security-guidance: probe for a non-PATH 3.10+ interpreter on HOOK_PY_INCOMPATIBLE (2.0.6 → 2.0.7)

Instrument-first for the macOS Python-3.9 cohort.

v2.0.6 telemetry: ~13.6% of macOS sessions (~6,337 users) run on Apple's
Python 3.9 → HOOK_PY_INCOMPATIBLE → the agentic reviewer can't load (needs
3.10+ syntax). That's ~12x macOS's build-failure rate and the single
biggest macOS degradation. sg-python.sh only probes `python3.1x` on PATH,
so these users have nothing newer ON PATH — but they may still have a
3.10+ installed at a standard location that isn't on the hook's PATH
(Homebrew /opt/homebrew, python.org framework, etc.).

Before building an explicit-path interpreter search, size the RECOVERABLE
fraction: `_probe_alt_python()` checks Homebrew / python.org / distro
locations for a 3.10+ binary and emits the highest found as `sdk_alt_py`
(major*100+minor, or 0 = genuinely 3.9-only). Telemetry-only; probed ONLY
on the HOOK_PY_INCOMPATIBLE path, so healthy sessions never run it.

After a data cycle: non-zero sdk_alt_py = recoverable by an explicit-path
search in sg-python.sh; 0 = needs a user-side Python install (the one-time
notice is the only lever). That decides whether the search is worth building.

Verified locally on macOS Python 3.13:
  - py_compile clean; probe returns 314 on this Mac (homebrew 3.14 present).
  - 7 new tests (test_altpython_probe.py): highest-version selection,
    0-when-none (mocked os.access), framework/distro path parsing, only
    counts 3.10+, and emit gated on outcome==HOOK_PY_INCOMPATIBLE.
  - Full suite 575/575 + 2 skipped.

No behavior change — purely additive telemetry on the incompatible path.
Version 2.0.6 -> 2.0.7 per the per-PR-bump policy (#2114).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.claude-plugin/marketplace.json

@@ -35,7 +35,7 @@
         "url": "https://github.com/adobe/skills.git",
         "path": "plugins/creative-cloud/adobe-for-creativity",
         "ref": "main",
-        "sha": "e3971a70ecf47c0acadcd1852d9eb10e820e83f0"
+        "sha": "c467bf831064ebda26f39dd30c02d7cce03eb26c"
       },
       "homepage": "https://github.com/adobe/skills/tree/main/plugins/creative-cloud/adobe-for-creativity"
     },
@@ -113,22 +113,6 @@
       },
       "homepage": "https://www.airwallex.com/docs"
     },
-    {
-      "name": "airwallex-agentos",
-      "description": "Bring Airwallex's global financial infrastructure to Claude. Orchestrate actions across your account in plain language, e.g., set up invoices from a PO, onboard suppliers from invoices, and check current cash position across currencies. AgentOS bundles pre-built finance Skills with MCP servers. A public CLI connects your agent to Airwallex's capabilities.",
-      "author": {
-        "name": "Airwallex"
-      },
-      "category": "productivity",
-      "source": {
-        "source": "git-subdir",
-        "url": "https://github.com/airwallex/airwallex-marketplace.git",
-        "path": "plugins/airwallex-agentos",
-        "ref": "master",
-        "sha": "683a7536f9445c07439d087607b44b0383b8c41d"
-      },
-      "homepage": "https://www.airwallex.com/docs"
-    },
     {
       "name": "alloydb",
       "description": "Create, connect, and interact with an AlloyDB for PostgreSQL database and data.",
@@ -139,7 +123,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/alloydb.git",
-        "sha": "98bdfce9ab49622f5f4b1428130cc79feb37d93e"
+        "sha": "bbf4eb3664faf129ab8ff8c4b959d7e59c03d347"
       },
       "homepage": "https://cloud.google.com/alloydb"
     },
@@ -153,7 +137,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/alloydb-omni.git",
-        "sha": "23f9166ba3950728fb2c48390b2e35cc3ddd3b35"
+        "sha": "fbf2476630629f32ce0029bbd62d225950fdfd6d"
       },
