open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/ultraplan-local/SECURITY.md
Kjell Tore Guttormsen 9ecd225018 feat(ultraplan-local): Spor 3 — semantic plan-critic, examples, CC features, security docs 
- agents/plan-critic.md: rule #7 split into literal blockers (TBD/TODO/FIXME)
  + semantic rubric with 8 deferred-decision tests; calibrated against the
  5-phrase corpus from the v3.1.0 quality brief
- hooks/hooks.json: rebuilt from corrupted state; valid JSON, registers
  PreToolUse(Bash,Write), UserPromptSubmit, PostToolUse(Bash), PreCompact
- hooks/scripts/session-title.mjs: NEW — sets ultra:<cmd>:<slug> session
  title for ultra commands (CC v2.1.94+)
- hooks/scripts/post-bash-stats.mjs: NEW — appends duration_ms per Bash
  call to ultraexecute-stats.jsonl (CC v2.1.97+)
- SECURITY.md: NEW — Forgejo private-issue reporting, supported = current
  minor only, scope = 4 hooks + denylist, hardening recommendations
- docs/architect-bridge-test.md: NEW — manual smoke checklist for the
  ultraplan ↔ ultra-cc-architect bridge
- examples/01-add-verbose-flag/: NEW — calibrated end-to-end (brief +
  research + plan + progress.json) for fork-er onramp; all four artifacts
  pass their validators
- README.md: + Extending the plugin, + Headless multi-session tuning
  (MCP_CONNECTION_NONBLOCKING), + Session titles, + Per-step timing,
  + disableSkillShellExecution recommendation
- CLAUDE.md: documents session-title.mjs and post-bash-stats.mjs
- root README.md: v3.1.0 entry expanded with Spor 2+3 deliverables

CC features adopted: F8, F9, F12 implemented; F3 implemented as Bash
PostToolUse logger; F2 (hook 'if'-field scoping) deferred — universal
protection beats reduced-scope protection for blocked commands.

Tests: 109/109 green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 06:28:44 +02:00

87 lines
3.5 KiB
Markdown
Raw Blame History

# Security Policy — ultraplan-local
## Reporting a vulnerability
Open a **private** issue on Forgejo:
> https://git.fromaitochitta.com/open/ktg-plugin-marketplace
Tag it `security` and mark it private. Do not file public issues for
unpatched vulnerabilities. There is no SLA — this is a solo-maintained
plugin — but acknowledged reports are usually triaged within 7 days.
## Supported versions
Only the **current minor version** receives security fixes. When v3.2.0
ships, v3.1.x stops receiving patches. Pin to the latest minor and
update on the next bump.
| Version | Supported |
|---------|-----------|
| 3.1.x | Yes |
| 3.0.x | No (upgrade to 3.1.x) |
| < 3.0 | No |
## Scope
The plugin's security posture covers:
### Plugin-owned hooks (`hooks/scripts/`)
| Hook | Trigger | Purpose |
|------|---------|---------|
| `pre-bash-executor.mjs` | `PreToolUse` for Bash | BLOCKs known-dangerous shell patterns; WARNs on suspicious ones; fails open on parse errors |
| `pre-write-executor.mjs` | `PreToolUse` for Write | BLOCKs writes to `.git/hooks/`, `~/.ssh/`, `.env`, and other sensitive paths |
| `pre-compact-flush.mjs` | `PreCompact` | Flushes `progress.json` from git history before compaction (P0 drift fix); read-only beyond `progress.json` |
| `session-title.mjs` *(planned, F9)* | `UserPromptSubmit` | Sets session title `ultra:<command>:<slug>` for headless multiplexing |
All hooks are zero-dependency Node.js (`.mjs`) scripts and are designed
to **fail open** — a hook crash never blocks the user's work. Hooks log
to stderr only; they never write to user files outside their declared
scope.
### Prompt-level denylist (`commands/ultraexecute-local.md`)
The execute command embeds a denylist that takes effect even in headless
sessions where hooks may not fire. This is layer 4 of the defense-in-depth
model and protects against plan-injected destructive commands.
### Validators (`lib/validators/*.mjs`)
Read-only. Never write to user files. Used both by hooks and by command
phases to detect malformed artifacts before they propagate.
## Out of scope
- **`ultra-cc-architect` plugin.** Separate plugin with its own
`SECURITY.md`. The architecture-discovery validator in this plugin
treats `architecture/overview.md` as an external contract (drift-WARN,
never drift-FAIL).
- **LLM output content.** The plugin validates artifact *shape*, not
artifact *truthfulness*. A plan that passes `plan-validator --strict`
may still contain hallucinated file paths or unsafe commands; that is
why `pre-bash-executor` exists.
- **The Claude Code CLI itself.** Report Claude Code vulnerabilities to
Anthropic via https://github.com/anthropics/claude-code/issues.
## Hardening recommendations
For fork-ers handling untrusted task briefs or plans:
1. **Set `disableSkillShellExecution: true`** in `~/.claude/settings.json`
(CC v2.1.91+) to prevent Skills from invoking arbitrary shell.
2. **Run plan validation in `--strict` mode** before any execute:
```bash
node ${CLAUDE_PLUGIN_ROOT}/lib/validators/plan-validator.mjs --strict plan.md
```
3. **Review the plan-critic adversarial output** before approving plans
from external sources — semantic rubric (rule #7) catches deferred
decisions that an attacker could exploit.
4. **Pin a CC version floor.** v3.1.0 of this plugin assumes CC ≥
2.1.85 for the `if`-field on hooks; older CC silently ignores the
field, weakening the scoping.
## Past advisories
None as of v3.1.0. This section will list CVE-style entries if any are
discovered.
Reference in a new issue View git blame Copy permalink