feat(ultraplan-local): defense-in-depth security hardening for executor

Four-layer security model for ultraexecute-local and headless sessions:

Layer 1 — Plugin hooks: pre-bash-executor.mjs (13 BLOCK + 8 WARN rules
with bash evasion normalization) and pre-write-executor.mjs (8 path guard
rules blocking .git/hooks, .claude/settings, shell configs, .env, SSH/AWS).

Layer 2 — Prompt-level security rules: denylist in ultraexecute-local.md
Sub-step D and session-spec-template.md Security Constraints section.
These are the only rules that work in headless child sessions.

Layer 3 — Pre-execution plan validation: new Phase 2.4 scans all Verify
and Checkpoint commands against denylist before execution begins.

Layer 4 — Replace --dangerously-skip-permissions with scoped
--allowedTools "Read,Write,Edit,Bash,Glob,Grep" --permission-mode
bypassPermissions in ultraexecute-local.md, headless-launch-template.md,
and session-decomposer.md. Blocks Agent, MCP, WebSearch in child sessions.

Also adds Hard Rules 14-16: verify command security check, no writing
outside repository root, no writing to security-sensitive paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kjell Tore Guttormsen 2026-04-08 18:33:15 +02:00
commit aa21e59ac2
7 changed files with 539 additions and 6 deletions

@ -185,8 +185,9 @@ The script must:
**Important script conventions:**
- Use `#!/usr/bin/env bash` shebang
- Use `set -euo pipefail`
- Each `claude -p` invocation must use `--dangerously-skip-permissions`. Prepend
`unset ANTHROPIC_API_KEY` before each invocation to prevent accidental API billing
- Each `claude -p` invocation must use `--allowedTools "Read,Write,Edit,Bash,Glob,Grep"`
and `--permission-mode bypassPermissions`. Prepend `unset ANTHROPIC_API_KEY`
before each invocation to prevent accidental API billing
- Background processes use `&` and are collected with `wait`
- PID tracking for wait targets
- Exit codes propagated correctly
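
Review bot: The rewritten `claude -p` bullet pairs `--allowedTools "Read,Write,Edit,Bash,Glob,Grep"` with `--permission-mode bypassPermissions` without saying which of the two is expected to restrict the child session, and `Bash` stays in the list, so shell commands still run with no prompt. Please add a sentence to this convention stating that the allow-list is the intended boundary, that it has been confirmed to hold while permission checks are bypassed, and that Bash commands are limited only by the Security Constraints section of the session spec, so a script author does not read the flag change as a sandbox. Style point: the two continuation lines of the new bullet are not indented under the list item, which can render as separate paragraphs in Markdown; indent them to match the list.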