claudecode-linter 2.1.148 → 2.1.150-patch.1

package/dist/contracts.js

@@ -1,5 +1,5 @@
 // Auto-generated from contracts/claude-code-contracts.json
-// Claude Code v2.1.148 — extracted 2026-05-22T07:13:45.210Z
+// Claude Code v2.1.150 — extracted 2026-05-23T07:05:23.158Z
 // Do not edit manually. Run: npm run generate-contracts
 export const TOOLS = new Set([
     "Agent",
@@ -23,9 +23,11 @@ export const TOOLS = new Set([
     "NotebookEdit",
     "NotebookRead",
     "PushNotification",
+    "REPL",
     "Read",
     "ReadMcpResource",
     "RemoteTrigger",
+    "ScheduleWakeup",
     "SendMessage",
     "Skill",
     "SubscribeMcpResource",
@@ -44,6 +46,7 @@ export const TOOLS = new Set([
     "UnsubscribePolling",
     "WebFetch",
     "WebSearch",
+    "Workflow",
     "Write",
 ]);
 export const HOOK_EVENTS = new Set([
@@ -207,6 +210,7 @@ export const SETTINGS_USER_FIELDS = new Set([
     "advisorModel",
     "agent",
     "agentPushNotifEnabled",
+    "allowAllClaudeAiMcps",
     "allowManagedHooksOnly",
     "allowManagedMcpServersOnly",
     "allowManagedPermissionRulesOnly",
@@ -230,6 +234,7 @@ export const SETTINGS_USER_FIELDS = new Set([
     "awsAuthRefresh",
     "awsCredentialExport",
     "blockedMarketplaces",
+    "breakReminder",
     "channelsEnabled",
     "claudeMd",
     "claudeMdExcludes",
@@ -286,6 +291,7 @@ export const SETTINGS_USER_FIELDS = new Set([
     "proactive",
     "promptSuggestionEnabled",
     "proxyAuthHelper",
+    "quietHours",
     "remote",
     "remoteControlAtStartup",
     "respectGitignore",
@@ -389,4 +395,17 @@ export const PLUGIN_SUBAGENT_BLOCKED_TOOLS = new Set([
     "Glob",
     "Grep",
 ]);
+// Hand-curated named values for the frontmatter `effort` field. The Zod
+// schema types `effort` as a permissive scalar; the field's own describe()
+// string in the Claude Code bundle reads: "Thinking effort for the model:
+// `low`, `medium`, `high`, `max`, or an integer." — so a string `effort`
+// must be one of these, and a numeric `effort` must be an integer. (The
+// runtime effortLevel enum also has `xhigh`, but the frontmatter describe
+// string deliberately omits it; we follow the frontmatter contract.)
+export const EFFORT_LEVELS = new Set([
+    "low",
+    "medium",
+    "high",
+    "max",
+]);
 //# sourceMappingURL=contracts.js.map

package/dist/discovery.js

@@ -205,6 +205,25 @@ function discoverInDirectory(dir) {
     for (const f of monitors) {
         artifacts.push({ filePath: f, artifactType: "monitors-json" });
     }
+    // .claude-plugin/marketplace.json — schemastore-only artifact.
+    const marketplace = join(dir, ".claude-plugin", "marketplace.json");
+    if (existsSync(marketplace)) {
+        artifacts.push({ filePath: marketplace, artifactType: "marketplace-json" });
+    }
+    // keybindings.json — usually at ~/.claude/keybindings.json (user scope),
+    // but also picked up at project root if present. schemastore-only artifact.
+    for (const candidate of [
+        join(dir, "keybindings.json"),
+        join(dir, ".claude", "keybindings.json"),
+    ]) {
+        if (existsSync(candidate)) {
+            artifacts.push({
+                filePath: candidate,
+                artifactType: "keybindings-json",
+                scope: detectScope(candidate),
+            });
+        }
+    }
     // Claude config files — settings
     for (const name of ["settings.json", "settings.local.json"]) {
         // Direct in dir (handles both ~/.claude/settings.json and project root)
@@ -316,6 +335,10 @@ function classifyFile(filePath) {
     const parent = basename(dirname(filePath));
     if (name === "plugin.json" && parent === ".claude-plugin")
         return "plugin-json";
+    if (name === "marketplace.json" && parent === ".claude-plugin")
+        return "marketplace-json";
+    if (name === "keybindings.json")
+        return "keybindings-json";
     if (name === "SKILL.md")
         return "skill-md";
     if (name === "hooks.json" && parent === "hooks")

