visus-mcp 0.6.0 → 0.6.2

package/CONTRIBUTING.md

@@ -0,0 +1,329 @@
+# Contributing to Visus
+
+Thank you for considering contributing to Visus! This project is security-first — all contributions must maintain the sanitization guarantees that protect users. Visus is engineered, not vibe-coded. We expect rigorous testing, clear documentation, and adherence to security best practices.
+
+---
+
+## What We're Looking For
+
+The most valuable contributions to Visus are:
+
+- **New injection pattern categories** (most wanted) — Validated detection patterns for emerging prompt injection techniques
+- **False positive reports** — Cases where Visus incorrectly flags or redacts legitimate content
+- **New PII redaction types** — Additional personally identifiable information patterns (passports, driver's licenses, medical IDs, etc.)
+- **Performance improvements** — Optimizations to the sanitizer pipeline that maintain coverage
+- **Documentation improvements** — Clearer explanations, better examples, tutorial content
+- **Bug reports with reproduction steps** — Detailed reports that help us quickly identify and fix issues
+
+### What is OUT OF SCOPE
+
+To avoid wasted effort, please **do not submit PRs** for:
+
+- Changes that reduce sanitization coverage or allow bypassing the pipeline
+- New tools that don't run content through the sanitizer
+- Dependencies that require Python runtime (Visus is TypeScript-only)
+- Modifications to the security rules defined in CLAUDE.md
+- Changes that introduce `any` types or violate TypeScript strict mode
+
+---
+
+## How to Add a New Injection Pattern
+
+This is the most important contribution type. Follow these steps carefully:
+
+### Step 1: Add the pattern definition
+
+Open `src/sanitizer/patterns.ts` and add your pattern to the `INJECTION_PATTERNS` array. Each pattern requires:
+
+```typescript
+{
+  name: 'your_pattern_name',          // snake_case identifier
+  description: 'What this detects',    // Brief explanation
+  regex: /pattern_here/gi,             // Detection regex (case-insensitive)
+  severity: 'critical',                // critical | high | medium | low
+  action: 'redact'                     // strip | redact | escape
+}
+```
+
+**Example pattern:**
+```typescript
+{
+  name: 'unicode_normalization_attack',
+  description: 'Uses Unicode normalization to hide instructions',
+  regex: /\u0041\u0301.*\b(ignore|admin)\b/gi,  // Á (decomposed) hiding text
+  severity: 'high',
+  action: 'strip'
+}
+```
+
+### Step 2: Add severity classification
+
+Open `src/sanitizer/severity-classifier.ts` and add your pattern category to the correct severity level:
+
+```typescript
+case 'your_pattern_name':
+  return 'CRITICAL';  // or HIGH, MEDIUM, LOW
+```
+
+### Step 3: Add framework mappings
+
+Open `src/sanitizer/framework-mapper.ts` and add mappings for all four compliance frameworks:
+
+```typescript
+your_pattern_name: {
+  owasp_llm: 'LLM01:2025 - Prompt Injection',
+  nist_ai_600_1: 'MS-2.5 - Prompt Injection',
+  mitre_atlas: 'AML.T0051.000 - LLM Prompt Injection',
+  iso_42001: 'A.6.1.5 - AI System Security (Adversarial Input)'
+},
+```
+
+**How to choose mappings:**
+- **OWASP LLM Top 10**: See [OWASP LLM Top 10 (2025)](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
+- **NIST AI 600-1**: See [NIST AI 600-1 Controls](https://csrc.nist.gov/pubs/ai/600/1/final)
+- **MITRE ATLAS**: See [MITRE ATLAS Tactics](https://atlas.mitre.org/)
+- **ISO/IEC 42001**: Use Annex A controls (A.X.X format)
+
+### Step 4: Add test cases
+
+Open `tests/sanitizer.test.ts` and add at least two test cases:
+
+**Positive case** (content that SHOULD be caught):
+```typescript
+it('should detect your_pattern_name', () => {
+  const result = sanitize('Malicious content here that triggers pattern');
+  expect(result.patterns_detected).toContain('your_pattern_name');
+  expect(result.content_modified).toBe(true);
+});
+```
+
+**Negative case** (legitimate content that should NOT be caught):
+```typescript
+it('should NOT flag legitimate content as your_pattern_name', () => {
+  const result = sanitize('Legitimate content that looks similar but is safe');
+  expect(result.patterns_detected).not.toContain('your_pattern_name');
+  expect(result.content_modified).toBe(false);
+});
+```
+
+**Why negative cases matter:** False positives erode trust. Always test that your pattern doesn't fire on legitimate content.
+
+### Step 5: Run tests
+
+```bash
+npm test
+```
+
+All tests must pass (100% pass rate). If any tests fail, fix them before submitting.
+
+### Step 6: Update SECURITY.md
+
+Add your pattern to the appropriate severity section in `SECURITY.md` with an example:
+
+```markdown
+**XX. Your Pattern Name**
+- **Example**: "Text that triggers the pattern"
+- **Action**: Redact/Strip/Escape
+```
+
+---
+
+## How to Report a False Positive
+
+A **false positive** occurs when Visus incorrectly flags or redacts legitimate, non-malicious content. These are **high priority bugs** because they impact usability.
+
+**To report a false positive:**
+
+1. Open a **"False Positive Report"** issue using the GitHub issue template
+2. Include:
+   - The URL or content that triggered the false positive (sanitize if sensitive)
+   - Which pattern category fired (visible in `patterns_detected` field)
+   - What the expected behavior should be
