llm-security/STATE.md
2026-07-18 09:02:02 +02:00

61 lines
4.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# STATE — llm-security
**👉 NESTE — START HER (fresh session, Opus 4.8 xhigh) — v7.8.2: the ~6 HIGH:**
**v7.8.1 SHIPPED** — the CRITICAL auto-cleaner RCE is fixed, released, tagged, catalog-synced and
pushed. Next up is the HIGH tier from the same review. Iron Law per defect (regression test FIRST),
one commit per defect, then ship v7.8.2. All six are in the 59-finding review output (harvest source
below). Order them yourself; suggested by blast radius:
1. `rm -rf /` + `rm -rf ~` bypass the root-block — `hooks/pre-bash-destructive.mjs:24`.
2. Entropy scanner suppresses ALL findings when the ABSOLUTE path contains test/spec/fix —
`scanners/entropy-scanner.mjs:308` (a repo cloned to `/tmp/fix-me/` silently reports nothing).
3. Unparseable JetBrains plugin crashes the whole ide-scan + null-manifest deref —
`scanners/ide-extension-scanner.mjs:684` (likely 1 root cause / 2 findings).
4. Obfuscated injections are reported but NOT stripped from the LLM evidence package —
`scanners/content-extractor.mjs:119` (defeats the remote-scan injection defense).
5. Out-of-range numeric char-ref raises RangeError, breaking the no-throw contract —
`scanners/ide-extension-parser.mjs:147`.
Then the MEDIUM sweep (52 more) — likely its own release, not v7.8.2.
**Review output (harvest source):** confirmed array + per-finding adversarial reasoning in task
`w8s4rsaw8` output: `…/dfcab047-5467-4484-ab1a-5d6526439f78/tasks/w8s4rsaw8.output` (result.confirmed,
59 items). Durable journal (one result-line/agent): `~/.claude/projects/-Users-…-llm-security/
f99dcf73-d344-4377-b8ba-09fe878f32a2/subagents/workflows/wf_99daed37-f8b/journal.jsonl`.
## PARKED — v8 family strategy (behind an operator visibility decision, DO NOT PUSH)
4 of 6 deliverables written, LOCAL ONLY: `docs/JOBS-TO-BE-DONE.md`, `docs/FAMILY-MAP.md`,
`docs/commons-extraction-plan.md`, `docs/roadmap.md` [gitignored]. Remaining v8 docs (do NOT start until
visibility is decided): formal `docs/completion-review-2026-07-17.md` (findings table +
`severity.mjs` framework-coverage map + citations; roadmap B8/P3 reference it) and `V8-ANNOUNCEMENT.md`.
**⚠️ DO NOT PUSH the 3 untracked docs:** origin `open/llm-security.git` is a PUBLIC mirror; docs describe
cross-repo strategy + a sibling (`claude-code-llm-wiki`, "Private pending Anthropic ToS"). Do NOT `git add`
them without a visibility call (accept-public / keep-local `.local.md` / private family home).
NOTE: `docs/FAMILY-MAP.md:42` still says v7.8.0/1863 tests — stale, fix when the parking ends.
## Ground truth (verified 2026-07-18)
- **`npm test` = 1865/0 green** at tip. Run tests with `npm test``node --test tests/` is NOT a valid
invocation (it fails as a harness error, not a regression); the script is `node --test 'tests/**/*.test.mjs'`.
- v7.8.1 released: tag `v7.8.1` pushed, catalog ref bumped, `check-versions.mjs` = **0 ERROR**
(the one WARN is `okr`, pre-existing and unrelated).
- CRITICAL RCE: **reproduced live before the fix** (canary via `$CLEANER_RCE_CANARY` env expansion,
proving a shell parsed the filename), gone after. Both sinks in `scanners/auto-cleaner.mjs` are now
`spawnSync` argv-arrays; `execSync` is no longer imported there.
- Regression coverage is deliberately TWO tests (`tests/scanners/auto-cleaner-rce.test.mjs`): the belt
in `applyFixes` (metachar refusal) stops hostile input BEFORE the sink, so a single applyFixes-level
test would pass without proving the shell was gone. `validateContent` is exported for that reason —
do not "tidy" that export away.
- Prior security: F-1/2/3/5/6 fixed; F-4 open (optional/LOW); B1/B2/E14 fixed.
- Stray `undefined/` (scan artifact, 2026-07-17): **removed**.
## Position taken (strategic anchor)
llm-security **consolidates**; growth at **family level** (security-commons + `llm-retrieval-guard`
sibling for the LLM08 write→retrieval seam). JS/TS AST-taint parity + post-clone CLAUDE.md-poisoning
stay here; research artifact-scanners (model/pickle, .ipynb, insecure-ML) relocate to commons/guard.
v8.0.0 = deprecation cleanup (LLM_SECURITY_* env-vars + riskScoreV1) + behaviour-preserving commons
extraction + verified fixes + docs consistency.
## Continuity
origin = Forgejo `open/llm-security` (PUBLIC, never GitHub). Push window: weekdays 20:0023:00;
weekends/holidays anytime. STATE.md is intentionally TRACKED + committed (`.gitignore:19-20` NOTE).
**Disclosure convention (set this session):** a security fix to public code is committed but HELD until
its release tag exists, so the exploit description in the commit/notes never lands before the fixed
version users can upgrade to. Fix, bump, tag, catalog, push — one sequence.