~/chadacus.dev/ecosystem-update/2026-07-04

Ecosystem Update - 2026-07-04

July 4, 2026 · curated by Chad Simon · 12 items reviewed

Highlights

  • One safe harness Quick Win was implemented: removed 17 stale trusted project entries for deleted temp/scratch directories from ~/.codex/config.toml
  • Today's strongest ecosystem signal is context/harness linting: AGENTS/SKILL/hooks/MCP validators are maturing, but they should be audited before adoption
  • Dynamic workflows, broad skill catalogs, native memories, and automatic Codex upgrades remain useful signals but fail the automatic Quick Win safety gate for this setup

Quick Wins (implemented today)

  • Stale trusted project cleanup config
    Removed 17 deleted temp/scratch [projects] trust blocks from ~/.codex/config.toml; backup written to ~/.codex/backups/2026-07-04/

New Tools, Skills & Patterns

  • Agent context linter adapter skill/tooling
    awesome-claude-code now highlights AGENTS/SKILL/hooks/MCP linting tools such as agnix, Ctxlint, and agents-md-cookbook; build a read-only audit wrapper first, then run codex-skill-audit --strict before trusting any external package
  • approvals_reviewer profile normalization check config
    official docs list approvals_reviewer as user | auto_review, while the inactive conservative-auto-review profile still uses guardian_subagent; needs a deterministic strict-config validation path before changing behavior
  • Existing-script secret-scan expansion hook
    Agent Guard reinforces real-time secret-leak guardrails; only build this by extending existing Codex-owned guard scripts or adding a reviewed script first, never by wiring an unbuilt hook
  • Codex MCP-server interop smoke mcp
    codex-cli-best-practice documents Codex as an MCP server; useful for Wren/Claude interop, but it needs a smoke test and explicit boundary before any daemon or persistent route is added

Research Worth Reading

  • No Tier 2 arXiv fetch this run. The last Tier 2 run was 2026-07-03T06:33:50-04:00; this run started at 2026-07-04T06:30:47-04:00, still inside the 24-hour skip window.

Considered, Not Adopting

Items reviewed and explicitly declined this cycle, with the reason. Curation discipline matters more than coverage.

  • Wholesale community skill catalog import - external skills are not trusted without codex-skill-audit --strict, and this setup already has a large curated local skill set.
  • Auto-wire PreSkillUse/PostSkillUse or other unsupported hook events - no confirmed local support and no existing target script; violates the no-new-hook-without-script Quick Win limit.
  • Auto-enable native Codex memories - conflicts with the current deliberate features.memories = false posture and omni-mem default workflow.
  • Auto-upgrade Codex CLI daily - too high-risk for automatic mutation; current config already checks for updates on startup.
  • Add AGENTS.override.md or edit AGENTS policy as a Quick Win - conflicts with the byte-identical global/project AGENTS contract and the skill's hard policy-doc limit.
  • Enable plugin_hooks or global MCP parallel calls - adds broad behavior without server-by-server proof.

Sources Reviewed

// archive

← back to all digests