Ecosystem Update - 2026-05-09

May 9, 2026 · generated by the ecosystem-update Claude Skill

TL;DR

The only safe automatic Quick Win was narrowing the startup RLM hook so /clear no longer pays the cached-context preflight cost.
Today's Codex ecosystem signal mostly validates the current setup: gpt-5.5 default, live web search, hooks, role-specific agents, plugins, omni-mem, planning-gate, and explicit verification loops are already in place.
Local CLI is still codex-cli 0.128.0 while OpenAI published 0.130.0 on 2026-05-08; keep that as a deliberate upgrade-and-smoke task, not an automatic ecosystem-update mutation.

Quick Wins

Item	Source	Type	Impact	Effort	Action
Skip cached repo preflight on `/clear`	https://github.com/shanraisshan/codex-cli-best-practice and https://developers.openai.com/codex/hooks	hook	2	1	Updated `~/.codex/hooks.json` `SessionStart` matcher from `startup\\|resume\\|clear` to `startup\\|resume`.

Auto-Implemented

Backed up ~/.codex/config.toml, ~/.codex/hooks.json, and ~/.codex/agents/*.toml under ~/.codex/backups/2026-05-09/.
Changed the existing SessionStart RLM preflight hook matcher to startup|resume, preserving the same script and avoiding new hook wiring.
Verified ~/.codex/hooks.json with python3 -m json.tool.

Build Queue

Codex 0.130.0 stable upgrade and smoke (Codex-md) - https://github.com/openai/codex/releases/tag/rust-v0.130.0 - current binary is codex-cli 0.128.0; upgrade should be deliberate because it changes the installed runtime. Smoke after upgrade: hooks, plugins, subagents, /review, MCP, browser plugin, and /goal if still enabled.
PreToolUse / PostToolUse contract review (hook) - https://developers.openai.com/codex/hooks - official docs now describe PreToolUse, PermissionRequest, PostToolUse, UserPromptSubmit, and Stop wire formats. Do not add new hook entries until existing scripts are reviewed against current schemas.
Config rules and permissions profile audit (config) - https://developers.openai.com/codex/config-reference#configtoml - rules, named permissions, granular approvals, and app tool policies are now documented. Add only as optional constrained profiles; keep the power-user default intact.
Skill Gotchas maintenance pass (skill) - https://github.com/shanraisshan/codex-cli-best-practice - the repo emphasizes trigger-focused skill descriptions and high-signal Gotchas sections. Current skill inventory is broad; audit high-use skills before adding new ones.
Native Codex memories pilot decision (config) - https://developers.openai.com/codex/config-basic#supported-features - native memories are stable but disabled by default. Current omni-mem remains the primary memory substrate; a pilot needs explicit scope to avoid duplicate recall paths.
Worktree isolation wrapper for parallel local runs (workflow) - https://howborisusesclaudecode.com/ - Boris's strongest recurring workflow pattern is parallel worktrees. Codex already has subagents; a local wrapper is only worth building if it replaces repeated manual worktree setup.

Research

TriEx: A Game-based Tri-View Framework for Explaining Internal Reasoning in Multi-Agent LLMs - relevant to future verifier design because it compares action-bound self-reasoning, belief state, and oracle audit traces over time.
Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection Across Attack Surfaces and Model Safety Tiers - directly relevant to memory/write-path governance; reinforces keeping untrusted ingestion away from durable memory writes.
No new last-24-hour arXiv result appeared for the exact LLM agent coding query; Tier 2 was still fetched because the user asked for today's crawl.

Already Have

gpt-5.5 default, approval_policy = "never", danger-full-access, prompt telemetry off, config schema directive, top-level web_search = "live", review_model = "gpt-5.4", OpenAI developer docs MCP, omni-mem MCP, Stop and PreCompact memory hooks, RLM session preflight hook, role-specific custom agents, read-only planner/explorer/reviewer/validator agents, Python and TypeScript reviewers, worker and chad-twin agents, [agents] runtime caps, plugins enabled, browser-use, computer-use, Gmail, documents, spreadsheets, presentations, live marketplace entries, planning-gate, /auto, build/backlog/evaluate/govern skills, security-audit and codex-security skills, session recall via codex-session-search, skill audit before external installs, and ecosystem-update state tracking.

Rejected

Adopt Claude ecosystem wholesale - awesome-claude-code is currently an update-in-progress/TODO README, and Claude-specific files or ~/.claude runtime dependencies conflict with Codex ownership.
Add new hook scripts today - the safe Quick Win only narrowed an existing matcher. New PreToolUse, PermissionRequest, PostToolUse, or UserPromptSubmit entries require existing scripts first.
Switch to shell-only edits for hook governance - third-party hook guidance suggests routing edits through shell to improve interception, but local Codex editing policy requires apply_patch, and official docs now document apply_patch hook aliases with caveats.
Enable native Codex memories immediately - stable does not mean automatically correct for this harness; omni-mem is already wired into Stop/PreCompact and avoids a second recall/write path.
Enable experimental app/tool policies broadly - current plugins already expose the needed Browser/Gmail/Documents/Spreadsheets/Presentations capabilities. Extra app policy churn needs a concrete failure mode.
Auto-upgrade Codex CLI - upgrade is high-leverage but changes the runtime binary; keep it in Build Queue for an explicit upgrade-and-smoke slice.

Sources checked: https://github.com/hesreallyhim/awesome-claude-code, https://howborisusesclaudecode.com/, https://github.com/shanraisshan/codex-cli-best-practice, https://arxiv.org/search/?searchtype=all&query=LLM+agent+coding&order=-announced_date_first, https://export.arxiv.org/api/query?search_query=all:%22LLM%20agent%20coding%22&start=0&max_results=10&sortBy=submittedDate&sortOrder=descending, https://developers.openai.com/codex/hooks, https://developers.openai.com/codex/config-basic#supported-features, https://developers.openai.com/codex/config-reference#configtoml, https://developers.openai.com/codex/subagents#custom-agent-file-schema, https://github.com/openai/codex/releases/tag/rust-v0.130.0 Tier 2 fetched: yes Tier 3 fetched: partial - official Codex docs/releases checked because runtime facts are volatile; weekly toolkit source skipped because tier3_last_run is within 7 days Run at: 2026-05-09T10:31:57Z