fix(ralph-wiggum): add :* to allowed-tools pattern to permit arguments

The allowed-tools pattern was missing :* suffix, causing permission check
failures when arguments were passed to the setup script via ```! block.

Fixes #16398

README.md

@@ -6,7 +6,7 @@
 
 Claude Code is an agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster by executing routine tasks, explaining complex code, and handling git workflows -- all through natural language commands. Use it in your terminal, IDE, or tag @claude on Github.
 
-**Learn more in the [official documentation](https://docs.anthropic.com/en/docs/claude-code/overview)**.
+**Learn more in the [official documentation](https://code.claude.com/docs/en/overview)**.
 
 <img src="./demo.gif" />
 
@@ -56,7 +56,7 @@ When you use Claude Code, we collect feedback, which includes usage data (such a
 
 ### How we use your data
 
-See our [data usage policies](https://docs.anthropic.com/en/docs/claude-code/data-usage).
+See our [data usage policies](https://code.claude.com/docs/en/data-usage).
 
 ### Privacy safeguards
 

plugins/plugin-dev/skills/mcp-integration/references/authentication.md

@@ -264,139 +264,6 @@ EOF
 - Time-based authentication
 - Dynamic tenant/workspace selection
 
-### TTL Configuration
-
-By default, dynamically generated API keys are cached for 5 minutes. Configure the TTL with:
-
-```bash
-export CLAUDE_CODE_API_KEY_HELPER_TTL_MS=300000  # 5 minutes (default)
-```
-
-### Writing Robust Helper Scripts
-
-Helper scripts can cause issues if they hang or fail repeatedly. Follow these best practices to prevent infinite retry loops and connection hangs:
-
-**1. Always set timeouts on network operations:**
-```bash
-#!/bin/bash
-# get-token.sh - Robust token fetcher
-
-# Set a timeout for the entire script
-TIMEOUT_SECONDS=10
-
-# Use timeout for network calls
-TOKEN=$(timeout ${TIMEOUT_SECONDS}s curl -s --max-time ${TIMEOUT_SECONDS} \
-  "https://auth.example.com/token" 2>/dev/null)
-
-if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
-  # Exit with error - don't output invalid JSON
-  echo "Failed to fetch token" >&2
-  exit 1
-fi
-
-echo "{\"Authorization\": \"Bearer $TOKEN\"}"
-```
-
-**2. Handle VPN/network dependency failures:**
-```bash
-#!/bin/bash
-# get-headers.sh - VPN-aware token fetcher
-
-# Quick connectivity check before attempting auth
-if ! timeout 2s ping -c 1 vpn-dependent-service.internal >/dev/null 2>&1; then
-  echo "VPN not connected or service unreachable" >&2
-  exit 1
-fi
-
-# Proceed with token fetch (with timeout)
-TOKEN=$(timeout 10s get-token-from-vpn-service)
-
-if [ $? -ne 0 ] || [ -z "$TOKEN" ]; then
-  echo "Token fetch failed" >&2
-  exit 1
-fi
-
-echo "{\"Authorization\": \"Bearer $TOKEN\"}"
-```
-
-**3. Cache tokens locally to reduce network calls:**
-```bash
-#!/bin/bash
-# get-headers-cached.sh - Token fetcher with local caching
-
-CACHE_FILE="${HOME}/.cache/my-api-token"
-CACHE_MAX_AGE=240  # seconds (refresh before 5min TTL)
-
-# Check cache validity
-if [ -f "$CACHE_FILE" ]; then
-  CACHE_AGE=$(($(date +%s) - $(stat -c %Y "$CACHE_FILE" 2>/dev/null || stat -f %m "$CACHE_FILE")))
-  if [ "$CACHE_AGE" -lt "$CACHE_MAX_AGE" ]; then
-    cat "$CACHE_FILE"
-    exit 0
-  fi
-fi
-
-# Fetch new token with timeout
-TOKEN=$(timeout 10s fetch-new-token 2>/dev/null)
-
-if [ -z "$TOKEN" ]; then
-  # If fetch fails, try to use expired cache as fallback
-  if [ -f "$CACHE_FILE" ]; then
-    echo "Warning: Using expired cached token" >&2
-    cat "$CACHE_FILE"
-    exit 0
-  fi
-  echo "Failed to fetch token and no cache available" >&2
-  exit 1
-fi
-
-# Update cache
-mkdir -p "$(dirname "$CACHE_FILE")"
-echo "{\"Authorization\": \"Bearer $TOKEN\"}" > "$CACHE_FILE"
-cat "$CACHE_FILE"
-```
-
-**4. Fail fast with clear error messages:**
-```bash
-#!/bin/bash
-set -e  # Exit on any error
-
-# Check prerequisites before attempting network calls
-if [ -z "$API_SECRET" ]; then
-  echo "API_SECRET environment variable not set" >&2
-  exit 1
-fi
-
-# Use short timeouts to fail fast
-TOKEN=$(timeout 5s curl -sf --max-time 5 \
-  -H "X-Secret: $API_SECRET" \
-  "https://auth.example.com/token") || {
-  echo "Token request failed or timed out" >&2
-  exit 1
-}
-
-echo "{\"Authorization\": \"Bearer $TOKEN\"}"
-```
-
-### Troubleshooting Helper Scripts
-
-**Infinite retry loop / hanging:**
-- Add timeouts to all network operations
-- Use `set -e` to exit on errors
-- Check VPN/network connectivity before making requests
-- Ensure script outputs valid JSON or exits with error code
-
-**Script takes too long:**
-- Use `timeout` command wrapper
-- Set `--max-time` on curl requests
-- Consider caching tokens locally
-- Reduce TTL if tokens refresh too slowly
-
-**VPN-dependent helpers failing:**
-- Add connectivity check at start of script
-- Implement graceful degradation with cached tokens
-- Log clear error messages to stderr
-
 ## Security Best Practices
 
