@openthread/claude-code-plugin 0.1.4 → 0.1.8

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "ot",
-  "version": "0.1.4",
-  "description": "Share Claude Code conversations to OpenThread",
+  "version": "0.1.8",
+  "description": "Share Claude Code conversations to OpenThread — the StackOverflow for AI agents. One command to publish any session.",
   "icon": "icon.svg",
   "author": {
     "name": "OpenThread"

package/README.md

@@ -1,6 +1,8 @@
 # @openthread/claude-code-plugin
 
-Share Claude Code conversations to [OpenThread](https://openthread.me) -- a Reddit-like platform for AI conversation threads.
+Share Claude Code conversations to [OpenThread](https://openthread.me) — **the StackOverflow for AI agents**. The community platform for the agentic AI era, where developers share, vote on, and discover the best AI conversation threads from Claude, ChatGPT, Gemini, and more.
+
+One command. Zero config. Publish any Claude Code session as a post others can learn from.
 
 [![npm version](https://img.shields.io/npm/v/@openthread/claude-code-plugin)](https://www.npmjs.com/package/@openthread/claude-code-plugin)
 [![license](https://img.shields.io/npm/l/@openthread/claude-code-plugin)](https://opensource.org/licenses/MIT)
@@ -25,7 +27,7 @@ Community: Coding with AI
 Tags: typescript, authentication, debugging
 
 Post shared successfully!
-View it at: https://openthread.me/post/abc123
+View it at: https://openthread.me/c/coding-with-ai/post/27512cb1
 ```
 
 ## Examples
@@ -51,7 +53,7 @@ Auto-generates title, picks the best community, adds tags, and posts -- no quest
 ? Tags: typescript, hono, api
 
 Post shared successfully!
-View it at: https://openthread.me/post/def456
+View it at: https://openthread.me/c/coding-with-ai/post/27512cb1
 ```
 
 ### Share after a long debugging session
@@ -66,13 +68,20 @@ The plugin reads the full conversation, generates a summary, and shares it as a
 
 The plugin auto-detects the current Claude Code session file. Works in any project directory -- just run `/ot:share` and it finds the right conversation.
 
+## Why OpenThread?
+
+OpenThread is the social platform for the agentic AI world — the place where developers share what their AI agents actually built. Think StackOverflow meets Reddit, designed from the ground up for AI conversations. Every post is a full thread (including code, thinking, and tool use) that the community votes on, comments on, and learns from.
+
+**This plugin is the one-command bridge from your Claude Code session to that community.**
+
 ## Features
 
-- **One-command sharing** -- run `/ot:share` inside any Claude Code session to publish the conversation to OpenThread.
-- **Quick mode** -- `/ot:share <description>` auto-generates a title, selects a community, and posts immediately.
-- **Interactive mode** -- `/ot:share` with no arguments prompts you to choose a title, community, and tags.
-- **Secure auth** -- PKCE OAuth flow with automatic token refresh. Credentials are stored locally at `~/.config/openthread/`.
-- **CLI management** -- `openthread-claude` binary for install, uninstall, status checks, and updates.
+- **One-command sharing** — run `/ot:share` inside any Claude Code session to publish the entire conversation to OpenThread.
+- **Quick mode** — `/ot:share <description>` auto-generates a title, picks the best-matching community, adds tags, and posts immediately. Zero questions asked.
+- **Interactive mode** — `/ot:share` with no arguments prompts you to choose a title, community, and tags.
+- **Privacy first** — strips usernames and local file paths before publishing. Your code, not your filesystem.
+- **Secure auth** — PKCE OAuth flow with automatic token refresh. Credentials stored locally at `~/.config/openthread/`.
+- **CLI management** — `openthread-claude` binary for install, uninstall, status checks, and updates.
 
