config-audit/scanners
Kjell Tore Guttormsen e8afb148d3 fix(acr): conflict-detector segregates plugin-bundled configs (M-BUG-2)
CNF compared every discovered settings.json/hooks.json pairwise regardless of
origin, so it treated installed plugins' bundled configs — each plugin's own
settings.json/hooks.json plus its shipped test fixtures and examples under
~/.claude/plugins/ — as if they were the user's authored cascade. A "conflict"
between two plugins' bundled test fixtures is not something a user can resolve,
yet these dominated the count: 339 CNF findings on this machine (315 high-sev
permission allow/deny "conflicts", 18 duplicate-hook, 6 settings-key), almost all
sourced from plugin-internal fixtures. The Conflicts grade was F on pure noise.
Fix: CNF excludes any file whose path is under `.claude/plugins/` from conflict
analysis (new isPluginBundled predicate; absPath marker). Kept CNF-local rather
than a discovery-level skip on purpose: an active plugin's contributed
hooks.json/.mcp.json legitimately lives in plugins/cache and other scanners need
it — only conflict analysis must ignore plugin-bundled files. Same class as
M-BUG-8 (non-live config trees treated as live). Suite 1344/0 (+3: plugin-bundled
exclusion, discovery-side sanity, over-exclusion guard). Frozen v5.0.0 + SC-5
snapshots untouched (marketplace-medium has no plugins/ paths), no re-seed.
Dogfood ~/.claude CNF 339->0 (F-grade was 100% plugin-bundled noise; the ~3
genuine user-scope local settings have no actual conflicting keys, matching the
plan C5 "real surface ~3 files" prediction).

Follow-up (not in this fix): classifyScope tags plugin-bundled files by checking
basePath instead of the file's own path, so scope:'plugin' is effectively dead
for a ~/.claude-rooted scan. Fixing it would let every scanner trust the scope
field, but that is a discovery-layer change beyond this bug's scope.
2026-06-26 17:24:08 +02:00
..
lib fix(acr): SET typo-gates unknown-key false positives (M-BUG-10) 2026-06-26 15:15:14 +02:00
agent-listing-scanner.mjs feat(scanner): add AGT per-agent description bloat advisory (v5.9 B1-rest) 2026-06-23 16:27:24 +02:00
cache-prefix-scanner.mjs fix(acr): CPS ignores fenced/inline code + CC-stable path vars (M-BUG-7) 2026-06-26 12:45:14 +02:00
campaign-cli.mjs feat(campaign): cross-repo prioritized backlog (v5.7 Fase 2 Block 4b) 2026-06-23 02:44:21 +02:00
campaign-export-cli.mjs feat(campaign): plan export + execution-by-reuse (v5.7 Fase 2 Block 4c) 2026-06-23 10:08:04 +02:00
campaign-write-cli.mjs feat(campaign): refresh-tokens live cross-repo token sweep (v5.9 B2b-2) [skip-docs] 2026-06-23 17:23:15 +02:00
claude-md-linter.mjs feat(skl,cml): --context-window calibration, advisory when unknown (v5.11 B8) [skip-docs] 2026-06-23 21:44:52 +02:00
collision-scanner.mjs feat(config-audit): cross-plugin collision scanner COL (v5 N6) [skip-docs] 2026-05-01 07:46:15 +02:00
conflict-detector.mjs fix(acr): conflict-detector segregates plugin-bundled configs (M-BUG-2) 2026-06-26 17:24:08 +02:00
disabled-in-schema-scanner.mjs feat(dis): flag forbidden-param permission rules CC silently ignores 2026-06-19 14:04:25 +02:00
drift-cli.mjs feat(humanizer): forbidden-words lint runner + test wrapper (SC-3) [skip-docs] 2026-05-01 18:11:15 +02:00
feature-gap-scanner.mjs feat(hooks): additionalContext injection advisory + filter-before lever (v5.10 B5) [skip-docs] 2026-06-23 20:28:33 +02:00
fix-cli.mjs feat(humanizer): forbidden-words lint runner + test wrapper (SC-3) [skip-docs] 2026-05-01 18:11:15 +02:00
fix-engine.mjs fix(hkv,rul): add 3 verified hook events; correct globs-rule wording 2026-06-20 09:56:00 +02:00
hook-validator.mjs feat(hooks): additionalContext injection advisory + filter-before lever (v5.10 B5) [skip-docs] 2026-06-23 20:28:33 +02:00
import-resolver.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
knowledge-refresh-cli.mjs feat(knowledge): knowledge-refresh — living register, deterministic stale core + web poll (v5.7 Chunk 3) 2026-06-21 19:22:57 +02:00
manifest.mjs fix(manifest): classify ~/.claude.json:projects MCP as per-repo delta, not shared [skip-docs] 2026-06-23 17:14:28 +02:00
mcp-config-validator.mjs feat(tokens): MCP tool-schema deferral check + CLI-over-MCP lever (v5.10 B4) 2026-06-23 19:59:14 +02:00
optimization-lens-scanner.mjs feat(opt): optimization lens CA-OPT-001 (procedure→skill) — v5.7 Fase 1 Chunk 2a 2026-06-20 23:10:03 +02:00
optimize-lens-cli.mjs feat(opt): optimization lens Chunk 2b — opus prose-judgment analyzer + /config-audit optimize 2026-06-21 14:01:18 +02:00
output-style-scanner.mjs feat(ost): v5.6 C — output-style scanner (CA-OST, count 13→14) 2026-06-20 21:02:44 +02:00
plugin-health-scanner.mjs feat(plh): flag plugin-agent frontmatter Claude Code ignores (v5.5.0 / E) 2026-06-20 11:11:12 +02:00
posture.mjs feat(skl,cml): --context-window calibration, advisory when unknown (v5.11 B8) [skip-docs] 2026-06-23 21:44:52 +02:00
rollback-engine.mjs feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
rules-validator.mjs fix(acr): RUL resolves rule glob against the rule's own project root, not the scan root (M-BUG-9) 2026-06-26 10:56:39 +02:00
scan-orchestrator.mjs feat(skl,cml): --context-window auto model→window probe (v5.12 B8b) [skip-docs] 2026-06-23 22:29:12 +02:00
self-audit.mjs feat(skill-listing): add SKL scanner for the skill-listing token budget 2026-06-18 17:36:28 +02:00
settings-validator.mjs fix(acr): SET typo-gates unknown-key false positives (M-BUG-10) 2026-06-26 15:15:14 +02:00
skill-listing-scanner.mjs feat(skl,cml): --context-window calibration, advisory when unknown (v5.11 B8) [skip-docs] 2026-06-23 21:44:52 +02:00
token-hotspots-cli.mjs feat(discovery): version-aware cache filtering + --exclude-cache flag (v5.9 B3a) [skip-docs] 2026-06-23 17:57:22 +02:00
token-hotspots.mjs fix(acr): token estimator discounts block-level HTML comments (M-BUG-6) 2026-06-26 14:29:24 +02:00
whats-active.mjs feat(humanizer): wire humanizer into 6 remaining CLIs with --raw 2026-05-01 17:47:09 +02:00