auriga-cli 1.29.1 → 1.30.0

package/README.md

@@ -113,7 +113,6 @@ Installs selected skills via `npx skills add`, targeting both Claude Code and Co
 | codex-agent | [Ben2pc/g-claude-code-plugins](https://github.com/Ben2pc/g-claude-code-plugins) | Delegate to Codex sessions for cross-model coverage |
 | deprecation-and-migration | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | Sunset, replace, or migrate legacy code — deprecation discipline |
 | design-taste-frontend | [Leonxlnx/taste-skill](https://github.com/Leonxlnx/taste-skill) | Senior UI/UX engineer with metric-based design rules and strict component architecture |
-| documentation-and-adrs | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | Record architectural decisions and the *why* — context for future engineers / agents |
 | frontend-design | [anthropics/skills](https://github.com/anthropics/skills) | Distinctive, production-grade frontend UI generation that avoids generic AI aesthetics |
 | make-interfaces-feel-better | [jakubkrehel/make-interfaces-feel-better](https://github.com/jakubkrehel/make-interfaces-feel-better) | Polish principles — animations, surfaces, typography, performance |
 
@@ -121,7 +120,7 @@ Supports both project and global installation scopes.
 
 ### Plugins
 
-Installs selected plugins for Claude Code, Codex, or both. Claude Code uses `claude plugins install` and honors `--scope project|user`; Codex uses `codex plugin marketplace add/upgrade` (the right one is picked by reading `~/.codex/config.toml`) and enables selected plugins in `~/.codex/config.toml`.
+Installs selected plugins for Claude Code, Codex, or both. Claude Code uses `claude plugins install` and honors `--scope project|user`; Codex registers the marketplace via `codex plugin marketplace add/upgrade` (the right one is picked by reading `~/.codex/config.toml`), then installs each selected plugin with the native `codex plugin add <plugin>@<marketplace>` command. The Codex path requires a Codex CLI new enough to expose `codex plugin add`; on older versions the Codex-side install aborts with an upgrade hint.
 
 Examples:
 
@@ -137,7 +136,7 @@ npx -y auriga-cli install plugins --agent codex --plugin session-instructions-lo
 | claude-md-management | Claude Code / Codex | Audit and improve AGENTS.md / CLAUDE.md |
 | playground | Claude Code / Codex | Build interactive HTML playgrounds |
 | codex | Claude Code | Codex cross-model collaboration |
-| auriga-workflow | Claude Code / Codex | The auriga workflow plugin — workflow skills plus the git lifecycle hooks that enforce them. Skills: `incremental-impl`, `test-designer`, `spec-design`, `arch-design`, `code-simplify`, `session-compound`, `goalify` (plans an autonomous goal and dispatches it via the built-in `/goal` command), `deep-review` (multi-dimensional PR review orchestrator — parallel per-dimension reviewers synthesized into an actionable punch list), `reviewer-creator` (scaffolds project-level custom reviewers under `docs/rules/review/`), and `git-workflow` (git lifecycle skill). Hooks: `commit-reminder` (PostToolUse on file edits — `Edit` / `Write` / `MultiEdit` in Claude Code, `apply_patch` in Codex — nudges to commit at the next semantic boundary when uncommitted diff vs `HEAD` exceeds 200 lines or 8 files), `pr-create-guard` (PostToolUse on `gh pr create` → injects a PR-body snapshot for five-element self-verification and flags non-Conventional-Commits titles), `pr-ready-guard` (PreToolUse on `gh pr ready` and non-draft `gh pr create` → blocks on stray planning docs, unfinalized active specs under `docs/specs/`, or unpushed commits), and `pr-merge-guard` (PreToolUse on `gh pr merge` → blocks while the PR body's Acceptance criteria section still has unchecked checklist items). The two PostToolUse hooks reach full Claude Code / Codex parity; Codex currently fails open on `pr-ready-guard`'s PreToolUse `additionalContext` informational path (block path identical). Installed by default through the plugin path. |
+| auriga-workflow | Claude Code / Codex | The auriga workflow plugin — workflow skills plus the git lifecycle hooks that enforce them. Skills: `incremental-impl`, `test-designer`, `spec-design`, `arch-design`, `code-simplify`, `session-compound`, `goalify` (plans an autonomous goal and dispatches it via the built-in `/goal` command), `deep-review` (multi-dimensional PR review orchestrator — parallel per-dimension reviewers synthesized into an actionable punch list), `reviewer-creator` (scaffolds project-level custom reviewers under `docs/rules/review/`), `git-workflow` (git lifecycle skill), and `documentation-and-adrs` (architecture decision records and project documentation discipline — ADRs archived under `docs/architecture/`). Hooks: `commit-reminder` (PostToolUse on file edits — `Edit` / `Write` / `MultiEdit` in Claude Code, `apply_patch` in Codex — nudges to commit at the next semantic boundary when uncommitted diff vs `HEAD` exceeds 200 lines or 8 files), `pr-create-guard` (PostToolUse on `gh pr create` → injects a PR-body snapshot for five-element self-verification and flags non-Conventional-Commits titles), `pr-ready-guard` (PreToolUse on `gh pr ready` and non-draft `gh pr create` → blocks on stray planning docs, unfinalized active specs under `docs/specs/`, or unpushed commits), and `pr-merge-guard` (PreToolUse on `gh pr merge` → blocks while the PR body's Acceptance criteria section still has unchecked checklist items). The two PostToolUse hooks reach full Claude Code / Codex parity; Codex currently fails open on `pr-ready-guard`'s PreToolUse `additionalContext` informational path (block path identical). Installed by default through the plugin path. |
 | auriga-notify *(opt-in)* | Claude Code | macOS native notification plugin for Claude Code `Notification` events. Focus-aware sound-only mode, click-to-activate, per-project notification grouping, and migrated `config.json` / `icon.png` support. Not installed by `install --all`; install explicitly with `install plugins --plugin auriga-notify`. |
 | session-instructions-loader | Codex | Codex-only SessionStart plugin that injects ancestor `AGENTS.md` files plus repo-configured extra instruction files. |
 

