Add plugin marketplace picker#284
Conversation
puneetdixit200
changed the title
|
@puneetdixit200 PR is in Draft mode, are you planning to do more work? |
|
@pjdoland this looks good to me, could you also review? |
There was a problem hiding this comment.
Thanks for putting this together. The backend handler, route ordering, manifest path resolution, and the path-traversal validation all look solid. Three things I think are worth considering before this lands:
-
Removing the freeform input is a regression for power users. Someone who already knows
myplugin@officialnow has to scroll a dropdown to install it. Could the dialog keep a 'Specify manually' option (toggle or second tab) that restores the existing text field? The previous helper text explicitly promoted theplugin@marketplaceshorthand. -
No way to refresh a stale marketplace cache. The endpoint reads whatever Claude last wrote to
~/.claude/plugins/marketplaces/<name>/.claude-plugin/marketplace.json. If a user added the marketplace months ago and a new plugin shipped yesterday, it won't appear in the picker, and without the manual input from (1) they can't install it from the UI at all. Either surface a refresh button (claude plugin marketplace update <name>) or keep the freeform fallback as a safety valve. -
Fallback inconsistency with #280. That PR adds
p.name ?? p.idfor installed plugins to handle Claude CLI version skew. The newpluginEntryName(plugin)here is onlyString(plugin.name ?? '').trim()and silently filters out entries with an empty name. If a marketplace manifest happens to useidfor some entries (same skew that motivates #280), they'd drop out of the picker. Worth aligning the two paths so the same fallback applies.
|
@puneetdixit200 can you address the comments from @pjdoland above |
|
@puneetdixit200 can you resolve the conflicts? |
…marketplace-picker # Conflicts: # src/components/plugins-panel.tsx
Promotes the [Unreleased] CHANGELOG snapshot to [5.0.0] - 2026-05-22 and expands it to cover everything merged into upstream/main after PR plmbr#287's docs refresh. Bumps package.json to 5.0.0. CHANGELOG additions cover the post-plmbr#287 surface: - Settings tabs: plugin marketplace picker (plmbr#284), plugin marketplace details + Update button (plmbr#303), per-workspace MCP disable (plmbr#286), JSON-paste path in Add MCP server (plmbr#285). - Launchers: hide-with-policy (plmbr#288), brand icons for Codex / opencode (plmbr#325, plmbr#333), per-launch directory picker (plmbr#332). - Chat sidebar and agentic UX: workspace @-mention in Claude mode (plmbr#327), reload-open-files-on-disk (plmbr#330), steered system prompt away from over-eager notebook creation (plmbr#336). - Skills: multi-manifest support (plmbr#321), tracks-upstream for user- imported skills (plmbr#322), HTTP kill switch for the reconciler (plmbr#291). - Accessibility: full sub-section covering plmbr#305-plmbr#320. - Security: shell-tool sandbox (plmbr#290), Claude UI-bridge sandbox (plmbr#323), 0o600 on encrypted token (plmbr#293), env-secret scrubbing (plmbr#295), MCP config shape validation (plmbr#299), XSS allowlist (plmbr#296), Copilot WS auth + origin (plmbr#301), GHE host detection (plmbr#292), fastmcp -> mcp SDK swap (plmbr#324). - Fixed: session listing unification (plmbr#310), session preview unwrap (plmbr#331), down-area runtime throw (plmbr#330 follow-up), WS message-handler leak (plmbr#294). - Removed: fastmcp dependency, history.jsonl session gate. Adds a Migration note covering the five behavior changes operators should review before upgrading from 4.x: fastmcp swap, path sandboxes, history.jsonl gate removal, workspace @-mention pointer shape, and the Copilot WebSocket auth/origin tightening. Two reviewer rounds (six personas each) applied: - Round 1 caught security overclaims (plmbr#293, plmbr#299, plmbr#323), the plmbr#284/plmbr#303 mis-attribution, missing migration note, 3 em dashes, and the stale `fastmcp==2.x.*` recommendation in the admin guide. - Round 2 caught the missing plmbr#301 migration bullet, missing version- matrix 5.0.x row, missing README TOC entry, and a couple of style nits (sub-heading overpromise, orphan bullet). Skipped (deferred to future PRs): - README first-run tour mention. - Admin guide HTTP kill-switch row in Failure-modes table. - Terminal drag-drop trust-model precision update after plmbr#327. - Cipher description nit in plmbr#293 (Fernet AES-128-CBC+HMAC, not AES-GCM).
Summary
.claude-plugin/marketplace.jsonplugin@marketplaceValidation
python -m pytest tests\test_plugin_manager.py -qjlpm test tests/ts/plugins-panel.test.tsx --runInBandjlpm build:libjlpm lint:checkFixes #282