@gajae-code/coding-agent 0.7.3 → 0.7.5

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@gajae-code/coding-agent",
-	"version": "0.7.3",
+	"version": "0.7.5",
 	"description": "Gajae Code CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://gaebal-gajae.dev",
 	"author": "Yeachan-Heo",
@@ -28,7 +28,7 @@
 	"main": "./src/index.ts",
 	"types": "./dist/types/index.d.ts",
 	"bin": {
-		"gjc": "src/cli.ts"
+		"gjc": "bin/gjc.js"
 	},
 	"scripts": {
 		"build": "bun scripts/build-binary.ts",
@@ -52,12 +52,12 @@
 		"@agentclientprotocol/sdk": "0.21.0",
 		"@babel/parser": "^7.29.3",
 		"@mozilla/readability": "^0.6.0",
-		"@gajae-code/stats": "0.7.3",
-		"@gajae-code/agent-core": "0.7.3",
-		"@gajae-code/ai": "0.7.3",
-		"@gajae-code/natives": "0.7.3",
-		"@gajae-code/tui": "0.7.3",
-		"@gajae-code/utils": "0.7.3",
+		"@gajae-code/stats": "0.7.5",
+		"@gajae-code/agent-core": "0.7.5",
+		"@gajae-code/ai": "0.7.5",
+		"@gajae-code/natives": "0.7.5",
+		"@gajae-code/tui": "0.7.5",
+		"@gajae-code/utils": "0.7.5",
 		"@puppeteer/browsers": "^2.13.0",
 		"@types/turndown": "5.0.6",
 		"@xterm/headless": "^6.0.0",
@@ -74,13 +74,15 @@
 		"zod": "4.4.3"
 	},
 	"devDependencies": {
-		"@types/bun": "^1.3.14"
+		"@types/bun": "^1.3.14",
+		"@types/ws": "^8.5.13"
 	},
 	"engines": {
 		"bun": ">=1.3.14"
 	},
 	"files": [
 		"src",
+		"bin",
 		"scripts",
 		"examples",
 		"README.md",

package/scripts/g004-tmux-smoke.ts

@@ -0,0 +1,100 @@
+// G004 real-tmux smoke: exercises forceCloseGjcTmuxSession against LIVE tmux
+// sessions (tmux 3.6a). Proves the wrapper hard-kills GJC-managed live panes
+// (where remove refuses), refuses non-GJC sessions, and enforces session-id
+// matching. Produces durable evidence; not part of the unit suite.
+import assert from "node:assert";
+
+import {
+	buildGjcTmuxExactOptionTarget,
+	buildGjcTmuxProfileCommands,
+	resolveGjcTmuxCommand,
+} from "../src/gjc-runtime/tmux-common";
+import { forceCloseGjcTmuxSession, removeGjcTmuxSession, statusGjcTmuxSession } from "../src/gjc-runtime/tmux-sessions";
+
+const tmux = resolveGjcTmuxCommand(process.env);
+
+function sh(args: string[]): { code: number; err: string } {
+	const r = Bun.spawnSync([tmux, ...args], { stdout: "pipe", stderr: "pipe" });
+	return { code: r.exitCode, err: r.stderr.toString().trim() };
+}
+
+function makeRawSession(name: string): void {
+	const r = sh(["new-session", "-d", "-s", name, "sleep 600"]);
+	if (r.code !== 0) throw new Error(`failed to create tmux session ${name}: ${r.err}`);
+}
+
+function tagAsGjc(name: string, sessionId?: string): void {
+	const target = buildGjcTmuxExactOptionTarget(name);
+	for (const cmd of buildGjcTmuxProfileCommands(target, process.env, { sessionId })) {
+		const r = sh(cmd.args);
+		if (r.code !== 0) throw new Error(`failed to tag ${name} (${cmd.description}): ${r.err}`);
+	}
+}
+
+function exists(name: string): boolean {
+	return sh(["has-session", "-t", `=${name}`]).code === 0;
+}
+
+function killQuiet(name: string): void {
+	sh(["kill-session", "-t", `=${name}`]);
+}
+
+const suffix = `${process.pid}-${Date.now()}`;
+const live = `gjc_g004live_${suffix}`;
+const raw = `g004raw_${suffix}`;
+const mism = `gjc_g004mism_${suffix}`;
+const cleanup: string[] = [live, raw, mism];
+
+try {
+	// 1. GJC-managed LIVE session: remove refuses, force-close hard-kills.
+	makeRawSession(live);
+	tagAsGjc(live, "sess-g004");
+	const status = statusGjcTmuxSession(live);
+	assert.equal(status.profile, "1", "session must be recognized as GJC-managed");
+	assert.ok(status.panePids.length > 0, "session must have a live pane (sleep)");
+	console.log(`[g004] live GJC session up: ${live} panePids=${status.panePids.length}`);
+
+	let removeRefused = false;
+	try {
+		removeGjcTmuxSession(live);
+	} catch (e) {
+		removeRefused = /gjc_tmux_session_live/.test(String(e));
+	}
+	assert.ok(removeRefused, "removeGjcTmuxSession must REFUSE a live pane");
+	console.log("[g004] remove refused live session (expected)");
+
+	const closed = forceCloseGjcTmuxSession(live, process.env, "sess-g004");
+	assert.equal(closed.name, live);
+	assert.ok(!exists(live), "force-close must hard-kill the live GJC session");
+	console.log("[g004] force-close hard-killed the live GJC session (id-matched)");
+
+	// 2. Non-GJC (untagged) session: force-close must refuse.
+	makeRawSession(raw);
+	let notManaged = false;
+	try {
+		forceCloseGjcTmuxSession(raw, process.env);
+	} catch (e) {
+		notManaged = /gjc_tmux_session_(not_managed|not_found)/.test(String(e));
+	}
+	assert.ok(notManaged, "force-close must refuse a non-GJC tmux session");
+	assert.ok(exists(raw), "non-GJC session must be left untouched");
+	killQuiet(raw);
+	console.log("[g004] force-close refused + preserved non-GJC session (expected)");
+
+	// 3. GJC session with a MISMATCHED expected session id: must refuse.
+	makeRawSession(mism);
+	tagAsGjc(mism, "sess-real");
+	let idMismatch = false;
+	try {
+		forceCloseGjcTmuxSession(mism, process.env, "sess-WRONG");
+	} catch (e) {
+		idMismatch = /gjc_tmux_session_id_mismatch/.test(String(e));
+	}
+	assert.ok(idMismatch, "force-close must refuse on session-id mismatch");
+	assert.ok(exists(mism), "mismatched session must be left untouched");
+	console.log("[g004] force-close refused on session-id mismatch (expected)");
+
+	console.log("[g004] PASS: forceCloseGjcTmuxSession verified against live tmux");
+} finally {
+	for (const name of cleanup) killQuiet(name);
+}

package/scripts/g005-daemon-smoke.ts

@@ -0,0 +1,181 @@
+// G005 real end-to-end daemon-orchestration smoke.
+//
+// Drives the lifecycle orchestrator's create -> close path with REAL effects:
+// a real fsynced file-backed idempotency ledger, a real audit JSONL, and a real
+// tmux session spawned/closed via the actual tmux helpers. Proves the daemon
+// orchestration turns a `session_create` frame into a genuinely-spawned,
+// GJC-tagged tmux session and a `session_close` frame into a real hard-close,
+// with idempotent re-ack. Not part of the unit suite.
+import assert from "node:assert";
+import * as crypto from "node:crypto";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+
+import {
+	buildGjcTmuxExactOptionTarget,
+	buildGjcTmuxProfileCommands,
+	resolveGjcTmuxCommand,
+} from "../src/gjc-runtime/tmux-common";
+import { forceCloseGjcTmuxSession, statusGjcTmuxSession } from "../src/gjc-runtime/tmux-sessions";
+import type { SessionCloseFrame, SessionCreateFrame } from "../src/notifications/index";
+import {
+	type AuditEvent,
+	handleLifecycleRequest,
+	type LedgerDoc,
+	type LedgerStore,
+	type OrchestratorDeps,
+} from "../src/notifications/lifecycle-orchestrator";
+
+const tmux = resolveGjcTmuxCommand(process.env);
+const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), "gjc-g005-"));
+const ledgerPath = path.join(tmpRoot, "idempotency.json");
+const auditPath = path.join(tmpRoot, "audit.jsonl");
+const created: string[] = [];
+
+function sh(args: string[]): number {
+	return Bun.spawnSync([tmux, ...args], { stdout: "pipe", stderr: "pipe" }).exitCode;
+}
+function exists(name: string): boolean {
+	return sh(["has-session", "-t", `=${name}`]) === 0;
+}
+
+// Real fsynced + atomic file ledger store.
+const store: LedgerStore = {
+	async read(): Promise<LedgerDoc> {
+		try {
+			return JSON.parse(fs.readFileSync(ledgerPath, "utf8")) as LedgerDoc;
+		} catch {
+			return { version: 1, entries: {} };
+		}
+	},
+	async write(doc: LedgerDoc): Promise<void> {
+		const tmp = `${ledgerPath}.${process.pid}.tmp`;
+		const fd = fs.openSync(tmp, "w", 0o600);
+		fs.writeSync(fd, JSON.stringify(doc));
+		fs.fsyncSync(fd);
+		fs.closeSync(fd);
+		fs.renameSync(tmp, ledgerPath);
+	},
+};
+
+const auditLines: AuditEvent[] = [];
+const deps: OrchestratorDeps = {
+	pairedChatId: "42",
+	now: () => Date.now(),
+	store,
+	audit: e => {
+		auditLines.push(e);
+		fs.appendFileSync(auditPath, `${JSON.stringify(e)}\n`, { mode: 0o600 });
+	},
+	allowCreate: () => true,
+	writeStartupPrompt: async (requestId, prompt) => {
+		if (prompt === undefined) return undefined;
+		const ref = path.join(tmpRoot, `prompt-${requestId}`);
+		const fd = fs.openSync(ref, "w", 0o600);
+		fs.writeSync(fd, prompt);
+		fs.fsyncSync(fd);
+		fs.closeSync(fd);
+		return ref;
+	},
+	// REAL spawn: create a GJC-tagged tmux session carrying the authoritative id.
+	spawnCreate: async (_frame, ids) => {
+		const name = `gjc_g005_${ids.intendedSessionId}`;
+		created.push(name);
+		if (sh(["new-session", "-d", "-s", name, "sleep 600"]) !== 0) {
+			throw new Error(`tmux spawn failed for ${name}`);
+		}
+		const target = buildGjcTmuxExactOptionTarget(name);
+		for (const cmd of buildGjcTmuxProfileCommands(target, process.env, {
+			sessionId: ids.intendedSessionId,
+		})) {
+			if (sh(cmd.args) !== 0) throw new Error(`tag failed for ${name}`);
+		}
+		return {
+			sessionId: ids.intendedSessionId,
+			tmuxSession: name,
+			endpointUrl: "ws://127.0.0.1:0",
+			topicThreadId: "1",
+		};
+	},
