@ijfw/install 1.3.0 → 1.3.1

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [1.3.1] -- 2026-05-12
+
+**Codex hook cleanup + release cadence hardening.** Tightens IJFW's Codex integration for Codex 0.130+, reduces the default dependency footprint, and moves more release drift into automated gates before it reaches users.
+
+- Codex `SessionStart` now emits `additionalContext` inside `hookSpecificOutput` with `hookEventName: "SessionStart"`, matching Codex's strict hook response shape. This closes the `SessionStart hook (failed): hook returned invalid session start JSON output` error.
+- Codex `PostToolUse` is now stdout-silent. IJFW still records local observations and failure signals, but it no longer re-injects cleaned tool output as `systemMessage`, which Codex renders as visible hook warning spam.
+- Codex hook Node shims now pass user/tool text after `--`, so tool output beginning with `---` is treated as data instead of a Node CLI option. This closes the `node: bad option: ---` failure.
+- Codex `UserPromptSubmit` and `PreToolUse` advisory output now use the same `hookSpecificOutput.additionalContext` shape when they do emit context.
+- Codex `Stop` now stays stdout-silent on routine session saves. Normal receipts are written locally; only actionable compression notices can surface by default. This closes the `Stop hook (completed) warning: [ijfw] Session #... saved` noise.
+- Codex bundle tests now cover strict `SessionStart` JSON and silent `PostToolUse` behavior for both routine output and failure-looking output.
+- The shipped MCP server no longer installs `@xenova/transformers` by default. Cold semantic vectors are explicit opt-in and `IJFW_VECTORS` now defaults to `off`, keeping the production install smaller and quieter under package audits.
+- The preflight audit gate now runs against both `installer` and `mcp-server`, so server-side dependency drift is covered by the same release gate as the installer.
+- `ijfw preflight` now routes through the canonical 11-gate preflight entrypoint from both installer and MCP CLI paths instead of falling back to `scripts/check-all.sh`.
+- Platform capability drift is now gated by `platform-capabilities.json` plus `scripts/check-platform-drift.js`, covering skill counts, hook-event counts, and marketplace/plugin manifest claims.
+- Update-check changelog URLs now point at GitLab releases, matching the canonical repository.
+- D2 graph-write lock timeout handling now throws the intended `EBUSY_GRAPH_WRITE` error instead of tripping an undeclared variable path under collision.
+
+Files: `codex/.codex/hooks/session-start.sh`, `codex/.codex/hooks/post-tool-use.sh`, `codex/.codex/hooks/pre-prompt.sh`, `codex/.codex/hooks/pre-tool-use.sh`, `codex/.codex/hooks/session-end.sh`, `scripts/observation/test-envelope-invariant-codex.sh`, `mcp-server/test-codex-bundle.js`, `mcp-server/src/vectors.js`, `mcp-server/package.json`, `installer/src/preflight/gates/audit-ci.js`, `installer/src/preflight.js`, `mcp-server/src/cross-orchestrator-cli.js`, `mcp-server/src/compute/graph-lock.js`, `platform-capabilities.json`, `scripts/check-platform-drift.js`.
+
 ## [1.2.6] -- 2026-05-01
 
 **Token sandbox + parallel workflow dispatch + DeepSeek frontier upgrade.** A new `ijfw_run` MCP tool keeps large command output out of your context window entirely -- builds, test suites, grep runs, and log tails are sandboxed to disk and summarized in a few lines instead of flooding thousands of tokens. The `ijfw-workflow` execution engine gains a formal Wave Table that makes parallel agent dispatch deterministic rather than inferred. DeepSeek moves to `deepseek-v4-pro` -- the actual frontier model -- so the Trident gets Frontier AI checking Frontier AI.

