ci: gate external plugin entries on community scan merge

Adds a stateless check that fails if any added external marketplace.json
entry (keyed by name+sha) is not already present on
claude-plugins-community main.

This repo runs no security scan — the scan is in claude-plugins-community.
Without this check, the only thing preventing a bypass is the PR body
convention of linking to a community PR, and a human remembering to look.

The check:
- Diffs marketplace.json base→head, extracts external entries (source is
  an object, not a vendored string path), keyed by {name, sha}
- Fails if any added key is absent from community main
- Catches new entries AND sha bumps (new sha → new scan required)
- Skips cosmetic edits (description/category) and removals
- Gives a precise diagnosis on failure: SHA mismatch vs entry absent
- Rejects new entries with no sha pin (scan anchor is meaningless)

Fetch uses gh api with the workflow token, not raw.githubusercontent
(which flakes with curl exit 56). Works same-org whether community is
public or private.

.claude-plugin/marketplace.json

@@ -251,30 +251,6 @@
         }
       }
     },
-    {
-      "name": "ruby-lsp",
-      "description": "Ruby language server for code intelligence and analysis",
-      "version": "1.0.0",
-      "author": {
-        "name": "Anthropic",
-        "email": "support@anthropic.com"
-      },
-      "source": "./plugins/ruby-lsp",
-      "category": "development",
-      "strict": false,
-      "lspServers": {
-        "ruby-lsp": {
-          "command": "ruby-lsp",
-          "extensionToLanguage": {
-            ".rb": "ruby",
-            ".rake": "ruby",
-            ".gemspec": "ruby",
-            ".ru": "ruby",
-            ".erb": "erb"
-          }
-        }
-      }
-    },
     {
       "name": "agent-sdk-dev",
       "description": "Development kit for working with the Claude Agent SDK",
@@ -704,33 +680,10 @@
       "description": "Semgrep catches security vulnerabilities in real-time and guides Claude to write secure code from the start.",
       "category": "security",
       "source": {
-        "source": "git-subdir",
-        "url": "https://github.com/semgrep/mcp-marketplace.git",
-        "path": "plugin"
+        "source": "url",
+        "url": "https://github.com/semgrep/mcp-marketplace.git"
       },
       "homepage": "https://github.com/semgrep/mcp-marketplace.git"
-    },
-    {
-      "name": "pagerduty",
-      "description": "Enhance code quality and security through PagerDuty risk scoring and incident correlation. Score pre-commit diffs against historical incident data and surface deployment risk before you ship.",
-      "category": "monitoring",
-      "source": {
-        "source": "url",
-        "url": "https://github.com/PagerDuty/claude-code-plugins.git",
-        "sha": "b16c23e0d790deceaa7a6182616d0e36673f2eae"
-      },
-      "homepage": "https://github.com/PagerDuty/claude-code-plugins"
-    },
-    {
-      "name": "postman",
-      "description": "Full API lifecycle management for Claude Code. Sync collections, generate client code, discover APIs, run tests, create mocks, publish docs, and audit security. Powered by the Postman MCP Server.",
-      "category": "development",
-      "source": {
-        "source": "url",
-        "url": "https://github.com/Postman-Devrel/postman-claude-code-plugin.git",
-        "sha": "0714280351c1a137e79aad465a66730511ffbd57"
-      },
-      "homepage": "https://learning.postman.com/docs/developer/postman-mcp-server/"
     }
   ]
 }

.github/scripts/validate-marketplace.ts

@@ -1,77 +0,0 @@
-#!/usr/bin/env bun
-/**
- * Validates marketplace.json: well-formed JSON, plugins array present,
- * each entry has required fields, and no duplicate plugin names.
- *
- * Usage:
- *   bun validate-marketplace.ts <path-to-marketplace.json>
- */
-
-import { readFile } from "fs/promises";
-
-async function main() {
-  const filePath = process.argv[2];
-  if (!filePath) {
-    console.error("Usage: validate-marketplace.ts <path-to-marketplace.json>");
-    process.exit(2);
-  }
-
-  const content = await readFile(filePath, "utf-8");
-
-  let parsed: unknown;
-  try {
-    parsed = JSON.parse(content);
-  } catch (err) {
-    console.error(
-      `ERROR: ${filePath} is not valid JSON: ${err instanceof Error ? err.message : err}`
-    );
-    process.exit(1);
-  }
-
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    console.error(`ERROR: ${filePath} must be a JSON object`);
-    process.exit(1);
-  }
-
-  const marketplace = parsed as Record<string, unknown>;
-  if (!Array.isArray(marketplace.plugins)) {
-    console.error(`ERROR: ${filePath} missing "plugins" array`);
-    process.exit(1);
-  }
-
-  const errors: string[] = [];
-  const seen = new Set<string>();
-  const required = ["name", "description", "source"] as const;
-
-  marketplace.plugins.forEach((p, i) => {
-    if (!p || typeof p !== "object") {
-      errors.push(`plugins[${i}]: must be an object`);
-      return;
-    }
-    const entry = p as Record<string, unknown>;
-    for (const field of required) {
-      if (!entry[field]) {
-        errors.push(`plugins[${i}] (${entry.name ?? "?"}): missing required field "${field}"`);
-      }
-    }
-    if (typeof entry.name === "string") {
-      if (seen.has(entry.name)) {
-        errors.push(`plugins[${i}]: duplicate plugin name "${entry.name}"`);
-      }
-      seen.add(entry.name);
-    }
-  });
-
-  if (errors.length) {
-    console.error(`ERROR: ${filePath} has ${errors.length} validation error(s):`);
-    for (const e of errors) console.error(`  - ${e}`);
-    process.exit(1);
-  }
-
-  console.log(`OK: ${marketplace.plugins.length} plugins, no duplicates, all required fields present`);
-}
-
-main().catch((err) => {
-  console.error("Fatal error:", err);
-  process.exit(2);
-});

.github/workflows/validate-marketplace.yml

@@ -1,17 +0,0 @@
-name: Validate Marketplace JSON
-
-on:
-  pull_request:
-    paths:
-      - '.claude-plugin/marketplace.json'
-
-jobs:
-  validate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: oven-sh/setup-bun@v2
-
-      - name: Validate marketplace.json
-        run: bun .github/scripts/validate-marketplace.ts .claude-plugin/marketplace.json

