ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/posture.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve
as the contract anchor for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
pre-parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO so that a conditional verdict
(pre-deploy with open conditions) does not collapse to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for the v7.5.x patch (skip link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace root README).

No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00

2.9 KiB

Security Posture — DFT marketplace


Header

| Field | Value |
|---|---|
| Report type | posture |
| Target | ~/repos/dft-marketplace |
| Date | 2026-05-05 |
| Version | llm-security v7.4.0 |
| Scope | 16 categories (13 applicable) |
| Frameworks | OWASP LLM Top 10, EU AI Act, NIST AI RMF |
| Triggered by | /security posture |

Risk Dashboard

| Metric | Value |
|---|---|
| Risk Score | 22/100 |
| Risk Band | Medium |
| Grade | B |
| Verdict | WARNING |

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 3 |
| Low | 4 |
| Info | 6 |
| Total | 14 |

Overall Score

11 / 13 categories covered (Grade B)

████████████████████░░░░  84%

Risk Score: 22/100 (Medium)

Verdict: WARNING — close one high-severity gap to reach Grade A.


Category Scorecard

| # | Category | Status | Findings |
|---|---|---|---|
| 1 | Deny-First Configuration | PASS | 0 |
| 2 | Hook Coverage | PASS | 0 |
| 3 | MCP Server Trust | PARTIAL | 2 |
| 4 | Secret Management | PASS | 0 |
| 5 | Permission Hygiene | PARTIAL | 1 |
| 6 | Memory Hygiene | PASS | 0 |
| 7 | Supply-Chain Defense | PASS | 1 |
| 8 | Plugin Trust | PASS | 0 |
| 9 | IDE Extension Hygiene | PASS | 0 |
| 10 | Skill Hygiene | PARTIAL | 3 |
| 11 | Logging & Audit | FAIL | 4 |
| 12 | Documentation | PASS | 1 |
| 13 | EU AI Act Coverage | PARTIAL | 2 |
| 14 | NIST AI RMF Mapping | N-A | 0 |
| 15 | ISO 42001 Mapping | N-A | 0 |
| 16 | Datatilsynet Compliance | N-A | 0 |

Top Findings

High

| ID | Category | File | Description |
|---|---|---|---|
| PST-001 | Logging & Audit | settings.json | No audit-trail configured (audit.log_path unset) |

Medium

| ID | Category | File | Description |
|---|---|---|---|
| PST-002 | Skill Hygiene | skills/data-summary/SKILL.md | Description >150 chars (verbose) |
| PST-003 | EU AI Act | (project-level) | No AI Act risk classification documented |
| PST-004 | MCP Trust | .mcp.json | airbnb-mcp drift advisory pending |

Quick Wins

  1. Enable audit trail — set audit.log_path in .llm-security/policy.json (closes PST-001).
  2. Document AI Act classification — add risk-level to CLAUDE.md (closes PST-003).
  3. Reset airbnb-mcp baseline — after legitimate review (closes PST-004).

Baseline Comparison

No baseline saved. Run /security posture --save-baseline to track future drift.


Recommendations

  1. High: Enable audit logging — single setting closes the only high-severity gap.
  2. Medium: Add AI Act risk classification.
  3. Medium: Trim verbose skill descriptions in 3 skills.

Estimated effort to Grade A: 30 minutes.


Posture complete. Grade B, 14 findings, 1.2 seconds.