feat: add public external plugin workflows #1723

Merged: aaronpowell merged 7 commits into staged from public-external-plugins, May 15, 2026

@aaronpowell (Contributor)

Summary

  • add intake, approval, and six-month re-review workflows for public external plugins
  • add shared external plugin validation and supporting scripts
  • document the GitHub-only submission policy, labels, and maintainer commands

Validation

  • npm run build
  • npm run plugin:validate
  • npm run skill:validate
  • bash eng/fix-line-endings.sh

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 15, 2026 01:43
github-actions bot added the new-submission (PR adds at least one new contribution) and workflow (PR touches workflow automation) labels May 15, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Adds public external plugin submission automation, shared validation, approval/re-review command handling, and updated contributor/agent documentation for the GitHub-only external plugin workflow.

Changes:

  • Introduces shared external plugin validation and intake/approval/re-review helper scripts.
  • Adds issue form plus GitHub Actions workflows for submission intake, maintainer approval, and six-month re-review.
  • Updates contributor and agent guidance for the new external plugin process.
| File | Description |
| --- | --- |
| eng/validate-plugins.mjs | Includes external catalog validation in plugin validation. |
| eng/generate-marketplace.mjs | Reuses shared external plugin validation before merging catalog entries. |
| eng/external-plugin-validation.mjs | Adds canonical validation policies and helpers for external plugin entries. |
| eng/external-plugin-intake.mjs | Parses issue-form submissions and performs automated intake checks. |
| eng/external-plugin-approval.mjs | Adds approval command parsing and external catalog upsert logic. |
| eng/external-plugin-rereview.mjs | Adds re-review command parsing, issue matching, and removal helpers. |
| .github/ISSUE_TEMPLATE/external-plugin.yml | Adds the external plugin submission issue form. |
| .github/workflows/external-plugin-intake.yml | Adds automated issue intake validation and labeling. |
| .github/workflows/external-plugin-approval-command.yml | Adds /approve and /reject command workflow automation. |
| .github/workflows/external-plugin-rereview.yml | Adds scheduled six-month re-review queue synchronization. |
| .github/workflows/external-plugin-rereview-command.yml | Adds re-review decision command automation. |
| CONTRIBUTING.md | Documents the public external plugin submission and re-review workflow. |
| AGENTS.md | Updates agent-facing external plugin contribution guidance. |

Copilot's findings

  • Files reviewed: 13/13 changed files
  • Comments generated: 8

Copilot AI (Contributor) left a comment

Copilot's findings

Comments suppressed due to low confidence (2)

.github/workflows/external-plugin-rereview-command.yml:192

  • plugin-name can come from the original issue contents when the catalog entry is not matched, so embedding it directly inside the JavaScript template literal lets untrusted markdown/title text break or alter the privileged workflow script. Use an env var or JSON encoding instead of expression interpolation here.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `Marked **${{ steps.parse.outputs.plugin-name }}** as needing follow-up. The plugin will stay in the six-month re-review queue until a maintainer comments \`/re-review-keep\` or \`/re-review-remove\`.`

.github/workflows/external-plugin-rereview-command.yml:300

  • This expression is inserted into JavaScript source even when has-plugin is false, in which case it may be derived from unvalidated issue text. A quote, backtick, or newline in that value can break or inject the privileged script; pass it via env or JSON-encode the output before use.
            const changed = process.env.CHANGED === 'true';
            const prUrl = process.env.PR_URL;
            const pluginName = '${{ steps.parse.outputs.plugin-name }}';
            const hasPlugin = '${{ steps.parse.outputs.has-plugin }}' === 'true';

  • Files reviewed: 13/13 changed files
  • Comments generated: 11
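
The two suppressed findings above describe one mechanism: `${{ ... }}` is expanded as plain text before the script is parsed as JavaScript. The following is an added example, not part of the PR or of Copilot's review; it simulates that expansion and compares it with reading the same values from `env`. The helper names, the `PLUGIN_NAME` and `HAS_PLUGIN` variables, and the sample plugin names are assumptions made for the illustration.

```javascript
// Added illustration: helper names, env var names and sample values are constructed.
// Script body as flagged in the review, plus a return so the result can be inspected.
const FLAGGED = [
  "const changed = process.env.CHANGED === 'true';",
  "const pluginName = '${{ steps.parse.outputs.plugin-name }}';",
  "const hasPlugin = '${{ steps.parse.outputs.has-plugin }}' === 'true';",
  "return { pluginName, hasPlugin };",
].join('\n');

// Same logic with the values delivered as data through env (assumed names).
const VIA_ENV = [
  "const pluginName = process.env.PLUGIN_NAME;",
  "const hasPlugin = process.env.HAS_PLUGIN === 'true';",
  "return { pluginName, hasPlugin };",
].join('\n');

// Simulates the runner: expressions become plain text before any JS parsing.
function expandExpressions(source, outputs) {
  return source.replace(/\$\{\{\s*steps\.parse\.outputs\.([\w-]+)\s*\}\}/g,
    (_, key) => String(outputs[key] ?? ''));
}

// Compiles and runs a script body; returns its result, or the error name on failure.
function runScript(source, env) {
  try {
    return new Function('process', source)({ env });
  } catch (err) {
    return err.name;
  }
}

// Runs both variants with the same step output values.
function compare(pluginName, hasPlugin = 'false') {
  const outputs = { 'plugin-name': pluginName, 'has-plugin': hasPlugin };
  const env = { PLUGIN_NAME: pluginName, HAS_PLUGIN: hasPlugin };
  return {
    interpolated: runScript(expandExpressions(FLAGGED, outputs), env),
    viaEnv: runScript(VIA_ENV, env),
  };
}

// Review aid: every ${{ ... }} still present in a script body, with line number.
function findInlineExpressions(scriptBody) {
  return scriptBody.split('\n').flatMap((line, i) =>
    [...line.matchAll(/\$\{\{(.*?)\}\}/g)].map((m) => ({ line: i + 1, expr: m[1].trim() })));
}

console.log(compare("Acme's plugin"), findInlineExpressions(FLAGGED));
```

In a workflow, the `VIA_ENV` form corresponds to setting the step outputs under the step's `env:` key and reading them through `process.env` inside the script, so the script text is the same for every input.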

ashleywolf previously approved these changes May 15, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@aaronpowell merged commit e66aa80 into staged May 15, 2026 (10 checks passed)
@aaronpowell deleted the public-external-plugins branch May 15, 2026 05:37