feat: initial open marketplace with llm-security, config-audit, ultraplan-local

plugins/llm-security/scripts/bump-version.mjs

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+// bump-version.mjs — Update version across all manifest files
+// Usage: npm run bump -- 2.2.0
+//    or: node scripts/bump-version.mjs 2.2.0
+
+import { readFileSync, writeFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..');
+const newVersion = process.argv[2];
+
+if (!newVersion || !/^\d+\.\d+\.\d+$/.test(newVersion)) {
+  console.error('Usage: npm run bump -- <semver>');
+  console.error('Example: npm run bump -- 2.2.0');
+  process.exit(1);
+}
+
+// Read current version from package.json
+const pkgPath = resolve(ROOT, 'package.json');
+const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+const oldVersion = pkg.version;
+
+if (oldVersion === newVersion) {
+  console.log(`Already at version ${newVersion}`);
+  process.exit(0);
+}
+
+// Files that contain the version string
+const targets = [
+  { file: 'package.json', find: `"version": "${oldVersion}"`, replace: `"version": "${newVersion}"` },
+  { file: '.claude-plugin/plugin.json', find: `"version": "${oldVersion}"`, replace: `"version": "${newVersion}"` },
+  { file: 'README.md', find: `version-${oldVersion}-blue`, replace: `version-${newVersion}-blue` },
+];
+
+let updated = 0;
+
+for (const { file, find, replace } of targets) {
+  const filePath = resolve(ROOT, file);
+  try {
+    const content = readFileSync(filePath, 'utf8');
+    if (content.includes(find)) {
+      writeFileSync(filePath, content.replace(find, replace));
+      console.log(`  Updated ${file}`);
+      updated++;
+    } else {
+      console.warn(`  WARNING: ${file} does not contain "${find}"`);
+    }
+  } catch (err) {
+    console.error(`  ERROR: Could not update ${file}: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+console.log(`\nVersion bumped: ${oldVersion} → ${newVersion} (${updated} files updated)`);
+console.log(`\nRemember to add a Version History entry in README.md`);

plugins/llm-security/scripts/v5-orchestrator-prompt.md

@@ -0,0 +1,54 @@
+Du er orkestrator for llm-security v5.0 "Prompt Injection Hardening".
+
+Plan: `/Users/ktg/.claude/plans/ethereal-waddling-rainbow.md`
+Repo: `/Users/ktg/.claude/plugins/marketplaces/plugin-marketplace/plugins/llm-security`
+
+Oppgaven: Kjør alle 8 sesjoner (S1-S8) sekvensielt via `claude -p` med `--dangerously-skip-permissions`. Hver sesjon er en separat headless Claude-invokasjon med fresh context.
+
+For HVER sesjon S1 til S8, gjør dette:
+
+1. Registrer nåværende HEAD og testcount:
+   ```
+   cd /Users/ktg/.claude/plugins/marketplaces/plugin-marketplace/plugins/llm-security
+   BEFORE=$(git rev-parse HEAD)
+   TESTS_BEFORE=$(node --test 2>&1 | grep "^ℹ tests" | awk '{print $3}')
+   ```
+
+2. Kjør sesjonen (bytt ut Sn med aktuell sesjon):
+   ```
+   claude -p "Working directory: /Users/ktg/.claude/plugins/marketplaces/plugin-marketplace/plugins/llm-security
+
+   Read the v5.0 plan at /Users/ktg/.claude/plans/ethereal-waddling-rainbow.md.
+   Execute session Sn completely.
+
+   Steps:
+   1. Read the plan's Sn section carefully — every detail matters
+   2. Implement ALL code changes described there
+   3. Write ALL tests described there
+   4. Run: node --test — fix failures until all pass
+   5. Update CLAUDE.md (test count, hook descriptions) in same commit
+   6. git add <specific files> && git commit -m 'feat(llm-security): Sn - <description>'
+   7. git push origin main
+
+   Rules:
+   - Implement ONLY Sn
+   - All existing tests MUST still pass
+   - If pathguard blocks Write to settings/hooks, use: write to .tmp then mv
+   - No subtree push (done at S8 release)
+   - Report: files changed, tests added, test results" \
+     --dangerously-skip-permissions \
+     --max-turns 100
+   ```
+
+3. Verifiser ETTER hver sesjon:
+   - `node --test` — alle tester passerer (0 failures)
+   - `git log --oneline -1` — commit finnes og inneholder "llm-security"
+   - Testcount økte (forventet: S1 ~45, S2 ~45, S3 ~30, S4 ~50, S5 ~20, S6 ~40, S7 ~10, S8 ~15)
+
+4. Hvis verifisering feiler: STOPP og rapporter hvilken sesjon som feilet og hvorfor. Ikke prøv neste sesjon.
+
+5. Hvis verifisering OK: fortsett til neste sesjon.
+
+Etter S8: kjør `node scanners/attack-simulator.mjs --verbose` og rapporter defense score.
+
+Start nå med S1. Rapporter status etter hver sesjon.

