@hegemonart/get-design-done 1.60.1 → 1.60.2

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "Get Design Done — 5-stage agent-orchestrated design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 agents, 96 skills, 39 connection integrations, two MCP servers, opt-in SQLite state backbone, bidirectional Figma write-back, and a reflector-driven self-improvement loop. Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, and more.",
-    "version": "1.60.1"
+    "version": "1.60.2"
   },
   "plugins": [
     {
       "name": "get-design-done",
       "source": "./",
       "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (gdd-state for typed STATE mutators, gdd-mcp for 13 read-only project-priming tools), tier-aware routing with cost telemetry, and defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer). Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
-      "version": "1.60.1",
+      "version": "1.60.2",
       "author": {
         "name": "hegemonart"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "get-design-done",
   "short_name": "gdd",
-  "version": "1.60.1",
+  "version": "1.60.2",
   "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store for O(1) design-surface lookups, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (`gdd-state` for typed STATE mutators, `gdd-mcp` for 13 read-only project-priming tools), tier-aware agent routing with cost telemetry, defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer), and a cross-runtime install layer for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
   "author": {
     "name": "hegemonart",

package/CHANGELOG.md

@@ -4,6 +4,28 @@ All notable changes to get-design-done are documented here. Versions follow [sem
 
 ---
 
+## [1.60.2] - 2026-06-13
+
+**Security & CI hardening** - bring the SAST/dependency-audit gates the project lacked, and close the one untrusted-link gap in the injection scanner, *before* the detection engine lands its large new surface. Sourced from a reconciliation against the upstream framework's recent releases (`.planning/audits/UPSTREAM-GSD-CORE-DIFF-2026-06-13.md`).
+
+### Added
+
+- **CodeQL / SAST workflow** (`.github/workflows/codeql.yml`) - `javascript-typescript` with the `security-extended` query suite, on push / PR / weekly schedule. Analysis-only (alerts surface in the Security tab; the job is non-blocking on pre-existing findings). A regression guard for every future PR, established now on a clean tree.
+- **`npm audit` production gate in CI** - `npm audit --omit=dev --audit-level=high` in the security job. Scoped to production dependencies (what ships to consumers); dev-only advisories don't gate the build. Currently green.
+- **Dangerous-link scheme detection in the injection scanner** - `scripts/injection-patterns.cjs` now flags `javascript:` URIs, `data:text/html` / `data:` script payloads, userinfo-credential URLs (`scheme://user:pass@host`), and secret-bearing query params (cross-referenced to the redaction token shapes). These flow from untrusted markdown read by the Read hook and the design-authority watcher's feed ingest, which previously had zero coverage for them. Pattern count 21 to 27; both the runtime hook and the CI scanner auto-consume the new patterns. Tightly anchored with negative fixtures so legitimate `https://`, `mailto:`, `data:image`, and ordinary query strings are not flagged.
+
+### Changed
+
+- **`hono` override `>=4.12.23`** added to `package.json` (transitive via `@modelcontextprotocol/sdk`). Precautionary / future-proofing - our `npm audit` does not currently flag the resolved `hono@4.12.21`; this pins the dependency forward regardless. Resolves to `4.12.25`.
+
+### Breaking changes
+
+None.
+
+5,143/5,143 tests pass.
+
+---
+
 ## [1.60.1] - 2026-06-10
 
 **Security hardening** - two HIGH-severity vulnerabilities closed before the upcoming rebrand copies the foundation layer across every runtime. Both were reachable by a prompt-injected agent, undercutting the trust boundary the plugin's own scanners exist to defend. Each fix ships with failing-then-passing regression tests; an independent adversarial audit confirmed both vectors are dead with no surviving bypass.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hegemonart/get-design-done",
-  "version": "1.60.1",
+  "version": "1.60.2",
   "description": "A design-quality pipeline for AI coding agents: brief, explore, plan, design, and verify UI work against your design system.",
   "author": "Hegemon",
   "homepage": "https://github.com/hegemonart/get-design-done",
@@ -156,6 +156,7 @@
   },
   "overrides": {
     "fast-json-patch": "^3.1.1",
+    "hono": ">=4.12.23",
     "qs": ">=6.15.2"
   }
 }

