release: v5.3.0 — permission-rule & plugin-hygiene hardening (DIS/CML/PLH)
Five additive scanner findings extend existing scanners (count stays 13): DIS forbidden-param rules (Tool(param:value) on a canonicalizing field — deny/ask = false security, allow = dead config) and ineffective allow-wildcards + Tool(*) deny-all; CML context-window-scaled 40.0k-char CLAUDE.md budget mirroring CC's startup warning; PLH plugin namespace collision (two plugins declaring the same name). PLH cross-plugin command-name overlap reframed HIGH → LOW (namespacing keeps both reachable). feature-gap recommends disableBundledSkills under skill-listing pressure. Version sync: plugin.json 5.2.0→5.3.0, README version badge + What's New + version-history row + TOC anchor (tests badge already 936+, scanner count stays 13), CHANGELOG [5.3.0] entry, 3 knowledge-backing entries. 936/936 tests; self-audit configGrade A 97, pluginGrade A 100, readmeCheck.passed:true; gitleaks clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
This commit is contained in:
parent
891f9506bf
commit
fe686b6594
5 changed files with 118 additions and 13 deletions
38
README.md
38
README.md
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
*AI-generated: all code produced by Claude Code through dialog-driven development. [Full disclosure →](../../README.md#ai-generated-code-disclosure)*
|
||||
|
||||

