ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/watch.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve
as the contract anchor for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
already parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO so that a conditional verdict
(pre-deploy with open conditions) does not collapse to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for the v7.5.x patch (skip-link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace root README).

No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00

3.4 KiB

Watch — Continuous Monitoring


Header

| Field | Value |
|---|---|
| Report type | watch |
| Target | ~/repos/dft-marketplace |
| Date | 2026-05-05 |
| Last Run | 2026-05-05 14:32 |
| Interval | 6h |
| Version | llm-security v7.4.0 |
| Scope | recurring scan diff |
| Triggered by | /security watch . --interval 6h |

Risk Dashboard

| Metric | Value |
|---|---|
| Risk Score | 31/100 |
| Risk Band | Medium |
| Grade | B |
| Verdict | WARNING |

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 1 |
| Info | 4 |
| Total | 9 |

Verdict rationale: Latest scan introduced 1 HIGH (new Edit(*) permission) compared to baseline 6h ago. Watch sent notify event to configured channels.


Live Meter

| Metric | Value |
|---|---|
| Active | yes |
| Runs (last 24h) | 4 |
| Last delta | +1 high, +0 medium |
| Next run | 2026-05-05 20:32 |
| Notify channels | email, webhook |

Recent History

| Run | Time | Grade | Risk Score | Δ vs prev |
|---|---|---|---|---|
| Current | 2026-05-05 14:32 | B | 31 | +6 |
| -6h | 2026-05-05 08:32 | B | 25 | -2 |
| -12h | 2026-05-05 02:32 | B | 27 | 0 |
| -18h | 2026-05-04 20:32 | B | 27 | -3 |
| -24h | 2026-05-04 14:32 | B | 30 | |

Findings

High

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| WAT-001 | Permissions | .claude/settings.json | 8 | Newly-introduced Edit(*) wildcard (last commit: 4a8c1f, 23min ago) | ASI04 |

Medium

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| WAT-002 | Injection | commands/research-v2.md | 22 | New command file added | LLM01 |
| WAT-003 | MCP Trust | .mcp.json | 28 | Per-update drift continues on postgres-readonly | MCP05 |
| WAT-004 | Supply Chain | package-lock.json | 5103 | New dep husky@9.0.11 < 72h old | LLM03 |

Low

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| WAT-005 | Documentation | docs/CHANGELOG.md | 144 | Sensitive path reference added (not exploitable) | |

Info

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| WAT-006 | Cron | (config) | | Cron handle: 4f8c (PID 12842) | |
| WAT-007 | Cron | (config) | | Run-script: ~/.cache/llm-security/watch/run.sh | |
| WAT-008 | Coverage | (target) | | Lines scanned: 18420 | |
| WAT-009 | Coverage | (target) | | Files scanned: 312 | |

Notify Events

| Time | Event | Channel | Status |
|---|---|---|---|
| 2026-05-05 14:32 | new-finding (high) | email | sent |
| 2026-05-05 14:32 | new-finding (high) | webhook | 200 OK |

Recommendations

  1. Immediate: Investigate commit 4a8c1f — Edit(*) wildcard addition warrants reverting or scope-narrowing.
  2. High: Review newly-added commands/research-v2.md for injection-vector placement.
  3. Medium: Drift on postgres-readonly has been continuous for 4 runs — may be legitimate upstream change. Run /security mcp-baseline-reset --target postgres-readonly after manual verification.
  4. Medium: Wait 24h before pinning husky@9.0.11 (currently <72h since publish).

Watch active. Next run scheduled 2026-05-05 20:32 (6h interval).