Ecosystem Update - 2026-05-27

May 27, 2026 · generated by the ecosystem-update Claude Skill

TL;DR

One safe Quick Win was implemented: restored the official Codex config schema header in ~/.codex/config.toml, clearing the local config-posture hard violation.
Tier 1 community sources had no new GitHub commits since yesterday's run; their useful patterns are already covered locally or require repo-specific design.
Today's strongest research signals are SEC-bench Pro and Verus-SpecGym: both reinforce evidence-backed closure and intent/spec validation rather than new global automation.

Quick Wins

Item	Source	Type	Impact	Effort	Action
Config schema header repair	https://developers.openai.com/codex/config-reference#configtoml and local `codex_config_posture.py`	Codex-md	2	1	Restore `#:schema https://developers.openai.com/codex/config-schema.json` as the first line of `~/.codex/config.toml`

Auto-Implemented

Backed up config.toml, hooks.json, and current agent TOML files under /Users/chadsimon/.codex/backups/2026-05-27/.
Added #:schema https://developers.openai.com/codex/config-schema.json as the first line of /Users/chadsimon/.codex/config.toml.
Verified config.toml with Python tomllib.
Verified hooks.json with python3 -m json.tool /Users/chadsimon/.codex/hooks.json.
Verified the harness posture with python3 /Users/chadsimon/.codex/bin/codex_config_posture.py --mode warn; it now reports Codex config posture ok.
Smoke-ran python3 /Users/chadsimon/.codex/bin/rlm_session_preflight.py </dev/null; it exited 0.

Build Queue

SEC-bench Pro security-eval adapter (research) - https://arxiv.org/abs/2605.26548v1 - Long-horizon software-security tasks map cleanly to codex-security, security-audit, and AgentOps closure gates. Build only a thin intake/eval adapter if the benchmark artifacts are reproducible enough to run locally.
Verus-SpecGym intent/spec validation intake (research) - https://arxiv.org/abs/2605.26457v1 - The paper targets a real verification failure mode: generated formal specs can be machine-checkable while not matching user intent. Fold this into planning-gate/eval design for formal or contract-heavy tasks before adding any new runtime hook.
RepoMirage-style repository perturbation checks (research) - https://arxiv.org/abs/2605.26177v1 - Useful for future rlm-scan and reviewer evals because it tests whether agents use repository structure robustly instead of overfitting path/name cues.
Conservative auto-review profile naming cleanup (Codex-md) - https://developers.openai.com/codex/config-reference#configtoml - Current approvals_reviewer = "guardian_subagent" is schema-accepted as a legacy alias, but docs prefer auto_review; normalize later with a focused profile compatibility check.

Research

Helicase: Uncertainty-Guided Supply Chain Knowledge Graph Construction with Autonomous Multi-Agent LLMs - Relevant to source synthesis and confidence accounting, but a knowledge-graph layer would be too heavy for today's harness without a concrete repeated failure.
SEC-bench Pro: Can Language Models Solve Long-Horizon Software Security Tasks? - Good candidate benchmark for security-agent closure quality and long-horizon exploit/patch workflows.
Verus-SpecGym: An Agentic Environment for Evaluating Specification Autoformalization - Directly relevant to checking whether formal acceptance criteria preserve user intent, not just verifier success.
RepoMirage: Probing Repository Context Reasoning in Code Agents with Perturbations - Supports future evals for cached repo context and codebase-localization robustness.

Already Have

Power-user default model/profile posture, prompt telemetry off, live web search, official config schema hook now restored, native hooks enabled, UserPromptSubmit route classification, Bash PreToolUse safety guard, Bash PostToolUse verification and failure-context hooks, SessionStart cached repo context and config-posture checks, Stop and PreCompact omni-mem hooks, OpenAI developer docs MCP, omni-mem MCP, Browser/Chrome/Computer Use/Documents/Spreadsheets/Presentations/Gmail/OpenAI Developers plugins, read-only explorer/planner/reviewer/python-reviewer/typescript-reviewer/validator agents, scoped workspace-write worker and chad-twin agents, bounded agent depth/thread/runtime caps, conservative and review profiles, destructive app tools disabled globally, pokegen disabled through [[skills.config]], session recall, skill audit, planning-gate, /auto, build/drive/go/govern wrappers, security-audit, codex-security, runtime doctor, what-would-chad-do, and daily ecosystem state tracking.

Rejected

Wholesale import from Awesome Claude Code, Boris workflows, or community Codex skill catalogs - rejected: outside skills require strict audit and the local skill library already covers the recurring workflows.
Global auto-format PostToolUse hook - rejected as a Quick Win: the skill forbids adding hooks that require new scripts, and formatting is repo-specific.
Enable native Codex memories - rejected: current memory authority is omni-mem, and changing memory generation globally would alter privacy/trust posture.
Default worktree isolation for all agents - rejected: useful for selected large migrations, but a global behavior change would add coordination overhead without a proven current bottleneck.
Build a Helicase-style source knowledge graph service - rejected: current WebFetch/search plus report/state files satisfy today's source synthesis needs.
Normalize guardian_subagent to auto_review immediately - rejected as a Quick Win: the official schema still accepts the legacy value for compatibility, so this is cleanup rather than a hard defect.

Sources checked: https://github.com/hesreallyhim/awesome-claude-code, https://raw.githubusercontent.com/hesreallyhim/awesome-claude-code/main/THE_RESOURCES_TABLE.csv, https://howborisusesclaudecode.com/, https://github.com/shanraisshan/codex-cli-best-practice, https://raw.githubusercontent.com/shanraisshan/codex-cli-best-practice/main/best-practice/codex-hooks.md, https://raw.githubusercontent.com/shanraisshan/codex-cli-best-practice/main/best-practice/codex-skills.md, https://arxiv.org/search/?searchtype=all&query=LLM+agent+coding&order=-announced_date_first, https://arxiv.org/abs/2605.26835v1, https://arxiv.org/abs/2605.26548v1, https://arxiv.org/abs/2605.26457v1, https://arxiv.org/abs/2605.26177v1, https://developers.openai.com/codex/config-reference#configtoml, https://developers.openai.com/codex/config-schema.json, web search: "Codex new hooks agents skills site:github.com 2026", web search: "arxiv.org LLM agent coding autonomous 2026 site:arxiv.org" Tier 2 fetched: yes Tier 3 fetched: no; skipped because the last full Tier 3 run was 2026-05-22T10:37:39Z, inside the 7-day window. Run at: 2026-05-27T10:34:35Z