Official Base44 plugin — full-stack app development with CLI project management
and JavaScript/TypeScript SDK skills. MIT licensed, skills-only (no MCP server).
Partner escalation from #plugin-partner-escalations.
Already merged on -internal (PR #1466, 2026-04-07).
Partner escalation from #plugin-partner-escalations (Lucas Smedley).
Spotify Ads Manager — skills-only plugin for managing ad campaigns
via Claude Code. Already published in community marketplace.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Allow SonarSource to ship updates without requiring SHA bump PRs.
The plugin tracks the default branch (main) going forward.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(telegram): prevent zombie pollers from blocking new sessions
The MCP server runs as a grandchild of the CLI (via `bun run start` →
shell → `bun server.ts`). When the CLI is killed uncleanly (SIGKILL,
crash, terminal close), the grandchild survives as an orphan and keeps
long-polling getUpdates indefinitely. Telegram allows only one consumer
per token, so every subsequent session sees 409 Conflict and the
existing retry loop spins forever.
Three layered mitigations:
- PID lockfile (STATE_DIR/bot.pid): on startup, SIGTERM any stale holder
before claiming the slot, so a fresh session always wins.
- Orphan watchdog: every 5s check for parent reparenting (POSIX ppid
change) or a dead stdin pipe, and self-terminate. Covers cases where
the existing stdin end/close events never fire through the wrapper.
- 409 retry cap: give up after 8 attempts (~28s) instead of looping
forever, and bail immediately if shutdown has begun.
Also adds a SIGHUP handler and removes the pidfile on clean shutdown
(only if still owned by this process).
* chore(telegram): bump version to 0.0.5
---------
Co-authored-by: Claude <noreply@anthropic.com>
- analyze-sessions.mjs: track per-session start/end/tokens and emit
by_day[] in JSON output (date, dow, tokens, peak concurrency,
per-session spans). Hoist shared token-sum in commit loop.
- template.html: new "session timeline by day" section — horizontal
day pills (% of total + session count) drive a lane-packed gantt of
concurrent sessions, colored by project, with hover details and
←/→ keyboard nav. Extract drillList() helper and use it for both
top-prompts and cache-breaks (5 visible + "show more" toggle).
URL-source plugin pointing to cap-js/mcp-server which already has
.claude-plugin/plugin.json and .mcp.json at repo root.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Promotes zoom-plugin from community-internal (PR #1567, merged
2026-04-07) to official. Uses url source pointing at
github.com/zoom/zoom-plugin without a SHA pin to track upstream.
Ref: DIR-77, DIR-79
Promotes expo from community to official. Uses git-subdir source
(expo/skills @ plugins/expo, ref main) without a SHA pin so it
tracks upstream. Description cleaned to remove the reviewer-note
preamble that leaked into the community entry.
Ref: DIR-77, DIR-79
Generates an explorable HTML report of Claude Code session usage from
local ~/.claude/projects transcripts: total tokens, cache efficiency,
per-project/subagent/skill breakdowns, most expensive prompts with
transcript context, and cache breaks. Terminal-styled, single-file
output with sortable tables and expandable drill-downs.
ZoomInfo submitted with platform "Claude Cowork" on their form (2/24/2026)
and is correctly listed on knowledge-work-plugins. This entry was swept
into -official via staging merge PR #730 but should not be on the Claude
Code plugin marketplace.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Official MongoDB plugin (MCP Server + Skills) from mongodb/agent-skills.
Partner escalation — submitted via PR #158, Forge, and Slack.
Already merged on -internal (PR #667).
Bumps pinned SHA from 0714280 (Feb 20) to 40b11ac (Mar 26).
New commit adds private network search support.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes#993 (Permission denied on hook scripts) without relying on
client-side +x preservation.
The hook executor spawns commands via /bin/sh -c, which requires +x
to execute a script directly. Prefixing with bash reads the script
as data — mode bits are irrelevant. This works on all Claude Code
versions, whereas the client-side chmod fix (claude-cli #24666) only
shipped in v2.1.86.
All 3 scripts declare #!/bin/bash and use bashisms ([[ ]], =~), so
bash (not sh) is the correct interpreter.
The version field forces a fresh cache path (1.0.0/ instead of
unknown/), ensuring the new hooks.json reaches users with stale
caches.
Mirrors the existing IMESSAGE_STATE_DIR override. Lets a mock sqlite
chat.db stand in for ~/Library/Messages/chat.db so chat_messages can be
tested without macOS + Full Disk Access + real iMessage history.
SMS sender IDs are spoofable; iMessage is Apple-ID-authenticated and
end-to-end encrypted. The plugin previously treated both identically,
so a forged SMS from the owner's own number would match SELF, bypass
the access gate, and inherit owner-level trust — including permission
approval.
handleInbound now drops anything with service != 'iMessage' unless
IMESSAGE_ALLOW_SMS=true. Default is the safe path; users who want SMS
can opt in after reading the warning in README.
The self-chat echo filter matches outbound text against what chat.db
stores on round-trip. Three divergence sources caused false negatives
and duplicate bubbles:
- Signature suffix: "\nSent by Claude" is appended on send, but the
\n may not round-trip identically through attributedBody
- Emoji variation selectors (U+FE00-FE0F) and ZWJ (U+200D): chat.db
can add or drop these on emoji characters
- Smart quotes: macOS auto-substitutes straight quotes on the way in
Strip/normalize all three in echoKey() before the existing whitespace
collapse.
Fixes#1024
Tapback reactions and read receipts synced from linked devices arrive
as chat.db rows with whitespace-only text. The existing empty-check
used falsy comparison which doesn't catch ' ' or invisible chars,
causing unsolicited replies to reaction taps.
Fixes#1041
Permission prompts were being broadcast to all allowlisted contacts plus
every DM resolvable from the SELF address set. Two compounding bugs:
1. SELF was polluted by chat.last_addressed_handle, which on machines
with SMS history returns short codes, business handles, and other
contacts' numbers — not just the owner's addresses. One reporter's
query returned 50 addresses (2 actually theirs) resolving to 148 DM
chats, all of which received permission prompts.
2. Even with a clean SELF, the handler sent to allowFrom + SELF, so
every allowlisted contact received the prompt and could reply to
approve tool execution on the owner's machine.
Fix:
- Build SELF from message.account WHERE is_from_me=1 only
- Send permission prompts to self-chat only, not allowFrom
- Accept permission replies from self-chat only
Fixes#1048Fixes#1010
Reformat chat_messages output from flat per-message lines to grouped
conversation threads. Each thread gets a header labelling it DM or Group
with its participant list, date-separator lines when the calendar day
rolls over, and [HH:MM] local-time stamps instead of full ISO.
chat_guid is now optional — omit to dump every allowlisted chat at once
for a quick multi-thread overview. Default limit raised 20→100 per chat,
capped at 500.
New queries: qChatParticipants (handle list per chat) and qChatInfo
(display_name + style to distinguish DM/group). renderMsg replaced by
conversationHeader + renderConversation.
The lockfile had 94 artifactory.infra.ant.dev URLs baked in from
generation behind a private registry. External users hit 401s on
'bun install' and the server never starts. Regenerated against
registry.npmjs.org to match the .npmrc.
