auriga-cli 1.18.4 → 1.19.1

package/dist/state.js

@@ -1,20 +1,23 @@
-// scanState — produce a tri-state install report (installed / update-available /
-// not-installed) for every category, reading the *actual* Claude Code install
-// locations rather than auriga-cli's own dev-repo layout. The truth sources
-// (per docs/specs/web-ui-scanner-redesign.md):
+// scanState — produce a presence-only install report for every category,
+// reading the *actual* Claude Code install locations rather than auriga-cli's
+// own dev-repo layout. The truth sources:
 //
 //   Workflow:  ~/.claude/CLAUDE.md                          (user scope)
-//              <proj>/CLAUDE.md, fallback .claude/CLAUDE.md (project scope)
+//              <proj>/CLAUDE.md                             (project scope)
 //   Skills:    ~/.claude/skills/<name>/SKILL.md             (user scope)
 //              <proj>/.claude/skills/<name>/SKILL.md        (project scope)
 //   Plugins(Claude): execPluginList(scope) + settings.json enabledPlugins
 //   Plugins(Codex):  ~/.codex/config.toml + ~/.codex/plugins/cache (user only)
 //   Hooks:     <scope>/.claude/settings.json `hooks` segment, matched by _marker
 //
+// Scanner is presence-only: states are `installed` / `not-installed` /
+// `partial-install` (dual-Agent half-install). v1.19.0 dropped
+// `update-available` — re-running install is the update path for every
+// category; the scanner no longer compares versions or hashes.
+//
 // External I/O is either injected via ScanOptions (tests) or done through the
 // default implementations at the bottom of the file (server.ts production
 // wiring). See tests/state.test.ts for the full behavioral contract.
-import { createHash } from "node:crypto";
 import { exec as execCallback } from "node:child_process";
 import { promisify } from "node:util";
 const execAsync = promisify(execCallback);
@@ -22,12 +25,6 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { parse as parseToml } from "smol-toml";
-/** Wildcard sentinel for the catalog hook `expectedHash` field. A value
- *  equal to this string (or the empty string) is treated as "no drift
- *  expectation, trust marker presence" — useful when the catalog hasn't yet
- *  been populated with a real settings-entry signature. The test suite uses
- *  this sentinel explicitly (see tests/state.test.ts assumption A7). */
-const WILDCARD_EXPECTED_HASH = "any";
 /**
  * Shorten an absolute path by replacing the user's $HOME with `~`. Avoids
  * leaking the full username in screenshots and keeps the TopBar label
@@ -55,7 +52,7 @@ export async function scanState(projectRoot, catalog, opts = {}) {
     const warnings = [];
     const home = opts.homeDir ?? os.homedir();
     const scopes = { ...DEFAULT_SCOPES, ...(opts.scopes ?? {}) };
-    const workflow = scanWorkflow(scopes.workflow, projectRoot, home, catalog, warnings);
+    const workflow = scanWorkflow(scopes.workflow, projectRoot, home, warnings);
     const skills = scanSkills(scopes.skills, projectRoot, home, catalog.skills, 
     /* recommended */ false, warnings);
     const recommendedSkills = scanRecommendedSkills(scopes.skills, projectRoot, home, catalog.recommendedSkills, warnings);
@@ -94,34 +91,23 @@ function dirExists(p) {
         return false;
     }
 }
-/**
- * Dedupe plugins by `id`, merging dual-Agent records into a single
- * multi-agent row. Aggregation rules:
- *
- *   agents:  union of all agent arrays for this id (claude before codex).
- *   status:  installed     ⇔ every agent's record is installed
- *            not-installed ⇔ every agent's record is not-installed
- *            otherwise     → update-available (partial install or any agent
- *                            with a pending update). One Apply covers all
- *                            gaps because the handler iterates `agents`.
- *
- * Non-status fields (description, currentVersion, expectedVersion,
- * versionSource) come from the first record we see. Today both sides report
- * the same description (catalog-driven) and the same versions for any
- * registry-pinned plugin, so this is safe; if a future divergence appears
- * we'll need a deliberate merge policy.
- */
 export function mergePluginsById(records) {
     const byId = new Map();
-    const statusByIdPerAgent = new Map();
+    const perAgentByIdEntries = new Map();
     for (const rec of records) {
+        // Pre-merge records are per-agent: their `agents[]` array contains the
+        // single Agent this row was scanned for. The merge step below unions
+        // those into the final dual-Agent record.
