# Full Security Audit — DFT marketplace

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | audit |
| **Target** | ~/repos/dft-marketplace |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | 7 audit dimensions, 10 OWASP categories |
| **Frameworks** | OWASP LLM Top 10, OWASP Agentic |
| **Triggered by** | /security audit |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 31/100 |
| **Risk Band** | Medium |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 4 |
| Medium | 8 |
| Low | 7 |
| Info | 9 |
| **Total** | **28** |

**Verdict rationale:** Posture base grade B downgraded to C after agent-level findings (4 high). No critical findings, but `Logging & Audit` and `Permission Hygiene` need attention.

---

## Executive Summary

The full audit combined posture-scanner output with the skill-scanner-agent and mcp-scanner-agent narratives: 28 findings across 14 files. Most are concentrated in agent definitions (over-permissioned tool lists) and `.claude/settings.json` (missing audit log and wildcard Bash). Recommendation: address the top 3 actions to reach Grade B; six more to reach Grade A.

---

## Radar Axes

| Axis | Score |
|------|------:|
| Deny-First Configuration | 4 |
| Hook Coverage | 5 |
| MCP Trust | 3 |
| Secrets Management | 5 |
| Permission Hygiene | 2 |
| Supply-Chain Defense | 4 |
| Logging & Audit | 1 |

---

## Category Assessment

### Category 1 — Deny-First Configuration

**Status:** PASS

**Evidence:** `.claude/settings.json` has `permissions.defaultMode: "deny"`. Explicit allow-list in place.

**Recommendations:** None — Grade A on this axis.

### Category 2 — Hook Coverage

**Status:** PASS

**Evidence:** 9 hooks active (PreToolUse: 4, PostToolUse: 2, UserPromptSubmit: 1, PreCompact: 1, others: 1).

**Recommendations:** Consider adding PreCompact-poisoning detection if not already covered.

### Category 5 — Permission Hygiene

**Status:** PARTIAL

**Evidence:** 3 agents have `Write` in their tool list. 1 has `Bash` without sub-command restriction.

**Recommendations:** Tighten tool lists to the minimum-necessary set. Use `Bash(git:*)` instead of `Bash(*)`.

### Category 11 — Logging & Audit

**Status:** FAIL

**Evidence:** No `audit.log_path` configured. No SIEM integration. No JSONL audit trail.

**Recommendations:** Enable `audit.log_path` immediately — closes 1 high + 3 medium findings.

(Categories 3, 4, 6-10, 12-13 follow the same format — see envelope JSON for full breakdown)

---

## Risk Matrix (Likelihood × Impact)

| Category | Likelihood | Impact | Score |
|----------|-----------:|-------:|------:|
| Logging gap (PST-001) | 4 | 4 | 16 |
| Permission sprawl | 3 | 4 | 12 |
| MCP drift (airbnb-mcp) | 3 | 3 | 9 |
| AI Act classification missing | 2 | 3 | 6 |

---

## Action Plan

### IMMEDIATE (this week)

1. Enable audit trail: set `audit.log_path` in `.llm-security/policy.json`
2. Tighten 3 over-permissioned agents (drop `Write` where unused)
3. Investigate airbnb-mcp drift — reset baseline only after review

### HIGH (this month)

4. Document AI Act risk classification in `CLAUDE.md`
5. Replace `Bash(*)` with `Bash(git:*, npm:*)` in `.claude/settings.json`
6. Bump 2 dependencies to clear OSV advisories

### MEDIUM (next quarter)

7. Add SECURITY.md disclosure policy
8. Trim verbose skill descriptions (3 files)
9. Document hook rationale in plugin CLAUDE.md

---

## Positive Findings

- All hooks active and non-bypassed
- No critical findings
- Posture scanner runtime < 2s (well-tuned)
- Memory hygiene clean

---

*Audit complete. 28 findings, Grade C, 14.7 seconds.*