release(v0.2.0): hook fail-open hardening + uninstall helper #11

Merged
saurabhjain1592 merged 3 commits into main from release/v0.2.0 on Apr 8, 2026
@saurabhjain1592
Member

Summary

Codex plugin v0.2.0 (dated 2026-04-09).

  • Fail-open hardening (issue #1545 Direction 3 in axonflow-enterprise)
  • New uninstall.sh cleanup helper for the cache-directory-leftover behavior
  • Version bump 0.1.0 → 0.2.0

Changes

scripts/pre-tool-check.sh

Explicit curl exit code check so timeouts / DNS / connection refused always fail-open. JSON-RPC error handling split by code:

| Code | Meaning | Decision |
|---|---|---|
| -32001 | Auth failure | block (operator fixable) |
| -32601 | Method not found | block (version mismatch) |
| -32602 | Invalid params | block (plugin bug) |
| -32603 | Internal error | allow (server fault) |
| -32700 | Parse error | allow (transient) |
| other | unknown | allow |

scripts/uninstall.sh

Codex CLI /plugins uninstall leaves the cache directory behind. Cleanup helper fixes that.

Related

  • axonflow-enterprise#1547 ships matching platform changes

#1545 Direction 3 — Hook fail-open audit

- scripts/pre-tool-check.sh now distinguishes curl exit code (network
  failure) from HTTP success with body (potentially an error response)
- Fail-closed (block, exit 2) only on operator-fixable JSON-RPC errors:
    -32001 auth failure
    -32601 method not found (plugin/agent version mismatch)
    -32602 invalid params (plugin bug)
- Fail-open (allow, exit 0) on everything else: timeouts, DNS failures,
  connection refused, TCP reset, HTTP 5xx, JSON-RPC -32603 internal
  errors, and JSON-RPC -32700 parse errors
- Rationale: transient governance infrastructure issues should never
  block legitimate dev workflows. Only operator-fixable broken
  configurations should fail closed.

Uninstall cleanup helper

- scripts/uninstall.sh cleans up the plugin cache directory that Codex
  CLI's built-in /plugins uninstall leaves behind (known CLI behavior,
  not a plugin bug — Codex treats local-source plugins as persistent
  on-disk sources). Supports --dry-run.
- Reports AxonFlow references in config.toml and hooks.json without
  modifying them (user-owned configuration).

Version bump .codex-plugin/plugin.json: 0.1.0 → 0.2.0
The pre-tool-check hook's auth-error stderr message changed from
'AxonFlow governance error:' to 'AxonFlow governance blocked:' as
part of the #1545 Direction 3 fail-open hardening (where only
operator-fixable errors block — the new message makes that
distinction clearer).
@saurabhjain1592 saurabhjain1592 merged commit 9e76b5c into main Apr 8, 2026
3 checks passed
@saurabhjain1592 saurabhjain1592 deleted the release/v0.2.0 branch April 10, 2026 11:51
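
The fail-open / fail-closed split described in this PR, sketched as a shell function. This is an added example, not the contents of scripts/pre-tool-check.sh: the function names, argument order, regex-based code extraction, block message wording and sample responses are all assumptions.

```shell
#!/bin/sh
# Added illustration of the PR's decision table; NOT scripts/pre-tool-check.sh.
# Function names, argument order and sample responses are hypothetical.

# Print the JSON-RPC error code found in a response body (nothing if absent).
# Assumption: a pattern match stands in for a real JSON parser.
rpc_error_code() {
  printf '%s' "$1" | tr -d '\n' | sed -n \
    's/.*"error"[[:space:]]*:[[:space:]]*{[^}]*"code"[[:space:]]*:[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p'
}

# $1 = curl exit code, $2 = HTTP status, $3 = response body.
# Returns 0 to fail open (allow) or 2 to fail closed (block).
hook_decision() {
  # Timeout, DNS failure, connection refused, TCP reset: curl exits non-zero.
  if [ "$1" -ne 0 ]; then return 0; fi
  # HTTP 5xx is a server fault, so allow.
  case "$2" in 5??) return 0 ;; esac
  rpc_code=$(rpc_error_code "$3")
  case "$rpc_code" in
    -32001|-32601|-32602)
      # Operator-fixable: auth failure, method not found, invalid params.
      echo "blocked: JSON-RPC error $rpc_code" >&2   # constructed wording
      return 2 ;;
    *)
      # -32603, -32700, unknown codes, or no error object in the body.
      # Evaluating a successful policy result is outside this sketch.
      return 0 ;;
  esac
}

# Constructed samples, one per line: curl_exit|http_status|body
while IFS='|' read -r ce hs body; do
  rc=0; hook_decision "$ce" "$hs" "$body" 2>/dev/null || rc=$?
  printf 'curl=%s http=%s -> exit %s\n' "$ce" "$hs" "$rc"
done <<'EOF'
28|000|
0|503|<html>Service Unavailable</html>
0|200|{"jsonrpc":"2.0","id":1,"error":{"code":-32001,"message":"unauthorized"}}
0|200|{"jsonrpc":"2.0","id":1,"error":{"code":-32700,"message":"parse error"}}
EOF
```

Checking the curl exit code before looking at the body is what keeps an empty or truncated response from being misread as an error that blocks.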