mcp-server-dev: hosting, payload-cap, lifecycle, and directory guidance

Add datadog plugin

.claude-plugin/marketplace.json

@@ -7,6 +7,16 @@
     "email": "support@anthropic.com"
   },
   "plugins": [
+    {
+      "name": "adlc",
+      "description": "Agentforce Agent Development Life Cycle — author, discover, scaffold, deploy, test, and optimize .agent files",
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/SalesforceAIResearch/agentforce-adlc.git"
+      },
+      "homepage": "https://github.com/SalesforceAIResearch/agentforce-adlc"
+    },
     {
       "name": "adspirer-ads-agent",
       "description": "Cross-platform ad management for Google Ads, Meta Ads, TikTok Ads, and LinkedIn Ads. 91 tools for keyword research, campaign creation, performance analysis, and budget optimization.",
@@ -14,7 +24,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/amekala/adspirer-mcp-plugin.git",
-        "sha": "aa70dbdbbbb843e94a794c10c2b13f5dd66b5e40"
+        "sha": "c40623f1aa7b568e960d3f2e2558a6fcf10e6c18"
       },
       "homepage": "https://www.adspirer.com"
     },
@@ -34,10 +44,10 @@
       "description": "AI-first project auditor and re-engineer based on the 9 design principles and 7 design patterns from the TechWolf AI-First Bootcamp",
       "source": {
         "source": "git-subdir",
-        "url": "techwolf-ai/ai-first-toolkit",
+        "url": "https://github.com/techwolf-ai/ai-first-toolkit.git",
         "path": "plugins/ai-firstify",
         "ref": "main",
-        "sha": "7f18e11d694b9ae62ea3009fbbc175f08ae913df"
+        "sha": "852272ec21cebab98202df967dffee127209b6bc"
       },
       "homepage": "https://ai-first.techwolf.ai"
     },
@@ -47,7 +57,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/endorlabs/ai-plugins.git",
-        "sha": "a0f1d5632b6f9e6c26eaa9806f5d8d454ca5b06f"
+        "sha": "975f0ce422b1f2677681ffd085aef34ea1826b70"
       },
       "homepage": "https://www.endorlabs.com"
     },
@@ -57,7 +67,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/AikidoSec/aikido-claude-plugin.git",
-        "sha": "d7fa8b8e192680d9a26c1a5dcaead7cf5cdb7139"
+        "sha": "5d9c13d367218e9b43a11d4502f623ab98859225"
       },
       "homepage": "https://github.com/AikidoSec/aikido-claude-plugin"
     },
@@ -76,9 +86,10 @@
     {
       "name": "amplitude",
       "source": {
-        "source": "url",
+        "source": "git-subdir",
         "url": "https://github.com/amplitude/mcp-marketplace.git",
-        "sha": "be54ccb66b10593721dd3a31e47b2db20ea02d2f"
+        "path": "plugins/amplitude",
+        "ref": "main"
       },
       "description": "Use Amplitude as an expert analyst — instrument Amplitude, discover product opportunities, analyze charts, create dashboards, manage experiments, and understand users and accounts.",
       "category": "monitoring",
@@ -98,7 +109,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "7ef022b02f5296b5ecc52ba0db3ba9345ec03c9e"
+        "sha": "5935c4330dea4dfb8e93568956b10a543ecdb3d1"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
@@ -146,6 +157,18 @@
       "source": "./external_plugins/autofix-bot",
       "homepage": "https://github.com/anthropics/claude-plugins-public/tree/main/external_plugins/autofix-bot"
     },
+    {
+      "name": "aws-amplify",
+      "description": "Build full-stack apps with AWS Amplify Gen 2 using guided workflows for authentication, data models, storage, GraphQL APIs, and Lambda functions.",
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/awslabs/agent-plugins.git",
+        "path": "plugins/aws-amplify",
+        "ref": "main"
+      },
+      "homepage": "https://github.com/awslabs/agent-plugins"
+    },
     {
       "name": "aws-serverless",
       "description": "Design, build, deploy, test, and debug serverless applications with AWS Serverless services.",
@@ -163,12 +186,48 @@
       "source": {
         "source": "url",
         "url": "https://github.com/AzureCosmosDB/cosmosdb-claude-code-plugin.git",
-        "sha": "56e6da0cae93cdee8bcfa5e624ecdd9a0a483181"
+        "sha": "23c168856e4435793bd27a72d4714f022a3a1e90"
       },
       "description": "Expert assistant for Azure Cosmos DB — data modeling, query optimization, performance tuning, and best practices.",
       "category": "database",
       "homepage": "https://github.com/AzureCosmosDB/cosmosdb-claude-code-plugin"
     },
+    {
+      "name": "azure-skills",
+      "description": "Microsoft Azure MCP integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from Claude Code.",
+      "category": "deployment",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/microsoft/azure-skills.git"
+      },
+      "homepage": "https://github.com/microsoft/azure-skills"
+    },
+    {
+      "name": "base44",
+      "description": "Build and deploy Base44 full-stack apps with CLI project management and JavaScript/TypeScript SDK development skills",
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/base44/skills.git",
+        "sha": "c7039b37eca0e2916a565a7395040c00055bcf8b"
+      },
+      "homepage": "https://docs.base44.com"
+    },
+    {
+      "name": "bigdata-com",
+      "description": "Official Bigdata.com plugin providing financial research, analytics, and intelligence tools powered by Bigdata MCP.",
+      "author": {
+        "name": "RavenPack"
+      },
+      "category": "database",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/Bigdata-com/bigdata-plugins-marketplace.git",
+        "path": "plugins/bigdata-com",
+        "ref": "main"
+      },
+      "homepage": "https://docs.bigdata.com"
+    },
     {
       "name": "box",
       "description": "Work with your Box content directly from Claude Code — search files, organize folders, collaborate with your team, and use Box AI to answer questions, summarize documents, and extract data without leaving your workflow.",
@@ -176,7 +235,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/box/box-for-ai.git",
-        "sha": "6f4ec3549f3e869b115628403555b1c9220b2b34"
+        "sha": "0fb23244e3c35cd562206c80eff1e22c456046ea"
       },
       "homepage": "https://github.com/box/box-for-ai"
     },
@@ -186,7 +245,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/brightdata/skills.git",
-        "sha": "e671da495f7ec0ed6be5e9fa71e260f886a1dc36"
+        "sha": "44b24797d82cfd535c5b97831d5c6ba86c9d60df"
       },
       "homepage": "https://docs.brightdata.com"
     },
@@ -208,7 +267,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/ChromeDevTools/chrome-devtools-mcp.git",
-        "sha": "c2d8009ff75f76bce1ec4cf79c2467b50d81725e"
+        "sha": "a1612be8e01401cf1711c64bc2ef5da5763ba956"
       },
       "homepage": "https://github.com/ChromeDevTools/chrome-devtools-mcp"
     },
@@ -280,7 +339,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/cloudflare/skills.git",
-        "sha": "5ec03da67e230df52b698255c8e5979dc9b124b6"
+        "sha": "0397d7d88fa6ac7517a88389622eb0799e86ded2"
       },
       "description": "Skills for the Cloudflare developer platform: Workers, Durable Objects, Agents SDK, MCP servers, Wrangler CLI, and web performance.",
       "category": "deployment",
@@ -292,17 +351,20 @@
       "source": {
         "source": "url",
         "url": "https://github.com/cloudinary-devs/cloudinary-plugin.git",
-        "sha": "137c5d7acd9c3f10e80cd2a400486971e1664f31"
+        "sha": "7b443d7dbd607bfe4850d8cfcab6ba4cbf1a57c3"
       },
       "homepage": "https://cloudinary.com/documentation"
     },
     {
       "name": "cockroachdb",
-      "description": "CockroachDB plugin for Claude Code — explore schemas, write optimized SQL, debug queries, and manage distributed database clusters directly from your AI coding agent.",
+      "description": "Connect Claude Code directly to your CockroachDB clusters for hands-on database work — explore schemas, write optimized SQL, debug queries, and manage distributed database clusters. This plugin provides 14 tools across two active MCP backends (self-hosted MCP Toolbox and managed CockroachDB Cloud MCP Server), three specialized agents (DBA, Developer, Operator), 32 skills across 6 operational domains, and built-in safety hooks.",
+      "author": {
+        "name": "Cockroach Labs"
+      },
+      "category": "database",
       "source": {
         "source": "url",
-        "url": "https://github.com/cockroachdb/claude-plugin.git",
-        "sha": "a54566e03c852567589ef85bb449d1e4de229667"
+        "url": "https://github.com/cockroachdb/claude-plugin.git"
       },
       "homepage": "https://github.com/cockroachdb/claude-plugin"
     },
@@ -386,7 +448,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "7ef022b02f5296b5ecc52ba0db3ba9345ec03c9e"
+        "sha": "5935c4330dea4dfb8e93568956b10a543ecdb3d1"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
@@ -396,10 +458,47 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "85d6053b1e21724f9cefb1e3f5219bd54fc77224"
+        "sha": "5935c4330dea4dfb8e93568956b10a543ecdb3d1"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
+    {
+      "name": "databases-on-aws",
+      "description": "Expert database guidance for the AWS database portfolio. Design schemas, execute queries, handle migrations, and choose the right database for your workload.",
+      "category": "database",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/awslabs/agent-plugins.git",
+        "path": "plugins/databases-on-aws",
+        "ref": "main"
+      },
+      "homepage": "https://github.com/awslabs/agent-plugins"
+    },
+    {
+      "name": "datadog",
+      "description": "Use Datadog directly in Claude Code through a preconfigured Datadog MCP server. Query logs, metrics, traces, dashboards, and more through natural conversation. This plugin is in preview.",
