Add release and dev-link safety checks

Use package metadata for MCP/app-server versions and verify committed dist in CI.

Harden the Claude development symlink installer with dry-run and safer replacement behavior.

Co-Authored-By: OpenAI Codex <noreply@openai.com>

Author: xuio

.github/workflows/ci.yml

@@ -34,3 +34,6 @@ jobs:
 
       - name: Test
         run: npm run test:ci
+
+      - name: Verify committed dist
+        run: git diff --exit-code -- dist/index.js

dist/index.js

@@ -23621,6 +23621,14 @@ function isParallelResult(value) {
 // src/app-server.ts
 import { spawn as spawn2 } from "node:child_process";
 import { stat as stat2 } from "node:fs/promises";
+
+// src/version.ts
+import { createRequire } from "node:module";
+var require2 = createRequire(import.meta.url);
+var packageJson = require2("../package.json");
+var packageVersion = packageJson.version ?? "0.0.0";
+
+// src/app-server.ts
 var maxPendingJsonLineChars2 = 1e6;
 var AppServerUnavailableError = class extends Error {
   constructor(message) {
@@ -23884,7 +23892,7 @@ var CodexAppServerSession = class _CodexAppServerSession {
   }
   async initialize(timeoutMs) {
     const initialized = await this.request("initialize", {
-      clientInfo: { name: "claude-code-codex-subagents", version: "0.1.1" },
+      clientInfo: { name: "claude-code-codex-subagents", version: packageVersion },
       capabilities: null
     }, timeoutMs);
     this.capabilities.initialize = true;
@@ -25521,7 +25529,7 @@ var usageGuide = [
 var server = new McpServer(
   {
     name: "codex-subagents",
-    version: "0.1.0"
+    version: packageVersion
   },
   {
     instructions: usageGuide

package.json

@@ -18,6 +18,7 @@
   },
   "scripts": {
     "build": "tsc --noEmit && esbuild src/index.ts --bundle --platform=node --target=node20 --format=esm --outfile=dist/index.js --banner:js='#!/usr/bin/env node' && chmod 755 dist/index.js",
+    "check:dist": "npm run build && git diff --exit-code -- dist/index.js",
     "test": "vitest run",
     "test:watch": "vitest",
     "dev:link": "node scripts/link-claude-dev-plugin.mjs",

scripts/link-claude-dev-plugin.mjs

@@ -1,10 +1,11 @@
-import { lstat, mkdir, readFile, realpath, rename, symlink, writeFile } from "node:fs/promises";
+import { lstat, mkdir, readFile, realpath, rename, rm, symlink, writeFile } from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 
 const root = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
-const claudeHome = process.env.CLAUDE_HOME ?? path.join(os.homedir(), ".claude");
+const dryRun = process.argv.includes("--dry-run") || process.env.CLAUDE_DEV_LINK_DRY_RUN === "1";
+const claudeHome = path.resolve(process.env.CLAUDE_HOME ?? path.join(os.homedir(), ".claude"));
 const manifestPath = path.join(root, ".claude-plugin", "plugin.json");
 const manifest = JSON.parse(await readFile(manifestPath, "utf8"));
 const marketplace = "codex-subagents-local";
@@ -21,6 +22,13 @@ const marketplacePluginPath = path.join(
 );
 const installPath = path.join(claudeHome, "plugins", "cache", marketplace, pluginName, version);
 
+function assertSafePath(targetPath) {
+  const resolved = path.resolve(targetPath);
+  if (resolved === claudeHome || !resolved.startsWith(`${claudeHome}${path.sep}`)) {
+    throw new Error(`Refusing to modify path outside CLAUDE_HOME: ${targetPath}`);
+  }
+}
+
 async function pathExists(targetPath) {
   try {
     await lstat(targetPath);
@@ -45,22 +53,36 @@ function backupPath(targetPath) {
 }
 
 async function replaceWithSymlink(linkPath, targetPath) {
-  await mkdir(path.dirname(linkPath), { recursive: true });
+  assertSafePath(linkPath);
   const currentTarget = await resolvedPath(linkPath);
   if (currentTarget === targetPath) return { path: linkPath, changed: false };
 
+  if (dryRun) {
+    return { path: linkPath, changed: true, dryRun: true };
+  }
+
+  await mkdir(path.dirname(linkPath), { recursive: true });
+  const tempLink = `${linkPath}.tmp-${process.pid}-${Date.now()}`;
+  let backup = null;
   if (await pathExists(linkPath)) {
-    const backup = backupPath(linkPath);
+    backup = backupPath(linkPath);
     await rename(linkPath, backup);
     console.log(`Moved existing ${linkPath} to ${backup}`);
   }
 
