feat: initial open marketplace with llm-security, config-audit, ultraplan-local

plugins/ultraplan-local/templates/headless-launch-template.md

@@ -0,0 +1,80 @@
+# Headless Launch Script Template
+
+This template is used by the session-decomposer agent to generate a launch script
+for headless execution of decomposed sessions.
+
+## Template
+
+```bash
+#!/usr/bin/env bash
+# Headless launch script — generated by ultraplan-local
+# Master plan: {plan_path}
+# Generated: {date}
+# Sessions: {total_sessions} ({parallel_count} parallel, {sequential_count} sequential)
+
+set -euo pipefail
+
+# Prevent accidental API billing — remove this line if you intend to use API credits
+unset ANTHROPIC_API_KEY
+
+PLAN_DIR="{session_dir}"
+LOG_DIR="{session_dir}/logs"
+mkdir -p "$LOG_DIR"
+
+echo "=== Ultraplan Headless Execution ==="
+echo "Plan: {plan_path}"
+echo "Sessions: {total_sessions}"
+echo ""
+
+# --- Wave {N}: Parallel sessions (no dependencies) ---
+echo "--- Wave {N}: {description} ---"
+
+{# For each parallel session in this wave: }
+claude -p "$(cat "$PLAN_DIR/session-{n}-{slug}.md")" \
+  --dangerously-skip-permissions \
+  > "$LOG_DIR/session-{n}.log" 2>&1 &
+PID_{n}=$!
+echo "Started session {n}: {title} (PID $PID_{n})"
+
+{# After all parallel sessions in this wave: }
+echo "Waiting for Wave {N} to complete..."
+wait $PID_{n1} $PID_{n2}
+echo "Wave {N} complete."
+echo ""
+
+# --- Verify wave results ---
+echo "--- Verifying Wave {N} ---"
+{# For each session in the wave, run its exit condition commands }
+{verify_commands}
+
+# --- Wave {N+1}: Sequential sessions (depends on previous wave) ---
+{# Repeat wave pattern for dependent sessions }
+
+echo ""
+echo "=== All sessions complete ==="
+echo "Review logs in $LOG_DIR/"
+echo "Run final verification: {final_verify_command}"
+```
+
+## Rules for the session-decomposer
+
+When generating a launch script from this template:
+
+1. **Group sessions into waves** by dependency. Sessions with no dependencies
+   or whose dependencies are all in earlier waves can run in the same wave.
+2. **Each wave waits for completion** before the next wave starts.
+3. **Verification runs after each wave** — if verification fails, the script
+   stops and reports which session failed.
+4. **Log each session** to a separate file for debugging.
+5. **Use `claude -p`** with the session spec file as the prompt.
+6. **Use `--dangerously-skip-permissions`** rather than `--allowedTools` — the
+   executor needs flexible tool access and enumerating every tool is fragile.
+7. **Final verification** at the end runs the master plan's verification section.
+8. **Never include secrets** in the generated script.
+9. **Wave verification must be independent.** After each wave completes, run
+   verification commands fresh via Bash — never parse session log files as proof
+   of success. Log files contain executor self-reporting, not ground truth. The
+   command's exit code is the only authoritative verification signal.
+10. **Billing preamble.** Prepend `unset ANTHROPIC_API_KEY` with a comment at
+    the top of the script to prevent accidental API billing. Users who intend
+    to use API credits can remove this line.

