Piping · dependabot · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.codex/skills/clawbot-feishu-debug/SKILL.md b/.codex/skills/clawbot-feishu-debug/SKILL.md
@@ -0,0 +1,32 @@
+---
+name: clawbot-feishu-debug
+description: Use when debugging Codex clawbot and Feishu integration problems such as missing sessions, missing inbound messages, reaction failures, websocket health, session binding, or reply forwarding.
+---
+
+Debug clawbot in this order:
+
+1. Check workspace-local state under `.codex/clawbot/`:
+   - `config.toml`
+   - `runtime.json`
+   - `sessions.json`
+   - `bindings.json`
+   - `unread_messages.jsonl`
+   - `inbound_receipts.json`
+2. Distinguish these cases clearly:
+   - REST send path works
+   - runtime says `connected`
+   - websocket inbound events are actually arriving
+   These are not the same thing.
+3. Verify the bot identity and app credentials match the intended Feishu app.
+4. For session issues, check whether the session is auto-discovered, manually bound, reachable by the current bot, and still visible through Feishu APIs.
+5. For repeated messages, check dedupe state in `inbound_receipts.json`.
+6. For reaction failures, use exact official Feishu `emoji_type` names only.
+
+Useful checks:
+
+- `runtime.json` proving `connected` is not enough; confirm new inbound state is landing in unread / receipt files.
+- If a session is bound but no inbound message lands in local state, suspect websocket delivery before suspecting thread routing.
+- If send fails with “Bot/User can NOT be out of the chat”, the bound `chat_id` is invalid for the current bot.
+
+Prefer concrete file evidence over speculation, and end with the smallest next verification command.
+
diff --git a/.codex/skills/codex-loop-debug/SKILL.md b/.codex/skills/codex-loop-debug/SKILL.md
@@ -0,0 +1,31 @@
+---
+name: codex-loop-debug
+description: Use when debugging Codex loop behavior such as before-turn or after-turn ordering, queue semantics, until_no_followup behavior, /stop handling, or stale running background loop UI in TUI.
+---
+
+Treat loop issues as scheduler problems first, UI problems second.
+
+Debug in this order:
+
+1. Confirm the active workspace and inspect:
+   - `.codex/loop_timers.json`
+   - `.codex/loop_trigger_queues.json`
+2. Separate these failure classes:
+   - trigger configuration is empty or wrong
+   - scheduler queue / round semantics are wrong
+   - follow-up submission keeps the chain alive
+   - `/stop` is not interrupting the active loop task
+   - TUI background loop indicator is stale
+3. For `after-turn`, reason in rounds:
+   - all handlers in trigger order
+   - each follow-up drained serially
+   - next round only after the current follow-up queue is done
+4. For “it keeps running forever”, check whether the loop keeps generating follow-up user turns. If yes, `until_no_followup` will never stop.
+5. For UI banner bugs, verify whether scheduler state is really empty before blaming `chatwidget`.
+
+Useful principles:
+
+- One thread should have one serial after-turn runner.
+- Queue state is a better source of truth than a single boolean gate.
+- If the user asks for fail-fast behavior, do not preserve legacy loop semantics just to smooth migration.
+
diff --git a/.codex/skills/deep-discovery/SKILL.md b/.codex/skills/deep-discovery/SKILL.md
@@ -0,0 +1,31 @@
+---
+name: deep-discovery
+description: "Use when the user wants a design-first workflow: read local docs like AGENTS.md and proposal/design files, ask detailed follow-up questions, use question tool where helpful, and only produce proposal/design/todos after high-confidence understanding."
+---
+
+This skill is for design and discovery work before implementation.
+
+Default flow:
+
+1. Read local context first:
+   - `AGENTS.md`
+   - `README.md`
+   - `design.md`
+   - `proposal.md`
+   - other nearby docs the task explicitly references
+2. Build understanding before proposing a solution.
+3. Ask complete follow-up questions. When many answers are needed, prefer the `question` tool.
+4. Keep asking until the user's real goal, constraints, and success criteria are clear enough to design against.
+5. Then summarize using STAR:
+   - Situation
+   - Task
+   - Action
+   - Result
+6. Use first-principles reasoning. If the requested path is not the best path, say so and explain why.
+
+Guardrails:
+
+- Do not rush into code when the user asked for proposal or design first.
+- Do not assume the user already knows the best solution shape.
+- If motivation or constraints are unclear, pause and ask instead of inventing certainty.
