From 40d70f391b493dd489d4eec02a0af700a0764b7f Mon Sep 17 00:00:00 2001 From: Eve McGivern Date: Mon, 15 Jun 2026 13:30:44 -0500 Subject: [PATCH] chore: repin defect-scan to v1.6.0 (both manifests) + add manifest-sync CI - Bump defect-scan -> v1.6.0 in BOTH .claude-plugin/marketplace.json (Claude) and .agents/plugins/marketplace.json (Codex). The .agents bump carries the new .codex-plugin display name ('Defect Scan') into Codex. - Add scripts/check-manifest-sync.sh + .github/workflows/manifest-sync.yml: fails if the two manifests disagree on the plugin set or any plugin's ref. Prevents the drift that hid defect-scan from Codex (stylusnexus/defect-scan#45). Co-Authored-By: Claude Opus 4.8 --- .agents/plugins/marketplace.json | 2 +- .claude-plugin/marketplace.json | 4 ++-- .github/workflows/manifest-sync.yml | 16 +++++++++++++++ scripts/check-manifest-sync.sh | 31 +++++++++++++++++++++++++++++ 4 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/manifest-sync.yml create mode 100755 scripts/check-manifest-sync.sh diff --git a/.agents/plugins/marketplace.json b/.agents/plugins/marketplace.json index c837e72..d78a10b 100644 --- a/.agents/plugins/marketplace.json +++ b/.agents/plugins/marketplace.json @@ -24,7 +24,7 @@ "source": { "source": "url", "url": "https://github.com/stylusnexus/defect-scan.git", - "ref": "v1.5.0" + "ref": "v1.6.0" }, "policy": { "installation": "AVAILABLE", diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 58cb193..b5c3bcb 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -12,14 +12,14 @@ "repo": "stylusnexus/work-plan-toolkit", "ref": "v2026.06.15-488753b" }, - "description": "Track-aware daily planning over GitHub issues. Shared tracks (git-synced .work-plan/) optionally pinned to a canonical plan branch (plan-branch; push-track promotes a private track to it), AI clustering (group/auto-triage), coverage, plan-status doc liveness with drift detection, batched GraphQL fetches, and dependency-aware next-up with per-track ordering presets. Includes a theme-aware, accessible VS Code viewer — sidebar tree with a visibility×tier exposure badge, a Mermaid dependency graph with GitHub-native blocked-by edges, per-issue in-progress badge/toggle, blocked-by/blocking dependency chips, next-up controls (Set Next-Up + Set Next-Up Order preset picker), and a Plans view with confirm-gated frontmatter writes (verdict / acknowledge / drift-baseline), track↔plan links, fast-fail GitHub auth, and a gated GitHub issue-close." + "description": "Track-aware daily planning over GitHub issues. Shared tracks (git-synced .work-plan/) optionally pinned to a canonical plan branch (plan-branch; push-track promotes a private track to it), AI clustering (group/auto-triage), coverage, plan-status doc liveness with drift detection, batched GraphQL fetches, and dependency-aware next-up with per-track ordering presets. Includes a theme-aware, accessible VS Code viewer \u2014 sidebar tree with a visibility\u00d7tier exposure badge, a Mermaid dependency graph with GitHub-native blocked-by edges, per-issue in-progress badge/toggle, blocked-by/blocking dependency chips, next-up controls (Set Next-Up + Set Next-Up Order preset picker), and a Plans view with confirm-gated frontmatter writes (verdict / acknowledge / drift-baseline), track\u2194plan links, fast-fail GitHub auth, and a gated GitHub issue-close." }, { "name": "defect-scan", "source": { "source": "github", "repo": "stylusnexus/defect-scan", - "ref": "v1.5.0" + "ref": "v1.6.0" }, "description": "Language-aware defect hunter for Claude Code AND Codex. Detect stack -> triage by risk -> run real analyzers (ruff/mypy, tsc/eslint, rubocop/brakeman, +optional semgrep/gitleaks/bandit) -> reason with battle-tested patterns + 14 language profiles (python, react-typescript, ruby, go, csharp, java, kotlin, swift, php, rust, yaml, shell, dart) -> report (confidence-tiered, severity/priority, gh-issue-correlated) -> optionally file deduped/labeled issues (--file-issues), apply safe fixes (--fix), or second-opinion via Codex (--cross-model). Runs on macOS/Linux/Windows (WSL/Git-Bash or PowerShell shim); model-free eval harness; extensible drop-in profiles/patterns." } diff --git a/.github/workflows/manifest-sync.yml b/.github/workflows/manifest-sync.yml new file mode 100644 index 0000000..1c02163 --- /dev/null +++ b/.github/workflows/manifest-sync.yml @@ -0,0 +1,16 @@ +name: manifest-sync +# The Claude (.claude-plugin) and Codex (.agents) marketplace manifests must stay in +# sync on every release — a drift hid defect-scan from Codex once. Gate it. +on: + pull_request: + push: + branches: [main] +jobs: + check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq + - name: Manifests in sync (plugins + refs) + run: sh scripts/check-manifest-sync.sh diff --git a/scripts/check-manifest-sync.sh b/scripts/check-manifest-sync.sh new file mode 100755 index 0000000..76e8fc7 --- /dev/null +++ b/scripts/check-manifest-sync.sh @@ -0,0 +1,31 @@ +#!/usr/bin/env sh +# Fail if the two marketplace manifests disagree. Claude Code reads +# .claude-plugin/marketplace.json; Codex reads .agents/plugins/marketplace.json. They +# use different source shapes (github+repo vs url+.git) but MUST agree on which plugins +# exist and each plugin's pinned `ref` — otherwise a release silently ships to one +# harness and not the other (defect-scan was invisible in Codex this way; see +# stylusnexus/defect-scan#45). +set -eu +C=.claude-plugin/marketplace.json +A=.agents/plugins/marketplace.json +for f in "$C" "$A"; do [ -f "$f" ] || { echo "missing manifest: $f" >&2; exit 2; }; done +fail=0 +cn=$(jq -r '.plugins[].name' "$C" | sort) +an=$(jq -r '.plugins[].name' "$A" | sort) +if [ "$cn" != "$an" ]; then + echo "MISMATCH: plugin sets differ." >&2 + echo " .claude-plugin: $(echo "$cn" | tr '\n' ' ')" >&2 + echo " .agents: $(echo "$an" | tr '\n' ' ')" >&2 + fail=1 +fi +for name in $cn; do + echo "$an" | grep -qx "$name" || continue + cr=$(jq -r --arg n "$name" '.plugins[]|select(.name==$n)|.source.ref // "MISSING"' "$C") + ar=$(jq -r --arg n "$name" '.plugins[]|select(.name==$n)|.source.ref // "MISSING"' "$A") + if [ "$cr" != "$ar" ]; then + echo "MISMATCH: '$name' ref differs — .claude-plugin=$cr .agents=$ar" >&2 + fail=1 + fi +done +[ "$fail" = 0 ] && echo "manifests in sync (same plugins, matching refs)" +exit "$fail"