feat(llm-security): playground v7.6.2-dev — render-report CLI + wire 4 skills (scan, audit, posture, deep-scan) [skip-docs]

- New scripts/render-report.mjs CLI: stdin/file/stdout modes, ESM import
  from ./lib/report-renderers.mjs, kebab→camel renderer-name lookup so
  any of the 18 PARSERS works
- Standalone HTML wrap: inlines 6 DS stylesheets (tokens, base, components,
  tier2, tier3, tier3-supplement) + local .report-table CSS. Skips fonts.css
  → system-ui fallback via tokens.css (~137 KB self-contained vs ~1 MB
  with woff2 bundled)
- 4 skill files wired: commands/{scan,audit,posture,deep-scan}.md — new
  step instructs Claude to Write the markdown report to a temp file,
  invoke the CLI, and print a markdown-formatted file:// link
- Absolute file:// paths in stdout for Ghostty cmd-click compatibility
- Default output: reports/<command>-<YYYYMMDD-HHmmss>.html relative to CWD
- Smoke-tested: stdin→stdout, file→file roundtrip, all 4 commands produce
  valid HTML with DS-aligned page-shell (page__title, verdict-pill-lg,
  risk-meter, key-stats, findings__item, recommendation-card)
- Tests 1820/1820 green (same baseline; pre-compact-scan perf-flake from
  NEXT-SESSION-PROMPT did not fire on retry)
- Playground untouched (2 scripts, 0 parse failures), report-renderers.mjs
  untouched (74 exports, 18 PARSERS, 18 RENDERERS)

Sesjon 4 av 5. v7.7.0 release + 9 remaining skill wirings = sesjon 5.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

plugins/llm-security/commands/audit.md

@@ -48,3 +48,23 @@ Recalculate `risk_score = riskScore(counts)` (severity-dominated v2 model — se
 Output: Risk Dashboard, Executive Summary, 10 Category Sections (use scanner evidence + agent narrative), Summary Table, Action Items (IMMEDIATE → HIGH → MEDIUM).
 
 Close with top 2-3 action items. If grade C or lower: suggest `/security threat-model`.
+
+## Step 6: HTML Report
+
+After producing the markdown audit report above:
+
+1. Compute a temp markdown path:
+   ```bash
+   node -p "require('path').join(require('os').tmpdir(), 'sec-audit-' + Date.now() + '.md')"
+   ```
+2. Use the Write tool to save the **entire markdown report you just produced** (Risk Dashboard + Executive Summary + Category Sections + Summary Table + Action Items) to that temp path. Verbatim.
+3. Run the renderer:
+   ```bash
+   node <plugin-root>/scripts/render-report.mjs audit --in "<temp-md-path>"
+   ```
+   The CLI writes `reports/audit-<YYYYMMDD-HHmmss>.html` relative to CWD and prints `file:///abs/path.html` on stdout.
+4. Append to your response (markdown link, no bare URL):
+
+   > **HTML-rapport:** [Åpne i nettleser](file:///abs/path.html)
+
+If the CLI exits non-zero, mention the error but do not block — the markdown audit above is the primary deliverable.

plugins/llm-security/commands/deep-scan.md

@@ -40,3 +40,23 @@ Spawn `subagent_type: "llm-security:deep-scan-synthesizer-agent"`, `model: "sonn
 > Produce complete report with actionable insights. Don't pad.
 
 Output the synthesizer's report. If it fails, show banner + CRITICAL/HIGH findings from JSON.
+
+## Step 5: HTML Report
+
+After producing the markdown deep-scan report (banner + synthesizer output or fallback):
+
+1. Compute a temp markdown path:
+   ```bash
+   node -p "require('path').join(require('os').tmpdir(), 'sec-deepscan-' + Date.now() + '.md')"
+   ```
+2. Use the Write tool to save the **entire markdown report you just produced** (banner + synthesizer narrative + scanner sections + findings) to that temp path. Verbatim.
+3. Run the renderer:
+   ```bash
+   node <plugin-root>/scripts/render-report.mjs deep-scan --in "<temp-md-path>"
+   ```
+   The CLI writes `reports/deep-scan-<YYYYMMDD-HHmmss>.html` relative to CWD and prints `file:///abs/path.html` on stdout.
+4. Append to your response (markdown link, no bare URL):
+
+   > **HTML-rapport:** [Åpne i nettleser](file:///abs/path.html)
+
+If the CLI exits non-zero, mention the error but do not block — the markdown report above is the primary deliverable.

plugins/llm-security/commands/posture.md

@@ -58,3 +58,23 @@ Present the results as a scorecard:
 - Grade A/B: "Posture solid. Re-run after major changes."
 - Grade C: "Run `/security audit` for detailed findings."
 - Grade D/F: "Significant exposure. Run `/security audit` before production use."
+
+## Step 4: HTML Report
+
+After producing the markdown scorecard above:
+
+1. Compute a temp markdown path:
+   ```bash
+   node -p "require('path').join(require('os').tmpdir(), 'sec-posture-' + Date.now() + '.md')"
+   ```
+2. Use the Write tool to save the **entire markdown scorecard you just produced** (header + Category Scorecard table + Top Findings + Quick Wins + closing) to that temp path. Verbatim.
+3. Run the renderer:
+   ```bash
+   node <plugin-root>/scripts/render-report.mjs posture --in "<temp-md-path>"
+   ```
+   The CLI writes `reports/posture-<YYYYMMDD-HHmmss>.html` relative to CWD and prints `file:///abs/path.html` on stdout.
+4. Append to your response (markdown link, no bare URL):
+
+   > **HTML-rapport:** [Åpne i nettleser](file:///abs/path.html)
+
+If the CLI exits non-zero, mention the error but do not block — the markdown scorecard above is the primary deliverable.

plugins/llm-security/commands/scan.md

@@ -155,3 +155,23 @@ If `clone_path != null`:
 
 If `evidence_file != null`:
   Run: `node <plugin-root>/scanners/lib/fs-utils.mjs cleanup "<evidence_file>"`
+
+## Step 8: HTML Report
+
+After producing the markdown report (Step 5) and any cleanup (Step 7):
+
+1. Compute a temp markdown path:
+   ```bash
+   node -p "require('path').join(require('os').tmpdir(), 'sec-scan-' + Date.now() + '.md')"
+   ```
+2. Use the Write tool to save the **entire markdown report you just produced** (banner + all findings sections + any Deep Scan section) to that temp path. Do not summarize — write it verbatim.
+3. Run the renderer:
+   ```bash
+   node <plugin-root>/scripts/render-report.mjs scan --in "<temp-md-path>"
+   ```
+   The CLI writes `reports/scan-<YYYYMMDD-HHmmss>.html` relative to CWD and prints `file:///abs/path.html` on stdout (one line).
+4. Append this to your response (markdown link, no bare URL):
+
+   > **HTML-rapport:** [Åpne i nettleser](file:///abs/path.html)
+
+If the CLI exits non-zero, mention the error but do not block — the markdown report above is the primary deliverable.