Add plugins input to GitHub Action

[whyuan-cc]

Summary

This PR adds support for installing Claude Code plugins via a new plugins input parameter to the GitHub Action.

Changes

• Added plugins input to action.yml: Accepts a comma-separated list of plugin names
• Created install-plugins.ts: Contains the plugin installation logic with proper error handling
• Added comprehensive tests: install-plugins.test.ts with 11 test cases covering various edge cases
• Updated base-action index.ts: Calls plugin installation after settings setup but before Claude execution
• Proper TypeScript implementation: Includes type definitions and follows project conventions

Usage Example

- uses: anthropic-ai/claude-code-action@main
  with:
    plugins: "feature-dev,test-coverage-reviewer,code-quality-reviewer"

Or with spaces for readability:

- uses: anthropic-ai/claude-code-action@main
  with:
    plugins: "feature-dev, test-coverage-reviewer, code-quality-reviewer"

Test Plan

• Created comprehensive unit tests for plugin parsing
• Verified formatting with Prettier
• Plugin installation happens at the correct point in the execution flow
• Integration testing with actual plugins (to be done in CI)

🤖 Generated with Claude Code

[whyuan-cc]

@claude review the code

[claude]

Critical: Missing test coverage for core functionality

Current tests only cover parsePlugins() (11 tests), but provide zero coverage for:

• installPlugin() - subprocess spawning, error handling, process failures
• installPlugins() - sequential execution, error propagation
• Integration with index.ts

High-risk untested scenarios:

• Process exits with non-zero code
• Process spawn fails (ENOENT)
• Null exit codes
• Multiple plugin failures
• Security: malicious plugin names (--version, ../../etc/passwd)

Recommend adding tests with mocked spawn():

import { spawn } from "child_process";
import { mock } from "bun:test";

describe("installPlugin", () => {
  test("should reject when process exits with non-zero code", async () => {
    // Mock spawn to emit exit code 1
    await expect(installPlugin("bad-plugin")).rejects.toThrow(
      "Failed to install plugin 'bad-plugin' (exit code: 1)"
    );
  });
  
  test("should reject malicious plugin names", async () => {
    await expect(installPlugin("--version")).rejects.toThrow("Invalid plugin name");
  });
});

Without these tests, production failures are likely to go undetected until runtime.

[claude]

Code Review Summary

I've completed a comprehensive review using specialized agents. Here are the key findings:

Critical Issues Requiring Attention

1. Sequential Plugin Installation - Currently blocks all subsequent plugins if one fails, and has significant performance implications (10 plugins = 50-100s sequential vs 5-10s parallel). See inline comment on install-plugins.ts:73-77.

2. Security: Missing Input Validation - Plugin names lack validation, allowing potential argument injection attacks (--version, path traversal). See inline comment on install-plugins.ts:33.

3. Test Coverage Gap (89%) - Only parsePlugins() is tested. Core functionality (installPlugin, installPlugins) has zero test coverage, including critical error paths and security scenarios. See inline comment on install-plugins.test.ts:84.

Documentation Gaps

4. Missing from base-action/action.yml - The plugins input is not defined in the base action's action.yml, only in the wrapper action. Users of the base action standalone cannot use this feature.

5. No README Documentation - Neither README mentions the plugins feature, usage examples, or what Claude Code plugins are.

Positive Aspects

• Clean function design with good separation of concerns
• Excellent parsing test coverage with comprehensive edge cases
• Correct use of spawn() with argument array (prevents shell injection)
• Clear integration into existing workflow
• Proper TypeScript typing throughout

Recommendations

Before merging:

1. Add input validation for plugin names (security)
2. Add tests for installPlugin() and installPlugins() with mocked spawn()
3. Add plugins input to base-action/action.yml

Post-merge:

1. Consider parallel plugin installation for better performance
2. Add README documentation with usage examples
3. Document in docs/usage.md

The implementation is solid overall, but addressing the validation and test coverage gaps is critical for production readiness.

[claude]

Claude finished @whyuan-cc's task —— View job

---

Code Review Complete ✅

I've completed a thorough review of the plugin installation feature. The implementation is functional but has several critical issues that need to be addressed before merging.

🔴 Critical Issues

1. Security: Missing Input Validation (base-action/src/install-plugins.ts:28-54)

Plugin names are passed directly to spawn() without validation. While the array format prevents shell injection, malicious inputs could still cause issues:

// Current vulnerable code
spawn(claudeExecutable, ["plugin", "install", pluginName])

// Attack vectors:
plugins: "--version"        // Executes claude --version instead
plugins: "../../malicious"  // Path traversal attempt
plugins: "-h"               // Hijacks command behavior

Required fix: Add validation before spawning:

function validatePluginName(pluginName: string): void {
  const validPluginRegex = /^(@[a-z0-9-]+\/)?[a-z0-9_-]+$/i;
  
  if (!validPluginRegex.test(pluginName) || 
      pluginName.startsWith('-') || 
      pluginName.includes('..') ||
      pluginName.length > 214) {
    throw new Error(
      `Invalid plugin name: '${pluginName}'. Plugin names must contain only ` +
      `alphanumeric characters, hyphens, underscores, and forward slashes for scoped packages.`
    );
  }
}

2. Performance: Sequential Installation Blocks on Failure (base-action/src/install-plugins.ts:73-77)

Current implementation installs plugins one-by-one. If plugin #2 fails, plugins #3+ are never attempted. For 10 plugins, this takes 50-100 seconds vs 5-10 seconds in parallel.

