chore: bump Claude Code version to 2.0.28

* feat: change plugins input from comma-separated to newline-separated

Changes:
- Update parsePlugins() to split by newline instead of comma for consistency with marketplaces input
- Update action.yml and base-action/action.yml with newline-separated format and realistic plugin examples
- Add plugin_marketplaces documentation to docs/usage.md
- Update all unit tests to match new installPlugins() signature (marketplaces, plugins, executable)
- Improve JSDoc comments for parsePlugins() and installPlugin() functions
- All 25 install-plugins tests passing

Breaking change: Users must update their workflows to use newline-separated format:
  Before: plugins: "plugin1,plugin2"
  After: plugins: "plugin1\nplugin2"

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* test: add comprehensive marketplace functionality tests

Critical fix: All previous tests passed undefined as marketplacesInput parameter,
leaving the entire marketplace functionality completely untested.

Added 13 new tests covering:
- Single marketplace installation
- Multiple marketplaces with newline separation
- Marketplace + plugin installation order verification
- Marketplace URL validation (format, protocol, .git extension)
- Whitespace and empty entry handling
- Error handling for marketplace operations
- Custom executable path for marketplace operations

Test coverage: 38 tests (was 25), 81 expect calls (was 50)
All tests passing ✅

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

action.yml

@@ -102,7 +102,11 @@ inputs:
     required: false
     default: ""
   plugins:
-    description: "Comma-separated list of Claude Code plugin names to install (e.g., 'plugin1,plugin2,plugin3')"
+    description: "Newline-separated list of Claude Code plugin names to install (e.g., 'code-review@claude-code-plugins\nfeature-dev@claude-code-plugins')"
+    required: false
+    default: ""
+  plugin_marketplaces:
+    description: "Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., 'https://github.com/user/marketplace1.git\nhttps://github.com/user/marketplace2.git')"
     required: false
     default: ""
 
@@ -181,7 +185,7 @@ runs:
         # Install Claude Code if no custom executable is provided
         if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
           echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.27
+          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.28
           echo "$HOME/.local/bin" >> "$GITHUB_PATH"
         else
           echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
@@ -218,6 +222,7 @@ runs:
         INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
         INPUT_PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
         INPUT_PLUGINS: ${{ inputs.plugins }}
+        INPUT_PLUGIN_MARKETPLACES: ${{ inputs.plugin_marketplaces }}
 
         # Model configuration
         GITHUB_TOKEN: ${{ steps.prepare.outputs.GITHUB_TOKEN }}

base-action/action.yml

@@ -56,7 +56,11 @@ inputs:
     required: false
     default: ""
   plugins:
-    description: "Comma-separated list of Claude Code plugin names to install (e.g., 'plugin1,plugin2,plugin3')"
+    description: "Newline-separated list of Claude Code plugin names to install (e.g., 'code-review@claude-code-plugins\nfeature-dev@claude-code-plugins')"
+    required: false
+    default: ""
+  plugin_marketplaces:
+    description: "Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., 'https://github.com/user/marketplace1.git\nhttps://github.com/user/marketplace2.git')"
     required: false
     default: ""
 
@@ -103,7 +107,7 @@ runs:
       run: |
         if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
           echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.27
+          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.28
         else
           echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
           # Add the directory containing the custom executable to PATH
@@ -131,6 +135,7 @@ runs:
         INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
         INPUT_PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
         INPUT_PLUGINS: ${{ inputs.plugins }}
+        INPUT_PLUGIN_MARKETPLACES: ${{ inputs.plugin_marketplaces }}
 
         # Provider configuration
         ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}

base-action/package-lock.json

@@ -0,0 +1,196 @@
+{
+  "name": "@anthropic-ai/claude-code-base-action",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "@anthropic-ai/claude-code-base-action",
+      "version": "1.0.0",
+      "dependencies": {
+        "@actions/core": "^1.10.1",
+        "shell-quote": "^1.8.3"
+      },
+      "devDependencies": {
+        "@types/bun": "^1.2.12",
+        "@types/node": "^20.0.0",
+        "@types/shell-quote": "^1.7.5",
+        "prettier": "3.5.3",
+        "typescript": "^5.8.3"
+      }
+    },
+    "node_modules/@actions/core": {
+      "version": "1.11.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
+      "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/exec": "^1.1.1",
+        "@actions/http-client": "^2.0.1"
+      }
+    },
+    "node_modules/@actions/exec": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/io": "^1.0.1"
+      }
+    },
+    "node_modules/@actions/http-client": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
+      "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
+      "license": "MIT",
+      "dependencies": {
+        "tunnel": "^0.0.6",
+        "undici": "^5.25.4"
+      }
+    },
+    "node_modules/@actions/io": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
+      "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
+      "license": "MIT"
+    },
+    "node_modules/@fastify/busboy": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
+      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/@types/bun": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/@types/bun/-/bun-1.3.1.tgz",
+      "integrity": "sha512-4jNMk2/K9YJtfqwoAa28c8wK+T7nvJFOjxI4h/7sORWcypRNxBpr+TPNaCfVWq70tLCJsqoFwcf0oI0JU/fvMQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "bun-types": "1.3.1"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "20.19.23",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.23.tgz",
+      "integrity": "sha512-yIdlVVVHXpmqRhtyovZAcSy0MiPcYWGkoO4CGe/+jpP0hmNuihm4XhHbADpK++MsiLHP5MVlv+bcgdF99kSiFQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "undici-types": "~6.21.0"
+      }
+    },
+    "node_modules/@types/react": {
+      "version": "19.2.2",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.2.tgz",
+      "integrity": "sha512-6mDvHUFSjyT2B2yeNx2nUgMxh9LtOWvkhIU3uePn2I2oyNymUAX1NIsdgviM4CH+JSrp2D2hsMvJOkxY+0wNRA==",
+      "dev": true,
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "csstype": "^3.0.2"
+      }
+    },
+    "node_modules/@types/shell-quote": {
+      "version": "1.7.5",
+      "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz",
+      "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/bun-types": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/bun-types/-/bun-types-1.3.1.tgz",
+      "integrity": "sha512-NMrcy7smratanWJ2mMXdpatalovtxVggkj11bScuWuiOoXTiKIu2eVS1/7qbyI/4yHedtsn175n4Sm4JcdHLXw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      },
+      "peerDependencies": {
+        "@types/react": "^19"
+      }
+    },
+    "node_modules/csstype": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.3.tgz",
+      "integrity": "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==",
+      "dev": true,
+      "license": "MIT",
+      "peer": true
+    },
+    "node_modules/prettier": {
+      "version": "3.5.3",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.5.3.tgz",
+      "integrity": "sha512-QQtaxnoDJeAkDvDKWCLiwIXkTgRhwYDEQCghU9Z6q03iyek/rxRh/2lC3HB7P8sWT2xC/y5JDctPLBIGzHKbhw==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "prettier": "bin/prettier.cjs"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/prettier/prettier?sponsor=1"
+      }
+    },
+    "node_modules/shell-quote": {
+      "version": "1.8.3",
+      "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
+      "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/undici": {
+      "version": "5.29.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
+      "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
+      "license": "MIT",
+      "dependencies": {
+        "@fastify/busboy": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=14.0"
+      }
+    },
+    "node_modules/undici-types": {
+      "version": "6.21.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
+      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "dev": true,
+      "license": "MIT"
+    }
+  }
+}

base-action/src/index.ts

@@ -18,6 +18,7 @@ async function run() {
 
     // Install Claude Code plugins if specified
     await installPlugins(
+      process.env.INPUT_PLUGIN_MARKETPLACES,
       process.env.INPUT_PLUGINS,
       process.env.INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE,
     );

base-action/src/install-plugins.ts

@@ -2,10 +2,34 @@ import { spawn, ChildProcess } from "child_process";
 
 const PLUGIN_NAME_REGEX = /^[@a-zA-Z0-9_\-\/\.]+$/;
 const MAX_PLUGIN_NAME_LENGTH = 512;
-const CLAUDE_CODE_MARKETPLACE_URL =
-  "https://github.com/anthropics/claude-code.git";
 const PATH_TRAVERSAL_REGEX =
   /\.\.\/|\/\.\.|\.\/|\/\.|(?:^|\/)\.\.$|(?:^|\/)\.$|\.\.(?![0-9])/;
+const MARKETPLACE_URL_REGEX =
+  /^https:\/\/[a-zA-Z0-9\-._~:/?#[\]@!$&'()*+,;=%]+\.git$/;
+
+/**
+ * Validates a marketplace URL for security issues
+ * @param url - The marketplace URL to validate
+ * @throws {Error} If the URL is invalid
+ */
+function validateMarketplaceUrl(url: string): void {
+  const normalized = url.trim();
+
+  if (!normalized) {
+    throw new Error("Marketplace URL cannot be empty");
+  }
+
+  if (!MARKETPLACE_URL_REGEX.test(normalized)) {
+    throw new Error(`Invalid marketplace URL format: ${url}`);
+  }
+
+  // Additional check for valid URL structure
+  try {
+    new URL(normalized);
+  } catch {
+    throw new Error(`Invalid marketplace URL: ${url}`);
+  }
+}
 
 /**
  * Validates a plugin name for security issues
@@ -31,10 +55,37 @@ function validatePluginName(pluginName: string): void {
 }
 
 /**
- * Parse a comma-separated list of plugin names and return an array of trimmed, non-empty plugin names
+ * Parse a newline-separated list of marketplace URLs and return an array of validated URLs
+ * @param marketplaces - Newline-separated list of marketplace Git URLs
+ * @returns Array of validated marketplace URLs (empty array if none provided)
+ */
+function parseMarketplaces(marketplaces?: string): string[] {
+  const trimmed = marketplaces?.trim();
+
+  if (!trimmed) {
+    return [];
+  }
+
+  // Split by newline and process each URL
+  return trimmed
+    .split("\n")
+    .map((url) => url.trim())
+    .filter((url) => {
+      if (url.length === 0) return false;
+
+      validateMarketplaceUrl(url);
+      return true;
+    });
+}
+
+/**
+ * Parse a newline-separated list of plugin names and return an array of trimmed, non-empty plugin names
  * Validates plugin names to prevent command injection and path traversal attacks
  * Allows: letters, numbers, @, -, _, /, . (common npm/scoped package characters)
  * Disallows: path traversal (../, ./), shell metacharacters, and consecutive dots
+ * @param plugins - Newline-separated list of plugin names, or undefined/empty to return empty array
+ * @returns Array of validated plugin names (empty array if none provided)
+ * @throws {Error} If any plugin name fails validation
  */
 function parsePlugins(plugins?: string): string[] {
   const trimmedPlugins = plugins?.trim();
@@ -43,9 +94,9 @@ function parsePlugins(plugins?: string): string[] {
     return [];
   }
 
-  // Split by comma and process each plugin
+  // Split by newline and process each plugin
   return trimmedPlugins
-    .split(",")
+    .split("\n")
     .map((p) => p.trim())
     .filter((p) => {
       if (p.length === 0) return false;
@@ -91,11 +142,17 @@ async function executeClaudeCommand(
 
 /**
  * Installs a single Claude Code plugin
+ * @param pluginName - The name of the plugin to install
+ * @param claudeExecutable - Path to the Claude executable
+ * @returns Promise that resolves when the plugin is installed successfully
+ * @throws {Error} If the plugin installation fails
  */
 async function installPlugin(
   pluginName: string,
   claudeExecutable: string,
 ): Promise<void> {
+  console.log(`Installing plugin: ${pluginName}`);
+
   return executeClaudeCommand(
     claudeExecutable,
     ["plugin", "install", pluginName],
@@ -104,52 +161,62 @@ async function installPlugin(
 }
 
 /**
- * Adds the Claude Code marketplace
+ * Adds a Claude Code plugin marketplace
  * @param claudeExecutable - Path to the Claude executable
+ * @param marketplaceUrl - The marketplace Git URL to add
  * @returns Promise that resolves when the marketplace add command completes
  * @throws {Error} If the command fails to execute
  */
-async function addMarketplace(claudeExecutable: string): Promise<void> {
+async function addMarketplace(
-  console.log("Adding Claude Code marketplace...");
+  claudeExecutable: string,
+  marketplaceUrl: string,
+): Promise<void> {
+  console.log(`Adding marketplace: ${marketplaceUrl}`);
 
   return executeClaudeCommand(
     claudeExecutable,
-    ["plugin", "marketplace", "add", CLAUDE_CODE_MARKETPLACE_URL],
+    ["plugin", "marketplace", "add", marketplaceUrl],
-    "Failed to add marketplace",
+    `Failed to add marketplace '${marketplaceUrl}'`,
   );
 }
 
 /**
- * Installs Claude Code plugins from a comma-separated list
+ * Installs Claude Code plugins from a newline-separated list
- * @param pluginsInput - Comma-separated list of plugin names, or undefined/empty to skip installation
+ * @param marketplacesInput - Newline-separated list of marketplace Git URLs
+ * @param pluginsInput - Newline-separated list of plugin names
  * @param claudeExecutable - Path to the Claude executable (defaults to "claude")
  * @returns Promise that resolves when all plugins are installed
  * @throws {Error} If any plugin fails validation or installation (stops on first error)
  */
 export async function installPlugins(
-  pluginsInput: string | undefined,
+  marketplacesInput?: string,
+  pluginsInput?: string,
   claudeExecutable?: string,
 ): Promise<void> {
-  const plugins = parsePlugins(pluginsInput);
-
-  if (plugins.length === 0) {
-    console.log("No plugins to install");
-    return;
-  }
-
   // Resolve executable path with explicit fallback
   const resolvedExecutable = claudeExecutable || "claude";
 
-  // Add marketplace before installing plugins
+  // Parse and add all marketplaces before installing plugins
-  await addMarketplace(resolvedExecutable);
+  const marketplaces = parseMarketplaces(marketplacesInput);
 
-  console.log(`Installing ${plugins.length} plugin(s)...`);
+  if (marketplaces.length > 0) {
-
+    console.log(`Adding ${marketplaces.length} marketplace(s)...`);
-  for (const plugin of plugins) {
+    for (const marketplace of marketplaces) {
-    console.log(`Installing plugin: ${plugin}`);
+      await addMarketplace(resolvedExecutable, marketplace);
-    await installPlugin(plugin, resolvedExecutable);
+      console.log(`✓ Successfully added marketplace: ${marketplace}`);
-    console.log(`✓ Successfully installed: ${plugin}`);
+    }
+  } else {
+    console.log("No marketplaces specified, skipping marketplace setup");
   }
 
