diff --git a/docs/gateway/security/audit-checks.md b/docs/gateway/security/audit-checks.md index d862c997c93..b97df39301d 100644 --- a/docs/gateway/security/audit-checks.md +++ b/docs/gateway/security/audit-checks.md @@ -97,9 +97,9 @@ exhaustive): | `tools.exec.safe_bin_trusted_dirs_risky` | warn | `safeBinTrustedDirs` includes mutable or risky directories | `tools.exec.safeBinTrustedDirs`, `agents.list[].tools.exec.safeBinTrustedDirs` | no | | `skills.workspace.symlink_escape` | warn | Workspace `skills/**/SKILL.md` resolves outside workspace root (symlink-chain drift) | workspace `skills/**` filesystem state | no | | `plugins.extensions_no_allowlist` | warn | Plugins are installed without an explicit plugin allowlist | `plugins.allowlist` | no | -| `plugins.index_unpinned_npm_specs` | warn | Plugin install records are not pinned to immutable npm specs | plugin install metadata | no | -| `plugins.index_missing_integrity` | warn | Plugin install records lack integrity metadata | plugin install metadata | no | -| `plugins.index_version_drift` | warn | Plugin install records drift from installed packages | plugin install metadata | no | +| `plugins.installs_unpinned_npm_specs` | warn | Plugin index records are not pinned to immutable npm specs | plugin install metadata | no | +| `plugins.installs_missing_integrity` | warn | Plugin index records lack integrity metadata | plugin install metadata | no | +| `plugins.installs_version_drift` | warn | Plugin index records drift from installed packages | plugin install metadata | no | | `plugins.code_safety` | warn/critical | Plugin code scan found suspicious or dangerous patterns | plugin code / install source | no | | `plugins.code_safety.entry_path` | warn | Plugin entry path points into hidden or `node_modules` locations | plugin manifest `entry` | no | | `plugins.code_safety.entry_escape` | critical | Plugin entry escapes the plugin directory | plugin manifest `entry` | no | diff --git a/src/security/audit-plugins-trust.test.ts b/src/security/audit-plugins-trust.test.ts index 02bb5c4c64a..52aa3172039 100644 --- a/src/security/audit-plugins-trust.test.ts +++ b/src/security/audit-plugins-trust.test.ts @@ -189,8 +189,8 @@ describe("security audit install metadata findings", () => { ); }, expectedPresent: [ - "plugins.index_unpinned_npm_specs", - "plugins.index_missing_integrity", + "plugins.installs_unpinned_npm_specs", + "plugins.installs_missing_integrity", "hooks.installs_unpinned_npm_specs", "hooks.installs_missing_integrity", ], @@ -224,8 +224,8 @@ describe("security audit install metadata findings", () => { ); }, expectedAbsent: [ - "plugins.index_unpinned_npm_specs", - "plugins.index_missing_integrity", + "plugins.installs_unpinned_npm_specs", + "plugins.installs_missing_integrity", "hooks.installs_unpinned_npm_specs", "hooks.installs_missing_integrity", ], @@ -260,7 +260,7 @@ describe("security audit install metadata findings", () => { stateDir, ); }, - expectedPresent: ["plugins.index_version_drift", "hooks.installs_version_drift"], + expectedPresent: ["plugins.installs_version_drift", "hooks.installs_version_drift"], }, ]; diff --git a/src/security/audit-plugins-trust.ts b/src/security/audit-plugins-trust.ts index 3a4e090f44a..085b38347d2 100644 --- a/src/security/audit-plugins-trust.ts +++ b/src/security/audit-plugins-trust.ts @@ -433,7 +433,7 @@ export async function collectPluginsTrustFindings(params: { .map(([pluginId, record]) => `${pluginId} (${record.spec})`); if (unpinned.length > 0) { findings.push({ - checkId: "plugins.index_unpinned_npm_specs", + checkId: "plugins.installs_unpinned_npm_specs", severity: "warn", title: "Plugin index includes unpinned npm specs", detail: `Unpinned plugin index install records:\n${unpinned.map((entry) => `- ${entry}`).join("\n")}`, @@ -449,7 +449,7 @@ export async function collectPluginsTrustFindings(params: { .map(([pluginId]) => pluginId); if (missingIntegrity.length > 0) { findings.push({ - checkId: "plugins.index_missing_integrity", + checkId: "plugins.installs_missing_integrity", severity: "warn", title: "Plugin index is missing integrity metadata", detail: `Plugin index records missing integrity:\n${missingIntegrity.map((entry) => `- ${entry}`).join("\n")}`, @@ -475,7 +475,7 @@ export async function collectPluginsTrustFindings(params: { } if (pluginVersionDrift.length > 0) { findings.push({ - checkId: "plugins.index_version_drift", + checkId: "plugins.installs_version_drift", severity: "warn", title: "Plugin index records drift from installed package versions", detail: `Detected plugin install metadata drift:\n${pluginVersionDrift.map((entry) => `- ${entry}`).join("\n")}`,