diff --git a/README.md b/README.md index 5621db2..3b22fa5 100644 --- a/README.md +++ b/README.md @@ -54,9 +54,11 @@ Three commands, one pipeline: research first, then plan, then execute. - **`/ultraplan-local`** — Interview, 6-8 specialized agents explore the codebase in parallel, adversarial review by plan-critic and scope-guardian. Accepts research briefs via `--research` - **`/ultraexecute-local`** — Step-by-step implementation with git checkpoints, automatic failure recovery, and parallel session decomposition +Defense-in-depth security: plugin hooks block destructive commands and sensitive path writes, prompt-level denylist works in headless sessions, pre-execution plan scan catches dangerous commands before they run, scoped `--allowedTools` replaces `--dangerously-skip-permissions` in parallel sessions. + Modes: default, spec-driven, research-enriched, foreground, quick, decompose, export -19 specialized agents · 3 commands · No cloud dependency +19 specialized agents · 3 commands · 2 security hooks · No cloud dependency → [Full documentation](plugins/ultraplan-local/README.md) diff --git a/plugins/ultraplan-local/CLAUDE.md b/plugins/ultraplan-local/CLAUDE.md index c6c0772..99f8894 100644 --- a/plugins/ultraplan-local/CLAUDE.md +++ b/plugins/ultraplan-local/CLAUDE.md 
@@ -81,7 +81,9 @@ Flags can be combined: `--local --fg`, `--external --quick`. **Decompose:** Parse plan -> Analyze step dependencies -> Group into sessions -> Identify parallel waves -> Generate session specs + dependency graph + launch script. -**Execute:** Parse plan -> Detect Execution Strategy -> Single-session (step loop) or multi-session (parallel waves via `claude -p`) -> Verification -> Report. +**Execute:** Parse plan -> Security scan (Phase 2.4) -> Detect Execution Strategy -> Single-session (step loop) or multi-session (parallel waves via `claude -p` with scoped `--allowedTools`) -> Verification -> Report. + +**Security:** 4-layer defense-in-depth: plugin hooks (pre-bash-executor, pre-write-executor), prompt-level denylist (works in headless sessions), pre-execution plan scan (Phase 2.4), scoped `--allowedTools` replacing `--dangerously-skip-permissions`. Hard Rules 14-16 enforce verify command security, repo-boundary writes, and sensitive path protection. **Pipeline:** Research briefs feed into planning via `--research`. The planning orchestrator uses brief context to enrich exploration and skip redundant research. diff --git a/plugins/ultraplan-local/README.md b/plugins/ultraplan-local/README.md index c2e1d8f..758f9e0 100644 --- a/plugins/ultraplan-local/README.md +++ b/plugins/ultraplan-local/README.md 
@@ -263,6 +263,15 @@ If no API key is set, parallel sessions use your subscription and proceed withou - **On failure: skip** -- non-critical step, continue - **On failure: escalate** -- stop everything, needs human judgment +### Security hardening + +The executor implements defense-in-depth security across four layers: + +1. **Plugin hooks** — `pre-bash-executor.mjs` blocks 13 categories of destructive commands (rm -rf /, chmod 777, pipe-to-shell, eval injection, disk wipe, shutdown, fork bombs, cron persistence, process killing, history destruction) with bash evasion normalization. `pre-write-executor.mjs` blocks writes to `.git/hooks/`, `.claude/settings.json`, shell configs, `.ssh/`, `.aws/`, and `.env` files +2. **Prompt-level denylist** — Security rules embedded in the executor command and session spec template that work even in headless `claude -p` sessions where hooks don't run +3. **Pre-execution plan scan** — Phase 2.4 scans all `Verify:` and `Checkpoint:` commands against the denylist before execution begins, catching dangerous commands before they reach the executor +4. **Scoped tool access** — Headless child sessions use `--allowedTools "Read,Write,Edit,Bash,Glob,Grep"` instead of `--dangerously-skip-permissions`, blocking Agent spawning, MCP tools, and web access in parallel sessions + ### Headless execution `/ultraexecute-local` is designed for `claude -p` headless sessions: @@ -434,6 +443,11 @@ ultraplan-local/ │ ├── session-spec-template.md # Session spec format for headless execution │ ├── headless-launch-template.md # Launch script template │ └── spec-template.md # Spec file format +├── hooks/ +│ ├── hooks.json # Hook registration (PreToolUse: Bash, Write) +│ └── scripts/ +│ ├── pre-bash-executor.mjs # Blocks destructive commands (13 BLOCK + 8 WARN rules) +│ └── pre-write-executor.mjs # Blocks writes to sensitive paths (8 rules) ├── settings.json # Default plugin configuration ├── CONTRIBUTING.md ├── CHANGELOG.md 
@@ -441,7 +455,7 @@ ultraplan-local/ └── README.md ``` -Pure markdown. No scripts, no dependencies, no platform-specific code. +Pure markdown commands and agents. Hooks are self-contained Node.js with zero dependencies. ## Contributing
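Review bot: In the top-level README hunk, the new "Defense-in-depth security" line presents the prompt-level denylist as a control on par with the hooks, but a denylist that lives in prompt text is advisory: the model can be talked out of it by instructions in a plan or a file it reads. Since the plugin README in this same patch states that hooks do not run in headless `claude -p` sessions, the parallel path is protected only by prompt text, the pre-execution scan and tool scoping. Suggest qualifying the wording, e.g. "prompt-level denylist as a fallback in headless sessions", so a reader does not take it for enforcement.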
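Review bot: In the CLAUDE.md hunk, the **Execute** and **Security** lines should say which of the four layers apply on the multi-session path. The **Security** line lists plugin hooks first, but the plugin README change in this patch says hooks do not run in headless `claude -p` sessions, so the parallel waves run with layers 2-4 only. Suggest extending the **Execute** line to something like "parallel waves via `claude -p` with scoped `--allowedTools`; plugin hooks do not apply to these sessions". Note also that "Hard Rules 14-16" are referenced but neither defined nor touched in this diff, so the claim about what they enforce cannot be checked from the change alone; a pointer to where they live would help.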
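Review bot: In the "Security hardening" hunk of the plugin README, layer 4 overstates what `--allowedTools "Read,Write,Edit,Bash,Glob,Grep"` blocks: an unrestricted `Bash` entry still permits `curl`/`wget` and any destructive command, so "blocking ... web access" is true only of the web tools, not of network access from the shell. Combined with layer 2's statement that hooks do not run in headless sessions, nothing in a child session enforces the command categories of `pre-bash-executor.mjs` or the sensitive-path rules against `Write`/`Edit`, and layer 3 only scans `Verify:` and `Checkpoint:` commands, not commands the session decides to run while implementing a step. Suggest rewording layer 4 to "removing the Agent, MCP and web tools from headless sessions", stating plainly that command-level protection there rests on the prompt denylist, and, if the CLI's per-command tool patterns are acceptable to the project, narrowing `Bash` to the verify and test commands the plan needs. Separately, the layer 1 parenthetical names 10 command categories but the text says "13 categories"; either list all 13 or write "including".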
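Review bot: In the directory-tree hunk, `hooks.json` is documented as registering PreToolUse for `Bash` and `Write` only, yet `Edit` is in the allowed tool list in the security section added above and is a normal way to modify a file; an `Edit` to `.claude/settings.json`, `.git/hooks/*` or `.env` would not pass through `pre-write-executor.mjs`. Suggest matching the write hook on every file-modifying tool (`Write`, `Edit`, and any multi-edit or notebook variants the CLI exposes) and adding a test that each protected path is blocked via each tool. Also keep the counts consistent: the comments say "13 BLOCK + 8 WARN rules" and "8 rules" while the prose in the security section lists 10 command categories and 6 write targets; either align the numbers or point to the scripts as the source of truth.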
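Review bot: In the last hunk, "Hooks are self-contained Node.js with zero dependencies" replaces "no scripts, no dependencies", but a Node runtime is now a dependency and `.mjs` files require an ESM-capable Node. The README should state the minimum supported Node version and what the hooks do when `node` is missing or exits abnormally: whether the command is allowed through (fail open) or rejected (fail closed). For a blocking hook, fail closed is the safer default and worth documenting either way.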