-  console.log("All plugins installed successfully");
+  const plugins = parsePlugins(pluginsInput);
+  if (plugins.length > 0) {
+    console.log(`Installing ${plugins.length} plugin(s)...`);
+    for (const plugin of plugins) {
+      await installPlugin(plugin, resolvedExecutable);
+      console.log(`✓ Successfully installed: ${plugin}`);
+    }
+  } else {
+    console.log("No plugins specified, skipping plugins installation");
+  }
 }

base-action/test/install-plugins.test.ts

@@ -39,43 +39,31 @@ describe("installPlugins", () => {
 
   test("should not call spawn when no plugins are specified", async () => {
     const spy = createMockSpawn();
-    await installPlugins("");
+    await installPlugins(undefined, "");
     expect(spy).not.toHaveBeenCalled();
   });
 
   test("should not call spawn when plugins is undefined", async () => {
     const spy = createMockSpawn();
-    await installPlugins(undefined);
+    await installPlugins(undefined, undefined);
     expect(spy).not.toHaveBeenCalled();
   });
 
   test("should not call spawn when plugins is only whitespace", async () => {
     const spy = createMockSpawn();
-    await installPlugins("   ");
+    await installPlugins(undefined, "   ");
     expect(spy).not.toHaveBeenCalled();
   });
 
   test("should install a single plugin with default executable", async () => {
     const spy = createMockSpawn();
-    await installPlugins("test-plugin");
+    await installPlugins(undefined, "test-plugin");
 
-    expect(spy).toHaveBeenCalledTimes(2);
+    expect(spy).toHaveBeenCalledTimes(1);
-    // First call: add marketplace
+    // Only call: install plugin (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    // Second call: install plugin
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "claude",
       ["plugin", "install", "test-plugin"],
       { stdio: "inherit" },
     );
@@ -83,36 +71,24 @@ describe("installPlugins", () => {
 
   test("should install multiple plugins sequentially", async () => {
     const spy = createMockSpawn();
-    await installPlugins("plugin1,plugin2,plugin3");
+    await installPlugins(undefined, "plugin1\nplugin2\nplugin3");
 
-    expect(spy).toHaveBeenCalledTimes(4);
+    expect(spy).toHaveBeenCalledTimes(3);
-    // First call: add marketplace
+    // Install plugins (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    // Subsequent calls: install plugins
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "claude",
       ["plugin", "install", "plugin1"],
       { stdio: "inherit" },
     );
     expect(spy).toHaveBeenNthCalledWith(
-      3,
+      2,
       "claude",
       ["plugin", "install", "plugin2"],
       { stdio: "inherit" },
     );
     expect(spy).toHaveBeenNthCalledWith(
-      4,
+      3,
       "claude",
       ["plugin", "install", "plugin3"],
       { stdio: "inherit" },
@@ -121,25 +97,13 @@ describe("installPlugins", () => {
 
   test("should use custom claude executable path when provided", async () => {
     const spy = createMockSpawn();
-    await installPlugins("test-plugin", "/custom/path/to/claude");
+    await installPlugins(undefined, "test-plugin", "/custom/path/to/claude");
 
-    expect(spy).toHaveBeenCalledTimes(2);
+    expect(spy).toHaveBeenCalledTimes(1);
-    // First call: add marketplace
+    // Only call: install plugin (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "/custom/path/to/claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    // Second call: install plugin
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "/custom/path/to/claude",
       ["plugin", "install", "test-plugin"],
       { stdio: "inherit" },
     );
@@ -147,29 +111,18 @@ describe("installPlugins", () => {
 
   test("should trim whitespace from plugin names before installation", async () => {
     const spy = createMockSpawn();
-    await installPlugins(" plugin1 , plugin2 ");
+    await installPlugins(undefined, " plugin1 \n plugin2 ");
 
-    expect(spy).toHaveBeenCalledTimes(3);
+    expect(spy).toHaveBeenCalledTimes(2);
-    // First call: add marketplace
+    // Install plugins (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "claude",
       ["plugin", "install", "plugin1"],
       { stdio: "inherit" },
     );
     expect(spy).toHaveBeenNthCalledWith(
-      3,
+      2,
       "claude",
       ["plugin", "install", "plugin2"],
       { stdio: "inherit" },
@@ -178,29 +131,18 @@ describe("installPlugins", () => {
 
   test("should skip empty entries in plugin list", async () => {
     const spy = createMockSpawn();
-    await installPlugins("plugin1,,plugin2");
+    await installPlugins(undefined, "plugin1\n\nplugin2");
 
-    expect(spy).toHaveBeenCalledTimes(3);
+    expect(spy).toHaveBeenCalledTimes(2);
-    // First call: add marketplace
+    // Install plugins (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "claude",
       ["plugin", "install", "plugin1"],
       { stdio: "inherit" },
     );
     expect(spy).toHaveBeenNthCalledWith(
-      3,
+      2,
       "claude",
       ["plugin", "install", "plugin2"],
       { stdio: "inherit" },
@@ -210,55 +152,46 @@ describe("installPlugins", () => {
   test("should handle plugin installation error and throw", async () => {
     createMockSpawn(1, false); // Exit code 1
 
-    await expect(installPlugins("failing-plugin")).rejects.toThrow(
+    await expect(installPlugins(undefined, "failing-plugin")).rejects.toThrow(
-      "Failed to add marketplace (exit code: 1)",
+      "Failed to install plugin 'failing-plugin' (exit code: 1)",
     );
   });
 
   test("should handle null exit code (process terminated by signal)", async () => {
     createMockSpawn(null, false); // Exit code null (terminated by signal)
 
-    await expect(installPlugins("terminated-plugin")).rejects.toThrow(
+    await expect(
-      "Failed to add marketplace: process terminated by signal",
+      installPlugins(undefined, "terminated-plugin"),
+    ).rejects.toThrow(
+      "Failed to install plugin 'terminated-plugin': process terminated by signal",
     );
   });
 
   test("should stop installation on first error", async () => {
     const spy = createMockSpawn(1, false); // Exit code 1
 
-    await expect(installPlugins("plugin1,plugin2,plugin3")).rejects.toThrow(
+    await expect(
-      "Failed to add marketplace (exit code: 1)",
+      installPlugins(undefined, "plugin1\nplugin2\nplugin3"),
-    );
+    ).rejects.toThrow("Failed to install plugin 'plugin1' (exit code: 1)");
 
-    // Should only try to add marketplace before failing
+    // Should only try to install first plugin before failing
     expect(spy).toHaveBeenCalledTimes(1);
   });
 
   test("should handle plugins with special characters in names", async () => {
     const spy = createMockSpawn();
-    await installPlugins("org/plugin-name,@scope/plugin");
+    await installPlugins(undefined, "org/plugin-name\n@scope/plugin");
 
-    expect(spy).toHaveBeenCalledTimes(3);
+    expect(spy).toHaveBeenCalledTimes(2);
-    // First call: add marketplace
+    // Install plugins (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "claude",
       ["plugin", "install", "org/plugin-name"],
       { stdio: "inherit" },
     );
     expect(spy).toHaveBeenNthCalledWith(
-      3,
+      2,
       "claude",
       ["plugin", "install", "@scope/plugin"],
       { stdio: "inherit" },
@@ -268,36 +201,29 @@ describe("installPlugins", () => {
   test("should handle spawn errors", async () => {
     createMockSpawn(0, true); // Trigger error event
 
