[codex] Add ULW resume snapshots

[datell1357]

Summary

Adds repo-native ULW resume snapshots and surfaces safe snapshot handoff context from start-work-continuation.

• ulw-loop now writes bounded, redacted .omo/ulw-loop[/<session-id>]/snapshots/latest.md files after successful state mutations.
• Snapshot writes use temp-file/rename semantics and preserve the previous latest.md if refresh fails after a durable mutation.
• start-work-continuation reads only matching, relevant, safe snapshots and includes a bounded next-action block in the Stop hook directive.
• Unsafe, malformed, oversized, wrong-session, wrong-worktree, or prompt-injection-like snapshots are ignored and existing Boulder fallback behavior remains.
• Adds focused tests, fixture helpers, README updates, and changelog notes for both components.

Why

codex resume continues prior Codex conversation state, but a fresh session may not have the previous transcript. This adds a repo-native task-state handoff so a new session can resume from ULW goal/criteria/evidence state without storing raw transcripts or secrets.

Security and data minimization

• Snapshots are bounded and redact auth headers, cookies, API keys, token families, URL credentials, transcript blocks, and instruction-injection text.
• The start-work reader rejects unredacted secrets and model-facing Next Action text, including quote/backtick-wrapped role markers and override/tool-call bait.
• The hook only renders a minimal snapshot path + next action summary when the snapshot is relevant and safe.

Validation

From plugins/omo:

npm test --workspace @code-yeongyu/codex-start-work-continuation -- test/ulw-snapshot-reader.test.ts test/codex-hook.test.ts
# 2 files passed, 52 tests passed

npm test --workspace @code-yeongyu/codex-ulw-loop -- test/snapshot.test.ts test/snapshot-git.test.ts test/snapshot-redaction.test.ts test/cli-snapshot-refresh.test.ts test/cli-snapshot-preservation.test.ts test/paths.test.ts test/evidence.test.ts test/plan-crud.test.ts test/review-blockers.test.ts test/cli-create-goals.test.ts
# 10 files passed, 79 tests passed

npm run typecheck --workspace @code-yeongyu/codex-start-work-continuation
npm run typecheck --workspace @code-yeongyu/codex-ulw-loop
npm run lint --workspace @code-yeongyu/codex-start-work-continuation
npm run lint --workspace @code-yeongyu/codex-ulw-loop

Additional verification completed locally:

• Final Verification F1-F5 approved.
• 5-lane review-work gate passed after prompt-injection fixes.
• Debugging gate passed with built CLI Stop-hook matrix and temp-repo mutation rehearsal.
• Built Stop hook rendered safe snapshots and omitted quoted role-marker, backtick system override, tool/function/execute-command, and CANARY bait.
• Built ULW temp-repo mutation persisted state, emitted snapshot warning, and preserved previous latest.md on simulated snapshot refresh failure.

Known pre-existing issue

The full @code-yeongyu/codex-ulw-loop suite is still red on main due to unrelated quality-gate fixture failures. I filed this separately as:

• ulw-loop quality-gate tests fail on main due to missing manualQa artifact fixture path #93

The failure was observed on baseline d4c4f05 before this change and is isolated to quality-gate-doc.test.ts / quality-gate.test.ts with:

UlwLoopError: manualQa.artifactRefs[0].path must point to an existing artifact.

This PR's focused/touched snapshot and start-work tests pass.

---

Summary by cubic

Adds repo-native ULW resume snapshots and surfaces a safe next-action handoff in the Start-work Stop hook so new Codex turns can resume without prior transcripts. This keeps handoff minimal, redacted, and bounded.

• New Features

  • @code-yeongyu/codex-ulw-loop: Writes redacted, size-bounded snapshots at .omo/ulw-loop[/<session-id>]/snapshots/latest.md after successful mutations using temp-file+rename, preserving the previous snapshot on refresh failure.
  • @code-yeongyu/codex-ulw-loop: Snapshots summarize goal status, criteria counts, pending items, short evidence excerpts, changed files (git porcelain), and one next action; secrets and injection text are stripped.
  • @code-yeongyu/codex-start-work-continuation: Reads only matching, in-workspace snapshots and injects a minimal block with snapshot path and next action into the Stop-hook directive; ignores malformed, oversized, mismatched, or unsafe snapshots and falls back to Boulder-only context.
  • Docs and focused tests added for both components.

• Migration

  • No changes required; snapshots are written on successful ulw-loop commands and the Stop hook consumes them automatically when safe.
  • For session-scoped handoffs, set --session-id or OMO_ULW_LOOP_SESSION_ID to match the Codex session id; this complements codex resume and does not replace it.

^{Written for commit 0fd751e. Summary will update on new commits.}

[github-actions]

Thanks for the PR! Changes to LazyCodex land through oh-my-openagent — could you open this against omo-codex over there instead? PRs in this repository can't be merged.

This PR was closed because it changes source-code paths in this repository:

plugins/omo/components/start-work-continuation/CHANGELOG.md
plugins/omo/components/start-work-continuation/README.md
plugins/omo/components/start-work-continuation/directive.md
plugins/omo/components/start-work-continuation/src/codex-hook.ts
plugins/omo/components/start-work-continuation/src/ulw-snapshot-reader.ts
plugins/omo/components/start-work-continuation/test/codex-hook.test.ts
plugins/omo/components/start-work-continuation/test/fixtures/hook-test-utils.ts
plugins/omo/components/start-work-continuation/test/fixtures/ulw-snapshot.ts
plugins/omo/components/start-work-continuation/test/ulw-snapshot-reader.test.ts
plugins/omo/components/ulw-loop/CHANGELOG.md
plugins/omo/components/ulw-loop/README.md
plugins/omo/components/ulw-loop/src/checkpoint.ts
plugins/omo/components/ulw-loop/src/constants.ts
plugins/omo/components/ulw-loop/src/evidence.ts
plugins/omo/components/ulw-loop/src/paths.ts
plugins/omo/components/ulw-loop/src/plan-crud.ts
plugins/omo/components/ulw-loop/src/review-blockers.ts
plugins/omo/components/ulw-loop/src/snapshot-redaction.ts
plugins/omo/components/ulw-loop/src/snapshot-renderer.ts
plugins/omo/components/ulw-loop/src/snapshot-types.ts
plugins/omo/components/ulw-loop/src/snapshot.ts
plugins/omo/components/ulw-loop/src/steering.ts
plugins/omo/components/ulw-loop/test/cli-create-goals.test.ts
plugins/omo/components/ulw-loop/test/cli-snapshot-preservation.test.ts
plugins/omo/components/ulw-loop/test/cli-snapshot-refresh.test.ts
plugins/omo/components/ulw-loop/test/evidence.test.ts
plugins/omo/components/ulw-loop/test/paths.test.ts
plugins/omo/components/ulw-loop/test/plan-crud.test.ts
plugins/omo/components/ulw-loop/test/review-blockers.test.ts
plugins/omo/components/ulw-loop/test/snapshot-git.test.ts
plugins/omo/components/ulw-loop/test/snapshot-redaction.test.ts
plugins/omo/components/ulw-loop/test/snapshot.test.ts

If you're working with a coding agent, prompt it like this:

I opened #94 ("[codex] Add ULW resume snapshots") against code-yeongyu/lazycodex, but changes there land through code-yeongyu/oh-my-openagent, where the Codex implementation lives under packages/omo-codex. Read my original PR, then open an equivalent PR against code-yeongyu/oh-my-openagent. In the new PR body, link the original PR (#94), explain that it was first opened against lazycodex, and describe in detail what that PR changed and why.

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
-	-	Generic High Entropy Secret	0fd751e	plugins/omo/components/ulw-loop/test/snapshot-redaction.test.ts	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}