diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 53e2f25..e0561fb 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -12,52 +12,92 @@ "plugins": [ { "name": "llm-security", - "source": "./plugins/llm-security", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/llm-security.git", + "ref": "v7.8.0" + }, "description": "Security scanning, auditing, and threat modeling for Claude Code projects. OWASP LLM Top 10 (2025) and Agentic AI Top 10." }, { "name": "config-audit", - "source": "./plugins/config-audit", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/config-audit.git", + "ref": "v5.12.5" + }, "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine" }, { "name": "voyage", - "source": "./plugins/voyage", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/voyage.git", + "ref": "v5.9.1" + }, "description": "Voyage — brief, research, plan, execute, review, continue. Contract-driven Claude Code pipeline with specialized agent swarms, external research triangulation, adversarial review, post-hoc independent review with Handover 6 feedback loop, multi-session resumption, session decomposition, and headless execution. /trekbrief, /trekplan, and /trekreview each end by building a self-contained operator-annotation HTML (scripts/annotate.mjs, modelled on claude-code-100x): pencil-toggle annotation mode, select text or click any element, pick intent (Fiks/Endre/Spørsmål), comment, Copy Prompt, paste back, Claude revises the .md." }, { - "name": "linkedin-thought-leadership", - "source": "./plugins/linkedin-thought-leadership", - "description": "Build LinkedIn thought leadership with algorithmic understanding, strategic consistency, and authentic engagement. Updated for the January 2026 360Brew algorithm change." + "name": "linkedin-studio", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/linkedin-studio.git", + "ref": "v0.5.3" + }, + "description": "LinkedIn Studio — a full-spectrum LinkedIn content engine: feed posts, carousels, video scripts, and long-form newsletter editions, built on algorithmic understanding, strategic consistency, and authentic engagement. Aligned to LinkedIn's 2026 topic-relevance ranking model." }, { "name": "graceful-handoff", - "source": "./plugins/graceful-handoff", - "description": "Produce session-handoff artifacts, commit and push pending work, and print a copy-paste prompt for the next session. Designed for context-constrained models like Opus 4.7." + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/graceful-handoff.git", + "ref": "v3.1.0" + }, + "description": "One-command session handoff into the STATE.md continuity system. At a natural stopping point, overwrites the nearest STATE.md with a complete state-of-play (mandatory '👉 NEXT — START HERE' block) and commits per remote policy. Skill-only, no hooks." }, { "name": "ai-psychosis", - "source": "./plugins/ai-psychosis", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/ai-psychosis.git", + "ref": "v1.2.1" + }, "description": "Meta-awareness tools for healthy AI interaction patterns. Detects reinforcement loops, scope escalation, narrative crystallization, and other compulsive patterns." }, { "name": "ms-ai-architect", - "source": "./plugins/ms-ai-architect", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/ms-ai-architect.git", + "ref": "v1.17.0" + }, "description": "Microsoft AI Solution Architect — structured architecture guidance for the full Microsoft AI stack." }, { "name": "okr", - "source": "./plugins/okr", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/okr.git", + "ref": "v1.6.1" + }, "description": "Expert OKR guidance for Norwegian public sector. Write, review, cascade, track and govern OKR based on Google/Doerr methodology adapted for 4-month tertial cycles." }, { "name": "human-friendly-style", - "source": "./plugins/human-friendly-style", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/human-friendly-style.git", + "ref": "v1.1.0" + }, "description": "Shared Claude Code output style for the ktg-plugin-marketplace. Plain-language tone — explains what and why, hides paths/JSON/stack traces by default, matches the user's language." }, { "name": "claude-design", - "source": "./plugins/claude-design", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/claude-design.git", + "ref": "v0.1.0" + }, "description": "End-to-end facilitator for prompting Claude Design (claude.ai/design) — idea