ci: gate external plugin entries on community scan merge

Adds a stateless check that fails if any added external marketplace.json
entry (keyed by name+sha) is not already present on
claude-plugins-community main.

This repo runs no security scan — the scan is in claude-plugins-community.
Without this check, the only thing preventing a bypass is the PR body
convention of linking to a community PR, and a human remembering to look.

The check:
- Diffs marketplace.json base→head, extracts external entries (source is
  an object, not a vendored string path), keyed by {name, sha}
- Fails if any added key is absent from community main
- Catches new entries AND sha bumps (new sha → new scan required)
- Skips cosmetic edits (description/category) and removals
- Gives a precise diagnosis on failure: SHA mismatch vs entry absent
- Rejects new entries with no sha pin (scan anchor is meaningless)

Fetch uses gh api with the workflow token, not raw.githubusercontent
(which flakes with curl exit 56). Works same-org whether community is
public or private.

.github/workflows/close-external-prs.yml

@@ -36,7 +36,7 @@ jobs:
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: context.payload.pull_request.number,
-              body: `Thanks for your interest! This repo only accepts contributions from Anthropic team members. If you'd like to submit a plugin to the marketplace, please submit your plugin [here](https://docs.google.com/forms/d/e/1FAIpQLSdeFthxvjOXUjxg1i3KrOOkEPDJtn71XC-KjmQlxNP63xYydg/viewform).`
+              body: `Thanks for your interest! This repo only accepts contributions from Anthropic team members. If you'd like to submit a plugin to the marketplace, please submit your plugin [here](https://clau.de/plugin-directory-submission).`
             });
 
             await github.rest.pulls.update({

.github/workflows/verify-community-merged.yml

@@ -0,0 +1,160 @@
+name: Verify community scan merged
+
+# Enforces the invariant: any external plugin entry added to this repo's
+# marketplace.json must already exist (same name, same SHA) on
+# claude-plugins-community main.
+#
+# claude-plugins-community is the security scan gate. This repo has no
+# scan — the merge click here is a mirror, not an approval. If an entry
+# isn't on community main, either the scan hasn't run, hasn't passed,
+# or someone is trying to bypass the gate.
+#
+# Vendored entries (source: "./path") are skipped — they're authored
+# in-repo and reviewed here directly.
+
+on:
+  pull_request:
+    paths:
+      - '.claude-plugin/marketplace.json'
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@v4
+        with:
+          # Need base ref too, to diff and find what's new
+          fetch-depth: 0
+
+      - name: Find added external entries
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          base="${{ github.event.pull_request.base.sha }}"
+          head="${{ github.event.pull_request.head.sha }}"
+
+          # Pull both versions of marketplace.json
+          git show "$base:.claude-plugin/marketplace.json" > /tmp/base.json
+          git show "$head:.claude-plugin/marketplace.json" > /tmp/head.json
+
+          # An "external" entry is one whose .source is an object (url-kind
+          # or git-subdir). Vendored entries have .source as a string path.
+          # Key each by name+sha — that pair is what the community scan
+          # pinned its result to.
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/base.json | sort > /tmp/base-ext.jsonl
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/head.json | sort > /tmp/head-ext.jsonl
+
+          # Added = in head but not in base. This catches:
+          #   - brand new entries
+          #   - SHA bumps on existing entries (new sha = new scan needed)
+          #   - name changes (new name = new identity)
+          # It deliberately does NOT catch:
+          #   - removals (no scan needed to delete)
+          #   - description/category/homepage edits (cosmetic, scan irrelevant)
+          comm -13 /tmp/base-ext.jsonl /tmp/head-ext.jsonl > /tmp/added.jsonl
+
+          count=$(wc -l < /tmp/added.jsonl)
+          echo "Found $count added/changed external entries:"
+          cat /tmp/added.jsonl
+          echo "count=$count" >> "$GITHUB_OUTPUT"
+
+      - name: Fetch community main marketplace
+        if: steps.diff.outputs.count != '0'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          # gh api uses the workflow's GITHUB_TOKEN — works whether
+          # the community repo is public or private (as long as this
+          # repo's Actions have read access, which same-org repos do
+          # by default). More reliable than raw.githubusercontent.com
+          # which occasionally flakes with curl exit 56.
+          gh api \
+            -H "Accept: application/vnd.github.raw" \
+            "repos/anthropics/claude-plugins-community/contents/.claude-plugin/marketplace.json?ref=main" \
+            > /tmp/community.json
+          echo "Community main has $(jq '.plugins | length' /tmp/community.json) entries"
+
+      - name: Check each added entry exists in community main
+        if: steps.diff.outputs.count != '0'
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          # Build the same name+sha keyset for community
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/community.json | sort > /tmp/community-ext.jsonl
+
+          fail=0
+          while IFS= read -r entry; do
+            name=$(jq -r .name <<< "$entry")
+            sha=$(jq -r '.sha // "∅"' <<< "$entry")
+            short=${sha:0:8}
+
+            # Reject new entries without a SHA pin outright. The scan
+            # result is meaningless if it isn't anchored to a commit.
+            # (Old pre-invariant entries won't hit this — they're in
+            # base too, so they don't show up in the added diff.)
+            if [[ "$sha" == "∅" || "$sha" == "null" ]]; then
+              echo "::error title=Community::'$name' has no source.sha. External entries must be SHA-pinned so the scan result is anchored to a commit."
+              fail=1
+              continue
+            fi
+
+            if grep -qxF "$entry" /tmp/community-ext.jsonl; then
+              echo "::notice title=Community::✓ '$name' @ $short found in community main"
+            else
+              # Give a precise diagnosis: is the name there with a
+              # different SHA (scan ran on a different commit), or
+              # is it entirely absent (scan never ran / PR not merged)?
+              alt_sha=$(jq -r --arg n "$name" \
+                '.plugins[] | select(.name == $n and (.source | type == "object")) | .source.sha // "∅"' \
+                /tmp/community.json)
+              if [[ -n "$alt_sha" && "$alt_sha" != "∅" ]]; then
+                echo "::error title=Community::'$name' exists in community main at SHA ${alt_sha:0:8}, not $short. The scan ran on a different commit — re-pin this entry to match, or open a new community PR with the new SHA."
+              else
+                echo "::error title=Community::'$name' @ $short not found in community main. Merge the community PR first, then re-run this check."
+              fi
+              fail=1
+            fi
+          done < /tmp/added.jsonl
+
+          if [[ $fail -eq 1 ]]; then
+            {
+              echo "### ❌ Community scan gate not satisfied"
+              echo ""
+              echo "One or more external plugin entries in this PR are not present"
+              echo "on [\`claude-plugins-community\` main](https://github.com/anthropics/claude-plugins-community/blob/main/.claude-plugin/marketplace.json)."
+              echo ""
+              echo "This repo does not run a security scan. The scan runs in"
+              echo "\`claude-plugins-community\` — entries must land there first."
+              echo ""
+              echo "**To fix:** merge the corresponding community PR, then re-run"
+              echo "this workflow."
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          {
+            echo "### ✓ Community scan gate satisfied"
+            echo ""
+            echo "All added external entries found in \`claude-plugins-community\` main."
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: No external entries changed
+        if: steps.diff.outputs.count == '0'
+        run: |
+          echo "::notice::No external plugin entries added or changed — nothing to verify."
+          echo "### ✓ No external entries to verify" >> "$GITHUB_STEP_SUMMARY"

plugins/ralph-loop/hooks/stop-hook.sh

@@ -24,6 +24,16 @@ MAX_ITERATIONS=$(echo "$FRONTMATTER" | grep '^max_iterations:' | sed 's/max_iter
 # Extract completion_promise and strip surrounding quotes if present
 COMPLETION_PROMISE=$(echo "$FRONTMATTER" | grep '^completion_promise:' | sed 's/completion_promise: *//' | sed 's/^"\(.*\)"$/\1/')
 
