ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/pre-deploy.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve
as contract anchors for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
already parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO so that a conditional verdict
(pre-deploy with open conditions) does not collapse to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for the v7.5.x patch (skip link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace root README).

No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00

4.1 KiB

Pre-Deploy Security Checklist


Header

| Field | Value |
|---|---|
| Report type | pre-deploy |
| Target | DFT data-platform release v3.2.0 |
| Date | 2026-05-05 |
| Version | llm-security v7.4.0 |
| Scope | enterprise gate + production readiness |
| Frameworks | OWASP LLM Top 10, EU AI Act, NSM Grunnprinsipper |
| Triggered by | /security pre-deploy |

Risk Dashboard

| Metric | Value |
|---|---|
| Risk Score | 12/100 |
| Risk Band | Low |
| Grade | A |
| Verdict | GO-WITH-CONDITIONS |

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 3 |
| Info | 5 |
| Total | 10 |

Verdict rationale: All gates PASS or PASS-WITH-NOTES. 2 medium conditions: pending Datatilsynet ack on DPIA addendum (expected 2026-05-08) + missing logging-aggregator wire-up. Conditional approval — deployment may proceed once both are resolved.


Traffic Light Categories

| Category | Status | Notes |
|---|---|---|
| Identity & Access | PASS | OIDC + MFA, 89% coverage |
| Network Isolation | PASS | Private endpoints + NSG |
| Data Protection | PASS-WITH-NOTES | Customer-managed keys; rotation policy verified |
| Logging & Audit | FAIL | Logging aggregator not wired (M1 finding) |
| Compliance | PASS-WITH-NOTES | DPIA pending Datatilsynet ack (M2) |
| Secrets Management | PASS | Key Vault + managed identity |
| Hooks Coverage | PASS | All 9 hooks active |
| MCP Security | PASS | 0 untrusted servers |
| Supply Chain | PASS | 0 critical, 0 high CVEs |
| Plugin Trust | PASS | Only first-party plugins |
| Permission Hygiene | PASS | No wildcard Bash |
| Memory Hygiene | PASS | CLAUDE.md scanned, no poisoning |
| Performance | PASS | <500ms hook latency |

Findings

Medium

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| PRD-001 | Logging | infrastructure/observability.bicep | 12 | Logging aggregator export endpoint missing | |
| PRD-002 | Compliance | docs/DPIA-2026-04-15.md | | Datatilsynet ack pending (submitted 2026-04-22, expected response 2026-05-08) | |

Low

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| PRD-003 | Documentation | docs/SECURITY.md | | SLA for security-disclosure response not documented | |
| PRD-004 | Documentation | docs/RUNBOOK.md | | Incident-response runbook missing rollback section | |
| PRD-005 | Performance | hooks/post-mcp-verify.mjs | | P95 latency 412ms (target <500ms) — within budget but monitoring needed | |

Info

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| PRD-006 | Coverage | (env) | | Production env: Azure North Europe | |
| PRD-007 | Coverage | (env) | | Data-classification: Fortrolig | |
| PRD-008 | Coverage | (compliance) | | Frameworks: OWASP LLM, EU AI Act, NSM | |
| PRD-009 | Coverage | (gate) | | Pre-deploy run by: ci/release.yml | |
| PRD-010 | Coverage | (history) | | 4 prior pre-deploy runs in last 90 days, all PASS | |

Conditions to Resolve

  1. PRD-001 (medium): Wire logging aggregator before deployment. Owner: platform-ops. Blocker.
  2. PRD-002 (medium): Receive Datatilsynet ack OR document silent-period acceptance. Owner: privacy-officer. Blocker until 2026-05-08.

Approvals

| Role | Approver | Date | Notes |
|---|---|---|---|
| Security Lead | (pending) | | After PRD-001 resolved |
| Privacy Officer | (pending) | | After PRD-002 resolved |
| Platform Owner | A. Nilsen | 2026-05-04 | Signed off subject to conditions |

Recommendations

  1. Immediate: Resolve PRD-001 (logging aggregator) before deploying.
  2. High: Confirm Datatilsynet ack OR escalate silent-period exception (PRD-002).
  3. Medium: Document SLA in SECURITY.md (PRD-003) post-deploy — non-blocking.
  4. Medium: Add rollback section to RUNBOOK.md (PRD-004) post-deploy.

Pre-deploy complete. 13 categories, 1 FAIL pending wire-up, conditional GO.