chore: prepare plugin marketplace submission

Author: avalonreset

.codex-plugin/plugin.json

@@ -58,6 +58,7 @@
       "Check schema and Core Web Vitals for this URL.",
       "Build an SEO action plan for this business."
     ],
-    "brandColor": "#D4AF37"
+    "brandColor": "#D4AF37",
+    "composerIcon": "./assets/icon.svg"
   }
 }

.codexignore

@@ -0,0 +1,18 @@
+.codex/
+.codex-work/
+.git/
+.github/
+.pytest_cache/
+.venv/
+build/
+dist/
+dungeon/.logs/
+dungeon/dist/
+dungeon/node_modules/
+node_modules/
+output/
+playwright-report/
+site/
+test-results/
+*.egg-info/
+*.log

.github/workflows/ci.yml

@@ -14,10 +14,10 @@ jobs:
     name: Python Syntax Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
 
@@ -36,10 +36,10 @@ jobs:
       # limit and the sync_flow dry-run test fails on shared-runner IPs.
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
 
@@ -59,10 +59,10 @@ jobs:
     name: Dungeon app build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Set up Node 22
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: "22"
           cache: npm
@@ -88,7 +88,7 @@ jobs:
     name: Secret scan
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Scan tracked files for leaked credentials
         run: |

.github/workflows/hol-plugin-scanner.yml

@@ -0,0 +1,27 @@
+name: HOL Plugin Scanner
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+
+      - name: HOL Plugin Scanner
+        uses: hashgraph-online/ai-plugin-scanner-action@18666b10a2e953318e119f61ea6d5bbb717b9bda # v1
+        with:
+          plugin_dir: "."
+          mode: scan
+          min_score: 80
+          fail_on_severity: high
+          format: sarif
+          upload_sarif: true

.github/workflows/v2.yml

@@ -27,10 +27,10 @@ jobs:
     name: Manifest consistency (13 assertions)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
 
@@ -44,10 +44,10 @@ jobs:
     name: SSRF + DNS rebinding suite
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
 
@@ -76,10 +76,10 @@ jobs:
       # 60/hr anonymous rate limit. Identical to ci.yml.
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.10"
 
@@ -95,7 +95,7 @@ jobs:
     name: Secret scan
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 
       - name: Scan tracked files for leaked credentials
         run: |

assets/icon.svg

@@ -92,10 +92,11 @@ Confirm Gemini CLI is available on `PATH`:
 gemini --version
 ```
 
-If Gemini reports `GEMINI_API_KEY` is required, configure Gemini CLI auth or set:
+If Gemini reports `GEMINI_API_KEY` is required, configure Gemini CLI auth or set
+the variable in your shell without committing the value:
 
