Metadata-only refresh per the SAP namespace policy (Florian/Klaus/Avital,
2026-05-04). No slug renames, no new entries.
- sap-mdk-server: expand author from {"name":"SAP"} to the unified
SAP SE block with ospo@sap.com.
- ui5: add unified UI5 author block (openui5@sap.com per Florian's
carve-out for the SAPUI5/OpenUI5 brand).
- ui5-typescript-conversion: same UI5 author block as ui5.
Split out of #1616 to keep that PR scoped to sap-hana-cli only.
* Tighten policy scan: hook scope, telemetry, disclosure; make blocking
policy/prompt.md — adds Part 2 (hook scope and disclosure):
- Enumerate every registered hook and read its source.
- Flag has_broad_scope_hooks when UserPromptSubmit/PreToolUse/
PostToolUse runs without a project-relevance gate, or any hook
reads user data beyond the plugin's stated scope — regardless of
whether it makes network calls.
- Flag has_undisclosed_telemetry when any hook or shipped code calls
a non-MCP host without explicit disclosure + opt-out.
- Flag description_matches_behavior=false when the install
description would not lead a reasonable user to expect the
hooks/telemetry/data-access found.
- passes=false when any of the above trip. Violations must cite the
specific hook/file and what the user wasn't told.
The bar is now "handles user data responsibly," not merely "isn't
malicious." A non-malicious plugin that observes more than its stated
purpose justifies will fail.
policy/schema.json — adds required hooks[], has_broad_scope_hooks,
has_undisclosed_telemetry, description_matches_behavior.
scan-plugins.yml:
- fail-on-findings: true (blocking — loosen later if FP rate too high)
- workflow_dispatch with scan_all input for full re-review of all
external entries
- timeout-minutes: 360 (full scan of 117 entries at ~96s each ≈ 3h)
- trigger on .github/policy/** so prompt edits get scanned
* Bump vercel SHA to test the tightened scan against it
* Adopt validate-plugins action suite; pin all external SHAs
Replaces the hand-rolled marketplace validator and bot-based bump
workflow with the shared composite actions (pinned at f846a0b).
marketplace.json:
- 62 external entries that were missing a `sha` are now pinned to
their current upstream HEAD (resolved via git ls-remote).
Workflows:
- validate-plugins.yml: invariants I1-I11 + claude plugin validate +
diff-gated clone-at-SHA validation of changed external entries.
SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15
known data issues (vendored dirs without manifests; one dotted
name) are cleaned up.
- bump-plugin-shas.yml: bot-free weekly refresh. Validates each new
SHA with claude plugin validate before opening one PR; works with
the default GITHUB_TOKEN (contents:write + pull-requests:write).
- scan-plugins.yml: Claude policy scan of changed external entries.
Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.
Removed:
- validate-marketplace.yml + the two TS helper scripts (superseded
by step 11/20 of validate-plugins).
validate-frontmatter.yml is kept — it's complementary (targeted
checks on agent/skill/command files for in-repo plugins).
* Remove 5 external entries that fail validation at HEAD
Step 30 (clone at pinned SHA + claude plugin validate) fails for
these at their current HEAD:
aiven Unrecognized key "logo" in plugin.json
atlassian-forge-skills skill YAML frontmatter parse error
sagemaker-ai skill YAML frontmatter parse error
speakai no plugin manifest at repo root
stagehand no plugin manifest at repo root
These can be re-added once the upstream repos are fixed.
* Wire scan-plugins to the detailed policy prompt
Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.
With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.
* Bump scan-plugins action pin to include L11/L12 fixes
* Add cwc-makers plugin: /keep-thinking Cardputer onboarding
Packages the Code-with-Claude Makers (claude.com/cwc-makers) Cardputer
experience as a one-command flow for event attendees:
- commands/keep-thinking.md: user entry point — clones
moremas/build-with-claude and runs the m5-onboard provisioning flow
- skills/m5-onboard/SKILL.md: vendored from upstream onboard/SKILL.md;
Installation section replaced with clone-location note; explicit
'relay physical button steps to user' directive added
- skills/cardputer-buddy/SKILL.md: post-onboarding app iteration
All three are user-invocable; /keep-thinking is the intended entry
point. Skill content is Apache-2.0 from the upstream repo.
Linear: CC-1975
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
🏠 Remote-Dev: homespace
* Rename /keep-thinking → /start-making
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
🏠 Remote-Dev: homespace
* Rename /start-making → /maker-setup
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
🏠 Remote-Dev: homespace
Adobe's Creative Cloud skills for image editing, design automation,
background removal, vectorization, and retouching. Points at the
plugins/creative-cloud/adobe-for-creativity subdir of adobe/skills.
