oh-my-customcodex 0.5.19 → 0.5.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -13,7 +13,7 @@
13
13
 
14
14
  **[한국어 문서 (Korean)](./README_ko.md)**
15
15
 
16
- 50 agents. 121 skills. 22 rules. One command.
16
+ 50 agents. 121 skills. 23 rules. One command.
17
17
 
18
18
  ```bash
19
19
  npm install -g oh-my-customcodex && cd your-project && omcustomcodex init
@@ -217,15 +217,15 @@ All commands are invoked inside the oh-my-customcodex GPT Codex + OMX session.
217
217
 
218
218
  ---
219
219
 
220
- ### Rules (22)
220
+ ### Rules (23)
221
221
 
222
222
  | Priority | Count | Purpose |
223
223
  |----------|-------|---------|
224
224
  | **MUST** | 14 | Safety, permissions, agent design, identification, orchestration, verification, completion, enforcement |
225
- | **SHOULD** | 6 | Interaction, error handling, memory, HUD, ecomode, ontology routing |
225
+ | **SHOULD** | 7 | Interaction, error handling, memory, HUD, ecomode, ontology routing, verification ladder |
226
226
  | **MAY** | 1 | Optimization |
227
227
 
228
- Key rules: R010 (orchestrator never writes files), R009 (parallel execution mandatory), R017 (sauron verification before push), R020 (completion verification before declaring done), R021 (advisory-first enforcement model).
228
+ Key rules: R010 (orchestrator never writes files), R009 (parallel execution mandatory), R017 (sauron verification before push), R020 (completion verification before declaring done), R021 (advisory-first enforcement model), R023 (verification ladder).
229
229
 
230
230
  ---
231
231
 
@@ -281,7 +281,7 @@ your-project/
281
281
  ├── AGENTS.md # Entry point
282
282
  ├── .codex/
283
283
  │ ├── agents/ # 50 agent definitions
284
- │ ├── rules/ # 22 governance rules (R000-R021)
284
+ │ ├── rules/ # 23 governance rules (R000-R023)
285
285
  │ ├── hooks/ # 15 lifecycle hook scripts
286
286
  │ ├── schemas/ # Tool input validation schemas
287
287
  │ ├── specs/ # Extracted canonical specs
package/dist/cli/index.js CHANGED
@@ -3091,7 +3091,7 @@ var init_package = __esm(() => {
3091
3091
  workspaces: [
3092
3092
  "packages/*"
3093
3093
  ],
3094
- version: "0.5.19",
3094
+ version: "0.5.21",
3095
3095
  requiresCC: ">=2.1.121",
3096
3096
  claudeCode: {
3097
3097
  minimumVersion: "2.1.121",
@@ -26418,6 +26418,17 @@ function isCacheFresh(cache, now, cacheTtlMs) {
26418
26418
  }
26419
26419
  return now - checkedAt < cacheTtlMs;
26420
26420
  }
26421
+ function readFreshPlausibleCachedVersion(cachePath, currentVersion, now, cacheTtlMs) {
26422
+ const cache = readCache(cachePath);
26423
+ if (!cache || !isCacheFresh(cache, now, cacheTtlMs)) {
26424
+ return null;
26425
+ }
26426
+ const cachedVersion = normalizeVersion(cache.latestVersion);
26427
+ if (!cachedVersion || !isVersionPlausible(currentVersion, cachedVersion)) {
26428
+ return null;
26429
+ }
26430
+ return cachedVersion;
26431
+ }
26421
26432
  function fetchLatestVersionFromNpm(packageName = DEFAULT_PACKAGE_NAME) {
26422
26433
  try {
26423
26434
  const output = execSync2(`npm view ${packageName} version --json`, {
@@ -26534,7 +26545,8 @@ function executeSelfUpdate(options = {}) {
26534
26545
  if (!options.silent) {
26535
26546
  console.log(i18n.t("cli.selfUpdate.updatingGlobal", { version: latestVersion }));
26536
26547
  }
26537
- const installed = installGlobalPackage(packageName, latestVersion, options.silent ?? false);
26548
+ const installPackage = options.installPackage || installGlobalPackage;
26549
+ const installed = installPackage(packageName, latestVersion, options.silent ?? false);
26538
26550
  if (installed) {
26539
26551
  if (!options.silent) {
26540
26552
  console.log(i18n.t("cli.selfUpdate.updated", { version: latestVersion }));
@@ -26563,20 +26575,13 @@ function checkSelfUpdate(options) {
26563
26575
  reason: "invalid-current-version"
26564
26576
  };
26565
26577
  }
26566
- let latestVersion = null;
26567
- let usedCache = false;
26568
- const cache = readCache(cachePath);
26569
