M CHANGELOG.md => CHANGELOG.md +10 -0
@@ 1,5 1,15 @@
# Changelog
+## [0.12.10.0] - 2026-03-27 — Codex Filesystem Boundary
+
+Codex was wandering into `~/.claude/skills/` and following gstack's own instructions instead of reviewing your code. Now every codex prompt includes a boundary instruction that keeps it focused on the repository. Covers all 11 callsites across /codex, /autoplan, /review, /ship, /plan-eng-review, /plan-ceo-review, and /office-hours.
+
+### Fixed
+
+- **Codex stays in the repo.** All `codex exec` and `codex review` calls now prepend a filesystem boundary instruction telling Codex to ignore skill definition files. Prevents Codex from reading SKILL.md preamble scripts and wasting 8+ minutes on session tracking and upgrade checks.
+- **Rabbit-hole detection.** If Codex output contains signs it got distracted by skill files (`gstack-config`, `gstack-update-check`, `SKILL.md`, `skills/gstack`), the /codex skill now warns and suggests a retry.
+- **5 regression tests.** New test suite validates boundary text appears in all 7 codex-calling skills, the Filesystem Boundary section exists, the rabbit-hole detection rule exists, and autoplan uses cross-host-compatible path patterns.
+
## [0.12.9.0] - 2026-03-27 — Community PRs: Faster Install, Skill Namespacing, Uninstall
Six community PRs landed in one batch. Install is faster, skills no longer collide with other tools, and you can cleanly uninstall gstack when needed.
M VERSION => VERSION +1 -1
@@ 1,1 1,1 @@
-0.12.9.0
+0.12.10.0
M autoplan/SKILL.md => autoplan/SKILL.md +21 -3
@@ 502,6 502,18 @@ State what you examined and why nothing was flagged (1-2 sentences minimum).
---
+## Filesystem Boundary — Codex Prompts
+
+All prompts sent to Codex (via `codex exec` or `codex review`) MUST be prefixed with
+this boundary instruction:
+
+> IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.
+
+This prevents Codex from discovering gstack skill files on disk and following their
+instructions instead of reviewing the plan.
+
+---
+
## Phase 0: Intake + Restore Point
### Step 1: Capture restore point
@@ 590,7 602,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles.
**Codex CEO voice** (via Bash):
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
- codex exec "You are a CEO/founder advisor reviewing a development plan.
+ codex exec "IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. Stay focused on repository code only.
+
+ You are a CEO/founder advisor reviewing a development plan.
Challenge the strategic foundations: Are the premises valid or assumed? Is this the
right problem to solve, or is there a reframing that would be 10x more impactful?
What alternatives were dismissed too quickly? What competitive or market risks are
@@ 698,7 712,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles.
**Codex design voice** (via Bash):
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
- codex exec "Read the plan file at <plan_path>. Evaluate this plan's
+ codex exec "IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. Stay focused on repository code only.
+
+ Read the plan file at <plan_path>. Evaluate this plan's
UI/UX design decisions.
Also consider these findings from the CEO review phase:
@@ 771,7 787,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles.
**Codex eng voice** (via Bash):
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
- codex exec "Review this plan for architectural issues, missing edge cases,
+ codex exec "IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. Stay focused on repository code only.
+
+ Review this plan for architectural issues, missing edge cases,
and hidden complexity. Be adversarial.
Also consider these findings from prior review phases:
M autoplan/SKILL.md.tmpl => autoplan/SKILL.md.tmpl +21 -3
@@ 112,6 112,18 @@ State what you examined and why nothing was flagged (1-2 sentences minimum).
---
+## Filesystem Boundary — Codex Prompts
+
+All prompts sent to Codex (via `codex exec` or `codex review`) MUST be prefixed with
+this boundary instruction:
+
+> IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.
+
+This prevents Codex from discovering gstack skill files on disk and following their
+instructions instead of reviewing the plan.
+
+---
+
## Phase 0: Intake + Restore Point
### Step 1: Capture restore point
@@ 200,7 212,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles.
