Ecosystem Update - 2026-05-09
Highlights
- The only safe automatic Quick Win was narrowing the startup RLM hook so `/clear` no longer pays the cached-context preflight cost
- Local CLI is still `codex-cli 0.128.0` while OpenAI published `0.130.0` on 2026-05-08; keep that as a deliberate upgrade-and-smoke task, not an automatic ecosystem-update mutation
Quick Wins (implemented today)
- Skip cached repo preflight on `/clear` hook
  Updated `~/.codex/hooks.json` `SessionStart` matcher from `startup\
New Tools, Skills & Patterns
- Codex 0.130.0 stable upgrade and smoke Codex-md https://github.com/openai/codex/releases/tag/rust-v0.130.0 - current binary is `codex-cli 0.128.0`; upgrade should be deliberate because it changes the installed runtime. Smoke after upgrade: hooks, plugins, subagents, `/review`, MCP, browser plugin, and `/goal` if still enabled
- PreToolUse / PostToolUse contract review hook https://developers.openai.com/codex/hooks - official docs now describe `PreToolUse`, `PermissionRequest`, `PostToolUse`, `UserPromptSubmit`, and `Stop` wire formats. Do not add new hook entries until existing scripts are reviewed against current schemas
- Config rules and permissions profile audit config https://developers.openai.com/codex/config-reference#configtoml - `rules`, named permissions, granular approvals, and app tool policies are now documented. Add only as optional constrained profiles; keep the power-user default intact
- Skill Gotchas maintenance pass skill https://github.com/shanraisshan/codex-cli-best-practice - the repo emphasizes trigger-focused skill descriptions and high-signal Gotchas sections. Current skill inventory is broad; audit high-use skills before adding new ones
- Native Codex memories pilot decision config https://developers.openai.com/codex/config-basic#supported-features - native memories are stable but disabled by default. A pilot needs explicit scope to avoid duplicate recall paths
- Worktree isolation wrapper for parallel local runs workflow https://howborisusesclaudecode.com/ - Boris's strongest recurring workflow pattern is parallel worktrees. Codex already has subagents; a local wrapper is only worth building if it replaces repeated manual worktree setup
Research Worth Reading
- TriEx: A Game-based Tri-View Framework for Explaining Internal Reasoning in Multi-Agent LLMs - relevant to future verifier design because it compares action-bound self-reasoning, belief state, and oracle audit traces over time
- Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection Across Attack Surfaces and Model Safety Tiers - directly relevant to memory/write-path governance; reinforces keeping untrusted ingestion away from durable memory writes
- No new last-24-hour arXiv result appeared for the exact `LLM agent coding` query; Tier 2 was still fetched because the user asked for today's crawl.
Considered, Not Adopting
Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.
- Adopt Claude ecosystem wholesale - `awesome-claude-code` is currently an update-in-progress/TODO README, and Claude-specific files or `~/.claude` runtime dependencies conflict with Codex ownership
- Add new hook scripts today - the safe Quick Win only narrowed an existing matcher. New `PreToolUse`, `PermissionRequest`, `PostToolUse`, or `UserPromptSubmit` entries require existing scripts to be reviewed first
- Switch to shell-only edits for hook governance - third-party hook guidance suggests routing edits through shell to improve interception, but local Codex editing policy requires `apply_patch`, and official docs now document `apply_patch` hook aliases with caveats
- Enable native Codex memories immediately - stable does not mean automatically correct for this harness
- Enable experimental app/tool policies broadly - current plugins already expose the needed Browser/Gmail/Documents/Spreadsheets/Presentations capabilities. Extra app policy churn needs a concrete failure mode
- Auto-upgrade Codex CLI - upgrade is high-leverage but changes the runtime binary; keep it in Build Queue for an explicit upgrade-and-smoke slice