+      "author": {
+        "name": "Datadog"
+      },
+      "category": "monitoring",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/datadog-labs/claude-code-plugin.git"
+      },
+      "homepage": "https://www.datadoghq.com/"
+    },
+    {
+      "name": "dataverse",
+      "description": "Agent skills for building on, analyzing, and managing Microsoft Dataverse — with Dataverse MCP, PAC CLI, and Python SDK.",
+      "category": "database",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/microsoft/Dataverse-skills.git",
+        "path": ".github/plugins/dataverse",
+        "ref": "main"
+      },
+      "homepage": "https://github.com/microsoft/Dataverse-skills"
+    },
     {
       "name": "deploy-on-aws",
       "description": "Deploy applications to AWS with architecture recommendations, cost estimates, and IaC deployment.",
@@ -445,7 +544,7 @@
       "category": "development",
       "source": {
         "source": "git-subdir",
-        "url": "expo/skills",
+        "url": "https://github.com/expo/skills.git",
         "path": "plugins/expo",
         "ref": "main"
       },
@@ -463,7 +562,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/fastly/fastly-agent-toolkit.git",
-        "sha": "d9ba949011e725be55cae11acc741aa1f1f393d3"
+        "sha": "329331c887512850f13e481b45c4298c0387a4d2"
       },
       "homepage": "https://github.com/fastly/fastly-agent-toolkit/blob/main/README.md"
     },
@@ -484,7 +583,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/voxel51/fiftyone-skills.git",
-        "sha": "593e0553fc9fd94db52386ada2c9e2074a6ecf89"
+        "sha": "02bd4ea170ca01a751c2d2dd6bf2df8f62e65626"
       },
       "homepage": "https://docs.voxel51.com/"
     },
@@ -541,7 +640,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/followrabbit-ai/awesome-rabbit.git",
-        "sha": "f59ec3d1f6337a6ed825ef06836a221ed3d2ffb0"
+        "sha": "6926154501300d348a7b50d47479648fe87985b6"
       },
       "homepage": "https://subscriptions.agentic.followrabbit.ai/"
     },
@@ -576,7 +675,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/PAIR-Systems-Inc/goodmem-claude-code-plugin.git",
-        "sha": "215568baf203887b5d7f8245e0503dd4a81336c2"
+        "sha": "4e23ab2b3bc7cb4167c99e10d9640ad7089744d7"
       },
       "homepage": "https://github.com/PAIR-Systems-Inc/goodmem-claude-code-plugin"
     },
@@ -612,10 +711,10 @@
       "description": "Build on Solana with Helius — live blockchain tools, expert coding patterns, and autonomous account signup",
       "source": {
         "source": "git-subdir",
-        "url": "helius-labs/core-ai",
+        "url": "https://github.com/helius-labs/core-ai.git",
         "path": "helius-plugin",
         "ref": "main",
-        "sha": "05ea4d1128d46618266bbcc23a5e7019c57be0d6"
+        "sha": "d9d252497bcf1e4bd5073a76715cd50a8353f9c3"
       },
       "homepage": "https://www.helius.dev/docs"
     },
@@ -653,7 +752,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/intercom/claude-plugin-external.git",
-        "sha": "eeef353eead2e3dc5f33f64dbaae54e1309e0d45"
+        "sha": "52653572c47700443eb61154c4e4334a355e755e"
       },
       "homepage": "https://github.com/intercom/claude-plugin-external"
     },
@@ -727,7 +826,7 @@
       "category": "productivity",
       "source": {
         "source": "git-subdir",
-        "url": "legalzoom/claude-plugins",
+        "url": "https://github.com/legalzoom/claude-plugins.git",
         "path": "plugins/legalzoom",
         "ref": "main",
         "sha": "f9fd8a0ca6e1421bc1aacb113a109663a7a6f6d8"
@@ -741,6 +840,38 @@
       "source": "./external_plugins/linear",
       "homepage": "https://github.com/anthropics/claude-plugins-public/tree/main/external_plugins/linear"
     },
+    {
+      "name": "liquid-lsp",
+      "description": "LSP integration for Shopify Liquid templates via the Shopify CLI theme language server.",
+      "author": {
+        "name": "Shopify"
+      },
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/Shopify/liquid-skills.git",
+        "path": "plugins/liquid-lsp",
+        "ref": "main",
+        "sha": "a00ca039d82114a7af1b4cbc3025b16c624a42fa"
+      },
+      "homepage": "https://github.com/Shopify/liquid-skills/tree/main/plugins/liquid-lsp"
+    },
+    {
+      "name": "liquid-skills",
+      "description": "Liquid language fundamentals, CSS/JS/HTML coding standards, and WCAG accessibility patterns for Shopify themes",
+      "author": {
+        "name": "Shopify"
+      },
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/Shopify/liquid-skills.git",
+        "path": "plugins/liquid-skills",
+        "ref": "main",
+        "sha": "bf7a7aa9f9809b0dcd80cb5f7fd2795a7208a7a3"
+      },
+      "homepage": "https://github.com/Shopify/liquid-skills/tree/main/plugins/liquid-skills"
+    },
     {
       "name": "lua-lsp",
       "description": "Lua language server for code intelligence",
@@ -793,18 +924,6 @@
       },
       "homepage": "https://github.com/microsoftdocs/mcp"
     },
-    {
-      "name": "migration-to-aws",
-      "description": "Assess current cloud provider usage and billing to estimate and compare AWS services and pricing, with recommendations for migration or continued use of current provider.",
-      "category": "migration",
-      "source": {
-        "source": "git-subdir",
-        "url": "https://github.com/awslabs/agent-plugins.git",
-        "path": "plugins/migration-to-aws",
-        "ref": "main"
-      },
-      "homepage": "https://github.com/awslabs/agent-plugins"
-    },
     {
       "name": "mintlify",
       "description": "Build beautiful documentation sites with Mintlify. Convert non-markdown files into properly formatted MDX pages, add and modify content with correct component use, and automate documentation updates.",
@@ -812,10 +931,25 @@
       "source": {
         "source": "url",
         "url": "https://github.com/mintlify/mintlify-claude-plugin.git",
-        "sha": "ce435be18a700dc849d6a63a80da4816d1e2128c"
+        "sha": "acd6d2e0128c4f235d55cfb8d8c91ecbdd5df8cc"
       },
       "homepage": "https://www.mintlify.com/"
     },
+    {
+      "name": "miro",
+      "description": "Secure access to Miro boards. Enables AI to read board context, create diagrams, and generate code with enterprise-grade security.",
+      "author": {
+        "name": "Miro"
+      },
+      "category": "design",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/miroapp/miro-ai.git",
+        "path": "claude-plugins/miro",
+        "ref": "main"
+      },
+      "homepage": "https://miro.com"
+    },
     {
       "name": "mongodb",
       "description": "Official Claude plugin for MongoDB (MCP Server + Skills). Connect to databases, explore data, manage collections, optimize queries, generate reliable code, implement best practices, develop advanced features, and more.",
@@ -823,7 +957,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/mongodb/agent-skills.git",
-        "sha": "c47079f65e88a113c52d1ce0618684cef300246c"
+        "sha": "24529d9540b962d57f30e75d25071bebea5809ad"
       },
       "homepage": "https://www.mongodb.com/docs/mcp-server/overview/"
     },
@@ -833,10 +967,10 @@
       "category": "database",
       "source": {
         "source": "git-subdir",
-        "url": "neondatabase/agent-skills",
+        "url": "https://github.com/neondatabase/agent-skills.git",
         "path": "plugins/neon-postgres",
         "ref": "main",
-        "sha": "54d7a9db2ddd476f84d5d1fd7bac323907858a8b"
+        "sha": "1438d7db4560a649d62eba99e9d5008b77ac5758"
       },
       "homepage": "https://github.com/neondatabase/agent-skills/tree/main/plugins/neon-postgres"
     },
@@ -850,6 +984,28 @@
       },
       "homepage": "https://github.com/netlify/context-and-tools"
     },
+    {
+      "name": "netsuite-suitecloud",
+      "description": "NetSuite agent skills from Oracle — authoring guidance for SuiteCloud Development Framework (SDF) objects and UIF single-page-app components, plus runtime guidance for the NetSuite AI Service Connector.",
+      "author": {
+        "name": "Oracle NetSuite"
+      },
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/oracle/netsuite-suitecloud-sdk.git",
+        "path": "packages/agent-skills",
+        "ref": "master",
+        "sha": "43bacf43763e1eedd0892b4652be3d45df94f0e7"
+      },
+      "strict": false,
+      "skills": [
+        "./netsuite-ai-connector-instructions",
+        "./netsuite-sdf-roles-and-permissions",
+        "./netsuite-uif-spa-reference"
+      ],
+      "homepage": "https://github.com/oracle/netsuite-suitecloud-sdk"
+    },
     {
       "name": "nightvision",
       "description": "Skills for working with NightVision, a DAST and API Discovery platform that finds exploitable vulnerabilities in web applications and REST APIs",
@@ -865,8 +1021,7 @@
       "description": "Nimble web data toolkit — search, extract, map, crawl the web and work with structured data agents",
       "source": {
         "source": "url",
-        "url": "https://github.com/Nimbleway/agent-skills.git",
-        "sha": "cf391e95bd8ac009e3641f172434a1d130dde7fe"
+        "url": "https://github.com/Nimbleway/agent-skills.git"
       },
       "homepage": "https://docs.nimbleway.com/integrations/agent-skills/plugin-installation"
     },
@@ -896,7 +1051,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/Optimal-AI/optibot-skill.git",
-        "sha": "981db1f630c3116d7df0a71e5967af55b08e813c"
+        "sha": "ce2be448ee713606aa653fc93ef2f98a200fe327"
       },
       "homepage": "https://getoptimal.ai"
     },
@@ -1000,7 +1155,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gitroomhq/postiz-agent.git",
