auriga-cli 1.20.3 → 1.20.4

package/dist/catalog.d.ts

@@ -2,11 +2,11 @@ export interface CatalogEntry {
     name: string;
     description: string;
     /** Build-time-baked agent map for plugin entries. Derived from
-     *  `.claude/plugins.json` ∪ `.agents/plugins/install.json` — those config
-     *  files are NOT shipped in the npm tarball, so the scanner can't read
-     *  them at runtime. Baking here lets `/api/state` correctly classify
-     *  dual-Agent plugins as `["claude","codex"]` for installed users.
-     *  Absent on skill / hook entries. */
+     *  repo marketplace manifests plus `extra_plugin_configs.json` — those
+     *  config files are NOT shipped in the npm tarball, so the scanner can't
+     *  read them at runtime. Baking here lets `/api/state` correctly classify
+     *  dual-Agent plugins as `["claude","codex"]` for installed users. Absent
+     *  on skill / hook entries. */
     agents?: ("claude" | "codex")[];
     /** True for plugins whose source lives in an UPSTREAM marketplace
      *  (skill-creator / claude-md-management / codex), not in this repo.

package/dist/catalog.json

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-05-14T09:20:36.350Z",
+  "generatedAt": "2026-05-14T14:34:30.876Z",
   "workflowSkills": [
     {
       "name": "brainstorming",
@@ -61,30 +61,6 @@
     }
   ],
   "plugins": [
-    {
-      "name": "skill-creator",
-      "description": "Create and manage custom skills",
-      "agents": [
-        "claude"
-      ],
-      "external": true
-    },
-    {
-      "name": "claude-md-management",
-      "description": "Audit and improve CLAUDE.md files",
-      "agents": [
-        "claude"
-      ],
-      "external": true
-    },
-    {
-      "name": "codex",
-      "description": "Cross-model collaboration with Codex",
-      "agents": [
-        "claude"
-      ],
-      "external": true
-    },
     {
       "name": "auriga-go",
       "description": "(Claude/Codex) Workflow autopilot for the auriga workflow. Reminder-based navigation across CLAUDE.md's phases. Bundles a /goalify skill that plans an autonomous goal from a spec or work-in-progress and dispatches it via Claude Code's built-in /goal command.",
@@ -95,7 +71,7 @@
     },
     {
       "name": "auriga-git-guards",
-      "description": "(Claude/Codex) Git lifecycle guardrails: commit-reminder + PR-create snapshot inject + PR-ready structural block. Bundles the git-workflow skill (Claude Code + Codex).",
+      "description": "(Claude/Codex) Git lifecycle guardrails: commit-reminder (PostToolUse on Edit/Write/MultiEdit/apply_patch) + pr-create-guard with PR-body snapshot and Conventional Commits title check (PostToolUse on `gh pr create`) + pr-ready-guard structural block at PR Ready transitions, firing on BOTH `gh pr ready` AND `gh pr create` without `--draft` (PreToolUse). Bundles the git-workflow skill. Dual-Agent compatible (Claude Code + Codex).",
       "agents": [
         "claude",
         "codex"
@@ -103,7 +79,7 @@
     },
     {
       "name": "auriga-workflow-skills",
-      "description": "(Claude/Codex) Bundles the auriga-owned workflow execution skills: incremental-impl, test-designer, and session-compound.",
+      "description": "(Claude/Codex) Bundles the auriga-owned workflow execution skills: incremental-impl, test-designer, and session-compound. Dual-Agent compatible (Claude Code + Codex).",
       "agents": [
         "claude",
         "codex"
@@ -111,19 +87,43 @@
     },
     {
       "name": "auriga-notify",
-      "description": "(opt-in) Opt-in macOS native notification hook for Claude Code Notification events; migrates legacy notify config and icon on install.",
+      "description": "(opt-in) Opt-in macOS native notification hook for Claude Code Notification events.",
       "agents": [
         "claude"
       ]
     },
     {
       "name": "deep-review",
-      "description": "(Claude/Codex) Multi-dimensional PR review orchestrator. Dispatches parallel reviewers (spec-conformance, correctness, test-quality, docs-sync, robustness, security, ux, performance, structure, code-quality, skill-plugin-quality) and synthesizes findings into an actionable punch list. Supports project-level custom reviewers via docs/rules/review/ and ships a reviewer-creator skill for scaffolding them.",
+      "description": "(Claude/Codex) Multi-dimensional PR review orchestrator. Dispatches parallel reviewers (spec-conformance, correctness, test-quality, docs-sync, robustness, security, ux, performance, structure, code-quality, skill-plugin-quality) and synthesizes findings into an actionable punch list. Supports project-level custom reviewers via `docs/rules/review/` and ships a `reviewer-creator` skill for scaffolding them.",
       "agents": [
         "claude",
         "codex"
       ]
     },
+    {
+      "name": "skill-creator",
+      "description": "Create and manage custom skills",
+      "agents": [
+        "claude"
+      ],
+      "external": true
+    },
+    {
+      "name": "claude-md-management",
+      "description": "Audit and improve CLAUDE.md files",
+      "agents": [
+        "claude"
+      ],
+      "external": true
+    },
+    {
+      "name": "codex",
+      "description": "Cross-model collaboration with Codex",
+      "agents": [
+        "claude"
+      ],
+      "external": true
+    },
     {
       "name": "session-instructions-loader",
       "description": "(Codex) Injects extra instruction files on session start",