+   - Domain context (news site, documentation, health info, government, etc.)
+3. **Do NOT include:**
+   - Sensitive URLs or private content in public issues
+   - Personally identifiable information
+
+We take false positives seriously and will prioritize fixes.
+
+---
+
+## Development Setup
+
+### Prerequisites
+
+- **Node.js** 18+ and npm
+- **Git** for version control
+- **macOS / Windows**: No additional setup required
+- **Linux**: Playwright requires system libraries (see README.md)
+
+### Clone and Install
+
+```bash
+git clone https://github.com/visus-mcp/visus-mcp.git
+cd visus-mcp
+npm install
+npm run build
+npm test
+```
+
+**Note about Playwright:** The first run will download Chromium (~170MB). This is normal.
+
+**Note about macOS iCloud:** If you use iCloud Drive, develop in `~/Projects`, NOT `~/Documents`. iCloud sync can interfere with node_modules.
+
+---
+
+## Running Tests
+
+```bash
+npm test                # Full test suite (all 274+ tests)
+npm test -- --watch     # Watch mode for active development
+npm test sanitizer      # Run sanitizer tests only
+npm test -- --coverage  # Generate coverage report
+```
+
+**Test requirements:**
+- All PRs must pass 100% of existing tests
+- New functionality must include new tests
+- Test count should never decrease
+- Minimum 80% code coverage
+
+---
+
+## Security Vulnerability Reporting
+
+**DO NOT open public issues for security vulnerabilities.**
+
+If you discover a security vulnerability in Visus (e.g., a way to bypass the sanitizer, extract PII, or compromise the system):
+
+📧 **Email:** security@lateos.ai
+
+Include in your report:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact assessment
+- Suggested fix (optional)
+
+We aim to respond within 48 hours and will work with you on a coordinated disclosure timeline (typically 90 days).
+
+See [SECURITY.md](./SECURITY.md) for the full disclosure policy.
+
+---
+
+## Pull Request Process
+
+### Before Opening a PR
+
+1. **Fork the repo** and create a feature branch:
+   ```bash
+   git checkout -b feature/your-feature-name
+   ```
+
+2. **Make your changes** with tests:
+   - Write code following TypeScript strict mode
+   - Add test cases for new functionality
+   - Update documentation if needed
+
+3. **Run the test suite**:
+   ```bash
+   npm test
+   ```
+   All tests must pass (100% success rate).
+
+4. **Run the build**:
+   ```bash
+   npm run build
+   ```
+   TypeScript must compile cleanly with zero errors.
+
+5. **Update STATUS.md** if adding a new feature:
+   - Add your feature to the current version section
+   - Use consistent formatting with existing entries
+
+### Opening the PR
+
+1. Push your branch to your fork
+2. Open a PR against the `main` branch
+3. Use the PR template and fill out all sections
+4. Include a clear description of **what** changed and **why**
+5. Reference any related issues (e.g., "Closes #123")
+
+### PR Review Criteria
+
+Your PR will be reviewed for:
+
+- ✅ **Test coverage** — All existing tests pass, new tests added
+- ✅ **TypeScript compliance** — No `any` types, strict mode passes
+- ✅ **Security** — Sanitizer pipeline not bypassed
+- ✅ **Documentation** — Code is well-commented and clear
+- ✅ **Performance** — No significant latency regressions
+
+**PRs that will NOT be merged:**
+- ❌ Reduce test count or coverage
+- ❌ Bypass the sanitizer pipeline
+- ❌ Introduce `any` types or disable strict mode
+- ❌ Break existing functionality
+
+---
+
+## Code Style
+
+### TypeScript Conventions
+
+- **TypeScript strict mode** — No `any` types allowed (use `unknown` if necessary)
+- **Explicit return types** — All functions must declare return types
+- **JSDoc comments** — All public functions must have JSDoc documentation
+- **Error handling** — Never throw raw errors; return typed Result objects
+
+### MCP Tool Registration
+
+All new tools must register with proper MCP annotations:
+
+```typescript
+{
+  name: 'tool_name',
+  description: 'What this tool does',
+  readOnlyHint: true,        // If tool doesn't modify state
+  destructiveHint: false,    // If tool could cause data loss
+  idempotentHint: true,      // If repeated calls have same effect
+  openWorldHint: false       // If tool accesses external resources
+}
+```
+
+### Logging
+
+- **Structured JSON** to stderr only (never `console.log`)
+- **Never log PII** — Use field redaction for sensitive data
+- **Use timestamps** in ISO 8601 format
+
+**Example:**
+```typescript
+console.error(JSON.stringify({
+  timestamp: new Date().toISOString(),
+  event: 'sanitization_completed',
+  patterns_detected: ['role_hijacking'],
+  content_modified: true
+}));
+```
+
+---
+
+## Recognition
+
+Contributors who add validated injection patterns that are merged into the main branch will be credited in:
+
+- **SECURITY.md** under "Community Patterns"
+- **Release notes** for the version that includes their pattern
+- **GitHub Contributors** page
+
+We deeply appreciate the security research community's contributions to making Visus more robust.
+
+---
+
+## Questions?
+
+- **General questions**: Open a [GitHub Discussion](https://github.com/visus-mcp/visus-mcp/discussions)
+- **Bug reports**: Use the [Bug Report issue template](https://github.com/visus-mcp/visus-mcp/issues/new?template=bug_report.md)
+- **Security issues**: Email security@lateos.ai (do NOT open public issues)
+
+**Built with by Lateos**

