npm - auriga-cli - Versions diffs - 1.30.0 → 1.30.1 - Mend

auriga-cli 1.30.0 → 1.30.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/catalog.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-05-19T07:23:20.929Z",
+  "generatedAt": "2026-05-19T08:10:18.388Z",
   "workflowSkills": [
     {
       "name": "planning-with-files",

package/dist/plugins.js CHANGED Viewed

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { checkbox, select } from "@inquirer/prompts";
 import { parse as parseToml } from "smol-toml";
-import { codexManifestPath, validateCodexMarketplace, } from "./codex-plugin-config.js";
+import { validateCodexMarketplace, } from "./codex-plugin-config.js";
 import { validateMarketplaceField } from "./marketplace.js";
 import { atomicWriteFile, exec, execAsync, log, withEsc } from "./utils.js";
 // Plugin names and plugin-package names end up in `claude plugins ...`
@@ -467,12 +467,15 @@ function codexSupportsPluginAdd() {
     }
 }
 // `--enable plugins` turns on the global Codex plugins feature; `--enable
-// plugin_hooks` is appended only for plugins that ship hooks. We pass the
-// feature flags explicitly rather than relying on `codex plugin add` to
-// flip them — both flags are idempotent, so re-passing them across
-// multiple `add` calls is harmless. The plugin key (`<name>@<marketplace>`)
-// is validated upstream (PLUGIN_NAME_RE / MARKETPLACE_NAME_RE), so no
-// shell metacharacter can reach this interpolated command.
+// plugin_hooks` turns on the global plugin-hooks feature. Both are plain
+// Codex feature toggles (`-c features.<name>=true`), not per-plugin state —
+// `plugin_hooks` is appended for first-party plugins, which ship hooks, and
+// is harmless for any that don't (the feature simply has no hooks to run).
+// We do not inspect plugin payload to decide this: Codex owns plugin
+// content via `codex plugin add`, and the published CLI never fetches the
+// payload anyway. The plugin key (`<name>@<marketplace>`) is validated
+// upstream (PLUGIN_NAME_RE / MARKETPLACE_NAME_RE), so no shell
+// metacharacter can reach this interpolated command.
 function codexPluginAddCommand(pluginKey, hasHooks) {
     const enable = hasHooks
         ? "--enable plugins --enable plugin_hooks"
@@ -524,16 +527,6 @@ function readCodexMarketplaceSource(marketplaceName) {
 function isCodexMarketplaceDifferentSource(error) {
     return /already added from a different source/i.test(commandErrorText(error));
 }
-function pluginHasHooks(packageRoot, plugin) {
-    const relativeManifestPath = codexManifestPath(plugin);
-    if (!relativeManifestPath)
-        return false;
-    const manifestPath = path.join(packageRoot, relativeManifestPath);
-    if (!fs.existsSync(manifestPath))
-        return false;
-    const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf-8"));
-    return typeof manifest.hooks === "string" || Array.isArray(manifest.hooks);
-}
 function resolveSelectedCodexMarketplacePlugins(localMarketplace, localSelected) {
     const localMpByName = new Map(localMarketplace.plugins.map((p) => [p.name, p]));
     return localSelected.map((p) => {
@@ -544,17 +537,6 @@ function resolveSelectedCodexMarketplacePlugins(localMarketplace, localSelected)
         return plugin;
     });
 }
-function ensureCodexPluginManifests(packageRoot, plugins) {
-    for (const plugin of plugins) {
-        const manifestPath = codexManifestPath(plugin);
-        if (!manifestPath) {
-            throw new Error(`Codex marketplace.json: plugin ${plugin.name} must use a local source.path`);
-        }
-        if (fs.existsSync(path.join(packageRoot, manifestPath)))
-            continue;
-        throw new Error(`Codex plugin ${plugin.name} manifest missing at ${manifestPath}`);
-    }
-}
 async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, expectedSource, opts, marketplaceExecOpts, failures) {
     const registeredSource = readCodexMarketplaceSource(marketplaceName);
     if (registeredSource !== null) {
@@ -599,20 +581,22 @@ async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, expecte
     }
 }
 // Builds the `codex plugin add` work list: one entry per selected plugin.
-// Local plugins resolve their hooks flag from this repo's manifest;
-// external plugins emit a key straight from extra_plugin_configs.json
-// (Codex CLI fetches the upstream manifest itself) and never set
-// `hasHooks` — we don't have their manifest at install time. Acceptable
-// while no external plugin ships hooks; once one does, prefer fetching the
-// manifest or adding an explicit flag to the extra config entry.
-function composeCodexPluginAdds(pluginContentRoot, localMarketplace, selectedMarketplacePlugins, externalSelected) {
+// Local (first-party) plugins always enable `plugin_hooks` — they ship
+// hooks, and the flag is a harmless global toggle for any that don't. We
+// deliberately do not inspect plugin payload to decide this: Codex owns
+// plugin content via `codex plugin add`, and the published CLI never
+// fetches the payload. External plugins emit a key straight from
+// extra_plugin_configs.json (Codex CLI fetches the upstream manifest
+// itself) and never set `hasHooks` — acceptable while no external plugin
+// ships hooks; once one does, add an explicit flag to the extra config entry.
+function composeCodexPluginAdds(localMarketplace, selectedMarketplacePlugins, externalSelected) {
     const adds = [];
     if (localMarketplace) {
         for (const plugin of selectedMarketplacePlugins) {
             adds.push({
                 key: `${plugin.name}@${localMarketplace.name}`,
                 name: plugin.name,
-                hasHooks: pluginHasHooks(pluginContentRoot, plugin),
+                hasHooks: true,
             });
         }
     }
@@ -708,16 +692,14 @@ async function installCodexPlugins(packageRoot, opts) {
         await addCodexMarketplaceWithRetry(mp.name, codexExternalMarketplaceAddCommand(mp.source), codexExternalMarketplaceSource(mp.source), opts, marketplaceExecOpts, failures);
     }
     if (failures.length === 0) {
-        // Hooks detection reads this repo's manifest directly: local plugins
-        // listed in .agents/plugins/marketplace.json are sourced from this
-        // repo, so packageRoot is the authoritative manifest location. The
-        // plugin payload itself is materialized by `codex plugin add` from the
-        // marketplace snapshot registered above — no manual cache copy.
+        // The plugin payload is materialized by `codex plugin add` from the
+        // marketplace snapshot registered above — no manual cache copy, and no
+        // local manifest inspection. A plugin missing from the snapshot surfaces
+        // as a `codex plugin add` failure, already caught and aggregated below.
         const selectedMarketplacePlugins = localMarketplace
             ? resolveSelectedCodexMarketplacePlugins(localMarketplace, localSelected)
             : [];
-        ensureCodexPluginManifests(packageRoot, selectedMarketplacePlugins);
-        const pluginAdds = composeCodexPluginAdds(packageRoot, localMarketplace, selectedMarketplacePlugins, externalSelected);
+        const pluginAdds = composeCodexPluginAdds(localMarketplace, selectedMarketplacePlugins, externalSelected);
         for (const entry of pluginAdds) {
             try {
                 exec(codexPluginAddCommand(entry.key, entry.hasHooks), marketplaceExecOpts);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auriga-cli",
-  "version": "1.30.0",
+  "version": "1.30.1",
   "description": "Interactive CLI to install Claude Code harness modules (Workflow, Skills, Recommended Skills, Plugins)",
   "license": "MIT",
   "repository": {