Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
5.1 KiB
STATE — llm-security
👉 NESTE — START HER (fresh session, Opus 4.8 xhigh) — the MEDIUM sweep: v7.8.2 SHIPPED — all 5 HIGH from the completion review are fixed, released, tagged, catalog-synced and pushed. Next is the MEDIUM tier (52 findings) from the same review. Expect it to be its own release (v7.8.3 or v7.9.0), not a continuation of v7.8.2. Same discipline that worked this session: verify each finding against the code FIRST (STATE's own descriptions proved wrong 3x — see below), Iron Law per defect, one commit each. Triage first: 52 MEDIUMs will contain duplicates and non-defects — do a verification pass and report the real count before planning the release.
Review output (harvest source): confirmed array + per-finding adversarial reasoning in task
w8s4rsaw8 output: …/dfcab047-5467-4484-ab1a-5d6526439f78/tasks/w8s4rsaw8.output (result.confirmed,
59 items). Durable journal: ~/.claude/projects/-Users-…-llm-security/ f99dcf73-d344-4377-b8ba-09fe878f32a2/subagents/workflows/wf_99daed37-f8b/journal.jsonl.
Lesson from v7.8.2 — the review's own text is a premiss, not a fact
Three of five findings were described inaccurately in STATE/the review. Verify before acting:
- Paths were wrong: hooks live in
hooks/scripts/, the parser inscanners/lib/. - Blast radius was understated (the rm-block also missed
/*,-fr, and sudo-prefixed forms). - Severity was overstated once: the char-ref defect does NOT break the no-throw contract
(
safe()catches it) and needs non-well-formed XML, so it is below HIGH. Said so in the commit. - The old
pre-bash-destructive.test.mjshad encoded the bug as expected behaviour with a wrong root-cause NOTE. Green suites can be green because the test was shaped around the defect — when a test comment explains why something isn't caught, treat it as a lead, not a spec.
⚠️ NEVER git add -A in this repo
Did it this session and swept the 3 parked docs into a release commit aimed at a PUBLIC mirror. Caught before push and amended out, but the guard is: stage explicit paths, always.
PARKED — v8 family strategy (behind an operator visibility decision, DO NOT PUSH)
4 of 6 deliverables written, LOCAL ONLY: docs/JOBS-TO-BE-DONE.md, docs/FAMILY-MAP.md,
docs/commons-extraction-plan.md, docs/roadmap.md [gitignored]. Remaining v8 docs (do NOT start
until visibility is decided): formal docs/completion-review-2026-07-17.md and V8-ANNOUNCEMENT.md.
DO NOT PUSH the 3 untracked docs: origin open/llm-security.git is a PUBLIC mirror; they describe
cross-repo strategy + a sibling (claude-code-llm-wiki, "Private pending Anthropic ToS").
NOTE: docs/FAMILY-MAP.md:42 says v7.8.0/1863 tests — stale, fix when the parking ends.
Ground truth (verified 2026-07-18)
npm test= 1901/0 green at tip (1865 + 36 new). Run withnpm test—node --test tests/is NOT valid; the script isnode --test 'tests/**/*.test.mjs'.- v7.8.2 released: tag
v7.8.2pushed, catalog ref bumped,check-versions.mjs= 0 ERROR (the one WARN isokr, pre-existing and unrelated). - Test-pollution trap (hit and fixed):
jetbrains-parser.test.mjsasserts globally that nollmsec-jb-*dir survives in tmpdir. Any new test using that mkdtemp prefix fails it order-dependently — passed one full run, failed the next. Pick a non-colliding prefix. - Exported for testability, do not "tidy" away:
validateContent(auto-cleaner, v7.8.1),stripInjection(content-extractor, v7.8.2),scanOneExtension(ide-extension-scanner).content-extractor.mjsnow runsmain()behind anisMainguard — CLI re-verified working. - Known residual gap (documented, not a bug to re-file):
stripInjectioncannot attribute a payload encoded ACROSS lines; those findings carryunstripped: trueby design. Whole-file redaction was considered and rejected (normalizeForScan base64-decodes any long blob). - Prior security: F-1/2/3/5/6 fixed; F-4 open (optional/LOW); B1/B2/E14 fixed.
Position taken (strategic anchor)
llm-security consolidates; growth at family level (security-commons + llm-retrieval-guard
sibling for the LLM08 write→retrieval seam). JS/TS AST-taint parity + post-clone CLAUDE.md-poisoning
stay here; research artifact-scanners (model/pickle, .ipynb, insecure-ML) relocate to commons/guard.
v8.0.0 = deprecation cleanup (LLM_SECURITY_* env-vars + riskScoreV1) + behaviour-preserving commons
extraction + verified fixes + docs consistency.
Continuity
origin = Forgejo open/llm-security (PUBLIC, never GitHub). Push window: weekdays 20:00–23:00;
weekends/holidays anytime. STATE.md is intentionally TRACKED + committed (.gitignore:19-20 NOTE).
Disclosure convention: a security fix to public code is committed but HELD until its release tag
exists, so the exploit description never lands before the fixed version. Fix, bump, tag, catalog, push.
Release mechanics: catalog/scripts/release-plugin.mjs <plugin> --version X.Y.Z (dry-run by
default; --create-tag, then --write --commit --push). It refuses unless plugin.json == README
badge == target. Push the plugin repo's commits BEFORE --create-tag.