chore: repin defect-scan v1.6.0 (both manifests) + manifest-sync CI (#45)

.agents/plugins/marketplace.json

@@ -24,7 +24,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/stylusnexus/defect-scan.git",
-        "ref": "v1.5.0"
+        "ref": "v1.6.0"
       },
       "policy": {
         "installation": "AVAILABLE",

.claude-plugin/marketplace.json

@@ -12,14 +12,14 @@
         "repo": "stylusnexus/work-plan-toolkit",
         "ref": "v2026.06.15-488753b"
       },
-      "description": "Track-aware daily planning over GitHub issues. Shared tracks (git-synced .work-plan/) optionally pinned to a canonical plan branch (plan-branch; push-track promotes a private track to it), AI clustering (group/auto-triage), coverage, plan-status doc liveness with drift detection, batched GraphQL fetches, and dependency-aware next-up with per-track ordering presets. Includes a theme-aware, accessible VS Code viewer — sidebar tree with a visibility×tier exposure badge, a Mermaid dependency graph with GitHub-native blocked-by edges, per-issue in-progress badge/toggle, blocked-by/blocking dependency chips, next-up controls (Set Next-Up + Set Next-Up Order preset picker), and a Plans view with confirm-gated frontmatter writes (verdict / acknowledge / drift-baseline), track↔plan links, fast-fail GitHub auth, and a gated GitHub issue-close."
+      "description": "Track-aware daily planning over GitHub issues. Shared tracks (git-synced .work-plan/) optionally pinned to a canonical plan branch (plan-branch; push-track promotes a private track to it), AI clustering (group/auto-triage), coverage, plan-status doc liveness with drift detection, batched GraphQL fetches, and dependency-aware next-up with per-track ordering presets. Includes a theme-aware, accessible VS Code viewer \u2014 sidebar tree with a visibility\u00d7tier exposure badge, a Mermaid dependency graph with GitHub-native blocked-by edges, per-issue in-progress badge/toggle, blocked-by/blocking dependency chips, next-up controls (Set Next-Up + Set Next-Up Order preset picker), and a Plans view with confirm-gated frontmatter writes (verdict / acknowledge / drift-baseline), track\u2194plan links, fast-fail GitHub auth, and a gated GitHub issue-close."
     },
     {
       "name": "defect-scan",
       "source": {
         "source": "github",
         "repo": "stylusnexus/defect-scan",
-        "ref": "v1.5.0"
+        "ref": "v1.6.0"
       },
       "description": "Language-aware defect hunter for Claude Code AND Codex. Detect stack -> triage by risk -> run real analyzers (ruff/mypy, tsc/eslint, rubocop/brakeman, +optional semgrep/gitleaks/bandit) -> reason with battle-tested patterns + 14 language profiles (python, react-typescript, ruby, go, csharp, java, kotlin, swift, php, rust, yaml, shell, dart) -> report (confidence-tiered, severity/priority, gh-issue-correlated) -> optionally file deduped/labeled issues (--file-issues), apply safe fixes (--fix), or second-opinion via Codex (--cross-model). Runs on macOS/Linux/Windows (WSL/Git-Bash or PowerShell shim); model-free eval harness; extensible drop-in profiles/patterns."
     }

.github/workflows/manifest-sync.yml

@@ -0,0 +1,16 @@
+name: manifest-sync
+# The Claude (.claude-plugin) and Codex (.agents) marketplace manifests must stay in
+# sync on every release — a drift hid defect-scan from Codex once. Gate it.
+on:
+  pull_request:
+  push:
+    branches: [main]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+      - name: Manifests in sync (plugins + refs)
+        run: sh scripts/check-manifest-sync.sh

scripts/check-manifest-sync.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env sh
+# Fail if the two marketplace manifests disagree. Claude Code reads
+# .claude-plugin/marketplace.json; Codex reads .agents/plugins/marketplace.json. They
+# use different source shapes (github+repo vs url+.git) but MUST agree on which plugins
+# exist and each plugin's pinned `ref` — otherwise a release silently ships to one
+# harness and not the other (defect-scan was invisible in Codex this way; see
+# stylusnexus/defect-scan#45).
+set -eu
+C=.claude-plugin/marketplace.json
+A=.agents/plugins/marketplace.json
+for f in "$C" "$A"; do [ -f "$f" ] || { echo "missing manifest: $f" >&2; exit 2; }; done
+fail=0
+cn=$(jq -r '.plugins[].name' "$C" | sort)
+an=$(jq -r '.plugins[].name' "$A" | sort)
+if [ "$cn" != "$an" ]; then
+  echo "MISMATCH: plugin sets differ." >&2
+  echo "  .claude-plugin: $(echo "$cn" | tr '\n' ' ')" >&2
+  echo "  .agents:        $(echo "$an" | tr '\n' ' ')" >&2
+  fail=1
+fi
+for name in $cn; do
+  echo "$an" | grep -qx "$name" || continue
+  cr=$(jq -r --arg n "$name" '.plugins[]|select(.name==$n)|.source.ref // "MISSING"' "$C")
+  ar=$(jq -r --arg n "$name" '.plugins[]|select(.name==$n)|.source.ref // "MISSING"' "$A")
+  if [ "$cr" != "$ar" ]; then
+    echo "MISMATCH: '$name' ref differs — .claude-plugin=$cr  .agents=$ar" >&2
+    fail=1
+  fi
+done
+[ "$fail" = 0 ] && echo "manifests in sync (same plugins, matching refs)"
+exit "$fail"