+        const recAgent = rec.agents[0];
+        const perAgentEntry = recAgent
+            ? { agent: recAgent, status: rec.status }
+            : null;
         const existing = byId.get(rec.id);
         if (!existing) {
             byId.set(rec.id, { ...rec });
-            statusByIdPerAgent.set(rec.id, [rec.status]);
+            perAgentByIdEntries.set(rec.id, perAgentEntry ? [perAgentEntry] : []);
             continue;
         }
-        // Union agents preserving order: existing first, then any new ones.
         const seen = new Set(existing.agents);
         for (const a of rec.agents) {
             if (!seen.has(a)) {
@@ -129,45 +115,55 @@ export function mergePluginsById(records) {
                 seen.add(a);
             }
         }
-        statusByIdPerAgent.get(rec.id).push(rec.status);
+        if (perAgentEntry) {
+            perAgentByIdEntries.get(rec.id).push(perAgentEntry);
+        }
     }
-    // Fold each id's per-agent status list into the aggregated status.
-    for (const [id, statuses] of statusByIdPerAgent) {
+    for (const [id, perAgent] of perAgentByIdEntries) {
         const rec = byId.get(id);
         if (!rec)
             continue;
-        rec.status = aggregateStatus(statuses);
+        const aggregated = aggregateStatus(perAgent);
+        rec.status = aggregated.status;
+        if (aggregated.missingAgents && aggregated.missingAgents.length > 0) {
+            rec.missingAgents = aggregated.missingAgents;
+        }
+        else {
+            delete rec.missingAgents;
+        }
     }
     return Array.from(byId.values());
 }
-function aggregateStatus(statuses) {
-    if (statuses.length === 0)
-        return "not-installed";
-    if (statuses.every((s) => s === "installed"))
-        return "installed";
-    if (statuses.every((s) => s === "not-installed"))
-        return "not-installed";
-    // Anything else — partial install, pending updates on any agent, mixed
-    // — falls through to update-available so a single Apply backfills the
-    // missing pieces.
-    return "update-available";
+function aggregateStatus(records) {
+    if (records.length === 0)
+        return { status: "not-installed" };
+    if (records.every((r) => r.status === "installed"))
+        return { status: "installed" };
+    if (records.every((r) => r.status === "not-installed"))
+        return { status: "not-installed" };
+    // Mixed: dual-Agent plugin with some agents installed and some not.
+    // User-facing action is "install on the missing side".
+    const missingAgents = records
+        .filter((r) => r.status === "not-installed")
+        .map((r) => r.agent);
+    return { status: "partial-install", missingAgents };
 }
 // ---------------------------------------------------------------------------
 // Workflow
 // ---------------------------------------------------------------------------
-const WORKFLOW_HEADER_RE = /^#\s+auriga\s+Workflow\s*\(v(\d+\.\d+\.\d+)\)/;
+const WORKFLOW_HEADER_RE = /^#\s+auriga\s+Workflow\s*\(v\d+\.\d+\.\d+\)/;
 function workflowPathsForScope(scope, projectRoot, home) {
     if (scope === "user") {
         return [path.join(home, ".claude", "CLAUDE.md")];
     }
-    // Project: <proj>/CLAUDE.md preferred, .claude/CLAUDE.md as fallback.
-    return [
-        path.join(projectRoot, "CLAUDE.md"),
-        path.join(projectRoot, ".claude", "CLAUDE.md"),
-    ];
+    // Project: only `<proj>/CLAUDE.md` — the auriga workflow installer
+    // (src/workflow.ts) writes here and never to `<proj>/.claude/CLAUDE.md`.
+    // The old fallback collapsed onto `$HOME/.claude/CLAUDE.md` when
+    // projectRoot === $HOME (user runs `web-ui` from home dir), leaking
+    // user-scope content into the project-scope row.
