feat(ultraplan-local): defense-in-depth security hardening for executor

Four-layer security model for ultraexecute-local and headless sessions:

Layer 1 — Plugin hooks: pre-bash-executor.mjs (13 BLOCK + 8 WARN rules
with bash evasion normalization) and pre-write-executor.mjs (8 path guard
rules blocking .git/hooks, .claude/settings, shell configs, .env, SSH/AWS).

Layer 2 — Prompt-level security rules: denylist in ultraexecute-local.md
Sub-step D and session-spec-template.md Security Constraints section.
These are the only rules that work in headless child sessions.

Layer 3 — Pre-execution plan validation: new Phase 2.4 scans all Verify
and Checkpoint commands against denylist before execution begins.

Layer 4 — Replace --dangerously-skip-permissions with scoped
--allowedTools "Read,Write,Edit,Bash,Glob,Grep" --permission-mode
bypassPermissions in ultraexecute-local.md, headless-launch-template.md,
and session-decomposer.md. Blocks Agent, MCP, WebSearch in child sessions.

Also adds Hard Rules 14-16: verify command security check, no writing
outside repository root, no writing to security-sensitive paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/ultraplan-local/commands/ultraexecute-local.md

@@ -115,6 +115,82 @@ Steps: {N}
 {if warnings}: Warnings: {list}
 ```
 
+## Phase 2.4 — Pre-execution security scan
+
+**Runs for all modes except dry-run** (dry-run has its own report format).
+
+Scan every `Verify:` and `Checkpoint:` command in the parsed plan against the
+executor security denylist. This catches dangerous commands before execution begins.
+
+### Extract commands
+
+For each step in the plan, extract the command string from:
+- `Verify:` field (the shell command after the backtick-quoted command)
+- `Checkpoint:` field (the git commit command)
+
+Also extract Exit Condition commands if present.
+
+### Check against denylist
+
+For each extracted command, check against these patterns:
+
+**BLOCK patterns (stop execution immediately):**
+
+| Pattern | Threat |
+|---------|--------|
+| `rm` with both `-r` and `-f` flags (any order) | Recursive force delete |
+| `chmod 777` or `chmod -R 777` | World-writable permissions |
+| `curl`/`wget` piped to `bash`/`sh`/`zsh` | Remote code execution |
+| `eval` with `$`, backtick, or `$(` | Code injection via eval |
+| `mkfs` or `dd` writing to `/dev/sd*`, `/dev/nvme*`, `/dev/hd*` | Disk destruction |
+| `shutdown`, `reboot`, `halt`, `poweroff` | System shutdown |
+| `:(){ :\|:& };:` pattern | Fork bomb |
+| `base64` piped to `bash`/`sh` | Obfuscated code execution |
+| `crontab -e` or writing to `/etc/cron*` | Persistence via cron |
+| `kill -9 -1` or `pkill -9 -1` | Kill all user processes |
+| `history -c` or truncating `~/.bash_history` | Evidence destruction |
+
+**WARN patterns (report but continue):**
+
+| Pattern | Concern |
+|---------|---------|
+| `npm install --save`, `pip install`, `cargo add` | Dependency changes during execution |
+| `git push --force` | History rewrite |
+| `git reset --hard` | Discard uncommitted changes |
+
+### Scan output
+
+For each match:
+```
+Security scan: Step {N} — {description}
+  Command: {command}
+  {BLOCKED | WARNING}: {pattern name}
+```
+
+**If ANY BLOCK pattern is found:**
+
+```
+SECURITY SCAN FAILED: {count} dangerous command(s) found in plan.
+
+Blocked commands:
+  Step {N}: {command} → {reason}
+
+This plan contains commands blocked by the executor security policy.
+The plan may have been tampered with or contain hallucinated dangerous commands.
+
+Options:
+  1. Review and fix the plan file: {path}
+  2. Use --dry-run to inspect all commands without executing
+  3. Use --fg for interactive execution (hooks provide additional protection)
+```
+
+Stop execution. Do NOT continue to Phase 2.5.
+
+**If only WARN patterns found:** Continue execution but include warnings in the
+pre-execution summary. Report them in the final output under "Security advisories."
+
+**If clean:** Report `Security scan: PASS ({N} commands checked)` and continue.
+
 ## Phase 2.5 — Execution strategy decision
 
 Determine how to execute this plan:
@@ -321,7 +397,8 @@ Worktree created: session-{N} → {WORKTREE_PATH} (branch: {BRANCH_NAME})
 For each session N in the wave:
 ```bash
 cd "$WORKTREE_PATH" && claude -p "/ultraexecute-local --session {N} {plan-path}" \
-  --dangerously-skip-permissions \
+  --allowedTools "Read,Write,Edit,Bash,Glob,Grep" \
+  --permission-mode bypassPermissions \
   > "$LOG_DIR/session-{N}.log" 2>&1 &
 ```
 
@@ -646,6 +723,31 @@ Read the step's `Files:` and `Changes:` fields. Implement exactly as described.
 
 #### Sub-step D — Verification
 
+**Security check (mandatory):** Before running the Verify command, check it against
+the executor security denylist. If the command matches ANY of these patterns,
+**refuse to execute** — treat as `On failure: escalate` regardless of the plan's
+On failure setting:
+
+- `rm -rf` or `rm -fr` with any path
+- `chmod 777` or `chmod -R 777`
+- Pipe-to-shell: `curl ... | bash`, `wget ... | sh`, `base64 ... | bash`
+- `eval` with variable expansion: `eval $VAR`, `eval $(cmd)`, `` eval `cmd` ``
+- `mkfs`, `dd` writing to block devices (`/dev/sd*`, `/dev/nvme*`)
+- `shutdown`, `reboot`, `halt`, `poweroff`
+- Fork bomb patterns
+- `crontab` writes, `/etc/cron*` modifications
+- `kill -9 -1` or `pkill -9 -1` (kill all processes)
+- `history -c` or truncating `~/.bash_history`
+
+If matched:
+1. Do NOT execute the command
+2. Set step status = "failed"
+3. Log: `SECURITY: Verify command blocked — matches executor denylist: {pattern name}`
+4. Apply `On failure: escalate` regardless of the plan's On failure setting
+5. Include in final report under a "Security blocks" section
+
+If the command passes the security check, run it:
+
 Run the `Verify:` command exactly as written, via Bash.
 
 **Rules:**
@@ -877,3 +979,19 @@ Never let stats failures block the workflow.
     `--no-ff`. If any merge produces a conflict, run `git merge --abort`,
     report the conflicting files, and do not attempt further merges. Never use
     `--force` or `--strategy-option theirs/ours` to silently resolve conflicts.
+
+14. **Verify command security check.** Before executing any `Verify:` or
+    `Checkpoint:` command, check it against the executor security denylist
+    (Sub-step D). If the command matches a blocked pattern, escalate
+    immediately — do not execute, do not retry.
+
+15. **No writing outside the repository.** During step execution, never write
+    files outside the git repository root (`git rev-parse --show-toplevel`).
+    Exception: `.claude/` paths for plans, progress files, and stats.
+    This prevents escape-from-repo attacks where a plan step modifies home
+    directory or system files.
+
+16. **No writing to security-sensitive paths.** Never write to `.git/hooks/`
+    (git hook injection), `~/.ssh/`, `~/.aws/`, `~/.gnupg/`, `.env` files,
+    shell configs (`~/.zshrc`, `~/.bashrc`, `~/.profile`), or
+    `.claude/settings.json` / `.claude/hooks/` (infrastructure self-modification).