plugins/ultraplan-local/templates/plan-template.md

@@ -0,0 +1,195 @@
+# {Task Title}
+
+> **Plan quality: {grade}** ({score}/100) — {APPROVE | APPROVE_WITH_NOTES | REVISE | REPLAN}
+>
+> Generated by ultraplan-local v{version} on {YYYY-MM-DD}
+
+## Context
+
+Why this change is needed. The problem or need it addresses, what prompted it,
+and the intended outcome. Reference the spec file if one was used.
+
+## Architecture Diagram
+
+```mermaid
+graph TD
+    subgraph "Changes in this plan"
+        %% C4-style component diagram showing what the plan touches
+        %% Highlight modified components, new components, and connections
+    end
+```
+
+*Replace with actual Mermaid diagram showing the components this plan modifies,
+their relationships, and the data flow between them.*
+
+## Codebase Analysis
+
+- **Tech stack:** {languages, frameworks, build tools}
+- **Key patterns:** {architecture patterns, conventions observed}
+- **Relevant files:** {paths to files that will be read or modified}
+- **Reusable code:** {existing functions, utilities, abstractions to leverage}
+- **External tech (researched):** {technologies that were looked up via research-scout}
+- **Recent git activity:** {relevant recent commits, active branches, code ownership}
+
+## Research Sources
+
+*Omit this section when no external research was conducted.*
+
+| Technology | Source | Key Findings | Confidence |
+|-----------|--------|--------------|------------|
+| {name}    | {URL}  | {summary}    | {high/med/low} |
+
+## Implementation Plan
+
+Each step targets 1–2 files and one focused change. Steps follow TDD structure
+when the project has tests.
+
+### Step 1: {description}
+
+- **Files:** `path/to/file.ts`
+- **Changes:** {exactly what to modify — no placeholders, no "update as needed"}
+- **Reuses:** {existing function/pattern from codebase, with file path}
+- **Test first:**
+  - File: `path/to/test.ts` *(existing | new)*
+  - Verifies: {what the test checks}
+  - Pattern: `path/to/existing-test.ts` *(follow this style)*
+- **Verify:** `{exact command}` → expected: `{output}`
+- **On failure:** {revert | retry | skip | escalate} — {specific instructions}
+- **Checkpoint:** `git commit -m "{conventional commit message}"`
+
+### Step 2: {description}
+
+- **Files:** `path/to/file.ts`
+- **Changes:** {exactly what to modify}
+- **Reuses:** {existing function/pattern}
+- **Test first:**
+  - File: `path/to/test.ts` *(existing | new)*
+  - Verifies: {what the test checks}
+  - Pattern: `path/to/existing-test.ts`
+- **Verify:** `{exact command}` → expected: `{output}`
+- **On failure:** {revert | retry | skip | escalate} — {specific instructions}
+- **Checkpoint:** `git commit -m "{conventional commit message}"`
+
+*For projects without tests: omit "Test first" and keep "Verify" with a
+concrete command (e.g., run the app, check output, curl an endpoint).*
+
+### Failure recovery rules
+
+- **On failure: revert** — undo this step's changes (`git checkout -- {files}`), do NOT proceed
+- **On failure: retry** — attempt once more with the alternative approach described, then revert if still failing
+- **On failure: skip** — this step is non-critical; continue to next step and note the skip
+- **On failure: escalate** — stop execution entirely; the issue requires human judgment
+- **Checkpoint** — after each step succeeds, commit changes so subsequent failures cannot corrupt completed work
+
+## Alternatives Considered
+
+| Approach | Pros | Cons | Why rejected |
+|----------|------|------|--------------|
+| {name}   | ...  | ...  | ...          |
+
+## Test Strategy
+
+- **Framework:** {test framework and runner}
+- **Existing patterns:** {how tests are structured in this codebase}
+- **New tests in this plan:** {N} tests across {N} steps
+
+### Tests to write
+
+| Type | File | Verifies | Model test |
+|------|------|----------|------------|
+| Unit | `path/to/test` | {what it tests} | `path/to/existing-test` |
+
+*For projects without tests: describe manual verification approach instead.*
+
+## Risks and Mitigations
+
+| Priority | Risk | Location | Impact | Mitigation |
+|----------|------|----------|--------|------------|
+| {Critical/High/Medium/Low} | {description} | `file:line` | {what happens} | {how to handle} |
+
+## Assumptions
+
+*Things the planner could not verify from codebase or research. Each assumption
+is a risk — review before executing.*
+
+| # | Assumption | Why unverifiable | Impact if wrong |
+|---|-----------|-----------------|-----------------|
+| 1 | {what we assumed} | {why we couldn't check} | {what breaks} |
+
+*If this list has 3+ items, the plan may need additional investigation
+before execution.*
+
+## Verification
+
+End-to-end checks that prove the plan was implemented correctly.
+
+- [ ] `{exact command}` → expected: `{exact output or behavior}`
+- [ ] `{exact command}` → expected: `{exact output or behavior}`
+
+## Estimated Scope
+
+- **Files to modify:** {N}
+- **Files to create:** {N}
+- **Complexity:** {low | medium | high}
+
+## Execution Strategy
+
+*Include this section when the plan has more than 5 implementation steps.
+Omit for small plans (≤ 5 steps) — ultraexecute will run them sequentially
+in a single session.*
+
+*The execution strategy groups steps into sessions and organizes sessions
+into waves. Sessions in the same wave can run in parallel. Sessions in
+later waves depend on earlier waves completing first.*
+
+### Session 1: {title}
+- **Steps:** {step numbers, e.g., 1, 2, 3}
+- **Wave:** {wave number}
+- **Depends on:** {session numbers, or "none"}
+- **Scope fence:**
+  - Touch: {files this session may modify}
+  - Never touch: {files reserved for other sessions}
+
+### Session 2: {title}
+- **Steps:** {step numbers}
+- **Wave:** {wave number}
+- **Depends on:** {session numbers, or "none"}
+- **Scope fence:**
+  - Touch: {files}
+  - Never touch: {files}
+
+### Execution Order
+
+- **Wave 1:** {session list} (parallel)
+- **Wave 2:** {session list} (after Wave 1)
+
+### Grouping rules applied
+
+- Steps sharing files → same session
+- Steps in independent modules → separate sessions (parallelizable)
+- 3–5 steps per session (target)
+- Sessions ordered by dependency, waves by independence
+
+## Plan Quality Score
+
+| Dimension | Weight | Score | Notes |
+|-----------|--------|-------|-------|
+| Structural integrity | 0.15 | {0–100} | {step ordering, dependencies} |
+| Step quality | 0.20 | {0–100} | {granularity, specificity, TDD} |
+| Coverage completeness | 0.20 | {0–100} | {spec → steps, no gaps} |
+| Specification quality | 0.15 | {0–100} | {no placeholders, clear criteria} |
+| Risk & pre-mortem | 0.15 | {0–100} | {failure modes addressed} |
+| Headless readiness | 0.15 | {0–100} | {On failure + Checkpoint per step} |
+| **Weighted total** | **1.00** | **{score}** | **Grade: {A/B/C/D}** |
+
+**Adversarial review:**
+- **Plan critic:** {verdict — findings count by severity, key issues}
+- **Scope guardian:** {verdict — ALIGNED / CREEP / GAP / MIXED}
+
+## Revisions
+
+*Added by adversarial review. Omit if no revisions were needed.*
+
+| # | Finding | Severity | Resolution |
+|---|---------|----------|------------|
+| 1 | {what was wrong} | {blocker/major/minor} | {how it was fixed} |

