feat: initial open marketplace with llm-security, config-audit, ultraplan-local

2026-04-06 18:47:49 +02:00 · 2026-04-06 18:47:49 +02:00 · f93d6abdae
commit f93d6abdae
380 changed files with 65935 additions and 0 deletions
--- a/plugins/llm-security/SECURITY.md
+++ b/plugins/llm-security/SECURITY.md
@ -0,0 +1,44 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 3.0.x   | Yes       |
+| < 3.0   | No        |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this plugin, please report it responsibly.
+
+**Do NOT open a public issue.** Instead:
+
+1. Email: **security@fromaitochitta.com**
+2. Include:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Affected component (scanner, hook, agent, etc.)
+   - Potential impact
+
+**Response timeline:**
+- Acknowledgment within 48 hours
+- Assessment within 7 days
+- Fix or mitigation within 30 days for confirmed vulnerabilities
+
+## Scope
+
+This policy covers:
+- Hook scripts (`hooks/scripts/*.mjs`)
+- Deterministic scanners (`scanners/*.mjs`)
+- Scanner shared library (`scanners/lib/*.mjs`)
+- Agent definitions (`agents/*.md`)
+- Command definitions (`commands/*.md`)
+
+Out of scope:
+- The malicious-skill-demo fixture (intentionally vulnerable for testing)
+- Knowledge base content (derived from published OWASP standards)
+- Template files (output formatting only)
+
+## Disclosure
+
+Confirmed vulnerabilities will be disclosed after a fix is available, with credit to the reporter unless anonymity is requested.