feat(llm-security): add /security ide-scan — VS Code / JetBrains extension prescan (v6.3.0)

New standalone scanner (prefix IDE) discovers installed VS Code extensions across forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH) and runs 7 IDE-specific threat checks: blocklist match (CRITICAL), theme-with-code, sideload (unsigned .vsix), dangerous uninstall hook (HIGH), wildcard activation, extension-pack expansion, typosquat (MEDIUM). Per-extension reuse of UNI/ENT/NET/TNT/MEM/SCR scanners with bounded concurrency. Offline-first; --online opt-in. JetBrains discovery stubbed for v1.1. 22 new tests (1296 total, was 1274). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 16:23:35 +02:00 · 2026-04-17 16:23:35 +02:00 · 6252e55700
commit 6252e55700
parent 7bcf5fae9d
33 changed files with 1849 additions and 20 deletions
--- a/plugins/llm-security/bin/llm-security.mjs
+++ b/plugins/llm-security/bin/llm-security.mjs
@ -26,6 +26,9 @@ Commands:
      Quick security posture assessment (16 categories)
  audit-bom <target> [--output-file <path>]
      Generate AI Bill of Materials (CycloneDX 1.6)
+  ide-scan [target] [--vscode-only] [--intellij-only] [--include-builtin]
+           [--online] [--format compact|json] [--fail-on <severity>]
+      Scan installed VS Code / JetBrains extensions (offline by default)
  benchmark [--adaptive] [--category <name>]
      Run attack simulation benchmark

@ -52,6 +55,7 @@ const COMMANDS = {
  'deep-scan': { script: 'scanners/scan-orchestrator.mjs' },
  posture: { script: 'scanners/posture-scanner.mjs' },
  'audit-bom': { script: 'scanners/ai-bom-generator.mjs' },
+  'ide-scan': { script: 'scanners/ide-extension-scanner.mjs' },
  benchmark: { script: 'scanners/attack-simulator.mjs', prependArgs: ['--benchmark', '--json'] },
 };