Ecosystem Update - 2026-05-29
Highlights
- Official Codex stable is 0.135.0; this machine is still on codex-cli 0.133.0, so upgrade + smoke is the highest-value queued item, not an auto-applied quick win
- Safe Quick Win implemented: ~/.codex/bin/codex-runtime-doctor now includes the redacted official codex doctor --json summary
Quick Wins (implemented today)
- Official doctor summary in runtime doctor harness - Auto-implemented in ~/.codex/bin/codex-runtime-doctor; parses codex doctor --json, reports status counts, and surfaces non-ok checks
New Tools, Skills & Patterns
- Codex 0.135.0 stable upgrade and smoke runtime https://github.com/openai/codex/releases/tag/rust-v0.135.0 - Current CLI is 0.133.0; 0.135.0 adds richer doctor output, /status remote details, named permission profile display, packaged zsh helper discovery, Python SDK sandbox presets, and several TUI/resume fixes. Queue because prior ecosystem state rejected auto-upgrading Codex as a Quick Win
- Named permission profile migration evaluation config https://developers.openai.com/codex/config-reference#configtoml - Current config uses top-level sandbox_mode plus [profiles.*]; docs now expose default_permissions and [permissions.<name>] profiles, but the docs warn not to combine default_permissions with sandbox_mode. Needs a deliberate migration plan
- Thread idle lifecycle hook intake hook https://github.com/openai/codex/releases/tag/rust-v0.135.0 - Release notes include a thread idle lifecycle hook change. Current hooks.json covers PreToolUse, PostToolUse, SessionStart, UserPromptSubmit, Stop, and PreCompact; no existing idle-specific script is available, so this is not safe to wire automatically
- Official doctor state-path cleanup follow-up runtime hygiene local codex doctor --json and codex-runtime-doctor - Doctor surfaced large rollout state and 4 stale/temp trusted project entries. Existing posture tooling can inspect this, but cleanup should be scoped and reviewed before touching trust roots
- Python SDK sandbox preset adapter check SDK/harness https://github.com/openai/codex/releases/tag/rust-v0.135.0 - Release adds friendly Sandbox presets for Python SDK thread/turn APIs. Local search did not find a direct Python SDK adapter in the Codex harness; verify only if new SDK-based automation lands
Research Worth Reading
- Autonomous LLM Agents & CTFs: A Second Look - Reinforces that general-purpose coding agents are strong baselines and that specialized role orchestration should be justified by measurable consistency/cost gains
- Autonomous LLM Agent Worms: Cross-Platform Propagation, Automated Discovery and Temporal Re-Entry Defense - Already aligned with this runtime's memory/prompt-telemetry caution; keep applying the write-before-read and typed-memory promotion lens to hooks and skills
- Self-Evolving Software Agents
Considered, Not Adopting
Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.
- Auto-upgrade Codex to 0.135.0 as a Quick Win - rejected because prior state repeatedly rejected auto-upgrades; upgrading the installed CLI is a user-authority/runtime-change boundary
- Enable plugin hooks globally - rejected because plugin_hooks = false is an intentional trust posture and external plugin hook loading remains a supply-chain risk
- Enable native Codex memories
- Wholesale import community skill/plugin catalogs - rejected because the setup already has targeted local skills; bulk imports from Claude/Codex community lists violate anti-overengineering and supply-chain discipline
- Wire thread idle hook immediately - rejected because no existing idle-specific script was identified; adding a new hook script is outside Quick Win limits
- Install external session manager or agenttrace stack
- Add prompt logging through UserPromptSubmit - rejected because prompt telemetry must remain opt-in