diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index d39c1cd..53e2f25 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -12,92 +12,52 @@ "plugins": [ { "name": "llm-security", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/llm-security.git", - "ref": "v7.8.2" - }, + "source": "./plugins/llm-security", "description": "Security scanning, auditing, and threat modeling for Claude Code projects. OWASP LLM Top 10 (2025) and Agentic AI Top 10." }, { "name": "config-audit", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/config-audit.git", - "ref": "v5.12.5" - }, + "source": "./plugins/config-audit", "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine" }, { "name": "voyage", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/voyage.git", - "ref": "v5.9.1" - }, + "source": "./plugins/voyage", "description": "Voyage — brief, research, plan, execute, review, continue. Contract-driven Claude Code pipeline with specialized agent swarms, external research triangulation, adversarial review, post-hoc independent review with Handover 6 feedback loop, multi-session resumption, session decomposition, and headless execution. /trekbrief, /trekplan, and /trekreview each end by building a self-contained operator-annotation HTML (scripts/annotate.mjs, modelled on claude-code-100x): pencil-toggle annotation mode, select text or click any element, pick intent (Fiks/Endre/Spørsmål), comment, Copy Prompt, paste back, Claude revises the .md." }, { - "name": "linkedin-studio", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/linkedin-studio.git", - "ref": "v0.6.0" - }, - "description": "LinkedIn Studio — a full-spectrum LinkedIn content engine: feed posts, carousels, video scripts, and long-form newsletter editions, built on algorithmic understanding, strategic consistency, and authentic engagement. Aligned to LinkedIn's 2026 topic-relevance ranking model." + "name": "linkedin-thought-leadership", + "source": "./plugins/linkedin-thought-leadership", + "description": "Build LinkedIn thought leadership with algorithmic understanding, strategic consistency, and authentic engagement. Updated for the January 2026 360Brew algorithm change." }, { "name": "graceful-handoff", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/graceful-handoff.git", - "ref": "v3.1.0" - }, - "description": "One-command session handoff into the STATE.md continuity system. At a natural stopping point, overwrites the nearest STATE.md with a complete state-of-play (mandatory '👉 NEXT — START HERE' block) and commits per remote policy. Skill-only, no hooks." + "source": "./plugins/graceful-handoff", + "description": "Produce session-handoff artifacts, commit and push pending work, and print a copy-paste prompt for the next session. Designed for context-constrained models like Opus 4.7." }, { "name": "ai-psychosis", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/ai-psychosis.git", - "ref": "v1.2.1" - }, + "source": "./plugins/ai-psychosis", "description": "Meta-awareness tools for healthy AI interaction patterns. Detects reinforcement loops, scope escalation, narrative crystallization, and other compulsive patterns." }, { "name": "ms-ai-architect", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/ms-ai-architect.git", - "ref": "v1.17.0" - }, + "source": "./plugins/ms-ai-architect", "description": "Microsoft AI Solution Architect — structured architecture guidance for the full Microsoft AI stack." }, { "name": "okr", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/okr.git", - "ref": "v1.7.0" - }, + "source": "./plugins/okr", "description": "Expert OKR guidance for Norwegian public sector. Write, review, cascade, track and govern OKR based on Google/Doerr methodology adapted for 4-month tertial cycles." }, { "name": "human-friendly-style", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/human-friendly-style.git", - "ref": "v1.1.0" - }, + "source": "./plugins/human-friendly-style", "description": "Shared Claude Code output style for the ktg-plugin-marketplace. Plain-language tone — explains what and why, hides paths/JSON/stack traces