package/README.zh-CN.md

@@ -113,7 +113,6 @@ npx auriga-cli
 | codex-agent | [Ben2pc/g-claude-code-plugins](https://github.com/Ben2pc/g-claude-code-plugins) | 委派给 Codex 会话，做跨模型覆盖 |
 | deprecation-and-migration | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | 废弃与迁移流程 —— 安全地下线、替换或迁移遗留代码 |
 | design-taste-frontend | [Leonxlnx/taste-skill](https://github.com/Leonxlnx/taste-skill) | 高阶 UI/UX 工程师 —— 度量化设计规则与严格的组件架构约束 |
-| documentation-and-adrs | [addyosmani/agent-skills](https://github.com/addyosmani/agent-skills) | 记录架构决策与"为什么" —— 为后来的工程师和 Agent 沉淀上下文 |
 | frontend-design | [anthropics/skills](https://github.com/anthropics/skills) | 生成有辨识度、production 级的前端界面，避开常见 AI 同质化美学 |
 | make-interfaces-feel-better | [jakubkrehel/make-interfaces-feel-better](https://github.com/jakubkrehel/make-interfaces-feel-better) | 界面打磨原则 —— 动画、表面、排版、性能 |
 
@@ -121,7 +120,7 @@ npx auriga-cli
 
 ### Plugins
 
-可以把选中的插件安装到 Claude Code、Codex 或两者都装。Claude Code 路径使用 `claude plugins install`，并遵守 `--scope project|user`；Codex 路径根据 `~/.codex/config.toml` 中是否已注册同名 marketplace 自动选择 `codex plugin marketplace add` 或 `upgrade`，并在 `~/.codex/config.toml` 里启用选中的插件。
+可以把选中的插件安装到 Claude Code、Codex 或两者都装。Claude Code 路径使用 `claude plugins install`，并遵守 `--scope project|user`；Codex 路径根据 `~/.codex/config.toml` 中是否已注册同名 marketplace 自动选择 `codex plugin marketplace add` 或 `upgrade` 注册 marketplace，再用原生的 `codex plugin add <plugin>@<marketplace>` 命令安装每个选中的插件。Codex 路径要求 Codex CLI 版本新到支持 `codex plugin add`；旧版本会中止 Codex 侧安装并提示升级。
 
