jprdonnelly/core
1
0
Fork 0
mirror of synced 2025-12-25 02:14:57 -05:00
Code Issues Projects Releases Wiki Activity

Add traversal example, anti-pattern warning, and fetch counts

Browse Source 
Based on detailed LLM feedback about navigation mistakes:

1. Added explicit statement that prev-security crosses year boundaries
   automatically (e.g., 2025/01 → 2024/11)

2. Added concrete traversal trace example showing the prev-security
   chain for "CVEs since September 2024"

3. Added anti-pattern warning: "Do not fetch year indexes to inspect
   _embedded.months[] and plan fetches manually"

4. Reframed "trust" as capability: O(security-months) not O(all-months)

5. Added expected fetch counts for self-assessment:
   - Latest patch: 2-3 fetches
   - CVEs since [date]: 1 + security months in range
   - CVEs for patch: 2-3 fetches

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Richard Lander
2025-12-08 16:04:44 -08:00
parent e73d403999
commit daa493cb34
2 changed files with 34 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
llms.txt
View File

@@ -45,13 +45,28 @@ Reference:
**"What CVEs since [date]?"** — Timeline with `prev-security`:
1. Timeline Index → year → `latest-security-month` (starts at most recent security month, skipping empty months)
2. Follow `prev-security` links until the month is before target date (stop when `month < target`)
1. Timeline Index → year → `latest-security-month`
2. Follow `prev-security` links until month is before target date
3. Each month index has `_embedded.disclosures[]` with severity, title, affected versions, fix commits
4. Filter by `affected_releases` if user specified versions (e.g., "for my .NET 8 and 9")
5. Only fetch `cve.json` if detailed descriptions or package version ranges are needed
4. Filter by `affected_releases` if user specified versions
5. Only fetch `cve.json` for CVSS vectors, CWE, or package version ranges
The `latest-security-month` and `prev-security` links are pre-computed — trust them to skip non-security months efficiently. This approach also deduplicates CVEs affecting multiple versions.
The `prev-security` links are pre-computed and cross year boundaries automatically (e.g., `2025/01` → `2024/11`). Following them is O(security-months), not O(all-months). No year index fetches needed after the first.
Example traversal for "CVEs since September 2024":
```text
Timeline Index → 2025/index.json
→ latest-security-month → 2025/10 ✓
→ prev-security → 2025/06 ✓
→ prev-security → 2025/04 ✓
→ prev-security → 2025/01 ✓
→ prev-security → 2024/11 ✓ (crosses year boundary)
→ prev-security → 2024/10 ✓
→ prev-security → 2024/08 (before Sept, STOP)
```
**Anti-pattern:** Do not fetch year indexes to inspect `_embedded.months[]` and plan fetches manually. The `prev-security` chain already encodes this — follow it instead.
**"What patch should I install for .NET X?"** — Direct version lookup:
@@ -64,6 +79,14 @@ The `latest-security-month` and `prev-security` links are pre-computed — trust
1. Timeline Index → current year → current month
2. Filter `_embedded.disclosures[]` by `cvss_severity == "CRITICAL"`
**Expected fetch counts** (for self-assessment):
* "Latest patch for .NET X": 23 fetches
* "CVEs since [date]": 1 + number of security months in range
* "CVEs for specific patch": 23 fetches
If your count significantly exceeds these, you may be navigating inefficiently.
## Releases Index
Best for **single-version** queries (e.g., "latest patch for .NET 8").

10
llms/reference.md
View File

@@ -490,14 +490,16 @@ The CVE JSON file provides full details and pre-computed query dictionaries:
**For "CVEs since [date]" queries** (with or without version filter), use `prev-security` to walk backwards:
1. GET `timeline/index.json` → navigate to year → `_links["latest-security-month"].href`
2. Follow `prev-security` links until the month is before target date (stop when `month < target`)
2. Follow `prev-security` links until month is before target date
3. Each month has `_embedded.disclosures[]` with severity, title, affected versions, fix commits
4. Filter by `affected_releases` if user specified versions (e.g., "for my .NET 8 and 9")
5. Only fetch `cve.json` if detailed descriptions or package version ranges are needed
4. Filter by `affected_releases` if user specified versions
5. Only fetch `cve.json` for CVSS vectors, CWE, or package version ranges
6. **Always ask**: "Would you like inline diffs for these fixes?"
7. If yes: **Fetch immediately** — firewall or domain restrictions may block later access
The `latest-security-month` and `prev-security` links are pre-computed — trust them to skip non-security months. This approach also deduplicates CVEs affecting multiple versions (fetched once, not per-version).
The `prev-security` links are pre-computed and cross year boundaries automatically (e.g., `2025/01``2024/11`). Following them is O(security-months), not O(all-months). No year index fetches needed after the first.
**Anti-pattern:** Do not fetch year indexes to inspect `_embedded.months[]` and plan fetches manually. The `prev-security` chain already encodes this — follow it instead.
**For specific month queries**, navigate directly: