# Security Policy — trekplan

## Reporting a vulnerability

Open a **private** issue on Forgejo:

> https://git.fromaitochitta.com/open/ktg-plugin-marketplace

Tag it `security` and mark it private. Do not file public issues for unpatched vulnerabilities.

There is no SLA — this is a solo-maintained plugin — but acknowledged reports are usually triaged within 7 days.

## Supported versions

Only the **current minor version** receives security fixes. When v3.2.0 ships, v3.1.x stops receiving patches. Pin to the latest minor and update on the next bump.

| Version | Supported |
|---------|-----------|
| 3.1.x | Yes |
| 3.0.x | No (upgrade to 3.1.x) |
| < 3.0 | No |

## Scope

The plugin's security posture covers:

### Plugin-owned hooks (`hooks/scripts/`)

| Hook | Trigger | Purpose |
|------|---------|---------|
| `pre-bash-executor.mjs` | `PreToolUse` for Bash | BLOCKs known-dangerous shell patterns; WARNs on suspicious ones; fails open on parse errors |
| `pre-write-executor.mjs` | `PreToolUse` for Write | BLOCKs writes to `.git/hooks/`, `~/.ssh/`, `.env`, and other sensitive paths |
| `pre-compact-flush.mjs` | `PreCompact` | Flushes `progress.json` from git history before compaction (P0 drift fix); read-only beyond `progress.json` |
| `session-title.mjs` *(planned, F9)* | `UserPromptSubmit` | Sets session title `voyage::` for headless multiplexing |

All hooks are zero-dependency Node.js (`.mjs`) scripts and are designed to **fail open** — a hook crash never blocks the user's work. Hooks log to stderr only; they never write to user files outside their declared scope.

### Prompt-level denylist (`commands/trekexecute.md`)

The execute command embeds a denylist that takes effect even in headless sessions where hooks may not fire. This is layer 4 of the defense-in-depth model and protects against plan-injected destructive commands.

### Validators (`lib/validators/*.mjs`)

Read-only. Never write to user files. Used both by hooks and by command phases to detect malformed artifacts before they propagate.

## Out of scope

- **Opt-in upstream architect step.** Any external producer of `architecture/overview.md` ships its own security posture. The architecture-discovery validator in this plugin treats `architecture/overview.md` as an external contract (drift-WARN, never drift-FAIL).
- **LLM output content.** The plugin validates artifact *shape*, not artifact *truthfulness*. A plan that passes `plan-validator --strict` may still contain hallucinated file paths or unsafe commands; that is why `pre-bash-executor` exists.
- **The Claude Code CLI itself.** Report Claude Code vulnerabilities to Anthropic via https://github.com/anthropics/claude-code/issues.

## Hardening recommendations

For forkers handling untrusted task briefs or plans:

1. **Set `disableSkillShellExecution: true`** in `~/.claude/settings.json` (CC v2.1.91+) to prevent Skills from invoking arbitrary shell.
2. **Run plan validation in `--strict` mode** before any execute:

   ```bash
   node ${CLAUDE_PLUGIN_ROOT}/lib/validators/plan-validator.mjs --strict plan.md
   ```

3. **Review the plan-critic adversarial output** before approving plans from external sources — the semantic rubric (rule #7) catches deferred decisions that an attacker could exploit.
4. **Pin a CC version floor.** v3.1.0 of this plugin assumes CC ≥ 2.1.85 for the `if`-field on hooks; older CC silently ignores the field, weakening the scoping.

## Past advisories

None as of v3.1.0. This section will list CVE-style entries if any are discovered.
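The hook contract described under Scope (zero-dependency `.mjs`, stderr-only logging, fail open on parse errors) as an added example that is not the plugin's code: a minimal Write guard in the spirit of `pre-write-executor.mjs`. It assumes Claude Code delivers a JSON payload with `tool_name` and `tool_input.file_path` on stdin and that exit code 2 blocks the tool call; the `--hook` flag, the `decide` function and the sample payloads are constructions for this example.

```javascript
// Added example (not the plugin's code): a fail-open PreToolUse guard for the
// Write tool in the spirit of pre-write-executor. Assumed hook contract: Claude
// Code's JSON payload on stdin with `tool_name` and `tool_input.file_path`;
// exit 2 blocks, exit 0 allows.  Hook use: node pre-write-guard.mjs --hook < in.json
// Expand `~`, anchor relative paths at cwd and collapse `.`/`..` with plain
// string work (no imports) so `docs/../.ssh/config` is seen for what it is.
function toSegments(p, home) {
  const expanded = p.startsWith('~') ? home + p.slice(1) : p;
  const abs = expanded.startsWith('/') ? expanded : process.cwd() + '/' + expanded;
  const segs = [];
  for (const seg of abs.split('/')) {
    if (seg === '..') segs.pop();
    else if (seg !== '' && seg !== '.') segs.push(seg);
  }
  return segs;
}
// Sensitive locations named in the policy: .git/hooks/, ~/.ssh/, .env files.
function sensitiveReason(segs) {
  for (let i = 0; i < segs.length; i++) {
    const s = segs[i];
    if (s === '.ssh') return 'SSH key material';
    if (s === '.env' || s.startsWith('.env.')) return 'dotenv secrets file';
    if (s === '.git' && segs[i + 1] === 'hooks') return 'git hook (runs on commit)';
  }
  return null;
}
// Pure decision so it can be unit-tested. A malformed payload FAILS OPEN
// (exit 0 plus a stderr note): a hook bug must never block the user's work.
function decide(raw, home) {
  let payload;
  try { payload = JSON.parse(raw); } catch (e) {
    return { exitCode: 0, message: `pre-write-guard: bad payload, failing open (${e.message})` };
  }
  const fp = payload?.tool_input?.file_path;
  if (payload?.tool_name !== 'Write' || typeof fp !== 'string') return { exitCode: 0, message: '' };
  const segs = toSegments(fp, home), why = sensitiveReason(segs);
  if (why) return { exitCode: 2, message: `pre-write-guard: BLOCK write to /${segs.join('/')} (${why})` };
  return { exitCode: 0, message: '' };
}
// CLI entry: read stdin, decide, report on stderr only (never stdout or files).
if (process.argv.includes('--hook')) {
  let buf = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { buf += chunk; });
  process.stdin.on('end', () => {
    const { exitCode, message } = decide(buf, process.env.HOME || '/');
    if (message) process.stderr.write(message + '\n');
    process.exit(exitCode);
  });
}
```

Note that `.git/config` is deliberately allowed while `.git/hooks/` is not: the policy lists hook directories, not the whole `.git` tree, and tightening that is a fork-level choice.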