release: v5.5.0 — steering-model I (A+E)
Bundles the two v5.5.0 features already on main: - A (f3aadb5): RUL/CML compaction-durability findings (both LOW) — a large (>50-line) path-scoped rule and a nested CLAUDE.md are not re-injected after compaction. - E (f75ed56): PLH flags plugin-agent hooks/mcpServers/permissionMode frontmatter Claude Code ignores for plugin subagents (permissionMode MEDIUM false-security, rest LOW). Additive — scanner count stays 13, --json/--raw byte-stable. Suite 961 pass. self-audit A/A (config 93, plugin 100), readmeCheck passed, mismatches []. Version synced: plugin.json 5.4.1->5.5.0, README version badge + version-history row, CHANGELOG [5.5.0] section. Foundation (active-config-reader enumeration) + B deferred to v5.6. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
This commit is contained in:
parent
9eba0f6169
commit
dac1db48c5
3 changed files with 31 additions and 2 deletions
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"name": "config-audit",
|
||||
"description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine",
|
||||
"version": "5.4.1",
|
||||
"version": "5.5.0",
|
||||
"author": {
|
||||
"name": "Kjell Tore Guttormsen"
|
||||
},
|
||||
|
|
|
|||
28
CHANGELOG.md
28
CHANGELOG.md
|
|
@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
|
|||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [5.5.0] - 2026-06-20
|
||||
|
||||
### Summary
|
||||
"Steering-model I" — two additive findings on the compaction-durability / dead-config theme,
|
||||
extending the existing RUL, CML, and PLH scanners (scanner count stays **13**; `--json` and `--raw`
|
||||
remain byte-stable). Both are anchored to the live Claude Code docs (`code.claude.com/docs`) per the
|
||||
project's verification duty. The Foundation work (active-config-reader enumeration) and feature B are
|
||||
deferred to v5.6 — A and E are additive to existing scanners and do not consume it.
|
||||
|
||||
### Added
|
||||
- **RUL / CML compaction-durability findings (A)** — per the official "what survives compaction"
|
||||
model (`context-window.md`), only the project-root CLAUDE.md and unscoped rules are re-injected
|
||||
after a context compaction. Two structural findings, both severity **LOW**: a large (>50-line)
|
||||
**path-scoped** rule reloads only on a matching file read and is not re-injected after compaction,
|
||||
so a must-hold rule can silently drop mid-session (RUL); a **nested** (subdirectory) CLAUDE.md is
|
||||
not re-injected after compaction — only the project root is (CML).
|
||||
- **PLH plugin-agent ignored-frontmatter finding (E)** — plugin subagents silently ignore
|
||||
`hooks`/`mcpServers`/`permissionMode` frontmatter (honored only for user/project agents in
|
||||
`.claude/agents/`). Setting them in a plugin agent is dead config: `permissionMode` is **MEDIUM**
|
||||
(it implies a restriction Claude Code does not apply — false security); `hooks`/`mcpServers` are
|
||||
**LOW**. Additive to PLH's agent-frontmatter loop; one humanizer pattern covers the three fields.
|
||||
|
||||
### Known limitations
|
||||
- The lightweight frontmatter parser (`scanners/lib/yaml-parser.mjs`) reads inline `paths: "a, b"`
|
||||
but not YAML block sequences (`paths:\n - a`), so a block-sequence-scoped rule is still seen as
|
||||
unscoped and the RUL durability check (A) does not fire on it. Pre-existing and broader than A;
|
||||
to be fixed in the v5.6 Foundation work.
|
||||
|
||||
## [5.4.1] - 2026-06-20
|
||||
|
||||
### Summary
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
*AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)*
|
||||
|
||||

|
||||

|
||||

|
||||

|
||||

|
||||
|
|
@ -647,6 +647,7 @@ This plugin is cautious by design — configuration files are important, and a b
|
|||
|
||||
| Version | Date | Highlights |
|
||||
|---------|------|-----------|
|
||||
| **5.5.0** | 2026-06-20 | "Steering-model I" — two additive compaction-durability / dead-config findings (count stays **13**, `--json`/`--raw` byte-stable). Per the official "what survives compaction" model: RUL flags a large (>50-line) **path-scoped** rule not re-injected after compaction (LOW); CML flags a **nested** (subdir) CLAUDE.md not re-injected after compaction (LOW). PLH flags a plugin agent setting `hooks`/`mcpServers`/`permissionMode` — Claude Code ignores these for plugin subagents, so it's dead config (`permissionMode` = MEDIUM false-security, `hooks`/`mcpServers` = LOW). Known limitation: the frontmatter parser reads inline `paths:` but not YAML block sequences (deferred to v5.6 Foundation). 961 tests |
|
||||
| **5.4.1** | 2026-06-20 | Scanner-correctness patch (count stays **13**, `--json`/`--raw` byte-stable). HKV: added `Setup`/`UserPromptExpansion`/`PostToolBatch` to the valid-event set (a valid hook using one was wrongly flagged "will never fire"), and **removed** `post-session` (the 2.1.169 `post-session` is a self-hosted-runner workspace-lifecycle hook, **not** a settings.json event — absent from `hooks.md`; verified 2026-06-20). RUL: globs-rule wording corrected — only `paths:` is documented, so the finding drops the unverified "deprecated/legacy" claim and steers to the documented field. PLH: optional `model`/`tools`/`name`/`allowed-tools` frontmatter no longer required; CLAUDE.md component-section required only for components the plugin actually ships. 954 tests |
|
||||
| **5.4.0** | 2026-06-19 | Plugin-hygiene & settings-validation hardening. Three additive findings extend existing PLH and SET scanners (count stays **13**): PLH plugin-folder shadowing (`CA-PLH-015` — a `plugin.json` component-path key in the *replaces* set `commands`/`agents`/`outputStyles` pointing at a custom path while the default folder still exists) mirroring CC's `/doctor` & `claude plugin list` warning; PLH `skills:`-array validation (`CA-PLH-016` — each entry must resolve to a directory in the plugin root; flags `non-string`/`escapes-root`/`not-found`/`not-a-directory`) mirroring `claude plugin validate`; SET `autoMode` structure (only `environment`/`allow`/`soft_deny`/`hard_deny` string arrays) + dead-config (`autoMode` in shared `.claude/settings.json` is not read by CC). `--json`/`--raw` byte-stable. 949 tests |
|
||||
| **5.3.0** | 2026-06-19 | Permission-rule & plugin-hygiene hardening. Five additive scanner findings extend existing scanners (count stays **13**): DIS forbidden-param rules (`Tool(param:value)` on a canonicalizing field — deny/ask = false security, allow = dead config) and ineffective allow-wildcards + `Tool(*)` deny-all; CML context-window-scaled 40.0k-char CLAUDE.md budget mirroring CC's startup warning; PLH plugin namespace collision (two plugins declaring the same `name`); feature-gap `disableBundledSkills` lever under skill-listing pressure. PLH cross-plugin command-name overlap reframed HIGH → LOW (namespacing keeps both reachable). `--json`/`--raw` byte-stable. 936 tests |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue