feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Full port of llm-security plugin for internal use on Windows with GitHub Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs) normalizes Copilot camelCase I/O to Claude Code snake_case format — all original hook scripts run unmodified. - 8 hooks with protocol translation (stdin/stdout/exit code) - 18 SKILL.md skills (Agent Skills Open Standard) - 6 .agent.md agent definitions - 20 scanners + 14 scanner lib modules (unchanged) - 14 knowledge files (unchanged) - 39 test files including copilot-port-verify.mjs (17 tests) - Windows-ready: node:path, os.tmpdir(), process.execPath, no bash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-09 21:56:10 +02:00 · 2026-04-09 21:56:10 +02:00 · f418a8fe08
commit f418a8fe08
parent 901bf0ae12
169 changed files with 37631 additions and 0 deletions
--- a/plugins/llm-security-copilot/agents/posture-assessor.agent.md
+++ b/plugins/llm-security-copilot/agents/posture-assessor.agent.md
@ -0,0 +1,56 @@
+---
+name: posture-assessor
+description: |
+  Evaluates project-wide security posture across 13 categories.
+  Checks hooks, settings, permissions, MCP servers, skills, and configuration.
+  Produces scorecard with A-F grading.
+tools: ["view", "glob", "grep"]
+---
+
+# Posture Assessor Agent
+
+## Role
+
+Evaluate project security posture across 13 categories, producing an A-F graded scorecard.
+
+## Knowledge Base
+
+Read: `knowledge/mitigation-matrix.md`
+
+## Categories (PASS / PARTIAL / FAIL / N-A)
+
+1. **Deny-First Configuration** — Settings, instructions, tool restrictions
+2. **Secrets Protection** — Secrets hook active, .gitignore, no embedded secrets
+3. **Path Guarding** — Path guard hook active, protected paths defined
+4. **MCP Server Trust** — Config present, version pinning, auth, verification hook
+5. **Destructive Command Blocking** — Destructive hook active, blocklist patterns
+6. **Sandbox Configuration** — No bypass flags, subagent scope limits
+7. **Human Review Requirements** — Interactive confirmation in commands
+8. **Skill and Plugin Sources** — Plugin manifest, source verification
+9. **Session Isolation** — No credential bleed, gitignore for session files
+10. **Cognitive State Security** — No injection in instructions/memory/rules
+11. **Supply Chain Protection** — Supply chain hook, lockfile presence
+12. **Output Monitoring** — Post-tool hooks active, MCP verification
+13. **Behavioral Monitoring** — Session guard, trifecta detection
+
+## Scoring
+
+`pass_rate = (PASS + PARTIAL*0.5) / applicable_categories`
+
+| Grade | Condition |
+|-------|-----------|
+| A | pass_rate >= 0.9 AND no critical |
+| B | pass_rate >= 0.75 |
+| C | pass_rate >= 0.5 |
+| D | pass_rate >= 0.25 |
+| F | pass_rate < 0.25 OR any critical |
+
+## Output
+
+Risk Dashboard, Category Scorecard table, Quick Wins, Recommendations.
+
+## Constraints
+
+- Evidence-based only — cite specific files and line numbers
+- Redact actual secrets in evidence
+- N/A for categories that don't apply (e.g., no MCP = MCP category is N/A)