diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 53e2f25..e0561fb 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -12,52 +12,92 @@ "plugins": [ { "name": "llm-security", - "source": "./plugins/llm-security", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/llm-security.git", + "ref": "v7.8.0" + }, "description": "Security scanning, auditing, and threat modeling for Claude Code projects. OWASP LLM Top 10 (2025) and Agentic AI Top 10." }, { "name": "config-audit", - "source": "./plugins/config-audit", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/config-audit.git", + "ref": "v5.12.5" + }, "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine" }, { "name": "voyage", - "source": "./plugins/voyage", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/voyage.git", + "ref": "v5.9.1" + }, "description": "Voyage — brief, research, plan, execute, review, continue. Contract-driven Claude Code pipeline with specialized agent swarms, external research triangulation, adversarial review, post-hoc independent review with Handover 6 feedback loop, multi-session resumption, session decomposition, and headless execution. /trekbrief, /trekplan, and /trekreview each end by building a self-contained operator-annotation HTML (scripts/annotate.mjs, modelled on claude-code-100x): pencil-toggle annotation mode, select text or click any element, pick intent (Fiks/Endre/Spørsmål), comment, Copy Prompt, paste back, Claude revises the .md." }, { - "name": "linkedin-thought-leadership", - "source": "./plugins/linkedin-thought-leadership", - "description": "Build LinkedIn thought leadership with algorithmic understanding, strategic consistency, and authentic engagement. Updated for the January 2026 360Brew algorithm change." + "name": "linkedin-studio", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/linkedin-studio.git", + "ref": "v0.5.3" + }, + "description": "LinkedIn Studio — a full-spectrum LinkedIn content engine: feed posts, carousels, video scripts, and long-form newsletter editions, built on algorithmic understanding, strategic consistency, and authentic engagement. Aligned to LinkedIn's 2026 topic-relevance ranking model." }, { "name": "graceful-handoff", - "source": "./plugins/graceful-handoff", - "description": "Produce session-handoff artifacts, commit and push pending work, and print a copy-paste prompt for the next session. Designed for context-constrained models like Opus 4.7." + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/graceful-handoff.git", + "ref": "v3.1.0" + }, + "description": "One-command session handoff into the STATE.md continuity system. At a natural stopping point, overwrites the nearest STATE.md with a complete state-of-play (mandatory '👉 NEXT — START HERE' block) and commits per remote policy. Skill-only, no hooks." }, { "name": "ai-psychosis", - "source": "./plugins/ai-psychosis", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/ai-psychosis.git", + "ref": "v1.2.1" + }, "description": "Meta-awareness tools for healthy AI interaction patterns. Detects reinforcement loops, scope escalation, narrative crystallization, and other compulsive patterns." }, { "name": "ms-ai-architect", - "source": "./plugins/ms-ai-architect", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/ms-ai-architect.git", + "ref": "v1.17.0" + }, "description": "Microsoft AI Solution Architect — structured architecture guidance for the full Microsoft AI stack." }, { "name": "okr", - "source": "./plugins/okr", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/okr.git", + "ref": "v1.6.1" + }, "description": "Expert OKR guidance for Norwegian public sector. Write, review, cascade, track and govern OKR based on Google/Doerr methodology adapted for 4-month tertial cycles." }, { "name": "human-friendly-style", - "source": "./plugins/human-friendly-style", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/human-friendly-style.git", + "ref": "v1.1.0" + }, "description": "Shared Claude Code output style for the ktg-plugin-marketplace. Plain-language tone — explains what and why, hides paths/JSON/stack traces by default, matches the user's