From 1bdaefc2686f767412b66df120e823e2556d2252 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 26 Jun 2026 18:04:20 +0200 Subject: [PATCH] =?UTF-8?q?release:=20v5.12.5=20=E2=80=94=20"Dogfood=20den?= =?UTF-8?q?oise"=20(M-BUG-2/6/7/8/10=20scanner=20false-positive=20batch)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Version-sync for the Fase-3 scanner false-positive batch (code already shipped in bfd577a / dd9db60 / 7e94910 / 3cf5c71 / e8afb14): - plugin.json 5.12.4 -> 5.12.5 - README version badge -> 5.12.5, tests badge 1307 -> 1344, new version-history row - CHANGELOG [5.12.5] section (per-bug Fixed entries) Batch theme: five scanners stop counting non-user / non-live config as the user's authored cascade (plugin-bundled config, frozen backups, doc examples, forward-compatible settings keys). checkReadmeBadges: passed:true (tests 1344, scanners 16, commands 21, agents 7, hooks 4 — all match filesystem). Full suite 1344/0. Frozen v5.0.0 + SC-5 + default-output snapshots byte-stable; no re-seed across all five fixes (each affected fixture's findings are genuinely unchanged). Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01EnUvKEqyEa1m9gy6Aqhdqq --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 57 ++++++++++++++++++++++++++++++++++++++ README.md | 5 ++-- 3 files changed, 61 insertions(+), 3 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 589062b..4654ec0 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine", - "version": "5.12.4", + "version": "5.12.5", "author": { "name": "Kjell Tore Guttormsen" }, diff --git a/CHANGELOG.md b/CHANGELOG.md index 28dc95d..dfd4e45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,63 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [5.12.5] - 2026-06-26 + +### Summary +"Dogfood denoise" — a samle-release of the Fase-3 scanner false-positive batch: `M-BUG-2/6/7/8/10`, +all dogfooding finds from running config-audit on the maintainer's real `~/.claude`. The shared theme +is **non-user / non-live config wrongly counted as the user's authored cascade**: installed plugins' +bundled config, frozen backup copies, doc examples, and forward-compatible settings keys all produced +findings the user could neither act on nor was responsible for. No new scanner, command, agent, or hook +(counts stay scanners **16**, agents **7**, commands **21**, hooks **4**); all five fixes are byte-stable +— the frozen v5.0.0 + SC-5 + default-output snapshots are untouched and **no fixture was re-seeded** +(verified per bug: each affected fixture's findings are genuinely unchanged because the snapshot fixtures +contain none of the triggering paths/tokens). **1344** tests (+37). + +### Fixed +- **`conflict-detector` segregates plugin-bundled config (`M-BUG-2`).** CNF compared every discovered + `settings.json`/`hooks.json` pairwise regardless of origin, so it treated installed plugins' bundled + configs — each plugin's own settings/hooks plus its shipped fixtures and examples under + `~/.claude/plugins/` — as the user's cascade. A "conflict" between two plugins' bundled test fixtures + is not user-resolvable, yet these dominated the count (dogfood **339** findings: 315 high-sev + allow/deny, 18 duplicate-hook, 6 settings-key — Conflicts grade F on ~100% plugin noise). Fix: a new + `isPluginBundled` predicate excludes any file whose absolute path is under `.claude/plugins/` from + conflict analysis. Kept **CNF-local, not a discovery-level skip** on purpose — an active plugin's + contributed `hooks.json`/`.mcp.json` legitimately lives in `plugins/cache` and other scanners need it; + only conflict analysis must ignore plugin-bundled files. Same class as `M-BUG-8`. Dogfood **339→0** + (the ~3 genuine user-scope local settings have no actually-conflicting keys). +3 tests (plugin-bundled + exclusion, discovery-side sanity, over-exclusion guard). +- **`file-discovery` skips `backups/` (`M-BUG-8`).** A directory named `backups` holds backup COPIES, not + live config, so walking it during an audit produces stale findings. config-audit's own session backups + (`~/.claude/config-audit/backups//files/.../CLAUDE.md`) were the canonical case: a `~/.claude`-scope + audit walked 36 frozen copies as if live, polluting CPS and HKV/RUL. Fix: add `backups` to `SKIP_DIRS` + (broad, name-based — consistent with `vendor`/`dist`/`.cache`). Dogfood files-under-`/backups/` + **36→0**, 717 live config files retained. +3 tests. +- **token estimator discounts block-level HTML comments (`M-BUG-6`).