Codebase Argus: a read-only Codex CLI review boundary on a real PR #33807
AaronZ345
started this conversation in
Show and tell
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
I have been building Codebase Argus, a read-only review desk that gives deterministic checks and coding agents the same pull request evidence.
The Codex CLI boundary turned out to be the interesting part. A long review packet could inherit local user configuration, repository rules, and plugin context, then finish without a usable structured result. The adapter now runs
codex execwith a read-only sandbox plus--ephemeral,--ignore-user-config,--ignore-rules, and--color never. The goal is to make the supplied evidence packet the complete review context while preventing repository changes.I tested that path on CowAgent #2965. The deterministic and Codex passes both rated it low risk; Codex also preserved one specific integration-test boundary rather than inventing a blocker. The command and result are reproducible from the case study.
There is also a GitHub Action for the deterministic path. It writes to the job summary and does not post comments or modify the pull request.
I am curious how other Codex CLI users draw this boundary: should an automated reviewer always ignore ambient user and repository instructions when the caller already supplies a complete evidence packet, or should selected project rules be passed through explicitly?
Beta Was this translation helpful? Give feedback.
All reactions