-  await symlink(targetPath, linkPath, "dir");
-  return { path: linkPath, changed: true };
+  try {
+    await symlink(targetPath, tempLink, "dir");
+    await rename(tempLink, linkPath);
+    return { path: linkPath, changed: true };
+  } catch (error) {
+    await rm(tempLink, { recursive: true, force: true }).catch(() => {});
+    if (backup) await rename(backup, linkPath).catch(() => {});
+    throw error;
+  }
 }
 
 async function ensureInstalledPluginsEntry() {
-  await mkdir(path.dirname(installedPluginsPath), { recursive: true });
+  assertSafePath(installedPluginsPath);
   let data = { version: 2, plugins: {} };
   if (await pathExists(installedPluginsPath)) {
     data = JSON.parse(await readFile(installedPluginsPath, "utf8"));
@@ -83,7 +105,10 @@ async function ensureInstalledPluginsEntry() {
   };
 
   data.plugins[key] = [entry, ...entries.filter((candidate) => candidate !== existing)];
-  await writeFile(installedPluginsPath, `${JSON.stringify(data, null, 2)}\n`);
+  if (!dryRun) {
+    await mkdir(path.dirname(installedPluginsPath), { recursive: true });
+    await writeFile(installedPluginsPath, `${JSON.stringify(data, null, 2)}\n`);
+  }
   return entry;
 }
 
@@ -94,4 +119,5 @@ const entry = await ensureInstalledPluginsEntry();
 console.log(`Marketplace plugin path: ${marketplaceLink.path} -> ${root}`);
 console.log(`Installed plugin path: ${cacheLink.path} -> ${root}`);
 console.log(`Installed plugin entry: ${entry.installPath}`);
+if (dryRun) console.log("Dry run only; no Claude plugin files were modified.");
 console.log("Claude Code CLI and Claude Desktop CLI share this ~/.claude plugin install.");

src/app-server.ts

@@ -23,6 +23,7 @@ import {
 } from "./subagents.js";
 import { OutputArtifactWriter } from "./artifacts.js";
 import { recordDiagnosticEvent } from "./diagnostics.js";
+import { packageVersion } from "./version.js";
 
 type JsonObject = Record<string, unknown>;
 
@@ -363,7 +364,7 @@ export class CodexAppServerSession {
 
   private async initialize(timeoutMs: number): Promise<void> {
     const initialized = await this.request("initialize", {
-      clientInfo: { name: "claude-code-codex-subagents", version: "0.1.1" },
+      clientInfo: { name: "claude-code-codex-subagents", version: packageVersion },
       capabilities: null,
     }, timeoutMs) as JsonObject | undefined;
     this.capabilities.initialize = true;

src/index.ts

@@ -37,6 +37,7 @@ import {
 } from "./response.js";
 import { sessionManager } from "./sessions.js";
 import { modelPresets } from "./subagents.js";
+import { packageVersion } from "./version.js";
 
 const usageGuide = [
   "Claude Code integration guide for codex-subagents:",
@@ -88,7 +89,7 @@ const usageGuide = [
 const server = new McpServer(
   {
     name: "codex-subagents",
-    version: "0.1.0",
+    version: packageVersion,
   },
   {
     instructions: usageGuide,

src/version.ts

@@ -0,0 +1,6 @@
+import { createRequire } from "node:module";
+
+const require = createRequire(import.meta.url);
+const packageJson = require("../package.json") as { version?: string };
+
+export const packageVersion = packageJson.version ?? "0.0.0";

test/dev-link.mjs

@@ -1,5 +1,5 @@
 import { spawnSync } from "node:child_process";
-import { mkdtemp, readFile, realpath, rm } from "node:fs/promises";
+import { lstat, mkdtemp, readFile, realpath, rm } from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 
@@ -21,7 +21,31 @@ const marketplacePath = path.join(
   "plugins/marketplaces/codex-subagents-local/plugins/codex-subagents",
 );
 
+async function pathExists(targetPath) {
+  try {
+    await lstat(targetPath);
+    return true;
+  } catch (error) {
+    if (error?.code === "ENOENT") return false;
+    throw error;
+  }
+}
+
 try {
+  const dryRun = spawnSync("node", ["scripts/link-claude-dev-plugin.mjs", "--dry-run"], {
+    cwd: root,
+    encoding: "utf8",
+    shell: false,
+    env: {
+      ...process.env,
+      CLAUDE_HOME: claudeHome,
+    },
+  });
+  const dryRunOutput = [dryRun.stdout, dryRun.stderr].filter(Boolean).join("");
+  assert(dryRun.status === 0, "dev link dry run should succeed", dryRunOutput);
+  assert(dryRunOutput.includes("Dry run only"), "dry run should be explicit", dryRunOutput);
+  assert(!(await pathExists(path.join(claudeHome, "plugins"))), "dry run should not create plugin directories", dryRunOutput);
+
   for (const pass of [1, 2]) {
     const result = spawnSync("node", ["scripts/link-claude-dev-plugin.mjs"], {
       cwd: root,

test/version.test.ts

@@ -0,0 +1,13 @@
+import { readFile } from "node:fs/promises";
+import { describe, expect, it } from "vitest";
+import { packageVersion } from "../src/version.js";
+
+describe("version metadata", () => {
+  it("keeps package, plugin, and MCP server version source aligned", async () => {
+    const packageJson = JSON.parse(await readFile("package.json", "utf8")) as { version: string };
+    const pluginJson = JSON.parse(await readFile(".claude-plugin/plugin.json", "utf8")) as { version: string };
+
+    expect(packageVersion).toBe(packageJson.version);
+    expect(pluginJson.version).toBe(packageJson.version);
+  });
+});