 示例：
 
@@ -137,7 +136,7 @@ npx -y auriga-cli install plugins --agent codex --plugin session-instructions-lo
 | claude-md-management | Claude Code / Codex | 审计和改进 AGENTS.md / CLAUDE.md |
 | playground | Claude Code / Codex | 构建交互式 HTML playground |
 | codex | Claude Code | Codex 跨模型协作 |
-| auriga-workflow | Claude Code / Codex | auriga 工作流插件 —— 工作流 skill 加上强制执行工作流的 git 生命周期 hook。Skills：`incremental-impl`、`test-designer`、`spec-design`、`arch-design`、`code-simplify`、`session-compound`、`goalify`（plan 出自驱 goal 并通过内置 `/goal` 命令分发执行）、`deep-review`（多维度 PR review 编排器——并行派发各维度 reviewer，汇总成可执行的 punch list）、`reviewer-creator`（在 `docs/rules/review/` 下生成项目级自定义 reviewer）、`git-workflow`（git 生命周期 skill）。Hooks：`commit-reminder`（文件编辑的 PostToolUse —— Claude Code 匹配 `Edit` / `Write` / `MultiEdit`，Codex 匹配 `apply_patch` —— 未提交 diff 对比 `HEAD` 超过 200 行或 8 个文件时，提醒在下一个语义边界 commit）、`pr-create-guard`（`gh pr create` 的 PostToolUse —— 注入 PR body 快照供五要素自检，并对不符合 Conventional Commits 的标题提示）、`pr-ready-guard`（`gh pr ready` 与非 draft `gh pr create` 的 PreToolUse —— 拦截游离规划文档、`docs/specs/` 内未结案的活跃 spec、未 push commits）、`pr-merge-guard`（`gh pr merge` 的 PreToolUse —— PR body 的验收标准章节仍有未勾选清单项时拦截合并）。两个 PostToolUse hook 在 Claude Code / Codex 上完全对齐；Codex 仅对 `pr-ready-guard` 的 PreToolUse `additionalContext` 信息路径 fail-open（block 路径两边一致）。默认通过插件路径安装。 |
+| auriga-workflow | Claude Code / Codex | auriga 工作流插件 —— 工作流 skill 加上强制执行工作流的 git 生命周期 hook。Skills：`incremental-impl`、`test-designer`、`spec-design`、`arch-design`、`code-simplify`、`session-compound`、`goalify`（plan 出自驱 goal 并通过内置 `/goal` 命令分发执行）、`deep-review`（多维度 PR review 编排器——并行派发各维度 reviewer，汇总成可执行的 punch list）、`reviewer-creator`（在 `docs/rules/review/` 下生成项目级自定义 reviewer）、`git-workflow`（git 生命周期 skill）、`documentation-and-adrs`（架构决策记录与项目文档规范，ADR 归档到 `docs/architecture/`）。Hooks：`commit-reminder`（文件编辑的 PostToolUse —— Claude Code 匹配 `Edit` / `Write` / `MultiEdit`，Codex 匹配 `apply_patch` —— 未提交 diff 对比 `HEAD` 超过 200 行或 8 个文件时，提醒在下一个语义边界 commit）、`pr-create-guard`（`gh pr create` 的 PostToolUse —— 注入 PR body 快照供五要素自检，并对不符合 Conventional Commits 的标题提示）、`pr-ready-guard`（`gh pr ready` 与非 draft `gh pr create` 的 PreToolUse —— 拦截游离规划文档、`docs/specs/` 内未结案的活跃 spec、未 push commits）、`pr-merge-guard`（`gh pr merge` 的 PreToolUse —— PR body 的验收标准章节仍有未勾选清单项时拦截合并）。两个 PostToolUse hook 在 Claude Code / Codex 上完全对齐；Codex 仅对 `pr-ready-guard` 的 PreToolUse `additionalContext` 信息路径 fail-open（block 路径两边一致）。默认通过插件路径安装。 |
 | auriga-notify *(opt-in)* | Claude Code | Claude Code `Notification` 事件的 macOS 原生通知插件。支持焦点感知仅提示音、点击唤起终端、按项目分组通知，并迁移旧 `config.json` / `icon.png`。不随 `install --all` 默认安装，需要显式执行 `install plugins --plugin auriga-notify`。 |
 | session-instructions-loader | Codex | Codex-only SessionStart 插件，注入上层目录的 `AGENTS.md` 和仓库配置的额外 instruction 文件。 |
 

package/dist/catalog.json

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-05-17T06:16:55.450Z",
+  "generatedAt": "2026-05-19T07:23:20.929Z",
   "workflowSkills": [
     {
       "name": "planning-with-files",
@@ -39,10 +39,6 @@
       "name": "design-taste-frontend",
       "description": "Senior UI/UX Engineer. Architect digital interfaces overriding default LLM biases. Enforces metric-based rules, strict component architecture, CSS hardware acceleration, and balanced design engineering."
     },
-    {
-      "name": "documentation-and-adrs",
-      "description": "Records decisions and documentation. Use when making architectural decisions, changing public APIs, shipping features, or when you need to record context that future engineers and agents will need to understand the codebase."
-    },
     {
       "name": "frontend-design",
       "description": "Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, artifacts, posters, or applications (examples include websites, landing pages, dashboards, React components, HTML/CSS layouts, or when styling/beautifying any web UI). Generates creative, polished code and UI design that avoids generic AI aesthetics."
@@ -55,7 +51,7 @@
   "plugins": [
     {
       "name": "auriga-workflow",
-      "description": "(Claude/Codex) The auriga workflow plugin: workflow skills — incremental-impl (implementation slicing), test-designer (independent test design), spec-design (requirement clarification), arch-design (architecture design), code-simplify (code simplification), session-compound (session compounding), goalify (autonomous /goal planning), deep-review (multi-dimensional PR review orchestrator), reviewer-creator (custom reviewer scaffolding), git-workflow (git lifecycle skill) — plus the git lifecycle hooks that enforce them: commit-reminder, pr-create-guard, pr-ready-guard, pr-merge-guard. Dual-Agent compatible (Claude Code + Codex).",
+      "description": "(Claude/Codex) The auriga workflow plugin: workflow skills — incremental-impl (implementation slicing), test-designer (independent test design), spec-design (requirement clarification), arch-design (architecture design), code-simplify (code simplification), session-compound (session compounding), goalify (autonomous /goal planning), deep-review (multi-dimensional PR review orchestrator), reviewer-creator (custom reviewer scaffolding), git-workflow (git lifecycle skill), documentation-and-adrs (architecture decision records and documentation discipline) — plus the git lifecycle hooks that enforce them: commit-reminder, pr-create-guard, pr-ready-guard, pr-merge-guard. Dual-Agent compatible (Claude Code + Codex).",
       "agents": [
         "claude",
         "codex"

