llm-security/STATE.md
2026-07-18 09:35:21 +02:00

69 lines
5.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# STATE — llm-security
**👉 NESTE — START HER (fresh session, Opus 4.8 xhigh) — the MEDIUM sweep:**
**v7.8.2 SHIPPED** — all 5 HIGH from the completion review are fixed, released, tagged,
catalog-synced and pushed. Next is the MEDIUM tier (52 findings) from the same review.
Expect it to be its own release (v7.8.3 or v7.9.0), not a continuation of v7.8.2.
Same discipline that worked this session: **verify each finding against the code FIRST**
(STATE's own descriptions proved wrong 3x — see below), Iron Law per defect, one commit each.
Triage first: 52 MEDIUMs will contain duplicates and non-defects — do a verification pass and
report the real count before planning the release.
**Review output (harvest source):** confirmed array + per-finding adversarial reasoning in task
`w8s4rsaw8` output: `…/dfcab047-5467-4484-ab1a-5d6526439f78/tasks/w8s4rsaw8.output` (result.confirmed,
59 items). Durable journal: `~/.claude/projects/-Users-…-llm-security/
f99dcf73-d344-4377-b8ba-09fe878f32a2/subagents/workflows/wf_99daed37-f8b/journal.jsonl`.
## Lesson from v7.8.2 — the review's own text is a premiss, not a fact
Three of five findings were described inaccurately in STATE/the review. Verify before acting:
- Paths were wrong: hooks live in `hooks/scripts/`, the parser in `scanners/lib/`.
- Blast radius was understated (the rm-block also missed `/*`, `-fr`, and sudo-prefixed forms).
- Severity was overstated once: the char-ref defect does NOT break the no-throw contract
(`safe()` catches it) and needs non-well-formed XML, so it is below HIGH. Said so in the commit.
- The old `pre-bash-destructive.test.mjs` had **encoded the bug as expected behaviour** with a
wrong root-cause NOTE. Green suites can be green because the test was shaped around the defect —
when a test comment explains why something *isn't* caught, treat it as a lead, not a spec.
## ⚠️ NEVER `git add -A` in this repo
Did it this session and swept the 3 parked docs into a release commit aimed at a PUBLIC mirror.
Caught before push and amended out, but the guard is: **stage explicit paths, always.**
## PARKED — v8 family strategy (behind an operator visibility decision, DO NOT PUSH)
4 of 6 deliverables written, LOCAL ONLY: `docs/JOBS-TO-BE-DONE.md`, `docs/FAMILY-MAP.md`,
`docs/commons-extraction-plan.md`, `docs/roadmap.md` [gitignored]. Remaining v8 docs (do NOT start
until visibility is decided): formal `docs/completion-review-2026-07-17.md` and `V8-ANNOUNCEMENT.md`.
**DO NOT PUSH the 3 untracked docs:** origin `open/llm-security.git` is a PUBLIC mirror; they describe
cross-repo strategy + a sibling (`claude-code-llm-wiki`, "Private pending Anthropic ToS").
NOTE: `docs/FAMILY-MAP.md:42` says v7.8.0/1863 tests — stale, fix when the parking ends.
## Ground truth (verified 2026-07-18)
- **`npm test` = 1901/0 green** at tip (1865 + 36 new). Run with `npm test``node --test tests/`
is NOT valid; the script is `node --test 'tests/**/*.test.mjs'`.
- v7.8.2 released: tag `v7.8.2` pushed, catalog ref bumped, `check-versions.mjs` = **0 ERROR**
(the one WARN is `okr`, pre-existing and unrelated).
- Test-pollution trap (hit and fixed): `jetbrains-parser.test.mjs` asserts globally that no
`llmsec-jb-*` dir survives in tmpdir. Any new test using that mkdtemp prefix fails it
order-dependently — passed one full run, failed the next. Pick a non-colliding prefix.
- Exported for testability, do not "tidy" away: `validateContent` (auto-cleaner, v7.8.1),
`stripInjection` (content-extractor, v7.8.2), `scanOneExtension` (ide-extension-scanner).
`content-extractor.mjs` now runs `main()` behind an `isMain` guard — CLI re-verified working.
- Known residual gap (documented, not a bug to re-file): `stripInjection` cannot attribute a
payload encoded ACROSS lines; those findings carry `unstripped: true` by design. Whole-file
redaction was considered and rejected (normalizeForScan base64-decodes any long blob).
- Prior security: F-1/2/3/5/6 fixed; F-4 open (optional/LOW); B1/B2/E14 fixed.
## Position taken (strategic anchor)
llm-security **consolidates**; growth at **family level** (security-commons + `llm-retrieval-guard`
sibling for the LLM08 write→retrieval seam). JS/TS AST-taint parity + post-clone CLAUDE.md-poisoning
stay here; research artifact-scanners (model/pickle, .ipynb, insecure-ML) relocate to commons/guard.
v8.0.0 = deprecation cleanup (LLM_SECURITY_* env-vars + riskScoreV1) + behaviour-preserving commons
extraction + verified fixes + docs consistency.
## Continuity
origin = Forgejo `open/llm-security` (PUBLIC, never GitHub). Push window: weekdays 20:0023:00;
weekends/holidays anytime. STATE.md is intentionally TRACKED + committed (`.gitignore:19-20` NOTE).
**Disclosure convention:** a security fix to public code is committed but HELD until its release tag
exists, so the exploit description never lands before the fixed version. Fix, bump, tag, catalog, push.
**Release mechanics:** `catalog/scripts/release-plugin.mjs <plugin> --version X.Y.Z` (dry-run by
default; `--create-tag`, then `--write --commit --push`). It refuses unless plugin.json == README
badge == target. Push the plugin repo's commits BEFORE `--create-tag`.