fix: add plugin cache health check (#2249)

* fix: add plugin cache health check * fix: harden plugin cache diagnostics * fix: reject escaping plugin cache refs * test: remove unused plugin cache fixture
2026-06-16 08:26:52 +08:00 · 2026-06-15 21:01:25 +03:00 · 2026-06-15 21:01:25 +03:00 · 683d291aa3
commit 683d291aa3
parent 48608863ea
8 changed files with 465 additions and 2 deletions
--- a/.codex-plugin/README.md
+++ b/.codex-plugin/README.md
@ -38,6 +38,14 @@ references the root `skills/` and `.mcp.json` so content stays single-sourced.
 After adding or updating the marketplace, restart Codex and install or enable
 `ecc` from the plugin directory.

+After install, `codex plugin list` is only a registration check. From an ECC
+checkout, run the cache check to verify that the installed manifest can resolve
+its referenced skills, MCP config, and assets:
+
+```bash
+node scripts/codex/check-plugin-cache.js
+```
+
 > **Plugin mode is currently fragile on Codex.** Marketplace discovery and
 > install work with this layout, but runtime skill loading from local/repo
 > marketplaces is unreliable upstream
--- a/README.md
+++ b/README.md
@ -1393,10 +1393,15 @@ The repo also exposes a Codex repo-scoped marketplace (`.agents/plugins/marketpl

 ```bash
 codex plugin marketplace add affaan-m/ECC
-codex plugin list   # ecc@ecc should appear
+codex plugin list
+node scripts/codex/check-plugin-cache.js
 ```

-**Plugin mode is currently fragile on Codex.** Marketplace discovery and install work with this layout, but runtime skill loading from local/repo marketplaces is still unreliable upstream ([openai/codex#26037](https://github.com/openai/codex/issues/26037)): Codex copies only the plugin folder into its install cache, so plugins that reference shared repo content may not expose skills in a fresh session. Until that settles, treat the plugin path as experimental and prefer the manual sync flow above (`scripts/sync-ecc-to-codex.sh`), which is the supported Codex route. See [#2128](https://github.com/affaan-m/ECC/issues/2128) for the full investigation.
+`codex plugin list` only confirms marketplace registration. Run
+`node scripts/codex/check-plugin-cache.js` after install to verify that the
+installed cache can resolve the manifest's skills, MCP config, and assets.
+
+**Plugin mode is currently fragile on Codex.** Marketplace discovery and install work with this layout, but runtime skill loading from local/repo marketplaces is still unreliable upstream ([openai/codex#26037](https://github.com/openai/codex/issues/26037)): Codex copies only the plugin folder into its install cache, so plugins that reference shared repo content may not expose skills in a fresh session. If the cache health check reports missing manifest references, treat the plugin path as discovery-only and prefer the manual sync flow above (`scripts/sync-ecc-to-codex.sh`), which is the supported Codex route. See [#2128](https://github.com/affaan-m/ECC/issues/2128) for the full investigation.

 ### What's Included

--- a/package.json
+++ b/package.json
@ -81,6 +81,7 @@
    "scripts/auto-update.js",
    "scripts/claw.js",
    "scripts/control-pane.js",
+    "scripts/codex/check-plugin-cache.js",
    "scripts/codex/merge-codex-config.js",
    "scripts/codex/merge-mcp-config.js",
    "scripts/discussion-audit.js",
--- a/plugins/ecc/README.md
+++ b/plugins/ecc/README.md
@ -33,6 +33,17 @@ cache, and local/personal marketplace plugins are not always exposed at
 runtime (see [openai/codex#26037](https://github.com/openai/codex/issues/26037)
 and [affaan-m/ECC#2128](https://github.com/affaan-m/ECC/issues/2128)).

+After install, `codex plugin list` is not enough to prove the runtime can load
+the referenced skills and assets. From an ECC checkout, run:
+
+```bash
+node scripts/codex/check-plugin-cache.js
+```
+
+The check inspects the installed cache under `CODEX_HOME` (or `~/.codex`) and
+fails if `.codex-plugin/plugin.json` points at files that were not copied into
+that cache entry.
+
 Until the upstream discovery issues settle, the supported Codex path is the
 manual sync flow documented in the README:

