VSIX fetch + extract for URL targets now runs in a sub-process wrapped by
sandbox-exec (macOS) or bwrap (Linux), reusing the same primitives proven
by the v5.1 git-clone sandbox. Defense-in-depth — even if our own
zip-extract.mjs ever has a bypass, the kernel refuses any write outside
the per-scan temp directory.
New files:
- scanners/lib/vsix-fetch-worker.mjs — sub-process worker. Argv: --url
--tmpdir; emits one JSON line on stdout (ok/sha256/size/source/extRoot
or ok:false/error/code). Silent on stderr. Exit 0/1.
- scanners/lib/vsix-sandbox.mjs — wrapper. Exports buildSandboxProfile,
buildBwrapArgs, buildSandboxedWorker, runVsixWorker. 35s timeout, 1 MB
stdout cap.
Changes:
- scanners/ide-extension-scanner.mjs: fetchAndExtractVsixUrl is now
sandbox-aware (useSandbox option, default true). In-process logic
preserved as fallback. New meta.source.sandbox field:
'sandbox-exec' | 'bwrap' | 'none' | 'in-process'.
- scan(target, { useSandbox }) defaults to true; tests pass false because
globalThis.fetch mocks do not cross process boundaries.
- Windows fallback: in-process with meta.warnings advisory.
Tests:
- 8 new tests in tests/scanners/vsix-sandbox.test.mjs (per-platform
profile generation, worker arg construction, live worker exit
behavior on invalid URLs — no network).
- Existing URL tests updated to opt out of sandbox (useSandbox: false).
- 1344 → 1352 tests, all green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pre-installation verification of VS Code extensions via URL — fetch a remote
VSIX, extract it in a hardened sandbox, and run the existing IDE scanner
pipeline against it. No npm dependencies.
Sources:
- VS Code Marketplace (publisher.gallery.vsassets.io direct download)
- OpenVSX (open-vsx.org official API)
- Direct .vsix HTTPS URLs
Defenses:
- HTTPS-only, TLS verified, manual redirect with per-source host whitelist
- 30s total timeout via AbortController
- 50MB compressed cap, 500MB uncompressed, 100x expansion ratio
- Zero-dep ZIP extractor: zip-slip, absolute paths, drive letters, NUL bytes,
symlinks (Unix mode 0xA000), depth limits, ZIP64 rejected, encrypted rejected
- SHA-256 streamed during fetch, surfaced in meta.source
- Temp dir cleanup in all paths (try/finally)
Files:
- scanners/lib/vsix-fetch.mjs (HTTPS fetcher, host whitelist, streaming SHA-256)
- scanners/lib/zip-extract.mjs (zero-dep parser with hardening caps)
- knowledge/marketplace-api-notes.md (endpoint reference)
- 3 test files (48 tests added: vsix-fetch, zip-extract, ide-extension-url)
Tests: 1296 → 1344 (all green).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Masks non-empty '...' content before T5/T2-T4 run so literal strings such
as `echo '${IFS}'` are not rewritten. Empty '' pairs are stripped first
so c''u''rl -> curl evasion keeps resolving. ANSI-C $'...' is decoded
before masking.
Caught by the false-positive probe added in Step 3 of ultraplan-v6.2.0.
New read-only command that shows everything Claude Code actually loads for a
given repo — plugins, skills, MCP servers, hooks, CLAUDE.md cascade — with
source attribution (user/project/plugin) and rough token estimates. Helps
identify candidates for disabling without guessing.
Added:
- scanners/lib/active-config-reader.mjs — pure async helper: readActiveConfig,
detectGitRoot, walkClaudeMdCascade, readClaudeJsonProjectSlice (longest-prefix
matching for .claude.json projects), enumeratePlugins, enumerateSkills,
readActiveHooks, readActiveMcpServers, estimateTokens (markdown 4 c/tok,
json 3.5 c/tok, frontmatter cap 150 tokens, item flat 15)
- scanners/whats-active.mjs — thin CLI shim: --json, --output-file, --verbose,
--suggest-disables
- commands/whats-active.md — renders tables via Read tool; honors UX rules
- tests/lib/active-config-reader.test.mjs — 36 tests, all green (integration
fixture built in tmpdir with fake HOME, .claude.json prefix matching,
plugin discovery, hook/MCP merge from all scopes)
Verified:
- Performance budget: <2s wall-clock (smoke test: 102ms on real repo)
- Token estimates within ±20% of hand-computed values
- Read-only: no writeFile/mkdir/unlink in production code
- Self-audit: Plugin Health scanner reports 0 findings (Grade A)
- Full test suite: 522 tests, 512 pass (10 pre-existing conflict-detector
failures on main — unrelated to this change, reproducible on clean HEAD)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wave 1 of a 6-session parallel build revealed three failure modes:
(1) hallucinated completion (status=completed after 2/5 steps, last
tool call was an arbitrary file review), (2) fail-late bash (3/6
sessions had push blocked inside sub-agent sandbox after all work
was done), (3) no objective verification (plans were prose).
