npm - auriga-cli - Versions diffs - 1.20.5 → 1.24.0 - Mend

auriga-cli 1.20.5 → 1.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md CHANGED Viewed

@@ -11,9 +11,9 @@ This repo itself is a fully configured harness project. You can clone it to see
 | Module | Description |
 |---|---|
 | **Workflow** | `CLAUDE.md` auriga workflow: requirement clarification -> TDD -> Review, Harness principles, Subagent usage guide |
-| **Skills** | External development process skills — systematic-debugging, TDD, verification, planning, playwright (spec authoring ships as the `spec-design` skill inside the `auriga-workflow-skills` plugin) |
+| **Skills** | External development process skills — systematic-debugging, TDD, verification, planning, playwright (spec authoring and architecture design ship as the `spec-design` and `arch-design` skills inside the `auriga-workflow` plugin) |
 | **Recommended Skills** | Optional utility skills (e.g. `codex-agent`, `claude-code-agent`) you can add on top of the workflow skills |
-| **Plugins** | Recommended Claude Code and Codex plugins — skill-creator, claude-md-management, codex, auriga-go, auriga-git-guards, auriga-workflow-skills, auriga-notify, session-instructions-loader, deep-review |
+| **Plugins** | Recommended Claude Code and Codex plugins — skill-creator, claude-md-management, codex, auriga-workflow, auriga-notify, session-instructions-loader |
 | **Hooks** | Legacy Claude Code hook installer. No repo-owned hooks are currently exposed here; `notify` ships as the `auriga-notify` plugin. |
 ## Quick Start
@@ -107,7 +107,6 @@ Installs selected skills via `npx skills add`, targeting both Claude Code and Co
 | Skill | Source | Description |
 |---|---|---|
 | claude-code-agent | [Ben2pc/g-claude-code-plugins](https://github.com/Ben2pc/g-claude-code-plugins) | Delegate coding, review, diagnosis, and planning to standalone Claude Code sessions |
-| code-simplification | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | Refactor for clarity without changing behavior — trim accumulated complexity |
 | codex-agent | [Ben2pc/g-claude-code-plugins](https://github.com/Ben2pc/g-claude-code-plugins) | Delegate to Codex sessions for cross-model coverage |
 | deprecation-and-migration | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | Sunset, replace, or migrate legacy code — deprecation discipline |
 | design-taste-frontend | [Leonxlnx/taste-skill](https://github.com/Leonxlnx/taste-skill) | Senior UI/UX engineer with metric-based design rules and strict component architecture |
@@ -119,16 +118,14 @@ Supports both project and global installation scopes.
 ### Plugins
-Installs selected plugins for Claude Code, Codex, or both. Claude Code uses `claude plugins install` and honors `--scope project|user`; Codex uses `codex plugin marketplace add` and enables selected plugins in `~/.codex/config.toml`.
+Installs selected plugins for Claude Code, Codex, or both. Claude Code uses `claude plugins install` and honors `--scope project|user`; Codex uses `codex plugin marketplace add/upgrade` (the right one is picked by reading `~/.codex/config.toml`) and enables selected plugins in `~/.codex/config.toml`.
 Examples:
 ```bash
-npx -y auriga-cli install plugins --plugin auriga-go
-npx -y auriga-cli install plugins --agent both --plugin auriga-workflow-skills
+npx -y auriga-cli install plugins --agent both --plugin auriga-workflow
 npx -y auriga-cli install plugins --plugin auriga-notify
 npx -y auriga-cli install plugins --agent codex --plugin session-instructions-loader
-npx -y auriga-cli install plugins --agent both --plugin auriga-git-guards
 ```
 | Plugin | Runtime | Description |
@@ -136,12 +133,9 @@ npx -y auriga-cli install plugins --agent both --plugin auriga-git-guards
 | skill-creator | Claude Code | Create and manage custom skills |
 | claude-md-management | Claude Code | Audit and improve CLAUDE.md |
 | codex | Claude Code | Codex cross-model collaboration |
-| auriga-go | Claude Code / Codex | Workflow autopilot for the auriga workflow. Reminder-based navigation across the `CLAUDE.md` phases. Bundles two skills: `auriga-go` (description-based NL trigger + `/auriga-go`) and `/goalify` (plans an autonomous goal from a spec or work-in-progress and dispatches it via Claude Code's built-in `/goal` command). |
-| auriga-git-guards | Claude Code / Codex | Three git-lifecycle guardrails plus the bundled `git-workflow` skill. Hooks: `commit-reminder` (PostToolUse on `Edit` / `Write` / `MultiEdit` in Claude Code and on `apply_patch` — Codex's canonical file-edit `tool_name` — so it fires in both runtimes → when uncommitted diff vs `HEAD` exceeds 200 lines or 8 files and the last reminder was ≥ 60 s ago, inject a nudge to commit at the next semantic boundary), `pr-create-guard` (PostToolUse on `gh pr create` → fetch the new PR's body via `gh pr view` and inject headings + TODO counts as `additionalContext` so the Agent can self-verify the five-element PR description: scope / acceptance criteria / design decisions / risks / remaining TODOs), and `pr-ready-guard` (PreToolUse on `gh pr ready` → block on stray planning docs at `findings.md` / `progress.md` / `task_plan.md` / `docs/superpowers/specs/*.md`, unfinalized active specs in `docs/specs/*.md`, or unpushed commits; otherwise inject the body snapshot). The two PostToolUse hooks reach full Claude Code / Codex parity; Codex currently fails open on `pr-ready-guard`'s PreToolUse `additionalContext` informational path (block path identical). |
-| auriga-workflow-skills | Claude Code / Codex | Bundles the auriga-owned workflow execution skills: `incremental-impl`, `test-designer`, `session-compound`, and `spec-design`. Installed by default through the plugin path instead of `install skills`. |
+| auriga-workflow | Claude Code / Codex | The auriga workflow plugin — workflow skills plus the git lifecycle hooks that enforce them. Skills: `incremental-impl`, `test-designer`, `spec-design`, `arch-design`, `code-simplify`, `session-compound`, `goalify` (plans an autonomous goal and dispatches it via Claude Code's built-in `/goal` command), `deep-review` (multi-dimensional PR review orchestrator — parallel per-dimension reviewers synthesized into an actionable punch list), `reviewer-creator` (scaffolds project-level custom reviewers under `docs/rules/review/`), and `git-workflow` (git lifecycle skill). Hooks: `commit-reminder` (PostToolUse on file edits — `Edit` / `Write` / `MultiEdit` in Claude Code, `apply_patch` in Codex — nudges to commit at the next semantic boundary when uncommitted diff vs `HEAD` exceeds 200 lines or 8 files), `pr-create-guard` (PostToolUse on `gh pr create` → injects a PR-body snapshot for five-element self-verification and flags non-Conventional-Commits titles), and `pr-ready-guard` (PreToolUse on `gh pr ready` and non-draft `gh pr create` → blocks on stray planning docs, unfinalized active specs under `docs/specs/`, or unpushed commits). The two PostToolUse hooks reach full Claude Code / Codex parity; Codex currently fails open on `pr-ready-guard`'s PreToolUse `additionalContext` informational path (block path identical). Installed by default through the plugin path. |
 | auriga-notify *(opt-in)* | Claude Code | macOS native notification plugin for Claude Code `Notification` events. Focus-aware sound-only mode, click-to-activate, per-project notification grouping, and migrated `config.json` / `icon.png` support. Not installed by `install --all`; install explicitly with `install plugins --plugin auriga-notify`. |
 | session-instructions-loader | Codex | Codex-only SessionStart plugin that injects ancestor `AGENTS.md` files plus repo-configured extra instruction files. |
-| deep-review | Claude Code / Codex | Multi-dimensional PR review orchestrator — dispatches parallel reviewers (spec-conformance, correctness, test-quality, docs-sync, plus conditional robustness/UX/performance/structure/code-quality/skill-plugin-quality) and synthesizes findings into an actionable punch list. Bundles a companion `reviewer-creator` skill for scaffolding project-level custom reviewers under `docs/rules/review/`. Drives the formal-review phase in `CLAUDE.md`. |
 ### Hooks

