feat(plugins): add Command Code plugin

[ec812]

Adds a plugin for Command Code (cmd) that uses the Command Code API to display usage metrics in the menu bar.

Endpoints: /alpha/whoami, /alpha/billing/credits, /alpha/billing/subscriptions, /alpha/usage/summary
Auth: ~/.commandcode/auth.json or COMMAND_CODE_API_KEY env var
Tests: 13 unit tests passing

---

Summary by cubic

Adds the Command Code (cmd) plugin to show usage in the menu bar: monthly credit progress, total spend, tokens, and per‑model usage. Pulls data from the Command Code API and handles auth and error states cleanly.

• New Features
  • Reads auth from ~/.commandcode/auth.json or COMMAND_CODE_API_KEY.
  • Calls /alpha/whoami, /alpha/billing/credits, /alpha/billing/subscriptions, /alpha/usage/summary.
  • Progress bar for monthly credits (used vs total plan).
  • Text lines: Total spent, Tokens used, Models (per‑model cost and call count).
  • Graceful handling of network/API errors and empty responses.
  • Includes plugin manifest and icon (brand color #000000).
  • 13 unit tests for auth, headers, layout, and edge cases.

^{Written for commit 8920146. Summary will update on new commits. Review in cubic}

[cubic-dev-ai]

1 issue found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="plugins/command-code/plugin.js">

<violation number="1" location="plugins/command-code/plugin.js:22">
P2: `COMMAND_CODE_API_KEY` env auth path silently fails at runtime because the host API allowlist (`WHITELISTED_ENV_VARS` in `src-tauri/src/plugin_engine/host_api.rs`) does not include this key, causing the plugin to fall back to file auth without warning and breaking the documented env-based authentication.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[cubic-dev-ai]

P2: COMMAND_CODE_API_KEY env auth path silently fails at runtime because the host API allowlist (WHITELISTED_ENV_VARS in src-tauri/src/plugin_engine/host_api.rs) does not include this key, causing the plugin to fall back to file auth without warning and breaking the documented env-based authentication.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At plugins/command-code/plugin.js, line 22:

<comment>`COMMAND_CODE_API_KEY` env auth path silently fails at runtime because the host API allowlist (`WHITELISTED_ENV_VARS` in `src-tauri/src/plugin_engine/host_api.rs`) does not include this key, causing the plugin to fall back to file auth without warning and breaking the documented env-based authentication.</comment>

<file context>
@@ -0,0 +1,227 @@
+
+  function loadApiKeyFromEnv(ctx) {
+    try {
+      var value = ctx.host.env.get("COMMAND_CODE_API_KEY")
+      if (typeof value !== "string") return null
+      var trimmed = value.trim()
</file context>

[robinebers]

Hi, I've decided to decline new plugins for the time being. They've become unmaintanable, as I don't own most of these subscriptions and that results in slop (can't test them myself). Maybe this will change in the future.

Thank you