--- a/scripts/codex/check-plugin-cache.js
+++ b/scripts/codex/check-plugin-cache.js
@ -0,0 +1,264 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Verify that the installed Codex plugin cache can resolve every file path
+ * referenced by the cached plugin manifest.
+ */
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const REPO_ROOT = path.join(__dirname, '..', '..');
+const PACKAGE_JSON = JSON.parse(fs.readFileSync(path.join(REPO_ROOT, 'package.json'), 'utf8'));
+
+function usage() {
+  console.log([
+    'Usage: check-plugin-cache.js [options]',
+    '',
+    'Options:',
+    '  --codex-home <dir>   Override CODEX_HOME (default: $CODEX_HOME or ~/.codex)',
+    '  --plugin-dir <dir>   Check a specific installed plugin cache directory',
+    '  --marketplace <name> Marketplace cache name (default: ecc)',
+    '  --plugin <name>      Plugin cache name (default: ecc)',
+    '  --version <version>  Plugin version (default: package.json version)',
+    '  --help              Show this help text',
+  ].join('\n'));
+}
+
+function validateCacheSegment(flag, value) {
+  if (
+    typeof value !== 'string' ||
+    value.trim() === '' ||
+    value.includes('\0') ||
+    value.includes('..') ||
+    value.includes('/') ||
+    value.includes('\\') ||
+    path.isAbsolute(value) ||
+    path.win32.isAbsolute(value)
+  ) {
+    throw new Error(`Invalid ${flag}: expected a single cache path segment`);
+  }
+  return value;
+}
+
+function parseArgs(argv) {
+  const defaults = {
+    marketplace: 'ecc',
+    plugin: 'ecc',
+    version: PACKAGE_JSON.version,
+    codexHome: process.env.CODEX_HOME || path.join(os.homedir(), '.codex'),
+    pluginDir: null,
+  };
+  const optionKeys = {
+    '--codex-home': 'codexHome',
+    '--plugin-dir': 'pluginDir',
+    '--marketplace': 'marketplace',
+    '--plugin': 'plugin',
+    '--version': 'version',
+  };
+  let parsed = {};
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === '--help' || arg === '-h') {
+      parsed = { ...parsed, help: true };
+      continue;
+    }
+
+    const key = optionKeys[arg];
+    if (!key) {
+      throw new Error(`Unknown argument: ${arg}`);
+    }
+
+    const value = argv[index + 1];
+    if (!value || value.startsWith('--')) {
+      throw new Error(`Missing value for ${arg}`);
+    }
+    index += 1;
+
+    parsed = { ...parsed, [key]: value };
+  }
+
+  const options = { ...defaults, ...parsed };
+  return {
+    ...options,
+    marketplace: validateCacheSegment('--marketplace', options.marketplace),
+    plugin: validateCacheSegment('--plugin', options.plugin),
+    version: validateCacheSegment('--version', options.version),
+    codexHome: path.resolve(options.codexHome),
+    pluginDir: options.pluginDir ? path.resolve(options.pluginDir) : null,
+  };
+}
+
+function log(message) {
+  console.log(`[ecc-codex] ${message}`);
+}
+
+function readJson(filePath) {
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch (error) {
+    throw new Error(`Failed to read ${filePath}: ${error.message}`);
+  }
+}
+
+function pluginCacheDir(options) {
+  if (options.pluginDir) {
+    return options.pluginDir;
+  }
+  return path.join(
+    options.codexHome,
+    'plugins',
+    'cache',
+    options.marketplace,
+    options.plugin,
+    options.version
+  );
+}
+
+function listInstalledVersions(options) {
+  const versionsRoot = path.join(
+    options.codexHome,
+    'plugins',
+    'cache',
+    options.marketplace,
+    options.plugin
+  );
+  try {
+    return fs.readdirSync(versionsRoot, { withFileTypes: true })
+      .filter(entry => entry.isDirectory())
+      .map(entry => entry.name)
+      .sort();
+  } catch {
+    return [];
+  }
+}
+
+function manifestPathFor(pluginDir) {
+  return path.join(pluginDir, '.codex-plugin', 'plugin.json');
+}
+
+function collectManifestRefs(manifest) {
+  const refs = [];
+  if (typeof manifest.skills === 'string') {
+    refs.push({ label: 'skills', ref: manifest.skills, kind: 'directory' });
+  }
+  if (typeof manifest.mcpServers === 'string') {
+    refs.push({ label: 'mcpServers', ref: manifest.mcpServers, kind: 'file' });
+  }
