open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/voyage/SECURITY.md
Kjell Tore Guttormsen 7a90d348ad feat(voyage)!: marketplace handoff — rename plugins/ultraplan-local to plugins/voyage [skip-docs] 
Session 5 of voyage-rebrand (V6). Operator-authorized cross-plugin scope.

- git mv plugins/ultraplan-local plugins/voyage (rename detected, history preserved)
- .claude-plugin/marketplace.json: voyage entry replaces ultraplan-local
- CLAUDE.md: voyage row in plugin list, voyage in design-system consumer list
- README.md: bulk rename ultra*-local commands -> trek* commands; ultraplan-local refs -> voyage; type discriminators (type: trekbrief/trekreview); session-title pattern (voyage:<command>:<slug>); v4.0.0 release-note paragraph
- plugins/voyage/.claude-plugin/plugin.json: homepage/repository URLs point to monorepo voyage path
- plugins/voyage/verify.sh: drop URL whitelist exception (no longer needed)

Closes voyage-rebrand. bash plugins/voyage/verify.sh PASS 7/7. npm test 361/361.
2026-05-05 15:37:52 +02:00

88 lines
3.5 KiB
Markdown
Raw Blame History

# Security Policy — trekplan
## Reporting a vulnerability
Open a **private** issue on Forgejo:
> https://git.fromaitochitta.com/open/ktg-plugin-marketplace
Tag it `security` and mark it private. Do not file public issues for
unpatched vulnerabilities. There is no SLA — this is a solo-maintained
plugin — but acknowledged reports are usually triaged within 7 days.
## Supported versions
Only the **current minor version** receives security fixes. When v3.2.0
ships, v3.1.x stops receiving patches. Pin to the latest minor and
update on the next bump.
| Version | Supported |
|---------|-----------|
| 3.1.x | Yes |
| 3.0.x | No (upgrade to 3.1.x) |
| < 3.0 | No |
## Scope
The plugin's security posture covers:
### Plugin-owned hooks (`hooks/scripts/`)
| Hook | Trigger | Purpose |
|------|---------|---------|
| `pre-bash-executor.mjs` | `PreToolUse` for Bash | BLOCKs known-dangerous shell patterns; WARNs on suspicious ones; fails open on parse errors |
| `pre-write-executor.mjs` | `PreToolUse` for Write | BLOCKs writes to `.git/hooks/`, `~/.ssh/`, `.env`, and other sensitive paths |
| `pre-compact-flush.mjs` | `PreCompact` | Flushes `progress.json` from git history before compaction (P0 drift fix); read-only beyond `progress.json` |
| `session-title.mjs` *(planned, F9)* | `UserPromptSubmit` | Sets session title `voyage:<command>:<slug>` for headless multiplexing |
All hooks are zero-dependency Node.js (`.mjs`) scripts and are designed
to **fail open** — a hook crash never blocks the user's work. Hooks log
to stderr only; they never write to user files outside their declared
scope.
### Prompt-level denylist (`commands/trekexecute.md`)
The execute command embeds a denylist that takes effect even in headless
sessions where hooks may not fire. This is layer 4 of the defense-in-depth
model and protects against plan-injected destructive commands.
### Validators (`lib/validators/*.mjs`)
Read-only. Never write to user files. Used both by hooks and by command
phases to detect malformed artifacts before they propagate.
## Out of scope
- **Opt-in upstream architect step.** Any external producer of
`architecture/overview.md` ships its own security posture. The
architecture-discovery validator in this plugin treats
`architecture/overview.md` as an external contract (drift-WARN, never
drift-FAIL).
- **LLM output content.** The plugin validates artifact *shape*, not
artifact *truthfulness*. A plan that passes `plan-validator --strict`
may still contain hallucinated file paths or unsafe commands; that is
why `pre-bash-executor` exists.
- **The Claude Code CLI itself.** Report Claude Code vulnerabilities to
Anthropic via https://github.com/anthropics/claude-code/issues.
## Hardening recommendations
For fork-ers handling untrusted task briefs or plans:
1. **Set `disableSkillShellExecution: true`** in `~/.claude/settings.json`
(CC v2.1.91+) to prevent Skills from invoking arbitrary shell.
2. **Run plan validation in `--strict` mode** before any execute:
```bash
node ${CLAUDE_PLUGIN_ROOT}/lib/validators/plan-validator.mjs --strict plan.md
```
3. **Review the plan-critic adversarial output** before approving plans
from external sources — semantic rubric (rule #7) catches deferred
decisions that an attacker could exploit.
4. **Pin a CC version floor.** v3.1.0 of this plugin assumes CC ≥
2.1.85 for the `if`-field on hooks; older CC silently ignores the
field, weakening the scoping.
## Past advisories
None as of v3.1.0. This section will list CVE-style entries if any are
discovered.
Reference in a new issue View git blame Copy permalink