package/dist/ijfw.js

@@ -582,27 +582,35 @@ async function run7(ctx) {
   const t0 = Date.now();
   const ver = ctx.versions["audit-ci"] || "latest";
   const configPath = join4(ctx.repoRoot, ".audit-ci.jsonc");
-  const res = spawnSync7(
-    "npx",
-    ["--yes", `audit-ci@${ver}`, "--config", configPath],
-    {
-      encoding: "utf8",
-      cwd: join4(ctx.repoRoot, "installer"),
-      timeout: 6e4
-    }
-  );
+  const packageDirs = ["installer", "mcp-server"];
+  const runs = packageDirs.map((dir) => {
+    const res = spawnSync7(
+      "npx",
+      ["--yes", `audit-ci@${ver}`, "--config", configPath],
+      {
+        encoding: "utf8",
+        cwd: join4(ctx.repoRoot, dir),
+        timeout: 6e4
+      }
+    );
+    return { dir, status: res.status, output: (res.stdout || "") + (res.stderr || "") };
+  });
   const durationMs = Date.now() - t0;
-  const output = (res.stdout || "") + (res.stderr || "");
-  const lines = output.split("\n").filter(Boolean);
-  if (res.status === 0) {
+  const failed = runs.filter((r) => r.status !== 0);
+  if (failed.length === 0) {
     return {
       name: "audit-ci",
       status: "PASS",
-      message: "audit-ci: no high/critical vulnerabilities",
-      details: [],
+      message: "audit-ci: no high/critical vulnerabilities in installer or mcp-server",
+      details: runs.map((r) => `${r.dir}: pass`),
       durationMs
     };
   }
+  const lines = [];
+  for (const r of failed) {
+    lines.push(`${r.dir}: audit failed`);
+    lines.push(...r.output.split("\n").filter(Boolean).slice(0, 10));
+  }
   return {
     name: "audit-ci",
     status: "FAIL",
@@ -1045,7 +1053,7 @@ __export(preflight_exports, {
   runPreflightCommand: () => runPreflightCommand
 });
 import { readFileSync as readFileSync2, existsSync as existsSync3 } from "node:fs";
-import { join as join8, dirname } from "node:path";
+import { join as join8, dirname, resolve as resolve3 } from "node:path";
 import { fileURLToPath } from "node:url";
 function printHelp() {
   console.log(`
@@ -1144,11 +1152,24 @@ async function runPreflightCommand(argv, repoRoot2) {
   const report = await runPreflight(gates, ctx);
   process.exit(report.outcome === "pass" ? 0 : 1);
 }
+function defaultRepoRoot() {
+  let dir = __dirname;
+  for (let i = 0; i < 8; i++) {
+    if (existsSync3(join8(dir, "package.json")) && existsSync3(join8(dir, "mcp-server"))) return dir;
+    const next = resolve3(dir, "..");
+    if (next === dir) break;
+    dir = next;
+  }
+  return process.cwd();
+}
 var __dirname;
 var init_preflight = __esm({
-  "src/preflight.js"() {
+  async "src/preflight.js"() {
     init_runner();
     __dirname = dirname(fileURLToPath(import.meta.url));
+    if (process.argv[1] && resolve3(process.argv[1]) === fileURLToPath(import.meta.url)) {
+      await runPreflightCommand(process.argv, defaultRepoRoot());
+    }
   }
 });
 
@@ -2412,7 +2433,7 @@ Please report this to https://github.com/markedjs/marked.`, e) {
 });
 