to copy-paste-ready prompt with iteration coaching, citing Anthropic primary sources." } ] diff --git a/.gitignore b/.gitignore index 2d32098..08bc342 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ REMEMBER.md TODO.md ROADMAP.md +STATE.md *.local.md # Per-plugin session directories (plans, research, execution progress) diff --git a/.gitleaksignore b/.gitleaksignore index d47ea0b..7860f5c 100644 --- a/.gitleaksignore +++ b/.gitleaksignore @@ -2,4 +2,4 @@ plugins/llm-security/examples/malicious-skill-demo/evil-project-health/lib/telemetry.mjs:generic-api-key:18 # False positive: word "conversational" matches linkedin-client-id entropy pattern -plugins/linkedin-thought-leadership/hooks/prompts/content-quality-gate.md:linkedin-client-id:14 +plugins/linkedin-studio/hooks/prompts/content-quality-gate.md:linkedin-client-id:14 diff --git a/CLAUDE.md b/CLAUDE.md index af11fc2..1137bc9 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,72 +1,39 @@ -# ktg-plugin-marketplace +# ktg-plugin-marketplace (catalog) -Open-source Claude Code plugin marketplace. Solo project by Kjell Tore Guttormsen. +Catalog repository for the ktg-plugin-marketplace. After the polyrepo migration this repo hosts only +the marketplace manifest and the catalog-level docs; every plugin and the shared design-system live in +their own Forgejo repositories under `https://git.fromaitochitta.com/open/`. -## Repo-struktur +## What lives here -``` -plugins/ - ai-psychosis/ v1.0.0 — Interaction awareness (sycophancy, reinforcement loops) - config-audit/ v3.1.0 — Configuration intelligence (health, opportunities, auto-fix, whats-active) - graceful-handoff/ v2.1.0 — Auto-trigger handoff via Stop hook (skill + JSON pipeline + 4-step model-aware context resolution) - linkedin-thought-leadership/ v1.2.0 — LinkedIn content pipeline + analytics - llm-security/ v7.7.2 — Security scanning, auditing, threat modeling. HTML report output for all 18 skill commands (render-report CLI + canonical ESM module mirrored bit-identical into the playground). v7.7.2 translated the remaining Norwegian surface text in the playground UI, the canonical renderer, the agent prompts, and the README/CLAUDE.md state sections to English. v7.7.1 stripped the playground to the catalog as the only routable surface. - ms-ai-architect/ v1.15.0 — Microsoft AI architecture (Cosmo Skyberg persona) + manual KB-refresh slash command + v3 project-view (sidebar med 17 artifacts + main + import-modal overlay, v2-surface fjernet i v1.15.0) - okr/ v1.0.0 — OKR guidance for Norwegian public sector - voyage/ v5.0.3 — Brief, research, plan, execute, review, continue. Contract-driven Claude Code pipeline (six-command universal pipeline + multi-session resumption + --gates autonomy chain). /trekbrief, /trekplan, and /trekreview each end by running scripts/annotate.mjs against the just-written .md and printing the file:// link to a self-contained operator-annotation HTML modelled on claude-code-100x/build-site.js: pencil-toggle annotation mode, select text or click any element, choose intent (Fiks/Endre/Spørsmål), comment, sidebar groups by section with delete + Copy Prompt, localStorage persistence per artifact path. v5.0.0 removed the v4.2/v4.3 bespoke playground + /trekrevise + Handover 8; v5.0.1 pointed at /playground document-critique (wrong direction); v5.0.2 was operator-led but too thin; v5.0.3 matches the reference the operator pointed at from day one. +- `.claude-plugin/marketplace.json` — the marketplace manifest (plugin entries point at external repos) +- `README.md` — the landing/catalog page +- `CONVENTIONS.md` — marketplace-wide conventions inherited by every plugin repo +- `GOVERNANCE.md` — governance + fork-and-own model +- `.mailmap`, `.gitleaks.toml`, `.gitleaksignore` — shared git-hygiene baselines -shared/ - playground-design-system/ v0.6.0 — Aksel/Digdir-aligned CSS design system + JSON schemas + self-hosted Inter/JetBrains Mono/Source Serif 4 fonts. Tier 1 base + Tier 2 + Tier 3 wave 1+2 (20 components) + Tier 4 project-view-arketype (v0.6.0 — sidebar + main + import-modal overlay). Consumed by ms-ai-architect, okr, llm-security, voyage, config-audit. - playground-examples/ — Reference scenarios (ROS-Lier, OKR-Bærum, security-Direktorat) + showcase landing + 12 isolated Tier 3 wave 2 component demos under components/ -``` +## Catalog maintenance -Hvert plugin