** CLAUDE.md token estimates counted + block-level `` comments toward always-loaded tokens, but CC strips them before injection + (preserved only inside code fences, per `code.claude.com/docs/en/memory`). Fix: new + `stripInjectedHtmlComments` + `effectiveMemoryBytes` in `active-config-reader`; the CML cascade and + `token-hotspots` now size CLAUDE.md from effective (stripped) bytes while raw byte figures stay honest. + Block-level only — inline comments retained (conservative, verified scope). Dogfood `~/.claude` CLAUDE.md + ~3386→3301 tok (~85 tok). +13 tests. +- **`cache-prefix-stability` ignores code + CC-stable path vars (`M-BUG-7`).** CPS flagged + `${CLAUDE_PLUGIN_ROOT}`/`${CLAUDE_PROJECT_DIR}` (CC-provided stable paths) and `{date}`/timestamp tokens + shown in documentation as cache-busters. Fix: skip fenced code blocks, strip inline-code spans, and + whitelist CC-stable vars before pattern-matching. Suppress-only — frozen v5.0.0 snapshots untouched + (CPS yields `findings:[]` there). Dogfood **5→2** (3 doc false-positives suppressed; 2 remaining are + own volatile test fixtures). +6 tests. +- **`settings-validator` typo-gates unknown keys (`M-BUG-10`).** The CC settings schema is passthrough + (verified against the 2.1.193 binary): it forwards unrecognized keys unchanged rather than rejecting + them, so an arbitrary unknown key is forward-compatible, not an error — the finding's "silently ignored" + claim was factually wrong. The only real risk is a TYPO of a real key (the intended setting then + silently has no effect). Fix: flag an unknown key only when it closely matches a known key (new + `levenshtein` helper; edit distance ≤2, both keys ≥4 chars); severity medium→low; honest passthrough + framing in scanner + humanizer. Also refreshed `KNOWN_KEYS` with 6 binary-verified keys + (`agentPushNotifEnabled`, `remoteControlAtStartup`, `skipAutoPermissionPrompt`, + `skipDangerousModePermissionPrompt`, `skipWorkflowUsageWarning`, `tui`). Dogfood + `~/.claude/settings.json` **6→0** (all 6 were false unknown-key findings; 0 typo flags introduced across + 167 walked files). +12 tests. + ## [5.12.4] - 2026-06-26 ### Summary diff --git a/README.md b/README.md index e6e98e9..fd6db59 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,13 @@ *AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)* -![Version](https://img.shields.io/badge/version-5.12.4-blue) +![Version](https://img.shields.io/badge/version-5.12.5-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Commands](https://img.shields.io/badge/commands-21-green) ![Agents](https://img.shields.io/badge/agents-7-orange) ![Hooks](https://img.shields.io/badge/hooks-4-red) -![Tests](https://img.shields.io/badge/tests-1307-brightgreen) +![Tests](https://img.shields.io/badge/tests-1344-brightgreen) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that checks configuration health, suggests context-aware improvements, and auto-fixes issues — `CLAUDE.md`, `settings.json`, hooks, rules, MCP servers, `@imports`, and plugins. 16 deterministic scanners across 10 quality areas, context-aware feature recommendations, auto-fix with backup/rollback, a prompt-cache-aware Token Hotspots scanner with optional API-calibrated `--accurate-tokens` mode, plus cache-prefix stability, dead-tool, cross-plugin collision, output-style, and always-loaded agent-listing-budget detection. Zero external dependencies. @@ -662,6 +662,7 @@ This plugin is cautious by design — configuration files are important, and a b | Version | Date | Highlights | |---------|------|-----------| +| **5.12.5** | 2026-06-26 | "Dogfood denoise" — a samle-release of the Fase-3 scanner false-positive batch (`M-BUG-2/6/7/8/10`, all dogfooding finds on the maintainer's real machine). Five scanners stop counting non-user / non-live config as the user's: **CNF** (`M-BUG-2`) excludes files under `.claude/plugins/` from conflict analysis (`isPluginBundled`) — installed plugins' bundled settings/hooks/fixtures are not a user-resolvable cascade (dogfood **339→0**, Conflicts