chore(codex): refresh system runtime pins

Author: rldyourmnd

CHANGELOG.md

@@ -10,6 +10,9 @@ The format follows Keep a Changelog, and marketplace/plugin versions follow Sema
 
 ### Changed
 
+- Runtime pins updated to current stable upstream versions: Codex CLI `0.132.0`, Serena Agent `1.5.1`, and Chrome DevTools MCP `1.0.1`.
+- System Codex docs now clarify that the owner-selected `sandbox_mode = "danger-full-access"` remains the active runtime policy while `plugin_hooks` stays an explicit official Codex opt-in.
+
 ### Security
 
 ## [0.4.1] - 2026-05-19

README.md

@@ -114,7 +114,7 @@ scripts/doctor_system_codex.sh --strict-runtime
 python3 scripts/validate_runtime_prereqs.py --strict --require-codex
 ```
 
-System Codex is intentionally configured for unattended maintainer-controlled execution on a trusted machine: `profile = "rldyour-yolo"`, `approval_policy = "never"`, `sandbox_mode = "danger-full-access"`, `default_permissions = ":danger-no-sandbox"`, `model = "gpt-5.5"`, and `model_reasoning_effort = "xhigh"`. Managed subagent roles in `system/agents/*.toml` install to `~/.codex/agents/*.toml` and use `model = "gpt-5.5"` with `model_reasoning_effort = "medium"`. This is a maintainer-required operating mode for trusted local machines; downstream operators should review their own permission posture before applying these defaults.
+System Codex is intentionally configured for unattended maintainer-controlled execution on a trusted machine: `profile = "rldyour-yolo"`, `approval_policy = "never"`, `sandbox_mode = "danger-full-access"`, `default_permissions = ":danger-no-sandbox"`, `model = "gpt-5.5"`, and `model_reasoning_effort = "xhigh"`. Current Codex documentation treats `sandbox_mode` as the active older sandbox model when it is present, so this repository does not migrate the owner profile to beta permission profiles without an explicit policy decision. Managed subagent roles in `system/agents/*.toml` install to `~/.codex/agents/*.toml` and use `model = "gpt-5.5"` with `model_reasoning_effort = "medium"`. This is a maintainer-required operating mode for trusted local machines; downstream operators should review their own permission posture before applying these defaults.
 
 Managed subagents currently include a temporary MCP isolation policy because Codex can eagerly initialize MCP servers per spawned session/subagent. Subagents keep the lightweight core surface available through inherited runtime configuration: `sequential-thinking`, `serena`, `context7`, `grep`, `deepwiki`, `openaiDeveloperDocs`, and built-in `codex_apps`. Specialist MCP servers such as `semgrep`, `figma`, `playwright`, `chrome-devtools`, `dart-flutter`, and `shadcn` are explicitly disabled inside managed subagents and remain parent-session tools for explicit security, design, browser, Flutter, or shadcn work.
 

config/mcp-runtime-versions.env

@@ -5,12 +5,12 @@ DART_FLUTTER_MCP_RUNTIME=external-local-dart-sdk
 NODE_MAJOR_VERSION=24
 BUN_VERSION=1.3.14
 DART_SDK_VERSION=3.11.0
-CODEX_CLI_VERSION=0.130.0
+CODEX_CLI_VERSION=0.132.0
 MCP_PYTHON_SDK_VERSION=1.27.1
-SERENA_AGENT_VERSION=1.3.0
+SERENA_AGENT_VERSION=1.5.1
 SEMGREP_VERSION=1.163.0
 SEQUENTIAL_THINKING_MCP_VERSION=2025.12.18
 PLAYWRIGHT_MCP_VERSION=0.0.75
-CHROME_DEVTOOLS_MCP_VERSION=0.26.0
+CHROME_DEVTOOLS_MCP_VERSION=1.0.1
 CONTEXT7_MCP_VERSION=2.2.5
 SHADCN_VERSION=4.7.0

plugins/rldyour-flow/references/flow-lifecycle.md

@@ -23,7 +23,7 @@ Core order:
 1. Git sync audit: dirty state, current branch, upstream ahead/behind, worktrees, local/remote branches.
 2. If uncommitted, unmerged, or stale merged branch/worktree state exists, deeply review it. If correct and consistent, synchronize it into `main`, merge safe branches, push, and remove merged worktrees/branches. If risky, ask the user with concrete options.
 3. Bootstrap agent-only context with `fullrepo_sync.py --bootstrap-init` before treating `AGENTS.md`, `CLAUDE.md`, `.serena/*`, `.claude/*`, `.codex/*`, or similar files as missing. This restores an existing `fullrepo`, publishes local agent-only files when no `fullrepo` exists, installs `.git/info/exclude`, and removes tracked agent-only files from the current branch index when migration is needed.
-4. Serena readiness: `check_onboarding_performed`, onboarding if needed, `list_memories`, relevant `read_memory`.
+4. Serena readiness: `initial_instructions`, `list_memories`, relevant `read_memory`, and `onboarding` only when no usable project context exists.
 5. Scope detection: project, module, sphere, or feature. For a sphere such as backend, inspect the whole sphere and its integration points.
 6. Semantic map: `get_symbols_overview`, targeted `find_symbol`, `find_referencing_symbols`, `search_for_pattern` only when needed.
 7. Data and contract map: database tables/fields, schemas, migrations, API contracts, generated artifacts, configuration keys, environment variables, and integration boundaries that affect the scope.

plugins/rldyour-flow/references/init-context-pack.md

@@ -17,14 +17,15 @@ If the scope is ambiguous, ask the owner in Russian with 2-3 concrete options. I
 
 Use Serena first for supported code:
 
-1. `check_onboarding_performed`.
+1. `initial_instructions`.
 2. `list_memories`.
 3. `read_memory` for relevant memories.
-4. `get_symbols_overview` for entry files and important modules before reading bodies.
-5. `find_symbol` with body disabled to discover children and public surface.
-6. `find_symbol` with body enabled only for implementation that must be understood.
-7. `find_referencing_symbols` to trace callers, data flow, and impact.
-8. `search_for_pattern` for cross-cutting names, routes, schemas, config keys, DB fields, migrations, generated artifacts, tests, and unsupported file types.
+4. Use `onboarding` only when a project has no usable Serena memory/context yet.
+5. `get_symbols_overview` for entry files and important modules before reading bodies.
+6. `find_symbol` with body disabled to discover children and public surface.
+7. `find_symbol` with body enabled only for implementation that must be understood.
+8. `find_referencing_symbols` to trace callers, data flow, and impact.
+9. `search_for_pattern` for cross-cutting names, routes, schemas, config keys, DB fields, migrations, generated artifacts, tests, and unsupported file types.
 
 Use raw `rg` or direct reads only for manifests, Markdown, config files, shell scripts, generated metadata, unsupported language files, or broad text sweeps.
 

plugins/rldyour-lsps/skills/serena-lsp-integration/SKILL.md

@@ -29,7 +29,7 @@ Use `.serena/project.local.yml` for machine-local executable paths. Use committe
 
 For supported code files, use the existing Serena-first workflow:
 
-1. `check_onboarding_performed`
+1. `initial_instructions`
 2. `list_memories`
 3. relevant `read_memory`
 4. `get_symbols_overview`

plugins/rldyour-mcps/.mcp.json

@@ -4,7 +4,7 @@
       "command": "uvx",
       "args": [
         "--from",
-        "serena-agent==1.3.0",
+        "serena-agent==1.5.1",
         "--python",
         "3.13",
         "--prerelease",
@@ -45,7 +45,7 @@
     "chrome-devtools": {
       "command": "bunx",
       "args": [
-        "chrome-devtools-mcp@0.26.0",
+        "chrome-devtools-mcp@1.0.1",
         "--headless",
         "--isolated",
         "--no-usage-statistics",

plugins/rldyour-mcps/README.md

@@ -124,7 +124,7 @@ After plugin installation, browser/OAuth authorization may be required. If Codex
 Serena is configured without starting or opening the web dashboard:
 
 ```text
-uvx --from serena-agent==1.3.0 --python 3.13 --prerelease allow serena start-mcp-server --project-from-cwd --context=codex --enable-web-dashboard False --open-web-dashboard False
+uvx --from serena-agent==1.5.1 --python 3.13 --prerelease allow serena start-mcp-server --project-from-cwd --context=codex --enable-web-dashboard False --open-web-dashboard False
 ```
 
 If the dashboard is needed manually, change this runtime policy intentionally and re-run the system installer.

plugins/rldyour-serena-mcp/hooks/stop_memory_sync.sh

@@ -167,7 +167,7 @@ Preferred path — delegate to the managed Codex subagent role 'serena-sync' whe
 The 'serena-sync' role is a managed Codex TOML agent installed from system/agents/serena-sync.toml. It is Codex-native; do not use Claude Code Agent(...) syntax in this repository.
 
 Fallback path (if the subagent is not available — e.g. plugin not yet reloaded):
-1. Use Serena MCP for code inspection: check_onboarding_performed -> list_memories -> read_memory(relevant) -> get_symbols_overview -> find_symbol(include_body=false) -> find_symbol(include_body=true only where needed) -> find_referencing_symbols -> search_for_pattern.
+1. Use Serena MCP for code inspection: initial_instructions -> list_memories -> read_memory(relevant) -> get_symbols_overview -> find_symbol(include_body=false) -> find_symbol(include_body=true only where needed) -> find_referencing_symbols -> search_for_pattern.
 2. Update .serena/memories with high-signal fact-only English content. Use numbered topic files (AREA-01-SLUG.md) and update CORE-01-INDEX.md when adding, renaming, or splitting memories. Code, git diff, and tests are the source of truth.
 3. Each touched memory must contain a 'Last commit: ${HEAD_SHA}' line so the state script recognises sync via direct-head-reference.
 4. Run ${COMMIT_SCRIPT} to acknowledge sync state and clear runtime markers.

plugins/rldyour-serena-mcp/hooks/user_prompt_submit.sh

@@ -25,7 +25,7 @@ if ! printf "%s" "$PROMPT" | grep -qiE 'код|code|repo|repository|project|пр
   exit 0
 fi
 
-CONTEXT="Serena-first code workflow: for repository/project/directory/file code inspection, use Serena MCP before raw text reads when available: check_onboarding_performed -> list_memories -> read_memory(relevant) -> get_symbols_overview -> find_symbol(include_body=false) -> find_symbol(include_body=true only for needed symbols) -> find_referencing_symbols -> search_for_pattern. Use raw rg/read only as fallback, broad text sweep, or tiny known-location edit."
+CONTEXT="Serena-first code workflow: for repository/project/directory/file code inspection, use Serena MCP before raw text reads when available: initial_instructions -> list_memories -> read_memory(relevant) -> get_symbols_overview -> find_symbol(include_body=false) -> find_symbol(include_body=true only for needed symbols) -> find_referencing_symbols -> search_for_pattern. Use raw rg/read only as fallback, broad text sweep, or tiny known-location edit."
 
 python3 - "$CONTEXT" <<'PY'
 import json