language." }, { "name": "claude-design", - "source": "./plugins/claude-design", + "source": { + "source": "url", + "url": "https://git.fromaitochitta.com/open/claude-design.git", + "ref": "v0.1.0" + }, "description": "End-to-end facilitator for prompting Claude Design (claude.ai/design) — idea to copy-paste-ready prompt with iteration coaching, citing Anthropic primary sources." } ] diff --git a/.gitignore b/.gitignore index 2d32098..08bc342 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ REMEMBER.md TODO.md ROADMAP.md +STATE.md *.local.md # Per-plugin session directories (plans, research, execution progress) diff --git a/.gitleaksignore b/.gitleaksignore index d47ea0b..7860f5c 100644 --- a/.gitleaksignore +++ b/.gitleaksignore @@ -2,4 +2,4 @@ plugins/llm-security/examples/malicious-skill-demo/evil-project-health/lib/telemetry.mjs:generic-api-key:18 # False positive: word "conversational" matches linkedin-client-id entropy pattern -plugins/linkedin-thought-leadership/hooks/prompts/content-quality-gate.md:linkedin-client-id:14 +plugins/linkedin-studio/hooks/prompts/content-quality-gate.md:linkedin-client-id:14 diff --git a/CLAUDE.md b/CLAUDE.md index fbbc693..1137bc9 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,72 +1,39 @@ -# ktg-plugin-marketplace +# ktg-plugin-marketplace (catalog) -Open-source Claude Code plugin marketplace. Solo project by Kjell Tore Guttormsen. +Catalog repository for the ktg-plugin-marketplace. After the polyrepo migration this repo hosts only +the marketplace manifest and the catalog-level docs; every plugin and the shared design-system live in +their own Forgejo repositories under `https://git.fromaitochitta.com/open/`. -## Repo-struktur +## What lives here -``` -plugins/ - ai-psychosis/ v1.0.0 — Interaction awareness (sycophancy, reinforcement loops) - config-audit/ v3.1.0 — Configuration intelligence (health, opportunities, auto-fix, whats-active) - graceful-handoff/ v2.1.0 — Auto-trigger handoff via Stop hook (skill + JSON pipeline + 4-step model-aware context resolution) - linkedin-thought-leadership/ v1.2.0 — LinkedIn content pipeline + analytics - llm-security/ v7.7.1 — Security scanning, auditing, threat modeling + HTML-rapport for alle 18 skill-kommandoer (render-report CLI + canonical ESM-modul som speiles bit-identisk i playground). v7.7.1 strippet playground til katalog-overflate som eneste rute. - ms-ai-architect/ v1.15.0 — Microsoft AI architecture (Cosmo Skyberg persona) + manual KB-refresh slash command + v3 project-view (sidebar med 17 artifacts + main + import-modal overlay, v2-surface fjernet i v1.15.0) - okr/ v1.0.0 — OKR guidance for Norwegian public sector - voyage/ v5.0.3 — Brief, research, plan, execute, review, continue. Contract-driven Claude Code pipeline (six-command universal pipeline + multi-session resumption + --gates autonomy chain). /trekbrief, /trekplan, and /trekreview each end by running scripts/annotate.mjs against the just-written .md and printing the file:// link to a self-contained operator-annotation HTML modelled on claude-code-100x/build-site.js: pencil-toggle annotation mode, select text or click any element, choose intent (Fiks/Endre/Spørsmål), comment, sidebar groups by section with delete + Copy Prompt, localStorage persistence per artifact path. v5.0.0 removed the v4.2/v4.3 bespoke playground + /trekrevise + Handover 8; v5.0.1 pointed at /playground document-critique (wrong direction); v5.0.2 was operator-led but too thin; v5.0.3 matches the reference the operator pointed at from day one. +- `.claude-plugin/marketplace.json` — the marketplace manifest (plugin entries point at external repos) +- `README.md` — the landing/catalog page +- `CONVENTIONS.md` — marketplace-wide conventions inherited by every plugin repo +- `GOVERNANCE.md` — governance + fork-and-own model +- `.mailmap`, `.gitleaks.toml`, `.gitleaksignore` — shared git-hygiene baselines -shared/ - playground-design-system/ v0.6.0 — Aksel/Digdir-aligned CSS design system + JSON schemas + self-hosted Inter/JetBrains Mono/Source Serif 4 fonts. Tier 1 base + Tier 2 + Tier 3 wave 1+2 (20 components) + Tier 4 project-view-arketype (v0.6.0 — sidebar + main + import-modal overlay). Consumed by