Compare commits

...

4 commits

Author SHA1 Message Date
0dd46da2f7 chore(llm-security): STATE — v7.8.0 tagged + catalog ref synced 2026-06-20 11:59:03 +02:00
731d61f801 chore(llm-security): STATE — codename scrub complete (history rewritten + force-pushed) 2026-06-20 11:40:27 +02:00
a19e9eb8b2 docs(llm-security): drop internal codename from v7.8.0 notes
Reword the v7.8.0 release notes to refer to the scanners as TRG/SIG/AST only;
the internal codename is removed from CHANGELOG, CLAUDE.md, README, the
version-history section, and STATE. No behaviour or version change.
2026-06-20 11:37:28 +02:00
405874c0c4 chore(llm-security): STATE — v7.8.0 released (Session C); only F-4 (optional) left 2026-06-20 11:23:42 +02:00
5 changed files with 48 additions and 35 deletions

View file

@ -8,8 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
## [7.8.0] - 2026-06-20 ## [7.8.0] - 2026-06-20
TRG/SIG/AST — three new deterministic deep-scan scanners targeting the Three new deterministic deep-scan scanners (TRG/SIG/AST) targeting the
skills/agents attack surface (TRG/SIG/AST). Each ships with its own finding skills/agents attack surface. Each ships with its own finding
prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip
behaviour. Built behind a security-fix gate: the F-1/F-2/F-3 shell-injection behaviour. Built behind a security-fix gate: the F-1/F-2/F-3 shell-injection
and path-traversal fixes landed first. No existing scanner, hook, or command and path-traversal fixes landed first. No existing scanner, hook, or command

View file

@ -4,7 +4,7 @@ Security scanning, auditing, and threat modeling for Claude Code projects. 5 fra
Release notes for v7.0.0 → v7.8.0: see `docs/version-history.md` — read on demand. Release notes for v7.0.0 → v7.8.0: see `docs/version-history.md` — read on demand.
**v7.8.0 highlights** — TRG/SIG/AST: three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse — `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline, so obfuscated known-malware a byte-matcher misses is still caught; rules in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for scope-aware Python taint analysis, falling back to the regex `taint-tracer.mjs` when `python3` is absent; the helper only `ast.parse`s the target, never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 landed first). No existing scanner, hook, or command behaviour changes. **v7.8.0 highlights** — Three new deterministic deep-scan scanners (TRG/SIG/AST) targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse — `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline, so obfuscated known-malware a byte-matcher misses is still caught; rules in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for scope-aware Python taint analysis, falling back to the regex `taint-tracer.mjs` when `python3` is absent; the helper only `ast.parse`s the target, never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 landed first). No existing scanner, hook, or command behaviour changes.
**v7.7.2 highlights** — Language consistency pass. Norwegian had crept into the playground UI strings, the canonical CLI renderer (`scripts/lib/report-renderers.mjs`), the HTML Report-step appended by all 18 skill commands, two agent prompts, and the marketplace + plugin README/CLAUDE.md state sections. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), surface text was translated to English. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high|^høy/`, `/resolution|løsning/`) were preserved. No scanner, hook, or behavior changes. **v7.7.2 highlights** — Language consistency pass. Norwegian had crept into the playground UI strings, the canonical CLI renderer (`scripts/lib/report-renderers.mjs`), the HTML Report-step appended by all 18 skill commands, two agent prompts, and the marketplace + plugin README/CLAUDE.md state sections. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), surface text was translated to English. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high|^høy/`, `/resolution|løsning/`) were preserved. No scanner, hook, or behavior changes.

View file

@ -628,7 +628,7 @@ demonstrations — each with `README.md`, fixture, run script, and
| Version | Date | Highlights | | Version | Date | Highlights |
|---------|------|------------| |---------|------|------------|
| **7.8.0** | 2026-06-20 | **TRG/SIG/AST — TRG/SIG/AST deep-scan scanners.** Three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse: `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline (base64/hex/url/entity/unicode, homoglyph fold, rot13), so obfuscated known-malware a byte-matcher misses is still caught; rules ship in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for variable-level, scope-aware Python taint analysis — higher recall than the ~70% regex `taint-tracer.mjs` — and falls back to the regex tracer when `python3` is unavailable, so the scan never hard-fails; the helper only `ast.parse`s the target and never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 shell-injection + path-traversal fixes landed first). 1863 tests, 0 fail. | | **7.8.0** | 2026-06-20 | **TRG/SIG/AST deep-scan scanners.** Three new deterministic deep-scan scanners targeting the skills/agents attack surface, each with its own finding prefix, OWASP/AST mapping, policy block, and graceful-skip behaviour. **TRG** (`scanners/trigger-scanner.mjs`) inspects command/agent/skill `name` + `description` frontmatter for activation-surface abuse: `TRG-shadow` (name collides with a built-in and intercepts it), `TRG-baiting` (maximally-activating phrases that bait indiscriminate invocation), `TRG-broad` (generic name + universal-applicability claim); descriptions pass the decode pipeline first so obfuscated baiting still trips (LLM06/AST04). **SIG** (`scanners/signature-scanner.mjs`) is a pure-Node known-malware *identity* engine (webshells, reverse shells, cryptominers, hacktools) that tests each signature against both raw bytes and the decode pipeline (base64/hex/url/entity/unicode, homoglyph fold, rot13), so obfuscated known-malware a byte-matcher misses is still caught; rules ship in `knowledge/signatures.json` (LLM03/LLM02). **AST** (`scanners/ast-taint-scanner.mjs`) shells out to a PARSE-ONLY `python3` helper (`scanners/lib/py-ast-taint.py`) for variable-level, scope-aware Python taint analysis — higher recall than the ~70% regex `taint-tracer.mjs` — and falls back to the regex tracer when `python3` is unavailable, so the scan never hard-fails; the helper only `ast.parse`s the target and never executes it (LLM01/LLM02/AST02). Built behind a security-fix gate (F-1/F-2/F-3 shell-injection + path-traversal fixes landed first). 1863 tests, 0 fail. |
| **7.7.2** | 2026-05-19 | **Language consistency pass.** Norwegian had crept into surface text across v7.5-v7.7. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), this release translates: the HTML Report-step appended by all 18 skill commands, the canonical CLI renderer `scripts/lib/report-renderers.mjs` (display strings + JS comments), the playground UI strings, the `skill-scanner-agent` and `mcp-scanner-agent` system prompts, the Recent versions table and playground architecture prose in this README, the v7.7.x highlights in `CLAUDE.md`, and the llm-security entries in the marketplace root `README.md` + `CLAUDE.md`, plus six table cells in `docs/scanner-reference.md`. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high\|^høy/`, `/resolution\|løsning/`) were preserved. No scanner, hook, or behavior changes — purely surface text. | | **7.7.2** | 2026-05-19 | **Language consistency pass.** Norwegian had crept into surface text across v7.5-v7.7. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), this release translates: the HTML Report-step appended by all 18 skill commands, the canonical CLI renderer `scripts/lib/report-renderers.mjs` (display strings + JS comments), the playground UI strings, the `skill-scanner-agent` and `mcp-scanner-agent` system prompts, the Recent versions table and playground architecture prose in this README, the v7.7.x highlights in `CLAUDE.md`, and the llm-security entries in the marketplace root `README.md` + `CLAUDE.md`, plus six table cells in `docs/scanner-reference.md`. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high\|^høy/`, `/resolution\|løsning/`) were preserved. No scanner, hook, or behavior changes — purely surface text. |
| **7.7.1** | 2026-05-18 | **Playground UX strip.** Operator feedback immediately after v7.7.0: the home surface led with three project tracks (Re-onboard / New project / Command catalog) even though the catalog was the important entry point. Minimum strip delivered as three atomic commits (`b732eee` + `2a6f73f` + `81b7beb`): (1) the router always forces `activeSurface = 'catalog'` (the onboarding/home/project render functions are preserved in source but no longer routable); (2) the topbar `Home` and `Re-onboard` buttons removed, `Catalog` retained; (3) the breadcrumb org-name (`shared.organization.name` from demo state) replaced with a static `llm-security` neutral scope anchor. Fix: the hardcoded `'Plugin v7.6.1'` on line 6933 of `renderHome` (template literal not caught by the v7.7.0 grep) was synced. The onboarding concept is documented as a v7.8.0 candidate (per-command context injection) in `ROADMAP.md`. No scanner or hook behavior changes. | | **7.7.1** | 2026-05-18 | **Playground UX strip.** Operator feedback immediately after v7.7.0: the home surface led with three project tracks (Re-onboard / New project / Command catalog) even though the catalog was the important entry point. Minimum strip delivered as three atomic commits (`b732eee` + `2a6f73f` + `81b7beb`): (1) the router always forces `activeSurface = 'catalog'` (the onboarding/home/project render functions are preserved in source but no longer routable); (2) the topbar `Home` and `Re-onboard` buttons removed, `Catalog` retained; (3) the breadcrumb org-name (`shared.organization.name` from demo state) replaced with a static `llm-security` neutral scope anchor. Fix: the hardcoded `'Plugin v7.6.1'` on line 6933 of `renderHome` (template literal not caught by the v7.7.0 grep) was synced. The onboarding concept is documented as a v7.8.0 candidate (per-command context injection) in `ROADMAP.md`. No scanner or hook behavior changes. |
| **7.7.0** | 2026-05-18 | **HTML report for all 18 skill commands.** Every `/security <cmd>` that produces a report now prints a clickable `file://` link to a self-contained HTML version. Delivered across 5 sessions. (1) Playground catalog list-view + builder-pane with a copy button. (2) Playground project-surface cleanup (stub-screen handling, topbar split). (3) The 18 inline parsers + renderers in the playground HTML were moved to a canonical ESM module `scripts/lib/report-renderers.mjs` (the playground keeps a bit-identical inline copy since ESM `import` does not work from `file://`). (4) New zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout mode, kebab→camel commandId routing, inlines 6 DS stylesheets + a local `.report-table` CSS, ~140 KB self-contained HTML, system-font fallback, absolute `file://` paths for Ghostty cmd-click. (5) All 18 skills wired (4 in session 4: scan/audit/posture/deep-scan; 14 in session 5: plugin-audit/mcp-audit/mcp-inspect/ide-scan/supply-check/dashboard/pre-deploy/diff/watch/registry/clean/harden/threat-model/red-team). Output: `reports/<command>-<YYYYMMDD-HHmmss>.html` relative to CWD. No scanner or hook behavior changes — purely additive. | | **7.7.0** | 2026-05-18 | **HTML report for all 18 skill commands.** Every `/security <cmd>` that produces a report now prints a clickable `file://` link to a self-contained HTML version. Delivered across 5 sessions. (1) Playground catalog list-view + builder-pane with a copy button. (2) Playground project-surface cleanup (stub-screen handling, topbar split). (3) The 18 inline parsers + renderers in the playground HTML were moved to a canonical ESM module `scripts/lib/report-renderers.mjs` (the playground keeps a bit-identical inline copy since ESM `import` does not work from `file://`). (4) New zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout mode, kebab→camel commandId routing, inlines 6 DS stylesheets + a local `.report-table` CSS, ~140 KB self-contained HTML, system-font fallback, absolute `file://` paths for Ghostty cmd-click. (5) All 18 skills wired (4 in session 4: scan/audit/posture/deep-scan; 14 in session 5: plugin-audit/mcp-audit/mcp-inspect/ide-scan/supply-check/dashboard/pre-deploy/diff/watch/registry/clean/harden/threat-model/red-team). Output: `reports/<command>-<YYYYMMDD-HHmmss>.html` relative to CWD. No scanner or hook behavior changes — purely additive. |

View file

@ -1,36 +1,49 @@
# STATE — llm-security # STATE — llm-security
**Active focus:** Security-fix track (from `docs/security-fix-brief-2026-06-20.md`). Critical review **Active focus:** NONE active. v7.8.0 RELEASED; security-fix track (F-1/F-2/F-3) +
DONE. Must-fixes **F-1 / F-2 / F-3 ALL DONE** across Sessions A + B. **Next = Session C (release).** TRG/SIG/AST scanners ALL DONE; **internal codename fully scrubbed from Forgejo + force-pushed
TRG/SIG/AST (TRG/SIG/AST) shipped Steps 17; v7.8.0 release (Step 8) stays DEFERRED until Session C. (DONE this session).** Only loose end = **F-4 (optional, LOW)**. Clean, quiescent state.
## Critical-review verdict (DONE — do NOT re-derive) ## Codename scrub (THIS session — operator: "must not appear anywhere on Forgejo") — DONE
- **F-1 / F-2 / F-3 = MUST FIX. ALL DONE.** Verified real, fixes local + mechanical. - Full history-rewrite via `git filter-repo` + **force-push** (`d11de9a``a19e9eb`).
- **F-5 / F-6 = cheap cleanup. DONE** (Session A). Verified: 0 occurrences in any blob across all refs, 0 in any commit message, 0 filenames.
- **F-4 = optional** (LOW, by-design MCP spawn; confirm-gate is a judgment call) — still open. - Tip prose reworded by hand (CHANGELOG, CLAUDE.md, README, docs/version-history.md, STATE.md);
- F-2 prefix containment does NOT stop a symlink-escape — noted inline in the fix; residual gap. scanners now referred to as TRG/SIG/AST only.
- Two `docs/plans/` docs (a gap-analysis + its trekplan, both named after the codename)
deleted from ALL history via `--invert-paths` (the `.html` render was git-ignored — deleted
locally only). Leftover historical blobs + 2 commit messages scrubbed via
`--replace-text`/`--replace-message` (`(?i)<codename> ==> TRG/SIG/AST`).
- Backup of pre-scrub history: `/tmp/llm-security-pre-scrub-backup.bundle` (all refs; old HEAD
`d11de9a`) — LOCAL only, never on Forgejo; delete once satisfied.
- RESIDUAL (server-side): old unreachable objects may linger on Forgejo until git GC. To
guarantee physical removal, run repo housekeeping/GC as Forgejo admin (`ktg`).
## Multi-session plan — FIXES COMPLETE ## What shipped (DONE — do NOT re-derive)
- **Session A — F-1 (CRITICAL) + F-5/F-6. DONE (5f50899, pushed).** `git()` → array-arg `spawnSync`. - **v7.8.0 release — Session C. DONE** (pure version-sync; no production code). Bumped
- **Session B — F-2 + F-3 (both HIGH). DONE (commit 3f64aa5).** 7.7.2 → 7.8.0 across `.claude-plugin/plugin.json`, `package.json`, `README.md` badge,
- F-2 `scanners/auto-cleaner.mjs` (~:776): prefix-containment before write — a finding whose `CLAUDE.md` header + range sentinel; CHANGELOG `[7.8.0]`, version-history section, README
`resolve(target, f.file)` escapes the tree is refused + reported skipped. Repro "Recent versions" row, CLAUDE.md highlights added. Release gate: `node --test` 1863/0.
`tests/scanners/auto-cleaner-traversal.test.mjs` (`../secret.txt`) RED→GREEN. Tagged `v7.8.0` (annotated, commit `6d3c4b5`) + pushed; catalog `ref`/README synced
- F-3 `hooks/scripts/pre-install-supply-chain.mjs` `inspectNpmPackage`: `npm view` now 7.7.2 → 7.8.0 (catalog commit `843254d`) — version-consistency gate → OK.
`spawnSync('npm',['view',spec,'--json'])` (no shell). Repro - **TRG/SIG/AST scanners — Steps 17. DONE** (`54115a9`..`d19abf0`, SHAs change after rewrite).
