feat(llm-security): add /security ide-scan — VS Code / JetBrains extension prescan (v6.3.0)
New standalone scanner (prefix IDE) discovers installed VS Code extensions across forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH) and runs 7 IDE-specific threat checks: blocklist match (CRITICAL), theme-with-code, sideload (unsigned .vsix), dangerous uninstall hook (HIGH), wildcard activation, extension-pack expansion, typosquat (MEDIUM). Per-extension reuse of UNI/ENT/NET/TNT/MEM/SCR scanners with bounded concurrency. Offline-first; --online opt-in. JetBrains discovery stubbed for v1.1. 22 new tests (1296 total, was 1274).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent 7bcf5fae9d
commit 6252e55700
33 changed files with 1849 additions and 20 deletions
@ -4,12 +4,12 @@
*Built for my own Claude Code workflow and shared openly for anyone who finds it useful. This is a solo project — bug reports and feature requests are welcome, but pull requests are not accepted.*
A Claude Code plugin that provides security scanning, auditing, and threat modeling for agentic AI projects. Built on [OWASP LLM Top 10 (2025)](https://genai.owasp.org/llm-top-10/), [OWASP Agentic AI Top 10](https://genai.owasp.org/agentic-ai/), and the [AI Agent Traps](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438) taxonomy (Google DeepMind, 2025), with threat intelligence from ToxicSkills, ClawHavoc, MCPTox, Pillar Security, Invariant Labs, and Operant AI research.
@ -46,8 +46,8 @@ Claude Code plugins, MCP servers, and agentic workflows introduce attack surface
This plugin provides three layers of protection:
- **Automated enforcement** — 9 hooks that block dangerous operations in real time (prompt injection in user input, secrets in code, writes to sensitive paths, destructive shell commands, supply chain guardrails, suspicious tool output, runtime trifecta detection, transcript scanning before context compaction, update notifications)
- **Deterministic scanning** — 21 Node.js scanners (10 orchestrated + 11 standalone) that perform byte-level analysis LLMs cannot: Shannon entropy, Unicode codepoints, Levenshtein distance for typosquatting, source-to-sink taint flow, DNS resolution, git history forensics, toxic flow analysis, memory poisoning, live MCP inspection, AI-BOM generation, attack simulation
- **Advisory analysis** — 18 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation plans
- **Deterministic scanning** — 22 Node.js scanners (10 orchestrated + 12 standalone) that perform byte-level analysis LLMs cannot: Shannon entropy, Unicode codepoints, Levenshtein distance for typosquatting, source-to-sink taint flow, DNS resolution, git history forensics, toxic flow analysis, memory poisoning, live MCP inspection, AI-BOM generation, attack simulation, IDE extension prescan
- **Advisory analysis** — 19 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation plans
Key capabilities:
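Review bot: the scanner and command totals rewritten in this hunk (21 to 22 scanners, 18 to 19 commands) are hand-maintained numbers that the same file repeats in the Deterministic Scanners intro, the `### Standalone` heading, the Advisory subgraph label and the changelog row, so every new scanner needs the identical edit in five places. Consider a test that derives the counts from the scanner and command files on disk and compares them to the README, so a missed spot fails CI instead of drifting silently; the bullet wording itself reads fine.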
@ -165,6 +165,7 @@ Or enable directly in `~/.claude/settings.json`:
| `/security plugin-audit [path\|url]` | Dedicated plugin security audit with Install/Review/Do Not Install verdict (local or GitHub URL) |
| `/security mcp-audit [--live]` | Focused audit of all installed MCP server configurations (add `--live` for runtime inspection) |
| `/security mcp-inspect` | Connect to running MCP stdio servers and scan live tool descriptions |
| `/security ide-scan [target]` | Scan installed VS Code (+ Cursor, Windsurf, VSCodium, code-server) / JetBrains extensions — typosquat, theme-with-code, sideload, broad activation, uninstall hooks, plus UNI/ENT/NET/TNT/MEM/SCR per extension. Offline by default |
| `/security posture` | Quick security posture scorecard (16 categories incl. compliance) |
| `/security diff [path]` | Compare scan against stored baseline — shows new/resolved/unchanged/moved findings |
| `/security watch [path] [--interval 6h]` | Continuous monitoring — runs diff on a recurring interval via /loop |
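Review bot: the new `/security ide-scan [target]` row lists JetBrains extensions as a scan target, but the commit message says JetBrains discovery is stubbed for v1.1; mark it as planned in the row (for example `/ JetBrains (stub)`) so a user with only a JetBrains IDE installed does not read an empty result as a clean bill of health. The `[target]` argument is also undocumented: the neighbouring rows spell out what they accept (`[path\|url]`, `[--live]`), so say whether `target` is an extensions directory, a single extension folder or an IDE name, and mention the `--online` opt-in the commit message describes.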
@ -365,7 +366,7 @@ For deep scans (`/security scan --deep` or `/security deep-scan`), deterministic
## Deterministic Scanners
10 orchestrated + 11 standalone Node.js scanner scripts that perform byte-level analysis an LLM cannot. Zero external dependencies. Orchestrated scanners run via `node scanners/scan-orchestrator.mjs <target>` or through `/security deep-scan`. Supports `--fail-on <severity>`, `--compact`, `--format sarif`, `--output-file <path>`.
10 orchestrated + 12 standalone Node.js scanner scripts that perform byte-level analysis an LLM cannot. Zero external dependencies. Orchestrated scanners run via `node scanners/scan-orchestrator.mjs <target>` or through `/security deep-scan`. Supports `--fail-on <severity>`, `--compact`, `--format sarif`, `--output-file <path>`.
### Orchestrated (10)
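Review bot: the rewritten intro still only shows how the orchestrated set is run (`node scanners/scan-orchestrator.mjs <target>`) and which flags it accepts, while the standalone scanner this commit adds is invoked on its own and has its own `--online` switch per the commit message. Add a one-line invocation for the IDE scanner and state whether `--fail-on <severity>`, `--compact` and `--format sarif` apply to standalone scanners too, because CI users will otherwise assume the threshold exit code covers IDE findings.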
@ -382,13 +383,14 @@ For deep scans (`/security scan --deep` or `/security deep-scan`), deterministic
| `supply-chain-recheck.mjs` | SCR | Re-audit installed deps from lockfiles against blocklists, OSV.dev batch API, typosquat detection | LLM03 |
| `toxic-flow-analyzer.mjs` | TFA | Lethal trifecta detection: untrusted input + sensitive data access + exfiltration sink. Cross-component correlation (runs last) | ASI01, ASI02, ASI05 |
### Standalone (11)
### Standalone (12)
| Scanner | Prefix | Purpose |
|---------|--------|---------|
| `scan-orchestrator.mjs` | — | Entry point: runs all 10 orchestrated scanners, outputs JSON |
| `posture-scanner.mjs` | PST | Deterministic posture assessment, 16 categories (incl. EU AI Act, NIST AI RMF, ISO 42001), <50ms |
| `mcp-live-inspect.mjs` | MCI | Live MCP server inspection via JSON-RPC 2.0 (tool injection, shadowing, URL/IP) |
| `ide-extension-scanner.mjs` | IDE | VS Code (+ Cursor, Windsurf, VSCodium, code-server) / JetBrains extension prescan: blocklist, theme-with-code, sideload, broad activation, typosquat, extension-pack expansion, dangerous uninstall hooks — then UNI/ENT/NET/TNT/MEM/SCR per extension |
| `attack-simulator.mjs` | — | Red-team harness: 64 scenarios, 12 categories, adaptive mutation mode |
| `ai-bom-generator.mjs` | BOM | CycloneDX 1.6 AI Bill of Materials |
| `dashboard-aggregator.mjs` | — | Cross-project security dashboard, machine-grade aggregation |
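Review bot: the `ide-extension-scanner.mjs` row names JetBrains as a supported target alongside VS Code although the commit message describes JetBrains discovery as a stub, and it lists the seven checks without the severities the commit message assigns (blocklist match CRITICAL; theme-with-code, sideload and dangerous uninstall hook HIGH; wildcard activation, extension-pack expansion and typosquat MEDIUM). Recording the severity per check in the Purpose column lets a reader predict what a severity threshold would trigger on. It is also worth a phrase that this is the one standalone scanner that re-enters the orchestrated set (UNI/ENT/NET/TNT/MEM/SCR per extension), since the 10 orchestrated / 12 standalone split otherwise reads as two disjoint groups.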
@ -428,7 +430,7 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W
## Knowledge Base
16 research-backed reference files grounding all analysis in published threat intelligence:
18 research-backed reference files grounding all analysis in published threat intelligence:
| File | Scope |
|------|-------|
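Review bot: the count goes from 16 to 18 here, but the commit message and the 6.3.0 changelog row in this same diff name three new knowledge files (`ide-extension-threat-patterns.md`, `top-vscode-extensions.json`, `top-jetbrains-plugins.json`). Either the total should be 19 and the JetBrains stub needs its own table row, or the changelog should stop listing the stub as a knowledge file; pick one so the number and the table agree.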
@ -448,6 +450,8 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W
| `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation |
| `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing |
| `typosquat-allowlist.json` | Allowlisted package names to reduce false positives in typosquatting detection |
| `ide-extension-threat-patterns.md` | 10 IDE-extension detection categories (VS Code + JetBrains) with 2024-2026 case studies (GlassWorm, WhiteCobra, TigerJack, Material Theme) |
| `top-vscode-extensions.json` | Top ~100 VS Code Marketplace extension IDs (Levenshtein typosquat seed) + blocklist of known-malicious publisher.name entries |
> [!NOTE]
> All knowledge base content is derived from published OWASP standards and peer-reviewed security research. The knowledge files provide grounding for agent analysis — agents read relevant sections before producing findings.
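Review bot: the unchanged NOTE under the table still claims that all knowledge base content is derived from published OWASP standards and peer-reviewed research, but the two rows added above it are a curated list of popular extension IDs, a blocklist of publisher.name entries and case studies that the changelog attributes to a vendor (Koi Security). Widen the note to cover vendor threat intelligence and curated lists, and document in the `top-vscode-extensions.json` row how the blocklist is sourced and refreshed, because a stale blocklist turns the CRITICAL check into false assurance. Minor: this row says "Top ~100" while the changelog says "top-100"; use one figure.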
@ -619,7 +623,7 @@ flowchart TB
S3["MCI · PST · BOM<br/>Standalone scanners"]
end
subgraph Advisory["Advisory Analysis (6 agents, 18 commands)"]
subgraph Advisory["Advisory Analysis (6 agents, 19 commands)"]
direction LR
A1["Skill Scanner<br/>7 threat categories"]
A2["MCP Scanner<br/>5-phase analysis"]
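Review bot: the Advisory subgraph label is bumped to 19 commands, but the S3 node in the context lines above still reads `MCI · PST · BOM<br/>Standalone scanners` and does not pick up the new IDE prefix, so the architecture diagram now disagrees with the Standalone (12) table in the same file. Add IDE to the S3 label in this hunk.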
@ -818,6 +822,7 @@ This plugin provides full-stack security hardening (static analysis + supply cha
| Version | Date | Highlights |
|---------|------|------------|
| **6.3.0** | 2026-04-17 | **IDE extension prescan.** New `/security ide-scan` command and `ide-extension-scanner.mjs` (prefix IDE) discover and audit installed VS Code extensions (and forks: Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH; JetBrains is a v1.1 stub). 7 IDE-specific checks: blocklist match, theme-with-code, sideload (`.vsix`), broad activation (`*`, `onStartupFinished`), Levenshtein typosquat ≤2 vs top-100, extension-pack expansion, dangerous `vscode:uninstall` hooks. Per-extension orchestration of UNI/ENT/NET/TNT/MEM/SCR scanners with bounded concurrency. OS-aware discovery via `lib/ide-extension-discovery.mjs` (Platform-specific suffix parsing for `darwin-x64`, `linux-arm64`, etc.). Offline-first; `--online` opt-in for future Marketplace/OSV.dev lookups. New knowledge files: `ide-extension-threat-patterns.md` (10 categories, 2024-2026 case studies from Koi Security — GlassWorm, WhiteCobra, TigerJack, Material Theme), `top-vscode-extensions.json` (typosquat seed + blocklist), `top-jetbrains-plugins.json` (stub). 1296 tests (was 1274). |
| **6.2.0** | 2026-04-17 | **Opus 4.7 + Claude Code 2.1.112 alignment.** Bash-normalize extended with T5 (`${IFS}` word-splitting) and T6 (ANSI-C `$'\xHH'` hex quoting) layers. New `pre-compact-scan.mjs` PreCompact hook — scans transcript tail (500 KB cap, <500 ms) for injection + credentials before context compaction. Modes: `block` / `warn` / `off` via `LLM_SECURITY_PRECOMPACT_MODE`. Agent files reframed for Opus 4.7's more literal instruction-following (Step 0 generaliseringsgrense + parallell Read-hint in skill-scanner + mcp-scanner). New `docs/security-hardening-guide.md` with env-var reference, sandboxing notes, system-card §5.2.1 / §6.3.1.1 mapping. CLAUDE.md Defense Philosophy links to system card. 1274 tests (was 1264). |
| **6.1.0** | 2026-04-10 | **CI/CD integration.** `--fail-on <severity>` flag for threshold-based exit codes (exit 1 if findings at/above level). `--compact` output mode (one-liner per finding). Policy `ci` section in `policy.json`. Pipeline templates: GitHub Actions, Azure DevOps, GitLab CI with SARIF upload. CI/CD guide (`docs/ci-cd-guide.md`) with Schrems II/NSM compliance docs. npm publish preparation (`files` whitelist). 1264 tests. |
| **6.0.0** | 2026-04-10 | **CAISS-readiness release.** Enterprise compliance and governance layer: compliance mapping (EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS), Norwegian regulatory context (Datatilsynet, NSM, Digitaliseringsdirektoratet), SARIF 2.1.0 output format (`--format sarif`), structured JSONL audit trail (`audit-trail.mjs`), AI-BOM generator (CycloneDX 1.6), policy-as-code (`.llm-security/policy.json`), standalone CLI (`bin/llm-security.mjs` — `node bin/llm-security.mjs scan`). Posture scanner expanded to 16 categories (+EU AI Act, NIST AI RMF, ISO 42001). Attack simulator benchmark mode (`--benchmark`). 15 knowledge docs, 16 scanners, 1242+ tests. |
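Review bot: the 6.3.0 entry presents `--online` as an opt-in "for future Marketplace/OSV.dev lookups", which means the flag is accepted today but performs no lookup; say that plainly (for example "currently a no-op") so nobody reads `--online` as enabling reputation checks. Two smaller drifts against earlier hunks in this diff: the typosquat seed is "top-100" here but "Top ~100" in the knowledge table, and `top-jetbrains-plugins.json` is listed as a new knowledge file while the Knowledge Base table gains only two rows and its count rises from 16 to 18.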