Redesign Codex upstream Radar automation

.github/workflows/refresh-github-signals.yml → .github/workflows/refresh-release-delta.yml

@@ -1,11 +1,11 @@
-name: Refresh GitHub Signals
+name: Refresh Release Delta
 
 permissions:
   contents: write
 
 on:
   schedule:
-    - cron: "0 * * * *"
+    - cron: "17 * * * *"
   workflow_dispatch:
 
 concurrency:
@@ -14,9 +14,9 @@ concurrency:
 
 jobs:
   refresh:
-    name: Refresh GitHub-backed Decodex signals
+    name: Refresh Codex release checkpoints
     runs-on: ubuntu-latest
-    timeout-minutes: 45
+    timeout-minutes: 30
     env:
       GH_API_TOKEN: ${{ secrets.GITHUB_PAT_Y }}
     steps:
@@ -37,40 +37,18 @@ jobs:
         working-directory: site
         run: npm ci
 
-      - name: Install Codex CLI
-        run: npm install -g @openai/codex@0.116.0
-
-      - name: Prepare Codex auth.json
-        env:
-          CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_JSON }}
-        run: |
-          if [ -z "$CODEX_AUTH_JSON" ]; then
-            echo "CODEX_AUTH_JSON secret is not set." >&2
-            exit 1
-          fi
-
-          codex_home="$RUNNER_TEMP/codex-home"
-          mkdir -p "$codex_home"
-          printf '%s' "$CODEX_AUTH_JSON" > "$codex_home/auth.json"
-          chmod 600 "$codex_home/auth.json"
-          echo "CODEX_HOME=$codex_home" >> "$GITHUB_ENV"
-
-      - name: Verify Codex auth
-        run: codex login status
-
-      - name: Refresh GitHub signal artifacts
+      - name: Refresh release delta
         run: |
-          python3 scripts/github/sync_latest_signals.py \
+          python3 scripts/github/build_release_delta.py \
             --repo openai/codex \
+            --signals-dir site/src/content/signals \
+            --out site/src/content/release-deltas/openai-codex-latest.json \
             --token-env GH_API_TOKEN
 
       - name: Detect content changes
         id: changes
         run: |
           if [ -z "$(git status --porcelain -- \
-            artifacts/github/bundles \
-            artifacts/github/analysis \
-            site/src/content/signals \
             site/src/content/release-deltas/openai-codex-latest.json)" ]; then
             echo "changed=false" >> "$GITHUB_OUTPUT"
           else
@@ -81,15 +59,11 @@ jobs:
         if: steps.changes.outputs.changed == 'true'
         run: cargo make decodex-checks
 
-      - name: Commit refreshed GitHub artifacts
+      - name: Commit refreshed release delta
         if: steps.changes.outputs.changed == 'true'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add \
-            artifacts/github/bundles \
-            artifacts/github/analysis \
-            site/src/content/signals \
-            site/src/content/release-deltas/openai-codex-latest.json
-          git commit -m "chore(decodex): refresh github signals"
+          git add site/src/content/release-deltas/openai-codex-latest.json
+          git commit -m "chore(decodex): refresh release delta"
           git push origin HEAD:main

.github/workflows/refresh-upstream-radar.yml

@@ -0,0 +1,68 @@
+name: Refresh Upstream Radar
+
+permissions:
+  contents: write
+
+on:
+  schedule:
+    - cron: "0 */6 * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  refresh:
+    name: Refresh Codex upstream queue
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      GH_API_TOKEN: ${{ secrets.GITHUB_PAT_Y }}
+    steps:
+      - name: Fetch latest code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: site/package-lock.json
+
+      - name: Install site dependencies
+        working-directory: site
+        run: npm ci
+
+      - name: Refresh upstream review queue
+        run: |
+          python3 scripts/github/sync_upstream_radar.py \
+            --repo openai/codex \
+            --token-env GH_API_TOKEN \
+            --search-limit 40
+
+      - name: Detect content changes
+        id: changes
+        run: |
+          if [ -z "$(git status --porcelain -- \
+            artifacts/github/review-queue)" ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run repo-native validation
+        if: steps.changes.outputs.changed == 'true'
+        run: cargo make decodex-checks
+
+      - name: Commit refreshed GitHub artifacts
+        if: steps.changes.outputs.changed == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add artifacts/github/review-queue
+          git commit -m "chore(decodex): refresh upstream radar"
+          git push origin HEAD:main

