
fix: plugin install integrity check + branch rules #201

Merged: github-actions[bot] merged 1 commit into develop from fix/plugin-install-integrity on Apr 23, 2026

tomymaritano (Owner) commented Apr 23, 2026

Summary

Addresses P1 review finding from PR #200 and strengthens git flow rules.

Plugin Install

  • Add cross-plugin overwrite protection: when marketplace serves wrong bundle
    (manifest.id ≠ requested slug), block only if it would overwrite an existing
    plugin directory — prevents silent overwrites without blocking valid installs
    where slug and manifest ID legitimately differ

CLAUDE.md

  • Add explicit step-by-step workflow for Claude Code
  • Add explicit NEVER list (no direct commits to develop/main)

Test plan

  • pnpm typecheck — 17/17 pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced plugin installation safety to prevent accidental overwrites of existing plugins during installation from URL.
  • Documentation

    • Updated development workflow documentation and branch protection requirements.

- Add cross-plugin overwrite protection: block install when archive
  contains a different plugin ID than requested AND would overwrite
  an existing plugin directory (prevents silent overwrites)
- Allow mismatched slug/id when no existing plugin would be affected
- Strengthen CLAUDE.md branch rules: explicit step-by-step workflow
  for Claude Code, explicit NEVER list

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel Bot commented Apr 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
readide Error Error Apr 23, 2026 6:50pm


coderabbitai Bot commented Apr 23, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Two changes are introduced: (1) CLAUDE.md updates branch protection rules from "Critical" to "MANDATORY" with stricter Git workflow requirements including explicit branch naming conventions and a prohibited actions list; (2) apps/desktop/src/main/index.ts modifies the plugins:installFromUrl IPC handler to validate plugin slugs and reject cross-plugin overwrites.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation & Policy: CLAUDE.md | Branch protection rules elevated to "MANDATORY" with tightened requirements. All work requires PRs, even single-line changes. Git workflow explicitly documented as feature/* or fix/* → develop → main, both via PR. Branch naming conventions added. Explicit "NEVER" list forbids commits on develop, direct pushes to develop, and PRs targeting main from develop outside releases. |
| Plugin Installation Validation: apps/desktop/src/main/index.ts | IPC handler plugins:installFromUrl now actively uses the pluginSlug parameter to perform cross-plugin overwrite validation. If the requested pluginSlug differs from the archive manifest.id and an existing plugin directory is present, the handler rejects installation; otherwise proceeds with standard validation and installation flow. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main changes: a plugin install integrity check and updated branch rules, both of which are directly present in the changeset. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


github-actions bot merged commit 321da87 into develop on Apr 23, 2026
13 of 15 checks passed
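
The overwrite rule this PR describes, as an added example; it is not the project's code from apps/desktop/src/main/index.ts. The function and type names, the injected `isInstalled` lookup, the ID pattern, and the assumption that a plugin is installed into a directory named after `manifest.id` are all hypothetical; the ID check goes beyond what the PR text states.

```typescript
// Added example; names and the ID pattern are assumptions, not the project's code.
type InstallDecision =
  | { allow: true; targetDir: string; overwrite: boolean }
  | { allow: false; reason: string };

// Assumed ID grammar: one path segment, so "..", "/" and "\" cannot appear.
const SAFE_PLUGIN_ID = /^[a-z0-9][a-z0-9_-]{0,63}$/;

// requestedSlug: what the caller asked the marketplace for.
// manifestId:    the id read from the manifest inside the downloaded archive.
// isInstalled:   reports whether a plugin directory for that id already exists.
function decideInstall(
  requestedSlug: string,
  manifestId: string,
  isInstalled: (id: string) => boolean,
): InstallDecision {
  for (const id of [requestedSlug, manifestId]) {
    if (!SAFE_PLUGIN_ID.test(id)) {
      return { allow: false, reason: `unsafe plugin id ${JSON.stringify(id)}` };
    }
  }
  const overwrite = isInstalled(manifestId);
  // Slug and manifest id may legitimately differ, so a mismatch alone is not
  // an error. It is blocked only when the unexpected bundle would replace a
  // plugin the user already has installed.
  if (manifestId !== requestedSlug && overwrite) {
    return {
      allow: false,
      reason: `requested "${requestedSlug}" but archive is "${manifestId}", which is already installed`,
    };
  }
  // Same id and already installed is an update or reinstall of that plugin.
  return { allow: true, targetDir: manifestId, overwrite };
}

// Constructed cases: "notes-sync" is the only plugin already on disk.
const installedSample = (id: string): boolean => id === "notes-sync";
function sampleDecisions(): boolean[] {
  return [
    decideInstall("md-tools", "md-tools", installedSample).allow, // fresh install
    decideInstall("md-tools", "markdown-tools", installedSample).allow, // ids differ, nothing overwritten
    decideInstall("notes-sync", "notes-sync", installedSample).allow, // update in place
    decideInstall("md-tools", "notes-sync", installedSample).allow, // wrong bundle over existing plugin
    decideInstall("md-tools", "../notes-sync", installedSample).allow, // id is not a single safe segment
  ];
}
```

Passing the lookup in as a function keeps the decision testable without touching the real plugins directory.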