package/README.zh-CN.md CHANGED Viewed

@@ -11,9 +11,9 @@
 | 模块 | 说明 |
 |---|---|
 | **Workflow** | `CLAUDE.md` 里的 auriga 工作流：需求澄清 → TDD → Review，Harness 原则，Subagent 使用指南 |
-| **Skills** | 外部开发流程 skills —— systematic-debugging、TDD、verification、planning、playwright（spec 撰写由 `auriga-workflow-skills` 插件内的 `spec-design` skill 提供）|
+| **Skills** | 外部开发流程 skills —— systematic-debugging、TDD、verification、planning、playwright（spec 撰写与架构设计由 `auriga-workflow` 插件内的 `spec-design`、`arch-design` skill 提供）|
 | **Recommended Skills** | 可选的工具类 skills（如 `codex-agent`、`claude-code-agent`），在 workflow skills 之外按需追加 |
-| **Plugins** | 推荐的 Claude Code 和 Codex 插件 —— skill-creator、claude-md-management、codex、auriga-go、auriga-git-guards、auriga-workflow-skills、auriga-notify、session-instructions-loader、deep-review |
+| **Plugins** | 推荐的 Claude Code 和 Codex 插件 —— skill-creator、claude-md-management、codex、auriga-workflow、auriga-notify、session-instructions-loader |
 | **Hooks** | 传统 Claude Code hook 安装器。目前没有仓库自维护 hook 暴露在这里；`notify` 已迁移为 `auriga-notify` 插件。 |
 ## 快速开始
@@ -107,7 +107,6 @@ npx auriga-cli
 | Skill | 来源 | 说明 |
 |---|---|---|
 | claude-code-agent | [Ben2pc/g-claude-code-plugins](https://github.com/Ben2pc/g-claude-code-plugins) | 通过 Claude Code Agent SDK 把任务委派给独立 Claude Code 会话 |
-| code-simplification | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | 不改变行为前提下重构代码以提升可读性 —— 清掉累积的不必要复杂度 |
 | codex-agent | [Ben2pc/g-claude-code-plugins](https://github.com/Ben2pc/g-claude-code-plugins) | 委派给 Codex 会话，做跨模型覆盖 |
 | deprecation-and-migration | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | 废弃与迁移流程 —— 安全地下线、替换或迁移遗留代码 |
 | design-taste-frontend | [Leonxlnx/taste-skill](https://github.com/Leonxlnx/taste-skill) | 高阶 UI/UX 工程师 —— 度量化设计规则与严格的组件架构约束 |
@@ -119,16 +118,14 @@ npx auriga-cli
 ### Plugins
-可以把选中的插件安装到 Claude Code、Codex 或两者都装。Claude Code 路径使用 `claude plugins install`，并遵守 `--scope project|user`；Codex 路径使用 `codex plugin marketplace add`，并在 `~/.codex/config.toml` 里启用选中的插件。
+可以把选中的插件安装到 Claude Code、Codex 或两者都装。Claude Code 路径使用 `claude plugins install`，并遵守 `--scope project|user`；Codex 路径根据 `~/.codex/config.toml` 中是否已注册同名 marketplace 自动选择 `codex plugin marketplace add` 或 `upgrade`，并在 `~/.codex/config.toml` 里启用选中的插件。
 示例：
 ```bash
-npx -y auriga-cli install plugins --plugin auriga-go
-npx -y auriga-cli install plugins --agent both --plugin auriga-workflow-skills
+npx -y auriga-cli install plugins --agent both --plugin auriga-workflow
 npx -y auriga-cli install plugins --plugin auriga-notify
 npx -y auriga-cli install plugins --agent codex --plugin session-instructions-loader
-npx -y auriga-cli install plugins --agent both --plugin auriga-git-guards
 ```
 | 插件 | 运行时 | 说明 |
@@ -136,12 +133,9 @@ npx -y auriga-cli install plugins --agent both --plugin auriga-git-guards
 | skill-creator | Claude Code | 创建和管理自定义 skills |
 | claude-md-management | Claude Code | 审计和改进 CLAUDE.md |
 | codex | Claude Code | Codex 跨模型协作 |
-| auriga-go | Claude Code / Codex | auriga 工作流的自动驾驶：按 `CLAUDE.md` 的 phase 做 reminder-based 导航。内置两个 skill：`auriga-go`（按 description 的自然语言触发 + `/auriga-go` slash command）和 `/goalify`（根据 spec 或当前进展 plan 出 goal，并通过 Claude Code 内置的 `/goal` 命令分发执行）。 |
-| auriga-git-guards | Claude Code / Codex | 三个 git-lifecycle guardrail + 内置 `git-workflow` skill。Hooks：`commit-reminder`（Claude Code 下 PostToolUse 匹配 `Edit` / `Write` / `MultiEdit`，Codex 下匹配 `apply_patch`（Codex 文件编辑 canonical `tool_name`），两个 runtime 都触发 —— 未提交 diff 对比 `HEAD` 超过 200 行或 8 个文件，且距上次提醒 ≥ 60 s 时，注入提醒让 Agent 在下一个语义边界 commit）、`pr-create-guard`（`gh pr create` 的 PostToolUse —— 通过 `gh pr view` 拉真实 PR body，扫 `^##` / `^###` headings 并统计 `- [ ]` / `- [x]` 注入 `additionalContext`，让 Agent 对照五要素：scope / acceptance criteria / design decisions / risks / remaining TODOs）、`pr-ready-guard`（`gh pr ready` 的 PreToolUse —— 仅按结构信号拦截：游离 `findings.md` / `progress.md` / `task_plan.md` / `docs/superpowers/specs/*.md`、`docs/specs/*.md` 内未结案的活跃 spec、未 push commits；放行时注入 body 快照）。两个 PostToolUse hook 在 Claude Code / Codex 上完全对齐；Codex 仅对 `pr-ready-guard` 的 PreToolUse `additionalContext` 信息路径 fail-open（block 路径两边一致）。 |
-| auriga-workflow-skills | Claude Code / Codex | 打包 auriga 自维护的工作流执行 skills：`incremental-impl`、`test-designer`、`session-compound`、`spec-design`。默认通过插件路径安装，不再通过 `install skills` 作为独立条目安装。 |
+| auriga-workflow | Claude Code / Codex | auriga 工作流插件 —— 工作流 skill 加上强制执行工作流的 git 生命周期 hook。Skills：`incremental-impl`、`test-designer`、`spec-design`、`arch-design`、`code-simplify`、`session-compound`、`goalify`（plan 出自驱 goal 并通过 Claude Code 内置 `/goal` 命令分发执行）、`deep-review`（多维度 PR review 编排器——并行派发各维度 reviewer，汇总成可执行的 punch list）、`reviewer-creator`（在 `docs/rules/review/` 下生成项目级自定义 reviewer）、`git-workflow`（git 生命周期 skill）。Hooks：`commit-reminder`（文件编辑的 PostToolUse —— Claude Code 匹配 `Edit` / `Write` / `MultiEdit`，Codex 匹配 `apply_patch` —— 未提交 diff 对比 `HEAD` 超过 200 行或 8 个文件时，提醒在下一个语义边界 commit）、`pr-create-guard`（`gh pr create` 的 PostToolUse —— 注入 PR body 快照供五要素自检，并对不符合 Conventional Commits 的标题提示）、`pr-ready-guard`（`gh pr ready` 与非 draft `gh pr create` 的 PreToolUse —— 拦截游离规划文档、`docs/specs/` 内未结案的活跃 spec、未 push commits）。两个 PostToolUse hook 在 Claude Code / Codex 上完全对齐；Codex 仅对 `pr-ready-guard` 的 PreToolUse `additionalContext` 信息路径 fail-open（block 路径两边一致）。默认通过插件路径安装。 |
 | auriga-notify *(opt-in)* | Claude Code | Claude Code `Notification` 事件的 macOS 原生通知插件。支持焦点感知仅提示音、点击唤起终端、按项目分组通知，并迁移旧 `config.json` / `icon.png`。不随 `install --all` 默认安装，需要显式执行 `install plugins --plugin auriga-notify`。 |
 | session-instructions-loader | Codex | Codex-only SessionStart 插件，注入上层目录的 `AGENTS.md` 和仓库配置的额外 instruction 文件。 |
-| deep-review | Claude Code / Codex | 多维度 PR review 编排器 —— 并行派发各维度 reviewer（spec-conformance、correctness、test-quality、docs-sync，以及条件触发的 robustness/UX/performance/structure/code-quality/skill-plugin-quality），汇总成 punch list。同包内打包了 `reviewer-creator` skill，用于在 `docs/rules/review/` 下生成项目级自定义 reviewer。承担 `CLAUDE.md` 中的正式评审职责。 |
 ### Hooks