       "homepage": "https://github.com/gemini-cli-extensions/alloydb-omni"
     },
@@ -166,7 +150,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/amazon-location-service",
         "ref": "main",
-        "sha": "46fd59cd1a0751ac15e34754f86f9a06b0900d2c"
+        "sha": "7a17df718d26f07414b876e77a7480fa25089b08"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -239,7 +223,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "da0048c49f88335c9d9cc617837e182ba04a2ab5"
+        "sha": "789b4544b85a989694501e4f405b522f2d711cf6"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
@@ -291,7 +275,7 @@
         "url": "https://github.com/auth0/agent-skills.git",
         "path": "plugins/auth0",
         "ref": "main",
-        "sha": "fcc4f206e938116c2abb44f3484235e6f728ced2"
+        "sha": "b595bdb9b574569e864eef86c3d48c06e2cf414c"
       },
       "homepage": "https://auth0.com/docs/quickstart/agent-skills"
     },
@@ -307,7 +291,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-agents",
         "ref": "main",
-        "sha": "6c8891273181288a3172850e4501c762feb7c257"
+        "sha": "a9d1c70fe7442a97678e82b62c7c61bcb0deeaea"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -320,7 +304,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/aws-amplify",
         "ref": "main",
-        "sha": "46fd59cd1a0751ac15e34754f86f9a06b0900d2c"
+        "sha": "7a17df718d26f07414b876e77a7480fa25089b08"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -336,7 +320,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-core",
         "ref": "main",
-        "sha": "6c8891273181288a3172850e4501c762feb7c257"
+        "sha": "a9d1c70fe7442a97678e82b62c7c61bcb0deeaea"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -352,7 +336,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-data-analytics",
         "ref": "main",
-        "sha": "6c8891273181288a3172850e4501c762feb7c257"
+        "sha": "a9d1c70fe7442a97678e82b62c7c61bcb0deeaea"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -381,7 +365,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/aws-serverless",
         "ref": "main",
-        "sha": "46fd59cd1a0751ac15e34754f86f9a06b0900d2c"
+        "sha": "7a17df718d26f07414b876e77a7480fa25089b08"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -397,26 +381,10 @@
         "url": "https://github.com/awslabs/startups.git",
         "path": "advisor/plugins/aws-startup-advisor",
         "ref": "main",
-        "sha": "2e1d603a43b241f13ed40e4d1762f5e4ed744ecc"
+        "sha": "3eae13125da8cc923f010b19321137efd0e69a66"
       },
       "homepage": "https://github.com/awslabs/startups"
     },
-    {
-      "name": "aws-transform",
-      "description": "Migrate, modernize, and upgrade codebases to AWS. Transforms .NET Framework to .NET 8/10, mainframe COBOL to Java, VMware VMs to EC2, SQL Server to Aurora, and upgrades Java/Python/Node.js versions and AWS SDKs. AWS Transform - continuous modernization analyzes codebases for tech debt, security issues, and upgrade opportunities, then remediates them.",
-      "author": {
-        "name": "Amazon Web Services"
-      },
-      "category": "migration",
-      "source": {
-        "source": "git-subdir",
-        "url": "https://github.com/awslabs/agent-plugins.git",
-        "path": "plugins/aws-transform",
-        "ref": "main",
-        "sha": "46fd59cd1a0751ac15e34754f86f9a06b0900d2c"
-      },
-      "homepage": "https://github.com/awslabs/agent-plugins"
-    },
     {
       "name": "azure",
       "description": "Transform Claude into an Azure expert. This plugin integrates the Azure MCP server and specialized Azure skills to move beyond generic advice. It enables Claude to perform real-world tasks: listing resources, validating deployments, diagnosing infrastructure issues, and optimizing costs across 50+ Azure services.",
