[codex] Support npm marketplace plugin sources#29375

Merged
charlesgong-openai merged 4 commits into main from dev/charlesgong/support-npm-marketplace-sources on Jun 26, 2026

@charlesgong-openai charlesgong-openai commented Jun 22, 2026

Why

Marketplace source deserialization treated {"source":"npm", ...} as unsupported. The loader logged and skipped the entry, so npm-backed plugins never appeared in plugin list --available and plugin add returned "plugin not found".

Codex plugins are installed from a plugin root, not from an npm dependency tree. For npm-backed marketplace entries, Codex should fetch the published package contents without running package scripts or installing unrelated dependencies.

What changed

  • Add npm marketplace plugin sources with package, optional semver version or version range, and optional HTTPS registry.
  • Reject unsafe npm source fields before materialization, including invalid package names, non-semver version selectors, plaintext or credential-bearing registry URLs, and registry query/fragment data.
  • Materialize npm plugins with npm pack --ignore-scripts, then unpack the resulting tarball through the existing hardened plugin bundle extractor.
  • Enforce npm archive and extracted-size limits, require the standard npm package/ archive root, and verify the extracted package.json name matches the requested package before installing.
  • Keep plugin listings, install-source descriptions, CLI JSON/human output, app-server v2 PluginSource, TUI source summaries, regenerated schema fixtures, and app-server documentation in sync.

Impact

Marketplaces can distribute Codex plugins from public or configured private HTTPS npm registries using the same install flow as existing materialized plugin sources. npm must be available on PATH when an npm-backed plugin is installed.

Fixes #27831

Validation

  • just write-app-server-schema
  • just test -p codex-core-plugins -p codex-app-server-protocol -p codex-app-server -p codex-cli
    • npm/schema/core-plugin coverage passed in the run.
    • The full focused command finished with 1739 passed, 11 failed, and 6 timed out; the failures were unrelated local app-server environment failures from sandbox-exec: sandbox_apply: Operation not permitted plus one missing test_stdio_server helper binary.
  • Installed an npm-published Codex plugin package through a throwaway local marketplace and throwaway CODEX_HOME to exercise the real npm materialization path end to end.
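The field checks listed under "What changed", sketched as an added example that is not the code from this pull request: a std-only Rust validator for the `package` and `registry` fields (version selectors are left out). The function names and the exact accepted grammar are assumptions modeled on the description and on npm's package naming rules.

```rust
// Added illustration, not the code from codex-rs. The accepted grammars are
// assumptions modeled on the PR description and npm's package naming rules.

/// One name segment: lowercase ASCII, digits, '-', '.', '_'. A leading '.',
/// '_' or '-' is refused, so a segment can never look like a path or a CLI flag.
fn valid_segment(s: &str) -> bool {
    !s.is_empty()
        && !s.starts_with(|c: char| matches!(c, '.' | '_' | '-'))
        && s.bytes().all(|b| matches!(b, b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_'))
}

/// Accepts `name` or `@scope/name` only. Version suffixes, URLs, git specs,
/// aliases and file paths all need characters outside the segment set.
pub fn validate_package(name: &str) -> Result<(), &'static str> {
    let ok = name.len() <= 214
        && match name.strip_prefix('@') {
            Some(rest) => rest
                .split_once('/')
                .map_or(false, |(scope, pkg)| valid_segment(scope) && valid_segment(pkg)),
            None => valid_segment(name),
        };
    if ok { Ok(()) } else { Err("invalid npm package name") }
}

/// Accepts only `https://host[:port][/path]`: no plaintext scheme, no userinfo,
/// no query, no fragment. '@' is refused anywhere, which is stricter than RFC 3986.
pub fn validate_registry(url: &str) -> Result<(), &'static str> {
    let rest = url.strip_prefix("https://").ok_or("registry must use https")?;
    let authority = rest.split('/').next().unwrap_or("");
    let (host, port) = authority.split_once(':').unwrap_or((authority, "443"));
    let host_ok = !host.is_empty()
        && host.bytes().all(|b| b.is_ascii_alphanumeric() || matches!(b, b'-' | b'.'));
    let clean = url.bytes().all(|b| b.is_ascii_graphic() && !matches!(b, b'@' | b'?' | b'#' | b'\\'));
    if host_ok && port.parse::<u16>().is_ok() && clean {
        Ok(())
    } else {
        Err("registry has userinfo, query, fragment or a malformed authority")
    }
}

fn main() {
    // Constructed sample values, not taken from the pull request.
    for name in ["@acme/codex-plugin", "pkg@1.0.0", "../plugin"] {
        println!("{name:?} -> {:?}", validate_package(name));
    }
    for url in ["https://registry.example.com/npm/", "http://registry.example.com/"] {
        println!("{url:?} -> {:?}", validate_registry(url));
    }
}
```

Validating the name as a closed character set, rather than blocklisting known bad forms, is what keeps the value from being read by `npm pack` as anything other than a registry package name.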

@@ -748,6 +774,117 @@ fn normalize_optional_git_selector(value: &Option<String>) -> Option<String> {
.map(str::to_string)
}

fn normalize_npm_package(
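
Review bot: `fn normalize_npm_package(` at the end of this hunk follows a blank line with no `///` doc comment above it. The author's inline comment calls this the main npm validator, and the description makes it the point where invalid package names are rejected before materialization, so a doc comment stating which name forms are accepted and what a rejection looks like to the caller would let readers check the contract without reading the body.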

main npm validator

@@ -0,0 +1,229 @@
use crate::plugin_bundle_archive::unpack_plugin_bundle_tar_gz;
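
Review bot: The new file (`@@ -0,0 +1,229 @@`) opens on line 1 with `use crate::plugin_bundle_archive::unpack_plugin_bundle_tar_gz;`, so it has no `//!` module header. Since this is the fetcher, consider a header that records the invariants the description lists (scripts disabled during `npm pack`, the archive and extracted-size limits, the required `package/` archive root, the `package.json` name check) so later edits to these 229 lines can be reviewed against them.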

main fetcher

@charlesgong-openai charlesgong-openai force-pushed the dev/charlesgong/support-npm-marketplace-sources branch 2 times, most recently from 9db763c to 8f1493d Compare June 25, 2026 18:14
@charlesgong-openai charlesgong-openai force-pushed the dev/charlesgong/support-npm-marketplace-sources branch from cc63980 to 048cae4 Compare June 25, 2026 19:15
@charlesgong-openai charlesgong-openai marked this pull request as ready for review June 25, 2026 19:30

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 048cae405c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/core-plugins/src/marketplace.rs Outdated
Comment thread codex-rs/tui/src/chatwidget/plugin_catalog.rs
Comment thread codex-rs/core-plugins/src/npm_source.rs
Comment thread codex-rs/core-plugins/src/marketplace.rs Outdated
@charlesgong-openai

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. 👍

Reviewed commit: a2504d2771

Comment thread codex-rs/app-server/README.md Outdated
Comment thread codex-rs/app-server-protocol/src/protocol/v2/plugin.rs
@charlesgong-openai charlesgong-openai merged commit 6509f31 into main Jun 26, 2026
31 checks passed
@charlesgong-openai charlesgong-openai deleted the dev/charlesgong/support-npm-marketplace-sources branch June 26, 2026 21:24
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 26, 2026

Development

Successfully merging this pull request may close these issues.

Support npm package sources in marketplace.json plugin entries (currently silently ignored)