From df7b588354e2e4c59d5af16815cb9de95810adb3 Mon Sep 17 00:00:00 2001
From: Yavor Panayotov <y.panayotov@yahoo.com>
Date: Fri, 19 Jun 2026 16:40:06 +0300
Subject: [PATCH] Add a sync guard for the vendored Allium plugin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allium is developed in juxt/allium and vendored here under plugins/allium
so Codex (which only discovers local ./plugins/X marketplace entries) can
install it. A vendored copy drifts from upstream silently — the existing
remote-source entry was already several releases behind.

Add scripts/sync-allium.sh, which vendors (or, with --check, verifies)
plugins/allium against a juxt/allium ref pinned in scripts/allium-ref.txt,
plus a CI workflow that fails when the two drift. To ship a new Allium
release: bump allium-ref.txt, run the script, commit.

Depends on juxt/claude-plugins#11 (which introduces plugins/allium). Until
that lands the check no-ops; the pinned ref matches the snapshot #11 should
vendor.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/check-allium-sync.yml | 22 ++++++++++
 scripts/allium-ref.txt                  |  1 +
 scripts/sync-allium.sh                  | 57 +++++++++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 .github/workflows/check-allium-sync.yml
 create mode 100644 scripts/allium-ref.txt
 create mode 100755 scripts/sync-allium.sh

diff --git a/.github/workflows/check-allium-sync.yml b/.github/workflows/check-allium-sync.yml
new file mode 100644
index 0000000..b508563
--- /dev/null
+++ b/.github/workflows/check-allium-sync.yml
@@ -0,0 +1,22 @@
+name: Check Allium vendor sync
+
+# Fails if the vendored plugins/allium drifts from the juxt/allium ref pinned
+# in scripts/allium-ref.txt. Runs only when the vendored copy, the pin, or the
+# sync tooling changes — so unrelated PRs are unaffected, and it no-ops until
+# plugins/allium is vendored.
+on:
+  pull_request:
+    paths:
+      - "plugins/allium/**"
+      - "scripts/allium-ref.txt"
+      - "scripts/sync-allium.sh"
+      - ".github/workflows/check-allium-sync.yml"
+  workflow_dispatch:
+
+jobs:
+  check-sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Verify plugins/allium matches the pinned juxt/allium ref
+        run: bash scripts/sync-allium.sh --check
diff --git a/scripts/allium-ref.txt b/scripts/allium-ref.txt
new file mode 100644
index 0000000..4bd3b42
--- /dev/null
+++ b/scripts/allium-ref.txt
@@ -0,0 +1 @@
+229ccd03684d377c07334732c5829296f189585c
diff --git a/scripts/sync-allium.sh b/scripts/sync-allium.sh
new file mode 100755
index 0000000..a308051
--- /dev/null
+++ b/scripts/sync-allium.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+#
+# Re-vendor (or verify) plugins/allium from a pinned juxt/allium ref.
+#
+#   scripts/sync-allium.sh           # update plugins/allium to the pinned ref
+#   scripts/sync-allium.sh --check   # exit non-zero if plugins/allium drifts
+#
+# The pinned ref lives in scripts/allium-ref.txt — a commit SHA or release tag
+# of juxt/allium. Allium is an actively developed external repo, so its plugin
+# payload is vendored here rather than referenced as a remote source (Codex
+# only discovers local `./plugins/X` marketplace entries). Vendoring drifts
+# silently; this script + the matching CI check keep the copy honest.
+#
+# To ship a new Allium release to the marketplace: bump scripts/allium-ref.txt
+# to the new ref, run `scripts/sync-allium.sh`, and commit the result.
+#
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+REF="$(tr -d '[:space:]' < "$ROOT/scripts/allium-ref.txt")"
+DEST="$ROOT/plugins/allium"
+MODE="${1:-sync}"
+
+if [ -z "$REF" ]; then
+  echo "error: scripts/allium-ref.txt is empty" >&2
+  exit 2
+fi
+
+tmp="$(mktemp -d)"
+trap 'rm -rf "$tmp"' EXIT
+
+git clone --quiet https://github.com/juxt/allium "$tmp/allium"
+git -C "$tmp/allium" checkout --quiet "$REF"
+rm -rf "$tmp/allium/.git"
+
+if [ "$MODE" = "--check" ]; then
+  if [ ! -d "$DEST" ]; then
+    echo "plugins/allium not present yet — nothing to check (vendor it with: scripts/sync-allium.sh)."
+    exit 0
+  fi
+  if diff -r "$tmp/allium" "$DEST" >/dev/null; then
+    echo "plugins/allium is in sync with juxt/allium@$REF"
+  else
+    echo "::error::plugins/allium is OUT OF SYNC with juxt/allium@$REF" >&2
+    diff -r "$tmp/allium" "$DEST" || true
+    echo "Run scripts/sync-allium.sh to update plugins/allium." >&2
+    exit 1
+  fi
+elif [ "$MODE" = "sync" ]; then
+  rm -rf "$DEST"
+  mkdir -p "$DEST"
+  cp -R "$tmp/allium/." "$DEST/"
+  echo "Synced plugins/allium to juxt/allium@$REF"
+else
+  echo "usage: scripts/sync-allium.sh [--check]" >&2
+  exit 2
+fi