chore: post-release v1.10.0

[claude-puntlabs]

Note

Medium Risk
Plugin renaming and new command/tool wiring can break existing setups if any clients still reference biff or old tool names, and the added durable cron-based polling changes background behavior.

Overview
Renames the Claude Code plugin from biff to biff-dev (via .claude-plugin/plugin.json), aligning all MCP tool namespaces to mcp__plugin_biff-dev_tty__*.

Adds a full set of *-dev slash-command prompt definitions under commands/ (who-dev, finger-dev, write-dev, etc.), including new background polling management (poll-dev) and auto-poll setup after write-dev using durable CronCreate/CronDelete jobs.

Updates README install instructions to pin install.sh to a new commit hash.

^{Reviewed by Cursor Bugbot for commit 2c3e269. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Security review completed for this PR.

No high-confidence vulnerabilities found in the introduced changes.

Scope reviewed:

• Injection vectors (command/path/template style issues)
• Authn/authz boundary regressions
• Secret/token exposure in docs and command wiring
• SSRF/XSS/request-forgery/unsafe deserialization classes
• Supply-chain implications of dependency/config changes

Notes:

• Changes are primarily command-definition markdown and plugin-name/readme updates.
• I did not find evidence in this diff of new exploitable paths or permission-boundary bypasses.

Residual risk to keep in mind (not a confirmed vuln in this diff): command files rely on model-side argument parsing, so strict validation still needs to be enforced by the underlying MCP tool handlers.

  

_{Sent by Cursor Automation: Find vulnerabilities}

[Copilot]

Pull request overview

Restores the repository to the normal post-release “dev plugin” state for v1.10.0 by reintroducing the *-dev command set, switching the plugin namespace back to biff-dev, and updating the pinned installer script SHA in the README.

Changes:

• Add back commands/*-dev.md command docs wired to mcp__plugin_biff-dev_tty__*.
• Change .claude-plugin/plugin.json plugin name from biff → biff-dev.
• Update README install instructions to pin install.sh to commit 677d77a.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
commands/biff-dev.md	Dev variant of /biff command pointing at mcp__plugin_biff-dev_tty__biff.
commands/finger-dev.md	Dev variant of /finger command pointing at mcp__plugin_biff-dev_tty__finger.
commands/last-dev.md	Dev variant of /last command pointing at mcp__plugin_biff-dev_tty__last.
commands/mesg-dev.md	Dev variant of /mesg command pointing at mcp__plugin_biff-dev_tty__mesg.
commands/plan-dev.md	Dev variant of /plan command pointing at mcp__plugin_biff-dev_tty__plan.
commands/poll-dev.md	Dev variant of /poll command pointing at mcp__plugin_biff-dev_tty__set_poll_interval / __get_poll_status and cron management.
commands/read-dev.md	Dev variant of /read command pointing at mcp__plugin_biff-dev_tty__read_messages.
commands/talk-dev.md	Dev variant of /talk command pointing at mcp__plugin_biff-dev_tty__talk / __talk_end.
commands/tty-dev.md	Dev variant of /tty command pointing at mcp__plugin_biff-dev_tty__tty.
commands/wall-dev.md	Dev variant of /wall command pointing at mcp__plugin_biff-dev_tty__wall.
commands/who-dev.md	Dev variant of /who command pointing at mcp__plugin_biff-dev_tty__who.
commands/write-dev.md	Dev variant of /write command pointing at mcp__plugin_biff-dev_tty__write and cron-based auto-polling.
README.md	Updates pinned install.sh URL SHA to 677d77a.
.claude-plugin/plugin.json	Restores plugin name to biff-dev for mainline development.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In the dev command set, this description references /who and /finger, but the corresponding dev commands are /who-dev and /finger-dev (to avoid collisions with the installed prod plugin). Consider updating the description to point at the dev command names so users of the dev plugin aren’t misled.

Suggested change

	description: Name the current session (visible in /who and /finger)
	description: Name the current session (visible in /who-dev and /finger-dev)

[Copilot]

The auto-poll setup created after /write-dev is marked durable: true, which can leave a long-lived recurring cron firing every 5 minutes even after the immediate reply window has passed. If the intent is “temporary auto-poll to catch replies”, consider using a non-durable job (and/or an explicit short TTL) so this automatic action doesn’t persist across restarts.

Suggested change

	- `durable`: true
	- `durable`: false