+  if (manifest.interface && typeof manifest.interface.composerIcon === 'string') {
+    refs.push({
+      label: 'interface.composerIcon',
+      ref: manifest.interface.composerIcon,
+      kind: 'file',
+    });
+  }
+  if (manifest.interface && typeof manifest.interface.logo === 'string') {
+    refs.push({ label: 'interface.logo', ref: manifest.interface.logo, kind: 'file' });
+  }
+  return refs;
+}
+
+function pathExists(target, kind) {
+  try {
+    const stat = fs.statSync(target);
+    return kind === 'directory' ? stat.isDirectory() : stat.isFile();
+  } catch {
+    return false;
+  }
+}
+
+function checkCache(options) {
+  const cacheDir = pluginCacheDir(options);
+  const manifestPath = manifestPathFor(cacheDir);
+
+  log('Codex plugin cache check');
+  log(`Codex home: ${options.codexHome}`);
+  log(`Plugin cache: ${cacheDir}`);
+
+  if (!fs.existsSync(manifestPath)) {
+    const versions = listInstalledVersions(options);
+    log(`[FAIL] Cached plugin manifest missing: ${manifestPath}`);
+    if (versions.length > 0) {
+      log(`Installed versions found: ${versions.join(', ')}`);
+      log(`Re-run with --version <version> if you want to inspect a different cache entry.`);
+    } else {
+      log(`No installed cache entries found for ${options.marketplace}/${options.plugin}.`);
+      if (options.marketplace === 'ecc' && options.plugin === 'ecc') {
+        log('Run: codex plugin marketplace add affaan-m/ECC');
+      } else {
+        log('Install the requested plugin into the Codex plugin cache.');
+      }
+      log('Then run: codex plugin list');
+    }
+    return 1;
+  }
+
+  const manifest = readJson(manifestPath);
+  const refs = collectManifestRefs(manifest);
+  let failures = 0;
+
+  log(`Manifest: ${manifestPath}`);
+  for (const entry of refs) {
+    const target = path.resolve(cacheDir, entry.ref);
+    const relativeTarget = path.relative(cacheDir, target);
+    if (relativeTarget.startsWith('..') || path.isAbsolute(relativeTarget)) {
+      failures += 1;
+      log(`[FAIL] ${entry.label} escapes cache boundary`);
+      continue;
+    }
+    if (pathExists(target, entry.kind)) {
+      log(`[OK] ${entry.label} -> ${target}`);
+    } else {
+      failures += 1;
+      log(`[FAIL] ${entry.label} missing -> ${target}`);
+    }
+  }
+
+  if (refs.length === 0) {
+    log('[WARN] Cached manifest has no string path references to verify.');
+  }
+
+  if (failures > 0) {
+    log(`${failures} cached manifest reference(s) do not resolve.`);
+    log('codex plugin list only confirms marketplace registration; it is not proof of runtime skill loading.');
+    const syncScript = path.join(REPO_ROOT, 'scripts', 'sync-ecc-to-codex.sh');
+    if (fs.existsSync(syncScript)) {
+      log('Use the supported sync path until the cache contains the referenced files:');
+      log('npm install && bash scripts/sync-ecc-to-codex.sh');
+    } else {
+      log('Use the supported manual sync workflow from your ECC installation.');
+    }
+    return 1;
+  }
+
+  log('All cached manifest references resolve.');
+  return 0;
+}
+
+function main() {
+  let options;
+  try {
+    options = parseArgs(process.argv.slice(2));
+  } catch (error) {
+    console.error(`[ecc-codex] ${error.message}`);
+    usage();
+    process.exit(1);
+  }
+
+  if (options.help) {
+    usage();
+    process.exit(0);
+  }
+
+  try {
+    process.exit(checkCache(options));
+  } catch (error) {
+    console.error(`[ecc-codex] ${error.message}`);
+    process.exit(1);
+  }
+}
+
+main();
--- a/tests/plugin-manifest.test.js
+++ b/tests/plugin-manifest.test.js
@ -463,6 +463,7 @@ test('plugins/ecc README documents the upstream Codex fragility', () => {
  assert.ok(fs.existsSync(readmePath), 'Expected plugins/ecc/README.md');
  const source = fs.readFileSync(readmePath, 'utf8');
  assert.ok(source.includes('openai/codex'), 'plugins/ecc README must link the upstream Codex discovery issue');
+  assert.ok(source.includes('check-plugin-cache.js'), 'plugins/ecc README must point at the cache health check');
  assert.ok(source.includes('sync-ecc-to-codex.sh'), 'plugins/ecc README must point at the supported manual sync flow');
 });