package/dist/plugins.d.ts

@@ -54,22 +54,18 @@ export declare function installPlugins(packageRoot: string, opts: InstallOpts):
  *     surfaces nuanced failure modes (marketplace gone, network) that
  *     the caller needs to see verbatim.
  *
- *   Codex side: no `codex plugin uninstall` exists today (spec §10.4
- *     flagged this as v0.1 needs-confirm). We mimic the install path
- *     in reverse:
- *       1. Read + parse `~/.codex/config.toml`, delete `[plugins."<id>"]`,
- *          atomic write back. Throws on parse error (don't half-corrupt).
- *       2. rm `~/.codex/plugins/cache/<marketplace>/<plugin>/` directory.
- *     Both steps are idempotent — missing config / missing cache dir is
- *     a no-op (the user may have manually cleaned half of the install).
+ *   Codex side: shells out to `codex plugin remove <id>`, which deletes
+ *     the plugin from Codex's local config and cache. We deliberately do
+ *     NOT remove the marketplace itself — a single marketplace may host
+ *     multiple plugins, and tearing it down because one plugin left would
+ *     break the others. The user can `codex plugin marketplace remove`
+ *     separately when they want. Errors are propagated like the Claude
+ *     side; idempotency (removing an already-absent plugin) is the Codex
+ *     CLI's responsibility.
  *
- *     Caveat: we deliberately do NOT remove the marketplace itself. A
- *     single marketplace may host multiple plugins; tearing it down
- *     because one plugin left would break others. The user can
- *     `codex plugin marketplace remove` separately when they want.
- *
- * Validation happens before any I/O — a malformed id throws cleanly with
- * no side effects, so retries are safe.
+ * `parsePluginId` validates the id shape — and rejects shell
+ * metacharacters in either segment — before any command runs, so a
+ * malformed id throws cleanly with no side effects and retries are safe.
  */
 export declare function uninstallPlugin(id: string, agent: "claude" | "codex", opts: {
     cwd: string;

package/dist/plugins.js

@@ -2,8 +2,8 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { checkbox, select } from "@inquirer/prompts";
-import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
-import { codexLocalPluginPath, codexManifestPath, validateCodexMarketplace, } from "./codex-plugin-config.js";
+import { parse as parseToml } from "smol-toml";
+import { codexManifestPath, validateCodexMarketplace, } from "./codex-plugin-config.js";
 import { validateMarketplaceField } from "./marketplace.js";
 import { atomicWriteFile, exec, execAsync, log, withEsc } from "./utils.js";
 // Plugin names and plugin-package names end up in `claude plugins ...`
@@ -24,7 +24,6 @@ const MIGRATED_WORKFLOW_SKILLS = [
 const NOTIFY_PLUGIN_NAME = "auriga-notify";
 const WORKFLOW_SKILLS_PLUGIN_NAME = "auriga-workflow";
 const LEGACY_NOTIFY_MARKER = "auriga:notify";
-const CODEX_PLUGIN_VERSION_RE = /^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$/;
 function validateClaudeMarketplace(raw) {
     if (!raw || typeof raw !== "object") {
         throw new Error("Claude marketplace.json: root must be an object");
@@ -264,17 +263,6 @@ function resolveCodexPluginSelection(all, selected) {
 function codexHome() {
     return process.env.CODEX_HOME || path.join(os.homedir(), ".codex");
 }
-function codexMarketplaceCacheRoot(marketplaceName) {
-    return path.join(codexHome(), ".tmp", "marketplaces", marketplaceName);
-}
-function resolveCodexMarketplaceContentRoot(packageRoot, marketplaceName) {
-    const cachedRoot = codexMarketplaceCacheRoot(marketplaceName);
-    if (fs.existsSync(path.join(cachedRoot, ".agents", "plugins", "marketplace.json"))) {
-        return cachedRoot;
-    }
-    throw new Error(`Codex marketplace ${marketplaceName} cache missing at ${cachedRoot}. ` +
-        "Run `codex plugin marketplace add/upgrade` successfully before materializing local plugins.");
-}
 function shellQuote(value) {
     return `'${value.replace(/'/g, "'\\''")}'`;
 }
@@ -462,6 +450,35 @@ function codexExternalMarketplaceAddCommand(source) {
 function codexMarketplaceUpgradeCommand(marketplaceName) {
     return `codex plugin marketplace upgrade ${shellQuote(marketplaceName)}`;
 }
+// Capability probe for the native `codex plugin add` command. Older Codex
+// versions expose `codex plugin marketplace` but not `add`; probing the
+// subcommand's `--help` is version-number-agnostic — it needs no knowledge
+// of which Codex release introduced `add`, so it can't rot the way a
+// hardcoded minimum-version compare would. `--help` prints and exits 0
+// when the subcommand exists, and exits non-zero (throwing here) when it
+// doesn't.
+function codexSupportsPluginAdd() {
+    try {
+        exec("codex plugin add --help");
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+// `--enable plugins` turns on the global Codex plugins feature; `--enable
+// plugin_hooks` is appended only for plugins that ship hooks. We pass the
+// feature flags explicitly rather than relying on `codex plugin add` to
+// flip them — both flags are idempotent, so re-passing them across
+// multiple `add` calls is harmless. The plugin key (`<name>@<marketplace>`)
+// is validated upstream (PLUGIN_NAME_RE / MARKETPLACE_NAME_RE), so no
+// shell metacharacter can reach this interpolated command.
+function codexPluginAddCommand(pluginKey, hasHooks) {
+    const enable = hasHooks
+        ? "--enable plugins --enable plugin_hooks"
+        : "--enable plugins";
+    return `codex plugin add ${pluginKey} ${enable}`;
+}
 function commandErrorText(error) {
     if (!(error instanceof Error))
         return String(error);
@@ -538,131 +555,6 @@ function ensureCodexPluginManifests(packageRoot, plugins) {
         throw new Error(`Codex plugin ${plugin.name} manifest missing at ${manifestPath}`);
     }
 }
-function readCodexPluginVersion(packageRoot, plugin) {
-    const manifestPath = codexManifestPath(plugin);
-    if (!manifestPath) {
-        throw new Error(`Codex marketplace.json: plugin ${plugin.name} must use a local source.path`);
-    }
-    const manifest = JSON.parse(fs.readFileSync(path.join(packageRoot, manifestPath), "utf-8"));
-    if (typeof manifest.version !== "string" || !CODEX_PLUGIN_VERSION_RE.test(manifest.version)) {
-        throw new Error(`Codex plugin ${plugin.name} manifest must include a safe string version`);
-    }
-    return manifest.version;
-}
-function materializeLocalCodexPluginCache(packageRoot, marketplaceName, plugins) {
-    const cacheRoot = path.join(codexHome(), "plugins", "cache");
-    for (const plugin of plugins) {
-        const sourcePath = codexLocalPluginPath(plugin);
-        if (!sourcePath) {
-            throw new Error(`Codex marketplace.json: plugin ${plugin.name} must use a local source.path`);
-        }
-        const version = readCodexPluginVersion(packageRoot, plugin);
-        const sourceDir = path.join(packageRoot, sourcePath);
-        const destDir = path.join(cacheRoot, marketplaceName, plugin.name, version);
-        const tmpDir = `${destDir}.tmp-${process.pid}-${Date.now()}`;
-        fs.rmSync(tmpDir, { recursive: true, force: true });
-        fs.mkdirSync(path.dirname(destDir), { recursive: true });
-        fs.cpSync(sourceDir, tmpDir, { recursive: true });
-        fs.rmSync(destDir, { recursive: true, force: true });
-        fs.renameSync(tmpDir, destDir);
-        if (!fs.existsSync(path.join(destDir, ".codex-plugin", "plugin.json"))) {
