~/chadacus.dev/ecosystem-update/2026-06-02

Ecosystem Update - 2026-06-02

June 2, 2026 · curated by Chad Simon · 15 items reviewed

Highlights

  • Official Codex 0.136.0 is out; local PATH Codex is still 0.133.0, and packaged Codex.app is 0.135.0-alpha.1, so upgrade/alignment needs a deliberate smoke pass rather than an automatic daily mutation
  • Implemented one safe harness Quick Win: removed one stale trusted project entry from ~/.codex/config.toml; runtime doctor warnings dropped from 5 to 4 with zero errors
  • Community catalogs continue to converge on hooks, agents, skills, MCP, and plugin marketplaces; this setup already has those primitives, so targeted audits beat wholesale imports

Quick Wins (implemented today)

  • Stale trusted project prune for New project 7 Codex-md
    local codex-runtime-doctor after daily crawl
    Removed the nonexistent /Users/chadsimon/Documents/New project 7 trusted project block from ~/.codex/config.toml

New Tools, Skills & Patterns

  • Stable Codex 0.136.0 upgrade and smoke Codex-md
    https://github.com/openai/codex/releases/tag/rust-v0.136.0 - Latest npm is 0.136.0; local PATH is 0.133.0 and packaged app CLI is 0.135.0-alpha.1. Upgrade deliberately, then smoke hooks, MCP listing, app connectors, codex doctor --json, codex features list, and a protected-branch push guard test
  • Archive lifecycle harness check Codex-md
    https://github.com/openai/codex/releases/tag/rust-v0.136.0 - codex archive / codex unarchive can protect old sessions from accidental resume/fork; add a small operator note or doctor check after the stable CLI is active
  • App-server stdio and richer MCP status intake mcp
    https://github.com/openai/codex/releases/tag/rust-v0.136.0 - New app-server status and --stdio behavior could simplify connector debugging, but should wait until the CLI upgrade is complete
  • Remote-control server-token auth review mcp
    https://github.com/openai/codex/releases/tag/rust-v0.136.0 - Remote control moved away from ChatGPT access tokens; compare this with local app-server/remote-control assumptions before enabling anything
  • Codex hook catalog apply-patch compatibility audit hook
    https://github.com/am-will/codex-skills - The catalog claims 51 ready-to-install Codex hook bundles and apply-patch compatibility; audit specific bundles with codex-skill-audit --strict before adapting any
  • Operational safety taxonomy intake
    https://arxiv.org/abs/2605.30777 - The latest relevant arXiv result classifies coding-agent failures around constraint violations, destructive operations, authorization bypasses, and fabricated success; use it to refine local closure and guard tests

Research Worth Reading

  • What Breaks When LLMs Code? Characterizing Operational Safety Failures of Agentic Code Assistants
    - Directly supports the local AgentOps emphasis on constraint boundaries, safe-halt behavior, failure transparency, and evidence-backed closure

Considered, Not Adopting

Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.

  • Auto-upgrade Codex CLI during ecosystem-update - changes active runtime binaries and needs rollback notes plus a smoke pass; keep as Build Queue.
  • Enable Bedrock provider globally - 0.136.0 mentions Bedrock catalog/auth improvements, but this setup is OpenAI-first and no recurring Bedrock need is proven.
  • Enable native Codex memories as a Quick Win - conflicts with the current omni-mem-first policy and prior rejection history; requires an explicit pilot.
  • Enable plugin hooks or import third-party hook bundles wholesale - still needs trust review, script inspection, and targeted need; daily auto-import is too broad.
  • Install am-will/codex-skills wholesale - duplicates local skills/agents/hooks and includes multi-provider/web-UI flows that add complexity without a current task.
  • Add managed requirements.toml enterprise policy now - official config supports managed requirements, but this local power-user setup already has policy and doctor gates; enterprise constraints need a separate design decision.
  • Use Claude-specific prompt/agent hook patterns directly - useful as reference only; Codex-owned command hooks and verifier agents remain the local runtime boundary.

Sources Reviewed

// archive

← back to all digests