 // src/ijfw.js
-import { dirname as dirname2, join as join9, resolve as resolve3, basename } from "node:path";
+import { dirname as dirname2, join as join9, resolve as resolve4, basename } from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 import { existsSync as existsSync4, mkdirSync as mkdirSync3, copyFileSync, readdirSync as readdirSync4, rmSync as rmSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync4 } from "node:fs";
 import { homedir, platform as platform2 } from "node:os";
@@ -2422,7 +2443,7 @@ function repoRoot() {
   let dir = __dirname2;
   for (let i = 0; i < 6; i++) {
     if (existsSync4(join9(dir, "package.json")) && existsSync4(join9(dir, ".git"))) return dir;
-    dir = resolve3(dir, "..");
+    dir = resolve4(dir, "..");
   }
   return process.cwd();
 }
@@ -2437,7 +2458,7 @@ COMMANDS
   install     Install IJFW into your AI coding agents
   uninstall   Remove IJFW from your AI coding agents
   help        Open the full IJFW guide (terminal, or --browser for rendered)
-  preflight   Run 12-gate quality pipeline before publishing
+  preflight   Run 11-gate quality pipeline before publishing
   dashboard   Start / stop / check the local observability dashboard
   design      Manage the visual design companion
   doctor      Diagnose IJFW installation health
@@ -2494,19 +2515,19 @@ async function main() {
   }
   switch (sub) {
     case "install": {
-      const installBin = resolve3(__dirname2, "..", "dist", "install.js");
+      const installBin = resolve4(__dirname2, "..", "dist", "install.js");
       const r = spawnSync12("node", [installBin, ...argv.slice(3)], { stdio: "inherit" });
       process.exit(r.status ?? 1);
       break;
     }
     case "uninstall": {
-      const uninstallBin = resolve3(__dirname2, "..", "dist", "uninstall.js");
+      const uninstallBin = resolve4(__dirname2, "..", "dist", "uninstall.js");
       const r = spawnSync12("node", [uninstallBin, ...argv.slice(3)], { stdio: "inherit" });
       process.exit(r.status ?? 1);
       break;
     }
     case "preflight": {
-      const { runPreflightCommand: runPreflightCommand2 } = await Promise.resolve().then(() => (init_preflight(), preflight_exports));
+      const { runPreflightCommand: runPreflightCommand2 } = await init_preflight().then(() => preflight_exports);
       await runPreflightCommand2([argv[0], argv[1], ...argv.slice(3)], repoRoot());
       break;
     }
@@ -2563,7 +2584,7 @@ async function main() {
           console.error("Usage: ijfw design push <file.html>");
           process.exit(1);
         }
-        const abs = resolve3(filePath);
+        const abs = resolve4(filePath);
         if (!existsSync4(abs)) {
           console.error(`File not found: ${abs}`);
           process.exit(1);
@@ -2587,7 +2608,7 @@ async function main() {
       const wantsBrowser = argv.slice(3).includes("--browser");
       const candidates = [
         join9(repoRoot(), "docs", "GUIDE.md"),
-        resolve3(__dirname2, "..", "docs", "GUIDE.md"),
+        resolve4(__dirname2, "..", "docs", "GUIDE.md"),
         join9(homedir(), ".ijfw", "docs", "GUIDE.md")
       ];
       const guidePath = candidates.find((p) => existsSync4(p));

package/dist/install.js

@@ -767,7 +767,7 @@ async function installCodex(ctx) {
       copyDirIfAbsent(sd.path, join4(projSkills, sd.name));
     }
   }
-  ctx.log.ok("Installed Codex bundle: MCP + hooks + 15 skills + context");
+  ctx.log.ok("Installed Codex bundle: MCP + hooks + 19 skills + context");
   return { status: "ok" };
 }
 async function installGemini(ctx) {
@@ -832,7 +832,7 @@ async function installGemini(ctx) {
   for (const f of listFiles(agentSrc, ".md")) {
     copyIfAbsent(f.path, join4(extDst, "agents", f.name));
   }
-  ctx.log.ok("Installed Gemini bundle: MCP + extension + 15 skills + 11 hooks + policy");
+  ctx.log.ok("Installed Gemini bundle: MCP + extension + 19 skills + 11 hooks + policy");
   return { status: "ok" };
 }
 async function installWayland(ctx) {
@@ -2048,14 +2048,12 @@ function cloneOrPull(dir, branch) {
     else if (remoteSignal) console.warn(`  git exited on signal ${remoteSignal}`);
     else if (remoteStatus !== 0 && remoteStderr) console.warn(`  git remote get-url: ${remoteStderr.slice(0, 120).trim()}`);
     if (remoteStatus === 0) {
-      const STALE_ORIGINS = [
-        "https://github.com/seandonahoe/ijfw.git",
-        "https://github.com/seandonahoe/ijfw",
-        "https://github.com/seandonahoe/ijfw/",
-        "https://github.com/seandonahoe/ijfw.git/"
+      const STALE_PATTERNS = [
+        /^https:\/\/github\.com\/seandonahoe\/ijfw(\.git)?\/?$/i,
+        /^https:\/\/github\.com\/therealseandonahoe\/ijfw(\.git)?\/?$/i
       ];
       const currentOrigin = (stdout || "").trim();
-      if (STALE_ORIGINS.includes(currentOrigin)) {
+      if (STALE_PATTERNS.some((re) => re.test(currentOrigin))) {
         const setUrl = spawnSync2("git", ["-C", dir, "remote", "set-url", "origin", DEFAULT_REPO], { stdio: "inherit" });
         if (setUrl.status !== 0) {
           console.warn(`  [!] origin migration failed -- could not repoint ${currentOrigin} to ${DEFAULT_REPO}`);