package/dist/formatters/human.js

@@ -1,4 +1,5 @@
 import pc from "picocolors";
+import { sanitizeForTerminal } from "../utils/terminal.js";
 const SEVERITY_ICONS = {
     error: pc.red("error"),
     warning: pc.yellow("warn "),
@@ -16,12 +17,12 @@ export function formatHuman(results, quiet) {
         if (filtered.length === 0)
             continue;
         lines.push("");
-        lines.push(pc.underline(result.file));
+        lines.push(pc.underline(sanitizeForTerminal(result.file)));
         for (const d of filtered) {
             const loc = d.line
                 ? pc.dim(`:${d.line}${d.column ? `:${d.column}` : ""}`)
                 : "";
-            lines.push(`  ${SEVERITY_ICONS[d.severity]}  ${d.message}  ${pc.dim(d.rule)}${loc}`);
+            lines.push(`  ${SEVERITY_ICONS[d.severity]}  ${sanitizeForTerminal(d.message)}  ${pc.dim(d.rule)}${loc}`);
             if (d.severity === "error")
                 errorCount++;
             else if (d.severity === "warning")

package/dist/index.js

@@ -1,10 +1,13 @@
 #!/usr/bin/env node
-import { readFileSync, writeFileSync, copyFileSync, existsSync } from "node:fs";
+import { readFileSync, writeFileSync, copyFileSync, existsSync, statSync, } from "node:fs";
 import { resolve, relative, dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 import sade from "sade";
 import pc from "picocolors";
 import { loadConfig, mergeCliRules } from "./config.js";
+import { assetCandidates } from "./utils/asset-path.js";
+import { writeBlockedReason } from "./utils/safe-write.js";
+import { sanitizeForTerminal } from "./utils/terminal.js";
 import { discoverArtifacts, detectArtifactTypes } from "./discovery.js";
 import { formatHuman } from "./formatters/human.js";
 import { formatJson } from "./formatters/json.js";
@@ -18,6 +21,8 @@ import { mcpJsonLinter } from "./linters/mcp-json.js";
 import { claudeMdLinter } from "./linters/claude-md.js";
 import { lspJsonLinter } from "./linters/lsp-json.js";
 import { monitorsJsonLinter } from "./linters/monitors-json.js";
+import { marketplaceJsonLinter } from "./linters/marketplace-json.js";
+import { keybindingsJsonLinter } from "./linters/keybindings-json.js";
 import { misplacedFileLinter, MISPLACED_FILE_RULES, } from "./linters/misplaced-file.js";
 import { pluginJsonFixer } from "./fixers/plugin-json.js";
 import { frontmatterFixer } from "./fixers/frontmatter.js";
@@ -35,6 +40,8 @@ import { MCP_JSON_RULES } from "./linters/mcp-json.js";
 import { CLAUDE_MD_RULES } from "./linters/claude-md.js";
 import { LSP_JSON_RULES } from "./linters/lsp-json.js";
 import { MONITORS_JSON_RULES } from "./linters/monitors-json.js";
+import { MARKETPLACE_JSON_RULES } from "./linters/marketplace-json.js";
+import { KEYBINDINGS_JSON_RULES } from "./linters/keybindings-json.js";
 const LINTERS = {
     "plugin-json": pluginJsonLinter,
     "skill-md": skillMdLinter,
@@ -46,6 +53,8 @@ const LINTERS = {
     "claude-md": claudeMdLinter,
     "lsp-json": lspJsonLinter,
     "monitors-json": monitorsJsonLinter,
+    "marketplace-json": marketplaceJsonLinter,
+    "keybindings-json": keybindingsJsonLinter,
     "misplaced-file": misplacedFileLinter,
 };
 const FIXERS = {
@@ -69,8 +78,16 @@ const ALL_RULES = [
     ...CLAUDE_MD_RULES,
     ...LSP_JSON_RULES,
     ...MONITORS_JSON_RULES,
+    ...MARKETPLACE_JSON_RULES,
+    ...KEYBINDINGS_JSON_RULES,
     ...MISPLACED_FILE_RULES,
 ];
+/**
+ * Hard cap on artifact file size. Real Claude Code artifacts are KB-scale;
+ * this only exists to reject pathological / malicious inputs (e.g. a
+ * multi-gigabyte file crafted to exhaust memory).
+ */
+const MAX_ARTIFACT_BYTES = 5 * 1024 * 1024;
 function simpleDiff(oldContent, newContent, filePath) {
     if (oldContent === newContent)
         return "";
@@ -106,7 +123,21 @@ function simpleDiff(oldContent, newContent, filePath) {
     }
     return lines.join("\n");
 }
-const pkgVersion = JSON.parse(readFileSync(join(dirname(fileURLToPath(import.meta.url)), "..", "package.json"), "utf8")).version;
+function readPkgVersion() {
+    // package.json ships beside dist/ (Node) or beside the executable
+    // (bun-compiled single-executable). Try every candidate; fall back to
+    // "0.0.0" if none resolve (e.g. an unexpected layout) rather than crashing.
+    for (const p of assetCandidates(import.meta.url, ["..", "package.json"])) {
+        try {
+            return JSON.parse(readFileSync(p, "utf8")).version;
+        }
+        catch {
+            // try next candidate
+        }
+    }
+    return "0.0.0";
+}
+const pkgVersion = readPkgVersion();
 sade("claudecode-linter", true)
     .version(pkgVersion)
     .describe("Linter for Claude Code plugin artifacts")
@@ -133,9 +164,11 @@ sade("claudecode-linter", true)
     const fixDryRun = !!opts["fix-dry-run"];
     try {
         if (opts.init !== undefined) {
