feat: initial open marketplace with llm-security, config-audit, ultraplan-local

plugins/config-audit/tests/fixtures/broken-plugin/.claude-plugin/plugin.json

@@ -0,0 +1,3 @@
+{
+  "name": "broken-plugin"
+}

plugins/config-audit/tests/fixtures/broken-plugin/agents/bad-agent.md

@@ -0,0 +1,8 @@
+---
+name: bad-agent
+description: Missing model and tools
+---
+
+# Bad Agent
+
+No model or tools in frontmatter.

plugins/config-audit/tests/fixtures/broken-plugin/commands/no-frontmatter.md

@@ -0,0 +1,3 @@
+# A command without frontmatter
+
+This command has no YAML frontmatter.

plugins/config-audit/tests/fixtures/broken-project/.claude/rules/big-unscoped.md

@@ -0,0 +1,60 @@
+Coding Standards and Best Practices
+
+All code must be reviewed before merging to the main branch.
+Every function must have a clear, single responsibility.
+Variable names must be descriptive and follow camelCase convention.
+Constants must be named in UPPER_SNAKE_CASE.
+Avoid magic numbers; use named constants instead.
+Keep line length under 120 characters.
+Use four spaces for indentation, never tabs.
+Files must end with a newline character.
+Remove trailing whitespace from all lines.
+Do not commit commented-out code.
+Delete dead code instead of leaving it in place.
+Write self-documenting code; comments explain why, not what.
+All TODO comments must reference a ticket number.
+Do not use abbreviations that are not widely understood.
+Use positive variable names; prefer isActive over isNotInactive.
+Avoid double negatives in conditional expressions.
+Keep nesting levels to a maximum of three.
+Extract complex conditions into named boolean variables.
+Use early returns to reduce nesting.
+Avoid else after return.
+Keep functions under 40 lines of code.
+Keep files under 300 lines of code.
+Split large files into smaller, focused modules.
+Use named exports, not default exports.
+Group imports: standard library, external, internal.
+Sort import groups alphabetically.
+Do not use wildcard imports.
+Remove unused imports before committing.
+Use absolute imports for cross-module dependencies.
+Use relative imports only within the same module.
+Avoid circular dependencies between modules.
+Use barrel files only at module boundaries.
+Do not re-export from multiple barrel files.
+Prefer named interfaces over inline type definitions.
+Use generic types to avoid duplication.
+Avoid type assertions unless absolutely necessary.
+Do not use ts-ignore comments without explanation.
+Enable strict mode in tsconfig.
+Use unknown instead of any for unsafe types.
+Prefer type narrowing over type assertions.
+Use discriminated unions for complex state.
+Model optional fields explicitly with undefined.
+Avoid null; prefer undefined.
+Use optional chaining for nullable access.
+Use nullish coalescing for defaults.
+Do not mix null and undefined in the same API.
+Use enums for finite sets of values.
+Prefer const enums for performance-sensitive code.
+Do not extend enums dynamically.
+Use readonly arrays and objects where mutation is unintended.
+Prefer immutable data structures in shared state.
+Avoid mutations in pure functions.
+Use spread operators for shallow copies.
+Use structuredClone for deep copies.
+Do not mutate function parameters.
+Return new objects from transformation functions.
+Use Array methods over imperative loops where readable.
+Avoid side effects in map and filter callbacks.

plugins/config-audit/tests/fixtures/broken-project/.claude/rules/dead-rule.md

@@ -0,0 +1,6 @@
+---
+globs: nonexistent-dir/**/*.xyz
+---
+
+# Dead Rule
+This rule matches nothing.

plugins/config-audit/tests/fixtures/broken-project/.claude/settings.json

@@ -0,0 +1,7 @@
+{
+  "includeCoAuthoredBy": true,
+  "alwaysThinkingEnabled": "yes",
+  "effortLevel": "turbo",
+  "unknownKey123": true,
+  "hooks": ["not", "an", "object"]
+}

plugins/config-audit/tests/fixtures/broken-project/.mcp.json

@@ -0,0 +1,24 @@
+{
+  "mcpServers": {
+    "sse-server": {
+      "type": "sse",
+      "url": "https://api.example.com/mcp"
+    },
+    "unknown-type-server": {
+      "type": "grpc",
+      "command": "grpc-server"
+    },
+    "no-trust-server": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-filesystem"]
+    },
+    "missing-env-server": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "server", "${MISSING_API_KEY}", "--token", "${SECRET_TOKEN}"],
+      "extraField": true,
+      "anotherUnknown": "value"
+    }
+  }
+}

plugins/config-audit/tests/fixtures/broken-project/CLAUDE.md

@@ -0,0 +1,262 @@
+Always use TypeScript for all code
+Use ESLint and Prettier for code formatting.
+Run linting before every commit.
+Keep functions small and focused.
+TODO: fix this linting config
+Write unit tests for all business logic.
+Use dependency injection where possible.
+Avoid global state.
+Always use TypeScript for all code
+Document all public APIs with JSDoc.
+Use interfaces over type aliases for objects.
+Prefer readonly properties when possible.
+Never use var, always use const or let.
+TODO: fix this type definition
+Use async/await instead of raw promises.
+Handle errors explicitly, never swallow them.
+Log errors with full context.
+Use structured logging (JSON format).
+Always use TypeScript for all code
+Validate all inputs at service boundaries.
+Sanitize all outputs before sending to clients.
+Never hardcode secrets or credentials.
+Use environment variables for configuration.
+TODO: fix this environment variable handling
+Always use TypeScript for all code
+Keep configuration separate from code.
+Use feature flags for experimental features.
+Write integration tests for critical paths.
+Use mocks for external dependencies in unit tests.
+Prefer composition over inheritance.
+Keep modules loosely coupled.
+Use dependency inversion principle.
+Separate concerns between layers.
+Use repository pattern for data access.
+Service layer should not know about HTTP.
+Controllers should not contain business logic.
+Use DTOs for data transfer between layers.
+Validate DTOs at the entry point.
+Use class-validator for DTO validation.
+Use class-transformer for serialization.
+Keep response shapes consistent.
+Document API endpoints with OpenAPI.
+Version your APIs from the start.
+Use semantic versioning.
+Tag releases in git.
+Write a changelog for every release.
+Squash commits before merging to main.
+Write meaningful commit messages.
+Use conventional commits format.
+Link commits to issue tracker entries.
+Review your own code before asking for review.
+Use pull requests for all changes.
+Require at least one review before merging.
+Use CI checks to enforce quality gates.
+Run tests in CI on every pull request.
+Use branch protection rules on main.
+Delete branches after merge.
+Keep the main branch always deployable.
+Use feature branches for development.
+Rebase on main before merging.
+Resolve conflicts locally before pushing.
+Keep pull requests small and focused.
+Add screenshots for UI changes.
+Write a test plan in the PR description.
+Reference related issues in pull requests.
+Assign reviewers explicitly.
+Respond to review comments promptly.
+Mark resolved conversations.
+Do not merge your own pull requests.
+Check that all CI checks pass before merging.
+Prefer squash merge strategy.
+Update the changelog after merging.
+Close related issues after merge.
+Deploy after every merge to main.
+Monitor deployments after release.
+Roll back immediately if errors spike.
+Use blue-green deployments for zero downtime.
+Automate deployments using CI/CD pipelines.
+Store infrastructure as code.
+Use Terraform for infrastructure management.
+Review infrastructure changes before applying.
+Use remote state for Terraform.
+Lock Terraform provider versions.
+Document infrastructure decisions in ADRs.
+Keep secrets out of infrastructure code.
+Use a secrets manager for production secrets.
+Rotate secrets regularly.
+Audit access to secrets.
+Use RBAC for authorization.
+Apply least privilege principle.
+Review permissions quarterly.
+Log all privileged operations.
+Use multi-factor authentication everywhere.
+Enforce password policies.
+Use SSO where possible.
+Scan dependencies for vulnerabilities.
+Update dependencies regularly.
+Pin dependency versions in production.
+Use a lock file for all package managers.
+Review licenses of all dependencies.
+Avoid dependencies with no maintenance.
+Prefer smaller, focused packages.
+Check bundle size impact of new dependencies.
+Remove unused dependencies.
+Run npm audit on every CI build.
+Address high severity vulnerabilities immediately.
+Track open vulnerabilities in issue tracker.
+Set up automated dependency update PRs.
+Review Dependabot PRs weekly.
+Test dependency upgrades in a staging environment.
+Keep Node.js version up to date.
+Use LTS versions of Node.js.
+Document the required Node.js version.
+Use .nvmrc or .node-version files.
+Enforce Node.js version in CI.
+Use Docker for local development environments.
+Keep Docker images small.
+Use multi-stage builds for production images.
+Scan Docker images for vulnerabilities.
+Do not run containers as root.
+Use read-only filesystems where possible.
+Set resource limits on containers.
+Use health checks in Docker containers.
+Use named volumes for persistent data.
+Document Docker networking configuration.
+Use docker-compose for local multi-service setups.
+Version docker-compose files.
+Keep docker-compose files out of production.
+Use Kubernetes for orchestration in production.
+Define resource requests and limits for pods.
+Use namespaces for environment separation.
+Apply network policies between services.
+Use readiness and liveness probes.
+Configure horizontal pod autoscaling.
+Use persistent volume claims for stateful services.
+Back up persistent volumes regularly.
+Test backup restoration periodically.
+Monitor disk usage on all nodes.
+Set up alerts for critical system metrics.
+Use a centralized logging solution.
+Retain logs for at least 90 days.
+Archive logs to cold storage after 30 days.
+Set up log-based alerting for errors.
+Use distributed tracing for microservices.
+Correlate logs and traces using request IDs.
+Monitor API latency percentiles.
+Set SLOs for all critical services.
+Track error budget consumption.
+Conduct post-mortems for all incidents.
+Document runbooks for common incidents.
+Keep runbooks up to date.
+Test runbooks regularly.
+Practice chaos engineering.
+Define recovery time objectives.
+Define recovery point objectives.
+Test disaster recovery procedures annually.
+Document on-call procedures.
+Rotate on-call responsibilities.
+Compensate on-call fairly.
+Track on-call incidents and burnout signals.
+Hold regular architecture review meetings.
+Document decisions in architecture decision records.
+Review and update ADRs as systems evolve.
+Share architectural knowledge across the team.
+Hold regular tech debt review sessions.
+Prioritize tech debt alongside features.
+Track tech debt in the issue tracker.
+Set a tech debt budget per sprint.
+Refactor incrementally, not in big bang rewrites.
+Write tests before refactoring.
+Measure test coverage trends over time.
+Aim for meaningful coverage, not 100 percent.
+Use mutation testing to assess test quality.
+Avoid testing implementation details.
+Test behavior, not structure.
+Keep tests independent and isolated.
+Use test data factories for complex objects.
+Reset state between tests.
+Avoid hardcoded test data.
+Use realistic test data where possible.
+Anonymize personal data in test datasets.
+Never use production data in development.
+Use database migrations for schema changes.
+Test migrations before applying to production.
+Make migrations reversible.
+Run migrations in a transaction.
+Seed databases for development and testing.
+Keep seed data minimal and representative.
+Document database schema changes.
+Index columns used in frequent queries.
+Monitor query performance in production.
+Use query explain plans to diagnose slow queries.
+Avoid N+1 queries.
+Cache aggressively but invalidate correctly.
+Use Redis for distributed caching.
+Set TTLs on all cache entries.
+Monitor cache hit rates.
+Warm caches after deployment.
+Use CDN for static assets.
+Enable HTTP/2 and HTTP/3 where possible.
+Compress responses with gzip or brotli.
+Minimize JavaScript bundle sizes.
+Lazy load non-critical resources.
+Measure and budget page load performance.
+Use Lighthouse for performance auditing.
+Set performance regression budgets in CI.
+Monitor Core Web Vitals in production.
+Use server-side rendering for SEO-critical pages.
+Pre-render static pages where possible.
+Use incremental static regeneration when applicable.
+Test accessibility with automated tools.
+Fix all critical accessibility issues before launch.
+Test with real assistive technologies.
+Follow WCAG 2.1 AA guidelines.
+Provide text alternatives for all images.
+Ensure sufficient color contrast.
+Make all interactive elements keyboard accessible.
+Use semantic HTML elements.
+Add ARIA attributes only when necessary.
+Test with users with disabilities when possible.
+Document accessibility decisions.
+Include accessibility in the definition of done.
+Train the team on accessibility basics.
+Review accessibility in code review.
+Track accessibility issues separately.
+Prioritize accessibility issues appropriately.
+Celebrate accessibility improvements.
+Share accessibility learnings across projects.
+Stay up to date with accessibility standards.
+Advocate for accessibility in product planning.
+Perform regular security audits.
+Use static analysis tools for security scanning.
+Integrate SAST into CI pipelines.
+Review OWASP Top 10 annually.
+Train developers on secure coding practices.
+Track security findings in the issue tracker.
+Address critical security issues within 24 hours.
+Address high security issues within one week.
+Conduct penetration testing before major releases.
+Document security threat models.
+Review threat models when architecture changes.
+Use Content Security Policy headers.
+Set security headers on all HTTP responses.
+Use HTTPS everywhere.
+Redirect HTTP to HTTPS.
+Use HSTS with a long max-age.
+Validate and escape all user input.
+Use parameterized queries for database access.
+Avoid SQL string concatenation.
+Use prepared statements.
+Sanitize file paths before using them.
+Use allowlists for file extension validation.
+Never trust client-supplied file names.
+Limit file upload sizes.
+Scan uploaded files for malware.
+Store uploaded files outside the web root.
+Use signed URLs for serving uploaded files.
+Expire signed URLs appropriately.
+Audit file access logs regularly.
+Use rate limiting on all public endpoints.
+@imports/a.md
+@docs/nonexistent.md

plugins/config-audit/tests/fixtures/broken-project/hooks/hooks.json

@@ -0,0 +1,26 @@
+{
+  "hooks": {
+    "InvalidEvent": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "echo test"
+          }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "matcher": {"tool": "Bash"},
+        "hooks": [
+          {
+            "type": "invalid_type",
+            "command": "echo test",
+            "timeout": 500
+          }
+        ]
+      }
+    ]
+  }
+}

plugins/config-audit/tests/fixtures/broken-project/imports/a.md

@@ -0,0 +1,3 @@
+# Import A
+Shared content from file A.
+@b.md

plugins/config-audit/tests/fixtures/broken-project/imports/b.md

@@ -0,0 +1,3 @@
+# Import B
+Shared content from file B.
+@a.md

plugins/config-audit/tests/fixtures/conflict-project/.claude/settings.json

@@ -0,0 +1,16 @@
+{
+  "model": "claude-sonnet-4-5",
+  "effortLevel": "high",
+  "permissions": {
+    "allow": ["Bash(npm run *)", "Read(src/**)"],
+    "deny": []
+  },
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [{ "type": "command", "command": "echo project-hook" }]
+      }
+    ]
+  }
+}

plugins/config-audit/tests/fixtures/conflict-project/CLAUDE.md

@@ -0,0 +1,7 @@
+# Conflict Test Project
+
+## Overview
+A test project with intentional configuration conflicts across scopes.
+
+## Commands
+- `npm test` — Run tests

plugins/config-audit/tests/fixtures/fixable-project/.claude/rules/readme.txt

@@ -0,0 +1,2 @@
+This rule file has the wrong extension.
+It should be .md to be loaded by Claude Code.

plugins/config-audit/tests/fixtures/fixable-project/.claude/rules/typescript.md

@@ -0,0 +1,8 @@
+---
+globs: "**/*.ts"
+---
+
+# TypeScript Rules
+
+- Use strict mode
+- Prefer interfaces over types

plugins/config-audit/tests/fixtures/fixable-project/.claude/settings.json

@@ -0,0 +1,14 @@
+{
+  "apiProvider": "anthropic",
+  "permissions": {
+    "allow": []
+  },
+  "alwaysThinkingEnabled": "true",
+  "effortLevel": "turbo",
+  "hooks": [
+    {
+      "event": "PreToolUse",
+      "command": "echo ok"
+    }
+  ]
+}

plugins/config-audit/tests/fixtures/fixable-project/.config-audit-ignore

@@ -0,0 +1,2 @@
+# Suppress known feature gap findings for this test fixture
+CA-GAP-*

