release: v5.5.0 — steering-model I (A+E)

Bundles the two v5.5.0 features already on main:
- A (f3aadb5): RUL/CML compaction-durability findings (both LOW) — a
  large (>50-line) path-scoped rule and a nested CLAUDE.md are not
  re-injected after compaction.
- E (f75ed56): PLH flags plugin-agent hooks/mcpServers/permissionMode
  frontmatter Claude Code ignores for plugin subagents (permissionMode
  MEDIUM false-security, rest LOW).

Additive — scanner count stays 13, --json/--raw byte-stable. Suite 961
pass. self-audit A/A (config 93, plugin 100), readmeCheck passed,
mismatches []. Version synced: plugin.json 5.4.1->5.5.0, README
version badge + version-history row, CHANGELOG [5.5.0] section.

Foundation (active-config-reader enumeration) + B deferred to v5.6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
This commit is contained in:
Kjell Tore Guttormsen 2026-06-20 11:34:51 +02:00
commit dac1db48c5
3 changed files with 31 additions and 2 deletions

View file

@ -1,7 +1,7 @@
{
"name": "config-audit",
"description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine",
"version": "5.4.1",
"version": "5.5.0",
"author": {
"name": "Kjell Tore Guttormsen"
},

View file

@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [5.5.0] - 2026-06-20
### Summary
"Steering-model I" — two additive findings on the compaction-durability / dead-config theme,
extending the existing RUL, CML, and PLH scanners (scanner count stays **13**; `--json` and `--raw`
remain byte-stable). Both are anchored to the live Claude Code docs (`code.claude.com/docs`) per the
project's verification duty. The Foundation work (active-config-reader enumeration) and feature B are
deferred to v5.6 — A and E are additive to existing scanners and do not consume it.
### Added
- **RUL / CML compaction-durability findings (A)** — per the official "what survives compaction"
model (`context-window.md`), only the project-root CLAUDE.md and unscoped rules are re-injected
after a context compaction. Two structural findings, both severity **LOW**: a large (>50-line)
**path-scoped** rule reloads only on a matching file read and is not re-injected after compaction,
so a must-hold rule can silently drop mid-session (RUL); a **nested** (subdirectory) CLAUDE.md is
not re-injected after compaction — only the project root is (CML).
- **PLH plugin-agent ignored-frontmatter finding (E)** — plugin subagents silently ignore
`hooks`/`mcpServers`/`permissionMode` frontmatter (honored only for user/project agents in
`.claude/agents/`). Setting them in a plugin agent is dead config: `permissionMode` is **MEDIUM**
(it implies a restriction Claude Code does not apply — false security); `hooks`/`mcpServers` are
**LOW**. Additive to PLH's agent-frontmatter loop; one humanizer pattern covers the three fields.
### Known limitations
- The lightweight frontmatter parser (`scanners/lib/yaml-parser.mjs`) reads inline `paths: "a, b"`
but not YAML block sequences (`paths:\n - a`), so a block-sequence-scoped rule is still seen as
unscoped and the RUL durability check (A) does not fire on it. Pre-existing and broader than A;
to be fixed in the v5.6 Foundation work.
## [5.4.1] - 2026-06-20
### Summary

View file

@ -6,7 +6,7 @@
*AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)*
![Version](https://img.shields.io/badge/version-5.4.1-blue)
![Version](https://img.shields.io/badge/version-5.5.0-blue)
![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple)
![Scanners](https://img.shields.io/badge/scanners-13-cyan)
![Commands](https://img.shields.io/badge/commands-18-green)
@ -647,6 +647,7 @@ This plugin is cautious by design — configuration files are important, and a b
| Version | Date | Highlights |
|---------|------|-----------|
| **5.5.0** | 2026-06-20 | "Steering-model I" — two additive compaction-durability / dead-config findings (count stays **13**, `--json`/`--raw` byte-stable). Per the official "what survives compaction" model: RUL flags a large (>50-line) **path-scoped** rule not re-injected after compaction (LOW); CML flags a **nested** (subdir) CLAUDE.md not re-injected after compaction (LOW). PLH flags a plugin agent setting `hooks`/`mcpServers`/`permissionMode` — Claude Code ignores these for plugin subagents, so it's dead config (`permissionMode` = MEDIUM false-security, `hooks`/`mcpServers` = LOW). Known limitation: the frontmatter parser reads inline `paths:` but not YAML block sequences (deferred to v5.6 Foundation). 961 tests |
| **5.4.1** | 2026-06-20 | Scanner-correctness patch (count stays **13**, `--json`/`--raw` byte-stable). HKV: added `Setup`/`UserPromptExpansion`/`PostToolBatch` to the valid-event set (a valid hook using one was wrongly flagged "will never fire"), and **removed** `post-session` (the 2.1.169 `post-session` is a self-hosted-runner workspace-lifecycle hook, **not** a settings.json event — absent from `hooks.md`; verified 2026-06-20). RUL: globs-rule wording corrected — only `paths:` is documented, so the finding drops the unverified "deprecated/legacy" claim and steers to the documented field. PLH: optional `model`/`tools`/`name`/`allowed-tools` frontmatter no longer required; CLAUDE.md component-section required only for components the plugin actually ships. 954 tests |
| **5.4.0** | 2026-06-19 | Plugin-hygiene & settings-validation hardening. Three additive findings extend existing PLH and SET scanners (count stays **13**): PLH plugin-folder shadowing (`CA-PLH-015` — a `plugin.json` component-path key in the *replaces* set `commands`/`agents`/`outputStyles` pointing at a custom path while the default folder still exists) mirroring CC's `/doctor` & `claude plugin list` warning; PLH `skills:`-array validation (`CA-PLH-016` — each entry must resolve to a directory in the plugin root; flags `non-string`/`escapes-root`/`not-found`/`not-a-directory`) mirroring `claude plugin validate`; SET `autoMode` structure (only `environment`/`allow`/`soft_deny`/`hard_deny` string arrays) + dead-config (`autoMode` in shared `.claude/settings.json` is not read by CC). `--json`/`--raw` byte-stable. 949 tests |
| **5.3.0** | 2026-06-19 | Permission-rule & plugin-hygiene hardening. Five additive scanner findings extend existing scanners (count stays **13**): DIS forbidden-param rules (`Tool(param:value)` on a canonicalizing field — deny/ask = false security, allow = dead config) and ineffective allow-wildcards + `Tool(*)` deny-all; CML context-window-scaled 40.0k-char CLAUDE.md budget mirroring CC's startup warning; PLH plugin namespace collision (two plugins declaring the same `name`); feature-gap `disableBundledSkills` lever under skill-listing pressure. PLH cross-plugin command-name overlap reframed HIGH → LOW (namespacing keeps both reachable). `--json`/`--raw` byte-stable. 936 tests |