sync superpowers v6.0.1 from upstream main @ a21956e4

[arittr]

Automated sync of the superpowers plugin from upstream main @ a21956e4 (v6.0.1), produced by scripts/sync-to-codex-plugin.sh.

This advances the embedded plugin from 5.1.3 (current main) to 6.0.1, so the diff spans a major version bump. It supersedes #332 (the v6.0.0 sync, now closed); 6.0.1 adds two Codex-specific fixes on top of the 6.0.0 work.

What changed (5.1.3 → 6.0.1)

Codex fixes (6.0.1)

• The brainstorm visual companion no longer reports its version as "unknown" in packaged Codex plugins — readSuperpowersVersion() now falls back to .codex-plugin/plugin.json when no root package.json is present.
• The sync excludes .gitmodules and .pre-commit-config.yaml, keeping repo metadata out of the packaged plugin.

Subagent-driven development rewrite (6.0.0)

• The two per-task reviewer prompts (spec-reviewer-prompt.md, code-quality-reviewer-prompt.md) are replaced by a single task-reviewer-prompt.md that returns both a spec-compliance and a quality verdict in one pass.
• Task text and review diffs now move as files via two new scripts, task-brief and review-package, instead of being pasted into the most expensive context.
• Every dispatch must name a model; controllers can no longer tell a reviewer what to ignore or pre-rate severity; reviewers are read-only.

Writing plans (6.0.0) — plans now carry a Global Constraints block and per-task Interfaces block, plus right-sizing guidance.

Brainstorming visual companion (6.0.0) — a real security model: a per-session key guards every request and WebSocket, the file server refuses symlinks/dotfiles/path-escape, and it survives restarts and dropped connections.

One set of skills, every harness (6.0.0) — skill prose was rewritten to be vendor-neutral ("dispatch a subagent" rather than "use the Task tool"), backed by a per-harness tool reference under skills/using-superpowers/references/ (Claude Code, Codex, Copilot, Gemini, Pi, Antigravity).

Codex-relevant harness updates (6.0.0) — Codex now bootstraps through its own SessionStart hook (hooks/session-start-codex) rather than shared wiring; the Codex manifest is updated accordingly.

Full release notes: https://github.com/obra/superpowers/blob/a21956e48c1324737257c0d9562e5397d1fbed6c/RELEASE-NOTES.md

Scope of the sync

• Synced from upstream: the committed Codex manifest (.codex-plugin/plugin.json), assets/, hooks/, and the skills + bundled skill support files.
• Preserved from this repo: OpenAI-owned marketplace metadata under skills/**/agents/openai.yaml.
• Excluded (source-repo-only, not shipped in the packaged plugin): .github/, evals/, scripts/, tests/, docs/, .gitmodules, .pre-commit-config.yaml, and other dev-only paths.

Verification

Checked against a clean upstream checkout at the synced SHA (a21956e4):

• Committed Codex manifest reports version: 6.0.1.
• The Codex session-start hook (hooks/session-start-codex) emits valid JSON whose context includes the superpowers:using-superpowers bootstrap.
• The reviewer-prompt consolidation and new task-brief / review-package scripts are present, matching the 6.0.0 release notes.

The sync is deterministic: re-running it against the same upstream SHA produces an identical diff.

Tooling

Generated by the sync-to-codex-plugin.sh script in the superpowers repo and reviewed by a human before submission. The PR body was drafted with Claude Code (Opus 4.8).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7e55b302aa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Match SessionStart on compact

Codex hook docs say SessionStart matchers are applied to source, whose values include startup, resume, clear, and compact; this Codex-specific hook omits compact even though the Claude hook in this commit includes it. In sessions that hit manual or automatic compaction, the Superpowers bootstrap will not be re-injected after the context is rewritten, so long-running sessions can lose the skill-loading instructions. Include compact in this matcher.

Useful? React with 👍 / 👎.

[6643]

superpowers to 6.0.2

[Sapientropic]

Thanks for opening this sync PR. I think this Superpowers gap also points to a broader marketplace-maintenance issue that may be worth turning into an RFC.

I tried to open a docs-only RFC PR from a fork, but this repository rejected external PR creation for my account (CreatePullRequest permission / REST 404). Since issues are disabled and this PR is the active example, I am leaving the RFC draft here for maintainers to consider:

https://github.com/Sapientropic/plugins/blob/sapientropic/plugin-version-tracking-rfc/docs/rfcs/plugin-version-tracking.md

Short version:

• Users tend to assume plugins installed from the official Codex marketplace are either kept current or clearly marked when stale.
• A one-off sync from 5.1.3 to 6.0.x helps Superpowers, but it does not make stale marketplace copies visible in general.
• The marketplace could track optional upstream metadata such as upstream repository, version source, release strategy, last synced ref, last sync PR, and update policy.
• A scheduled check could report states like current, stale, sync_pending, tracking_unknown, pinned, or check_failed.
• Codex App/CLI could then distinguish: installed version, marketplace version, upstream version, update available, and sync pending.

The concrete user-facing problem is that without this, a user can install from the official marketplace and unknowingly keep using an old plugin while assuming version management is handled by the marketplace.

If this belongs somewhere else, happy to reshape the draft or move it to whatever proposal path the plugin marketplace maintainers prefer.

[obra]

Thanks for opening this sync PR. I think this Superpowers gap also points to a broader marketplace-maintenance issue that may be worth turning into an RFC.

I tried to open a docs-only RFC PR from a fork, but this repository rejected external PR creation for my account (CreatePullRequest permission / REST 404). Since issues are disabled and this PR is the active example, I am leaving the RFC draft here for maintainers to consider:

https://github.com/Sapientropic/plugins/blob/sapientropic/plugin-version-tracking-rfc/docs/rfcs/plugin-version-tracking.md

Short version:

• Users tend to assume plugins installed from the official Codex marketplace are either kept current or clearly marked when stale.
• A one-off sync from 5.1.3 to 6.0.x helps Superpowers, but it does not make stale marketplace copies visible in general.
• The marketplace could track optional upstream metadata such as upstream repository, version source, release strategy, last synced ref, last sync PR, and update policy.
• A scheduled check could report states like current, stale, sync_pending, tracking_unknown, pinned, or check_failed.
• Codex App/CLI could then distinguish: installed version, marketplace version, upstream version, update available, and sync pending.

The concrete user-facing problem is that without this, a user can install from the official marketplace and unknowingly keep using an old plugin while assuming version management is handled by the marketplace.

If this belongs somewhere else, happy to reshape the draft or move it to whatever proposal path the plugin marketplace maintainers prefer.

@Sapientropic this is not the right forum for something like that. But I don't know what is.