-    await expect(installPlugins("test-plugin")).rejects.toThrow(
+    await expect(installPlugins(undefined, "test-plugin")).rejects.toThrow(
-      "Failed to add marketplace: spawn error",
+      "Failed to install plugin 'test-plugin': spawn error",
     );
   });
 
   test("should install plugins with custom executable and multiple plugins", async () => {
     const spy = createMockSpawn();
-    await installPlugins("plugin-a,plugin-b", "/usr/local/bin/claude-custom");
+    await installPlugins(
+      undefined,
+      "plugin-a\nplugin-b",
+      "/usr/local/bin/claude-custom",
+    );
 
-    expect(spy).toHaveBeenCalledTimes(3);
+    expect(spy).toHaveBeenCalledTimes(2);
-    // First call: add marketplace
+    // Install plugins (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "/usr/local/bin/claude-custom",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "/usr/local/bin/claude-custom",
       ["plugin", "install", "plugin-a"],
       { stdio: "inherit" },
     );
     expect(spy).toHaveBeenNthCalledWith(
-      3,
+      2,
       "/usr/local/bin/claude-custom",
       ["plugin", "install", "plugin-b"],
       { stdio: "inherit" },
@@ -308,9 +234,9 @@ describe("installPlugins", () => {
     const spy = createMockSpawn();
 
     // Should throw due to invalid characters (semicolon and spaces)
-    await expect(installPlugins("plugin-name; rm -rf /")).rejects.toThrow(
+    await expect(
-      "Invalid plugin name format",
+      installPlugins(undefined, "plugin-name; rm -rf /"),
-    );
+    ).rejects.toThrow("Invalid plugin name format");
 
     // Mock should never be called because validation fails first
     expect(spy).not.toHaveBeenCalled();
@@ -319,9 +245,9 @@ describe("installPlugins", () => {
   test("should reject plugin names with path traversal using ../", async () => {
     const spy = createMockSpawn();
 
-    await expect(installPlugins("../../../malicious-plugin")).rejects.toThrow(
+    await expect(
-      "Invalid plugin name format",
+      installPlugins(undefined, "../../../malicious-plugin"),
-    );
+    ).rejects.toThrow("Invalid plugin name format");
 
     expect(spy).not.toHaveBeenCalled();
   });
@@ -329,9 +255,9 @@ describe("installPlugins", () => {
   test("should reject plugin names with path traversal using ./", async () => {
     const spy = createMockSpawn();
 
-    await expect(installPlugins("./../../@scope/package")).rejects.toThrow(
+    await expect(
-      "Invalid plugin name format",
+      installPlugins(undefined, "./../../@scope/package"),
-    );
+    ).rejects.toThrow("Invalid plugin name format");
 
     expect(spy).not.toHaveBeenCalled();
   });
@@ -339,7 +265,7 @@ describe("installPlugins", () => {
   test("should reject plugin names with consecutive dots", async () => {
     const spy = createMockSpawn();
 
-    await expect(installPlugins(".../.../package")).rejects.toThrow(
+    await expect(installPlugins(undefined, ".../.../package")).rejects.toThrow(
       "Invalid plugin name format",
     );
 
@@ -349,7 +275,7 @@ describe("installPlugins", () => {
   test("should reject plugin names with hidden path traversal", async () => {
     const spy = createMockSpawn();
 
-    await expect(installPlugins("package/../other")).rejects.toThrow(
+    await expect(installPlugins(undefined, "package/../other")).rejects.toThrow(
       "Invalid plugin name format",
     );
 
@@ -358,24 +284,13 @@ describe("installPlugins", () => {
 
   test("should accept plugin names with single dots in version numbers", async () => {
     const spy = createMockSpawn();
-    await installPlugins("plugin-v1.0.2");
+    await installPlugins(undefined, "plugin-v1.0.2");
 
-    expect(spy).toHaveBeenCalledTimes(2);
+    expect(spy).toHaveBeenCalledTimes(1);
-    // First call: add marketplace
+    // Only call: install plugin (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "claude",
       ["plugin", "install", "plugin-v1.0.2"],
       { stdio: "inherit" },
     );
@@ -383,24 +298,13 @@ describe("installPlugins", () => {
 
   test("should accept plugin names with multiple dots in semantic versions", async () => {
     const spy = createMockSpawn();
-    await installPlugins("@scope/plugin-v1.0.0-beta.1");
+    await installPlugins(undefined, "@scope/plugin-v1.0.0-beta.1");
 
-    expect(spy).toHaveBeenCalledTimes(2);
+    expect(spy).toHaveBeenCalledTimes(1);
-    // First call: add marketplace
+    // Only call: install plugin (no marketplace without explicit marketplace input)
     expect(spy).toHaveBeenNthCalledWith(
       1,
       "claude",
-      [
-        "plugin",
-        "marketplace",
-        "add",
-        "https://github.com/anthropics/claude-code.git",
-      ],
-      { stdio: "inherit" },
-    );
-    expect(spy).toHaveBeenNthCalledWith(
-      2,
-      "claude",
       ["plugin", "install", "@scope/plugin-v1.0.0-beta.1"],
       { stdio: "inherit" },
     );
@@ -410,7 +314,7 @@ describe("installPlugins", () => {
     const spy = createMockSpawn();
 
     // Using fullwidth dots (U+FF0E) and fullwidth solidus (U+FF0F)
-    await expect(installPlugins("．．／malicious")).rejects.toThrow(
+    await expect(installPlugins(undefined, "．．／malicious")).rejects.toThrow(
       "Invalid plugin name format",
     );
 
@@ -420,7 +324,7 @@ describe("installPlugins", () => {
   test("should reject path traversal at end of path", async () => {
     const spy = createMockSpawn();
 
-    await expect(installPlugins("package/..")).rejects.toThrow(
+    await expect(installPlugins(undefined, "package/..")).rejects.toThrow(
       "Invalid plugin name format",
     );
 
@@ -430,7 +334,7 @@ describe("installPlugins", () => {
   test("should reject single dot directory reference", async () => {
     const spy = createMockSpawn();
 
-    await expect(installPlugins("package/.")).rejects.toThrow(
+    await expect(installPlugins(undefined, "package/.")).rejects.toThrow(
       "Invalid plugin name format",
     );
 
@@ -440,10 +344,256 @@ describe("installPlugins", () => {
   test("should reject path traversal in middle of path", async () => {
     const spy = createMockSpawn();
 
