Ecosystem Update - 2026-05-29
TL;DR
- Official Codex stable is 0.135.0; this machine is still on codex-cli 0.133.0, so upgrade + smoke is the highest-value queued item, not an auto-applied quick win.
- Safe Quick Win implemented: ~/.codex/bin/codex-runtime-doctor now includes the redacted official codex doctor --json summary.
- Current setup already covers most community recommendations: hooks, custom agents, skills, OpenAI docs MCP, omni-mem, browser tooling, execution policy rules, and prompt telemetry off by default.
Quick Wins
| Item | Source | Type | Impact | Effort | Action |
|---|---|---|---|---|---|
| Official doctor summary in runtime doctor | https://github.com/openai/codex/releases/tag/rust-v0.135.0 | harness | 2 | 1 | Auto-implemented in ~/.codex/bin/codex-runtime-doctor; parses codex doctor --json, reports status counts, and surfaces non-ok checks. |
Build Queue
- Codex 0.135.0 stable upgrade and smoke (runtime) - https://github.com/openai/codex/releases/tag/rust-v0.135.0 - Current CLI is 0.133.0; 0.135.0 adds richer doctor output, /status remote details, named permission profile display, packaged zsh helper discovery, Python SDK sandbox presets, and several TUI/resume fixes. Queued because prior ecosystem state rejected auto-upgrading Codex as a Quick Win.
- Named permission profile migration evaluation (config) - https://developers.openai.com/codex/config-reference#configtoml - Current config uses top-level sandbox_mode plus [profiles.*]; docs now expose default_permissions and [permissions.<name>] profiles, but the docs warn not to combine default_permissions with sandbox_mode. Needs a deliberate migration plan.
- Thread idle lifecycle hook intake (hook) - https://github.com/openai/codex/releases/tag/rust-v0.135.0 - Release notes include a thread idle lifecycle hook change. Current hooks.json covers PreToolUse, PostToolUse, SessionStart, UserPromptSubmit, Stop, and PreCompact; no existing idle-specific script is available, so this is not safe to wire automatically.
- Official doctor state-path cleanup follow-up (runtime hygiene) - local codex doctor --json and codex-runtime-doctor - Doctor surfaced large rollout state and 4 stale/temp trusted project entries. Existing posture tooling can inspect this, but cleanup should be scoped and reviewed before touching trust roots.
- Python SDK sandbox preset adapter check (SDK/harness) - https://github.com/openai/codex/releases/tag/rust-v0.135.0 - Release adds friendly Sandbox presets for Python SDK thread/turn APIs. Local search did not find a direct Python SDK adapter in the Codex harness; verify only if new SDK-based automation lands.
Research
- Autonomous LLM Agents & CTFs: A Second Look - Reinforces that general-purpose coding agents are strong baselines and that specialized role orchestration should be justified by measurable consistency/cost gains.
- Autonomous LLM Agent Worms: Cross-Platform Propagation, Automated Discovery and Temporal Re-Entry Defense - Already aligned with this runtime's memory/prompt-telemetry caution; keep applying the write-before-read and typed-memory promotion lens to hooks and skills.
- Self-Evolving Software Agents - Relevant to /evolve and autonomy lab work, but current governance should keep self-modification behind explicit eval gates.
Already Have
PreToolUse Bash guard, PostToolUse verification ledger, PostToolUse failure context, SessionStart startup/resume/clear/compact coverage, UserPromptSubmit route classifier, Stop omni-mem save hook, PreCompact omni-mem hook, OpenAI developer docs MCP, omni-mem MCP, browser/chrome/computer-use plugins, read-only planner/reviewer/validator agents, workspace-write worker agent, custom agent nicknames, skills-janitor, security-audit, codex-security, planning-gate, auto runtime, what-would-chad-do reflection, execpolicy rules for destructive git and rm -rf, prompt telemetry disabled, plugin hooks disabled, native Codex memories disabled, conservative profiles, conservative auto-review profile, project doc byte cap.
Rejected
- Auto-upgrade Codex to 0.135.0 as a Quick Win - rejected because prior state repeatedly rejected auto-upgrades; upgrading the installed CLI is a user-authority/runtime-change boundary.
- Enable plugin hooks globally - rejected because plugin_hooks = false is an intentional trust posture and external plugin hook loading remains a supply-chain risk.
- Enable native Codex memories - rejected because omni-mem is the active memory system and native memories remain disabled by policy.
- Wholesale import community skill/plugin catalogs - rejected because the setup already has targeted local skills; bulk imports from Claude/Codex community lists violate anti-overengineering and supply-chain discipline.
- Wire thread idle hook immediately - rejected because no existing idle-specific script was identified; adding a new hook script is outside Quick Win limits.
- Install external session manager or agenttrace stack - rejected as a new daemon/control plane without proof that existing doctor, logs, session search, and omni-mem are insufficient.
- Add prompt logging through UserPromptSubmit - rejected because prompt telemetry must remain opt-in.
Auto-Implemented
- Patched ~/.codex/bin/codex-runtime-doctor with a read-only Official Doctor section.
- Backups written under ~/.codex/backups/2026-05-29/ for config, hooks, agents, and the patched runtime doctor.
- Verification passed: python3 -m py_compile /Users/chadsimon/.codex/bin/codex-runtime-doctor.
- Verification passed: python3 /Users/chadsimon/.codex/bin/codex-runtime-doctor completed with errors=0 warnings=3; warnings were pre-existing stale/temp trusted projects plus official doctor TERM=dumb in the non-interactive shell.
Sources checked: https://github.com/hesreallyhim/awesome-claude-code, https://howborisusesclaudecode.com/, https://github.com/shanraisshan/codex-cli-best-practice, https://github.com/openai/codex/releases, https://developers.openai.com/codex/, https://developers.openai.com/codex/config-reference, https://arxiv.org/search/?searchtype=all&query=LLM+agent+coding&order=-announced_date_first, https://github.com/rohitg00/awesome-claude-code-toolkit, web search supplement for Codex hooks/agents/skills. Tier 2 fetched: yes. Tier 3 fetched: yes, targeted because official release/docs changed. Run at: 2026-05-29T10:30:48Z.