Ecosystem Update — 2026-05-13

May 13, 2026 · generated by the ecosystem-update Claude Skill

TL;DR

  • No safe harness Quick Win cleared the automatic-edit bar today; the useful signals all require a new script, a new hook surface, a skill audit, or an explicit memory-policy decision.
  • The strongest near-term queue item is a hook health smoke check: GitHub issue #21639 reports Codex Desktop hook regressions, and this setup depends on PreToolUse, PostToolUse, SessionStart, Stop, and PreCompact.
  • Research signal is security-heavy: the May 2026 agent-worm paper reinforces typed memory promotion, sealed config, and capability attenuation after external reads, which fits the existing omni-mem and hook-guard direction.

Quick Wins

| Item | Source | Type | Impact | Effort | Action |
|---|---|---|---|---|---|
| None safe today | Daily scan | hook / skill / memory | - | - | No automatic harness edit: every candidate needed new scripts, new hooks, external skill trust, policy changes, or upstream support. |

Build Queue

  • Codex Desktop hook regression smoke check (hook) — https://github.com/openai/codex/issues/21639 — Add a small local diagnostic that verifies expected hook execution after Codex Desktop or CLI updates. Worth building because this runtime relies on hook-enforced Bash safety, verification recording, failure context, RLM context loading, and omni-mem persistence.
  • Hook parity gap tracker (hook) — https://github.com/openai/codex/issues/21753 — Track upstream hook parity against the local hooks.json contract, especially PostToolUseFailure, subagent lifecycle, config drift, worktree, and post-compaction events. Not a Quick Win because Codex does not expose these hook events locally yet.
  • Repo-scoped experience compiler intake (memory) — https://github.com/openai/codex/issues/20985 — Evaluate whether WorkGraph-style compiled repo intelligence can feed the existing rlm-scan, omni-mem, and session-recall surfaces without adding another always-on persistence layer.
  • Community Codex skill catalog audit (skill) — https://github.com/ComposioHQ/awesome-codex-skills — Audit individual skills such as gh-fix-ci, pr-review-ci-fix, sentry-triage, datadog-logs, and webapp-testing with codex-skill-audit --strict before considering local installation. Do not wholesale import.
  • Codex release and changelog watcher (Codex-md) — https://github.com/shanraisshan/codex-cli-best-practice — Current local CLI is codex-cli 0.130.0; keep the release watcher in the queue rather than auto-upgrading because version changes affect hooks, plugins, app-server behavior, and Desktop compatibility.
  • Native Codex memories pilot plan (mcp) — https://github.com/shanraisshan/codex-cli-best-practice — Revisit native [features] memories = true only as an explicit pilot alongside the existing omni-mem policy, with an untrusted-content reset/disable story first.

Research

Already Have

Concise AGENTS.md runtime contract, rg-first search rule, omni-mem as default memory, OpenAI developer-docs MCP, prompt telemetry opt-in, /auto canonical runtime, direct-execution bias, route governance triggers, hook feature flag enabled, PreToolUse Bash safety hook, PostToolUse verification ledger, PostToolUse failure context hook, SessionStart startup/resume preflight with clear skipped, Stop omni-mem persistence hook, PreCompact omni-mem hook, custom read-only reviewer agents, explorer/planner/validator agent split, worker agent with scoped implementation instructions, supports_parallel_tool_calls = true for OpenAI docs MCP, plugin support enabled, goals support enabled, OpenAI bundled and primary-runtime marketplaces, browser/computer-use/documents/spreadsheets/presentations/gmail plugins, skill-creator, skill-installer, planning-gate, bug-miner, security-audit, codex-branch, codex-security, session-recall, rlm-scan, autoconfig, and prior release-watch/build-queue items.

Rejected

  • Enable native Codex memories immediately — conflicts with the current omni-mem-first policy and needs an explicit untrusted-content and secret-exposure plan.
  • Wholesale import from Composio or other community skill catalogs — violates the local outside-skill trust rule; individual skills need codex-skill-audit --strict and a concrete recurring use case.
  • Adopt full Claude Code hook parity locally — overfits to unimplemented upstream events; keep as a watcher until Codex exposes stable event and payload contracts.
  • Auto-format hook wiring — requires repo-specific formatters or a new global script, which the ecosystem-update hard limits forbid as an automatic Quick Win.
  • Default to xhigh reasoning or Fast Mode globally — changes cost/latency posture and contradicts the current power-user baseline unless requested for a specific route/profile.
  • Switch to conservative on-request approvals — conflicts with the explicit local runtime posture: approval_policy = "never" and sandbox_mode = "danger-full-access".
  • Install Deep Agents / LangGraph helper skills — useful only for that external stack; not aligned with the current Codex-owned harness without a concrete project need.

Auto-Implemented

  • None. Report and state files were updated; no harness config, hook, agent, skill, or policy file was modified.

Sources checked: https://github.com/hesreallyhim/awesome-claude-code, https://howborisusesclaudecode.com/, https://github.com/shanraisshan/codex-cli-best-practice, https://arxiv.org/search/?searchtype=all&query=LLM+agent+coding&order=-announced_date_first, https://export.arxiv.org/api/query, https://github.com/openai/codex/issues/21639, https://github.com/openai/codex/issues/21753, https://github.com/openai/codex/issues/20985, https://github.com/ComposioHQ/awesome-codex-skills, https://developers.openai.com/codex/app-server
Tier 2 fetched: yes
Tier 3 fetched: no — previous weekly run was 2026-05-08, inside the 7-day skip window
Run at: 2026-05-13T10:30:32Z
