open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

chore(voyage): release v4.3.0 — finalize version-sync + docs (3 re-review findings deferred to v4.3.1)

Browse source 
Bumps .claude-plugin/plugin.json 4.2.0 -> 4.3.0 (package.json, package-lock.json,
and the README badge were already at 4.3.0). Updates the v4.3.0 CHANGELOG entry with
the verified test count (711 pass / 0 fail / 2 skipped, 713 total), a "Re-review
remediation (Sesjon 13-18)" note covering the 11-finding cycle Waves 1-3 closed, and
a "Known issues — deferred to v4.3.1" subsection listing the 3 new findings the Sesjon
18 re-review surfaced in the remediation code (87069b35 SECURITY_INJECTION defense-in-
depth, 4cc3bfc9 PLAN_EXECUTE_DRIFT, c6c64a58 MISSING_TEST). Updates root CLAUDE.md
(voyage v4.0.0 -> v4.3.0, seven-command + playground), root README + plugin README
(test count, Known-limitations note, fixes the stale "trekplan@" install snippet ->
"voyage@"), root marketplace.json (voyage description), and plugin CLAUDE.md (Playground
paragraph). A plan-critic-reviewed Wave-4 remediation plan for the 3 deferred findings
is ready (.claude/plans/, gitignored).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-05-11 21:08:48 +02:00
commit 0f197f6ff6
7 changed files with 23 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

