feat: initial open marketplace with llm-security, config-audit, ultraplan-local

plugins/llm-security/examples/malicious-skill-demo/run-demo.sh

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+#
+# Malicious Skill Demo — Regression test for the deep-scan pipeline
+# NOTE: Unix/macOS only. Requires bash. Not available on Windows without WSL.
+#
+# Usage:
+#   cd plugins/llm-security
+#   ./examples/malicious-skill-demo/run-demo.sh
+#
+# Expected: BLOCK verdict, 40+ findings across 7 scanners, exit code 2
+
+set -uo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PLUGIN_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
+TARGET="$SCRIPT_DIR/evil-project-health"
+OUTPUT_FILE="$(mktemp)"
+PASS=0
+FAIL=0
+
+cleanup() { rm -f "$OUTPUT_FILE"; }
+trap cleanup EXIT
+
+assert() {
+  local desc="$1" result="$2"
+  if [ "$result" -eq 0 ]; then
+    echo "  PASS: $desc"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL: $desc"
+    FAIL=$((FAIL + 1))
+  fi
+}
+
+echo "=== LLM Security Deep-Scan Regression Test ==="
+echo ""
+echo "Target: $TARGET"
+echo "Scanners: $PLUGIN_DIR/scanners/scan-orchestrator.mjs"
+echo ""
+
+if [ ! -d "$TARGET" ]; then
+  echo "ERROR: Target directory not found: $TARGET"
+  exit 1
+fi
+
+if [ ! -f "$PLUGIN_DIR/scanners/scan-orchestrator.mjs" ]; then
+  echo "ERROR: Scan orchestrator not found. Run from the llm-security plugin root."
+  exit 1
+fi
+
+echo "Running 7 deterministic scanners..."
+echo ""
+
+# Run scan, capture exit code
+node "$PLUGIN_DIR/scanners/scan-orchestrator.mjs" "$TARGET" --output-file "$OUTPUT_FILE" 2>/dev/null
+SCAN_EXIT=$?
+
+echo ""
+echo "--- Assertions ---"
+
+# 1. Exit code should be 2 (BLOCK)
+[ "$SCAN_EXIT" -eq 2 ]
+assert "Exit code is 2 (BLOCK)" $?
+
+# 2. Output file exists and has content
+[ -s "$OUTPUT_FILE" ]
+assert "Output file has content" $?
+
+# 3. Parse JSON and check verdict
+VERDICT=$(node -e "const d=JSON.parse(require('fs').readFileSync('$OUTPUT_FILE','utf-8')); console.log(d.aggregate.verdict)" 2>/dev/null)
+[ "$VERDICT" = "BLOCK" ]
+assert "Verdict is BLOCK" $?
+
+# 4. Total findings >= 40
+TOTAL=$(node -e "const d=JSON.parse(require('fs').readFileSync('$OUTPUT_FILE','utf-8')); console.log(d.aggregate.total_findings)" 2>/dev/null)
+[ "$TOTAL" -ge 40 ]
+assert "Total findings >= 40 (got: $TOTAL)" $?
+
+# 5. Risk score >= 90
+SCORE=$(node -e "const d=JSON.parse(require('fs').readFileSync('$OUTPUT_FILE','utf-8')); console.log(d.aggregate.risk_score)" 2>/dev/null)
+[ "$SCORE" -ge 90 ]
+assert "Risk score >= 90 (got: $SCORE)" $?
+
+# 6. All 7 scanner prefixes present
+for PREFIX in UNI ENT PRM DEP TNT GIT NET; do
+  HAS=$(node -e "
+    const d=JSON.parse(require('fs').readFileSync('$OUTPUT_FILE','utf-8'));
+    const has = Object.values(d.scanners).some(s => s.scanner && s.scanner.toLowerCase().includes('${PREFIX}'.toLowerCase()));
+    if (!has) {
+      // Check findings for the prefix
+      const inFindings = Object.values(d.scanners).some(s => s.findings && s.findings.some(f => f.id && f.id.startsWith('DS-${PREFIX}-')));
+      console.log(inFindings);
+    } else {
+      console.log(has);
+    }
+  " 2>/dev/null)
+  [ "$HAS" = "true" ]
+  assert "Scanner $PREFIX present in output" $?
+done
+
+# 7. At least one CRITICAL finding
+CRITS=$(node -e "const d=JSON.parse(require('fs').readFileSync('$OUTPUT_FILE','utf-8')); console.log(d.aggregate.counts.critical)" 2>/dev/null)
+[ "$CRITS" -ge 1 ]
+assert "At least 1 CRITICAL finding (got: $CRITS)" $?
+
+echo ""
+echo "--- Results ---"
+echo "  Passed: $PASS"
+echo "  Failed: $FAIL"
+echo "  Total:  $((PASS + FAIL))"
+echo ""
+
+if [ "$FAIL" -eq 0 ]; then
+  echo "=== ALL ASSERTIONS PASSED ==="
+  exit 0
+else
+  echo "=== $FAIL ASSERTION(S) FAILED ==="
+  exit 1
+fi