Weekly Research— April 20, 2026

[github-actions[bot]]

Anthropic Platform Signals

No new ToS changes in April 2026, but a critical nuance has solidified that directly affects this plugin's positioning:

The ban on subscription OAuth tokens in third-party tools is now fully enforced and legally explicit (ToS updated Feb 20, 2026). What is explicitly permitted — and officially documented — is using claude setup-token to generate a long-lived sk-ant-oat01-... token, then setting CLAUDE_CODE_OAUTH_TOKEN as a secret in the official anthropics/claude-code-action. Because the official claude binary is Anthropic's own product, this path avoids the prohibition. This matters for how the plugin's auth.md frames things: the OAuth path the plugin supports is not a gray area — it's documented and legitimate. The current framing ("workaround," "post-compile tweak") undersells its standing. Worth revisiting the docs.

Claude Code is releasing at high velocity. Plugin-ecosystem-relevant changes from the past two weeks:

Version	Date	What changed
v2.1.111	Apr 16	Installed tab sorted by token count; favorites; attention items
v2.1.110	Apr 15	plugin install honors dependencies in plugin.json; /reload-plugins works from remote
v2.1.108	Apr 14	Plugin marketplace auto-update no longer leaves marketplace in broken state
v2.1.94	Apr 7	Plugin hooks in YAML frontmatter no longer silently ignored
v2.1.91	Apr 2	disableSkillShellExecution added; plugins can ship executables under bin/

Dependency resolution in plugin.json (v2.1.110) is the biggest structural improvement: plugins can now declare each other as dependencies and Claude Code will install the chain automatically. This is relevant once this plugin wants to reference gh-aw setup as a declared dependency.

Also released April 16: Claude Opus 4.7, which is the model anthropics/claude-code-action bumped to by default (v1.0.100, April 17). The agent-team workflows that reference a specific model version may want to track this.

---

Claude Code Plugin Ecosystem

The awesome-claude-code index (39.6k stars) had several new additions this cycle:

• claude-pace — statusline showing rate-limit burn rate, context %, and git branch stats
• ccxray — transparent HTTP proxy between Claude Code and Anthropic API for observability
• CodeBurn — terminal dashboard for cost/token analytics (Ink/React)
• AgentSys (avifenesh) — workflow automation bundling agents, skills, linting via agnix
• Claude Code Agent Teams: Exercises (April 4) — training material for multi-agent workflows, directly adjacent to this plugin's agent-team pattern

Structural trends hardening this week:

Skills (implicit, context-aware activation) are becoming the dominant contribution format over slash commands. Hooks are being used primarily for compliance enforcement — blocking writes to .env, auto-running formatters, and now blocking context compaction via the new PreCompact hook (exit 2 or {"decision":"block"}). Background monitor support was added in the plugin manifest (monitors top-level key). The skill description cap was raised from 250 → 1,536 characters; sessions now warn at startup for truncation.

A new source: 'settings' plugin marketplace source was added — plugins can now be declared inline in settings.json without a separate install step, which may be relevant for embedding this plugin in organizational .claude/settings.json files.

---

gh-aw Upstream Activity

Very active release week (v0.68.3 → v0.68.7, April 14–17):

Notable changes:

• v0.68.6 — OpenCode added as a fourth first-class engine (joining Claude, Copilot CLI, Codex). New engine.bare mode skips context loading. Pre-agent-steps support. Security hardening: cache-memory sanitization, detection caution alerts in all footers.
• v0.68.5 — MCP config relocated to .github/mcp.json. This is a breaking change for any compiled lockfiles that reference MCP server declarations in the old location. The install-workflow and install-agent-team skills should flag this.
• v0.68.3 — Major commit-signing overhaul; shared workflow imports gain checkout and env fields; TBT telemetry; OTEL token breakdowns.

Pending breaking rename (unreleased): create-agent-task → create-agent-session, GITHUB_AW_AGENT_TASK_BASE → GITHUB_AW_AGENT_SESSION_BASE. The gh aw fix command will auto-migrate workflow source files. The agent-team workflows' dispatch-workflow safe-output calls reference create-agent-task — when this ships, they'll need migration or gh aw fix must be run.

Issue #16498 (OAuth/provider-based auth): Still open. No implementation milestone, no attached PR. The collaborator's March 1 message asked "should we revisit?" but there has been no follow-up commit activity. The AWF sandbox proxy (Squid allowlist) blocks the OAuth auth endpoint, and the merged PR #20473 (AuthDefinition) is for machine-to-machine OAuth flows (Azure, custom backends), not subscription tokens. No viable path to native CLAUDE_CODE_OAUTH_TOKEN support in gh-aw for the foreseeable future.

githubnext/agentics catalog: No new workflows merged; catalog remains at 49 entries. Notable: Issue #309 (April 7) reports that the weekly-research.md workflow uses WebSearch implicitly despite only declaring web-fetch: in the tools block — the same pattern this repo dogfoods. If the upstream catalog fixes this, the local weekly-research.md compiled lockfile may need a recompile to pick up the correction.

---

Competitive Landscape

anthropics/claude-code-action: At v1.0.101 (April 18), shipping near-daily patches. The model bump to Opus 4.7 (v1.0.100) is the most notable functional change. Roughly 6 releases in the last 7 days — the action is mature and well-maintained, which is good news for the OAuth path this plugin guides users through.

Anthropic's Claude Code Review (launched March 9): Multi-agent PR review system built directly into Claude Code. Multiple specialized agents run in parallel (logic, security, API misuse, conventions); a verification agent attempts to disprove each finding before posting. Currently Team/Enterprise only; estimated $15–25/review. This is in adjacent territory — it's a reviewer, not a workflow installer — but it validates the multi-agent pattern at Anthropic's own product level.

ComposioHQ/agent-orchestrator: Parallel coding agent orchestration where each agent gets its own worktree, branch, and PR. Agent-agnostic (Claude Code, Codex, Aider). This is the closest functional competitor to the agent-team pattern in this plugin.

VoltAgent/awesome-agent-skills: 1,000+ skills, cross-editor (Claude Code, Codex, Gemini CLI, Cursor, Copilot, OpenCode, Windsurf). The NeoLabHQ/code-review skill has specialized sub-agents (bug-hunter, security-auditor, contracts-reviewer, test-coverage-reviewer) — a multi-agent review architecture implemented as Claude Code skills rather than gh-aw workflows.

zircote/github-agentic-workflows: Active; provides guided/one-shot gh-aw workflow creation, compile integration, and intent-level validation. This is the most direct overlap — an author-side tool vs. this plugin's install-side tool. No recent releases surfaced.

different-ai/openwork: Open-source team collaboration tool positioning as an alternative to Claude Cowork, powered by OpenCode.

No forks of github/gh-aw were found that added OAuth subscription token support back.

---

Subscription-backed CI Signals

The policy timeline has clarified considerably:

• Jan 9, 2026: Anthropic blocked third-party OAuth token usage server-side (no advance notice). OpenCode, Roo Code, Cline, Goose all hit "This credential is only authorized..." errors.
• Feb 20, 2026: ToS updated explicitly: "The use of OAuth tokens obtained via Claude Free, Pro, or Max accounts in any other product, tool, or service is not permitted."
• Apr 4, 2026: Third-party tools using subscription OAuth now draw from "extra usage" (metered billing over the subscription) rather than the subscription limit. The free-ride route is now monetized.

What remains clearly permitted: Using claude setup-token to generate a long-lived token and running it through the official anthropics/claude-code-action. This is documented in Anthropic's own Claude Code GitHub Actions docs and uses the official claude binary.

Key friction still unresolved (high upvote GitHub issues):

• claude-code-action issue #727 (18 upvotes): OAuth tokens from /login expire in ~1 day, impractical for CI without automation. setup-token tokens are ~1 year.
• claude-code issue #22992 (27 upvotes): Headless VMs/Docker/SSH can't complete browser-based OAuth flow. One user's workaround: install a full GUI desktop, complete OAuth, uninstall — a 15-minute 2–3 GB process.

Community forks addressing token refresh: grll/claude-code-action (Guillaume Raille) adds OAuth with automatic token refresh via PAT. claude-max-code-base-action is another marketplace option. Both require storing additional secrets and a PAT with secrets:write.

Community sentiment: Engineers who set ANTHROPIC_API_KEY thinking they were operating within a subscription budget have been surprised by per-token billing (a documented $1,800 accident). The confusion between OAuth and API-key paths remains a real pain point — one this plugin's auth.md is well-positioned to solve.