-        "sha": "c5d1bf5f7e95a71e230fc19ae2150ddd9c549854"
+        "sha": "37d627244c53a4b3a7ca94c52cc2db13aaaf468e"
       },
       "homepage": "https://postiz.com/agent"
     },
@@ -1011,7 +1166,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/Postman-Devrel/postman-claude-code-plugin.git",
-        "sha": "40b11ac3466c500cf4625ac016d5c01cd00046f4"
+        "sha": "416e40da03a237df7bf03f4362cf6fc7b989b567"
       },
       "homepage": "https://learning.postman.com/docs/developer/postman-mcp-server/"
     },
@@ -1052,7 +1207,7 @@
       "category": "development",
       "source": {
         "source": "git-subdir",
-        "url": "pydantic/skills",
+        "url": "https://github.com/pydantic/skills.git",
         "path": "plugins/ai",
         "ref": "main"
       },
@@ -1098,10 +1253,10 @@
       "category": "deployment",
       "source": {
         "source": "git-subdir",
-        "url": "railwayapp/railway-skills",
+        "url": "https://github.com/railwayapp/railway-skills.git",
         "path": "plugins/railway",
         "ref": "main",
-        "sha": "d52f3741a6a33a3191d6138eb3d6c3355cb970d1"
+        "sha": "eaa89d8f594412b0b837b6531241e7d166e12202"
       },
       "homepage": "https://docs.railway.com/ai/claude-code-plugin"
     },
@@ -1133,7 +1288,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/Digital-Process-Tools/claude-remember.git",
-        "sha": "779ab61d8d412230eeec1840b8ca104bebea4358"
+        "sha": "914445ac5f06a164800ea90ba4db41a0486321ae"
       },
       "homepage": "https://github.com/Digital-Process-Tools/claude-remember"
     },
@@ -1192,6 +1347,18 @@
         }
       }
     },
+    {
+      "name": "sagemaker-ai",
+      "description": "Build, train, and deploy AI models with deep AWS AI/ML expertise brought directly into your coding assistants, covering the surface area of Amazon SageMaker AI.",
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/awslabs/agent-plugins.git",
+        "path": "plugins/sagemaker-ai",
+        "ref": "main"
+      },
+      "homepage": "https://github.com/awslabs/agent-plugins"
+    },
     {
       "name": "sanity",
       "description": "Sanity content platform integration with MCP server, agent skills, and slash commands. Query and author content, build and optimize GROQ queries, design schemas, and set up Visual Editing.",
@@ -1202,7 +1369,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/sanity-io/agent-toolkit.git",
-        "sha": "4b1fb10bd707a22cf0cdfad5374ffc885f2ffa8d"
+        "sha": "bc09fa9854507c538a856648aafbd4e1a775a95c"
       },
       "homepage": "https://www.sanity.io"
     },
@@ -1269,6 +1436,32 @@
       "category": "productivity",
       "homepage": "https://github.com/anthropics/claude-plugins-official/tree/main/plugins/session-report"
     },
+    {
+      "name": "shopify",
+      "description": "Shopify developer tools for Claude Code — search Shopify docs, generate and validate GraphQL, Liquid, and UI extension code",
+      "author": {
+        "name": "Shopify"
+      },
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/Shopify/shopify-plugins.git"
+      },
+      "homepage": "https://shopify.dev/docs/apps/build/devmcp"
+    },
+    {
+      "name": "shopify-ai-toolkit",
+      "description": "Shopify's AI Toolkit provides 18 development skills for building on the Shopify platform, covering documentation search, API schema access, GraphQL and Liquid code validation, Hydrogen storefronts, Polaris UI extensions, store management via CLI, and onboarding guidance for both developers and merchants.",
+      "author": {
+        "name": "Shopify"
+      },
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/Shopify/Shopify-AI-Toolkit.git"
+      },
+      "homepage": "https://shopify.dev"
+    },
     {
       "name": "skill-creator",
       "description": "Create new skills, improve existing skills, and measure skill performance. Use when users want to create a skill from scratch, update or optimize an existing skill, run evals to test a skill, or benchmark skill performance with variance analysis.",
@@ -1291,14 +1484,17 @@
       "homepage": "https://github.com/slackapi/slack-mcp-plugin/tree/main"
     },
     {
-      "name": "sonarqube-agent-plugins",
-      "description": "Integrate SonarQube code quality and security analysis into Claude Code: namespaced slash commands, a guided skill to setup the SonarQube CLI, and a startup check for CLI wiring. MCP server registration and secrets-scanning hooks are installed by the SonarQube CLI as part of setup.",
+      "name": "sonarqube",
+      "description": "Automatically enforce SonarQube code quality and security in the agent coding loop — 7,000+ rules, secrets scanning, agentic analysis, and quality gates across 40+ languages. PostToolUse hooks run analysis after every file edit. Pre-tool secrets scanning prevents 450+ patterns from reaching the LLM. Slash commands give on-demand access to quality gate status, coverage, duplication, and dependency risks. Includes SonarQube CLI, MCP Server, skills, hooks, and slash commands.",
+      "author": {
+        "name": "SonarSource"
+      },
       "category": "security",
       "source": {
         "source": "url",
         "url": "https://github.com/SonarSource/sonarqube-agent-plugins.git"
       },
-      "homepage": "https://github.com/SonarSource/sonarqube-agent-plugins"
+      "homepage": "https://www.sonarsource.com"
     },
     {
       "name": "sonatype-guide",
@@ -1317,7 +1513,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/sourcegraph-community/sourcegraph-claudecode-plugin.git",
-        "sha": "cfe3d44476957b16d1575261bef6b2dc7cb1e0b7"
+        "sha": "332ee0ca9a409ccd791abee43c7abf2606469017"
       },
       "homepage": "https://sourcegraph.com"
     },
@@ -1328,7 +1524,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/spotify/ads-claude-plugin.git",
-        "sha": "a4bce9912db071d47dfb410086a48004e0539efa"
+        "sha": "63585cc919da51dd24fab594d829869595301922"
       },
       "homepage": "https://github.com/spotify/ads-claude-plugin"
     },
@@ -1362,7 +1558,7 @@
       "category": "development",
       "source": {
         "source": "git-subdir",
-        "url": "stripe/ai",
+        "url": "https://github.com/stripe/ai.git",
         "path": "providers/claude/plugin",
         "ref": "main"
       },
@@ -1375,7 +1571,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/sumup/sumup-skills.git",
-        "sha": "802476c39a0422d3277e37288b03968ad731bc30"
+        "sha": "0fd0a911ecaffd7187fe35e914d8ead6de584ffd"
       },
       "homepage": "https://www.sumup.com/"
     },
@@ -1383,8 +1579,11 @@
       "name": "supabase",
       "description": "Supabase MCP integration for database operations, authentication, storage, and real-time subscriptions. Manage your Supabase projects, run SQL queries, and interact with your backend directly.",
       "category": "database",
-      "source": "./external_plugins/supabase",
-      "homepage": "https://github.com/anthropics/claude-plugins-public/tree/main/external_plugins/supabase"
+      "source": {
+        "source": "url",
+        "url": "https://github.com/supabase-community/supabase-plugin.git"
+      },
+      "homepage": "https://github.com/supabase-community/supabase-plugin"
     },
     {
       "name": "superpowers",
@@ -1469,10 +1668,10 @@
       "category": "development",
       "source": {
         "source": "git-subdir",
-        "url": "UI5/plugins-claude",
+        "url": "https://github.com/UI5/plugins-claude.git",
         "path": "plugins/ui5",
         "ref": "main",
-        "sha": "5070dfc1cef711d6efad40beb43750027039d71f"
+        "sha": "cec940abd4b7b6866de8e7e4522f3dba0449379d"
       },
       "homepage": "https://github.com/UI5/plugins-claude"
     },
@@ -1482,10 +1681,10 @@
       "category": "development",
       "source": {
         "source": "git-subdir",
-        "url": "UI5/plugins-claude",
+        "url": "https://github.com/UI5/plugins-claude.git",
         "path": "plugins/ui5-typescript-conversion",
         "ref": "main",
-        "sha": "5070dfc1cef711d6efad40beb43750027039d71f"
+        "sha": "cec940abd4b7b6866de8e7e4522f3dba0449379d"
       },
       "homepage": "https://github.com/UI5/plugins-claude"
     },
@@ -1505,7 +1704,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/TSedmanDC/Voila-API-Skill.git",
-        "sha": "b9cfcb860cb5ae4ece57d67422a6cdd92ef96739"
+        "sha": "422c7beb772a0de4592a204584e0e990fc5dc139"
       },
       "homepage": "https://github.com/TSedmanDC/Voila-API-Skill"
     },
@@ -1516,7 +1715,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/wix/skills.git",
-        "sha": "15dda227e34959b1340e33bb9aede7e23a273f42"
+        "sha": "bf25b5a45b2413b3581f3dcbcd63f3737791a051"
       },
       "homepage": "https://dev.wix.com/docs/wix-cli/guides/development/about-wix-skills"
     },
@@ -1526,7 +1725,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/Automattic/claude-code-wordpress.com.git",
-        "sha": "e4d23c3bffdcdb7f70134ab6a1a110258ff75cfd"
+        "sha": "052ca970df2c577d7c651e784935186ff93e6779"
       },
       "homepage": "https://developer.wordpress.com/wordpress-com-claude-code-plugin/"
     },
@@ -1536,10 +1735,10 @@
       "category": "productivity",
       "source": {
         "source": "git-subdir",
-        "url": "zapier/zapier-mcp",
+        "url": "https://github.com/zapier/zapier-mcp.git",
         "path": "plugins/zapier",
         "ref": "main",
-        "sha": "b93007e9a726c6ee93c57a949e732744ef5acbfd"
+        "sha": "76c4669321847c8f72a6e0462c17f29fd437519a"
       },
       "homepage": "https://github.com/zapier/zapier-mcp/tree/main/plugins/zapier"
     },