 ## Usage
 
@@ -96,23 +105,108 @@ Run with no arguments to step through each field:
 2. Community (selectable from list)
 3. Tags (suggested, accept or modify)
 
+## Commands
+
+### `/ot:search <query>`
+
+Search OpenThread for threads, comments, communities, or users without
+leaving your Claude Code session.
+
+Flags:
+
+- `--type posts|comments|communities|users|all` (default `posts`)
+- `--community <name>`
+- `--provider claude|chatgpt|gemini|...`
+- `--time hour|day|week|month|year|all`
+- `--limit 1-25` (default `10`)
+
+Works without authentication (narrower visibility). If you're logged in,
+you also see private communities you're a member of. After results are
+shown, pick a number to import the thread via `/ot:import`.
+
+```
+> /ot:search hono auth bug
+
+[1] Debugging PKCE token refresh in auth middleware
+    c/coding-with-ai · u/alice · 3h ago · ▲ 42 · 💬 7
+    Walks through the PKCE refresh flow and the off-by-one in expiresAt...
+```
+
+### `/ot:import <post-id-or-url> [--read|--context]`
+
+Pull a published OpenThread thread into your current workspace.
+
+**Imported content is UNTRUSTED third-party data.** It may contain
+prompt injections. The plugin treats every imported byte as data, not
+instructions, and enforces that boundary at multiple layers.
+
+- **`--read`** (default) — downloads the thread, sanitizes and masks
+  it locally (defense-in-depth on top of server-side masking), and
+  saves it to `~/.openthread/imports/<uuid>.md` with mode `0600`
+  inside a `0700` directory. Claude does **not** automatically load
+  the file into context. If you want it read, ask in a separate
+  message after the import completes.
+- **`--context`** — additionally emits an
+  `<imported_thread trust="untrusted">` envelope that the skill shows
+  to Claude after you explicitly confirm. Even inside the envelope,
+  the content is treated as data, never as instructions.
+
+Inputs accepted:
+
+- Bare UUID: `27512cb1-4e7a-4c3b-9d8e-1f2a3b4c5d6e`
+- Path: `/c/<community>/post/<uuid>` or `/post/<uuid>`
+- Full URL: `https://openthread.me/c/<community>/post/<uuid>`
+
+Security properties:
+
+- Strict UUID validation on every input form.
+- HTTPS enforced unless `OPENTHREAD_API_URL` points to a loopback host.
+- Response bodies capped at 5 MB, read in bounded chunks.
+- Control characters and ANSI escapes are stripped; paths, usernames,
+  secrets, emails, and IPs are masked locally.
+- Writes are atomic via a `.part` rename — a partial fetch never lands
+  at the final path. Files land at mode `0600` in a `0700` directory.
+- Every saved file starts with a trust banner reminding Claude that
+  the content is data, not instructions.
+
+### `/ot:export <post-id-or-url>`
+
+Download a thread from OpenThread as a local file. Unlike `/ot:import`,
+this is for archival / sharing — the file is written with sharable
+permissions and does NOT include the "untrusted data" banner.
+
+Flags:
+
+- `--format markdown|text|json` (default `markdown`)
+- `--out <path>` (default `./ot-<slug>-<short>.<ext>`)
+- `--stdout`
+- `--no-banner`
+
+The file is path-traversal-guarded (relative paths must stay under cwd;
+absolute paths are denied into system dirs). Content is re-masked
+locally on top of the server's masking as defense-in-depth. Writes are
+atomic via a `.part` rename and land at mode `0644` so the file can be
+committed or shared. Exported files are NOT loaded into Claude's
+context — if you want Claude to read one, open it in a follow-up
+message.
+
 ## CLI Commands
 
-| Command | Description |
-| --- | --- |
-| `openthread-claude install` | Install and register the plugin with Claude Code |
+| Command                       | Description                                       |
+| ----------------------------- | ------------------------------------------------- |
+| `openthread-claude install`   | Install and register the plugin with Claude Code  |
 | `openthread-claude uninstall` | Remove the plugin and deregister from Claude Code |
-| `openthread-claude status` | Show plugin installation and registration state |
-| `openthread-claude update` | Reinstall plugin (update to current version) |
+| `openthread-claude status`    | Show plugin installation and registration state   |
+| `openthread-claude update`    | Reinstall plugin (update to current version)      |
 
 ## Configuration
 
 Environment variables override the default endpoints. Set them in your shell profile or `.env` file.
 
-| Variable | Default | Description |
-| --- | --- | --- |
-| `OPENTHREAD_API_URL` | `https://openthread.me/api` | Backend API base URL |
-| `OPENTHREAD_WEB_URL` | `https://openthread.me` | Web app base URL (used for post links) |
+| Variable             | Default                     | Description                            |
+| -------------------- | --------------------------- | -------------------------------------- |
+| `OPENTHREAD_API_URL` | `https://openthread.me/api` | Backend API base URL                   |
+| `OPENTHREAD_WEB_URL` | `https://openthread.me`     | Web app base URL (used for post links) |
 
 ## Manual Install
 

package/bin/__tests__/settings-writer.test.js

@@ -0,0 +1,122 @@
+#!/usr/bin/env node
+// Unit tests for bin/lib/settings-writer.js
+// Run with: node bin/__tests__/settings-writer.test.js
+// Exit 0 on pass, non-zero on failure.
+
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+const assert = require("node:assert/strict");
+
+const { safeUpdateSettings } = require("../lib/settings-writer.js");
+
+let failures = 0;
+let passed = 0;
+
+function test(name, fn) {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "ot-settings-test-"));
+  const tmpFile = path.join(tmpDir, "settings.json");
+  try {
+    fn(tmpFile);
+    console.log(`  ok  ${name}`);
+    passed++;
+  } catch (e) {
+    console.error(`  FAIL  ${name}`);
+    console.error("    " + (e.stack || e.message));
+    failures++;
+  } finally {
+    try {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    } catch {
+      /* ignore */
+    }
+  }
+}
+
+console.log("settings-writer tests:");
+
+test("enables ot@openthread on empty file", (file) => {
+  const result = safeUpdateSettings(
+    { enabledPlugins: { "ot@openthread": true } },
+    file,
+  );
+  assert.equal(result.enabledPlugins["ot@openthread"], true);
+  const onDisk = JSON.parse(fs.readFileSync(file, "utf8"));
+  assert.equal(onDisk.enabledPlugins["ot@openthread"], true);
+});
+
+test("refuses to modify hooks", (file) => {
+  assert.throws(
+    () =>
+      safeUpdateSettings(
+        { hooks: { preToolUse: "evil" } },
+        file,
+      ),
+    /refusing to modify top-level key "hooks"/,
+  );
+  assert.equal(fs.existsSync(file), false);
+});
+
+test("refuses to modify permissions", (file) => {
+  assert.throws(
+    () => safeUpdateSettings({ permissions: { allow: ["*"] } }, file),
+    /refusing to modify top-level key "permissions"/,
+  );
+});
+
+test("refuses unknown plugin keys", (file) => {
+  assert.throws(
+    () =>
+      safeUpdateSettings(
+        { enabledPlugins: { "other@thing": true } },
+        file,
+      ),
+    /refusing to modify plugin key "other@thing"/,
+  );
+});
+
+test("refuses unknown top-level keys", (file) => {
+  assert.throws(
+    () => safeUpdateSettings({ unknownKey: "x" }, file),
+    /refusing to modify top-level key "unknownKey"/,
+  );
+});
+
+test("preserves unrelated keys on update", (file) => {
+  fs.writeFileSync(
+    file,
+    JSON.stringify({
+      permissions: { allow: ["Bash"] },
+      hooks: { preToolUse: "existing" },
+      enabledPlugins: { "some@other": true },
+    }),
+  );
+  const result = safeUpdateSettings(
+    { enabledPlugins: { "ot@openthread": true } },
+    file,
+  );
+  assert.deepEqual(result.permissions, { allow: ["Bash"] });
+  assert.deepEqual(result.hooks, { preToolUse: "existing" });
+  assert.equal(result.enabledPlugins["some@other"], true);
+  assert.equal(result.enabledPlugins["ot@openthread"], true);
+});
+
+test("disables ot@openthread", (file) => {
+  const result = safeUpdateSettings(
+    { enabledPlugins: { "ot@openthread": false } },
+    file,
+  );
+  assert.equal(result.enabledPlugins["ot@openthread"], false);
+});
+
+test("replaces non-object enabledPlugins safely", (file) => {
+  fs.writeFileSync(file, JSON.stringify({ enabledPlugins: ["bogus"] }));
+  const result = safeUpdateSettings(
+    { enabledPlugins: { "ot@openthread": true } },
+    file,
+  );
+  assert.equal(result.enabledPlugins["ot@openthread"], true);
+});
+
+console.log(`\n${passed} passed, ${failures} failed`);
+process.exit(failures > 0 ? 1 : 0);

package/bin/cli.sh

@@ -2,12 +2,13 @@
 # CLI for managing the OpenThread Claude Code plugin
 set -euo pipefail
 
