# Scan Diff Against Baseline

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | diff |
| **Target** | ~/repos/dft-marketplace |
| **Date** | 2026-05-05 |
| **Baseline** | 2026-04-29 |
| **Version** | llm-security v7.4.0 |
| **Scope** | scan + posture diff |
| **Triggered by** | /security diff . |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Current Grade** | B |
| **Baseline Grade** | C |
| **Risk Score** | 28/100 |
| **Risk Band** | Medium |
| **Verdict** | WARNING |

| Severity | New | Resolved | Unchanged |
|----------|----:|---------:|----------:|
| Critical | 0 | 1 | 0 |
| High | 1 | 2 | 1 |
| Medium | 2 | 3 | 4 |
| Low | 0 | 1 | 2 |
| Info | 1 | 0 | 5 |
| **Total** | **4** | **7** | **12** |

**Verdict rationale:** Net improvement (7 resolved, 4 new). Baseline had 1 CRITICAL (resolved), 2 HIGH (resolved). Grade C → B. One new HIGH on permission scope warrants review before celebrating.

---

## New (4)

| ID | Severity | Category | File | Description | OWASP |
|----|----------|----------|------|-------------|-------|
| DIF-001 | high | Permissions | .claude/settings.json | New `Edit(*)` wildcard added in commit 4a8c1f | ASI04 |
| DIF-002 | medium | Injection | commands/research-v2.md | New command introduced indirect-injection vector | LLM01 |
| DIF-003 | medium | Supply Chain | package-lock.json | New dependency `husky@9.0.11` (no prior baseline) | LLM03 |
| DIF-004 | info | Documentation | docs/CHANGELOG.md | Changelog gained sensitive path reference (not exploitable) | — |

---

## Resolved (7)

| ID | Severity | Category | File | Resolution |
|----|----------|----------|------|------------|
| BAS-001 | critical | Secrets | agents/data-analyst.md | API key removed, env-var reference added |
| BAS-002 | high | Excessive Agency | agents/web-helper.md | Hook policy added blocking [Bash, Read, WebFetch] trifecta |
| BAS-003 | high | MCP Trust | .mcp.json | airbnb-mcp removed |
| BAS-004 | medium | Output Handling | agents/notes.md | Markdown link-title sink sanitized |
| BAS-005 | medium | Memory | CLAUDE.md | Encoded base64 imperative removed |
| BAS-006 | medium | Injection | commands/summarize.md | Indirect-injection wrapped in Trust-Bus |
| BAS-007 | low | Documentation | README.md | Suspicious URL pattern in example removed |

---

## Unchanged (12)

| ID | Severity | Category | File | Notes |
|----|----------|----------|------|-------|
| BAS-008 | high | Permissions | .claude/settings.json | Bash wildcard remains — pending grant-narrowing |
| BAS-009 | medium | Permissions | agents/test-runner.md | Tool list still includes Edit |
| BAS-010 | medium | MCP Trust | .mcp.json | Per-update drift on `postgres-readonly` (12.3% > 10%) |
| BAS-011 | medium | Other | scripts/setup.sh | `curl\|sh` pattern in install hint |
| BAS-012 | medium | Other | tests/fixtures/poisoned.md | Test fixture flagged (intentional) |
| BAS-013 | low | Documentation | docs/setup.md | Outdated security-advisory link |
| BAS-014 | low | Documentation | LICENSE | License file present but old SPDX format |
| BAS-015 | info | Other | .gitignore | Still missing `.env*` exclusion rule |
| BAS-016 | info | Other | LICENSE | (info-level note) |
| BAS-017 | info | Other | CHANGELOG.md | Format compliance note |
| BAS-018 | info | Other | SECURITY.md | Still missing |
| BAS-019 | info | Other | CONTRIBUTING.md | Still missing |

---

## Moved (0)

No findings shifted file locations between baseline and current.

---

## Recommendations

1. **High:** Audit DIF-001 — `Edit(*)` wildcard adds Edit-to-anywhere capability. Replace with an explicit allow-list.
2. **Medium:** Review DIF-002 (commands/research-v2.md) and DIF-003 (husky pin) before merge.
3. **Medium:** Continue working on the 12 unchanged findings — BAS-008 (Bash wildcard) is the highest-impact remaining item.

---

*Diff complete. Net improvement: -3 findings (4 new, 7 resolved). Grade C → B.*