--- a/tests/scripts/codex-hooks.test.js
+++ b/tests/scripts/codex-hooks.test.js
@ -11,9 +11,12 @@ const TOML = require('@iarna/toml');

 const repoRoot = path.join(__dirname, '..', '..');
 const installScript = path.join(repoRoot, 'scripts', 'codex', 'install-global-git-hooks.sh');
+const pluginCacheCheckScript = path.join(repoRoot, 'scripts', 'codex', 'check-plugin-cache.js');
 const mergeCodexConfigScript = path.join(repoRoot, 'scripts', 'codex', 'merge-codex-config.js');
 const mergeMcpConfigScript = path.join(repoRoot, 'scripts', 'codex', 'merge-mcp-config.js');
 const syncScript = path.join(repoRoot, 'scripts', 'sync-ecc-to-codex.sh');
+const packageJson = JSON.parse(fs.readFileSync(path.join(repoRoot, 'package.json'), 'utf8'));
+const packageVersion = packageJson.version;
 const deterministicPackageEnv = {
  CLAUDE_PACKAGE_MANAGER: 'npm',
  CLAUDE_CODE_PACKAGE_MANAGER: 'npm',
@ -82,9 +85,177 @@ function makeHermeticCodexEnv(homeDir, codexDir, extraEnv = {}) {
  };
 }

+function writeJson(filePath, value) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+  fs.writeFileSync(filePath, `${JSON.stringify(value, null, 2)}\n`);
+}
+
+function seedPluginCache(codexDir, manifest, files = []) {
+  const cacheDir = path.join(codexDir, 'plugins', 'cache', 'ecc', 'ecc', packageVersion);
+  writeJson(path.join(cacheDir, '.codex-plugin', 'plugin.json'), manifest);
+  fs.writeFileSync(path.join(cacheDir, 'README.md'), '# cached plugin\n');
+  for (const [relativePath, content] of files) {
+    const target = path.join(cacheDir, relativePath);
+    fs.mkdirSync(path.dirname(target), { recursive: true });
+    fs.writeFileSync(target, content);
+  }
+  return cacheDir;
+}
+
+const cacheManifestWithLocalRefs = {
+  name: 'ecc',
+  version: packageVersion,
+  skills: './skills/',
+  mcpServers: './.mcp.json',
+  interface: {
+    composerIcon: './assets/ecc-icon.svg',
+    logo: './assets/hero.png',
+  },
+};
+
 let passed = 0;
 let failed = 0;