+	// REAL close: hard-close the GJC-managed tmux session, id-matched.
+	closeSession: async target => {
+		forceCloseGjcTmuxSession(target.tmuxSession ?? "", process.env, target.sessionId);
+		return { processGone: !exists(target.tmuxSession ?? "") };
+	},
+	resumeSession: async () => ({ ambiguous: [] }),
+	newLifecycleRequestId: () => `lc-${crypto.randomUUID()}`,
+	newSessionId: () => `s${crypto.randomUUID().slice(0, 8)}`,
+};
+
+const createFrame: SessionCreateFrame = {
+	type: "session_create",
+	requestId: "lc_g005",
+	lifecycleRequestId: "lc_g005",
+	intendedSessionId: `g005${Date.now().toString(36)}`,
+	updateId: 100,
+	chatId: "42",
+	token: "control-token",
+	target: { kind: "existing_path", path: tmpRoot },
+};
+
+async function main(): Promise<void> {
+	// 1. CREATE -> real tmux session spawned + GJC-tagged with the authoritative id.
+	const createOut = await handleLifecycleRequest(createFrame, deps);
+	assert.equal(createOut.status, "ok", "create must succeed");
+	const session = createOut.status === "ok" ? createOut.entry.tmuxSession! : "";
+	assert.ok(exists(session), "real tmux session must exist after create");
+	const status = statusGjcTmuxSession(session);
+	assert.equal(status.profile, "1", "spawned session must be GJC-managed");
+	assert.equal(status.sessionId, createFrame.intendedSessionId, "authoritative session id propagated to tmux tag");
+	console.log(`[g005] CREATE -> live tmux session ${session} (id=${status.sessionId})`);
+
+	// 2. Idempotent re-ack: same updateId+body must NOT spawn a second session.
+	const before = created.length;
+	const dupOut = await handleLifecycleRequest(createFrame, deps);
+	assert.equal(dupOut.status, "ok", "duplicate create re-acks ok");
+	assert.equal(created.length, before, "duplicate create must NOT spawn a second session");
+	console.log("[g005] DUPLICATE create re-acked, no second spawn (idempotent)");
+
+	// 3. CLOSE -> real hard-close of the GJC-managed session, id-matched.
+	const closeFrame: SessionCloseFrame = {
+		type: "session_close",
+		requestId: "lc_g005_close",
+		updateId: 101,
+		chatId: "42",
+		token: "control-token",
+		target: { sessionId: createFrame.intendedSessionId, tmuxSession: session },
+		force: true,
+	};
+	const closeOut = await handleLifecycleRequest(closeFrame, deps);
+	assert.equal(closeOut.status, "ok", "close must succeed");
+	assert.ok(!exists(session), "real tmux session must be gone after close");
+	console.log(`[g005] CLOSE -> hard-closed ${session} (id-matched)`);
+
+	// 4. Durable ledger + audit redaction.
+	const doc = JSON.parse(fs.readFileSync(ledgerPath, "utf8")) as LedgerDoc;
+	assert.equal(doc.entries["42:100"]?.state, "success");
+	assert.equal(doc.entries["42:101"]?.state, "success");
+	const auditBlob = fs.readFileSync(auditPath, "utf8");
+	assert.ok(!auditBlob.includes("control-token"), "audit must never contain the control token");
+	assert.ok(
+		auditLines.some(a => a.event === "spawn_started"),
+		"audit records spawn_started",
+	);
+	console.log("[g005] durable fsynced ledger + token-redacted audit verified");
+
+	console.log("[g005] PASS: real create->close daemon orchestration over live tmux");
+}
+
+main()
+	.then(() => {
+		for (const n of created) sh(["kill-session", "-t", `=${n}`]);
+		fs.rmSync(tmpRoot, { recursive: true, force: true });
+		process.exit(0);
+	})
+	.catch(err => {
+		for (const n of created) sh(["kill-session", "-t", `=${n}`]);
+		fs.rmSync(tmpRoot, { recursive: true, force: true });
+		console.error("[g005] FAIL", err);
+		process.exit(1);
+	});

package/scripts/g011-daemon-path-smoke.ts

@@ -0,0 +1,153 @@
+// G011 real daemon-path smoke.
+//
+// Drives a PARSED /session_* command through the LIVE native
+// NotificationControlServer + a real loopback WebSocket client (NO injected/fake
+// seams), wired to the real orchestrator (with stubbed spawn/close effects so the
+// focus is the authenticated wire path, not tmux). Asserts:
+//  - a wrong-token handshake is rejected (control token gates the endpoint);
+//  - a valid frame is forwarded with the control token STRIPPED from payloadJson;
+//  - the host response is routed back to the client by requestId;
+//  - control discovery exists while running and is removed after stop.
+import assert from "node:assert";
+import * as crypto from "node:crypto";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import WebSocket from "ws";
+
+// Import the WORKTREE native build directly (not @gajae-code/natives, which can
+// resolve to a different checkout in this dev environment).
+import { NotificationControlServer } from "../../natives/native/index.js";
+import { parseLifecycleCommand } from "../src/notifications/lifecycle-commands";
+import { attachLifecycleControl, fileAudit, fileLedgerStore } from "../src/notifications/lifecycle-control-runtime";
+import type { OrchestratorDeps } from "../src/notifications/lifecycle-orchestrator";
+
+const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "gjc-g011-"));
+const token = crypto.randomBytes(32).toString("base64url");
+const ownerId = "daemon-g011";
+const closed: string[] = [];
+
+function deps(): OrchestratorDeps {
+	return {
+		pairedChatId: "42",
+		now: () => Date.now(),
+		store: fileLedgerStore(path.join(tmp, "idempotency.json")),
+		audit: fileAudit(path.join(tmp, "audit.jsonl")),
+		allowCreate: () => true,
+		writeStartupPrompt: async () => undefined,
+		// Stubbed effects: this smoke proves the WIRE path, not tmux (covered by g005).
+		spawnCreate: async (_f, ids) => ({
+			sessionId: ids.intendedSessionId,
+			tmuxSession: `gjc-${ids.intendedSessionId}`,
+			endpointUrl: "ws://127.0.0.1:0",
+			topicThreadId: "1",
+		}),
+		closeSession: async t => {
+			closed.push(t.sessionId);
+			return { processGone: true };
+		},
+		resumeSession: async () => ({ ambiguous: [] }),
+		newLifecycleRequestId: () => `lc-${crypto.randomUUID()}`,
+		newSessionId: () => `s${crypto.randomUUID().slice(0, 8)}`,
+	};
+}
+
+function send(ws: WebSocket, frame: unknown): void {
+	ws.send(JSON.stringify(frame));
+}
+
+async function main(): Promise<void> {
+	const server = new NotificationControlServer(token, ownerId, tmp);
+
+	// Wire the real orchestrator to the real native control server.
+	const d = deps();
+	attachLifecycleControl(server as never, d);
+
+	const ep = (await server.start()) as { url: string };
+	assert.ok(ep.url.startsWith("ws://127.0.0.1:"), `loopback url, got ${ep.url}`);
+	const controlJson = path.join(tmp, "notifications", "control.json");
+	assert.ok(fs.existsSync(controlJson), "control discovery must exist while running");
+	// The control discovery file MUST NOT persist the privileged control token:
+	// the daemon holds it in memory and is the only client.
+	const controlRaw = fs.readFileSync(controlJson, "utf8");
+	assert.ok(!controlRaw.includes(token), "control token MUST NOT be persisted in control.json");
+	assert.ok(
+		!("token" in (JSON.parse(controlRaw) as Record<string, unknown>)),
+		"control.json must omit any token field",
+	);
+	console.log(`[g011] live control endpoint ${ep.url}; discovery present, no persisted token`);
+
+	// 1. Wrong-token handshake must be rejected.
+	await new Promise<void>(resolve => {
+		const bad = new WebSocket(`${ep.url}/?token=wrong`);
+		bad.on("open", () => {
+			throw new Error("wrong-token handshake must NOT open");
+		});
+		bad.on("error", () => {
+			console.log("[g011] wrong-token handshake rejected (expected)");
+			resolve();
+		});
+	});
+
+	// 2. Valid client: send a PARSED /session_close command through the real wire.
+	const parsed = parseLifecycleCommand("/session_close sess-g011");
+	assert.equal(parsed.kind, "close", "parser must yield a close command");
+	const requestId = "lc-g011-1";
+	const frame = {
+		type: "session_close",
+		requestId,
+		updateId: 1,
+		chatId: "42",
+		token,
+		target: parsed.kind === "close" ? parsed.target : { sessionId: "sess-g011" },
+		force: true,
+	};
+
+	const response = await new Promise<Record<string, unknown>>((resolve, reject) => {
+		const ws = new WebSocket(`${ep.url}/?token=${token}`);
+		const timer = setTimeout(() => reject(new Error("timed out")), 5000);
+		ws.on("open", () => send(ws, frame));
+		ws.on("message", data => {
+			clearTimeout(timer);
+			ws.close();
+			resolve(JSON.parse(String(data)) as Record<string, unknown>);
+		});
+		ws.on("error", reject);
+	});
+
+	assert.equal(response.type, "session_close_response", "response routed back to client");
+	assert.equal(response.requestId, requestId, "response correlated by requestId");
+	assert.equal(response.sessionId, "sess-g011");
+	assert.deepEqual(closed, ["sess-g011"], "orchestrator close effect ran exactly once");
+	console.log("[g011] parsed command -> real wire -> orchestrator -> routed response OK");
+
+	// 3. The real orchestrator path must NOT leak the control token into its
+	// durable audit log or idempotency ledger (g002 separately proves the native
+	// payloadJson boundary is token-stripped).
+	for (const f of ["audit.jsonl", "idempotency.json"]) {
+		const p = path.join(tmp, f);
+		if (fs.existsSync(p)) {
+			assert.ok(!fs.readFileSync(p, "utf8").includes(token), `control token leaked into ${f}`);
+		}
+	}
+	console.log("[g011] no control-token leak in audit/ledger on the real path");
+
+	// 4. Stop removes control discovery.
+	server.stop();
+	await new Promise(r => setTimeout(r, 50));
+	assert.ok(!fs.existsSync(controlJson), "control discovery removed after stop");
+	console.log("[g011] control discovery removed after stop");
+
+	console.log("[g011] PASS: real daemon-path (parse -> native control endpoint -> orchestrator -> reply)");
+}
+
+main()
+	.then(() => {
+		fs.rmSync(tmp, { recursive: true, force: true });
+		process.exit(0);
+	})
+	.catch(err => {
+		fs.rmSync(tmp, { recursive: true, force: true });
+		console.error("[g011] FAIL", err);
+		process.exit(1);
+	});

package/src/cli/plugin-cli.ts

@@ -7,6 +7,7 @@
 import { APP_NAME, getProjectDir } from "@gajae-code/utils";
 import chalk from "chalk";
 import { resolveOrDefaultProjectRegistryPath } from "../discovery/helpers";
+import { installGjcPluginBundle, isGjcPluginBundleSource, readRegistry } from "../extensibility/gjc-plugins";
 import { PluginManager, parseSettingValue, validateSetting } from "../extensibility/plugins";
 import {
 	getInstalledPluginsRegistryPath,
@@ -48,6 +49,8 @@ export interface PluginCommandArgs {
 		disable?: string;
 		set?: string;
 		scope?: "user" | "project";
+		user?: boolean;
+		project?: boolean;
 	};
 }
 
@@ -109,6 +112,10 @@ export function parsePluginArgs(args: string[]): PluginCommandArgs | undefined {
 			result.flags.dryRun = true;
 		} else if (arg === "-l" || arg === "--local") {
 			result.flags.local = true;
+		} else if (arg === "--user") {
+			result.flags.user = true;
+		} else if (arg === "--project") {
+			result.flags.project = true;
 		} else if (arg === "--enable" && i + 1 < args.length) {
 			result.flags.enable = args[++i];
 		} else if (arg === "--disable" && i + 1 < args.length) {
@@ -345,7 +352,14 @@ async function handleUpgrade(args: string[], flags: PluginCommandArgs["flags"]):
 async function handleInstall(
 	manager: PluginManager,
 	packages: string[],
-	flags: { json?: boolean; force?: boolean; dryRun?: boolean; scope?: "user" | "project" },
+	flags: {
+		json?: boolean;
+		force?: boolean;
+		dryRun?: boolean;
+		scope?: "user" | "project";
+		user?: boolean;
+		project?: boolean;
+	},
 ): Promise<void> {
 	if (packages.length === 0) {
 		console.error(chalk.red(`Usage: ${APP_NAME} plugin install <package[@version]>[features] ...`));
@@ -360,6 +374,32 @@ async function handleInstall(
 	const knownMarketplaces = new Set((await mktMgr.listMarketplaces()).map(m => m.name));
 
 	for (const spec of packages) {
+		// GJC plugin bundle classifier: a source containing gajae-plugin.json (or a
+		// git/tarball source) routes to the bundle installer BEFORE marketplace/npm.
+		if (await isGjcPluginBundleSource(spec)) {
+			if (flags.user === flags.project) {
+				console.error(
+					chalk.red(`GJC plugin bundle install requires exactly one of --user or --project for "${spec}".`),
+				);
+				process.exit(1);
+			}
+			const scope: "user" | "project" = flags.user ? "user" : "project";
+			try {
+				const res = await installGjcPluginBundle(spec, { scope, cwd: process.cwd(), force: flags.force });
+				if (flags.json) {
+					console.log(JSON.stringify({ name: res.entry.name, status: res.status, scope }, null, 2));
+				} else {
+					console.log(
+						chalk.green(`${theme.status.success} ${res.status} GJC plugin ${res.entry.name} (${scope})`),
+					);
+				}
+			} catch (err) {
+				console.error(chalk.red(`${theme.status.error} Failed to install GJC plugin ${spec}: ${err}`));
+				process.exit(1);
+			}
+			continue;
+		}
+
 		const target = classifyInstallTarget(spec, knownMarketplaces);
 
 		if (target.type === "marketplace") {
@@ -462,13 +502,16 @@ async function handleList(manager: PluginManager, flags: { json?: boolean }): Pr
 	const npmPlugins = await manager.list();
 	const mktMgr = await makeMarketplaceManager();
 	const mktPlugins = await mktMgr.listInstalledPlugins();
+	const cwd = getProjectDir();
+	const [gjcUser, gjcProject] = await Promise.all([readRegistry("user", cwd), readRegistry("project", cwd)]);
+	const gjcBundles = [...gjcUser.plugins, ...gjcProject.plugins];
 
 	if (flags.json) {
-		console.log(JSON.stringify({ npm: npmPlugins, marketplace: mktPlugins }, null, 2));
+		console.log(JSON.stringify({ npm: npmPlugins, marketplace: mktPlugins, gjc: gjcBundles }, null, 2));
 		return;
 	}
 
-	if (npmPlugins.length === 0 && mktPlugins.length === 0) {
+	if (npmPlugins.length === 0 && mktPlugins.length === 0 && gjcBundles.length === 0) {
 		console.log(chalk.dim("No plugins installed"));
 		console.log(chalk.dim(`\nInstall plugins with: ${APP_NAME} plugin install <package>`));
 		return;
@@ -510,6 +553,26 @@ async function handleList(manager: PluginManager, flags: { json?: boolean }): Pr
 			console.log(`  ${plugin.id} (${version})${scopeLabel}${shadowLabel}`);
 		}
 	}
+
+	if (gjcBundles.length > 0) {
+		if (npmPlugins.length > 0 || mktPlugins.length > 0) console.log();
+		console.log(chalk.bold("GJC Plugin Bundles:\n"));
+		for (const plugin of gjcBundles) {
+			const status = plugin.enabled ? chalk.green(theme.status.enabled) : chalk.dim(theme.status.disabled);
+			const scopeLabel = chalk.dim(` (${plugin.scope})`);
+			const disabledCount = plugin.disabledSurfaceIds.length;
+			const quarantineCount = plugin.quarantine?.length ?? 0;
+			const detail = [
+				disabledCount > 0 ? `${disabledCount} disabled` : null,
+				quarantineCount > 0 ? `${quarantineCount} quarantined` : null,
+			]
+				.filter((v): v is string => Boolean(v))
+				.join(", ");
+			console.log(
+				`${status} ${plugin.name}@${plugin.version}${scopeLabel}${detail ? chalk.dim(` — ${detail}`) : ""}`,
+			);
+		}
+	}
 }
 
 async function handleLink(manager: PluginManager, paths: string[], flags: { json?: boolean }): Promise<void> {

package/src/cli.ts

@@ -64,7 +64,7 @@ async function showHelp(config: CliConfig): Promise<void> {
 }
 
 async function installRuntimeGlobals(): Promise<void> {
-	const [{ installH2Fetch }, { procmgr }] = await Promise.all([import("@gajae-code/ai"), import("@gajae-code/utils")]);
+	const { installH2Fetch } = await import("@gajae-code/ai/utils/h2-fetch");
 	// Activate HTTP/2 for all `fetch()` calls (provider streams, OAuth, model
 	// discovery, web tools). Bun's HTTP/2 client is gated on a startup flag we
 	// can't toggle from JS, so we patch globalThis.fetch to pass
@@ -75,7 +75,24 @@ async function installRuntimeGlobals(): Promise<void> {
 	// Strip macOS malloc-stack-logging env vars before any subprocess is spawned.
 	// Otherwise every child bun process (subagents, plugin installs, ptree spawns,
 	// etc.) prints a `MallocStackLogging: can't turn off …` warning to stderr.
-	procmgr.scrubProcessEnv();
+	delete process.env.MallocStackLogging;
+	delete process.env.MallocStackLoggingNoCompact;
+}
+
+function hasRootFastFlag(argv: string[], flags: readonly string[]): boolean {
+	for (const arg of argv) {
+		if (isSubcommand(arg)) return false;
+		if (flags.includes(arg)) return true;
+	}
+	return false;
+}
+
+function hasRootHelpFlag(argv: string[]): boolean {
+	return hasRootFastFlag(argv, rootHelpFlags);
+}
+
+function hasRootVersionFlag(argv: string[]): boolean {
+	return hasRootFastFlag(argv, versionFlags);
 }
 
 class RootHelpCommand extends Command {
@@ -195,7 +212,7 @@ export async function runCli(argv: string[]): Promise<void> {
 		await runSmokeTest();
 		return;
 	}
-	if (rootHelpFlags.includes(argv[0] ?? "")) {
+	if (hasRootHelpFlag(argv)) {
 		const { renderRootHelp } = await import("@gajae-code/utils/cli");
 		const { getExtraHelpText } = await import("./cli/fast-help");
 		renderRootHelp({ bin: APP_NAME, version: VERSION, commands: new Map([["launch", RootHelpCommand]]) });
@@ -205,7 +222,7 @@ export async function runCli(argv: string[]): Promise<void> {
 		}
 		return;
 	}
-	if (versionFlags.includes(argv[0] ?? "")) {
+	if (hasRootVersionFlag(argv)) {
 		process.stdout.write(`${APP_NAME}/${VERSION}\n`);
 		return;
 	}

package/src/commands/plugin.ts

@@ -49,6 +49,8 @@ export default class Plugin extends Command {
 			description: 'Install scope: "user" (default) or "project"',
 			options: ["user", "project"],
 		}),
+		user: Flags.boolean({ description: "Install GJC plugin bundle into the user root" }),
+		project: Flags.boolean({ description: "Install GJC plugin bundle into the project root" }),
 	};
 
 	async run(): Promise<void> {
@@ -69,6 +71,8 @@ export default class Plugin extends Command {
 				disable: flags.disable,
 				set: flags.set,
 				scope: flags.scope as "user" | "project" | undefined,
+				user: flags.user,
+				project: flags.project,
 			},
 		};