~/chadacus.dev/ecosystem-update/2026-06-09

Ecosystem Update - 2026-06-09

June 9, 2026 · curated by Chad Simon · 20 items reviewed

Highlights

  • Two safe harness Quick Wins landed: default.rules now blocks destructive git checkout -- and git clean -fd, and config.toml no longer trusts a stale /private/tmp/auto-task-eval-* project root
  • Tier 1 mostly reinforced existing posture: feature-specific subagents, progressive-disclosure skills, hook-backed validation, rules-based command policy, Chrome/browser verification, and cautious plugin intake
  • Tier 2 produced fresh June 8 research worth tracking: SIGA-style simulator-interface adapters, SecureClaw-style dual-boundary controls, DCPM memory hierarchy, and agent-serving simulation

Quick Wins (implemented today)

  • Destructive git execpolicy parity guard rule
    Add exact-prefix forbids for git checkout -- and git clean -fd to the existing rules harness
  • Stale temp trust-root prune config
    /Users/chadsimon/.codex/bin/codex_config_posture.py --mode warn
    Remove missing /private/tmp/auto-task-eval-4qqi_jtw/blocked-terminal-repo from trusted projects

New Tools, Skills & Patterns

  • Codex 0.137+ upgrade and smoke Codex-md
    https://github.com/shanraisshan/codex-cli-best-practice - Local codex --version reports codex-cli 0.133.0, while the best-practice source references 0.137.0 and sessions/archive/history features. Verify against official OpenAI releases before upgrading; do not auto-upgrade inside this daily skill
  • SIGA-style domain contract adapters
    https://arxiv.org/abs/2606.09774v1 - Build a small adapter-pack pattern for domain tools: vocabulary, structural constraints, validation rules, termination checks, and trajectory-derived procedural memory. This belongs in a scoped skill or harness experiment, not global runtime policy
  • SecureClaw-style sensitive read and side-effect boundary spike
    https://arxiv.org/abs/2606.09549v1 - Current rules block obvious destructive shell patterns, but the stronger pattern is trusted read gateways plus preview/commit side effects. Worth a design spike for secrets and off-machine connector actions
  • AgentServeSim capacity-model intake
    arXiv daily API result for AGENTSERVESIM, 2026-06-08 - Session-aware routing and tool-gap simulation may help model local/remote agent serving cost, but it is too infrastructure-heavy for a Quick Win

Research Worth Reading

  • SIGA: Self-Evolving Coding-Agent Adapters for Scientific Simulation
    - Directly relevant to turning general coding agents into reliable operators for strict domain-specific tools through validation-enforced adapters
  • SecureClaw: Clawing Back Control of LLM Agents
    - Supports the local direction of effect-sink authorization and stronger sensitive-read confinement
  • Memory Beyond Recall: A Dual-Process Cognitive Memory System for Self-Evolving LLM Agents
  • Bespoke-Card: Why Tune When You Can Generate?
    - Interesting validator/archive-selection loop for generated code artifacts; applicable as a future benchmark-harness pattern
  • Trellis process semantics for spelling out rigorous proofs
    - Useful reference for deterministic incremental verification semantics, especially for proof-like or spec-heavy tasks

Considered, Not Adopting

Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.

  • Auto-upgrade Codex CLI from the ecosystem run - version drift is real, but upgrades require official release verification and a smoke pass outside this safe Quick Win lane.
  • Wholesale install from awesome-claude-code, Boris/Thariq workflows, am-will/codex-skills, or community plugin catalogs - useful intake material, but outside skills/plugins require strict audit and Codex-owned adaptation.
  • Enable plugin hooks globally - still a trust-boundary decision; current features.plugin_hooks = false remains the safer default.
  • Enable native Codex memories globally - conflicts with the omni-mem-first memory policy and the current prompt-telemetry posture.
  • Retire planning/alignment in favor of always-on auto mode - Boris's current Claude guidance is useful context, but it conflicts with this machine's non-trivial-work alignment and AgentOps contract.
  • Wire unsupported hook events such as PostCompact, PermissionRequest, SubagentStart, SubagentStop, PreSkillUse, or PostSkillUse without existing scripts and verified runtime support - report as watch items only.
  • Enable Fast Mode or global service_tier - this is a spend/performance preference, not a safety or quality harness fix.
  • Default all subagents to worktree isolation - still too broad for routine local runs; use bounded task-specific isolation when the task warrants it.
  • Edit AGENTS.md as a Quick Win - constitutional policy docs require explicit direction.

Sources Reviewed

// archive

← back to all digests