~/chadacus.dev/ecosystem-update/2026-06-23

Ecosystem Update - 2026-06-23

June 23, 2026 · curated by Chad Simon · 16 items reviewed

Highlights

  • No new harness mutation was safe to auto-apply in this second pass. The useful Claude/Codex pulls from the previous step are now part of the: Stop completion evidence, stricter agent handoffs, and test-breadth classification
  • The one operational follow-up is hook trust: official Codex docs require changed non-managed hooks to be reviewed through /hooks; the Stop completion hook added today may not run in interactive Codex until trusted
  • Tier 1 sources mostly reinforce current posture: progressive-disclosure skills, bounded subagents, hook-backed validation, explicit acceptance criteria, and native config.toml MCP/plugin management

Quick Wins (implemented today)

  • None admitted by the safety gate hook/agent-pattern/skill
    Current setup vs. second-pass crawl
    No additional harness mutation after the contract-state repair

New Tools, Skills & Patterns

  • Hook trust review for new Stop completion gate hook
    https://developers.openai.com/codex/hooks - Official docs say non-managed command hooks must be reviewed/trusted by hash. Run interactive /hooks and trust python3 /Users/chadsimon/.codex/bin/completion_gate.py --event stop, or use --dangerously-bypass-hook-trust only for vetted automation. Impact 3 / Effort 1, but requires interactive review authority
  • Subagent lifecycle tracer design hook
    https://developers.openai.com/codex/hooks - SubagentStart and SubagentStop are supported hook events, but there is still no proven Codex-owned target script. Build a tiny JSONL tracer only if subagent evidence gaps recur. Impact 2 / Effort 2
  • PermissionRequest profile policy eval hook
    https://developers.openai.com/codex/hooks - PermissionRequest is supported, but the default posture is approval_policy = "never". Evaluate only for conservative/on-request profiles before wiring anything globally. Impact 2 / Effort 2
  • Skill metadata audit for agents/openai.yaml skill
    https://developers.openai.com/codex/skills - Official docs support per-skill UI metadata and allow_implicit_invocation. Useful for noisy or explicit-only personal skills, but current descriptions are already concise enough for discovery. Impact 1 / Effort 1
  • External skill catalog triage skill
    https://github.com/VoltAgent/awesome-agent-skills and https://github.com/hesreallyhim/awesome-claude-code - Large skill catalogs keep growing, but wholesale import is wrong. Triage one domain at a time through codex-skill-audit --strict. Impact 2 / Effort 2

Research Worth Reading

  • Codex hooks docs
    - Confirms supported event set, concurrent hook launch behavior, trust-by-hash, managed hooks, plugin-bundled hooks, and current command-handler limits
  • Codex skills docs
    - Reinforces progressive disclosure, skill locations, plugin distribution, and optional agents/openai.yaml metadata
  • shanraisshan/codex-cli-best-practice
    - Reinforces native Codex primitives already in use: subagent TOMLs, skills under .agents/skills, MCP in config.toml, Starlark rules, hooks, and session/history management
  • How Boris Uses Claude Code
    - Reinforces full task context upfront: goal, constraints, and acceptance criteria

Considered, Not Adopting

Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.

  • Auto-trust the new hook by editing hooks.state hashes manually- rejected: official docs define /hooks as the review path, and the hash algorithm/state is intentionally opaque. Do not forge trust state
  • Wire SubagentStart, SubagentStop, PostCompact, or PermissionRequest immediately- rejected: supported events exist, but no existing target script was proven for these events in this pass
  • Enable plugin_hooks globally- rejected: expands the trust surface and contradicts current runtime posture
  • Enable native Codex memoriesenabling a second durable memory plane would add drift and privacy risk
  • Increase subagent depth or generic parallelism- rejected: current cap is intentional; deeper nesting needs a temporary profile and eval, not a global default change
  • Install large external skill catalogs wholesale- rejected: outside skills require strict audit and domain-specific need

Sources Reviewed

// archive

← back to all digests