@@ -476,26 +444,10 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/bigquery-data-analytics.git",
-        "sha": "4e64d8488e95697a348b88b8ee47f0e676b2544b"
+        "sha": "9cee2a03105d74648231ed3a5c4a63c4f194790d"
       },
       "homepage": "https://github.com/gemini-cli-extensions/bigquery-data-analytics"
     },
-    {
-      "name": "boltz",
-      "description": "Predict structures, screen molecules and proteins, and design binders with Boltz from Claude Code.",
-      "author": {
-        "name": "Boltz"
-      },
-      "category": "development",
-      "source": {
-        "source": "git-subdir",
-        "url": "https://github.com/boltz-bio/boltz-api-skills.git",
-        "path": "plugins/boltz",
-        "ref": "main",
-        "sha": "02d9d74cfa4465149c66136d2b3c92a9d7c117c4"
-      },
-      "homepage": "https://boltz.bio"
-    },
     {
       "name": "box",
       "description": "Work with your Box content directly from Claude Code — search files, organize folders, collaborate with your team, and use Box AI to answer questions, summarize documents, and extract data without leaving your workflow.",
@@ -534,7 +486,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/buildkite/skills.git",
-        "sha": "ffffb1ed6c82a3b170433572b93d85b764c91bab"
+        "sha": "e6c7784f46a2c070fdf7e6fe1b61cd3ca0e20166"
       },
       "homepage": "https://buildkite.com"
     },
@@ -550,7 +502,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-cap-table",
         "ref": "main",
-        "sha": "bb08003a5474a8dbaca41b496a892c5cbcd057c7"
+        "sha": "5e119d7848e1f495092df4e41ac43e609e3293d1"
       },
       "homepage": "https://carta.com"
     },
@@ -566,7 +518,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-crm",
         "ref": "main",
-        "sha": "bb08003a5474a8dbaca41b496a892c5cbcd057c7"
+        "sha": "5e119d7848e1f495092df4e41ac43e609e3293d1"
       },
       "homepage": "https://carta.com"
     },
@@ -582,7 +534,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-investors",
         "ref": "main",
-        "sha": "bb08003a5474a8dbaca41b496a892c5cbcd057c7"
+        "sha": "5e119d7848e1f495092df4e41ac43e609e3293d1"
       },
       "homepage": "https://carta.com"
     },
@@ -609,7 +561,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/ChromeDevTools/chrome-devtools-mcp.git",
-        "sha": "08c234ea4b14b0ba0906deeca396873614a8c063"
+        "sha": "ed02047ae90f25c4c15adb8fd7e224b963f43135"
       },
       "homepage": "https://github.com/ChromeDevTools/chrome-devtools-mcp"
     },
@@ -731,7 +683,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/cloud-sql-mysql.git",
-        "sha": "4508637f66362b70b75ea6e40d41a7ef8efabcc6"
+        "sha": "983c804fe7dc58b3e58021960e7e1831a10e08b9"
       },
       "homepage": "https://github.com/gemini-cli-extensions/cloud-sql-mysql"
     },
@@ -759,7 +711,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/cloud-sql-sqlserver.git",
-        "sha": "e55c1ff46d92dfcfedc6cf1139cf5eb5beb9f02d"
+        "sha": "8e1490ec8f659a5711655d2fa4241597a63d4883"
       },
       "homepage": "https://github.com/gemini-cli-extensions/cloud-sql-sqlserver"
     },
@@ -852,7 +804,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/CodSpeedHQ/codspeed.git",
-        "sha": "66037bed0152bd0998685c876a80814383dd0eeb"
+        "sha": "9e21a9c0415c848d1c6d7e66c221f7524433899d"
       },
       "homepage": "https://codspeed.io"
     },
@@ -867,20 +819,6 @@
       "category": "productivity",
       "homepage": "https://github.com/anthropics/claude-plugins-public/tree/main/plugins/commit-commands"
     },
-    {
-      "name": "confidence",
-      "description": "Access Confidence feature flags, experiments, and migration tools directly from Claude Code.",
