Skip to content

Changelog

3.3.0 (2026-06-19)

Features

  • security-assessment: build joern C# CPGs for .NET targets (#278) (9ba5153)

Documentation

  • fp-reduction SKILL.md + security-assessment user guide. (9ba5153)

Miscellaneous

  • plugins: remove deprecated legacy stubs and rename-migration upgrade path (#275) (2048687)

3.2.1 (2026-06-18)

Bug Fixes

  • security-assessment: stop shipping build/test scripts; make runtime scripts discoverable (#263) (5ae7afc)

3.2.0 (2026-06-07)

Features

  • security: per-rule semgrep fixtures + measured fp_rate for the 36 custom rules (#157) (e8bc52f)

Documentation

  • remove implemented and issue-converted design docs (#120) (11aa734)

3.1.1 (2026-06-05)

Miscellaneous

  • convert pending specs/plans to GitHub issues; remove spec/plan files (aea265e)
  • convert pending specs/plans to GitHub issues; remove spec/plan files (cf82c79)
  • scrub stale helper-scripts plan reference in _lib.sh (0d77bd2)

3.1.0 (2026-06-04)

Features

  • security-assessment: add /upgrade command (382b89f)
  • security-assessment: add /upgrade command (3ebd5bb)

3.0.0 (2026-06-02)

⚠ BREAKING CHANGES

  • published plugin ids in the bfinster marketplace are now 'dev-team' and 'security-assessment' (previously 'agentic-dev-team' and 'agentic-security-assessment'). The 'agentic-' prefix carried no information — every plugin in this marketplace is agentic by definition.

Code Refactoring

  • agents: orchestration cluster has no remaining sweep work (12c) (a7c3211)
  • rename plugins to dev-team and security-assessment (a36bba2)
  • security-assessment: sweep references; add install legacy-detection (817e713)

2.2.2 (2026-06-02)

Code Refactoring

  • agents: orchestration cluster has no remaining sweep work (12c) (a7c3211)

2.2.1 (2026-05-12)

Code Refactoring

  • security-assessment: trim agents and apply progressive disclosure (f8d3b21)

2.2.0 (2026-05-01)

Features

  • security-assessment: add Stage 0 devil's advocate + confidence field to fp-reduction (89b34e1)
  • security-assessment: expand Phase 1b with 3 new judgment agents (9dad5ee)
  • security-assessment: Phase 1b expansion + fp-reduction Stage 0/confidence (v2.2.0) (4e77037)
  • security-assessment: recalibrate CRITICAL threshold against opus_repo_scan_test reference (0c221cb)
  • security-assessment: recalibrate CRITICAL threshold against opus_repo_scan_test reference (v2.3.0) (7a3c320)

Miscellaneous

  • security-assessment: release 2.2.0 (6296245)
  • security-assessment: release 2.3.0 (1d61422)

[2.3.0] (2026-05-01)

Features

  • security-assessment: recalibrate severity scoring against opus_repo_scan_test reference framework. CRITICAL is now reserved for findings exploitable immediately with no prerequisites that lead to data breach or fraud bypass (score >= 9). HIGH covers exploitable-with-moderate-effort issues (score 6-8). Earlier threshold of score >= 7 → CRITICAL combined with broad domain-class floors at 7 produced an inverted CRITICAL/HIGH pyramid (e.g. NextGen 198C/95H, Walletron 307C/10H). The recalibrated thresholds restore the proper distribution where HIGH > CRITICAL — validated against the reference's published 7C/12H/7M/3L example output.
  • security-assessment: introduce discriminator-aware domain-class floors. hardcoded-creds floor=9 only when production-reachable; dev-only-fallback discriminator drops to 7 (HIGH). unauth-admin-endpoint floor=9 only when direct privilege escalation is enabled (model swap, token mint, cache flush, fraud bypass); info-disclosure-only discriminator drops to 7 (HIGH). New explicit floor=9 classes for fail-open-scoring, emulation-bypass, and client-controlled-aggregate matching reference S03-FS-01/02/03/04.

Documentation

  • security-assessment: knowledge/severity-floors.json adds score_to_severity thresholds and per-class discriminator fields. Each class rationale now cites the corresponding opus_repo_scan_test reference finding ID for audit traceability.
  • security-assessment: agents/fp-reduction.md floor table updated with reference-finding citations and discriminator guidance.

[2.2.0] (2026-05-01)

Features

  • security-assessment: add recon-driven-scan agent — bridges Phase 0 RECON narrative to concrete file:line evidence. Reads RECON's human-language risk descriptions and validates each described risk has matching code via targeted grep, finding patterns SAST cannot express (inverted-boolean TLS defaults, RCE shapes via expression libraries like Flee/Dynamic LINQ, header-driven SQL connection strings, body-trusted IDOR, masker exception PII fallback, format-preserving tokens). Includes a 28-pattern claim→search library covering unauth gRPC, TLS bypass, PII leak, crypto misuse, exception leak, SQL/code injection, SSRF, and DoS categories. Validated against the NextGen 2026-05-01 portfolio rerun: 12 repos previously scored zero-findings by SAST were re-scanned and produced 75 confirmed findings (8 CRITICAL, 17 HIGH) with zero false alarms. Notable additions the original SAST missed: 2 production SQL injections in search-service, RCE shape via Flee+Dynamic LINQ in profile-custompipes, inverted-boolean TLS bypass library-amplified across all consumer Lambdas in notificationinfrastructure, and expansion of the Jupiter2020$ cross-repo credential reuse chain.
  • security-assessment: Phase 1b is now a 5-agent parallel dispatch — security-review + business-logic-domain-review (via security-review-adapter) + deep-code-reasoning + authorization-logic-review + recon-driven-scan (latter three emit unified-finding-v1 directly, appended via jq).

Documentation

  • security-assessment: Phase 1b parallelization rule, artifacts table, and exec-report agent→phase mapping all updated. Plugin-level CLAUDE.md agent registry updated 11 → 12.

2.1.0 (2026-04-27)

Features

  • security-assessment: ship apply-accepted-risks.sh + primitives contract v1.3.0 (caa62df)
  • security-assessment: ship apply-severity-floors.sh with externalized allow-list (399f300)
  • security-assessment: ship find-ci-files.sh for CI/CD definition discovery (3782dac)
  • security-assessment: ship phase-timer.sh with shell-test harness (652e8a9)

Code Refactoring

  • security-assessment: address /code-review findings (1f61c6e)

Miscellaneous

  • ci: wire helper-script tests + shellcheck into CI (8cb6126)

2.0.0 (2026-04-24)

⚠ BREAKING CHANGES

  • security-assessment: plugin renamed to eliminate prefix collision with the security-review agent that lives in agentic-dev-team. The agent name is contract-stable (per security-primitives-contract.md registry) and does not move. The plugin ships under its new name from 1.0.0 forward.

Code Refactoring

  • security-assessment: rename plugin agentic-security-review → agentic-security-assessment (1.0.0) (9195f22)

Documentation

  • agentic-dev-team: update cross-references to renamed companion plugin + history note on rename docs (87a7a34)
  • security-assessment: update plugin-internal references to new name + CHANGELOG 1.0.0 migration entry (7e0ebc7)

1.0.0 — RENAMED from agentic-security-review (2026-04-24)

BREAKING CHANGE — plugin rename

The plugin has been renamed from agentic-security-review to agentic-security-assessment to eliminate the prefix collision with the security-review agent that lives in agentic-dev-team. The agent name is contract-stable and did not move.

Migration

Existing users must update the following references:

  1. claude plugin install: agentic-security-review@bfinsteragentic-security-assessment@bfinster
  2. .claude/settings.local.json opt-out snippets referencing plugins/agentic-security-review/plugins/agentic-security-assessment/
  3. Any automation, docs, or commit-scope conventions citing the plugin path or name

The plugin's primitives-contract compatibility is unchanged (^1.0.0). The security-review agent ID in the contract registry is unchanged. No runtime behavior change.

Link to spec: docs/specs/plugin-rename-security-assessment.md.

0.3.0 (2026-04-22)

Features

  • security-review: add NATS/messaging semgrep rules and training data inference detection (gaps 1, 6) (fdf87c5)
  • security-review: add serialization rules, base64 scan tool, datastore/Cassandra rules (gaps 2, 4, 5) (48efd6e)
  • security-review: add severity consistency check, cross-cutting section, report verifier (gaps 3, 7, 8) (4b270de)
  • security-review: add Windows PowerShell install script (37930f5)

Bug Fixes

  • security-review: upgrade all agents to opus (5868b30)

0.2.1 (2026-04-22)

Bug Fixes

  • security-review: pin CWE display format to match opus_repo_scan_test reference (74eafe2)

0.2.0 (2026-04-22)

Features

  • fp-reduction: add domain-class severity floors to exploitability scoring (e7addcf)
  • hooks: auto-time every Agent dispatch via PreToolUse+PostToolUse hook (f4fa9ce)
  • per-plugin release-please + registry finalization (Step 20) (5350137)
  • pipeline: multi-target parallelism, Phase-4-reorder, mandatory timing (5f49180)
  • plugin: add install-macos.sh to install tools the plugin calls (e149423)
  • scripts: extract Phase 1c / 2b / CI-scope fixes to deterministic scripts (d620475)
  • security-review: Phase B detection agents + skills (Steps 8, 9, 10, 11) (cac5a43)
  • security-review: Phase B orchestration (Steps 12, 13, 14) (2821822)
  • security-review: PostToolUse auto-scan hook + 4 custom semgrep rulesets (1be4137)
  • security-review: red-team analyzers + /export-pdf (Steps 18 + 19) (b0605aa)
  • security-review: red-team harness scaffold + libs + scope enforcement (Step 15) (2385398)
  • security-review: red-team probes 01-08 (Steps 16 + 17) (1c3d693)
  • security-review: scaffold companion plugin (8324dc2)

Bug Fixes

  • fp-reduction: enforce schema-conformant nested disposition register shape (b4be5ff)
  • scope: CI/CD workflow files explicitly in scope for static + security review (763924f)
  • security-assessment: make ACCEPTED-RISKS suppression an enforced Phase 1c gate (71de667)

Documentation

  • move per-plugin install instructions into each plugin's README (26bca28)

Miscellaneous

  • security-review: gitignore pycache + harness runtime dirs (8f03a46)