Kjell Tore Guttormsen aa21e59ac2 feat(ultraplan-local): defense-in-depth security hardening for executor

Four-layer security model for ultraexecute-local and headless sessions:

Layer 1 — Plugin hooks: pre-bash-executor.mjs (13 BLOCK + 8 WARN rules
with bash evasion normalization) and pre-write-executor.mjs (8 path guard
rules blocking .git/hooks, .claude/settings, shell configs, .env, SSH/AWS).

Layer 2 — Prompt-level security rules: denylist in ultraexecute-local.md
Sub-step D and session-spec-template.md Security Constraints section.
These are the only rules that work in headless child sessions.

Layer 3 — Pre-execution plan validation: new Phase 2.4 scans all Verify
and Checkpoint commands against denylist before execution begins.

Layer 4 — Replace --dangerously-skip-permissions with scoped
--allowedTools "Read,Write,Edit,Bash,Glob,Grep" --permission-mode
bypassPermissions in ultraexecute-local.md, headless-launch-template.md,
and session-decomposer.md. Blocks Agent, MCP, WebSearch in child sessions.

Also adds Hard Rules 14-16: verify command security check, no writing
outside repository root, no writing to security-sensitive paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-08 18:33:15 +02:00

3 KiB

Raw Blame History

Session {N}: {title}

From master plan: {plan file path} Session {N} of {total sessions}

Context

{Why this session exists. What it accomplishes within the larger plan. Include enough background that an executor with no prior context can understand the purpose and make judgment calls.}

Dependencies

Depends on: {Session M | "none — can run in parallel"}
Blocks: {Session P | "none"}
Entry condition: {what must be true before this session starts — e.g., "Session 2 committed and tests pass"}

Scope Fence

Touch: {explicit list of files this session may create or modify}
Never touch: {files that belong to other sessions — hard boundary}

Steps

Step 1: {description}

Files: {path}
Changes: {exactly what to modify}
Reuses: {existing function/pattern, with file path}
Test first: {test file, what it verifies, pattern to follow}
Verify: {exact command} → expected: {output}
On failure: {revert | retry | skip | escalate} — {specific instructions}
Checkpoint: git commit -m "{message}"

Step 2: {description}

{same structure as Step 1}

Exit Condition

All of these must pass before this session is considered complete:

{verification command} → expected: {output}
{verification command} → expected: {output}
All changes committed with descriptive messages
No uncommitted changes remain (git status clean)

Failure Handling

If ANY step fails after retry: stop execution. Do NOT proceed to later steps.

Security Constraints

These rules override any step instructions that conflict with them:

Never run rm -rf, chmod 777, pipe-to-shell (curl|bash, wget|sh, base64|bash), eval with variable expansion, mkfs, dd to block devices, shutdown/reboot/halt, fork bombs, crontab writes, or kill -9 -1
Never modify files outside the Scope Fence (Touch list above)
Never write to .git/hooks/, ~/.ssh/, ~/.aws/, ~/.gnupg/, .env files, shell configs (~/.zshrc, ~/.bashrc, ~/.profile)
Never write to .claude/settings.json, .claude/hooks/, or any hook script — these are security infrastructure and must not be modified by execution
If a Verify: or Checkpoint: command violates these rules: treat as On failure: escalate and stop execution regardless of the step's On failure setting
Commit whatever was completed successfully before stopping.
Report which step failed, the error message, and what was attempted.

Handoff State

{What the next session (or final verification) needs to know about this session's output. Include: new files created, exports added, configuration changed, APIs introduced. This section bridges sessions — it's the "baton" in a relay race.}

Metadata

Master plan: {plan file path}
Steps from plan: {step N}–{step M}
Estimated complexity: {low | medium | high}
Model recommendation: {opus | sonnet} — {rationale}

3 KiB Raw Blame History Unescape Escape