v1.7 closes all three by making the plan an executable contract.
Per-step YAML manifest (expected_paths, commit_message_pattern,
bash_syntax_check, forbidden_paths, must_contain) is the objective
completion predicate. Plan-critic dimension 10 (Manifest quality)
is a hard gate. Session decomposer propagates manifests verbatim
and emits an obligatory Step 0 pre-flight (git push --dry-run,
exit 77 sentinel) in every session spec.
ultraexecute-local gets Phase 7.5 (independent manifest audit from
git log + filesystem, ignoring agent bookkeeping) and Phase 7.6
(bounded recovery dispatch, recovery_depth ≤ 2). Hard Rule 17
forbids marking a step passed without manifest verification. Hard
Rule 18 forbids ending on an arbitrary tool call before reporting.
Division of labor is made explicit:
- /ultraresearch-local gathers context (no build decisions)
- /ultraplan-local produces an executable contract (manifests,
plan-critic gate)
- /ultraexecute-local executes disciplined (does NOT compensate
for weak plans — escalates)
Code complete. Docs partial (Arbeidsdeling table + manifest section
added to plugin + marketplace READMEs). Verification tests
(10-sequence) pending — see REMEMBER.md.
Backward compat: v1.6 plans without plan_version marker get
legacy mode with synthesized manifests and legacy_plan: true in
progress file. Plan-critic emits advisory, not block.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Version bump v1.1.0 → v1.2.0 across all docs (CLAUDE.md, README.md,
root README.md, plugin.json, CHANGELOG.md). Documents new scripts
(state-updater, clipboard-helper, ical-generator), reduced interactive
steps, auto-clipboard, progressive onboarding, and MCP carousel pipeline.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds pruneContentHistory call to session-start.mjs after week rollover.
Uses dynamic import() for state-updater.mjs. Non-critical: silently
skipped on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pure functions for post tracking (streak, week rollover, first_post_date),
content history pruning, and follower count updates. 19 tests green.
Follows week-rollover.mjs pattern (pure functions) + queue-manager.mjs
pattern (I/O wrapper with atomic writes).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Step 5b in batch.md generates a .ics calendar file from the queue,
giving users 15-minute reminders in their calendar app before each
scheduled post. Supports macOS Calendar, Google Calendar, Outlook.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pure-function iCal generator with CRLF endings, line folding at 75 octets,
VALARM reminders, VTIMEZONE, and special character escaping. 16 tests green.
Standalone CLI mode: node ical-generator.mjs --from-queue --output path.ics
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Text overlay VERIFIED: Nano Banana Pro renders readable text on dark
gradient backgrounds at 3:4 aspect ratio (closest to LinkedIn 4:5).
Header and subtitle both legible. Mermaid Chart available but untested.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
npx llm-security requires npm publishing which hasn't happened.
Updated 3 references to use node bin/llm-security.mjs which works today.
CI templates and docs intentionally kept as-is (designed for future npm).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
quick.md:
- Replace 8-option post type menu with context inference
- Auto-select CTA based on post type
- Remove proactive alternative version offering
- AskUserQuestion: 0 in main flow (was 1 implicit menu)
react.md:
- Auto-select strongest angle instead of 3-option AskUserQuestion
- Replace 6-option refinement AskUserQuestion with plain text options
- Same treatment for comparison path (Step 4b)
- AskUserQuestion: 1 in main flow (multi-URL only, was 3)
pipeline.md:
- Skip ideation ask if topic provided with command invocation
- Auto-propose planned topic without AskUserQuestion
- Inline angle selection (auto-select strongest)
- AskUserQuestion: 2 in main flow (ideation fallback + scheduling, was 3)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Skip topic ask if user provided one with command invocation
- Auto-select strongest angle instead of 3-option AskUserQuestion menu
- Infer format from content type instead of interactive selection
- Present ONE draft without proactive alternative versions
- Replace refinement AskUserQuestion with plain text options
Net result: 0 AskUserQuestion calls in main flow (was 2).