-      "author": {
-        "name": "Spotify Confidence"
-      },
-      "category": "development",
-      "source": {
-        "source": "url",
-        "url": "https://github.com/spotify/confidence-ai-plugins.git",
-        "sha": "4854807c4461dba686f2b8b69d0955a83ac6ff7e"
-      },
-      "homepage": "https://confidence.spotify.com"
-    },
     {
       "name": "context7",
       "description": "Upstash Context7 MCP server for up-to-date documentation lookup. Pull version-specific documentation and code examples directly from source repositories into your LLM context.",
@@ -903,7 +841,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/get-convex/convex-backend-skill.git",
-        "sha": "b04d9d3c83bf8446302be95e12cb834fba6fe622"
+        "sha": "d184f54776d20dd834218b11b83feb42d5e2a065"
       },
       "homepage": "https://github.com/get-convex/convex-backend-skill",
       "keywords": [
@@ -980,7 +918,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/dash0hq/dash0-agent-plugin.git",
-        "sha": "9d0f6d3ed65dcd512324f767a49b9d1612ead59d"
+        "sha": "e1a46f085171787382465b7148070da36127119f"
       },
       "homepage": "https://dash0.com/"
     },
@@ -991,7 +929,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "da0048c49f88335c9d9cc617837e182ba04a2ab5"
+        "sha": "789b4544b85a989694501e4f405b522f2d711cf6"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
@@ -1005,7 +943,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/data-agent-kit-starter-pack.git",
-        "sha": "cb3a6e85b7b0607c09479216597a92f0dcf693ce"
+        "sha": "65a480a04dc09fe51fab66fde61b1a2baa443741"
       },
       "homepage": "https://github.com/gemini-cli-extensions/data-agent-kit-starter-pack"
     },
@@ -1015,7 +953,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "da0048c49f88335c9d9cc617837e182ba04a2ab5"
+        "sha": "789b4544b85a989694501e4f405b522f2d711cf6"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
@@ -1028,7 +966,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/databases-on-aws",
         "ref": "main",
-        "sha": "46fd59cd1a0751ac15e34754f86f9a06b0900d2c"
+        "sha": "7a17df718d26f07414b876e77a7480fa25089b08"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -1070,7 +1008,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/dataproc.git",
-        "sha": "a8d5220007ae51a7104428acd38748432de597a8"
+        "sha": "80d126d27d84ded752c84668472dd6f75896fc59"
       },
       "homepage": "https://github.com/gemini-cli-extensions/dataproc"
     },
@@ -1084,7 +1022,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/datarobot-oss/datarobot-agent-skills.git",
-        "sha": "6597148f13471d951322f5321a35cef59a47f6bc"
+        "sha": "6937e65a4f652ecc08b8b53bd7e79f6e3d1f69b3"
       },
       "homepage": "https://datarobot.com"
     },
@@ -1110,7 +1048,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/deploy-on-aws",
         "ref": "main",
-        "sha": "46fd59cd1a0751ac15e34754f86f9a06b0900d2c"
+        "sha": "7a17df718d26f07414b876e77a7480fa25089b08"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -1146,7 +1084,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/dominodatalab/domino-claude-plugin.git",
-        "sha": "c2649c78bac350715594352ca61d2df9e3340783"
+        "sha": "56c3fc39d2f2f26d58d0f27d4dad138b0edec456"
       },
       "homepage": "https://www.domino.ai"
     },
@@ -1174,7 +1112,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/DuendeSoftware/duende-skills.git",
-        "sha": "fc252b1747ee45bffd0d8c6007009f7ae637b09b"
+        "sha": "72e39de9f10c5dafaa7f32f58fcdbd5a8f3e5c14"
       },
       "homepage": "https://duendesoftware.com"
     },
@@ -1212,7 +1150,7 @@
         "url": "https://github.com/expo/skills.git",
         "path": "plugins/expo",
