diff --git a/apps/cursor/src/actions/create-plugin.ts b/apps/cursor/src/actions/create-plugin.ts
index 8578cf7e..347fb27e 100644
--- a/apps/cursor/src/actions/create-plugin.ts
+++ b/apps/cursor/src/actions/create-plugin.ts
@@ -2,6 +2,7 @@
 
 import { revalidatePath } from "next/cache";
 import { z } from "zod";
+import { resolveGithubRepoIdFromRepository } from "@/lib/github-plugin/parse";
 import { InsertPluginError, insertPlugin } from "@/lib/plugins/insert";
 import { pluginScanLimit } from "@/lib/rate-limit";
 import { ActionError, authActionClient } from "./safe-action";
@@ -62,6 +63,12 @@ export const createPluginAction = authActionClient
         );
       }
 
+      // Never trust a client-supplied github_repo_id — resolve from the
+      // repository URL via GitHub so squatters cannot block idempotent imports.
+      const githubRepoId = await resolveGithubRepoIdFromRepository(repository, {
+        maxWaitMs: 3000,
+      });
+
       let result: { id: string; slug: string };
       try {
         result = await insertPlugin(
@@ -74,7 +81,12 @@ export const createPluginAction = authActionClient
             keywords,
             components,
           },
-          { ownerId: userId, source: "user", skipScan: false },
+          {
+            ownerId: userId,
+            source: "user",
+            skipScan: false,
+            githubRepoId,
+          },
         );
       } catch (err) {
         if (err instanceof InsertPluginError) {
diff --git a/apps/cursor/src/actions/star-plugin.ts b/apps/cursor/src/actions/star-plugin.ts
index 5f85ecb3..8e8628cf 100644
--- a/apps/cursor/src/actions/star-plugin.ts
+++ b/apps/cursor/src/actions/star-plugin.ts
@@ -2,9 +2,8 @@
 
 import { revalidatePath } from "next/cache";
 import { z } from "zod";
-import { createClient as createAdminClient } from "@/utils/supabase/admin-client";
 import { createClient } from "@/utils/supabase/server";
-import { authActionClient } from "./safe-action";
+import { ActionError, authActionClient } from "./safe-action";
 
 export const starPluginAction = authActionClient
   .metadata({
@@ -16,32 +15,17 @@ export const starPluginAction = authActionClient
       slug: z.string(),
     }),
   )
-  .action(async ({ parsedInput: { pluginId, slug }, ctx: { userId } }) => {
+  .action(async ({ parsedInput: { pluginId, slug } }) => {
+    // User-scoped client so `auth.uid()` inside the SECURITY DEFINER RPC
+    // authorizes against the caller, not the service role.
     const supabase = await createClient();
 
-    const { data: existing } = await supabase
-      .from("plugin_stars")
-      .select("plugin_id")
-      .eq("plugin_id", pluginId)
-      .eq("user_id", userId)
-      .maybeSingle();
+    const { error } = await supabase.rpc("toggle_plugin_star", {
+      plugin_id_input: pluginId,
+    });
 
-    const admin = await createAdminClient();
-
-    if (existing) {
-      await supabase
-        .from("plugin_stars")
-        .delete()
-        .eq("plugin_id", pluginId)
-        .eq("user_id", userId);
-
-      await admin.rpc("decrement_star_count", { plugin_id_input: pluginId });
-    } else {
-      await supabase
-        .from("plugin_stars")
-        .insert({ plugin_id: pluginId, user_id: userId });
-
-      await admin.rpc("increment_star_count", { plugin_id_input: pluginId });
+    if (error) {
+      throw new ActionError(`Failed to update star: ${error.message}`);
     }
 
     revalidatePath("/");
diff --git a/apps/cursor/src/actions/update-plugin.ts b/apps/cursor/src/actions/update-plugin.ts
index 5955165d..7f7a414a 100644
--- a/apps/cursor/src/actions/update-plugin.ts
+++ b/apps/cursor/src/actions/update-plugin.ts
@@ -24,6 +24,100 @@ const componentSchema = z.object({
   metadata: z.record(z.string(), z.unknown()).optional(),
 });
 
