return deleted files

Author: yanivt-jfrog

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "jfrog",
-  "description": "Use the JFrog Platform from Claude Code: Artifactory repos and artifacts, security findings and exposures, Catalog package safety and downloads, workflows across the SDLC, and platform administration. Includes governance for installing MCP servers exclusively via the JFrog MCP Gateway.",
+  "description": "Use the JFrog Platform from Claude Code: Artifactory repos and artifacts, security findings and exposures, Catalog package safety and downloads, workflows across the SDLC, and platform administration.",
   "version": "0.1.1",
   "author": {
     "name": "JFrog Ltd.",

.github/workflows/validate.yml

@@ -0,0 +1,24 @@
+# Copyright (c) JFrog Ltd. 2026
+# Licensed under the Apache License, Version 2.0
+# https://www.apache.org/licenses/LICENSE-2.0
+
+name: Validate plugin
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: "24"
+
+      - name: Validate plugin layout
+        run: node scripts/validate-claude-plugin.mjs

CONTRIBUTING.md

@@ -10,7 +10,13 @@ All contributors must sign the [JFrog CLA](https://jfrog.com/cla/) before contri
 
 1. **Fork** the repository and create a feature branch from `main`.
 2. Make your changes, ensuring they follow the existing code style and project conventions.
-3. Before a release or directory submission, run **`claude plugin validate`** (requires [Claude Code](https://code.claude.com/docs) CLI).
+3. **Validate** locally:
+
+```bash
+node scripts/validate-claude-plugin.mjs
+```
+
+Before a release or directory submission, also run **`claude plugin validate`** (requires [Claude Code](https://code.claude.com/docs) CLI).
 
 4. **Test** by loading the repository as the plugin (the repo root is the plugin root):
 
@@ -25,6 +31,7 @@ Exercise the skills you changed (for example `/jfrog:<skill-name>`). Run `/reloa
 
 ## Pre-release checklist
 
+- [ ] `node scripts/validate-claude-plugin.mjs` passes.
 - [ ] `claude plugin validate` passes (before directory submission or major releases).
 - [ ] Version bumped in [`.claude-plugin/plugin.json`](.claude-plugin/plugin.json) when the plugin changes.
 - [ ] No secrets, credentials, or files under `**/local-cache/` committed.

README.md

@@ -16,61 +16,10 @@ This repository **is** the plugin: manifest at [`.claude-plugin/plugin.json`](.c
 
 Skills are vendored from [jfrog/jfrog-skills](https://github.com/jfrog/jfrog-skills); the pinned **release and commit** are in [`skills/VENDOR.md`](skills/VENDOR.md).
 
-## JFrog MCP Gateway integration
-
-When the plugin is enabled, every Claude Code session starts by asking the JFrog MCP Gateway whether the current tenant is entitled to the AI Catalog feature (`npx @jfrog/mcp-gateway --should-inject`). If the gateway returns **entitled**, the rules in [`templates/jfrog-mcp-management.md`](templates/jfrog-mcp-management.md) are injected into the model's context via the [`additionalContext`](https://docs.anthropic.com/en/docs/claude-code/hooks#sessionstart) `SessionStart` hook output. **No instructions file is written to your repo** — the rules live only in the plugin and reach the model directly through the hook.
-
-The check fails closed: anything other than a clean "entitled" response (entitlement denied, no JFrog server resolvable, network/`npx` failure, timeout) skips the injection so the plugin stays inert when the gateway can't authoritatively say "yes".
-
-You can short-circuit the check with the `JF_MCP_GATEWAY_FORCE_ENABLE` env var in the shell that launches Claude Code — this is mainly for tests, demos, and air-gapped setups:
-
-| Value | Effect |
-| --- | --- |
-| `true` | Always inject the instructions; skip the entitlement check entirely. |
-| `false` | Never inject; skip the entitlement check entirely. |
-| unset / anything else | Run `--should-inject` and respect its decision (default). |
-
-Set `JF_MCP_GATEWAY_DEBUG=1` to have the hook log its decision to stderr (visible in Claude Code's logs panel) for troubleshooting.
-
-The rules tell Claude to:
-
-- Add MCP servers only through `npx @jfrog/mcp-gateway --inspect / --login / --list-available`, never via direct `npx`/`pip`/`docker` or hand-rolled catalog API calls.
-- Resolve project / server ID from `.claude/settings.json` (`allowedMcpServers`), then existing `.mcp.json` / `~/.claude.json`, then `~/.jfrog/jfrog-cli.conf.v6`.
-- Write the entry to **`.mcp.json` (project scope) by default** — creating the file if it doesn't exist — so the entry stays alongside the project and the team can share it via git. Only fall back to `~/.claude.json` (user scope) when you ask for it explicitly. Either way, secrets stay out of the file via `${ENV_VAR}` expansion (Claude Code has no native interactive secret prompt).
-- Run the gateway's `--login` automatically for OAuth-only remote MCPs.
-
-After a new MCP entry is written, you must (1) **export every `${VAR}` referenced by the entry** in the shell that will launch Claude Code so the gateway has them at server-start time (an unset variable shows as `[Contains warnings]` in `/mcp` — informational only — and any tool call needing that value will fail at runtime), and (2) **quit and relaunch Claude Code** in the same directory. The first time you launch in a project, Claude Code prompts you both for workspace trust and once per `.mcp.json` server (`Approve MCP server <name> from .mcp.json?`); accept each one. On subsequent launches the `mcpServers` block loads silently. Verify with `/mcp` (under "Project MCPs (.../.mcp.json)") or `claude mcp list`.
-
-Note: in Claude Code v2.1.x, per-project approve/reject decisions are persisted in **`<cwd>/.claude/settings.local.json`** (`enabledMcpjsonServers` / `disabledMcpjsonServers`), **not** in `~/.claude.json`. `claude mcp reset-project-choices` and deleting `projects.<cwd>` from `~/.claude.json` do **not** touch that file, so a previously-rejected `.mcp.json` server stays silently disabled and is never re-prompted. To re-enable it, edit `<cwd>/.claude/settings.local.json`, remove the entry from `disabledMcpjsonServers`, append it to `enabledMcpjsonServers`, and relaunch.
-
-To **enforce** the gateway as the only allowed transport in a project, add an `allowedMcpServers` policy to `.claude/settings.json`:
-
-```json
-{
-  "allowedMcpServers": [
-    {
-      "serverCommand": [
-        "npx",
-        "--yes",
-        "--registry",
-        "https://releases.jfrog.io/artifactory/api/npm/coding-agents-npm/",
-        "@jfrog/mcp-gateway",
-        "--server",
-        "<JFROG_SERVER_ID>"
-      ]
-    }
-  ]
-}
-```
-
-To override the registry without editing the manifest, set `JFROG_MCP_GATEWAY_REPO` in your shell.
-
 ## Prerequisites
 
 1. **JFrog Platform** access (Cloud or self-hosted).
-2. **Node.js** (for `npx @jfrog/mcp-gateway` and the plugin's `SessionStart` hook).
-3. **JFrog credentials** — either a `JFROG_ACCESS_TOKEN` / `JF_ACCESS_TOKEN` env var, or a server registered with the [JFrog CLI](https://jfrog.com/getcli) via `jf c add`. The gateway picks up either source automatically.
-4. **JFrog CLI** (`jf`) is used by several skills for authentication and REST API operations. It can be installed automatically if missing, or manually via [Get JFrog CLI](https://jfrog.com/getcli) (installers and downloads) or the [Install JFrog CLI](https://docs.jfrog.com/integrations/docs/download-and-install-the-jfrog-cli) documentation for full steps and troubleshooting.
+2. **JFrog CLI** (`jf`) is used by several skills for authentication and REST API operations. It can be installed automatically if missing, or manually via [Get JFrog CLI](https://jfrog.com/getcli) (installers and downloads) or the [Install JFrog CLI](https://docs.jfrog.com/integrations/docs/download-and-install-the-jfrog-cli) documentation for full steps and troubleshooting.
 
