open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/commands/posture.md
Kjell Tore Guttormsen db80854830 feat(llm-security): playground v7.6.2-dev — render-report CLI + wire 4 skills (scan, audit, posture, deep-scan) [skip-docs] 
- New scripts/render-report.mjs CLI: stdin/file/stdout modes, ESM import
  from ./lib/report-renderers.mjs, kebab→camel renderer-name lookup so
  any of the 18 PARSERS works
- Standalone HTML wrap: inlines 6 DS stylesheets (tokens, base, components,
  tier2, tier3, tier3-supplement) + local .report-table CSS. Skips fonts.css
  → system-ui fallback via tokens.css (~137 KB self-contained vs ~1 MB
  with woff2 bundled)
- 4 skill files wired: commands/{scan,audit,posture,deep-scan}.md — new
  step instructs Claude to Write the markdown report to a temp file,
  invoke the CLI, and print a markdown-formatted file:// link
- Absolute file:// paths in stdout for Ghostty cmd-click compatibility
- Default output: reports/<command>-<YYYYMMDD-HHmmss>.html relative to CWD
- Smoke-tested: stdin→stdout, file→file roundtrip, all 4 commands produce
  valid HTML with DS-aligned page-shell (page__title, verdict-pill-lg,
  risk-meter, key-stats, findings__item, recommendation-card)
- Tests 1820/1820 green (same baseline; pre-compact-scan perf-flake from
  NEXT-SESSION-PROMPT did not fire on retry)
- Playground untouched (2 scripts, 0 parse failures), report-renderers.mjs
  untouched (74 exports, 18 PARSERS, 18 RENDERERS)

Sesjon 4 av 5. v7.7.0 release + 9 remaining skill wirings = sesjon 5.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 12:56:03 +02:00

2.4 KiB
Raw Blame History

name description allowed-tools model
security:posture Quick security posture assessment — scorecard with grade, coverage status, and top recommendations Read, Glob, Grep, Bash sonnet

/security posture

Quick security scorecard — grade, coverage, top recommendations. Deterministic scanner, <2 sec.

Step 1: Run Scanner

Run the deterministic posture scanner:

node <this plugin's scanners/posture-scanner.mjs> [target-path or cwd]

Parse the JSON output. The result contains:

  • scoring.grade (A-F), scoring.pass_rate, scoring.pass/partial/fail/na
  • risk.score (0-100), risk.band, risk.verdict
  • categories[] with id, name, status, findings_count, evidence
  • findings[] with severity, title, description, owasp, recommendation
  • counts with critical/high/medium/low/info

Step 2: Format Scorecard

Present the results as a scorecard:

# Security Posture — [project name]

| Field | Value |
|-------|-------|
| **Grade** | [A-F] |
| **Risk Score** | [N]/100 ([band]) |
| **Verdict** | [verdict] |
| **Duration** | [N]ms |

## Category Scorecard

| # | Category | Status | Findings |
|---|----------|--------|----------|
[one row per category, status as PASS/PARTIAL/FAIL/N-A]

## Top Findings

[List critical and high findings with title, file, and recommendation]

## Quick Wins

[List low-effort fixes from findings]

Step 3: Closing

  • Grade A/B: "Posture solid. Re-run after major changes."
  • Grade C: "Run /security audit for detailed findings."
  • Grade D/F: "Significant exposure. Run /security audit before production use."

Step 4: HTML Report

After producing the markdown scorecard above:

  1. Compute a temp markdown path:

    node -p "require('path').join(require('os').tmpdir(), 'sec-posture-' + Date.now() + '.md')"

  2. Use the Write tool to save the entire markdown scorecard you just produced (header + Category Scorecard table + Top Findings + Quick Wins + closing) to that temp path. Verbatim.

  3. Run the renderer:

    node <plugin-root>/scripts/render-report.mjs posture --in "<temp-md-path>"

    The CLI writes reports/posture-<YYYYMMDD-HHmmss>.html relative to CWD and prints file:///abs/path.html on stdout.

  4. Append to your response (markdown link, no bare URL):

    HTML-rapport: Åpne i nettleser

If the CLI exits non-zero, mention the error but do not block — the markdown scorecard above is the primary deliverable.