.github/scripts/discover_bumps.py

@@ -0,0 +1,229 @@
+#!/usr/bin/env python3
+"""Discover plugins in marketplace.json whose upstream repo has moved past
+their pinned SHA, update the file in place, and emit a summary.
+
+Adapted from claude-plugins-community-internal's discover_bumps.py for the
+single-file marketplace.json format used by claude-plugins-official.
+
+Usage: discover_bumps.py [--plugin NAME] [--max N] [--dry-run]
+"""
+
+import argparse
+import json
+import os
+import re
+import subprocess
+import sys
+from datetime import datetime, timezone
+from typing import Any
+
+
+MARKETPLACE_PATH = ".claude-plugin/marketplace.json"
+
+
+def gh_api(path: str) -> Any:
+    """GET from the GitHub API. None on not-found; raises on other errors.
+
+    "Not found" covers both 404 (resource gone) and 422 "No commit found
+    for SHA" (force-pushed away). Both mean the thing we asked for isn't
+    there — treating them the same lets callers handle dead refs uniformly.
+    """
+    r = subprocess.run(
+        ["gh", "api", path], capture_output=True, text=True
+    )
+    if r.returncode != 0:
+        combined = r.stdout + r.stderr
+        if any(s in combined for s in ("404", "Not Found", "No commit found")):
+            return None
+        raise RuntimeError(f"gh api {path}: {r.stderr.strip() or r.stdout.strip()}")
+    return json.loads(r.stdout)
+
+
+def parse_github_repo(url: str) -> tuple[str, str] | None:
+    """Extract (owner, repo) from a URL or owner/repo shorthand."""
+    # Full URL: https://github.com/owner/repo(.git)(/...)
+    m = re.match(r"https?://github\.com/([^/]+)/([^/]+?)(?:\.git)?(?:/|$)", url)
+    if m:
+        return m.group(1), m.group(2)
+    # Shorthand: owner/repo
+    m = re.match(r"^([\w.-]+)/([\w.-]+)$", url)
+    if m:
+        return m.group(1), m.group(2)
+    return None
+
+
+def latest_sha(owner: str, repo: str, *, ref: str | None, path: str | None) -> str | None:
+    """Latest commit SHA for the repo, optionally scoped to a ref and/or path."""
+    if path:
+        # Scoped to a subdirectory — use the commits list endpoint with path filter.
+        q = f"repos/{owner}/{repo}/commits?per_page=1&path={path}"
+        if ref:
+            q += f"&sha={ref}"
+        commits = gh_api(q)
+        if not commits:
+            return None
+        return commits[0]["sha"]
+    # Whole repo — the single-ref endpoint is cheaper.
+    if not ref:
+        meta = gh_api(f"repos/{owner}/{repo}")
+        if not meta:
+            return None
+        ref = meta["default_branch"]
+    c = gh_api(f"repos/{owner}/{repo}/commits/{ref}")
+    return c["sha"] if c else None
+
+
+def pinned_age_days(owner: str, repo: str, sha: str) -> int | None:
+    """Days since the pinned commit was authored. Used for oldest-first rotation."""
+    c = gh_api(f"repos/{owner}/{repo}/commits/{sha}")
+    if not c:
+        return None
+    dt = datetime.fromisoformat(
+        c["commit"]["committer"]["date"].replace("Z", "+00:00")
+    )
+    return (datetime.now(timezone.utc) - dt).days
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser()
+    ap.add_argument("--plugin", help="only check this plugin")
+    ap.add_argument("--max", type=int, default=20, help="cap bumps emitted")
+    ap.add_argument("--dry-run", action="store_true", help="don't write marketplace.json")
+    args = ap.parse_args()
+
+    with open(MARKETPLACE_PATH) as f:
+        marketplace = json.load(f)
+
+    plugins = marketplace.get("plugins", [])
+    bumps: list[dict] = []
+    dead: list[str] = []
+    skipped_non_github = 0
+    checked = 0
+
+    for plugin in plugins:
+        name = plugin.get("name", "?")
+        src = plugin.get("source")
+
+        # Only process object sources with a sha field
+        if not isinstance(src, dict) or "sha" not in src:
+            continue
+
+        # Filter to specific plugin if requested
+        if args.plugin and name != args.plugin:
+            continue
+
+        checked += 1
+        kind = src.get("source")
+        url = src.get("url", "")
+        path = src.get("path")
+        ref = src.get("ref")
+        pinned = src.get("sha")
+
+        slug = parse_github_repo(url)
+        if not slug:
+            skipped_non_github += 1
+            continue
+        owner, repo = slug
+
+        try:
+            latest = latest_sha(owner, repo, ref=ref, path=path)
+        except RuntimeError as e:
+            print(f"::warning::{name}: {e}", file=sys.stderr)
+            continue
+
+        if latest is None:
+            dead.append(f"{name} ({owner}/{repo})")
+            continue
+
+        if latest == pinned:
+            continue  # up to date
+
+        # Age lookup for rotation — oldest-pinned first prevents starvation.
+        try:
+            age = pinned_age_days(owner, repo, pinned) if pinned else None
+        except RuntimeError as e:
+            print(f"::warning::{name}: age lookup failed: {e}", file=sys.stderr)
+            age = None
+
+        bumps.append({
+            "name": name,
+            "kind": kind,
+            "url": url,
+            "path": path or "",
+            "ref": ref or "",
+            "old_sha": pinned or "",
+            "new_sha": latest,
+            "age_days": age if age is not None else 10**6,
+        })
+
+    # Oldest-pinned first so nothing starves under the cap.
+    bumps.sort(key=lambda b: -b["age_days"])
+    emitted = bumps[: args.max]
+
+    # Apply bumps to marketplace data
+    if emitted and not args.dry_run:
+        bump_map = {b["name"]: b["new_sha"] for b in emitted}
+        for plugin in plugins:
+            name = plugin.get("name")
+            src = plugin.get("source")
+            if isinstance(src, dict) and name in bump_map:
+                src["sha"] = bump_map[name]
+
+        with open(MARKETPLACE_PATH, "w") as f:
+            json.dump(marketplace, f, indent=2, ensure_ascii=False)
+            f.write("\n")
+
+    # Write GitHub outputs
+    out = os.environ.get("GITHUB_OUTPUT")
+    if out:
+        bumped_names = ",".join(b["name"] for b in emitted)
+        with open(out, "a") as fh:
+            fh.write(f"count={len(emitted)}\n")
+            fh.write(f"bumped_names={bumped_names}\n")
+
+    # Write GitHub step summary
+    summary = os.environ.get("GITHUB_STEP_SUMMARY")
+    if summary:
+        with open(summary, "a") as fh:
+            fh.write("## SHA Bump Discovery\n\n")
+            fh.write(f"- Checked: {checked} SHA-pinned entries\n")
+            fh.write(f"- Stale: {len(bumps)} (applying {len(emitted)}, cap {args.max})\n")
+            if skipped_non_github:
+                fh.write(f"- Skipped non-GitHub: {skipped_non_github}\n")
+            if dead:
+                fh.write(f"- **Dead upstream** ({len(dead)}): {', '.join(dead)}\n")
+            if emitted:
+                fh.write("\n| Plugin | Old | New | Age |\n|---|---|---|---|\n")
+                for b in emitted:
+                    old = b["old_sha"][:8] if b["old_sha"] else "(unpinned)"
+                    fh.write(f"| {b['name']} | `{old}` | `{b['new_sha'][:8]}` | {b['age_days']}d |\n")
+
+    # Write PR body for the workflow to use
+    pr_body_path = os.environ.get("PR_BODY_PATH", "/tmp/bump-pr-body.md")
+    if emitted:
+        with open(pr_body_path, "w") as fh:
+            fh.write("Upstream repos moved. Bumping pinned SHAs so plugins track latest.\n\n")
+            fh.write("| Plugin | Old | New | Upstream |\n")
+            fh.write("|--------|-----|-----|----------|\n")
+            for b in emitted:
+                old = b["old_sha"][:8] if b["old_sha"] else "(unpinned)"
+                slug_str = re.sub(r"https?://github\.com/", "", b["url"])
+                slug_str = re.sub(r"\.git$", "", slug_str)
+                compare = f"https://github.com/{slug_str}/compare/{b['old_sha'][:12]}...{b['new_sha'][:12]}"
+                fh.write(f"| `{b['name']}` | `{old}` | `{b['new_sha'][:8]}` | [diff]({compare}) |\n")
+            fh.write(f"\n---\n_Auto-generated by `bump-plugin-shas.yml` on {datetime.now(timezone.utc).strftime('%Y-%m-%d')}_\n")
+
+    # Console summary
+    print(f"Checked {checked} SHA-pinned plugins", file=sys.stderr)
+    print(f"Stale: {len(bumps)}, applying: {len(emitted)}", file=sys.stderr)
+    if dead:
+        print(f"Dead upstream: {', '.join(dead)}", file=sys.stderr)
+    for b in emitted:
+        old = b["old_sha"][:8] if b["old_sha"] else "unpinned"
+        print(f"  {b['name']}: {old} -> {b['new_sha'][:8]} ({b['age_days']}d)", file=sys.stderr)
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/workflows/bump-plugin-shas.yml

