claudemd-cli 0.23.22 → 0.23.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +19 -0
  2. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -8,6 +8,25 @@ All notable changes to the `claudemd` plugin. This changelog tracks plugin artif
8
8
  - **Canonical spec version source**: `spec/CLAUDE.md` top-line title (`# AI-CODING-SPEC vX.Y.Z — Core`) + `spec/CLAUDE-changelog.md` top `##` entry.
9
9
  - **Plugin semver vs spec semver** are independent: plugin patch (0.2.0 → 0.2.1) may ship when spec is unchanged (this release); plugin minor (0.1.9 → 0.2.0) ships when spec minor updates (v0.2.0 shipped spec v6.10.0).
10
10
 
11
+ ## [0.23.23] - 2026-07-03
12
+
13
+ **Patch — a self-audit found a doctor↔audit telemetry-parity gap, then an adversarial §8 false-negative sweep (hardened by a code review) closed four "execute scripts of unknown origin" bypass classes in the pre-bash-safety hook.** Spec content unchanged (stays v6.14.1).
14
+
15
+ ### Fixed — `doctor`: rule-usage counted test-session/probe rows that `audit.js` filters
16
+
17
+ - `scripts/doctor.js`: the `rule-usage` health check derived its deny/bypass counts (and the §0.1 demote verdict downstream of them) from the raw `readHits` output, while the sibling `audit.js` strips manual-probe / sentinel-session rows via `excludeTestSessions`. On the same 30-day window doctor over-reported — `§7-ship-baseline` deny 17 vs audit's 9, `§8-rm-rf-var` 121 vs 101. Both rule-usage consumers (the `groupBySection` count + the demote-candidate token-breakdown loop) now filter identically; the `fail-open` check stays on raw hits by design (its rows are `session_id:null`). Doctor now matches audit.js across every section. Tests: `doctor.test.js` +2 (sentinel-exclusion count + token-breakdown).
18
+
19
+ ### Fixed — §8: four "execute scripts of unknown origin" false negatives in `pre-bash-safety`
20
+
21
+ A 2026-07-03 adversarial audit (feed dangerous commands to the detector, observe allow/deny) plus a `superpowers` code review found the hook enforced only the literal forms of §8's unknown-origin / NPX rules. Four classes now covered — each adds denials only, verified against a false-positive control set:
22
+
23
+ - **Fetch-execute runner family**: the NPX gate matched only literal `npx`; `pnpm dlx` / `yarn dlx` / `bunx` / `npm exec` of an unpinned unknown package bypassed it (identical fetch-execute — `npx` is a shortcut for `npm exec`). `NPX_REGEX` extended to the family, reusing the existing pinned/local/lockfile resolution (already reads pnpm-lock.yaml / yarn.lock). `npm install` / `pnpm install` / `yarn add` stay excluded (the regex requires the `exec` / `dlx` subcommand).
24
+ - **`curl … | sh`** (new Pattern 3): no detector existed for piping or `<()`-substituting a network fetch into a shell. Fires when `curl`/`wget` in command position feeds `sh`/`bash`/`zsh`/`dash`/`ksh`/`ash` (optionally via `sudo`), matched per pipeline segment on the sanitized command. Local/literal sources (`cat x.sh | sh`), non-shell sinks (`| jq`), download-only (`curl -o`), and prose-in-quotes stay allowed. New `§8-curl-sh` telemetry section + `[allow-curl-sh]` bypass token.
25
+ - **rm behind wrappers**: `sudo` / `doas` / `timeout N` / `nice -nN` / `stdbuf` / `ionice` / `chrt` before `rm -rf $VAR` bypassed the segment-start `rm` check. The wrapper-strip loop now handles them (arg-less + flag-bearing, consuming a wrapper's options and numeric/duration args, stopping at the first command word). Stripping only removes prefixes, so a non-rm command or a safe rm (literal path / `$HOME` subpath) never false-denies.
26
+ - **Code review follow-up** (folded in): `sudo -E/-i/-H/-n rm` (sudo is flag-bearing, not arg-less), `npm exec`, and brace-group `{ curl … | sh; }` were caught adversarially after the initial fixes. Documented residuals: option-with-argument wrapper forms (`sudo -u svc rm`, `timeout -s KILL 5 rm`), `eval "$(curl)"`, `find -delete`.
27
+
28
+ Hook tests +50 (206 in `pre-bash-safety.test.sh`); full suite 523 pass. `docs/RULE-HITS-SCHEMA.md` synced (new `§8-curl-sh` section + `allow-curl-sh` token). Findings + deferred residuals recorded in `tasks/s8-false-negative-audit-2026-07-03.md` and `tasks/project-audit-findings-2026-07-03.md`.
29
+
11
30
  ## [0.23.22] - 2026-07-02
12
31
 
13
32
  **Patch — follow-up to v0.23.21 (code review): sync the two remaining dedup-key reference docs + harden the `extra` key against future key-order variance.** Spec content unchanged (stays v6.14.1).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "claudemd-cli",
3
- "version": "0.23.22",
3
+ "version": "0.23.23",
4
4
  "description": "Standalone CLI for §10-V banned-vocab + transcript scanning. Companion to the claudemd Claude Code plugin (github.com/sdsrss/claudemd) for use in git pre-commit hooks, GitHub Actions, and other agents.",
5
5
  "type": "module",
6
6
  "bin": {