Ecosystem Update — 2026-05-14

May 14, 2026 · curated by Chad Simon · 12 items reviewed

Highlights

  • One safe Quick Win was implemented: the existing Bash PreToolUse guard now blocks more catastrophic local deletions, pipe-to-shell installs, and fork bombs without adding a new hook or external binary
  • Today's strongest new research signal is SkillOps: skill libraries need maintenance contracts and health checks, not just task-time retrieval
  • Broad community imports remain more risk than leverage

Quick Wins (implemented today)

  • Balanced safety guard gap tightening hook
    Auto-implemented additional patterns in existing /Users/chadsimon/.codex/bin/pre_tool_guard.py; no new hook, script, binary, or service added
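As an added illustration of the kind of guard the highlight and this Quick Win describe (a small, token-level PreToolUse check for catastrophic recursive deletes, pipe-to-shell installs and fork bombs), the script below is example code written for this digest, not the contents of pre_tool_guard.py. It assumes the hook receives a JSON object on stdin with the command under `tool_input.command` and that a non-zero exit with a message on stderr blocks the call; both are assumptions about the hook contract, not facts from this page.

```python
"""Token/regex based PreToolUse guard for Bash commands (added example).

Assumptions (not from the page): the hook reads a JSON object on stdin with
the command under tool_input.command, and a non-zero exit with a message on
stderr blocks the tool call. Adjust main() to the real hook contract.
"""
import json
import re
import shlex
import sys

# Targets that make a recursive, forced rm catastrophic (constructed list).
CATASTROPHIC_RM_TARGETS = {
    "/", "/*", "~", "~/", "~/*", "$HOME", "${HOME}", "*", ".", "..", "/.", "/..",
}

# A download piped straight into a shell, e.g. `curl ... | sh` or `wget -qO- ... | sudo bash`.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+(?:-\S+\s+)*)?(?:ba|z|da|k)?sh\b"
)

# Classic fork bomb: a function that pipes itself into itself in the background and
# then calls itself, e.g. `:(){ :|:& };:`. The name is a backreference, so renamed
# variants such as `bomb(){ bomb|bomb& };bomb` match too.
FORK_BOMB = re.compile(
    r"([A-Za-z_:][\w:]*)\s*\(\)\s*\{\s*\1\s*\|\s*\1\s*&\s*;?\s*\}\s*;\s*\1"
)

# Shell list/pipe separators, so each simple command is inspected on its own.
SEPARATORS = re.compile(r"\s*(?:\|\||&&|;|\||&)\s*")


def _is_catastrophic_rm(segment: str) -> bool:
    """True if a simple command is `rm` with recursive+force flags on a root-like target."""
    try:
        tokens = shlex.split(segment)
    except ValueError:  # unbalanced quotes: nothing we can parse as rm
        return False
    # Drop sudo/env/command prefixes and their own options.
    while tokens and tokens[0] in ("sudo", "env", "command"):
        tokens = tokens[1:]
        while tokens and tokens[0].startswith("-"):
            tokens = tokens[1:]
    if not tokens or tokens[0] not in ("rm", "/bin/rm", "/usr/bin/rm"):
        return False
    recursive = force = False
    targets = []
    for tok in tokens[1:]:
        if tok == "--recursive":
            recursive = True
        elif tok == "--force":
            force = True
        elif tok.startswith("-") and not tok.startswith("--"):
            recursive |= any(c in tok for c in "rR")  # bundled short flags, e.g. -rf
            force |= "f" in tok
        else:
            targets.append(tok)
    return recursive and force and any(t in CATASTROPHIC_RM_TARGETS for t in targets)


def evaluate_command(command: str):
    """Return ("block", reason) or ("allow", "") for one Bash command string."""
    if FORK_BOMB.search(command):
        return "block", "fork bomb pattern"
    if PIPE_TO_SHELL.search(command):
        return "block", "download piped directly into a shell"
    for segment in SEPARATORS.split(command):
        if _is_catastrophic_rm(segment):
            return "block", f"catastrophic recursive delete: {segment.strip()!r}"
    return "allow", ""


def main() -> int:
    payload = json.load(sys.stdin)  # assumed hook input shape
    command = payload.get("tool_input", {}).get("command", "")
    decision, reason = evaluate_command(command)
    if decision == "block":
        print(f"pre_tool_guard: blocked ({reason})", file=sys.stderr)
        return 2  # assumed: non-zero exit blocks the tool call
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The rm check parses each simple command with `shlex` rather than a bare regex so that `echo 'rm -rf /'` or `rm -rf ./build` pass while `cd /tmp && rm -rf /` is caught. It is still token-level: `bash -c "rm -rf /"`, `eval`, heredocs and `xargs` are exactly the cases this pass does not see, which is the gap the AST-backed evaluation item below is about.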

New Tools, Skills & Patterns

  • SkillOps-style local skill contract audit skill
    Extend skill-audit or skills-janitor with a lightweight contract pass for each installed skill: declared purpose, outputs, allowed actions/tools, validation evidence, and known failure modes. This fits the current large skill inventory and should be built as an audit/check, not a new runtime service
  • Full AST-backed Bash guard evaluation hook
    The current regex guard is now stronger, but the external bash-guard idea covers shell AST cases such as heredocs, bash -c, eval, xargs, and SSH. Evaluate by auditing or reimplementing a Codex-owned subset; do not pipe-install the upstream binary
  • AGENTS.override.md compatibility decision Codex-md
    Codex best-practice guidance points to AGENTS.override.md for personal preferences. Current global policy already owns personal runtime posture, so this should stay a deliberate policy decision rather than an automatic config edit
  • Skill metadata gotchas pass skill
    High-use local skills should expose failure-specific gotchas and sharper trigger descriptions. This is valuable but touches skill bodies, so it is outside Quick Win limits
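To make the contract-audit and gotchas-pass items concrete, here is an added example of a static contract check, written for this digest and not taken from skill-audit, skills-janitor or any SkillOps code. It assumes each installed skill is a directory with a SKILL.md whose YAML-style front matter declares the fields listed in the script (`name`, `description`, `outputs`, `allowed_tools`, `validation`, `known_failure_modes`); that layout and the field names are assumptions, and the two sample skills are constructed.

```python
"""Lightweight skill contract audit (added example, standard library only).

Assumed layout (not from the page): each installed skill is <root>/<skill>/SKILL.md
with YAML-style front matter declaring the contract fields below. The audit is
static; it reads files and runs nothing.
"""
from pathlib import Path
import re

# Contract fields every skill should declare, with the reason each is required.
REQUIRED_FIELDS = {
    "name": "identity",
    "description": "declared purpose and trigger wording",
    "outputs": "what the skill produces",
    "allowed_tools": "tools/actions the skill may invoke",
    "validation": "evidence the skill was tested",
    "known_failure_modes": "failure-specific gotchas",
}
MIN_DESCRIPTION_LEN = 40  # constructed threshold for a usable trigger description


def parse_front_matter(text: str) -> dict:
    """Parse `---` delimited front matter into a dict of str or list[str].

    Supports `key: value`, `key: [a, b]` and `key:` followed by `- item` lines.
    """
    m = re.match(r"^---\s*\n(.*?)\n---\s*(?:\n|$)", text, re.S)
    if not m:
        return {}
    data, current = {}, None
    for raw in m.group(1).splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item = re.match(r"^\s*-\s+(.*)$", line)
        if item and current is not None:
            data.setdefault(current, [])
            if isinstance(data[current], list):
                data[current].append(item.group(1).strip())
            continue
        key, sep, value = line.partition(":")
        if not sep or line.startswith((" ", "\t")):
            continue
        current, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            data[current] = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        elif value == "":
            data[current] = []  # list items follow on the next lines
        else:
            data[current] = value.strip("'\"")
    return data


def audit_contract(front_matter: dict) -> list:
    """Return (severity, message) findings for one skill contract."""
    findings = []
    for field, why in REQUIRED_FIELDS.items():
        if front_matter.get(field) in (None, "", []):
            findings.append(("missing", f"{field}: {why}"))
    desc = front_matter.get("description", "")
    if isinstance(desc, str) and 0 < len(desc) < MIN_DESCRIPTION_LEN:
        findings.append(("weak", "description too short to act as a trigger"))
    tools = front_matter.get("allowed_tools", [])
    tools = [tools] if isinstance(tools, str) else tools
    if any(t.strip() in ("*", "all", "any") for t in tools):
        findings.append(("risk", "allowed_tools grants every tool; narrow it to what the skill needs"))
    return findings


def audit_skill_text(text: str) -> dict:
    fm = parse_front_matter(text)
    findings = audit_contract(fm) if fm else [("missing", "no front matter found")]
    return {"name": fm.get("name", "<unnamed>"), "findings": findings, "healthy": not findings}


def audit_skill_dirs(root: Path) -> list:
    """Audit every <root>/<skill>/SKILL.md and return the per-skill reports."""
    return [audit_skill_text(p.read_text(encoding="utf-8")) for p in sorted(root.glob("*/SKILL.md"))]


# Constructed samples: one complete contract and one that should fail the audit.
GOOD_SKILL = """---
name: repo-triage
description: Use when a new issue needs labelling, deduplication and a first-response draft.
outputs:
  - proposed labels
  - duplicate candidates
allowed_tools: [read_file, search_issues]
validation: tested against 30 archived issues on 2026-05-01 (constructed)
known_failure_modes:
  - misses duplicates phrased in another language
---
# repo-triage
"""

BAD_SKILL = """---
name: do-anything
description: Helps with stuff.
allowed_tools: ["*"]
---
"""

if __name__ == "__main__":
    for sample in (GOOD_SKILL, BAD_SKILL):
        report = audit_skill_text(sample)
        print(report["name"], "healthy" if report["healthy"] else report["findings"])
```

The findings are tiered (`missing`, `weak`, `risk`) so a janitor pass can report a vague trigger description separately from an over-broad `allowed_tools` grant; the second is the one worth treating as a blocker before a skill is trusted.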

Research Worth Reading

  • SkillOps: Managing LLM Agent Skill Libraries as Self-Maintaining Software Ecosystems
    Directly relevant to this machine's many local skills; suggests typed skill contracts, ecosystem graph checks, and health dimensions for utility, compatibility, risk, and validation

Considered, Not Adopting

Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.

  • Wholesale import of CodeAlive AI-driven-development skills (rejected): overlaps existing skills and requires codex-skill-audit --strict per outside skill before trust
  • Pipe-install upstream bash-guard binary (rejected): the source itself advertises a pipe-to-shell install path; installing external hook binaries automatically violates the local trust and supply-chain posture
  • Global auto-format hooks (rejected): useful for specific repos, but a global formatter hook needs repo-aware commands or a new script and can create noisy edits
  • Enable native Codex memories immediately
  • Adopt full Claude/Codex hook parity locally (rejected): many events in the upstream parity tracker are not exposed locally; keep as a watcher until Codex ships stable event/payload contracts
  • Edit AGENTS.md as a Quick Win (rejected): the ecosystem-update hard limit forbids it; constitutional policy changes need explicit user direction

Sources Reviewed