+type ComponentInput = z.infer<typeof componentSchema>;
+
+type ExistingComponent = {
+  type: string;
+  name: string;
+  slug: string;
+  description: string | null;
+  content: string | null;
+  metadata: Record<string, unknown> | null;
+  sort_order: number;
+};
+
+function slugify(value: string): string {
+  return value
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "");
+}
+
+function componentKey(type: string, slug: string): string {
+  return `${type}:${slug}`;
+}
+
+// Only fields that affect the install payload — cosmetic edits to name,
+// description, or sort_order must not trigger a rescan. MCP install links and
+// configs can live in metadata, so compare the metadata that will be saved.
+function fingerprintComponent(c: {
+  type: string;
+  slug?: string | null;
+  name: string;
+  content?: string | null;
+  metadata?: Record<string, unknown> | null;
+}): string {
+  const slug = c.slug || slugify(c.name);
+  return JSON.stringify({
+    type: c.type,
+    slug,
+    content: c.content ?? "",
+    metadata: c.metadata ?? {},
+  });
+}
+
+function resolveComponentMetadata(
+  comp: ComponentInput,
+  prevByKey: Map<string, ExistingComponent>,
+): Record<string, unknown> {
+  const slug = comp.slug || slugify(comp.name);
+  const submitted = comp.metadata;
+  if (submitted && Object.keys(submitted).length > 0) {
+    return submitted;
+  }
+  const prev = prevByKey.get(componentKey(comp.type, slug));
+  return prev?.metadata ?? {};
+}
+
+function installRelevantChanged(
+  prevComponents: ExistingComponent[],
+  prevRepository: string | null,
+  nextComponents: ComponentInput[],
+  nextRepository: string | null,
+): boolean {
+  if ((prevRepository ?? null) !== (nextRepository ?? null)) {
+    return true;
+  }
+
+  if (prevComponents.length !== nextComponents.length) {
+    return true;
+  }
+
+  const prevSorted = [...prevComponents]
+    .sort((a, b) => a.sort_order - b.sort_order)
+    .map(fingerprintComponent)
+    .sort();
+  const prevByKey = new Map(
+    prevComponents.map((c) => [
+      componentKey(c.type, c.slug || slugify(c.name)),
+      c,
+    ]),
+  );
+  const nextSorted = nextComponents
+    .map((component) =>
+      fingerprintComponent({
+        ...component,
+        metadata: resolveComponentMetadata(component, prevByKey),
+      }),
+    )
+    .sort();
+
+  for (let i = 0; i < prevSorted.length; i++) {
+    if (prevSorted[i] !== nextSorted[i]) return true;
+  }
+  return false;
+}
+
 export const updatePluginAction = authActionClient
   .metadata({
     actionName: "update-plugin",
@@ -62,7 +156,9 @@ export const updatePluginAction = authActionClient
 
       const { data: existing, error: fetchError } = await supabase
         .from("plugins")
-        .select("id, owner_id, slug")
+        .select(
+          "id, owner_id, slug, repository, github_repo_id, active, plugin_components(type, name, slug, description, content, metadata, sort_order)",
+        )
         .eq("id", id)
         .single();
 
@@ -76,86 +172,93 @@ export const updatePluginAction = authActionClient
         );
       }
 
-      const { success } = await pluginScanLimit(userId);
-      if (!success) {
-        throw new ActionError(
-          "Too many plugin updates in the last hour. Please try again later.",
-        );
-      }
+      // Source URL is pinned to the parsed GitHub repo so an owner can't keep
+      // the verified-looking badge while swapping the install payload.
+      const repositoryLocked = existing.github_repo_id != null;
+      const effectiveRepository = repositoryLocked
+        ? (existing.repository ?? null)
+        : (repository ?? null);
 
