Skip to content

feat(codex): first-class Codex CLI skill runtime#902

Open
dpol1 wants to merge 5 commits into
apache:mainfrom
dpol1:313-codex-runtime
Open

feat(codex): first-class Codex CLI skill runtime#902
dpol1 wants to merge 5 commits into
apache:mainfrom
dpol1:313-codex-runtime

Conversation

@dpol1

@dpol1 dpol1 commented Jul 18, 2026

Copy link
Copy Markdown
Member

Summary

  • Closes feat(adapter/codex): first-class Codex CLI skill runtime #313: makes OpenAI Codex a first-class Magpie skill runtime instead of a delegation target, per RFC-AI-0004 Principle 3 (vendor neutrality). A maintainer with only Codex installed can now discover and run Magpie skills end to end.
  • Ships a committed, reviewed Codex posture: .codex/config.toml (workspace-write, network off, on-request approvals) and .codex/rules/magpie.rules (scoped read allows, prompted remote mutations, forbidden credential disclosure). sandbox-lint --codex validates both statically.
  • Skips the SKILL.md-to-AGENTS.md conversion the issue suggested: Codex scans the canonical .agents/skills symlinks natively, so SKILL.md stays the single source. The setup and setup-isolated skills route Codex sessions to explicit Codex steps before any Claude-only branch, and new eval fixtures pin that routing.

Type of change

  • Skill change (.claude/skills/<name>/) — eval fixtures updated below
  • Tool / bridge contract (tools/<system>/*.md)
  • Python package (tools/*/ with pyproject.toml)
  • Groovy reference impl
  • Cross-cutting (RFC, AGENTS.md, sandbox, privacy-LLM)
  • Documentation (docs/, README.md, CONTRIBUTING.md)
  • Project template (projects/_template/)
  • CI / dev loop (prek, workflows, validators)
  • Other:

Test plan

  • prek run --all-files passes (all hooks green, including check-placeholders, symlink-lint, workspace ruff/mypy/pytest, skill-and-tool-validate, spec-validate)
  • For Python packages touched: uv run pytest (103 passed in tools/sandbox-lint, including the new tests/test_codex.py invariant cases for tampered configs and rules) / ruff check / mypy all clean
  • For Groovy bridges touched: not touched
  • For skill changes: eval suite passes for the affected skill
    (`PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/e
  • For skill behaviour changes: a new or updated eval fixture is included in this PR
    (runtime-routing suites for all four setup-isolated-setup-* skills, each with a cg the Codex branch is taken and no .claude` file is treated as a failure)
  • Other: end-to-end smoke on a real Codex session (/skills discovery, $magpie-security-issue-triage invocation, approval prompt on a gh mutation)

RFC-AI-0004 compliance

  • HITL — any new mutation is gated on explicit user confirmation
    (approval_policy = "on-request"; exec-policy rules prompt on gh pr/gh issue mu
  • Sandbox — no new unrestricted host access; network reach declared in the adapter
    (workspace-write with network_access = false; networked bridges cross the native
  • Vendor neutrality — placeholders (<PROJECT>, <tracker>, <upstream>, <security-list>) used in all skill / tool prose (the check-placeholders prek hook is the mechanical gate)
  • Conversational + correctable — agentic-override path documented if behaviour is
  • Write-access discipline — no autonomous outbound messages; drafts only, sent on confirmation
  • Privacy LLM — private content does not reach a non-approved LLM; redactor invoke

Linked issues

Closes #313.

Notes for reviewers (optional)

  • The issue proposed mapping SKILL.md onto Codex's AGENTS.md convention. This PR rejects tee would be a second source that drifts from .claude/skills. Codex follows the existing.agents/skills symlinks, so nothing is duplicated. If that call looks wrong, the runtime-contract table in docs/adapters/codex.md is the place to push back.
  • sandbox-lint parses magpie.rules by splitting on prefix_rule( after dropping commeeal Starlark parser. Deliberate trade-off: the invariants only need block-level matching,and a parser dependency felt heavier than the problem. Tampering cases are covered in tests/test_codex.py.
  • Two known gaps, both documented in the adapter's limitations section: agent-guard denialodex hook yet, and the exec-policy rule format is an evolving Codex interface, so theadapter stays experimental until a minimum Codex version is pinned.
  • Project trust stays a human decision. Adoption never edits Codex trust state, and pre-exfiguration survives adopt and upgrade.

dpol1 added 5 commits July 17, 2026 16:42
…y profile

The .codex/ profile makes Codex a first-class Magpie runtime (issue apache#313):
config.toml pins the workspace-write sandbox with workspace network access
disabled and on-request approvals, loaded only after the operator trusts
the project; rules/magpie.rules is the human-in-the-loop layer — scoped
read-only GitHub operations are allowed, known remote mutations prompt,
and credential disclosure (gh auth token|refresh) is forbidden.

Signed-off-by: Davide Polato <dpol1@apache.org>
The new mode lints .codex/config.toml and rules/magpie.rules as one
contract: workspace-write sandbox, workspace network access off,
on-request approvals, and representative exec-policy coverage (remote
mutations prompt, gh auth token forbidden, a scoped read-only allow rule
present, gh release download never unconditionally allowed). Invariants
only — unrelated adopter Codex configuration is preserved.

The rule parser strips full-line comments before splitting on
declaration starts, so a commented-out rule cannot satisfy an invariant
and a ')' inside a justification cannot truncate a block. Codex leaves
the harness-neutral posture lists now that it has a dedicated mode.

Signed-off-by: Davide Polato <dpol1@apache.org>
docs/adapters/codex.md is the operator contract: skill discovery from the
canonical .agents/skills tree, install and verify lifecycle, the sandbox
and HITL security model, the explicit deterministic-guard gap (agent-guard
stays reachable only via its harness-neutral --check/--exec modes), and
the trust boundary. Codex is labelled experimental everywhere it is
promoted (prerequisites, adapter registry, vendor-neutrality) until a
minimum tested runtime version and an adopter pilot are recorded; the
secure-agent-setup doc routes Codex readers to the adapter before the
Claude-only sections.

Signed-off-by: Davide Polato <dpol1@apache.org>
… the adopter lifecycle

Each of the four setup-isolated skills now starts with a runtime-routing
section: a Codex session follows the adapter's install/verify/update/
doctor branch and never treats a missing .claude file as a failure; the
Claude Code branch is unchanged. The magpie-setup lifecycle handles the
committed Codex policy end to end — adopt merges config.toml and
magpie.rules preserving unrelated keys and validates with sandbox-lint
--codex, verify gains check 8g, upgrade reports policy drift without
auto-weakening, and unadopt removes only Magpie-owned values while never
touching Codex project trust.

Signed-off-by: Davide Polato <dpol1@apache.org>
…ime spec

One single-case runtime-routing suite per setup-isolated skill asserts
the new routing step: a Codex session must follow the Codex adapter, not
require .claude files, and stop before the Claude-specific branch. The
spec-loop entry records the contract, acceptance criteria, validation
commands, and known gaps of the experimental Codex runtime.

Signed-off-by: Davide Polato <dpol1@apache.org>
@dpol1 dpol1 changed the title 313 codex runtime feat(codex): first-class Codex CLI skill runtime Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(adapter/codex): first-class Codex CLI skill runtime

1 participant