ci: gate external plugin entries on community scan merge

Adds a stateless check that fails if any added external marketplace.json
entry (keyed by name+sha) is not already present on
claude-plugins-community main.

This repo runs no security scan — the scan is in claude-plugins-community.
Without this check, the only thing preventing a bypass is the PR body
convention of linking to a community PR, and a human remembering to look.

The check:
- Diffs marketplace.json base→head, extracts external entries (source is
  an object, not a vendored string path), keyed by {name, sha}
- Fails if any added key is absent from community main
- Catches new entries AND sha bumps (new sha → new scan required)
- Skips cosmetic edits (description/category) and removals
- Gives a precise diagnosis on failure: SHA mismatch vs entry absent
- Rejects new entries with no sha pin (scan anchor is meaningless)

Fetch uses gh api with the workflow token, not raw.githubusercontent
(which flakes with curl exit 56). Works same-org whether community is
public or private.

.claude-plugin/marketplace.json

@@ -251,30 +251,6 @@
         }
       }
     },
-    {
-      "name": "ruby-lsp",
-      "description": "Ruby language server for code intelligence and analysis",
-      "version": "1.0.0",
-      "author": {
-        "name": "Anthropic",
-        "email": "support@anthropic.com"
-      },
-      "source": "./plugins/ruby-lsp",
-      "category": "development",
-      "strict": false,
-      "lspServers": {
-        "ruby-lsp": {
-          "command": "ruby-lsp",
-          "extensionToLanguage": {
-            ".rb": "ruby",
-            ".rake": "ruby",
-            ".gemspec": "ruby",
-            ".ru": "ruby",
-            ".erb": "erb"
-          }
-        }
-      }
-    },
     {
       "name": "agent-sdk-dev",
       "description": "Development kit for working with the Claude Agent SDK",
@@ -704,33 +680,10 @@
       "description": "Semgrep catches security vulnerabilities in real-time and guides Claude to write secure code from the start.",
       "category": "security",
       "source": {
-        "source": "git-subdir",
-        "url": "https://github.com/semgrep/mcp-marketplace.git",
-        "path": "plugin"
+        "source": "url",
+        "url": "https://github.com/semgrep/mcp-marketplace.git"
       },
       "homepage": "https://github.com/semgrep/mcp-marketplace.git"
-    },
-    {
-      "name": "pagerduty",
-      "description": "Enhance code quality and security through PagerDuty risk scoring and incident correlation. Score pre-commit diffs against historical incident data and surface deployment risk before you ship.",
-      "category": "monitoring",
-      "source": {
-        "source": "url",
-        "url": "https://github.com/PagerDuty/claude-code-plugins.git",
-        "sha": "b16c23e0d790deceaa7a6182616d0e36673f2eae"
-      },
-      "homepage": "https://github.com/PagerDuty/claude-code-plugins"
-    },
-    {
-      "name": "postman",
-      "description": "Full API lifecycle management for Claude Code. Sync collections, generate client code, discover APIs, run tests, create mocks, publish docs, and audit security. Powered by the Postman MCP Server.",
-      "category": "development",
-      "source": {
-        "source": "url",
-        "url": "https://github.com/Postman-Devrel/postman-claude-code-plugin.git",
-        "sha": "0714280351c1a137e79aad465a66730511ffbd57"
-      },
-      "homepage": "https://learning.postman.com/docs/developer/postman-mcp-server/"
     }
   ]
 }

.github/workflows/verify-community-merged.yml

@@ -0,0 +1,160 @@
+name: Verify community scan merged
+
+# Enforces the invariant: any external plugin entry added to this repo's
+# marketplace.json must already exist (same name, same SHA) on
+# claude-plugins-community main.
+#
+# claude-plugins-community is the security scan gate. This repo has no
+# scan — the merge click here is a mirror, not an approval. If an entry
+# isn't on community main, either the scan hasn't run, hasn't passed,
+# or someone is trying to bypass the gate.
+#
+# Vendored entries (source: "./path") are skipped — they're authored
+# in-repo and reviewed here directly.
+
+on:
+  pull_request:
+    paths:
+      - '.claude-plugin/marketplace.json'
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@v4
+        with:
+          # Need base ref too, to diff and find what's new
+          fetch-depth: 0
+
+      - name: Find added external entries
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          base="${{ github.event.pull_request.base.sha }}"
+          head="${{ github.event.pull_request.head.sha }}"
+
+          # Pull both versions of marketplace.json
+          git show "$base:.claude-plugin/marketplace.json" > /tmp/base.json
+          git show "$head:.claude-plugin/marketplace.json" > /tmp/head.json
+
+          # An "external" entry is one whose .source is an object (url-kind
+          # or git-subdir). Vendored entries have .source as a string path.
+          # Key each by name+sha — that pair is what the community scan
+          # pinned its result to.
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/base.json | sort > /tmp/base-ext.jsonl
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/head.json | sort > /tmp/head-ext.jsonl
+
+          # Added = in head but not in base. This catches:
+          #   - brand new entries
+          #   - SHA bumps on existing entries (new sha = new scan needed)
+          #   - name changes (new name = new identity)
+          # It deliberately does NOT catch:
+          #   - removals (no scan needed to delete)
+          #   - description/category/homepage edits (cosmetic, scan irrelevant)
+          comm -13 /tmp/base-ext.jsonl /tmp/head-ext.jsonl > /tmp/added.jsonl
+
+          count=$(wc -l < /tmp/added.jsonl)
+          echo "Found $count added/changed external entries:"
+          cat /tmp/added.jsonl
+          echo "count=$count" >> "$GITHUB_OUTPUT"
+
+      - name: Fetch community main marketplace
+        if: steps.diff.outputs.count != '0'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          # gh api uses the workflow's GITHUB_TOKEN — works whether
+          # the community repo is public or private (as long as this
+          # repo's Actions have read access, which same-org repos do
+          # by default). More reliable than raw.githubusercontent.com
+          # which occasionally flakes with curl exit 56.
+          gh api \
+            -H "Accept: application/vnd.github.raw" \
+            "repos/anthropics/claude-plugins-community/contents/.claude-plugin/marketplace.json?ref=main" \
+            > /tmp/community.json
+          echo "Community main has $(jq '.plugins | length' /tmp/community.json) entries"
+
+      - name: Check each added entry exists in community main
+        if: steps.diff.outputs.count != '0'
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          # Build the same name+sha keyset for community
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/community.json | sort > /tmp/community-ext.jsonl
+
+          fail=0
+          while IFS= read -r entry; do
+            name=$(jq -r .name <<< "$entry")
+            sha=$(jq -r '.sha // "∅"' <<< "$entry")
+            short=${sha:0:8}
+
+            # Reject new entries without a SHA pin outright. The scan
+            # result is meaningless if it isn't anchored to a commit.
+            # (Old pre-invariant entries won't hit this — they're in
+            # base too, so they don't show up in the added diff.)
+            if [[ "$sha" == "∅" || "$sha" == "null" ]]; then
+              echo "::error title=Community::'$name' has no source.sha. External entries must be SHA-pinned so the scan result is anchored to a commit."
+              fail=1
+              continue
+            fi
+
+            if grep -qxF "$entry" /tmp/community-ext.jsonl; then
+              echo "::notice title=Community::✓ '$name' @ $short found in community main"
+            else
+              # Give a precise diagnosis: is the name there with a
+              # different SHA (scan ran on a different commit), or
+              # is it entirely absent (scan never ran / PR not merged)?
+              alt_sha=$(jq -r --arg n "$name" \
+                '.plugins[] | select(.name == $n and (.source | type == "object")) | .source.sha // "∅"' \
+                /tmp/community.json)
+              if [[ -n "$alt_sha" && "$alt_sha" != "∅" ]]; then
+                echo "::error title=Community::'$name' exists in community main at SHA ${alt_sha:0:8}, not $short. The scan ran on a different commit — re-pin this entry to match, or open a new community PR with the new SHA."
+              else
+                echo "::error title=Community::'$name' @ $short not found in community main. Merge the community PR first, then re-run this check."
+              fi
+              fail=1
+            fi
+          done < /tmp/added.jsonl
+
+          if [[ $fail -eq 1 ]]; then
+            {
+              echo "### ❌ Community scan gate not satisfied"
+              echo ""
+              echo "One or more external plugin entries in this PR are not present"
+              echo "on [\`claude-plugins-community\` main](https://github.com/anthropics/claude-plugins-community/blob/main/.claude-plugin/marketplace.json)."
+              echo ""
+              echo "This repo does not run a security scan. The scan runs in"
+              echo "\`claude-plugins-community\` — entries must land there first."
+              echo ""
+              echo "**To fix:** merge the corresponding community PR, then re-run"
+              echo "this workflow."
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          {
+            echo "### ✓ Community scan gate satisfied"
+            echo ""
+            echo "All added external entries found in \`claude-plugins-community\` main."
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: No external entries changed
+        if: steps.diff.outputs.count == '0'
+        run: |
+          echo "::notice::No external plugin entries added or changed — nothing to verify."
+          echo "### ✓ No external entries to verify" >> "$GITHUB_STEP_SUMMARY"

plugins/ruby-lsp/LICENSE

@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

plugins/ruby-lsp/README.md

@@ -1,31 +0,0 @@
-# ruby-lsp
-
-Ruby language server for Claude Code, providing code intelligence and analysis.
-
-## Supported Extensions
-`.rb`, `.rake`, `.gemspec`, `.ru`, `.erb`
-
-## Installation
-
-### Via gem (recommended)
-```bash
-gem install ruby-lsp
-```
-
-### Via Bundler
-Add to your Gemfile:
-```ruby
-gem 'ruby-lsp', group: :development
-```
-
-Then run:
-```bash
-bundle install
-```
-
-## Requirements
-- Ruby 3.0 or later
-
-## More Information
-- [Ruby LSP Website](https://shopify.github.io/ruby-lsp/)
-- [GitHub Repository](https://github.com/Shopify/ruby-lsp)