open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat(ultraplan-local): defense-in-depth security hardening for executor

Browse source 
Four-layer security model for ultraexecute-local and headless sessions:

Layer 1 — Plugin hooks: pre-bash-executor.mjs (13 BLOCK + 8 WARN rules
with bash evasion normalization) and pre-write-executor.mjs (8 path guard
rules blocking .git/hooks, .claude/settings, shell configs, .env, SSH/AWS).

Layer 2 — Prompt-level security rules: denylist in ultraexecute-local.md
Sub-step D and session-spec-template.md Security Constraints section.
These are the only rules that work in headless child sessions.

Layer 3 — Pre-execution plan validation: new Phase 2.4 scans all Verify
and Checkpoint commands against denylist before execution begins.

Layer 4 — Replace --dangerously-skip-permissions with scoped
--allowedTools "Read,Write,Edit,Bash,Glob,Grep" --permission-mode
bypassPermissions in ultraexecute-local.md, headless-launch-template.md,
and session-decomposer.md. Blocks Agent, MCP, WebSearch in child sessions.

Also adds Hard Rules 14-16: verify command security check, no writing
outside repository root, no writing to security-sensitive paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-04-08 18:33:15 +02:00
commit aa21e59ac2
7 changed files with 539 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

15
plugins/ultraplan-local/templates/session-spec-template.md
View file

@ -48,6 +48,21 @@ All of these must pass before this session is considered complete:
## Failure Handling
- If ANY step fails after retry: **stop execution**. Do NOT proceed to later steps.
## Security Constraints
These rules override any step instructions that conflict with them:
- **Never run** `rm -rf`, `chmod 777`, pipe-to-shell (`curl|bash`, `wget|sh`,
`base64|bash`), `eval` with variable expansion, `mkfs`, `dd` to block devices,
`shutdown`/`reboot`/`halt`, fork bombs, `crontab` writes, or `kill -9 -1`
- **Never modify files** outside the Scope Fence (Touch list above)
- **Never write to** `.git/hooks/`, `~/.ssh/`, `~/.aws/`, `~/.gnupg/`, `.env`
files, shell configs (`~/.zshrc`, `~/.bashrc`, `~/.profile`)
- **Never write to** `.claude/settings.json`, `.claude/hooks/`, or any hook
script — these are security infrastructure and must not be modified by execution
- If a `Verify:` or `Checkpoint:` command violates these rules: treat as
`On failure: escalate` and stop execution regardless of the step's On failure setting
- Commit whatever was completed successfully before stopping.
- Report which step failed, the error message, and what was attempted.