ci+ui: skip ccplugins workflows without PAT; surface export errors in UI

CI: both ccplugins workflows were erroring on every push because the
CCPLUGINS_PAT secret isn't set yet. Added a guard step that checks for
the secret and short-circuits the rest of the job cleanly (success,
not failure) when absent. Once the secret is added the workflows run
normally with no code change needed.

UI: export buttons were <a download> links, which saved JSON error
responses as `page.pdf` / `page.docx` with a few KB of error text
inside — indistinguishable from a broken download. Switched to a
fetch-based flow that inspects Content-Type:
  - application/json → parse, show the error message + pandoc stderr
    in an alert dialog
  - binary → save as a blob with the server's filename
Now a failing export shows "Export failed (pdf): pandoc not
installed…" instead of downloading a 200-byte JSON file the user has
to open to understand.

Author: cdeust

.github/workflows/publish-ccplugins.yml

@@ -27,14 +27,28 @@ jobs:
       PLUGIN_NAME: cortex
       CATEGORY: "Development Engineering"
     steps:
+      - name: Guard — skip cleanly when CCPLUGINS_PAT is missing
+        id: guard
+        env:
+          PAT: ${{ secrets.CCPLUGINS_PAT }}
+        run: |
+          if [ -z "$PAT" ]; then
+            echo "CCPLUGINS_PAT secret not configured — skipping."
+            echo "has_pat=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_pat=true" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Checkout Cortex
+        if: steps.guard.outputs.has_pat == 'true'
         uses: actions/checkout@v4
         with:
           path: cortex
           fetch-depth: 0
 
       - name: Resolve release tag
         id: tag
+        if: steps.guard.outputs.has_pat == 'true'
         run: |
           if [ "${{ github.event_name }}" = "release" ]; then
             TAG="${{ github.event.release.tag_name }}"
@@ -45,6 +59,7 @@ jobs:
           echo "Release tag: $TAG"
 
       - name: Checkout fork of ccplugins
+        if: steps.guard.outputs.has_pat == 'true'
         uses: actions/checkout@v4
         with:
           repository: ${{ env.FORK }}
@@ -53,6 +68,7 @@ jobs:
           fetch-depth: 0
 
       - name: Sync fork with upstream
+        if: steps.guard.outputs.has_pat == 'true'
         working-directory: ccplugins
         env:
           GH_TOKEN: ${{ secrets.CCPLUGINS_PAT }}
@@ -68,6 +84,7 @@ jobs:
           git push origin main --force-with-lease
 
       - name: Write plugin bundle
+        if: steps.guard.outputs.has_pat == 'true'
         working-directory: ccplugins
         run: |
           set -euo pipefail
@@ -108,6 +125,7 @@ jobs:
           EOF
 
       - name: Update index entry in README
+        if: steps.guard.outputs.has_pat == 'true'
         working-directory: ccplugins
         run: |
           python3 - <<'PY'
@@ -144,6 +162,7 @@ jobs:
 
       - name: Stage, commit, diff
         id: diff
+        if: steps.guard.outputs.has_pat == 'true'
         working-directory: ccplugins
         run: |
           git add "plugins/${PLUGIN_NAME}" README.md
@@ -164,7 +183,7 @@ jobs:
           Automated sync from cdeust/Cortex@${{ github.sha }}."
 
       - name: Push + open (or update) PR
-        if: steps.diff.outputs.changed == 'true' && inputs.dry_run != true
+        if: steps.guard.outputs.has_pat == 'true' && steps.diff.outputs.changed == 'true' && inputs.dry_run != true
         working-directory: ccplugins
         env:
           GH_TOKEN: ${{ secrets.CCPLUGINS_PAT }}