`tests/hooks/supply-chain-injection.test.mjs` (`$(>/abs/PWNED)`) RED→GREEN. `execSafe` kept for Three deterministic deep-scan scanners: `scanners/trigger-scanner.mjs` (TRG, LLM06/AST04),
the static `npm audit --json` call (no interpolation). `scanners/signature-scanner.mjs` (SIG, rules `knowledge/signatures.json`, LLM03/LLM02),
- Suite 1863/0 (was 1860; +3). gitleaks clean. F-1 repro re-run GREEN (sink still closed). `scanners/ast-taint-scanner.mjs` (AST, parse-only `scanners/lib/py-ast-taint.py` + regex
fallback, LLM01/LLM02/AST02). Wired into orchestrator + policy; prefixes in `output.mjs`.
- **Security-fix track — F-1/F-2/F-3 + F-5/F-6. DONE** (Sessions A+B). All shell-injection /
path-traversal sinks closed. Brief: `docs/security-fix-brief-2026-06-20.md`.
## COLD START (next session = Session C — RELEASE) ## Still open (optional only)
1. `pwd` + `git status`. Confirm 3f64aa5 + the STATE commit are present (and pushed — see notes). - **F-4 — optional, LOW** (by-design MCP spawn; confirm-gate is a judgment call). NOT required.
2. Cut v7.8.0 (TRG/SIG/AST Step 8) now that the B → A security gates pass. Read - Residual gap (inline in F-2 fix): prefix containment in `auto-cleaner.mjs` does not stop a
`docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md` Step 8 + `docs/version-history.md`. symlink inside the tree pointing out. Known, accepted.
3. Version-sync ALL refs before the bump commit (package.json, README badges, CHANGELOG, CLAUDE.md);
check consistency. Optionally add the F-4 confirm-gate. ## COLD START (next session)
1. `pwd` + `git status`. Tip should be `a19e9eb` (or later) on `origin/main`.
2. No active task queued. Options: F-4 confirm-gate if wanted, or a new direction. Do NOT
invent scope — ask. (If the codename ever needs re-checking: `git grep -i <codename>
$(git rev-list --all)` must stay empty.)
## Continuity notes ## Continuity notes
- Disclosure hold LIFTED: F-1 fix + `review-2026-06-20.md` + brief already on `origin/main`. Push - origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:0023:00;
Session-B fixes normally. weekends/holidays anytime.
- origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:0023:00; weekends/
holidays anytime. Outside window at session end → commit locally, PARK the push, say so explicitly.

View file

@ -2,9 +2,9 @@
Per-release notes for v7.0.0 onward. Imported from `CLAUDE.md` via `@docs/version-history.md`. Per-release notes for v7.0.0 onward. Imported from `CLAUDE.md` via `@docs/version-history.md`.
## v7.8.0 — TRG/SIG/AST: trigger, signature, and AST-taint scanners ## v7.8.0 — Trigger, signature, and AST-taint scanners
Three new deterministic deep-scan scanners ("TRG/SIG/AST"), each with its own Three new deterministic deep-scan scanners (TRG/SIG/AST), each with its own
finding prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip finding prefix, OWASP/AST mapping, policy block, fixtures, and graceful-skip
behaviour. They target the skills/agents activation and code surface that the behaviour. They target the skills/agents activation and code surface that the
permission and shape-based scanners do not cover. Built behind a security-fix permission and shape-based scanners do not cover. Built behind a security-fix