package/dist/api-types.d.ts CHANGED Viewed

@@ -50,7 +50,7 @@ export interface PluginState {
     description: string;
     status: ItemStatus;
     /** Which Agent runtimes this plugin can install into. Most plugins target
-     *  a single agent; dual-Agent plugins (e.g. auriga-go) have both. When
+     *  a single agent; dual-Agent plugins (e.g. auriga-workflow) have both. When
      *  `agents.length === 2` the UI shows a BOTH badge and Apply installs to
      *  each agent in turn. Status is aggregated across all targeted agents:
      *  `installed` ⇔ all agents installed; `not-installed` ⇔ all not-installed;

package/dist/apply-handlers.d.ts CHANGED Viewed

@@ -7,7 +7,7 @@ export interface ApplyHandlerContext {
     cwd: string;
     /** Resolves plugin name → the list of agents this plugin can install
      *  into. Built at boot from the same scan catalog the /api/state route
-     *  uses. dual-Agent plugins (e.g. `auriga-go`) yield `["claude","codex"]`
+     *  uses. dual-Agent plugins (e.g. `auriga-workflow`) yield `["claude","codex"]`
      *  and the handler iterates the list, installing to each agent in turn.
      *  Names not in the map default to `["claude"]` (existing CLI default). */
     pluginAgentsByName: Map<string, ("claude" | "codex")[]>;

package/dist/catalog.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-05-15T04:24:39.164Z",
+  "generatedAt": "2026-05-15T17:31:57.831Z",
   "workflowSkills": [
     {
       "name": "planning-with-files",
@@ -27,10 +27,6 @@
       "name": "claude-code-agent",
       "description": "Delegate coding, review, diagnosis, planning, and structured-output tasks to an independent Claude Code session via `claude -p` (Agent SDK)."
     },
-    {
-      "name": "code-simplification",
-      "description": "Simplifies code for clarity. Use when refactoring code for clarity without changing behavior. Use when code works but is harder to read, maintain, or extend than it should be. Use when reviewing code that has accumulated unnecessary complexity."
-    },
     {
       "name": "codex-agent",
       "description": "Delegate coding, review, diagnosis, planning, and browser tasks to an independent Codex session via `codex exec` / resume / review."
@@ -58,24 +54,8 @@
   ],
   "plugins": [
     {
-      "name": "auriga-go",
-      "description": "(Claude/Codex) Workflow autopilot for the auriga workflow. Reminder-based navigation across CLAUDE.md's phases. Bundles a /goalify skill that plans an autonomous goal from a spec or work-in-progress and dispatches it via Claude Code's built-in /goal command.",
-      "agents": [
-        "claude",
-        "codex"
-      ]
-    },
-    {
-      "name": "auriga-git-guards",
-      "description": "(Claude/Codex) Git lifecycle guardrails: commit-reminder (PostToolUse on Edit/Write/MultiEdit/apply_patch) + pr-create-guard with PR-body snapshot and Conventional Commits title check (PostToolUse on `gh pr create`) + pr-ready-guard structural block at PR Ready transitions, firing on BOTH `gh pr ready` AND `gh pr create` without `--draft` (PreToolUse). Bundles the git-workflow skill. Dual-Agent compatible (Claude Code + Codex).",
-      "agents": [
-        "claude",
-        "codex"
-      ]
-    },
-    {
-      "name": "auriga-workflow-skills",
-      "description": "(Claude/Codex) Bundles the auriga-owned workflow execution skills: incremental-impl, test-designer, session-compound, and spec-design. Dual-Agent compatible (Claude Code + Codex).",
+      "name": "auriga-workflow",
+      "description": "(Claude/Codex) The auriga workflow plugin: workflow skills — incremental-impl (implementation slicing), test-designer (independent test design), spec-design (requirement clarification), arch-design (architecture design), code-simplify (code simplification), session-compound (session compounding), goalify (autonomous /goal planning), deep-review (multi-dimensional PR review orchestrator), reviewer-creator (custom reviewer scaffolding), git-workflow (git lifecycle skill) — plus the git lifecycle hooks that enforce them: commit-reminder, pr-create-guard, pr-ready-guard. Dual-Agent compatible (Claude Code + Codex).",
       "agents": [
         "claude",
         "codex"
@@ -88,14 +68,6 @@
         "claude"
       ]
     },
-    {
-      "name": "deep-review",
-      "description": "(Claude/Codex) Multi-dimensional PR review orchestrator. Dispatches parallel reviewers (spec-conformance, correctness, test-quality, docs-sync, robustness, security, ux, performance, structure, code-quality, skill-plugin-quality) and synthesizes findings into an actionable punch list. Supports project-level custom reviewers via `docs/rules/review/` and ships a `reviewer-creator` skill for scaffolding them.",
-      "agents": [
-        "claude",
-        "codex"
-      ]
-    },
     {
       "name": "skill-creator",
       "description": "Create and manage custom skills",

package/dist/cli.js CHANGED Viewed

@@ -325,7 +325,7 @@ function validateFilterAgainstCatalog(type, filter) {
 function migratedPluginHint(type, name) {
     if (type === "skills" &&
         ["incremental-impl", "test-designer", "session-compound"].includes(name)) {
-        return "This skill moved to the auriga-workflow-skills plugin; install it with `install plugins --plugin auriga-workflow-skills`.";
+        return "This skill moved to the auriga-workflow plugin; install it with `install plugins --plugin auriga-workflow`.";
     }
     if (type === "hooks" && name === "notify") {
         return "The notify hook moved to the auriga-notify plugin; install it with `install plugins --plugin auriga-notify`.";
@@ -802,7 +802,7 @@ async function runLegacyMenu() {
             { name: "Workflow — CLAUDE.md + AGENTS.md", value: "workflow", checked: true },
             { name: "Skills — Development process skills (TDD, debugging, verification, planning...)", value: "skills", checked: true },
             { name: "Recommended Skills — Extra utility skills (claude-code-agent, codex-agent...)", value: "recommended", checked: true },
-            { name: "Plugins — Claude Code / Codex plugins (skill-creator, codex, auriga-go...)", value: "plugins", checked: true },
+            { name: "Plugins — Claude Code / Codex plugins (skill-creator, codex, auriga-workflow...)", value: "plugins", checked: true },
             { name: "Hooks — Claude Code hooks (notifications, etc.)", value: "hooks", checked: true },
         ],
     }));

