If you discover a security vulnerability in this plugin, please report it responsibly:
Email: tenshkumar.k@acheron-tech.com
Do NOT open a public GitHub issue for security vulnerabilities.
We will acknowledge receipt within 48 hours and provide a timeline for resolution.
All 7 hooks in this plugin run locally on your machine. They:
- Read from stdin — Claude Code's hook protocol sends a JSON payload via stdin containing:
  - tool_input: The command/file path being used
  - tool_response: The output of the command (for post-hooks)
  - agent_type, agent_id, session_id: Agent metadata (for subagent hooks)
- Write to local files — Hooks write only to:
  - upgrade/state.json — Upgrade progress tracking
  - upgrade/logs/*.jsonl — Audit trail of commands and agent activity
  - upgrade/reports/*.md — Build/test reports
  - logs/session-audit.jsonl — Command audit log
- Never make external network calls — No API calls, no telemetry, no analytics.
- Never read credentials — Hooks do not access environment variables beyond those configured in settings.json.
The plugin ships with 3 MCP server configurations. These do make external calls:
| Server | External Calls | Purpose |
|---|---|---|
| context7 | Yes — Upstash API | Live Angular/Material/RxJS documentation lookup |
| playwright | No (local) | Browser automation via local Playwright install |
| fetch | Yes — HTTP | Read Angular update guides, changelogs, npm registry |
All MCP servers are clearly labeled in mcp.json with descriptions. playwright is disabled by default.
Hooks use Claude Code's exit code protocol:
- exit 0 — Allow the action, optionally output context
- exit 1 — Warn Claude but allow the action
- exit 2 — Block the action and show an error message
| Version | Supported |
|---|---|
| 1.0.x | ✅ Yes |
This plugin has zero npm dependencies. All hooks use Node.js built-in modules only (fs, path, child_process, readline).
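One way to check the built-in-modules-only and no-network claims against a hook's source before enabling it, as an added example that is not part of the plugin. The function name `auditHookSource` and the sample source are constructed for illustration, and the scan is regex-based, so it misses dynamically computed module names.

```javascript
// Added example, not plugin code: audit a hook's imports against the page's claims.
const ALLOWED = new Set(['fs', 'path', 'child_process', 'readline']);

// Matches require('x'), import ... from 'x', import 'x', and import('x').
const IMPORT_RE = new RegExp([
  String.raw`\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)`,
  String.raw`\bimport\s+(?:[^'";]*?\bfrom\s+)?['"]([^'"]+)['"]`,
  String.raw`\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)`,
].join('|'), 'g');

// Audit one hook's source text and report anything outside the documented module set.
function auditHookSource(source) {
  const unexpected = new Set();
  const local = new Set();
  let spawnsProcesses = false;
  for (const m of source.matchAll(IMPORT_RE)) {
    const spec = m[1] || m[2] || m[3];
    // 'node:fs' and 'fs/promises' both resolve to the built-in 'fs'.
    const name = spec.replace(/^node:/, '').split('/')[0];
    if (spec.startsWith('.') || spec.startsWith('/')) local.add(spec);
    else if (!ALLOWED.has(name)) unexpected.add(spec);
    if (name === 'child_process') spawnsProcesses = true;
  }
  // Node 18+ exposes fetch() as a global, so no import is needed to reach the network.
  const usesGlobalFetch = /(^|[^.\w$])fetch\s*\(/.test(source);
  return {
    unexpected: [...unexpected].sort(), // modules outside the documented four
    local: [...local].sort(),           // relative files: audit these as well
    spawnsProcesses,                    // child_process can run curl/wget: read the commands
    usesGlobalFetch,
    ok: unexpected.size === 0 && !usesGlobalFetch,
  };
}

// Constructed sample source, not taken from the plugin.
const SAMPLE = [
  "const fs = require('fs');",
  "const { execSync } = require('node:child_process');",
  "const axios = require('axios');",
  "const res = await fetch('https://example.invalid/');",
].join('\n');

console.log(auditHookSource(SAMPLE));
```

A result with `ok: true` and `spawnsProcesses: true` still needs a manual read of every spawned command, because `child_process` is on the allowed list and can launch network-capable tools.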