-            throw new Error(`Codex plugin ${plugin.name} cache materialization did not produce plugin.json`);
-        }
-    }
-}
-function ensureTomlBoolean(content, section, key, value) {
-    const line = `${key} = ${value ? "true" : "false"}`;
-    const header = `[${section}]`;
-    const lines = content.length > 0 ? content.split(/\r?\n/) : [];
-    const start = lines.findIndex((l) => l.trim() === header);
-    if (start === -1) {
-        const prefix = content.trimEnd();
-        return `${prefix}${prefix ? "\n\n" : ""}${header}\n${line}\n`;
-    }
-    let end = lines.length;
-    for (let i = start + 1; i < lines.length; i += 1) {
-        if (/^\s*\[/.test(lines[i])) {
-            end = i;
-            break;
-        }
-    }
-    const keyRe = new RegExp(`^\\s*${key}\\s*=`);
-    for (let i = start + 1; i < end; i += 1) {
-        if (keyRe.test(lines[i])) {
-            lines[i] = line;
-            return lines.join("\n");
-        }
-    }
-    lines.splice(end, 0, line);
-    return lines.join("\n");
-}
-function parseCodexConfigToml(content, configPath) {
-    if (content.trim().length === 0)
-        return {};
-    try {
-        return parseToml(content);
-    }
-    catch (e) {
-        throw new Error(`Codex config.toml is invalid TOML at ${configPath}: ${e.message}`);
-    }
-}
-function isTomlTable(value) {
-    return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-function getOrCreateTomlTable(parent, key, pathLabel) {
-    const existing = parent[key];
-    if (existing === undefined) {
-        const table = {};
-        parent[key] = table;
-        return table;
-    }
-    if (!isTomlTable(existing)) {
-        throw new Error(`Codex config.toml: ${pathLabel} must be a TOML table`);
-    }
-    return existing;
-}
-function buildCodexPluginConfigToml(originalContent, configPath, pluginKeys, needsPluginHooks) {
-    const parsed = parseCodexConfigToml(originalContent, configPath);
-    const features = getOrCreateTomlTable(parsed, "features", "features");
-    features.plugins = true;
-    if (needsPluginHooks) {
-        features.plugin_hooks = true;
-    }
-    const plugins = getOrCreateTomlTable(parsed, "plugins", "plugins");
-    for (const pluginKey of pluginKeys) {
-        const plugin = getOrCreateTomlTable(plugins, pluginKey, `plugins.${JSON.stringify(pluginKey)}`);
-        plugin.enabled = true;
-    }
-    return stringifyToml(parsed);
-}
-function tryMinimalCodexPluginConfigToml(originalContent, configPath, pluginKeys, needsPluginHooks) {
-    let content = originalContent;
-    content = ensureTomlBoolean(content, "features", "plugins", true);
-    if (needsPluginHooks) {
-        content = ensureTomlBoolean(content, "features", "plugin_hooks", true);
-    }
-    for (const pluginKey of pluginKeys) {
-        content = ensureTomlBoolean(content, `plugins."${pluginKey}"`, "enabled", true);
-    }
-    try {
-        parseToml(content);
-        return content;
-    }
-    catch {
-        // Existing configs may use legal TOML forms such as inline tables
-        // (`features = { plugins = false }`). In that case, a local section
-        // insertion would redefine the table, so fall back to structured output.
-        parseCodexConfigToml(originalContent, configPath);
-        return null;
-    }
-}
-function enableCodexPluginConfig(configPath, pluginKeys, needsPluginHooks) {
-    fs.mkdirSync(path.dirname(configPath), { recursive: true });
-    const originalContent = fs.existsSync(configPath) ? fs.readFileSync(configPath, "utf-8") : "";
-    const minimalContent = tryMinimalCodexPluginConfigToml(originalContent, configPath, pluginKeys, needsPluginHooks);
-    const content = minimalContent ?? buildCodexPluginConfigToml(originalContent, configPath, pluginKeys, needsPluginHooks);
-    atomicWriteFile(configPath, content.endsWith("\n") ? content : `${content}\n`);
-}
 async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, expectedSource, opts, marketplaceExecOpts, failures) {
     const registeredSource = readCodexMarketplaceSource(marketplaceName);
     if (registeredSource !== null) {
@@ -706,29 +598,32 @@ async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, expecte
         failures.push(`codex marketplace ${marketplaceName}`);
     }
 }
-// Builds the `<name>@<marketplace>` config keys + decides whether
-// features.plugin_hooks needs to flip on. Local plugins resolve through
-// this repo's marketplace.json and require a manifest check + hooks
-// inspection; external plugins emit a key directly from extra_plugin_configs.json
-// (Codex CLI fetches the upstream manifest itself). External plugins do
-// NOT flip plugin_hooks today — we don't have access to the upstream
-// manifest at install time. Acceptable while no external plugin ships
-// hooks; once one does, prefer fetching the manifest or adding an
-// explicit `requiresPluginHooks: true` field on the extra config entry.
-async function composeCodexPluginKeys(pluginContentRoot, localMarketplace, selectedMarketplacePlugins, externalSelected) {
-    const pluginKeys = [];
-    let needsPluginHooks = false;
+// Builds the `codex plugin add` work list: one entry per selected plugin.
+// Local plugins resolve their hooks flag from this repo's manifest;
+// external plugins emit a key straight from extra_plugin_configs.json
+// (Codex CLI fetches the upstream manifest itself) and never set
