Releases: shinpr/codex-workflows

Release: v0.2.4

26 Mar 13:26
64a40e0

This release aligns test generation with skeleton-driven planning.

  • Moves detailed test strategy out of Design Docs and into generated test skeletons
  • Updates planning and task decomposition to use test skeleton metadata and file paths
  • Improves multi-layer integration test orchestration with stricter document inputs and clearer routing
  • Tightens acceptance criteria guidance for better LLM execution accuracy

Release: v0.2.3

26 Mar 04:24
24bb339

0.2.3

  • Improved reverse-engineering prompts to produce more complete, evidence-backed documentation.
  • Strengthened verification and scope discovery guidance to reduce shallow analysis.
  • Tightened diagnosis investigation prompts and quality gates for more consistent findings.

Release: v0.2.1

21 Mar 08:35
219f404

What's Changed

  • Generalized language-specific terminology in language-agnostic agent and skill files.
  • Replaced TypeScript-oriented examples and wording with broader contract, data shape, and schema language where appropriate.
  • Made security check guidance less tied to specific languages and runtime APIs.

Release: v0.2.0

21 Mar 07:49
8e39631

New: Security Reviewer Agent

A new security-reviewer agent runs after all implementation tasks complete, reviewing code against Design Doc security considerations and coding-rules Security Principles.

Finding Classification

Findings use a 4-category model instead of generic severity levels:

Category        Meaning
confirmed_risk  Attack surface exists as-is
defense_gap     Not immediately exploitable, but a defensive layer is thin
hardening       Improvement to reduce exposure
policy          Organizational/operational concern, not a technical vulnerability

Each finding includes a rationale field explaining why it was classified that way, reducing false positives and severity inflation.

Status Determination

Status               Condition
blocked              Committed secret or high-confidence exploitable risk — escalate to user
needs_revision       One or more confirmed_risk, or multiple defense_gap on input boundaries
approved_with_notes  Only hardening / policy findings
approved             No meaningful findings
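
A consumer of the reviewer's structured output can check that the reported status is at least as strict as the findings justify. The JavaScript below is an added example, not code from codex-workflows: apart from `rationale` and the category and status names, every field name (`status`, `findings`, `category`, `boundary`, `committedSecret`, `highConfidenceExploitable`) is an assumption, as is treating a lone defense_gap as approved_with_notes.

```javascript
// Added example: consistency check for a security-reviewer style report.
// Assumed (hypothetical) fields: status, findings, category, boundary,
// committedSecret, highConfidenceExploitable. Only `rationale` is named on the page.
const CATEGORIES = ['confirmed_risk', 'defense_gap', 'hardening', 'policy'];
// Ordered from most lenient to strictest.
const STATUSES = ['approved', 'approved_with_notes', 'needs_revision', 'blocked'];

function expectedStatus(findings) {
  // Strictest rule first: committed secret or high-confidence exploitable risk.
  if (findings.some(f => f.committedSecret || f.highConfidenceExploitable)) return 'blocked';
  const confirmed = findings.filter(f => f.category === 'confirmed_risk').length;
  const inputGaps = findings.filter(
    f => f.category === 'defense_gap' && f.boundary === 'input').length;
  if (confirmed >= 1 || inputGaps >= 2) return 'needs_revision';
  // Assumption: the table does not cover a lone defense_gap; report it as notes.
  return findings.length > 0 ? 'approved_with_notes' : 'approved';
}

function checkReport(report) {
  const problems = [];
  const findings = Array.isArray(report.findings) ? report.findings : [];
  findings.forEach((f, i) => {
    if (!CATEGORIES.includes(f.category)) problems.push(`finding ${i}: unknown category`);
    if (typeof f.rationale !== 'string' || f.rationale.trim() === '') {
      problems.push(`finding ${i}: missing rationale`);
    }
  });
  const expected = expectedStatus(findings);
  const claimed = STATUSES.indexOf(report.status);
  if (claimed === -1) {
    problems.push('unknown status');
  } else if (claimed < STATUSES.indexOf(expected)) {
    // Fail closed: a status more lenient than the findings imply is rejected.
    problems.push(`status ${report.status} is more lenient than ${expected}`);
  }
  return { expected, ok: problems.length === 0, problems };
}

// Constructed sample report (not real output from the tool).
const sampleReport = {
  status: 'approved_with_notes',
  findings: [
    { category: 'defense_gap', boundary: 'input', rationale: 'No length limit on upload name' },
    { category: 'defense_gap', boundary: 'input', rationale: 'Query parameter not validated' },
    { category: 'hardening', rationale: 'Add security response headers' },
  ],
};
console.log(checkReport(sampleReport));
```

A stricter-than-expected status passes the check; only under-reporting is flagged.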

Workflow Integration

  • All implementation recipes (recipe-implement, recipe-build, recipe-front-build, recipe-fullstack-build, recipe-fullstack-implement) run security-reviewer after all tasks complete, before the completion report
  • All review recipes (recipe-review, recipe-front-review) now include security review alongside code compliance validation
  • approved_with_notes proceeds to completion with notes included in the report

Updated: Security Principles in coding-rules

The Security section has been rewritten with positive, actionable instructions organized into:

  • Secure Defaults — secrets management, parameterized queries, cryptographic libraries
  • Input and Output Boundaries — validation, encoding, error response content
  • Access Control — authentication, authorization, least privilege
  • Knowledge Cutoff Supplement — OWASP 2025 changes, AI-generated code patterns, OpenSSF guidance

A new references/security-checks.md provides grep-friendly detection patterns (stable + trend-sensitive) with a semi-annual review cycle.

Improved: Agent Definition Quality

Three agents rewritten from checklist format to actionable verification pipelines:

  • code-reviewer — 5-step process with per-AC status tracking and partial fulfillment scoring
  • requirement-analyzer — 6-step process with explicit investigation before scale determination
  • work-planner — 6-step process with strategy selection and phase composition

Other Changes

  • requiresTestReview field added to task-executor and task-executor-frontend structured responses, replacing filename-pattern matching for integration-test-reviewer triggering
  • Orchestration vocabulary extended with approved_with_notes and blocked statuses (scoped to security-reviewer), with explicit handling rules distinguishing them from existing approved_with_conditions and rejected
  • Design Doc template Security Considerations section now provides structured prompts (Authentication & Authorization, Input Validation, Sensitive Data Handling)
  • Work plan template final phase now includes a security review task
  • filesModified collection explicitly specified across all recipes for security-reviewer input

Install / Update

npx codex-workflows update

Release: v0.1.0

17 Mar 13:52

codex-workflows v0.1.0

First release. End-to-end agentic coding workflows for Codex CLI.

What's included

Skills (24)

Foundational (8) — auto-loaded when context matches:

  • coding-rules, testing, ai-development-guide, documentation-criteria, implementation-approach, integration-e2e-testing, task-analyzer, subagents-orchestration-guide
  • TypeScript/React references included for coding-rules and testing
  • Frontend-specific reference for ai-development-guide

Recipe — Backend (10):

  • recipe-implement (universal entry point with layer routing), recipe-design, recipe-plan, recipe-build, recipe-review, recipe-task, recipe-diagnose, recipe-reverse-engineer, recipe-add-integration-tests, recipe-update-doc

Recipe — Frontend (4):

  • recipe-front-design, recipe-front-plan, recipe-front-build, recipe-front-review

Recipe — Fullstack (2):

  • recipe-fullstack-implement, recipe-fullstack-build

Subagents (22)

Document creation: requirement-analyzer, prd-creator, technical-designer, technical-designer-frontend, ui-spec-designer, work-planner, document-reviewer, design-sync

Implementation: task-decomposer, task-executor, task-executor-frontend, quality-fixer, quality-fixer-frontend, acceptance-test-generator, integration-test-reviewer

Analysis: code-reviewer, code-verifier, rule-advisor, scope-discoverer

Diagnosis: investigator, verifier, solver

CLI Installer

npx codex-workflows install    # install to current project
npx codex-workflows update     # update managed files (preserves local changes)
npx codex-workflows status     # show version and file count

Hash-based local change detection — files you've customized are preserved across updates.

Key design decisions

  • Layer separation: Backend, frontend, and fullstack workflows use separate agents and recipes. recipe-implement acts as a thin router that delegates to the appropriate layer-specific flow.
  • Structured agent output: All subagents return JSON with a standardized approval vocabulary (approved, approved_with_conditions, needs_revision, rejected, skipped).
  • File scope enforcement: Task executors validate that modifications stay within the task file's Target Files list. Out-of-scope changes trigger escalation.
  • GPT-optimized instructions: Agent definitions use BLOCKING gates, ENFORCEMENT blocks, and LOADING PROTOCOL patterns tuned for GPT model compliance.
  • Project-aware quality checks: Quality fixers detect available tooling from project configuration before applying checks.

Install

cd your-project
npx codex-workflows install

Requires Codex CLI and Node.js >= 20.