         "ref": "main",
-        "sha": "b76270a44ce60fd2f1e664d92177e88211722c45"
+        "sha": "39d50f0caeacec8a17588534bb32aa962c677a3d"
       },
       "homepage": "https://github.com/expo/skills/blob/main/plugins/expo/README.md"
     },
@@ -1278,7 +1216,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/firecrawl/firecrawl-claude-plugin.git",
-        "sha": "e30c89f7b065b29a7283d49a4dcc5e302900fda3"
+        "sha": "b33447585ac521b091eae672bd4cad4ec1d093f6"
       },
       "homepage": "https://github.com/firecrawl/firecrawl-claude-plugin.git"
     },
@@ -1306,7 +1244,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/atlassian/forge-skills.git",
-        "sha": "8c1c2488f213f8f4bf0647b87176c36549e61e3f"
+        "sha": "c7df956176eb1c2a10ffabc4eaacc5d843d8bede"
       },
       "homepage": "https://developer.atlassian.com/platform/forge/"
     },
@@ -1409,7 +1347,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/hunter-io/claude-plugin.git",
-        "sha": "9929ccf4f228171398049633da7afd8f1b65646b"
+        "sha": "06bcb94a4e6498d8557a4543f8d5c4ea429b0c0a"
       },
       "homepage": "https://hunter.io"
     },
@@ -1423,7 +1361,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/heygen-com/hyperframes.git",
-        "sha": "66dde0898b11235e5231e94443364267a8c14a34"
+        "sha": "3b3ece81d1a0b36038e67e58d9ca620e4a3122e9"
       },
       "homepage": "https://hyperframes.heygen.com"
     },
@@ -1491,7 +1429,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/knowledge-catalog.git",
-        "sha": "260294e6b662eaccafe1361e88496ea259df79ed"
+        "sha": "fe4e94035824fa41f7d06426531bbed7bec2520c"
       },
       "homepage": "https://github.com/gemini-cli-extensions/knowledge-catalog"
     },
@@ -1630,7 +1568,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/looker.git",
-        "sha": "0b4e497ef9839fce0ae1efd40216fee15a1c5e33"
+        "sha": "ef38964514c9b6634ac9a211d3987222bb36bf6e"
       },
       "homepage": "https://github.com/gemini-cli-extensions/looker"
     },
@@ -1692,7 +1630,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/lusha-oss/lusha-mcp-plugin.git",
-        "sha": "aafe0a59cb143d0adc711af2813cd3b9cd5693d0"
+        "sha": "affbc76b03c1a46c0dffc5b7a374cf7af17b26e8"
       },
       "homepage": "https://www.lusha.com"
     },
@@ -1798,7 +1736,7 @@
         "url": "https://github.com/awslabs/startups.git",
         "path": "migrate/plugins/migration-to-aws",
         "ref": "main",
-        "sha": "f28c66d966e8b03b387ffd44a47c6c53b73ff775"
+        "sha": "3eae13125da8cc923f010b19321137efd0e69a66"
       },
       "homepage": "https://github.com/awslabs/startups"
     },
@@ -1902,7 +1840,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/Nimbleway/agent-skills.git",
-        "sha": "eb97261aa8145fa6d0f45d62d0955805fa06fb91"
+        "sha": "e72345e283f977d4f7bb4d6d415b5964a385bdf1"
       },
       "homepage": "https://docs.nimbleway.com/integrations/agent-skills/plugin-installation"
     },
@@ -1929,7 +1867,7 @@
         "url": "https://github.com/NVIDIA/skills.git",
         "path": "plugins/nvidia-skills",
         "ref": "main",
-        "sha": "366564ddf68ad55b3c12a2faee3d2fd3d3de3b36"
+        "sha": "b0c4c9abca3e0b493d96a1574c9678daf086c4b5"
       },
       "homepage": "https://github.com/NVIDIA/skills"
     },
@@ -1945,7 +1883,7 @@
         "url": "https://github.com/oracle-samples/oracle-aidp-samples.git",
         "path": "ai/claude-code-plugins/oracle-ai-data-platform-workbench-spark-connectors",
         "ref": "main",
-        "sha": "13e7a9139b3b62172119c7fc1a63bf4a2eac919d"
+        "sha": "fd54df54076da5fa95fdb4a63398d2edb8724edb"
       },
       "homepage": "https://docs.oracle.com/en/cloud/paas/ai-data-platform/index.html"
     },