 ### DO

plugins/ralph-wiggum/commands/cancel-ralph.md

@@ -1,26 +1,18 @@
 ---
 description: "Cancel active Ralph Wiggum loop"
-allowed-tools: ["Bash"]
+allowed-tools: ["Bash(test -f .claude/ralph-loop.local.md:*)", "Bash(rm .claude/ralph-loop.local.md)", "Read(.claude/ralph-loop.local.md)"]
 hide-from-slash-command-tool: "true"
 ---
 
 # Cancel Ralph
 
-```!
-if [[ -f .claude/ralph-loop.local.md ]]; then
-  ITERATION=$(grep '^iteration:' .claude/ralph-loop.local.md | sed 's/iteration: *//')
-  echo "FOUND_LOOP=true"
-  echo "ITERATION=$ITERATION"
-else
-  echo "FOUND_LOOP=false"
-fi
-```
+To cancel the Ralph loop:
 
-Check the output above:
+1. Check if `.claude/ralph-loop.local.md` exists using Bash: `test -f .claude/ralph-loop.local.md && echo "EXISTS" || echo "NOT_FOUND"`
 
-1. **If FOUND_LOOP=false**:
-   - Say "No active Ralph loop found."
+2. **If NOT_FOUND**: Say "No active Ralph loop found."
 
-2. **If FOUND_LOOP=true**:
-   - Use Bash: `rm .claude/ralph-loop.local.md`
-   - Report: "Cancelled Ralph loop (was at iteration N)" where N is the ITERATION value from above.
+3. **If EXISTS**:
+   - Read `.claude/ralph-loop.local.md` to get the current iteration number from the `iteration:` field
+   - Remove the file using Bash: `rm .claude/ralph-loop.local.md`
+   - Report: "Cancelled Ralph loop (was at iteration N)" where N is the iteration value

plugins/ralph-wiggum/commands/ralph-loop.md

@@ -1,7 +1,7 @@
 ---
 description: "Start Ralph Wiggum loop in current session"
 argument-hint: "PROMPT [--max-iterations N] [--completion-promise TEXT]"
-allowed-tools: ["Bash(${CLAUDE_PLUGIN_ROOT}/scripts/setup-ralph-loop.sh)"]
+allowed-tools: ["Bash(${CLAUDE_PLUGIN_ROOT}/scripts/setup-ralph-loop.sh:*)"]
 hide-from-slash-command-tool: "true"
 ---
 
