feat(codex-probe): add update-check helper alongside known-bad warning #1861
Open
Rahgnoruk wants to merge 1 commit into
_gstack_codex_update_check compares the locally installed Codex CLI to npm's
@openai/codex `latest` tag and prints one INFO line when an upgrade is
available. Wired into the same detection blocks as _gstack_codex_version_check
so /ship Step 11, /autoplan, /codex, and the review-army design voice all
surface a freshness signal on top of the existing known-bad-versions deny-list.
Results are cached for 24h at ${GSTACK_HOME:-$HOME/.gstack}/.codex-version-check
so /ship invocations don't hammer the npm registry. Network call is best-effort
(`-m 5` curl timeout, all failure modes silent) — never blocks the workflow.
Tony triggered this during /release-sync after PR garrytan#194 landed: codex-cli 0.122.0
→ 0.136.0 silently rendered the 0.122.0 hang workaround obsolete because /ship
had no codex-freshness signal — only the static known-bad list (0.120.0/1/2)
caught regressions.
Adds 8 tests in test/codex-hardening.test.ts covering the fresh-cache happy
path, identity (local == latest), pre-release (local ahead of latest), broken
codex binary, network failure (no cache written on failure), stale-cache
(>24h mtime) re-fetch, independence from _gstack_codex_version_check, and the
cache file write side-effect.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Why
Codex CLI ships patch releases regularly and individual versions sometimes regress in ways the known-bad deny-list in `_gstack_codex_version_check` catches only retroactively. The deny-list is a static set of bad SHAs; it gives no signal when the current version is simply old.
Concretely: in my install I was running 0.122.0 for weeks, with a memory note about a stdin-deadlock workaround. Codex 0.136.0 had been on npm for days. `/ship` Step 11 had no freshness signal anywhere in the adversarial-review pipeline — only the deny-list. The stale workaround memory drove a bad routing decision (I almost skipped the Codex adversarial pass thinking Codex was still broken) before I noticed the upgrade by accident. Once I upgraded to 0.136.0 the old workaround was obsolete.
`/ship` should surface "you're behind npm latest" the same way it surfaces "you're on a known-bad". One INFO line, non-blocking, cached so it costs almost nothing.
What
New `_gstack_codex_update_check` in `bin/gstack-codex-probe`, wired into the existing detection blocks that `/ship`, `/autoplan`, `/codex`, and the design voice already use.
Behaviour:
- `codex --version`.
- `${GSTACK_HOME:-$HOME/.gstack}/.codex-version-check`. Avoids hammering registry.npmjs.org on every `/ship` invocation.
- `curl -fsSL -m 5 https://registry.npmjs.org/@openai/codex/latest | jq -r '.version'`. 5s timeout so a slow registry never blocks a workflow.
```
INFO: Codex CLI 0.122.0 available: 0.136.0. Upgrade: `npm install -g @openai/codex@latest`
```
Out of scope (deliberate): auto-upgrade, prompt the user, per-project pinning, fail/skip on outdated. The user runs `npm install -g @openai/codex@latest` themselves; this just makes the staleness visible.
How it's wired
All non-Claude hosts (Cursor, Factory, GBrain, Hermes, Kiro, OpenClaw, OpenCode, Slate, .agents/Codex) inherit the check via the resolvers/tmpls when they regenerate locally — verified post-regen with grep across all host outputs.
Tests
8 new tests in `test/codex-hardening.test.ts` (35/37 pass locally; the 2 fails are pre-existing Windows narrow-PATH timeout-wrapper tests on `main`):
Test plan to manually verify:
🤖 Generated with Claude Code
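The cached, best-effort freshness check this description outlines, sketched as an added example that is not the PR's or the project's code. The helper names (`is_version`, `ver_lt`, `cache_fresh`, `update_check`, `fetch_npm_latest`) are hypothetical; the point it adds is that the registry answer and the cache file are both treated as untrusted and validated before they are stored or echoed to the terminal.

```bash
# Hypothetical helper names (added illustration, not the PR's code).
# Accept only digits-only MAJOR.MINOR.PATCH; pre-release tags, error pages
# and terminal escapes are rejected before use.
is_version() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) return 1 ;; esac
  case "$1" in *.*.*) return 0 ;; esac
  return 1
}

# Succeeds when $1 is strictly older than $2 (numeric compare per field).
ver_lt() {
  local a="$1" b="$2" x y n
  for n in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}; a=${a#*.}; b=${b#*.}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# Succeeds when the cache file exists and is younger than 24h (1440 min).
cache_fresh() {
  [ -f "$1" ] && [ -n "$(find "$1" -mmin -1440 2>/dev/null)" ]
}

# $1 local version, $2 cache file, $3 command that prints the latest version.
# Prints one INFO line when behind; every failure path is silent and returns 0.
update_check() {
  local have="$1" cache="$2" fetch="$3" latest=""
  is_version "$have" || return 0
  if cache_fresh "$cache"; then
    latest=$(head -n 1 "$cache" 2>/dev/null) || latest=""
  else
    latest=$("$fetch" 2>/dev/null) || latest=""
    # Cache only a validated answer, so a failed fetch is retried next run.
    if is_version "$latest"; then
      mkdir -p "$(dirname "$cache")" && printf '%s\n' "$latest" > "$cache"
    fi
  fi
  is_version "$latest" || return 0   # also re-validates a tampered cache
  if ver_lt "$have" "$latest"; then
    echo "INFO: Codex CLI $have available: $latest. Upgrade: \`npm install -g @openai/codex@latest\`"
  fi
}

# Fetcher using the command quoted in the PR description.
fetch_npm_latest() {
  curl -fsSL -m 5 https://registry.npmjs.org/@openai/codex/latest | jq -r '.version'
}
```

Passing the fetcher by name keeps the network call replaceable, so the cache and comparison logic can be exercised offline with a stub.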