 ## Setup
 

scripts/validate-claude-plugin.mjs

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+
+// Copyright (c) JFrog Ltd. 2026
+// Licensed under the Apache License, Version 2.0
+// https://www.apache.org/licenses/LICENSE-2.0
+
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import process from "node:process";
+
+const repoRoot = process.cwd();
+const errors = [];
+const warnings = [];
+
+const pluginNamePattern = /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/;
+
+function addError(message) {
+  errors.push(message);
+}
+
+function addWarning(message) {
+  warnings.push(message);
+}
+
+async function pathExists(targetPath) {
+  try {
+    await fs.access(targetPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function readJsonFile(filePath, context) {
+  let raw;
+  try {
+    raw = await fs.readFile(filePath, "utf8");
+  } catch {
+    addError(`${context} is missing: ${filePath}`);
+    return null;
+  }
+
+  try {
+    return JSON.parse(raw);
+  } catch (error) {
+    addError(`${context} contains invalid JSON (${filePath}): ${error.message}`);
+    return null;
+  }
+}
+
+function normalizeNewlines(content) {
+  return content.replace(/\r\n/g, "\n");
+}
+
+function extractFrontmatterBlock(content) {
+  const normalized = normalizeNewlines(content);
+  if (!normalized.startsWith("---\n")) {
+    return null;
+  }
+  const closingIndex = normalized.indexOf("\n---\n", 4);
+  if (closingIndex === -1) {
+    return null;
+  }
+  return normalized.slice(4, closingIndex);
+}
+
+async function validateSkillFile(filePath, pluginName) {
+  const content = await fs.readFile(filePath, "utf8");
+  const relativeFile = path.relative(repoRoot, filePath);
+  const block = extractFrontmatterBlock(content);
+  if (!block) {
+    addError(`${pluginName}: skill missing YAML frontmatter: ${relativeFile}`);
+    return;
+  }
+  if (!/^name:\s+/m.test(block)) {
+    addError(`${pluginName}: skill missing "name" in frontmatter: ${relativeFile}`);
+  }
+  if (!/^description:\s+/m.test(block)) {
+    addError(`${pluginName}: skill missing "description" in frontmatter: ${relativeFile}`);
+  }
+}
+
+async function validateSkills(pluginDir, pluginName) {
+  const skillsDir = path.join(pluginDir, "skills");
+  if (!(await pathExists(skillsDir))) {
+    addWarning(`${pluginName}: no skills/ directory`);
+    return;
+  }
+  const entries = await fs.readdir(skillsDir, { withFileTypes: true });
+  let foundSkill = false;
+  for (const entry of entries) {
+    if (!entry.isDirectory()) {
+      continue;
+    }
+    const skillMd = path.join(skillsDir, entry.name, "SKILL.md");
+    if (await pathExists(skillMd)) {
+      foundSkill = true;
+      await validateSkillFile(skillMd, pluginName);
+    }
+  }
+  if (!foundSkill) {
+    addError(`${pluginName}: no skills/*/SKILL.md found under ${path.relative(repoRoot, skillsDir)}`);
+  }
+}
+
+async function main() {
+  const manifestPath = path.join(repoRoot, ".claude-plugin", "plugin.json");
+  const pluginManifest = await readJsonFile(manifestPath, "Plugin manifest (.claude-plugin/plugin.json)");
+  if (!pluginManifest) {
+    summarizeAndExit();
+    return;
+  }
+
+  const pluginName = pluginManifest.name || "plugin";
+  if (typeof pluginManifest.name !== "string" || !pluginNamePattern.test(pluginManifest.name)) {
+    addError(
+      `"name" in plugin.json must be lowercase and use only alphanumerics, hyphens, and periods.`
+    );
+  }
+
+  await validateSkills(repoRoot, pluginName);
+
+  summarizeAndExit();
+}
+
+function summarizeAndExit() {
+  if (warnings.length > 0) {
+    console.log("Warnings:");
+    for (const warning of warnings) {
+      console.log(`- ${warning}`);
+    }
+    console.log("");
+  }
+
+  if (errors.length > 0) {
+    console.error("Validation failed:");
+    for (const error of errors) {
+      console.error(`- ${error}`);
+    }
+    process.exit(1);
+  }
+
+  console.log("Validation passed.");
+}
+
+await main();