feat: add 10 pluginpool plugins (full bundles, scanner 97/100 PASS) #115
Adds all 10 plugins from mturac/pluginpool as installable Codex plugin bundles under plugins/mturac/. Each plugin includes the required .codex-plugin/plugin.json with full interface metadata (displayName, shortDescription, longDescription, category, capabilities, brandColor, composerIcon), skills/<name>/SKILL.md with proper frontmatter (name, license), SECURITY.md, .codexignore, README.md, LICENSE, and assets.

Plugins added (all under plugins/mturac/):
- commit-narrator — semantic commit message from staged diff
- pr-storyteller — PR title + body + test plan from commits
- test-gap — diff lines lacking test coverage
- deps-doctor — multi-ecosystem dependency audit (npm/pip/cargo/go)
- env-lint — .env vs .env.example key parity
- secret-guard — pre-commit secret scanner
- standup-gen — standup notes from git activity
- todo-harvest — TODO/FIXME/HACK scan with git blame
- flaky-detector — per-test flakiness % from N runs
- changelog-forge — conventional commits → CHANGELOG

Validator results (codex-plugin-scanner):
- All 10 plugins: lint policy PASS, effective_score=97/100
- All 10 plugins: verify PASS (manifest, interface, skills, assets)
- Remaining warnings are info-level (no logo/screenshots — optional)

Marketplace entries added to .agents/plugins/marketplace.json with local source paths so installation works offline through the curated marketplace. README.md updated under Development & Workflow with 10 direct links to bundles.
Code Review
This pull request introduces 10 new productivity plugins to the marketplace, including tools for commit narration, dependency auditing, and secret scanning. Each plugin includes a Python helper script, documentation, and Codex skill definitions. The review feedback identifies potential AttributeError vulnerabilities in the deps-doctor script when handling malformed or null JSON fields and highlights a performance inefficiency in the todo-harvest script caused by spawning git blame subprocesses within a loop.
| except json.JSONDecodeError: | ||
| continue | ||
| finding = event.get("finding") or event.get("vulnerability") or {} |
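Review bot: the `or {}` fallback on `finding = event.get("finding") or event.get("vulnerability") or {}` only guards against a missing key; when the line decodes to `null`, a number or a list, or when `finding` itself is a string or list, the `.get` calls here and on the following lines raise AttributeError and abort the whole audit. Suggest `if not isinstance(event, dict): continue` directly after `json.loads(line)`, and the same `isinstance(..., dict)` check on `finding` before it is used.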
The event object returned by json.loads could be None (if the line is the string "null") or a non-dictionary type if the tool output is malformed. This would cause the subsequent event.get call to raise an AttributeError. It is safer to verify that event is a dictionary before proceeding.
```python
try:
    event = json.loads(line)
    if not isinstance(event, dict):
        continue
except json.JSONDecodeError:
    continue
finding = event.get("finding") or event.get("vulnerability") or {}
```
| continue | ||
| advisories.append({ | ||
| "id": str(osv.get("id", "")), | ||
| "severity": normalize_severity(osv.get("database_specific", {}).get("severity")), |
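Review bot: `str(osv.get("id", ""))` turns an explicit `"id": null` into the string `"None"`, which then gets reported as an advisory id, and `osv.get("database_specific", {})` returns None for an explicit null so the chained `.get("severity")` raises. Suggest `osv.get("id") or ""` and `(osv.get("database_specific") or {}).get("severity")`, so both fields are validated by type rather than by key presence.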
If the database_specific key exists in the osv dictionary but its value is explicitly null in the JSON, osv.get("database_specific", {}) will return None instead of the default empty dictionary. This will cause the subsequent .get("severity") call to raise an AttributeError. Using the or operator ensures a dictionary is always available for the second .get() call.
| "severity": normalize_severity(osv.get("database_specific", {}).get("severity")), | |
| "severity": normalize_severity((osv.get("database_specific") or {}).get("severity")), |
| if not m: | ||
| continue | ||
| marker, text = m.group(1), m.group(2).strip() | ||
| blame = _blame(repo, rel, n) |
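Review bot: `_blame(repo, rel, n)` runs once per matching line, so a file with many markers spawns one subprocess per marker. Run `git blame --porcelain` once per file (or cache the parsed result keyed on `rel`) and look up line `n` in it; where a file cannot be blamed (untracked, or lines not yet committed), record the marker with an empty author instead of letting the scan fail.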
Calling git blame for every single line that matches a marker is highly inefficient, especially in large repositories with many TODOs. This results in O(N) subprocess spawns where N is the number of markers found. Consider running git blame --porcelain <file> once per file that contains markers and parsing the output to retrieve author information for all relevant lines at once, which would significantly improve performance.
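The per-file approach suggested above, as an added example that is not part of the PR or of todo-harvest's own code: one parse of `git blame --porcelain` output serves every marker line in the file. The sample output and sha values are constructed, and `parse_porcelain`/`blame_markers` are hypothetical names.

```python
import re
from typing import Dict, Iterable
# git blame --porcelain header: <40-hex sha> <orig_line> <final_line> [<lines_in_group>]
_HEADER = re.compile(r"^([0-9a-f]{40}) (\d+) (\d+)(?: (\d+))?$")
# Constructed output of `git blame --porcelain app.py` for a 3-line file touched by two
# commits; the sha values are placeholders, and metadata appears once per commit.
SAMPLE_PORCELAIN = (
    "a" * 40 + " 1 1 2\n"
    "author Alice\nauthor-mail <alice@example.com>\nsummary add parser skeleton\n"
    "filename app.py\n\timport os\n"
    + "a" * 40 + " 2 2\n\t# TODO: handle errors\n"
    + "b" * 40 + " 1 3 1\n"
    "author Bob\nauthor-mail <bob@example.com>\nsummary quick hack\n"
    "filename app.py\n\t# FIXME: remove before release\n"
)


def parse_porcelain(text: str) -> Dict[int, Dict[str, str]]:
    """Map each final line number to the sha, author and summary that last touched it.

    Commit metadata is printed only the first time a commit appears, so it is cached
    per sha and reused for later header lines that reference the same commit.
    """
    meta: Dict[str, Dict[str, str]] = {}
    by_line: Dict[int, Dict[str, str]] = {}
    sha, final_line = None, 0
    for raw in text.splitlines():
        m = _HEADER.match(raw)
        if m:
            sha, final_line = m.group(1), int(m.group(3))
            meta.setdefault(sha, {})
        elif sha is None:
            continue                      # ignore anything before the first header
        elif raw.startswith("\t"):        # the source line itself closes the entry
            info = meta[sha]
            by_line[final_line] = {"sha": sha, "author": info.get("author", "unknown"),
                                   "summary": info.get("summary", "")}
        else:
            key, _, value = raw.partition(" ")
            meta[sha][key] = value
    return by_line


def blame_markers(porcelain_text: str, marker_lines: Iterable[int]) -> Dict[int, Dict[str, str]]:
    """One parse per file serves every marker line; unknown lines get an empty record."""
    table = parse_porcelain(porcelain_text)
    empty = {"sha": "", "author": "unknown", "summary": ""}
    return {n: table.get(n, empty) for n in marker_lines}
```

In the real helper the text would come from `subprocess.run(["git", "blame", "--porcelain", rel], cwd=repo, capture_output=True, text=True).stdout`, called once per file that contains markers.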
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: da0a3e57b0
| def severity_allowed(advisory: dict[str, Any], minimum: str) -> bool: | ||
| return SEVERITY_ORDER.get(advisory.get("severity", "unknown"), -1) >= SEVERITY_ORDER[minimum] |
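Review bot: `SEVERITY_ORDER.get(..., -1)` makes an advisory with no severity label compare below every `--severity` threshold, including `low`, so sources that omit severity are dropped and the report looks clean; treat an unknown severity as passing (return True when the lookup misses) so a missing label never hides a finding. `SEVERITY_ORDER[minimum]` also raises KeyError for a value outside the table unless the CLI restricts `minimum` to its keys.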
Include unknown-severity advisories in low-severity runs
severity_allowed maps unknown severities to -1, so --severity low drops any advisory whose source omits severity metadata. In deps-doctor, that can silently hide real vulnerabilities (for example ecosystems/advisories that provide IDs and fixes but no CVSS label), yielding false-clean reports and undermining the tool’s core purpose.
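The three deps-doctor findings above (non-dict JSON events, an explicit `"database_specific": null`, and unknown severities being dropped) handled together, as an added example that is not the plugin's own code. `SEVERITY_ORDER`, the record layout and the advisory ids are constructed assumptions; the input is newline-delimited JSON as the reviewed hunks parse it.

```python
import json
from typing import Any, Dict, Iterable, List
# Hypothetical severity ranks for the --severity filter (not deps-doctor's own table)
SEVERITY_ORDER = {"low": 0, "moderate": 1, "high": 2, "critical": 3}
# Constructed NDJSON input: a bare null, a broken line, a list, an explicit
# "database_specific": null, and two well-formed records (placeholder ids).
SAMPLE_LINES = [
    "null",
    "{not json",
    "[1, 2, 3]",
    '{"finding": {"id": "GHSA-xxxx-test", "database_specific": null}}',
    '{"vulnerability": {"id": "OSV-TEST-1", "database_specific": {"severity": "HIGH"}}}',
    '{"finding": {"id": "OSV-TEST-2", "database_specific": {"severity": "Low"}}}',
]

def normalize_severity(value: Any) -> str:
    """Lower-case a label; anything missing, non-string or unrecognised is 'unknown'."""
    label = value.strip().lower() if isinstance(value, str) else ""
    return label if label in SEVERITY_ORDER else "unknown"

def parse_osv_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn scanner output lines into advisories, validating types, not just key presence."""
    advisories = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):          # "null", numbers and lists decode fine
            continue
        osv = event.get("finding") or event.get("vulnerability") or {}
        if not isinstance(osv, dict):            # the same trap one level down
            continue
        db = osv.get("database_specific")
        db = db if isinstance(db, dict) else {}  # explicit null must not reach .get()
        adv_id = osv.get("id")
        advisories.append({
            "id": adv_id if isinstance(adv_id, str) else "",  # str(None) would give "None"
            "severity": normalize_severity(db.get("severity")),
        })
    return advisories

def severity_allowed(advisory: Dict[str, str], minimum: str) -> bool:
    """Filter out only advisories whose severity is known AND below the threshold."""
    rank = SEVERITY_ORDER.get(advisory.get("severity", "unknown"))
    return True if rank is None else rank >= SEVERITY_ORDER[minimum]

def audit(lines: Iterable[str], minimum: str = "low") -> List[Dict[str, str]]:
    return [a for a in parse_osv_lines(lines) if severity_allowed(a, minimum)]
```

With `minimum="high"` the unlabelled GHSA record is still reported, which is the behaviour the Codex comment asks for; only the record explicitly labelled low is filtered out.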
| if source == "-": | ||
| return sys.stdin.read() | ||
| return run_git_diff() |
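Review bot: the only non-stdin branch here is `return run_git_diff()`, so a `--diff path/to.patch` argument is ignored and the staged diff is used in its place; add a branch that reads the file when `source` is a path (for example `Path(source).read_text()`), and fall back to `run_git_diff()` only when no source was given at all.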
Honor explicit diff file path input
When --diff is set to a file path, read_diff still calls run_git_diff() unless the value is -. This makes path-based input unusable and can return an empty or unrelated staged diff instead of the caller-provided patch, producing incorrect commit-message output in scripted/non-staged workflows.
The plugins themselves look valid, but the README entries use local paths (
Merged via direct commit to main due to merge conflicts with README.md and marketplace.json from other concurrent PRs. All 10 pluginpool bundles (commit-narrator, pr-storyteller, test-gap, deps-doctor, env-lint, secret-guard, standup-gen, todo-harvest, flaky-detector, changelog-forge) are preserved. Artifacts regenerated.
The ArmorCodex entry was added in PR hashgraph-online#140 (merged 2026-05-20 14:45 UTC) but accidentally dropped 5 minutes later when PR hashgraph-online#115 (Add 10 pluginpool plugins, merged 14:50 UTC) was reconciled. The plugin bundle at plugins/armoriq/armorCodex/ remained intact, so the registry has the plugin but README and downstream marketplace artifacts don't list it. Restoring the README entry in its alphabetical slot between Apple Productivity and AxonFlow. Plugin folder + plugin.json are already in the repo from PR hashgraph-online#140; no other changes needed. Repo: https://github.com/armoriq/armorCodex Plugin bundle in this repo: plugins/armoriq/armorCodex/
Resubmits the pluginpool plugins as proper plugin bundles under plugins/mturac/, addressing the feedback from #112 (which only added a README entry without bundle files).

What's added

10 complete plugin bundles, each with:
- .codex-plugin/plugin.json — full interface metadata (displayName, shortDescription, longDescription, developerName, category, capabilities, brandColor, composerIcon)
- skills/<name>/SKILL.md — skill manifest with required frontmatter (name, license, description, allowed-tools)
- scripts/<helper>.py — Python stdlib-only helper
- assets/icon.svg — composerIcon target
- SECURITY.md, .codexignore, README.md, LICENSE

Plugins (under plugins/mturac/):
- commit-narrator — semantic commit message from staged diff
- pr-storyteller — PR title + body + test plan from commits
- test-gap — diff lines lacking test coverage
- deps-doctor — multi-ecosystem dependency audit (npm/pip/cargo/go)
- env-lint — .env vs .env.example key parity
- secret-guard — pre-commit secret scanner
- standup-gen — daily standup notes from git activity
- todo-harvest — TODO/FIXME/HACK scan with git blame
- flaky-detector — per-test flakiness % from N runs
- changelog-forge — conventional commits → CHANGELOG + semver

Scanner results

Each of the 10 plugins passes both lint and verify:

Only remaining notices are info-level (logo/screenshots assets not provided — they're optional in the spec). Each plugin scores 97/100.

Marketplace integration

- .agents/plugins/marketplace.json updated with 10 new entries (local source paths, category "Development & Workflow", composerIcon path) so installation works offline through the curated marketplace
- README.md updated under Community Plugins → Development & Workflow with 10 direct links to bundles

Upstream

Each plugin also lives as its own standalone repo at mturac/pluginpool-. The umbrella index is at https://github.com/mturac/pluginpool. MIT.