+// `hasHooks` — we don't have their manifest at install time. Acceptable
+// while no external plugin ships hooks; once one does, prefer fetching the
+// manifest or adding an explicit flag to the extra config entry.
+function composeCodexPluginAdds(pluginContentRoot, localMarketplace, selectedMarketplacePlugins, externalSelected) {
+    const adds = [];
     if (localMarketplace) {
         for (const plugin of selectedMarketplacePlugins) {
-            pluginKeys.push(`${plugin.name}@${localMarketplace.name}`);
-            if (pluginHasHooks(pluginContentRoot, plugin))
-                needsPluginHooks = true;
+            adds.push({
+                key: `${plugin.name}@${localMarketplace.name}`,
+                name: plugin.name,
+                hasHooks: pluginHasHooks(pluginContentRoot, plugin),
+            });
         }
     }
     for (const p of externalSelected) {
-        pluginKeys.push(`${p.name}@${p.marketplace.name}`);
+        adds.push({
+            key: `${p.name}@${p.marketplace.name}`,
+            name: p.name,
+            hasHooks: false,
+        });
     }
-    return { pluginKeys, needsPluginHooks };
+    return adds;
 }
 async function installCodexPlugins(packageRoot, opts) {
     const installConfig = loadCodexInstallConfig(packageRoot);
@@ -756,6 +651,20 @@ async function installCodexPlugins(packageRoot, opts) {
         log.skip("No Codex plugins selected");
         return;
     }
+    // Version gate: native `codex plugin add` materializes the plugin cache
+    // and writes the enable config itself. Without it there is no supported
+    // install path — fail fast with an actionable upgrade hint rather than
+    // falling back to a hand-rolled cache/config mechanism. Under `--agent
+    // both` this throw is caught by installPlugins' aggregator, so the
+    // Claude-side install still completes (the Codex side is recorded as a
+    // failure).
+    if (!codexSupportsPluginAdd()) {
+        const msg = "Codex CLI does not support `codex plugin add` — upgrade the Codex CLI and retry";
+        if (!opts.interactive)
+            throw new Error(msg);
+        log.error(msg);
+        return;
+    }
     // Local plugins are described by this repo's .agents/plugins/marketplace.json.
     // External plugins come from extra_plugin_configs.json and are resolved by
     // Codex CLI itself when their marketplace is added — we only need to
@@ -799,24 +708,26 @@ async function installCodexPlugins(packageRoot, opts) {
         await addCodexMarketplaceWithRetry(mp.name, codexExternalMarketplaceAddCommand(mp.source), codexExternalMarketplaceSource(mp.source), opts, marketplaceExecOpts, failures);
     }
     if (failures.length === 0) {
-        const localMarketplaceContentRoot = localMarketplace
-            ? resolveCodexMarketplaceContentRoot(packageRoot, localMarketplace.name)
-            : packageRoot;
-        const effectiveLocalMarketplace = localMarketplace
-            ? loadCodexMarketplace(localMarketplaceContentRoot) ?? localMarketplace
-            : null;
-        const selectedMarketplacePlugins = effectiveLocalMarketplace
-            ? resolveSelectedCodexMarketplacePlugins(effectiveLocalMarketplace, localSelected)
+        // Hooks detection reads this repo's manifest directly: local plugins
+        // listed in .agents/plugins/marketplace.json are sourced from this
+        // repo, so packageRoot is the authoritative manifest location. The
+        // plugin payload itself is materialized by `codex plugin add` from the
+        // marketplace snapshot registered above — no manual cache copy.
+        const selectedMarketplacePlugins = localMarketplace
+            ? resolveSelectedCodexMarketplacePlugins(localMarketplace, localSelected)
             : [];
-        ensureCodexPluginManifests(localMarketplaceContentRoot, selectedMarketplacePlugins);
-        if (effectiveLocalMarketplace) {
-            materializeLocalCodexPluginCache(localMarketplaceContentRoot, effectiveLocalMarketplace.name, selectedMarketplacePlugins);
-        }
-        const { pluginKeys, needsPluginHooks } = await composeCodexPluginKeys(localMarketplaceContentRoot, effectiveLocalMarketplace, selectedMarketplacePlugins, externalSelected);
-        enableCodexPluginConfig(path.join(codexHome(), "config.toml"), pluginKeys, needsPluginHooks);
-        for (const plugin of [...localSelected, ...externalSelected]) {
-            log.ok(`${plugin.name} enabled for Codex`);
-            runPostInstallMigration(plugin.name, opts, ["codex"]);
+        ensureCodexPluginManifests(packageRoot, selectedMarketplacePlugins);
+        const pluginAdds = composeCodexPluginAdds(packageRoot, localMarketplace, selectedMarketplacePlugins, externalSelected);
+        for (const entry of pluginAdds) {
+            try {
+                exec(codexPluginAddCommand(entry.key, entry.hasHooks), marketplaceExecOpts);
+                log.ok(`Codex plugin ${entry.key} added`);
+                runPostInstallMigration(entry.name, opts, ["codex"]);
+            }
+            catch (e) {
+                log.error(`Failed to add Codex plugin ${entry.key}\n${commandErrorText(e)}`);
+                failures.push(`codex plugin ${entry.key}`);
+            }
         }
     }
     if (failures.length > 0 && !opts.interactive) {
@@ -1046,23 +957,6 @@ function parsePluginId(id) {
     }
     return { plugin: m[1], marketplace: m[2] };
 }
-/**
- * Remove `[plugins."<id>"]` from a parsed Codex config TOML tree.
