Kjell Tore Guttormsen
db80854830
- New scripts/render-report.mjs CLI: stdin/file/stdout modes, ESM import
from ./lib/report-renderers.mjs, kebab→camel renderer-name lookup so
any of the 18 PARSERS works
- Standalone HTML wrap: inlines 6 DS stylesheets (tokens, base, components,
tier2, tier3, tier3-supplement) + local .report-table CSS. Skips fonts.css
→ system-ui fallback via tokens.css (~137 KB self-contained vs ~1 MB
with woff2 bundled)
- 4 skill files wired: commands/{scan,audit,posture,deep-scan}.md — new
step instructs Claude to Write the markdown report to a temp file,
invoke the CLI, and print a markdown-formatted file:// link
- Absolute file:// paths in stdout for Ghostty cmd-click compatibility
- Default output: reports/<command>-<YYYYMMDD-HHmmss>.html relative to CWD
- Smoke-tested: stdin→stdout, file→file roundtrip, all 4 commands produce
valid HTML with DS-aligned page-shell (page__title, verdict-pill-lg,
risk-meter, key-stats, findings__item, recommendation-card)
- Tests 1820/1820 green (same baseline; pre-compact-scan perf-flake from
NEXT-SESSION-PROMPT did not fire on retry)
- Playground untouched (2 scripts, 0 parse failures), report-renderers.mjs
untouched (74 exports, 18 PARSERS, 18 RENDERERS)
Sesjon 4 av 5. v7.7.0 release + 9 remaining skill wirings = sesjon 5.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
62 lines
2.4 KiB
Markdown
62 lines
2.4 KiB
Markdown
---
|
|
name: security:deep-scan
|
|
description: Run deterministic deep-scan — 9 Node.js scanners for Unicode attacks, entropy analysis, permission mapping, dependency auditing, taint tracing, git forensics, network mapping, memory poisoning, and toxic flow analysis
|
|
allowed-tools: Read, Glob, Grep, Bash, Agent
|
|
model: sonnet
|
|
---
|
|
|
|
# /security deep-scan [path]
|
|
|
|
9 deterministic Node.js scanners — entropy, Unicode, typosquatting, git forensics, taint tracing, dep audit, network mapping, memory poisoning, toxic flow analysis.
|
|
|
|
## Step 1: Setup
|
|
|
|
- `$ARGUMENTS` empty → target = cwd. Otherwise target = `$ARGUMENTS` (strip `--deep`).
|
|
- Plugin root = parent of this `commands/` folder.
|
|
- Get temp path: `node -p "require('path').join(require('os').tmpdir(), 'deep-scan-results.json')"`
|
|
|
|
## Step 2: Run Orchestrator
|
|
|
|
```bash
|
|
node <plugin-root>/scanners/scan-orchestrator.mjs "<target>" --output-file "<results_file>"
|
|
```
|
|
|
|
Exit 0=ALLOW, 1=WARNING, 2=BLOCK. Stdout = compact aggregate JSON. Full results in file.
|
|
|
|
## Step 3: Show Banner
|
|
|
|
```
|
|
## Deep Scan: [VERDICT]
|
|
Risk Score: X/100 | Findings: XC XH XM XL XI
|
|
Scanners: X ok, X error, X skipped
|
|
```
|
|
|
|
## Step 4: Synthesize Report
|
|
|
|
Spawn `subagent_type: "llm-security:deep-scan-synthesizer-agent"`, `model: "sonnet"`:
|
|
|
|
> Read scan results from: \<results_file\>
|
|
> Read: \<plugin-root\>/knowledge/mitigation-matrix.md
|
|
> Produce complete report with actionable insights. Don't pad.
|
|
|
|
Output the synthesizer's report. If it fails, show banner + CRITICAL/HIGH findings from JSON.
|
|
|
|
## Step 5: HTML Report
|
|
|
|
After producing the markdown deep-scan report (banner + synthesizer output or fallback):
|
|
|
|
1. Compute a temp markdown path:
|
|
```bash
|
|
node -p "require('path').join(require('os').tmpdir(), 'sec-deepscan-' + Date.now() + '.md')"
|
|
```
|
|
2. Use the Write tool to save the **entire markdown report you just produced** (banner + synthesizer narrative + scanner sections + findings) to that temp path. Verbatim.
|
|
3. Run the renderer:
|
|
```bash
|
|
node <plugin-root>/scripts/render-report.mjs deep-scan --in "<temp-md-path>"
|
|
```
|
|
The CLI writes `reports/deep-scan-<YYYYMMDD-HHmmss>.html` relative to CWD and prints `file:///abs/path.html` on stdout.
|
|
4. Append to your response (markdown link, no bare URL):
|
|
|
|
> **HTML-rapport:** [Åpne i nettleser](file:///abs/path.html)
|
|
|
|
If the CLI exits non-zero, mention the error but do not block — the markdown report above is the primary deliverable.
|