feat(security): Spec 076 US4 — consensus risk-score + report transparency (T020-T021)

[Dumbris]

Summary

Spec 076 US4 (transparent, consensus-aware findings) — T020 + T021. Branched off origin/main (carries the T1 detect-engine foundation #769 and the ScanFinding.Confidence/Signals fields from T004).

T020 — consensus-additive risk score (FR-006, SC-007)

CalculateRiskScore previously dedup-collapsed agreement: a tool flagged by several independent checks counted the same as one flagged once. The deterministic scanner (Spec 076) emits one ScanFinding per tool whose Signals list every check that fired. The score now weights each (deduplicated) finding by its distinct-signal count, so check agreement raises the composite risk score instead of being collapsed.

• Single-signal warning → 6; same finding with 3 signals → 12 (consensus visible).
• Findings from legacy/Docker scanners carry no signals → weigh 1 → legacy scoring unchanged.
• Cross-scanner de-duplication (same rule_id+location from multiple scanners) is retained — only independent signals within a finding add.

T021 — report transparency (FR-010, SC-007)

• CLI printFindingsList now renders Confidence: and Signals: lines under a finding (skipped when absent, so plain CVE findings stay compact).
• Confirmed confidence/signals serialize through the REST aggregated scan report (report-level marshal test), not just on a bare ScanFinding.
• Doc note under docs/cli/security-commands.md (ENG-9).

Testing

• go test -race ./internal/security/... ./cmd/mcpproxy/ — green
• golangci-lint run --config .github/.golangci.yml ./internal/security/scanner/... ./cmd/mcpproxy/... — 0 issues
• New tests: consensus-raises-score, cross-scanner-dedup-retained, CLI render + absent-field, report-level serialization (all TDD red→green).

Layering note

The additive scoring is inert on main today — Signals is only populated once the US1/US2 detect→scanner wiring (#770/#775) lands; until then every finding weighs 1 and behavior is identical. This is the correct foundational layering (US4 depends on Foundational aggregation only).

Related #MCP-3578

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	5194bce
Status:	✅  Deploy successful!
Preview URL:	https://5b45bf4e.mcpproxy-docs.pages.dev
Branch Preview URL:	https://076-t5-consensus-score.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: 076-t5-consensus-score

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (25 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 28262188419 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.