plugins/ultraplan-local/templates/session-spec-template.md

@@ -0,0 +1,65 @@
+# Session {N}: {title}
+
+> From master plan: {plan file path}
+> Session {N} of {total sessions}
+
+## Context
+
+{Why this session exists. What it accomplishes within the larger plan.
+Include enough background that an executor with no prior context can understand
+the purpose and make judgment calls.}
+
+## Dependencies
+
+- **Depends on:** {Session M | "none — can run in parallel"}
+- **Blocks:** {Session P | "none"}
+- **Entry condition:** {what must be true before this session starts — e.g., "Session 2 committed and tests pass"}
+
+## Scope Fence
+
+- **Touch:** {explicit list of files this session may create or modify}
+- **Never touch:** {files that belong to other sessions — hard boundary}
+
+## Steps
+
+### Step 1: {description}
+
+- **Files:** `{path}`
+- **Changes:** {exactly what to modify}
+- **Reuses:** {existing function/pattern, with file path}
+- **Test first:** {test file, what it verifies, pattern to follow}
+- **Verify:** `{exact command}` → expected: `{output}`
+- **On failure:** {revert | retry | skip | escalate} — {specific instructions}
+- **Checkpoint:** `git commit -m "{message}"`
+
+### Step 2: {description}
+
+{same structure as Step 1}
+
+## Exit Condition
+
+All of these must pass before this session is considered complete:
+
+- [ ] `{verification command}` → expected: `{output}`
+- [ ] `{verification command}` → expected: `{output}`
+- [ ] All changes committed with descriptive messages
+- [ ] No uncommitted changes remain (`git status` clean)
+
+## Failure Handling
+
+- If ANY step fails after retry: **stop execution**. Do NOT proceed to later steps.
+- Commit whatever was completed successfully before stopping.
+- Report which step failed, the error message, and what was attempted.
+
+## Handoff State
+
+{What the next session (or final verification) needs to know about this session's
+output. Include: new files created, exports added, configuration changed, APIs
+introduced. This section bridges sessions — it's the "baton" in a relay race.}
+
+## Metadata
+
+- **Master plan:** `{plan file path}`
+- **Steps from plan:** {step N}–{step M}
+- **Estimated complexity:** {low | medium | high}
+- **Model recommendation:** {opus | sonnet} — {rationale}

plugins/ultraplan-local/templates/spec-template.md

@@ -0,0 +1,64 @@
+# Task: {title}
+
+## Goal
+
+What success looks like. One clear paragraph.
+
+## Non-Goals
+
+What is explicitly out of scope for this task.
+
+- {non-goal 1}
+- {non-goal 2}
+
+## Constraints
+
+Technical, time, or resource limitations.
+
+- {constraint 1}
+- {constraint 2}
+
+## Preferences
+
+Preferred patterns, frameworks, libraries, or approaches.
+
+- {preference 1}
+- {preference 2}
+
+## Non-Functional Requirements
+
+Performance, security, accessibility, scalability, or other quality attributes.
+
+- {NFR 1}
+- {NFR 2}
+
+## Success Criteria
+
+Falsifiable conditions that define "done". Each must be checkable by running a
+command or observing a specific system behavior.
+
+- {criterion — e.g., "All existing tests pass: `npm test` exits 0"}
+- {criterion — e.g., "New endpoint returns 200: `curl -s localhost:3000/api/health | jq .status` → "ok""}
+- {criterion — e.g., "No TypeScript errors: `npx tsc --noEmit` exits 0"}
+
+Do NOT write vague criteria:
+- "It should work" (not testable)
+- "The feature is implemented" (not falsifiable)
+- "Performance is acceptable" (no baseline given)
+
+## Prior Attempts
+
+What has been tried before and what happened. Leave blank if this is a fresh task.
+
+## Open Questions
+
+Unresolved items that may affect the plan. Flag these as assumptions if proceeding
+without answers.
+
+- {question 1}
+
+## Metadata
+
+- **Created:** {YYYY-MM-DD}
+- **Mode:** {interview | manual}
+- **Source:** {ultraplan interview | user-provided}