-            const __filename = fileURLToPath(import.meta.url);
-            const pkgDir = dirname(dirname(__filename));
-            const defaultsFile = join(pkgDir, ".claudecode-lint.defaults.yaml");
+            const defaultsFile = assetCandidates(import.meta.url, [
+                "..",
+                ".claudecode-lint.defaults.yaml",
+            ]).find((p) => existsSync(p)) ??
+                join(dirname(dirname(fileURLToPath(import.meta.url))), ".claudecode-lint.defaults.yaml");
             const targetDir = typeof opts.init === "string" ? resolve(opts.init) : process.cwd();
             const targetFile = join(targetDir, ".claudecode-lint.yaml");
             if (existsSync(targetFile)) {
@@ -197,10 +230,33 @@ sade("claudecode-linter", true)
                 ignore: ignorePatterns,
             });
             if (artifacts.length === 0) {
-                process.stderr.write(pc.yellow(`No plugin artifacts found in ${targetPath}\n`));
+                process.stderr.write(pc.yellow(`No plugin artifacts found in ${sanitizeForTerminal(targetPath)}\n`));
                 continue;
             }
+            // All --fix / --format writes for this target must stay inside
+            // rootDir. If targetPath is a file, rootDir is its parent dir.
+            const resolvedTarget = resolve(targetPath);
+            let rootDir = resolvedTarget;
+            try {
+                if (!statSync(resolvedTarget).isDirectory()) {
+                    rootDir = dirname(resolvedTarget);
+                }
+            }
+            catch {
+                rootDir = dirname(resolvedTarget);
+            }
             for (const artifact of artifacts) {
+                let sizeBytes;
+                try {
+                    sizeBytes = statSync(artifact.filePath).size;
+                }
+                catch {
+                    sizeBytes = 0;
+                }
+                if (sizeBytes > MAX_ARTIFACT_BYTES) {
+                    process.stderr.write(pc.yellow(`Skipping ${sanitizeForTerminal(artifact.filePath)}: file exceeds ${MAX_ARTIFACT_BYTES}-byte limit (${sizeBytes} bytes)\n`));
+                    continue;
+                }
                 let content = readFileSync(artifact.filePath, "utf-8");
                 const relPath = relative(process.cwd(), artifact.filePath);
                 if (opts.format) {
@@ -208,8 +264,14 @@ sade("claudecode-linter", true)
                     if (fixer) {
                         const fixedContent = await fixer.fix(artifact.filePath, content, config);
                         if (fixedContent !== content) {
-                            writeFileSync(artifact.filePath, fixedContent);
-                            formatted.push(relPath);
+                            const blocked = writeBlockedReason(artifact.filePath, rootDir);
+                            if (blocked) {
+                                process.stderr.write(pc.red(`Refusing to write ${sanitizeForTerminal(artifact.filePath)}: ${blocked}\n`));
+                            }
+                            else {
+                                writeFileSync(artifact.filePath, fixedContent);
+                                formatted.push(relPath);
+                            }
                         }
                     }
                     continue;
@@ -221,9 +283,15 @@ sade("claudecode-linter", true)
                     if (fixer) {
                         const fixedContent = await fixer.fix(artifact.filePath, content, config);
                         if (fixedContent !== content) {
-                            writeFileSync(artifact.filePath, fixedContent);
-                            content = fixedContent;
-                            fixed = 1;
+                            const blocked = writeBlockedReason(artifact.filePath, rootDir);
+                            if (blocked) {
+                                process.stderr.write(pc.red(`Refusing to write ${sanitizeForTerminal(artifact.filePath)}: ${blocked}\n`));
+                            }
+                            else {
+                                writeFileSync(artifact.filePath, fixedContent);
+                                content = fixedContent;
+                                fixed = 1;
+                            }
                         }
                     }
                 }
@@ -233,7 +301,7 @@ sade("claudecode-linter", true)
                         const fixedContent = await fixer.fix(artifact.filePath, content, config);
                         if (fixedContent !== content) {
                             const diff = simpleDiff(content, fixedContent, artifact.filePath);
-                            process.stdout.write(diff + "\n");
+                            process.stdout.write(sanitizeForTerminal(diff) + "\n");
                         }
                     }
                 }