-      const { error: updateError } = await supabase
-        .from("plugins")
-        .update({
-          name,
-          description,
-          logo: logo || null,
-          repository: repository || null,
-          homepage: homepage || null,
-          keywords: keywords || [],
-        })
-        .eq("id", id);
+      const prevComponents = (existing.plugin_components ??
+        []) as ExistingComponent[];
 
-      if (updateError) {
-        if (updateError.code === "23505") {
+      const installChanged = installRelevantChanged(
+        prevComponents,
+        existing.repository ?? null,
+        components,
+        effectiveRepository,
+      );
+
+      const shouldRescan = installChanged;
+      if (shouldRescan) {
+        const { success } = await pluginScanLimit(userId);
+        if (!success) {
           throw new ActionError(
-            "A plugin with this name already exists. Please choose a different name.",
+            "Too many plugin updates in the last hour. Please try again later.",
           );
         }
-        throw new ActionError(
-          `Failed to update plugin: ${updateError.message}`,
-        );
       }
 
-      const { error: deleteError } = await supabase
-        .from("plugin_components")
-        .delete()
-        .eq("plugin_id", id);
+      const prevByKey = new Map(
+        prevComponents.map((c) => [
+          componentKey(c.type, c.slug || slugify(c.name)),
+          c,
+        ]),
+      );
 
-      if (deleteError) {
-        throw new ActionError(
-          `Failed to update components: ${deleteError.message}`,
-        );
-      }
+      const componentRows = components.map((comp, i) => ({
+        plugin_id: id,
+        type: comp.type,
+        name: comp.name,
+        slug: comp.slug || slugify(comp.name),
+        description: comp.description || null,
+        content: comp.content || null,
+        metadata: resolveComponentMetadata(comp, prevByKey),
+        sort_order: i,
+      }));
 
-      type ComponentInput = z.infer<typeof componentSchema>;
-      const componentRows = components.map(
-        (comp: ComponentInput, i: number) => ({
-          plugin_id: id,
-          type: comp.type,
-          name: comp.name,
-          slug:
-            comp.slug ||
-            comp.name
-              .toLowerCase()
-              .replace(/[^a-z0-9]+/g, "-")
-              .replace(/^-+|-+$/g, ""),
-          description: comp.description || null,
-          content: comp.content || null,
-          metadata: comp.metadata || {},
-          sort_order: i,
-        }),
+      const { error: updateError } = await supabase.rpc(
+        "update_plugin_with_components",
+        {
+          p_plugin_id: id,
+          p_name: name,
+          p_description: description,
+          p_logo: logo || null,
+          p_repository: effectiveRepository,
+          p_homepage: homepage || null,
+          p_keywords: keywords || [],
+          p_components: componentRows,
+          p_deactivate_for_scan: shouldRescan && existing.active,
+        },
       );
 
-      const { error: compError } = await supabase
-        .from("plugin_components")
-        .insert(componentRows);
-
-      if (compError) {
+      if (updateError) {
+        if (updateError.code === "23505") {
+          throw new ActionError(
+            "A plugin with this name already exists. Please choose a different name.",
+          );
+        }
         throw new ActionError(
-          `Failed to save plugin components: ${compError.message}`,
+          `Failed to update plugin: ${updateError.message}`,
         );
       }
 
-      try {
-        await enqueuePluginScan(id);
-        kickDrainAfterResponse();
-      } catch (queueError) {
-        console.error("Failed to enqueue plugin scan", queueError);
+      if (shouldRescan) {
+        try {
+          await enqueuePluginScan(id);
+          kickDrainAfterResponse();
+        } catch (queueError) {
+          console.error("Failed to enqueue plugin scan", queueError);
+        }
       }
 
       revalidatePath("/");
       revalidatePath(`/plugins/${existing.slug}`);
 