package/dist/plugins.js CHANGED Viewed

@@ -22,7 +22,7 @@ const MIGRATED_WORKFLOW_SKILLS = [
     "session-compound",
 ];
 const NOTIFY_PLUGIN_NAME = "auriga-notify";
-const WORKFLOW_SKILLS_PLUGIN_NAME = "auriga-workflow-skills";
+const WORKFLOW_SKILLS_PLUGIN_NAME = "auriga-workflow";
 const LEGACY_NOTIFY_MARKER = "auriga:notify";
 const CODEX_PLUGIN_VERSION_RE = /^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$/;
 function validateClaudeMarketplace(raw) {
@@ -287,7 +287,7 @@ function isWorkflowPluginDevSymlink(skillPath, cwd, name) {
         return false;
     const target = fs.readlinkSync(skillPath);
     const resolved = path.resolve(path.dirname(skillPath), target);
-    const expected = path.resolve(cwd, "plugins", "auriga-workflow-skills", "skills", name);
+    const expected = path.resolve(cwd, "plugins", "auriga-workflow", "skills", name);
     return resolved === expected;
 }
 function removeMigratedSkillFromLock(cwd, name, opts) {
@@ -422,18 +422,30 @@ function runPostInstallMigration(pluginName, opts, runtimes) {
         migrateLegacyNotifyConfig(opts);
     }
 }
-function codexMarketplaceAddCommand(packageRoot) {
-    if (process.env.DEV === "1") {
-        return `codex plugin marketplace add ${shellQuote(packageRoot)}`;
-    }
-    return "codex plugin marketplace add https://github.com/Ben2pc/auriga-cli.git";
+// Source string Codex CLI records in `~/.codex/config.toml`
+// `[marketplaces.<name>].source` after `marketplace add` succeeds. Used for
+// exact-string compare against the registered marketplace's source to detect
+// same-name-different-source hijack attempts before running `upgrade`.
+function codexLocalMarketplaceSource(packageRoot) {
+    if (process.env.DEV === "1")
+        return packageRoot;
+    return "https://github.com/Ben2pc/auriga-cli.git";
 }
-function codexExternalMarketplaceAddCommand(source) {
+function codexExternalMarketplaceSource(source) {
     // `source` is validated by validateExtraPluginConfigs against
     // MARKETPLACE_SOURCE_RE (alphanumerics + `._/-`) — no shell metachars
-    // can reach this string. URL form deliberately mirrors
-    // codexMarketplaceAddCommand's hardcoded production branch.
-    return `codex plugin marketplace add https://github.com/${source}.git`;
+    // can reach this string.
+    return `https://github.com/${source}.git`;
+}
+function codexMarketplaceAddCommand(packageRoot) {
+    const source = codexLocalMarketplaceSource(packageRoot);
+    // DEV-mode local paths may contain spaces; URLs need no shell quoting.
+    return process.env.DEV === "1"
+        ? `codex plugin marketplace add ${shellQuote(source)}`
+        : `codex plugin marketplace add ${source}`;
+}
+function codexExternalMarketplaceAddCommand(source) {
+    return `codex plugin marketplace add ${codexExternalMarketplaceSource(source)}`;
 }
 function codexMarketplaceUpgradeCommand(marketplaceName) {
     return `codex plugin marketplace upgrade ${shellQuote(marketplaceName)}`;
@@ -449,13 +461,36 @@ function commandErrorText(error) {
         parts.push(String(withOutput.stderr));
     return parts.join("\n");
 }
-function escapeRegex(value) {
-    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function isCodexMarketplaceAlreadyAdded(error, marketplaceName) {
-    const text = commandErrorText(error);
-    const marketplacePattern = new RegExp(`marketplace ['"]?${escapeRegex(marketplaceName)}['"]? is already added`, "i");
-    return marketplacePattern.test(text);
+// Codex CLI records every added marketplace as `[marketplaces.<name>]` in
+// `~/.codex/config.toml` with a `source` field. Returns that stored source
+// for an exact-string compare against the source we would `add`, or null
+// when the marketplace isn't registered or the entry is malformed.
+//
+// Why config.toml is the authoritative signal: Codex's `add` command is
+// silently idempotent for an already-added marketplace (exit 0, prints to
+// stdout, no error), so we can't detect already-added by catching an
+// `add` failure. The stored source also lets us guard against same-name
+// hijack — a fork registered under our marketplace name would be invisible
+// to a presence-only check.
+function readCodexMarketplaceSource(marketplaceName) {
+    const configPath = path.join(codexHome(), "config.toml");
+    if (!fs.existsSync(configPath))
+        return null;
+    try {
+        const parsed = parseToml(fs.readFileSync(configPath, "utf-8"));
+        const marketplaces = parsed.marketplaces;
+        if (typeof marketplaces !== "object" || marketplaces === null || Array.isArray(marketplaces)) {
+            return null;
+        }
+        const entry = marketplaces[marketplaceName];
+        if (typeof entry !== "object" || entry === null || Array.isArray(entry))
+            return null;
+        const source = entry.source;
+        return typeof source === "string" ? source : null;
+    }
+    catch {
+        return null;
+    }
 }
 function isCodexMarketplaceDifferentSource(error) {
     return /already added from a different source/i.test(commandErrorText(error));
@@ -616,34 +651,45 @@ function enableCodexPluginConfig(configPath, pluginKeys, needsPluginHooks) {
     const content = minimalContent ?? buildCodexPluginConfigToml(originalContent, configPath, pluginKeys, needsPluginHooks);
     atomicWriteFile(configPath, content.endsWith("\n") ? content : `${content}\n`);
 }
-async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, opts, marketplaceExecOpts, failures) {
+async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, expectedSource, opts, marketplaceExecOpts, failures) {
+    const registeredSource = readCodexMarketplaceSource(marketplaceName);
+    if (registeredSource !== null) {
+        if (registeredSource !== expectedSource) {
+            // Supply-chain guard: a same-name marketplace pointing at a different
+            // source (e.g. a fork URL) must not be silently `upgrade`d — its
+            // content would be cached under our name and consumed downstream.
+            const msg = `Codex marketplace ${marketplaceName} is already added from a different source`;
+            log.error(`${msg}\n  registered: ${registeredSource}\n  expected:   ${expectedSource}`);
+            failures.push(msg);
+            return;
+        }
+        try {
+            exec(codexMarketplaceUpgradeCommand(marketplaceName), marketplaceExecOpts);
+            log.ok(`Codex marketplace ${marketplaceName} upgraded`);
+        }
+        catch (e) {
+            // Surface the underlying upgrade error so a 6-month-out reader
+            // can tell apart ENOENT / network / auth / git failures.
+            log.error(`Failed to upgrade Codex marketplace: ${marketplaceName}\n${commandErrorText(e)}`);
+            failures.push(`codex marketplace ${marketplaceName}`);
+        }
+        return;
+    }
     try {
         exec(addCommand, marketplaceExecOpts);
         log.ok(`Codex marketplace ${marketplaceName} added`);
-        return;
     }
     catch (e) {
         if (isCodexMarketplaceDifferentSource(e)) {
+            // Defense-in-depth: config.toml didn't claim the name but Codex CLI
+            // refused with "different source" — rare divergence between Codex
+            // internal state and config.toml.
             const msg = `Codex marketplace ${marketplaceName} is already added from a different source`;
             log.error(`${msg}\n${commandErrorText(e)}`);
             failures.push(msg);
             return;
         }
-        if (isCodexMarketplaceAlreadyAdded(e, marketplaceName)) {
-            try {
-                exec(codexMarketplaceUpgradeCommand(marketplaceName), marketplaceExecOpts);
-                log.ok(`Codex marketplace ${marketplaceName} upgraded`);
-                return;
-            }
-            catch (upgradeErr) {
-                // Surface the underlying upgrade error so a 6-month-out reader
-                // can tell apart ENOENT / network / auth / git failures.
-                log.error(`Failed to upgrade Codex marketplace: ${marketplaceName}\n${commandErrorText(upgradeErr)}`);
-                failures.push(`codex marketplace ${marketplaceName}`);
-                return;
-            }
-        }
-        // Same: surface the add error rather than masking ENOENT / network / auth.
+        // Surface the add error rather than masking ENOENT / network / auth.
         log.error(`Failed to add Codex marketplace: ${marketplaceName}\n${commandErrorText(e)}`);
         failures.push(`codex marketplace ${marketplaceName}`);
     }
@@ -726,7 +772,7 @@ async function installCodexPlugins(packageRoot, opts) {
         ? { inherit: true }
         : undefined;
     if (localMarketplace) {
-        await addCodexMarketplaceWithRetry(localMarketplace.name, codexMarketplaceAddCommand(packageRoot), opts, marketplaceExecOpts, failures);
+        await addCodexMarketplaceWithRetry(localMarketplace.name, codexMarketplaceAddCommand(packageRoot), codexLocalMarketplaceSource(packageRoot), opts, marketplaceExecOpts, failures);
     }
     // Dedupe external marketplaces by name — multiple plugins from the same
     // upstream share a single `marketplace add` call.
@@ -735,7 +781,7 @@ async function installCodexPlugins(packageRoot, opts) {
         uniqueExternalMarketplaces.set(p.marketplace.name, p.marketplace);
     }
     for (const mp of uniqueExternalMarketplaces.values()) {
-        await addCodexMarketplaceWithRetry(mp.name, codexExternalMarketplaceAddCommand(mp.source), opts, marketplaceExecOpts, failures);
+        await addCodexMarketplaceWithRetry(mp.name, codexExternalMarketplaceAddCommand(mp.source), codexExternalMarketplaceSource(mp.source), opts, marketplaceExecOpts, failures);
     }
     if (failures.length === 0) {
         const localMarketplaceContentRoot = localMarketplace

package/dist/state.js CHANGED Viewed

@@ -301,7 +301,7 @@ async function scanClaudePlugins(scope, entries, execPluginList, warnings) {
         return entries.map(([id, def]) => degradedClaudeRow(id, def, scope));
     }
     // claude plugins list emits ids in `<plugin>@<marketplace>` form (e.g.
-    // `auriga-go@auriga-cli`). The auriga-cli catalog tracks plugins by bare
+    // `auriga-workflow@auriga-cli`). The auriga-cli catalog tracks plugins by bare
     // name. Index both forms so lookups succeed regardless of which side the
     // suffix is on.
     const installedById = new Map();
@@ -388,9 +388,9 @@ async function scanCodexPlugins(entries, readCodexConfig, readCodexPluginsDir, w
     catch {
         fsVersions = new Map();
     }
-    // Mirror the Claude side: catalog tracks bare names (e.g. "auriga-go") but
+    // Mirror the Claude side: catalog tracks bare names (e.g. "auriga-workflow") but
     // ~/.codex/config.toml [plugins.*] sections and defaultReadCodexPluginsDir
-    // both emit `<plugin>@<marketplace>` keys (e.g. "auriga-go@auriga-cli").
+    // both emit `<plugin>@<marketplace>` keys (e.g. "auriga-workflow@auriga-cli").
     // Without dual indexing every dual-Agent plugin reports `not-installed` on
     // the Codex side, which `mergePluginsById` then folds into a permanent
     // `partial-install` even when both sides are genuinely installed.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auriga-cli",
-  "version": "1.20.5",
+  "version": "1.24.0",
   "description": "Interactive CLI to install Claude Code harness modules (Workflow, Skills, Recommended Skills, Plugins, Hooks)",
   "license": "MIT",
   "repository": {
@@ -25,8 +25,8 @@
     "dev": "tsc --watch",
     "start": "node dist/cli.js",
     "pretest": "npm run build",
-    "test": "tsc -p tsconfig.test.json && DEV=1 node --test --experimental-test-module-mocks dist-test/tests/hooks.test.js dist-test/tests/hooks-uninstall.test.js dist-test/tests/skills.test.js dist-test/tests/skills-uninstall.test.js dist-test/tests/catalog.test.js dist-test/tests/cli-parse.test.js dist-test/tests/install-nontty.test.js dist-test/tests/plugins.test.js dist-test/tests/plugins-uninstall.test.js dist-test/tests/content-fetch.test.js dist-test/tests/utils.test.js dist-test/tests/guide.test.js dist-test/tests/validators.test.js dist-test/tests/entrypoint.test.js dist-test/tests/state.test.js dist-test/tests/server.test.js dist-test/tests/server-auth.test.js dist-test/tests/server-apply.test.js dist-test/tests/apply-handlers.test.js dist-test/tests/ui-fetch.test.js dist-test/tests/workflow-install.test.js dist-test/tests/workflow-uninstall.test.js dist-test/tests/tarball-shape.test.js dist-test/tests/spec-design.test.js",
-    "test:watch": "tsc -p tsconfig.test.json --watch & node --test --watch --experimental-test-module-mocks dist-test/tests/hooks.test.js dist-test/tests/hooks-uninstall.test.js dist-test/tests/skills.test.js dist-test/tests/skills-uninstall.test.js dist-test/tests/catalog.test.js dist-test/tests/cli-parse.test.js dist-test/tests/install-nontty.test.js dist-test/tests/plugins.test.js dist-test/tests/plugins-uninstall.test.js dist-test/tests/content-fetch.test.js dist-test/tests/utils.test.js dist-test/tests/guide.test.js dist-test/tests/validators.test.js dist-test/tests/entrypoint.test.js dist-test/tests/state.test.js dist-test/tests/server.test.js dist-test/tests/server-auth.test.js dist-test/tests/server-apply.test.js dist-test/tests/apply-handlers.test.js dist-test/tests/ui-fetch.test.js dist-test/tests/workflow-install.test.js dist-test/tests/workflow-uninstall.test.js dist-test/tests/tarball-shape.test.js dist-test/tests/spec-design.test.js",
+    "test": "tsc -p tsconfig.test.json && DEV=1 node --test --experimental-test-module-mocks dist-test/tests/hooks.test.js dist-test/tests/hooks-uninstall.test.js dist-test/tests/skills.test.js dist-test/tests/skills-uninstall.test.js dist-test/tests/catalog.test.js dist-test/tests/cli-parse.test.js dist-test/tests/install-nontty.test.js dist-test/tests/plugins.test.js dist-test/tests/plugins-uninstall.test.js dist-test/tests/content-fetch.test.js dist-test/tests/utils.test.js dist-test/tests/guide.test.js dist-test/tests/validators.test.js dist-test/tests/entrypoint.test.js dist-test/tests/state.test.js dist-test/tests/server.test.js dist-test/tests/server-auth.test.js dist-test/tests/server-apply.test.js dist-test/tests/apply-handlers.test.js dist-test/tests/ui-fetch.test.js dist-test/tests/workflow-install.test.js dist-test/tests/workflow-uninstall.test.js dist-test/tests/tarball-shape.test.js dist-test/tests/spec-design.test.js dist-test/tests/plugin-skill-frontmatter.test.js",
+    "test:watch": "tsc -p tsconfig.test.json --watch & node --test --watch --experimental-test-module-mocks dist-test/tests/hooks.test.js dist-test/tests/hooks-uninstall.test.js dist-test/tests/skills.test.js dist-test/tests/skills-uninstall.test.js dist-test/tests/catalog.test.js dist-test/tests/cli-parse.test.js dist-test/tests/install-nontty.test.js dist-test/tests/plugins.test.js dist-test/tests/plugins-uninstall.test.js dist-test/tests/content-fetch.test.js dist-test/tests/utils.test.js dist-test/tests/guide.test.js dist-test/tests/validators.test.js dist-test/tests/entrypoint.test.js dist-test/tests/state.test.js dist-test/tests/server.test.js dist-test/tests/server-auth.test.js dist-test/tests/server-apply.test.js dist-test/tests/apply-handlers.test.js dist-test/tests/ui-fetch.test.js dist-test/tests/workflow-install.test.js dist-test/tests/workflow-uninstall.test.js dist-test/tests/tarball-shape.test.js dist-test/tests/spec-design.test.js dist-test/tests/plugin-skill-frontmatter.test.js",
     "pretest:e2e": "npm run build",
     "test:e2e": "tsc -p tsconfig.test.json && node --test dist-test/tests/e2e-install.test.js",
     "pretest:web-ui-e2e": "npm run build && npm --prefix ui ci && npm --prefix ui run build",