feat(codex): mirror Phase 1 hooks to ~/.codex via curated allowlist (ADR-182)

[notque]

Summary

Extend install.sh to mirror a curated allowlist of 6 Phase 1 hooks to ~/.codex/hooks/, generate ~/.codex/hooks.json from the allowlist, and set the codex_hooks feature flag in ~/.codex/config.toml. This gives Codex CLI sessions the same session-start injection and Bash-scanning governance that Claude Code sessions already have.

Implements ADR-182. The ADR (adr/182-codex-hooks-mirror.md, local only) was revised mid-implementation after an audit revealed the original draft Phase 1 list had misclassified 3 Edit/Write interceptors as safe. The corrected allowlist and the regression guard test catch this class of error automatically going forward.

Why a curated allowlist, not wholesale mirror

OpenAI Codex CLI v0.114.0 added experimental hook support with a schema nearly identical to Claude Code's, BUT openai/codex#16732 (still open as of April 2026) limits PreToolUse/PostToolUse hooks to fire only for the Bash tool. Tool calls through apply_patch, Write, Edit, MCP, and WebSearch do not trigger hooks.

A wholesale mirror of hooks/*.py would register every Edit/Write interceptor on Codex, where they would never fire. Silently-registered-but-never-invoked hooks are worse than missing hooks because users assume the hook is protecting them. The allowlist approach is explicit inclusion with a regression guard to prevent accidental Phase 2 promotion.

Phase 1 hooks (shipping now)

Event	Hook	Matcher
SessionStart	kairos-briefing-injector.py	startup|resume
SessionStart	operator-context-detector.py	startup|resume
SessionStart	team-config-loader.py	startup|resume
SessionStart	rules-distill-injector.py	startup|resume
Stop	session-learning-recorder.py	(none)
PostToolUse	posttool-bash-injection-scan.py	Bash

Phase 2 hooks (deliberately excluded)

Edit/Write interceptors: adr-enforcement.py, pretool-config-protection.py, creation-protocol-enforcer.py, posttool-rename-sweep.py, pretool-plan-gate.py, pretool-unified-gate.py, pretool-adr-creation-gate.py, reference-loading-enforcer.py, reference-loading-gate.py, plus three hooks the ADR draft misclassified (pretool-prompt-injection-scanner.py, suggest-compact.py, sql-injection-detector.py) which are actually PreToolUse/PostToolUse with Write|Edit matchers.

Phase 2 unblocks when openai/codex#16732 ships upstream.

What's in this PR

New files:

• scripts/codex-hooks-allowlist.txt (authoritative Phase 1 list with exclusion rationale as comments)
• scripts/generate-codex-hooks-json.py (allowlist to hooks.json generator, stdlib only)
• scripts/ensure-codex-feature-flag.py (TOML-aware config.toml merger with backup)

New tests (50 passing + 1 intentional skip):

• scripts/tests/test_generate_codex_hooks_json.py (16 tests: schema, CLI, determinism, event ordering, malformed input)
• scripts/tests/test_ensure_codex_feature_flag.py (21 tests: TOML merge, idempotency, codex_hooks=false error path, preservation of existing sections)
• scripts/tests/test_codex_hooks_allowlist.py (6 tests: regression guard against Phase 2 promotion. Scans hook source for Edit|Write|apply_patch matcher patterns; tests that Phase 2 hook filenames from the ADR are NOT in the allowlist)
• scripts/tests/test_codex_hooks_install.py (7 tests + 1 skip: end-to-end install.sh verification against a tempdir HOME; mirrors files, generates valid hooks.json, sets feature flag, preserves existing config sections, uninstall symmetry)

Modified:

• install.sh (+129 lines: CODEX_HOOKS_DIR variable, Syncing Codex hooks mirror block, uninstall cleanup, Codex version warning for <0.114.0)
• README.md (+24 lines: new ## Codex CLI Parity section explaining what mirrors, what does not, and the #16732 upstream blocker)

Test plan

• pytest scripts/tests/test_codex_hooks_*.py scripts/tests/test_generate_codex_hooks_json.py scripts/tests/test_ensure_codex_feature_flag.py -v (50 passed, 1 skipped in 43s)
• ruff check and ruff format --check on all new Python files (clean)
• bash -n install.sh (syntax OK)
• bash install.sh --dry-run --symlink (prints correct Codex hooks section, no side effects)
• Tempdir end-to-end: HOME=\$TMP bash install.sh --copy --force populates ~/.codex/hooks/ with all 6 Phase 1 files plus hooks/lib/, generates valid hooks.json with correct matchers, sets [features] codex_hooks = true in config.toml while preserving existing sections
• Tempdir uninstall: bash install.sh --uninstall removes ~/.codex/hooks/, archives hooks.json with timestamp, leaves config.toml feature flag untouched
• Regression guard test fails if any Phase 1 allowlisted hook contains Edit/Write matcher patterns
• Allowlist format test fails on duplicate entries, missing hooks, wrong regex

References

• ADR-182 (adr/182-codex-hooks-mirror.md, local only)
• Upstream hooks docs: https://developers.openai.com/codex/hooks
• Upstream blocker for Phase 2: ApplyPatchHandler doesn't emit PreToolUse/PostToolUse hook event. Hooks only fire for Bash tool. openai/codex#16732
• PreToolUse/PostToolUse request (shipped in v0.114.0): Add PreToolUse and PostToolUse hook events for code quality enforcement openai/codex#14754
• Prior art: feat(install): mirror toolkit agents to ~/.codex/agents #373 mirrored agents to ~/.codex/agents alongside the earlier skills mirror