+# Session isolation: the state file is project-scoped, but the Stop hook
+# fires in every Claude Code session in that project. If another session
+# started the loop, this session must not block (or touch the state file).
+# Legacy state files without session_id fall through (preserves old behavior).
+STATE_SESSION=$(echo "$FRONTMATTER" | grep '^session_id:' | sed 's/session_id: *//' || true)
+HOOK_SESSION=$(echo "$HOOK_INPUT" | jq -r '.session_id // ""')
+if [[ -n "$STATE_SESSION" ]] && [[ "$STATE_SESSION" != "$HOOK_SESSION" ]]; then
+  exit 0
+fi
+
 # Validate numeric fields before arithmetic operations
 if [[ ! "$ITERATION" =~ ^[0-9]+$ ]]; then
   echo "⚠️  Ralph loop: State file corrupted" >&2
@@ -77,35 +87,39 @@ if ! grep -q '"role":"assistant"' "$TRANSCRIPT_PATH"; then
   exit 0
 fi
 
-# Extract last assistant message with explicit error handling
-LAST_LINE=$(grep '"role":"assistant"' "$TRANSCRIPT_PATH" | tail -1)
-if [[ -z "$LAST_LINE" ]]; then
-  echo "⚠️  Ralph loop: Failed to extract last assistant message" >&2
+# Extract the most recent assistant text block.
+#
+# Claude Code writes each content block (text/tool_use/thinking) as its own
+# JSONL line, all with role=assistant. So slurp the last N assistant lines,
+# flatten to text blocks only, and take the last one.
+#
+# Capped at the last 100 assistant lines to keep jq's slurp input bounded
+# for long-running sessions.
+LAST_LINES=$(grep '"role":"assistant"' "$TRANSCRIPT_PATH" | tail -n 100)
+if [[ -z "$LAST_LINES" ]]; then
+  echo "⚠️  Ralph loop: Failed to extract assistant messages" >&2
   echo "   Ralph loop is stopping." >&2
   rm "$RALPH_STATE_FILE"
   exit 0
 fi
 
-# Parse JSON with error handling
-LAST_OUTPUT=$(echo "$LAST_LINE" | jq -r '
-  .message.content |
-  map(select(.type == "text")) |
-  map(.text) |
-  join("\n")
+# Parse the recent lines and pull out the final text block.
+# `last // ""` yields empty string when no text blocks exist (e.g. a turn
+# that is all tool calls). That's fine: empty text means no <promise> tag,
+# so the loop simply continues.
+# (Briefly disable errexit so a jq failure can be caught by the $? check.)
+set +e
+LAST_OUTPUT=$(echo "$LAST_LINES" | jq -rs '
+  map(.message.content[]? | select(.type == "text") | .text) | last // ""
 ' 2>&1)
+JQ_EXIT=$?
+set -e
 
 # Check if jq succeeded
-if [[ $? -ne 0 ]]; then
+if [[ $JQ_EXIT -ne 0 ]]; then
   echo "⚠️  Ralph loop: Failed to parse assistant message JSON" >&2
   echo "   Error: $LAST_OUTPUT" >&2
-  echo "   This may indicate a transcript format issue" >&2
-  echo "   Ralph loop is stopping." >&2
-  rm "$RALPH_STATE_FILE"
-  exit 0
-fi
-
-if [[ -z "$LAST_OUTPUT" ]]; then
-  echo "⚠️  Ralph loop: Assistant message contained no text content" >&2
+  echo "   This may indicate a transcript format issue." >&2
   echo "   Ralph loop is stopping." >&2
   rm "$RALPH_STATE_FILE"
   exit 0

plugins/ralph-loop/scripts/setup-ralph-loop.sh

@@ -141,6 +141,7 @@ cat > .claude/ralph-loop.local.md <<EOF
 ---
 active: true
 iteration: 1
+session_id: ${CLAUDE_CODE_SESSION_ID:-}
 max_iterations: $MAX_ITERATIONS
 completion_promise: $COMPLETION_PROMISE_YAML
 started_at: "$(date -u +%Y-%m-%dT%H:%M:%SZ)"