
Display trust score as N/100 instead of raw decimal#50

Merged
thebenignhacker merged 1 commit into main from fix/trust-score-display
Mar 16, 2026

Conversation

@thebenignhacker
Contributor

Summary

  • Trust score now displays as 47/100 instead of 0.47 for consistency with opena2a CLI
  • Fix INT-003 DVAA health check timeout (2s race instead of hanging for 10s)
  • Version bump to 0.10.2

Test plan

  • All 915 tests pass (was 914 due to DVAA timeout)
  • formatTrustCheck shows 47/100 not 0.47
  • formatTrustBatch shows 47/100 not 0.47

Matches opena2a CLI format for consistency across all tools.
@thebenignhacker thebenignhacker merged commit 24082c5 into main Mar 16, 2026
1 check passed
@thebenignhacker thebenignhacker deleted the fix/trust-score-display branch March 16, 2026 18:54

@github-actions github-actions bot left a comment


Claude Code Review

Security Review: PR #50

VERDICT: APPROVE

SUMMARY

This PR introduces cosmetic formatting changes to trust score display (converting decimal to percentage notation), bumps the version to 0.10.2, and fixes a test race condition in INT-003 by adding a 2-second timeout to the DVAA health check. The changes are minimal, well-contained, and introduce no security or correctness issues. The timeout fix uses Promise.race() with a hardcoded delay, which is a safe pattern for preventing test hangs. No command injection, prototype pollution, path traversal, or other security vulnerabilities are present in the modified code.

ANALYSIS

Changes Reviewed

  1. CHANGELOG.md — Documentation only, no code impact
  2. package.json — Version bump from 0.10.1 to 0.10.2, no dependency changes
  3. INT-003 test file (lines 189-192) — Adds Promise.race() timeout wrapper around dvaa.health() call
  4. src/cli.ts (lines 4750, 4804) — Trust score formatting changes from toFixed(2) to Math.round(score * 100)/100

Security Verification

Test timeout fix (INT-003.prompt-injection-response.test.ts:189-192)

  • Pattern: Promise.race() with hardcoded 2-second timeout
  • Mitigation check: Timeout value is a numeric literal (2000), not user input ✓
  • No command execution, no external input involved ✓

Trust score formatting (src/cli.ts:4750, 4804)

  • Pattern: Math.round(answer.trustScore * 100)
  • Input source: answer.trustScore comes from the ai-trust library's TrustAnswer type
  • Verification: No user-controlled input reaches Math.round(), operates on validated trust scores (0.0-1.0 range per library contract)
  • No injection vector: Output is interpolated into template string with no shell/eval context ✓

Type safety check

  • trustScore field is typed as number in the ai-trust package's TypeScript definitions
  • Math.round() safely handles all numeric inputs including NaN/Infinity (returns integer or NaN)
  • Output string formatting adds /100 suffix, no security implications ✓

Correctness Verification

  • Trust score conversion logic: Math.round(0.47 * 100) → 47 → "47/100" is mathematically correct
  • Test timeout prevents indefinite hang when DVAA service is unavailable (addresses the stated "10s hang" issue)
  • No breaking changes to CLI interface or public API
  • Exit codes unchanged

Common False Positive Check

  • No command injection (no exec/spawn calls in diff)
  • No prototype pollution (no object manipulation)
  • No regex patterns introduced
  • No file system operations
  • No network requests with user-controlled URLs

All changes are purely presentational or test infrastructure improvements with no security surface area.


Reviewed 4 files changed (2714 bytes)
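As an added example (not code from the PR or the project), the two changes the review above describes, written out in plain JavaScript: an N/100 formatter with an explicit guard for non-finite or out-of-range scores, and a Promise.race() timeout wrapper that clears its timer so a finished test does not leave the event loop waiting. The service stubs and function names are constructed for the demo.

```javascript
"use strict";
// Added example (not the project's code). Mirrors the two changes described in
// PR #50: rendering a 0.0-1.0 trust score as "N/100" and bounding a health
// check with Promise.race() so a test cannot hang on an unresponsive service.

// Format a trust score in [0, 1] as "N/100". Non-finite or out-of-range input
// (which the library contract says should not occur) is reported explicitly
// rather than rendered as "NaN/100".
function formatTrustScore(score) {
  if (typeof score !== "number" || !Number.isFinite(score) || score < 0 || score > 1) {
    return `invalid/100 (raw=${String(score)})`;
  }
  return `${Math.round(score * 100)}/100`;
}

// Race `work` against a fixed timeout. The timer is cleared once the race
// settles, so a finished test is not kept alive by a dangling setTimeout.
function withTimeout(work, ms, label) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms);
  });
  const clear = () => clearTimeout(timer);
  return Promise.race([work, timeout]).then(
    (value) => { clear(); return value; },
    (err) => { clear(); throw err; },
  );
}

// Constructed stand-ins for a health endpoint (hypothetical, for the demo).
function healthyService() { return Promise.resolve({ status: "ok" }); }
function hungService() { return new Promise(() => {}); } // never settles

// Classify a health check as "ok", "timeout" or "error" for assertions.
async function probeHealth(check, ms) {
  try {
    await withTimeout(check(), ms, "dvaa.health");
    return "ok";
  } catch (err) {
    return /timed out/.test(err.message) ? "timeout" : "error";
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(formatTrustScore(0.47));             // 47/100
  probeHealth(hungService, 50).then(console.log);   // timeout
}
```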