+- Once the goal is clear, keep the proposal concrete: data model, state model, file touch points, and validation commands.
diff --git a/.codex/skills/enhanced-release/SKILL.md b/.codex/skills/enhanced-release/SKILL.md
@@ -0,0 +1,24 @@
+---
+name: enhanced-release
+description: Use when the user asks to cut, push, or monitor a release tag on the enhanced Codex fork, especially when they mention enhanced-release, new tag, GitHub release workflow, or release run status.
+---
+
+For this fork, the standard release path is the `enhanced-release` GitHub workflow on `Piping/codex-enhanced`.
+
+Default workflow:
+
+1. Inspect `git status --short`, `git tag --sort=-version:refname`, and recent commits.
+2. Determine the next patch version instead of reusing the current workspace version.
+3. Update the workspace version before tagging.
+4. Keep the release commit narrow. Do not pull in unrelated untracked files.
+5. Create a release commit like `chore: release x.y.z`.
+6. Create tag `vx.y.z`.
+7. Push `main` and the tag to remote `enhanced`.
+8. Query the `enhanced-release` workflow run and report the run id and status.
+
+Guardrails:
+
+- Do not assume `HEAD` already has the right version number.
+- Do not include scratch files, local scripts, `.drawio` sources, or other unrelated untracked files unless the user explicitly asks.
+- If the user asks for the workflow by name, make sure the response explicitly references `enhanced-release`.
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,11 +36,12 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
-          # Use a rust-release version that includes all native binaries.
-          CODEX_VERSION=0.115.0
+          CODEX_VERSION="$(grep -m1 '^version' codex-rs/Cargo.toml | sed -E 's/version *= *"([^"]+)".*/\1/')"
           OUTPUT_DIR="${RUNNER_TEMP}"
           python3 ./scripts/stage_npm_packages.py \
             --release-version "$CODEX_VERSION" \
+            --github-repo "$GITHUB_REPOSITORY" \
+            --workflow-name ".github/workflows/enhanced-release.yml" \
             --package codex \
             --output-dir "$OUTPUT_DIR"
           PACK_OUTPUT="${OUTPUT_DIR}/codex-npm-${CODEX_VERSION}.tgz"

diff --git a/.github/workflows/enhanced-release.yml b/.github/workflows/enhanced-release.yml
@@ -0,0 +1,234 @@
+name: enhanced-release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: Existing tag to build and publish, for example v0.1.1
+        required: true
+        type: string
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name || inputs.release_tag }}
+  cancel-in-progress: true
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      release_tag: ${{ steps.meta.outputs.release_tag }}
+      release_version: ${{ steps.meta.outputs.release_version }}
+      checkout_ref: ${{ steps.meta.outputs.checkout_ref }}
+    steps:
+      - name: Resolve release metadata
+        id: meta
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+            release_tag="${{ inputs.release_tag }}"
+            checkout_ref="refs/tags/${release_tag}"
+          else
+            release_tag="${GITHUB_REF_NAME}"
+            checkout_ref="${GITHUB_REF}"
+          fi
+
+          [[ "${release_tag}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-(alpha|beta)(\.[0-9]+)?)?$ ]] \
+            || { echo "Release tag ${release_tag} is not in the expected format."; exit 1; }
+
+          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
+          echo "release_version=${release_tag#v}" >> "$GITHUB_OUTPUT"
+          echo "checkout_ref=${checkout_ref}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout release ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.meta.outputs.checkout_ref }}
+
+      - uses: dtolnay/rust-toolchain@1.100
+
+      - name: Validate tag matches Cargo version
+        shell: bash
+        run: |
+          set -euo pipefail
+          cargo_ver="$(grep -m1 '^version' codex-rs/Cargo.toml | sed -E 's/version *= *"([^"]+)".*/\1/')"
+          tag_ver="${{ steps.meta.outputs.release_version }}"
+          [[ "${tag_ver}" == "${cargo_ver}" ]] \
+            || { echo "Tag version ${tag_ver} does not match Cargo.toml ${cargo_ver}."; exit 1; }
+
+  build:
+    needs: prepare
+    name: build-${{ matrix.target }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: codex-rs
+    env:
+      CARGO_INCREMENTAL: "0"
+      CARGO_PROFILE_RELEASE_LTO: fat
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            archive_ext: tar.gz
+            archive_kind: tar
+          - runner: macos-15-intel
+            target: x86_64-apple-darwin
+            archive_ext: tar.gz
+            archive_kind: tar
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-gnu
+            archive_ext: tar.gz
+            archive_kind: tar
+          - runner: windows-2022
+            target: x86_64-pc-windows-msvc
+            archive_ext: zip
+            archive_kind: zip
+    steps:
+      - name: Checkout release ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.prepare.outputs.checkout_ref }}
+
+      - uses: dtolnay/rust-toolchain@1.100
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Install sccache
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        with:
+          tool: sccache
+
+      - name: Enable sccache wrapper
+        shell: bash
+        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+
+      - name: Clear workspace build rustflags for CI release builds
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
+
+      - name: Use default macOS linker
+        if: ${{ runner.os == 'macOS' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_AARCH64_APPLE_DARWIN_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_X86_64_APPLE_DARWIN_RUSTFLAGS=" >> "$GITHUB_ENV"
+
+      - name: Install Linux build dependencies
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y libcap-dev pkg-config protobuf-compiler
+
+      - name: Install macOS build dependencies
+        if: ${{ runner.os == 'macOS' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if ! command -v protoc >/dev/null 2>&1; then
+            brew install protobuf
+          fi
+
+      - name: Install Windows build dependencies
+        if: ${{ runner.os == 'Windows' }}
+        shell: pwsh
+        run: |
+          if (-not (Get-Command protoc -ErrorAction SilentlyContinue)) {
+            choco install protoc -y --no-progress
+          }
+
+      - name: Build release binaries
+        shell: bash
+        run: |
+          set -euo pipefail
+          cargo build --locked --release --target "${{ matrix.target }}" --bin codex --bin codex-responses-api-proxy
+
+      - name: Package unix artifacts
+        if: ${{ matrix.archive_kind == 'tar' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          stage_dir="dist/${{ matrix.target }}"
+          archive_name="codex-enhanced-${{ needs.prepare.outputs.release_version }}-${{ matrix.target }}.${{ matrix.archive_ext }}"
+
+          mkdir -p "${stage_dir}"
+          cp "target/${{ matrix.target }}/release/codex" "${stage_dir}/codex"
+          cp "target/${{ matrix.target }}/release/codex-responses-api-proxy" "${stage_dir}/codex-responses-api-proxy"
+
+          tar -C "${stage_dir}" -czf "${archive_name}" codex codex-responses-api-proxy
+
+      - name: Package windows artifacts
+        if: ${{ matrix.archive_kind == 'zip' }}
+        shell: pwsh
+        run: |
+          $stageDir = "dist/${{ matrix.target }}"
+          $archiveName = "codex-enhanced-${{ needs.prepare.outputs.release_version }}-${{ matrix.target }}.${{ matrix.archive_ext }}"
+
+          New-Item -ItemType Directory -Force -Path $stageDir | Out-Null
+          Copy-Item "target/${{ matrix.target }}/release/codex.exe" "$stageDir/codex.exe"
+          Copy-Item "target/${{ matrix.target }}/release/codex-responses-api-proxy.exe" "$stageDir/codex-responses-api-proxy.exe"
+
+          Compress-Archive -Path "$stageDir/codex.exe", "$stageDir/codex-responses-api-proxy.exe" -DestinationPath $archiveName -Force
+
+      - name: Upload packaged artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-${{ matrix.target }}
+          path: codex-rs/codex-enhanced-${{ needs.prepare.outputs.release_version }}-${{ matrix.target }}.${{ matrix.archive_ext }}
+          if-no-files-found: error
+
+  release:
+    needs:
+      - prepare
+      - build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout release ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.prepare.outputs.checkout_ref }}
+
+      - name: Download packaged artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: release-*
+          path: release-artifacts
+          merge-multiple: true
+
+      - name: Write release notes from tag commit message
+        shell: bash
+        run: |
+          set -euo pipefail
+          commit="$(git rev-parse "${{ needs.prepare.outputs.checkout_ref }}^{commit}")"
+          git log -1 --format=%B "${commit}" > release-notes.md
+          echo >> release-notes.md
+
+      - name: Publish GitHub Release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ needs.prepare.outputs.release_tag }}
+          name: Codex Enhanced ${{ needs.prepare.outputs.release_version }}
+          body_path: release-notes.md
+          files: release-artifacts/*
+          fail_on_unmatched_files: true
+          prerelease: ${{ contains(needs.prepare.outputs.release_version, '-') }}