package/dist/cli.js

@@ -593,15 +593,15 @@ async function runUi(p, version) {
     //     Always read from the installed npm package; can't be fetched because
     //     dist/ is built artifact, not git content.
     //   - contentRoot: where the runtime install recipes live (CLAUDE.md,
-    //     .claude/plugins.json, .claude/hooks/hooks.json, .agents/plugins/
-    //     install.json + marketplace.json, skills-lock.json). These files are
+    //     marketplace manifests, extra_plugin_configs.json, skills-lock.json).
+    //     These files are
     //     NOT in the npm tarball — the `files` allowlist only ships `dist/*`
     //     + npm defaults. They are fetched from GitHub, pinned to the CLI
     //     version tag, by fetchContentRoot(). Under DEV=1 fetchContentRoot
     //     short-circuits to the repo root so this is a no-op there.
     // Without the contentRoot fix, tarball-installed Web UI users hit ENOENT
-    // on any Codex plugin install (apply handlers read .agents/plugins/
-    // install.json from packageRoot).
+    // on any plugin install (apply handlers read non-tarball install inputs
+    // from packageRoot).
     const tarballRoot = getPackageRoot();
     let contentRoot;
     try {
@@ -671,8 +671,8 @@ async function runUi(p, version) {
         pluginAgentsByName.set(name, def.agents);
     }
     const applyHandlers = buildDefaultApplyHandlers({
-        // contentRoot: install handlers read CLAUDE.md, plugins.json,
-        // hooks.json, install.json, marketplace.json — all CONTENT_FILES.
+        // contentRoot: install handlers read CLAUDE.md, marketplace manifests,
+        // extra_plugin_configs.json, and skills-lock.json — all CONTENT_FILES.
         // Routing them at tarballRoot fails ENOENT for npm-installed users.
         packageRoot: contentRoot,
         cwd,
@@ -697,7 +697,7 @@ async function runUi(p, version) {
                 cwd,
                 // server reads dist/catalog.json (tarball-shipped) via
                 // buildScanCatalog on each /api/state call; install-time content
-                // (install.json, plugins.json, CLAUDE.md, …) was already injected
+                // (marketplace manifests, extra plugin config, CLAUDE.md, …) was already injected
                 // into applyHandlers above with contentRoot.
                 packageRoot: tarballRoot,
                 heartbeatTimeoutMs: UI_HEARTBEAT_TIMEOUT_MS,

package/dist/codex-plugin-config.d.ts

@@ -1,4 +1,3 @@
-import { type MarketplaceRef } from "./marketplace.js";
 export interface CodexMarketplacePlugin {
     name: string;
     source?: {
@@ -10,16 +9,6 @@ export interface CodexMarketplace {
     name: string;
     plugins: CodexMarketplacePlugin[];
 }
-export interface CodexInstallPlugin {
-    name: string;
-    description?: string;
-    defaultOn?: boolean;
-    marketplace?: MarketplaceRef;
-}
-export interface CodexInstallConfig {
-    plugins: CodexInstallPlugin[];
-}
 export declare function validateCodexMarketplace(raw: unknown): asserts raw is CodexMarketplace;
-export declare function validateCodexInstallConfig(raw: unknown): asserts raw is CodexInstallConfig;
 export declare function codexLocalPluginPath(plugin: CodexMarketplacePlugin): string | undefined;
 export declare function codexManifestPath(plugin: CodexMarketplacePlugin): string | undefined;

package/dist/codex-plugin-config.js

@@ -1,5 +1,5 @@
 import path from "node:path";
-import { MARKETPLACE_NAME_RE, validateMarketplaceField, } from "./marketplace.js";
+import { MARKETPLACE_NAME_RE } from "./marketplace.js";
 const PLUGIN_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
 export function validateCodexMarketplace(raw) {
     if (!raw || typeof raw !== "object") {
@@ -22,33 +22,6 @@ export function validateCodexMarketplace(raw) {
         }
     }
 }
-export function validateCodexInstallConfig(raw) {
-    if (!raw || typeof raw !== "object") {
-        throw new Error("Codex install.json: root must be an object");
-    }
-    const cfg = raw;
-    if (!Array.isArray(cfg.plugins)) {
-        throw new Error("Codex install.json: .plugins must be an array");
-    }
-    for (const [i, plugin] of cfg.plugins.entries()) {
-        if (!plugin || typeof plugin !== "object") {
-            throw new Error(`Codex install.json: plugins[${i}] must be an object`);
-        }
-        const p = plugin;
-        if (typeof p.name !== "string" || !PLUGIN_NAME_RE.test(p.name)) {
-            throw new Error(`Codex install.json: plugins[${i}].name ${JSON.stringify(p.name)} does not match ${PLUGIN_NAME_RE}`);
-        }
-        if (p.description !== undefined && typeof p.description !== "string") {
-            throw new Error(`Codex install.json: plugins[${i}].description must be a string`);
-        }
-        if (p.defaultOn !== undefined && typeof p.defaultOn !== "boolean") {
-            throw new Error(`Codex install.json: plugins[${i}].defaultOn must be a boolean`);
-        }
-        if (p.marketplace !== undefined) {
-            validateMarketplaceField(`Codex install.json: plugins[${i}]`, p.marketplace);
-        }
-    }
-}
 export function codexLocalPluginPath(plugin) {
     const sourcePath = typeof plugin.source === "object" && plugin.source?.source === "local"
         ? plugin.source.path

package/dist/guide.js

@@ -93,8 +93,8 @@ Exit codes:
 
 ${h("## Step 4 — Reload session (REQUIRED when installed non-interactively)")}
 
-${warn("⚠")} CLAUDE.md, .agents/skills/, .claude/plugins.json, Codex plugin
-config, and hook/plugin registrations are loaded at session startup. If you ran
+${warn("⚠")} CLAUDE.md, .agents/skills/, plugin enablement, and hook/plugin
+registrations are loaded at session startup. If you ran
 \`npx -y auriga-cli install\` inside an existing Claude Code or Codex session
 (e.g., \`claude -p\` / \`claude -p --worktree\` / \`codex exec\`), the current session
 will NOT see the new harness.
@@ -106,11 +106,11 @@ Action:
 
 ${h("## Step 5 — Verify install")}
 
-Expected artifacts:
+Expected artifacts/checks:
   - CLAUDE.md                 (workflow manifesto)
   - AGENTS.md -> CLAUDE.md    (symlink)
   - .agents/skills/<name>/    (one per installed skill)
-  - .claude/plugins.json
+  - claude plugins list       (shows Claude plugins, if Claude plugins selected)
   - ~/.codex/config.toml      (Codex plugin enablement, if Codex plugins selected)
   - .claude/settings.json     (updated hook/plugin registrations, if selected)
   - .claude/auriga-notify/    (project notify config, if auriga-notify selected)

package/dist/hooks.js

@@ -5,11 +5,11 @@ import path from "node:path";
 import { checkbox, confirm, input, select } from "@inquirer/prompts";
 import { atomicWriteFile, exec, fetchExtraContentBinary, log, withEsc, } from "./utils.js";
 // --- Registry validation ---
-// hooks.json is fetched at runtime from raw.githubusercontent.com, so any
-// downstream code that interpolates registry values into shell commands or
-// filesystem paths is one force-push away from RCE / arbitrary-file-write
-// for every user running `npx auriga-cli`. Validate every untrusted value
-// once at load time, then trust it through the rest of the install flow.
+// The root hooks registry is legacy-only, but when present it may still be
+// loaded from runtime-fetched content. Any downstream code that interpolates
+// registry values into shell commands or filesystem paths is one bad config
+// away from RCE / arbitrary-file-write. Validate every untrusted value once at
+// load time, then trust it through the rest of the install flow.
 const HOOK_NAME_RE = /^[a-z][a-z0-9-]*$/;
 // Matches a flat brew formula name (`jq`, `pngquant`) OR a fully
 // qualified tap-prefixed name (`vjeantet/tap/alerter`) — up to 2
@@ -424,12 +424,11 @@ function preflightDeps(hook) {
  * Lazy-fetch a hook's payload files into `packageRoot` so they can be
  * copied from there into the user's target directory.
  *
- * IMPORTANT: in production, `packageRoot` is the temp dir created by
- * `fetchContentRoot()` (utils.ts) — not the npm package install dir.
- * Only `.claude/hooks/hooks.json` is preloaded by `CONTENT_FILES`; we
- * fetch each hook's individual files on demand here so users who pick
- * no hooks pay no network cost. In DEV mode `packageRoot` is the live
- * repo root, so the files are already on disk and we skip the fetch.
+ * IMPORTANT: this is retained for legacy root-hook installs. New hooks should
+ * ship inside plugins instead. In production, `packageRoot` is the temp dir
+ * created by `fetchContentRoot()` (utils.ts) — not the npm package install
+ * dir. In DEV mode `packageRoot` is the live repo root, so the files are
+ * already on disk and we skip the fetch.
  *
  * The hook payload list is owned by `hook.files` in `hooks.json`, which
  * loadHooksConfig already validated for path-traversal safety, so each
@@ -540,6 +539,8 @@ function writeMergedSettings(resolved, hook, parsed) {
 }
 export function loadHooksConfig(packageRoot) {
     const configPath = path.join(packageRoot, ".claude", "hooks", "hooks.json");
+    if (!fs.existsSync(configPath))
+        return { hooks: [] };
     const raw = JSON.parse(fs.readFileSync(configPath, "utf-8"));
     if (!raw || !Array.isArray(raw.hooks)) {
         throw new Error(`${configPath} must have a "hooks" array at the top level`);

package/dist/marketplace.js

@@ -1,25 +1,23 @@
 // Shared shape + validators for cross-Agent marketplace references.
 // Used by:
-//   - PluginDef.marketplace in src/utils.ts (Claude side, .claude/plugins.json)
-//   - CodexInstallPlugin.marketplace in src/codex-plugin-config.ts
-//     (Codex side, .agents/plugins/install.json)
+//   - extra_plugin_configs.json external plugin refs
+//   - Codex local marketplace materialization refs
 //
 // Both sides interpolate `<source>` into shell commands like
 // `codex plugin marketplace add https://github.com/<source>.git` and
 // `<plugin>@<name>` into TOML keys, so these regexes are the only thing
 // standing between a compromised metadata source and arbitrary command
 // execution. Tighten with care — a regression here is a shell-injection
-// vector. Both metadata files are fetched from raw GitHub at runtime.
+// vector. The metadata files are fetched from raw GitHub at runtime.
 export const MARKETPLACE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
 // GitHub `owner/repo` shape: exactly one `/`, both segments kebab-case-ish
 // without leading punctuation. Tighter than the prior PLUGIN_SOURCE_RE
 // which permitted multi-slash / `..` / trailing `.git` patterns and would
 // compose into confusing git-layer errors like `https://github.com/a/../b.git`.
 export const MARKETPLACE_SOURCE_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\/[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
-// Centralizes the marketplace field shape check so the Claude-side
-// validatePluginsConfig and the Codex-side validateCodexInstallConfig
-// stay in lockstep. `label` is interpolated into the thrown Error so
-// the caller's file context (e.g. `plugins.json: plugins[3]`) survives.
+// Centralizes the marketplace field shape check so Claude and Codex plugin
+// config paths stay in lockstep. `label` is interpolated into the thrown Error
+// so the caller's file context survives.
 export function validateMarketplaceField(label, raw) {
     if (!raw || typeof raw !== "object") {
         throw new Error(`${label}.marketplace must be an object`);

