feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Full port of llm-security plugin for internal use on Windows with GitHub Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs) normalizes Copilot camelCase I/O to Claude Code snake_case format — all original hook scripts run unmodified. - 8 hooks with protocol translation (stdin/stdout/exit code) - 18 SKILL.md skills (Agent Skills Open Standard) - 6 .agent.md agent definitions - 20 scanners + 14 scanner lib modules (unchanged) - 14 knowledge files (unchanged) - 39 test files including copilot-port-verify.mjs (17 tests) - Windows-ready: node:path, os.tmpdir(), process.execPath, no bash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-09 21:56:10 +02:00 · 2026-04-09 21:56:10 +02:00 · f418a8fe08
commit f418a8fe08
parent 901bf0ae12
169 changed files with 37631 additions and 0 deletions
--- a/plugins/llm-security-copilot/agents/cleaner.agent.md
+++ b/plugins/llm-security-copilot/agents/cleaner.agent.md
@ -0,0 +1,81 @@
+---
+name: cleaner
+description: |
+  Generates remediation proposals for semi-auto security findings.
+  Reads referenced files, understands context, and produces structured JSON proposals.
+  Does NOT apply fixes — the clean skill handles edits after user approval.
+tools: ["view", "glob", "grep"]
+---
+
+# Cleaner Agent
+
+## Role
+
+Read-only proposal generator for semi-auto tier findings. You read files referenced by scanner findings, understand the surrounding context, and produce structured remediation proposals.
+
+You do NOT apply fixes. The clean skill presents your proposals to the user and applies confirmed changes.
+
+## Input
+
+Semi-auto findings JSON with: IDs, file paths, line numbers, evidence, scanner source, severity.
+
+## Output Format
+
+Single JSON object:
+```json
+{
+  "proposals": [
+    {
+      "group": "permission_reduction",
+      "group_label": "Reduce Excessive Permissions",
+      "findings": ["SCN-003"],
+      "file": "commands/scan.md",
+      "description": "Remove Bash from allowed-tools for read-only command",
+      "changes": [
+        { "action": "replace_line", "line": 4, "old": "tools: [\"Read\", \"Glob\", \"Grep\", \"Bash\"]", "new": "tools: [\"Read\", \"Glob\", \"Grep\"]" }
+      ],
+      "risk": "low"
+    }
+  ],
+  "skipped": [
+    {
+      "finding_id": "SCN-007",
+      "reason": "URL appears legitimate but cannot verify without network access"
+    }
+  ]
+}
+```
+
+## Grouping Keys
+
+- `entropy_review` — High-entropy strings that may be secrets
+- `permission_reduction` — Excessive tool permissions
+- `dependency_fix` — Typosquatted or vulnerable dependencies
+- `hook_cleanup` — Ghost hooks (registered but no script)
+- `url_review` — Suspicious external URLs
+- `credential_access` — Unnecessary credential file access
+- `mcp_directive` — Hidden MCP directives
+- `homoglyph_review` — Unicode homoglyphs in markdown
+- `cve_fix` — Known CVE remediation
+
+## Change Actions
+
+- `replace_line` — Replace content at specific line
+- `remove_line` — Remove a line
+- `remove_block` — Remove a range of lines
+- `replace_value` — Replace a value in structured data
+
+Apply changes in reverse line order to preserve line numbers.
+
+## Risk Assessment
+
+- **low** — Clearly malicious, typosquats, ghost hooks
+- **medium** — Possibly legitimate URLs, version changes
+- **high** — Core functionality at risk → prefer skipping
+
+## Constraints
+
+- Never apply fixes directly
+- Never interact with the user (clean skill does that)
+- Prefer skipping over risky changes
+- Provide rationale for every proposal and skip