**Codex CEO voice** (via Bash):
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
- codex exec "You are a CEO/founder advisor reviewing a development plan.
+ codex exec "IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. Stay focused on repository code only.
+
+ You are a CEO/founder advisor reviewing a development plan.
Challenge the strategic foundations: Are the premises valid or assumed? Is this the
right problem to solve, or is there a reframing that would be 10x more impactful?
What alternatives were dismissed too quickly? What competitive or market risks are
@@ 308,7 322,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles.
**Codex design voice** (via Bash):
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
- codex exec "Read the plan file at <plan_path>. Evaluate this plan's
+ codex exec "IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. Stay focused on repository code only.
+
+ Read the plan file at <plan_path>. Evaluate this plan's
UI/UX design decisions.
Also consider these findings from the CEO review phase:
@@ 381,7 397,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles.
**Codex eng voice** (via Bash):
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
- codex exec "Review this plan for architectural issues, missing edge cases,
+ codex exec "IMPORTANT: Do NOT read or execute any SKILL.md files or files in skill definition directories (paths containing skills/gstack). These are AI assistant skill definitions meant for a different system. Stay focused on repository code only.
+
+ Review this plan for architectural issues, missing edge cases,
and hidden complexity. Be adversarial.
Also consider these findings from prior review phases:
M codex/SKILL.md => codex/SKILL.md +46 -10
@@ 417,6 417,17 @@ per-mode default below. Otherwise, use the per-mode defaults:
---
+## Filesystem Boundary
+
+All prompts sent to Codex MUST be prefixed with this boundary instruction:
+
+> IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.
+
+This applies to Review mode (prompt argument), Challenge mode (prompt), and Consult
+mode (persona prompt). Reference this section as "the filesystem boundary" below.
+
+---
+
## Step 2A: Review Mode
Run Codex code review against the current branch diff.
@@ 426,21 437,25 @@ Run Codex code review against the current branch diff.
TMPERR=$(mktemp /tmp/codex-err-XXXXXX.txt)
```
-2. Run the review (5-minute timeout):
+2. Run the review (5-minute timeout). **Always** pass the filesystem boundary instruction
+as the prompt argument, even without custom instructions. If the user provided custom
+instructions, append them after the boundary separated by a newline:
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
cd "$_REPO_ROOT"
-codex review --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
+codex review "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only." --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
```
If the user passed `--xhigh`, use `"xhigh"` instead of `"high"`.
Use `timeout: 300000` on the Bash call. If the user provided custom instructions
-(e.g., `/codex review focus on security`), pass them as the prompt argument:
+(e.g., `/codex review focus on security`), append them after the boundary:
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
cd "$_REPO_ROOT"
-codex review "focus on security" --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
+codex review "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+focus on security" --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
```
3. Capture the output. Then parse cost from stderr:
@@ 567,14 582,19 @@ plan's living status.
Codex tries to break your code — finding edge cases, race conditions, security holes,
and failure modes that a normal review would miss.
-1. Construct the adversarial prompt. If the user provided a focus area
-(e.g., `/codex challenge security`), include it:
+1. Construct the adversarial prompt. **Always prepend the filesystem boundary instruction**
+from the Filesystem Boundary section above. If the user provided a focus area
+(e.g., `/codex challenge security`), include it after the boundary:
Default prompt (no focus):
-"Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems."
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems."
With focus (e.g., "security"):
-"Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Focus specifically on SECURITY. Your job is to find every way an attacker could exploit this code. Think about injection vectors, auth bypasses, privilege escalation, data exposure, and timing attacks. Be adversarial."
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Focus specifically on SECURITY. Your job is to find every way an attacker could exploit this code. Think about injection vectors, auth bypasses, privilege escalation, data exposure, and timing attacks. Be adversarial."
2. Run codex exec with **JSONL output** to capture reasoning traces and tool calls (5-minute timeout):
@@ 666,8 686,14 @@ Also: scan the plan content for referenced source file paths (patterns like `src
`lib/bar.py`, paths containing `/` that exist in the repo). If found, list them in the
prompt so Codex reads them directly instead of discovering them via rg/find.
-Prepend the persona to the user's prompt:
-"You are a brutally honest technical reviewer. Review this plan for: logical gaps and
+**Always prepend the filesystem boundary instruction** from the Filesystem Boundary
+section above to every prompt sent to Codex, including plan reviews and free-form
+consult questions.
+
+Prepend the boundary and persona to the user's prompt:
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+You are a brutally honest technical reviewer. Review this plan for: logical gaps and
unstated assumptions, missing error handling or edge cases, overcomplexity (is there a
simpler approach?), feasibility risks (what could go wrong?), and missing dependencies
or sequencing issues. Be direct. Be terse. No compliments. Just the problems.
@@ 676,6 702,11 @@ Also review these source files referenced in the plan: <list of referenced files
THE PLAN:
<full plan content, embedded verbatim>"
+For non-plan consult prompts (user typed `/codex <question>`), still prepend the boundary:
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+<user's question>"
+
4. Run codex exec with **JSONL output** to capture reasoning traces (5-minute timeout):
If the user passed `--xhigh`, use `"xhigh"` instead of `"medium"`.
@@ 802,3 833,8 @@ If token count is not available, display: `Tokens: unknown`
- **5-minute timeout** on all Bash calls to codex (`timeout: 300000`).
- **No double-reviewing.** If the user already ran `/review`, Codex provides a second
independent opinion. Do not re-run Claude Code's own review.
+- **Detect skill-file rabbit holes.** After receiving Codex output, scan for signs
+ that Codex got distracted by skill files: `gstack-config`, `gstack-update-check`,
+ `SKILL.md`, or `skills/gstack`. If any of these appear in the output, append a
+ warning: "Codex appears to have read gstack skill files instead of reviewing your
+ code. Consider retrying."
M codex/SKILL.md.tmpl => codex/SKILL.md.tmpl +46 -10
@@ 77,6 77,17 @@ per-mode default below. Otherwise, use the per-mode defaults:
---
+## Filesystem Boundary
+
+All prompts sent to Codex MUST be prefixed with this boundary instruction:
+
+> IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.
+
+This applies to Review mode (prompt argument), Challenge mode (prompt), and Consult
+mode (persona prompt). Reference this section as "the filesystem boundary" below.
+
+---
+
## Step 2A: Review Mode
Run Codex code review against the current branch diff.
@@ 86,21 97,25 @@ Run Codex code review against the current branch diff.
TMPERR=$(mktemp /tmp/codex-err-XXXXXX.txt)
```
-2. Run the review (5-minute timeout):
+2. Run the review (5-minute timeout). **Always** pass the filesystem boundary instruction
+as the prompt argument, even without custom instructions. If the user provided custom
+instructions, append them after the boundary separated by a newline:
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
cd "$_REPO_ROOT"
-codex review --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
+codex review "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only." --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
```
If the user passed `--xhigh`, use `"xhigh"` instead of `"high"`.
Use `timeout: 300000` on the Bash call. If the user provided custom instructions
-(e.g., `/codex review focus on security`), pass them as the prompt argument:
+(e.g., `/codex review focus on security`), append them after the boundary:
```bash
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
cd "$_REPO_ROOT"
-codex review "focus on security" --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
+codex review "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+focus on security" --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
```
3. Capture the output. Then parse cost from stderr:
@@ 162,14 177,19 @@ rm -f "$TMPERR"
Codex tries to break your code — finding edge cases, race conditions, security holes,
and failure modes that a normal review would miss.
-1. Construct the adversarial prompt. If the user provided a focus area
-(e.g., `/codex challenge security`), include it:
+1. Construct the adversarial prompt. **Always prepend the filesystem boundary instruction**
+from the Filesystem Boundary section above. If the user provided a focus area
+(e.g., `/codex challenge security`), include it after the boundary:
Default prompt (no focus):
-"Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems."
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems."
With focus (e.g., "security"):
-"Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Focus specifically on SECURITY. Your job is to find every way an attacker could exploit this code. Think about injection vectors, auth bypasses, privilege escalation, data exposure, and timing attacks. Be adversarial."