-      return { slug: existing.slug };
+      return {
+        slug: existing.slug,
+        rescanQueued: shouldRescan,
+        repositoryLocked,
+      };
     },
   );
diff --git a/apps/cursor/src/components/forms/edit-plugin-form.tsx b/apps/cursor/src/components/forms/edit-plugin-form.tsx
index 6ac2cab5..b9ea75e5 100644
--- a/apps/cursor/src/components/forms/edit-plugin-form.tsx
+++ b/apps/cursor/src/components/forms/edit-plugin-form.tsx
@@ -58,6 +58,7 @@ export function EditPluginForm({ data }: { data: PluginRow }) {
   const [description, setDescription] = useState(data.description ?? "");
   const [logo, setLogo] = useState<string | null>(data.logo);
   const [repository, setRepository] = useState(data.repository ?? "");
+  const repositoryLocked = data.github_repo_id != null;
   const [homepage, setHomepage] = useState(data.homepage ?? "");
   const [keywords, setKeywords] = useState(data.keywords.join(", "));
   const [components, setComponents] = useState<EditableComponent[]>(
@@ -127,7 +128,9 @@ export function EditPluginForm({ data }: { data: PluginRow }) {
       name: name.trim(),
       description: description.trim(),
       logo,
-      repository: repository.trim() || null,
+      repository: repositoryLocked
+        ? (data.repository ?? null)
+        : repository.trim() || null,
       homepage: homepage.trim() || null,
       keywords: keywords
         .split(",")
@@ -139,7 +142,6 @@ export function EditPluginForm({ data }: { data: PluginRow }) {
         slug: slugify(c.name),
         description: c.description.trim() || undefined,
         content: c.content.trim() || undefined,
-        metadata: {},
       })),
     });
   };
@@ -183,15 +185,23 @@ export function EditPluginForm({ data }: { data: PluginRow }) {
           <label className="mb-1.5 block text-sm font-medium">
             Repository URL
             <span className="ml-1 font-normal text-muted-foreground">
-              (optional)
+              {repositoryLocked ? "(locked to GitHub source)" : "(optional)"}
             </span>
           </label>
           <Input
             value={repository}
-            onChange={(e) => setRepository(e.target.value)}
+            onChange={(e) => !repositoryLocked && setRepository(e.target.value)}
+            readOnly={repositoryLocked}
             placeholder="https://github.com/you/your-plugin"
-            className="border-border placeholder:text-[#878787]"
+            className="border-border placeholder:text-[#878787] read-only:cursor-not-allowed read-only:opacity-70"
           />
+          {repositoryLocked && (
+            <p className="mt-1.5 text-xs text-muted-foreground">
+              This plugin was imported from GitHub, so the Source link is locked
+              to that repository to keep the displayed source consistent with
+              the install payload.
+            </p>
+          )}
         </div>
         <div>
           <label className="mb-1.5 block text-sm font-medium">
diff --git a/apps/cursor/src/components/forms/plugin-form.tsx b/apps/cursor/src/components/forms/plugin-form.tsx
index f9cb0d6a..e1451a88 100644
--- a/apps/cursor/src/components/forms/plugin-form.tsx
+++ b/apps/cursor/src/components/forms/plugin-form.tsx
@@ -72,6 +72,7 @@ type ParsedPlugin = {
   author_name?: string;
   author_url?: string;
   author_avatar?: string;
+  github_repo_id?: number;
   components: ParsedComponent[];
 };
 
diff --git a/apps/cursor/src/components/plugins/plugin-detail.tsx b/apps/cursor/src/components/plugins/plugin-detail.tsx
index c5fa645c..6abea3be 100644
--- a/apps/cursor/src/components/plugins/plugin-detail.tsx
+++ b/apps/cursor/src/components/plugins/plugin-detail.tsx
@@ -93,7 +93,9 @@ function toBase64(input: string): string {
 }
 
 function buildMCPInstallDeepLink(name: string, config: string) {
-  return `cursor://anysphere.cursor-deeplink/mcp/install?name=${encodeURIComponent(name)}&config=${toBase64(config)}`;
+  // `+` in a query string decodes to a space, so the base64 must be
+  // URL-encoded or Cursor base64-decodes garbage and throws "Not valid JSON".
+  return `cursor://anysphere.cursor-deeplink/mcp/install?name=${encodeURIComponent(name)}&config=${encodeURIComponent(toBase64(config))}`;
 }
 