by default, matches the user's language." }, { "name": "claude-design", - "source": { - "source": "url", - "url": "https://git.fromaitochitta.com/open/claude-design.git", - "ref": "v0.1.0" - }, + "source": "./plugins/claude-design", "description": "End-to-end facilitator for prompting Claude Design (claude.ai/design) — idea to copy-paste-ready prompt with iteration coaching, citing Anthropic primary sources." } ] diff --git a/.gitignore b/.gitignore index 08bc342..2d32098 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,6 @@ REMEMBER.md TODO.md ROADMAP.md -STATE.md *.local.md # Per-plugin session directories (plans, research, execution progress) diff --git a/.gitleaksignore b/.gitleaksignore index 7860f5c..d47ea0b 100644 --- a/.gitleaksignore +++ b/.gitleaksignore @@ -2,4 +2,4 @@ plugins/llm-security/examples/malicious-skill-demo/evil-project-health/lib/telemetry.mjs:generic-api-key:18 # False positive: word "conversational" matches linkedin-client-id entropy pattern -plugins/linkedin-studio/hooks/prompts/content-quality-gate.md:linkedin-client-id:14 +plugins/linkedin-thought-leadership/hooks/prompts/content-quality-gate.md:linkedin-client-id:14 diff --git a/CLAUDE.md b/CLAUDE.md index 1137bc9..82a6d8d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,39 +1,72 @@ -# ktg-plugin-marketplace (catalog) +# ktg-plugin-marketplace -Catalog repository for the ktg-plugin-marketplace. After the polyrepo migration this repo hosts only -the marketplace manifest and the catalog-level docs; every plugin and the shared design-system live in -their own Forgejo repositories under `https://git.fromaitochitta.com/open/`. +Open-source Claude Code plugin marketplace. Solo project by Kjell Tore Guttormsen. -## What lives here +## Repo-struktur -- `.claude-plugin/marketplace.json` — the marketplace manifest (plugin entries point at external repos) -- `README.md` — the landing/catalog page -- `CONVENTIONS.md` — marketplace-wide conventions inherited by every plugin repo -- `GOVERNANCE.md` — governance + fork-and-own model -- `.mailmap`, `.gitleaks.toml`, `.gitleaksignore` — shared git-hygiene baselines +``` +plugins/ + ai-psychosis/ v1.0.0 — Interaction awareness (sycophancy, reinforcement loops) + config-audit/ v3.1.0 — Configuration intelligence (health, opportunities, auto-fix, whats-active) + graceful-handoff/ v2.1.0 — Auto-trigger handoff via Stop hook (skill + JSON pipeline + 4-step model-aware context resolution) + linkedin-thought-leadership/ v1.2.0 — LinkedIn content pipeline + analytics + llm-security/ v7.7.0 — Security scanning, auditing, threat modeling + HTML-rapport for alle 18 skill-kommandoer (render-report CLI + canonical ESM-modul som speiles bit-identisk i playground) + ms-ai-architect/ v1.15.0 — Microsoft AI architecture (Cosmo Skyberg persona) + manual KB-refresh slash command + v3 project-view (sidebar med 17 artifacts + main + import-modal overlay, v2-surface fjernet i v1.15.0) + okr/ v1.0.0 — OKR guidance for Norwegian public sector + voyage/ v5.0.3 — Brief, research, plan, execute, review, continue. Contract-driven Claude Code pipeline (six-command universal pipeline + multi-session resumption + --gates autonomy chain). /trekbrief, /trekplan, and /trekreview each end by running scripts/annotate.mjs against the just-written .md and printing the file:// link to a self-contained operator-annotation HTML modelled on claude-code-100x/build-site.js: pencil-toggle annotation mode, select text or click any element, choose intent (Fiks/Endre/Spørsmål), comment, sidebar groups by section with delete + Copy Prompt, localStorage persistence per artifact path. v5.0.0 removed the v4.2/v4.3 bespoke playground + /trekrevise + Handover 8; v5.0.1 pointed at /playground document-critique (wrong direction); v5.0.2 was operator-led but too thin; v5.0.3 matches the reference the operator pointed at from day one. -## Catalog maintenance +shared/ + playground-design-system/ v0.6.0 — Aksel/Digdir-aligned CSS design system + JSON schemas + self-hosted Inter/JetBrains Mono/Source Serif 4 fonts. Tier 1 base + Tier 2 + Tier 3 wave 1+2 (20 