open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

docs(scoring): unify scan/audit/mcp-scanner/posture-assessor to v2 formula

Browse source 
Closes the v7.1.1 out-of-scope item: commands/scan.md:113-114 retained
the v1 formula. Exploration found two more v1 surfaces that v7.1.1
missed: commands/audit.md:46 and agents/mcp-scanner-agent.md:419, plus
agents/posture-assessor-agent.md:376 (caught by the new doc-consistency
test). Four files unified to v2 in one atomic commit.

Three-way → four-way verdict-divergence is now closed:
- scanners/lib/severity.mjs (v2, BLOCK ≥65, WARNING ≥15) — authoritative
- agents/skill-scanner-agent.md (v2 since v7.1.1)
- templates/unified-report.md (v2 since v7.1.1)
- commands/scan.md (v2 — this commit)
- commands/audit.md (v2 — this commit)
- agents/mcp-scanner-agent.md (v2 — this commit)
- agents/posture-assessor-agent.md (v2 — this commit)

New: tests/lib/doc-consistency.test.mjs walks commands/ + agents/ and
asserts NO file contains v1 formula tokens. Pinned regex set:
  - score >= 61, score >= 21, score ≥ 61, score ≥ 21
  - critical * 25, Critical × 25
  - min(100, critical*25 ...)

Plus three v2-cutoff anchors asserting commands/scan.md, commands/audit.md,
and agents/mcp-scanner-agent.md document the v2 BLOCK ≥65 cutoff (or
reference riskScore() helper).

Tests: 1523 → 1551 (+28 from doc-consistency: 25 file walks + 3 anchors).
All green.
This commit is contained in:
Kjell Tore Guttormsen 2026-04-29 13:58:25 +02:00
commit d3b1157a08
5 changed files with 92 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
plugins/llm-security/commands/audit.md
View file

@ -43,7 +43,7 @@ After skill scan, spawn `subagent_type: "llm-security:mcp-scanner-agent"`, `mode
## Step 5: Generate Report
Merge posture scanner JSON + agent findings. Use the posture scanner's grade as the baseline.
Recalculate `risk_score = min(100, critical*25 + high*10 + medium*4 + low*1)` including agent findings.
Recalculate `risk_score = riskScore(counts)` (severity-dominated v2 model — see `scanners/lib/severity.mjs`) including agent findings.
Output: Risk Dashboard, Executive Summary, 10 Category Sections (use scanner evidence + agent narrative), Summary Table, Action Items (IMMEDIATE → HIGH → MEDIUM).

4
plugins/llm-security/commands/scan.md
View file

@ -110,8 +110,8 @@ Otherwise (local scan — direct mode):
## Step 5: Aggregate and Report
Combine counts. `risk_score = min(100, critical*25 + high*10 + medium*4 + low*1)`.
Verdict: critical≥1 OR score≥61 → BLOCK, high≥1 OR score≥21 → WARNING, else ALLOW.
Combine counts. `risk_score = riskScore(counts)` (severity-dominated v2 model — see `scanners/lib/severity.mjs`).
Verdict: critical ≥ 1 OR score ≥ 65 → BLOCK; high ≥ 1 OR score ≥ 15 → WARNING; else ALLOW.
Output banner then all findings grouped by severity (critical→info). Each finding:
`### [SEV] Title` with Category, File:line, OWASP, Evidence, Remediation.