---

Strategic Suggestions

1. Reframe the auth docs from "workaround" to "official path."
The auth.md currently describes the OAuth path as a workaround referencing an open upstream issue (#16498). But the relevant path for subscribers — claude setup-token → CLAUDE_CODE_OAUTH_TOKEN in the official claude binary — is explicitly documented and permitted by Anthropic. The issue #16498 is about gh-aw's proxy not supporting it (a different problem). Separating these two concerns in the docs would clarify: the auth mechanism is sound, the limitation is gh-aw's sandbox proxy. This also positions the post-compile tweak correctly: it's circumventing gh-aw's proxy restriction, not Anthropic's policy.

2. Add a gh aw fix prompt to the install skills before the upcoming agent-task → agent-session rename ships.
The agent-team workflows use create-agent-task in their dispatch-workflow safe-output calls. When gh-aw ships the rename, compiled lockfiles will warn (deprecated names still work during transition, then break). The install-agent-team skill should proactively run gh aw fix as a post-install step, or at least mention it in the install summary. Catching this before users encounter mysterious deprecation warnings is a low-effort high-value catch.

3. Submit to hesreallyhim/awesome-claude-code now.
The plugin's agent-team pattern is the most sophisticated multi-agent Claude Code construct documented publicly (4 specialized roles, structured comment contracts, concurrency locking, iteration caps). The awesome-claude-code index is what hiring managers at companies like Deepline and Anthropic itself are scanning for AI-tooling portfolio signal. The "Claude Code Agent Teams: Exercises" training material was just added this week — there's active interest in this pattern. A PR to the index with a one-line description referencing the agent-team pattern and gh-aw discovery skills would get the repo in front of the right audience at the right moment.

---

Enjoyable Anecdote

The recursive irony of the week: several sources confirm that recruiters at AI-forward companies are now using Claude Code itself to screen Claude Code engineering candidates — running the candidate's GitHub repo through a Claude Code session to evaluate code quality, CLAUDE.md sophistication, and skill architecture. This means a Claude Code plugin repo is, uniquely, optimized for its own job-application evaluation method. Building a well-structured CLAUDE.md and skill layout is simultaneously good engineering and a cover letter written in a language the interviewer speaks natively. The system is the portfolio is the resume.

---

Research Audit Trail

Web Search Queries

• anthropic terms of service april 2026
• anthropic.com/legal terms of service site:anthropic.com
• Claude Code changelog release notes april 2026
• anthropic blog april 2026
• CLAUDE_CODE_OAUTH_TOKEN CI github actions policy 2026
• Claude Code plugin marketplace announcement
• hesreallyhim/awesome-claude-code recent additions april 2026
• anthropics/claude-code recent PRs plugins skills
• github/gh-aw releases april 2026
• gh-aw issue 16498 OAuth
• gh-aw PR 20473 AuthDefinition
• githubnext/agentics catalog new workflows
• zircote/aw-author github-agentic-workflows releases
• anthropics/claude-code-action releases april 2026
• gh-aw OAuth fork subscription token
• ComposioHQ/agent-orchestrator
• VoltAgent/awesome-agent-skills
• different-ai/openwork
• Claude subscription CI github actions reddit r/ClaudeAI
• CLAUDE_CODE_OAUTH_TOKEN github actions ban 2026
• Anthropic OAuth ban third party tools
• grll/claude-code-login refresh token
• anthropic/claude-code-action issue 727 token expiry
• anthropic claude code headless auth issue 22992
• claude setup-token CI permitted
• AI tooling engineer jobs april 2026
• Anthropic careers Claude Code engineer
• HN who is hiring april 2026 claude anthropic
• awesome-claude-code portfolio signal hiring
• everything-claude-code affaan-m
• agentic engineering jobs 2026
• Claude Code recruiter screening candidates

MCP Tools Used

• mcp__github__list_discussion_categories (verkyyi/github-agent-runner)
• mcp__safeoutputs__create_discussion

Bash Commands Executed

• None

Warning

⚠️ Firewall blocked 9 domains

The following domains were blocked by the firewall during workflow execution:

• autonomee.ai
• code.claude.com
• grll.bearblog.dev
• hn.algolia.com
• kissapi.ai
• news.ycombinator.com
• platform.claude.com
• support.claude.com
• wain.blog

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "autonomee.ai"
    - "code.claude.com"
    - "grll.bearblog.dev"
    - "hn.algolia.com"
    - "kissapi.ai"
    - "news.ycombinator.com"
    - "platform.claude.com"
    - "support.claude.com"
    - "wain.blog"

See Network Configuration for more information.

Generated by Weekly Research · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/weekly-research.md@96b9d4c39aa22359c0b38265927eadb31dcf4e2a

• expires on Apr 27, 2026, 4:03 PM UTC