feat(ultraplan-local): defense-in-depth security hardening for executor
Four-layer security model for ultraexecute-local and headless sessions: Layer 1 — Plugin hooks: pre-bash-executor.mjs (13 BLOCK + 8 WARN rules with bash evasion normalization) and pre-write-executor.mjs (8 path guard rules blocking .git/hooks, .claude/settings, shell configs, .env, SSH/AWS). Layer 2 — Prompt-level security rules: denylist in ultraexecute-local.md Sub-step D and session-spec-template.md Security Constraints section. These are the only rules that work in headless child sessions. Layer 3 — Pre-execution plan validation: new Phase 2.4 scans all Verify and Checkpoint commands against denylist before execution begins. Layer 4 — Replace --dangerously-skip-permissions with scoped --allowedTools "Read,Write,Edit,Bash,Glob,Grep" --permission-mode bypassPermissions in ultraexecute-local.md, headless-launch-template.md, and session-decomposer.md. Blocks Agent, MCP, WebSearch in child sessions. Also adds Hard Rules 14-16: verify command security check, no writing outside repository root, no writing to security-sensitive paths. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen
parent
2e125d9030
commit
aa21e59ac2
7 changed files with 539 additions and 6 deletions
|
|
@ -62,7 +62,8 @@ echo "Worktree created: session-{n} (branch: ultraplan/{slug}/session-{n})"
|
|||
|
||||
{# Launch session in its worktree: }
|
||||
cd "$WORKTREE_BASE/session-{n}" && claude -p "$(cat "$PLAN_DIR/session-{n}-{slug}.md")" \
|
||||
--dangerously-skip-permissions \
|
||||
--allowedTools "Read,Write,Edit,Bash,Glob,Grep" \
|
||||
--permission-mode bypassPermissions \
|
||||
> "$LOG_DIR/session-{n}.log" 2>&1 &
|
||||
PID_{n}=$!
|
||||
cd "$REPO_ROOT"
|
||||
|
|
@ -118,8 +119,10 @@ When generating a launch script from this template:
|
|||
stops and reports which session failed.
|
||||
4. **Log each session** to a separate file for debugging.
|
||||
5. **Use `claude -p`** with the session spec file as the prompt.
|
||||
6. **Use `--dangerously-skip-permissions`** rather than `--allowedTools` — the
|
||||
executor needs flexible tool access and enumerating every tool is fragile.
|
||||
6. **Use `--allowedTools "Read,Write,Edit,Bash,Glob,Grep"`** with
|
||||
`--permission-mode bypassPermissions` for child sessions. This limits the
|
||||
tool surface to what the executor needs and prevents agent spawning, MCP
|
||||
access, and external web requests in headless sessions.
|
||||
7. **Final verification** at the end runs the master plan's verification section.
|
||||
8. **Never include secrets** in the generated script.
|
||||
9. **Wave verification must be independent.** After each wave completes, run
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue