Four-layer security model for ultraexecute-local and headless sessions:

Layer 1 — Plugin hooks: pre-bash-executor.mjs (13 BLOCK + 8 WARN rules with bash evasion normalization) and pre-write-executor.mjs (8 path guard rules blocking .git/hooks, .claude/settings, shell configs, .env, SSH/AWS).

Layer 2 — Prompt-level security rules: denylist in ultraexecute-local.md Sub-step D and session-spec-template.md Security Constraints section. These are the only rules that work in headless child sessions.

Layer 3 — Pre-execution plan validation: new Phase 2.4 scans all Verify and Checkpoint commands against denylist before execution begins.

Layer 4 — Replace --dangerously-skip-permissions with scoped --allowedTools "Read,Write,Edit,Bash,Glob,Grep" --permission-mode bypassPermissions in ultraexecute-local.md, headless-launch-template.md, and session-decomposer.md. Blocks Agent, MCP, WebSearch in child sessions.

Also adds Hard Rules 14-16: verify command security check, no writing outside repository root, no writing to security-sensitive paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
24 lines
480 B
JSON
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/scripts/pre-bash-executor.mjs"
          }
        ]
      },
      {
        "matcher": "Write",
        "hooks": [
          {
            "type": "command",
            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/scripts/pre-write-executor.mjs"
          }
        ]
      }
    ]
  }
}
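Review bot: the second PreToolUse entry matches only "Write", so pre-write-executor.mjs is never invoked for Edit calls, even though the commit message's Layer 4 keeps Edit in --allowedTools. A change to an existing file under one of the guarded paths (.git/hooks, .claude/settings, shell configs, .env, SSH/AWS) made through Edit would not pass through this hook. Consider widening the matcher to "matcher": "Write|Edit" and confirming that the script reads the target path from the Edit tool input as well as from Write. It would also help to document next to this file that, per the commit message, these hooks do not run in headless child sessions, so the path guard is not the only control relied on there.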