feat(llm-security): add /security ide-scan — VS Code / JetBrains extension prescan (v6.3.0)

New standalone scanner (prefix IDE) discovers installed VS Code extensions
across forks (Cursor, Windsurf, VSCodium, code-server, Insiders, Remote-SSH)
and runs 7 IDE-specific threat checks: blocklist match (CRITICAL),
theme-with-code, sideload (unsigned .vsix), dangerous uninstall hook (HIGH),
wildcard activation, extension-pack expansion, typosquat (MEDIUM).

Per-extension reuse of UNI/ENT/NET/TNT/MEM/SCR scanners with bounded
concurrency. Offline-first; --online opt-in. JetBrains discovery stubbed
for v1.1. 22 new tests (1296 total, was 1274).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

plugins/llm-security/commands/ide-scan.md

@@ -0,0 +1,88 @@
+---
+name: security:ide-scan
+description: Scan installed VS Code / IntelliJ extensions for supply-chain risk, typosquats, obfuscation, and malicious patterns
+allowed-tools: Read, Glob, Grep, Bash
+model: sonnet
+---
+
+# /security ide-scan
+
+Scan installed IDE extensions (VS Code + forks like Cursor/Windsurf/VSCodium/code-server; JetBrains is v1.1 stub).
+
+Runs the IDE scanner plus reused scanners (UNI, ENT, NET, TNT, MEM, SCR) per extension. Offline by default.
+
+## Step 1: Run Scanner
+
+Run the IDE extension scanner:
+
+```
+node <this plugin's scanners/ide-extension-scanner.mjs> [target]
+```
+
+Arguments (pass through as provided by the user):
+- `[target]` — omit, `.`, or `all` to discover all installed extensions. Absolute path to an extracted extension directory for single-scan mode.
+- `--vscode-only` / `--intellij-only` — restrict discovery
+- `--include-builtin` — include Microsoft builtin extensions (default: excluded)
+- `--online` — enable Marketplace/OSV.dev lookups (opt-in; default: fully offline)
+- `--format compact|json` — output format
+- `--fail-on <severity>` — exit 1 if findings at/above severity
+
+Parse the JSON output. The result contains:
+- `meta.scanner`, `meta.version`, `meta.target`, `meta.extensions_discovered` (per type), `meta.roots_scanned`, `meta.warnings`
+- `extensions[]` — per-extension results with `id`, `version`, `type`, `publisher`, `source`, `is_builtin`, `signed`, `scanner_results` (IDE/UNI/ENT/NET/TNT/MEM/SCR), `aggregate` (counts, risk_score, risk_band, verdict), `warnings`
+- `aggregate` — top-level counts, risk_score, risk_band, verdict, extensions_total, extensions_blocked, extensions_warning
+
+## Step 2: Format Report
+
+Present the results:
+
+```
+# IDE Extension Scan
+
+| Field | Value |
+|-------|-------|
+| **Scanner** | ide-extension-scanner v[version] |
+| **Target** | [target] |
+| **Roots** | [comma-separated roots_scanned] |
+| **Extensions** | [vscode] VS Code, [jetbrains] JetBrains |
+| **Top Verdict** | [ALLOW/WARNING/BLOCK] |
+| **Risk** | [risk_score]/100 ([risk_band]) |
+| **Duration** | [duration_ms]ms |
+
+## Counts
+
+crit=[N] high=[N] medium=[N] low=[N] info=[N]
+
+## Per-Extension Results
+
+[One row per extension, sorted: BLOCK first, then WARNING, then ALLOW with findings]
+
+| Extension | Version | Source | Verdict | Risk | Top Issue |
+|-----------|---------|--------|---------|------|-----------|
+
+Omit ALLOW rows with zero findings unless the user passed `--verbose`.
+
+## Top Findings
+
+[For each extension with verdict != ALLOW, list up to 3 findings as:
+  - [SEV] [SCANNER]: title — file:line — recommendation]
+
+## Warnings
+
+[Any top-level or per-extension `warnings` entries, if present]
+```
+
+## Step 3: Recommendations
+
+- `aggregate.verdict === 'BLOCK'`: "One or more extensions are block-listed. Uninstall immediately — `code --uninstall-extension <id>`."
+- `aggregate.verdict === 'WARNING'`: "High/medium findings detected. Review the Top Findings list. Audit suspicious extensions before continuing."
+- `aggregate.verdict === 'ALLOW'` and counts.info > 0: "Extensions look clean. Info-level findings are observational only."
+- `aggregate.extensions_total === 0`: "No extensions discovered. Run `code --list-extensions` to confirm, or pass a specific path."
+
+If the user has many sideloaded (`source=vsix`) extensions: suggest re-installing from Marketplace where possible.
+
+## Notes
+
+- First run with no `--online` is fully offline.
+- JetBrains discovery is deferred to v1.1 (see `knowledge/ide-extension-threat-patterns.md`).
+- Pass a single extracted extension directory to scan just one extension.

plugins/llm-security/commands/security.md

@@ -21,6 +21,7 @@ Based on OWASP LLM Top 10 (2025) and OWASP Agentic AI Top 10.
 | `/security plugin-audit [path\|url]` | Dedicated plugin security audit with trust verdict | Before installing a third-party plugin |
 | `/security mcp-audit [--live]` | Focused audit of all installed MCP servers | After adding MCP servers or on suspicion |
 | `/security mcp-inspect` | Live inspection — connect to MCP servers, scan tool descriptions | Verify running servers have safe tool descriptions |
+| `/security ide-scan [target]` | Scan installed VS Code / JetBrains extensions for supply-chain risk, typosquats, malicious patterns | After installing new extensions or periodic review |
 | `/security posture` | Quick security posture scorecard | Daily/weekly health check |
 | `/security threat-model` | Interactive STRIDE/MAESTRO threat modeling session | When designing new architecture |
 | `/security diff [path]` | Compare scan against stored baseline — shows new/resolved/moved | Track security changes over time |
@@ -37,6 +38,7 @@ Based on OWASP LLM Top 10 (2025) and OWASP Agentic AI Top 10.
 - **New to security?** Start with `/security posture` for a quick health check
 - **Evaluating a plugin?** Run `/security plugin-audit path/to/plugin` for a full trust assessment
 - **Inspecting live MCP servers?** Run `/security mcp-inspect` to connect and scan tool descriptions
+- **Installed IDE extensions?** Run `/security ide-scan` to audit VS Code / Cursor / Windsurf extensions
 - **Evaluating a remote plugin?** Run `/security plugin-audit https://github.com/user/repo`
 - **Scanning a remote repo?** Run `/security scan https://github.com/user/repo`
 - **Scanning individual files?** Run `/security scan path/to/file` for targeted analysis