plugins/llm-security/scripts/v5-runner.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+# v5-runner.sh — Automated v5.0 Prompt Injection Hardening runner
+# Runs all 8 sessions sequentially with fresh context between each.
+# Stops on first failure (tests or commit).
+#
+# Usage: bash scripts/v5-runner.sh [start_session]
+#   start_session: S1-S8 (default: S1). Resume from a specific session.
+#
+# Requirements: claude CLI in PATH, Forgejo remote configured.
+
+set -euo pipefail
+
+# Force OAuth/subscription billing — unset API key so claude -p uses Max plan
+unset ANTHROPIC_API_KEY
+
+REPO="/Users/ktg/.claude/plugins/marketplaces/plugin-marketplace/plugins/llm-security"
+PLAN="/Users/ktg/.claude/plans/ethereal-waddling-rainbow.md"
+LOG="$REPO/scripts/v5-runner.log"
+START="${1:-S1}"
+STARTED=false
+
+sessions=(S1 S2 S3 S4 S5 S6 S7 S8)
+
+echo "=== v5.0 Runner started at $(date) ===" | tee "$LOG"
+echo "Starting from: $START" | tee -a "$LOG"
+
+for session in "${sessions[@]}"; do
+  # Skip until we reach the start session
+  if [ "$STARTED" = false ] && [ "$session" != "$START" ]; then
+    continue
+  fi
+  STARTED=true
+
+  echo "" | tee -a "$LOG"
+  echo "=== $session: Starting at $(date) ===" | tee -a "$LOG"
+
+  # Record pre-session state
+  cd "$REPO"
+  BEFORE_COMMIT=$(git rev-parse HEAD)
+  BEFORE_TESTS=$(node --test 2>&1 | grep "^ℹ tests" | awk '{print $3}')
+
+  # Run the session with full permissions
+  cd "$REPO"
+  claude -p "$(cat <<PROMPT
+Working directory: $REPO
+
+Read the v5.0 plan at $PLAN. Execute session $session completely.
+
+Steps:
+1. Read the plan's $session section carefully
+2. Implement ALL code changes described there
+3. Write ALL tests described there
+4. Run the full test suite: node --test
+5. Fix any failures until all tests pass (both new and existing 782+)
+6. Update CLAUDE.md hook/test counts in the same commit
+7. Commit: git add <specific files> && git commit -m "feat(llm-security): $session - <description>"
+8. Push: git push origin main
+
+CRITICAL RULES:
+- Implement ONLY $session — do NOT start other sessions
+- All 782+ existing tests MUST still pass
+- Do NOT use subtree push (will be done at release)
+- If pathguard blocks a write, write to a .tmp file and use: mv file.tmp file
+- Report what you implemented and test results at the end
+PROMPT
+  )" \
+    --dangerously-skip-permissions \
+    2>&1 | tee -a "$LOG"
+
+  CLAUDE_EXIT=$?
+  echo "claude -p exit code: $CLAUDE_EXIT" | tee -a "$LOG"
+
+  # Verify: tests pass
+  cd "$REPO"
+  echo "--- Verifying tests after $session ---" | tee -a "$LOG"
+  TEST_OUTPUT=$(node --test 2>&1)
+  TEST_RESULT=$?
+  AFTER_TESTS=$(echo "$TEST_OUTPUT" | grep "^ℹ tests" | awk '{print $3}')
+  FAILURES=$(echo "$TEST_OUTPUT" | grep "^ℹ fail" | awk '{print $3}')
+
+  if [ "$TEST_RESULT" -ne 0 ] || [ "$FAILURES" != "0" ]; then
+    echo "FAILED: $session — tests did not pass ($FAILURES failures)" | tee -a "$LOG"
+    echo "$TEST_OUTPUT" >> "$LOG"
+    exit 1
+  fi
+
+  # Verify: new commit exists with matching message
+  AFTER_COMMIT=$(git rev-parse HEAD)
+  COMMIT_MSG=$(git log --oneline -1)
+  if [ "$BEFORE_COMMIT" = "$AFTER_COMMIT" ]; then
+    echo "FAILED: $session — no commit was created" | tee -a "$LOG"
+    exit 1
+  fi
+
+  # Verify commit is actually for this session (not from another process)
+  if ! echo "$COMMIT_MSG" | grep -qi "llm-security"; then
+    echo "FAILED: $session — commit '$COMMIT_MSG' does not appear to be from this session" | tee -a "$LOG"
+    exit 1
+  fi
+
+  # Verify new tests were added
+  NEW_TESTS=$((AFTER_TESTS - BEFORE_TESTS))
+  if [ "$NEW_TESTS" -lt 5 ]; then
+    echo "WARNING: $session — only $NEW_TESTS new tests (expected 15+)" | tee -a "$LOG"
+  fi
+
+  echo "$session COMPLETE: $AFTER_TESTS tests (+$NEW_TESTS new), commit $COMMIT_MSG" | tee -a "$LOG"
+  echo "=== $session: Done at $(date) ===" | tee -a "$LOG"
+done
+
+echo "" | tee -a "$LOG"
+echo "=== ALL SESSIONS COMPLETE at $(date) ===" | tee -a "$LOG"
+echo "Final test count: $(node --test 2>&1 | grep '^ℹ tests' | awk '{print $3}')" | tee -a "$LOG"
+echo "Final commit: $(git log --oneline -1)" | tee -a "$LOG"