 function ScanStatusBanner({
@@ -233,6 +235,13 @@ export function PluginDetailView({ plugin }: { plugin: PluginRow }) {
   const [expandedRule, setExpandedRule] = useState<string | null>(
     rules[0]?.slug ?? null,
   );
+  const [expandedMcp, setExpandedMcp] = useState<string | null>(
+    mcps[0]?.slug ?? null,
+  );
+
+  // Component content stays visible for inactive plugins so owners can review;
+  // only one-click install is hidden.
+  const installable = plugin.active === true;
 
   return (
     <div className="min-h-screen px-4 pt-24 md:pt-32">
@@ -359,11 +368,18 @@ export function PluginDetailView({ plugin }: { plugin: PluginRow }) {
             expandedRule={expandedRule}
             setExpandedRule={setExpandedRule}
             onInstall={handleInstall}
+            installable={installable}
           />
         )}
 
         {activeTab === "mcp_server" && mcps.length > 0 && (
-          <McpSection mcps={mcps} onInstall={handleInstall} />
+          <McpSection
+            mcps={mcps}
+            onInstall={handleInstall}
+            installable={installable}
+            expandedMcp={expandedMcp}
+            setExpandedMcp={setExpandedMcp}
+          />
         )}
 
         {activeTab !== "rule" &&
@@ -373,6 +389,7 @@ export function PluginDetailView({ plugin }: { plugin: PluginRow }) {
               components={activeComponents}
               type={activeTab}
               onInstall={handleInstall}
+              installable={installable}
             />
           )}
       </div>
@@ -385,11 +402,13 @@ function RulesSection({
   expandedRule,
   setExpandedRule,
   onInstall,
+  installable,
 }: {
   rules: NonNullable<PluginRow["plugin_components"]>;
   expandedRule: string | null;
   setExpandedRule: (slug: string | null) => void;
   onInstall: () => void;
+  installable: boolean;
 }) {
   return (
     <div>
@@ -421,21 +440,23 @@ function RulesSection({
                     {rule.name}
                   </span>
                 </button>
-                {deepLinkUsable ? (
-                  <a
-                    href={deepLink}
-                    className="shrink-0 rounded-md border border-border px-2 py-1 text-xs text-muted-foreground transition-colors hover:text-foreground"
-                    onClick={onInstall}
-                  >
-                    Add to Cursor
-                  </a>
-                ) : (
-                  <CopyButton
-                    text={ruleContent}
-                    onCopy={onInstall}
-                    title="Rule too large to install via deeplink — copy and paste into Cursor"
-                  />
-                )}
+                {installable ? (
+                  deepLinkUsable ? (
+                    <a
+                      href={deepLink}
+                      className="shrink-0 rounded-md border border-border px-2 py-1 text-xs text-muted-foreground transition-colors hover:text-foreground"
+                      onClick={onInstall}
+                    >
+                      Add to Cursor
+                    </a>
+                  ) : (
+                    <CopyButton
+                      text={ruleContent}
+                      onCopy={onInstall}
+                      title="Rule too large to install via deeplink — copy and paste into Cursor"
+                    />
+                  )
+                ) : null}
               </div>
 
               {isExpanded && (
@@ -496,9 +517,15 @@ function resolveMcpConfig(
 function McpSection({
   mcps,
   onInstall,
+  installable,
+  expandedMcp,
+  setExpandedMcp,
 }: {
   mcps: NonNullable<PluginRow["plugin_components"]>;
   onInstall: () => void;
+  installable: boolean;
+  expandedMcp: string | null;
+  setExpandedMcp: (slug: string | null) => void;
 }) {
   return (
     <div className="space-y-3">
@@ -508,48 +535,90 @@ function McpSection({
         const mcpLink = meta?.mcp_link as string | undefined;
 