Makefile.toml

@@ -61,6 +61,10 @@ dependencies = [
 workspace = false
 script = [
 	"python3 scripts/github/validate_change_bundle.py artifacts/github/bundles",
+	"python3 scripts/github/validate_upstream_review.py artifacts/github/review-queue",
+	"python3 scripts/github/validate_upstream_review.py artifacts/github/reviews",
+	"python3 scripts/github/test_social_post_contract.py",
+	"python3 scripts/github/validate_social_post.py artifacts/social/x",
 	"python3 scripts/github/validate_signal_entry.py site/src/content/signals",
 ]
 

README.md

@@ -2,7 +2,7 @@
 
 # Decodex
 
-Repo-native agent orchestration and public Codex signal publishing.
+Repo-native agent orchestration, upstream Codex radar, and public publishing.
 
 [![License](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
 [![Language Checks](https://github.com/hack-ink/decodex/actions/workflows/language.yml/badge.svg?branch=main)](https://github.com/hack-ink/decodex/actions/workflows/language.yml)
@@ -21,13 +21,14 @@ Repo-native agent orchestration and public Codex signal publishing.
 - Local operator listener with a dashboard at `/` and `/dashboard`, WebSocket
   snapshot/control traffic at `/dashboard/control`, Decodex App snapshot/account
   APIs under `/api/`, and `GET /livez` for liveness.
-- Static Astro site that publishes GitHub-backed Codex change signals.
-- Deterministic GitHub signal pipeline for change bundles, release deltas, rendered
-  signal entries, and content validation.
+- Static Astro site that publishes curated Decodex Radar and Publisher output.
+- Deterministic GitHub upstream Radar pipeline for review queues, change bundles,
+  release deltas, rendered signal entries, and content validation.
 - Repo-local Radar skills for upstream Codex triage, code analysis, release analysis,
-  signal drafting, and X post drafting.
-- Publisher workflow for checked-in upstream impact classification and reviewable X
-  drafts for `@decodexspace`.
+  signal drafting, and X publishing.
+- Publisher workflow for checked-in upstream reviews, impact classification, curated
+  public signals, and automated low-frequency X publication records for
+  `@decodexspace`.
 - Installable Decodex plugin with reusable agent-facing skills for planning,
   manual CLI, automation, commit, land, and labels.
 - Repository documentation split by question type into spec, runbook, reference, and
@@ -60,26 +61,29 @@ runtime.
 - `apps/decodex-app/` owns the native macOS app that manages Decodex
   Codex accounts through the bundled Rust app helper.
 - `site/` owns the Astro static site and checked-in public content.
-- `scripts/github/` owns deterministic GitHub bundle, release-delta, render, and
-  validation scripts.
-- `artifacts/github/` owns checked-in GitHub bundles and editorial analysis drafts.
+- `scripts/github/` owns deterministic upstream review queue, GitHub bundle,
+  release-delta, render, and validation scripts.
+- `artifacts/github/` owns checked-in review queues, upstream reviews, GitHub bundles,
+  impact records, and editorial analysis drafts.
 - `artifacts/archive/` owns checked-in recovery manifests for cold Radar batches stored
   as GitHub Release assets.
-- `artifacts/social/` owns checked-in Publisher social draft artifacts.
+- `artifacts/social/` owns checked-in Publisher publication records and generated-media
+  evidence.
 - `plugins/decodex/` owns the installable Decodex plugin and reusable agent-facing
   skills.
 - `dev/skills/` owns repository-development skills for Radar analysis and Publisher
-  drafting. They are not packaged with the installable Decodex plugin.
+  publishing. They are not packaged with the installable Decodex plugin.
 - `docs/` remains the authoritative documentation surface.
 
 Runtime authority stays in `apps/decodex/src/`, the registered project contracts under
 `~/.codex/decodex/projects/<service-id>/`, and the governing specs under `docs/spec/`.
 Public site authority stays in `site/`, `scripts/github/`, `artifacts/github/`, and
 the site/content specs.
 