.github/workflows/verify-community-merged.yml

@@ -0,0 +1,160 @@
+name: Verify community scan merged
+
+# Enforces the invariant: any external plugin entry added to this repo's
+# marketplace.json must already exist (same name, same SHA) on
+# claude-plugins-community main.
+#
+# claude-plugins-community is the security scan gate. This repo has no
+# scan — the merge click here is a mirror, not an approval. If an entry
+# isn't on community main, either the scan hasn't run, hasn't passed,
+# or someone is trying to bypass the gate.
+#
+# Vendored entries (source: "./path") are skipped — they're authored
+# in-repo and reviewed here directly.
+
+on:
+  pull_request:
+    paths:
+      - '.claude-plugin/marketplace.json'
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@v4
+        with:
+          # Need base ref too, to diff and find what's new
+          fetch-depth: 0
+
+      - name: Find added external entries
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          base="${{ github.event.pull_request.base.sha }}"
+          head="${{ github.event.pull_request.head.sha }}"
+
+          # Pull both versions of marketplace.json
+          git show "$base:.claude-plugin/marketplace.json" > /tmp/base.json
+          git show "$head:.claude-plugin/marketplace.json" > /tmp/head.json
+
+          # An "external" entry is one whose .source is an object (url-kind
+          # or git-subdir). Vendored entries have .source as a string path.
+          # Key each by name+sha — that pair is what the community scan
+          # pinned its result to.
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/base.json | sort > /tmp/base-ext.jsonl
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/head.json | sort > /tmp/head-ext.jsonl
+
+          # Added = in head but not in base. This catches:
+          #   - brand new entries
+          #   - SHA bumps on existing entries (new sha = new scan needed)
+          #   - name changes (new name = new identity)
+          # It deliberately does NOT catch:
+          #   - removals (no scan needed to delete)
+          #   - description/category/homepage edits (cosmetic, scan irrelevant)
+          comm -13 /tmp/base-ext.jsonl /tmp/head-ext.jsonl > /tmp/added.jsonl
+
+          count=$(wc -l < /tmp/added.jsonl)
+          echo "Found $count added/changed external entries:"
+          cat /tmp/added.jsonl
+          echo "count=$count" >> "$GITHUB_OUTPUT"
+
+      - name: Fetch community main marketplace
+        if: steps.diff.outputs.count != '0'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          # gh api uses the workflow's GITHUB_TOKEN — works whether
+          # the community repo is public or private (as long as this
+          # repo's Actions have read access, which same-org repos do
+          # by default). More reliable than raw.githubusercontent.com
+          # which occasionally flakes with curl exit 56.
+          gh api \
+            -H "Accept: application/vnd.github.raw" \
+            "repos/anthropics/claude-plugins-community/contents/.claude-plugin/marketplace.json?ref=main" \
+            > /tmp/community.json
+          echo "Community main has $(jq '.plugins | length' /tmp/community.json) entries"
+
+      - name: Check each added entry exists in community main
+        if: steps.diff.outputs.count != '0'
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          # Build the same name+sha keyset for community
+          jq -c '.plugins[]
+                 | select(.source | type == "object")
+                 | {name, sha: .source.sha}' /tmp/community.json | sort > /tmp/community-ext.jsonl
+
+          fail=0
+          while IFS= read -r entry; do
+            name=$(jq -r .name <<< "$entry")
+            sha=$(jq -r '.sha // "∅"' <<< "$entry")
+            short=${sha:0:8}
+
+            # Reject new entries without a SHA pin outright. The scan
+            # result is meaningless if it isn't anchored to a commit.
+            # (Old pre-invariant entries won't hit this — they're in
+            # base too, so they don't show up in the added diff.)
+            if [[ "$sha" == "∅" || "$sha" == "null" ]]; then
+              echo "::error title=Community::'$name' has no source.sha. External entries must be SHA-pinned so the scan result is anchored to a commit."
+              fail=1
+              continue
+            fi
+
+            if grep -qxF "$entry" /tmp/community-ext.jsonl; then
+              echo "::notice title=Community::✓ '$name' @ $short found in community main"
+            else
+              # Give a precise diagnosis: is the name there with a
+              # different SHA (scan ran on a different commit), or
+              # is it entirely absent (scan never ran / PR not merged)?
+              alt_sha=$(jq -r --arg n "$name" \
+                '.plugins[] | select(.name == $n and (.source | type == "object")) | .source.sha // "∅"' \
+                /tmp/community.json)
+              if [[ -n "$alt_sha" && "$alt_sha" != "∅" ]]; then
+                echo "::error title=Community::'$name' exists in community main at SHA ${alt_sha:0:8}, not $short. The scan ran on a different commit — re-pin this entry to match, or open a new community PR with the new SHA."
+              else
+                echo "::error title=Community::'$name' @ $short not found in community main. Merge the community PR first, then re-run this check."
+              fi
+              fail=1
+            fi
+          done < /tmp/added.jsonl
+
+          if [[ $fail -eq 1 ]]; then
+            {
+              echo "### ❌ Community scan gate not satisfied"
+              echo ""
+              echo "One or more external plugin entries in this PR are not present"
+              echo "on [\`claude-plugins-community\` main](https://github.com/anthropics/claude-plugins-community/blob/main/.claude-plugin/marketplace.json)."
+              echo ""
+              echo "This repo does not run a security scan. The scan runs in"
+              echo "\`claude-plugins-community\` — entries must land there first."
+              echo ""
+              echo "**To fix:** merge the corresponding community PR, then re-run"
+              echo "this workflow."
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          {
+            echo "### ✓ Community scan gate satisfied"
+            echo ""
+            echo "All added external entries found in \`claude-plugins-community\` main."
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: No external entries changed
+        if: steps.diff.outputs.count == '0'
+        run: |
+          echo "::notice::No external plugin entries added or changed — nothing to verify."
+          echo "### ✓ No external entries to verify" >> "$GITHUB_STEP_SUMMARY"

plugins/ruby-lsp/README.md

@@ -1,31 +0,0 @@
-# ruby-lsp
-
-Ruby language server for Claude Code, providing code intelligence and analysis.
-
-## Supported Extensions
-`.rb`, `.rake`, `.gemspec`, `.ru`, `.erb`
-
-## Installation
-
-### Via gem (recommended)
-```bash
-gem install ruby-lsp
-```
-
-### Via Bundler
-Add to your Gemfile:
-```ruby
-gem 'ruby-lsp', group: :development
-```
-
-Then run:
-```bash
-bundle install
-```
-
-## Requirements
-- Ruby 3.0 or later
-
-## More Information
-- [Ruby LSP Website](https://shopify.github.io/ruby-lsp/)
-- [GitHub Repository](https://github.com/Shopify/ruby-lsp)