         let installLink = mcpLink ?? null;
-        if (!installLink) {
-          try {
-            const resolved = resolveMcpConfig(mcp.content, meta);
-            if (resolved) {
+        let configPreview: string | null = null;
+        try {
+          const resolved = resolveMcpConfig(mcp.content, meta);
+          if (resolved) {
+            const serialized = JSON.stringify(resolved.config, null, 2);
+            configPreview = serialized;
+            if (!installLink) {
               installLink = buildMCPInstallDeepLink(
                 resolved.name,
                 JSON.stringify(resolved.config),
               );
             }
-          } catch {
-            installLink = null;
           }
+        } catch {
+          installLink = installLink ?? null;
+        }
+        if (!configPreview && mcp.content) {
+          configPreview = mcp.content;
         }
 
+        const isExpanded = expandedMcp === mcp.slug;
+        const canExpand = Boolean(configPreview);
+
         return (
-          <div
-            key={mcp.slug}
-            className="flex items-center justify-between gap-4 rounded-lg border border-border p-4"
-          >
-            <div className="flex items-center gap-3 min-w-0">
-              <span className="shrink-0 rounded-md border border-border bg-muted px-2 py-1 text-xs font-mono text-muted-foreground">
-                MCP
-              </span>
-              <span className="truncate text-sm font-medium">{mcp.name}</span>
-            </div>
-            <div className="flex items-center gap-3 shrink-0">
-              {link && (
-                <Link
-                  href={link}
-                  className="flex items-center gap-1 text-sm text-muted-foreground hover:text-foreground"
-                  target="_blank"
-                >
-                  <span>Source</span>
-                  <ExternalLinkIcon />
-                </Link>
-              )}
-              {installLink ? (
-                <CursorDeepLink mcp_link={installLink} onInstall={onInstall} />
-              ) : mcp.content ? (
-                <CopyButton text={mcp.content} onCopy={onInstall} />
-              ) : null}
+          <div key={mcp.slug} className="rounded-lg border border-border">
+            <div className="flex items-center justify-between gap-4 p-4">
+              <button
+                type="button"
+                className="flex items-center gap-2 min-w-0 text-left disabled:cursor-default"
+                onClick={() =>
+                  canExpand && setExpandedMcp(isExpanded ? null : mcp.slug)
+                }
+                disabled={!canExpand}
+              >
+                {canExpand ? (
+                  <ChevronDown
+                    className={cn(
+                      "size-4 shrink-0 text-muted-foreground transition-transform",
+                      isExpanded && "rotate-180",
+                    )}
+                  />
+                ) : (
+                  <span className="size-4 shrink-0" />
+                )}
+                <span className="shrink-0 rounded-md border border-border bg-muted px-2 py-1 text-xs font-mono text-muted-foreground">
+                  MCP
+                </span>
+                <span className="truncate text-sm font-medium">{mcp.name}</span>
+              </button>
+              <div className="flex items-center gap-3 shrink-0">
+                {link && (
+                  <Link
+                    href={link}
+                    className="flex items-center gap-1 text-sm text-muted-foreground hover:text-foreground"
+                    target="_blank"
+                  >
+                    <span>Source</span>
+                    <ExternalLinkIcon />
+                  </Link>
+                )}
+                {installable && installLink ? (
+                  <CursorDeepLink
+                    mcp_link={installLink}
+                    onInstall={onInstall}
+                  />
+                ) : installable && mcp.content ? (
+                  <CopyButton text={mcp.content} onCopy={onInstall} />
+                ) : null}
+              </div>
             </div>
+
+            {isExpanded && configPreview && (
+              <div className="px-4 pb-4">
+                <p className="mb-2 text-[11px] uppercase tracking-wide text-muted-foreground/80">
+                  This config will be passed to Cursor on install. Inspect
+                  `command`, `args`, and `env` before continuing.
+                </p>
+                <div className="max-h-96 overflow-y-auto rounded-lg border border-border bg-editor p-4 font-mono text-xs leading-6 text-muted-foreground">
+                  <code className="block whitespace-pre-wrap">
+                    {configPreview}
+                  </code>
+                </div>
+              </div>
+            )}
           </div>
         );
       })}
@@ -843,10 +912,12 @@ function GenericComponentSection({
   components,
   type,
   onInstall,
+  installable,
 }: {
   components: NonNullable<PluginRow["plugin_components"]>;
   type: ComponentType;
   onInstall: () => void;
+  installable: boolean;
 }) {
   return (
     <div>
@@ -859,7 +930,8 @@ function GenericComponentSection({
             <CardContent className="p-4 space-y-2">
               <div className="flex items-center justify-between gap-4">
                 <h3 className="text-sm font-medium">{comp.name}</h3>
-                {comp.content &&
+                {installable &&
+                  comp.content &&
                   (() => {
                     if (type !== "command") {
                       return (
diff --git a/apps/cursor/src/lib/github-plugin/parse.ts b/apps/cursor/src/lib/github-plugin/parse.ts
index 04848396..142cd73a 100644
--- a/apps/cursor/src/lib/github-plugin/parse.ts
+++ b/apps/cursor/src/lib/github-plugin/parse.ts
@@ -250,6 +250,21 @@ export type GitHubRepoMeta = {
   license_spdx: string | null;
 };
 