-Historical Radar trace is local by default. `scripts/github/sync_latest_signals.py`
-writes `.decodex/radar.sqlite3` so every inspected upstream commit can be tracked
-without publishing every low-level or skipped item to the static site or Git history.
+Historical Radar trace is local by default. `scripts/github/sync_upstream_radar.py`
+writes `.decodex/radar.sqlite3` and refreshes `upstream_review_queue/v1` so every
+inspected upstream commit can be tracked before AI review decides whether it deserves
+Decodex follow-up, public content, or only ledger trace.
 
 ## Runtime platform support
 
@@ -187,28 +191,33 @@ The public site does not own:
 The static-site boundary is recorded in `docs/decisions/static-public-site.md`. GitHub
 Pages setup for `https://decodex.space` lives in `docs/runbook/github-pages-deploy.md`.
 
-## GitHub Signal Pipeline
+## Upstream Radar Pipeline
 
-The GitHub-first public signal path stays deterministic and reviewable:
+The upstream Codex Radar path starts deterministic and becomes editorial only after
+Codex automation reviews source evidence:
 
-- `scripts/github/build_change_bundle.py` builds normalized GitHub bundles under
-  `artifacts/github/bundles/`.
+- `scripts/github/sync_upstream_radar.py` records every observed recent upstream
+  commit, resolves PRs when possible, and refreshes
+  `artifacts/github/review-queue/openai-codex-latest.json`.
 - `dev/skills/README.md` routes the repo-local Radar and editorial instructions. They
   are not part of the installable Decodex plugin distribution.
-- `scripts/github/sync_latest_signals.py` discovers recent upstream commits, resolves
-  them back to PRs when possible, and refreshes content artifacts.
+- `scripts/github/build_change_bundle.py` builds normalized GitHub bundles under
+  `artifacts/github/bundles/` when a queued subject needs full source context.
 - `scripts/github/backfill_release_range.py` fills release-window gaps before a
   release or prerelease summary, but daily Radar still starts from the commit stream.
+- `docs/spec/upstream-review.md` records the queue and AI review boundary.
 - `docs/spec/upstream-impact.md` records how upstream Codex changes are classified for
   public signals and Control Plane follow-up work.
 - `scripts/github/render_signal_entry.py` renders reviewed analysis drafts into site
   content.
 - `scripts/github/validate_signal_entry.py` validates the published signal collection.
-- `docs/spec/social-post-draft.md` and
-  `docs/runbook/social-publishing-workflow.md` govern optional checked-in X drafts
-  before external publication.
-- `.github/workflows/refresh-github-signals.yml` refreshes GitHub-backed signals every
-  hour from a trusted runner.
+- `docs/spec/social-publishing.md` and
+  `docs/runbook/social-publishing-workflow.md` govern automated low-frequency X
+  publication for `@decodexspace`.
+- `.github/workflows/refresh-upstream-radar.yml` refreshes deterministic upstream
+  queue metadata every six hours.
+- `.github/workflows/refresh-release-delta.yml` refreshes release and prerelease
+  checkpoint metadata every hour.
 - `.github/workflows/deploy-pages.yml` publishes the Astro site to GitHub Pages on
   pushes to `main`.
 
@@ -276,7 +285,7 @@ The tracked workspace currently keeps:
   validation script surface
 - `artifacts/github/` as checked-in GitHub bundle and analysis artifacts
 - `plugins/decodex/` as the canonical installable Decodex plugin source
-- `dev/skills/` as repo-development Radar analysis and Publisher drafting skills that
+- `dev/skills/` as repo-development Radar analysis and Publisher publishing skills that
   are not packaged with the installable Decodex plugin
 - `docs/spec/` as the normative runtime, workflow, site, and content contract lane
 - `docs/runbook/` as the operator procedures, validation sequences, deployment steps,

artifacts/github/README.md

@@ -7,7 +7,7 @@ This directory stores checked-in GitHub signal pipeline artifacts.
 - `impact/` holds optional `upstream_impact/v1` classifications.
 
 `bundles/` and `analysis/` are hot raw artifact directories. Keep raw entries in Git for
-at most 28 days, then move cold batches to dedicated `radar-archive-*` GitHub Release
+at most 21 days, then move cold batches to dedicated `radar-archive-*` GitHub Release
 assets and keep the recovery manifest under `artifacts/archive/index/`.
 
 Executable automation for these artifacts lives under `scripts/github/`. Repo-local

artifacts/github/review-queue/.gitkeep

@@ -0,0 +1 @@
+