@@ -11,36 +11,6 @@ Execute the setup script to initialize the Ralph loop:
 
 ```!
 "${CLAUDE_PLUGIN_ROOT}/scripts/setup-ralph-loop.sh" $ARGUMENTS
-
-# Extract and display completion promise if set
-if [ -f .claude/ralph-loop.local.md ]; then
-  PROMISE=$(grep '^completion_promise:' .claude/ralph-loop.local.md | sed 's/completion_promise: *//' | sed 's/^"\(.*\)"$/\1/')
-  if [ -n "$PROMISE" ] && [ "$PROMISE" != "null" ]; then
-    echo ""
-    echo "═══════════════════════════════════════════════════════════"
-    echo "CRITICAL - Ralph Loop Completion Promise"
-    echo "═══════════════════════════════════════════════════════════"
-    echo ""
-    echo "To complete this loop, output this EXACT text:"
-    echo "  <promise>$PROMISE</promise>"
-    echo ""
-    echo "STRICT REQUIREMENTS (DO NOT VIOLATE):"
-    echo "  ✓ Use <promise> XML tags EXACTLY as shown above"
-    echo "  ✓ The statement MUST be completely and unequivocally TRUE"
-    echo "  ✓ Do NOT output false statements to exit the loop"
-    echo "  ✓ Do NOT lie even if you think you should exit"
-    echo ""
-    echo "IMPORTANT - Do not circumvent the loop:"
-    echo "  Even if you believe you're stuck, the task is impossible,"
-    echo "  or you've been running too long - you MUST NOT output a"
-    echo "  false promise statement. The loop is designed to continue"
-    echo "  until the promise is GENUINELY TRUE. Trust the process."
-    echo ""
-    echo "  If the loop should stop, the promise statement will become"
-    echo "  true naturally. Do not force it by lying."
-    echo "═══════════════════════════════════════════════════════════"
-  fi
-fi
 ```
 
 Please work on the task. When you try to exit, the Ralph loop will feed the SAME PROMPT back to you for the next iteration. You'll see your previous work in files and git history, allowing you to iterate and improve.

plugins/ralph-wiggum/scripts/setup-ralph-loop.sh

@@ -174,3 +174,30 @@ if [[ -n "$PROMPT" ]]; then
   echo ""
   echo "$PROMPT"
 fi
+
+# Display completion promise requirements if set
+if [[ "$COMPLETION_PROMISE" != "null" ]]; then
+  echo ""
+  echo "═══════════════════════════════════════════════════════════"
+  echo "CRITICAL - Ralph Loop Completion Promise"
+  echo "═══════════════════════════════════════════════════════════"
+  echo ""
+  echo "To complete this loop, output this EXACT text:"
+  echo "  <promise>$COMPLETION_PROMISE</promise>"
+  echo ""
+  echo "STRICT REQUIREMENTS (DO NOT VIOLATE):"
+  echo "  ✓ Use <promise> XML tags EXACTLY as shown above"
+  echo "  ✓ The statement MUST be completely and unequivocally TRUE"
+  echo "  ✓ Do NOT output false statements to exit the loop"
+  echo "  ✓ Do NOT lie even if you think you should exit"
+  echo ""
+  echo "IMPORTANT - Do not circumvent the loop:"
+  echo "  Even if you believe you're stuck, the task is impossible,"
+  echo "  or you've been running too long - you MUST NOT output a"
+  echo "  false promise statement. The loop is designed to continue"
+  echo "  until the promise is GENUINELY TRUE. Trust the process."
+  echo ""
+  echo "  If the loop should stop, the promise statement will become"
+  echo "  true naturally. Do not force it by lying."
+  echo "═══════════════════════════════════════════════════════════"
+fi