Support Codex comment checker hooks

[code-yeongyu]

Summary

• Add Codex comment-checker PostToolUse hook support.
• Bump bundled comment-checker dependency to 0.7.1.
• Harden malformed hook input and bundled checker binary resolution.

Improvement table

Area	Baseline before this PR	Final pinned behavior	Delta / proof
Codex edit coverage	Codex write/edit/multi_edit/apply_patch events were not all supported.	write, edit, multi_edit/multiedit, and apply_patch payloads map to checker requests.	Behavior pinned in test/codex-hook.test.ts.
Malformed hook input	Bad JSON or wrong-shape PostToolUse input could be noisy.	Malformed and invalid hook stdin no-op with exit 0 and no stderr.	Bad-input behavior pinned in test/codex-hook.test.ts and manual CLI smoke.
Checker output resource bound	Child-process output could grow without a plugin-level cap.	MAX_PROCESS_OUTPUT_BYTES = 64 KiB; noisy stderr is truncated with marker.	Resource cap pinned in test/runner.test.ts.
Optional checker dependency	Missing native checker could break hook use.	Missing checker resolves to a missing result and emits no hook output.	Missing binary path pinned in test/runner.test.ts.

Verification

• npm test
• npm run check
• npm pack --dry-run
• no-excuse TypeScript gate
• installed CLI smoke: usage, bad JSON, valid PostToolUse

Review

• Local verification completed for Codex plugin behavior.
• Cubic review passed before merge.

[cubic-dev-ai]

3 issues found across 27 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/core.ts">

<violation number="1" location="src/core.ts:130">
P2: `extractEditRequest` should require both `old_string` and `new_string`; current logic accepts malformed one-sided edits and forwards invalid checker input.</violation>
</file>

<file name="test/runner.test.ts">

<violation number="1" location="test/runner.test.ts:38">
P3: Don't assert `vendor` in the resolved binary path; the resolver also has a valid non-vendor fallback path.</violation>
</file>

<file name="src/codex-hook.ts">

<violation number="1" location="src/codex-hook.ts:50">
P2: `transcript_path` is forwarded without a runtime type check, but the input guard does not validate that field. Malformed payloads can pass and propagate a non-string transcript path.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Re-trigger cubic}

[code-yeongyu]

Status update: CI matrix, GitGuardian, and Cubic are all green for head 3f1348f. The earlier Cubic findings were fixed, but the PR remains REVIEW_REQUIRED / BLOCKED by base branch policy, and repository auto-merge is disabled. Please review and merge through the protected-branch flow; no admin bypass was used.

[code-yeongyu]

Status update: CI matrix, GitGuardian, and Cubic are green for head 3f1348f. The earlier Cubic findings were fixed, but this remains REVIEW_REQUIRED / BLOCKED by base branch policy, and repository auto-merge is disabled. Please review and merge through the protected-branch flow. No admin bypass was used.