mirror of
https://github.com/anthropics/claude-plugins-official.git
synced 2026-03-21 11:53:08 +00:00
355be7d582
Closes H1 #3617646 via the proper path — plugin userConfig with sensitive: true routes tokens to keychain (macOS) or .credentials.json 0600 (elsewhere) instead of world-readable .env files. Requires claude-cli-internal#23383 (PLUGIN_OPTIONS ungate + per-server sensitive split). Changes per plugin: - plugin.json: add userConfig.{PLATFORM}_BOT_TOKEN with sensitive: true - .mcp.json: add env block with ${user_config.{PLATFORM}_BOT_TOKEN} - server.ts: update comment + error message to point to /plugin reconfigure instead of .env file The .env read loop stays as a legacy fallback for existing users — process.env wins (injected value takes precedence), so no migration forced. New users get prompted at enable time via CC's built-in dialog; token lands in keychain, never touches settings.json. /telegram:configure and /discord:configure skills are NOT removed in this PR — they still work for the legacy .env path. Follow-up: repurpose or remove after a grace period once cli#23383 is released. 🏠 Remote-Dev: homespace