refactor(plugin): install via marketplace; skill bundle fetched lazily from Maven Central

.claude-plugin/marketplace.json

@@ -0,0 +1,24 @@
+{
+  "name": "sonar-predict",
+  "owner": {
+    "name": "Amit Kumar",
+    "url": "https://github.com/RandomCodeSpace"
+  },
+  "plugins": [
+    {
+      "name": "sonar-predictor",
+      "source": "./plugin",
+      "description": "Offline SonarSource quality gate — runs the genuine SonarSource analyzers locally (no network, no server) to catch bugs, code smells, vulnerabilities and security hotspots. The plugin itself is lightweight (kilobytes); the heavy analyzer bundle is fetched from Maven Central on first invocation and cached locally for every subsequent run.",
+      "homepage": "https://github.com/RandomCodeSpace/sonar-predict",
+      "license": "Apache-2.0",
+      "keywords": [
+        "code-quality",
+        "static-analysis",
+        "sonarsource",
+        "linter",
+        "quality-gate",
+        "offline"
+      ]
+    }
+  ]
+}

.github/workflows/publish.yml

@@ -9,10 +9,12 @@ name: Publish to Maven Central + GitHub Release
 #   2. builds, tests, GPG-signs and deploys protocol/daemon/cli to Maven
 #      Central via the Sonatype Central Portal (the dist module sets
 #      maven.deploy.skip=true so it is built but never staged),
-#   3. creates a GitHub Release carrying three bundles: a whole-repo source
-#      zip (git archive of HEAD), the assembled skill bundle zip, and the
-#      assembled plugin bundle zip (the .claude-plugin format installable
-#      on Claude Code and GitHub Copilot CLI).
+#   3. creates a GitHub Release carrying two bundles: a whole-repo source
+#      zip (git archive of HEAD) and the assembled skill bundle zip. The
+#      plugin itself is installed via the in-repo /plugin/ directory through
+#      Claude Code's / Copilot CLI's marketplace (see /.claude-plugin/
+#      marketplace.json); its skill launcher downloads the analyzer bundle
+#      on first run from the Maven Central artifact this workflow publishes.
 #
 # Required repo secrets:
 #   OSS_NEXUS_USER         - Sonatype Central Portal token username
@@ -126,20 +128,6 @@ jobs:
           echo "skill_zip=${SKILL_ZIP}" >> "$GITHUB_OUTPUT"
           echo "Skill bundle: ${SKILL_ZIP}"
 
-      - name: Locate the plugin bundle zip
-        id: plugin
-        run: |
-          set -euo pipefail
-          VERSION="${{ steps.version.outputs.version }}"
-          PLUGIN_ZIP="dist/target/sonar-predict-plugin-${VERSION}.zip"
-          if [ ! -f "${PLUGIN_ZIP}" ]; then
-            echo "::error::plugin bundle not found at ${PLUGIN_ZIP}"
-            ls -la dist/target || true
-            exit 1
-          fi
-          echo "plugin_zip=${PLUGIN_ZIP}" >> "$GITHUB_OUTPUT"
-          echo "Plugin bundle: ${PLUGIN_ZIP}"
-
       - name: Create the GitHub Release
         env:
           GH_TOKEN: ${{ github.token }}
@@ -148,7 +136,6 @@ jobs:
           VERSION="${{ steps.version.outputs.version }}"
           SRC_ZIP="sonar-predict-${VERSION}-src.zip"
           SKILL_ZIP="${{ steps.bundle.outputs.skill_zip }}"
-          PLUGIN_ZIP="${{ steps.plugin.outputs.plugin_zip }}"
           if [ -n "${GITHUB_REF_NAME:-}" ] && [ "${GITHUB_REF_TYPE:-}" = "tag" ]; then
             TAG="${GITHUB_REF_NAME}"
           else
@@ -158,5 +145,4 @@ jobs:
             --title "sonar-predict ${VERSION}" \
             --generate-notes \
             "${SRC_ZIP}" \
-            "${SKILL_ZIP}" \
-            "${PLUGIN_ZIP}"
+            "${SKILL_ZIP}"

dist/pom.xml

@@ -171,37 +171,6 @@
                             </descriptors>
                         </configuration>
                     </execution>
-                    <!-- Exploded plugin bundle at target/plugin/sonar-predictor/.
-                         The .claude-plugin/plugin.json format is shared by
-                         Claude Code and GitHub Copilot CLI, so one bundle
-                         installs in both. Layout: .claude-plugin/, agents/,
-                         skills/sonar-predictor/. -->
-                    <execution>
-                        <id>build-plugin-dir</id>
-                        <phase>package</phase>
-                        <goals><goal>single</goal></goals>
-                        <configuration>
-                            <appendAssemblyId>false</appendAssemblyId>
-                            <finalName>plugin</finalName>
-                            <descriptors>
-                                <descriptor>src/assembly/plugin.xml</descriptor>
-                            </descriptors>
-                        </configuration>
-                    </execution>
-                    <!-- Matching plugin zip:
-                         target/sonar-predict-plugin-<version>.zip. -->
-                    <execution>
-                        <id>build-plugin-zip</id>
-                        <phase>package</phase>
-                        <goals><goal>single</goal></goals>
-                        <configuration>
-                            <appendAssemblyId>false</appendAssemblyId>
-                            <finalName>sonar-predict-plugin-${project.version}</finalName>
-                            <descriptors>
-                                <descriptor>src/assembly/plugin-zip.xml</descriptor>
-                            </descriptors>
-                        </configuration>
-                    </execution>
                 </executions>
             </plugin>
         </plugins>

dist/src/main/plugin/.claude-plugin/plugin.json → plugin/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "sonar-predictor",
-  "version": "0.1.1",
-  "description": "Offline SonarSource quality gate — runs the genuine SonarSource analyzers locally (no network, no server) to catch bugs, code smells, vulnerabilities and security hotspots. Bundles the sonar-predictor scanner skill and two named agent variants — invoke `sonar-scanner-claude` on Claude Code (model: haiku) and `sonar-scanner-copilot` on GitHub Copilot CLI (model: gpt-5-mini). Selection is by agent name; neither is implicitly default.",
+  "version": "0.1.3",
+  "description": "Offline SonarSource quality gate — runs the genuine SonarSource analyzers locally (no network, no server) to catch bugs, code smells, vulnerabilities and security hotspots. Ships two named scanner agent variants (sonar-scanner-claude on Claude Code, sonar-scanner-copilot on GitHub Copilot CLI) and a thin sonar-predictor skill whose launcher fetches the analyzer bundle (~150 MB) from Maven Central on first invocation and caches it for every subsequent run.",
   "author": {
     "name": "Amit Kumar",
     "url": "https://github.com/RandomCodeSpace"

plugin/skills/sonar-predictor/SKILL.md

@@ -0,0 +1,20 @@
+---
+name: sonar-predictor
+description: Use after writing or modifying source code, before committing or pushing — runs genuine SonarSource analyzers offline as a fast local quality gate to catch bugs, code smells, vulnerabilities and security hotspots. Also use when the user asks to check code quality, run sonar, or analyze a file or diff.
+---
+
+# sonar-predictor
+
+An offline SonarSource pre-push quality gate — runs the genuine analyzers locally, no network, no server.
+
+**Scan-only.** This skill only *scans and reports* — it reads source and emits findings, and never modifies any file. Applying fixes is the calling agent's job, not this tool's; running it is a safe, read-only operation.
+
+Run `./bin/sonar` from this skill's base directory (the folder with this `SKILL.md`), or by its absolute path — it is not on `PATH`. The first invocation downloads the analyzer bundle (~150 MB) from Maven Central into a user cache; every subsequent call runs from that cache with no network. **Read the tool's own help before invoking it:** `./bin/sonar --help` lists the commands and the global options, and `./bin/sonar <command> --help` gives a command's own options and exact argument order. The skill scans a git changeset or explicit files and directories and reports in a chosen format — the help states the precise flags and where each one goes. That generated help is the single source of truth; this `SKILL.md` deliberately does not restate command syntax, which would drift. Do not guess flag names or their placement — read the help.
+
+Exit codes: `0` clean, `1` issues found, `2` tool error.
+
+Acting on findings: fix `BUG`/`VULNERABILITY`/`SECURITY_HOTSPOT` and `CRITICAL`/`MAJOR` first. This is a fast first-pass gate, not the release gate — fix the real issues and move on.
+
+**Air-gapped / pre-staged installs.** Set `SONAR_PREDICTOR_HOME=/path/to/extracted/sonar-predictor` to point the launcher at a pre-downloaded bundle and skip the first-run download.
+
+**Plugin-bundled agent variants.** Two named scanner subagents ship with this plugin: invoke `sonar-scanner-claude` on Claude Code (model: haiku) or `sonar-scanner-copilot` on GitHub Copilot CLI (model: gpt-5-mini). Selection is by agent name — pick the one matching your platform.