package/scripts/injection-patterns.cjs

@@ -41,6 +41,53 @@ const INJECTION_PATTERNS = [
   { name: 'tar-home-netcat',          re: /\btar\s+c[fzvj]+\s+-\s+~[^\n]*\|\s*(nc|ssh|curl)/ },
   { name: 'env-dot-leak',             re: /process\.env\.[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET)\s*[^;,\n]*(fetch|axios|XMLHttpRequest|http\.request)/ },
   { name: 'ssh-key-cat',              re: /\bcat\s+~?\/?\.ssh\/id_(rsa|ed25519|ecdsa|dsa)\b/ },
+
+  // ── dangerous URL schemes + credential links (60.2 / SEC-CI-03) ──────
+  // These flow from untrusted markdown (Read hook) and RSS/article ingest.
+  // Each regex is anchored tightly to avoid false-positives on the repo's
+  // own shipped docs (the CI scan:injection gate scans them) and is
+  // linear-time (bounded quantifiers, no nested/overlapping repetition).
+
+  // `javascript:` used as a link/href target. The colon must be directly
+  // followed by a non-whitespace payload char — so prose like "JavaScript:"
+  // (a sentence colon, followed by a space) and the bare word "JavaScript"
+  // do NOT match. Preceded by start-of-string or a non-word char so it
+  // anchors on `](javascript:` / `href="javascript:` / `=javascript:`.
+  { name: 'javascript: uri',          re: /(?:^|[^\w])javascript:(?=\S)/i },
+
+  // `data:text/html` URIs (optional ;base64). Will NOT match `data:image/…`,
+  // nor `data: <word>` prose (colon-space): the literal `text/html` is required.
+  { name: 'data:text/html uri',       re: /\bdata:text\/html\b/i },
+
+  // `data:` URI carrying a script payload (covers data: media types beyond
+  // text/html). `[^\s<]{0,200}` is a bounded run (no ReDoS) that also
+  // EXCLUDES `<`, so it cannot reach across a `<script` that appears BEFORE
+  // `data:` on the line (e.g. export-formats.md:27 "…<script> … data: URIs"):
+  // there the char after `data:` is a backtick+space, the run stops at the
+  // space, and no script marker follows. Requires `data:` to be immediately
+  // followed (no space) by payload chars that lead into `<script`/`%3Cscript`.
+  { name: 'data: script payload',     re: /data:[^\s<]{0,200}(?:<script|%3Cscript)/i },
+
+  // userinfo-credential URL: `scheme://user:pass@host`. The `:` must appear
+  // in the userinfo segment BEFORE the `@`, and both must precede the first
+  // `/` of the path (i.e. inside the authority). Mutually-exclusive char
+  // classes on the boundary chars keep it linear. Does NOT match
+  // `mailto:user@host` (no `://`), bare `user@host` (no `://`), a plain
+  // `https://host/path` (no `@`), nor an `@` that appears only in the path.
+  { name: 'userinfo credentials url', re: /:\/\/[^/\s:@]+:[^/\s@]*@/ },
+
+  // Secret-bearing query param. Two linear alternatives:
+  //   (a) a query KEY named like a credential (token/api_key/secret/…)
+  //       followed by `=` and a non-trivial value; OR
+  //   (b) any query value matching a redact.cjs secret SHAPE
+  //       (sk-ant-/sk-/jwt/AIza/ghp_/gh[sour]_/AKIA/xox…).
+  // `[^&\s#]+` and the shape bodies are bounded by their delimiters / fixed
+  // lengths — no catastrophic backtracking. Does NOT match benign params
+  // like `?q=`, `?lang=en`, `?sort=desc`, `?page=2`.
+  {
+    name: 'secret-bearing query param',
+    re: /[?&](?:access_token|client_secret|api[_-]?key|apikey|token|secret|password|auth)=[^&\s#]+|[?&][\w-]{1,40}=(?:sk-ant-[\w-]{20,}|sk-[\w-]{20,}|eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}|AIza[\w-]{35}|ghp_[A-Za-z0-9]{36,}|gh[sour]_[A-Za-z0-9]{36,}|AKIA[0-9A-Z]{16}|xox[baprs]-[\w-]{10,})/i,
+  },
 ];
 
 /**