|
||||

|
||||

|
||||

|
||||

|
||||
|
|
@ -21,7 +21,7 @@ A Claude Code plugin that checks configuration health, suggests context-aware im
|
|||
|
||||
## Table of Contents
|
||||
|
||||
- [What's New in v5.2.0](#whats-new-in-v520)
|
||||
- [What's New in v5.3.0](#whats-new-in-v530)
|
||||
- [What Is This?](#what-is-this)
|
||||
- [The Configuration Problem](#the-configuration-problem)
|
||||
- [Quick Start](#quick-start)
|
||||
|
|
@ -45,16 +45,31 @@ A Claude Code plugin that checks configuration health, suggests context-aware im
|
|||
|
||||
---
|
||||
|
||||
## What's New in v5.2.0
|
||||
## What's New in v5.3.0
|
||||
|
||||
**Claude Code 2.1.114→181 compatibility + skill-listing budget.** A new orchestrated
|
||||
scanner, **SKL**, checks the model's skill-listing token budget: `CA-SKL-001` flags any
|
||||
active skill description over the 1,536-char listing cap (silently truncated by CC 2.1.105),
|
||||
and `CA-SKL-002` flags when the summed descriptions exceed the listing budget (~2% of context).
|
||||
Five validators were refreshed for the settings and hook surface that shipped across
|
||||
CC 2.1.114–181 (new settings keys, `xhigh` effort, `MessageDisplay` + post-session hook
|
||||
events), and an adversarial gap-review eliminated a batch of false positives in the MCP and
|
||||
permissions scanners. → **13 orchestrated deterministic scanners** (+ standalone plugin-health).
|
||||
**Permission-rule & plugin-hygiene hardening.** Five additive scanner findings extend the
|
||||
permission, CLAUDE.md, and plugin surfaces — no new scanner, so the count stays **13**:
|
||||
|
||||
- **DIS forbidden-param rules** — flags `Tool(param:value)` whose key is the tool's own
|
||||
canonicalizing field (`command`/`file_path`/`path`/`notebook_path`/`url`), which Claude Code
|
||||
silently ignores with a startup warning. Severity by intent: deny/ask = false security
|
||||
(medium), allow = dead config (low). Valid forms (`Bash(npm:*)`, `WebFetch(domain:host)`,
|
||||
`Agent(model:opus)`) are never flagged.
|
||||
- **DIS ineffective allow-wildcards** — unanchored tool-name globs in `permissions.allow`
|
||||
(`*`, `B*`, `mcp__*`) that CC silently skips, plus `Tool(*)` treated as deny-all
|
||||
(`Bash(*)` ≡ `Bash`) so a bare allow killed by it is reported as dead config.
|
||||
- **CML context-window-scaled char budget** — mirrors CC's own *"Large CLAUDE.md will impact
|
||||
performance (X chars > 40.0k)"* startup warning; anchors on the conservative 200k window and
|
||||
discloses the relaxed ~200,000-char figure at 1M context. Char-keyed, complementary to the
|
||||
existing line checks.
|
||||
- **PLH plugin namespace collision** — flags two or more plugins declaring the same `name` in
|
||||
`plugin.json`; their namespaces collapse and Claude Code silently drops the loser's components.
|
||||
- **feature-gap `disableBundledSkills` lever** — recommends disabling bundled skills when the
|
||||
active skill listing is over budget (remediation companion to `CA-SKL-002`).
|
||||
|
||||
The cross-plugin command-name finding is reframed from a HIGH conflict to a **LOW ambiguity** to
|
||||
match Claude Code's namespacing (`/name:command` keeps both commands reachable). `--json` and
|
||||
`--raw` output remain byte-stable.
|
||||
|
||||
---
|
||||
|
||||
|
|
@ -603,6 +618,7 @@ This plugin is cautious by design — configuration files are important, and a b
|
|||
|
||||
| Version | Date | Highlights |
|
||||
|---------|------|-----------|
|
||||
| **5.3.0** | 2026-06-19 | Permission-rule & plugin-hygiene hardening. Five additive scanner findings extend existing scanners (count stays **13**): DIS forbidden-param rules (`Tool(param:value)` on a canonicalizing field — deny/ask = false security, allow = dead config) and ineffective allow-wildcards + `Tool(*)` deny-all; CML context-window-scaled 40.0k-char CLAUDE.md budget mirroring CC's startup warning; PLH plugin namespace collision (two plugins declaring the same `name`); feature-gap `disableBundledSkills` lever under skill-listing pressure. PLH cross-plugin command-name overlap reframed HIGH → LOW (namespacing keeps both reachable). `--json`/`--raw` byte-stable. 936 tests |
|
||||
| **5.2.0** | 2026-06-18 | CC 2.1.114→181 compatibility + skill-listing budget. New orchestrated scanner **SKL** (`CA-SKL-001` 1,536-char listing cap, `CA-SKL-002` listing-budget sum) → 13 orchestrated scanners. Five validators refreshed for CC 2.1.114–181 settings/hook surface (`xhigh` effort, `MessageDisplay` + post-session events, 28 hook events). False positives eliminated in MCP (auto-injected/POSIX env vars, invented `trust` field) and permissions (param-aware DIS/CNF). Hermetic HOME isolation across all CLI-spawning tests. 875 tests |
|
||||
| **5.1.0** | 2026-05-01 | Plain-language UX humanizer. Default output of all 18 commands now leads with prose; findings grouped by user-impact category (Configuration mistake, Conflict, Wasted tokens, Missed opportunity, Dead config) and led by urgency phrase (Fix this now → FYI). New `--raw` flag preserves v5.0.0 verbatim output for tooling that scrapes stderr; `--json` is unchanged and byte-stable. New scanner-lib modules: `humanizer.mjs`, `humanizer-data.mjs` with TRANSLATIONS for 13 scanner prefixes. Self-audit terminal output also humanized. 792 tests (+157 humanizer-tester) |
|
||||
| **5.0.0** | 2026-05-01 | Reality-based token-optimization. 3 new scanners (CPS cache-prefix, DIS dead tools, COL plugin collisions) → 12 deterministic scanners. New `/config-audit manifest` and `--accurate-tokens` API calibration. Severity-weighted scoring (`scoringVersion: 'v5'`). MCP token estimates 15 → 500+. Plugin Hygiene as 10th quality area. Knowledge: cache-stability replaces 200-line rule, cache-telemetry recipe. **Breaking:** F2 token magnitude jump, F3 severity weighting, F5 Pattern D removed, N1 `CA-TOK-*` glob now matches CA-TOK-005. 635 tests |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue