fix: strip commandSpecific before passing settings to createCodexCli

[octo-patch]

Fixes #1679

Problem

When codexCli.commandSpecific is present in the Task Master config, the resolved settings object (returned by getCodexCliSettingsForCommand) includes the commandSpecific key. This object is spread directly into defaultSettings and forwarded to createCodexCli().

Codex CLI does not know about commandSpecific — it's a Task Master-level concept — so it rejects the settings with:

Warning: Invalid Codex CLI settings in config: [
  {
    "code": "custom",
    "path": ["commandSpecific"],
    "message": "Invalid command name in commandSpecific"
  }
]. Falling back to default.

Solution

Destructure commandSpecific out of the resolved settings object before constructing defaultSettings. Only Task Master–agnostic keys are forwarded to createCodexCli().

const { commandSpecific: _commandSpecific, ...safeSettings } = settings;

Testing

• Added a unit test verifying that when getCodexCliSettingsForCommand returns an object that includes commandSpecific, the resulting createCodexCli call does not contain commandSpecific in defaultSettings.
• Existing tests continue to pass.

---

Note

Low Risk
Low risk: small, localized change to Codex CLI provider settings sanitization with a targeted unit test; main risk is unintended omission of other provider settings during the destructuring/forwarding step.

Overview
Fixes Codex CLI initialization failures by stripping Task Master-only codexCli.commandSpecific from the settings object before building defaultSettings passed to createCodexCli().

Adds a unit test to ensure commandSpecific (and any nested override keys) are not forwarded, and includes a patch changeset documenting the bug fix.

^{Reviewed by Cursor Bugbot for commit 752d96f. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Bug Fixes

  • Fixed a configuration-forwarding bug in the Codex CLI provider that could cause initialization to fail with validation errors; settings are now filtered before provider initialization.

• Tests

  • Added a unit test to verify the provider no longer forwards unintended configuration keys and still passes allowed settings through.

[changeset-bot]

🦋 Changeset detected

Latest commit: 752d96f

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 32598f5b-86e5-4c9a-a5b3-8a109f70e0ca

📥 Commits

Reviewing files that changed from the base of the PR and between c29712e and 752d96f.

📒 Files selected for processing (1)

• tests/unit/ai-providers/codex-cli.test.js

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/unit/ai-providers/codex-cli.test.js

---

📝 Walkthrough

Walkthrough

A patch prevents the commandSpecific key from being forwarded into createCodexCli(). getClient() now strips commandSpecific from resolved Codex CLI settings before building defaultSettings, so only supported keys are passed to the Codex CLI provider.

Changes

Cohort / File(s)	Summary
Changeset Entry .changeset/fix-codex-commandspecific-leak.md	Adds a changeset noting a patch release: commandSpecific is no longer forwarded to Codex CLI defaultSettings.
Codex CLI Provider Fix src/ai-providers/codex-cli.js	getClient() destructures and removes commandSpecific from merged settings, uses the remaining safeSettings when constructing defaultSettings passed to createCodexCli().
Test Coverage tests/unit/ai-providers/codex-cli.test.js	Adds a unit test stubbing getCodexCliSettingsForCommand with commandSpecific and asserts createCodexCli is called once and its defaultSettings does not include commandSpecific but still includes other keys (e.g., allowNpx).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: stripping commandSpecific from settings before passing to createCodexCli, matching the core fix in the PR.
Linked Issues check	✅ Passed	All objectives from #1679 are met: commandSpecific is stripped before createCodexCli, only Codex CLI-supported keys are forwarded, error scenarios are prevented, and a unit test verifies commandSpecific is not included in defaultSettings.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing #1679: codex-cli.js removes commandSpecific, tests verify the fix, and changeset documents the patch release with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

tests/unit/ai-providers/codex-cli.test.js (1)

106-115: Good coverage of the regression.

Test asserts both the negative (no commandSpecific forwarded) and positive (other keys like allowNpx still pass through) cases. mockReturnValueOnce composes correctly with the jest.clearAllMocks() in beforeEach.

One optional strengthening: also assert createCodexCli was called exactly once and that defaultSettings does not contain any nested reference to the 'parse-prd' override keys (e.g., approvalMode: 'never'), to guard against a future partial-merge regression. Not a blocker.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/ai-providers/codex-cli.test.js` around lines 106 - 115, Add two
extra assertions to harden the test: assert that createCodexCli was called
exactly once after calling provider.getClient({ commandName: 'parse-prd' }) and
assert that the produced call.defaultSettings has no nested override keys from
commandSpecific (e.g., does not contain approvalMode or any property
'parse-prd'). Locate the existing test that mocks getCodexCliSettingsForCommand
and inspects createCodexCli.mock.calls[0][0] (symbols:
getCodexCliSettingsForCommand, provider.getClient, createCodexCli,
call.defaultSettings) and add expectations for createCodexCli.mock.calls.length
=== 1 and that call.defaultSettings neither has property 'approvalMode' nor any
nested object keyed by 'parse-prd'.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/unit/ai-providers/codex-cli.test.js`:
- Around line 106-115: Add two extra assertions to harden the test: assert that
createCodexCli was called exactly once after calling provider.getClient({
commandName: 'parse-prd' }) and assert that the produced call.defaultSettings
has no nested override keys from commandSpecific (e.g., does not contain
approvalMode or any property 'parse-prd'). Locate the existing test that mocks
getCodexCliSettingsForCommand and inspects createCodexCli.mock.calls[0][0]
(symbols: getCodexCliSettingsForCommand, provider.getClient, createCodexCli,
call.defaultSettings) and add expectations for createCodexCli.mock.calls.length
=== 1 and that call.defaultSettings neither has property 'approvalMode' nor any
nested object keyed by 'parse-prd'.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9526fd1e-3d5c-494a-9723-36c680ba5bb4

📥 Commits

Reviewing files that changed from the base of the PR and between 1c7365c and c29712e.

📒 Files selected for processing (3)

• .changeset/fix-codex-commandspecific-leak.md
• src/ai-providers/codex-cli.js
• tests/unit/ai-providers/codex-cli.test.js

[octo-patch]

Thanks @coderabbitai — applied the optional strengthening in 752d96f:

• Added expect(createCodexCli).toHaveBeenCalledTimes(1) to ensure the single getClient invocation produces exactly one downstream call.
• Added expect(call.defaultSettings).not.toHaveProperty('approvalMode') so any future partial-merge regression that leaks a nested commandSpecific override key into the top-level defaultSettings will fail the test.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@octo-patch: Those are solid additions — the call-count guard and the approvalMode negative assertion together give the test much better regression coverage. Thanks for incorporating them!

---

🧠 Learnings used

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tests.mdc:0-0
Timestamp: 2025-11-24T18:03:46.713Z
Learning: Applies to **/*.test.js : When testing CLI commands built with Commander.js: test command action handlers directly rather than mocking the entire Commander chain; create simplified test-specific implementations of command handlers; explicitly handle all options including defaults and shorthand flags; include null/undefined checks for optional parameters; use fixtures for consistent sample data.

---

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T22:09:45.455Z
Learning: Applies to apps/cli/**/*.{spec,test}.ts : In unit tests for apps/cli, mock tm-core responses but use real Commander/chalk/inquirer/other npm packages to test display logic

---

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tests.mdc:0-0
Timestamp: 2025-11-24T18:03:46.713Z
Learning: Applies to **/*.test.js : When testing console assertions: ensure assertion matches actual arguments passed; if code logs a single formatted string, assert against that single string using `expect.stringContaining` or exact match, not multiple arguments; verify exact behavior of the code being tested.

---

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1444
File: apps/cli/src/utils/auto-update/changelog.ts:103-111
Timestamp: 2025-11-25T18:32:29.828Z
Learning: The claude-task-master project uses a custom changelog format with PR numbers and author acknowledgements in the pattern `- [`#PR`](...) Thanks [author]! - Description`, which is parsed by the regex in apps/cli/src/utils/auto-update/changelog.ts.

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!