Ecosystem Update - 2026-06-02
TL;DR
- Official Codex
0.136.0is out; local PATH Codex is still0.133.0, and packaged Codex.app is0.135.0-alpha.1, so upgrade/alignment needs a deliberate smoke pass rather than an automatic daily mutation. - Implemented one safe harness Quick Win: removed one stale trusted project entry from
~/.codex/config.toml; runtime doctor warnings dropped from 5 to 4 with zero errors. - Community catalogs continue to converge on hooks, agents, skills, MCP, and plugin marketplaces; this setup already has those primitives, so targeted audits beat wholesale imports.
Quick Wins
| Item | Source | Type | Impact | Effort | Action |
|---|---|---|---|---|---|
Stale trusted project prune for New project 7 |
local codex-runtime-doctor after daily crawl |
Codex-md | 2 | 1 | Removed the nonexistent /Users/chadsimon/Documents/New project 7 trusted project block from ~/.codex/config.toml. |
Auto-Implemented
- Backed up
~/.codex/config.toml,~/.codex/hooks.json, and all~/.codex/agents/*.tomlfiles under~/.codex/backups/2026-06-02/. - Removed only
[projects."/Users/chadsimon/Documents/New project 7"]from~/.codex/config.toml. - Verification passed:
~/.codex/config.tomlparses as TOML,~/.codex/hooks.jsonparses as JSON, andpython3 ~/.codex/bin/codex-runtime-doctorexits witherrors=0 warnings=4.
Build Queue
- Stable Codex 0.136.0 upgrade and smoke (Codex-md) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 - Latest npm is
0.136.0; local PATH is0.133.0and packaged app CLI is0.135.0-alpha.1. Upgrade deliberately, then smoke hooks, MCP listing, app connectors,codex doctor --json,codex features list, and a protected-branch push guard test. - Archive lifecycle harness check (Codex-md) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 -
codex archive/codex unarchivecan protect old sessions from accidental resume/fork; add a small operator note or doctor check after the stable CLI is active. - App-server stdio and richer MCP status intake (mcp) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 - New app-server status and
--stdiobehavior could simplify connector debugging, but should wait until the CLI upgrade is complete. - Remote-control server-token auth review (mcp) - https://github.com/openai/codex/releases/tag/rust-v0.136.0 - Remote control moved away from ChatGPT access tokens; compare this with local app-server/remote-control assumptions before enabling anything.
- Codex hook catalog apply-patch compatibility audit (hook) - https://github.com/am-will/codex-skills - The catalog claims 51 ready-to-install Codex hook bundles and apply-patch compatibility; audit specific bundles with
codex-skill-audit --strictbefore adapting any. - Operational safety taxonomy intake (research) - https://arxiv.org/abs/2605.30777 - The latest relevant arXiv result classifies coding-agent failures around constraint violations, destructive operations, authorization bypasses, and fabricated success; use it to refine local closure and guard tests.
Research
- What Breaks When LLMs Code? Characterizing Operational Safety Failures of Agentic Code Assistants - Directly supports the local AgentOps emphasis on constraint boundaries, safe-halt behavior, failure transparency, and evidence-backed closure.
Already Have
OpenAI developer docs MCP, live web search posture, GPT-5.5 default model, goals enabled, direct/lightweight/autonomous route contract, UserPromptSubmit route classifier, PreToolUse Bash guard, protected main/master push blocking, PostToolUse verification and failure-context hooks, SessionStart startup/resume/clear/compact coverage, Stop and PreCompact omni-mem hooks, read-only explorer/reviewer/validator agents, Python and TypeScript reviewers, conservative profiles, plugin and app connectors, local runtime doctor with CLI split-brain checks, config posture checker, skill creator/installer/audit flows, omni-mem durable memory, and policy-sized AGENTS.md with runtime-reference handoff.
Rejected
- Auto-upgrade Codex CLI during ecosystem-update - changes active runtime binaries and needs rollback notes plus a smoke pass; keep as Build Queue.
- Enable Bedrock provider globally -
0.136.0mentions Bedrock catalog/auth improvements, but this setup is OpenAI-first and no recurring Bedrock need is proven. - Enable native Codex memories as a Quick Win - conflicts with the current omni-mem-first policy and prior rejection history; requires an explicit pilot.
- Enable plugin hooks or import third-party hook bundles wholesale - still needs trust review, script inspection, and targeted need; daily auto-import is too broad.
- Install
am-will/codex-skillswholesale - duplicates local skills/agents/hooks and includes multi-provider/web-UI flows that add complexity without a current task. - Add managed
requirements.tomlenterprise policy now - official config supports managed requirements, but this local power-user setup already has policy and doctor gates; enterprise constraints need a separate design decision. - Use Claude-specific prompt/agent hook patterns directly - useful as reference only; Codex-owned command hooks and verifier agents remain the local runtime boundary.
Sources checked: https://github.com/hesreallyhim/awesome-claude-code, https://howborisusesclaudecode.com/, https://github.com/shanraisshan/codex-cli-best-practice, https://arxiv.org/search/?searchtype=all&query=LLM+agent+coding&order=-announced_date_first, http://export.arxiv.org/api/query?search_query=all:%22LLM%20agent%20coding%22%20OR%20all:%22autonomous%20coding%20agent%22&start=0&max_results=10&sortBy=submittedDate&sortOrder=descending, https://github.com/openai/codex/releases, https://github.com/openai/codex/releases/tag/rust-v0.136.0, https://developers.openai.com/codex/config-reference, https://github.com/am-will/codex-skills Tier 2 fetched: yes Tier 3 fetched: no - last tier3 run was 2026-05-30T10:34:13Z, still within 7 days Run at: 2026-06-02T10:32:53Z