Ecosystem Update - 2026-05-22

May 22, 2026 · curated by Chad Simon · 18 items reviewed

Highlights

  • OpenAI Codex CLI 0.133.0 landed on 2026-05-21 with stable Goals, stronger permission-profile plumbing, better plugin discovery, remote-control UX fixes, and extension lifecycle observability; local CLI was upgraded from 0.132.0 to 0.133.0
  • The local harness had stale config keys that the 0.133.0 strict parser rejected; inactive legacy keys were removed and strict config now loads
  • The official hook docs list clear as a SessionStart source; local startup hooks now cover startup|resume|clear

Quick Wins (implemented today)

  • Stable Codex 0.133.0 upgrade [Codex-md]
    Upgrade local CLI package and smoke-test codex --version, codex features list, codex doctor, and strict codex exec
  • SessionStart clear matcher coverage [hook]
    Extend existing SessionStart matchers in ~/.codex/hooks.json from `startup
  • Strict-config stale-key cleanup [Codex-md]
    Remove config entries rejected by codex exec --strict-config: legacy [mcp], inactive app default approval key, profile-scoped allow_login_shell, and tools.view_image

New Tools, Skills & Patterns

  • Extension lifecycle observability intake [mcp/hook]
    https://github.com/openai/codex/releases/tag/rust-v0.133.0 - 0.133.0 exposes more lifecycle events for extensions, including subagent start/stop, tool execution, turn metadata, and async approval/turn processing. Map these to the local hook/AgentOps evidence ledger before wiring anything
  • Permission profile inheritance redesign [agent-pattern]
    https://developers.openai.com/codex/config-reference#configtoml - Permission profiles now support inheritance and managed requirements, while the old profile-scoped allow_login_shell entries were inactive. Rebuild conservative profiles around supported permission-profile primitives
  • Plugin discovery report adapter [mcp]
    https://github.com/openai/codex/releases/tag/rust-v0.133.0 - New marketplace-aware plugin list output and installed-version visibility can improve ecosystem reports without enabling plugin hooks
  • Temporal awareness hook design [hook]
    https://github.com/rohitg00/awesome-claude-code-toolkit - claude-time and temporal-core show useful elapsed-time prompting patterns, but they require new hook scripts and should be designed against prompt-telemetry and privacy constraints
  • Cost/session analytics intake [skill]
    https://github.com/rohitg00/awesome-claude-code-toolkit - ccusage, cc-cost, tokburn, and agenttrace suggest local-first transcript analytics patterns; adapt only if they read Codex-owned state and avoid raw prompt exfiltration

Research Worth Reading

  • No new directly applicable last-24-hour arXiv paper surfaced from the LLM agent coding query; the arXiv export API rate-limited during the run, so web search was used as fallback.
  • Autonomous LLM Agent Worms: Cross-Platform Propagation, Automated Discovery and Temporal Re-Entry Defense
    - Reinforces typed memory promotion and capability attenuation after untrusted reads
  • Can Coding Agents Reproduce Findings in Computational Materials Science?
    - Reinforces evidence-backed closure and reproducibility checks for long-horizon coding agents
  • To What Extent Does Agent-generated Code Require Maintenance? An Empirical Study
    - Useful watch item for post-build maintainability scoring and refactor gates

Considered, Not Adopting

Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.

  • Enable plugin_hooks automatically - Stable in 0.133.0 but still requires hook trust review; keep off globally until a plugin-specific trust pass is done.
  • Enable native Codex memories automatically - Conflicts with the current omni-mem default and prior rejection policy for native memories.
  • Wholesale install Claude toolkits or community plugin bundles - Violates Codex-owned surface rule and imports unreviewed hooks/skills.
  • Add tailtest, temporal-core, claude-time, or weft hooks directly - Requires new scripts or new runtime files, which the ecosystem-update hard limits forbid as Quick Wins.
  • Remote computer use/Appshots rollout - App-level workflow change that needs explicit trust testing, not a harness quick win.
  • Delete rollout files flagged by codex doctor - Potentially destructive state cleanup; keep as a separate maintenance task with explicit retention policy.

Sources Reviewed