+    return [path.join(projectRoot, "CLAUDE.md")];
 }
-function scanWorkflow(scope, projectRoot, home, catalog, warnings) {
-    const expectedVersion = catalog.workflowVersion;
+function scanWorkflow(scope, projectRoot, home, warnings) {
     const candidates = workflowPathsForScope(scope, projectRoot, home);
     let content = null;
     for (const candidate of candidates) {
@@ -180,31 +176,27 @@ function scanWorkflow(scope, projectRoot, home, catalog, warnings) {
         }
     }
     if (content === null) {
-        return { status: "not-installed", expectedVersion, observedScope: scope };
+        return { status: "not-installed", observedScope: scope };
     }
-    // Walk the first non-blank lines looking for the auriga header.
+    // Walk the first non-blank lines looking for the auriga header. We only
+    // need to know "is this our CLAUDE.md or foreign" — the actual version
+    // string is unused since v1.19.0 dropped update-available status.
     for (const line of content.split(/\r?\n/)) {
-        const m = WORKFLOW_HEADER_RE.exec(line);
-        if (m) {
-            const currentVersion = m[1];
-            // Empty expectedVersion means scan-catalog couldn't extract the
-            // shipped workflow's header (auriga-cli's own CLAUDE.md missing or
-            // malformed at build time). Trust the installed version rather than
-            // forcing a phantom "update-available" against the empty string.
-            const status = !expectedVersion || currentVersion === expectedVersion ? "installed" : "update-available";
-            return { status, expectedVersion, currentVersion, observedScope: scope };
+        if (WORKFLOW_HEADER_RE.test(line)) {
+            return { status: "installed", observedScope: scope };
         }
         if (line.trim().length > 0)
             break;
     }
-    // CLAUDE.md exists but no recognizable auriga marker. Per spec degraded
-    // path: status remains "installed" (don't clobber user content on apply)
-    // and emit a workflow-unknown-version warning.
+    // CLAUDE.md exists but no recognizable auriga marker. The file is foreign
+    // — not our workflow. Report `not-installed` honestly; the install path
+    // (src/workflow.ts) protects user content by backing it up to
+    // `CLAUDE.md.bak` (backup-once: never clobbers a prior .bak).
     warnings.push({
-        code: "workflow-unknown-version",
-        message: `CLAUDE.md present but no auriga-workflow header found; cannot determine installed version.`,
+        code: "workflow-foreign-claudemd",
+        message: `Foreign CLAUDE.md detected at the workflow path — no auriga-workflow header. Install will back up to CLAUDE.md.bak.`,
     });
-    return { status: "installed", expectedVersion, observedScope: scope };
+    return { status: "not-installed", observedScope: scope };
 }
 // ---------------------------------------------------------------------------
 // Skills + recommendedSkills
@@ -214,50 +206,38 @@ function skillsRoot(scope, projectRoot, home) {
         return path.join(home, ".claude", "skills");
     return path.join(projectRoot, ".claude", "skills");
 }
-/** Classify a single skill by reading its SKILL.md from the scope's skills
- *  dir. Returns the status + (when readable) the on-disk content hash. The
- *  `malformedSeen` set is mutated when a skill dir exists but SKILL.md is
+/** Classify a single skill by presence of its SKILL.md. Returns
+ *  `installed` if SKILL.md is readable, `not-installed` otherwise.
+ *  `malformedSeen` is mutated when a skill dir exists but SKILL.md is
  *  missing/unreadable — the caller emits ONE skill-malformed warning per
  *  scan. */
-function classifySkillByFile(name, expectedHash, rootDir, malformedSeen) {
+function classifySkillByFile(name, rootDir, malformedSeen) {
     const skillDir = path.join(rootDir, name);
     const skillMd = path.join(skillDir, "SKILL.md");
-    let buf;
     try {
-        buf = fs.readFileSync(skillMd);
+        fs.readFileSync(skillMd);
+        return "installed";
     }
     catch {
-        // SKILL.md unreadable. Two sub-cases:
-        //   (a) skill dir also missing → simply not installed.