components) + Tier 4 project-view-arketype (v0.6.0 — sidebar + main + import-modal overlay). Consumed by ms-ai-architect, okr, llm-security, voyage, config-audit. + playground-examples/ — Reference scenarios (ROS-Lier, OKR-Bærum, security-Direktorat) + showcase landing + 12 isolated Tier 3 wave 2 component demos under components/ +``` -- Marketplace conventions: see CONVENTIONS.md. -- Adding/updating a plugin entry: edit `.claude-plugin/marketplace.json` (external `source: "url"` with - a pinned `ref`) and re-state the plugin in README.md with its verified version. -- Plugin source, issues, and releases live in each plugin's own repository — not here. -- **Releasing a plugin (canonical path — `scripts/release-plugin.mjs`):** since the polyrepo split, - a release is a TWO-repo act — tag the plugin repo AND bump the catalog `ref`. Forgetting the second - step strands users on the old version (the exact drift this helper exists to prevent). Run - `node scripts/release-plugin.mjs [--version X.Y.Z]` — dry-run by default; it REFUSES unless - `plugin.json` == README badge == the target version AND the `vX.Y.Z` tag exists, then prints the - planned bump. Apply with `--write [--commit] [--push]`; `--create-tag` mints+pushes a missing plugin - tag first. On `--write` it bumps the catalog `ref` AND the catalog README's per-plugin `` `vX.Y.Z` `` - label together (and `git add`s both on `--commit`). Because it only moves both to a verified, tagged, - consistent version, `check-versions.mjs` is green by construction. Never hand-edit a `ref` or a - README label for a release — use this. Pure planner + label reconciler covered by - `scripts/release-plugin.test.mjs`. -- **Version-consistency gate:** run `node scripts/check-versions.mjs` before committing any `ref` - change. For each plugin it checks (against the sibling repo) that the catalog `ref` resolves to a - real git tag (ERROR if dangling — breaks install), that `plugin.json` version == README - version-badge (ERROR), that the catalog README's per-plugin `` `vX.Y.Z` `` label == the catalog - `ref` (ERROR — the human-facing doc must not misstate the installed version), and that the catalog - `ref` matches `plugin.json` version (WARN — catalog lags or an unreleased bump). Exit 1 on any - ERROR; `--strict` also fails on WARN. Pure-function core covered by - `scripts/check-versions.test.mjs` (`node --test scripts/check-versions.test.mjs`). +Hvert plugin er selvstendig med egen CLAUDE.md, README, hooks, agents og commands. `shared/` inneholder marketplace-nivå infrastruktur som flere plugins bygger på. + +## Konvensjoner + +- **Språk:** Norsk dialog, engelsk kode/docs +- **Commits:** Conventional Commits — `type(scope): description` +- **Git:** Forgejo (`git.fromaitochitta.com/open/ktg-plugin-marketplace`). Aldri GitHub. +- **Hooks:** Alltid Node.js (.mjs), aldri bash. Cross-platform. +- **Avhengigheter:** Null npm dependencies i hooks/scannere. `node:test` for tester. +- **Bidrag:** Issues velkommen som signaler. PRs ikke akseptert. Fork-and-own er anbefalt adopsjonsmodell — se `GOVERNANCE.md`. +- **Lisens:** MIT, alle plugins +- **Docs ved endring (OBLIGATORISK):** Enhver feature-endring som pusher til Forgejo MÅ oppdatere alle tre doc-nivåer i SAMME commit eller umiddelbart etter: + 1. Plugin `README.md` — detaljert dokumentasjon av endringen + 2. Plugin `CLAUDE.md` — arkitektur/oversikt + 3. Rot-`README.md` — marketplace-landingssiden (`git.fromaitochitta.com/open/ktg-plugin-marketplace`) +- **Playground-oppdatering:** Ved endring av plugin playground HTML eller delt design-system, følg prosedyren i `shared/PLAYGROUND-MAINTENANCE.md` (4 spor: HTML-endring, DS-endring, screenshots, release). + +## Sesjonsfiler (lokale, gitignored) + +Alle plugins + root har: +- `REMEMBER.md` — Sesjonsstatus, sist gjort, viktige beslutninger +- `TODO.md` — Nærliggende oppgaver (1-4 uker) +- `ROADMAP.md` — Langsiktig retning (kvartal/halvår) + +Disse trackes IKKE i git. Oppdater ved sesjonsslutt. + +## Arbeidsflyt + +1. `cd` til riktig plugin-mappe +2. Les pluginets CLAUDE.md for kontekst +3. Les REMEMBER.md og TODO.md for sesjonsstatus +4. Jobb innenfor scope +5. Oppdater REMEMBER.md ved avslutning + +## Communication patterns + +### Linking to local files + +When pointing to local files in responses, always use markdown link syntax with a descriptive name: + +- Use `[Human-friendly name](file:///absolute/path)` — never bare `file:///...