Compare commits

4 Commits

Author SHA1 Message Date
jportner
693d467cb3 Pin GitHub Actions to commit SHAs 2026-05-07 19:30:08 +00:00
Tobin South
95cc50d132 Adopt validate-plugins action suite; pin all external SHAs (#1762)
* Adopt validate-plugins action suite; pin all external SHAs

Replaces the hand-rolled marketplace validator and bot-based bump
workflow with the shared composite actions (pinned at f846a0b).

marketplace.json:
- 62 external entries that were missing a `sha` are now pinned to
  their current upstream HEAD (resolved via git ls-remote).

Workflows:
- validate-plugins.yml: invariants I1-I11 + claude plugin validate +
  diff-gated clone-at-SHA validation of changed external entries.
  SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15
  known data issues (vendored dirs without manifests; one dotted
  name) are cleaned up.
- bump-plugin-shas.yml: bot-free weekly refresh. Validates each new
  SHA with claude plugin validate before opening one PR; works with
  the default GITHUB_TOKEN (contents:write + pull-requests:write).
- scan-plugins.yml: Claude policy scan of changed external entries.
  Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.

Removed:
- validate-marketplace.yml + the two TS helper scripts (superseded
  by step 11/20 of validate-plugins).

validate-frontmatter.yml is kept — it's complementary (targeted
checks on agent/skill/command files for in-repo plugins).

* Remove 5 external entries that fail validation at HEAD

Step 30 (clone at pinned SHA + claude plugin validate) fails for
these at their current HEAD:

  aiven                   Unrecognized key "logo" in plugin.json
  atlassian-forge-skills  skill YAML frontmatter parse error
  sagemaker-ai            skill YAML frontmatter parse error
  speakai                 no plugin manifest at repo root
  stagehand               no plugin manifest at repo root

These can be re-added once the upstream repos are fixed.

* Wire scan-plugins to the detailed policy prompt

Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.

With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.

* Bump scan-plugins action pin to include L11/L12 fixes
2026-05-07 14:18:52 -05:00
Bryan Thompson
c51f5c1513 Bump zapier plugin SHA to f34a785 (#1753) 2026-05-07 19:53:08 +01:00
Bryan Thompson
9e1dad648d Update twilio-developer-kit plugin — refresh SHA, simplify entry (#1757)
approved
2026-05-07 19:52:44 +01:00
2 changed files with 3 additions and 52 deletions

@@ -1937,57 +1937,8 @@
"source": {
"source": "url",
"url": "https://github.com/twilio/ai.git",
"sha": "137c4679855d31115a8509b93a3887b8bb317da9"
"sha": "0713fb1f40b5e871cad4c1c99f603c812431692a"
},
"strict": false,
"skills": [
"./skills/sendgrid/twilio-sendgrid-account-setup",
"./skills/sendgrid/twilio-sendgrid-deliverability-advisor",
"./skills/sendgrid/twilio-sendgrid-email-send",
"./skills/sendgrid/twilio-sendgrid-email-settings",
"./skills/sendgrid/twilio-sendgrid-engagement-quality",
"./skills/sendgrid/twilio-sendgrid-inbound-parse",
"./skills/sendgrid/twilio-sendgrid-suppressions",
"./skills/sendgrid/twilio-sendgrid-webhooks",
"./skills/twilio/twilio-account-setup",
"./skills/twilio/twilio-call-recordings",
"./skills/twilio/twilio-cli-reference",
"./skills/twilio/twilio-compliance-onboarding",
"./skills/twilio/twilio-compliance-traffic",
"./skills/twilio/twilio-conference-calls",
"./skills/twilio/twilio-content-template-builder",
"./skills/twilio/twilio-conversations-classic-api",
"./skills/twilio/twilio-debugging-observability",
"./skills/twilio/twilio-email-deliverability-advisor",
"./skills/twilio/twilio-iam-auth-setup",
"./skills/twilio/twilio-identity-verification-advisor",
"./skills/twilio/twilio-lookup-phone-intelligence",
"./skills/twilio/twilio-marketing-promotions-advisor",
"./skills/twilio/twilio-messaging-channel-advisor",
"./skills/twilio/twilio-messaging-overview",
"./skills/twilio/twilio-messaging-services",
"./skills/twilio/twilio-messaging-webhooks",
"./skills/twilio/twilio-notifications-alerts-advisor",
"./skills/twilio/twilio-numbers-senders",
"./skills/twilio/twilio-organizations-setup",
"./skills/twilio/twilio-rcs-messaging",
"./skills/twilio/twilio-regulatory-compliance-bundles",
"./skills/twilio/twilio-reliability-patterns",
"./skills/twilio/twilio-security-api-auth",
"./skills/twilio/twilio-security-compliance-hipaa",
"./skills/twilio/twilio-security-hardening",
"./skills/twilio/twilio-send-message",
"./skills/twilio/twilio-sms-isv-setup",
"./skills/twilio/twilio-sms-send-message",
"./skills/twilio/twilio-taskrouter-routing",
"./skills/twilio/twilio-verify-send-otp",
"./skills/twilio/twilio-voice-conversation-relay",
"./skills/twilio/twilio-voice-outbound-calls",
"./skills/twilio/twilio-voice-twiml",
"./skills/twilio/twilio-webhook-architecture",
"./skills/twilio/twilio-whatsapp-manage-senders",
"./skills/twilio/twilio-whatsapp-send-message"
],
"homepage": "https://www.twilio.com"
},
{
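Review bot: dropping `"strict": false` together with the whole `skills` array (the hunk header shows 57 lines going to 8) means this entry no longer states what the plugin exposes; that now depends entirely on what https://github.com/twilio/ai.git ships at 0713fb1f. The commit message says only "refresh SHA, simplify entry", so please record in the PR that the repo at the new SHA carries a manifest that validates with `strict` back at its default, since other entries in this range were dropped for "no plugin manifest at repo root". The SHA refresh and the entry restructuring would also be easier to review and revert as two separate commits.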
@@ -2143,7 +2094,7 @@
"url": "https://github.com/zapier/zapier-mcp.git",
"path": "plugins/zapier",
"ref": "main",
"sha": "76c4669321847c8f72a6e0462c17f29fd437519a"
"sha": "f34a7854febed415c9ef766eec1c66529ef0668e"
},
"homepage": "https://github.com/zapier/zapier-mcp/tree/main/plugins/zapier"
},
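Review bot: `"ref": "main"` is kept next to the new `sha`, and nothing in the entry says which of the two wins once `main` has moved past f34a7854; the twilio entry in the same file carries a `sha` with no `ref`. If the SHA is authoritative, either drop `ref` here for consistency or document that it is only the branch the bump workflow tracks. The `homepage` URL also points at `tree/main`, so it will drift from the pinned content; that is fine for a landing link but worth a note for reviewers comparing the two.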

@@ -17,7 +17,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: oven-sh/setup-bun@v2
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 (sha-pinned)
- name: Install dependencies
run: cd .github/scripts && bun install yaml
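Review bot: `actions/checkout@v4` on the line just above is still a mutable tag, so this job is only partly pinned even though the commit is titled "Pin GitHub Actions to commit SHAs"; pin it to a full commit SHA with the version in a trailing comment, the same way as the setup-bun line. The following step's `bun install yaml` also resolves whatever version is current at run time, so consider pinning the package version or committing a lockfile under `.github/scripts`. The `# v2.2.0` comment should be checked against the tag the SHA actually belongs to, since nothing enforces that the comment and the SHA agree.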