@@ -1959,7 +1897,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/oracledb.git",
-        "sha": "112837b96ddf6a9be8506cacbc847776e6252d8e"
+        "sha": "56239109760fd8ea838a56c946400347467bfa6d"
       },
       "homepage": "https://github.com/gemini-cli-extensions/oracledb"
     },
@@ -1975,7 +1913,7 @@
         "url": "https://github.com/growthxai/output.git",
         "path": "coding_assistants/claude/plugins/outputai",
         "ref": "main",
-        "sha": "ad03627aa08a4384bb401066f1cb93e47f5e5b88"
+        "sha": "bd6bd4960b00f340c1e345620a8eb42d6c696e5f"
       },
       "homepage": "https://output.ai"
     },
@@ -2217,7 +2155,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/quarkusio/quarkus-agent-mcp.git",
-        "sha": "0baae19189bb5c0a74c586e1ba5576d2b503583b"
+        "sha": "bcab0174a0f3a076a265958d9017da15c1f87d01"
       },
       "homepage": "https://quarkus.io"
     },
@@ -2253,7 +2191,7 @@
         "source": "url",
         "url": "https://github.com/RevenueCat/rc-claude-code-plugin.git",
         "path": "revenuecat",
-        "sha": "c387dcd737a949f303ee5942b022f922edda5ac6"
+        "sha": "e0470e8f5413decb0dc67156057b4b5cfc6df447"
       },
       "homepage": "https://www.revenuecat.com"
     },
@@ -2305,24 +2243,10 @@
         "source": "url",
         "url": "https://github.com/RevenueCat/rc-claude-code-plugin.git",
         "path": "revenuecat",
-        "sha": "c387dcd737a949f303ee5942b022f922edda5ac6"
+        "sha": "e0470e8f5413decb0dc67156057b4b5cfc6df447"
       },
       "homepage": "https://www.revenuecat.com"
     },
-    {
-      "name": "rill",
-      "description": "Skills for developing and querying projects in the Rill business intelligence platform",
-      "author": {
-        "name": "Rill Data"
-      },
-      "category": "development",
-      "source": {
-        "source": "url",
-        "url": "https://github.com/rilldata/agent-skills.git",
-        "sha": "9bdc4efa38a9ad419104fc2d1bb3e89529202487"
-      },
-      "homepage": "https://docs.rilldata.com/developers/build/ai-configuration"
-    },
     {
       "name": "rootly",
       "description": "Full-lifecycle incident management: deploy safety, incident response, on-call management, and retrospectives.",
@@ -2404,7 +2328,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/sagemaker-ai",
         "ref": "main",
-        "sha": "46fd59cd1a0751ac15e34754f86f9a06b0900d2c"
+        "sha": "7a17df718d26f07414b876e77a7480fa25089b08"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -2452,7 +2376,7 @@
         "url": "https://github.com/SAP/open-ux-tools.git",
         "path": "packages/fiori-mcp-server",
         "ref": "main",
-        "sha": "f15bbb9afb98a5590247b472fc2cd680ed01e71c"
+        "sha": "384fb88f5b4662ec0f7e1ac81689ebccaa9d7cb8"
       },
       "homepage": "https://github.com/SAP/open-ux-tools/tree/main/packages/fiori-mcp-server"
     },
@@ -2491,7 +2415,7 @@
     {
       "name": "security-guidance",
       "description": "Security review for Claude-generated code. Pattern-based warnings on edits, LLM-powered diff review on Stop, and an agentic commit reviewer that catches injection, XSS, SSRF, hardcoded secrets, and 25+ other vulnerability classes.",
-      "version": "2.0.6",
+      "version": "2.0.7",
       "author": {
         "name": "Anthropic",
         "email": "support@anthropic.com"
@@ -2508,7 +2432,7 @@
         "source": "git-subdir",
         "url": "https://github.com/semgrep/mcp-marketplace.git",
         "path": "plugin",
-        "sha": "6b7cc9dd82e36461ab737d725ef554e370373754"
+        "sha": "274846f6f9da5f56be53b19170bc008d357142a7"
       },
       "homepage": "https://github.com/semgrep/mcp-marketplace.git"
     },
@@ -2519,7 +2443,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/getsentry/sentry-for-claude.git",
-        "sha": "34da65c94c93aed40a20ae85d9e1d1935591ad39"
+        "sha": "765cca4683e77271900fdf3521a555a04528baaf"
       },
       "homepage": "https://github.com/getsentry/sentry-for-claude/tree/main"
     },
@@ -2535,7 +2459,7 @@
         "url": "https://github.com/getsentry/cli.git",
         "path": "plugins/sentry-cli",
         "ref": "main",
-        "sha": "a1674824a25e7e6a066f932c2f3746bb0ff70c3b"
+        "sha": "4fda3dc169b914a8dec53c18d127ccbe67dbbf3e"
       },
       "homepage": "https://sentry.io"
     },
@@ -2688,7 +2612,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/spanner.git",
-        "sha": "e6a93f9ce95758ce7b7c54330871cfb40e53b976"
+        "sha": "d4678e2bc04f60f3dfcdb6b916df28e63a0d615f"
       },
       "homepage": "https://github.com/gemini-cli-extensions/spanner"
     },
@@ -2746,7 +2670,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/obra/superpowers.git",
-        "sha": "b62616fc12f6a007c6fd5118146821d748da0d33"
+        "sha": "6fd4507659784c351abbd2bc264c7162cfd386dc"
       },
       "homepage": "https://github.com/obra/superpowers.git"
     },
@@ -2780,7 +2704,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/JetBrains/teamcity-cli.git",
-        "sha": "1da7bafc3d34f419397c920172bd12d0a0d81b9d"
+        "sha": "4865b1b75e77889355393a46dc56a0363ce3330d"
       },
       "homepage": "https://www.jetbrains.com/teamcity/"
     },
@@ -2873,7 +2797,7 @@
         "url": "https://github.com/UI5/plugins-coding-agents.git",
         "path": "plugins/ui5",
         "ref": "main",
-        "sha": "60f66f3341cb69ab4f649f1f60d70649bf391be2"
+        "sha": "80f2d93287054f9d30dd990e842e15bcfca581c9"
       },
       "homepage": "https://github.com/UI5/plugins-coding-agents"
     },
@@ -2891,7 +2815,7 @@
         "url": "https://github.com/UI5/plugins-coding-agents.git",
         "path": "plugins/ui5-typescript-conversion",
         "ref": "main",
-        "sha": "60f66f3341cb69ab4f649f1f60d70649bf391be2"
+        "sha": "80f2d93287054f9d30dd990e842e15bcfca581c9"
       },
       "homepage": "https://github.com/UI5/plugins-coding-agents"
     },
@@ -2985,7 +2909,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/wix/skills.git",
-        "sha": "3210de0af739dd668e1531b8acd9a6a6ec3bf5c4"
+        "sha": "561315d22a49544d6518d3a753973d3a95dfafcc"
       },
       "homepage": "https://dev.wix.com/docs/wix-cli/guides/development/about-wix-skills"
     },
@@ -3038,7 +2962,7 @@
         "url": "https://github.com/zapier/zapier-mcp.git",
         "path": "plugins/zapier",
         "ref": "main",
-        "sha": "469b06007824bb859982a95d2dad5caec11e0bf1"
+        "sha": "ea8ed6b4de66e9bb46c12b3a38da8286e3770ad9"
       },
       "homepage": "https://github.com/zapier/zapier-mcp/tree/main/plugins/zapier"
     },

plugins/security-guidance/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "security-guidance",
-  "version": "2.0.6",
+  "version": "2.0.7",
   "description": "Security review for Claude-generated code. Pattern-based warnings on edits, LLM-powered diff review on Stop, and an agentic commit reviewer that catches injection, XSS, SSRF, hardcoded secrets, and 25+ other vulnerability classes.",
   "author": {
     "name": "David Dworken",

plugins/security-guidance/hooks/ensure_agent_sdk.py

@@ -318,6 +318,46 @@ def _probe_has_pip() -> bool:
         return False
 
 
+def _probe_alt_python() -> int:
+    """When the hook interpreter is <3.10 (HOOK_PY_INCOMPATIBLE), look for a
+    3.10+ interpreter at well-known install locations that aren't necessarily
+    on the hook's PATH — Homebrew (/opt/homebrew, /usr/local), python.org
+    framework builds, and the `py`/distro layouts. Returns the HIGHEST version
+    found encoded as major*100+minor (e.g. 312), or 0 if none.