was an F on pure plugin noise). **file-discovery** (`M-BUG-8`) adds `backups` to `SKIP_DIRS` — a `backups/` tree holds frozen copies, never live config (dogfood files-under-`/backups/` **36→0**, 717 live retained). **token estimator** (`M-BUG-6`) strips block-level `` HTML comments from CLAUDE.md sizing — CC strips them before injection, so they were never always-loaded tokens (dogfood ~3386→3301, ~85 tok). **CPS** (`M-BUG-7`) skips fenced/inline code and whitelists CC-stable path vars (`${CLAUDE_PLUGIN_ROOT}`/`${CLAUDE_PROJECT_DIR}`) before cache-buster matching (dogfood **5→2**). **SET** (`M-BUG-10`) typo-gates the unknown-settings-key finding — the CC schema is passthrough (verified against the 2.1.193 binary), so an unknown key is forward-compatible, not an error; it now flags only a near-miss of a known key (levenshtein ≤2), severity medium→low, +6 binary-verified `KNOWN_KEYS` (dogfood **6→0**). No count change (scanners **16**, agents **7**, commands **21**, hooks **4**); all five are byte-stable — frozen v5.0.0 + SC-5 + default-output snapshots untouched, no re-seed (each fixture's findings are genuinely unchanged). **1344** tests (+37). | | **5.12.4** | 2026-06-26 | "Rooted rules" — fixes `M-BUG-9` (dogfooding find) in `scanners/rules-validator.mjs`: the RUL "Rule path pattern matches no files" check now resolves a rule's `paths:`/`globs:` pattern against the rule's **own project root** (the dir containing its `.claude/`), not the outer scan root. Previously `countGlobMatches` globbed against the scan target and `collectProjectFiles`' `depth>4` cutoff never reached deep matching files, so a live rule in a **nested repo** (e.g. a marketplace checkout under `~/.claude`) was wrongly flagged "never activates" (high) — a false F-grade for anyone with rules in a nested repo. The fix derives each rule's project root, collects+globs per root (cached), and skips the check for user-global rules (`root === $HOME`), which scope against the active project at runtime. Same scope-conflation family as `M-BUG-1/2`. No count change (scanners **16**, agents **7**, commands **21**); the fix is a no-op when `projectRoot === targetPath` (the common single-repo scan), so frozen v5.0.0 + default-output snapshots stay byte-stable. **1307** tests (+2 TDD: nested-repo false-positive + HOME guard). | | **5.12.3** | 2026-06-26 | "Phantom agents" — fixes `M-BUG-3/4/5` (dogfooding finds) in `scanners/lib/active-config-reader.mjs`: `enumerateAgents` now counts only the agents Claude Code actually **registers**. Per the official subagents doc, an agent needs valid `name`+`description` frontmatter, and CC scans recursively and silently skips frontmatter-less files. The reader previously (`M-BUG-5`) counted every `.md` regardless of frontmatter, (`M-BUG-3`) never recursed into agent subdirs, and (`M-BUG-4`) double-counted when the project dir equals the user dir (scanning `$HOME` — root cause, also affecting rules/output-styles). Real-machine verify: user-agent count **13→0** (all 12 user agents + `REMEMBER.md` are frontmatter-less → CC registers none), HOME `project`-dup **13→0**; corrected always-loaded baseline ≈ **53** (was 66). Agent enumeration is machine-dependent and absent from the frozen snapshots, so the v5.0.0 + SC-5 + default-output snapshots stay byte-stable; no count change (scanners **16**, agents **7**, commands **21**). **1305** tests. | | **5.12.2** | 2026-06-24 | "Honest census" — fixes `M-BUG-1` (dogfooding find): `enumeratePlugins` walked `~/.claude/plugins/marketplaces//plugins/` and ignored both enable-state and the polyrepo cache layout, so it **over-counted phantom agents** from disabled plugins while **missing the entire enabled polyrepo set** (whose plugins live under `cache/`). It now gates on `installed_plugins.json` + `enabledPlugins` and enumerates each plugin from its active `installPath`, with the marketplaces walk as fallback. Fixes `manifest`/`whats-active`/AGT/`token-hotspots` for any user with disabled plugins or a polyrepo marketplace. No count change (scanners **16**, agents **7**, commands **21**); `--json`/`--raw` byte-stable, frozen v5.0.0 + SC-5 + default-output snapshots untouched. Real-machine verify: agent listing 114→104, ghosts gone. **1301** tests. |