Package Exports
- codex-plugin-cc
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (codex-plugin-cc) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Claude Workspace & Review Plugin For Codex
Codex orchestrates Claude coding workers, then verifies and reviews their work.
The writable workspace lane keeps the originating Codex task active while
Claude runs as a background coding worker. Claude's native agents control
panel opens in a separate terminal, so the user can watch or interact without
blocking Codex. The active Codex model is inherited automatically as the
planner, supervisor, verifier, and reviewer; the plugin never launches a nested
Codex process or hardcodes a GPT model.
The plugin has two explicit surfaces: a writable Codex-supervised Claude coding
workspace and isolated read-only review lanes. Reviews can use Claude Code's
current Opus alias, including the Opus 1M long-context alias, with Read,
Glob, Grep, Task sub-agents, and domain-fenced web access. They do not get
Edit, Write, Bash, raw shell, or repository-controlled Claude settings by
default. Every elite-tier finding must cite tool-call evidence, and malformed
structured output fails closed.
60-Second Quickstart
Public npm is the frictionless install lane:
npm install -g codex-plugin-cc
codex-claude enable
codex-claude doctorFor local development on the plugin itself, install from source:
git clone https://github.com/Kenmege/codex-plugin-cc.git
cd codex-plugin-cc
npm install -g .
codex-claude enable
codex-claude doctorenable registers the plugin with Codex. On current Codex CLI versions it
uses codex plugin marketplace add + codex plugin add through a local wrapper
marketplace; on older runtimes or custom --config paths it falls back to the
legacy TOML stanza writer. Run it once after install; it is idempotent. Restart
Codex CLI after running it. doctor checks Node, Git, Claude Code CLI/version
(minimum 2.1.183 for the default opus / xhigh review profile), Claude
auth, Codex registration, job storage, non-Git folder support, and optional live
Claude runtime access with --probe-runtime.
Dispatch a coding job from a Codex task:
codex-claude workspace --path . -- "implement the requested change and run tests"
codex-claude workspace-status --path . --all --json
codex-claude workspace-logs <session-id>
codex-claude workspace-stop <session-id>The dispatch returns Claude Code's authoritative short session ID immediately;
it fails closed if Claude does not provide one, and a 30-second startup guard
terminates a stalled dispatch process tree. Use
--no-panel for focused follow-up workers and --panel-only to reopen the
control panel. Claude defaults to its rolling opus selector; pass --model
when a different Claude selector is required. Normal mode has native coding
capabilities and permission prompts; --plan is analysis-only. Coding requests
are delivered to Claude over stdin instead of the process argument list, and
privacy-safe lifecycle events exclude prompts and tool arguments.
codex-claude-review remains a fully supported compatibility alias for every
command, including the isolated read-only review lanes.
Or run a read-only review from any git workspace:
codex-claude review
codex-claude review --preset ship --base main
codex-claude review --preset security --add-dir ../shared-libsCodex slash commands are available once the plugin marketplace is loaded:
/claude-review:workspace, /claude-review:review, /claude-review:elite-review,
/claude-review:deep-review, /claude-review:security-review, and
/claude-review:doctor.
Requirements
- Node.js 18.18 or newer.
- Git on
PATH. - Claude Code CLI authenticated locally for direct helper usage.
- Codex CLI with local plugin marketplace support for slash-command usage.
Workspace And Review Lanes
| Lane | Purpose |
|---|---|
workspace |
Writable Claude background worker with a separate control panel and active-session Codex supervision. |
review |
Quick agentic Claude review for everyday diffs. |
adversarial-review |
Skeptical challenge pass for risky changes. |
elite-review |
Exhaustive ship/no-ship review with systemic risks and blind spots. |
deep-review |
Opus max effort with parallel Task sub-agent investigation. |
security-review |
OWASP/CWE-focused review with exploitability classification. |
Presets
Use presets when you want one command that chooses the right lane:
| Preset | Command | Use when |
|---|---|---|
quick |
codex-claude review --preset quick |
Everyday review with high-signal findings. |
ship |
codex-claude review --preset ship --base main |
Pre-merge ship/no-ship gate. Routes to the elite lane. |
security |
codex-claude review --preset security |
Security review without remembering the dedicated command. |
research |
codex-claude folder ./paper --preset research --long-context |
Evidence-heavy code, papers, notes, or research folders. |
deep |
codex-claude review --preset deep --background |
Large or ambiguous tasks that need sub-agent investigation. |
Why Trust The Boundary?
- Read-only by default:
Edit,Write,NotebookEdit, raw shell, and raw git are outside the safe-mode tool catalog. - Prompt-injection resistant framing: diff, focus text, and workspace guidance are wrapped as untrusted data before Claude sees them.
- Fenced external access:
WebFetchstarts with a domain allowlist and expands only through explicit--web-domainflags. - Fail-closed local inputs: snapshots require successful Git ignore discovery, run inside a private per-user namespace, preserve live sessions during cleanup, and exclude secret-bearing files by default.
- Strict release controls: pinned GitHub Actions, Node 18/20/22 CI, package content checks, tag/package version matching, and npmjs publishing with provenance attestation once the human publish gate is enabled.
- Runtime validation: structured review output is validated before rendering, including persisted background-job results.
This repository started from OpenAI's Apache-2.0 Codex plugin reference
preserved under plugins/codex/, and keeps that history. The runtime here is
deliberately reversed:
- upstream plugin: Claude Code -> Codex review/runtime
- this plugin: Codex -> Claude review/runtime
Reviewer Composition
This repository dogfoods its own thesis: every pull request is designed for review by four agents with distinct strengths.
| Reviewer | Trigger | Strength |
|---|---|---|
| GitHub Copilot | GitHub App / repository setting | breadth, fast, high-recall on style and obvious bugs |
| Codex (OpenAI) | installed GitHub App or @codex PR comment where configured |
senior-engineer reasoning, forensic depth on architecture and release safety |
| Devin (Cognition) | installed GitHub App or @devin PR comment where configured |
autonomous engineering; can implement fixes, not just review |
| Claude (Anthropic Opus alias) | @claude PR comment, plus automatic on PR open |
adversarial code review, evidence-cited findings, schema-enforced output through this plugin |
This repository ships Claude automation in .github/workflows/claude.yml.
Copilot, Codex, and Devin reviewer behavior depends on the GitHub Apps and
repository settings installed on the target repository; forks must configure
those separately. Contributors should expect overlapping but complementary
feedback on the maintained repository.
Claude auto-review is skipped on untrusted fork PRs when GitHub withholds
repository Actions secrets; maintainers can still trigger a safe follow-up once
the PR is ready for deeper review.
Disagreements between reviewers are productive. The v0.2.x to v0.2.1
hardening of this plugin came from a Claude Opus plus OpenAI Codex
adversarial review pair where both returned independent NO_SHIP verdicts on
convergent control-plane issues.
Detailed Capabilities
Five review lanes, all agentic by default:
/claude-review:workspace— dispatch a writable Claude worker, open its native agent panel in another terminal, and keep the active Codex task in control for status polling, verification, review, and focused repairs./claude-review:review— quick agentic Claude review (Opus alias, xhigh effort)./claude-review:adversarial-review— agentic skeptical challenge pass./claude-review:elite-review— exhaustive single-agent ship/no-ship review with evidence-cited findings, systemic risks, blind spots, and exploration log./claude-review:deep-review— Opus alias atmaxeffort with parallel sub-agent dispatch (up to fourTasksub-investigations per turn)./claude-review:security-review— security-focused agentic pass with OWASP/CWE mapping and exploitability classification./claude-review:doctor— first-run diagnostics for installation and runtime readiness.
Plus the operational surface:
/claude-review:setup— verify local Claude CLI readiness and report whether subscription auth is detected (which suppresses budget caps). Use--jsonfor machine-parseable hook output.codex-claude doctor— first-run diagnostic for Node, Git, Claude, Codex registration, writable job storage, and optional live runtime probing./claude-review:status,/claude-review:result,/claude-review:cancel— manage background review jobs.codex-claude— direct CLI fallback outside slash commands.- Bundled Codex skill metadata (
skills/claude-review/SKILL.md) lets current Codex plugin runtimes discover when to route natural-language review requests to the helper, not just explicit slash-command invocations.
Agent Capabilities (safe-mode default)
Each review lane spawns a Claude session with a shell-free, fenced tool catalog. Native workspace tools provide structured investigation without exposing repository-defined shell permissions.
| Tool | Notes |
|---|---|
Read |
Workspace-scoped file read with line ranges. Replaces cat/head/tail. |
Glob |
Workspace-scoped file pattern search. Replaces find/ls. |
Grep |
Ripgrep-backed regex with structured matches. Replaces grep/rg. |
Task |
Dispatch parallel sub-agents (deep-review may fan out 4-way). |
WebSearch |
Web search (broad). |
WebFetch |
Default domain allowlist (vendor docs, NIST/CWE/OWASP, package |
registries, NICE/BNF/BMJ/Lancet/NHS); extend with --web-domain. |
Edit, Write, and NotebookEdit are explicitly disallowed, and Bash is
absent from both the safe tool catalog and permission rules. Persistent
user/project/local Claude settings are not loaded in safe mode. The bundled
git-safe.mjs remains a hardened standalone compatibility helper, but is not
exposed to safe review sessions. Runtime test execution remains the outer
Codex orchestrator's verification responsibility.
--permission-mode is whitelisted to default and plan only. Passing
anything else (bypassPermissions, acceptEdits, etc.) causes the helper
to refuse to launch the review.
The reviewer system prompt establishes a hard trust boundary: review
material is wrapped in <untrusted_diff> / <untrusted_focus> /
<workspace_guidance> tags and the agent is instructed to treat their
contents as data, never as instructions — defeating prompt-injection from
hostile diff content.
Escape hatch
For workflows where the diff is fully trusted (your own branch on a private repo) and you want raw shell access:
codex-claude review --unrestricted--unrestricted switches the agent to the full default tool catalog
(including raw Bash) and emits a loud WARNING: --unrestricted set. Trust boundary disabled. note in the rendered output and run log. Never use
--unrestricted against an untrusted diff.
Default Profile
Quality-first reviews default to:
- model:
opus - effort:
xhigh - mode: agentic-safe (read-only fenced tools enabled)
Large review snapshots automatically switch to a long-context profile:
- model:
opus[1m] - effort:
xhigh - Claude Code accepts model aliases such as
opusandsonnet, and the[1m]suffix selects the long-context variant where the user's Claude plan and model access support it.
Deep-review lane defaults:
- model:
opus - effort:
max - budget cap:
--max-budget-usd 25(only honored on api-key auth; on subscription auth the helper suppresses--max-budget-usdand surfaces a NOTE. Use--timeout-msfor a wall-clock cap.)
/claude-review:setup now reports whether subscription auth is detected so
you know up-front whether the budget cap will apply.
Install
npmjs public install
Install from npmjs:
npm install -g codex-plugin-cc
codex-claude enable
codex-claude doctor --probe-runtimeIf you previously installed the historical scoped package or a source checkout
and npm reports EEXIST for codex-claude-review, remove the old global
package first:
npm uninstall -g @kenmege/codex-plugin-cc codex-plugin-cc
npm install -g codex-plugin-cc
codex-claude enable
codex-claude doctorSource install
Install the helper binary:
npm install -g .Or link it during development:
npm linkThen load the plugin in Codex from this repository root. The plugin manifest is:
.codex-plugin/plugin.json
The private Codex lane (this repo's local marketplace) should stay local-only:
codex plugin marketplace add <repo-root>This loads .agents/plugins/marketplace.json as the
claude-review-private marketplace. Do not install the private lane from a
GitHub URL unless intentionally testing the public marketplace path.
GitHub Packages historical install
v1.0.4 was also published under the historical GitHub Packages name
@kenmege/codex-plugin-cc. This is no longer the recommended public install
path because GitHub Packages npm installs require developer-machine auth.
echo "@kenmege:registry=https://npm.pkg.github.com" > ~/.npmrc
echo "//npm.pkg.github.com/:_authToken=YOUR_CLASSIC_PAT" >> ~/.npmrc
npm install -g @kenmege/codex-plugin-ccDo not commit a token-bearing .npmrc.
Direct CLI Usage
codex-claude doctor
codex-claude doctor --probe-runtime
codex-claude setup
codex-claude setup --json
codex-claude review
codex-claude review --preset ship --base main
codex-claude review --preset security
codex-claude folder ./paper --preset research --long-context
codex-claude review --preset deep --background
codex-claude review --base main
codex-claude adversarial-review --background look for migration risk
codex-claude elite-review focus on architecture and rollback
codex-claude deep-review --background --timeout-ms 1800000
codex-claude security-review --add-dir ../shared-libs --web-domain 'https://snyk.io/*'
codex-claude review --inherit-mcp --mcp-config /tmp/linear.mcp.json
codex-claude review --unrestricted # trust boundary off, raw shell
codex-claude status
codex-claude result <job-id>
codex-claude cancel <job-id>setup --json redacts local auth identity by default. It may still report
auth method, API provider, and subscription type so automation can distinguish
subscription auth from API-key auth without exposing the account address.
Slash Commands
Once the plugin marketplace is loaded, these /claude-review:* commands are
available from inside a Codex CLI session. They are thin wrappers that invoke
the bundled codex-claude helper and return its output directly.
Review commands
/claude-review:review— Run an agentic Claude review (Opus alias by default) against the current git workspace./claude-review:elite-review— Run an elite, high-scrutiny review./claude-review:deep-review— Run a deep, multi-agent review (Opus alias, max effort)./claude-review:adversarial-review— Run a harder challenge review against the current workspace./claude-review:security-review— Run a security-focused agentic review.
/claude-review:review --preset ship --base main
/claude-review:adversarial-review --base mainJob and setup commands
/claude-review:status— Show running and recent review jobs for the current workspace./claude-review:result— Show the stored final output for a finished job./claude-review:cancel— Cancel an active background review job./claude-review:setup— Verify that the local Claude review runtime is installed and authenticated./claude-review:enable— Register the plugin in the local Codex CLI config./claude-review:doctor— Diagnose installation, Claude auth, Codex registration, and runtime readiness.
Flags
All review-like commands accept:
| Flag | Purpose |
|---|---|
--background |
Detach the review as a background job |
--base <ref> |
Base ref for branch diff (default: auto-detect origin/main) |
--scope auto|working-tree|branch|directory |
Override scope detection |
--preset quick|ship|security|research|deep |
Choose a role workflow |
--model <name> |
Override the model (e.g., opus[1m] or a full Claude model name) |
--effort low|medium|high|xhigh|max |
Override effort |
--profile quality|long-context |
Force a profile |
--long-context |
Opt into Claude Code's Opus 1M long-context alias |
--legacy |
Disable agentic mode (structured output only, no tool access) |
--agentic |
Force agentic mode on (default for all lanes) |
--unrestricted |
Disable the safe-mode tool fence (raw shell, loud banner). |
--mcp-config <file-or-json> |
Attach an MCP server (repeatable) |
--inherit-mcp |
Also inherit project/local MCPs (default off → strict-mcp on) |
--max-budget-usd <n> |
Cap review spend (api-key auth only; suppressed under subscription) |
--add-dir <path> |
Grant tool access to extra directories (repeatable) |
--web-domain <pattern> |
Add a WebFetch allowlist entry (repeatable) |
--system-prompt-extra <s> |
Append workspace-specific reviewer guidance |
--quiet |
Suppress non-essential rendered detail |
--debug |
Add diagnostic job-log lines |
--permission-mode <mode> |
One of: default, plan (others rejected) |
--timeout-ms <n> |
Override review timeout (lane default: 30 minutes) |
Setup accepts --json for machine-parseable readiness checks. Doctor accepts
--json, --config <path>, --job-dir <path>, and --probe-runtime.
Runtime Hardening
--setting-sources=excludes persistent user, project, and local Claude settings from safe reviews, preventing repository settings from restoring shell permissions or hooks. Unrestricted and setup flows retain their documented settings behavior.--strict-mcp-configis on by default so the agent's MCP tool surface is exactly the set the user passed via--mcp-config. Opt out with--inherit-mcp.--no-session-persistencekeeps review sessions off-disk.--exclude-dynamic-system-prompt-sectionsimproves cross-user prompt-cache reuse.--include-partial-messagesso the streaming activity log captures tool-call telemetry, token counts, cost, and duration.- Subscription auth detection (
isSubscriptionAuth) automatically suppresses--max-budget-usd(which Claude only enforces on api-key auth) and surfaces a NOTE in rendered output, job logs, and invocation metadata explaining why the cap is not honored. - The stream parser tracks malformed JSON line count, exposes it under
activity.parseErrors, and fails closed when no structured output can be recovered. - Structured output is validated again after parsing. Missing arrays, malformed rich findings, or empty agentic evidence fail the job before rendering.
--add-dirresolves symlinks withrealpath, rejects filesystem root, unreadable paths, non-directories, and paths outside the allowed boundary before Claude starts. The default boundary is the parent of the workspace root; setCODEX_CLAUDE_ADD_DIR_BOUNDARY=/absolute/pathto tighten or intentionally extend that boundary for a trusted monorepo layout.--mcp-configvalues are parsed as JSON and checked for MCP server structure before they are passed to Claude.- Foreground Claude calls are launched with timeout/interruption handling; a timeout kills the spawned process tree and marks the job failed.
setupperforms a live non-interactive structured-output probe instead of trustingclaude auth statusalone.
elite-review, deep-review, and security-review use a richer agentic
schema (schemas/agentic-review-output.schema.json) that schema-enforces
evidence as minItems: 1 per finding, minLength: 1 on every string
field. The agent cannot emit empty evidence and pass validation.
After schema validation, every finding's evidence[].tool is cross-checked
against the actual tool-use stream observed in this run via
crossCheckEvidenceAgainstStream. Citations whose tool name does not match
any observed call are flagged with a ⚠ Evidence cross-check annotation in
the rendered output and counted in the aggregate. The check is lenient —
findings are not deleted or downgraded, since tools invoked inside Task
sub-agent calls do not appear in the parent stream and a citation may
legitimately reference one of those. The annotation is a "treat as a
fabrication-or-subagent signal" prompt for the operator, not a hard failure.
Workspace State
Per-workspace review state is stored under:
.claude-review/jobs/*.job.json.claude-review/jobs/*.input.json.claude-review/jobs/*.log
Background jobs survive across Codex turns without polluting global state.
The .claude-review/ directory is excluded from review snapshots so review
artefacts do not feed back into themselves.
Pass --job-dir <path> (or set CODEX_CLAUDE_REVIEW_JOB_DIR) to keep every
job record, immutable input, prompt, and log in an alternate directory. Reuse
the same option with status, result, and cancel. Job IDs accept only
1–128 ASCII letters, digits, underscores, and hyphens.
Directory snapshots live under the versioned, privately owned
~/.claude-review/snapshots/ namespace by default. Pass
--snapshot-temp-root <path> to select another isolated root.
Stale cleanup validates the namespace and snapshot metadata, preserves workers
whose owner PID is still live, atomically claims dead snapshots, and never
scans or deletes similarly named directories outside that namespace.
Job records are versioned with schemaVersion: 1, created with exclusive file
creation, and updated with atomic writes. status marks long-running jobs as
stalled when their timeout window has elapsed.
Exit Codes
| Code | Meaning |
|---|---|
0 |
Clean command or review with no ship-blocking findings |
1 |
Operational/runtime error |
2 |
Invalid usage or validation error |
3 |
Review completed and found ship-blocking findings |
The same gating contract applies when a review is run in the background:
codex-claude result <job-id> re-validates the persisted result and
exits 3 when the completed job contains ship-blocking findings.
Supported Platforms
Supported and tested development platforms are macOS and Linux with Node.js
18.18 or newer. Windows is not a supported v1 platform because process-tree
termination and shell/tool semantics have not been verified there. Run
codex-claude doctor --probe-runtime on a new machine before trusting a
release gate there, because Claude Code runtime behavior and local auth state
still depend on the host environment.
Development
npm run lint
npm test
npm run check
npm run pack:checkThe npm package intentionally omits package.json.private so npmjs publishing
can run when explicitly enabled. The release workflow validates tags and only
publishes when repository variable NPMJS_PUBLISH_ENABLED=true and the npm
trusted publisher for the Kenmege/codex-plugin-cc release.yml workflow is
configured. GitHub OIDC supplies short-lived publishing access; the workflow
does not use a long-lived npm publishing secret. Release tags must match the
package version exactly:
package.json version X.Y.Z is published only from tag vX.Y.Z; a
prerelease smoke must first commit matching X.Y.Z-rc.1 metadata before
pushing tag vX.Y.Z-rc.1.
Repository Layout
.codex-plugin/plugin.json
commands/
review.md
adversarial-review.md
elite-review.md
deep-review.md
security-review.md
setup.md
status.md
result.md
cancel.md
docs/plans/
schemas/
review-output.schema.json
elite-review-output.schema.json
agentic-review-output.schema.json
scripts/
claude-review-companion.mjs
bin/
git-safe.mjs
lib/
args.mjs
claude.mjs
git.mjs
process.mjs
render.mjs
state.mjs
workspace.mjs
test/The original Claude Code plugin subtree remains under plugins/codex/ as an
upstream reference while this Codex-native runtime is developed at the repo
root. Its Codex prompt guidance tracks the current OpenAI model family:
gpt-5.5 for complex coding/research work, gpt-5.4-mini for lighter
subtasks, and the spark shortcut for gpt-5.3-codex-spark preview runs when
that model is available to the user.