docs: add full-depth plugin review (pilot, 2026-06-20)

Pilot review for a marketplace-wide review method. config-audit v5.4.0 (posture A,
plugin-health 0) + llm-security (A-, 0 critical/high/medium) + structure + version.
Verdict: strong, low-risk plugin. 2 Low nits (assert cycle-ID before rm in oppsett.md:457;
SECURITY.md:57 key-storage guidance). Read-only review; this file is the only artifact.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
This commit is contained in:
Kjell Tore Guttormsen 2026-06-20 07:28:54 +02:00
commit cff9ac0447

50
docs/review-2026-06-20.md Normal file
View file

@ -0,0 +1,50 @@
# Plugin review — okr (2026-06-20)
> Full-depth review, run as the **pilot** for a marketplace-wide review method (validated here
> before scaling to the other 9 plugins). Tooling: config-audit **v5.4.0** scanners (run from
> source) + llm-security posture assessor + structure/version checks. Read-only; this file is the
> only artifact written.
## Verdict
**okr is a strong, low-risk plugin.** No critical/high/medium security findings, config posture A,
version-consistent. Two Low documentation/hardening nits are the only actionable items; neither
blocks anything.
## Results by dimension
| Dimension | Tool | Result |
|-----------|------|--------|
| Config posture | config-audit `posture` | **A** overall — CLAUDE.md A, Settings/Hooks/Rules/MCP/Conflicts/Plugin-Hygiene A 100, Token-Efficiency A 90. Only weak area: **Feature Coverage D 40** (an opportunity, not a defect). |
| Plugin health | config-audit `plugin-health` | **0 findings.** (An earlier run reported 10× "command missing `model`"; that was an over-report in the scanner — `model` is an optional command field. Fixed in config-audit `a5cfc33` during this pilot.) |
| Security posture | llm-security posture assessor | **A** (risk ~6/100, ALLOW/Install). 0 critical/high/medium. 9 OWASP-LLM categories mostly A; B on deny-first/secrets/path/destructive only because explicit `settings.json`/guard-hooks are absent — not defects for a read-mostly content plugin. |
| Structure / hygiene | manual | README 280L, CHANGELOG ✓, CLAUDE.md 77L, LICENSE ✓. All 7 agents carry `name`+`description`+`model`; all 10 commands carry `name`+`description`+`allowed-tools` (no `model` — which is fine, it's optional). |
| Version consistency | catalog version-gate | **OK**`plugin.json` 1.3.0 == README badge == catalog `ref` v1.3.0… see note below. |
## Actionable findings
| ID | Severity | Location | Finding |
|----|----------|----------|---------|
| OKR-01 | Low | `commands/oppsett.md:457` | `rm -rf .claude/okr/syklus/[id]/` is human-gated (`AskUserQuestion`, line 450) and path-scoped, but a malformed/empty `[id]` could collapse the glob. **Recommend:** assert `[id]` is non-empty and matches the cycle-ID regex (`T[1-3]-YYYY`) before the `rm`. |
| OKR-02 | Low | `SECURITY.md:57` | Says Linear API keys are "stored locally in `okr.local.md`", while the template/best-practice text recommends env vars. Mitigated (`*.local.md` is gitignored), but the guidance could lead a user to paste a token. **Recommend:** steer keys to `.mcp.json`/env only. |
| — | Info | `agents/fremdriftssporer-agent.md`, `commands/oppsett.md:193`, `hooks/scripts/inject-okr-context.mjs` | Linear MCP write-back (user's own credentials), a read-only `~/.claude/settings.json` detection, and a bounded (≤50 files) hook context-injection — all traced to evidence and **cleared** (not risks). |
## Note — version drift (separate from this review)
`plugin.json` is 1.3.0 and the catalog `ref` is v1.3.0 → consistent. (Earlier in the marketplace
sweep, okr showed as version-OK in `catalog/scripts/check-versions.mjs`; the 2 WARN plugins were
linkedin-studio and ms-ai-architect, not okr.)
## What the pilot validated (for the other 9 plugins)
1. **The method works from config-audit source (v5.4.0)** — no dependency on the installed plugin
version. The 4 dimensions ran cleanly against a sibling repo, read-only.
2. **It surfaced a real tooling bug, not just plugin findings** — config-audit's plugin-health
required optional CC frontmatter fields (`model`/`tools`/`name`/`allowed-tools`). Fixed before
scaling, so the other 9 reviews get signal, not 1029 spurious medium findings each.
3. **The security pass clears false-positive-prone patterns** (MCP tool calls, a gated `rm -rf`, a
global-settings read, documentation URLs) by tracing each to evidence rather than flagging on
pattern alone — confirmed on this near-clean baseline.
4. **Expect heavier exercise on write/Bash-heavy plugins** (e.g. ms-ai-architect, voyage,
linkedin-studio) — okr's 7 agents are Read/Glob-only, so destructive-command and path-guard
categories were lightly tested here.