package/dist/plugins.d.ts

@@ -1,5 +1,41 @@
-import type { InstallOpts, PluginsConfig } from "./utils.js";
-export declare function validatePluginsConfig(raw: unknown): asserts raw is PluginsConfig;
+import { type MarketplaceRef } from "./marketplace.js";
+import type { InstallOpts } from "./utils.js";
+export type PluginRuntime = "claude" | "codex";
+export interface ClaudeMarketplacePlugin {
+    name: string;
+    description?: string;
+    source?: string;
+}
+export interface ClaudeMarketplace {
+    name: string;
+    plugins: ClaudeMarketplacePlugin[];
+}
+export interface ExtraPluginConfig {
+    name: string;
+    agents?: PluginRuntime[];
+    description?: string;
+    defaultOn?: boolean;
+    claude?: {
+        package?: string;
+        marketplace?: MarketplaceRef;
+    };
+    codex?: {
+        marketplace?: MarketplaceRef;
+    };
+}
+export interface ExtraPluginConfigs {
+    plugins: ExtraPluginConfig[];
+}
+export declare function validateExtraPluginConfigs(raw: unknown): asserts raw is ExtraPluginConfigs;
+export declare function loadExtraPluginConfigs(packageRoot: string): ExtraPluginConfigs;
+export declare function extraAppliesTo(extra: ExtraPluginConfig, runtime: PluginRuntime): boolean;
+export declare function extraByNameForRuntime(extras: ExtraPluginConfigs, runtime: PluginRuntime): Map<string, ExtraPluginConfig>;
+export declare function applyExtraPluginFields<T extends {
+    name: string;
+    description?: string;
+    defaultOn?: boolean;
+}>(plugin: T, extra: ExtraPluginConfig | undefined): T;
+export declare function loadClaudeMarketplace(packageRoot: string): ClaudeMarketplace | null;
 export declare function installPlugins(packageRoot: string, opts: InstallOpts): Promise<void>;
 /**
  * Uninstall a single plugin.