package/README.md

@@ -1,30 +1,55 @@
 # Visus — Secure Web Access for Claude
 
-> **Every MCP browser tool passes raw web content to your LLM. Visus doesn't.**
+[![npm version](https://img.shields.io/npm/v/visus-mcp?color=crimson&label=npm)](https://www.npmjs.com/package/visus-mcp)
+[![tests](https://img.shields.io/badge/tests-246%20passing-brightgreen)](https://github.com/visus-mcp/visus-mcp)
+[![tools](https://img.shields.io/badge/MCP%20tools-4-blue)](https://github.com/visus-mcp/visus-mcp)
+[![mcp](https://img.shields.io/badge/MCP-compatible-brightgreen)](https://modelcontextprotocol.io)
+[![license](https://img.shields.io/badge/license-MIT-blue)](https://github.com/visus-mcp/visus-mcp/blob/main/LICENSE)
+[![security](https://img.shields.io/badge/frameworks-NIST%20%7C%20OWASP%20%7C%20MITRE%20%7C%20ISO42001-orange)](https://github.com/visus-mcp/visus-mcp/blob/main/SECURITY.md)
+[![iso42001](https://img.shields.io/badge/ISO%2FIEC-42001%3A2023-blueviolet)](https://www.iso.org/standard/81230.html)
 
-Visus is an MCP (Model Context Protocol) tool that provides Claude with secure, sanitized access to web pages. Built by [Lateos](https://lateos.ai), Visus runs **all** fetched content through a comprehensive injection sanitization pipeline before the LLM reads a single character.
+> **Your AI agent shouldn't have to read garbage.**
+> **visus-mcp makes sure it doesn't.**
 