package/dist/linters/agent-md.js

@@ -1,6 +1,7 @@
 import { existsSync, readFileSync } from "node:fs";
 import { dirname, join } from "node:path";
-import { AGENT_MODELS, AGENT_COLORS, TOOLS, PLUGIN_SUBAGENT_BLOCKED_TOOLS, } from "../contracts.js";
+import { AGENT_MODELS, AGENT_COLORS, TOOLS, PERMISSION_MODES, PLUGIN_SUBAGENT_BLOCKED_TOOLS, } from "../contracts.js";
+import { invalidEffortReason } from "../utils/effort.js";
 import { formatAjvError, loadAgentFrontmatterSchema, summarizeErrors, } from "../plugin-schema.js";
 import { isRuleEnabled, getRuleSeverity } from "../types.js";
 import { parseFrontmatter } from "../utils/frontmatter.js";
@@ -65,7 +66,12 @@ const RULES = [
     { id: "agent-md/description-routing-guidance", defaultSeverity: "warning" },
     { id: "agent-md/model-required", defaultSeverity: "error" },
     { id: "agent-md/model-valid", defaultSeverity: "warning" },
-    { id: "agent-md/color-required", defaultSeverity: "warning" },
+    { id: "agent-md/permission-mode-valid", defaultSeverity: "warning" },
+    { id: "agent-md/effort-valid", defaultSeverity: "warning" },
+    { id: "agent-md/max-turns-valid", defaultSeverity: "warning" },
+    // agent-md/color-required removed in gitea#3 — Claude Code marks `color`
+    // as `.optional()` and `@internal`. The remaining `color-valid` rule still
+    // enforces the value set when an author opts in.
     { id: "agent-md/color-valid", defaultSeverity: "warning" },
     { id: "agent-md/system-prompt-present", defaultSeverity: "error" },
     { id: "agent-md/system-prompt-length", defaultSeverity: "warning" },
@@ -158,12 +164,43 @@ export const agentMdLinter = {
             !fm.data.model.startsWith("claude-")) {
             push(diag(config, filePath, "agent-md/model-valid", "warning", `"model" must be one of: ${[...AGENT_MODELS].join(", ")} or a versioned claude-* model ID (got "${fm.data.model}")`));
         }
-        // color
-        if (!("color" in fm.data) || typeof fm.data.color !== "string") {
-            push(diag(config, filePath, "agent-md/color-required", "warning", '"color" is required in frontmatter'));
+        // permissionMode — typed as a permissive scalar by the Zod schema;
+        // at runtime only the PERMISSION_MODES values take effect.
+        if ("permissionMode" in fm.data) {
+            const pm = fm.data.permissionMode;
+            if (typeof pm !== "string" || !PERMISSION_MODES.has(pm)) {
+                push(diag(config, filePath, "agent-md/permission-mode-valid", "warning", `"permissionMode" must be one of: ${[...PERMISSION_MODES].join(", ")} (got ${JSON.stringify(pm)})`));
+            }
+        }
+        // effort — Zod types it as a permissive scalar; the field's describe()
+        // string restricts it to a named level or an integer.
+        if ("effort" in fm.data) {
+            const reason = invalidEffortReason(fm.data.effort);
+            if (reason) {
+                push(diag(config, filePath, "agent-md/effort-valid", "warning", reason));
+            }
         }
-        else if (!AGENT_COLORS.has(fm.data.color)) {
-            push(diag(config, filePath, "agent-md/color-valid", "warning", `"color" must be one of: ${[...AGENT_COLORS].join(", ")} (got "${fm.data.color}")`));
+        // maxTurns — Zod accepts a string / float; only a positive integer
+        // is a meaningful turn budget.
+        if ("maxTurns" in fm.data) {
+            const mt = fm.data.maxTurns;
+            if (typeof mt !== "number" || !Number.isInteger(mt) || mt <= 0) {
+                push(diag(config, filePath, "agent-md/max-turns-valid", "warning", `"maxTurns" must be a positive integer (got ${JSON.stringify(mt)})`));
+            }
+        }
+        // color — optional per Claude Code's agent frontmatter Zod schema
+        // (`color: hW().optional().describe("@internal — display color in the
+        // agents UI")`). Only validate the value if the user set one; never
+        // require it. The `color-required` rule (gitea#3) is kept on disk for
+        // users who explicitly opted in via .claudecode-lint.yaml, but defaults
+        // to off because requiring an @internal display field misled users.
+        if ("color" in fm.data) {
+            if (typeof fm.data.color !== "string") {
+                push(diag(config, filePath, "agent-md/color-valid", "warning", '"color" must be a string when set'));
+            }
+            else if (!AGENT_COLORS.has(fm.data.color)) {
+                push(diag(config, filePath, "agent-md/color-valid", "warning", `"color" must be one of: ${[...AGENT_COLORS].join(", ")} (got "${fm.data.color}")`));
+            }
         }
         // Frontmatter keys: only flag cross-artifact misplacement. A key valid
         // for a *different* markdown artifact (e.g. a skill-only key on an