Required fix: Use parallel installation with proper error handling:

const results = await Promise.allSettled(
  plugins.map(async (plugin) => {
    console.log(`Installing plugin: ${plugin}`);
    try {
      await installPlugin(plugin, claudeExecutable);
      console.log(`✓ Successfully installed: ${plugin}`);
      return { plugin, status: 'success' };
    } catch (error) {
      console.error(`✗ Failed to install: ${plugin}`);
      return { plugin, status: 'failed', error };
    }
  })
);

const failed = results.filter(r => 
  r.status === 'rejected' || 
  (r.status === 'fulfilled' && r.value.status === 'failed')
);

if (failed.length > 0) {
  throw new Error(`Failed to install ${failed.length} plugin(s)`);
}

3. Testing: Zero Coverage for Core Functionality (base-action/test/install-plugins.test.ts)

Current tests only cover parsePlugins() but provide no coverage for:

• installPlugin() - The actual subprocess spawning and error handling
• installPlugins() - Sequential execution logic
• Security scenarios (malicious plugin names)
• Process failures (non-zero exit codes, ENOENT, null exit codes)

Required: Add tests with mocked spawn():

import { spawn } from "child_process";
import { mock } from "bun:test";

describe("installPlugin", () => {
  test("should reject when process exits with non-zero code", async () => {
    const mockSpawn = mock();
    // Mock implementation that emits exit code 1
    await expect(installPlugin("bad-plugin")).rejects.toThrow(
      "Failed to install plugin 'bad-plugin' (exit code: 1)"
    );
  });
  
  test("should reject malicious plugin names", async () => {
    await expect(installPlugin("--version")).rejects.toThrow("Invalid plugin name");
    await expect(installPlugin("../../etc/passwd")).rejects.toThrow("Invalid plugin name");
  });
});

⚠️ Minor Issues

4. Error Handling: Null Exit Codes (base-action/src/install-plugins.ts:37-46)

Process exit code can be null if killed by signal, resulting in confusing error messages.

process.on("close", (code: number | null) => {
  if (code === 0) {
    resolve();
  } else {
    reject(new Error(
      `Failed to install plugin '${pluginName}' (exit code: ${code ?? 'unknown'})`
    ));
  }
});

✅ Good Aspects

1. Clean API design - Simple comma-separated list is user-friendly
2. Comprehensive parsing tests - Good edge case coverage for parsePlugins()
3. Proper TypeScript types - Follows project conventions
4. Clear console output - Good UX with progress indicators
5. Correct execution order - Plugins installed after settings but before Claude runs

📋 Summary

The feature adds valuable functionality, but the security vulnerabilities and lack of test coverage for the core logic are blocking issues. Once the critical issues are addressed (especially input validation and parallel installation), this will be a solid addition to the action.

Recommendation: Address the three critical issues before merging. The minor issue with null exit codes can be fixed in a follow-up if needed.

✅ All tasks completed:

• Read all changed files
• Analyze code quality and security
• Check adherence to project conventions
• Provide comprehensive review feedback

---

View workflow run

[claude]

CRITICAL: Missing Resource Limits & Timeout Protection

Two significant issues:

1. Unbounded Parallelism: All plugins install simultaneously without concurrency limits. With 20 plugins, this spawns 20 concurrent processes, potentially overwhelming the runner.

2. No Timeouts: A single hanging installation will block indefinitely.

Recommendation: Implement concurrency limiting and timeouts:

import pLimit from 'p-limit';

const PLUGIN_INSTALL_TIMEOUT = 5 * 60 * 1000; // 5 minutes per plugin
const MAX_CONCURRENT_INSTALLS = 3;
const MAX_PLUGINS = 10;

if (plugins.length > MAX_PLUGINS) {
  throw new Error(`Too many plugins (${plugins.length}). Maximum allowed: ${MAX_PLUGINS}`);
}

console.log(`Installing ${plugins.length} plugin(s) (max ${MAX_CONCURRENT_INSTALLS} concurrent)...`);

const limit = pLimit(MAX_CONCURRENT_INSTALLS);

const results = await Promise.allSettled(
  plugins.map((plugin) =>
    limit(() => Promise.race([
      installPlugin(plugin, claudeExecutable),
      new Promise((_, reject) =>
        setTimeout(() => reject(new Error(`Timeout installing ${plugin}`)), PLUGIN_INSTALL_TIMEOUT)
      )
    ]))
  )
);

const failed = results.filter((r): r is PromiseRejectedResult => r.status === 'rejected');

if (failed.length > 0) {
  const failureDetails = failed.map((f, i) => 
    `  - ${plugins[i]}: ${f.reason instanceof Error ? f.reason.message : String(f.reason)}`
  ).join('\n');
  throw new Error(`Failed to install ${failed.length} plugin(s):\n${failureDetails}`);
}

[claude]

Code Quality: Duplicate Console Logging

Identical message appears twice. Remove line 98.

Suggested change

	}
	console.log("All plugins installed successfully");
	console.log("All plugins installed successfully");
	}

[claude]

CRITICAL: Missing Test Coverage

The test file only covers parsePlugins() (11 tests), but the two most critical functions have zero test coverage:

• installPlugin() - spawns child processes, handles exit codes and errors
• installPlugins() - orchestrates parallel installation, aggregates errors

This creates significant risk of production failures. Essential missing tests:

// Mock child_process.spawn for testing
import { spawn } from "child_process";
import { mock } from "bun:test";

describe("installPlugin", () => {
  test("should succeed with exit code 0", async () => {
    // Mock spawn to simulate success
    await expect(installPlugin("test-plugin")).resolves.toBeUndefined();
  });

  test("should reject on non-zero exit code", async () => {
    // Mock spawn to simulate failure
    await expect(installPlugin("bad-plugin")).rejects.toThrow(
      "Failed to install plugin 'bad-plugin' (exit code: 1)"
    );
  });

  test("should reject on spawn error", async () => {
    // Mock spawn to emit error event
    await expect(installPlugin("test-plugin")).rejects.toThrow();
  });

  test("should timeout after 5 minutes", async () => {
    // Test timeout behavior
  });
});

describe("installPlugins", () => {
  test("should handle partial failures", async () => {
    // Mock some plugins to succeed, others to fail
    await expect(installPlugins("good,bad")).rejects.toThrow(
      "Failed to install 1 plugin(s)"
    );
  });

  test("should install plugins in parallel with concurrency limit", async () => {
    // Verify concurrent installation behavior
  });
});

These tests are critical before merging.