-    await expect(installPlugins("package/../other")).rejects.toThrow(
+    await expect(installPlugins(undefined, "package/../other")).rejects.toThrow(
       "Invalid plugin name format",
     );
 
     expect(spy).not.toHaveBeenCalled();
   });
+
+  // Marketplace functionality tests
+  test("should add a single marketplace before installing plugins", async () => {
+    const spy = createMockSpawn();
+    await installPlugins(
+      "https://github.com/user/marketplace.git",
+      "test-plugin",
+    );
+
+    expect(spy).toHaveBeenCalledTimes(2);
+    // First call: add marketplace
+    expect(spy).toHaveBeenNthCalledWith(
+      1,
+      "claude",
+      [
+        "plugin",
+        "marketplace",
+        "add",
+        "https://github.com/user/marketplace.git",
+      ],
+      { stdio: "inherit" },
+    );
+    // Second call: install plugin
+    expect(spy).toHaveBeenNthCalledWith(
+      2,
+      "claude",
+      ["plugin", "install", "test-plugin"],
+      { stdio: "inherit" },
+    );
+  });
+
+  test("should add multiple marketplaces with newline separation", async () => {
+    const spy = createMockSpawn();
+    await installPlugins(
+      "https://github.com/user/m1.git\nhttps://github.com/user/m2.git",
+      "test-plugin",
+    );
+
+    expect(spy).toHaveBeenCalledTimes(3); // 2 marketplaces + 1 plugin
+    // First two calls: add marketplaces
+    expect(spy).toHaveBeenNthCalledWith(
+      1,
+      "claude",
+      ["plugin", "marketplace", "add", "https://github.com/user/m1.git"],
+      { stdio: "inherit" },
+    );
+    expect(spy).toHaveBeenNthCalledWith(
+      2,
+      "claude",
+      ["plugin", "marketplace", "add", "https://github.com/user/m2.git"],
+      { stdio: "inherit" },
+    );
+    // Third call: install plugin
+    expect(spy).toHaveBeenNthCalledWith(
+      3,
+      "claude",
+      ["plugin", "install", "test-plugin"],
+      { stdio: "inherit" },
+    );
+  });
+
+  test("should add marketplaces before installing multiple plugins", async () => {
+    const spy = createMockSpawn();
+    await installPlugins(
+      "https://github.com/user/marketplace.git",
+      "plugin1\nplugin2",
+    );
+
+    expect(spy).toHaveBeenCalledTimes(3); // 1 marketplace + 2 plugins
+    // First call: add marketplace
+    expect(spy).toHaveBeenNthCalledWith(
+      1,
+      "claude",
+      [
+        "plugin",
+        "marketplace",
+        "add",
+        "https://github.com/user/marketplace.git",
+      ],
+      { stdio: "inherit" },
+    );
+    // Next calls: install plugins
+    expect(spy).toHaveBeenNthCalledWith(
+      2,
+      "claude",
+      ["plugin", "install", "plugin1"],
+      { stdio: "inherit" },
+    );
+    expect(spy).toHaveBeenNthCalledWith(
+      3,
+      "claude",
+      ["plugin", "install", "plugin2"],
+      { stdio: "inherit" },
+    );
+  });
+
+  test("should handle only marketplaces without plugins", async () => {
+    const spy = createMockSpawn();
+    await installPlugins("https://github.com/user/marketplace.git", undefined);
+
+    expect(spy).toHaveBeenCalledTimes(1);
+    expect(spy).toHaveBeenNthCalledWith(
+      1,
+      "claude",
+      [
+        "plugin",
+        "marketplace",
+        "add",
+        "https://github.com/user/marketplace.git",
+      ],
+      { stdio: "inherit" },
+    );
+  });
+
+  test("should skip empty marketplace entries", async () => {
+    const spy = createMockSpawn();
+    await installPlugins(
+      "https://github.com/user/m1.git\n\nhttps://github.com/user/m2.git",
+      "test-plugin",
+    );
+
+    expect(spy).toHaveBeenCalledTimes(3); // 2 marketplaces (skip empty) + 1 plugin
+  });
+
+  test("should trim whitespace from marketplace URLs", async () => {
+    const spy = createMockSpawn();
+    await installPlugins(
+      "  https://github.com/user/marketplace.git  \n  https://github.com/user/m2.git  ",
+      "test-plugin",
+    );
+
+    expect(spy).toHaveBeenCalledTimes(3);
+    expect(spy).toHaveBeenNthCalledWith(
+      1,
+      "claude",
+      [
+        "plugin",
+        "marketplace",
+        "add",
+        "https://github.com/user/marketplace.git",
+      ],
+      { stdio: "inherit" },
+    );
+    expect(spy).toHaveBeenNthCalledWith(
+      2,
+      "claude",
+      ["plugin", "marketplace", "add", "https://github.com/user/m2.git"],
+      { stdio: "inherit" },
+    );
+  });
+
+  test("should reject invalid marketplace URL format", async () => {
+    const spy = createMockSpawn();
+
+    await expect(
+      installPlugins("not-a-valid-url", "test-plugin"),
+    ).rejects.toThrow("Invalid marketplace URL format");
+
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test("should reject marketplace URL without .git extension", async () => {
+    const spy = createMockSpawn();
+
+    await expect(
+      installPlugins("https://github.com/user/marketplace", "test-plugin"),
+    ).rejects.toThrow("Invalid marketplace URL format");
+
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test("should reject marketplace URL with non-https protocol", async () => {
+    const spy = createMockSpawn();
+
+    await expect(
+      installPlugins("http://github.com/user/marketplace.git", "test-plugin"),
+    ).rejects.toThrow("Invalid marketplace URL format");
+
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test("should skip whitespace-only marketplace input", async () => {
+    const spy = createMockSpawn();
+    await installPlugins("   ", "test-plugin");
+
+    // Should skip marketplaces and only install plugin
+    expect(spy).toHaveBeenCalledTimes(1);
+    expect(spy).toHaveBeenNthCalledWith(
+      1,
+      "claude",
+      ["plugin", "install", "test-plugin"],
+      { stdio: "inherit" },
+    );
+  });
+
+  test("should handle marketplace addition error", async () => {
+    createMockSpawn(1, false); // Exit code 1
+
+    await expect(
+      installPlugins("https://github.com/user/marketplace.git", "test-plugin"),
+    ).rejects.toThrow(
+      "Failed to add marketplace 'https://github.com/user/marketplace.git' (exit code: 1)",
+    );
+  });
+
+  test("should stop if marketplace addition fails before installing plugins", async () => {
+    const spy = createMockSpawn(1, false); // Exit code 1
+
+    await expect(
+      installPlugins(
+        "https://github.com/user/marketplace.git",
+        "plugin1\nplugin2",
+      ),
+    ).rejects.toThrow("Failed to add marketplace");
+
+    // Should only try to add marketplace, not install any plugins
+    expect(spy).toHaveBeenCalledTimes(1);
+  });
+
+  test("should use custom executable for marketplace operations", async () => {
+    const spy = createMockSpawn();
+    await installPlugins(
+      "https://github.com/user/marketplace.git",
+      "test-plugin",
+      "/custom/path/to/claude",
+    );
+
+    expect(spy).toHaveBeenCalledTimes(2);
+    expect(spy).toHaveBeenNthCalledWith(
+      1,
+      "/custom/path/to/claude",
+      [
+        "plugin",
+        "marketplace",
+        "add",
+        "https://github.com/user/marketplace.git",
+      ],
+      { stdio: "inherit" },
+    );
+    expect(spy).toHaveBeenNthCalledWith(
+      2,
+      "/custom/path/to/claude",
+      ["plugin", "install", "test-plugin"],
+      { stdio: "inherit" },
+    );
+  });
 });