package/dist/plugins.js

@@ -3,18 +3,19 @@ import os from "node:os";
 import path from "node:path";
 import { checkbox, select } from "@inquirer/prompts";
 import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
-import { codexLocalPluginPath, codexManifestPath, validateCodexInstallConfig, validateCodexMarketplace, } from "./codex-plugin-config.js";
+import { codexLocalPluginPath, codexManifestPath, validateCodexMarketplace, } from "./codex-plugin-config.js";
 import { validateMarketplaceField } from "./marketplace.js";
-import { atomicWriteFile, exec, execAsync, fetchExtraContent, log, withEsc } from "./utils.js";
+import { atomicWriteFile, exec, execAsync, log, withEsc } from "./utils.js";
 // Plugin names and plugin-package names end up in `claude plugins ...`
-// shell commands via string interpolation. .claude/plugins.json is
-// fetched from raw GitHub at runtime, so every value must pass a
+// shell commands via string interpolation. Marketplace and extra config
+// files are fetched from raw GitHub at runtime, so every value must pass a
 // conservative whitelist before composing the command. Without this a
-// compromised plugins.json would execute arbitrary commands via shell
+// compromised config would execute arbitrary commands via shell
 // metachar injection. Marketplace shape (name + source) lives in
 // `./marketplace.js` so Claude and Codex sides share one validator.
 const PLUGIN_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
 const PLUGIN_PACKAGE_RE = /^[A-Za-z0-9][A-Za-z0-9._@/-]{0,255}$/;
+const LOCAL_MARKETPLACE_SOURCE = "Ben2pc/auriga-cli";
 const MIGRATED_WORKFLOW_SKILLS = [
     "incremental-impl",
     "test-designer",
@@ -24,30 +25,73 @@ const NOTIFY_PLUGIN_NAME = "auriga-notify";
 const WORKFLOW_SKILLS_PLUGIN_NAME = "auriga-workflow-skills";
 const LEGACY_NOTIFY_MARKER = "auriga:notify";
 const CODEX_PLUGIN_VERSION_RE = /^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$/;
-export function validatePluginsConfig(raw) {
+function validateClaudeMarketplace(raw) {
     if (!raw || typeof raw !== "object") {
-        throw new Error("plugins.json: root must be an object");
+        throw new Error("Claude marketplace.json: root must be an object");
     }
     const cfg = raw;
+    if (typeof cfg.name !== "string" || !PLUGIN_NAME_RE.test(cfg.name)) {
+        throw new Error("Claude marketplace.json: root must include a safe name");
+    }
     if (!Array.isArray(cfg.plugins)) {
-        throw new Error("plugins.json: .plugins must be an array");
+        throw new Error("Claude marketplace.json: .plugins must be an array");
     }
     cfg.plugins.forEach((p, i) => {
         if (!p || typeof p !== "object") {
-            throw new Error(`plugins.json: plugins[${i}] must be an object`);
+            throw new Error(`Claude marketplace.json: plugins[${i}] must be an object`);
         }
         const plugin = p;
         if (typeof plugin.name !== "string" || !PLUGIN_NAME_RE.test(plugin.name)) {
-            throw new Error(`plugins.json: plugins[${i}].name ${JSON.stringify(plugin.name)} does not match ${PLUGIN_NAME_RE}`);
+            throw new Error(`Claude marketplace.json: plugins[${i}].name ${JSON.stringify(plugin.name)} does not match ${PLUGIN_NAME_RE}`);
         }
-        if (typeof plugin.package !== "string" || !PLUGIN_PACKAGE_RE.test(plugin.package)) {
-            throw new Error(`plugins.json: plugins[${i}].package ${JSON.stringify(plugin.package)} does not match ${PLUGIN_PACKAGE_RE}`);
+        if (plugin.description !== undefined && typeof plugin.description !== "string") {
+            throw new Error(`Claude marketplace.json: plugins[${i}].description must be a string`);
         }
-        if (plugin.marketplace !== undefined) {
-            validateMarketplaceField(`plugins.json: plugins[${i}]`, plugin.marketplace);
+    });
+}
+export function validateExtraPluginConfigs(raw) {
+    if (!raw || typeof raw !== "object") {
+        throw new Error("extra_plugin_configs.json: root must be an object");
+    }
+    const cfg = raw;
+    if (!Array.isArray(cfg.plugins)) {
+        throw new Error("extra_plugin_configs.json: .plugins must be an array");
+    }
+    cfg.plugins.forEach((p, i) => {
+        if (!p || typeof p !== "object") {
+            throw new Error(`extra_plugin_configs.json: plugins[${i}] must be an object`);
+        }
+        const plugin = p;
+        if (typeof plugin.name !== "string" || !PLUGIN_NAME_RE.test(plugin.name)) {
+            throw new Error(`extra_plugin_configs.json: plugins[${i}].name ${JSON.stringify(plugin.name)} does not match ${PLUGIN_NAME_RE}`);
+        }
+        if (plugin.agents !== undefined) {
+            if (!Array.isArray(plugin.agents) || !plugin.agents.every((agent) => agent === "claude" || agent === "codex")) {
+                throw new Error(`extra_plugin_configs.json: plugins[${i}].agents must contain only claude/codex`);
+            }
+        }
+        if (plugin.description !== undefined && typeof plugin.description !== "string") {
+            throw new Error(`extra_plugin_configs.json: plugins[${i}].description must be a string`);
         }
         if (plugin.defaultOn !== undefined && typeof plugin.defaultOn !== "boolean") {
-            throw new Error(`plugins.json: plugins[${i}].defaultOn must be a boolean`);
+            throw new Error(`extra_plugin_configs.json: plugins[${i}].defaultOn must be a boolean`);
+        }
+        for (const runtime of ["claude", "codex"]) {
+            const runtimeCfg = plugin[runtime];
+            if (runtimeCfg === undefined)
+                continue;
+            if (!runtimeCfg || typeof runtimeCfg !== "object") {
+                throw new Error(`extra_plugin_configs.json: plugins[${i}].${runtime} must be an object`);
+            }
+            const runtimeRecord = runtimeCfg;
+            if (runtime === "claude" && runtimeRecord.package !== undefined) {
+                if (typeof runtimeRecord.package !== "string" || !PLUGIN_PACKAGE_RE.test(runtimeRecord.package)) {
+                    throw new Error(`extra_plugin_configs.json: plugins[${i}].claude.package ${JSON.stringify(runtimeRecord.package)} does not match ${PLUGIN_PACKAGE_RE}`);
+                }
+            }
+            if (runtimeRecord.marketplace !== undefined) {
+                validateMarketplaceField(`extra_plugin_configs.json: plugins[${i}].${runtime}`, runtimeRecord.marketplace);
+            }
         }
     });
 }
@@ -100,6 +144,67 @@ function getInstalledMarketplaces() {
         return new Set();
     }
 }
+export function loadExtraPluginConfigs(packageRoot) {
+    const configPath = path.join(packageRoot, "extra_plugin_configs.json");
+    if (!fs.existsSync(configPath))
+        return { plugins: [] };
+    const raw = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+    validateExtraPluginConfigs(raw);
+    return raw;
+}
+export function extraAppliesTo(extra, runtime) {
+    return extra.agents === undefined || extra.agents.includes(runtime);
+}
+export function extraByNameForRuntime(extras, runtime) {
+    return new Map(extras.plugins
+        .filter((extra) => extraAppliesTo(extra, runtime))
+        .map((extra) => [extra.name, extra]));
+}
+export function applyExtraPluginFields(plugin, extra) {
+    if (!extra)
+        return plugin;
+    return {
+        ...plugin,
+        ...(extra.description !== undefined ? { description: extra.description } : {}),
+        ...(extra.defaultOn !== undefined ? { defaultOn: extra.defaultOn } : {}),
+    };
+}
+export function loadClaudeMarketplace(packageRoot) {
+    const marketplacePath = path.join(packageRoot, ".claude-plugin", "marketplace.json");
+    if (!fs.existsSync(marketplacePath))
+        return null;
+    const raw = JSON.parse(fs.readFileSync(marketplacePath, "utf-8"));
+    validateClaudeMarketplace(raw);
+    return raw;
+}
+function loadClaudePluginsConfig(packageRoot) {
+    const extras = loadExtraPluginConfigs(packageRoot);
+    const extraByName = extraByNameForRuntime(extras, "claude");
+    const marketplace = loadClaudeMarketplace(packageRoot);
+    const plugins = new Map();
+    if (marketplace) {
+        for (const plugin of marketplace.plugins) {
+            plugins.set(plugin.name, applyExtraPluginFields({
+                name: plugin.name,
+                package: `${plugin.name}@${marketplace.name}`,
+                description: plugin.description ?? plugin.name,
+                marketplace: { name: marketplace.name, source: LOCAL_MARKETPLACE_SOURCE },
+            }, extraByName.get(plugin.name)));
+        }
+    }
+    for (const extra of extras.plugins) {
+        if (!extraAppliesTo(extra, "claude") || !extra.claude?.package)
+            continue;
+        plugins.set(extra.name, {
+            name: extra.name,
+            package: extra.claude.package,
+            description: extra.description ?? extra.name,
+            ...(extra.defaultOn !== undefined ? { defaultOn: extra.defaultOn } : {}),
+            ...(extra.claude.marketplace ? { marketplace: extra.claude.marketplace } : {}),
+        });
+    }
+    return plugins.size > 0 ? { plugins: [...plugins.values()] } : null;
+}
 function loadCodexMarketplace(packageRoot) {
     const marketplacePath = path.join(packageRoot, ".agents", "plugins", "marketplace.json");
     if (!fs.existsSync(marketplacePath))
@@ -109,12 +214,28 @@ function loadCodexMarketplace(packageRoot) {
     return raw;
 }
 function loadCodexInstallConfig(packageRoot) {
-    const installPath = path.join(packageRoot, ".agents", "plugins", "install.json");
-    if (!fs.existsSync(installPath))
-        return null;
-    const raw = JSON.parse(fs.readFileSync(installPath, "utf-8"));
-    validateCodexInstallConfig(raw);
-    return raw;
+    const extras = loadExtraPluginConfigs(packageRoot);
+    const extraByName = extraByNameForRuntime(extras, "codex");
+    const marketplace = loadCodexMarketplace(packageRoot);
+    const plugins = new Map();
+    if (marketplace) {
+        for (const plugin of marketplace.plugins) {
+            plugins.set(plugin.name, applyExtraPluginFields({
+                name: plugin.name,
+            }, extraByName.get(plugin.name)));
+        }
+    }
+    for (const extra of extras.plugins) {
+        if (!extraAppliesTo(extra, "codex") || !extra.codex?.marketplace)
+            continue;
+        plugins.set(extra.name, {
+            name: extra.name,
+            description: extra.description,
+            ...(extra.defaultOn !== undefined ? { defaultOn: extra.defaultOn } : {}),
+            marketplace: extra.codex.marketplace,
+        });
+    }
+    return plugins.size > 0 ? { plugins: [...plugins.values()] } : null;
 }
 function resolveCodexPluginSelection(all, selected) {
     if (!selected)
@@ -131,6 +252,17 @@ function resolveCodexPluginSelection(all, selected) {
 function codexHome() {
     return process.env.CODEX_HOME || path.join(os.homedir(), ".codex");
 }
+function codexMarketplaceCacheRoot(marketplaceName) {
+    return path.join(codexHome(), ".tmp", "marketplaces", marketplaceName);
+}
+function resolveCodexMarketplaceContentRoot(packageRoot, marketplaceName) {
+    const cachedRoot = codexMarketplaceCacheRoot(marketplaceName);
+    if (fs.existsSync(path.join(cachedRoot, ".agents", "plugins", "marketplace.json"))) {
+        return cachedRoot;
+    }
+    throw new Error(`Codex marketplace ${marketplaceName} cache missing at ${cachedRoot}. ` +
+        "Run `codex plugin marketplace add/upgrade` successfully before materializing local plugins.");
+}
 function shellQuote(value) {
     return `'${value.replace(/'/g, "'\\''")}'`;
 }
@@ -297,7 +429,7 @@ function codexMarketplaceAddCommand(packageRoot) {
     return "codex plugin marketplace add https://github.com/Ben2pc/auriga-cli.git";
 }
 function codexExternalMarketplaceAddCommand(source) {
-    // `source` is validated by validateCodexInstallConfig against
+    // `source` is validated by validateExtraPluginConfigs against
     // MARKETPLACE_SOURCE_RE (alphanumerics + `._/-`) — no shell metachars
     // can reach this string. URL form deliberately mirrors
     // codexMarketplaceAddCommand's hardcoded production branch.
@@ -323,8 +455,10 @@ function escapeRegex(value) {
 function isCodexMarketplaceAlreadyAdded(error, marketplaceName) {
     const text = commandErrorText(error);
     const marketplacePattern = new RegExp(`marketplace ['"]?${escapeRegex(marketplaceName)}['"]? is already added`, "i");
-    return marketplacePattern.test(text)
-        || /already added from a different source/i.test(text);
+    return marketplacePattern.test(text);
+}
+function isCodexMarketplaceDifferentSource(error) {
+    return /already added from a different source/i.test(commandErrorText(error));
 }
 function pluginHasHooks(packageRoot, plugin) {
     const relativeManifestPath = codexManifestPath(plugin);
@@ -341,12 +475,12 @@ function resolveSelectedCodexMarketplacePlugins(localMarketplace, localSelected)
     return localSelected.map((p) => {
         const plugin = localMpByName.get(p.name);
         if (!plugin) {
-            throw new Error(`Codex install.json: plugin ${p.name} is not present in marketplace.json`);
+            throw new Error(`Codex plugin ${p.name} is selected but not present in marketplace.json`);
         }
         return plugin;
     });
 }
-async function ensureCodexPluginManifests(packageRoot, plugins) {
+function ensureCodexPluginManifests(packageRoot, plugins) {
     for (const plugin of plugins) {
         const manifestPath = codexManifestPath(plugin);
         if (!manifestPath) {
@@ -354,7 +488,7 @@ async function ensureCodexPluginManifests(packageRoot, plugins) {
         }
         if (fs.existsSync(path.join(packageRoot, manifestPath)))
             continue;
-        await fetchExtraContent(packageRoot, manifestPath);
+        throw new Error(`Codex plugin ${plugin.name} manifest missing at ${manifestPath}`);
     }
 }
 function readCodexPluginVersion(packageRoot, plugin) {
