feat: initial open marketplace with llm-security, config-audit, ultraplan-local

plugins/llm-security/commands/supply-check.md

@@ -0,0 +1,47 @@
+---
+name: security:supply-check
+description: Re-audit installed dependencies — check lockfiles against blocklists, OSV.dev CVEs, and typosquat detection
+allowed-tools: Read, Bash
+model: sonnet
+---
+
+# /security supply-check [path]
+
+Re-audit installed dependencies in lockfiles (package-lock.json, yarn.lock, requirements.txt, Pipfile.lock) against blocklists, OSV.dev CVE database, and typosquat detection.
+
+Unlike `deep-scan` (which includes dep-auditor among 9 scanners), this command runs ONLY the supply-chain-recheck scanner for a focused dependency audit.
+
+## Step 1: Setup
+
+- `$ARGUMENTS` empty → target = cwd. Otherwise target = first argument.
+- Plugin root = parent of this `commands/` folder.
+
+## Step 2: Run Scanner
+
+```bash
+node <plugin-root>/scanners/supply-chain-recheck-cli.mjs "<target>"
+```
+
+**Important:** This scanner calls OSV.dev API. If offline, blocklist and typosquat checks still run but CVE detection is skipped (an INFO finding notes this).
+
+The scanner outputs JSON to stdout. Parse it.
+
+## Step 3: Present Results
+
+Show a summary banner:
+
+```
+## Supply Chain Re-check: [target]
+Status: [ok|skipped|error] | Findings: XC XH XM XL XI | Files: N lockfile(s)
+```
+
+If `osv_offline: true` in result, note: "OSV.dev was unreachable — CVE check was skipped. Blocklist and typosquat checks completed."
+
+## Step 4: Detail Findings
+
+For each finding, show:
+- Severity badge and title
+- File (lockfile) and evidence
+- Recommendation
+
+Group by severity (CRITICAL first). If zero findings: "No supply chain issues detected in N lockfile(s)."