Merged
2 changes: 1 addition & 1 deletion .claude-plugin/marketplace.json
Expand Up @@ -13,7 +13,7 @@
"name": "ansible-designer",
"source": "./",
"description": "AI-assisted Ansible authoring toolkit for Claude Code. Scaffolds, reviews, and updates playbooks, roles, collections, and ansible.cfg files following production best practices.",
"version": "0.1.4",
"version": "0.1.5",
"author": {
"name": "NomakCooper"
},
2 changes: 1 addition & 1 deletion .claude-plugin/plugin.json
@@ -1,7 +1,7 @@
{
"name": "ansible-designer",
"description": "AI-assisted Ansible authoring toolkit for Claude Code. Scaffolds, reviews, and updates playbooks, roles, collections, and ansible.cfg files following production best practices.",
"version": "0.1.4",
"version": "0.1.5",
"author": {
"name": "NomakCooper"
},
18 changes: 13 additions & 5 deletions CHANGELOG.md
Expand Up @@ -5,15 +5,23 @@ All notable changes to ansible-designer will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.1.5] - 2026-04-01

### Security

- `ansible-designer`: Removed `Requires bash_tool` from frontmatter description; replaced inline `find` shell command in global rule 8 with a plain description; removed `npx skills add` from SKILL.md (installation belongs in README, not in the skill itself) — addresses Socket LOW alert.
- `new-collection`: Added Input Validation table rejecting shell metacharacters in all user-supplied fields; added prompt injection boundary note instructing the agent to treat user inputs as literal data only; quoted variables in the `find` shell command — addresses Gen MEDIUM COMMAND_EXECUTION + PROMPT_INJECTION.
- `update-conf`: Added Step 2a Secret Scan — scans loaded content for credential-like values and redacts them before any diff display; replaced unauthenticated `redis://localhost:6379/0` example URL with a vault-referenced authenticated form; extended Safety Rules to require inline security comments on sensitive setting changes — addresses Snyk HIGH W007 + W013.
- `update-playbook`: Added Step 2a Secret Scan — scans loaded playbook for credential-like values and redacts before diff display; quoted `find` command — addresses Snyk HIGH W007.
- `update-role`: Added Step 2a Secret Scan — scans all loaded role files (especially `defaults/`, `vars/`) for credential-like values and redacts before diff display; quoted `find` command — addresses Snyk HIGH W007.

## [0.1.4] - 2026-04-01

### Security

- `ansible-designer`: Updated Installation section to recommend the Claude Code marketplace (pinned, signed) as the primary install path; added a trust warning for the unpinned `npx skills add` alternative (addresses Socket LOW alert).
- `new-collection`: Added input validation rules rejecting shell metacharacters in `namespace`, `collection_name`, `collection_path`, `description`, and `author`; added a prompt injection boundary note in the Content Requirements section instructing the agent to treat all user inputs as literal data; quoted variables in the `find` shell command (addresses Gen MEDIUM — COMMAND_EXECUTION + PROMPT_INJECTION).
- `update-conf`: Added Step 2a Secret Scan — scans loaded content for credential-like values and redacts them before any diff display; extended Safety Rules to require inline comments on all security-sensitive setting changes (addresses Snyk HIGH W007).
- `update-playbook`: Added Step 2a Secret Scan — scans loaded playbook for credential-like values and redacts them before diff display (addresses Snyk HIGH W007).
- `update-role`: Added Step 2a Secret Scan — scans all loaded role files (especially `defaults/`, `vars/`) for credential-like values and redacts them before diff display (addresses Snyk HIGH W007).
- `ansible-designer`: Updated Installation section to recommend the Claude Code marketplace as the primary install path; added a trust warning for the unpinned `npx skills add` alternative.
- `new-collection`: Added input validation rules and prompt injection boundary note; quoted variables in the `find` shell command.
- `update-conf`, `update-playbook`, `update-role`: Added Step 2a Secret Scan with credential redaction before any diff display.

## [0.1.3] - 2026-04-01

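Review bot: The 0.1.5 entries for `update-playbook` and `update-role` list "Added Step 2a Secret Scan" as new, but the 0.1.4 section directly below already records that change, and the hunks for those two files in this diff only quote the `find` argument. List under 0.1.5 only what this release changes (the quoting, the Redis example, the `ansible-designer` edits). Consider also leaving the 0.1.4 entry as it was rather than rewriting it in the same change, since the shortened text drops the scanner references and the "pinned, signed" wording without saying why.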
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "ansible-designer",
"version": "0.1.4",
"version": "0.1.5",
"description": "AI-assisted Ansible authoring toolkit for Claude Code. Scaffolds, reviews, and updates playbooks, roles, collections, and ansible.cfg files following production best practices.",
"author": "NomakCooper",
"license": "Apache-2.0",
14 changes: 3 additions & 11 deletions skills/ansible-designer/SKILL.md
@@ -1,6 +1,6 @@
---
name: ansible-designer
description: "AI-assisted Ansible authoring toolkit for Claude Code. Scaffolds, reviews, and updates playbooks, roles, collections, and ansible.cfg files following production best practices. Sub-commands: new-playbook, review-playbook, update-playbook, new-role, review-role, update-role, new-collection, review-collection, update-collection, new-conf, review-conf, update-conf. Requires bash_tool. Runs discovery (CLAUDE.md to ansible.cfg to README to filesystem) at the start of every command."
description: "AI-assisted Ansible authoring toolkit for Claude Code. Scaffolds, reviews, and updates playbooks, roles, collections, and ansible.cfg files following production best practices. Sub-commands: new-playbook, review-playbook, update-playbook, new-role, review-role, update-role, new-collection, review-collection, update-collection, new-conf, review-conf, update-conf. Runs discovery (CLAUDE.md to ansible.cfg to README to filesystem) at the start of every command."
---

# ansible-designer
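Review bot: Dropping `Requires bash_tool` from the frontmatter `description` removes the only declaration that the skill needs shell access, while `update-playbook` and `update-role` in this same change still instruct the agent to run `find ... | sort` in a bash block. If shell execution is still required, keep the statement so users and scanners can see it; if it is not, remove the remaining shell commands as well.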
Expand Down Expand Up @@ -59,7 +59,7 @@ Every sub-command enforces these rules without exception:

7. **update always diffs** — `update-*` commands read the existing file, compute the change, show a unified diff, and wait for explicit confirmation before writing a single byte.

8. **Show file tree after writes** — After any write operation, run `find <path> -type f | sort` and display the resulting file tree.
8. **Show file tree after writes** — After any write operation, list all created or modified files and display the resulting file tree.

9. **Testing-aware output** — New or updated examples must include a realistic validation path. See `references/testing.md`.

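Review bot: The new rule 8 wording loses the `<path>` scope that the old `find <path> -type f | sort` carried, so "display the resulting file tree" no longer says which directory is listed. Suggest wording such as "display the file tree under the target path", and say whether a shell command is expected, because Step 6 in `update-playbook` and `update-role` still prescribes `find`.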
Expand Down Expand Up @@ -123,14 +123,6 @@ Suggest: "Next step: [specific actionable suggestion]"

## Installation

**Recommended — Claude Code Marketplace (namespaced, verified):**
Install via the Claude Code marketplace from `3A2DEV/ansible-designer`. This path preserves the `ansible-designer:` namespace prefix and installs from a pinned, signed release.

**Alternative — npx skills CLI:**
```bash
npx skills add 3A2DEV/ansible-designer -a claude-code
```
> **Security note:** This command pulls the latest unpinned version from the registry.
> Verify the source at https://github.com/3A2DEV/ansible-designer before running in sensitive environments.
Install via the Claude Code marketplace from `3A2DEV/ansible-designer`. This preserves the `ansible-designer:` namespace prefix for all sub-commands.

Requires Claude Code.
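Review bot: In the Installation section, the security note about the unpinned `npx skills add` path is deleted rather than moved: the changelog says installation "belongs in README", but no README change appears in this diff. The replacement sentence also drops the "pinned, signed release" statement, so the section no longer tells the reader which version they get or how to verify the source. Carry the warning and the repository URL into the README in the same change, or keep one line here pointing to it.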
4 changes: 2 additions & 2 deletions skills/update-conf/SKILL.md
Expand Up @@ -56,9 +56,9 @@ Apply the requested change:
forks = 10
timeout = 30
+
+# Fact caching: redis (shared across controller nodes)
+# Fact caching: redis (shared across controller nodes; configure auth via REDIS_URL or vault)
+fact_caching = redis
+fact_caching_connection = redis://localhost:6379/0
+fact_caching_connection = redis://:{{ vault_redis_password }}@cache.internal:6379/0
+fact_caching_timeout = 86400
```

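Review bot: The new `fact_caching_connection` line puts `{{ vault_redis_password }}` inside `ansible.cfg`, which Ansible reads as static INI before any vault or play variables are available, so the placeholder would reach the cache plugin as literal text rather than as a password. Show the secret being supplied outside the file, for example through the `ANSIBLE_CACHE_PLUGIN_CONNECTION` environment variable, and check that `REDIS_URL` in the comment is a variable the cache plugin actually reads.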
2 changes: 1 addition & 1 deletion skills/update-playbook/SKILL.md
Expand Up @@ -75,7 +75,7 @@ Then ask: **"Apply this change? (yes/no)"**
### Step 6 — Final Output
Show the updated file tree:
```bash
find <playbook_dir> -type f | sort
find "<playbook_dir>" -type f | sort
```

Suggest next step:
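Review bot: Double-quoting `<playbook_dir>` in Step 6 stops word splitting, but the agent substitutes the value into the command text, and inside double quotes the shell still expands `$(...)`, backticks and `$VAR`, while an embedded `"` ends the quoting. Validate the path against an allow-list of characters before substitution, as the changelog describes for `new-collection`, and prefix relative paths with `./` so a value starting with `-` is not parsed by `find` as an expression.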
2 changes: 1 addition & 1 deletion skills/update-role/SKILL.md
Expand Up @@ -76,7 +76,7 @@ Then ask: **"Apply these changes? (yes/no)"**
### Step 6 — Final Output
Show file tree of the updated role:
```bash
find roles/<role_name> -type f | sort
find "roles/<role_name>" -type f | sort
```

Suggest next step:
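Review bot: `"roles/<role_name>"` is now quoted, but nothing in this hunk constrains `<role_name>`, so a value containing `../` would make `find` list files outside `roles/`. Check the name against the role naming pattern (lowercase letters, digits and underscores) before Step 6 builds the command; with that check in place the quoting is a second layer rather than the only one.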