docs/create-app.html

@@ -0,0 +1,744 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Create Claude Code GitHub App</title>
+    <style>
+      * {
+        box-sizing: border-box;
+        margin: 0;
+        padding: 0;
+      }
+
+      :root {
+        /* Claude Brand Colors */
+        --primary-dark: #0e0e0e;
+        --primary-light: #d4a27f;
+        --background-light: rgb(253, 253, 247);
+        --background-dark: rgb(9, 9, 11);
+        --text-primary: #1a1a1a;
+        --text-secondary: #525252;
+        --text-tertiary: #737373;
+        --border-color: rgba(0, 0, 0, 0.08);
+        --hover-bg: rgba(0, 0, 0, 0.02);
+        --success: #2ea44f;
+        --warning: #e3b341;
+        --card-shadow:
+          0 1px 3px rgba(0, 0, 0, 0.06), 0 1px 2px rgba(0, 0, 0, 0.04);
+        --card-shadow-hover:
+          0 4px 6px rgba(0, 0, 0, 0.07), 0 2px 4px rgba(0, 0, 0, 0.05);
+      }
+
+      body {
+        font-family:
+          -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto,
+          "Helvetica Neue", Arial, sans-serif;
+        background: var(--background-light);
+        color: var(--text-primary);
+        line-height: 1.6;
+        -webkit-font-smoothing: antialiased;
+        -moz-osx-font-smoothing: grayscale;
+      }
+
+      .container {
+        max-width: 960px;
+        margin: 0 auto;
+        padding: 40px 24px;
+      }
+
+      /* Header */
+      header {
+        text-align: center;
+        margin-bottom: 48px;
+      }
+
+      h1 {
+        font-size: 36px;
+        font-weight: 600;
+        color: var(--text-primary);
+        margin-bottom: 12px;
+        letter-spacing: -0.02em;
+      }
+
+      .subtitle {
+        font-size: 18px;
+        color: var(--text-secondary);
+        max-width: 640px;
+        margin: 0 auto;
+        line-height: 1.5;
+      }
+
+      /* Cards */
+      .card {
+        background: white;
+        border: 1px solid var(--border-color);
+        border-radius: 12px;
+        padding: 32px;
+        margin-bottom: 24px;
+        box-shadow: var(--card-shadow);
+        transition: all 0.2s ease;
+      }
+
+      .card:hover {
+        box-shadow: var(--card-shadow-hover);
+      }
+
+      .card-header {
+        display: flex;
+        align-items: center;
+        gap: 12px;
+        margin-bottom: 20px;
+      }
+
+      .card-icon {
+        font-size: 24px;
+        line-height: 1;
+      }
+
+      h2 {
+        font-size: 20px;
+        font-weight: 600;
+        color: var(--text-primary);
+        margin: 0;
+        letter-spacing: -0.01em;
+      }
+
+      .card-description {
+        color: var(--text-secondary);
+        margin-bottom: 24px;
+        font-size: 15px;
+        line-height: 1.6;
+      }
+
+      /* Buttons */
+      .button-group {
+        display: flex;
+        flex-direction: column;
+        gap: 16px;
+      }
+
+      .btn {
+        display: inline-flex;
+        align-items: center;
+        justify-content: center;
+        gap: 8px;
+        padding: 12px 24px;
+        font-size: 15px;
+        font-weight: 500;
+        border-radius: 8px;
+        border: none;
+        cursor: pointer;
+        transition: all 0.2s ease;
+        text-decoration: none;
+        font-family: inherit;
+        width: 100%;
+      }
+
+      .btn-primary {
+        background: var(--primary-dark);
+        color: white;
+      }
+
+      .btn-primary:hover {
+        background: #1a1a1a;
+        transform: translateY(-1px);
+        box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15);
+      }
+
+      .btn-secondary {
+        background: var(--primary-light);
+        color: var(--primary-dark);
+      }
+
+      .btn-secondary:hover {
+        background: #c99a70;
+        transform: translateY(-1px);
+        box-shadow: 0 4px 12px rgba(212, 162, 127, 0.3);
+      }
+
+      .btn-outline {
+        background: white;
+        color: var(--text-primary);
+        border: 1px solid var(--border-color);
+      }
+
+      .btn-outline:hover {
+        background: var(--hover-bg);
+        border-color: var(--text-secondary);
+      }
+
+      .btn:active {
+        transform: translateY(0);
+      }
+
+      .btn.copied {
+        background: var(--success);
+        color: white;
+      }
+
+      /* Form */
+      .form-row {
+        display: flex;
+        gap: 12px;
+        align-items: flex-end;
+      }
+
+      .form-group {
+        flex: 1;
+      }
+
+      label {
+        display: block;
+        font-size: 14px;
+        font-weight: 500;
+        color: var(--text-primary);
+        margin-bottom: 6px;
+      }
+
+      input[type="text"] {
+        width: 100%;
+        padding: 10px 14px;
+        font-size: 15px;
+        border: 1px solid var(--border-color);
+        border-radius: 8px;
+        font-family: inherit;
+        transition: all 0.2s ease;
+        background: white;
+      }
+
+      input[type="text"]:focus {
+        outline: none;
+        border-color: var(--primary-dark);
+        box-shadow: 0 0 0 3px rgba(14, 14, 14, 0.1);
+      }
+
+      /* Code Block */
+      .code-container {
+        position: relative;
+        background: #fafafa;
+        border: 1px solid var(--border-color);
+        border-radius: 8px;
+        margin: 20px 0;
+      }
+
+      .code-header {
+        display: flex;
+        justify-content: space-between;
+        align-items: center;
+        padding: 12px 16px;
+        border-bottom: 1px solid var(--border-color);
+      }
+
+      .code-label {
+        font-size: 13px;
+        font-weight: 500;
+        color: var(--text-secondary);
+      }
+
+      .copy-btn {
+        padding: 6px 12px;
+        font-size: 13px;
+        font-weight: 500;
+        background: white;
+        color: var(--text-primary);
+        border: 1px solid var(--border-color);
+        border-radius: 6px;
+        cursor: pointer;
+        transition: all 0.2s ease;
+      }
+
+      .copy-btn:hover {
+        background: var(--hover-bg);
+      }
+
+      .copy-btn.copied {
+        background: var(--success);
+        color: white;
+        border-color: var(--success);
+      }
+
+      .code-block {
+        padding: 16px;
+        overflow-x: auto;
+        font-family:
+          "SF Mono", Monaco, "Cascadia Code", "Roboto Mono", Consolas,
+          "Courier New", monospace;
+        font-size: 13px;
+        line-height: 1.6;
+        color: var(--text-primary);
+        white-space: pre;
+      }
+
+      /* Permissions List */
+      .permissions-grid {
+        display: grid;
+        gap: 12px;
+        margin-top: 16px;
+      }
+
+      .permission-item {
+        display: flex;
+        align-items: center;
+        gap: 10px;
+        padding: 10px 14px;
+        background: #fafafa;
+        border-radius: 8px;
+        font-size: 14px;
+      }
+
+      .permission-icon {
+        color: var(--success);
+        font-size: 16px;
+        line-height: 1;
+      }
+
+      .permission-name {
+        font-weight: 500;
+        color: var(--text-primary);
+      }
+
+      .permission-value {
+        margin-left: auto;
+        color: var(--text-secondary);
+        font-size: 13px;
+      }
+
+      /* Steps */
+      .steps {
+        margin: 24px 0;
+      }
+
+      .step {
+        display: flex;
+        gap: 16px;
+        margin-bottom: 20px;
+      }
+
+      .step-number {
+        flex-shrink: 0;
+        width: 28px;
+        height: 28px;
+        background: var(--primary-dark);
+        color: white;
+        border-radius: 50%;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        font-size: 14px;
+        font-weight: 600;
+      }
+
+      .step-content {
+        flex: 1;
+        padding-top: 2px;
+      }
+
+      .step-content p {
+        color: var(--text-secondary);
+        font-size: 15px;
+        line-height: 1.6;
+      }
+
+      .step-content strong {
+        color: var(--text-primary);
+        font-weight: 500;
+      }
+
+      /* Alert Box */
+      .alert {
+        display: flex;
+        gap: 12px;
+        padding: 16px;
+        background: #fffbf0;
+        border: 1px solid #f5e7c3;
+        border-radius: 8px;
+        margin-top: 32px;
+      }
+
+      .alert-icon {
+        font-size: 18px;
+        line-height: 1;
+        flex-shrink: 0;
+      }
+
+      .alert-content {
+        flex: 1;
+        font-size: 14px;
+        line-height: 1.6;
+      }
+
+      .alert-content strong {
+        color: var(--text-primary);
+        font-weight: 600;
+      }
+
+      /* Responsive */
+      @media (min-width: 640px) {
+        .button-group {
+          flex-direction: row;
+        }
+
+        .btn {
+          width: auto;
+        }
+
+        .permissions-grid {
+          grid-template-columns: repeat(2, 1fr);
+        }
+      }
+
+      @media (max-width: 640px) {
+        h1 {
+          font-size: 28px;
+        }
+
+        .subtitle {
+          font-size: 16px;
+        }
+
+        .card {
+          padding: 24px 20px;
+        }
+
+        .container {
+          padding: 24px 16px;
+        }
+      }
+
+      /* Hidden form elements */
+      .hidden-form {
+        display: none;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <header>
+        <h1>Create Your Custom GitHub App</h1>
+        <p class="subtitle">
+          Set up a custom GitHub App for Claude Code Action with all required
+          permissions automatically configured.
+        </p>
+      </header>
+
+      <!-- Quick Setup Card -->
+      <div class="card">
+        <div class="card-header">
+          <span class="card-icon">🚀</span>
+          <h2>Quick Setup</h2>
+        </div>
+        <p class="card-description">
+          Create your GitHub App with one click. All permissions will be
+          automatically configured for Claude Code Action.
+        </p>
+
+        <div class="button-group">
+          <!-- Personal Account Button -->
+          <form
+            action="https://github.com/settings/apps/new"
+            method="post"
+            class="hidden-form"
+            id="personal-form"
+          >
+            <input type="hidden" name="manifest" id="personal-manifest" />
+          </form>
+          <button
