Add local Codex PR review script (ported from knowmarks)#54

Merged
spaceshipmike merged 1 commit into main from chore/port-codex-review-script
Jun 25, 2026
Conversation

@spaceshipmike

Owner

What

Ports knowmarks' local Codex PR-review tool to setlist as scripts/codex_review.py.

It runs a local Codex review of a PR ($0, on the ChatGPT/Codex subscription — no API key), posts a structured verdict (APPROVE / REQUEST_CHANGES + severity-tagged findings) as a PR comment, and can squash-merge when Codex approves with no P1/P2 findings. The GitHub-hosted Check workflow verifies build/tests; this owns the correctness/logic review + merge.

Why this shape (setlist is public)

setlist is a public repo, so per ~/.claude/rules/self-hosted-ci-runner.md it intentionally stays GitHub-hosted for CI — knowmarks' self-hosted NAS runner and pr-pipeline.yml are deliberately not ported. This is the one piece that is safe and worth porting, because it runs on your Mac, never in CI.

All of knowmarks' hardening is preserved:

  • author == OWNER gate — only ever reviews/merges your own PRs; a stranger's PR is rejected.
  • Untrusted-worktree instruction stripping — removes AGENTS.md / codex.md / .codex from the reviewed worktree so a PR can't instruct its own approver (the diff still shows them as changes to scrutinize). CLAUDE.md is left alone — Codex doesn't load it.
  • Fail-closed CI-green gate — requires the always-on changes gateway present-and-passing, so a pipeline that never ran can't read as green.
  • Gate-self-modification guard — a PR touching this script or .github/workflows/ is never auto-merged.
  • Head-SHA-pinned merge — refuses if the head moved since the review.

Usage

python3 scripts/codex_review.py <PR> [--dry-run] [--no-ci-check]

Requires gh (authenticated) and codex (logged in) on PATH. Stdlib only — no uv/venv.

First real run: reviewed #53 (--dry-run) → APPROVE, 0 findings.

Note: this PR adds a gate file, so by its own rules it will not auto-merge — it needs a human merge.

🤖 Generated with Claude Code

scripts/codex_review.py runs a local Codex review of a PR ($0, on the
ChatGPT/Codex subscription — no API key), posts a structured verdict as a
PR comment, and optionally squash-merges when Codex APPROVEs with no P1/P2
findings. CI (the GitHub-hosted Check workflow) verifies build/tests; this
owns the correctness/logic review + merge.

Ported from knowmarks with setlist-specific wiring (REPO, the Check/changes
gateway, npm context) and all of the original hardening preserved: author ==
OWNER gate, untrusted-worktree instruction stripping, fail-closed CI-green
gate, gate-self-modification guard, and head-SHA-pinned merge.

Usage: python3 scripts/codex_review.py <PR> [--dry-run] [--no-ci-check]

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014iR9LcchEebnoyt5GLRzev
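The fail-closed merge gates from the hardening list in the PR description, as an added example and not the project's own scripts/codex_review.py: a pure decision function over PR metadata and the Codex verdict, plus the untrusted-instruction strip as a path filter. The OWNER login, the PullRequest/Review field names and the sample values are assumptions; the `changes` gateway name, the gate paths and the stripped file names come from the PR text.

```python
from dataclasses import dataclass

OWNER = "example-owner"          # constructed: the repo owner's login
CI_GATEWAY = "changes"           # always-on gateway check named in the PR
GATE_PATHS = ("scripts/codex_review.py", ".github/workflows/")
STRIP_NAMES = {"AGENTS.md", "codex.md", ".codex"}   # CLAUDE.md is left alone
BLOCKING = {"P1", "P2"}

@dataclass
class PullRequest:
    author: str
    files: list       # repo-relative paths touched by the PR
    checks: dict      # check name -> conclusion, e.g. {"changes": "success"}

@dataclass
class Review:
    verdict: str      # "APPROVE" or "REQUEST_CHANGES"
    findings: list    # severity tags such as "P1", "P3"
    head_sha: str     # head SHA the review was produced against

def strip_untrusted_instructions(paths):
    """Return the worktree paths to keep: PR-controlled Codex instruction files are dropped."""
    return [p for p in paths if p.split("/")[0] not in STRIP_NAMES]

def touches_gate(paths):
    """True if the PR edits the review script itself or any workflow file."""
    return any(p == g or (g.endswith("/") and p.startswith(g))
               for p in paths for g in GATE_PATHS)

def merge_decision(pr, review, current_head_sha, ci_check=True):
    """Return (ok, reason). Every gate fails closed: missing data is a refusal."""
    if pr.author != OWNER:
        return False, "author is not OWNER"
    if touches_gate(pr.files):
        return False, "PR modifies the gate; human merge required"
    # A check that never ran is absent from pr.checks and therefore not "success".
    if ci_check and pr.checks.get(CI_GATEWAY) != "success":
        return False, f"CI gateway '{CI_GATEWAY}' absent or not passing"
    if review.verdict != "APPROVE":
        return False, f"verdict is {review.verdict}"
    blocking = sorted(f for f in review.findings if f in BLOCKING)
    if blocking:
        return False, f"blocking findings: {blocking}"
    if review.head_sha != current_head_sha:
        return False, "head moved since review"
    return True, "squash-merge"
```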
@spaceshipmike spaceshipmike force-pushed the chore/port-codex-review-script branch from 48c2ae8 to f8b3452 Compare June 25, 2026 19:26
@spaceshipmike

Owner Author

🤖 Codex review — APPROVE

Local Codex review of this PR's changes against origin/main.

Reviewed the PR diff and surrounding gate/CI context. The new local Codex review script is fail-closed on CI/query/review errors, strips PR-controlled Codex instruction files before review, pins the merge to the reviewed head SHA, and refuses auto-merge for gate-modifying PRs unless explicitly overridden. No blocking correctness or security issue found.

No issues found.

@spaceshipmike spaceshipmike merged commit 6a60a1b into main Jun 25, 2026
2 checks passed
@spaceshipmike spaceshipmike deleted the chore/port-codex-review-script branch June 25, 2026 19:29
spaceshipmike added a commit that referenced this pull request Jun 25, 2026
Second /close. Covers the post-#53 work (#54 Codex script, RELEASING.md runbook, the notarized beta.22 release). INVARIANTS: filled the 'Release / propagation' placeholder with a PROSE invariant (CI-only notarized distribution; tag==versions+lockfile; tag/secrets clauses already ENFORCED by release.yml). lessons: +#desktop-app candidate (single-instance-lock-on-shared-userData trap; e2e tests out/ not the packaged artifact). Follow-up #57 (lockfile-sync gate). steward marker → 7b443be.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014iR9LcchEebnoyt5GLRzev