 ```powershell
-$env:GEMINI_API_KEY='your-key'
+$env:GEMINI_API_KEY = Read-Host 'Paste Gemini API key'
 ```
 
 The bridge default is:

docs/TROUBLESHOOTING.md

@@ -16,6 +16,10 @@ const ROOT = __dirname;
 const DIST = path.join(ROOT, 'dist');
 const LOG_DIR = path.join(ROOT, '.logs');
 
+function resolveNpxCommand() {
+  return process.platform === 'win32' ? 'npx.cmd' : 'npx';
+}
+
 // Ensure log directory exists. Bridge stdout/stderr get piped here so we
 // can diagnose audit parse failures, disconnects, and agent CLI errors
 // after the fact. Previously the bridge ran with stdio:'ignore' and
@@ -45,7 +49,7 @@ console.log('');
 if (!fs.existsSync(path.join(DIST, 'index.html'))) {
   console.log('  Building optimized production bundle...');
   try {
-    execFileSync('npx', ['vite', 'build'], { cwd: ROOT, stdio: 'inherit', shell: true });
+    execFileSync(resolveNpxCommand(), ['vite', 'build'], { cwd: ROOT, stdio: 'inherit', shell: false });
     console.log('  ✓ Build complete');
     console.log('');
   } catch (e) {
@@ -91,7 +95,7 @@ let bridge = null;
   // a file keeps both readable and gives us a post-mortem for bugs that
   // only happen during long audits.
   const bridgeLog = fs.openSync(bridgeLogPath, 'a');
-  fs.writeSync(bridgeLog, `\n=== Bridge started ${new Date().toISOString()} on ${bridgeUrl} ===\n`);
+  fs.writeSync(bridgeLog, '\n=== Bridge started ' + new Date().toISOString() + ' on ' + bridgeUrl + ' ===\n');
   bridge = spawn('node', [path.join(ROOT, 'server', 'index.js')], {
     cwd: ROOT,
     env: {
@@ -116,9 +120,9 @@ let bridge = null;
   console.log(`  ✓ Remote session ledger: ${path.relative(ROOT, sessionLogPath)}`);
 
   // Serve optimized production build
-  const serve = spawn('npx', ['serve', 'dist', '-l', String(appPort), '-s'], {
+  const serve = spawn(resolveNpxCommand(), ['serve', 'dist', '-l', String(appPort), '-s'], {
     cwd: ROOT,
-    shell: true,
+    shell: false,
     stdio: 'inherit',
     windowsHide: true
   });

dungeon/launch.js

@@ -567,6 +567,21 @@ function resolveNpmPowerShellShim(ps1Path) {
   }
 }
 
+function resolveCmdExe() {
+  if (process.env.ComSpec) return process.env.ComSpec;
+  if (process.env.SystemRoot) return path.join(process.env.SystemRoot, 'System32', 'cmd.exe');
+  return 'cmd.exe';
+}
+
+function resolveWindowsBatchShim(batchPath) {
+  return {
+    command: resolveCmdExe(),
+    argsPrefix: ['/d', '/s', '/c', batchPath],
+    shell: false,
+    display: batchPath
+  };
+}
+
 function resolveCliLaunch(execPath) {
   const raw = String(execPath || '').trim();
   if (!raw) throw new Error('CLI executable path is empty.');
@@ -578,7 +593,7 @@ function resolveCliLaunch(execPath) {
   const ext = path.extname(selected).toLowerCase();
 
   if (ext === '.cmd' || ext === '.bat') {
-    return { command: selected, argsPrefix: [], shell: true, display: selected };
+    return resolveWindowsBatchShim(selected);
   }
 
   if (ext === '.ps1') {
@@ -599,7 +614,7 @@ function resolveCliLaunch(execPath) {
   return {
     command: selected,
     argsPrefix: [],
-    shell: !path.extname(selected),
+    shell: false,
     display: selected
   };
 }
@@ -1854,12 +1869,12 @@ function createCodexAppServerRun({ prompt, onStream, onStatus, workDir, requestI
 
   console.log(`  Running with codex app-server (profile: ${codexProfile.key}, effort: ${codexProfile.effort}${codexProfile.model ? `, model: ${codexProfile.model}` : ''}, bypass: ${dangerousBypass ? 'on' : 'off'})`);
   console.log(`  Executable: ${launchDisplay}`);
-  console.log(`  CWD: ${workDir}`);
+  console.log('  CWD: ' + workDir);
 
   const child = spawn(launch.command, appArgs, {
     cwd: workDir,
     env: safeEnv(workDir),
-    shell: launch.shell,
+    shell: false,
     stdio: ['pipe', 'pipe', 'pipe'],
     windowsHide: true
   });
@@ -2306,11 +2321,11 @@ function runTextCli(runtime, prompt, onStream, cwd, requestId, profile, options
 
     console.log(`  Running with ${normalizedRuntime} CLI (profile: ${cliProfile.key}${cliProfile.model ? `, model: ${cliProfile.model}` : ', default model'})`);
     console.log(`  Executable: ${launch.display}`);
-    console.log(`  CWD: ${workDir}`);
+    console.log('  CWD: ' + workDir);
     const proc = spawn(launch.command, launchArgs, {
       cwd: workDir,
       env: safeEnv(workDir),
-      shell: launch.shell,
+      shell: false,
       stdio: ['ignore', 'pipe', 'pipe'],
       windowsHide: true
     });
@@ -2393,11 +2408,11 @@ function runCodexExec(prompt, onStream, cwd, requestId, profile, options = {}) {
 
     console.log(`  Running with codex exec (profile: ${codexProfile.key}, effort: ${codexProfile.effort}${codexProfile.model ? `, model: ${codexProfile.model}` : ''}, bypass: ${dangerousBypass ? 'on' : 'off'})`);
     console.log(`  Executable: ${launch.display}`);
-    console.log(`  CWD: ${workDir}`);
+    console.log('  CWD: ' + workDir);
     const proc = spawn(launch.command, launchArgs, {
       cwd: workDir,
       env: safeEnv(workDir),
-      shell: launch.shell,
+      shell: false,
       stdio: ['ignore', 'pipe', 'pipe'],
       windowsHide: true
     });