+/**
+ * Resolve GitHub's stable numeric repo id from a repository URL.
+ * Returns null for non-GitHub URLs or when the repo cannot be read.
+ */
+export async function resolveGithubRepoIdFromRepository(
+  repository: string | null | undefined,
+  opts: FetchOptions = {},
+): Promise<number | null> {
+  if (!repository) return null;
+  const parsed = parseGitHubUrl(repository);
+  if (!parsed) return null;
+  const meta = await fetchGitHubRepoMeta(parsed.owner, parsed.repo, opts);
+  return meta?.id ?? null;
+}
+
 export async function fetchGitHubRepoMeta(
   owner: string,
   repo: string,
diff --git a/supabase/migrations/20260523_plugin_star_atomic.sql b/supabase/migrations/20260523_plugin_star_atomic.sql
new file mode 100644
index 00000000..7002a271
--- /dev/null
+++ b/supabase/migrations/20260523_plugin_star_atomic.sql
@@ -0,0 +1,90 @@
+-- Atomic plugin-star toggle: the old three-step `select` + `insert`/`delete`
+-- + `increment_star_count` / `decrement_star_count` flow had no serialization,
+-- so N concurrent toggles from a single user could push `plugins.star_count`
+-- arbitrarily far from `count(*) from plugin_stars`.
+
+do $$
+begin
+  if not exists (
+    select 1
+    from pg_constraint
+    where conname = 'plugin_stars_plugin_user_key'
+  ) then
+    delete from plugin_stars a
+    using plugin_stars b
+    where a.ctid < b.ctid
+      and a.plugin_id = b.plugin_id
+      and a.user_id = b.user_id;
+
+    alter table plugin_stars
+      add constraint plugin_stars_plugin_user_key unique (plugin_id, user_id);
+  end if;
+end
+$$;
+
+create or replace function toggle_plugin_star(plugin_id_input uuid)
+returns jsonb
+language plpgsql
+security definer
+set search_path = public
+as $$
+declare
+  v_user_id uuid := auth.uid();
+  v_inserted boolean := false;
+  v_new_count integer;
+begin
+  if v_user_id is null then
+    raise exception 'not authenticated'
+      using errcode = '28000';
+  end if;
+
+  -- Serialize concurrent toggles for the same plugin.
+  perform 1 from plugins where id = plugin_id_input for update;
+
+  insert into plugin_stars (plugin_id, user_id)
+  values (plugin_id_input, v_user_id)
+  on conflict (plugin_id, user_id) do nothing
+  returning true into v_inserted;
+
+  if not coalesce(v_inserted, false) then
+    delete from plugin_stars
+    where plugin_id = plugin_id_input
+      and user_id = v_user_id;
+  end if;
+
+  -- Derive star_count from count(*) so the cached value can't drift.
+  update plugins
+  set star_count = (
+    select count(*) from plugin_stars where plugin_id = plugin_id_input
+  )
+  where id = plugin_id_input
+  returning star_count into v_new_count;
+
+  return jsonb_build_object(
+    'starred', coalesce(v_inserted, false),
+    'count', coalesce(v_new_count, 0)
+  );
+end;
+$$;
+
+revoke all on function toggle_plugin_star(uuid) from public;
+grant execute on function toggle_plugin_star(uuid) to authenticated;
+
+drop function if exists increment_star_count(uuid);
+drop function if exists decrement_star_count(uuid);
+
