open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/ultraplan-local/SECURITY.md
Kjell Tore Guttormsen 14ecda886c feat(voyage)!: bulk content rewrite ultra -> voyage/trek prose [skip-docs] 
Sed-pipeline (16 patterns, longest-match-first) sweeper residuelle ultra*-treff
i prose, command-narrativ, agent-prompts, hook-kommentarer, doc-prosa.

Pipeline-utvidelser fra V4-prompten:
- BSD-syntax [[:<:]]ultra[[:>:]] istedenfor \bultra\b (BSD sed mangler \b)
- 6 compound-patterns for ultraplan/ultraexecute/ultraresearch/ultrabrief/
  ultrareview/ultracontinue uten -local-suffiks
- ultra*-stats glob -> trek*-stats glob
- Linje-eksklusjon redusert til ultra-cc-architect (Q8); session-state-
  eksklusjonen var over-protektiv
- File-eksklusjon utvidet til settings.json, package.json, plugin.json,
  hele .claude/-treet (gitignored + V5-territorium)

Q8-undantak holdt: architecture-discovery.mjs + project-discovery.mjs urort.
Filnavn-konvensjon holdt: .session-state.local.json + *.local.* preservert.

Manuell narrative-fix: tests/lib/agent-frontmatter.test.mjs linje 10
mangled "/ultra*-local" til "/voyage*-local" (ingen slik kommando finnes);
korrigert til "/trek*".

Residualer utenfor scope (V5 handterer): package.json + .claude-plugin/
plugin.json (Step 12-14 versjons-bump). .claude/* er gitignored
spec-historikk med tilsiktet BEFORE/AFTER-narrativ.

Part of voyage-rebrand session 3 (Wave 4 / Step 10).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 15:08:20 +02:00

88 lines
3.5 KiB
Markdown
Raw Blame History

# Security Policy — trekplan
## Reporting a vulnerability
Open a **private** issue on Forgejo:
> https://git.fromaitochitta.com/open/ktg-plugin-marketplace
Tag it `security` and mark it private. Do not file public issues for
unpatched vulnerabilities. There is no SLA — this is a solo-maintained
plugin — but acknowledged reports are usually triaged within 7 days.
## Supported versions
Only the **current minor version** receives security fixes. When v3.2.0
ships, v3.1.x stops receiving patches. Pin to the latest minor and
update on the next bump.
| Version | Supported |
|---------|-----------|
| 3.1.x | Yes |
| 3.0.x | No (upgrade to 3.1.x) |
| < 3.0 | No |
## Scope
The plugin's security posture covers:
### Plugin-owned hooks (`hooks/scripts/`)
| Hook | Trigger | Purpose |
|------|---------|---------|
| `pre-bash-executor.mjs` | `PreToolUse` for Bash | BLOCKs known-dangerous shell patterns; WARNs on suspicious ones; fails open on parse errors |
| `pre-write-executor.mjs` | `PreToolUse` for Write | BLOCKs writes to `.git/hooks/`, `~/.ssh/`, `.env`, and other sensitive paths |
| `pre-compact-flush.mjs` | `PreCompact` | Flushes `progress.json` from git history before compaction (P0 drift fix); read-only beyond `progress.json` |
| `session-title.mjs` *(planned, F9)* | `UserPromptSubmit` | Sets session title `voyage:<command>:<slug>` for headless multiplexing |
All hooks are zero-dependency Node.js (`.mjs`) scripts and are designed
to **fail open** — a hook crash never blocks the user's work. Hooks log
to stderr only; they never write to user files outside their declared
scope.
### Prompt-level denylist (`commands/trekexecute.md`)
The execute command embeds a denylist that takes effect even in headless
sessions where hooks may not fire. This is layer 4 of the defense-in-depth
model and protects against plan-injected destructive commands.
### Validators (`lib/validators/*.mjs`)
Read-only. Never write to user files. Used both by hooks and by command
phases to detect malformed artifacts before they propagate.
## Out of scope
- **Opt-in upstream architect step.** Any external producer of
`architecture/overview.md` ships its own security posture. The
architecture-discovery validator in this plugin treats
`architecture/overview.md` as an external contract (drift-WARN, never
drift-FAIL).
- **LLM output content.** The plugin validates artifact *shape*, not
artifact *truthfulness*. A plan that passes `plan-validator --strict`
may still contain hallucinated file paths or unsafe commands; that is
why `pre-bash-executor` exists.
- **The Claude Code CLI itself.** Report Claude Code vulnerabilities to
Anthropic via https://github.com/anthropics/claude-code/issues.
## Hardening recommendations
For fork-ers handling untrusted task briefs or plans:
1. **Set `disableSkillShellExecution: true`** in `~/.claude/settings.json`
(CC v2.1.91+) to prevent Skills from invoking arbitrary shell.
2. **Run plan validation in `--strict` mode** before any execute:
```bash
node ${CLAUDE_PLUGIN_ROOT}/lib/validators/plan-validator.mjs --strict plan.md
```
3. **Review the plan-critic adversarial output** before approving plans
from external sources — semantic rubric (rule #7) catches deferred
decisions that an attacker could exploit.
4. **Pin a CC version floor.** v3.1.0 of this plugin assumes CC ≥
2.1.85 for the `if`-field on hooks; older CC silently ignores the
field, weakening the scoping.
## Past advisories
None as of v3.1.0. This section will list CVE-style entries if any are
discovered.
Reference in a new issue View git blame Copy permalink