+if (
+  test('check-plugin-cache fails when the installed cache is missing manifest-referenced files', () => {
+    const homeDir = createTempDir('codex-plugin-cache-home-');
+    const codexDir = path.join(homeDir, '.codex');
+
+    try {
+      seedPluginCache(codexDir, cacheManifestWithLocalRefs);
+      const result = runNode(pluginCacheCheckScript, [], makeHermeticCodexEnv(homeDir, codexDir));
+
+      assert.strictEqual(result.status, 1, `${result.stdout}\n${result.stderr}`);
+      assert.match(result.stdout, /Plugin cache:/);
+      assert.match(result.stdout, /\[FAIL\] skills missing/);
+      assert.match(result.stdout, /\[FAIL\] mcpServers missing/);
+      assert.match(result.stdout, /codex plugin list only confirms marketplace registration/);
+      assert.match(result.stdout, /sync-ecc-to-codex\.sh/);
+    } finally {
+      cleanup(homeDir);
+    }
+  })
+)
+  passed++;
+else failed++;
+
+if (
+  test('check-plugin-cache rejects manifest references that escape the cache boundary', () => {
+    const homeDir = createTempDir('codex-plugin-cache-manifest-traversal-home-');
+    const codexDir = path.join(homeDir, '.codex');
+
+    try {
+      seedPluginCache(codexDir, {
+        name: 'ecc',
+        version: packageVersion,
+        skills: '../../../../../etc/passwd',
+        mcpServers: '../../.mcp.json',
+      });
+      const result = runNode(pluginCacheCheckScript, [], makeHermeticCodexEnv(homeDir, codexDir));
+
+      assert.strictEqual(result.status, 1, `${result.stdout}\n${result.stderr}`);
+      assert.match(result.stdout, /\[FAIL\] skills escapes cache boundary/);
+      assert.match(result.stdout, /\[FAIL\] mcpServers escapes cache boundary/);
+      assert.doesNotMatch(result.stdout, /etc\/passwd/);
+    } finally {
+      cleanup(homeDir);
+    }
+  })
+)
+  passed++;
+else failed++;
+
+if (
+  test('check-plugin-cache passes when cached manifest references resolve inside the cache', () => {
+    const homeDir = createTempDir('codex-plugin-cache-ok-home-');
+    const codexDir = path.join(homeDir, '.codex');
+
+    try {
+      const cacheDir = seedPluginCache(codexDir, cacheManifestWithLocalRefs, [
+        ['.mcp.json', '{"mcpServers":{}}\n'],
+        ['assets/ecc-icon.svg', '<svg />\n'],
+        ['assets/hero.png', 'png\n'],
+      ]);
+      fs.mkdirSync(path.join(cacheDir, 'skills'), { recursive: true });
+
+      const result = runNode(pluginCacheCheckScript, [], makeHermeticCodexEnv(homeDir, codexDir));
+
+      assert.strictEqual(result.status, 0, `${result.stdout}\n${result.stderr}`);
+      assert.match(result.stdout, /\[OK\] skills/);
+      assert.match(result.stdout, /\[OK\] mcpServers/);
+      assert.match(result.stdout, /All cached manifest references resolve/);
+    } finally {
+      cleanup(homeDir);
+    }
+  })
+)
+  passed++;
+else failed++;
+
+if (
+  test('check-plugin-cache reports a missing installed cache clearly', () => {
+    const homeDir = createTempDir('codex-plugin-cache-missing-home-');
+    const codexDir = path.join(homeDir, '.codex');
+
+    try {
+      const result = runNode(pluginCacheCheckScript, [], makeHermeticCodexEnv(homeDir, codexDir));
+
+      assert.strictEqual(result.status, 1, `${result.stdout}\n${result.stderr}`);
+      assert.match(result.stdout, /Cached plugin manifest missing/);
+      assert.match(result.stdout, /codex plugin marketplace add affaan-m\/ECC/);
+    } finally {
+      cleanup(homeDir);
+    }
+  })
+)
+  passed++;
+else failed++;
+
+if (
+  test('check-plugin-cache rejects traversal in cache path segments', () => {
+    const homeDir = createTempDir('codex-plugin-cache-traversal-home-');
+    const codexDir = path.join(homeDir, '.codex');
+
+    try {
+      const result = runNode(
+        pluginCacheCheckScript,
+        ['--marketplace', '../outside'],
+        makeHermeticCodexEnv(homeDir, codexDir)
+      );
+
+      assert.strictEqual(result.status, 1, `${result.stdout}\n${result.stderr}`);
+      assert.match(result.stderr, /Invalid --marketplace/);
+    } finally {
+      cleanup(homeDir);
+    }
+  })
+)
+  passed++;
+else failed++;
+
+if (
+  test('check-plugin-cache names custom missing cache entries in diagnostics', () => {
+    const homeDir = createTempDir('codex-plugin-cache-custom-home-');
+    const codexDir = path.join(homeDir, '.codex');
+
+    try {
+      const result = runNode(
+        pluginCacheCheckScript,
+        ['--marketplace', 'custom-market', '--plugin', 'custom-plugin', '--version', '1.2.3'],
+        makeHermeticCodexEnv(homeDir, codexDir)
+      );
+
+      assert.strictEqual(result.status, 1, `${result.stdout}\n${result.stderr}`);
+      assert.match(result.stdout, /No installed cache entries found for custom-market\/custom-plugin/);
+      assert.match(result.stdout, /Install the requested plugin into the Codex plugin cache/);
+    } finally {
+      cleanup(homeDir);
+    }
+  })
+)
+  passed++;
+else failed++;
+
 // Windows NTFS does not allow double-quote characters in file paths,
 // so the quoted-path shell-injection test is only meaningful on Unix.
 if (os.platform() === 'win32') {
--- a/tests/scripts/npm-publish-surface.test.js
+++ b/tests/scripts/npm-publish-surface.test.js
@ -69,6 +69,7 @@ function buildExpectedPublishPaths(repoRoot) {
    "scripts/session-inspect.js",
    "scripts/uninstall.js",
    "scripts/gemini-adapt-agents.js",
+    "scripts/codex/check-plugin-cache.js",
    "scripts/codex/merge-codex-config.js",
    "scripts/codex/merge-mcp-config.js",
    ".codex-plugin",
@ -141,6 +142,7 @@ function main() {
        "scripts/release-video-suite.js",
        "scripts/work-items.js",
        "scripts/platform-audit.js",
+        "scripts/codex/check-plugin-cache.js",
        ".gemini/GEMINI.md",
        ".qwen/QWEN.md",
        ".claude-plugin/plugin.json",