Kjell Tore Guttormsen
ce3891bdd0
Single-file SPA playground har nå parser + renderer for alle 18 produces_report=true-kommandoer (Fase 2: 10 høy-prio + Fase 3: 8 gjenstående: mcp-inspect, supply-check, pre-deploy, diff, watch, registry, clean, threat-model). 18 markdown test-fixtures fungerer som kontrakt-anker for parser-utvikling. Komplett demo-prosjekt `dft-komplett-demo` har alle 18 rapporter ferdig parsed inline — klikk-gjennom uten "parser ikke implementert"- paneler. 2 nye archetypes i KEY_STATS_CONFIG: kanban-buckets (clean) og matrix-risk (threat-model). Bug-fix: normalizeVerdictText sjekker nå GO-WITH-CONDITIONS / CONDITIONAL / BETINGET FØR plain GO så betinget verdict (pre-deploy med åpne vilkår) ikke kollapser til ALLOW. Eksponert 11 window-globaler for testing/automasjon (__store, __navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG, __inferVerdict, __inferKeyStats, __renderPageShell, __handlePasteImport, __scheduleRender). 12 Playwright-genererte screenshots i playground/screenshots/v7.5.0/. A11Y-rapport (WCAG 2.1 AA): 0 blokkerende, 3 mindre forbedringer flagget for v7.5.x patch (skip-link, heading-hierarki på project, aria-live toast). Versjonsbump 7.4.0 -> 7.5.0 i 10 filer (package.json, plugin.json, CLAUDE.md header, README badge, CHANGELOG-entry, 3 scanner VERSION- konstanter, ROADMAP, marketplace-rot README). Ingen scanner- eller hook-behavior-changes — purely additive surface. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
118 lines
2.9 KiB
Markdown
118 lines
2.9 KiB
Markdown
# Security Posture — DFT marketplace
|
|
|
|
---
|
|
|
|
## Header
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| **Report type** | posture |
|
|
| **Target** | ~/repos/dft-marketplace |
|
|
| **Date** | 2026-05-05 |
|
|
| **Version** | llm-security v7.4.0 |
|
|
| **Scope** | 16 categories (13 applicable) |
|
|
| **Frameworks** | OWASP LLM Top 10, EU AI Act, NIST AI RMF |
|
|
| **Triggered by** | /security posture |
|
|
|
|
---
|
|
|
|
## Risk Dashboard
|
|
|
|
| Metric | Value |
|
|
|--------|-------|
|
|
| **Risk Score** | 22/100 |
|
|
| **Risk Band** | Medium |
|
|
| **Grade** | B |
|
|
| **Verdict** | WARNING |
|
|
|
|
| Severity | Count |
|
|
|----------|------:|
|
|
| Critical | 0 |
|
|
| High | 1 |
|
|
| Medium | 3 |
|
|
| Low | 4 |
|
|
| Info | 6 |
|
|
| **Total** | **14** |
|
|
|
|
---
|
|
|
|
## Overall Score
|
|
|
|
**11 / 13 categories covered (Grade B)**
|
|
|
|
```
|
|
████████████████████░░░░ 84%
|
|
```
|
|
|
|
**Risk Score:** 22/100 (Medium)
|
|
|
|
**Verdict:** WARNING — close one high-severity gap to reach Grade A.
|
|
|
|
---
|
|
|
|
## Category Scorecard
|
|
|
|
| # | Category | Status | Findings |
|
|
|---|----------|--------|---------:|
|
|
| 1 | Deny-First Configuration | PASS | 0 |
|
|
| 2 | Hook Coverage | PASS | 0 |
|
|
| 3 | MCP Server Trust | PARTIAL | 2 |
|
|
| 4 | Secret Management | PASS | 0 |
|
|
| 5 | Permission Hygiene | PARTIAL | 1 |
|
|
| 6 | Memory Hygiene | PASS | 0 |
|
|
| 7 | Supply-Chain Defense | PASS | 1 |
|
|
| 8 | Plugin Trust | PASS | 0 |
|
|
| 9 | IDE Extension Hygiene | PASS | 0 |
|
|
| 10 | Skill Hygiene | PARTIAL | 3 |
|
|
| 11 | Logging & Audit | FAIL | 4 |
|
|
| 12 | Documentation | PASS | 1 |
|
|
| 13 | EU AI Act Coverage | PARTIAL | 2 |
|
|
| 14 | NIST AI RMF Mapping | N-A | 0 |
|
|
| 15 | ISO 42001 Mapping | N-A | 0 |
|
|
| 16 | Datatilsynet Compliance | N-A | 0 |
|
|
|
|
---
|
|
|
|
## Top Findings
|
|
|
|
### High
|
|
|
|
| ID | Category | File | Description |
|
|
|----|----------|------|-------------|
|
|
| PST-001 | Logging & Audit | settings.json | No audit-trail configured (`audit.log_path` unset) |
|
|
|
|
### Medium
|
|
|
|
| ID | Category | File | Description |
|
|
|----|----------|------|-------------|
|
|
| PST-002 | Skill Hygiene | skills/data-summary/SKILL.md | Description >150 chars (verbose) |
|
|
| PST-003 | EU AI Act | (project-level) | No AI Act risk classification documented |
|
|
| PST-004 | MCP Trust | .mcp.json | airbnb-mcp drift advisory pending |
|
|
|
|
---
|
|
|
|
## Quick Wins
|
|
|
|
1. **Enable audit trail** — set `audit.log_path` in `.llm-security/policy.json` (closes PST-001).
|
|
2. **Document AI Act classification** — add risk-level to `CLAUDE.md` (closes PST-003).
|
|
3. **Reset airbnb-mcp baseline** — after legitimate review (closes PST-004).
|
|
|
|
---
|
|
|
|
## Baseline Comparison
|
|
|
|
No baseline saved. Run `/security posture --save-baseline` to track future drift.
|
|
|
|
---
|
|
|
|
## Recommendations
|
|
|
|
1. **High:** Enable audit logging — single setting closes the only high-severity gap.
|
|
2. **Medium:** Add AI Act risk classification.
|
|
3. **Medium:** Trim verbose skill descriptions in 3 skills.
|
|
|
|
Estimated effort to Grade A: 30 minutes.
|
|
|
|
---
|
|
|
|
*Posture complete. Grade B, 14 findings, 1.2 seconds.*
|