[claude]

Duplicate console log statements

These two lines both log the same information. Remove the first one and keep the more descriptive "in parallel" version.

Suggested change

	console.log(`Installing ${plugins.length} plugin(s)...`);
	console.log(`Installing ${plugins.length} plugin(s) in parallel...`);
	console.log(`Installing ${plugins.length} plugin(s) in parallel...`);

[claude]

Critical: Missing test coverage for core functionality

While the parsePlugins() function has excellent test coverage (11 tests), there are zero tests for the actual plugin installation logic:

Missing tests:

1. installPlugin() - process spawning, exit codes, error handling
2. installPlugins() - orchestration, parallel execution, partial failures
3. Error scenarios and edge cases

Impact: The core functionality that spawns processes and handles errors is completely untested, which poses significant risk.

Recommendation: Add tests with mocked spawn:

describe("installPlugin", () => {
  test("should resolve when plugin installs successfully (exit code 0)");
  test("should reject with error when installation fails (non-zero exit)");
  test("should reject with error on spawn error event");
  test("should handle custom claude executable");
});

describe("installPlugins", () => {
  test("should return early for empty plugin list");
  test("should install multiple plugins in parallel");
  test("should throw error if any plugin fails");
  test("should include failed plugin names in error message");
});

The syntax error on lines 47-49 of install-plugins.ts would likely be caught by these tests.

[claude]

Code Review Summary

I've completed a comprehensive review of PR #637 using specialized agents for code quality, performance, security, testing, and documentation. Here are the key findings:

Critical Issues (Must Fix Before Merge)

1. Syntax Error (lines 47-49): Malformed closing braces in install-plugins.ts that will prevent compilation
2. Missing Test Coverage: Zero tests for installPlugin() and installPlugins() functions - only parsePlugins() is tested
3. Code Duplication: Duplicate console.log statements at lines 73/75 and 98/100

Important Issues

4. Security - Input Validation: No validation on plugin names (length limits, format checking, max count). Could allow resource exhaustion or typosquatted packages
5. Error Handling Logic: Dead code checking for r.status === 'rejected' due to inner try-catch blocks
6. Unnecessary Code: Global console type declaration (lines 5-9) is not needed

Documentation Gaps

7. Missing plugins input documentation in base-action/action.yml
8. Missing usage documentation in base-action/README.md and docs/usage.md
9. Missing configuration documentation in docs/configuration.md

Positive Aspects ✅

• Secure by design: Proper use of spawn() with array arguments prevents command injection
• Excellent parsing tests: 11 comprehensive test cases for parsePlugins()
• Good parallel execution: Uses Promise.allSettled() for efficient plugin installation
• Clear function decomposition: Clean separation of concerns

Security Assessment

The implementation is fundamentally secure against command injection. The use of spawn() with array arguments ensures plugin names are treated as literal strings, not shell commands. However, adding input validation would improve robustness.

Recommendations Priority

High Priority:

1. Fix syntax error (compilation blocker)
2. Add tests for core installation logic
3. Add plugin name validation (security + robustness)
4. Remove duplicate console.log statements

Medium Priority:
5. Fix error handling logic and improve error messages
6. Add missing documentation
7. Remove unnecessary console type declaration

I've posted inline comments with specific suggestions on the affected lines. The feature concept is solid, but these issues should be addressed before merging.

---

🤖 Review generated by Claude Code with specialized review agents

[claude]

Improve error reporting for parallel failures

When multiple plugins fail, the error only shows the count. Users need to know which plugins failed:

Suggested change

	if (failed.length > 0) {
	const failedPlugins = failed
	.map((r) => (r.status === "fulfilled" ? r.value.plugin : "unknown"))
	.join(", ");
	throw new Error(
	`Failed to install ${failed.length} plugin(s): ${failedPlugins}`
	const failed = results
	.map((r, i) => ({ result: r, plugin: plugins[i] }))
	.filter(({ result }) =>
	result.status === 'rejected' ||
	(result.status === 'fulfilled' && result.value.status === 'failed')
	);
	if (failed.length > 0) {
	const failedPlugins = failed.map(({ plugin }) => plugin).join(', ');
	throw new Error(
	`Failed to install ${failed.length} plugin(s): ${failedPlugins}`
	);
	}

[claude]

Missing timeout handling

Plugin installations can hang indefinitely without a timeout. This could cause GitHub Actions to run until the workflow timeout (default 6 hours).

Consider adding timeout protection:

return new Promise((resolve, reject) => {
  const childProcess = spawn(claudeExecutable, ["plugin", "install", pluginName], {
    stdio: "inherit",
  });

  const timeoutHandle = setTimeout(() => {
    childProcess.kill("SIGTERM");
    setTimeout(() => childProcess.kill("SIGKILL"), 5000);
    reject(new Error(`Plugin installation timed out: '${pluginName}'`));
  }, 300000); // 5 minute timeout

  childProcess.on("close", (code: number | null) => {
    clearTimeout(timeoutHandle);
    // ... rest of handler
  });

  childProcess.on("error", (err: Error) => {
    clearTimeout(timeoutHandle);
    // ... rest of handler
  });
});

[claude]

Test name doesn't match implementation

This test is named "sequentially" but the implementation uses Promise.allSettled() for parallel execution.