2
plugins/voyage/CLAUDE.md
View file

@ -235,7 +235,7 @@ Local Docker Compose stack: `examples/observability/`. Operator docs: `docs/obse
**Revise (v4.2):** `/trekrevise --project <dir>` consumes a batch exported from `playground/voyage-playground.html` and folds operator annotations back into the source artifact (`brief.md` / `plan.md` / `review.md`). Phase 1 parse + validate, Phase 2 read source + rollback hygiene (`*.local.bak` via `lib/util/revision-guard.mjs`), Phase 3 parse anchors + validate placement (`lib/parsers/anchor-parser.mjs` — block-boundary discipline), Phase 4 compute revision diff + deterministic SHA-256 digest (`lib/parsers/annotation-digest.mjs`), Phase 5 atomic apply via `lib/util/markdown-write.mjs`, Phase 6 round-trip integrity (`stripAnchors`-of-written equals pre-write body), Phase 7 optional review-gate when target is plan and review.md exists, Phase 8 stats + report. Single-iteration MVP — each batch produces one `revision:` increment with `source_annotations:` audit trail. **Handover 8** (`docs/HANDOVER-CONTRACTS.md`) — additive frontmatter; no `*_version` bump; artifacts written before v4.2 validate as `revision: 0`.
**Playground (v4.3):** `playground/voyage-playground.html` is the operator-facing surface for browsing voyage projects and editing annotations. v4.3 rebuilds the v4.2 playground from the ground up — dashboard-centric layout (`fleet-grid` of `fleet-tile` per artifact), file://-loader with three entry points (`webkitdirectory` directory-picker / drag-drop with `webkitGetAsEntry` recursive walk / URL-parameter `?project=/abs/path`), block-boundary anchor placement matching browser-side `parseAnchor` to Node-side `lib/parsers/anchor-parser.mjs` regex, hidden-by-default sidebar-rail with J/K keyboard navigation, two-opacity pattern (active 100% / inactive 40% / resolved 30% strikethrough), A11Y panel built from DS-primitives, screenshots-spor convention via `window.__voyage` hooks (`navigate` / `scheduleRender` / `getProjectArtifacts`) + `docs/screenshots/`. Path-traversal + symlink/dotfile filter (`isProjectPathSafe`) blocks `..` / `node_modules/` / `dist/` / `build/` / hidden-paths with `aria-live` announces. DOMPurify ≥ 3.1.1 vendored for `sanitizeAnnotation`; HTML-comment indirect prompt-injection mitigation via `parseAnchor`-allowlist gate before `md.render`. Total bundle 388 KB / 460 KB HALT-gate. Test pyramid Groups A-D — Group A 17 static-HTML tests (SC1 10-element checklist + SC3 + SC6 + SC7 tag-level no-CDN), Group B 9 DS-token + theme-toggle + sidebar-tab + keyboard-pattern tests, Group C 7 export-bundle schema + `annotation_digest` SHA-256 validity tests, Group D 4 Playwright e2e (light/dark axe-core delta-baseline + pixel-diff smoke + zero-external-network authoritative gate). See `playground/README.md` + `docs/sc1-checklist-verification.md`.
**Playground (v4.3):** `playground/voyage-playground.html` is the operator-facing surface for browsing voyage projects and editing annotations. v4.3 rebuilds the v4.2 playground from the ground up — dashboard-centric layout (`fleet-grid` of `fleet-tile` per artifact), file://-loader with three entry points (`webkitdirectory` directory-picker / drag-drop with `webkitGetAsEntry` recursive walk / URL-parameter `?project=/abs/path`), block-boundary anchor placement matching browser-side `parseAnchor` to Node-side `lib/parsers/anchor-parser.mjs` regex, hidden-by-default sidebar-rail with J/K keyboard navigation, two-opacity pattern (active 100% / inactive 40% / resolved 30% strikethrough), A11Y panel built from DS-primitives, screenshots-spor convention via `window.__voyage` hooks (`navigate` / `scheduleRender` / `getProjectArtifacts`) + `docs/screenshots/`. Path-traversal + symlink/dotfile filter (`isProjectPathSafe`) blocks `..` / `node_modules/` / `dist/` / `build/` / hidden-paths with `aria-live` announces. DOMPurify ≥ 3.1.1 vendored for `sanitizeAnnotation`; HTML-comment indirect prompt-injection mitigation via `parseAnchor`-allowlist gate before `md.render`. Total bundle 388 KB / 460 KB HALT-gate. Test pyramid Groups A-D — Group A 17 static-HTML tests (SC1 10-element checklist + SC3 + SC6 + SC7 tag-level no-CDN), Group B 9 DS-token + theme-toggle + sidebar-tab + keyboard-pattern tests, Group C 7 export-bundle schema + `annotation_digest` SHA-256 validity tests, Group D 5 Playwright e2e specs (light/dark axe-core absolute zero-violation + pixel-diff smoke + inline-gallery + zero-external-network authoritative gate). See `playground/README.md` + `docs/sc1-checklist-verification.md`. A Sesjon 1318 independent-review remediation cycle closed all 11 findings from the first `/trekreview` (DOMPurify on the artifact body, inline `renderScreenshotGallery`, absolute-zero-violation a11y spec, Phase 9 `plan_critic` injection, fleet-grid CSS parity). **v4.3.0 ships with 3 new re-review findings deferred to v4.3.1:** `87069b35` (`renderScreenshotGallery` interpolates `screenshots[].dataUrl` raw into an `<img src>` — defense-in-depth only, *not* exploitable from the operator file-load path, only via the `window.__voyage.scheduleRender` hook), `4cc3bfc9` (backtick template-literal ES-import specifier at `commands/trekplan.md:745` Phase 9 — SyntaxError; documented fallback keeps `plan.md` valid, just without `plan_critic`), `c6c64a58` (no test for the gallery `dataUrl` injection path). A plan-critic-reviewed Wave-4 remediation plan is ready; see [CHANGELOG.md](CHANGELOG.md) § "Known issues — deferred to v4.3.1".
**Security:** 4-layer defense-in-depth: plugin hooks (pre-bash-executor, pre-write-executor), prompt-level denylist (works in headless sessions), pre-execution plan scan (Phase 2.4), scoped `--allowedTools` replacing `--dangerously-skip-permissions`. Hard Rules 14-16 enforce verify command security, repo-boundary writes, and sensitive path protection.