-**Tagline:** *"What the web shows you, Lateos reads safely."*
+When your agent fetches a webpage it reads everything — nav bars, cookie banners, tracking scripts, ads, SEO spam. Every token costs money. Some pages also embed hidden instructions designed to manipulate your agent's behaviour.
+
+Claude handles most of it. But it still has to read all of it first. You still pay for every token.
+
+**visus-mcp is a pre-filter.** It strips the noise before a single character enters Claude's context window — reducing token consumption on bloated pages by up to 70%, redacting PII before it enters conversation history, and producing a compliance-grade audit log when it finds something worth flagging.
+
+Built as infrastructure, not a replacement for Claude's own safety training. The two layers together are stronger than either alone.
+```bash
+npx visus-mcp@0.6.0
+```
+
+*"What the web shows you, Lateos reads safely."*
 
 ---
 
-## The Problem with Other Tools
+## Why Your Agent Is Reading Too Much
 
-Popular MCP browser tools like Firecrawl, Playwright MCP, and ScrapeGraphAI pass untrusted web content directly to your LLM without sanitization. This creates a **critical security vulnerability**:
+A typical news article: **12,000 tokens** of raw HTML.
+The actual article content: **~800 tokens**.
 
-- **Prompt injection attacks** can manipulate AI behavior
-- **Personal identifiable information (PII)** can leak into conversation logs
-- **Malicious instructions** hidden in web pages can compromise your AI agent
+You're paying for the nav bar. The footer. The cookie banner. The analytics scripts. The related articles sidebar. The ads.
 
-Visus solves this by treating **every web page as untrusted input** and sanitizing it before your LLM sees it.
+visus-mcp fetches the same page and delivers:
+- **visus_read** — article content only via Mozilla Readability (~70% token reduction on content-heavy pages)
+- **visus_fetch** — full page with noise stripped and format-converted (JSON/XML/RSS auto-detected)
+- **visus_search** — sanitized DuckDuckGo results, SEO spam removed before it hits context
+
+**Real example from today:** fetching npmjs.com/package/visus-mcp returned 149,589 bytes raw. visus-mcp delivered 44,129 bytes to Claude. Same information. 70% fewer tokens.
+
+**And when a page is actively trying to manipulate your agent** — hidden instructions, obfuscated scripts, role hijacking attempts — visus strips those too and logs them in a structured compliance report. Not because Claude can't handle them. Because your agent shouldn't have to spend tokens reading attack attempts in the first place.
 
 ---
 
 ## How Visus Works
 
 ```
-User provides URL → Playwright Fetch → Injection Sanitizer (43 patterns) →
-PII Redactor → Clean Content → Claude via MCP
+URL → Playwright Render → Format Detection (HTML/JSON/XML/RSS)
+→ Reader Extraction (optional) → Injection Sanitizer (43 patterns)
+→ PII Redactor → Token Ceiling (24k cap) → Clean Content → Claude
 ```
 
 ### Security Pipeline
@@ -32,9 +57,9 @@ PII Redactor → Clean Content → Claude via MCP
 1. **Browser Rendering**: Headless Chromium via Playwright fetches the page
 2. **Injection Detection**: 43 pattern categories scan for prompt injection attempts
 3. **PII Redaction**: Emails, phone numbers, SSNs, credit cards, and IP addresses are redacted
-4. **Clean Delivery**: Only sanitized content reaches your LLM
+4. **Clean Delivery**: Stripped, formatted, token-efficient content reaches your LLM — with a compliance report attached if anything was flagged
 
-**This pipeline cannot be bypassed.** Every tool invocation runs content through the full sanitizer.
+**This pipeline runs before content enters Claude's context window** — reducing token consumption, keeping PII out of conversation history, and generating audit logs when injection patterns are detected.
 
 ---
 
@@ -80,11 +105,16 @@ npx visus-mcp
 
 ### Claude Desktop Configuration
 
-Visus supports three rendering backends:
+> [!NOTE]
+> **No API key required.** The open-source tier works out of the box with `npx visus-mcp`.
+> Sanitization always runs locally — web content never reaches Lateos infrastructure
+> unless you explicitly configure the managed renderer URL.
+
+Visus supports three deployment tiers:
 
-**Example 1 — Phase 1 (Default, No Lambda):**
+**Tier 1 — Open Source / Default (No env vars required):**
 
-Basic configuration using undici HTTP fetch (no JavaScript execution):
+Uses Playwright locally with full JavaScript support. Works immediately, zero configuration:
 
 ```json
 {
@@ -97,9 +127,11 @@ Basic configuration using undici HTTP fetch (no JavaScript execution):
 }
 ```
 
-**Example 2 — Managed Tier (Lateos Endpoint):**
+**Tier 2 — Managed / Lateos (Hosted renderer) — Coming Phase 2:**
 
-Use Lateos managed Lambda renderer with Playwright (supports JavaScript, SPAs):
+> [!NOTE]
+> The hosted Lateos renderer is part of Phase 2 and is not yet publicly available.
+> Sign up for early access at [lateos.ai](https://lateos.ai).
 
 ```json
 {
@@ -108,15 +140,16 @@ Use Lateos managed Lambda renderer with Playwright (supports JavaScript, SPAs):
       "command": "npx",
       "args": ["visus-mcp"],
       "env": {
-        "VISUS_RENDERER_URL": "https://renderer.lateos.ai",
-        "NODE_EXTRA_CA_CERTS": "/path/to/system-ca-bundle.pem"
+        "VISUS_RENDERER_URL": "https://renderer.lateos.ai"
       }
     }
   }
 }
 ```
 
-**Example 3 — BYOC (Your Own Lambda):**
+The sanitization pipeline always runs locally. This config simply routes page rendering (JavaScript execution) through a hosted Playwright Lambda instead of local Playwright. Available Phase 2.
+
+**Tier 3 — BYOC (Bring Your Own Cloud):**
 
 Deploy your own Lambda renderer (see [visus-mcp-renderer](https://github.com/visus-mcp/visus-mcp-renderer)):
 
@@ -127,8 +160,7 @@ Deploy your own Lambda renderer (see [visus-mcp-renderer](https://github.com/vis
       "command": "npx",
       "args": ["visus-mcp"],
       "env": {
-        "VISUS_RENDERER_URL": "https://YOUR_API_ID.execute-api.YOUR_REGION.amazonaws.com",
-        "NODE_EXTRA_CA_CERTS": "/path/to/system-ca-bundle.pem"
+        "VISUS_RENDERER_URL": "https://YOUR_API_ID.execute-api.YOUR_REGION.amazonaws.com"
       }
     }
   }
@@ -137,7 +169,7 @@ Deploy your own Lambda renderer (see [visus-mcp-renderer](https://github.com/vis
 
 Replace `YOUR_API_ID` and `YOUR_REGION` with values from your CDK deployment output.
 
-**CRITICAL SECURITY NOTE:** The sanitizer ALWAYS runs locally, regardless of which renderer you use. Rendered HTML is returned to your local visus-mcp process before Claude sees it. PHI never touches Lateos infrastructure (even when using the managed tier).
+**CRITICAL SECURITY NOTE:** The sanitizer ALWAYS runs locally, regardless of which tier you use. Rendered HTML is returned to your local visus-mcp process before Claude sees it. Web content never touches Lateos infrastructure unless you explicitly configure the managed renderer URL.
 
 Restart Claude Desktop. Visus tools are now available to Claude.
 
@@ -147,7 +179,7 @@ Restart Claude Desktop. Visus tools are now available to Claude.
 
 ### `visus_fetch`
 
-Fetch and sanitize a web page with automatic format detection. Supports HTML, JSON, XML, and RSS/Atom feeds. Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS aligned threat report when injection or PII is detected.
+Fetch and sanitize a web page with automatic format detection. Supports HTML, JSON, XML, and RSS/Atom feeds. Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.
 
 **Supported Formats:**
 - **HTML** (`text/html`, `application/xhtml+xml`) - Standard web pages, returned as-is
@@ -157,7 +189,7 @@ Fetch and sanitize a web page with automatic format detection. Supports HTML, JS
 
 ### `visus_read`
 
-Extract clean article content from a web page using Mozilla Readability (reader mode). Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS aligned threat report when injection or PII is detected.
+Extract clean article content from a web page using Mozilla Readability (reader mode). Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.
 
