Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2.6 KiB
2.6 KiB
STATE — llm-security
Active focus: TRG/SIG/AST-gap scanners (TRG/SIG/AST) — DONE & pushed (Steps 1–7). Release v7.8.0 (Step 8) DEFERRED by operator. The next session is NOT TRG/SIG/AST — it is the security-fix brief (see PREREQUISITE) which must run before we resume/release this track.
PREREQUISITE — do BEFORE continuing TRG/SIG/AST / releasing v7.8.0
- Run the security-fix session:
docs/security-fix-brief-2026-06-20.md(F-1 RCE + F-2/F-3 shell/path injection sinks; from the marketplace-wide reviewdocs/review-2026-06-20.md). Operator instruction (2026-06-20): do NOT interleave it with TRG/SIG/AST work; it gates the v7.8.0 release — don't ship a version with F-1/F-2/F-3 open.
What landed this session (pushed to Forgejo, main @ d19abf0)
- TRG
scanners/trigger-scanner.mjs— shadow/baiting/broad triggers; decode-pipeline on descriptions. + wiring (orchestrator/policy/4 OWASP maps). Commits54115a9,75aeeee. Test 16/0. - SIG
scanners/signature-scanner.mjs+knowledge/signatures.json(webshell/reverse_shell/ cryptominer/hacktool, matched over normalizeForScan/foldHomoglyphs/rot13 — catches obfuscated malware). + wiring. Commitsbac6f6f,76e3543. Test 12/0. - AST
scanners/ast-taint-scanner.mjs+scanners/lib/py-ast-taint.py(PARSE-ONLY ast.parse, scope-aware var taint, 5s timeout, graceful skip when python3 absent). + wiring. Commitse497bb7,b50313e. Test 9/0. Parse-only proven (sentinel: no SENTINEL written). - Docs/packaging
d19abf0— scanner-reference rows + count bumps, output.mjs JSDoc prefixes, orchestrator header (→14),package.jsonfiles[] +=knowledge/. - Full suite 1859/0. Orchestrator runs 14 scanners (trg/sig/ast keys present). Zero-dep holds.
Step 8 (deferred) — release v7.8.0 when ready, AFTER the security fix
- Bump 7.7.2 → 7.8.0 in
.claude-plugin/plugin.json,package.json, README badge (README.md:9), CHANGELOG[7.8.0],docs/version-history.md, CLAUDE.md header. Verify w/ version-consistency grep. Spec: Step 8 ofdocs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md.
Known pre-existing doc drift (out of this plan's scope — flagged, NOT fixed)
docs/scanner-reference.mdorchestrated count/list never countedworkflow(true array = 14, docs now say 13). Per the plan I bumped each count by +3; reconciling the workflow omission needs its own scope.
Continuity
- STATE.md canonical + committed (never gitignored). trekexecute progress scratch deleted (run done;
git history is the durable record). origin = Forgejo
open/llm-security(never GitHub).