ktg-plugin-marketplace/plugins/ultraplan-local/SECURITY.md
Kjell Tore Guttormsen 14ecda886c feat(voyage)!: bulk content rewrite ultra -> voyage/trek prose [skip-docs]
Sed pipeline (16 patterns, longest-match-first) sweeps residual ultra* hits
in prose, command narrative, agent prompts, hook comments, doc prose.

Pipeline extensions from the V4 prompt:
- BSD syntax [[:<:]]ultra[[:>:]] instead of \bultra\b (BSD sed lacks \b)
- 6 compound patterns for ultraplan/ultraexecute/ultraresearch/ultrabrief/
  ultrareview/ultracontinue without the -local suffix
- ultra*-stats glob -> trek*-stats glob
- Line exclusion reduced to ultra-cc-architect (Q8); the session-state
  exclusion was over-protective
- File exclusion extended to settings.json, package.json, plugin.json,
  the whole .claude/ tree (gitignored + V5 territory)

Q8 exception kept: architecture-discovery.mjs + project-discovery.mjs untouched.
Filename convention kept: .session-state.local.json + *.local.* preserved.

Manual narrative fix: tests/lib/agent-frontmatter.test.mjs line 10
mangled "/ultra*-local" to "/voyage*-local" (no such command exists);
corrected to "/trek*".

Residuals out of scope (V5 handles them): package.json + .claude-plugin/
plugin.json (Step 12-14 version bump). .claude/* is gitignored
spec history with intentional BEFORE/AFTER narrative.

Part of voyage-rebrand session 3 (Wave 4 / Step 10).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 15:08:20 +02:00


Security Policy — trekplan

Reporting a vulnerability

Open a private issue on Forgejo:

https://git.fromaitochitta.com/open/ktg-plugin-marketplace

Tag it security and mark it private. Do not file public issues for unpatched vulnerabilities. There is no SLA — this is a solo-maintained plugin — but acknowledged reports are usually triaged within 7 days.

Supported versions

Only the current minor version receives security fixes. When v3.2.0 ships, v3.1.x stops receiving patches. Pin to the latest minor and update on the next bump.

| Version | Supported |
|---|---|
| 3.1.x | Yes |
| 3.0.x | No (upgrade to 3.1.x) |
| < 3.0 | No |

Scope

The plugin's security posture covers:

Plugin-owned hooks (hooks/scripts/)

| Hook | Trigger | Purpose |
|---|---|---|
| pre-bash-executor.mjs | PreToolUse for Bash | BLOCKs known-dangerous shell patterns; WARNs on suspicious ones; fails open on parse errors |
| pre-write-executor.mjs | PreToolUse for Write | BLOCKs writes to .git/hooks/, ~/.ssh/, .env, and other sensitive paths |
| pre-compact-flush.mjs | PreCompact | Flushes progress.json from git history before compaction (P0 drift fix); read-only beyond progress.json |
| session-title.mjs (planned, F9) | UserPromptSubmit | Sets session title voyage:<command>:<slug> for headless multiplexing |

All hooks are zero-dependency Node.js (.mjs) scripts and are designed to fail open — a hook crash never blocks the user's work. Hooks log to stderr only; they never write to user files outside their declared scope.
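To make the fail-open contract and the Write denylist concrete, here is an added illustration of a PreToolUse hook in that style. It is not the plugin's own pre-write-executor.mjs; it assumes (not stated on this page) that the hook receives JSON on stdin with tool_input.file_path, that exit code 2 means BLOCK and 0 means ALLOW, and it handles POSIX paths only.

```javascript
// Added example (not the plugin's own pre-write-executor.mjs): a minimal
// fail-open PreToolUse hook for Write in the style the hook table describes.
// Assumed, not stated on the page: the hook gets JSON on stdin with
// tool_input.file_path; exit code 2 means BLOCK, 0 means ALLOW. POSIX paths only.

// Resolve "./", "../" and duplicate slashes so a relative path cannot dodge
// the denylist (e.g. "src/../.git/hooks/pre-commit").
function normalizePath(p, cwd) {
  const raw = p.startsWith("/") ? p : `${cwd}/${p}`;
  const out = [];
  for (const seg of raw.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

// Sensitive locations from the hook table: .git/hooks/, ~/.ssh/, .env files.
// cwd and home are explicit parameters so the classifier is testable offline.
function classifyWritePath(filePath, cwd = "/work", home = "/home/user") {
  const abs = normalizePath(filePath, cwd);
  const parts = abs.split("/");
  if (abs.startsWith(home + "/.ssh/")) return "BLOCK";
  for (let i = 0; i + 1 < parts.length; i++) {
    if (parts[i] === ".git" && parts[i + 1] === "hooks") return "BLOCK";
  }
  const base = parts[parts.length - 1];
  // ".env.local" etc. are treated like ".env" (an assumption, not on the page)
  if (base === ".env" || base.startsWith(".env.")) return "BLOCK";
  return "ALLOW";
}

// Fail-open wrapper: a parse error or missing field yields ALLOW (exit 0) so a
// hook defect never blocks the user's work; diagnostics go to stderr only.
function decide(rawStdin, cwd, home, log = (m) => process.stderr.write(m + "\n")) {
  let filePath;
  try {
    filePath = JSON.parse(rawStdin).tool_input.file_path;
    if (typeof filePath !== "string") throw new TypeError("tool_input.file_path missing");
  } catch (err) {
    log(`pre-write hook: ${err.message}; failing open`);
    return { verdict: "ALLOW", exitCode: 0 };
  }
  const verdict = classifyWritePath(filePath, cwd, home);
  if (verdict === "BLOCK") log(`pre-write hook: BLOCK write to ${filePath}`);
  return { verdict, exitCode: verdict === "BLOCK" ? 2 : 0 };
}
```

As a real hook the script would read all of stdin, call decide() and exit with the returned exitCode; that entry point is left out so the functions above stay directly testable.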

Prompt-level denylist (commands/trekexecute.md)

The execute command embeds a denylist that takes effect even in headless sessions where hooks may not fire. This is layer 4 of the defense-in-depth model and protects against plan-injected destructive commands.

Validators (lib/validators/*.mjs)

Read-only. Never write to user files. Used both by hooks and by command phases to detect malformed artifacts before they propagate.

Out of scope

  • Opt-in upstream architect step. Any external producer of architecture/overview.md ships its own security posture. The architecture-discovery validator in this plugin treats architecture/overview.md as an external contract (drift-WARN, never drift-FAIL).
  • LLM output content. The plugin validates artifact shape, not artifact truthfulness. A plan that passes plan-validator --strict may still contain hallucinated file paths or unsafe commands; that is why pre-bash-executor exists.
  • The Claude Code CLI itself. Report Claude Code vulnerabilities to Anthropic via https://github.com/anthropics/claude-code/issues.

Hardening recommendations

For maintainers of forks that handle untrusted task briefs or plans:

  1. Set disableSkillShellExecution: true in ~/.claude/settings.json (CC v2.1.91+) to prevent Skills from invoking arbitrary shell.
  2. Run plan validation in --strict mode before any execute:

         node ${CLAUDE_PLUGIN_ROOT}/lib/validators/plan-validator.mjs --strict plan.md

  3. Review the plan-critic adversarial output before approving plans from external sources — semantic rubric (rule #7) catches deferred decisions that an attacker could exploit.
  4. Pin a CC version floor. v3.1.0 of this plugin assumes CC ≥ 2.1.85 for the if-field on hooks; older CC silently ignores the field, weakening the scoping.

Past advisories

None as of v3.1.0. This section will list CVE-style entries if any are discovered.