+-- Backfill any rows whose cached count had already drifted.
+update plugins p
+set star_count = sub.cnt
+from (
+  select plugin_id, count(*) as cnt
+  from plugin_stars
+  group by plugin_id
+) sub
+where p.id = sub.plugin_id
+  and p.star_count is distinct from sub.cnt;
+
+update plugins
+set star_count = 0
+where star_count is distinct from 0
+  and id not in (select distinct plugin_id from plugin_stars);
diff --git a/supabase/migrations/20260524_atomic_plugin_update.sql b/supabase/migrations/20260524_atomic_plugin_update.sql
new file mode 100644
index 00000000..975f34e9
--- /dev/null
+++ b/supabase/migrations/20260524_atomic_plugin_update.sql
@@ -0,0 +1,85 @@
+-- Keep plugin metadata updates and component rewrites in a single transaction.
+-- If a component row fails validation, Postgres rolls back the delist/reset too.
+create or replace function public.update_plugin_with_components(
+  p_plugin_id uuid,
+  p_name text,
+  p_description text,
+  p_logo text,
+  p_repository text,
+  p_homepage text,
+  p_keywords text[],
+  p_components jsonb,
+  p_deactivate_for_scan boolean
+)
+returns void
+language plpgsql
+set search_path = public
+as $$
+begin
+  update public.plugins
+  set
+    name = p_name,
+    description = p_description,
+    logo = p_logo,
+    repository = p_repository,
+    homepage = p_homepage,
+    keywords = coalesce(p_keywords, '{}'::text[]),
+    active = case when p_deactivate_for_scan then false else active end,
+    scan_status = case
+      when p_deactivate_for_scan then 'pending'
+      else scan_status
+    end,
+    flag_summary = case when p_deactivate_for_scan then null else flag_summary end,
+    flag_reasons = case
+      when p_deactivate_for_scan then '{}'::text[]
+      else flag_reasons
+    end,
+    flag_severity = case when p_deactivate_for_scan then null else flag_severity end,
+    flagged_at = case when p_deactivate_for_scan then null else flagged_at end
+  where id = p_plugin_id;
+
+  if not found then
+    raise exception 'plugin not found'
+      using errcode = 'P0002';
+  end if;
+
+  delete from public.plugin_components
+  where plugin_id = p_plugin_id;
+
+  insert into public.plugin_components (
+    plugin_id,
+    type,
+    name,
+    slug,
+    description,
+    content,
+    metadata,
+    sort_order
+  )
+  select
+    p_plugin_id,
+    component.type,
+    component.name,
+    component.slug,
+    component.description,
+    component.content,
+    coalesce(component.metadata, '{}'::jsonb),
+    component.sort_order
+  from jsonb_to_recordset(p_components) as component(
+    type text,
+    name text,
+    slug text,
+    description text,
+    content text,
+    metadata jsonb,
+    sort_order integer
+  );
+end;
+$$;
+
+revoke execute on function public.update_plugin_with_components(
+  uuid, text, text, text, text, text, text[], jsonb, boolean
+) from public, anon, authenticated;
+grant execute on function public.update_plugin_with_components(
+  uuid, text, text, text, text, text, text[], jsonb, boolean
+) to service_role;