Customisation for Codex CLI - Features from Claude Code and OpenCode#336
Walkthrough
Introduces a comprehensive git hook and Codex synchronization infrastructure with five new Bash scripts: pre-commit and pre-push git hooks for secret detection and code quality checks, a Codex global state validator, a global hooks installer, and a script to synchronize ECC assets into Codex configuration.
Sequence Diagram
sequenceDiagram
actor User
participant SyncScript as sync-ecc-to-codex.sh
participant FileSystem as File System
participant GitConfig as Git Config
participant CodexConfig as Codex Config
participant HookInstaller as Hook Installer
participant SanityChecker as Sanity Checker
User->>SyncScript: Execute (--dry-run or apply)
SyncScript->>FileSystem: Check required paths
SyncScript->>FileSystem: Backup config & AGENTS.md
SyncScript->>CodexConfig: Update AGENTS.md (merge ECC+Codex)
SyncScript->>FileSystem: Sync skills (ECC → Codex)
SyncScript->>FileSystem: Generate prompt manifests & files
SyncScript->>CodexConfig: Normalize MCP servers (pnpm, tokens)
SyncScript->>HookInstaller: Install global git hooks
HookInstaller->>FileSystem: Copy pre-commit/pre-push
HookInstaller->>GitConfig: Set core.hooksPath
SyncScript->>SanityChecker: Run validation checks
SanityChecker->>FileSystem: Verify config, hooks, skills
SyncScript->>User: Log completion summary
Estimated code review effort: 4 (Complex) | ~50 minutes
Hey @TGreen87 — this PR has merge conflicts with main. Could you rebase or merge main into your branch? Happy to take another look once that's sorted. |
Rebuilt this branch on top of current main and force-pushed the refreshed head.
Restack notes:
- replayed the four original Codex-focused commits onto current main
- kept the current .codex/config.toml from main instead of reintroducing the older pnpm-only MCP config from this draft branch
- preserved the additive Codex scripts/hooks from the PR
Validation in the restack worktree:
- git diff --check
- bash -n on the added shell scripts and git hooks
OK
On Fri, Mar 13, 2026 at 3:26 PM Affaan Mustafa wrote:
Rebuilt this branch on top of current main and force-pushed the refreshed
head.
Restack notes:
- replayed the four original Codex-focused commits onto current main
- kept the current .codex/config.toml from main instead of
reintroducing the older pnpm-only MCP config from this draft branch
- preserved the additive Codex scripts/hooks from the PR
Validation in the restack worktree:
- git diff --check
- bash -n on the added shell scripts and git hooks
Greptile Summary
This PR adds ECC (Everything Claude Code) tooling for Codex CLI users: a pair of global git hooks (pre-commit secret scanner, pre-push verifier), an installer for those hooks via
Key findings:
Confidence Score: 2/5
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A([User runs sync-ecc-to-codex.sh]) --> B{--dry-run?}
B -- yes --> C[Print planned actions only]
B -- no --> D[Backup ~/.codex config & AGENTS.md]
D --> E[Compose ~/.codex/AGENTS.md\nfrom ECC AGENTS.md + Codex supplement]
E --> F[Sync skills from .agents/skills\nto ~/.codex/skills]
F --> G[Generate prompt files\nfrom commands/*.md]
G --> H[Generate extension prompts\nrun-tests / check-coverage / security-audit\n+ language rule packs]
H --> I[Normalize MCP servers\nin ~/.codex/config.toml to pnpm dlx]
I --> I1{extract_context7_key\ngrep -oP macOS bug}
I1 -- macOS: returns empty\nkey silently lost --> J
I1 -- Linux: key preserved --> J
J[Invoke install-global-git-hooks.sh] --> K[Copy pre-commit & pre-push\nto ~/.codex/git-hooks/]
K --> L[git config --global\ncore.hooksPath ~/.codex/git-hooks]
L --> M[Run check-codex-global-state.sh\nsanity check]
M --> N([Sync complete])
subgraph pre-commit hook
P([git commit]) --> Q{rg installed?}
Q -- no + 2>/dev/null\nsilent no-op --> S([Hook passes — secrets undetected])
Q -- yes --> R[Scan added lines for secrets]
R --> T{Findings?}
T -- yes --> U([Commit blocked])
T -- no --> S
end
Last reviewed commit: d411887
| if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then | ||
| printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2 | ||
| printf '%s\n' "$hits" | head -n 3 >&2 | ||
| has_findings=1 | ||
| fi |
Secret scan silently disabled when rg is not installed
rg (ripgrep) is not universally installed. When it is absent, the subshell $( ... rg ... 2>/dev/null ) exits non-zero, the if condition evaluates to false, and scan_added_lines silently returns 0 for every pattern — meaning the hook always passes commits through without detecting any secret. The 2>/dev/null suppresses the "command not found" error, so the user gets no indication that scanning was skipped entirely.
Add an upfront check so the hook either aborts loudly or warns the user before proceeding:
| if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then | |
| printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2 | |
| printf '%s\n' "$hits" | head -n 3 >&2 | |
| has_findings=1 | |
| fi | |
| if ! command -v rg >/dev/null 2>&1; then | |
| printf '[ECC pre-commit] WARNING: ripgrep (rg) is not installed. Secret scanning is disabled.\n' >&2 | |
| return 0 | |
| fi | |
| if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then | |
| printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2 | |
| printf '%s\n' "$hits" | head -n 3 >&2 | |
| has_findings=1 | |
| fi |
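Review bot: the guard proposed in this suggestion still fails open. When rg is absent it prints a warning and then `return 0`, so scan_added_lines reports no findings and the commit goes through unscanned, which is exactly the outcome the comment above is trying to prevent. Exit non-zero in that branch (the hook exists to block), and cover the second silent path on the same scan line: an rg built without PCRE2 exits non-zero when given `--pcre2`, and that error is also hidden by `2>/dev/null`. Run the availability check once before the loop over staged files rather than inside the per-pattern function, otherwise the message repeats for every pattern of every file.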
| extract_context7_key() { | ||
| local file="$1" | ||
| grep -oP -- '--key",[[:space:]]*"\K[^"]+' "$file" | head -n 1 || true | ||
| } |
grep -oP is not portable to macOS (BSD grep)
macOS ships with BSD grep, which does not support the -P (PCRE) flag. On macOS, this line will silently fail (|| true swallows the error) and always return an empty string. As a result, context7_key will be empty and the existing Context7 API key will be silently dropped when the MCP config is rewritten — users lose their key with no warning.
rg is already used throughout the codebase and supports the same PCRE syntax consistently across platforms. Replace with:
| extract_context7_key() { | |
| local file="$1" | |
| grep -oP -- '--key",[[:space:]]*"\K[^"]+' "$file" | head -n 1 || true | |
| } | |
| extract_context7_key() { | |
| local file="$1" | |
| rg -o -- '--key",\s*"\K[^"]+' "$file" 2>/dev/null | head -n 1 || true | |
| } |
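Review bot: the replacement in this suggestion does not work as written. `\K` is a PCRE construct that ripgrep's default regex engine does not support, so `rg -o -- '--key",\s*"\K[^"]+'` exits with an error, `2>/dev/null || true` hides it, and the key is dropped on every platform instead of only on macOS. It needs `rg -oP` (or `--pcre2`), which carries the same dependency on a PCRE2-enabled build that the pre-commit hook already has; a `sed -nE` substitution with a capture group avoids the dependency entirely.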
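A portable way to do the extraction, added here as an illustration rather than code from the PR: the capture is done with `sed -E`, which GNU sed and the BSD sed shipped with macOS both implement, so no PCRE is needed on either side. The function name matches the PR's; `demo_extract` and `demo_missing` are helper names chosen for this example, and the config.toml fragment and placeholder key they use are constructed, not a real credential.

```sh
#!/bin/sh
# Added example, not the PR's code: extract the Context7 key from a config.toml
# without grep -P. The TOML shape targeted is the PR's: "--key", "<value>" inside
# the args array of the context7 MCP server.
extract_context7_key() {
  file="$1"
  # Keep only the first quoted string that follows "--key", and print that capture.
  # sed -E (extended regex) is available on GNU sed and on BSD/macOS sed.
  sed -nE 's/.*"--key",[[:space:]]*"([^"]+)".*/\1/p' "$file" | head -n 1
}

# Self-check against a constructed config fragment (placeholder key, not a real one).
demo_extract() {
  tmp="$(mktemp)"
  printf '%s\n' \
    '[mcp_servers.context7-mcp]' \
    'command = "pnpm"' \
    'args = ["dlx", "@upstash/context7-mcp", "--key", "example-context7-key-0001"]' \
    '' \
    '[mcp_servers.github]' \
    'command = "bash"' > "$tmp"
  extract_context7_key "$tmp"
  rm -f "$tmp"
}

# Missing key: print nothing and exit 0, so callers can test for emptiness
# instead of relying on an error that '|| true' would swallow anyway.
demo_missing() {
  tmp="$(mktemp)"
  printf '%s\n' '[mcp_servers.memory]' 'command = "pnpm"' > "$tmp"
  extract_context7_key "$tmp"
  rm -f "$tmp"
}
```

Run `demo_extract` on Linux and on macOS and the output is the same key; the PR's `grep -oP` variant prints the key on the first and nothing on the second.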
| run_or_echo() { | ||
| if [[ "$MODE" == "dry-run" ]]; then | ||
| printf '[dry-run] %s\n' "$*" | ||
| else | ||
| eval "$@" | ||
| fi | ||
| } |
eval with user-controlled environment variable
CODEX_HOME is accepted directly from the environment (CODEX_HOME="${CODEX_HOME:-$HOME/.codex}"). All call sites pass strings like:
run_or_echo "mkdir -p \"$CODEX_HOME/...\""
If CODEX_HOME is set to a value containing shell metacharacters (e.g. a path with backticks, $() expansion, or spaces that shift quoting), eval will interpret them — potentially executing unintended commands.
The same pattern exists in scripts/codex/install-global-git-hooks.sh at line 29, where ECC_GLOBAL_HOOKS_DIR is the user-controlled variable.
Prefer explicit commands instead of eval. For example:
run_or_echo() {
if [[ "$MODE" == "dry-run" ]]; then
printf '[dry-run] %s\n' "$*"
else
"$@"
fi
}
Then call sites should pass arrays (run_or_echo mkdir -p "$DEST_DIR") instead of quoted strings. This eliminates the shell re-evaluation entirely.
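To make the injection concrete, here is an added demonstration (not code from the PR) that runs the reviewed eval-based wrapper and the argv-based replacement against a constructed CODEX_HOME value carrying a command substitution, and reports whether the embedded command executed. `run_or_echo_eval`, `run_or_echo_argv` and `demo` are names chosen for this example; MODE and the dry-run output format are the PR's.

```sh
#!/bin/sh
# Added example, not the PR's code: eval re-parses an interpolated command string,
# so shell syntax inside a variable becomes shell syntax; an argv wrapper does not.
MODE="${MODE:-apply}"

# As reviewed: the caller builds one string and eval re-parses it. Any $(...),
# backticks or quotes inside an interpolated variable are executed as code.
run_or_echo_eval() {
  if [ "$MODE" = "dry-run" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    eval "$@"
  fi
}

# Hardened: arguments arrive as an argv array and are executed as-is.
# The dry-run line is identical, so the user-visible behaviour does not change.
run_or_echo_argv() {
  if [ "$MODE" = "dry-run" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# demo eval|argv: points CODEX_HOME at a path that embeds a command substitution
# and prints "injected" if that command ran (a marker file appeared), else "safe".
demo() {
  variant="$1"
  work="$(mktemp -d)"
  marker="$work/pwned"
  # Constructed hostile value. The \$ keeps the $(...) literal until the wrapper runs.
  CODEX_HOME="$work/codex\$(touch $marker)"
  case "$variant" in
    eval) run_or_echo_eval "mkdir -p \"$CODEX_HOME/skills\"" ;;
    argv) run_or_echo_argv mkdir -p "$CODEX_HOME/skills" ;;
  esac
  if [ -e "$marker" ]; then
    echo injected
  else
    echo safe
  fi
  rm -rf "$work"
}
```

With the eval wrapper the marker is created, because `eval` expands the `$(touch ...)` inside the quoted path before running mkdir; with the argv wrapper mkdir simply creates a directory whose name contains the literal characters `$(touch ...)`. The same applies to ECC_GLOBAL_HOOKS_DIR in install-global-git-hooks.sh.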
| ## Common | ||
| Use \`$PROMPTS_DEST/ecc-rules-pack-common.md\`. | ||
|
|
||
| ## Go Extensions | ||
| - \`$CURSOR_RULES_DIR/golang-coding-style.md\` | ||
| - \`$CURSOR_RULES_DIR/golang-hooks.md\` | ||
| - \`$CURSOR_RULES_DIR/golang-patterns.md\` | ||
| - \`$CURSOR_RULES_DIR/golang-security.md\` | ||
| - \`$CURSOR_RULES_DIR/golang-testing.md\` | ||
|
|
||
| Language-specific guidance overrides common rules when they conflict. | ||
| EOF | ||
|
|
||
| write_extension_prompt "ecc-rules-pack-swift.md" <<EOF | ||
| # ECC Rule Pack: swift (optional) |
Supabase config is unconditionally overwritten with opinionated defaults
The sync removes the entire mcp_servers.supabase and mcp_servers.supabase.env sections and replaces them with a hardcoded @supabase/mcp-server-supabase@latest invocation plus a fixed --features=... argument list. Only the SUPABASE_ACCESS_TOKEN value is preserved.
Users who have a custom Supabase MCP setup (different package version, feature flags, or additional env vars) will have their configuration silently replaced without any confirmation prompt. Consider logging a clear warning before overwriting or at minimum checking whether the existing section already matches the target format before rewriting it.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d411887a8d
| if [[ "$MODE" == "dry-run" ]]; then | ||
| "$HOOKS_INSTALLER" --dry-run | ||
| else | ||
| "$HOOKS_INSTALLER" |
Execute helper scripts via bash to avoid permission denied
This call assumes install-global-git-hooks.sh is executable, but the commit adds that file with mode 100644, so bash scripts/sync-ecc-to-codex.sh fails with exit 126 at this step and never completes the sync workflow. The same pattern is used for the sanity checker later, so the script should invoke helpers with bash ... (or ensure executable bits are set in git) to avoid a hard failure in normal checkouts.
| printf '\n[mcp_servers.github]\n' | ||
| printf 'command = "bash"\n' | ||
| printf 'args = ["-lc", "%s"]\n' "$(toml_escape "$github_bootstrap")" |
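Review bot: `args = ["-lc", ...]` starts bash as a login shell, so the user's profile files run before `exec pnpm dlx ...`, and anything they write to stdout goes into the same stream the MCP client reads the server's protocol messages from (stdio transport), which breaks the server in a way that is hard to diagnose. Use `-c` unless a login environment is genuinely required for `gh` or `pnpm` to be on PATH; if it is, resolve their absolute paths once at sync time and write those into the config instead.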
Preserve existing GitHub PAT when rewriting MCP config
The rewritten GitHub MCP block relies on gh auth token at runtime and no longer writes a [mcp_servers.github.env] token, so users who previously had GITHUB_PERSONAL_ACCESS_TOKEN configured in config.toml but don’t have gh authenticated will lose GitHub MCP access after sync. The migration already preserves Supabase and Context7 credentials, so dropping GitHub credentials here creates a regression for authenticated setups that do not use gh.
15 issues found across 5 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="scripts/sync-ecc-to-codex.sh">
<violation number="1" location="scripts/sync-ecc-to-codex.sh:44">
P1: Use of `eval` on interpolated command strings enables command injection via environment/path-derived variables.</violation>
<violation number="2" location="scripts/sync-ecc-to-codex.sh:106">
P2: GNU-only `grep -P` is used for key extraction, breaking Context7 key preservation on default macOS/BSD grep.</violation>
<violation number="3" location="scripts/sync-ecc-to-codex.sh:393">
P1: GitHub MCP token in config is removed without migration, potentially breaking auth when `gh auth token` is unavailable.</violation>
<violation number="4" location="scripts/sync-ecc-to-codex.sh:449">
P2: Invoke the hooks installer via bash (or ensure it is executable) so this sync step doesn't fail with permission denied in fresh checkouts.</violation>
<violation number="5" location="scripts/sync-ecc-to-codex.sh:456">
P2: Invoke the sanity checker via bash (or ensure it is executable) so this step doesn't fail with permission denied.</violation>
</file>
<file name="scripts/codex/install-global-git-hooks.sh">
<violation number="1" location="scripts/codex/install-global-git-hooks.sh:29">
P1: Using eval on command strings that include ECC_GLOBAL_HOOKS_DIR allows command injection via shell metacharacters in that env var.</violation>
</file>
<file name="scripts/codex-git-hooks/pre-commit">
<violation number="1" location="scripts/codex-git-hooks/pre-commit:38">
P1: Secret scan fails open when `rg` or `--pcre2` is unavailable, allowing commits without effective scanning.</violation>
<violation number="2" location="scripts/codex-git-hooks/pre-commit:54">
P2: OpenAI secret regex is outdated/narrow and misses hyphenated modern key formats (e.g., project-scoped keys), weakening secret detection.</violation>
<violation number="3" location="scripts/codex-git-hooks/pre-commit:58">
P1: Private-key block regex is malformed for common PEM/OpenSSH headers and misses algorithm-specific `... PRIVATE KEY` secrets.</violation>
</file>
<file name="scripts/codex/check-codex-global-state.sh">
<violation number="1" location="scripts/codex/check-codex-global-state.sh:102">
P2: MCP section existence check uses an unescaped regex pattern, so dotted section names are matched loosely and malformed headers can pass.</violation>
<violation number="2" location="scripts/codex/check-codex-global-state.sh:167">
P2: Prompt counting pipeline can abort the entire checker under strict mode instead of reporting a normal failed check.</violation>
</file>
<file name="scripts/codex-git-hooks/pre-push">
<violation number="1" location="scripts/codex-git-hooks/pre-push:33">
P2: Package-manager detection misses modern Bun lockfiles (`bun.lock`), causing Bun projects to be treated as npm.</violation>
<violation number="2" location="scripts/codex-git-hooks/pre-push:46">
P1: Pre-push script detection conflates execution errors with missing scripts, allowing JS checks to be silently skipped.</violation>
<violation number="3" location="scripts/codex-git-hooks/pre-push:69">
P1: Pre-push executes untrusted repository code without any trust gate, and is intended for global hooksPath installation, creating cross-repo code-execution risk.</violation>
<violation number="4" location="scripts/codex-git-hooks/pre-push:81">
P2: Pre-push hook uses a Yarn Berry-only audit command for all `yarn.lock` repos, which can fail on Yarn Classic and block pushes.</violation>
</file>
| if [[ "$MODE" == "dry-run" ]]; then | ||
| printf '[dry-run] %s\n' "$*" | ||
| else | ||
| eval "$@" |
P1: Use of eval on interpolated command strings enables command injection via environment/path-derived variables.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/sync-ecc-to-codex.sh, line 44:
<comment>Use of `eval` on interpolated command strings enables command injection via environment/path-derived variables.</comment>
<file context>
@@ -0,0 +1,466 @@
+ if [[ "$MODE" == "dry-run" ]]; then
+ printf '[dry-run] %s\n' "$*"
+ else
+ eval "$@"
+ fi
+}
</file context>
| context7_key="$(extract_context7_key "$CONFIG_FILE")" | ||
| github_bootstrap='token=$(gh auth token 2>/dev/null || true); if [ -n "$token" ]; then export GITHUB_PERSONAL_ACCESS_TOKEN="$token"; fi; exec pnpm dlx @modelcontextprotocol/server-github' | ||
|
|
||
| remove_section_inplace "$CONFIG_FILE" "mcp_servers.github.env" |
P1: GitHub MCP token in config is removed without migration, potentially breaking auth when gh auth token is unavailable.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/sync-ecc-to-codex.sh, line 393:
<comment>GitHub MCP token in config is removed without migration, potentially breaking auth when `gh auth token` is unavailable.</comment>
<file context>
@@ -0,0 +1,466 @@
+ context7_key="$(extract_context7_key "$CONFIG_FILE")"
+ github_bootstrap='token=$(gh auth token 2>/dev/null || true); if [ -n "$token" ]; then export GITHUB_PERSONAL_ACCESS_TOKEN="$token"; fi; exec pnpm dlx @modelcontextprotocol/server-github'
+
+ remove_section_inplace "$CONFIG_FILE" "mcp_servers.github.env"
+ remove_section_inplace "$CONFIG_FILE" "mcp_servers.github"
+ remove_section_inplace "$CONFIG_FILE" "mcp_servers.memory"
</file context>
| if [[ "$MODE" == "dry-run" ]]; then | ||
| printf '[dry-run] %s\n' "$*" | ||
| else | ||
| eval "$*" |
P1: Using eval on command strings that include ECC_GLOBAL_HOOKS_DIR allows command injection via shell metacharacters in that env var.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/codex/install-global-git-hooks.sh, line 29:
<comment>Using eval on command strings that include ECC_GLOBAL_HOOKS_DIR allows command injection via shell metacharacters in that env var.</comment>
<file context>
@@ -0,0 +1,63 @@
+ if [[ "$MODE" == "dry-run" ]]; then
+ printf '[dry-run] %s\n' "$*"
+ else
+ eval "$*"
+ fi
+}
</file context>
| scan_added_lines "$file" "GitHub classic token" 'ghp_[A-Za-z0-9]{36}' | ||
| scan_added_lines "$file" "GitHub fine-grained token" 'github_pat_[A-Za-z0-9_]{20,}' | ||
| scan_added_lines "$file" "AWS access key" 'AKIA[0-9A-Z]{16}' | ||
| scan_added_lines "$file" "private key block" '-----BEGIN (RSA|EC|OPENSSH|DSA|PRIVATE) KEY-----' |
P1: Private-key block regex is malformed for common PEM/OpenSSH headers and misses algorithm-specific ... PRIVATE KEY secrets.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/codex-git-hooks/pre-commit, line 58:
<comment>Private-key block regex is malformed for common PEM/OpenSSH headers and misses algorithm-specific `... PRIVATE KEY` secrets.</comment>
<file context>
@@ -0,0 +1,77 @@
+ scan_added_lines "$file" "GitHub classic token" 'ghp_[A-Za-z0-9]{36}'
+ scan_added_lines "$file" "GitHub fine-grained token" 'github_pat_[A-Za-z0-9_]{20,}'
+ scan_added_lines "$file" "AWS access key" 'AKIA[0-9A-Z]{16}'
+ scan_added_lines "$file" "private key block" '-----BEGIN (RSA|EC|OPENSSH|DSA|PRIVATE) KEY-----'
+ scan_added_lines "$file" "generic credential assignment" "(?i)\\b(api[_-]?key|secret|password|token)\\b\\s*[:=]\\s*['\\\"][^'\\\"]{12,}['\\\"]"
+done <<< "$staged_files"
</file context>
| scan_added_lines "$file" "private key block" '-----BEGIN (RSA|EC|OPENSSH|DSA|PRIVATE) KEY-----' | |
| scan_added_lines "$file" "private key block" '-----BEGIN (?:(?:RSA|EC|OPENSSH|DSA) PRIVATE KEY|PRIVATE KEY)-----' |
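Review bot: the corrected pattern in this suggestion still misses two labels that show up in real key material: PKCS#8 encrypted keys use `-----BEGIN ENCRYPTED PRIVATE KEY-----`, and GnuPG exports use `-----BEGIN PGP PRIVATE KEY BLOCK-----`. Extending the alternation to `(?:(?:RSA|EC|OPENSSH|DSA|ENCRYPTED) PRIVATE KEY|PRIVATE KEY|PGP PRIVATE KEY BLOCK)` covers both; the `(?:` groups are fine because the hook already runs rg with `--pcre2`.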
| if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then | ||
| printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2 | ||
| printf '%s\n' "$hits" | head -n 3 >&2 | ||
| has_findings=1 | ||
| fi |
P1: Secret scan fails open when rg or --pcre2 is unavailable, allowing commits without effective scanning.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/codex-git-hooks/pre-commit, line 38:
<comment>Secret scan fails open when `rg` or `--pcre2` is unavailable, allowing commits without effective scanning.</comment>
<file context>
@@ -0,0 +1,77 @@
+ return 0
+ fi
+
+ if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then
+ printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2
+ printf '%s\n' "$hits" | head -n 3 >&2
</file context>
| if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then | |
| printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2 | |
| printf '%s\n' "$hits" | head -n 3 >&2 | |
| has_findings=1 | |
| fi | |
| if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then | |
| printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2 | |
| printf '%s\n' "$hits" | head -n 3 >&2 | |
| has_findings=1 | |
| else | |
| rc=$? | |
| if [[ "$rc" -gt 1 ]]; then | |
| printf '\n[ECC pre-commit] Secret scan failed (rg error, exit %s). Aborting commit.\n' "$rc" >&2 | |
| printf '[ECC pre-commit] Ensure ripgrep is installed with PCRE2 support.\n' >&2 | |
| exit 1 | |
| fi | |
| fi |
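Greptile's rg comment above and this one come down to the same property: a scan that cannot run has to block the commit rather than let it through. The following is an added example, not the PR's hook, of a scanner that distinguishes "clean", "findings" and "could not scan" and treats the last one as a failure. It uses POSIX EREs with `grep -E`, so it has no PCRE or ripgrep dependency and behaves the same on GNU and BSD; `SCANNER` is an assumed knob that exists so the missing-tool path can be exercised, the sample lines are constructed, and the AWS value is the example access key from AWS's own documentation, not a live credential.

```sh
#!/bin/sh
# Added example, not the PR's hook: a fail-closed pre-commit secret scan.
# scan_lines prints clean|findings|error and returns 0|1|2; a hook caller
# must treat both 1 and 2 as "do not commit".
SCANNER="${SCANNER:-grep}"

# name|regex, one per line, as POSIX EREs. The private-key pattern covers PKCS#8,
# algorithm-specific and encrypted PEM labels plus OpenSSH; PGP is a separate label.
PATTERNS='GitHub classic token|ghp_[A-Za-z0-9]{36}
GitHub fine-grained token|github_pat_[A-Za-z0-9_]{20,}
AWS access key|AKIA[0-9A-Z]{16}
private key block|-----BEGIN ((RSA|EC|OPENSSH|DSA|ENCRYPTED) )?PRIVATE KEY-----
PGP private key block|-----BEGIN PGP PRIVATE KEY BLOCK-----'

# scan_one NAME REGEX LINES: 0 = no match, 1 = match (reported on stderr),
# 2 = scanner missing or errored. A failed scan never returns 0.
scan_one() {
  name="$1"; regex="$2"; lines="$3"
  if ! command -v "$SCANNER" >/dev/null 2>&1; then
    printf '[pre-commit] %s not found; refusing to commit unscanned\n' "$SCANNER" >&2
    return 2
  fi
  # The && / || pair records the scanner's exit status without tripping set -e.
  hits="$(printf '%s\n' "$lines" | "$SCANNER" -nE -- "$regex" 2>/dev/null)" && rc=0 || rc=$?
  case "$rc" in
    0) printf '[pre-commit] potential secret (%s):\n%s\n' "$name" "$hits" >&2; return 1 ;;
    1) return 0 ;;
    *) printf '[pre-commit] %s exited %s; refusing to commit unscanned\n' "$SCANNER" "$rc" >&2; return 2 ;;
  esac
}

# scan_lines LINES: run every pattern, print the worst outcome, return 0|1|2.
scan_lines() {
  worst=0
  while IFS='|' read -r name regex; do
    [ -n "$name" ] || continue
    scan_one "$name" "$regex" "$1" && rc=0 || rc=$?
    [ "$rc" -le "$worst" ] || worst=$rc
  done <<EOF
$PATTERNS
EOF
  case "$worst" in
    0) echo clean ;;
    1) echo findings ;;
    *) echo error ;;
  esac
  return "$worst"
}

# Hook input: staged "+" lines only, without the +++ file header and the leading "+".
staged_added_lines() {
  git diff --cached -U0 --no-color | grep '^+' | grep -v '^+++' | cut -c2-
}

# Constructed samples. AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_CLEAN='endpoint = "https://example.invalid/api"
token = os.environ["API_TOKEN"]'
SAMPLE_SECRET='aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
-----BEGIN OPENSSH PRIVATE KEY-----'

# As a hook: block on findings AND on a scanner that could not run.
if [ "${1:-}" = "--hook" ]; then
  scan_lines "$(staged_added_lines)" >/dev/null && exit 0 || exit 1
fi
```

Pointing `SCANNER` at a path that does not exist reproduces the PR's missing-rg situation and yields `error` (exit 2) instead of a silent pass; a hook that wants an explicit escape hatch can add an opt-out variable, but the default has to be the blocking one.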
| 'mcp_servers.sequential-thinking' \ | ||
| 'mcp_servers.context7-mcp' | ||
| do | ||
| if rg -n "^\[$section\]" "$CONFIG_FILE" >/dev/null 2>&1; then |
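Review bot: in `rg -n "^\[$section\]"` the section name is interpolated into a regex, so the `.` in `mcp_servers.github` matches any character and a header such as `[mcp_servers-github]` or `[mcp_serversXgithub]` also satisfies this check. Either escape the dots before interpolating, or match literally with `rg -nF -- "[$section]"` (add `-x` if your headers never carry trailing comments, so the whole line must equal the header).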
P2: MCP section existence check uses an unescaped regex pattern, so dotted section names are matched loosely and malformed headers can pass.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/codex/check-codex-global-state.sh, line 102:
<comment>MCP section existence check uses an unescaped regex pattern, so dotted section names are matched loosely and malformed headers can pass.</comment>
<file context>
@@ -0,0 +1,221 @@
+ 'mcp_servers.sequential-thinking' \
+ 'mcp_servers.context7-mcp'
+ do
+ if rg -n "^\[$section\]" "$CONFIG_FILE" >/dev/null 2>&1; then
+ ok "MCP section [$section] exists"
+ else
</file context>
| case "$pm" in | ||
| pnpm) pnpm audit --prod || fail "pnpm audit failed" ;; | ||
| bun) bun audit || fail "bun audit failed" ;; | ||
| yarn) yarn npm audit --recursive || fail "yarn audit failed" ;; |
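Review bot: `yarn npm audit` only exists in Yarn Berry (2+); Yarn Classic (1.x) has `yarn audit` and rejects the `npm` subcommand, which with `|| fail` blocks every push from a Classic repo. Branch on `yarn --version` (major 1 uses `yarn audit`, anything newer `yarn npm audit --recursive`) or on the presence of `.yarnrc.yml`, which Classic does not use.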
P2: Pre-push hook uses a Yarn Berry-only audit command for all yarn.lock repos, which can fail on Yarn Classic and block pushes.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/codex-git-hooks/pre-push, line 81:
<comment>Pre-push hook uses a Yarn Berry-only audit command for all `yarn.lock` repos, which can fail on Yarn Classic and block pushes.</comment>
<file context>
@@ -0,0 +1,110 @@
+ case "$pm" in
+ pnpm) pnpm audit --prod || fail "pnpm audit failed" ;;
+ bun) bun audit || fail "bun audit failed" ;;
+ yarn) yarn npm audit --recursive || fail "yarn audit failed" ;;
+ npm) npm audit --omit=dev || fail "npm audit failed" ;;
+ *) npm audit --omit=dev || fail "npm audit failed" ;;
</file context>
| detect_pm() { | ||
| if [[ -f "pnpm-lock.yaml" ]]; then | ||
| echo "pnpm" | ||
| elif [[ -f "bun.lockb" ]]; then |
P2: Package-manager detection misses modern Bun lockfiles (bun.lock), causing Bun projects to be treated as npm.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/codex-git-hooks/pre-push, line 33:
<comment>Package-manager detection misses modern Bun lockfiles (`bun.lock`), causing Bun projects to be treated as npm.</comment>
<file context>
@@ -0,0 +1,110 @@
+detect_pm() {
+ if [[ -f "pnpm-lock.yaml" ]]; then
+ echo "pnpm"
+ elif [[ -f "bun.lockb" ]]; then
+ echo "bun"
+ elif [[ -f "yarn.lock" ]]; then
</file context>
| elif [[ -f "bun.lockb" ]]; then | |
| elif [[ -f "bun.lock" || -f "bun.lockb" ]]; then |
| if [[ "$MODE" == "dry-run" ]]; then | ||
| printf '[dry-run] %s\n' "$SANITY_CHECKER" | ||
| else | ||
| "$SANITY_CHECKER" |
P2: Invoke the sanity checker via bash (or ensure it is executable) so this step doesn't fail with permission denied.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/sync-ecc-to-codex.sh, line 456:
<comment>Invoke the sanity checker via bash (or ensure it is executable) so this step doesn't fail with permission denied.</comment>
<file context>
@@ -0,0 +1,466 @@
+if [[ "$MODE" == "dry-run" ]]; then
+ printf '[dry-run] %s\n' "$SANITY_CHECKER"
+else
+ "$SANITY_CHECKER"
+fi
+
</file context>
| if [[ "$MODE" == "dry-run" ]]; then | ||
| "$HOOKS_INSTALLER" --dry-run | ||
| else | ||
| "$HOOKS_INSTALLER" |
P2: Invoke the hooks installer via bash (or ensure it is executable) so this sync step doesn't fail with permission denied in fresh checkouts.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/sync-ecc-to-codex.sh, line 449:
<comment>Invoke the hooks installer via bash (or ensure it is executable) so this sync step doesn't fail with permission denied in fresh checkouts.</comment>
<file context>
@@ -0,0 +1,466 @@
+if [[ "$MODE" == "dry-run" ]]; then
+ "$HOOKS_INSTALLER" --dry-run
+else
+ "$HOOKS_INSTALLER"
+fi
+
</file context>
* chore(codex): add global ecc sync script and pnpm mcp config
* chore(codex): include codex supplement when syncing agents
* feat(codex): add global git safety hooks and QA/rule prompt packs
* feat(codex): add global regression sanity check command
Co-authored-by: TGreen87 <your-email@example.com>
Summary by cubic
Adds ECC tooling to Codex CLI: global git safety hooks, a sync script that backs up and updates ~/.codex (AGENTS + Codex supplement, skills, prompts, QA/rule packs), and MCP servers normalized to pnpm dlx. Adds a sanity checker to validate the global Codex state for consistent, safe setups.
New Features
- pnpm dlx for @modelcontextprotocol/*, @upstash/context7-mcp, @playwright/mcp, with GitHub PAT bootstrap via gh.
Migration
- pnpm is installed; MCP servers now run via pnpm dlx.
Written for commit d411887.