The test at line 276-300 ("should stop and propagate error on first failure") expects only 2 spawn calls, but with parallel execution all 3 plugins will start simultaneously.

Options:

1. Change implementation to sequential with fail-fast (matching test expectations)
2. Rename tests and update assertions to match parallel behavior

Current mismatch will cause test failures.

[claude]

Comprehensive Code Review Summary

I've completed a thorough review of this PR using specialized review agents for code quality, performance, test coverage, documentation accuracy, and security. While the concept and test suite are excellent, the implementation file has critical structural issues that prevent it from functioning correctly.

🚨 Critical Issues (Must Fix Before Merge)

The base-action/src/install-plugins.ts file contains severe code corruption that makes it non-functional:

1. Missing JSDoc opening (line 5-7)
2. Unreachable validation code (lines 26-33) - important security checks never execute
3. Duplicate Promise wrapper (lines 62-91) - incomplete and duplicated code blocks
4. Missing return statement and 4x duplicated console.log (lines 103-110)
5. Orphaned code fragment (lines 111-120) - missing variable declaration and function opening
6. Duplicate error handling with extra closing braces (lines 126-149)

📊 Review Results by Category

Category	Status	Key Findings
Code Quality	❌ Critical Issues	File structure is corrupted with duplicates and unreachable code
Performance	⚠️ Sequential vs Parallel Mismatch	Logs say "parallel" but tests validate sequential execution (~5x slower)
Test Coverage	✅ Excellent	11 comprehensive tests, but missing control character validation tests
Documentation	⚠️ Needs Improvement	Orphaned JSDoc, misleading messages, missing README updates
Security	✅ Strong	Proper spawn() usage with array args prevents command injection

🔍 Detailed Findings

Performance Issue: Sequential vs Parallel Execution

The implementation claims to install plugins "in parallel" (line 106) but the test suite explicitly validates sequential behavior:

• Test line 240: "should install multiple plugins sequentially"
• Test line 276-299: Validates installation stops on first failure (only 2 spawn calls, not 3)

Impact: For 5 plugins @ 10s each: Sequential takes 50s vs Parallel takes ~10s (5x performance difference)

Recommendation: Implement true parallel execution using Promise.allSettled() for better performance and user experience.

Security Assessment: ✅ PASS

The security implementation is strong:

• ✅ Correct use of spawn() with array arguments (prevents shell injection)
• ✅ Comprehensive input validation rejecting: flags (-version), path traversal (../), shell metacharacters (;, |, &, etc.)
• ✅ Good test coverage for attack vectors
• ⚠️ Note: Control character validation exists but is unreachable (line 27)

Test Coverage: Excellent Quality

The test suite is well-written with 11 tests covering:

• ✅ Parsing edge cases (whitespace, empty strings, special characters)
• ✅ Security validation (injection attempts, path traversal)
• ✅ Error handling (exit codes, spawn failures, ENOENT)
• ✅ Custom executable paths

Missing tests:

• Control character validation (\n, \r, \t, \0)
• Empty string validation for isValidPluginName()

📝 Recommendations

Immediate Actions Required:

1. Rewrite install-plugins.ts - The file is too corrupted to fix incrementally. Use the test suite as your specification.

2. Decide on execution model:

   • Parallel (recommended): ~5x faster, better UX, implement with Promise.allSettled()
   • Sequential: Current test behavior, use for...of loop with await

3. Fix validation function to include the control character check before the final return

4. Update tests to match the chosen execution model (parallel vs sequential)

5. Add README documentation for the new plugins input parameter

Suggested Implementation (Parallel):

See inline comments for complete code examples. The key structure should be:

// installPlugins() with parallel execution
const results = await Promise.allSettled(
  plugins.map(async (plugin) => {
    try {
      await installPlugin(plugin, claudeExecutable);
      return { plugin, status: 'success' };
    } catch (error) {
      return { plugin, status: 'failed', error };
    }
  })
);
// Then collect and report failures

✅ Positive Observations

1. Test quality is excellent - comprehensive coverage and good security testing
2. Security-first design - proper spawn() usage and input validation
3. Integration pattern is correct - plugins install at the right point in execution flow
4. Feature is valuable - adds important extensibility to the action

📌 Conclusion

Cannot merge in current state due to file corruption. However, the concept, tests, and security design are all solid. Once the implementation is rewritten to match the test specifications, this will be a valuable feature addition.

Estimated fix time: 1-2 hours for complete rewrite and validation.

Please see the inline comments for detailed guidance on each issue.

[claude]

CRITICAL: Unreachable Security Validation

This early return makes lines 25-32 completely unreachable, including the control character security check on lines 26-28. This creates a security vulnerability where control characters (null bytes, newlines, tabs) are never validated.

Suggested change

	const validPattern = /^[@\w][\w\-./]*$/;
	// Allow @scope/package-name, package-name, package_name patterns
	const validPattern = /^[@\w][\w\-./]*$/;
	// Reject control characters (newlines, tabs, null bytes, etc.)
	if (/[\x00-\x1F\x7F]/.test(pluginName)) {
	return false;
	}
	return validPattern.test(pluginName);

This also fixes the duplicate validPattern declaration.

[claude]

CRITICAL: Duplicated Promise Implementation

Lines 68-90 duplicate the Promise implementation from lines 61-67, creating unreachable code. This appears to be a merge conflict artifact.

Suggested change

	process.on("close", (code: number | null) => {
	process.on("close", (code: number | null) => {
	if (code === 0) {
	resolve();
	} else {
	reject(
	new Error(
	`Failed to install plugin '${pluginName}' (exit code: ${code ?? 'unknown'})`,
	),
	);
	}
	});
	process.on("error", (err: Error) => {
	reject(
	new Error(`Failed to install plugin '${pluginName}': ${err.message}`),
	);
	});
	});
	}

Remove the duplicate Promise wrapper and complete the implementation.

[claude]

CRITICAL: Early Return Makes All Plugin Installation Code Unreachable

This early return statement causes lines 105-147 (the entire plugin installation logic) to be unreachable. This makes the plugin installation feature completely non-functional.

The lines below also contain multiple issues:

• Lines 107-109: Same console.log repeated 4 times
• Lines 126-143: Duplicate nested error handling
• Missing proper Promise.allSettled result handling

Suggested change

	console.log("No plugins to install");
	if (plugins.length === 0) {
	console.log("No plugins to install");
	return;
	}
	console.log(`Installing ${plugins.length} plugin(s) in parallel...`);
	const results = await Promise.allSettled(
	plugins.map(async (plugin) => {
	try {
	await installPlugin(plugin, claudeExecutable);
	console.log(`✓ Successfully installed: ${plugin}`);
	return { plugin, status: 'success' as const };
	} catch (error) {
	console.error(`✗ Failed to install: ${plugin}`);
	return { plugin, status: 'failed' as const, error };
	}
	})
	);
	const failed = results.filter(
	(r) => r.status === "fulfilled" && r.value.status === "failed"
	);
	if (failed.length > 0) {
	const failureDetails = failed
	.map(r => {
	const value = (r as PromiseFulfilledResult<any>).value;
	return `${value.plugin}: ${value.error?.message || 'unknown error'}`;
	})
	.join('; ');
	throw new Error(
	`Failed to install ${failed.length} plugin(s): ${failureDetails}`
	);
	}
	console.log("All plugins installed successfully");
	}

[claude]

SECURITY: Missing Validation for Claude Executable Path

The INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE environment variable is passed directly to spawn() without validation, creating a command injection vulnerability.

An attacker who can control this input could execute arbitrary commands:

path_to_claude_code_executable: "/bin/bash -c 'malicious command' #"

Recommendation: Add validation before calling installPlugins():

const claudeExecutable = process.env.INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE || "claude";

// Validate executable path
if (claudeExecutable !== "claude") {
  if (!claudeExecutable.startsWith('/') || /[;&|`$()<>]/.test(claudeExecutable)) {
    throw new Error(`Invalid claude executable path: ${claudeExecutable}`);
  }
}

await installPlugins(process.env.INPUT_PLUGINS, claudeExecutable);

[claude]

TEST ISSUE: Test Name Doesn't Match Implementation Behavior

This test is named "should install multiple plugins sequentially" but the implementation uses Promise.allSettled() for parallel installation.

The test expectations are also incorrect:

• Line 249-264: Expects sequential spawn calls, but parallel would initiate all 3 simultaneously
• Line 276-300: Expects fail-fast behavior (2 spawn calls), but parallel continues all installations

Recommendation: Either:

1. Update test to expect parallel behavior, OR
2. Change implementation to sequential installation (which the unreachable code structure suggests was intended)

Based on the console.log message "Installing X plugin(s) in parallel...", the implementation should be parallel. Update the test accordingly.

[claude]

MISSING TEST CASE: Control Character Validation

The implementation attempts to validate control characters (lines 26-28 in install-plugins.ts), but this is never tested. Add test coverage:

test("should reject control characters", () => {
  expect(isValidPluginName("plugin\x00name")).toBe(false); // null byte
  expect(isValidPluginName("plugin\nname")).toBe(false);   // newline
  expect(isValidPluginName("plugin\tname")).toBe(false);   // tab
  expect(isValidPluginName("plugin\rname")).toBe(false);   // carriage return
  expect(isValidPluginName("plugin\x1fname")).toBe(false); // control char
});

This is security-critical as control characters could enable injection attacks.

[claude]

Code Review Summary

I've completed a comprehensive review of PR #637 using specialized analysis agents. Unfortunately, this PR has critical issues and should not be merged in its current state.

🚨 Critical Issues Found

1. Non-Functional Implementation Due to Code Corruption

The install-plugins.ts file contains severe structural problems that render the plugin installation feature completely non-functional:

• Lines 25-32: Unreachable security validation code (control character check never executes)
• Lines 68-90: Duplicated Promise implementation
• Lines 105-147: Entire plugin installation logic is unreachable due to early return on line 104
• Lines 107-109: Same console.log statement repeated 4 times
• Lines 126-143: Duplicate error handling with nested conditions

This appears to be a merge conflict or incomplete refactoring that was not caught before the PR was opened.

2. Security Vulnerability: Command Injection

Severity: CRITICAL (CWE-78)

The INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE parameter is passed directly to spawn() without any validation in index.ts:19. An attacker who can control this input could execute arbitrary commands.

Required fix: Add validation before spawning processes.

3. Test Suite Mismatch

Tests expect sequential plugin installation with fail-fast behavior, but the (unreachable) implementation code uses parallel installation with Promise.allSettled(). This fundamental mismatch means tests won't validate actual behavior once the code is fixed.

📋 Additional Issues

• Security: Missing control character validation (unreachable code)
• Performance: No timeout on plugin installation processes (could hang indefinitely)
• Documentation: Feature not documented in any user-facing docs (README, usage guide)
• Testing: Missing test coverage for control character injection

✅ What's Good

• Comprehensive test suite structure (318 lines)
• Good security awareness in validation attempts
• Clean action.yml integration
• Proper environment variable wiring

🔧 Required Actions Before Merge

1. CRITICAL: Completely rewrite install-plugins.ts to remove all duplicate/unreachable code
2. CRITICAL: Add validation for path_to_claude_code_executable to prevent command injection
3. HIGH: Decide on sequential vs parallel installation and align tests with implementation
4. HIGH: Add missing control character validation tests
5. MEDIUM: Add user-facing documentation for the plugins input parameter
6. MEDIUM: Add timeout handling for plugin installation processes

I've posted detailed inline comments on the specific problematic code sections with suggested fixes.