er selvstendig med egen CLAUDE.md, README, hooks, agents og commands. `shared/` inneholder marketplace-nivå infrastruktur som flere plugins bygger på. - -## Konvensjoner - -- **Språk:** Norsk dialog, engelsk kode/docs -- **Commits:** Conventional Commits — `type(scope): description` -- **Git:** Forgejo (`git.fromaitochitta.com/open/ktg-plugin-marketplace`). Aldri GitHub. -- **Hooks:** Alltid Node.js (.mjs), aldri bash. Cross-platform. -- **Avhengigheter:** Null npm dependencies i hooks/scannere. `node:test` for tester. -- **Bidrag:** Issues velkommen som signaler. PRs ikke akseptert. Fork-and-own er anbefalt adopsjonsmodell — se `GOVERNANCE.md`. -- **Lisens:** MIT, alle plugins -- **Docs ved endring (OBLIGATORISK):** Enhver feature-endring som pusher til Forgejo MÅ oppdatere alle tre doc-nivåer i SAMME commit eller umiddelbart etter: - 1. Plugin `README.md` — detaljert dokumentasjon av endringen - 2. Plugin `CLAUDE.md` — arkitektur/oversikt - 3. Rot-`README.md` — marketplace-landingssiden (`git.fromaitochitta.com/open/ktg-plugin-marketplace`) -- **Playground-oppdatering:** Ved endring av plugin playground HTML eller delt design-system, følg prosedyren i `shared/PLAYGROUND-MAINTENANCE.md` (4 spor: HTML-endring, DS-endring, screenshots, release). - -## Sesjonsfiler (lokale, gitignored) - -Alle plugins + root har: -- `REMEMBER.md` — Sesjonsstatus, sist gjort, viktige beslutninger -- `TODO.md` — Nærliggende oppgaver (1-4 uker) -- `ROADMAP.md` — Langsiktig retning (kvartal/halvår) - -Disse trackes IKKE i git. Oppdater ved sesjonsslutt. - -## Arbeidsflyt - -1. `cd` til riktig plugin-mappe -2. Les pluginets CLAUDE.md for kontekst -3. Les REMEMBER.md og TODO.md for sesjonsstatus -4. Jobb innenfor scope -5. Oppdater REMEMBER.md ved avslutning - -## Communication patterns - -### Linking to local files - -When pointing to local files in responses, always use markdown link syntax with a descriptive name: - -- Use `[Human-friendly name](file:///absolute/path)` — never bare `file:///...` URLs or autolinks ``. -- Always use absolute paths. Never `~/` or relative paths. -- For multiple files, render as a bullet list of named markdown links. - -Why: bare `file://` URLs only render the first as clickable across multiple lines. Named markdown links make each entry independently clickable and look cleaner. - -Example: - -- [Brief](file:///Users/ktg/.../brief.html) -- [Research summary](file:///Users/ktg/.../research/summary.md) +- Marketplace conventions: see CONVENTIONS.md. +- Adding/updating a plugin entry: edit `.claude-plugin/marketplace.json` (external `source: "url"` with + a pinned `ref`) and re-state the plugin in README.md with its verified version. +- Plugin source, issues, and releases live in each plugin's own repository — not here. +- **Releasing a plugin (canonical path — `scripts/release-plugin.mjs`):** since the polyrepo split, + a release is a TWO-repo act — tag the plugin repo AND bump the catalog `ref`. Forgetting the second + step strands users on the old version (the exact drift this helper exists to prevent). Run + `node scripts/release-plugin.mjs [--version X.Y.Z]` — dry-run by default; it REFUSES unless + `plugin.json` == README badge == the target version AND the `vX.Y.Z` tag exists, then prints the + planned bump. Apply with `--write [--commit] [--push]`; `--create-tag` mints+pushes a missing plugin + tag first. On `--write` it bumps the catalog `ref` AND the catalog README's per-plugin `` `vX.Y.Z` `` + label together (and `git add`s both on `--commit`). Because it only moves both to a verified, tagged, + consistent version, `check-versions.mjs` is green by construction. Never hand-edit a `ref` or a + README label for a release — use this. Pure planner + label reconciler covered by + `scripts/release-plugin.test.mjs`. +- **Version-consistency gate:** run `node scripts/check-versions.mjs` before committing any `ref` + change. For each plugin it checks (against the sibling repo) that the catalog `ref` resolves to a + real git tag (ERROR if dangling — breaks install), that `plugin.json` version == README + version-badge (ERROR), that the catalog README's per-plugin `` `vX.Y.Z` `` label == the catalog + `ref` (ERROR — the human-facing doc must not misstate the installed version), and that the catalog + `ref` matches `plugin.json` version (WARN — catalog lags or an unreleased bump). Exit 1 on any + ERROR; `--strict` also fails on WARN. Pure-function core covered by + `scripts/check-versions.test.mjs` (`node --test scripts/check-versions.test.mjs`). diff --git a/CONVENTIONS.md b/CONVENTIONS.md new file mode 100644 index 0000000..571e5c5 --- /dev/null +++ b/CONVENTIONS.md @@ -0,0 +1,19 @@ +# Conventions — ktg-plugin-marketplace catalog + +> Extracted from the marketplace CLAUDE.md (D6). These are the marketplace-wide conventions +> every plugin repo inherits under fork-and-own. See GOVERNANCE.md for the governance model. + +## Konvensjoner + +- **Språk:** Norsk dialog, engelsk kode/docs +- **Commits:** Conventional Commits — `type(scope): description` +- **Git:** Forgejo-org `git.fromaitochitta.com/open/` — hvert plugin/design-system er sitt eget repo (`open/`), katalogen er `open/ktg-plugin-marketplace`. Aldri GitHub. +- **Hooks:** Alltid Node.js (.mjs), aldri bash. Cross-platform. +- **Avhengigheter:** Null npm dependencies i hooks/scannere. `node:test` for tester. +- **Bidrag:** Issues velkommen som signaler. PRs ikke akseptert. Fork-and-own er anbefalt adopsjonsmodell — se `GOVERNANCE.md`. +- **Lisens:** MIT, alle plugins +- **Docs ved endring (OBLIGATORISK):** Enhver feature-endring som pusher til Forgejo MÅ oppdatere dokumentasjonen. Etter polyrepo-splittet er dette to nivåer i to repo: + 1. **I plugin-repoet** (SAMME commit): `README.md` (detaljert dokumentasjon av endringen) + `CLAUDE.md` (arkitektur/oversikt) + 2. **I katalog-repoet** (`open/ktg-plugin-marketplace`), ved versjonsbump eller endret entry: oppdater `README.md`-landingssiden og `ref` i `.claude-plugin/marketplace.json` (egen commit i katalog-repoet) +- **Playground / design-system:** Playground-HTML er vendored inn i hvert plugin-repo under `playground/vendor/playground-design-system/`. Endringer i det delte design-systemet gjøres i `open/playground-design-system`, tagges der, og re-vendres deretter inn i hver konsument (llm-security, ms-ai-architect, config-audit, okr, voyage). + diff --git a/README.md b/README.md index 0f4df4e..82e4915 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,7 @@ Open-source Claude Code plugins for AI-assisted development, security, and plann Built for my own Claude Code workflow and shared openly for anyone who finds them useful. Solo-maintained, AI-assisted, fork-and-own. Issues are welcome as signals; pull requests are not accepted. See [GOVERNANCE.md](GOVERNANCE.md) for what upstream provides and how this is meant to be used. -## AI-generated code disclosure - -All code in this marketplace is generated by Claude Code through a dialog-based process. I direct, review, test, and validate; Claude writes. Every commit reflects this — treat the plugins as AI-authored, human-curated. +All code here is generated by Claude Code through a dialog-based process: I direct, review, test, and validate; Claude writes. Treat the plugins as AI-authored, human-curated. ## Installation @@ -14,297 +12,181 @@ All code in this marketplace is generated by Claude Code through a dialog-based claude plugin marketplace add https://git.fromaitochitta.com/open/ktg-plugin-marketplace.git ``` -Then open Claude Code and type `/plugin` to browse and install plugins from the marketplace. +Then open Claude Code and type `/plugin` to browse and install. Works with the Claude Code CLI, desktop app, and IDE extensions on macOS, Linux, and Windows. No external dependencies. -## Compatibility - -- Claude Code CLI, desktop app, and IDE extensions -- macOS, Linux, Windows -- No external dependencies (all scanners and hooks are self-contained) +Each plugin keeps its own full README and CHANGELOG; this page is just the catalog. --- ## Plugins -### [LLM Security](plugins/llm-security/) `v7.7.2` +### [LLM Security](https://git.fromaitochitta.com/open/llm-security) `v7.8.0` -Security scanning, auditing, and threat modeling for agentic AI projects. +Security scanning, auditing, and threat modeling for agentic AI projects. Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and Google DeepMind's AI Agent Traps taxonomy. -Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Traps taxonomy (Google DeepMind, 2025). Three layers of protection: +- **Automated enforcement** — 9 hooks block prompt injection, secrets in code, destructive commands, and supply-chain risks in real time +- **Deterministic scanning** — 26 Node.js scanners for entropy, Unicode codepoints, typosquatting, taint flow, git forensics, AI-BOM, trigger/signature/AST-taint, and IDE-extension prescan (VS Code + JetBrains) +- **Advisory analysis** — 20 commands that scan, audit, and model threats with letter-graded reports and remediation +- **Enterprise governance** — EU AI Act / NIST AI RMF / ISO 42001 mapping, SARIF 2.1.0 output, policy-as-code, standalone CLI -- **Automated enforcement** — 9 hooks that block dangerous operations in real time (prompt injection, secrets in code, destructive commands, supply chain guardrails, transcript scanning before context compaction) -- **Deterministic scanning** — 23 Node.js scanners (10 orchestrated + 13 standalone) for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM, attack simulation, IDE extension prescan (VS Code + JetBrains — URL fetch from Marketplace / OpenVSX / direct VSIX / JetBrains Marketplace, hardened ZIP extractor for zip-slip / symlinks / bombs, plus OS sandbox via `sandbox-exec` / `bwrap` so the kernel enforces FS confinement), MCP cumulative-drift baseline reset (E14 — sticky baseline catches slow-burn rug-pulls). Bash-normalize T1-T6 for obfuscation-resistant denylists -- **Advisory analysis** — 20 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation -- **Enterprise governance** — Compliance mapping (EU AI Act, NIST AI RMF, ISO 42001), SARIF 2.1.0 output, structured audit trail, policy-as-code, standalone CLI -- **v7.7.2 language consistency pass (2026-05-19)** — Norwegian had crept into surface text across v7.5-v7.7. Per the `~/.claude/CLAUDE.md` convention (English for code and documentation, Norwegian for dialog only), this release translates the HTML Report-step in all 18 skill commands, the canonical CLI renderer `scripts/lib/report-renderers.mjs`, the playground UI strings, the skill-scanner and mcp-scanner agent prompts, the marketplace + plugin README/CLAUDE.md state sections, and six table cells in `docs/scanner-reference.md`. Demo-state fixture content for the `dft-komplett-demo` project (intentional Norwegian persona) and regex alternations that match Norwegian-language report markdown (`/^high\|^høy/`, `/resolution\|løsning/`) were preserved. No scanner, hook, or behavior changes — purely surface text -- **v7.7.1 playground UX strip (2026-05-18)** — Operator feedback immediately after v7.7.0: the catalog became the only routable surface in the playground (the onboarding/home/project render functions remain in source but are not routable). Topbar simplified to a `Catalog` button + state/theme actions. Breadcrumb org-name replaced with a neutral `llm-security`. The onboarding concept (per-command context injection) is documented as a v7.8.0 candidate in ROADMAP. No scanner or hook behavior changes -- **v7.7.0 HTML report for all 18 skill commands (2026-05-18)** — Every `/security ` that produces a report now prints a clickable `file://` link to a self-contained HTML version. Delivered across five sessions: (1) playground catalog list-view + builder-pane with a copy button; (2) playground project-surface cleanup (stub-screen + topbar split); (3) the 18 inline parsers + renderers moved to a canonical ESM module `scripts/lib/report-renderers.mjs` (the playground keeps a bit-identical inline copy since ESM `import` does not work from `file://`); (4) new zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout mode, kebab→camel commandId routing, inlines 6 DS stylesheets, ~140 KB self-contained HTML with system-font fallback, absolute `file://` paths for Ghostty cmd-click; (5) all 18 skills wired (4 in session 4 + 14 in session 5). No scanner or hook behavior changes — purely additive -- **v7.6.1 playground visual patch (2026-05-06)** — Six bugs caught by the maintainer during manual browser verification after the v7.6.0 release. All were mismatches between DS classes and how playground renderers used them (or missing DS implementations the renderers assumed existed): `renderFindingsBlock` used the `.findings` outer class (the DS 2-column list+detail grid) → replaced with `
` + the correct `findings__list` pattern; `.report-table` was missing entirely from the DS but used in 7+ renderers → local CSS implementation; `renderPreDeploy` traffic-lights used the fixed 28×28 px `.sm-card__grade` for "PASS"/"PASS-WITH-NOTES"/"FAIL" → width-adapting status pill; threat-model matrix bubbles were not clickable → `