell Tore Guttormsen
482d9320b7 feat(governance): add structured JSONL audit trail with SIEM-ready schema
New audit-trail.mjs writes structured events to LLM_SECURITY_AUDIT_LOG path.
Integrated into post-session-guard at 6 warning emission points: trifecta,
escalation-after-input, data flow, volume threshold, slow-burn, behavioral drift.
No-op when env var not set — zero overhead for existing users.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 13:25:59 +02:00
Kjell Tore Guttormsen
fd323437c0 feat(scanner): add SARIF 2.1.0 output format to scan-orchestrator (--format sarif)
New sarif-formatter.mjs converts scan envelope to OASIS SARIF 2.1.0 standard.
Maps severity to SARIF levels, findings to results with locations and rules.
scan-orchestrator accepts --format sarif|json (default: json).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 13:22:59 +02:00
Kjell Tore Guttormsen
7b96e19cbe feat(posture): add EU AI Act, NIST AI RMF, ISO 42001 compliance categories (14-16)
Extends posture scanner from 13 to 16 categories with three governance/compliance
checks. New categories are advisory (not in CRITICAL_CATEGORIES) — existing Grade A
projects remain Grade A. VERSION bumped to 6.0.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 13:17:25 +02:00
Kjell Tore Guttormsen
941eb441f8 feat(scanner): add --benchmark mode to attack-simulator with structured reporting 2026-04-10 13:02:58 +02:00
Kjell Tore Guttormsen
07cfd89a1e feat(knowledge): add MITRE ATLAS IDs to OWASP files + Norwegian regulatory context 2026-04-10 12:49:10 +02:00
Kjell Tore Guttormsen
4b63f73b53 feat(knowledge): add compliance-mapping document — EU AI Act, NIST AI RMF, ISO 42001 2026-04-10 12:29:14 +02:00
Kjell Tore Guttormsen
85efea701c docs: standardize installation instructions across all plugins
All 6 plugin READMEs now use identical installation section:
marketplace-first approach with /plugin browsing, then direct
settings.json as alternative. Replaces inconsistent mix of
git clone, plugin add, and JSON-only instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 15:10:24 +02:00
Kjell Tore Guttormsen
3082ec355a chore: fix metadata gaps and add root CLAUDE.md
- llm-security SECURITY.md: update supported versions 3.0.x → 5.1.x
- config-audit plugin.json: add license, repository, keywords
- Add root CLAUDE.md with repo structure and conventions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 13:10:22 +02:00
Kjell Tore Guttormsen
f153f969a0 feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command
Add /ultraresearch-local for structured research combining local codebase
analysis with external knowledge via parallel agent swarms. Produces research
briefs with triangulation, confidence ratings, and source quality assessment.

New command: /ultraresearch-local with modes --quick, --local, --external, --fg.
New agents: research-orchestrator (opus), docs-researcher, community-researcher,
security-researcher, contrarian-researcher, gemini-bridge (all sonnet).
New template: research-brief-template.md.

Integration: --research flag in /ultraplan-local accepts pre-built research
briefs (up to 3), enriches the interview and exploration phases. Planning
orchestrator cross-references brief findings during synthesis.

Design principle: Context Engineering — right information to right agent at
right time. Research briefs are structured artifacts in the pipeline:
ultraresearch → brief → ultraplan --research → plan → ultraexecute.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 08:58:35 +02:00