config-audit/scanners
Kjell Tore Guttormsen 76d5eda101 feat(plh): validate plugin.json skills:-array entries (CA-PLH-016)
PLH now validates each entry of a plugin.json `skills` field (string|array):
every entry must resolve to an existing directory inside the plugin root.
One finding per bad entry (medium, plugin-hygiene), problem ∈ {non-string,
escapes-root, not-found, not-a-directory}. Mirrors `claude plugin validate`.
String|array normalized so a non-string top-level value is caught too.

Verifiseringsplikt: the plan's "CC suggests the parent directory" error text
is NOT in the primary docs — dropped. Only the four primary-source-verified
conditions are asserted (escape backed by the path-traversal rule).

Tests +3 (941->944). Scanner count unchanged (13). --json/--raw byte-stable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-19 21:56:57 +02:00
..
lib feat(plh): validate plugin.json skills:-array entries (CA-PLH-016) 2026-06-19 21:56:57 +02:00
cache-prefix-scanner.mjs fix(tokens): refresh stale "Opus 4.7" framing to model-neutral + Opus 4.8 anchor 2026-06-18 15:27:36 +02:00
claude-md-linter.mjs feat(cml): context-window-scaled CLAUDE.md char budget (mirrors CC 40.0k warning) 2026-06-19 13:34:40 +02:00
collision-scanner.mjs feat(config-audit): cross-plugin collision scanner COL (v5 N6) [skip-docs] 2026-05-01 07:46:15 +02:00
conflict-detector.mjs fix(permissions): param-aware DIS dead-allow + CNF conflict matching 2026-06-18 13:06:20 +02:00
disabled-in-schema-scanner.mjs feat(dis): flag forbidden-param permission rules CC silently ignores 2026-06-19 14:04:25 +02:00
drift-cli.mjs feat(humanizer): forbidden-words lint runner + test wrapper (SC-3) [skip-docs] 2026-05-01 18:11:15 +02:00
feature-gap-scanner.mjs feat(feature-gap): recommend disableBundledSkills under skill-listing pressure 2026-06-18 21:38:19 +02:00
fix-cli.mjs feat(humanizer): forbidden-words lint runner + test wrapper (SC-3) [skip-docs] 2026-05-01 18:11:15 +02:00
fix-engine.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
hook-validator.mjs test(fix-cli): close missed HOME-leak — isolate spawns + lock SKL/COL out 2026-06-18 18:50:20 +02:00
import-resolver.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
manifest.mjs feat(humanizer): wire humanizer into 6 remaining CLIs with --raw 2026-05-01 17:47:09 +02:00
mcp-config-validator.mjs fix(mcp-config-validator): remove invented trust field (verify-first) 2026-06-18 14:22:56 +02:00
plugin-health-scanner.mjs feat(plh): validate plugin.json skills:-array entries (CA-PLH-016) 2026-06-19 21:56:57 +02:00
posture.mjs feat(humanizer): forbidden-words lint runner + test wrapper (SC-3) [skip-docs] 2026-05-01 18:11:15 +02:00
rollback-engine.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
rules-validator.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
scan-orchestrator.mjs feat(skill-listing): add SKL scanner for the skill-listing token budget 2026-06-18 17:36:28 +02:00
self-audit.mjs feat(skill-listing): add SKL scanner for the skill-listing token budget 2026-06-18 17:36:28 +02:00
settings-validator.mjs feat(skill-listing): add SKL scanner for the skill-listing token budget 2026-06-18 17:36:28 +02:00
skill-listing-scanner.mjs refactor(skl): extract skill-listing budget to shared lib (single source of truth) 2026-06-18 21:23:01 +02:00
token-hotspots-cli.mjs fix(tokens): refresh stale "Opus 4.7" framing to model-neutral + Opus 4.8 anchor 2026-06-18 15:27:36 +02:00
token-hotspots.mjs fix(tokens): refresh stale "Opus 4.7" framing to model-neutral + Opus 4.8 anchor 2026-06-18 15:27:36 +02:00
whats-active.mjs feat(humanizer): wire humanizer into 6 remaining CLIs with --raw 2026-05-01 17:47:09 +02:00