llm-security/STATE.md
2026-07-18 09:35:21 +02:00

5.1 KiB
Raw Blame History

STATE — llm-security

👉 NESTE — START HER (fresh session, Opus 4.8 xhigh) — the MEDIUM sweep: v7.8.2 SHIPPED — all 5 HIGH from the completion review are fixed, released, tagged, catalog-synced and pushed. Next is the MEDIUM tier (52 findings) from the same review. Expect it to be its own release (v7.8.3 or v7.9.0), not a continuation of v7.8.2. Same discipline that worked this session: verify each finding against the code FIRST (STATE's own descriptions proved wrong 3x — see below), Iron Law per defect, one commit each. Triage first: 52 MEDIUMs will contain duplicates and non-defects — do a verification pass and report the real count before planning the release.

Review output (harvest source): confirmed array + per-finding adversarial reasoning in task w8s4rsaw8 output: …/dfcab047-5467-4484-ab1a-5d6526439f78/tasks/w8s4rsaw8.output (result.confirmed, 59 items). Durable journal: ~/.claude/projects/-Users-…-llm-security/ f99dcf73-d344-4377-b8ba-09fe878f32a2/subagents/workflows/wf_99daed37-f8b/journal.jsonl.

Lesson from v7.8.2 — the review's own text is a premiss, not a fact

Three of five findings were described inaccurately in STATE/the review. Verify before acting:

  • Paths were wrong: hooks live in hooks/scripts/, the parser in scanners/lib/.
  • Blast radius was understated (the rm-block also missed /*, -fr, and sudo-prefixed forms).
  • Severity was overstated once: the char-ref defect does NOT break the no-throw contract (safe() catches it) and needs non-well-formed XML, so it is below HIGH. Said so in the commit.
  • The old pre-bash-destructive.test.mjs had encoded the bug as expected behaviour with a wrong root-cause NOTE. Green suites can be green because the test was shaped around the defect — when a test comment explains why something isn't caught, treat it as a lead, not a spec.

⚠️ NEVER git add -A in this repo

Did it this session and swept the 3 parked docs into a release commit aimed at a PUBLIC mirror. Caught before push and amended out, but the guard is: stage explicit paths, always.

PARKED — v8 family strategy (behind an operator visibility decision, DO NOT PUSH)

4 of 6 deliverables written, LOCAL ONLY: docs/JOBS-TO-BE-DONE.md, docs/FAMILY-MAP.md, docs/commons-extraction-plan.md, docs/roadmap.md [gitignored]. Remaining v8 docs (do NOT start until visibility is decided): formal docs/completion-review-2026-07-17.md and V8-ANNOUNCEMENT.md. DO NOT PUSH the 3 untracked docs: origin open/llm-security.git is a PUBLIC mirror; they describe cross-repo strategy + a sibling (claude-code-llm-wiki, "Private pending Anthropic ToS"). NOTE: docs/FAMILY-MAP.md:42 says v7.8.0/1863 tests — stale, fix when the parking ends.

Ground truth (verified 2026-07-18)

  • npm test = 1901/0 green at tip (1865 + 36 new). Run with npm testnode --test tests/ is NOT valid; the script is node --test 'tests/**/*.test.mjs'.
  • v7.8.2 released: tag v7.8.2 pushed, catalog ref bumped, check-versions.mjs = 0 ERROR (the one WARN is okr, pre-existing and unrelated).
  • Test-pollution trap (hit and fixed): jetbrains-parser.test.mjs asserts globally that no llmsec-jb-* dir survives in tmpdir. Any new test using that mkdtemp prefix fails it order-dependently — passed one full run, failed the next. Pick a non-colliding prefix.
  • Exported for testability, do not "tidy" away: validateContent (auto-cleaner, v7.8.1), stripInjection (content-extractor, v7.8.2), scanOneExtension (ide-extension-scanner). content-extractor.mjs now runs main() behind an isMain guard — CLI re-verified working.
  • Known residual gap (documented, not a bug to re-file): stripInjection cannot attribute a payload encoded ACROSS lines; those findings carry unstripped: true by design. Whole-file redaction was considered and rejected (normalizeForScan base64-decodes any long blob).
  • Prior security: F-1/2/3/5/6 fixed; F-4 open (optional/LOW); B1/B2/E14 fixed.

Position taken (strategic anchor)

llm-security consolidates; growth at family level (security-commons + llm-retrieval-guard sibling for the LLM08 write→retrieval seam). JS/TS AST-taint parity + post-clone CLAUDE.md-poisoning stay here; research artifact-scanners (model/pickle, .ipynb, insecure-ML) relocate to commons/guard. v8.0.0 = deprecation cleanup (LLM_SECURITY_* env-vars + riskScoreV1) + behaviour-preserving commons extraction + verified fixes + docs consistency.

Continuity

origin = Forgejo open/llm-security (PUBLIC, never GitHub). Push window: weekdays 20:0023:00; weekends/holidays anytime. STATE.md is intentionally TRACKED + committed (.gitignore:19-20 NOTE). Disclosure convention: a security fix to public code is committed but HELD until its release tag exists, so the exploit description never lands before the fixed version. Fix, bump, tag, catalog, push. Release mechanics: catalog/scripts/release-plugin.mjs <plugin> --version X.Y.Z (dry-run by default; --create-tag, then --write --commit --push). It refuses unless plugin.json == README badge == target. Push the plugin repo's commits BEFORE --create-tag.