feat(llm-security): /security ide-scan <url> — Marketplace/OpenVSX/direct VSIX (v6.4.0)

Pre-installation verification of VS Code extensions via URL — fetch a remote
VSIX, extract it in a hardened sandbox, and run the existing IDE scanner
pipeline against it. No npm dependencies.

Sources:
- VS Code Marketplace (publisher.gallery.vsassets.io direct download)
- OpenVSX (open-vsx.org official API)
- Direct .vsix HTTPS URLs

Defenses:
- HTTPS-only, TLS verified, manual redirect with per-source host whitelist
- 30s total timeout via AbortController
- 50MB compressed cap, 500MB uncompressed, 100x expansion ratio
- Zero-dep ZIP extractor: zip-slip, absolute paths, drive letters, NUL bytes,
  symlinks (Unix mode 0xA000), depth limits, ZIP64 rejected, encrypted rejected
- SHA-256 streamed during fetch, surfaced in meta.source
- Temp dir cleanup in all paths (try/finally)

Files:
- scanners/lib/vsix-fetch.mjs (HTTPS fetcher, host whitelist, streaming SHA-256)
- scanners/lib/zip-extract.mjs (zero-dep parser with hardening caps)
- knowledge/marketplace-api-notes.md (endpoint reference)
- 3 test files (48 tests added: vsix-fetch, zip-extract, ide-extension-url)

Tests: 1296 → 1344 (all green).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

README.md

@@ -22,21 +22,21 @@ Then open Claude Code and type `/plugin` to browse and install plugins from the
 
 ## Plugins
 
-### [LLM Security](plugins/llm-security/) `v6.3.0`
+### [LLM Security](plugins/llm-security/) `v6.4.0`
 
 Security scanning, auditing, and threat modeling for agentic AI projects.
 
 Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Traps taxonomy (Google DeepMind, 2025). Three layers of protection:
 
 - **Automated enforcement** — 9 hooks that block dangerous operations in real time (prompt injection, secrets in code, destructive commands, supply chain guardrails, transcript scanning before context compaction)
-- **Deterministic scanning** — 22 Node.js scanners (10 orchestrated + 12 standalone) for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM, attack simulation, IDE extension prescan. Bash-normalize T1-T6 for obfuscation-resistant denylists
+- **Deterministic scanning** — 22 Node.js scanners (10 orchestrated + 12 standalone) for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM, attack simulation, IDE extension prescan (now with URL fetch from Marketplace / OpenVSX / direct VSIX, hardened ZIP extractor for zip-slip / symlinks / bombs). Bash-normalize T1-T6 for obfuscation-resistant denylists
 - **Advisory analysis** — 19 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation
 - **Enterprise governance** — Compliance mapping (EU AI Act, NIST AI RMF, ISO 42001), SARIF 2.1.0 output, structured audit trail, policy-as-code, standalone CLI
 - **Opus 4.7 aligned** — Agent instructions rewritten for literal instruction-following (system card §6.3.1.1), defense-in-depth posture per §5.2.1, production hardening guide
 
 Key commands: `/security posture`, `/security audit`, `/security scan`, `/security ide-scan`, `/security threat-model`, `/security plugin-audit`
 
-6 specialized agents · 22 scanners · 9 hooks · 18 knowledge docs · 1296 tests
+6 specialized agents · 22 scanners · 9 hooks · 19 knowledge docs · 1344 tests
 
 → [Full documentation](plugins/llm-security/README.md)