.github/workflows/sync-ccplugins-fork.yml

@@ -31,14 +31,29 @@ jobs:
       UPSTREAM: ccplugins/awesome-claude-code-plugins
       FORK:     cdeust/awesome-claude-code-plugins
     steps:
+      - name: Guard — skip cleanly when CCPLUGINS_PAT is missing
+        id: guard
+        env:
+          PAT: ${{ secrets.CCPLUGINS_PAT }}
+        run: |
+          if [ -z "$PAT" ]; then
+            echo "CCPLUGINS_PAT secret not configured — skipping."
+            echo "Add it at Settings → Secrets and variables → Actions."
+            echo "has_pat=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_pat=true" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Checkout fork
+        if: steps.guard.outputs.has_pat == 'true'
         uses: actions/checkout@v4
         with:
           repository: ${{ env.FORK }}
           token: ${{ secrets.CCPLUGINS_PAT }}
           fetch-depth: 0
 
       - name: Fast-forward main from upstream
+        if: steps.guard.outputs.has_pat == 'true'
         run: |
           set -euo pipefail
           git config user.name  "github-actions[bot]"

ui/unified/js/wiki.js

@@ -550,11 +550,13 @@
     });
     actions.appendChild(editBtn);
     ['pdf', 'tex', 'docx', 'html'].forEach(function(fmt) {
-      var b = el('a', 'wiki-export-btn');
+      var b = el('button', 'wiki-export-btn');
+      b.type = 'button';
       b.textContent = fmt.toUpperCase();
-      b.href = '/api/wiki/export?path=' + encodeURIComponent(data.path) + '&format=' + fmt;
-      b.setAttribute('download', '');
       b.title = 'Export via Pandoc → ' + fmt;
+      b.addEventListener('click', function() {
+        _exportDownload(data.path, fmt, b);
+      });
       actions.appendChild(b);
     });
     pageHeader.appendChild(actions);
@@ -992,6 +994,53 @@
     return e;
   }
 
+  // ── Export download (Phase 10) ──
+  //
+  // Fetches /api/wiki/export and decides between saving the blob (on
+  // success — binary Content-Type) and surfacing the error message
+  // (when the server returned JSON). Using fetch avoids the old
+  // <a download> trap where a JSON error response got silently saved
+  // as "page.pdf" with 2 KB of error text inside.
+
+  async function _exportDownload(relPath, fmt, btn) {
+    if (btn) { btn.disabled = true; btn.textContent = fmt.toUpperCase() + '\u2026'; }
+    try {
+      var url = '/api/wiki/export?path=' + encodeURIComponent(relPath)
+        + '&format=' + fmt;
+      var resp = await fetch(url);
+      var contentType = resp.headers.get('Content-Type') || '';
+      if (contentType.indexOf('application/json') === 0) {
+        var err = await resp.json();
+        var msg = err.error || 'export failed';
+        if (err.stderr) msg += '\n\nstderr:\n' + err.stderr;
+        alert('Export failed (' + fmt + '):\n\n' + msg);
+        return;
+      }
+      if (!resp.ok) {
+        alert('Export failed (' + fmt + '): HTTP ' + resp.status);
+        return;
+      }
+      var blob = await resp.blob();
+      var dispo = resp.headers.get('Content-Disposition') || '';
+      var m = dispo.match(/filename="([^"]+)"/);
+      var filename = m ? m[1]
+        : (relPath.split('/').pop() || 'page').replace(/\.md$/, '') + '.' + fmt;
+      var link = document.createElement('a');
+      link.href = URL.createObjectURL(blob);
+      link.download = filename;
+      document.body.appendChild(link);
+      link.click();
+      setTimeout(function() {
+        URL.revokeObjectURL(link.href);
+        link.remove();
+      }, 200);
+    } catch (err) {
+      alert('Export failed (' + fmt + '): ' + (err.message || err));
+    } finally {
+      if (btn) { btn.disabled = false; btn.textContent = fmt.toUpperCase(); }
+    }
+  }
+
   // ── Academic rendering layer (Phase 9) ──
   //
   // Three post-render passes over the already-rendered body: