[codex] Clarify plugin provider access policy

[SeoFood]

Summary

• Adds a Provider Access Policy section to CONTRIBUTING.md.
• Clarifies acceptable provider access paths for catalog submissions: user-provided API keys, official developer platform billing, documented third-party SDK/OAuth flows, and local-only integrations.
• Documents disallowed access patterns such as first-party client impersonation, unsupported consumer subscription credential use, unofficial OAuth clients, copied client IDs, hidden endpoints, and token refresh flows intended for another first-party product.
• Requires external-provider plugin READMEs to document the supported auth path.

Companion

Companion to TypeWhisper/typewhisper.com#75 for TypeWhisper/typewhisper.com#74.

Validation

• git diff --check

Summary by CodeRabbit

• Documentation
  • Added guidelines requiring external-provider plugins to document supported authentication and access paths for user configuration
  • Introduced "Provider Access Policy" section defining acceptable third-party integration access practices and restrictions
  • Specified disallowed access behaviors including impersonation, unauthorized credentials, and off-path OAuth configurations
  • Enhanced documentation requirements for plugins to clearly specify their authentication path in README for verification

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 041e6610-a769-4c55-9d5a-7fe3246af715

📥 Commits

Reviewing files that changed from the base of the PR and between 0c13baa and ab4f71e.

📒 Files selected for processing (1)

• CONTRIBUTING.md

---

📝 Walkthrough

Walkthrough

CONTRIBUTING.md is updated to establish provider access documentation requirements for external-provider plugins. A new "Provider access" checklist item requires documenting supported auth paths in README files, and a new "Provider Access Policy" section details acceptable third-party integration access patterns while explicitly prohibiting impersonation, unauthorized OAuth flows, and off-path credentials.

Changes

Provider Access Documentation Requirements

Layer / File(s)	Summary
Provider access README requirement and policy CONTRIBUTING.md	"Provider access" checklist item added to plugin README guidance requiring documentation of supported auth paths. New "Provider Access Policy" section establishes acceptable third-party integration access patterns and prohibits impersonation, unauthorized OAuth, and off-path credential usage.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly Related Issues

• Clarify plugin catalog submission policy for unofficial provider auth typewhisper.com#74: This PR implements the provider access documentation requirements and policy guidance for external-provider plugins, directly addressing the need to clarify authorized access paths and prohibit unauthorized OAuth or impersonation patterns.

Poem

🐰 A guardian hops through docs so fine,
Drawing borders, marking lines.
"No tricks," it whispers, "paths must glow—
Auth that's true, not stealthy woe!"
Provider trust, now crystal clear,
Welcome, kindred developers, here.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch seofood/plugin-auth-policy-contributing

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}