@@ -0,0 +1,133 @@
+name: Bump plugin SHAs
+
+# Weekly sweep of marketplace.json — for each entry whose upstream repo has
+# moved past its pinned SHA, open a PR against main with updated SHAs. The
+# validate-marketplace workflow then runs on the PR to confirm the file is
+# still well-formed.
+#
+# Adapted from claude-plugins-community-internal's bump-plugin-shas.yml
+# for the single-file marketplace.json format. Key difference: all bumps
+# are batched into one PR (since they all modify the same file).
+
+on:
+  schedule:
+    - cron: '23 7 * * 1'  # Monday 07:23 UTC
+  workflow_dispatch:
+    inputs:
+      plugin:
+        description: Only bump this plugin (for testing)
+        required: false
+      max_bumps:
+        description: Cap on plugins bumped this run
+        required: false
+        default: '20'
+      dry_run:
+        description: Discover only, don't open PR
+        type: boolean
+        default: true
+
+concurrency:
+  group: bump-plugin-shas
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bump:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check for existing bump PR
+        id: existing
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          existing=$(gh pr list --label sha-bump --state open --json number --jq 'length')
+          echo "count=$existing" >> "$GITHUB_OUTPUT"
+          if [ "$existing" -gt 0 ]; then
+            echo "::notice::Open sha-bump PR already exists — skipping"
+          fi
+
+      - name: Ensure sha-bump label exists
+        if: steps.existing.outputs.count == '0'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh label create sha-bump --color 0e8a16 --description "Automated SHA bump" 2>/dev/null || true
+
+      - name: Overlay marketplace data from main
+        if: steps.existing.outputs.count == '0'
+        run: |
+          git fetch origin main --depth=1 --quiet
+          git checkout origin/main -- .claude-plugin/marketplace.json
+
+      - name: Discover and apply SHA bumps
+        if: steps.existing.outputs.count == '0'
+        id: discover
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_BODY_PATH: /tmp/bump-pr-body.md
+          PLUGIN: ${{ inputs.plugin }}
+          MAX_BUMPS: ${{ inputs.max_bumps }}
+          DRY_RUN: ${{ inputs.dry_run }}
+        run: |
+          args=(--max "${MAX_BUMPS:-20}")
+          [[ -n "$PLUGIN" ]] && args+=(--plugin "$PLUGIN")
+          [[ "$DRY_RUN" = "true" ]] && args+=(--dry-run)
+          python3 .github/scripts/discover_bumps.py "${args[@]}"
+
+      - uses: oven-sh/setup-bun@v2
+        if: steps.existing.outputs.count == '0' && steps.discover.outputs.count != '0' && inputs.dry_run != true
+
+      - name: Validate marketplace.json
+        if: steps.existing.outputs.count == '0' && steps.discover.outputs.count != '0' && inputs.dry_run != true
+        run: |
+          bun .github/scripts/validate-marketplace.ts .claude-plugin/marketplace.json
+          bun .github/scripts/check-marketplace-sorted.ts
+
+      - name: Push bump branch
+        if: steps.existing.outputs.count == '0' && steps.discover.outputs.count != '0' && inputs.dry_run != true
+        id: push
+        run: |
+          branch="auto/bump-shas-$(date +%Y%m%d)"
+          echo "branch=$branch" >> "$GITHUB_OUTPUT"
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$branch"
+          git add .claude-plugin/marketplace.json
+          git commit -m "Bump SHA pins for ${{ steps.discover.outputs.count }} plugin(s)
+
+          Plugins: ${{ steps.discover.outputs.bumped_names }}"
+          git push -u origin "$branch" --force-with-lease
+
+      # GITHUB_TOKEN cannot create PRs (org policy: "Allow GitHub Actions to
+      # create and approve pull requests" is disabled). Use the same GitHub App
+      # that -internal's bump workflow uses.
+      #
+      # Prerequisite: app 2812036 must be installed on this repo. The PEM
+      # secret must exist in this repo's settings (shared with -internal).
+      - name: Generate bot token
+        if: steps.push.outcome == 'success'
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: 2812036
+          private-key: ${{ secrets.CLAUDE_DIRECTORY_BOT_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
+      - name: Create pull request
+        if: steps.push.outcome == 'success'
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          gh pr create \
+            --base main \
+            --head "${{ steps.push.outputs.branch }}" \
+            --title "Bump SHA pins (${{ steps.discover.outputs.count }} plugins)" \
+            --body-file /tmp/bump-pr-body.md \
+            --label sha-bump

external_plugins/discord/server.ts

@@ -222,6 +222,8 @@ type GateResult =
 const recentSentIds = new Set<string>()
 const RECENT_SENT_CAP = 200
 
+const dmChannelUsers = new Map<string, string>()
+
 function noteSent(id: string): void {
   recentSentIds.add(id)
   if (recentSentIds.size > RECENT_SENT_CAP) {
@@ -404,7 +406,8 @@ async function fetchAllowedChannel(id: string) {
   const ch = await fetchTextChannel(id)
   const access = loadAccess()
   if (ch.type === ChannelType.DM) {
-    if (access.allowFrom.includes(ch.recipientId)) return ch
+    const userId = ch.recipientId ?? dmChannelUsers.get(id)
+    if (userId && access.allowFrom.includes(userId)) return ch
   } else {
     const key = ch.isThread() ? ch.parentId ?? ch.id : ch.id
     if (key in access.groups) return ch
@@ -823,6 +826,10 @@ async function handleInbound(msg: Message): Promise<void> {
 
   const chat_id = msg.channelId
 
+  if (msg.channel.type === ChannelType.DM) {
+    dmChannelUsers.set(chat_id, msg.author.id)
+  }
+
   // Permission-reply intercept: if this looks like "yes xxxxx" for a
   // pending permission request, emit the structured event instead of
   // relaying as chat. The sender is already gate()-approved at this point

external_plugins/supabase/.claude-plugin/plugin.json

@@ -1,7 +0,0 @@
-{
-  "name": "supabase",
-  "description": "Supabase MCP integration for database operations, authentication, storage, and real-time subscriptions. Manage your Supabase projects, run SQL queries, and interact with your backend directly.",
-  "author": {
-    "name": "Supabase"
-  }
-}

external_plugins/supabase/.mcp.json

@@ -1,6 +0,0 @@
-{
-  "supabase": {
-    "type": "http",
-    "url": "https://mcp.supabase.com/mcp"
-  }
-}

external_plugins/telegram/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "telegram",
   "description": "Telegram channel for Claude Code \u2014 messaging bridge with built-in access control. Manage pairing, allowlists, and policy via /telegram:access.",
-  "version": "0.0.5",
+  "version": "0.0.6",
   "keywords": [
     "telegram",
     "messaging",

external_plugins/telegram/server.ts

@@ -985,14 +985,17 @@ bot.catch(err => {
   process.stderr.write(`telegram channel: handler error (polling continues): ${err.error}\n`)
 })
 
