Single-file SPA playground now has parser + renderer for all 18 produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8 remaining: mcp-inspect, supply-check, pre-deploy, diff, watch, registry, clean, threat-model). 18 markdown test fixtures serve as contract anchors for parser development. The complete demo project `dft-komplett-demo` has all 18 reports pre-parsed inline: click-through with no "parser not implemented" panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean) and matrix-risk (threat-model). Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS / CONDITIONAL / BETINGET BEFORE plain GO, so a conditional verdict (pre-deploy with open conditions) no longer collapses to ALLOW. Exposed 11 window globals for testing/automation (__store, __navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG, __inferVerdict, __inferKeyStats, __renderPageShell, __handlePasteImport, __scheduleRender). 12 Playwright-generated screenshots in playground/screenshots/v7.5.0/. A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements flagged for the v7.5.x patch (skip-link, heading hierarchy on project, aria-live toast). Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json, CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION constants, ROADMAP, marketplace root README). No scanner or hook behavior changes; purely additive surface. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
117 lines
3.4 KiB
Markdown
# Watch — Continuous Monitoring

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | watch |
| **Target** | ~/repos/dft-marketplace |
| **Date** | 2026-05-05 |
| **Last Run** | 2026-05-05 14:32 |
| **Interval** | 6h |
| **Version** | llm-security v7.4.0 |
| **Scope** | recurring scan diff |
| **Triggered by** | /security watch . --interval 6h |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 31/100 |
| **Risk Band** | Medium |
| **Grade** | B |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 1 |
| Info | 4 |
| **Total** | **9** |

**Verdict rationale:** Latest scan introduced 1 HIGH (new `Edit(*)` permission) compared to baseline 6h ago. Watch sent notify event to configured channels.

---

## Live Meter

| Metric | Value |
|--------|-------|
| **Active** | yes |
| **Runs (last 24h)** | 4 |
| **Last delta** | +1 high, +0 medium |
| **Next run** | 2026-05-05 20:32 |
| **Notify channels** | email, webhook |

---

## Recent History

| Run | Time | Grade | Risk Score | Δ vs prev |
|-----|------|-------|-----------:|-----------|
| Current | 2026-05-05 14:32 | B | 31 | +6 |
| -6h | 2026-05-05 08:32 | B | 25 | -2 |
| -12h | 2026-05-05 02:32 | B | 27 | 0 |
| -18h | 2026-05-04 20:32 | B | 27 | -3 |
| -24h | 2026-05-04 14:32 | B | 30 | — |

---

## Findings

### High

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| WAT-001 | Permissions | .claude/settings.json | 8 | Newly-introduced `Edit(*)` wildcard (last commit: 4a8c1f, 23min ago) | ASI04 |

### Medium

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| WAT-002 | Injection | commands/research-v2.md | 22 | New command file added | LLM01 |
| WAT-003 | MCP Trust | .mcp.json | 28 | Per-update drift continues on `postgres-readonly` | MCP05 |
| WAT-004 | Supply Chain | package-lock.json | 5103 | New dep `husky@9.0.11` < 72h old | LLM03 |

### Low

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| WAT-005 | Documentation | docs/CHANGELOG.md | 144 | Sensitive path reference added (not exploitable) | — |

### Info

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| WAT-006 | Cron | (config) | — | Cron handle: 4f8c (PID 12842) | — |
| WAT-007 | Cron | (config) | — | Run-script: ~/.cache/llm-security/watch/run.sh | — |
| WAT-008 | Coverage | (target) | — | Lines scanned: 18420 | — |
| WAT-009 | Coverage | (target) | — | Files scanned: 312 | — |

---

## Notify Events

| Time | Event | Channel | Status |
|------|-------|---------|--------|
| 2026-05-05 14:32 | new-finding (high) | email | sent |
| 2026-05-05 14:32 | new-finding (high) | webhook | 200 OK |

---

## Recommendations

1. **Immediate:** Investigate commit 4a8c1f — `Edit(*)` wildcard addition warrants reverting or scope-narrowing.
2. **High:** Review newly-added `commands/research-v2.md` for injection-vector placement.
3. **Medium:** Drift on `postgres-readonly` has been continuous for 4 runs — may be legitimate upstream change. Run `/security mcp-baseline-reset --target postgres-readonly` after manual verification.
4. **Medium:** Wait 24h before pinning `husky@9.0.11` (currently <72h since publish).

---

*Watch active. Next run scheduled 2026-05-05 20:32 (6h interval).*
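As an added example, not code from the playground or the project, here is a minimal JavaScript parser for the watch fixture above together with a verdict normalizer that applies the ordering the commit message's bug-fix describes (conditional forms checked before plain GO). The function names, the constructed fixture excerpt and the output labels ALLOW / CONDITIONAL / WARN / BLOCK are assumptions, not the playground's actual API.

```javascript
// Added example (not the playground's code); labels and names are assumptions.
const SEVERITIES = ['Critical', 'High', 'Medium', 'Low', 'Info'];
// Constructed excerpt of the watch fixture, trimmed to the parts the parser reads.
const WATCH_FIXTURE = [
  '## Risk Dashboard', '', '| Metric | Value |', '|--------|-------|',
  '| **Risk Score** | 31/100 |', '| **Verdict** | WARNING |', '',
  '| Severity | Count |', '|----------|------:|',
  '| Critical | 0 |', '| High | 1 |', '| Medium | 3 |', '| **Total** | **4** |', '',
  '## Findings', '', '### High', '',
  '| ID | Category | File | Line | Description | OWASP |',
  '|----|----------|------|------|-------------|-------|',
  '| WAT-001 | Permissions | .claude/settings.json | 8 | Newly-introduced `Edit(*)` wildcard | ASI04 |',
].join('\n');

// Conditional forms are tested first: a plain /GO/ test would also match "GO-WITH-CONDITIONS"
// and silently turn a conditional verdict into ALLOW. BLOCK precedes ALLOW because "NO-GO" contains "GO".
function normalizeVerdictText(text) {
  const t = String(text || '').toUpperCase();
  if (/GO-WITH-CONDITIONS|CONDITIONAL|BETINGET/.test(t)) return 'CONDITIONAL';
  if (/BLOCK|NO-GO|FAIL|REJECT/.test(t)) return 'BLOCK';
  if (/\bGO\b|ALLOW|PASS/.test(t)) return 'ALLOW';
  if (/WARN/.test(t)) return 'WARN';
  return 'UNKNOWN';
}

// Markdown table lines -> arrays of trimmed cells; separator rows and bold markup are dropped.
function tableRows(lines) {
  return lines
    .filter(l => l.startsWith('|') && !/^\|[\s:|-]+$/.test(l))
    .map(l => l.replace(/^\||\|$/g, '').split('|').map(c => c.trim().replace(/^\*\*(.*)\*\*$/, '$1')));
}

function parseWatchReport(md) {
  const sections = {}; let cur = '_';  // bucket lines under their ## / ### heading
  for (const line of md.split('\n')) {
    const h = /^#{2,3}\s+(.+)$/.exec(line);
    if (h) cur = h[1].trim(); else (sections[cur] = sections[cur] || []).push(line);
  }
  const kv = {};  // two-column dashboard rows become a key/value map
  for (const r of tableRows(sections['Risk Dashboard'] || [])) if (r.length === 2) kv[r[0]] = r[1];
  const findings = [];  // six-column rows under each severity heading, header row skipped
  for (const sev of SEVERITIES)
    for (const r of tableRows(sections[sev] || []))
      if (r.length === 6 && r[0] !== 'ID')
        findings.push({ id: r[0], severity: sev, category: r[1], file: r[2], line: r[3], description: r[4], owasp: r[5] });
  return { riskScore: parseInt(kv['Risk Score'], 10), verdict: normalizeVerdictText(kv['Verdict']),
           counts: Object.fromEntries(SEVERITIES.map(s => [s, Number(kv[s] || 0)])), findings };
}
```

Running `parseWatchReport(WATCH_FIXTURE)` yields risk score 31, verdict `WARN`, severity counts and the single WAT-001 finding; swapping the first two checks in `normalizeVerdictText` reproduces the collapse the commit fixed.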