open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/ultraplan-local/SECURITY.md
Kjell Tore Guttormsen 6bca3fbf00 docs(ultraplan-local): remove ultra-cc-architect references (SC-6 doc-rydding) 
Step 12 of v3.4.1 plan. Surgical line-by-line generalization of references
to the ultra-cc-architect plugin (no longer publicly distributed):

- CLAUDE.md: 8 hits → "opt-in upstream architect plugin (not bundled)"
- README.md: 9 hits including bare slug at line 646 (removed entirely);
  rephrased to "no longer publicly distributed" with the architecture/
  filesystem slot still supported by /ultraplan-local
- SECURITY.md: 1 hit → generalized "Opt-in upstream architect step"

CHANGELOG.md historical references preserved per brief; appended a
2026-05-04 note at top of [3.0.0] block stating the plugin is no longer
publicly distributed but the architecture/overview.md slot remains
supported for any compatible producer.

The architecture/overview.md filesystem contract (Handover 3, EXTERNAL,
drift-WARN) is unchanged — anyone implementing a compatible producer
can plug in.

361 tests still green (no regressions). doc-consistency pins for
/ultracontinue-local and Handover 7 § Lifecycle still pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 17:53:08 +02:00

88 lines
3.5 KiB
Markdown
Raw Blame History

# Security Policy — ultraplan-local
## Reporting a vulnerability
Open a **private** issue on Forgejo:
> https://git.fromaitochitta.com/open/ktg-plugin-marketplace
Tag it `security` and mark it private. Do not file public issues for
unpatched vulnerabilities. There is no SLA — this is a solo-maintained
plugin — but acknowledged reports are usually triaged within 7 days.
## Supported versions
Only the **current minor version** receives security fixes. When v3.2.0
ships, v3.1.x stops receiving patches. Pin to the latest minor and
update on the next bump.
| Version | Supported |
|---------|-----------|
| 3.1.x | Yes |
| 3.0.x | No (upgrade to 3.1.x) |
| < 3.0 | No |
## Scope
The plugin's security posture covers:
### Plugin-owned hooks (`hooks/scripts/`)
| Hook | Trigger | Purpose |
|------|---------|---------|
| `pre-bash-executor.mjs` | `PreToolUse` for Bash | BLOCKs known-dangerous shell patterns; WARNs on suspicious ones; fails open on parse errors |
| `pre-write-executor.mjs` | `PreToolUse` for Write | BLOCKs writes to `.git/hooks/`, `~/.ssh/`, `.env`, and other sensitive paths |
| `pre-compact-flush.mjs` | `PreCompact` | Flushes `progress.json` from git history before compaction (P0 drift fix); read-only beyond `progress.json` |
| `session-title.mjs` *(planned, F9)* | `UserPromptSubmit` | Sets session title `ultra:<command>:<slug>` for headless multiplexing |
All hooks are zero-dependency Node.js (`.mjs`) scripts and are designed
to **fail open** — a hook crash never blocks the user's work. Hooks log
to stderr only; they never write to user files outside their declared
scope.
### Prompt-level denylist (`commands/ultraexecute-local.md`)
The execute command embeds a denylist that takes effect even in headless
sessions where hooks may not fire. This is layer 4 of the defense-in-depth
model and protects against plan-injected destructive commands.
### Validators (`lib/validators/*.mjs`)
Read-only. Never write to user files. Used both by hooks and by command
phases to detect malformed artifacts before they propagate.
## Out of scope
- **Opt-in upstream architect step.** Any external producer of
`architecture/overview.md` ships its own security posture. The
architecture-discovery validator in this plugin treats
`architecture/overview.md` as an external contract (drift-WARN, never
drift-FAIL).
- **LLM output content.** The plugin validates artifact *shape*, not
artifact *truthfulness*. A plan that passes `plan-validator --strict`
may still contain hallucinated file paths or unsafe commands; that is
why `pre-bash-executor` exists.
- **The Claude Code CLI itself.** Report Claude Code vulnerabilities to
Anthropic via https://github.com/anthropics/claude-code/issues.
## Hardening recommendations
For fork-ers handling untrusted task briefs or plans:
1. **Set `disableSkillShellExecution: true`** in `~/.claude/settings.json`
(CC v2.1.91+) to prevent Skills from invoking arbitrary shell.
2. **Run plan validation in `--strict` mode** before any execute:
```bash
node ${CLAUDE_PLUGIN_ROOT}/lib/validators/plan-validator.mjs --strict plan.md
```
3. **Review the plan-critic adversarial output** before approving plans
from external sources — semantic rubric (rule #7) catches deferred
decisions that an attacker could exploit.
4. **Pin a CC version floor.** v3.1.0 of this plugin assumes CC ≥
2.1.85 for the `if`-field on hooks; older CC silently ignores the
field, weakening the scoping.
## Past advisories
None as of v3.1.0. This section will list CVE-style entries if any are
discovered.
Reference in a new issue View git blame Copy permalink