package/dist/linters/command-md.js

@@ -1,12 +1,17 @@
-import { TOOLS } from "../contracts.js";
+import { AGENT_MODELS, TOOLS } from "../contracts.js";
 import { formatAjvError, loadCommandFrontmatterSchema, summarizeErrors, } from "../plugin-schema.js";
 import { isRuleEnabled, getRuleSeverity } from "../types.js";
+import { invalidEffortReason } from "../utils/effort.js";
 import { parseFrontmatter } from "../utils/frontmatter.js";
 import { artifactLabel, classifyUnknownFrontmatterKey, } from "../utils/frontmatter-keys.js";
 const RULES = [
     { id: "command-md/valid-frontmatter", defaultSeverity: "error" },
     { id: "command-md/schema-valid", defaultSeverity: "error" },
     { id: "command-md/description-required", defaultSeverity: "error" },
+    { id: "command-md/name-format", defaultSeverity: "warning" },
+    { id: "command-md/model-valid", defaultSeverity: "warning" },
+    { id: "command-md/effort-valid", defaultSeverity: "warning" },
+    { id: "command-md/frontmatter-field-type", defaultSeverity: "warning" },
     { id: "command-md/allowed-tools-valid", defaultSeverity: "warning" },
     { id: "command-md/body-present", defaultSeverity: "warning" },
     { id: "command-md/no-unknown-frontmatter", defaultSeverity: "info" },
@@ -57,6 +62,37 @@ export const commandMdLinter = {
         if (!("description" in fm.data) || typeof fm.data.description !== "string") {
             push(diag(config, filePath, "command-md/description-required", "error", "\"description\" is required in frontmatter"));
         }
+        // name — optional display-name override. Zod types it as a permissive
+        // scalar; if present it must be a non-empty string.
+        if ("name" in fm.data) {
+            const name = fm.data.name;
+            if (typeof name !== "string" || name.trim() === "") {
+                push(diag(config, filePath, "command-md/name-format", "warning", `"name" must be a non-empty string (got ${JSON.stringify(name)})`));
+            }
+        }
+        // model — Zod types it as a permissive scalar; accept a named alias or a
+        // versioned claude-* model id. Mirrors agent-md/model-valid.
+        if ("model" in fm.data && typeof fm.data.model === "string") {
+            const model = fm.data.model;
+            if (!AGENT_MODELS.has(model) && !model.startsWith("claude-")) {
+                push(diag(config, filePath, "command-md/model-valid", "warning", `"model" must be one of: ${[...AGENT_MODELS].join(", ")} or a versioned claude-* model ID (got "${model}")`));
+            }
+        }
+        // effort — Zod types it as a permissive scalar; the field's describe()
+        // string restricts it to a named level or an integer.
+        if ("effort" in fm.data) {
+            const reason = invalidEffortReason(fm.data.effort);
+            if (reason) {
+                push(diag(config, filePath, "command-md/effort-valid", "warning", reason));
+            }
+        }