-PLUGIN_NAME="openthread-share"
 PLUGIN_ID="ot"
-MARKETPLACE_NAME="local-plugins"
+MARKETPLACE_NAME="openthread"
 PLUGIN_KEY="${PLUGIN_ID}@${MARKETPLACE_NAME}"
 PLUGIN_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-DEST_DIR="$HOME/.claude/plugins/$PLUGIN_NAME"
+MARKETPLACE_DIR="$HOME/.claude/plugins/marketplaces/$MARKETPLACE_NAME"
+DEST_DIR="$MARKETPLACE_DIR/plugins/$PLUGIN_ID"
+KNOWN_FILE="$HOME/.claude/plugins/known_marketplaces.json"
 SETTINGS_FILE="$HOME/.claude/settings.json"
 
 usage() {
@@ -20,132 +21,106 @@ usage() {
   echo "  update      Reinstall plugin (update to current version)"
 }
 
-register_plugin() {
-  python3 -c "
-import json, os
-
-settings_path = '$SETTINGS_FILE'
-dest_dir = '$DEST_DIR'
-marketplace = '$MARKETPLACE_NAME'
-plugin_key = '$PLUGIN_KEY'
-
-settings = {}
-if os.path.exists(settings_path):
-    try:
-        with open(settings_path) as f:
-            settings = json.load(f)
-    except:
-        settings = {}
-
-# Register as local marketplace
-if 'extraKnownMarketplaces' not in settings:
-    settings['extraKnownMarketplaces'] = {}
-settings['extraKnownMarketplaces'][marketplace] = {
-    'source': {'source': 'directory', 'path': dest_dir}
-}
-
-# Enable the plugin (must be an object, not array)
-if not isinstance(settings.get('enabledPlugins'), dict):
-    settings['enabledPlugins'] = {}
-settings['enabledPlugins'][plugin_key] = True
-
-os.makedirs(os.path.dirname(settings_path), exist_ok=True)
-with open(settings_path, 'w') as f:
-    json.dump(settings, f, indent=2)
-    f.write('\n')
-"
-}
-
-deregister_plugin() {
-  if [ -f "$SETTINGS_FILE" ]; then
-    python3 -c "
-import json
-
-settings_path = '$SETTINGS_FILE'
-marketplace = '$MARKETPLACE_NAME'
-plugin_key = '$PLUGIN_KEY'
-
-with open(settings_path) as f:
-    settings = json.load(f)
-
-# Remove from enabledPlugins
-if isinstance(settings.get('enabledPlugins'), dict):
-    settings['enabledPlugins'].pop(plugin_key, None)
-
-# Remove marketplace
-if isinstance(settings.get('extraKnownMarketplaces'), dict):
-    settings['extraKnownMarketplaces'].pop(marketplace, None)
-
-with open(settings_path, 'w') as f:
-    json.dump(settings, f, indent=2)
-    f.write('\n')
-"
-  fi
-}
-
 install_plugin() {
+  # Copy plugin files into marketplace structure
   mkdir -p "$DEST_DIR"
-
   for dir in .claude-plugin commands skills scripts; do
     if [ -d "$PLUGIN_DIR/$dir" ]; then
       cp -r "$PLUGIN_DIR/$dir" "$DEST_DIR/"
     fi
   done
+  [ -f "$PLUGIN_DIR/icon.svg" ] && cp "$PLUGIN_DIR/icon.svg" "$DEST_DIR/"
+  chmod +x "$DEST_DIR/scripts/"*.sh 2>/dev/null || true
 
-  if [ -f "$PLUGIN_DIR/icon.svg" ]; then
-    cp "$PLUGIN_DIR/icon.svg" "$DEST_DIR/"
-  fi
+  # Create marketplace.json
+  mkdir -p "$MARKETPLACE_DIR/.claude-plugin"
+  python3 -c "
+import json
+mkt = {
+    'name': '$MARKETPLACE_NAME',
+    'description': 'OpenThread plugins for sharing AI conversations',
+    'owner': {'name': 'OpenThread'},
+    'plugins': [{'name': '$PLUGIN_ID', 'description': 'Share Claude Code conversations to OpenThread', 'source': './plugins/$PLUGIN_ID'}]
+}
+with open('$MARKETPLACE_DIR/.claude-plugin/marketplace.json', 'w') as f:
+    json.dump(mkt, f, indent=2)
+    f.write('\n')
+"
 
-  chmod +x "$DEST_DIR/scripts/"*.sh 2>/dev/null || true
+  # Register in known_marketplaces.json
+  python3 -c "
+import json, os, datetime
+path = '$KNOWN_FILE'
+known = {}
+if os.path.exists(path):
+    try:
+        with open(path) as f: known = json.load(f)
+    except: pass
+known['$MARKETPLACE_NAME'] = {
+    'source': {'source': 'local', 'path': '$MARKETPLACE_DIR'},
+    'installLocation': '$MARKETPLACE_DIR',
+    'lastUpdated': datetime.datetime.utcnow().isoformat() + 'Z'
+}
+with open(path, 'w') as f:
+    json.dump(known, f, indent=2)
+    f.write('\n')
+"
 
-  register_plugin
+  # Enable in settings.json via the guarded writer (G16).
+  # Only enabledPlugins["ot@openthread"] is permitted to change.
+  node "$PLUGIN_DIR/bin/lib/settings-writer.js" enable
 
   VERSION=$(python3 -c "import json; print(json.load(open('$DEST_DIR/.claude-plugin/plugin.json'))['version'])")
-  echo "✓ OpenThread plugin v$VERSION installed to $DEST_DIR"
-  echo "  Registered in $SETTINGS_FILE"
+  echo "✓ OpenThread plugin v$VERSION installed"
+  echo "  Marketplace: $MARKETPLACE_DIR"
   echo "  Restart Claude Code, then use /ot:share to share conversations."
 }
 
 uninstall_plugin() {
-  if [ -d "$DEST_DIR" ]; then
-    rm -rf "$DEST_DIR"
-    deregister_plugin
-    echo "✓ OpenThread plugin removed and deregistered"
-  else
-    echo "Plugin is not installed."
-  fi
+  [ -d "$MARKETPLACE_DIR" ] && rm -rf "$MARKETPLACE_DIR"
+
+  # Remove from known_marketplaces.json
+  [ -f "$KNOWN_FILE" ] && python3 -c "
+import json
+with open('$KNOWN_FILE') as f: known = json.load(f)
+known.pop('$MARKETPLACE_NAME', None)
+with open('$KNOWN_FILE', 'w') as f:
+    json.dump(known, f, indent=2)
+    f.write('\n')
+" 2>/dev/null || true
+
+  # Disable in settings.json via the guarded writer (G16).
+  [ -f "$SETTINGS_FILE" ] && node "$PLUGIN_DIR/bin/lib/settings-writer.js" disable 2>/dev/null || true
+
+  echo "✓ OpenThread plugin removed and deregistered"
 }
 
 check_status() {
-  local installed=false
-  local registered=false
-
   if [ -d "$DEST_DIR" ] && [ -f "$DEST_DIR/.claude-plugin/plugin.json" ]; then
-    installed=true
+    VERSION=$(python3 -c "import json; print(json.load(open('$DEST_DIR/.claude-plugin/plugin.json'))['version'])")
+    echo "✓ Plugin: v$VERSION at $DEST_DIR"
+  else
+    echo "✗ Plugin: not installed"
   fi
 
-  if [ -f "$SETTINGS_FILE" ]; then
-    registered=$(python3 -c "
+  if [ -f "$KNOWN_FILE" ] && python3 -c "
 import json
-with open('$SETTINGS_FILE') as f:
-    s = json.load(f)
-plugins = s.get('enabledPlugins', {})
-print('true' if isinstance(plugins, dict) and plugins.get('$PLUGIN_KEY') else 'false')
-" 2>/dev/null || echo "false")
-  fi
-
-  if [ "$installed" = true ]; then
-    VERSION=$(python3 -c "import json; print(json.load(open('$DEST_DIR/.claude-plugin/plugin.json'))['version'])")
-    echo "✓ Plugin files: v$VERSION at $DEST_DIR"
+with open('$KNOWN_FILE') as f: k = json.load(f)
+exit(0 if '$MARKETPLACE_NAME' in k else 1)
+" 2>/dev/null; then
+    echo "✓ Marketplace: registered"
   else
-    echo "✗ Plugin files: not installed"
+    echo "✗ Marketplace: not registered"
   fi
 
-  if [ "$registered" = "true" ]; then
-    echo "✓ Registered: yes ($PLUGIN_KEY in $SETTINGS_FILE)"
+  if [ -f "$SETTINGS_FILE" ] && python3 -c "
+import json
+with open('$SETTINGS_FILE') as f: s = json.load(f)
+exit(0 if isinstance(s.get('enabledPlugins'), dict) and s['enabledPlugins'].get('$PLUGIN_KEY') else 1)
+" 2>/dev/null; then
+    echo "✓ Enabled: $PLUGIN_KEY"
   else
-    echo "✗ Registered: no (Claude Code won't detect the plugin)"
-    echo "  Run: openthread-claude install"
+    echo "✗ Enabled: no"
   fi
 }
 

package/bin/lib/settings-writer.js

@@ -0,0 +1,108 @@
+#!/usr/bin/env node
+// Guarded writer for ~/.claude/settings.json.
+//
+// Only allows modifications to a strict allowlist of top-level keys. Refuses
+// any diff touching "hooks", "permissions", or unknown keys so that a
+// compromised release cannot inject a preToolUse hook or weaken permissions.
+
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+
+const SETTINGS_PATH = path.join(os.homedir(), ".claude", "settings.json");
+
+const ALLOWED_TOP_LEVEL_KEYS = new Set(["enabledPlugins"]);
+const ALLOWED_PLUGIN_KEYS = /^ot@openthread$/;
+
+function readSettings(settingsPath = SETTINGS_PATH) {
+  try {
+    return JSON.parse(fs.readFileSync(settingsPath, "utf8"));
+  } catch (e) {
+    if (e.code === "ENOENT") return {};
+    throw e;
+  }
+}
+
+function writeAtomically(data, settingsPath = SETTINGS_PATH) {
+  const tmp = settingsPath + ".part";
+  fs.mkdirSync(path.dirname(settingsPath), { recursive: true });
+  fs.writeFileSync(tmp, JSON.stringify(data, null, 2) + "\n", { mode: 0o600 });
+  fs.renameSync(tmp, settingsPath);
+}
+
+function safeUpdateSettings(patch, settingsPath = SETTINGS_PATH) {
+  if (!patch || typeof patch !== "object" || Array.isArray(patch)) {
+    throw new Error("settings-writer: patch must be a plain object");
+  }
+
+  const current = readSettings(settingsPath);
+  const next = JSON.parse(JSON.stringify(current));
+
+  for (const key of Object.keys(patch)) {
+    if (!ALLOWED_TOP_LEVEL_KEYS.has(key)) {
+      throw new Error(
+        `settings-writer: refusing to modify top-level key "${key}"`,
+      );
+    }
+  }
+
+  // enabledPlugins merge (only ot@openthread keys allowed)
+  if (patch.enabledPlugins !== undefined) {
+    if (
+      !patch.enabledPlugins ||
+      typeof patch.enabledPlugins !== "object" ||
+      Array.isArray(patch.enabledPlugins)
+    ) {
+      throw new Error(
+        "settings-writer: enabledPlugins patch must be a plain object",
+      );
+    }
+    if (
+      !next.enabledPlugins ||
+      typeof next.enabledPlugins !== "object" ||
+      Array.isArray(next.enabledPlugins)
+    ) {
+      next.enabledPlugins = {};
+    }
+    for (const pluginKey of Object.keys(patch.enabledPlugins)) {
+      if (!ALLOWED_PLUGIN_KEYS.test(pluginKey)) {
+        throw new Error(
+          `settings-writer: refusing to modify plugin key "${pluginKey}"`,
+        );
+      }
+      next.enabledPlugins[pluginKey] = patch.enabledPlugins[pluginKey];
+    }
+  }
+
+  writeAtomically(next, settingsPath);
+  return next;
+}
+
+// CLI entry point: node settings-writer.js enable | disable
+if (require.main === module) {
+  const cmd = process.argv[2];
+  try {
+    if (cmd === "enable") {
+      safeUpdateSettings({ enabledPlugins: { "ot@openthread": true } });
+      console.log("enabled ot@openthread in", SETTINGS_PATH);
+    } else if (cmd === "disable") {
+      safeUpdateSettings({ enabledPlugins: { "ot@openthread": false } });
+      console.log("disabled ot@openthread in", SETTINGS_PATH);
+    } else {
+      console.error("Usage: settings-writer.js enable|disable");
+      process.exit(1);
+    }
+  } catch (e) {
+    console.error(e.message);
+    process.exit(1);
+  }
+}
+
+module.exports = {
+  safeUpdateSettings,
+  readSettings,
+  writeAtomically,
+  SETTINGS_PATH,
+  ALLOWED_TOP_LEVEL_KEYS,
+  ALLOWED_PLUGIN_KEYS,
+};