User provides topic → gets ONE draft → clipboard-ready.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Badges, intro, commands, scanner table, Mermaid diagram, directory tree,
and knowledge base section all had counts frozen at v3-v4 era. Updated
to match actual filesystem: 21 scanners (10+11), 18 commands, 16 knowledge
files, 16 posture categories, 1264 tests. Added missing bin/, ci/, docs/
directories and all standalone scanners to directory tree.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds Bash to allowed-tools and clipboard-helper.mjs auto-copy to:
post.md, quick.md, react.md, pipeline.md, first-post.md,
video.md, multiplatform.md, carousel.md.
Each command auto-copies the final post/caption text to clipboard
after presenting the draft. Replaces manual copy-paste instructions
in first-post.md (=== COPY FROM HERE ===) with auto-copy.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TDD: 13 tests written first, then implementation.
Exports copyToClipboard(text) and clipboardAvailable() — never throws.
Supports darwin (pbcopy), win32 (clip), linux (xclip/xsel fallback).
Dual standalone/import mode following personalization-score.mjs pattern.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add threshold-based exit codes (--fail-on <severity>) and compact
output mode (--compact) to scan-orchestrator and CLI. Pipeline
templates for GitHub Actions, Azure DevOps, GitLab CI with SARIF
upload. CI/CD guide with Schrems II/NSM compliance documentation.
npm publish preparation (files whitelist, .npmignore). Policy ci
section for distributable CI defaults. Version 6.1.0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
process.exit() terminates before pipe buffers drain, truncating output
at 64KB when piped through another Node.js process on macOS. Affects
scan-orchestrator (SARIF output) and supply-chain-recheck-cli.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New policy-loader.mjs reads .llm-security/policy.json with deep-merge against
defaults that exactly match existing hardcoded values. Integrated into all 7 hooks:
- pre-prompt-inject-scan: injection.mode (env var still takes precedence)
- post-session-guard: trifecta.mode, window_size, long_horizon_window
- pre-edit-secrets: secrets.additional_patterns
- pre-bash-destructive: destructive.additional_blocked
- pre-write-pathguard: pathguard.additional_protected
- pre-install-supply-chain: supply_chain.additional_blocked_packages
- post-mcp-verify: mcp.volume_threshold_bytes, mcp.trusted_servers
Backward compatible: no policy file = identical behavior to v5.1.0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New audit-trail.mjs writes structured events to LLM_SECURITY_AUDIT_LOG path.
Integrated into post-session-guard at 6 warning emission points: trifecta,
escalation-after-input, data flow, volume threshold, slow-burn, behavioral drift.
No-op when env var not set — zero overhead for existing users.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New sarif-formatter.mjs converts scan envelope to OASIS SARIF 2.1.0 standard.
Maps severity to SARIF levels, findings to results with locations and rules.
scan-orchestrator accepts --format sarif|json (default: json).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extends posture scanner from 13 to 16 categories with three governance/compliance
checks. New categories are advisory (not in CRITICAL_CATEGORIES) — existing Grade A
projects remain Grade A. VERSION bumped to 6.0.0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove file limit (was 10, now processes all critical+high+medium)
- Increase max-turns to 200 and timeout to 60min
- Add medium priority to update filter
- Update README KB note to reflect automated weekly updates
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Additional factual updates from batch 3 research:
- responsible-ai-training-awareness.md: module renamed
"Azure AI Studio" → "Microsoft Foundry" (3 occurrences)
- transparency-documentation-standards.md: ISO/IEC 42001 scope expanded
to include Copilot Studio, Microsoft Foundry, Security Copilot,
GitHub Copilot, Dragon Copilot
- ai-act-compliance-guide.md: same ISO 42001 scope expansion
- human-in-the-loop-oversight.md: AI approval stages in Copilot Studio
(GPT-o3 as AI approver, new Human in the loop connector)
- continuous-improvement-feedback-loops.md: MLflow 3 Feedback vs
Expectation assessment types, Genie Code trace analysis
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