` URLs or autolinks ``. +- Always use absolute paths. Never `~/` or relative paths. +- For multiple files, render as a bullet list of named markdown links. + +Why: bare `file://` URLs only render the first as clickable across multiple lines. Named markdown links make each entry independently clickable and look cleaner. + +Example: + +- [Brief](file:///Users/ktg/.../brief.html) +- [Research summary](file:///Users/ktg/.../research/summary.md) diff --git a/CONVENTIONS.md b/CONVENTIONS.md deleted file mode 100644 index 571e5c5..0000000 --- a/CONVENTIONS.md +++ /dev/null @@ -1,19 +0,0 @@ -# Conventions — ktg-plugin-marketplace catalog - -> Extracted from the marketplace CLAUDE.md (D6). These are the marketplace-wide conventions -> every plugin repo inherits under fork-and-own. See GOVERNANCE.md for the governance model. - -## Konvensjoner - -- **Språk:** Norsk dialog, engelsk kode/docs -- **Commits:** Conventional Commits — `type(scope): description` -- **Git:** Forgejo-org `git.fromaitochitta.com/open/` — hvert plugin/design-system er sitt eget repo (`open/`), katalogen er `open/ktg-plugin-marketplace`. Aldri GitHub. -- **Hooks:** Alltid Node.js (.mjs), aldri bash. Cross-platform. -- **Avhengigheter:** Null npm dependencies i hooks/scannere. `node:test` for tester. -- **Bidrag:** Issues velkommen som signaler. PRs ikke akseptert. Fork-and-own er anbefalt adopsjonsmodell — se `GOVERNANCE.md`. -- **Lisens:** MIT, alle plugins -- **Docs ved endring (OBLIGATORISK):** Enhver feature-endring som pusher til Forgejo MÅ oppdatere dokumentasjonen. Etter polyrepo-splittet er dette to nivåer i to repo: - 1. **I plugin-repoet** (SAMME commit): `README.md` (detaljert dokumentasjon av endringen) + `CLAUDE.md` (arkitektur/oversikt) - 2. **I katalog-repoet** (`open/ktg-plugin-marketplace`), ved versjonsbump eller endret entry: oppdater `README.md`-landingssiden og `ref` i `.claude-plugin/marketplace.json` (egen commit i katalog-repoet) -- **Playground / design-system:** Playground-HTML er vendored inn i hvert plugin-repo under `playground/vendor/playground-design-system/`. Endringer i det delte design-systemet gjøres i `open/playground-design-system`, tagges der, og re-vendres deretter inn i hver konsument (llm-security, ms-ai-architect, config-audit, okr, voyage). - diff --git a/README.md b/README.md index 15e9408..8ae6ef9 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,9 @@ Open-source Claude Code plugins for AI-assisted development, security, and plann Built for my own Claude Code workflow and shared openly for anyone who finds them useful. Solo-maintained, AI-assisted, fork-and-own. Issues are welcome as signals; pull requests are not accepted. See [GOVERNANCE.md](GOVERNANCE.md) for what upstream provides and how this is meant to be used. -All code here is generated by Claude Code through a dialog-based process: I direct, review, test, and validate; Claude writes. Treat the plugins as AI-authored, human-curated. +## AI-generated code disclosure + +All code in this marketplace is generated by Claude Code through a dialog-based process. I direct, review, test, and validate; Claude writes. Every commit reflects this — treat the plugins as AI-authored, human-curated. ## Installation @@ -12,181 +14,295 @@ All code here is generated by Claude Code through a dialog-based process: I dire claude plugin marketplace add https://git.fromaitochitta.com/open/ktg-plugin-marketplace.git ``` -Then open Claude Code and type `/plugin` to browse and install. Works with the Claude Code CLI, desktop app, and IDE extensions on macOS, Linux, and Windows. No external dependencies. +Then open Claude Code and type `/plugin` to browse and install plugins from the marketplace. -Each plugin keeps its own full README and CHANGELOG; this page is just the catalog. +## Compatibility + +- Claude Code CLI, desktop app, and IDE extensions +- macOS, Linux, Windows +- No external dependencies (all scanners and hooks are self-contained) --- ## Plugins -### [LLM Security](https://git.fromaitochitta.com/open/llm-security) `v7.8.2` +### [LLM Security](plugins/llm-security/) `v7.7.0` -Security scanning, auditing, and threat modeling for agentic AI projects. Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and Google DeepMind's AI Agent Traps taxonomy. +Security scanning, auditing, and threat modeling for agentic AI projects. -- **Automated enforcement** — 9 hooks block prompt injection, secrets in code, destructive commands, and supply-chain risks in real time -- **Deterministic scanning** — 26 Node.js scanners for entropy, Unicode codepoints, typosquatting, taint flow, git forensics, AI-BOM, trigger/signature/AST-taint, and IDE-extension prescan (VS Code + JetBrains) -- **Advisory analysis** — 20 commands that scan, audit, and model threats with letter-graded reports and remediation -- **Enterprise governance** — EU AI Act / NIST AI RMF / ISO 42001 mapping, SARIF 2.1.0 output, policy-as-code, standalone CLI +Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Traps taxonomy (Google DeepMind, 2025). Three layers of protection: -Key commands: `/security posture`, `/security audit`, `/security scan`, `/security ide-scan`, `/security threat-model` +- **Automated enforcement** — 9 hooks that block dangerous operations in real time (prompt injection, secrets in code, destructive commands, supply chain guardrails, transcript scanning before context compaction) +- **Deterministic scanning** — 23 Node.js scanners (10 orchestrated + 13 standalone) for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM, attack simulation, IDE extension prescan (VS Code + JetBrains — URL fetch from Marketplace / OpenVSX / direct VSIX / JetBrains Marketplace, hardened ZIP extractor for zip-slip / symlinks / bombs, plus OS sandbox via `sandbox-exec` / `bwrap` so the kernel enforces FS confinement), MCP cumulative-drift baseline reset (E14 — sticky baseline catches slow-burn rug-pulls). Bash-normalize T1-T6 for obfuscation-resistant denylists +- **Advisory analysis** — 20 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation +- **Enterprise governance** — Compliance mapping (EU AI Act, NIST AI RMF, ISO 42001), SARIF 2.1.0 output, structured audit trail, policy-as-code, standalone CLI +- **v7.7.0 HTML-rapport for alle 18 skill-kommandoer (2026-05-18)** — Hver `/security ` som produserer rapport printer nå en klikkbar `file://`-lenke til en self-contained HTML-versjon. Levert over fem sesjoner: (1) playground katalog list-view + builder-pane med copy-knapp; (2) playground prosjekt-surface opprydding (stub-screen + topbar-splitt); (3) 18 inline parserne + rendererne flyttet til canonical ESM-modul `scripts/lib/report-renderers.mjs` (playground beholder bit-identisk inline-kopi siden ESM `import` ikke fungerer fra `file://`); (4) ny zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout-modus, kebab→camel commandId-routing, inliner 6 DS-stylesheets, ~140 KB self-contained HTML med system-font-fallback, absolutte `file://`-paths for Ghostty cmd-click; (5) alle 18 skills wired (4 i sesjon 4 + 14 i sesjon 5). Ingen scanner- eller hook-atferdsendringer — purely additive +- **v7.6.1 playground visuell-patch (2026-05-06)** — Seks bugs fanget av maintainer ved manuell verifisering i nettleser etter v7.6.0-release. Alle skyldtes mismatch mellom DS-klasser og hvordan playground-rendrere brukte dem (eller manglende DS-implementasjoner av klasser playground-rendrere antok eksisterte): `renderFindingsBlock` brukte `.findings` outer-class (DS' 2-kolonners list+detail-grid) → erstattet med `
` + korrekt `findings__list`-mønster; `.report-table` manglet helt i DS men brukes i 7+ rendrere → lokal CSS-implementasjon; `renderPreDeploy` traffic-lights brukte fast 28×28 px `.sm-card__grade` for "PASS"/"PASS-WITH-NOTES"/"FAIL" → bredde-tilpasset status-pill; threat-model matrix-bobler ikke klikkbare → `