Background
The Tier 1 compliance audits + fm_audit_posture (shipped in v1.7.0 / v1.7.1) report PBX security posture against deterministic pattern-based checks. They surface real findings but:
- They're heuristic. A clean audit doesn't mean the PBX is secure — it means none of the patterns we look for matched. Novel attack patterns aren't caught.
- They're not a substitute for a professional security review. Frogman is experimental; the audit checks reflect the most common toll-fraud chain links, not every possible failure mode.
- They report what they see in FreePBX data. Commercial modules, custom dialplan in extensions_custom.conf, fail2ban policy, network-perimeter config, and host-level Linux security are all out of scope.
Admins running these audits in chat could come away with false confidence ("Frogman says my system is clean, must be fine") if they don't know the scope.
Proposed enhancement
Add a one-line disclaimer to the chat output of every fm_audit_* tool result. Something like:
⚠️ This audit is a heuristic pattern check, not a complete security review. A clean result means no known patterns matched — verify findings independently and treat as one signal among many.
Placement options:
- At the top of every audit's chat output — most visible, but visually noisy if the user runs several audits in a session
- At the bottom of every audit's chat output — less disruptive, may be missed
- Once per session (track in session state, show on first audit run) — minimizes noise, but state-tracking complexity
- Only on fm_audit_posture (the meta-tool admins are most likely to run as their "is my system safe?" check) — narrowest, highest-leverage placement
My recommendation: option 1 — disclaimer at the top, treated as part of the audit's report header. Disclaimer is short enough that visual noise is minimal, and admins benefit from the reminder every time. If chat-noise becomes a complaint, escalate to option 3.
The disclaimer should also probably appear in the tool's description() field so it's visible in the tool catalog and any documentation generated from descriptions.
Scope
- Update the formatter cases for fm_audit_voicemail_pins, fm_audit_extension_secrets, fm_audit_orphan_dids, fm_audit_outbound_international, fm_audit_posture in Frogman.class.php::formatToolResult()
- Update the description() method on each of those tools in Tools/Audit*.php
- Wording to be decided (draft above as a starting point)
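As an added illustration (not Frogman's own code), the sketch below shows the shape of the two changes in scope: the chat formatter prepends the disclaimer as a report-header line only for fm_audit_* results, while the structured result array is returned to non-chat consumers unchanged, and the tool description carries the same text so it appears in the catalog. The tool-result array layout, the isAuditTool() helper, the description function name and the sample findings are all assumptions made for this example.

```php
<?php
// Added example, not Frogman project code. Assumes a tool result is an array
// like ['summary' => '...', 'findings' => [['severity' => ..., 'message' => ...]]].

const AUDIT_DISCLAIMER = "⚠️ This audit is a heuristic pattern check, not a complete "
    . "security review. A clean result means no known patterns matched — verify "
    . "findings independently and treat as one signal among many.";

// Assumed helper: every audit tool shares the fm_audit_ prefix.
function isAuditTool(string $toolName): bool
{
    return str_starts_with($toolName, 'fm_audit_');
}

// Chat rendering only. The $result array itself is never modified, so
// HTTP/GraphQL/MCP/CLI consumers keep receiving the bare structured data.
function formatToolResult(string $toolName, array $result): string
{
    $lines = [];
    if (isAuditTool($toolName)) {
        // Placement option 1 from the issue: disclaimer is part of the report header.
        $lines[] = AUDIT_DISCLAIMER;
        $lines[] = '';
    }
    $lines[] = sprintf('%s: %s', $toolName, $result['summary'] ?? 'no summary');
    foreach ($result['findings'] ?? [] as $finding) {
        $lines[] = sprintf('- [%s] %s',
            $finding['severity'] ?? 'info',
            $finding['message'] ?? '');
    }
    if (isAuditTool($toolName) && empty($result['findings'])) {
        // A clean audit is phrased in terms of the disclaimer, not as "secure".
        $lines[] = '- No known patterns matched (see the note above).';
    }
    return implode("\n", $lines);
}

// Assumed description() body for an audit tool: the disclaimer travels with the
// catalog entry, so documentation generated from descriptions includes it.
function auditPostureDescription(): string
{
    return 'Runs the Tier 1 audits and summarises PBX posture. ' . AUDIT_DISCLAIMER;
}

// Constructed sample results for a dry run of the formatter.
$withFindings = [
    'summary'  => '2 findings',
    'findings' => [
        ['severity' => 'high',   'message' => 'example: extension secret matches a weak pattern'],
        ['severity' => 'medium', 'message' => 'example: voicemail PIN matches a common sequence'],
    ],
];
$clean = ['summary' => '0 findings', 'findings' => []];

echo formatToolResult('fm_audit_posture', $withFindings), "\n\n";
echo formatToolResult('fm_audit_voicemail_pins', $clean), "\n\n";
// A non-audit tool gets no disclaimer, matching the "out of scope" list.
echo formatToolResult('fm_status', ['summary' => 'ok']), "\n\n";
echo auditPostureDescription(), "\n";
```

Keeping the disclaimer in one constant means the wording decision in the last Scope bullet is made in exactly one place, and switching to placement option 3 (posture tool only) later is a one-line change to the condition in the formatter.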
Out of scope (deliberately not in this issue)
- HTTP / GraphQL / MCP / CLI consumers of these tools — they get the structured data and render it themselves; the disclaimer can live in the description() field but doesn't need to be threaded into every consumer's display logic
- Adding a similar disclaimer to non-audit tools
Severity / priority
Enhancement, not a bug. Real but low-urgency — current users may be the only ones running this and they're already calibrated. Worth landing before broader user adoption.
Related
- v1.7.0 release notes (Tier 1 audit tools)
- v1.7.1 release notes (posture meta-tool + chat-formatter hardening)
- feedback_messaging_voice.md (Claude memory, internal) — Mike's preference for "experimental warnings" in public-facing surfaces