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+Review the changes on this branch against the base branch. Run `git diff origin/<base>` to see the diff. Focus specifically on SECURITY. Your job is to find every way an attacker could exploit this code. Think about injection vectors, auth bypasses, privilege escalation, data exposure, and timing attacks. Be adversarial."
2. Run codex exec with **JSONL output** to capture reasoning traces and tool calls (5-minute timeout):
@@ 261,8 281,14 @@ Also: scan the plan content for referenced source file paths (patterns like `src
`lib/bar.py`, paths containing `/` that exist in the repo). If found, list them in the
prompt so Codex reads them directly instead of discovering them via rg/find.
-Prepend the persona to the user's prompt:
-"You are a brutally honest technical reviewer. Review this plan for: logical gaps and
+**Always prepend the filesystem boundary instruction** from the Filesystem Boundary
+section above to every prompt sent to Codex, including plan reviews and free-form
+consult questions.
+
+Prepend the boundary and persona to the user's prompt:
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+You are a brutally honest technical reviewer. Review this plan for: logical gaps and
unstated assumptions, missing error handling or edge cases, overcomplexity (is there a
simpler approach?), feasibility risks (what could go wrong?), and missing dependencies
or sequencing issues. Be direct. Be terse. No compliments. Just the problems.
@@ 271,6 297,11 @@ Also review these source files referenced in the plan: <list of referenced files
THE PLAN:
<full plan content, embedded verbatim>"
+For non-plan consult prompts (user typed `/codex <question>`), still prepend the boundary:
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. Stay focused on repository code only.
+
+<user's question>"
+
4. Run codex exec with **JSONL output** to capture reasoning traces (5-minute timeout):
If the user passed `--xhigh`, use `"xhigh"` instead of `"medium"`.
@@ 397,3 428,8 @@ If token count is not available, display: `Tokens: unknown`
- **5-minute timeout** on all Bash calls to codex (`timeout: 300000`).
- **No double-reviewing.** If the user already ran `/review`, Codex provides a second
independent opinion. Do not re-run Claude Code's own review.
+- **Detect skill-file rabbit holes.** After receiving Codex output, scan for signs
+ that Codex got distracted by skill files: `gstack-config`, `gstack-update-check`,
+ `SKILL.md`, or `skills/gstack`. If any of these appear in the output, append a
+ warning: "Codex appears to have read gstack skill files instead of reviewing your
+ code. Consider retrying."
M office-hours/SKILL.md => office-hours/SKILL.md +3 -1
@@ 704,7 704,9 @@ If B: skip Phase 3.5 entirely. Remember that the second opinion did NOT run (aff
CODEX_PROMPT_FILE=$(mktemp /tmp/gstack-codex-oh-XXXXXXXX.txt)
```
-Write the full prompt (context block + instructions) to this file. Use the mode-appropriate variant:
+Write the full prompt to this file. **Always start with the filesystem boundary:**
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\n\n"
+Then add the context block and mode-appropriate instructions:
**Startup mode instructions:** "You are an independent technical advisor reading a transcript of a startup brainstorming session. [CONTEXT BLOCK HERE]. Your job: 1) What is the STRONGEST version of what this person is trying to build? Steelman it in 2-3 sentences. 2) What is the ONE thing from their answers that reveals the most about what they should actually build? Quote it and explain why. 3) Name ONE agreed premise you think is wrong, and what evidence would prove you right. 4) If you had 48 hours and one engineer to build a prototype, what would you build? Be specific — tech stack, features, what you'd skip. Be direct. Be terse. No preamble."
M package.json => package.json +1 -1
@@ 1,6 1,6 @@
{
"name": "gstack",
- "version": "0.12.9.0",
+ "version": "0.12.10.0",
"description": "Garry's Stack — Claude Code skills + fast headless browser. One repo, one install, entire AI engineering workflow.",
"license": "MIT",
"type": "module",
M plan-ceo-review/SKILL.md => plan-ceo-review/SKILL.md +3 -2
@@ 1076,9 1076,10 @@ the user pointed this review at, or the branch diff scope). If a CEO plan docume
was written in Step 0D-POST, read that too — it contains the scope decisions and vision.
Construct this prompt (substitute the actual plan content — if plan content exceeds 30KB,
-truncate to the first 30KB and note "Plan truncated for size"):
+truncate to the first 30KB and note "Plan truncated for size"). **Always start with the
+filesystem boundary instruction:**
-"You are a brutally honest technical reviewer examining a development plan that has
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\n\nYou are a brutally honest technical reviewer examining a development plan that has
already been through a multi-section review. Your job is NOT to repeat that review.
Instead, find what it missed. Look for: logical gaps and unstated assumptions that
survived the review scrutiny, overcomplexity (is there a fundamentally simpler
M plan-eng-review/SKILL.md => plan-eng-review/SKILL.md +3 -2
@@ 734,9 734,10 @@ the user pointed this review at, or the branch diff scope). If a CEO plan docume
was written in Step 0D-POST, read that too — it contains the scope decisions and vision.
Construct this prompt (substitute the actual plan content — if plan content exceeds 30KB,
-truncate to the first 30KB and note "Plan truncated for size"):
+truncate to the first 30KB and note "Plan truncated for size"). **Always start with the
+filesystem boundary instruction:**
-"You are a brutally honest technical reviewer examining a development plan that has
+"IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\n\nYou are a brutally honest technical reviewer examining a development plan that has
already been through a multi-section review. Your job is NOT to repeat that review.
Instead, find what it missed. Look for: logical gaps and unstated assumptions that
survived the review scrutiny, overcomplexity (is there a fundamentally simpler
M review/SKILL.md => review/SKILL.md +2 -2
@@ 983,7 983,7 @@ Claude's structured review already ran. Now add a **cross-model adversarial chal
```bash
TMPERR_ADV=$(mktemp /tmp/codex-adv-XXXXXXXX)
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
-codex exec "Review the changes on this branch against the base branch. Run git diff origin/<base> to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems." -C "$_REPO_ROOT" -s read-only -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR_ADV"
+codex exec "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\n\nReview the changes on this branch against the base branch. Run git diff origin/<base> to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems." -C "$_REPO_ROOT" -s read-only -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR_ADV"
```
Set the Bash tool's `timeout` parameter to `300000` (5 minutes). Do NOT use the `timeout` shell command — it doesn't exist on macOS. After the command completes, read stderr:
@@ 1030,7 1030,7 @@ Claude's structured review already ran. Now run **all three remaining passes** f
TMPERR=$(mktemp /tmp/codex-review-XXXXXXXX)
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
cd "$_REPO_ROOT"
-codex review --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
+codex review "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\n\nReview the diff against the base branch." --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
```
Set the Bash tool's `timeout` parameter to `300000` (5 minutes). Do NOT use the `timeout` shell command — it doesn't exist on macOS. Present output under `CODEX SAYS (code review):` header.
M scripts/resolvers/review.ts => scripts/resolvers/review.ts +10 -5
@@ 1,5 1,7 @@
import type { TemplateContext } from './types';
+const CODEX_BOUNDARY = 'IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\\n\\n';
+
export function generateReviewDashboard(_ctx: TemplateContext): string {
return `## Review Readiness Dashboard
@@ 281,7 283,9 @@ If B: skip Phase 3.5 entirely. Remember that the second opinion did NOT run (aff
CODEX_PROMPT_FILE=$(mktemp /tmp/gstack-codex-oh-XXXXXXXX.txt)
\`\`\`
-Write the full prompt (context block + instructions) to this file. Use the mode-appropriate variant:
+Write the full prompt to this file. **Always start with the filesystem boundary:**
+"${CODEX_BOUNDARY}"
+Then add the context block and mode-appropriate instructions:
**Startup mode instructions:** "You are an independent technical advisor reading a transcript of a startup brainstorming session. [CONTEXT BLOCK HERE]. Your job: 1) What is the STRONGEST version of what this person is trying to build? Steelman it in 2-3 sentences. 2) What is the ONE thing from their answers that reveals the most about what they should actually build? Quote it and explain why. 3) Name ONE agreed premise you think is wrong, and what evidence would prove you right. 4) If you had 48 hours and one engineer to build a prototype, what would you build? Be specific — tech stack, features, what you'd skip. Be direct. Be terse. No preamble."
@@ 396,7 400,7 @@ Claude's structured review already ran. Now add a **cross-model adversarial chal
\`\`\`bash
TMPERR_ADV=$(mktemp /tmp/codex-adv-XXXXXXXX)
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
-codex exec "Review the changes on this branch against the base branch. Run git diff origin/<base> to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems." -C "$_REPO_ROOT" -s read-only -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR_ADV"
+codex exec "${CODEX_BOUNDARY}Review the changes on this branch against the base branch. Run git diff origin/<base> to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems." -C "$_REPO_ROOT" -s read-only -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR_ADV"
\`\`\`
Set the Bash tool's \`timeout\` parameter to \`300000\` (5 minutes). Do NOT use the \`timeout\` shell command — it doesn't exist on macOS. After the command completes, read stderr:
@@ 443,7 447,7 @@ Claude's structured review already ran. Now run **all three remaining passes** f
TMPERR=$(mktemp /tmp/codex-review-XXXXXXXX)
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
cd "$_REPO_ROOT"
-codex review --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
+codex review "${CODEX_BOUNDARY}Review the diff against the base branch." --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
\`\`\`
Set the Bash tool's \`timeout\` parameter to \`300000\` (5 minutes). Do NOT use the \`timeout\` shell command — it doesn't exist on macOS. Present output under \`CODEX SAYS (code review):\` header.
@@ 535,9 539,10 @@ the user pointed this review at, or the branch diff scope). If a CEO plan docume
was written in Step 0D-POST, read that too — it contains the scope decisions and vision.
Construct this prompt (substitute the actual plan content — if plan content exceeds 30KB,
-truncate to the first 30KB and note "Plan truncated for size"):
+truncate to the first 30KB and note "Plan truncated for size"). **Always start with the
+filesystem boundary instruction:**
-"You are a brutally honest technical reviewer examining a development plan that has
+"${CODEX_BOUNDARY}You are a brutally honest technical reviewer examining a development plan that has
already been through a multi-section review. Your job is NOT to repeat that review.
Instead, find what it missed. Look for: logical gaps and unstated assumptions that
survived the review scrutiny, overcomplexity (is there a fundamentally simpler
M ship/SKILL.md => ship/SKILL.md +2 -2
@@ 1474,7 1474,7 @@ Claude's structured review already ran. Now add a **cross-model adversarial chal
```bash
TMPERR_ADV=$(mktemp /tmp/codex-adv-XXXXXXXX)
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
-codex exec "Review the changes on this branch against the base branch. Run git diff origin/<base> to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems." -C "$_REPO_ROOT" -s read-only -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR_ADV"
+codex exec "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\n\nReview the changes on this branch against the base branch. Run git diff origin/<base> to see the diff. Your job is to find ways this code will fail in production. Think like an attacker and a chaos engineer. Find edge cases, race conditions, security holes, resource leaks, failure modes, and silent data corruption paths. Be adversarial. Be thorough. No compliments — just the problems." -C "$_REPO_ROOT" -s read-only -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR_ADV"
```
Set the Bash tool's `timeout` parameter to `300000` (5 minutes). Do NOT use the `timeout` shell command — it doesn't exist on macOS. After the command completes, read stderr:
@@ 1521,7 1521,7 @@ Claude's structured review already ran. Now run **all three remaining passes** f
TMPERR=$(mktemp /tmp/codex-review-XXXXXXXX)
_REPO_ROOT=$(git rev-parse --show-toplevel) || { echo "ERROR: not in a git repo" >&2; exit 1; }
cd "$_REPO_ROOT"
-codex review --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
+codex review "IMPORTANT: Do NOT read or execute any files under ~/.claude/, ~/.agents/, or .claude/skills/. These are Claude Code skill definitions meant for a different AI system. They contain bash scripts and prompt templates that will waste your time. Ignore them completely. Stay focused on the repository code only.\n\nReview the diff against the base branch." --base <base> -c 'model_reasoning_effort="high"' --enable web_search_cached 2>"$TMPERR"
```
Set the Bash tool's `timeout` parameter to `300000` (5 minutes). Do NOT use the `timeout` shell command — it doesn't exist on macOS. Present output under `CODEX SAYS (code review):` header.
