
Add Auto-Claim plugin #165

Open
BambooFury wants to merge 7 commits into SteamClientHomebrew:main from BambooFury:add-auto-claim

Conversation

@BambooFury (Contributor)

Auto-detects 100% discounted games on Steam and adds them to your library.
https://github.com/BambooFury/Auto-Claim

@madmaxgrey

I have tested and can confirm this plugin works as intended.

@github-actions (Contributor)

Automated Message: This message has been sent to all open pull requests. Your pull request will be further reviewed once Millennium 3.0.0 is released. We are very busy with Millennium!

@shdwmtr (Member)

shdwmtr commented May 31, 2026

@claude Review this.

@claude

claude Bot commented May 31, 2026

Claude finished @shdwmtr's task in 8m 40s


PR Review: Add Auto-Claim Plugin

  • Gather PR context
  • Review PR diff
  • Inspect CI build logs
  • Attempt source code access (blocked by sandbox)
  • Security review (partial — see note)
  • Bug review (partial — see note)
  • UI/component standards check (partial)
  • Backend language policy check (partial)
  • Post full review

Important

Incomplete Review — Source Code Unavailable
Per the CLAUDE.md review instructions, this review requires cloning and inspecting the plugin source at BambooFury/Auto-Claim@8cd1f68. The review sandbox blocked all outbound network access (no git clone, curl, gh api, etc.), making a full source inspection impossible. The findings below are based on CI build logs, .gitmodules, and workflow artifacts only. This review should not be used as the sole basis for approval.


What the CI Build Tells Us

From the successful Test Build job:

  • Build succeeds cleanly at commit 8cd1f68 (v1.5.7) with millennium-ttc --build prod
  • Dependencies: @steambrew/client 5.8.5, @steambrew/api 5.8.4, @steambrew/webkit 5.8.4, @steambrew/ttc 3.3.6 — all standard Steambrew packages
  • No Python backend: requirements.txt not found — consistent with Lua backend policy compliance
  • Asset structure: the plugin bundles CSS (14 KB), a widget component, card component, settings panel (~1.4 KB), icons, and welcome icons — indicating a non-trivial UI
  • Includes LICENSE (via plugin.json's include field)
  • 7 files in the distribution artifact (normal size)

Concerns

1. Functionality and Steam ToS Risk

The plugin's stated purpose is to automatically detect 100%-discounted games and add them to the user's library without per-game confirmation. This raises questions that can only be answered by reading the source:

  • Does it use Steam's internal JS API (SteamClient.Apps.*) or does it make outbound HTTP calls to the Steam store to detect deals?
  • Does it rate-limit its scanning to avoid triggering Steam's bot detection / account flags?
  • Does it provide a settings toggle to require confirmation before claiming?

Steam has historically taken action against accounts that automate store interactions. If the plugin polls store endpoints aggressively or lacks a rate-limit/confirmation mechanism, users could be at risk.

2. Scanning Stability (Past Issues)

The source repo has a branch named fix/millennium-scan-stability, which implies the scanning mechanism had known stability problems. Without reading the diff for that fix (and verifying it was merged before v1.5.7), it's not possible to confirm this is resolved in the pinned commit.

3. Rapid Version Churn

The PR includes 7 commits bumping from v1.5.1 → v1.5.7 since May 12. Rapid iteration can indicate active bug fixing, but the PR review should confirm that each bump is a deliberate, reviewed release and not a regression. The PR should ideally be pinned to a stable tag after the source review passes.

4. Items That Cannot Be Verified Without Source

These checks are required by the review guidelines but were not possible:

Check                                                              Status
No eval() / Function() / innerHTML injection vectors               ❌ Not checked
No outbound network requests to non-Steam third-party hosts        ❌ Not checked
No credential/token leakage                                        ❌ Not checked
callable Lua RPC input validation                                  ❌ Not checked
backendType: "lua" confirmed in plugin.json                        ❌ Not checked
Event listeners cleaned up on unmount                              ❌ Not checked
No stale closure / missing useEffect dependency bugs               ❌ Not checked
Settings stored under stable, non-breaking keys                    ❌ Not checked
Settings panel uses Field + Steambrew components (no raw <input>)  ❌ Not checked

Recommendation

Do not merge without a manual source review. Specifically, a maintainer should inspect:

  1. plugin.json — confirm "backendType": "lua", check name / common_name / description / version fields
  2. The main TypeScript entry point — check for eval, innerHTML, unsafe network calls
  3. The Lua backend — check for file path traversal, input validation on callable RPCs
  4. How the plugin discovers and claims free games (Steam API vs. external endpoints)
  5. Whether a rate-limit or confirmation setting exists

The author (BambooFury) already has dotastats in this database, which suggests some track record, but that does not substitute for reviewing this plugin's code.
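An added example, not part of this PR and not code from Auto-Claim or Millennium: a small offline audit script that encodes three of the unverified rows in the review table above (plugin.json metadata and backendType "lua", eval/Function/innerHTML usage, and outbound URLs to non-Steam hosts) so a maintainer can run them against a checkout once the source is available. The plugin layout (plugin.json at the root, TypeScript sources below it), the Steam host list, and the sample manifest and source are assumptions constructed for this example.

```python
# Added example (not Auto-Claim or Millennium code): offline checks for the unverified review rows.
import json
import re
from pathlib import Path
from urllib.parse import urlparse
REQUIRED_FIELDS = ("name", "common_name", "description", "version")
STEAM_HOSTS = ("steampowered.com", "steamcommunity.com", "steamstatic.com")  # assumed allow-list
INJECTION_PATTERNS = {  # the eval() / Function() / innerHTML row
    "eval": re.compile(r"\beval\s*\("),
    "Function": re.compile(r"\bFunction\s*\("),
    "innerHTML": re.compile(r"\.innerHTML\s*="),
}
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
# Constructed sample inputs so the checks run without a checkout.
SAMPLE_MANIFEST = {"name": "auto-claim", "common_name": "Auto-Claim",
                   "description": "constructed sample", "version": "1.5.7"}
SAMPLE_SOURCE = (
    "const url = 'https://store.steampowered.com/search/?maxprice=free';\n"
    "fetch('https://tracker.example/ping');\n"
    "el.innerHTML = html;\n"
)

def line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1

def is_steam_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in STEAM_HOSTS)

def check_manifest(manifest: dict) -> list[str]:
    findings = [f"plugin.json missing {f}" for f in REQUIRED_FIELDS if not manifest.get(f)]
    if manifest.get("backendType") != "lua":  # backendType: "lua" row
        findings.append(f"backendType is {manifest.get('backendType')!r}, expected 'lua'")
    return findings

def scan_source(name: str, text: str) -> list[str]:
    findings = [f"{name}:{line_of(text, m.start())} uses {label}"
                for label, pat in INJECTION_PATTERNS.items() for m in pat.finditer(text)]
    for m in URL_RE.finditer(text):  # non-Steam third-party hosts row
        if not is_steam_host(m.group(0)):
            findings.append(f"{name}:{line_of(text, m.start())} non-Steam URL {m.group(0)}")
    return findings

def audit_plugin(root: Path) -> list[str]:
    """Walk a plugin checkout: manifest checks plus a scan of every TS/JS source."""
    findings = check_manifest(json.loads((root / "plugin.json").read_text()))
    for path in sorted(root.rglob("*")):
        if path.suffix in (".ts", ".tsx", ".js") and "node_modules" not in path.parts:
            findings += scan_source(path.relative_to(root).as_posix(), path.read_text())
    return findings
```

Findings are hints for the manual review the recommendation asks for, not a substitute for it: a clean scan says nothing about the Lua RPC validation, rate-limiting or listener-cleanup rows.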