+        // boolean fields — the Zod schema accepts the string "true"; only a real
+        // boolean behaves as expected.
+        for (const field of ["disable-model-invocation", "user-invocable"]) {
+            if (field in fm.data && typeof fm.data[field] !== "boolean") {
+                push(diag(config, filePath, "command-md/frontmatter-field-type", "warning", `"${field}" must be a boolean (got ${JSON.stringify(fm.data[field])})`));
+            }
+        }
         // allowed-tools
         if ("allowed-tools" in fm.data) {
             const tools = fm.data["allowed-tools"];

package/dist/linters/hooks-json.js

@@ -1,7 +1,9 @@
 import { HOOK_EVENTS, HOOK_TYPES, PROMPT_EVENTS } from "../contracts.js";
+import { formatAjvError, loadHooksJsonSchema, summarizeErrors, } from "../plugin-schema.js";
 import { isRuleEnabled, getRuleSeverity } from "../types.js";
 const RULES = [
     { id: "hooks-json/valid-json", defaultSeverity: "error" },
+    { id: "hooks-json/schema-valid", defaultSeverity: "error" },
     { id: "hooks-json/root-hooks-key", defaultSeverity: "error" },
     { id: "hooks-json/valid-event-names", defaultSeverity: "error" },
     { id: "hooks-json/hook-type-required", defaultSeverity: "error" },
@@ -52,6 +54,28 @@ export const hooksJsonLinter = {
             push(diag(config, filePath, "hooks-json/valid-json", "error", "hooks.json must be a JSON object"));
             return diagnostics;
         }
+        // schema-valid — structural validation against the JSON Schema
+        // auto-extracted from Claude Code's hooks-config Zod validator (the
+        // hook-event → matcher-array map, each matcher holding a discriminated
+        // union of hook definitions). The hand-written rules below add
+        // Claude-Code-specific advice the schema can't express (hardcoded-path
+        // warnings, prompt-event-support hints, …). The extracted schema is
+        // intentionally permissive about unknown hook fields (Claude Code's hook
+        // objects are not .strict()). Skipped silently if the schema bundle isn't
+        // shipped with this install.
+        if (isRuleEnabled(config, "hooks-json/schema-valid")) {
+            const compiled = loadHooksJsonSchema();
+            if (compiled) {
+                const ok = compiled.validate(parsed);
+                if (!ok && compiled.validate.errors) {
+                    for (const err of summarizeErrors(compiled.validate.errors)) {
+                        const firstSeg = err.instancePath.split("/").filter(Boolean)[0];
+                        const p = firstSeg ? findKeyPosition(content, firstSeg) : undefined;
+                        push(diag(config, filePath, "hooks-json/schema-valid", "error", formatAjvError(err), p?.line, p?.column));
+                    }
+                }
+            }
+        }
         const root = parsed;
         // root "hooks" key
         if (!("hooks" in root) || typeof root.hooks !== "object" || root.hooks === null) {

package/dist/linters/keybindings-json.js

@@ -0,0 +1,53 @@
+import { formatAjvError, loadKeybindingsSchema, summarizeErrors, } from "../plugin-schema.js";
+import { isRuleEnabled, getRuleSeverity } from "../types.js";
+export const KEYBINDINGS_JSON_RULES = [
+    { id: "keybindings-json/valid-json", defaultSeverity: "error" },
+    { id: "keybindings-json/schema-valid", defaultSeverity: "error" },
+];
+/**
+ * Validate `~/.claude/keybindings.json` (or per-project `keybindings.json`)
+ * against the schemastore.org curated schema. As with marketplace.json,
+ * there is no Zod source for keybindings in the Claude Code bundle —
+ * schemastore is the sole authoritative shape we have.
+ */
+export const keybindingsJsonLinter = {
+    artifactType: "keybindings-json",
+    lint(filePath, content, config) {
+        const diagnostics = [];
+        const push = (d) => {
+            if (d)
+                diagnostics.push(d);
+        };
+        let parsed;
+        try {
+            parsed = JSON.parse(content);
+        }
+        catch (e) {
+            push(diag(config, filePath, "keybindings-json/valid-json", "error", `Invalid JSON: ${e.message}`));
+            return diagnostics;
+        }
+        if (isRuleEnabled(config, "keybindings-json/schema-valid")) {
+            const compiled = loadKeybindingsSchema();
+            if (compiled) {
+                const ok = compiled.validate(parsed);
+                if (!ok && compiled.validate.errors) {
+                    for (const err of summarizeErrors(compiled.validate.errors)) {
+                        push(diag(config, filePath, "keybindings-json/schema-valid", "error", formatAjvError(err)));
+                    }
+                }
+            }
+        }
+        return diagnostics;
+    },
+};
+function diag(config, filePath, ruleId, defaultSeverity, message) {
+    if (!isRuleEnabled(config, ruleId))
+        return null;
+    return {
+        rule: ruleId,
+        severity: getRuleSeverity(config, ruleId, defaultSeverity),
+        message,
+        file: filePath,
+    };
+}
+//# sourceMappingURL=keybindings-json.js.map

package/dist/linters/marketplace-json.js

@@ -0,0 +1,55 @@
+import { formatAjvError, loadMarketplaceSchema, summarizeErrors, } from "../plugin-schema.js";
+import { isRuleEnabled, getRuleSeverity } from "../types.js";
+export const MARKETPLACE_JSON_RULES = [
+    { id: "marketplace-json/valid-json", defaultSeverity: "error" },
+    { id: "marketplace-json/schema-valid", defaultSeverity: "error" },
+];
+/**
+ * Validate `.claude-plugin/marketplace.json` against the schemastore.org
+ * curated schema. There's no Zod source for marketplace.json in the Claude
+ * Code bundle — schemastore is the sole authoritative shape we have.
+ *
+ * If the schemastore bundle isn't shipped with this install (unlikely;
+ * package.json includes it), the schema check silently skips.
+ */
+export const marketplaceJsonLinter = {
+    artifactType: "marketplace-json",
+    lint(filePath, content, config) {
+        const diagnostics = [];
+        const push = (d) => {
+            if (d)
+                diagnostics.push(d);
+        };
+        let parsed;
+        try {
+            parsed = JSON.parse(content);
+        }
+        catch (e) {
+            push(diag(config, filePath, "marketplace-json/valid-json", "error", `Invalid JSON: ${e.message}`));
+            return diagnostics;
+        }
+        if (isRuleEnabled(config, "marketplace-json/schema-valid")) {
+            const compiled = loadMarketplaceSchema();
+            if (compiled) {
+                const ok = compiled.validate(parsed);
+                if (!ok && compiled.validate.errors) {
+                    for (const err of summarizeErrors(compiled.validate.errors)) {
+                        push(diag(config, filePath, "marketplace-json/schema-valid", "error", formatAjvError(err)));
+                    }
+                }
+            }
+        }
+        return diagnostics;
+    },
+};
+function diag(config, filePath, ruleId, defaultSeverity, message) {
+    if (!isRuleEnabled(config, ruleId))
+        return null;
+    return {
+        rule: ruleId,
+        severity: getRuleSeverity(config, ruleId, defaultSeverity),
+        message,
+        file: filePath,
+    };
+}
+//# sourceMappingURL=marketplace-json.js.map

package/dist/linters/mcp-json.js

@@ -1,5 +1,6 @@
 import { basename } from "node:path";
 import { MCP_SERVER_FIELDS } from "../contracts.js";
+import { formatAjvError, loadMcpJsonSchema, summarizeErrors, } from "../plugin-schema.js";
 import { isRuleEnabled, getRuleSeverity } from "../types.js";
 import { isKebabCase } from "../utils/kebab-case.js";
 // Valid `type` values for a URL-based HTTP MCP server. Claude Code v2.1.146
@@ -9,6 +10,7 @@ const HTTP_TRANSPORT_TYPES = new Set(["http", "streamable-http"]);
 const RULES = [
     { id: "mcp-json/scope-file-name", defaultSeverity: "warning" },
     { id: "mcp-json/valid-json", defaultSeverity: "error" },
+    { id: "mcp-json/schema-valid", defaultSeverity: "error" },
     { id: "mcp-json/servers-required", defaultSeverity: "error" },
     { id: "mcp-json/servers-object", defaultSeverity: "error" },
     { id: "mcp-json/server-name-kebab", defaultSeverity: "info" },
@@ -73,6 +75,28 @@ export const mcpJsonLinter = {
             push(diag(config, filePath, "mcp-json/valid-json", "error", "mcp.json must be a JSON object"));
             return diagnostics;
         }
+        // schema-valid — structural validation against the JSON Schema
+        // auto-extracted from Claude Code's .mcp.json Zod validator (the
+        // `mcpServers` record of discriminated transport configs). The hand-written
+        // rules below add Claude-Code-specific advice the schema can't express
+        // (kebab-case names, ${CLAUDE_PLUGIN_ROOT} hints, …). The extracted schema
+        // is intentionally permissive about unknown server fields (Claude Code's
+        // server union is not .strict()), so those are NOT reported here —
+        // mcp-json/no-unknown-server-fields handles them. Skipped silently if the
+        // schema bundle isn't shipped with this install.
+        if (isRuleEnabled(config, "mcp-json/schema-valid")) {
+            const compiled = loadMcpJsonSchema();
+            if (compiled) {
+                const ok = compiled.validate(parsed);
+                if (!ok && compiled.validate.errors) {
+                    for (const err of summarizeErrors(compiled.validate.errors)) {
+                        const firstSeg = err.instancePath.split("/").filter(Boolean)[0];
+                        const p = firstSeg ? findKeyPosition(content, firstSeg) : undefined;
+                        push(diag(config, filePath, "mcp-json/schema-valid", "error", formatAjvError(err), p?.line, p?.column));
+                    }
+                }
+            }
+        }
         // mcpServers required
         if (!("mcpServers" in parsed)) {
             push(diag(config, filePath, "mcp-json/servers-required", "error", "\"mcpServers\" field is required"));