---

Recommendation: Close this PR, fix the implementation file from a clean baseline, and reopen with corrected code.

[claude]

CRITICAL: Unreachable code and duplicate logic

This function has severe code duplication issues:

1. Lines 23-25: Early return makes subsequent code unreachable
2. Lines 26-33: This entire block never executes (unreachable code)
3. Security impact: Control character validation (lines 27-29) is bypassed completely

The control character check [\x00-\x1F\x7F] is critical security validation that's never reached, leaving the system vulnerable to null bytes, newlines, and other control characters.

Recommended fix:

export function isValidPluginName(pluginName: string): boolean {
  if (pluginName.startsWith("-")) {
    return false;
  }

  if (pluginName.includes("../") || pluginName.includes("..\\")) {
    return false;
  }

  // Reject control characters (newlines, tabs, null bytes, etc.)
  if (/[\x00-\x1F\x7F]/.test(pluginName)) {
    return false;
  }

  // Allow @scope/package-name, package-name, package_name patterns
  const validPattern = /^[@\w][\w\-./]*$/;
  return validPattern.test(pluginName);
}

[claude]

CRITICAL: Duplicate Promise implementation

Lines 62-68 create a complete Promise, then lines 69-91 duplicate the exact same implementation. The second block (lines 69-91) is unreachable code.

This appears to be an incomplete merge or refactoring. Only the first Promise implementation will ever execute.

[claude]

CRITICAL: Duplicated console.log statements

The same log message is repeated 4 times. This appears to be a copy-paste error or incomplete refactoring.

[claude]

CRITICAL: Conflicting error handling implementations

There are two different error handling patterns here:

• Lines 128-138: Detailed error messages with failureDetails
• Lines 139-143: Simpler error messages with failedPlugins

The nested if (failed.length > 0) at line 128 inside the outer check at line 126 means lines 139-143 are unreachable. This code needs to be cleaned up to have a single, coherent error handling path.

[claude]

HIGH: Missing timeout handling

The spawned process has no timeout mechanism. If a plugin installation hangs, it will block the GitHub Action indefinitely (up to the 6-hour job timeout).

Recommendation: Add timeout handling:

export async function installPlugin(
  pluginName: string,
  claudeExecutable: string = "claude",
): Promise<void> {
  if (!isValidPluginName(pluginName)) {
    throw new Error(
      `Invalid plugin name: '${pluginName}'. Plugin names must not start with '-' or contain path traversal sequences.`,
    );
  }

  return new Promise((resolve, reject) => {
    const process = spawn(claudeExecutable, ["plugin", "install", pluginName], {
      stdio: "inherit",
    });

    const timeout = setTimeout(() => {
      process.kill('SIGTERM');
      reject(new Error(`Plugin installation timed out: '${pluginName}'`));
    }, 300000); // 5 minute timeout

    const cleanup = () => {
      clearTimeout(timeout);
      process.removeAllListeners();
    };

    process.on("close", (code: number | null) => {
      cleanup();
      if (code === 0) {
        resolve();
      } else {
        reject(new Error(`Failed to install plugin '${pluginName}' (exit code: ${code ?? 'unknown'})`));
      }
    });

    process.on("error", (err: Error) => {
      cleanup();
      reject(new Error(`Failed to install plugin '${pluginName}': ${err.message}`));
    });
  });
}

[claude]

Test-Implementation Mismatch

This test expects sequential installation with early termination ("should stop and propagate error on first failure"), but the implementation in install-plugins.ts appears to use Promise.allSettled() for parallel execution.

With parallel execution:

• All 3 plugins will be attempted
• mockSpawn will be called 3 times, not 2
• The error message format will be different

Either:

1. Change implementation to sequential with fail-fast behavior, OR
2. Update this test to reflect parallel execution behavior

[claude]

Code Review Summary

I've completed a comprehensive review of PR #637 using specialized agents for code quality, performance, security, test coverage, and documentation. Unfortunately, this PR has critical issues that must be resolved before merging.

🚨 Critical Issues

The base-action/src/install-plugins.ts file has severe code duplication and unreachable code that prevents it from functioning correctly:

1. Security vulnerability: Control character validation is unreachable (lines 26-29), leaving the system vulnerable to null bytes, newlines, and other control characters
2. Duplicate Promise implementation: Lines 62-91 contain two identical Promise implementations where the second is unreachable
3. Quadruple console.log: Lines 106-110 repeat the same log statement 4 times
4. Conflicting error handling: Lines 122-147 have nested conflicting error handling logic with unreachable code

These issues suggest an incomplete merge conflict resolution or corrupted file state. The code will not execute as intended.

⚠️ High Priority Issues

1. Missing timeout handling: Plugin installations can hang indefinitely, blocking GitHub Actions
2. Test-implementation mismatch: Tests expect sequential execution with fail-fast, but code appears to implement parallel execution
3. Missing test coverage: No tests for network failures, hung processes, or control character injection

📋 Recommendations

Before merge:

1. Fix all code duplication and unreachable code in install-plugins.ts
2. Add timeout handling to prevent hung processes
3. Align tests with actual implementation behavior (parallel vs sequential)
4. Add tests for control character injection (security)

Nice to have:
5. Add retry logic for transient network failures
6. Add tests for common failure scenarios (plugin not found, network timeout, etc.)
7. Improve type safety (replace any with proper discriminated unions)

✅ Positive Observations

• Good security-focused validation approach
• Comprehensive test structure with 11 test cases
• Proper use of spawn() with array arguments (prevents command injection)
• Clear separation of concerns (parsing, validation, installation)

---

I've left inline comments on the specific code sections that need attention. Please address the critical issues before requesting another review.