+            type="button"
+            class="btn btn-primary"
+            onclick="submitPersonalForm()"
+          >
+            <span>👤</span>
+            <span>Create for Personal Account</span>
+          </button>
+
+          <!-- Organization Form -->
+          <form id="org-form" method="post" class="hidden-form">
+            <input type="hidden" name="manifest" id="org-manifest" />
+          </form>
+        </div>
+
+        <!-- Organization Input -->
+        <div
+          style="
+            margin-top: 24px;
+            padding-top: 24px;
+            border-top: 1px solid var(--border-color);
+          "
+        >
+          <label for="org-name" style="margin-bottom: 8px"
+            >Or create for an organization:</label
+          >
+          <div class="form-row">
+            <div class="form-group">
+              <input
+                type="text"
+                id="org-name"
+                placeholder="Enter organization name (e.g., my-org)"
+              />
+            </div>
+            <button
+              type="button"
+              class="btn btn-secondary"
+              onclick="submitOrgForm()"
+              style="flex-shrink: 0"
+            >
+              <span>🏢</span>
+              <span>Create for Org</span>
+            </button>
+          </div>
+        </div>
+      </div>
+
+      <!-- Permissions Card -->
+      <div class="card">
+        <div class="card-header">
+          <span class="card-icon">✅</span>
+          <h2>Configured Permissions</h2>
+        </div>
+        <p class="card-description">
+          Your GitHub App will be created with these permissions:
+        </p>
+
+        <div class="permissions-grid">
+          <div class="permission-item">
+            <span class="permission-icon">✓</span>
+            <span class="permission-name">Contents</span>
+            <span class="permission-value">Read & Write</span>
+          </div>
+          <div class="permission-item">
+            <span class="permission-icon">✓</span>
+            <span class="permission-name">Issues</span>
+            <span class="permission-value">Read & Write</span>
+          </div>
+          <div class="permission-item">
+            <span class="permission-icon">✓</span>
+            <span class="permission-name">Pull Requests</span>
+            <span class="permission-value">Read & Write</span>
+          </div>
+          <div class="permission-item">
+            <span class="permission-icon">✓</span>
+            <span class="permission-name">Actions</span>
+            <span class="permission-value">Read</span>
+          </div>
+          <div class="permission-item">
+            <span class="permission-icon">✓</span>
+            <span class="permission-name">Metadata</span>
+            <span class="permission-value">Read</span>
+          </div>
+        </div>
+      </div>
+
+      <!-- Next Steps Card -->
+      <div class="card">
+        <div class="card-header">
+          <span class="card-icon">📋</span>
+          <h2>Next Steps</h2>
+        </div>
+        <p class="card-description">
+          After creating your app, complete these steps:
+        </p>
+
+        <div class="steps">
+          <div class="step">
+            <div class="step-number">1</div>
+            <div class="step-content">
+              <p>
+                <strong>Generate a private key:</strong> In your app settings,
+                scroll to "Private keys" and click "Generate a private key"
+              </p>
+            </div>
+          </div>
+          <div class="step">
+            <div class="step-number">2</div>
+            <div class="step-content">
+              <p>
+                <strong>Install the app:</strong> Click "Install App" and select
+                the repositories where you want to use Claude
+              </p>
+            </div>
+          </div>
+          <div class="step">
+            <div class="step-number">3</div>
+            <div class="step-content">
+              <p>
+                <strong>Configure your workflow:</strong> Add your app's ID and
+                private key to your repository secrets
+              </p>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <!-- Manual Setup Card -->
+      <div class="card">
+        <div class="card-header">
+          <span class="card-icon">⚙️</span>
+          <h2>Manual Setup</h2>
+        </div>
+        <p class="card-description">
+          If the buttons above don't work, you can manually create the app by
+          copying the manifest JSON below:
+        </p>
+
+        <div class="code-container">
+          <div class="code-header">
+            <span class="code-label">github-app-manifest.json</span>
+            <button class="copy-btn" onclick="copyManifest()">Copy</button>
+          </div>
+          <div class="code-block" id="manifest-json"></div>
+        </div>
+
+        <div class="steps">
+          <div class="step">
+            <div class="step-number">1</div>
+            <div class="step-content">
+              <p>Copy the manifest JSON above</p>
+            </div>
+          </div>
+          <div class="step">
+            <div class="step-number">2</div>
+            <div class="step-content">
+              <p>
+                Go to
+                <a
+                  href="https://github.com/settings/apps/new"
+                  target="_blank"
+                  style="color: var(--primary-dark); text-decoration: underline"
+                  >GitHub App Settings</a
+                >
+              </p>
+            </div>
+          </div>
+          <div class="step">
+            <div class="step-number">3</div>
+            <div class="step-content">
+              <p>Look for "Create from manifest" option and paste the JSON</p>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <!-- Warning Alert -->
+      <div class="alert">
+        <span class="alert-icon">⚠️</span>
+        <div class="alert-content">
+          <strong>Important:</strong> Keep your private key secure! Never commit
+          it to your repository. Always use GitHub secrets to store sensitive
+          credentials.
+        </div>
+      </div>
+    </div>
+
+    <script>
+      // Manifest configuration
+      const manifest = {
+        name: "Claude Code Custom App",
+        description:
+          "Custom GitHub App for Claude Code Action - AI-powered coding assistant for GitHub workflows",
+        url: "https://github.com/anthropics/claude-code-action",
+        hook_attributes: {
+          url: "https://example.com/github/webhook",
+          active: false,
+        },
+        redirect_url: "https://github.com/settings/apps/new",
+        callback_urls: [],
+        setup_url:
+          "https://github.com/anthropics/claude-code-action/blob/main/docs/setup.md",
+        public: false,
+        default_permissions: {
+          contents: "write",
+          issues: "write",
+          pull_requests: "write",
+          actions: "read",
+          metadata: "read",
+        },
+        default_events: [
+          "issue_comment",
+          "issues",
+          "pull_request",
+          "pull_request_review",
+          "pull_request_review_comment",
+        ],
+      };
+
+      // Populate manifest fields
+      const manifestJson = JSON.stringify(manifest);
+      const manifestJsonPretty = JSON.stringify(manifest, null, 2);
+
+      document.getElementById("personal-manifest").value = manifestJson;
+      document.getElementById("org-manifest").value = manifestJson;
+
+      // Display formatted JSON
+      const manifestDisplay = document.getElementById("manifest-json");
+      manifestDisplay.textContent = manifestJsonPretty;
+
+      // Submit personal form
+      function submitPersonalForm() {
+        document.getElementById("personal-form").submit();
+      }
+
+      // Submit organization form
+      function submitOrgForm() {
+        const orgName = document.getElementById("org-name").value.trim();
+        if (!orgName) {
+          alert("Please enter an organization name");
+          document.getElementById("org-name").focus();
+          return;
+        }
+        const form = document.getElementById("org-form");
+        form.action = `https://github.com/organizations/${orgName}/settings/apps/new`;
+        form.submit();
+      }
+
+      // Allow Enter key to submit org form
+      document
+        .getElementById("org-name")
+        .addEventListener("keypress", function (e) {
+          if (e.key === "Enter") {
+            e.preventDefault();
+            submitOrgForm();
+          }
+        });
+
+      // Copy manifest to clipboard
+      function copyManifest() {
+        navigator.clipboard
+          .writeText(manifestJsonPretty)
+          .then(() => {
+            const button = document.querySelector(".copy-btn");
+            const originalText = button.textContent;
+            button.textContent = "Copied!";
+            button.classList.add("copied");
+            setTimeout(() => {
+              button.textContent = originalText;
+              button.classList.remove("copied");
+            }, 2000);
+          })
+          .catch(() => {
+            // Fallback for older browsers
+            const textArea = document.createElement("textarea");
+            textArea.value = manifestJsonPretty;
+            textArea.style.position = "fixed";
+            textArea.style.opacity = "0";
+            document.body.appendChild(textArea);
+            textArea.select();
+            try {
+              document.execCommand("copy");
+              const button = document.querySelector(".copy-btn");
+              const originalText = button.textContent;
+              button.textContent = "Copied!";
+              button.classList.add("copied");
+              setTimeout(() => {
+                button.textContent = originalText;
+                button.classList.remove("copied");
+              }, 2000);
+            } catch (err) {
+              alert("Failed to copy. Please copy manually.");
+            }
+            document.body.removeChild(textArea);
+          });
+      }
+    </script>
+  </body>
+</html>