plugins/config-audit/tests/fixtures/fixable-project/CLAUDE.md

@@ -0,0 +1,7 @@
+# Fixable Project
+
+This is a minimal CLAUDE.md for the fixable-project fixture.
+
+## Rules
+
+- Follow TypeScript conventions

plugins/config-audit/tests/fixtures/fixable-project/hooks/hooks.json

@@ -0,0 +1,18 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": {
+          "tool": "Bash"
+        },
+        "hooks": [
+          {
+            "type": "command",
+            "command": "echo ok",
+            "timeout": "5000"
+          }
+        ]
+      }
+    ]
+  }
+}

plugins/config-audit/tests/fixtures/healthy-project/.claude/rules/typescript.md

@@ -0,0 +1,6 @@
+---
+paths: src/**/*.ts
+---
+
+# TypeScript Rules
+Use strict TypeScript. No `any` types.

plugins/config-audit/tests/fixtures/healthy-project/.claude/settings.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-settings.json",
+  "permissions": {
+    "allow": ["Bash(npm run *)"],
+    "deny": ["Read(./.env)"]
+  }
+}

plugins/config-audit/tests/fixtures/healthy-project/.claude/shared.md

@@ -0,0 +1,7 @@
+# Shared Configuration
+
+Common patterns and conventions shared across the project.
+
+## Naming Conventions
+- Use camelCase for variables and functions
+- Use PascalCase for classes and types

plugins/config-audit/tests/fixtures/healthy-project/.mcp.json

@@ -0,0 +1,16 @@
+{
+  "mcpServers": {
+    "memory": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-memory"],
+      "trust": "workspace"
+    },
+    "filesystem": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"],
+      "trust": "trusted"
+    }
+  }
+}

plugins/config-audit/tests/fixtures/healthy-project/CLAUDE.md

@@ -0,0 +1,17 @@
+# My Project
+
+## Overview
+A sample project for testing config-audit scanners.
+
+## Commands
+- `npm run build` — Build the project
+- `npm test` — Run tests
+
+## Architecture
+Standard Node.js project structure.
+
+## Conventions
+- TypeScript preferred
+- Conventional commits
+
+@.claude/shared.md

plugins/config-audit/tests/fixtures/healthy-project/hooks/hooks.json

@@ -0,0 +1,16 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "echo ok",
+            "timeout": 5000
+          }
+        ]
+      }
+    ]
+  }
+}

plugins/config-audit/tests/fixtures/healthy-project/src/index.ts

@@ -0,0 +1 @@
+export {};

plugins/config-audit/tests/fixtures/minimal-project/CLAUDE.md

@@ -0,0 +1 @@
+# Project

plugins/config-audit/tests/fixtures/test-plugin/.claude-plugin/plugin.json

@@ -0,0 +1,5 @@
+{
+  "name": "test-plugin",
+  "description": "A test plugin for config-audit plugin-health scanner",
+  "version": "1.0.0"
+}

plugins/config-audit/tests/fixtures/test-plugin/CLAUDE.md

@@ -0,0 +1,21 @@
+# Test Plugin
+
+A test plugin for validating plugin-health scanner.
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/test-plugin:test-cmd` | A test command |
+
+## Agents
+
+| Agent | Role | Model |
+|-------|------|-------|
+| test-agent | Test agent | sonnet |
+
+## Hooks
+
+| Event | Script | Purpose |
+|-------|--------|---------|
+| PreToolUse | test-hook.mjs | Test hook |

plugins/config-audit/tests/fixtures/test-plugin/agents/test-agent.md

@@ -0,0 +1,10 @@
+---
+name: test-agent
+description: A test agent for validation
+model: sonnet
+tools: ["Read", "Glob"]
+---
+
+# Test Agent
+
+A test agent.

plugins/config-audit/tests/fixtures/test-plugin/commands/test-cmd.md

@@ -0,0 +1,10 @@
+---
+name: test-plugin:test-cmd
+description: A test command
+allowed-tools: Read, Bash
+model: sonnet
+---
+
+# Test Command
+
+This is a test command.

plugins/config-audit/tests/fixtures/test-plugin/hooks/hooks.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "echo test"
+          }
+        ]
+      }
+    ]
+  }
+}