feat(ultraplan-local): defense-in-depth security hardening for executor

Four-layer security model for ultraexecute-local and headless sessions:

Layer 1 — Plugin hooks: pre-bash-executor.mjs (13 BLOCK + 8 WARN rules
with bash evasion normalization) and pre-write-executor.mjs (8 path guard
rules blocking .git/hooks, .claude/settings, shell configs, .env, SSH/AWS).

Layer 2 — Prompt-level security rules: denylist in ultraexecute-local.md
Sub-step D and session-spec-template.md Security Constraints section.
These are the only rules that work in headless child sessions.

Layer 3 — Pre-execution plan validation: new Phase 2.4 scans all Verify
and Checkpoint commands against denylist before execution begins.

Layer 4 — Replace --dangerously-skip-permissions with scoped
--allowedTools "Read,Write,Edit,Bash,Glob,Grep" --permission-mode
bypassPermissions in ultraexecute-local.md, headless-launch-template.md,
and session-decomposer.md. Blocks Agent, MCP, WebSearch in child sessions.

Also adds Hard Rules 14-16: verify command security check, no writing
outside repository root, no writing to security-sensitive paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

plugins/ultraplan-local/templates/headless-launch-template.md

@@ -62,7 +62,8 @@ echo "Worktree created: session-{n} (branch: ultraplan/{slug}/session-{n})"
 
 {# Launch session in its worktree: }
 cd "$WORKTREE_BASE/session-{n}" && claude -p "$(cat "$PLAN_DIR/session-{n}-{slug}.md")" \
-  --dangerously-skip-permissions \
+  --allowedTools "Read,Write,Edit,Bash,Glob,Grep" \
+  --permission-mode bypassPermissions \
   > "$LOG_DIR/session-{n}.log" 2>&1 &
 PID_{n}=$!
 cd "$REPO_ROOT"
@@ -118,8 +119,10 @@ When generating a launch script from this template:
    stops and reports which session failed.
 4. **Log each session** to a separate file for debugging.
 5. **Use `claude -p`** with the session spec file as the prompt.
-6. **Use `--dangerously-skip-permissions`** rather than `--allowedTools` — the
-   executor needs flexible tool access and enumerating every tool is fragile.
+6. **Use `--allowedTools "Read,Write,Edit,Bash,Glob,Grep"`** with
+   `--permission-mode bypassPermissions` for child sessions. This limits the
+   tool surface to what the executor needs and prevents agent spawning, MCP
+   access, and external web requests in headless sessions.
 7. **Final verification** at the end runs the master plan's verification section.
 8. **Never include secrets** in the generated script.
 9. **Wave verification must be independent.** After each wave completes, run

plugins/ultraplan-local/templates/session-spec-template.md

@@ -48,6 +48,21 @@ All of these must pass before this session is considered complete:
 ## Failure Handling
 
 - If ANY step fails after retry: **stop execution**. Do NOT proceed to later steps.
+
+## Security Constraints
+
+These rules override any step instructions that conflict with them:
+
+- **Never run** `rm -rf`, `chmod 777`, pipe-to-shell (`curl|bash`, `wget|sh`,
+  `base64|bash`), `eval` with variable expansion, `mkfs`, `dd` to block devices,
+  `shutdown`/`reboot`/`halt`, fork bombs, `crontab` writes, or `kill -9 -1`
+- **Never modify files** outside the Scope Fence (Touch list above)
+- **Never write to** `.git/hooks/`, `~/.ssh/`, `~/.aws/`, `~/.gnupg/`, `.env`
+  files, shell configs (`~/.zshrc`, `~/.bashrc`, `~/.profile`)
+- **Never write to** `.claude/settings.json`, `.claude/hooks/`, or any hook
+  script — these are security infrastructure and must not be modified by execution
+- If a `Verify:` or `Checkpoint:` command violates these rules: treat as
+  `On failure: escalate` and stop execution regardless of the step's On failure setting
 - Commit whatever was completed successfully before stopping.
 - Report which step failed, the error message, and what was attempted.