# STATE β€” llm-security **πŸ‘‰ NESTE β€” START HER (fresh session, Opus 4.8 xhigh) β€” the MEDIUM sweep:** **v7.8.2 SHIPPED** β€” all 5 HIGH from the completion review are fixed, released, tagged, catalog-synced and pushed. Next is the MEDIUM tier (52 findings) from the same review. Expect it to be its own release (v7.8.3 or v7.9.0), not a continuation of v7.8.2. Same discipline that worked this session: **verify each finding against the code FIRST** (STATE's own descriptions proved wrong 3x β€” see below), Iron Law per defect, one commit each. Triage first: 52 MEDIUMs will contain duplicates and non-defects β€” do a verification pass and report the real count before planning the release. **Review output (harvest source):** confirmed array + per-finding adversarial reasoning in task `w8s4rsaw8` output: `…/dfcab047-5467-4484-ab1a-5d6526439f78/tasks/w8s4rsaw8.output` (result.confirmed, 59 items). Durable journal: `~/.claude/projects/-Users-…-llm-security/ f99dcf73-d344-4377-b8ba-09fe878f32a2/subagents/workflows/wf_99daed37-f8b/journal.jsonl`. ## Lesson from v7.8.2 β€” the review's own text is a premiss, not a fact Three of five findings were described inaccurately in STATE/the review. Verify before acting: - Paths were wrong: hooks live in `hooks/scripts/`, the parser in `scanners/lib/`. - Blast radius was understated (the rm-block also missed `/*`, `-fr`, and sudo-prefixed forms). - Severity was overstated once: the char-ref defect does NOT break the no-throw contract (`safe()` catches it) and needs non-well-formed XML, so it is below HIGH. Said so in the commit. - The old `pre-bash-destructive.test.mjs` had **encoded the bug as expected behaviour** with a wrong root-cause NOTE. Green suites can be green because the test was shaped around the defect β€” when a test comment explains why something *isn't* caught, treat it as a lead, not a spec. ## ⚠️ NEVER `git add -A` in this repo Did it this session and swept the 3 parked docs into a release commit aimed at a PUBLIC mirror. Caught before push and amended out, but the guard is: **stage explicit paths, always.** ## PARKED β€” v8 family strategy (behind an operator visibility decision, DO NOT PUSH) 4 of 6 deliverables written, LOCAL ONLY: `docs/JOBS-TO-BE-DONE.md`, `docs/FAMILY-MAP.md`, `docs/commons-extraction-plan.md`, `docs/roadmap.md` [gitignored]. Remaining v8 docs (do NOT start until visibility is decided): formal `docs/completion-review-2026-07-17.md` and `V8-ANNOUNCEMENT.md`. **DO NOT PUSH the 3 untracked docs:** origin `open/llm-security.git` is a PUBLIC mirror; they describe cross-repo strategy + a sibling (`claude-code-llm-wiki`, "Private pending Anthropic ToS"). NOTE: `docs/FAMILY-MAP.md:42` says v7.8.0/1863 tests β€” stale, fix when the parking ends. ## Ground truth (verified 2026-07-18) - **`npm test` = 1901/0 green** at tip (1865 + 36 new). Run with `npm test` β€” `node --test tests/` is NOT valid; the script is `node --test 'tests/**/*.test.mjs'`. - v7.8.2 released: tag `v7.8.2` pushed, catalog ref bumped, `check-versions.mjs` = **0 ERROR** (the one WARN is `okr`, pre-existing and unrelated). - Test-pollution trap (hit and fixed): `jetbrains-parser.test.mjs` asserts globally that no `llmsec-jb-*` dir survives in tmpdir. Any new test using that mkdtemp prefix fails it order-dependently β€” passed one full run, failed the next. Pick a non-colliding prefix. - Exported for testability, do not "tidy" away: `validateContent` (auto-cleaner, v7.8.1), `stripInjection` (content-extractor, v7.8.2), `scanOneExtension` (ide-extension-scanner). `content-extractor.mjs` now runs `main()` behind an `isMain` guard β€” CLI re-verified working. - Known residual gap (documented, not a bug to re-file): `stripInjection` cannot attribute a payload encoded ACROSS lines; those findings carry `unstripped: true` by design. Whole-file redaction was considered and rejected (normalizeForScan base64-decodes any long blob). - Prior security: F-1/2/3/5/6 fixed; F-4 open (optional/LOW); B1/B2/E14 fixed. ## Position taken (strategic anchor) llm-security **consolidates**; growth at **family level** (security-commons + `llm-retrieval-guard` sibling for the LLM08 writeβ†’retrieval seam). JS/TS AST-taint parity + post-clone CLAUDE.md-poisoning stay here; research artifact-scanners (model/pickle, .ipynb, insecure-ML) relocate to commons/guard. v8.0.0 = deprecation cleanup (LLM_SECURITY_* env-vars + riskScoreV1) + behaviour-preserving commons extraction + verified fixes + docs consistency. ## Continuity origin = Forgejo `open/llm-security` (PUBLIC, never GitHub). Push window: weekdays 20:00–23:00; weekends/holidays anytime. STATE.md is intentionally TRACKED + committed (`.gitignore:19-20` NOTE). **Disclosure convention:** a security fix to public code is committed but HELD until its release tag exists, so the exploit description never lands before the fixed version. Fix, bump, tag, catalog, push. **Release mechanics:** `catalog/scripts/release-plugin.mjs --version X.Y.Z` (dry-run by default; `--create-tag`, then `--write --commit --push`). It refuses unless plugin.json == README badge == target. Push the plugin repo's commits BEFORE `--create-tag`.