- * Returns true if anything was removed. Idempotent: missing key → false.
- *
- * Pure function operating on the parsed tree — no I/O. Lets the test
- * harness assert tree shape without touching disk + lets the I/O wrapper
- * skip the atomic write when nothing changed.
- */
-function removeCodexPluginFromConfig(parsed, pluginId) {
-    const plugins = parsed.plugins;
-    if (!isTomlTable(plugins))
-        return false;
-    if (!(pluginId in plugins))
-        return false;
-    delete plugins[pluginId];
-    return true;
-}
 /**
  * Uninstall a single plugin.
  *
@@ -1071,25 +965,21 @@ function removeCodexPluginFromConfig(parsed, pluginId) {
  *     surfaces nuanced failure modes (marketplace gone, network) that
  *     the caller needs to see verbatim.
  *
- *   Codex side: no `codex plugin uninstall` exists today (spec §10.4
- *     flagged this as v0.1 needs-confirm). We mimic the install path
- *     in reverse:
- *       1. Read + parse `~/.codex/config.toml`, delete `[plugins."<id>"]`,
- *          atomic write back. Throws on parse error (don't half-corrupt).
- *       2. rm `~/.codex/plugins/cache/<marketplace>/<plugin>/` directory.
- *     Both steps are idempotent — missing config / missing cache dir is
- *     a no-op (the user may have manually cleaned half of the install).
- *
- *     Caveat: we deliberately do NOT remove the marketplace itself. A
- *     single marketplace may host multiple plugins; tearing it down
- *     because one plugin left would break others. The user can
- *     `codex plugin marketplace remove` separately when they want.
+ *   Codex side: shells out to `codex plugin remove <id>`, which deletes
+ *     the plugin from Codex's local config and cache. We deliberately do
+ *     NOT remove the marketplace itself — a single marketplace may host
+ *     multiple plugins, and tearing it down because one plugin left would
+ *     break the others. The user can `codex plugin marketplace remove`
+ *     separately when they want. Errors are propagated like the Claude
+ *     side; idempotency (removing an already-absent plugin) is the Codex
+ *     CLI's responsibility.
  *
- * Validation happens before any I/O — a malformed id throws cleanly with
- * no side effects, so retries are safe.
+ * `parsePluginId` validates the id shape — and rejects shell
+ * metacharacters in either segment — before any command runs, so a
+ * malformed id throws cleanly with no side effects and retries are safe.
  */
 export async function uninstallPlugin(id, agent, opts) {
-    const { plugin, marketplace } = parsePluginId(id);
+    parsePluginId(id);
     const emit = (line) => { opts.onLog?.(line); };
     if (agent === "claude") {
         // Note: scope is intentionally NOT specified. `claude plugins
@@ -1101,44 +991,10 @@ export async function uninstallPlugin(id, agent, opts) {
         emit(`uninstalled ${id} from Claude Code`);
         return;
     }
-    // Codex path.
-    const home = codexHome();
-    const configPath = path.join(home, "config.toml");
-    if (fs.existsSync(configPath)) {
-        const content = fs.readFileSync(configPath, "utf-8");
-        // Parse-then-mutate: any parse failure aborts BEFORE we touch the
-        // filesystem (cache dir removal also gets skipped) so a damaged
-        // config doesn't end up half-uninstalled. The test "config.toml
-        // damaged → throw before mutation" locks this in.
-        const parsed = parseCodexConfigToml(content, configPath);
-        const removed = removeCodexPluginFromConfig(parsed, id);
-        if (removed) {
-            const next = stringifyToml(parsed);
-            atomicWriteFile(configPath, next.endsWith("\n") ? next : `${next}\n`);
-            log.ok(`${id} disabled in Codex config.toml`);
-            emit(`removed ${id} from Codex config.toml`);
-        }
-        else {
-            log.skip(`${id} not present in Codex config.toml`);
-            emit(`${id} not present in Codex config.toml`);
-        }
-    }
-    else {
-        log.skip(`Codex config.toml not present`);
-        emit(`Codex config.toml not present`);
-    }
-    // Cache dir: ~/.codex/plugins/cache/<marketplace>/<plugin>/
-    // PLUGIN_ID_RE constrains both segments to a safe charset, so the
-    // path can't escape via injection. rmSync with recursive+force is
-    // the standard rm-rf idiom; missing dir is a no-op.
-    const cacheDir = path.join(home, "plugins", "cache", marketplace, plugin);
-    if (fs.existsSync(cacheDir)) {
-        fs.rmSync(cacheDir, { recursive: true, force: true });
-        log.ok(`${id} cache directory removed`);
-        emit(`removed Codex cache directory for ${id}`);
-    }
-    else {
-        log.skip(`${id} cache directory not present`);
-        emit(`Codex cache directory for ${id} not present`);
-    }
+    // Codex path: `codex plugin remove` deletes the plugin from Codex's
+    // local config and cache. `id` was validated above, so it carries no
+    // shell metacharacter.
+    exec(`codex plugin remove ${id}`, { cwd: opts.cwd, inherit: true });
+    log.ok(`${id} removed from Codex`);
+    emit(`removed ${id} from Codex`);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auriga-cli",
-  "version": "1.29.1",
+  "version": "1.30.0",
   "description": "Interactive CLI to install Claude Code harness modules (Workflow, Skills, Recommended Skills, Plugins)",
   "license": "MIT",
   "repository": {