docs: document security scope and trust model for workflow commands

Add transparency documentation explaining the file system access that
workflow commands require and why:

- Add "Workflow Command Security" section to CLAUDE.md explaining:
  - Why broad tool access is needed (Write, Edit, Bash for scaffolding)
  - Security considerations for users
  - Design contrast with /plugin-dev:start command
  - Guidance for security-sensitive environments

- Add brief security notes to create-plugin.md and create-marketplace.md
  pointing users to the detailed documentation in CLAUDE.md

This is a documentation improvement for transparency - the tool access
is correctly scoped for the intended use case of creating plugin
structures.

Fixes #162

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: sjnims

CLAUDE.md

@@ -225,6 +225,36 @@ An 8-phase guided workflow for marketplace creation:
 7. Validation - Run marketplace validators
 8. Testing & Finalization - Test installation and finalize
 
+### Workflow Command Security
+
+The workflow commands (`/plugin-dev:create-plugin` and `/plugin-dev:create-marketplace`) require broad file system access to perform their scaffolding functions:
+
+```yaml
+allowed-tools: Read, Write, Edit, Grep, Glob, Bash(mkdir:*), Bash(git init:*), ...
+```
+
+**Why this access is needed:**
+
+- Creating plugin directory structures requires `Write` and `Bash(mkdir:*)`
+- Generating manifest files and component templates requires `Write` and `Edit`
+- Initializing git repositories requires `Bash(git init:*)`
+- Exploring existing code for patterns requires `Read`, `Grep`, `Glob`
+
+**Security considerations:**
+
+- These commands can write to any location within the user's permission scope
+- The commands prompt for confirmation before creating structures
+- Review the target directory before starting a workflow
+- In multi-user environments, verify the working directory is appropriate
+
+**Design contrast with `/plugin-dev:start`:**
+
+The entry point command uses `disable-model-invocation: true` and restricts tools to `AskUserQuestion, SlashCommand, TodoWrite` since it only routes to other commands. The workflow commands need broader access because they perform the actual file creation work.
+
+**For security-sensitive environments:**
+
+Review the `allowed-tools` frontmatter in each command file to understand exactly what access is granted. Future Claude Code versions may support path-scoped tool restrictions (e.g., `Write(./plugins/*)`), which would allow tighter scoping.
+
 ## Validation Agents
 
 Use these agents proactively after creating components:

plugins/plugin-dev/commands/create-marketplace.md

@@ -19,6 +19,8 @@ Guide the user through creating a complete plugin marketplace from initial conce
 
 **Initial request:** $ARGUMENTS
 
+**Security note:** This workflow has broad file system access to create marketplace structures. It can write files and create directories within your permission scope. Review the target directory before starting, and see CLAUDE.md "Workflow Command Security" for details.
+
 ---
 
 ## Phase 1: Discovery

plugins/plugin-dev/commands/create-plugin.md

@@ -20,6 +20,8 @@ Guide the user through creating a complete, high-quality Claude Code plugin from
 
 **Initial request:** $ARGUMENTS
 
+**Security note:** This workflow has broad file system access to create plugin structures. It can write files and create directories within your permission scope. Review the target directory before starting, and see CLAUDE.md "Workflow Command Security" for details.
+
 ---
 
 ## Phase 1: Discovery