@@ -489,7 +623,13 @@ async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, opts, m
         return;
     }
     catch (e) {
-        if (opts.interactive || isCodexMarketplaceAlreadyAdded(e, marketplaceName)) {
+        if (isCodexMarketplaceDifferentSource(e)) {
+            const msg = `Codex marketplace ${marketplaceName} is already added from a different source`;
+            log.error(`${msg}\n${commandErrorText(e)}`);
+            failures.push(msg);
+            return;
+        }
+        if (isCodexMarketplaceAlreadyAdded(e, marketplaceName)) {
             try {
                 exec(codexMarketplaceUpgradeCommand(marketplaceName), marketplaceExecOpts);
                 log.ok(`Codex marketplace ${marketplaceName} upgraded`);
@@ -510,20 +650,20 @@ async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, opts, m
 }
 // Builds the `<name>@<marketplace>` config keys + decides whether
 // features.plugin_hooks needs to flip on. Local plugins resolve through
-// this repo's marketplace.json and require a manifest fetch + hooks
-// inspection; external plugins emit a key directly from install.json
+// this repo's marketplace.json and require a manifest check + hooks
+// inspection; external plugins emit a key directly from extra_plugin_configs.json
 // (Codex CLI fetches the upstream manifest itself). External plugins do
 // NOT flip plugin_hooks today — we don't have access to the upstream
 // manifest at install time. Acceptable while no external plugin ships
 // hooks; once one does, prefer fetching the manifest or adding an
-// explicit `requiresPluginHooks: true` field on the install.json entry.
-async function composeCodexPluginKeys(packageRoot, localMarketplace, selectedMarketplacePlugins, externalSelected) {
+// explicit `requiresPluginHooks: true` field on the extra config entry.
+async function composeCodexPluginKeys(pluginContentRoot, localMarketplace, selectedMarketplacePlugins, externalSelected) {
     const pluginKeys = [];
     let needsPluginHooks = false;
     if (localMarketplace) {
         for (const plugin of selectedMarketplacePlugins) {
             pluginKeys.push(`${plugin.name}@${localMarketplace.name}`);
-            if (pluginHasHooks(packageRoot, plugin))
+            if (pluginHasHooks(pluginContentRoot, plugin))
                 needsPluginHooks = true;
         }
     }
@@ -535,7 +675,7 @@ async function composeCodexPluginKeys(packageRoot, localMarketplace, selectedMar
 async function installCodexPlugins(packageRoot, opts) {
     const installConfig = loadCodexInstallConfig(packageRoot);
     if (!installConfig) {
-        const msg = "No .agents/plugins/install.json found";
+        const msg = "No Codex plugins found in .agents/plugins/marketplace.json or extra_plugin_configs.json";
         if (!opts.interactive)
             throw new Error(msg);
         log.warn(msg);
@@ -555,11 +695,10 @@ async function installCodexPlugins(packageRoot, opts) {
         log.skip("No Codex plugins selected");
         return;
     }
-    // Local plugins are described by this repo's .agents/plugins/marketplace.json
-    // and need a manifest fetch + hooks-detection. External plugins point to a
-    // different GitHub-hosted Codex marketplace and are resolved by Codex CLI
-    // itself when the marketplace is added — we only need to register the
-    // marketplace and emit the right `<name>@<marketplace>` plugin key.
+    // Local plugins are described by this repo's .agents/plugins/marketplace.json.
+    // External plugins come from extra_plugin_configs.json and are resolved by
+    // Codex CLI itself when their marketplace is added — we only need to
+    // register that marketplace and emit the right `<name>@<marketplace>` key.
     let localSelected = selected.filter((p) => p.marketplace === undefined);
     const externalSelected = selected.filter((p) => p.marketplace !== undefined);
     let localMarketplace = null;
@@ -599,14 +738,20 @@ async function installCodexPlugins(packageRoot, opts) {
         await addCodexMarketplaceWithRetry(mp.name, codexExternalMarketplaceAddCommand(mp.source), opts, marketplaceExecOpts, failures);
     }
     if (failures.length === 0) {
-        const selectedMarketplacePlugins = localMarketplace
-            ? resolveSelectedCodexMarketplacePlugins(localMarketplace, localSelected)
+        const localMarketplaceContentRoot = localMarketplace
+            ? resolveCodexMarketplaceContentRoot(packageRoot, localMarketplace.name)
+            : packageRoot;
+        const effectiveLocalMarketplace = localMarketplace
+            ? loadCodexMarketplace(localMarketplaceContentRoot) ?? localMarketplace
+            : null;
+        const selectedMarketplacePlugins = effectiveLocalMarketplace
+            ? resolveSelectedCodexMarketplacePlugins(effectiveLocalMarketplace, localSelected)
             : [];
-        await ensureCodexPluginManifests(packageRoot, selectedMarketplacePlugins);
-        if (localMarketplace) {
-            materializeLocalCodexPluginCache(packageRoot, localMarketplace.name, selectedMarketplacePlugins);
+        ensureCodexPluginManifests(localMarketplaceContentRoot, selectedMarketplacePlugins);
+        if (effectiveLocalMarketplace) {
+            materializeLocalCodexPluginCache(localMarketplaceContentRoot, effectiveLocalMarketplace.name, selectedMarketplacePlugins);
         }
-        const { pluginKeys, needsPluginHooks } = await composeCodexPluginKeys(packageRoot, localMarketplace, selectedMarketplacePlugins, externalSelected);
+        const { pluginKeys, needsPluginHooks } = await composeCodexPluginKeys(localMarketplaceContentRoot, effectiveLocalMarketplace, selectedMarketplacePlugins, externalSelected);
         enableCodexPluginConfig(path.join(codexHome(), "config.toml"), pluginKeys, needsPluginHooks);
         for (const plugin of [...localSelected, ...externalSelected]) {
             log.ok(`${plugin.name} enabled for Codex`);
@@ -659,21 +804,17 @@ export async function installPlugins(packageRoot, opts) {
         return;
     }
     const failures = [];
-    const configPath = path.join(packageRoot, ".claude", "plugins.json");
-    let config = null;
-    if (!fs.existsSync(configPath)) {
-        log.warn("No .claude/plugins.json found");
+    let config = loadClaudePluginsConfig(packageRoot);
+    if (!config) {
+        log.warn("No Claude plugins found in .claude-plugin/marketplace.json or extra_plugin_configs.json");
         if (agent === "both")
             failures.push("Claude Code plugins config missing");
         else
             return;
     }
     else {
-        const raw = JSON.parse(fs.readFileSync(configPath, "utf-8"));
-        validatePluginsConfig(raw);
-        config = raw;
         if (config.plugins.length === 0) {
-            log.warn("No plugins defined in plugins.json");
+            log.warn("No Claude plugins defined");
             if (agent === "both")
                 failures.push("Claude Code plugins config empty");
             else

package/dist/utils.js

@@ -148,53 +148,9 @@ function resolveContentRef() {
 const CONTENT_FILES = [
     "CLAUDE.md",
     "skills-lock.json",
-    ".claude/plugins.json",
+    ".claude-plugin/marketplace.json",
     ".agents/plugins/marketplace.json",
-    ".agents/plugins/install.json",
-    ".claude/hooks/hooks.json",
-    "plugins/auriga-go/.claude-plugin/plugin.json",
-    "plugins/auriga-go/.codex-plugin/plugin.json",
-    "plugins/auriga-go/README.md",
-    "plugins/auriga-go/skills/auriga-go/SKILL.md",
-    "plugins/auriga-go/skills/goalify/SKILL.md",
-    "plugins/auriga-git-guards/.claude-plugin/plugin.json",
-    "plugins/auriga-git-guards/.codex-plugin/plugin.json",
-    "plugins/auriga-git-guards/README.md",
-    "plugins/auriga-git-guards/hooks/hooks.json",
-    "plugins/auriga-git-guards/scripts/commit-reminder.mjs",
-    "plugins/auriga-git-guards/scripts/pr-create-guard.mjs",
-    "plugins/auriga-git-guards/scripts/pr-ready-guard.mjs",
-    "plugins/auriga-git-guards/skills/git-workflow/SKILL.md",
-    "plugins/auriga-workflow-skills/.claude-plugin/plugin.json",
-    "plugins/auriga-workflow-skills/.codex-plugin/plugin.json",
-    "plugins/auriga-workflow-skills/README.md",
-    "plugins/auriga-workflow-skills/skills/incremental-impl/SKILL.md",
-    "plugins/auriga-workflow-skills/skills/session-compound/SKILL.md",
-    "plugins/auriga-workflow-skills/skills/session-compound/analyzers/claude-code.mjs",
-    "plugins/auriga-workflow-skills/skills/session-compound/analyzers/codex.mjs",
-    "plugins/auriga-workflow-skills/skills/session-compound/template.html",
-    "plugins/auriga-workflow-skills/skills/test-designer/SKILL.md",
-    "plugins/session-instructions-loader/.codex-plugin/plugin.json",
-    "plugins/session-instructions-loader/README.md",
-    "plugins/session-instructions-loader/hooks/hooks.json",
-    "plugins/session-instructions-loader/scripts/session-start.mjs",
-    "plugins/deep-review/.claude-plugin/plugin.json",
-    "plugins/deep-review/.codex-plugin/plugin.json",
-    "plugins/deep-review/README.md",
-    "plugins/deep-review/skills/deep-review/SKILL.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/code-quality.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/correctness.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/docs-sync.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/performance.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/robustness.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/security.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/skill-plugin-quality.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/spec-conformance.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/structure.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/test-quality.md",
-    "plugins/deep-review/skills/deep-review/references/reviewers/ux.md",
-    "plugins/deep-review/skills/reviewer-creator/SKILL.md",
-    "plugins/deep-review/skills/reviewer-creator/references/template.md",
+    "extra_plugin_configs.json",
 ];
 async function fetchFile(file) {
     const ref = resolveContentRef();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auriga-cli",
-  "version": "1.20.3",
+  "version": "1.20.4",
   "description": "Interactive CLI to install Claude Code harness modules (Workflow, Skills, Recommended Skills, Plugins, Hooks)",
   "license": "MIT",
   "repository": {