-// 409 Conflict = another getUpdates consumer is still active (zombie from a
-// previous session, or a second Claude Code instance). Retry with backoff
-// until the slot frees up instead of crashing on the first rejection.
+// Retry polling with backoff on any error. Previously only 409 was retried —
+// a single ETIMEDOUT/ECONNRESET/DNS failure rejected bot.start(), the catch
+// returned, and polling stopped permanently while the process stayed alive
+// (MCP stdin keeps it running). Outbound tools kept working but the bot was
+// deaf to inbound messages until a full restart.
 void (async () => {
   for (let attempt = 1; ; attempt++) {
     try {
       await bot.start({
         onStart: info => {
+          attempt = 0
           botUsername = info.username
           process.stderr.write(`telegram channel: polling as @${info.username}\n`)
           void bot.api.setMyCommands(
@@ -1008,28 +1011,22 @@ void (async () => {
       return // bot.stop() was called — clean exit from the loop
     } catch (err) {
       if (shuttingDown) return
-      if (err instanceof GrammyError && err.error_code === 409) {
-        if (attempt >= 8) {
-          process.stderr.write(
-            `telegram channel: 409 Conflict persists after ${attempt} attempts — ` +
-            `another poller is holding the bot token (stray 'bun server.ts' process or a second session). Exiting.\n`,
-          )
-          return
-        }
-        const delay = Math.min(1000 * attempt, 15000)
-        const detail = attempt === 1
-          ? ' — another instance is polling (zombie session, or a second Claude Code running?)'
-          : ''
-        process.stderr.write(
-          `telegram channel: 409 Conflict${detail}, retrying in ${delay / 1000}s\n`,
-        )
-        await new Promise(r => setTimeout(r, delay))
-        continue
-      }
       // bot.stop() mid-setup rejects with grammy's "Aborted delay" — expected, not an error.
       if (err instanceof Error && err.message === 'Aborted delay') return
-      process.stderr.write(`telegram channel: polling failed: ${err}\n`)
-      return
+      const is409 = err instanceof GrammyError && err.error_code === 409
+      if (is409 && attempt >= 8) {
+        process.stderr.write(
+          `telegram channel: 409 Conflict persists after ${attempt} attempts — ` +
+          `another poller is holding the bot token (stray 'bun server.ts' process or a second session). Exiting.\n`,
+        )
+        return
+      }
+      const delay = Math.min(1000 * attempt, 15000)
+      const detail = is409
+        ? `409 Conflict${attempt === 1 ? ' — another instance is polling (zombie session, or a second Claude Code running?)' : ''}`
+        : `polling error: ${err}`
+      process.stderr.write(`telegram channel: ${detail}, retrying in ${delay / 1000}s\n`)
+      await new Promise(r => setTimeout(r, delay))
     }
   }
 })()

plugins/mcp-server-dev/skills/build-mcp-app/SKILL.md

@@ -10,6 +10,20 @@ An MCP app is a standard MCP server that **also serves UI resources** — intera
 
 The UI layer is **additive**. Under the hood it's still tools, resources, and the same wire protocol. If you haven't built a plain MCP server before, the `build-mcp-server` skill covers the base layer. This skill adds widgets on top.
 
+> **Testing in Claude:** Add the server as a custom connector in claude.ai (via a Cloudflare tunnel for local dev) — this exercises the real iframe sandbox and `hostContext`. See https://claude.com/docs/connectors/building/testing.
+
+## Claude host specifics
+
+| `_meta.ui.*` key | Where | Effect |
+|---|---|---|
+| `resourceUri` | tool | Which `ui://` resource the host renders for this tool's results. |
+| `visibility: ["app"]` | tool | Hide a widget-only helper tool (e.g. geometry/image fetcher called via `callServerTool`) from Claude's tool list. |
+| `prefersBorder: false` | resource | Drop the host's outer card border (mobile). |
+| `csp.{connectDomains, resourceDomains, baseUriDomains}` | resource | Declare external origins; default is block-all. `frameDomains` is currently restricted in Claude. |
+
+- `hostContext.safeAreaInsets: {top, right, bottom, left}` (px) — honor these for notches and the composer overlay.
+- Directory submission requires OAuth or **authless** (`none`) — static bearer is private-deploy only and blocks listing — plus tool `annotations` and 3–5 PNG screenshots; see `references/directory-checklist.md`.
+
 ---
 
 ## When a widget beats plain text
@@ -95,6 +109,7 @@ const server = new McpServer({ name: "contacts", version: "1.0.0" });
 // 1. The tool — returns DATA, declares which UI to show
 registerAppTool(server, "pick_contact", {
   description: "Open an interactive contact picker",
+  annotations: { title: "Pick Contact", readOnlyHint: true },
   inputSchema: { filter: z.string().optional() },
   _meta: { ui: { resourceUri: "ui://widgets/contact-picker.html" } },
 }, async ({ filter }) => {
@@ -163,7 +178,10 @@ The `/*__EXT_APPS_BUNDLE__*/` placeholder gets replaced by the server at startup
 | `app.updateModelContext({...})` | Widget → host | Update context silently (no visible message) |
 | `app.callServerTool({name, arguments})` | Widget → server | Call another tool on your server |
 | `app.openLink({url})` | Widget → host | Open a URL in a new tab (sandbox blocks `window.open`) |
-| `app.getHostContext()` / `app.onhostcontextchanged` | Host → widget | Theme (`light`/`dark`), locale, etc. |
+| `app.getHostContext()` / `app.onhostcontextchanged` | Host → widget | Theme, host CSS vars, `containerDimensions`, `displayMode`, `deviceCapabilities` |
+| `app.requestDisplayMode({mode})` | Widget → host | Ask for `inline` / `pip` / `fullscreen` |
+| `app.downloadFile({name, mimeType, content})` | Widget → host | Host-mediated download (base64 content) |
+| `new App(info, caps, {autoResize: true})` | — | Iframe height tracks rendered content |
 
 `sendMessage` is the typical "user picked something, tell Claude" path. `updateModelContext` is for state that Claude should know about but shouldn't clutter the chat. `openLink` is **required** for any outbound navigation — `window.open` and `<a target="_blank">` are blocked by the sandbox attribute.
 
@@ -216,6 +234,7 @@ const pickerHtml = readFileSync("./widgets/picker.html", "utf8")
 
 registerAppTool(server, "pick_contact", {
   description: "Open an interactive contact picker. User selects one contact.",
+  annotations: { title: "Pick Contact", readOnlyHint: true },
   inputSchema: { filter: z.string().optional().describe("Name/email prefix filter") },
   _meta: { ui: { resourceUri: "ui://widgets/picker.html" } },
 }, async ({ filter }) => {
@@ -339,6 +358,24 @@ Desktop caches UI resources aggressively. After editing widget HTML, **fully qui
 
 The `sleep` keeps stdin open long enough to collect all responses. Parse the jsonl output with `jq` or a Python one-liner.
 
+**Widget dev loop** — avoid the ⌘Q-relaunch cycle entirely by serving the inlined widget HTML at a plain GET route with a fake `ExtApps` shim that fires `ontoolresult` from a query param:
+
+```ts
+app.get("/widget-preview", (_req, res) => {
+  const shim = `globalThis.ExtApps={applyHostStyleVariables:()=>{},App:class{
+    constructor(){this.h={}} ontoolresult;onhostcontextchanged;
+    async connect(){const p=new URLSearchParams(location.search).get("payload");
+      if(p)this.ontoolresult?.({content:[{type:"text",text:p}]});}
+    getHostContext(){return{theme:"light"}}
+    sendMessage(m){console.log("sendMessage",m)} updateModelContext(){}
+    callServerTool(){return Promise.resolve({content:[]})} openLink(){} downloadFile(){}
+  }};`;
+  res.type("html").send(widgetHtml.replace("/*__EXT_APPS_BUNDLE__*/", shim));
+});
+```
+
+Open `http://localhost:3000/widget-preview?payload={"rows":[...]}` in a normal browser tab and iterate with ordinary devtools.
+
 **Host fallback** — use a host without the apps surface (or MCP Inspector) and confirm the tool's text content degrades gracefully.
 
 **CSP debugging** — open the iframe's own devtools console. CSP violations are the #1 reason widgets silently fail (blank rectangle, no error in the main console). See `references/iframe-sandbox.md`.
@@ -347,6 +384,9 @@ The `sleep` keeps stdin open long enough to collect all responses. Parse the jso
 
 ## Reference files
 
-- `references/iframe-sandbox.md` — CSP/sandbox constraints, the bundle-inlining pattern, image handling
+- `references/iframe-sandbox.md` — CSP/sandbox constraints, the bundle-inlining pattern, image handling, host theming
 - `references/widget-templates.md` — reusable HTML scaffolds for picker / confirm / progress / display
-- `references/apps-sdk-messages.md` — the `App` class API: widget ↔ host ↔ server messaging
+- `references/apps-sdk-messages.md` — the `App` class API: widget ↔ host ↔ server messaging, lifecycle & supersession
+- `references/payload-budgeting.md` — host tool-result size caps, prune-then-truncate, heavy assets via `callServerTool`
+- `references/abuse-protection.md` — Anthropic egress CIDRs, tiered rate limiting, `trust proxy`, response caching
+- `references/directory-checklist.md` — pre-flight for connector-directory submission

