# Security Posture — DFT marketplace

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | posture |
| **Target** | ~/repos/dft-marketplace |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | 16 categories (13 applicable) |
| **Frameworks** | OWASP LLM Top 10, EU AI Act, NIST AI RMF |
| **Triggered by** | /security posture |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 22/100 |
| **Risk Band** | Medium |
| **Grade** | B |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 4 |
| Info | 6 |
| **Total** | **14** |

---

## Overall Score

**11 / 13 categories covered (Grade B)**

```
████████████████████░░░░ 84%
```

**Risk Score:** 22/100 (Medium)

**Verdict:** WARNING — close one high-severity gap to reach Grade A.

---

## Category Scorecard

| # | Category | Status | Findings |
|---|----------|--------|---------:|
| 1 | Deny-First Configuration | PASS | 0 |
| 2 | Hook Coverage | PASS | 0 |
| 3 | MCP Server Trust | PARTIAL | 2 |
| 4 | Secret Management | PASS | 0 |
| 5 | Permission Hygiene | PARTIAL | 1 |
| 6 | Memory Hygiene | PASS | 0 |
| 7 | Supply-Chain Defense | PASS | 1 |
| 8 | Plugin Trust | PASS | 0 |
| 9 | IDE Extension Hygiene | PASS | 0 |
| 10 | Skill Hygiene | PARTIAL | 3 |
| 11 | Logging & Audit | FAIL | 4 |
| 12 | Documentation | PASS | 1 |
| 13 | EU AI Act Coverage | PARTIAL | 2 |
| 14 | NIST AI RMF Mapping | N-A | 0 |
| 15 | ISO 42001 Mapping | N-A | 0 |
| 16 | Datatilsynet Compliance | N-A | 0 |

---

## Top Findings

### High

| ID | Category | File | Description |
|----|----------|------|-------------|
| PST-001 | Logging & Audit | settings.json | No audit-trail configured (`audit.log_path` unset) |

### Medium

| ID | Category | File | Description |
|----|----------|------|-------------|
| PST-002 | Skill Hygiene | skills/data-summary/SKILL.md | Description >150 chars (verbose) |
| PST-003 | EU AI Act | (project-level) | No AI Act risk classification documented |
| PST-004 | MCP Trust | .mcp.json | airbnb-mcp drift advisory pending |

---

## Quick Wins

1. **Enable audit trail** — set `audit.log_path` in `.llm-security/policy.json` (closes PST-001).
2. **Document AI Act classification** — add risk-level to `CLAUDE.md` (closes PST-003).
3. **Reset airbnb-mcp baseline** — after legitimate review (closes PST-004).

---

## Baseline Comparison

No baseline saved. Run `/security posture --save-baseline` to track future drift.

---

## Recommendations

1. **High:** Enable audit logging — single setting closes the only high-severity gap.
2. **Medium:** Add AI Act risk classification.
3. **Medium:** Trim verbose skill descriptions in 3 skills.

Estimated effort to Grade A: 30 minutes.

---

*Posture complete. Grade B, 14 findings, 1.2 seconds.*