refactor(dependabot): restructure skill to recommended subdirectory format v1.3.0 (#10)

* refactor(dependabot): restructure skill to recommended subdirectory format v1.3.0

Migrate from legacy flat structure to modern subdirectory structure:
- skills/dependabot.md → skills/dependabot/SKILL.md
- Extract ecosystem tables to references/ecosystems.md

This enables progressive disclosure - Claude loads SKILL.md first,
then fetches reference files only when needed, reducing token usage.

Structure now follows official Claude Code plugin best practices.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: add dependabot to README and document skill structure in CLAUDE.md

- Add dependabot plugin to Available Plugins table
- Add install command example
- Document recommended skill subdirectory structure in CLAUDE.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs(dependabot): remove redundant CLI behavior explanations

Consolidate repeated explanations:
- CLI outputs JSON / doesn't modify files (was in 3 places, now 1)
- --local flag purpose (was in 2 places, now 1)

Keep detailed explanation in Section 4, remove duplicates elsewhere.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs(dependabot): consolidate remaining redundancies

- Simplify Section 5: merge update detection into compact flow
- Remove duplicate ecosystem.md reference (keep one in Section 2)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs(dependabot): apply optional improvements from skill review

- Add trigger phrases: "upgrade dependencies", "version updates"
- Tighten --local flag explanation (save ~15 words)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: vnz

.claude-plugin/marketplace.json

@@ -29,7 +29,7 @@
     {
       "name": "dependabot",
       "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers",
-      "version": "1.2.0",
+      "version": "1.3.0",
       "source": "./plugins/dependabot",
       "category": "development",
       "author": {

CLAUDE.md

@@ -13,6 +13,20 @@ Personal Claude Code plugin marketplace by vnz.
 4. Validate: `prek run --all-files`
 5. Commit and test: `/plugin install <name>@cc-plugins-vnz`
 
+## Skill Structure (Recommended)
+
+Use the subdirectory format for skills with reference files:
+
+```
+skills/
+└── <skill-name>/
+    ├── SKILL.md              # Main skill (required)
+    └── references/           # Optional reference data
+        └── <topic>.md
+```
+
+This enables progressive disclosure — Claude loads SKILL.md first, then fetches reference files only when needed.
+
 ## Development
 
 ```bash

README.md

@@ -23,13 +23,15 @@ Personal Claude Code plugin marketplace by vnz.
 |--------|-------------|
 | `date-context` | Injects current date/time at session start to fix web search year issues |
 | `terraform-ls` | Terraform language server for code intelligence (go-to-definition, hover, diagnostics) |
+| `dependabot` | Check for dependency updates using Dependabot CLI with auto-detection of package managers |
 
 ## Usage
 
 After adding the marketplace, install any plugin:
 ```bash
 /plugin install date-context@cc-plugins-vnz
 /plugin install terraform-ls@cc-plugins-vnz
+/plugin install dependabot@cc-plugins-vnz
 ```
 
 ## Development

plugins/dependabot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "dependabot",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers",
   "license": "MIT",
   "author": {

plugins/dependabot/skills/dependabot.md …ns/dependabot/skills/dependabot/SKILL.mdplugins/dependabot/skills/dependabot.md renamed to plugins/dependabot/skills/dependabot/SKILL.md plugins/dependabot/skills/dependabot.md renamed to plugins/dependabot/skills/dependabot/SKILL.md

@@ -1,11 +1,15 @@
 ---
-description: This skill should be used when the user asks to "check dependencies", "find outdated packages", "scan for updates", "use dependabot", "run dependabot", "check for security updates", "what needs updating", or requests dependency scanning for specific ecosystems like npm, terraform, or github-actions. Supports scanning all ecosystems or specific ones with "use dependabot for <ecosystem>".
+name: dependabot
+description: This skill should be used when the user asks to "check dependencies", "find outdated packages", "scan for updates", "use dependabot", "run dependabot", "check for security updates", "upgrade dependencies", "version updates", "what needs updating", or requests dependency scanning for specific ecosystems like npm, terraform, or github-actions. Supports scanning all ecosystems or specific ones with "use dependabot for <ecosystem>".
 ---
 
 # Dependabot Update Skill
 
 Scan for dependency updates using the official Dependabot CLI and optionally create PRs for found updates.
 
+**Reference files:**
+- `references/ecosystems.md` - Complete list of supported ecosystems with aliases and detection methods
+
 ## 1. Prerequisites Check
 
 Before running, verify the required tools are installed:
@@ -36,48 +40,11 @@ Analyze the user's trigger phrase:
 - **"use dependabot for npm"** → Scan only `npm_and_yarn` ecosystem
 - **"use dependabot for github-actions"** or **"use dependabot for actions"** → Scan only `github_actions` ecosystem
 
-Map common aliases to Dependabot CLI ecosystem values:
-| User Says | CLI Ecosystem |
-|-----------|---------------|
-| npm, yarn, pnpm | `npm_and_yarn` |
-| github-actions, actions, workflows | `github_actions` |
-| terraform, tf | `terraform` |
-| go, golang | `go_modules` |
-| python, pip, pipenv | `pip` |
-| ruby, bundler, gems | `bundler` |
-| rust, cargo | `cargo` |
-| docker | `docker` |
-| maven, java | `maven` |
-| gradle | `gradle` |
-| composer, php | `composer` |
-| nuget, dotnet, csharp | `nuget` |
-| helm | `helm` |
-| dart, flutter, pub | `pub` |
-| swift | `swift` |
-| elixir, hex | `hex` |
+See `references/ecosystems.md` for the complete alias mapping and detection methods.
 
 ## 3. Ecosystem Auto-Detection
 
-If scanning all ecosystems, detect which are present using file existence checks:
-
-| Ecosystem | CLI Value | Detection Method |
-|-----------|-----------|------------------|
-| GitHub Actions | `github_actions` | Glob: `.github/workflows/*.yml` or `.github/workflows/*.yaml` |
-| Terraform | `terraform` | Glob: `*.tf` or `**/*.tf` (check root and subdirs) |
-| npm/yarn/pnpm | `npm_and_yarn` | File exists: `package.json` |
-| Go | `go_modules` | File exists: `go.mod` |
-| Python (pip) | `pip` | File exists: `requirements.txt`, `pyproject.toml`, `Pipfile`, or `setup.py` |
-| Ruby | `bundler` | File exists: `Gemfile` |
-| Rust | `cargo` | File exists: `Cargo.toml` |
-| Docker | `docker` | Glob: `Dockerfile` or `*.dockerfile` or `docker-compose.yml` |
-| Maven | `maven` | File exists: `pom.xml` |
-| Gradle | `gradle` | File exists: `build.gradle` or `build.gradle.kts` |
-| Composer | `composer` | File exists: `composer.json` |
-| NuGet | `nuget` | Glob: `*.csproj` or `packages.config` or `*.fsproj` |
-| Helm | `helm` | File exists: `Chart.yaml` |
-| Pub (Dart) | `pub` | File exists: `pubspec.yaml` |
-| Swift | `swift` | File exists: `Package.swift` |
-| Hex (Elixir) | `hex` | File exists: `mix.exs` |
+If scanning all ecosystems, detect which are present using file existence checks.
 
 Report detected ecosystems to the user before proceeding:
 > "Detected ecosystems: npm_and_yarn, github_actions, terraform"
@@ -102,32 +69,28 @@ Where `<ecosystem>` is the CLI ecosystem value (e.g., `npm_and_yarn`, `terraform
 **Understanding the output:**
 - The CLI outputs **JSON lines** (one JSON object per line), NOT human-readable tables
 - The CLI **never modifies files directly** - it only outputs data describing what would change
-- The `--local .` flag means "use local filesystem as source" — this prevents the CLI from cloning from GitHub and instead uses your working directory (it's NOT a "dry-run" flag)
+- The `--local .` flag uses your working directory instead of cloning from GitHub (NOT a "dry-run" flag)
 - Output can be very large (40KB+) - it may be truncated
 - **Important:** Use `2>&1` to capture both stdout and stderr, as the CLI mixes log messages (stderr) with JSON output (stdout)
 
 ## 5. Parse Results from JSON Output
 
-The CLI outputs multiple JSON objects. Look for `create_pull_request` events to find updates:
+Filter the output for `create_pull_request` events — these contain the updates:
 
 ```bash
-# Filter for PR creation events (these contain the updates)
 <output> | grep '"type":"create_pull_request"'
 ```
 
+- ✅ **Updates found:** `create_pull_request` events in output
+- ❌ **No updates:** Only `mark_as_processed` events (grep returns nothing)
+
 Each `create_pull_request` event contains:
 - `dependencies[].name` - Package name
 - `dependencies[].previous-version` - Current version
 - `dependencies[].version` - Available version
 - `pr-title` - Suggested PR title
 - `updated-dependency-files[]` - The actual file changes to apply
 
-**Determining if updates exist:**
-- ✅ **Updates found:** One or more `create_pull_request` events in the output
-- ❌ **No updates:** Only `mark_as_processed` events appear (no `create_pull_request`)
-
-This is the definitive way to check — if you grep for `create_pull_request` and get no results, that ecosystem is up-to-date.
-
 ## 6. Present Results
 
 Summarize findings in a clear format:
@@ -179,8 +142,6 @@ Based on user's choice:
    ```
 
 2. **Apply changes manually:**
-   The CLI doesn't modify files - you must apply the changes yourself.
-
    From the `create_pull_request` JSON events, extract the `updated-dependency-files` array.
    Each entry contains:
    - `name` - The file path (e.g., `.github/workflows/ci.yml`)
@@ -223,9 +184,5 @@ Based on user's choice:
 ## Important Notes
 
 - Always use `gh auth token` for authentication - never ask for tokens directly
-- The CLI **outputs JSON describing changes** - it never modifies files directly
-- The `--local .` flag means "use local directory as repo source" (avoids cloning from GitHub)
-- Without `--local`, the CLI clones from GitHub but still doesn't modify your local files
 - Some ecosystems may require additional configuration (e.g., private registries)
 - If dependabot fails for an ecosystem, report the error and continue with others
-- JSON output can be 40KB+ - grep for `create_pull_request` to find relevant data

plugins/dependabot/skills/dependabot/references/ecosystems.md

@@ -0,0 +1,49 @@
+# Supported Ecosystems Reference
+
+This file contains the complete mapping of user aliases to Dependabot CLI ecosystem values, and the detection methods for auto-discovery.
+
+## Ecosystem Alias Mapping
+
+Map common user phrases to Dependabot CLI ecosystem values:
+
+| User Says | CLI Ecosystem |
+|-----------|---------------|
+| npm, yarn, pnpm | `npm_and_yarn` |
+| github-actions, actions, workflows | `github_actions` |
+| terraform, tf | `terraform` |
+| go, golang | `go_modules` |
+| python, pip, pipenv | `pip` |
+| ruby, bundler, gems | `bundler` |
+| rust, cargo | `cargo` |
+| docker | `docker` |
+| maven, java | `maven` |
+| gradle | `gradle` |
+| composer, php | `composer` |
+| nuget, dotnet, csharp | `nuget` |
+| helm | `helm` |
+| dart, flutter, pub | `pub` |
+| swift | `swift` |
+| elixir, hex | `hex` |
+
+## Ecosystem Auto-Detection
+
+Detect which ecosystems are present using file existence checks:
+
+| Ecosystem | CLI Value | Detection Method |
+|-----------|-----------|------------------|
+| GitHub Actions | `github_actions` | Glob: `.github/workflows/*.yml` or `.github/workflows/*.yaml` |
+| Terraform | `terraform` | Glob: `*.tf` or `**/*.tf` (check root and subdirs) |
+| npm/yarn/pnpm | `npm_and_yarn` | File exists: `package.json` |
+| Go | `go_modules` | File exists: `go.mod` |
+| Python (pip) | `pip` | File exists: `requirements.txt`, `pyproject.toml`, `Pipfile`, or `setup.py` |
+| Ruby | `bundler` | File exists: `Gemfile` |
+| Rust | `cargo` | File exists: `Cargo.toml` |
+| Docker | `docker` | Glob: `Dockerfile` or `*.dockerfile` or `docker-compose.yml` |
+| Maven | `maven` | File exists: `pom.xml` |
+| Gradle | `gradle` | File exists: `build.gradle` or `build.gradle.kts` |
+| Composer | `composer` | File exists: `composer.json` |
+| NuGet | `nuget` | Glob: `*.csproj` or `packages.config` or `*.fsproj` |
+| Helm | `helm` | File exists: `Chart.yaml` |
+| Pub (Dart) | `pub` | File exists: `pubspec.yaml` |
+| Swift | `swift` | File exists: `Package.swift` |
+| Hex (Elixir) | `hex` | File exists: `mix.exs` |