ms-ai-architect, okr, llm-security, voyage, config-audit. - playground-examples/ — Reference scenarios (ROS-Lier, OKR-Bærum, security-Direktorat) + showcase landing + 12 isolated Tier 3 wave 2 component demos under components/ -``` +## Catalog maintenance -Hvert plugin er selvstendig med egen CLAUDE.md, README, hooks, agents og commands. `shared/` inneholder marketplace-nivå infrastruktur som flere plugins bygger på. - -## Konvensjoner - -- **Språk:** Norsk dialog, engelsk kode/docs -- **Commits:** Conventional Commits — `type(scope): description` -- **Git:** Forgejo (`git.fromaitochitta.com/open/ktg-plugin-marketplace`). Aldri GitHub. -- **Hooks:** Alltid Node.js (.mjs), aldri bash. Cross-platform. -- **Avhengigheter:** Null npm dependencies i hooks/scannere. `node:test` for tester. -- **Bidrag:** Issues velkommen som signaler. PRs ikke akseptert. Fork-and-own er anbefalt adopsjonsmodell — se `GOVERNANCE.md`. -- **Lisens:** MIT, alle plugins -- **Docs ved endring (OBLIGATORISK):** Enhver feature-endring som pusher til Forgejo MÅ oppdatere alle tre doc-nivåer i SAMME commit eller umiddelbart etter: - 1. Plugin `README.md` — detaljert dokumentasjon av endringen - 2. Plugin `CLAUDE.md` — arkitektur/oversikt - 3. Rot-`README.md` — marketplace-landingssiden (`git.fromaitochitta.com/open/ktg-plugin-marketplace`) -- **Playground-oppdatering:** Ved endring av plugin playground HTML eller delt design-system, følg prosedyren i `shared/PLAYGROUND-MAINTENANCE.md` (4 spor: HTML-endring, DS-endring, screenshots, release). - -## Sesjonsfiler (lokale, gitignored) - -Alle plugins + root har: -- `REMEMBER.md` — Sesjonsstatus, sist gjort, viktige beslutninger -- `TODO.md` — Nærliggende oppgaver (1-4 uker) -- `ROADMAP.md` — Langsiktig retning (kvartal/halvår) - -Disse trackes IKKE i git. Oppdater ved sesjonsslutt. - -## Arbeidsflyt - -1. `cd` til riktig plugin-mappe -2. Les pluginets CLAUDE.md for kontekst -3. Les REMEMBER.md og TODO.md for sesjonsstatus -4. Jobb innenfor scope -5. Oppdater REMEMBER.md ved avslutning - -## Communication patterns - -### Linking to local files - -When pointing to local files in responses, always use markdown link syntax with a descriptive name: - -- Use `[Human-friendly name](file:///absolute/path)` — never bare `file:///...` URLs or autolinks ``. -- Always use absolute paths. Never `~/` or relative paths. -- For multiple files, render as a bullet list of named markdown links. - -Why: bare `file://` URLs only render the first as clickable across multiple lines. Named markdown links make each entry independently clickable and look cleaner. - -Example: - -- [Brief](file:///Users/ktg/.../brief.html) -- [Research summary](file:///Users/ktg/.../research/summary.md) +- Marketplace conventions: see CONVENTIONS.md. +- Adding/updating a plugin entry: edit `.claude-plugin/marketplace.json` (external `source: "url"` with + a pinned `ref`) and re-state the plugin in README.md with its verified version. +- Plugin source, issues, and releases live in each plugin's own repository — not here. +- **Releasing a plugin (canonical path — `scripts/release-plugin.mjs`):** since the polyrepo split, + a release is a TWO-repo act — tag the plugin repo AND bump the catalog `ref`. Forgetting the second + step strands users on the old version (the exact drift this helper exists to prevent). Run + `node scripts/release-plugin.mjs [--version X.Y.Z]` — dry-run by default; it REFUSES unless + `plugin.json` == README badge == the target version AND the `vX.Y.Z` tag exists, then prints the + planned bump. Apply with `--write [--commit] [--push]`; `--create-tag` mints+pushes a missing plugin + tag first. On `--write` it bumps the catalog `ref` AND the catalog README's per-plugin `` `vX.Y.Z` `` + label together (and `git add`s both on `--commit`). Because it only moves both to a verified, tagged, + consistent version, `check-versions.mjs` is green by construction. Never hand-edit a `ref` or a + README label for a release — use this. Pure planner + label reconciler covered by + `scripts/release-plugin.test.mjs`. +- **Version-consistency gate:** run `node scripts/check-versions.mjs` before committing any `ref` + change. For each plugin it checks (against the sibling repo) that the catalog `ref` resolves to a + real git tag (ERROR if dangling — breaks install), that `plugin.json` version == README + version-badge (ERROR), that the catalog README's per-plugin `` `vX.Y.Z` `` label == the catalog + `ref` (ERROR — the human-facing doc must not misstate the installed version), and that the catalog + `ref` matches `plugin.json` version (WARN — catalog lags or an unreleased bump). Exit 1 on any + ERROR; `--strict` also fails on WARN. Pure-function core covered by + `scripts/check-versions.test.mjs` (`node --test scripts/check-versions.test.mjs`). diff --git a/CONVENTIONS.md b/CONVENTIONS.md new file mode 100644 index 0000000..571e5c5 --- /dev/null +++ b/CONVENTIONS.md @@ -0,0 +1,19 @@ +# Conventions — ktg-plugin-marketplace catalog + +> Extracted from the marketplace CLAUDE.md (D6). These are the marketplace-wide conventions +> every plugin repo inherits under fork-and-own. See GOVERNANCE.md for the governance model. + +## Konvensjoner + +- **Språk:** Norsk dialog, engelsk kode/docs +- **Commits:** Conventional Commits — `type(scope): description` +- **Git:** Forgejo-org `git.fromaitochitta.com/open/` — hvert plugin/design-system er sitt eget repo (`open/`), katalogen er `open/ktg-plugin-marketplace`. Aldri GitHub. +- **Hooks:** Alltid Node.js (.mjs), aldri bash. Cross-platform. +- **Avhengigheter:** Null npm dependencies i hooks/scannere. `node:test` for tester. +- **Bidrag:** Issues velkommen som signaler. PRs ikke akseptert. Fork-and-own er anbefalt adopsjonsmodell — se `GOVERNANCE.md`. +- **Lisens:** MIT, alle plugins +- **Docs ved endring (OBLIGATORISK):** Enhver feature-endring som pusher til Forgejo MÅ oppdatere dokumentasjonen. Etter polyrepo-splittet er dette to nivåer i to repo: + 1. **I plugin-repoet** (SAMME commit): `README.md` (detaljert dokumentasjon av endringen) + `CLAUDE.md` (arkitektur/oversikt) + 2. **I katalog-repoet** (`open/ktg-plugin-marketplace`), ved versjonsbump eller endret entry: oppdater `README.md`-landingssiden og `ref` i `.claude-plugin/marketplace.json` (egen commit i katalog-repoet) +- **Playground / design-system:** Playground-HTML er vendored inn i hvert plugin-repo under `playground/vendor/playground-design-system/`. Endringer i det delte design-systemet gjøres i `open/playground-design-system`, tagges der, og re-vendres deretter inn i hver konsument (llm-security, ms-ai-architect, config-audit, okr, voyage). + diff --git a/README.md b/README.md index 9fb3db6..82e4915 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,7 @@ Open-source Claude Code plugins for AI-assisted development, security, and plann Built for my own Claude Code workflow and shared openly for anyone who finds them useful. Solo-maintained, AI-assisted, fork-and-own. Issues are welcome as signals; pull requests are not accepted. See [GOVERNANCE.md](GOVERNANCE.md) for what upstream provides and how this is meant to be used. -## AI-generated code disclosure - -All code in this marketplace is generated by Claude Code through a dialog-based process. I direct, review, test, and validate; Claude writes. Every commit reflects this — treat the plugins as AI-authored, human-curated. +All code here is generated by Claude Code through a dialog-based process: I direct, review, test, and validate; Claude writes. Treat the plugins as AI-authored, human-curated. ## Installation @@ -14,296 +12,181 @@ All code in this marketplace is generated by Claude Code through a dialog-based claude plugin marketplace add https://git.fromaitochitta.com/open/ktg-plugin-marketplace.git ``` -Then open Claude Code and type `/plugin` to browse and install plugins from the marketplace. +Then open Claude Code and type `/plugin` to browse and install. Works with the Claude Code CLI, desktop app, and IDE extensions on macOS, Linux, and Windows. No external dependencies. -## Compatibility - -- Claude Code CLI, desktop app, and IDE extensions -- macOS, Linux, Windows -- No external dependencies (all scanners and hooks are self-contained) +Each plugin keeps its own full README and CHANGELOG; this page is just the catalog. --- ## Plugins -### [LLM Security](plugins/llm-security/) `v7.7.1` +### [LLM Security](https://git.fromaitochitta.com/open/llm-security) `v7.8.0` -Security scanning, auditing, and threat modeling for agentic AI projects. +Security scanning, auditing, and threat modeling for agentic AI projects. Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and Google DeepMind's AI Agent Traps taxonomy. -Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Traps taxonomy (Google DeepMind, 2025). Three layers of protection: +- **Automated enforcement** — 9 hooks block prompt injection, secrets in code, destructive commands, and supply-chain risks in real time +- **Deterministic scanning** — 26 Node.js scanners for entropy, Unicode codepoints, typosquatting, taint flow, git forensics, AI-BOM, trigger/signature/AST-taint, and IDE-extension prescan (VS Code + JetBrains) +- **Advisory analysis** — 20 commands that scan, audit, and model threats with letter-graded reports and remediation +- **Enterprise governance** — EU AI Act / NIST AI RMF / ISO 42001 mapping, SARIF 2.1.0 output, policy-as-code, standalone CLI -- **Automated enforcement** — 9 hooks that block dangerous operations in real time (prompt injection, secrets in code, destructive commands, supply chain guardrails, transcript scanning before context compaction) -- **Deterministic scanning** — 23 Node.js scanners (10 orchestrated + 13 standalone) for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM, attack simulation, IDE extension prescan (VS Code + JetBrains — URL fetch from Marketplace / OpenVSX / direct VSIX / JetBrains Marketplace, hardened ZIP extractor for zip-slip / symlinks / bombs, plus OS sandbox via `sandbox-exec` / `bwrap` so the kernel enforces FS confinement), MCP cumulative-drift baseline reset (E14 — sticky baseline catches slow-burn rug-pulls). Bash-normalize T1-T6 for obfuscation-resistant denylists -- **Advisory analysis** — 20 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation -- **Enterprise governance** — Compliance mapping (EU AI Act, NIST AI RMF, ISO 42001), SARIF 2.1.0 output, structured audit trail, policy-as-code, standalone CLI -- **v7.7.1 playground UX-strip (2026-05-18)** — Operatør-feedback umiddelbart etter v7.7.0: katalog-overflaten ble eneste levende rute i playgrounden (onboarding/home/project-render-funksjonene bevart men ikke rutbare). Topbar forenklet til `Katalog`-knapp + state/tema-handlinger. Breadcrumb-orgname erstattet med nøytralt `llm-security`. Onboarding-konseptet (kontekst-injeksjon per kommando) dokumentert som v7.8.0-kandidat i ROADMAP. Ingen scanner- eller hook-atferdsendringer -- **v7.7.0 HTML-rapport for alle 18 skill-kommandoer (2026-05-18)** — Hver `/security ` som produserer rapport printer nå en klikkbar `file://`-lenke til en self-contained HTML-versjon. Levert over fem sesjoner: (1) playground katalog list-view + builder-pane med copy-knapp; (2) playground prosjekt-surface opprydding (stub-screen + topbar-splitt); (3) 18 inline parserne + rendererne flyttet til canonical ESM-modul `scripts/lib/report-renderers.mjs` (playground beholder bit-identisk inline-kopi siden ESM `import` ikke fungerer fra `file://`); (4) ny zero-dep CLI `scripts/render-report.mjs` — stdin/file/stdout-modus, kebab→camel commandId-routing, inliner 6 DS-stylesheets, ~140 KB self-contained HTML med system-font-fallback, absolutte `file://`-paths for Ghostty cmd-click; (5) alle 18 skills wired (4 i sesjon 4 + 14 i sesjon 5). Ingen scanner- eller hook-atferdsendringer — purely additive -- **v7.6.1 playground visuell-patch (2026-05-06)** — Seks bugs fanget av maintainer ved manuell verifisering i nettleser etter v7.6.0-release. Alle skyldtes mismatch mellom DS-klasser og hvordan playground-rendrere brukte dem (eller manglende DS-implementasjoner av klasser playground-rendrere antok eksisterte): `renderFindingsBlock` brukte `.findings` outer-class (DS' 2-kolonners list+detail-grid) → erstattet med `
` + korrekt `findings__list`-mønster; `.report-table` manglet helt i DS men brukes i 7+ rendrere → lokal CSS-implementasjon; `renderPreDeploy` traffic-lights brukte fast 28×28 px `.sm-card__grade` for "PASS"/"PASS-WITH-NOTES"/"FAIL" → bredde-tilpasset status-pill; threat-model matrix-bobler ikke klikkbare → `