- if (cache && isCacheFresh(cache, now, cacheTtlMs)) {
26570
- const cachedVersion = normalizeVersion(cache.latestVersion);
26571
- if (isVersionPlausible(currentVersion, cachedVersion)) {
26572
- latestVersion = cachedVersion;
26573
- usedCache = true;
26574
- }
26575
- }
26578
+ let latestVersion = readFreshPlausibleCachedVersion(cachePath, currentVersion, now, cacheTtlMs);
26579
+ const usedCache = Boolean(latestVersion);
26576
26580
  if (!latestVersion) {
26577
26581
  const fetched = fetchLatestVersion(packageName);
26578
- if (fetched && isVersionPlausible(currentVersion, fetched)) {
26579
- latestVersion = fetched;
26582
+ const fetchedVersion = fetched ? normalizeVersion(fetched) : "";
26583
+ if (fetchedVersion) {
26584
+ latestVersion = fetchedVersion;
26580
26585
  writeCache(cachePath, latestVersion, now);
26581
26586
  }
26582
26587
  }
package/dist/index.js CHANGED
@@ -2316,7 +2316,7 @@ var package_default = {
2316
2316
  workspaces: [
2317
2317
  "packages/*"
2318
2318
  ],
2319
- version: "0.5.19",
2319
+ version: "0.5.21",
2320
2320
  requiresCC: ">=2.1.121",
2321
2321
  claudeCode: {
2322
2322
  minimumVersion: "2.1.121",
package/package.json CHANGED
@@ -3,7 +3,7 @@
3
3
  "workspaces": [
4
4
  "packages/*"
5
5
  ],
6
- "version": "0.5.19",
6
+ "version": "0.5.21",
7
7
  "requiresCC": ">=2.1.121",
8
8
  "claudeCode": {
9
9
  "minimumVersion": "2.1.121",
@@ -102,6 +102,16 @@
102
102
  ],
103
103
  "description": "Block Bash/Write/Edit writes into .claude/ sensitive paths before Claude Code permission prompts fire"
104
104
  },
105
+ {
106
+ "matcher": "tool == \"Bash\" && tool_input.command matches \"(^|[[:space:];&|])(status|path|argv)[[:space:]]*=\"",
107
+ "hooks": [
108
+ {
109
+ "type": "command",
110
+ "command": "bash .codex/hooks/scripts/shell-reserved-var-advisor.sh"
111
+ }
112
+ ],
113
+ "description": "Warn on zsh/bash reserved variable assignments such as status=, path=, or argv= before shell execution (R020/#1491)"
114
+ },
105
115
  {
106
116
  "matcher": "tool == \"Bash\"",
107
117
  "hooks": [
@@ -0,0 +1,25 @@
1
+ #!/usr/bin/env bash
2
+ # shell-reserved-var-advisor.sh — advisory guard for zsh/bash special variable assignments.
3
+ # Trigger: PreToolUse (Bash matcher)
4
+
5
+ set -euo pipefail
6
+
7
+ input=$(cat)
8
+ command=$(printf '%s' "$input" | jq -r '.tool_input.command // ""' 2>/dev/null || true)
9
+
10
+ if [ -z "$command" ]; then
11
+ printf '%s' "$input"
12
+ exit 0
13
+ fi
14
+
15
+ # zsh exposes several lowercase special parameters as read-only or semantically
16
+ # dangerous. `status=...` is the frequent footgun in polling snippets; `path`
17
+ # and `argv` are arrays/special parameters. Match assignment starts after common
18
+ # shell separators or whitespace, but do not match safe names like run_status=.
19
+ if printf '%s\n' "$command" | grep -Eq '(^|[[:space:];&|])(status|path|argv)[[:space:]]*='; then
20
+ echo '[Hook] WARNING: reserved shell variable assignment detected (R020/#1491).' >&2
21
+ echo '[Hook] Avoid zsh/bash special names: status, path, argv.' >&2
22
+ echo '[Hook] Use safe names such as run_status, cmd_path, or args before executing.' >&2
23
+ fi
24
+
25
+ printf '%s' "$input"
@@ -24,7 +24,6 @@ tools: [Read, Write, ...] # Allowed tools
24
24
  | `opus` | claude-opus-4-6 | Complex reasoning, architecture |
25
25
  | `opusplan` | claude-opus-4-6 + plan mode | Architecture planning with approval gates |
26
26
  | `opus47` | claude-opus-4-7 | Latest Opus model, supports xhigh effort |
27
-
28
27
  Extended context suffix: `[1m]` (e.g., `claude-opus-4-6[1m]`) — enables 1M token context window.
29
28
 
30
29
  <!-- DETAIL: Fallback Models and Thinking Toggle (Claude Code v2.1.166+)
@@ -88,6 +87,7 @@ This Codex port ships `.claude` compatibility templates. When updating those tem
88
87
  - v2.1.162: `claude agents --json` includes waiting/blocker metadata and explicit `--tools Grep/Glob` behavior is fixed; compatibility prompts may use those fields when diagnosing stuck Claude sessions.
89
88
  - v2.1.163: managed `requiredMinimumVersion`/`requiredMaximumVersion`, `/plugin list`, Stop/SubagentStop `hookSpecificOutput.additionalContext`, and skill command literal `\$` escaping are available. Hook/skill template changes should preserve these affordances.
90
89
  - v2.1.165: bug-fix/reliability release; no local template change required beyond compatibility confirmation. v2.1.166: fallbackModel availability failover and thinking-disable controls are Claude compatibility settings, not Codex/OMX routing. v2.1.167/v2.1.168: bug-fix-only compatibility confirmation.
90
+ - v2.1.170: Claude compatibility sessions gain access to the `fable` alias (`claude-fable-5`) and fix a VS Code integrated-terminal transcript persistence bug. Skills that rely on transcript replay (for example `homework`) should prefer v2.1.170+ in Claude-template sessions. No Codex runtime model-routing change.
91
91
  -->
92
92
 
93
93
  ## Hook Event Types
@@ -8,6 +8,18 @@
8
8
 
9
9
  Available when `OMCODEX_AGENT_TEAMS=1` or `TeamCreate` / `SendMessage` exists.
10
10
 
11
+ ## Gate Transparency Scope
12
+
13
+ R018 gate-transparency announcements apply only when Agent Teams are enabled or callable; otherwise R009 parallel-execution announcements are sufficient.
14
+
15
+ <!--
16
+ DETAIL: Gate Transparency Scope
17
+ | Runtime state | Required |
18
+ |---------------|----------|
19
+ | Agent Teams enabled/callable | Announce the R018 gate result for qualifying 3+ agent dispatches |
20
+ | Agent Teams disabled/unavailable | Use R009 `[N]` dispatch format and state the fallback only if useful for clarity |
21
+ -->
22
+
11
23
  ## Decision Matrix
12
24
 
13
25
  | Scenario | Preferred | Reason |
@@ -67,6 +67,17 @@ Parallel batches return results together, so a same-batch permanent dispatch pro
67
67
 
68
68
  Example: do not diagnose `triage-dispatch.yml` from memory, create an issue, and delegate a fix in the same parallel call before reading the workflow. If the read later shows a different root cause, the issue, PR, and commit trail become correction debt even when the eventual code direction is acceptable.
69
69
 
70
+ ### Proxy Signal vs Canonical Ground-Truth
71
+
72
+ When diagnosing pipeline or data state, verify the canonical store — the authoritative DB, registry, API, or system-of-record — before characterizing state from a secondary proxy such as a `.txt` artifact, filesystem mtime, cached file, or one ingestion path.
73
+
74
+ | Anti-pattern | Required |
75
+ |--------------|----------|
76
+ | Characterize pipeline health from a filesystem proxy | Query the canonical store first |
77
+ | Generalize one ingestion path's failure to the whole pipeline | Check the final landing store across all relevant paths before alarming or reprocessing |
78
+
79
+ A single path's failure does not prove the whole multi-path system is down.
80
+
70
81
  ## Degraded-Output Re-Verification Gate
71
82
 
72
83
  When tool output shows provider instability, buffering, truncation, duplicated chunks, `529`, timeout recovery, or `(no result)` while a permanent action is being considered, treat the current read as degraded. Do not characterize corruption, missing files, stale state, release failure, or data loss from that single degraded read.
@@ -164,6 +175,17 @@ When a user sends a new instruction while work is in progress, completion status
164
175
  3. If the new message adds a requirement, add it to the completion contract before closing.
165
176
  4. If no conflict exists, continue but explicitly preserve the new requirement in the next verification pass.
166
177
 
178
+ ### Interrupt ≠ Prior-Request Cancellation
179
+
180
+ If the first message after an interrupt is ambiguous, do not assume the prior request was cancelled. The user may be continuing a multi-message request, correcting input, or starting a new request. Keep the prior non-destructive context alive and ask once only when the new message cannot be classified as a clear instruction.
181
+
182
+ **Safety carve-out:** if the interrupted work is destructive or irreversible (`git reset --hard`, `git clean -fd`, broad `rm`, force push, tunnel/DNS/k8s/infra deletion, production state changes), halt first and require explicit re-authorization before resuming. Interrupts retain their emergency-stop value for risky work.
183
+
184
+ | Anti-pattern | Required |
185
+ |--------------|----------|
186
+ | Treat an ambiguous interrupt as cancellation and switch to unrelated work | Preserve context and clarify intent once |
187
+ | Continue destructive work after an ambiguous interrupt | Stop immediately; resume only after explicit re-authorization |
188
+
167
189
  ### Tool-Call Payload Completeness
168
190
 
169
191
  도구 호출의 required 파라미터는 invoke 전에 확인한다(완료 선언 후가 아니라 호출 시점의 전제조건). announce(prefix)만 출력하고 payload의 required 필드를 누락하는 패턴은 R008 "Required-Parameter Completeness Check"가 canonical owner다. Reference: #1487 / upstream #1324.
@@ -212,6 +234,30 @@ Related memory records:
212
234
  - `feedback_subagent_pre_existing_claims.md` — subagent false-positive pattern
213
235
  -->
214
236
 
237
+ ## CI Publish-Step Error vs Published-Artifact Ground Truth
238
+
239
+ A CI publish/deploy step that logs an error has not necessarily failed. The step may recover through a fallback or the error may be non-fatal. Before declaring a publish/release failed, re-running it, rolling it back, or changing release workflow logic, verify the published artifact directly.
240
+
241
+ | Publish target | Ground-truth check |
242
+ |----------------|--------------------|
243
+ | npm | `npm view <pkg> version` equals expected |
244
+ | GitHub Release | `gh release view <tag>` exists and is not draft |
245
+ | Docker/registry image | image tag or manifest exists |
246
+ | Run outcome | `gh run view <id> --json jobs` conclusions, not one step log line |
247
+
248
+ ## State-Change Claim → Live System Verification
249
+
250
+ Before closing or marking-done a task that claims an infrastructure/resource state change, verify the actual live system state rather than only the command attempt.
251
+
252
+ | Claimed state change | Live ground-truth check |
253
+ |----------------------|-------------------------|
254
+ | Service stopped | `launchctl list`, `systemctl status`, or equivalent shows inactive/absent |
255
+ | k8s resource torn down | `kubectl get <resource>` returns NotFound |
256
+ | Container removed | `docker ps -a` does not list it |
257
+ | Process killed | `pgrep`/`ps` check returns empty |
258
+
259
+ "Issued the teardown" is not evidence that the resource is down.
260
+
215
261
  ## Integration
216
262
 
217
263
  | Rule | Interaction |
@@ -210,6 +210,19 @@ When announcing a parallel dispatch in prose text (not the Agent tool call itsel
210
210
  The list form mirrors the tool-call `[N]` prefix pattern and scales better to 3+ concurrent agents.
211
211
  -->
212
212
 
213
+ <!--
214
+ DETAIL: Parallel Feature Integration Gate
215
+
216
+ ## Parallel Feature Integration Gate
217
+
218
+ When parallel feature agents edit interdependent code, isolated passes are not enough: run aggregate build plus runtime/smoke verification on the merged worktree before declaring done.
219
+
220
+ | Anti-pattern | Required |
221
+ |--------------|----------|
222
+ | Accept each subagent's isolated pass as release-ready | Re-run aggregate verification on the merged worktree |
223
+ | Skip runtime smoke because every file-domain lane passed | Smoke the integrated feature path or device/browser/app surface |
224
+ -->
225
+
213
226
  ## Result Aggregation
214
227
 
215
228
  ```
@@ -17,6 +17,23 @@
17
17
  - Do not rotate, delete, recreate, or replace credentials unless the user explicitly requested that exact credential action.
18
18
  - Before irreversible action on shared infrastructure or credentials, reconfirm the target, namespace/account/project, requested scope, rollback path, and user authorization.
19
19
  - Stop instead of chaining privileged actions when the next step would affect a different credential, tunnel, namespace, pod, cluster, account, or shared service than the user requested.
20
+ - When a credential/token is needed, ask for the specific value or file before running blind discovery scans (`env | grep`, repo-wide token greps, credential-store dumps). If a classifier blocks a credential action once while a standing user-deny is active, switch to a user-runs command and do not retry by another mechanism.
21
+
22
+ ### Standing User-Deny + Classifier Block
23
+
24
+ When the user has a standing "do not touch X" constraint and a safety classifier blocks an action on X once, immediately switch to a user-runs command/instruction path. Do not retry the blocked edit, scan, or credential action via another mechanism.
25
+
26
+ ### Infra-Diagnostic File Checks — Metadata, Not Contents
27
+
28
+ When diagnosing infrastructure or health issues, file checks must stay metadata-only: `ls -la` for existence, size, permissions, and mtime. Do not `cat .env`, inspect credential JSON keys, or read secret contents into the transcript just to confirm configuration exists.
29
+
30
+ | Anti-pattern | Required |
31
+ |--------------|----------|
32
+ | `cat .env` / inspect OAuth or credential keys during a health diagnosis | `ls -la .env` or request the exact value from the user if genuinely needed |
33
+
34
+ ### Infra/Resource Deletion Blast Radius
35
+
36
+ Before deleting shared infrastructure resources (tunnels, DNS records, k8s resources, load balancers, security groups), enumerate every endpoint, route, selector, target, or rule served by that resource — not only the hostname or object the user named. Prefer reversible disable/detach/stop actions when they satisfy the task.
20
37
 
21
38
  ## Required Before Destructive Operations
22
39
 
@@ -26,6 +26,9 @@
26
26
  | Clear | Execute immediately |
27
27
  | Ambiguous | `[Confirm] Understood "{request}" as {interpretation}. Proceed?` |
28
28
  | Risky | `[Warning] This action has {risk}. Continue? Yes: {action} / No: Cancel` |
29
+ | Interrupt (ambiguous first message) | Do not assume the prior request is cancelled. The first message after an interrupt may be continuation, correction, or a new request. If the in-progress action is risky/destructive, apply the Risky row first and halt before clarification. |
30
+
31
+ Request handling precedence: **Risky > Interrupt > Ambiguous > Clear**. Clear new instructions should still be executed directly; the interrupt row exists only for ambiguous first messages after an interruption.
29
32
 
30
33
  ## External Product UI Claims
31
34
 
@@ -22,6 +22,20 @@ Agent frontmatter `memory: project|user|local` enables persistent memory:
22
22
  | `project` | `.codex/agent-memory/<name>/` | Yes |
23
23
  | `local` | `.codex/agent-memory-local/<name>/` | No |
24
24
 
25
+ <!--
26
+ DETAIL: Project memory root guard
27
+
28
+ ## Subagent `memory: project` Source-Tree Pollution Guard
29
+
30
+ A subagent working from a subdirectory must not create nested `.codex/agent-memory/` or `.claude/agent-memory/` directories inside source packages.
31
+
32
+ | Anti-pattern | Required |
33
+ |--------------|----------|
34
+ | Accept nested `src/**/.codex/agent-memory/` or `src/**/.claude/agent-memory/` created by a worker | Verify memory writes land at project-root `.codex/` (or template-root `.claude/` for compatibility) and remove nested memory directories before commit |
35
+
36
+ Before committing subagent work, check for nested memory pollution with a targeted search such as `find . \\( -path '*/src/*/.codex/agent-memory' -o -path '*/src/*/.claude/agent-memory' \\) -print`.
37
+ -->
38
+
25
39
  ## When to Use Searchable MCP Memory
26
40
 
27
41
  | Scenario | Native | AgentMemory-compatible / omx-memory |
@@ -0,0 +1,124 @@
1
+ # [SHOULD] Verification Ladder Rules
2
+
3
+ > **Priority**: SHOULD | **ID**: R023
4
+ > **Codex port**: `.codex/**` is the active rule/runtime surface; `templates/.claude/**` mirrors compatibility guidance.
5
+
6
+ ## Core Rule
7
+
8
+ 검증은 비용/속도 ladder로 구성한다: **결정론적 검사 → cheap LLM → expensive LLM → human**. 가장 저렴한 tier가 먼저 통과해야 다음 tier로 진행한다. 더 낮은 tier에서 잡을 수 있는 문제를 더 비싼 tier에 보내지 않는다.
9
+
10
+ ## Ladder Tiers
11
+
12
+ | Tier | 도구 | 비용 | 속도 | 적용 시점 |
13
+ |------|------|------|------|-----------|
14
+ | **1: Deterministic** | hooks, linters, type-check, JSON schema | $0 | <1s | Pre-write, write-time |
15
+ | **2: Cheap LLM** | haiku-based skills (`dev-review`, `action-validator`) | $ | <30s | Per-file review |
16
+ | **3: Expensive LLM** | sonnet/opus skills (`deep-verify`, `adversarial-review`, `multi-model-verification`, `evaluator-optimizer`) | $$$ | 1-5분 | Pre-commit, PR review |
17
+ | **4: Human** | maintainer review | time | hours-days | Final gate, contested decisions |
18
+
19
+ ## Shift-left 원칙
20
+
21
+ 결정론적 단계가 잡을 수 있는 문제는 LLM에 보내지 않는다. LLM 검증은 ambiguous/semantic 문제에 집중한다.
22
+
23
+ - **좋은 예**: JSON schema 오류 → Tier 1 hook이 차단 → LLM에 미전달
24
+ - **나쁜 예**: 탭/스페이스 혼용 오류 → sonnet으로 전달 → 불필요한 비용 발생
25
+
26
+ R013 (SHOULD-ecomode)의 "저렴한 검증 우선" 원칙과 정합: ecomode는 출력 토큰을 절약하고, R023은 검증 비용을 절약한다.
27
+
28
+ ## 기존 자산 매핑
29
+
30
+ | Tier | 자산 | 역할 |
31
+ |------|------|------|
32
+ | **Tier 1** | `.codex/hooks/ (and mirrored templates/.claude/hooks/)` (PreToolUse hooks) | 도구 호출 전 결정론적 차단 |
33
+ | **Tier 1** | `mgr-sauron` (R017 구조 검증) | 에이전트/스킬/가이드 frontmatter 검증 |
34
+ | **Tier 1** | pre-commit configs, linters | 코드 품질 정적 검사 |
35
+ | **Tier 2** | `dev-review` | 파일 단위 haiku 코드 리뷰 |
36
+ | **Tier 2** | `action-validator` | CI/CD 액션 구문 검증 |
37
+ | **Tier 2** | `pre-generation-arch-check` | 생성 전 아키텍처 lite 점검 |
38
+ | **Tier 3** | `deep-verify` | 다단계 품질 검증 (sonnet) |
39
+ | **Tier 3** | `adversarial-review` | 공격자 시각 보안 리뷰 (opus) |
40
+ | **Tier 3** | `multi-model-verification` | 복수 모델 교차 검증 |
41
+ | **Tier 3** | `evaluator-optimizer` | 평가-개선 반복 루프 |
42
+ | **Tier 3** | `worker-reviewer-pipeline` | 구현-리뷰 파이프라인 |
43
+ | **Tier 4** | maintainer manual review | PR approval, final gate |
44
+
45
+ ## R021과의 관계
46
+
47
+ R021 (MUST-enforcement-policy)과 R023은 **직교**한다. 두 규칙은 서로 다른 차원을 다룬다:
48
+
49
+ | 규칙 | 질문 | 차원 |
50
+ |------|------|------|
51
+ | **R021** | "어떻게 강제할 것인가?" | Hard block / Soft block / Advisory |
52
+ | **R023** | "어떤 비용으로 검증할 것인가?" | Deterministic / Cheap LLM / Expensive LLM |
53
+
54
+ 같은 도구가 두 규칙에 동시에 속할 수 있다:
55
+
56
+ - `mgr-sauron`: R021 관점에서 Advisory (PostToolUse hook), R023 관점에서 Tier 1 (구조 검증)
57
+ - `deep-verify`: R021 관점에서 Prompt-based (blocking 없음), R023 관점에서 Tier 3 (expensive LLM)
58
+ - `.codex/hooks/ (and mirrored templates/.claude/hooks/)` stage-blocker: R021 관점에서 Hard Block, R023 관점에서 Tier 1
59
+
60
+ R021은 위반 시 어떻게 멈출지를, R023은 어떤 순서로 검증할지를 정의한다.
61
+
62
+ ## Self-Check
63
+
64
+ 새 검증 도구 추가 시:
65
+
66
+ - [ ] 어느 tier에 속하는지 명확한가?
67
+ - [ ] 같은 tier 내 중복 도구는 없는가?
68
+ - [ ] Tier 1에서 잡을 수 있는 문제를 다루는가? (상위 tier 대신 시프트 권고)
69
+ - [ ] Ladder 순서를 문서화했는가? (어떤 검사를 먼저 실행하는지)
70
+
71
+ ## Safety-Signal Rule Authoring — Carve-Out Pre-Check (shift-left)
72
+
73
+ > Origin: #1353 (인터럽트 룰 #1341의 후속 회고에서 발견된 R001 carve-out 누락) — 인터럽트 룰(R003/R020)을 작성할 때 R001 파괴적-작업 carve-out을 1차 작성에서 빠뜨렸고, Tier 3 적대적 검증이 release-blocking으로 포착해 보정했다. Tier 3가 잡았으나, 같은 결함을 Tier 1(작성 시점 결정론적 점검)로 시프트하면 비용이 낮다.
74
+
75
+ 런타임 안전-신호 동작을 정의하는 룰(인터럽트·취소·halt·중단·emergency-stop 등)을 추가/수정할 때, 작성 단계(Tier 1)에서 다음을 사전 점검한다 — Tier 3 적대적 검증에 의존하기 전에 (이 checklist 같은 메타-룰은 대상 아님):
76
+
77
+ - [ ] 이 룰이 R001 파괴적·비가역 작업(`git reset --hard`, `clean -fd`, `rm`, 터널/DNS/k8s/인프라 삭제) 컨텍스트에서도 안전한가? (fail-closed carve-out 필요 여부)
78
+ - [ ] "진행/계속(proceed)" 류 지시의 대상이 파괴적 작업의 계속으로 오독될 여지가 없는가?
79
+ - [ ] 안전-신호의 fail-safe 의미(emergency-halt)를 약화시키지 않는가? (stop-first ask-after 우선)
80
+ - [ ] 기존 안전 규칙(R001/R002)과의 우선순위가 명시되어 있는가?
81
+
82
+ 하나라도 불확실하면 **먼저 carve-out을 명시(Tier 1 우선 해결)**하고, 그래도 불확실하면 Tier 3 적대적 검증(`adversarial-review`, `multi-model-verification`)을 통과시킨 뒤 release한다 (ladder 순서 유지). 이는 R023 shift-left 원칙(저렴한 tier 우선)을 룰 작성 자체에 적용한 것이며, R016 룰 작성 워크플로우의 Tier-1 품질 게이트로 동작한다 (R016은 위반 후 룰 업데이트 소유, R023 carve-out은 안전-신호 룰 작성 시 사전 점검 — 직교). Closes #1353.
83
+
84
+ ## Integration
85
+
86
+ | 규칙 | 상호작용 |
87
+ |------|---------|
88
+ | R009 (Parallel Execution) | Tier 1-2 검사는 독립 파일에 대해 병렬 실행 가능 |
89
+ | R013 (Ecomode) | 컨텍스트 압박 시 Tier 3를 Tier 2로 다운그레이드 고려 |
90
+ | R017 (Sync Verification) | Phase 1-3 검증 단계는 R023 Tier 1-3에 대응 |
91
+ | R021 (Enforcement Policy) | 직교: R021은 blocking 방식, R023은 검증 비용 순서 |
92
+
93
+ ## Workflow Prompt & Verifier Ground-Truth
94
+
95
+ > Origin: #1266 ③ (High) — a Workflow built the agent prompt as `await agent(prompt) + FACTS`, concatenating the guardrail fact-sheet onto the RETURN VALUE instead of the prompt. The writer never received the facts, hallucinated an in-cluster hostname (`secretary-mcp`), and the adversarial verifier couldn't catch it (the fact was in no source it had).
96
+
97
+ ### Prompt Completion Before Call
98
+
99
+ Workflow/agent prompts MUST be fully assembled into the prompt string **before** the `agent()` / Agent tool call. Post-call concatenation onto the return value is a footgun — the agent never sees the appended content.
100
+
101
+ | Anti-pattern | Required |
102
+ |--------------|----------|
103
+ | `const r = await agent(prompt) + FACTS` | `const r = await agent(prompt + FACTS)` — assemble first |
104
+
105
+ ### Workflow Script Sanity Check
106
+
107
+ Before invoking a Workflow script, deterministically verify:
108
+
109
+ | Check | Why |
110
+ |-------|-----|
111
+ | No unresolved placeholders (`{phase1_summary}`, `TODO`, `<...>`, `{{ }}`) remain in any agent prompt string | An unfilled placeholder reaches the agent verbatim → garbled task |
112
+ | Template-literal / string concatenation produces the intended prompt (assemble-before-call, see above) | Post-call concatenation (`agent(prompt) + FACTS`) silently drops content |
113
+ | Script parses — balanced braces/quotes, valid JS | A syntax error aborts the entire run after partial work |
114
+
115
+ #### Common Violation (#1271)
116
+ Session 106 follow-up to #1266 ③: a Workflow authoring error recurred — the guardrail fact-sheet was concatenated onto the agent's RETURN VALUE instead of the prompt string, and a placeholder/assembly slip went uncaught because no pre-run sanity check existed. This check is the deterministic Tier-1 guard that catches such slips before the expensive run.
117
+
118
+ Origin: #1271 (Workflow authoring error recurrence, session 106).
119
+
120
+ ### Verifier Ground-Truth for Cross-Cutting Facts
121
+
122
+ Cross-cutting facts not verifiable from the primary source (external URLs, in-cluster DNS/hostnames, infra topology) MUST be supplied to the verifier as explicit ground-truth. Otherwise an adversarial verifier cannot distinguish a hallucinated value from a correct one — a verification blind spot.
123
+
124
+ Cross-reference: R009 (giant-prompt decomposition), `worker-reviewer-pipeline` skill.
@@ -124,6 +124,14 @@ rules:
124
124
  priority: SHOULD
125
125
  scope: all
126
126
 
127
+ # Verification Ladder - SHOULD
128
+ - id: R023
129
+ name: verification-ladder
130
+ title: Verification Ladder Rules
131
+ path: ./SHOULD-verification-ladder.md
132
+ priority: SHOULD
133
+ scope: all
134
+
127
135
  # Agent Teams - MUST (Conditional)
128
136
  - id: R018
129
137
  name: agent-teams
@@ -161,6 +161,17 @@ Invoke the `omcustomcodex:feedback` skill with the drafted issue content. The us
161
161
 
162
162
  If `--dry-run` is active, skip this phase and output the draft directly to the conversation instead.
163
163
 
164
+ ## Cross-Project Import Compatibility
165
+
166
+ When `homework` is imported into another project, Phase 5 depends on `omcustomcodex:feedback` being available and model-invocable in that project.
167
+
168
+ | Condition | Behavior |
169
+ |-----------|----------|
170
+ | `omcustomcodex:feedback` model-invocable | Use the normal Phase 4A preview + confirmation gate |
171
+ | feedback skill missing or model invocation disabled | Fall back to manual submission: present the drafted findings to the user, write the dry-run artifact when possible, and ask the user to file/run the feedback workflow themselves |
172
+
173
+ Do not silently drop a retrospective because the imported feedback skill cannot be invoked.
174
+
164
175
  ### Phase 6: Output Summary
165
176
 
166
177
  ```
@@ -2,6 +2,17 @@
2
2
 
3
3
  This guide records Claude Code release-note impact that affects the Claude compatibility template. The Codex-native runtime still uses `.codex/**` and OMX as the primary surface.
4
4
 
5
+ ## v2.1.170
6
+
7
+ Published: 2026-06-10.
8
+
9
+ Source: upstream oh-my-customcode #1352/#1354, Codex port #1504.
10
+
11
+ | Change | Impact on oh-my-customcodex | Action |
12
+ |--------|------------------------------|--------|
13
+ | Claude Fable 5 is available through the `fable` alias (`claude-fable-5`) | Useful only for packaged Claude compatibility sessions needing mythos-class reasoning; Codex-native subagents continue to use the OMX model contract and `reasoning_effort`. | Document in R006 as Claude-compatibility metadata. Do not change Codex routing defaults. |
14
+ | VS Code integrated-terminal sessions save transcripts correctly and show them in `--resume` | Improves Claude-template workflows that depend on transcript replay, including imported `homework`/retrospective flows. | Prefer Claude Code v2.1.170+ when testing Claude compatibility transcript-dependent skills. No Codex runtime change. |
15
+
5
16
  ## v2.1.168
6
17
 
7
18
  Published: 2026-06-07.
@@ -1,17 +1,17 @@
1
1
  {
2
- "version": "0.5.19",
2
+ "version": "0.5.21",
3
3
  "requiresCC": ">=2.1.121",
4
4
  "claudeCode": {
5
5
  "minimumVersion": "2.1.121",
6
6
  "protectedPathBypassVersion": "2.1.126"
7
7
  },
8
- "lastUpdated": "2026-06-06T00:00:00.000Z",
8
+ "lastUpdated": "2026-06-11T00:00:00.000Z",
9
9
  "components": [
10
10
  {
11
11
  "name": "rules",
12
12
  "path": ".codex/rules",
13
13
  "description": "Agent behavior rules and guidelines",
14
- "files": 22
14
+ "files": 23
15
15
  },
16
16
  {
17
17
  "name": "agents",
@@ -140,6 +140,10 @@ steps:
140
140
  6. Halt if current failures exceed baseline; otherwise report pass/fail counts and delta.
141
141
  7. Run `bun run build` when available.
142
142
 
143
+ Documentation/template validation:
144
+ - For local or CI docs validation, run `bun run .github/scripts/validate-docs.ts --programmatic-only` (or the repo's equivalent validate-docs command with `--programmatic-only`) before assuming a validation failure is an authentication failure.
145
+ - Treat interactive/auth-dependent validate-docs output as inconclusive until the programmatic-only path has been tried.
146
+
143
147
  Halt on lint errors, typecheck errors, new test failures, build failure, or lockfile drift.
144
148
  description: Auto-detected build + test verification with mandatory bun test baseline delta guard
145
149
 
@@ -155,6 +159,13 @@ steps:
155
159
 
156
160
  Required version preflight for npm package releases:
157
161
  - Determine NEW_VERSION before creating a release branch, PR, or tag.
162
+ - Version decision (semver) — PATCH-PREFERRED policy from v1.0.0 onward:
163
+ * No existing tags → v0.1.0.
164
+ * Previous tag exists → default to patch. When in doubt, patch; do not reflexively bump minor for rule/doc/skill/config/wiki/workflow edits.
165
+ * patch (DEFAULT): bugfixes, hardening, rule/doc/skill/config/wiki/workflow changes, compatibility notes, and release-process guardrails.
166
+ * minor: only a genuinely new user-facing capability, such as a new skill/agent/command adding visible surface, not a refinement of an existing one.
167
+ * major: breaking changes to user-facing contracts (CLI flags, public skill/command names, public API) or a deliberate milestone declaration such as v1.0.0.
168
+ * If a previous tag is ahead of the source version, use the next available skip-version.
158
169
  - Update `package.json` and `templates/manifest.json` to NEW_VERSION in the same commit.
159
170
  - Promote `CHANGELOG.md` before the release PR/tag: move non-empty `## [Unreleased]` entries into `## [NEW_VERSION] - YYYY-MM-DD`, then re-create an empty `## [Unreleased]` section above it.
160
171
  - If `CHANGELOG.md` has no user/package-visible entry for NEW_VERSION, add a concise release summary before continuing instead of relying on GitHub auto-generated release notes.