package/docs/GUIDE.md

@@ -172,7 +172,7 @@ Run `/team setup` in Claude Code, or `ijfw team` from the shell, to see your cur
 |------|-------|--------------|
 | Hot  | Plain markdown in `.ijfw/memory/` | Always on. Instant reads. Git friendly. |
 | Warm | BM25 ranked search | Always on. Scales to around 10,000 entries per project. |
-| Cold | Optional semantic vectors | Only if you install `@xenova/transformers`. Off by default. |
+| Cold | Optional semantic vectors | Off by default. Requires a user-installed embedding provider. |
 
 Every session also ends with an optional "dream cycle". Run `/consolidate` or "run a dream cycle" to have IJFW sweep the day's memory: promote observed patterns into your knowledge base, prune stale entries, reconcile contradictions, optionally lift winners into global memory so every future project benefits. Memory that grows sharper over time instead of heavier.
 
@@ -359,9 +359,9 @@ IJFW configures six AI coding agents with native affordances on each, plus a uni
 
 | Platform | What ships |
 |----------|------------|
-| Claude Code | Native plugin via marketplace, MCP auto-registered, 9 hooks, 20 on-demand skills, 21 slash commands |
-| Codex CLI | Native plugin (`.codex-plugin/plugin.json`), 20 skills, 9 hooks, MCP registered, marketplace-ready |
-| Gemini CLI | Native extension (`gemini-extension.json`), 20 skills, 11 hook events, 21 TOML slash commands, policy engine, BeforeModel injection, checkpointing |
+| Claude Code | Native plugin via marketplace, MCP auto-registered, 6 hook events / 12 scripts, 22 on-demand skills, 22 slash commands |
+| Codex CLI | Native plugin (`.codex-plugin/plugin.json`), 19 skills, 5 hook events, MCP registered, marketplace-ready |
+| Gemini CLI | Native extension (`gemini-extension.json`), 19 skills, 11 hook events, 19 TOML slash commands, policy engine, BeforeModel injection, checkpointing |
 | Cursor | `.cursor/mcp.json` plus `.cursor/rules/ijfw.mdc`. Dashboard view-only. |
 | Windsurf | `~/.codeium/windsurf/mcp_config.json` plus `.windsurfrules`. Dashboard view-only. |
 | Copilot (VS Code) | `.vscode/mcp.json` plus `.github/copilot-instructions.md`. Dashboard view-only. |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ijfw/install",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "One-command installer for IJFW -- the AI efficiency layer. One install, every AI coding agent, zero config.",
   "type": "module",
   "bin": {
@@ -55,7 +55,6 @@
     "url": "git+https://gitlab.com/therealseandonahoe/ijfw.git"
   },
   "publishConfig": {
-    "access": "public",
-    "provenance": true
+    "access": "public"
   }
 }