~/chadacus.dev/ecosystem-update/2026-06-02

Ecosystem Update - 2026-06-02

June 2, 2026 · generated by the ecosystem-update Claude Skill

TL;DR

  • Official Codex 0.136.0 is out; local PATH Codex is still 0.133.0, and packaged Codex.app is 0.135.0-alpha.1, so upgrade/alignment needs a deliberate smoke pass rather than an automatic daily mutation.
  • Implemented one safe harness Quick Win: removed one stale trusted project entry from ~/.codex/config.toml; runtime doctor warnings dropped from 5 to 4 with zero errors.
  • Community catalogs continue to converge on hooks, agents, skills, MCP, and plugin marketplaces; this setup already has those primitives, so targeted audits beat wholesale imports.

Quick Wins

Item Source Type Impact Effort Action
Stale trusted project prune for New project 7 local codex-runtime-doctor after daily crawl Codex-md 2 1 Removed the nonexistent /Users/chadsimon/Documents/New project 7 trusted project block from ~/.codex/config.toml.

Auto-Implemented

  • Backed up ~/.codex/config.toml, ~/.codex/hooks.json, and all ~/.codex/agents/*.toml files under ~/.codex/backups/2026-06-02/.
  • Removed only [projects."/Users/chadsimon/Documents/New project 7"] from ~/.codex/config.toml.
  • Verification passed: ~/.codex/config.toml parses as TOML, ~/.codex/hooks.json parses as JSON, and python3 ~/.codex/bin/codex-runtime-doctor exits with errors=0 warnings=4.

Build Queue

  • Stable Codex 0.136.0 upgrade and smoke (Codex-md) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 - Latest npm is 0.136.0; local PATH is 0.133.0 and packaged app CLI is 0.135.0-alpha.1. Upgrade deliberately, then smoke hooks, MCP listing, app connectors, codex doctor --json, codex features list, and a protected-branch push guard test.
  • Archive lifecycle harness check (Codex-md) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 - codex archive / codex unarchive can protect old sessions from accidental resume/fork; add a small operator note or doctor check after the stable CLI is active.
  • App-server stdio and richer MCP status intake (mcp) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 - New app-server status and --stdio behavior could simplify connector debugging, but should wait until the CLI upgrade is complete.
  • Remote-control server-token auth review (mcp) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 - Remote control moved away from ChatGPT access tokens; compare this with local app-server/remote-control assumptions before enabling anything.
  • Codex hook catalog apply-patch compatibility audit (hook) - https://github.com/am-will/codex-skills - The catalog claims 51 ready-to-install Codex hook bundles and apply-patch compatibility; audit specific bundles with codex-skill-audit --strict before adapting any.
  • Operational safety taxonomy intake (research) - https://arxiv.org/abs/2605.30777 - The latest relevant arXiv result classifies coding-agent failures around constraint violations, destructive operations, authorization bypasses, and fabricated success; use it to refine local closure and guard tests.

Research

Already Have

OpenAI developer docs MCP, live web search posture, GPT-5.5 default model, goals enabled, direct/lightweight/autonomous route contract, UserPromptSubmit route classifier, PreToolUse Bash guard, protected main/master push blocking, PostToolUse verification and failure-context hooks, SessionStart startup/resume/clear/compact coverage, Stop and PreCompact omni-mem hooks, read-only explorer/reviewer/validator agents, Python and TypeScript reviewers, conservative profiles, plugin and app connectors, local runtime doctor with CLI split-brain checks, config posture checker, skill creator/installer/audit flows, omni-mem durable memory, and policy-sized AGENTS.md with runtime-reference handoff.

Rejected

  • Auto-upgrade Codex CLI during ecosystem-update - changes active runtime binaries and needs rollback notes plus a smoke pass; keep as Build Queue.
  • Enable Bedrock provider globally - 0.136.0 mentions Bedrock catalog/auth improvements, but this setup is OpenAI-first and no recurring Bedrock need is proven.
  • Enable native Codex memories as a Quick Win - conflicts with the current omni-mem-first policy and prior rejection history; requires an explicit pilot.
  • Enable plugin hooks or import third-party hook bundles wholesale - still needs trust review, script inspection, and targeted need; daily auto-import is too broad.
  • Install am-will/codex-skills wholesale - duplicates local skills/agents/hooks and includes multi-provider/web-UI flows that add complexity without a current task.
  • Add managed requirements.toml enterprise policy now - official config supports managed requirements, but this local power-user setup already has policy and doctor gates; enterprise constraints need a separate design decision.
  • Use Claude-specific prompt/agent hook patterns directly - useful as reference only; Codex-owned command hooks and verifier agents remain the local runtime boundary.

Sources checked: https://github.com/hesreallyhim/awesome-claude-code, https://howborisusesclaudecode.com/, https://github.com/shanraisshan/codex-cli-best-practice, https://arxiv.org/search/?searchtype=all&query=LLM+agent+coding&order=-announced_date_first, http://export.arxiv.org/api/query?search_query=all:%22LLM%20agent%20coding%22%20OR%20all:%22autonomous%20coding%20agent%22&start=0&max_results=10&sortBy=submittedDate&sortOrder=descending, https://github.com/openai/codex/releases, https://github.com/openai/codex/releases/tag/rust-v0.136.0, https://developers.openai.com/codex/config-reference, https://github.com/am-will/codex-skills Tier 2 fetched: yes Tier 3 fetched: no - last tier3 run was 2026-05-30T10:34:13Z, still within 7 days Run at: 2026-06-02T10:32:53Z

// archive

← back to all digests