+
+    Purpose (telemetry only, for now): size how many of the macOS Python-3.9
+    cohort actually HAVE a newer interpreter that sg-python.sh's PATH probe
+    missed — i.e. how many are RECOVERABLE by an explicit-path search vs.
+    genuinely 3.9-only. Emitted as sdk_alt_py. Existence-checks the versioned
+    binaries (cheap); a later explicit-path search would version-verify before
+    exec'ing. Probed only on the incompatible path, so healthy sessions never
+    pay for it."""
+    candidates = []
+    for minor in (14, 13, 12, 11, 10):
+        candidates += [
+            f"/opt/homebrew/bin/python3.{minor}",        # Apple-Silicon Homebrew
+            f"/usr/local/bin/python3.{minor}",           # Intel Homebrew / python.org shim
+            f"/Library/Frameworks/Python.framework/Versions/3.{minor}/bin/python3",  # python.org
+            f"/usr/bin/python3.{minor}",                 # distro-managed (Linux)
+        ]
+    best = 0
+    for path in candidates:
+        try:
+            if os.access(path, os.X_OK):
+                # path name encodes the minor; parse it back to a code
+                base = os.path.basename(path)
+                minor = None
+                if base.startswith("python3."):
+                    minor = int(base.split(".")[1])
+                elif "/Versions/3." in path:
+                    minor = int(path.split("/Versions/3.")[1].split("/")[0])
+                if minor is not None:
+                    best = max(best, 300 + minor)
+        except (OSError, ValueError, IndexError):
+            continue
+    return best
+
+
 def _pip_err_from_stderr(stderr_b):
     """Categorize a pip-install stderr into a known err_kind (the pip subset
     of SDK_BOOTSTRAP_ERR_CODES). Used by the --target fallback; mirrors the
@@ -788,6 +828,14 @@ if __name__ == "__main__":
         # per healthy session.
         if _encode_err_kind(err_kind) == 11:
             metrics["sdk_has_pip"] = _probe_has_pip()
+    # When the hook interpreter is <3.10 (HOOK_PY_INCOMPATIBLE), probe for a
+    # 3.10+ interpreter at known non-PATH locations. Non-zero sdk_alt_py =
+    # this user is RECOVERABLE by an explicit-path search in sg-python.sh; 0 =
+    # genuinely 3.9-only (needs a user install). Sizes the macOS Py-3.9 cohort
+    # (~13.6% of macOS sessions) before we build the search. Incompatible path
+    # only — healthy sessions never run it.
+    if outcome == HOOK_PY_INCOMPATIBLE:
+        metrics["sdk_alt_py"] = _probe_alt_python()
     # Interpreter version (major*100 + minor, e.g. 309 / 312), emitted on
     # every bootstrap. Disambiguates the macOS cohort (Apple 3.9 vs a 3.10+
     # with broken ensurepip) for both venv_ensurepip_fail AND