Every /security <cmd> that produces a report now prints a clickable file:// link to a self-contained HTML version. Delivered over five sessions; session 5 wires the 14 remaining skill files + ships v7.7.0 (version bump + docs).

Session history:
- Session 1 (0dc7ff4): playground catalogue list view + builder pane with copy button on all 18 reports
- Session 2 (86d6ecd): playground project-surface cleanup (stub screen + topbar split)
- Session 3 (fa5fb48): extract 18 inline parsers + 18 inline renderers from the playground into the canonical ESM module scripts/lib/report-renderers.mjs (the playground keeps a bit-identical inline copy since ESM import does not work from file://)
- Session 4 (db80854): new zero-dep CLI scripts/render-report.mjs (stdin/file/stdout modes, kebab→camel commandId routing, ~140 KB self-contained HTML with 6 inlined DS stylesheets + local .report-table, absolute file:// paths for Ghostty cmd-click). 4 skills wired: scan, audit, posture, deep-scan.
- Session 5 (this one): 14 remaining skills wired: plugin-audit, mcp-audit, mcp-inspect, ide-scan, supply-check, dashboard, pre-deploy, diff, watch, registry, clean, harden, threat-model, red-team. Every skill file now has an HTML Report step that instructs Claude to write the markdown verbatim, run the CLI, and append a clickable file:// link to the response.

Release work:
- Version bump v7.6.1 → v7.7.0 in 6 plugin files + 2 root files (package.json, .claude-plugin/plugin.json, README badge, CLAUDE.md header + state section, docs/version-history.md, plugin Recent versions table, root README plugin entry, root CLAUDE.md plugin catalogue)
- CHANGELOG [7.7.0] with full history from sessions 1-5
- docs/version-history.md v7.7.0 section

Verified:
- 18/18 commandIds in the CLI yield > 138 KB self-contained HTML
- 1819/1820 tests green (pre-compact-scan-perf flake fired under load, passes in isolation at 1582 ms; pre-existing, deferred to v7.7.x)
- 18/18 skill files have the HTML Report step
- No source-file hits on 7.6.1 outside the historical changelog/version-history/README releases table

No scanner or hook behaviour changes; purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| name | description | allowed-tools | model |
|---|---|---|---|
| security:diff | Compare scan results against a stored baseline — shows new, resolved, unchanged, and moved findings | Bash, Read, AskUserQuestion | sonnet |
/security diff [path]
Run a deterministic deep scan and compare results against a stored baseline. Shows what changed since the last saved scan.
Step 1: Check for Existing Baseline
Determine plugin root (parent of this commands/ folder) and target path from $ARGUMENTS (default .).
Check if a baseline already exists:
ls -la <plugin-root>/reports/baselines/ 2>/dev/null
If baseline files exist for the target, inform the user:
A baseline already exists. Running `/security diff` will overwrite it with new results.
Use AskUserQuestion to ask: "Overwrite existing baseline and run diff? (The previous baseline will be replaced.)"
If the user declines, exit without scanning. If the user confirms (or no baseline exists yet), proceed to Step 2.
Step 2: Run Scan with Baseline Comparison
node <plugin-root>/scanners/scan-orchestrator.mjs "<target>" --baseline --save-baseline
Parse stdout JSON. The scan runs all 9 scanners, diffs against any existing baseline, then saves the new results as the current baseline.
If no baseline exists yet (diff is null in output), this is a first run — report that a baseline has been created and show the current scan summary instead of a diff.
Step 3: Display Results
First run (no prior baseline)
## Baseline Created
No prior baseline found. Current scan saved as baseline.
**Findings:** XC XH XM XL XI | **Risk Score:** X/100 | **Verdict:** ALLOW/WARNING/BLOCK
Run `/security diff` again after making changes to see the delta.
Subsequent runs (diff available)
## Security Diff: <target>
**Baseline:** <baseline_timestamp> → **Current:** <now>
### Summary
| Category | Count |
|----------|-------|
| New | X |
| Resolved | X |
| Moved | X |
| Unchanged | X |
For New findings (sorted critical → info):
### New Findings (X)
| # | Severity | Scanner | Title | File | OWASP |
For Resolved findings:
### Resolved Findings (X)
| # | Severity | Scanner | Title | File | OWASP |
For Moved findings (only if count > 0):
### Moved Findings (X)
| # | Severity | Scanner | Title | File | Previous Location |
Omit Unchanged findings from the output — they add noise. Mention count in summary only.
Step 4: Advisory
- If new CRITICAL/HIGH findings: "Action required: X new critical/high findings since baseline."
- If resolved > new: "Improving: more findings resolved than introduced."
- If new > 0 and resolved == 0: "Regression: X new findings, none resolved."
- If new == 0 and resolved == 0: "Stable: no changes since baseline."
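A worked version of the Step 2-4 logic (classify current findings against the baseline, sort new findings critical → info, then pick the advisory), added here as an example and not the plugin's own scan-orchestrator code. It assumes findings are matched by scanner + title and counted as moved when only the file changed; the baseline and current findings below are constructed sample data.

```javascript
// Added example, not the plugin's scan-orchestrator implementation.
// Assumption: a finding is identified by scanner + title; same identity with a
// different file is "moved", same file is "unchanged".
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
const keyOf = (f) => `${f.scanner}::${f.title}`;

function diffFindings(baseline, current) {
  const base = new Map(baseline.map((f) => [keyOf(f), f]));
  const seen = new Set();
  const result = { new: [], resolved: [], moved: [], unchanged: [] };
  for (const f of current) {
    const prev = base.get(keyOf(f));
    if (!prev) { result.new.push(f); continue; }
    seen.add(keyOf(f));
    if (prev.file === f.file) result.unchanged.push(f);
    else result.moved.push({ ...f, previousLocation: prev.file });
  }
  for (const [k, f] of base) if (!seen.has(k)) result.resolved.push(f);
  // Step 3: list new findings critical -> info.
  result.new.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
  return result;
}

// Step 4 advisory rules, in the order the skill file gives them.
function advisory(diff) {
  const n = diff.new.length, r = diff.resolved.length;
  const hot = diff.new.filter((f) => f.severity === 'critical' || f.severity === 'high').length;
  if (hot > 0) return `Action required: ${hot} new critical/high findings since baseline.`;
  if (r > n) return 'Improving: more findings resolved than introduced.';
  if (n > 0 && r === 0) return `Regression: ${n} new findings, none resolved.`;
  if (n === 0 && r === 0) return 'Stable: no changes since baseline.';
  // Assumption: the skill file leaves "some new, some resolved, new >= resolved" unspecified.
  return `Mixed: ${n} new, ${r} resolved since baseline.`;
}

// Constructed sample findings (not real scanner output).
const baseline = [
  { scanner: 'secrets', title: 'Hardcoded API key', severity: 'critical', file: 'src/config.js' },
  { scanner: 'deps', title: 'Vulnerable lodash', severity: 'high', file: 'package.json' },
  { scanner: 'iac', title: 'Open security group', severity: 'medium', file: 'infra/sg.tf' },
];
const current = [
  { scanner: 'secrets', title: 'Hardcoded API key', severity: 'critical', file: 'src/settings.js' },
  { scanner: 'iac', title: 'Open security group', severity: 'medium', file: 'infra/sg.tf' },
  { scanner: 'sast', title: 'Verbose error page', severity: 'low', file: 'src/errors.js' },
  { scanner: 'sast', title: 'Command injection', severity: 'high', file: 'src/exec.js' },
];
console.log(advisory(diffFindings(baseline, current)));
```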
Step 5: HTML Report
After producing the markdown diff report above:
- Compute a temp markdown path:
  node -p "require('path').join(require('os').tmpdir(), 'sec-diff-' + Date.now() + '.md')"
- Use the Write tool to save the entire markdown report you just produced (banner with baseline+current timestamps + Summary table + New + Resolved + Moved sections + Advisory) to that temp path. Verbatim.
- Run the renderer:
  node <plugin-root>/scripts/render-report.mjs diff --in "<temp-md-path>"
  The CLI writes `reports/diff-<YYYYMMDD-HHmmss>.html` relative to CWD and prints `file:///abs/path.html` on stdout.
- Append to your response (markdown link, no bare URL):
  HTML report: [Open in browser](file:///abs/path.html)
If the CLI exits non-zero, mention the error but do not block — the markdown report above is the primary deliverable.