[claude]

Remove unnecessary console type declaration

This custom console type declaration is inconsistent with the rest of the codebase. Other files like setup-claude-code-settings.ts and run-claude.ts use console without custom declarations, and the project uses @actions/core for structured logging.

Recommendation: Remove this declaration entirely and use @actions/core for consistency:

import * as core from "@actions/core";

// Replace console.log with core.info
// Replace console.error with core.error

This provides better GitHub Actions integration and log formatting.

[claude]

Consider parallel plugin installation

Plugins are currently installed sequentially. For users specifying multiple plugins, this could add 10-30+ seconds to action execution time.

Recommendation: Install plugins in parallel using Promise.all():

console.log(`Installing ${plugins.length} plugin(s) in parallel...`);

await Promise.all(
  plugins.map(async (plugin) => {
    console.log(`Installing plugin: ${plugin}`);
    await installPlugin(plugin, claudeExecutable);
    console.log(`✓ Successfully installed: ${plugin}`);
  })
);

Impact: 60-70% reduction in installation time for multiple plugins.

[claude]

Improve error messages for spawn failures

When spawn fails, the error usually indicates the executable wasn't found or couldn't be started. The current error message doesn't distinguish between different failure types.

Recommendation: Enhance error messages to guide users:

process.on("error", (err: Error) => {
  if ((err as NodeJS.ErrnoException).code === 'ENOENT') {
    reject(
      new Error(
        `Failed to install plugin '${pluginName}': Claude executable '${claudeExecutable}' not found. ` +
        `Ensure Claude Code is installed and the path is correct.`
      )
    );
  } else {
    reject(
      new Error(`Failed to spawn plugin install process for '${pluginName}': ${err.message}`)
    );
  }
});

[claude]

Add JSDoc documentation

This function is missing complete JSDoc documentation including @param, @returns, @throws, and @example tags.

Recommendation:

/**
 * Installs a single Claude Code plugin by executing the Claude CLI plugin install command.
 * 
 * @param pluginName - The name of the plugin to install (e.g., "feature-dev", "@scope/plugin-name")
 * @param claudeExecutable - Path to the Claude Code executable (defaults to "claude")
 * @returns A Promise that resolves when installation succeeds
 * @throws {Error} When plugin installation fails or the Claude executable is not found
 * 
 * @example
 * ```typescript
 * await installPlugin("feature-dev");
 * await installPlugin("@myorg/custom-plugin", "/usr/local/bin/claude");
 * ```
 */

Similar documentation should be added to installPlugins() as well.

[claude]

Missing test coverage for critical functions

The test file only covers parsePlugins(), leaving installPlugin() and installPlugins() completely untested (0% coverage for 2 out of 3 exported functions).

Critical missing tests:

1. installPlugin() tests (process spawning, error handling):

   • Success with exit code 0
   • Non-zero exit codes
   • Spawn errors (ENOENT, EACCES)
   • Null exit code handling

2. installPlugins() tests (orchestration):

   • No plugins provided
   • Single and multiple plugin installation
   • Error propagation
   • Console output verification

3. Security tests:

   • Plugin names with shell metacharacters

Recommendation: Add comprehensive tests for these functions before merging. This is critical for production reliability since these functions perform privileged operations (spawning processes).

[claude]

Code Review Summary

I've completed a comprehensive review of PR #637 using specialized review agents. Overall, the implementation is well-structured and secure, but there are some noteworthy issues to address before merging.

🟢 Strengths

• Excellent security: Correctly uses array-based spawn() to prevent command injection
• Clean code structure: Well-organized with single-responsibility functions
• Good test coverage for parsing: parsePlugins() has 11 comprehensive test cases
• Proper integration: Well-positioned in the action execution flow

🟡 Key Issues to Address

1. Test Coverage Gap (Priority: High)

Only parsePlugins() is tested. The two critical functions that spawn processes (installPlugin() and installPlugins()) have 0% test coverage. This creates significant risk for production failures.

Required tests:

• Process spawning success/failure scenarios
• Error handling (ENOENT, exit codes)
• Orchestration logic
• Security validation (shell metacharacters)

See inline comment on install-plugins.test.ts for details.

2. Performance Opportunity (Priority: Medium)

Sequential plugin installation could add 10-30+ seconds for multiple plugins. Parallel installation using Promise.all() would reduce this by 60-70%.

See inline comment on line 73 of install-plugins.ts.

3. Code Consistency (Priority: Medium)

Custom console type declaration is inconsistent with the rest of the codebase. Should use @actions/core for logging like other files.

See inline comment on line 9 of install-plugins.ts.

4. Documentation Gaps (Priority: Low-Medium)

• Missing JSDoc tags (@param, @returns, @throws, @example)
• Missing plugins input in base-action/action.yml
• No usage examples in base-action/README.md

See inline comments for specific recommendations.

📊 Review Agent Results

• Code Quality: Good structure, minor consistency issues
• Performance: Acceptable, with optimization opportunity
• Test Coverage: Inadequate (33% function coverage)
• Documentation: Adequate but incomplete
• Security: Excellent, no vulnerabilities found

✅ Recommendation

Request changes to add test coverage for installPlugin() and installPlugins() before merging. The other issues can be addressed post-merge if needed, but untested process spawning code is too risky for production.

---

🤖 Generated with Claude Code

[claude]

Performance & Error Handling: Sequential installation is inefficient and provides poor error feedback.

Issues:

1. Installing plugins one-by-one adds significant CI/CD time (e.g., 5 plugins × 10s = 50s total vs 10s in parallel)
2. If plugin 3 fails, users won't know plugins 1-2 succeeded
3. Plugins 4-5 never get attempted

Recommendation: Use Promise.allSettled() for parallel installation with better error reporting:

const results = await Promise.allSettled(
  plugins.map(async (plugin) => {
    console.log(`Installing plugin: ${plugin}`);
    await installPlugin(plugin, claudeExecutable);
    console.log(`✓ Successfully installed: ${plugin}`);
  })
);

const failures = results
  .map((result, idx) => ({ result, plugin: plugins[idx] }))
  .filter(({ result }) => result.status === "rejected");

if (failures.length > 0) {
  failures.forEach(({ plugin, result }) => {
    console.error(`✗ Failed: ${plugin} - ${result.reason}`);
  });
  throw new Error(
    `Failed to install ${failures.length}/${plugins.length} plugin(s): ${failures.map(f => f.plugin).join(", ")}`
  );
}

This provides 60-80% faster installation and clear failure reporting.

[claude]

Code Quality: This console declaration should be removed.

Issues:

1. console is a global object in Node.js/Bun - this declaration is unnecessary
2. The type definition is incomplete (missing warn, info, debug, etc.)
3. This pattern doesn't exist anywhere else in the codebase
4. TypeScript already knows about console from built-in type definitions

Recommendation: Delete lines 5-9 entirely.

[claude]

Test Coverage: Critical functions are untested.

Current Coverage:

• ✅ parsePlugins: 11 comprehensive tests (excellent!)
• ❌ installPlugin: 0 tests
• ❌ installPlugins: 0 tests

Missing Test Scenarios:

1. Plugin installation success/failure paths
2. Non-zero exit codes from claude CLI
3. Process spawn errors (executable not found)
4. Error propagation in sequential installation
5. Empty plugin list handling in installPlugins

Recommendation: Add integration tests for the core functionality:

describe("installPlugin", () => {
  test("should reject when plugin installation fails", async () => {
    await expect(installPlugin("non-existent-plugin-xyz"))
      .rejects.toThrow("Failed to install plugin");
  });
});

describe("installPlugins", () => {
  test("should handle empty plugin list", async () => {
    await expect(installPlugins("")).resolves.toBeUndefined();
  });

  test("should report failures clearly", async () => {
    await expect(installPlugins("invalid-plugin"))
      .rejects.toThrow("Failed to install");
  });
});

These tests would catch regressions in the process spawning logic and error handling.

[claude]

Code Quality: Exit code handling could be more explicit about null cases.

While this works in practice, making the null handling explicit improves clarity:

process.on("close", (code: number | null) => {
  if (code === 0) {
    resolve();
  } else {
    reject(
      new Error(
        `Failed to install plugin '${pluginName}' (exit code: ${code ?? "unknown"})`,
      ),
    );
  }
});

This makes it clear that code can be null and provides a better error message in that case.

[claude]

Comprehensive Code Review

I've completed a multi-faceted review of PR #637 using specialized review agents. Here's a summary of the findings:

🎯 Overall Assessment

The plugin installation feature is well-implemented with clean code structure and excellent input parsing tests. However, there are several areas that need attention before merging.

---

⚠️ Critical Issues

1. Sequential Installation Performance & Error Handling (base-action/src/install-plugins.ts:73-77)

• Plugins install sequentially, which is slow and provides poor error feedback
• 5 plugins could take 50s sequentially vs 10s in parallel
• If one plugin fails, users don't know which others succeeded
• Recommendation: Switch to Promise.allSettled() for parallel installation with detailed error reporting

2. Missing Test Coverage (base-action/test/install-plugins.test.ts)

• Only parsePlugins has tests (11 excellent tests)
• installPlugin and installPlugins have zero tests
• Critical error paths untested: process failures, non-zero exit codes, spawn errors
• Recommendation: Add integration tests for the core installation functions

3. Documentation Completely Missing

• The plugins input isn't documented in any README or docs/ file
• Users won't discover this feature exists
• Recommendation: Add to README.md, base-action/README.md, docs/usage.md, and docs/configuration.md

---

🔧 Code Quality Issues

4. Unnecessary Console Declaration (base-action/src/install-plugins.ts:5-9)

• Manual console type declaration is unnecessary in Node.js/Bun
• Pattern doesn't exist elsewhere in codebase
• Recommendation: Remove lines 5-9

5. Exit Code Null Handling (base-action/src/install-plugins.ts:37-45)

• Should explicitly handle code ?? "unknown" for better error messages
• Recommendation: Add explicit null handling

---

✅ Security Assessment

No vulnerabilities found. The implementation correctly uses spawn() with array-based arguments, which prevents command injection. The code follows security best practices.

---

💡 Positive Observations

• Excellent input parsing with comprehensive edge case coverage
• Clean function separation and single responsibility
• Proper TypeScript usage with type annotations
• Good integration into existing codebase
• Security-conscious implementation

---

📋 Recommended Action Items

Must fix before merge:

1. Implement parallel plugin installation with Promise.allSettled()
2. Add tests for installPlugin and installPlugins functions
3. Add documentation to README files and docs/

Should fix:
4. Remove unnecessary console declaration
5. Improve exit code null handling

---

📊 Review Breakdown

• Code Quality: Several improvements needed
• Performance: Significant optimization opportunity (60-80% faster)
• Test Coverage: Critical gap in testing core functionality
• Documentation: Complete absence in user-facing docs
• Security: ✅ Secure implementation, no vulnerabilities

See inline comments for detailed recommendations and code examples.