-        //   (b) skill dir present but SKILL.md missing → malformed; row stays
-        //       "installed" so the user can repair, plus a warning.
         if (dirExists(skillDir)) {
+            // skill dir present but SKILL.md missing → malformed; row stays
+            // "installed" so the user can repair, plus a warning.
             malformedSeen.add(name);
-            return { status: "installed" };
+            return "installed";
         }
-        return { status: "not-installed" };
-    }
-    const currentHash = createHash("sha256").update(buf).digest("hex");
-    if (expectedHash === "" ||
-        expectedHash === WILDCARD_EXPECTED_HASH ||
-        currentHash === expectedHash) {
-        return { status: "installed", currentHash };
+        return "not-installed";
     }
-    return { status: "update-available", currentHash };
 }
 function scanSkills(scope, projectRoot, home, catalogSkills, _recommended, warnings) {
     const rootDir = skillsRoot(scope, projectRoot, home);
     const malformed = new Set();
     const out = [];
     for (const [name, entry] of Object.entries(catalogSkills)) {
-        const cls = classifySkillByFile(name, entry.expectedHash, rootDir, malformed);
         out.push({
             name,
             description: entry.description,
-            status: cls.status,
+            status: classifySkillByFile(name, rootDir, malformed),
             isWorkflow: entry.isWorkflow,
-            currentHash: cls.currentHash,
-            expectedHash: entry.expectedHash,
             observedScope: scope,
         });
     }
@@ -274,14 +254,11 @@ function scanRecommendedSkills(scope, projectRoot, home, catalogRec, warnings) {
     const malformed = new Set();
     const out = [];
     for (const [name, entry] of Object.entries(catalogRec)) {
-        const cls = classifySkillByFile(name, entry.expectedHash, rootDir, malformed);
         out.push({
             name,
             description: entry.description,
-            status: cls.status,
+            status: classifySkillByFile(name, rootDir, malformed),
             isWorkflow: false,
-            currentHash: cls.currentHash,
-            expectedHash: entry.expectedHash,
             observedScope: scope,
         });
     }
@@ -299,15 +276,6 @@ function scanRecommendedSkills(scope, projectRoot, home, catalogRec, warnings) {
 function filterPluginsByAgent(catalogPlugins, agent) {
     return Object.entries(catalogPlugins).filter(([, def]) => def.agents.includes(agent));
 }
-/** Normalize a version ref: "v1.2.3" → "1.2.3", "1.2.3" → "1.2.3".
- *  Anything that is not a strict semver-like triple is returned as-is so the
- *  caller can detect "this is a branch / tag, not a comparable version". */
-function parseRef(ref) {
-    if (typeof ref !== "string" || ref.length === 0)
-        return null;
-    const m = /^v?(\d+\.\d+\.\d+(?:[-+][\w.]+)?)$/.exec(ref);
-    return m ? m[1] : null;
-}
 async function scanClaudePlugins(scope, entries, execPluginList, warnings) {
     if (entries.length === 0)
         return [];
@@ -317,7 +285,7 @@ async function scanClaudePlugins(scope, entries, execPluginList, warnings) {
     if (!execPluginList) {
         warnings.push({
             code: "claude-cli-missing",
-            message: "Claude CLI not available — plugin update detection disabled. Install `claude` to enable update checks.",
+            message: "Claude CLI not available — plugin presence detection disabled. Install `claude` to enable.",
         });
         return entries.map(([id, def]) => degradedClaudeRow(id, def, scope));
     }
@@ -335,32 +303,22 @@ async function scanClaudePlugins(scope, entries, execPluginList, warnings) {
     // claude plugins list emits ids in `<plugin>@<marketplace>` form (e.g.
     // `auriga-go@auriga-cli`). The auriga-cli catalog tracks plugins by bare
     // name. Index both forms so lookups succeed regardless of which side the
-    // suffix is on. Same trick for availables — note that the `--available`
-    // payload uses `pluginId` rather than `id`, so accept both as the key.
-    const indexBoth = (map, item) => {
+    // suffix is on.
+    const installedById = new Map();
+    for (const item of payload.installed ?? []) {
         if (!item || typeof item !== "object")
-            return;
-        const key = typeof item.id === "string"
-            ? item.id
-            : typeof item.pluginId === "string"
-                ? item.pluginId
-                : null;
+            continue;
+        const key = typeof item.id === "string" ? item.id : null;
         if (!key)
-            return;
-        map.set(key, item);
+            continue;
+        installedById.set(key, item);
         const at = key.indexOf("@");
         if (at > 0)
-            map.set(key.slice(0, at), item);
-    };
-    const installedById = new Map();
-    for (const item of payload.installed ?? [])
-        indexBoth(installedById, item);
-    const availableById = new Map();
-    for (const item of payload.available ?? [])
-        indexBoth(availableById, item);
+            installedById.set(key.slice(0, at), item);
+    }
     const out = [];
     for (const [id, def] of entries) {
-        out.push(classifyClaudePlugin(id, def, installedById.get(id), availableById.get(id), scope));
+        out.push(classifyClaudePlugin(id, def, installedById.get(id), scope));
     }
     return out;
 }
@@ -370,107 +328,21 @@ function degradedClaudeRow(id, def, scope) {
         description: def.description,
         status: "not-installed",
         agents: ["claude"],
-        expectedVersion: def.expectedVersion,
-        versionSource: "upstream-live",
         observedScope: scope,
         ...(def.external === true ? { external: true } : {}),
     };
 }
-function classifyClaudePlugin(id, def, installed, available, scope) {
-    // `external` propagates onto every return below so the UI can surface the
-    // EXTERNAL badge regardless of install state.
+function classifyClaudePlugin(id, def, installed, scope) {
     const externalFlag = def.external === true ? { external: true } : {};
-    if (!installed || typeof installed.version !== "string") {
-        return {
-            id,
-            description: def.description,
-            status: "not-installed",
-            agents: ["claude"],
-            expectedVersion: typeof available?.source?.ref === "string" ? available.source.ref : def.expectedVersion,
-            versionSource: "upstream-live",
-            observedScope: scope,
-            ...externalFlag,
-        };
-    }
-    const installedVersion = installed.version;
-    // External plugin short-circuit: we don't own these, so we don't claim
-    // authority on "what version they should be at". `claude plugins update`
-    // is the right channel — the scanner just confirms presence. Status stays
-    // "installed" even if installed.version differs from any signal we have.
-    // The catalog deliberately omits `expectedVersion` for externals, but we
-    // double-down with this guard so a future regression that accidentally
-    // populates expectedVersion still can't flip externals to update-available.
-    if (def.external === true) {
-        return {
-            id,
-            description: def.description,
-            status: "installed",
-            agents: ["claude"],
-            currentVersion: installedVersion,
-            // Don't surface any "expected" on externals — the upstream tool owns
-            // the version conversation.
-            versionSource: "upstream-live",
-            observedScope: scope,
-            ...externalFlag,
-        };
-    }
-    const ref = available?.source?.ref;
-    const normalizedAvailable = parseRef(typeof ref === "string" ? ref : undefined);
-    const normalizedInstalled = parseRef(installedVersion);
-    // Pick the comparison target. The marketplace-live ref wins when it's a
-    // parseable semver — that's the freshest signal. Otherwise fall back to
-    // the build-time-baked `def.expectedVersion` (populated from
-    // plugins/<name>/.claude-plugin/plugin.json by scan-catalog for owned
-    // plugins). Without the fallback, the common upgrade case is invisible:
-    // `claude plugins list --available --json` excludes already-installed
-    // plugins from `.available[]`, so for any plugin the user already has,
-    // `ref` is undefined and the scanner can't tell whether a newer version
-    // ships in the marketplace.
-    const hasLiveRef = normalizedAvailable !== null && typeof ref === "string";
-    const expectedRaw = hasLiveRef ? ref : def.expectedVersion;
-    const expectedNormalized = hasLiveRef
-        ? normalizedAvailable
-        : parseRef(def.expectedVersion);
-    const versionSource = hasLiveRef
-        ? "upstream-live"
-        : "catalog";
-    // Fallback rules (no comparable expected version, or unknown installed):
-    //   - installed version "unknown" → trust it's installed.
-    //   - effective expected is null (branch ref + no baked version) → trust installed.
-    if (installedVersion === "unknown" || expectedNormalized === null) {
-        return {
-            id,
-            description: def.description,
-            status: "installed",
-            agents: ["claude"],
-            currentVersion: installedVersion,
-            expectedVersion: expectedRaw,
-            versionSource,
-            observedScope: scope,
-            ...externalFlag,
-        };
-    }
-    if (normalizedInstalled !== null && normalizedInstalled === expectedNormalized) {
-        return {
-            id,
-            description: def.description,
-            status: "installed",
-            agents: ["claude"],
-            currentVersion: installedVersion,
-            expectedVersion: expectedRaw,
-            versionSource,
-            observedScope: scope,
-            ...externalFlag,
-        };
-    }
+    // Presence-only since v1.19.0: any matching installed record counts.
+    // Don't require a `version` field — the field may go away in a future
+    // `claude plugins list --json` shape and we no longer compare versions.
+    const status = installed ? "installed" : "not-installed";
     return {
         id,
         description: def.description,
-        status: "update-available",
+        status,
         agents: ["claude"],
-        currentVersion: installedVersion,
-        expectedVersion: expectedRaw,
-        versionSource,
         observedScope: scope,
         ...externalFlag,
     };
@@ -521,7 +393,7 @@ async function scanCodexPlugins(entries, readCodexConfig, readCodexPluginsDir, w
     // both emit `<plugin>@<marketplace>` keys (e.g. "auriga-go@auriga-cli").
     // Without dual indexing every dual-Agent plugin reports `not-installed` on
     // the Codex side, which `mergePluginsById` then folds into a permanent
-    // `update-available` even when both sides are genuinely installed.
+    // `partial-install` even when both sides are genuinely installed.
     const lookupEnabled = (catalogId) => {
         if (enabledIds.has(catalogId))
             return true;
@@ -555,75 +427,18 @@ function degradedCodexRow(id, def) {
         description: def.description,
         status: "not-installed",
         agents: ["codex"],
-        expectedVersion: def.expectedVersion,
-        versionSource: "catalog",
         observedScope: "user",
         ...(def.external === true ? { external: true } : {}),
     };
 }
 function classifyCodexPlugin(id, def, enabled, fsVersion) {
-    const expectedVersion = def.expectedVersion;
     const externalFlag = def.external === true ? { external: true } : {};
-    if (!enabled) {
-        return {
-            id,
-            description: def.description,
-            status: "not-installed",
-            agents: ["codex"],
-            expectedVersion,
-            versionSource: "catalog",
-            observedScope: "user",
-            ...externalFlag,
-        };
-    }
-    if (!fsVersion) {
-        return {
-            id,
-            description: def.description,
-            status: "not-installed",
-            agents: ["codex"],
-            expectedVersion,
-            versionSource: "catalog",
-            observedScope: "user",
-            ...externalFlag,
-        };
-    }
-    // External plugin short-circuit, same rationale as classifyClaudePlugin:
-    // we defer authority to `codex plugin marketplace update` and never flag
-    // update-available for upstream-owned plugins.
-    if (def.external === true) {
-        return {
-            id,
-            description: def.description,
-            status: "installed",
-            agents: ["codex"],
-            currentVersion: fsVersion,
-            versionSource: "catalog",
-            observedScope: "user",
-            ...externalFlag,
-        };
-    }
-    if (!expectedVersion || fsVersion === expectedVersion) {
-        return {
-            id,
-            description: def.description,
-            status: "installed",
-            agents: ["codex"],
-            currentVersion: fsVersion,
-            expectedVersion,
-            versionSource: "catalog",
-            observedScope: "user",
-            ...externalFlag,
-        };
-    }
+    const status = enabled && fsVersion ? "installed" : "not-installed";
     return {
         id,
         description: def.description,
-        status: "update-available",
+        status,
         agents: ["codex"],
-        currentVersion: fsVersion,
-        expectedVersion,
-        versionSource: "catalog",
         observedScope: "user",
         ...externalFlag,
     };
@@ -671,92 +486,38 @@ function settingsPathForScope(scope, projectRoot, home) {
         return path.join(home, ".claude", "settings.json");
     return path.join(projectRoot, ".claude", "settings.json");
 }
-/** Walk every settings hook action, returning a map keyed by the action's
- *  `_marker` sentinel value. Malformed sub-shapes are skipped silently. */
-function indexSettingsHooksByMarker(settings) {
-    const out = new Map();
+/** Returns the set of `_marker` sentinel values present in the settings
+ *  `hooks` segment. Malformed sub-shapes are skipped silently. v1.19.0
+ *  reduced this from a full {event, matcher, if, command} record (used for
+ *  drift detection) to a presence-only Set — re-install is the update
+ *  path now, so the scanner doesn't need to compare entry shapes. */
+function indexSettingsMarkers(settings) {
+    const out = new Set();
     if (!settings || typeof settings !== "object" || Array.isArray(settings))
         return out;
     const hooksSeg = settings.hooks;
     if (!hooksSeg || typeof hooksSeg !== "object" || Array.isArray(hooksSeg))
         return out;
-    for (const [event, blocks] of Object.entries(hooksSeg)) {
+    for (const blocks of Object.values(hooksSeg)) {
         if (!Array.isArray(blocks))
             continue;
         for (const block of blocks) {
             if (!block || typeof block !== "object" || Array.isArray(block))
                 continue;
-            const b = block;
-            const matcher = typeof b.matcher === "string" ? b.matcher : undefined;
-            const ifExpr = typeof b.if === "string" ? b.if : undefined;
-            const actions = b.hooks;
+            const actions = block.hooks;
             if (!Array.isArray(actions))
                 continue;
             for (const action of actions) {
                 if (!action || typeof action !== "object" || Array.isArray(action))
                     continue;
-                const a = action;
-                const marker = typeof a._marker === "string" ? a._marker : undefined;
-                if (!marker)
-                    continue;
-                out.set(marker, {
-                    event,
-                    matcher,
-                    ifExpr,
-                    command: typeof a.command === "string" ? a.command : undefined,
-                });
+                const marker = action._marker;
+                if (typeof marker === "string")
+                    out.add(marker);
             }
         }
     }
     return out;
 }
-/** Compute a coarse sha256 signature over a settings hook entry's drift-
- *  relevant fields (event, matcher, if). Used to fall back to a single-
- *  field comparison when the catalog hasn't been upgraded to expose
- *  structured expectedMatcher / expectedEvent / expectedIf. */
-function signatureForSettingsEntry(entry) {
-    const canonical = JSON.stringify({
-        event: entry.event,
-        matcher: entry.matcher ?? "",
-        if: entry.ifExpr ?? "",
-    });
-    return createHash("sha256").update(canonical).digest("hex");
-}
-/** Returns true when the catalog's expectedHash is a wildcard sentinel
- *  (empty string or the literal "any" placeholder). Wildcard means "no
- *  drift expectation for this hook — trust marker presence." */
-function isWildcardExpectedHash(expectedHash) {
-    return expectedHash === "" || expectedHash === WILDCARD_EXPECTED_HASH;
-}
-function detectHookDrift(catalogEntry, settingsEntry) {
-    // Preferred drift path: structured expectations from catalog.
-    if (typeof catalogEntry.expectedMatcher === "string" &&
-        (settingsEntry.matcher ?? "") !== catalogEntry.expectedMatcher) {
-        return true;
-    }
-    if (typeof catalogEntry.expectedEvent === "string" &&
-        settingsEntry.event !== catalogEntry.expectedEvent) {
-        return true;
-    }
-    if (typeof catalogEntry.expectedIf === "string" &&
-        (settingsEntry.ifExpr ?? "") !== catalogEntry.expectedIf) {
-        return true;
-    }
-    // Fallback drift signal via expectedHash. When the catalog hasn't been
-    // populated with structured expected* fields (yet), expectedHash doubles
-    // as a coarse signature: if non-empty and non-wildcard, the implementation
-    // computes its own signature over the settings entry and treats any
-    // divergence as drift. Production scan-catalog.ts can populate this with
-    // a real settings-entry signature; until then, an explicit non-wildcard
-    // placeholder in tests (e.g. "expected-new-matcher-signature") deliberately
-    // triggers drift since it can never equal a sha256 hex digest.
-    if (!isWildcardExpectedHash(catalogEntry.expectedHash)) {
-        const sig = signatureForSettingsEntry(settingsEntry);
-        if (sig !== catalogEntry.expectedHash)
-            return true;
-    }
-    return false;
-}
 function scanHooks(scope, projectRoot, home, catalogHooks, warnings) {
     const settingsPath = settingsPathForScope(scope, projectRoot, home);
     let settingsRaw = null;
@@ -788,30 +549,13 @@ function scanHooks(scope, projectRoot, home, catalogHooks, warnings) {
             message: `Settings file unreadable or corrupt JSON: ${settingsPath}`,
         });
     }
-    const byMarker = indexSettingsHooksByMarker(parsed);
+    const markers = indexSettingsMarkers(parsed);
     const out = [];
     for (const [name, def] of Object.entries(catalogHooks)) {
-        const settingsEntry = byMarker.get(name);
-        if (!settingsEntry) {
-            out.push({
-                name,
-                description: def.description,
-                status: "not-installed",
-                expectedHash: def.expectedHash,
-                observedScope: scope,
-            });
-            continue;
-        }
-        const drift = detectHookDrift(def, settingsEntry);
         out.push({
             name,
             description: def.description,
-            status: drift ? "update-available" : "installed",
-            // Surface a coarse current signature so the UI can show diff details
-            // if it wants. The exact format is "sha256 of normalized settings
-            // entry" — opaque to the UI, used only for drift detection.
-            currentHash: signatureForSettingsEntry(settingsEntry),
-            expectedHash: def.expectedHash,
+            status: markers.has(name) ? "installed" : "not-installed",
             observedScope: scope,
         });
     }
@@ -822,29 +566,20 @@ function scanHooks(scope, projectRoot, home, catalogHooks, warnings) {
 // injected — server.ts wires these up in production).
 // ---------------------------------------------------------------------------
 /** Default: run `claude plugins list --json` (no scope flag — the CLI
- *  doesn't expose one) plus the `--available` variant, then filter the
- *  installed records to the requested scope (and current projectRoot for
- *  project-scope) client-side. Server.ts decides whether to pass this
- *  function based on `which claude`. */
+ *  doesn't expose one), then filter the installed records to the requested
+ *  scope (and current projectRoot for project-scope) client-side. Server.ts
+ *  decides whether to pass this function based on `which claude`.
+ *
+ *  v1.19.0 dropped the parallel `--available` fetch — the scanner no longer
+ *  compares versions, so there's no use for the upstream-live ref. */
 export async function defaultExecPluginList(scope = "user", projectRoot) {
-    // Run both lookups in parallel via async exec so /api/state doesn't block
-    // the event loop. `claude plugins list` can take several seconds on cold
-    // marketplace fetches; sync exec would freeze heartbeats and other
-    // concurrent /api requests. Note: `claude plugins list` does NOT support
-    // `--user` / `--project`; each record carries its own `scope` field which
-    // we filter on below.
-    const [installedRes, availableRes] = await Promise.all([
-        execAsync(`claude plugins list --json`, { encoding: "utf8" }),
-        execAsync(`claude plugins list --available --json`, { encoding: "utf8" }),
-    ]);
-    const allInstalled = parseJsonArray(installedRes.stdout);
-    // `claude plugins list --available --json` returns a wrapped object
-    // `{ installed: [...], available: [...] }`, NOT a flat array. parseJsonArray
-    // alone would return `[]` and silently lose every marketplace ref → the
-    // scanner could never surface "update-available" from upstream-live data.
-    // Pull `.available` out of the wrapper; tolerate the flat-array form too
-    // in case Claude CLI's shape regresses.
-    const available = extractAvailableArray(availableRes.stdout);
+    // Async exec so /api/state doesn't block the event loop. `claude plugins
+    // list` can take several seconds on cold marketplace fetches; sync exec
+    // would freeze heartbeats and other concurrent /api requests. Note:
+    // `claude plugins list` does NOT support `--user` / `--project`; each
+    // record carries its own `scope` field which we filter on below.
+    const { stdout } = await execAsync(`claude plugins list --json`, { encoding: "utf8" });
+    const allInstalled = parseJsonArray(stdout);
     const installed = allInstalled.filter((rec) => {
         if (!rec || typeof rec !== "object")
             return false;
@@ -860,7 +595,7 @@ export async function defaultExecPluginList(scope = "user", projectRoot) {
         }
         return true;
     });
-    return { installed, available };
+    return { installed };
 }
 function parseJsonArray(text) {
     try {
@@ -871,24 +606,6 @@ function parseJsonArray(text) {
         return [];
     }
 }
-/** Pull the available-plugins array out of `claude plugins list --available
- *  --json`'s response. Empirically the CLI returns `{ installed, available }`;
- *  if a future version regresses to a flat array we keep working. Returns
- *  `[]` on malformed JSON. */
-function extractAvailableArray(text) {
-    try {
-        const parsed = JSON.parse(text);
-        if (Array.isArray(parsed))
-            return parsed;
-        if (parsed && typeof parsed === "object" && Array.isArray(parsed.available)) {
-            return parsed.available;
-        }
-        return [];
-    }
-    catch {
-        return [];
-    }
-}
 function codexHome() {
     return process.env.CODEX_HOME || path.join(os.homedir(), ".codex");
 }