claudemd-cli 0.23.21 → 0.23.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +31 -0
  2. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -8,6 +8,37 @@ All notable changes to the `claudemd` plugin. This changelog tracks plugin artif
8
8
  - **Canonical spec version source**: `spec/CLAUDE.md` top-line title (`# AI-CODING-SPEC vX.Y.Z — Core`) + `spec/CLAUDE-changelog.md` top `##` entry.
9
9
  - **Plugin semver vs spec semver** are independent: plugin patch (0.2.0 → 0.2.1) may ship when spec is unchanged (this release); plugin minor (0.1.9 → 0.2.0) ships when spec minor updates (v0.2.0 shipped spec v6.10.0).
10
10
 
11
+ ## [0.23.23] - 2026-07-03
12
+
13
+ **Patch — a self-audit found a doctor↔audit telemetry-parity gap, then an adversarial §8 false-negative sweep (hardened by a code review) closed four "execute scripts of unknown origin" bypass classes in the pre-bash-safety hook.** Spec content unchanged (stays v6.14.1).
14
+
15
+ ### Fixed — `doctor`: rule-usage counted test-session/probe rows that `audit.js` filters
16
+
17
+ - `scripts/doctor.js`: the `rule-usage` health check derived its deny/bypass counts (and the §0.1 demote verdict downstream of them) from the raw `readHits` output, while the sibling `audit.js` strips manual-probe / sentinel-session rows via `excludeTestSessions`. On the same 30-day window doctor over-reported — `§7-ship-baseline` deny 17 vs audit's 9, `§8-rm-rf-var` 121 vs 101. Both rule-usage consumers (the `groupBySection` count + the demote-candidate token-breakdown loop) now filter identically; the `fail-open` check stays on raw hits by design (its rows are `session_id:null`). Doctor now matches audit.js across every section. Tests: `doctor.test.js` +2 (sentinel-exclusion count + token-breakdown).
18
+
19
+ ### Fixed — §8: four "execute scripts of unknown origin" false negatives in `pre-bash-safety`
20
+
21
+ A 2026-07-03 adversarial audit (feed dangerous commands to the detector, observe allow/deny) plus a `superpowers` code review found the hook enforced only the literal forms of §8's unknown-origin / NPX rules. Four classes now covered — each adds denials only, verified against a false-positive control set:
22
+
23
+ - **Fetch-execute runner family**: the NPX gate matched only literal `npx`; `pnpm dlx` / `yarn dlx` / `bunx` / `npm exec` of an unpinned unknown package bypassed it (identical fetch-execute — `npx` is a shortcut for `npm exec`). `NPX_REGEX` extended to the family, reusing the existing pinned/local/lockfile resolution (already reads pnpm-lock.yaml / yarn.lock). `npm install` / `pnpm install` / `yarn add` stay excluded (the regex requires the `exec` / `dlx` subcommand).
24
+ - **`curl … | sh`** (new Pattern 3): no detector existed for piping or `<()`-substituting a network fetch into a shell. Fires when `curl`/`wget` in command position feeds `sh`/`bash`/`zsh`/`dash`/`ksh`/`ash` (optionally via `sudo`), matched per pipeline segment on the sanitized command. Local/literal sources (`cat x.sh | sh`), non-shell sinks (`| jq`), download-only (`curl -o`), and prose-in-quotes stay allowed. New `§8-curl-sh` telemetry section + `[allow-curl-sh]` bypass token.
25
+ - **rm behind wrappers**: `sudo` / `doas` / `timeout N` / `nice -nN` / `stdbuf` / `ionice` / `chrt` before `rm -rf $VAR` bypassed the segment-start `rm` check. The wrapper-strip loop now handles them (arg-less + flag-bearing, consuming a wrapper's options and numeric/duration args, stopping at the first command word). Stripping only removes prefixes, so a non-rm command or a safe rm (literal path / `$HOME` subpath) never false-denies.