 **Input:**
 ```json
@@ -189,7 +221,7 @@ Extract clean article content from a web page using Mozilla Readability (reader
 
 ### `visus_search`
 
-Search the web via DuckDuckGo and return sanitized results with prompt injection and PII removed. Use before `visus_fetch` or `visus_read` to safely discover and then read pages. Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS aligned threat report when injection or PII is detected.
+Search the web via DuckDuckGo and return sanitized results with prompt injection and PII removed. Use before `visus_fetch` or `visus_read` to safely discover and then read pages. Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.
 
 **Input:**
 ```json
@@ -222,7 +254,7 @@ All search result titles and snippets are independently sanitized before reachin
 
 ### `visus_fetch_structured`
 
-Extract structured data from a web page according to a schema. Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS aligned threat report when injection or PII is detected.
+Extract structured data from a web page according to a schema. Includes NIST AI 600-1 / OWASP LLM / MITRE ATLAS / ISO/IEC 42001 aligned threat report when injection or PII is detected.
 
 **Input:**
 ```json
@@ -275,7 +307,7 @@ Findings are encoded using [TOON format](https://toonformat.dev) for token effic
 - Pattern ID and category
 - Severity level (CRITICAL, HIGH, MEDIUM, LOW)
 - Confidence score
-- Framework alignments (OWASP LLM Top 10, NIST AI 600-1, MITRE ATLAS)
+- Framework alignments (OWASP LLM Top 10, NIST AI 600-1, MITRE ATLAS, ISO/IEC 42001)
 - Remediation status
 
 ### 2. Markdown Compliance Report (Human-Readable)
@@ -290,11 +322,12 @@ A formatted Markdown table renders cleanly in Claude Desktop and GitHub, showing
 
 ### Framework Alignments
 
-Every detected threat is mapped to three compliance frameworks:
+Every detected threat is mapped to four compliance frameworks:
 
 - **[OWASP LLM Top 10 (2025)](https://owasp.org/www-project-top-10-for-large-language-model-applications/)**: Industry-standard LLM security risks
 - **[NIST AI 600-1](https://csrc.nist.gov/pubs/ai/600/1/final)**: Generative AI Profile for risk management
 - **[MITRE ATLAS](https://atlas.mitre.org/)**: Adversarial Threat Landscape for AI Systems
+- **[ISO/IEC 42001:2023](https://www.iso.org/standard/81230.html)**: International AI Management System standard — Annex A controls for AI system security, data quality, and responsible AI governance. Globally recognized for enterprise and regulatory procurement.
 
 ### When Reports Are Generated
 
@@ -303,6 +336,32 @@ Threat reports are included in tool responses **only when findings exist**:
 - ✅ PII redacted → Report included
 - ❌ Clean content → Report omitted (zero overhead)
 
+### Human-in-the-Loop Security
+
+When Visus detects a **CRITICAL** severity threat, it pauses execution and surfaces a confirmation dialog before returning content:
+
+```
+⚠️ Visus blocked a CRITICAL threat on this page.
+
+2 injection attempt(s) detected on: https://malicious.example.com
+
+Highest severity finding: role_hijacking
+(LLM01:2025 | AML.T0051.000)
+
+Content has been sanitized. Proceed with clean version?
+
+[ ✓ Proceed with sanitized content ]  [ ✓ Include threat report ]
+```
+
+**Three outcomes:**
+- **Accept** → Sanitized content delivered, threat report attached if requested
+- **Decline** → Request blocked, threat details returned for review
+- **No response / timeout** → Sanitized content delivered (fail-safe)
+
+**Important:** HITL triggers only on CRITICAL findings. HIGH/MEDIUM/LOW findings are sanitized silently with threat report attached — no interruption to workflow.
+