docs/setup.md

@@ -20,7 +20,48 @@ If you prefer not to install the official Claude app, you can create your own Gi
 - Organization policies prevent installing third-party apps
 - You're using AWS Bedrock or Google Vertex AI
 
-**Steps to create and use a custom GitHub App:**
+### Option 1: Quick Setup with App Manifest (Recommended)
+
+The fastest way to create a custom GitHub App is using our pre-configured manifest. This ensures all permissions are correctly set up with a single click.
+
+**Steps:**
+
+1. **Create the app:**
+
+   **🚀 [Download the Quick Setup Tool](./create-app.html)** (Right-click → "Save Link As" or "Download Linked File")
+
+   After downloading, open `create-app.html` in your web browser:
+
+   - **For Personal Accounts:** Click the "Create App for Personal Account" button
+   - **For Organizations:** Enter your organization name and click "Create App for Organization"
+
+   The tool will automatically configure all required permissions and submit the manifest.
+
+   Alternatively, you can use the manifest file directly:
+
+   - Use the [`github-app-manifest.json`](../github-app-manifest.json) file from this repository
+   - Visit https://github.com/settings/apps/new (for personal) or your organization's app settings
+   - Look for the "Create from manifest" option and paste the JSON content
+
+2. **Complete the creation flow:**
+
+   - GitHub will show you a preview of the app configuration
+   - Confirm the app name (you can customize it)
+   - Click "Create GitHub App"
+   - The app will be created with all required permissions automatically configured
+
+3. **Generate and download a private key:**
+
+   - After creating the app, you'll be redirected to the app settings
+   - Scroll down to "Private keys"
+   - Click "Generate a private key"
+   - Download the `.pem` file (keep this secure!)
+
+4. **Continue with installation** - Skip to step 3 in the manual setup below to install the app and configure your workflow.
+
+### Option 2: Manual Setup
+
+If you prefer to configure the app manually or need custom permissions:
 
 1. **Create a new GitHub App:**
 

docs/usage.md

@@ -32,8 +32,10 @@ jobs:
           #   --max-turns 10
           #   --model claude-4-0-sonnet-20250805
 
+          # Optional: add custom plugin marketplaces
+          # plugin_marketplaces: "https://github.com/user/marketplace1.git\nhttps://github.com/user/marketplace2.git"
           # Optional: install Claude Code plugins
-          # plugins: "plugin1,plugin2,plugin3"
+          # plugins: "code-review@claude-code-plugins\nfeature-dev@claude-code-plugins"
 
           # Optional: add custom trigger phrase (default: @claude)
           # trigger_phrase: "/claude"
@@ -76,7 +78,8 @@ jobs:
 | `allowed_non_write_users`        | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md)         | No       | ""            |
 | `path_to_claude_code_executable` | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments                                         | No       | ""            |
 | `path_to_bun_executable`         | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments                                             | No       | ""            |
-| `plugins`                        | Comma-separated list of Claude Code plugin names to install (e.g., `plugin1,plugin2,plugin3`). Plugins are installed before Claude Code execution                                      | No       | ""            |
+| `plugin_marketplaces`            | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation             | No       | ""            |
+| `plugins`                        | Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution                                | No       | ""            |
 
 ### Deprecated Inputs
 

github-app-manifest.json

@@ -0,0 +1,27 @@
+{
+  "name": "Claude Code Custom App",
+  "description": "Custom GitHub App for Claude Code Action - AI-powered coding assistant for GitHub workflows",
+  "url": "https://github.com/anthropics/claude-code-action",
+  "hook_attributes": {
+    "url": "https://example.com/github/webhook",
+    "active": false
+  },
+  "redirect_url": "https://github.com/settings/apps/new",
+  "callback_urls": [],
+  "setup_url": "https://github.com/anthropics/claude-code-action/blob/main/docs/setup.md",
+  "public": false,
+  "default_permissions": {
+    "contents": "write",
+    "issues": "write",
+    "pull_requests": "write",
+    "actions": "read",
+    "metadata": "read"
+  },
+  "default_events": [
+    "issue_comment",
+    "issues",
+    "pull_request",
+    "pull_request_review",
+    "pull_request_review_comment"
+  ]
+}