open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/ultraplan-local/SECURITY.md
Kjell Tore Guttormsen 6bca3fbf00 docs(ultraplan-local): remove ultra-cc-architect references (SC-6 doc-rydding) 
Step 12 of v3.4.1 plan. Surgical line-by-line generalization of references
to the ultra-cc-architect plugin (no longer publicly distributed):

- CLAUDE.md: 8 hits → "opt-in upstream architect plugin (not bundled)"
- README.md: 9 hits including bare slug at line 646 (removed entirely);
  rephrased to "no longer publicly distributed" with the architecture/
  filesystem slot still supported by /ultraplan-local
- SECURITY.md: 1 hit → generalized "Opt-in upstream architect step"

CHANGELOG.md historical references preserved per brief; appended a
2026-05-04 note at top of [3.0.0] block stating the plugin is no longer
publicly distributed but the architecture/overview.md slot remains
supported for any compatible producer.

The architecture/overview.md filesystem contract (Handover 3, EXTERNAL,
drift-WARN) is unchanged — anyone implementing a compatible producer
can plug in.

361 tests still green (no regressions). doc-consistency pins for
/ultracontinue-local and Handover 7 § Lifecycle still pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 17:53:08 +02:00

3.5 KiB
Raw Blame History

Security Policy — ultraplan-local

Reporting a vulnerability

Open a private issue on Forgejo:

https://git.fromaitochitta.com/open/ktg-plugin-marketplace

Tag it security and mark it private. Do not file public issues for unpatched vulnerabilities. There is no SLA — this is a solo-maintained plugin — but acknowledged reports are usually triaged within 7 days.

Supported versions

Only the current minor version receives security fixes. When v3.2.0 ships, v3.1.x stops receiving patches. Pin to the latest minor and update on the next bump.

Version Supported
3.1.x Yes
3.0.x No (upgrade to 3.1.x)
< 3.0 No

Scope

The plugin's security posture covers:

Plugin-owned hooks (hooks/scripts/)

Hook Trigger Purpose
pre-bash-executor.mjs PreToolUse for Bash BLOCKs known-dangerous shell patterns; WARNs on suspicious ones; fails open on parse errors
pre-write-executor.mjs PreToolUse for Write BLOCKs writes to .git/hooks/, ~/.ssh/, .env, and other sensitive paths
pre-compact-flush.mjs PreCompact Flushes progress.json from git history before compaction (P0 drift fix); read-only beyond progress.json
session-title.mjs (planned, F9) UserPromptSubmit Sets session title ultra:<command>:<slug> for headless multiplexing

All hooks are zero-dependency Node.js (.mjs) scripts and are designed to fail open — a hook crash never blocks the user's work. Hooks log to stderr only; they never write to user files outside their declared scope.

Prompt-level denylist (commands/ultraexecute-local.md)

The execute command embeds a denylist that takes effect even in headless sessions where hooks may not fire. This is layer 4 of the defense-in-depth model and protects against plan-injected destructive commands.

Validators (lib/validators/*.mjs)

Read-only. Never write to user files. Used both by hooks and by command phases to detect malformed artifacts before they propagate.

Out of scope

  • Opt-in upstream architect step. Any external producer of architecture/overview.md ships its own security posture. The architecture-discovery validator in this plugin treats architecture/overview.md as an external contract (drift-WARN, never drift-FAIL).
  • LLM output content. The plugin validates artifact shape, not artifact truthfulness. A plan that passes plan-validator --strict may still contain hallucinated file paths or unsafe commands; that is why pre-bash-executor exists.
  • The Claude Code CLI itself. Report Claude Code vulnerabilities to Anthropic via https://github.com/anthropics/claude-code/issues.

Hardening recommendations

For fork-ers handling untrusted task briefs or plans:

  1. Set disableSkillShellExecution: true in ~/.claude/settings.json (CC v2.1.91+) to prevent Skills from invoking arbitrary shell.
  2. Run plan validation in --strict mode before any execute: 
    node ${CLAUDE_PLUGIN_ROOT}/lib/validators/plan-validator.mjs --strict plan.md
  3. Review the plan-critic adversarial output before approving plans from external sources — semantic rubric (rule #7) catches deferred decisions that an attacker could exploit.
  4. Pin a CC version floor. v3.1.0 of this plugin assumes CC ≥ 2.1.85 for the if-field on hooks; older CC silently ignores the field, weakening the scoping.

Past advisories

None as of v3.1.0. This section will list CVE-style entries if any are discovered.