26
+ - **Code review follow-up** (folded in): `sudo -E/-i/-H/-n rm` (sudo is flag-bearing, not arg-less), `npm exec`, and brace-group `{ curl … | sh; }` were caught adversarially after the initial fixes. Documented residuals: option-with-argument wrapper forms (`sudo -u svc rm`, `timeout -s KILL 5 rm`), `eval "$(curl)"`, `find -delete`.
27
+
28
+ Hook tests +50 (206 in `pre-bash-safety.test.sh`); full suite 523 pass. `docs/RULE-HITS-SCHEMA.md` synced (new `§8-curl-sh` section + `allow-curl-sh` token). Findings + deferred residuals recorded in `tasks/s8-false-negative-audit-2026-07-03.md` and `tasks/project-audit-findings-2026-07-03.md`.
29
+
30
+ ## [0.23.22] - 2026-07-02
31
+
32
+ **Patch — follow-up to v0.23.21 (code review): sync the two remaining dedup-key reference docs + harden the `extra` key against future key-order variance.** Spec content unchanged (stays v6.14.1).
33
+
34
+ ### Fixed — two dedup-key reference docs still taught the pre-v0.23.21 4-field model
35
+
36
+ - v0.23.21 extended the `uniqueInvocations` dedup key to `(ts, hook, session_id, tool_use_id, event, extra)` and synced the parse-fn comment + `commands/claudemd-audit.md`, but two other canonical descriptions were left on the old 4-field model — and `scripts/audit.js:70` cross-references the first as authoritative, routing a maintainer straight into the pre-fix "byte-identical multi-emit looks like a bug" misread. Synced both: `hooks/lib/rule-hits.sh:21-25` (the `TOOL_USE_ID` param doc — ships with the plugin) and `docs/RULE-HITS-SCHEMA.md:16` (the `tool_use_id` field row — tracked via the `docs/*` + `!docs/<file>` gitignore allowlist) now carry the 6-field key + the multi-emit "confirm against the source command" caveat. Found by a `superpowers:requesting-code-review` pass on v0.23.21.
37
+
38
+ ### Changed — canonicalize `extra` before the dedup key (defensive hardening)
39
+
40
+ - `scripts/lib/rule-hits-parse.js`: the key serialized `extra` with bare `JSON.stringify`, so double-fire detection silently depended on stable key order. Unreachable for `_real` today (every hook emits `extra` from fixed templates / single-key objects; the only multi-key extra — mem-audit `{missing,drift}` — carries a null `tool_use_id` → lands in `_legacy`), but a future multi-key extra on a `tool_use_id`-bearing hook built from an unordered source (`declare -A`) would let a genuine double-fire evade. New `stableExtraKey()` sorts top-level keys before serializing — behavior-preserving on current data (live-log `pre-bash-safety` `duplicate_rows_real` stays 34). Two direct unit tests added in `tests/scripts/rule-hits-parse.test.js` (reordered-key double-fire still collides → 1 unique / 1 `_real`; distinct-extra multi-emit stays separate → 2 / 0); `uniqueInvocations` previously had no unit-level coverage, only via `audit()`. Also noted: the v0.23.21 key extension incidentally narrows `duplicate_rows_legacy` (distinct event/extra rows at a null `tool_use_id` now count as unique — more correct; `_legacy` is documented non-gating noise). Renamed the v0.9.34 audit test title to state what it verifies (byte-identical collapse) instead of over-claiming the full key. Full suite 519 → 521 pass.
41
+
11
42
  ## [0.23.21] - 2026-07-02
12
43
 
13
44
  **Patch — audit `duplicate_rows_real` over-counted multi-emit hooks as registration double-fires; found by a 30-day /claudemd-audit self-review.** Spec content unchanged (stays v6.14.1).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "claudemd-cli",
3
- "version": "0.23.21",
3
+ "version": "0.23.23",
4
4
  "description": "Standalone CLI for §10-V banned-vocab + transcript scanning. Companion to the claudemd Claude Code plugin (github.com/sdsrss/claudemd) for use in git pre-commit hooks, GitHub Actions, and other agents.",
5
5
  "type": "module",
6
6
  "bin": {