plugins/mcp-server-dev/skills/build-mcp-app/references/abuse-protection.md

@@ -0,0 +1,60 @@
+# Abuse protection for authless hosted servers
+
+An authless StreamableHTTP server is reachable by anything on the internet.
+There are three resources to protect: your compute, any upstream API quota
+your tools consume, and egress bandwidth for large `callServerTool` payloads.
+
+## You don't get a per-user identity
+
+In authless mode there is no token and stateless transport gives no session
+ID. Traffic from claude.ai is proxied through Anthropic's egress — every web
+user arrives from the same small set of IPs:
+
+```
+160.79.104.0/21
+2607:6bc0::/48
+```
+
+(See https://platform.claude.com/docs/en/api/ip-addresses.)
+
+Claude Desktop, Claude Code, and other hosts connect **directly from the
+user's machine**, so those *do* have distinct per-user IPs. Per-IP limiting
+therefore works for direct-connect clients; for claude.ai you can only limit
+the aggregate Anthropic pool. If true per-user limits matter, that's the
+trigger to add OAuth.
+
+## Tiered token-bucket (per-replica backstop)
+
+```ts
+const ANTHROPIC_CIDRS = ["160.79.104.0/21", "2607:6bc0::/48"];
+const TIERS = {
+  anthropic: { capacity: 600, refillPerSec: 100 }, // shared pool
+  other:     { capacity: 30,  refillPerSec: 2   }, // per-IP
+};
+```
+
+Match `req.ip` against the CIDRs, pick a bucket (`"anthropic"` or
+`"ip:<addr>"`), 429 + `Retry-After` on exhaust. This is a per-replica
+backstop — cross-replica enforcement belongs at the edge (Cloudflare, Cloud
+Armor), which keeps the containers stateless.
+
+## `trust proxy` must match your topology
+
+`req.ip` only honours `X-Forwarded-For` if `app.set('trust proxy', N)` is
+set. `true` trusts every hop, which lets a direct client send
+`X-Forwarded-For: 160.79.108.42` and claim the Anthropic tier. Set it to the
+exact number of trusted hops (e.g. `1` behind a single LB, `2` behind
+Cloudflare → origin LB) and **never `true` in production**.
+
+## Hard-allowlisting Anthropic IPs is a product decision
+
+Blocking everything outside `160.79.104.0/21` locks out Desktop, Claude Code,
+and every other MCP host. Use the CIDRs to **tier** rate limits, not to gate
+access, unless claude.ai-only is an explicit goal.
+
+## Cache upstream responses
+
+For tools that wrap a third-party API, an in-process LRU keyed on the
+normalized query (TTL hours, no secrets in the key) is the primary cost
+control — repeat queries become free and absorb thundering-herd. Rate limits
+are the safety net, not the first line.

plugins/mcp-server-dev/skills/build-mcp-app/references/apps-sdk-messages.md

@@ -2,6 +2,18 @@
 
 The `@modelcontextprotocol/ext-apps` package provides the `App` class (browser side) and `registerAppTool`/`registerAppResource` helpers (server side). Messaging is bidirectional and persistent.
 
+## Construction
+
+```js
+const app = new App(
+  { name: "MyWidget", version: "1.0.0" },
+  {},                       // capabilities
+  { autoResize: true },     // options
+);
+```
+
+`autoResize: true` wires a `ResizeObserver` that emits `ui/notifications/size-changed` so the host iframe height tracks your rendered content. Without it the frame is fixed-height and tall renders get clipped — set it for any widget whose height depends on data.
+
 ---
 
 ## Widget → Host
@@ -63,6 +75,26 @@ card.querySelector("a").addEventListener("click", (e) => {
 
 Host-mediated download (sandbox blocks direct `<a download>`). `content` is a base64 string.
 
+```js
+const csv = rows.map((r) => Object.values(r).join(",")).join("\n");
+app.downloadFile({
+  name: "export.csv",
+  mimeType: "text/csv",
+  content: btoa(unescape(encodeURIComponent(csv))),
+});
+```
+
+### `app.requestDisplayMode({ mode })`
+
+Ask the host to switch the widget between `"inline"`, `"pip"`, or `"fullscreen"`. Check `getHostContext().availableDisplayModes` first; hide the control if the mode isn't offered. The host responds by firing `onhostcontextchanged` with new `displayMode` and `containerDimensions` — re-render at the new size.
+
+```js
+if (app.getHostContext()?.availableDisplayModes?.includes("fullscreen")) {
+  expandBtn.hidden = false;
+  expandBtn.onclick = () => app.requestDisplayMode({ mode: "fullscreen" });
+}
+```
+
 ---
 
 ## Host → Widget
@@ -84,9 +116,22 @@ app.ontoolresult = ({ content }) => {
 
 Fires with the arguments Claude passed to the tool. Useful if the widget needs to know what was asked for (e.g., highlight the search term).
 
+### `app.ontoolinputpartial = ({ arguments }) => {...}` / `app.ontoolcancelled = () => {...}`
+
+`ontoolinputpartial` fires while Claude is still streaming arguments — use it to show a skeleton ("Preparing: <title>…") before the result lands. `ontoolcancelled` fires if the call is aborted; clear the skeleton.
+
 ### `app.getHostContext()` / `app.onhostcontextchanged = (ctx) => {...}`
 
-Read and subscribe to host context — `theme` (`"light"` / `"dark"`), locale, etc. Call `getHostContext()` **after** `connect()`. Subscribe for live updates (user toggles dark mode mid-conversation).
+Read and subscribe to host context. Call `getHostContext()` **after** `connect()`. Subscribe for live updates (user toggles dark mode, expands to fullscreen).
+
+| `ctx.` field | Use |
+|---|---|
+| `theme` | `"light"` / `"dark"` — toggle a `.dark` class |
+| `styles.variables` | Host CSS tokens — pass to `applyHostStyleVariables()` so colors/fonts match host chrome |
+| `displayMode` / `availableDisplayModes` | Current mode and which `requestDisplayMode` targets are valid |
+| `containerDimensions.{maxHeight,width}` | Size your render to this instead of hard-coded px |
+| `deviceCapabilities.touch` | Switch hover-only affordances to tap (`pointerdown`) |
+| `safeAreaInsets` | Padding for notches / composer overlay |
 
 ```js
 const applyTheme = (t) =>
@@ -129,14 +174,36 @@ No `{ notify }` destructure — `extra` is `RequestHandlerExtra`; progress goes
 ## Lifecycle
 
 1. Claude calls a tool with `_meta.ui.resourceUri` declared
-2. Host fetches the resource (your HTML) and renders it in an iframe
+2. Host fetches the resource (your HTML) and mounts a **fresh iframe** for this call
 3. Widget script runs, sets handlers, calls `await app.connect()`
 4. Host pipes the tool's return value → `ontoolresult` fires
 5. Widget renders, user interacts
 6. Widget calls `sendMessage` / `updateModelContext` / `callServerTool` as needed
-7. Widget persists until conversation context moves on — subsequent calls to the same tool reuse the iframe and fire `ontoolresult` again
+7. Iframe persists in the transcript; **the next call to the same tool mounts another iframe** alongside it
 
-There's no explicit "submit and close" — the widget is a long-lived surface.
+There's no explicit "submit and close" — each instance is long-lived, but instances are not reused across calls.
+
+### Supersession
+
+Because earlier instances stay mounted, a click on a stale widget can `sendMessage` after a newer one has rendered. Detect this with a `BroadcastChannel` and make older instances inert:
+
+```js
+let superseded = false;
+const seq = Date.now() + Math.random();
+const bc = new BroadcastChannel("my-widget");
+bc.onmessage = (e) => {
+  if (e.data?.seq > seq) {
+    superseded = true;
+    document.body.classList.add("superseded"); // opacity:.45; pointer-events:none
+  }
+};
+bc.postMessage({ seq });
+
+// Guard outbound calls:
+function safeSend(msg) {
+  if (!superseded) app.sendMessage(msg);
+}
+```
 
 ---
 

plugins/mcp-server-dev/skills/build-mcp-app/references/directory-checklist.md

@@ -0,0 +1,18 @@
+# Connector-directory submission checklist
+
+Pre-flight before submitting a remote MCP app to the Claude connector
+directory. Each item is a hard review criterion.
+
+| Area | Requirement |
+|---|---|
+| **Auth** | OAuth (DCR or CIMD) or **`none`** (authless). Static bearer tokens are private-deploy only and block listing. Authless is valid for public-data servers — the server holds any upstream API keys. |
+| **Tool annotations** | Every tool sets `annotations.title` plus the relevant hints: `readOnlyHint: true` for fetch/search tools, `destructiveHint` / `idempotentHint` for writes, `openWorldHint: true` if the tool reaches an external system. |
+| **Tool names** | ≤ 64 characters, snake/kebab case. |
+| **Widget layout** | Inline height ≤ 500px, no nested scroll containers, 44pt minimum touch targets, WCAG-AA contrast in both themes. |
+| **Theming** | `html, body { background: transparent }`, `<meta name="color-scheme" content="light dark">`, adopt host CSS tokens via `applyHostStyleVariables`. |
+| **External links** | Use `app.openLink`. Declare each origin (e.g. `https://api.example.com`) in the connector's *Allowed link URIs* so the link skips the confirm modal. |
+| **Helper tools** | Widget-only tools (geometry/image fetchers) carry `_meta.ui.visibility: ["app"]` so they don't appear in Claude's tool list. |
+| **Screenshots** | 3–5 PNGs, ≥ 1000px wide, cropped to the app response only — no prompt text in frame. |
+
+See `abuse-protection.md` for rate-limit and IP-tiering guidance once the
+authless endpoint is public.

plugins/mcp-server-dev/skills/build-mcp-app/references/iframe-sandbox.md

@@ -122,23 +122,38 @@ that survives un-inlined.
 
 ---
 
-## Dark mode
+## Theme & host styles
 
-```js
-const applyTheme = (theme) =>
-  document.documentElement.classList.toggle("dark", theme === "dark");
+The host renders the iframe inside its own card chrome — paint a **transparent** background and adopt host CSS tokens so the widget blends in across light/dark and across hosts.
 
-app.onhostcontextchanged = (ctx) => applyTheme(ctx.theme);
-await app.connect();
-applyTheme(app.getHostContext()?.theme);
+```html
+<meta name="color-scheme" content="light dark" />
 ```
 
 ```css
-:root { --ink:#0f1111; --bg:#fff; color-scheme:light; }
-:root.dark { --ink:#e6e6e6; --bg:#1f2428; color-scheme:dark; }
+:root {
+  --ink:  var(--color-text-primary,   #0f1111);
+  --sub:  var(--color-text-secondary, #5a6270);
+  --line: var(--color-border-default, #e3e6ea);
+}
+html, body { background: transparent; color: var(--ink); }
 :root.dark .thumb { mix-blend-mode: normal; } /* multiply → images vanish in dark */
 ```
 
+```js
+const { App, applyHostStyleVariables } = globalThis.ExtApps;
+
+function applyHostContext(ctx) {
+  document.documentElement.classList.toggle("dark", ctx?.theme === "dark");
+  if (ctx?.styles?.variables) applyHostStyleVariables(ctx.styles.variables);
+}
+app.onhostcontextchanged = applyHostContext;
+await app.connect();
+applyHostContext(app.getHostContext());
+```
+
+`applyHostStyleVariables` writes the host's `--color-*` / `--font-*` / `--border-radius-*` tokens onto `:root`; the hex values above are fallbacks for hosts that don't supply them.
+
 ---
 
 ## Debugging

plugins/mcp-server-dev/skills/build-mcp-app/references/payload-budgeting.md

@@ -0,0 +1,54 @@
+# Payload budgeting
+
+Hosts cap tool-result text. claude.ai and Claude Desktop truncate at roughly
+**150,000 characters**; Claude Code at ~25k tokens. When a tool result exceeds
+the cap, the host substitutes a file-pointer string in place of your JSON. The
+widget then receives non-JSON in `ontoolresult`, `JSON.parse` throws, and the
+user sees something like *"Bad payload: SyntaxError: Unexpected token 'E'"* —
+with no hint that size was the cause.
+
+## Symptom → cause
+
+| Symptom | Likely cause |
+|---|---|
+| Widget shows a JSON parse error on `content[0].text` | Result over the host cap; host swapped in a file-pointer string |
+| Works for one query, breaks for "all of X" | Row count × column count crossed the cap |
+| Works in MCP Inspector, breaks in Desktop | Inspector has no cap; Desktop does |
+
+## Strategy
+
+Cap your own payload at ~130KB and degrade in order:
+
+1. **Ship full rows** when `JSON.stringify(rows).length` is under the cap.
+2. **Prune columns** to those the rendering spec actually references. Walk the
+   spec for both `field: "..."` keys *and* `datum.X` / `datum['X']` inside
+   expression strings — if the spec aliases a column via a `calculate`
+   transform, the alias appears as `field:` but the source column only appears
+   as `datum.X`, and dropping it leaves the widget with NaN.
+3. **Truncate rows** as a last resort and include `{ truncated: N }` in the
+   payload so the widget can label it.
+
+```ts
+const MAX = 130_000;
+let out = rows;
+if (JSON.stringify(out).length > MAX) {
+  const keep = referencedFields(spec); // field: + datum.X refs
+  out = rows.map((r) => pick(r, keep));
+  if (JSON.stringify(out).length > MAX) {
+    const per = JSON.stringify(out[0] ?? {}).length || 1;
+    out = out.slice(0, Math.floor(MAX / per));
+  }
+}
+```
+
+## Heavy assets go via `callServerTool`, not the result
+
+Geometry, image bytes, or any blob the widget needs but Claude doesn't should
+be served by a separate tool the widget calls after mount:
+
+```js
+const topo = await app.callServerTool({ name: "get-topojson", arguments: { level } });
+```
+
+Mark that helper tool with `_meta.ui.visibility: ["app"]` so it doesn't appear
+in Claude's tool list.

plugins/mcp-server-dev/skills/build-mcp-server/SKILL.md

@@ -8,6 +8,8 @@ version: 0.1.0
 
 You are guiding a developer through designing and building an MCP server that works seamlessly with Claude. MCP servers come in many forms — picking the wrong shape early causes painful rewrites later. Your first job is **discovery, not code**.
 
+**Load Claude-specific context first.** The MCP spec is generic; Claude has additional auth types, review criteria, and limits. Before answering questions or scaffolding, fetch `https://claude.com/docs/llms-full.txt` (the full export of the Claude connector docs) so your guidance reflects Claude's actual constraints.
+
 Do not start scaffolding until you have answers to the questions in Phase 1. If the user's opening message already answers them, acknowledge that and skip straight to the recommendation.
 
 ---
@@ -182,6 +184,17 @@ Tools are one of three server primitives. Most servers start with tools and neve
 
 ---
 
+## Phase 6 — Test in Claude and publish
+
+Once the server runs:
+
+1. **Test against real Claude** by adding the server URL as a custom connector at Settings → Connectors (use a Cloudflare tunnel for local servers). Claude identifies itself with `clientInfo.name: "claude-ai"` on initialize. → https://claude.com/docs/connectors/building/testing
+2. **Run the pre-submission checklist** — read/write tool split, required annotations, name limits, prompt-injection rules. → https://claude.com/docs/connectors/building/review-criteria
+3. **Submit to the Anthropic Directory.** → https://claude.com/docs/connectors/building/submission
+4. **Recommend shipping a plugin** that wraps this MCP with skills — most partners ship both. → https://claude.com/docs/connectors/building/what-to-build
+
+---
+
 ## Quick reference: decision matrix
 
 | Scenario | Deployment | Tool pattern |

plugins/mcp-server-dev/skills/build-mcp-server/references/auth.md

@@ -2,6 +2,22 @@
 
 Auth is the reason most people end up needing a **remote** server even when a local one would be simpler. OAuth redirects, token storage, and refresh all work cleanly when there's a real hosted endpoint to redirect back to.
 
+## Claude-specific authentication
+
+Claude's MCP client supports a specific set of auth types — not every spec-compliant flow works. Full reference: https://claude.com/docs/connectors/building/authentication
+
+| Type | Notes |
+|---|---|
+| `oauth_dcr` | Supported. For high-volume directory entries, prefer CIMD or Anthropic-held creds — DCR registers a new client on every fresh connection. |
+| `oauth_cimd` | Supported, recommended over DCR for directory entries. |
+| `oauth_anthropic_creds` | Partner provides `client_id`/`client_secret` to Anthropic; user-consent-gated. Contact `mcp-review@anthropic.com`. |
+| `custom_connection` | User supplies URL/creds at connect time (Snowflake-style). Contact `mcp-review@anthropic.com`. |
+| `none` | Authless. |
+
+**Not supported:** user-pasted bearer tokens (`static_bearer`); pure machine-to-machine `client_credentials` grant without user consent.
+
+**Callback URL** (single, all surfaces): `https://claude.ai/api/mcp/auth_callback`
+
 ---
 
 ## The three tiers

plugins/mcp-server-dev/skills/build-mcp-server/references/tool-design.md

@@ -2,6 +2,16 @@
 
 Tool schemas and descriptions are prompt engineering. They land directly in Claude's context and determine whether Claude picks the right tool with the right arguments. Most MCP integration bugs trace back to vague descriptions or loose schemas.
 
+## Anthropic Directory hard requirements
+
+If this server will be submitted to the Anthropic Directory, the following are pass/fail review criteria (full list: https://claude.com/docs/connectors/building/review-criteria):
+
+- Every tool **must** include `readOnlyHint`, `destructiveHint`, and `title` annotations — these determine auto-permissions in Claude.
+- Tool names **must** be ≤64 characters.
+- Read and write operations **must** be in separate tools. A single tool accepting both GET and POST/PUT/PATCH/DELETE is rejected — documenting safe vs unsafe within one tool's description does not satisfy this.
+- Tool descriptions **must not** instruct Claude how to behave (e.g. "always do X", "you must call Y first", overriding system instructions, promoting products) — treated as prompt injection at review.
+- Tools that accept freeform API endpoints/params **must** reference the target API's documentation in their description.
+
 ---
 
 ## Descriptions

plugins/mcp-server-dev/skills/build-mcpb/SKILL.md

@@ -8,6 +8,8 @@ version: 0.1.0
 
 MCPB is a local MCP server **packaged with its runtime**. The user installs one file; it runs without needing Node, Python, or any toolchain on their machine. It's the sanctioned way to distribute local MCP servers.
 
+> MCPB is the **secondary** distribution path. Anthropic recommends remote MCP servers for directory listing — see https://claude.com/docs/connectors/building/what-to-build.
+
 **Use MCPB when the server must run on the user's machine** — reading local files, driving a desktop app, talking to localhost services, OS-level APIs. If your server only hits cloud APIs, you almost certainly want a remote HTTP server instead (see `build-mcp-server`). Don't pay the MCPB packaging tax for something that could be a URL.
 
 ---