From 72edf988cfa0364269ca8a8a704d4ec7e206abd7 Mon Sep 17 00:00:00 2001
From: Andy Dunn
Date: Tue, 26 May 2026 12:21:06 -0600
Subject: [PATCH] feat: bootstrap marketplace catalog, docs, and validation CI - .claude-plugin/marketplace.json: catalog "rampstack" listing three curated subset plugins (rampstack-starter, rampstack-seo, rampstack-pm) via github sources pointed at their respective repos - README.md: install instructions, plugin table with verified skill counts, trust note distinguishing the install payload from the author-time social-card tool, and links to the source catalog - SECURITY.md: scoped to the marketplace manifest and docs, with redirects to skill content and per-plugin repos for out-of-scope reports - .github/workflows/validate-manifests.yml: runs claude plugin validate on push and pull_request so an invalid manifest fails CI
---
 .claude-plugin/marketplace.json | 31 ++++++++++++ .github/workflows/validate-manifests.yml | 33 +++++++++++++ README.md | 49 ++++++++++++++++++- SECURITY.md | 62 ++++++++++++++++++++++++ 4 files changed, 173 insertions(+), 2 deletions(-) create mode 100644 .claude-plugin/marketplace.json create mode 100644 .github/workflows/validate-manifests.yml create mode 100644 SECURITY.md
diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json
new file mode 100644
index 0000000..ccedd32
--- /dev/null
+++ b/.claude-plugin/marketplace.json
@@ -0,0 +1,31 @@
+{
+ "name": "rampstack",
+ "owner": {
+ "name": "RampStack",
+ "email": "security@rampstack.co"
+ },
+ "description": "Curated subsets of the RampStack Claude Skills catalog, installable as Claude Code plugins.",
+ "plugins": [
+ {
+ "name": "rampstack-starter",
+ "source": { "source": "github", "repo": "rampstackco/claude-skills-starter" },
+ "description": "Curated starter subset of the RampStack catalog: a general-purpose skill set for the website lifecycle.",
+ "category": "web-development",
+ "keywords": ["agent-skills", "claude-skills", "starter", "web-development"]
+ },
+ {
+ "name": "rampstack-seo",
+ "source": { "source": "github", "repo": "rampstackco/claude-skills-seo" },
+ "description": "Focused SEO skills: keyword research, on-page and technical audits, AI-search optimization, traffic diagnosis, site-health triage, competitor and content audits, and programmatic SEO, with content companions. Some skills (deep-audit workflows) assume the Ahrefs MCP is connected.",
+ "category": "seo",
+ "keywords": ["agent-skills", "claude-skills", "seo", "aeo", "geo"]
+ },
+ {
+ "name": "rampstack-pm",
+ "source": { "source": "github", "repo": "rampstackco/claude-skills-pm" },
+ "description": "Focused product management skills across the lifecycle: discovery, roadmaps and OKRs, PRDs, stakeholder communication, launch and beta programs, and measurement.",
+ "category": "product-management",
+ "keywords": ["agent-skills", "claude-skills", "product-management", "experimentation"]
+ }
+ ]
+}
diff --git a/.github/workflows/validate-manifests.yml b/.github/workflows/validate-manifests.yml
new file mode 100644
index 0000000..01c3684
--- /dev/null
+++ b/.github/workflows/validate-manifests.yml
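Review bot: Each plugin `source` names only a GitHub repository, with no tag or commit, so every install resolves to whatever the default branch of `rampstackco/claude-skills-starter`, `-seo` or `-pm` holds at that moment; the README's trust statement that the payload is skill files only is therefore a claim about the upstream repos, not something this manifest enforces. If the schema that `claude plugin validate` accepts supports pinning a github source to a tag or commit, pin each of the three entries and bump them deliberately; if it does not, the README should say plainly that plugin content is fetched unpinned from the source repos at install time. The entries also carry no `version`, so the per-plugin skill counts the README states (14/12/12) have nothing in the manifest to be checked against and will drift silently as the upstream repos change.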
@@ -0,0 +1,33 @@
+name: Validate marketplace manifest
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ validate:
+ name: claude plugin validate
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@v6
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version: "20"
+
+ - name: Install Claude Code CLI
+ run: npm install -g @anthropic-ai/claude-code
+
+ - name: Show Claude Code version
+ run: claude --version
+
+ - name: Validate marketplace manifest
+ run: claude plugin validate .
diff --git a/README.md b/README.md
index babc7b3..b4a18b5 100644
--- a/README.md
+++ b/README.md
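Review bot: Every dependency of this gate is floating: `actions/checkout@v6` and `actions/setup-node@v6` are mutable tags, and `npm install -g @anthropic-ai/claude-code` installs whatever version npm serves at run time, so the job that is meant to catch a tampered or malformed manifest is itself assembled from unpinned inputs, and a red run may mean the CLI changed rather than the manifest broke. Pin the two actions to full commit SHAs with the tag kept in a trailing comment, `uses: actions/checkout@<commit-sha> # v6`, and pin the CLI to an explicit version, `run: npm install -g @anthropic-ai/claude-code@<version>`, updating both on purpose rather than by drift. The `permissions: contents: read` block is the right floor for a workflow triggered by pull_request and should stay as written; the `claude --version` step is worth keeping since it makes the CLI version visible in the log when a validation failure needs triage.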
@@ -1,5 +1,50 @@
 # RampStack plugins
-Claude Code plugin marketplace for the RampStack skill catalog.
+The Claude Code plugin marketplace for the [RampStack](https://github.com/rampstackco/claude-skills) skill catalog. One place to add, then install any of the curated RampStack skill plugins.
-Full README and marketplace catalog land in the next commit.
+## Install
+
+Add this marketplace once, then install whichever subset you want:
+
+```
+/plugin marketplace add rampstackco/plugins
+/plugin install rampstack-starter@rampstack
+```
+
+The other two plugins install the same way:
+
+```
+/plugin install rampstack-seo@rampstack
+/plugin install rampstack-pm@rampstack
+```
+
+## Plugins
+
+| Plugin | What it covers | Skills | Source repo |
+|---|---|---|---|
+| `rampstack-starter` | A general-purpose subset across the website lifecycle: code review, QA, performance, frontend, design, content, SEO, conversion, and product specs | 14 | [rampstackco/claude-skills-starter](https://github.com/rampstackco/claude-skills-starter) |
+| `rampstack-seo` | SEO operations: keyword research, on-page and technical audits, AI-search optimization, traffic diagnosis, site-health triage, competitor and content audits, programmatic SEO, plus content companions | 12 | [rampstackco/claude-skills-seo](https://github.com/rampstackco/claude-skills-seo) |
+| `rampstack-pm` | Product management across the lifecycle: discovery, roadmaps and OKRs, PRDs, stakeholder communication, launches, beta programs, and measurement | 12 | [rampstackco/claude-skills-pm](https://github.com/rampstackco/claude-skills-pm) |
+
+The `rampstack-seo` plugin includes a handful of skills that assume the Ahrefs MCP for the deep-audit workflows. The rest of the SEO skills work without it.
+
+## Trust
+
+The plugins listed here install skill files only. A skill is a markdown `SKILL.md` plus its reference material. 
Installing one of these plugins copies that content into your Claude Code plugin cache so Claude can read it. The plugin payload does not include or run executable code, hooks, or MCP servers.
+
+The plugin source repos do contain an author-time social-card generation script under `tools/` with a Playwright dev dependency. That script is run manually by the maintainers to regenerate the GitHub social preview image, is not packaged into the plugin, and does not run on install.
+
+## Catalog
+
+This marketplace lists curated subsets. The full RampStack skill catalog (101 skills, the source of truth for all skill content) lives at [rampstackco/claude-skills](https://github.com/rampstackco/claude-skills). The starter, SEO, and PM plugins are subsets of that catalog with no modifications to skill content.
+
+## Related repos
+
+- [claude-skills](https://github.com/rampstackco/claude-skills): the full catalog.
+- [claude-skills-starter](https://github.com/rampstackco/claude-skills-starter): the starter plugin source.
+- [claude-skills-seo](https://github.com/rampstackco/claude-skills-seo): the SEO plugin source.
+- [claude-skills-pm](https://github.com/rampstackco/claude-skills-pm): the PM plugin source.
+
+## License
+
+MIT. See [LICENSE](LICENSE).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..787ebf0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,62 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you discover a security vulnerability in this repository, please report it privately. Do **not** open a public GitHub issue.
+
+### Preferred: GitHub Security Advisories
+
+The fastest way to report is via GitHub's private vulnerability reporting:
+
+1. Go to the [Security tab](https://github.com/rampstackco/plugins/security) of this repository
+2. Click **Report a vulnerability**
+3. Fill out the form with as much detail as possible
+
+This keeps the report confidential while we investigate.
+
+### Alternate: email
+
+You can also email the security team directly at **security@rampstack.co**.
+
+When reporting, please include:
+
+- A description of the vulnerability
+- Steps to reproduce
+- The potential impact
+- Any suggested mitigation, if you have one
+- Whether you would like public credit when the fix ships
+
+## What to expect
+
+- **Acknowledgment** within 3 business days
+- **Initial assessment** within 7 business days, including a severity classification
+- **Status updates** every 7 days while the fix is in progress
+- **Public disclosure** coordinated with the reporter once a fix is available
+
+## Scope
+
+This repository is a Claude Code plugin marketplace. The only files it ships are the marketplace manifest (`.claude-plugin/marketplace.json`), the marketplace documentation, and the validation workflow. The most likely security concerns here are:
+
+- **Marketplace manifest tampering** that would redirect a plugin source to an unintended repository
+- **Misleading documentation** that could lead a user to install an unintended plugin or marketplace
+- **CI workflow vulnerabilities** in the manifest validation pipeline
+
+## Out of scope
+
+The following are not security vulnerabilities for this repository:
+
+- Issues with the skill content itself. 
Skill content lives in the source catalog at [rampstackco/claude-skills](https://github.com/rampstackco/claude-skills); report those there.
+- Issues with an individual plugin's source repository. Report those to the corresponding plugin repo: [claude-skills-starter](https://github.com/rampstackco/claude-skills-starter), [claude-skills-seo](https://github.com/rampstackco/claude-skills-seo), or [claude-skills-pm](https://github.com/rampstackco/claude-skills-pm).
+- Issues with how Claude itself handles plugins. Report those to [Anthropic](https://www.anthropic.com/security).
+- Issues with third-party tools recommended in any skill (Ahrefs MCP, GitHub MCP, etc.). Report those to the respective vendors.
+- General feedback or suggestions on plugin packaging. Use [Issues](https://github.com/rampstackco/plugins/issues) for those.
+
+## Hall of fame
+
+We thank security researchers who responsibly disclose vulnerabilities. With permission, we will list contributors who help keep this repository safe in this section.
+
+_No reports yet._
+
+---
+
+Thank you for helping keep this project and its users safe.