github Yeachan-Heo/oh-my-codex v0.5.1
v0.5.1 — Team hardening, worktree orchestration, security fixes & ralph CLI

3 months ago

oh-my-codex v0.5.1

This patch release delivers a major hardening wave across the team/claim lifecycle, four security fixes, native git worktree orchestration for team workers, the new omx ralph CLI subcommand, and dozens of targeted bug fixes accumulated since v0.5.0.


Highlights

omx ralph CLI Subcommand

Start a ralph persistence loop directly from your terminal:

omx ralph "implement the auth module"

No more manually invoking $ralph inside a running session — the CLI now handles it end-to-end (closes #153).

Native Worktree Orchestration for Team Mode

Team workers now launch in isolated git worktrees with canonical state-root metadata. Each worker operates in its own worktree, preventing file-level conflicts between parallel agents. The leader and all workers share a consistent view of team state via cross-worktree state resolution in MCP tools and the notify hook.

Security Hardening (4 CVEs mitigated)

  • Command injection in capturePaneContent (closes #156)
  • Command injection in notifier via exec string interpolation (closes #157)
  • Stale/reused PID risk in reply-listener (closes #158)
  • Path traversal in MCP state/team tool identifiers (closes #159)

Team/Claim Lifecycle — 15 fixes

The task claim protocol is now substantially hardened: ghost workers rejected, lease expiry enforced, terminal regressions blocked, duplicate events eliminated, and lifecycle field mutations gated behind claim tokens.


What's Changed

Added

  • Native worktree orchestration for team mode — Workers launch in git worktrees with canonical state-root metadata for true parallel isolation.
  • Cross-worktree team state resolution — MCP state tools and notify hook resolve team state across worktrees.
  • omx ralph CLI subcommand — omx ralph "<task>" starts ralph from the command line (closes #153).
  • Scoped ralph state with canonical persistence migration — Session-scoped state with automatic migration from legacy flat paths.
  • Claim-safe team transition MCP tool — team_transition_task applies transitions atomically with claim-token verification.
  • Clean tmux pane output before notifications — ANSI escapes and tmux artifacts stripped before sending.
  • Startup codebase map injection hook — Lightweight file-tree snapshot injected at session start (closes #136).

Changed

  • notify-hook.js refactored into layered sub-modules — Split into event routing, tmux integration, and notification dispatch modules (closes #177).
  • ralplan defaults to non-interactive mode — Pass --interactive to restore prompt-gated flow (closes #144).
  • Removed /research skill — Use $scientist or $external-context instead (closes #148).

Fixed

Security

  • Command injection in capturePaneContent → safe arg arrays (closes #156)
  • Command injection in notifier → execFile + args (closes #157)
  • Stale PID risk in reply-listener → process identity verification (closes #158)
  • Path traversal in MCP identifiers → input normalization (closes #159)
  • Untracked files excluded from codebase map to prevent leakage
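
The two command-injection fixes above (#156, #157) replace shell-string interpolation with argument arrays. The following is an added example, not code from oh-my-codex: the function names, the tmux flags chosen, and the "%<number>" pane-id check are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not from the oh-my-codex source.
const { execFileSync } = require('node:child_process');

// Pattern the release notes describe as vulnerable: the pane id is pasted into
// a string that a shell will parse, so metacharacters in it become syntax.
// Shown for contrast only; this string is never executed here.
function unsafeCaptureCommand(paneId, lines) {
  return `tmux capture-pane -t ${paneId} -p -S -${lines}`;
}

// Hardened form: one array element per argument, no shell involved.
// Assumption: pane ids have tmux's "%<number>" form; anything else is rejected.
function captureArgs(paneId, lines) {
  if (!/^%\d+$/.test(String(paneId))) {
    throw new TypeError(`invalid tmux pane id: ${JSON.stringify(paneId)}`);
  }
  if (!Number.isInteger(lines) || lines < 1 || lines > 10000) {
    throw new RangeError('lines must be an integer between 1 and 10000');
  }
  return ['capture-pane', '-t', paneId, '-p', '-S', `-${lines}`];
}

// execFile-style call: argv is handed to tmux directly (requires tmux installed).
function capturePane(paneId, lines = 200) {
  return execFileSync('tmux', captureArgs(paneId, lines), { encoding: 'utf8' });
}

// Shows that an argument array carries metacharacters as plain data: a child
// Node process writes back its single argument, and no shell ever parses it.
function echoViaExecFile(value) {
  const script = 'process.stdout.write(process.argv[1])';
  return execFileSync(process.execPath, ['-e', script, value], { encoding: 'utf8' });
}

// Constructed sample input containing a shell command separator.
const hostile = '%1; echo INJECTED';
console.log('shell string :', unsafeCaptureCommand(hostile, 50));
console.log('argv element :', JSON.stringify(echoViaExecFile(hostile)));
```

Validation and argument arrays are complementary: the array keeps the value out of shell parsing, and the format check keeps unexpected targets away from tmux itself.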

Team / Claim Lifecycle

  • Claim lease expiry enforced in transition/release flows (closes #176)
  • Duplicate task_completed events eliminated (closes #161)
  • claimTask returns task_not_found for missing tasks (closes #167)
  • Claims on completed/failed tasks rejected upfront (closes #160)
  • Ghost worker IDs rejected in claimTask (closes #179)
  • Terminal → non-terminal status regressions blocked
  • In-progress claim takeover prevented when expected_version omitted (closes #173)
  • releaseTaskClaim no longer reopens terminal tasks (closes #174)
  • task_failed emitted instead of worker_stopped on failure (closes #171)
  • team_update_task rejects lifecycle mutations without claim token (closes #172)
  • updateTask payload validation added (closes #163)
  • team_leader_nudge added to team_append_event schema enum (closes #175)
  • Canonical session names in getTeamTmuxSessions (closes #170)

Worktree / CLI

  • --worktree <name> space-separated form consumed correctly (closes #203)
  • Orphan --model flag dropped from worker argv (closes #162)
  • spawnSync sleep → Atomics.wait for reliability (closes #164)

Hooks / tmux

  • Copy-mode scroll and clipboard copy in xhigh/madmax sessions (closes #206)
  • Thin orchestrator restored in notify-hook.js (closes #205)

Dependencies

  • ajv pinned to >=8.18.0, hono to >=4.11.10 via npm overrides

Performance

  • listTasks file reads parallelized with Promise.all (closes #168)

Install / Upgrade

npm install -g oh-my-codex@0.5.1
omx setup   # re-run to update skills and AGENTS.md

Full diff: v0.5.0...v0.5.1