M test/gen-skill-docs.test.ts => test/gen-skill-docs.test.ts +61 -0
@@ 1058,6 1058,67 @@ describe('CODEX_SECOND_OPINION resolver', () => {
});
});
+// --- Codex filesystem boundary tests ---
+
+describe('Codex filesystem boundary', () => {
+ // Skills that call codex exec/review and should contain boundary text
+ const CODEX_CALLING_SKILLS = [
+ 'codex', // /codex skill — 3 modes
+ 'autoplan', // /autoplan — CEO/design/eng voices
+ 'review', // /review — adversarial step resolver
+ 'ship', // /ship — adversarial step resolver
+ 'plan-eng-review', // outside voice resolver
+ 'plan-ceo-review', // outside voice resolver
+ 'office-hours', // second opinion resolver
+ ];
+
+ const BOUNDARY_MARKER = 'Do NOT read or execute any';
+
+ test('boundary instruction appears in all skills that call codex', () => {
+ for (const skill of CODEX_CALLING_SKILLS) {
+ const content = fs.readFileSync(path.join(ROOT, skill, 'SKILL.md'), 'utf-8');
+ expect(content).toContain(BOUNDARY_MARKER);
+ }
+ });
+
+ test('codex skill has Filesystem Boundary section', () => {
+ const content = fs.readFileSync(path.join(ROOT, 'codex', 'SKILL.md'), 'utf-8');
+ expect(content).toContain('## Filesystem Boundary');
+ expect(content).toContain('skill definitions meant for a different AI system');
+ });
+
+ test('codex skill has rabbit-hole detection rule', () => {
+ const content = fs.readFileSync(path.join(ROOT, 'codex', 'SKILL.md'), 'utf-8');
+ expect(content).toContain('Detect skill-file rabbit holes');
+ expect(content).toContain('gstack-update-check');
+ expect(content).toContain('Consider retrying');
+ });
+
+ test('review.ts CODEX_BOUNDARY constant is interpolated into resolver output', () => {
+ // The adversarial step resolver should include boundary text in codex exec prompts
+ const reviewContent = fs.readFileSync(path.join(ROOT, 'review', 'SKILL.md'), 'utf-8');
+ // Boundary should appear near codex exec invocations
+ const boundaryIdx = reviewContent.indexOf(BOUNDARY_MARKER);
+ const codexExecIdx = reviewContent.indexOf('codex exec');
+ // Both must exist and boundary must come before a codex exec call
+ expect(boundaryIdx).toBeGreaterThan(-1);
+ expect(codexExecIdx).toBeGreaterThan(-1);
+ });
+
+ test('autoplan boundary text avoids host-specific paths for cross-host compatibility', () => {
+ const content = fs.readFileSync(path.join(ROOT, 'autoplan', 'SKILL.md.tmpl'), 'utf-8');
+ // autoplan template uses generic 'skills/gstack' pattern instead of host-specific
+ // paths like ~/.claude/ or .agents/skills (which break Codex/Claude output tests)
+ const boundaryStart = content.indexOf('Filesystem Boundary');
+ const boundaryEnd = content.indexOf('---', boundaryStart + 1);
+ const boundarySection = content.slice(boundaryStart, boundaryEnd);
+ expect(boundarySection).not.toContain('~/.claude/');
+ expect(boundarySection).not.toContain('.agents/skills');
+ expect(boundarySection).toContain('skills/gstack');
+ expect(boundarySection).toContain(BOUNDARY_MARKER);
+ });
+});
+
// --- {{BENEFITS_FROM}} resolver tests ---
describe('BENEFITS_FROM resolver', () => {