+**Security model:** Sanitization is the security gate. HITL is UX. Content is ALWAYS sanitized before reaching the LLM, whether or not you accept the elicitation prompt.
+
 ### Example Threat Report
 
 When a HIGH severity injection is detected:
@@ -313,7 +372,7 @@ When a HIGH severity injection is detected:
 **Generated:** 2026-03-23T14:30:00.000Z
 **Source:** https://malicious.example.com
 **Overall Severity:** HIGH
-**Framework:** OWASP LLM Top 10 | NIST AI 600-1 | MITRE ATLAS
+**Framework:** OWASP LLM Top 10 | NIST AI 600-1 | MITRE ATLAS | ISO/IEC 42001
 
 ### Findings Summary
 | Severity | Count |
@@ -324,9 +383,9 @@ When a HIGH severity injection is detected:
 | 🟢 LOW | 0 |
 
 ### Findings Detail
-| # | Category | Severity | Confidence | OWASP | MITRE |
-|---|---|---|---|---|---|
-| 1 | role_hijacking | CRITICAL | 95% | LLM01:2025 | AML.T0051.000 |
+| # | Category | Severity | Confidence | OWASP | MITRE | ISO 42001 |
+|---|---|---|---|---|---|---|
+| 1 | role_hijacking | CRITICAL | 95% | LLM01:2025 | AML.T0051.000 | A.6.1.5 |
 
 ### Remediation Status
 ✅ All findings sanitized. Content delivered clean.
@@ -698,7 +757,7 @@ Visus is part of the **Lateos** platform — a security-by-design AI agent frame
 
 - **AWS Serverless**: Lambda, Step Functions, API Gateway, Cognito
 - **Security**: Bedrock Guardrails, KMS encryption, Secrets Manager
-- **Validated Patterns**: 43 injection patterns, 122/122 passing tests
+- **Validated Patterns**: 43 injection patterns, 274/274 passing tests
 - **CISSP/CEH-Informed**: Designed by security professionals
 
 Learn more: [lateos.ai](https://lateos.ai) (Phase 2)
@@ -749,17 +808,21 @@ npm start
 
 ## Project Status
 
-**Phase 1** (Current): Open-source MCP tool with local sanitization
+| Version | Status | Highlights |
+|---|---|---|
+| v0.7.0 | ✅ Complete | HITL Elicitation Bridge for CRITICAL threats |
+| v0.6.0 | ✅ Released | Content-Type detection (JSON/XML/RSS) |
+| v0.5.0 | ✅ Released | TOON threat reports, NIST/OWASP/MITRE/ISO42001 |
+| v0.4.0 | ✅ Released | Safe DuckDuckGo search |
+| v0.3.2 | ✅ Released | Reader mode (Mozilla Readability) |
+| v0.3.1 | ✅ Released | Security hardening, 100% compliance |
+| v0.3.0 | ✅ Released | PII allowlist (health authority numbers) |
 
-**Phase 2** (Planned):
-- Lateos cloud integration for audit logging
-- User session relay for authenticated pages
-- Hosted tier with SLA guarantees
+**Phase 3 — Anthropic MCP Directory submission in progress.**
 
-**Phase 3** (Future):
-- Chrome extension for session relay
-- Real-time threat dashboard
-- Custom pattern libraries
+Roadmap: `visus_report` PDF export · Docker image ·
+`visus-file-mcp` (document sanitization) ·
+Chrome extension for authenticated pages (LinkedIn, X, dashboards)
 
 ---
 
@@ -777,7 +840,7 @@ Report vulnerabilities: **security@lateos.ai** or [GitHub Security](https://gith
 
 MIT License
 
-Copyright (c) 2024 Lateos (Leo Chongolnee)
+Copyright (c) 2026 Lateos (Leo Chongolnee)
 
 ---
 
@@ -791,6 +854,9 @@ Inspired by the MCP ecosystem and informed by CISSP/CEH security principles.
 
 ## FAQ
 
+**Q: Does visus-mcp replace Claude's own safety features?**
+A: No — and it's not trying to. Claude handles most injection attempts natively through its safety training. visus-mcp is a pre-filter that runs before content enters Claude's context window. The benefit is efficiency: your agent doesn't spend tokens processing noise, ads, tracking scripts, or known injection patterns that would be stripped anyway. Think of it as a pre-processor, not a replacement for model-level safety. The two layers together are more robust than either alone.
+
 **Q: Does Visus slow down web fetching?**
 A: Minimal overhead. Sanitization adds ~50-200ms per page.