review: drip-182 batch 1 — anomalyco/opencode#24984, openai/codex#20243+20240

- anomalyco/opencode#24984 fix(core): reconnect editor context for session directory (merge-after-nits)
- openai/codex#20243 Add codex-core public API listing (merge-as-is)
- openai/codex#20240 [linux sandbox] Isolate IPC namespace in bubblewrap (merge-as-is)

Author: Bojun-Vvibe

reviews/2026-W18/drip-182/openai-codex-pr-20240.md

@@ -0,0 +1,55 @@
+---
+pr: openai/codex#20240
+sha: 0ea76144e4e81125d5d0a54d17ed0e4f52acd50b
+verdict: merge-as-is
+reviewed_at: 2026-04-29T18:31:00Z
+---
+
+# [linux sandbox] Isolate IPC namespace in bubblewrap
+
+## Context
+
+The Linux bubblewrap sandbox (`codex-rs/linux-sandbox/src/bwrap.rs`) was
+already passing `--unshare-user` and `--unshare-pid`, but it left the
+host IPC namespace shared. That meant a sandboxed command could
+`shmget`/`shmat` into a host-side System V shared memory segment owned
+by the same uid — an unmediated host communication channel that bypasses
+the filesystem and network controls bubblewrap is supposed to provide.
+Linear ticket BUGB-16097, Bugcrowd `6e34212b-…`.
+
+## What's good
+
+- The fix is the smallest possible: one extra `"--unshare-ipc".to_string()`
+  pushed into both `create_bwrap_flags_full_filesystem` (line 158) and
+  `create_bwrap_flags` (line 202). No new conditional, no new option flag,
+  no opt-out. That's the right call — there's no legitimate reason a
+  sandboxed agent command needs to attach to host SysV IPC, and adding
+  a knob would just create a footgun.
+- The regression test in `codex-rs/linux-sandbox/tests/suite/landlock.rs`
+  is doing the right thing: `HostSysvSharedMemory::new(secret)` allocates
+  a real `IPC_PRIVATE` segment in the test process, then runs a
+  re-exec'd helper (`sysv_ipc_probe_helper`) inside the sandbox that
+  attempts `libc::shmat(shmid, …)`. The helper `panic!`s if the
+  attach succeeds and reads the secret back — so the test fails loudly
+  if the namespace isolation regresses. Drop impl on `HostSysvSharedMemory`
+  uses `IPC_RMID` to clean up even on test failure. Solid.
+- The `bwrap_preserves_writable_dev_shm_bind_mount` test (already in
+  the suite, line 291) covers the inverse concern: that `--unshare-ipc`
+  doesn't break `/dev/shm` workflows that depend on POSIX shm bind-mounts.
+  The author kept that test green, which is the only non-obvious risk
+  of this change.
+- The `linux_run_main_tests.rs` argv-ordering test was updated in lockstep
+  (line 79) so the argv-builder unit test continues to assert exact flag
+  order. No drift.
+
+## Concerns / nits
+
+- README update is one sentence (`--unshare-ipc`); could mention that
+  POSIX shm via `/dev/shm` bind-mount is unaffected, since that's the
+  most likely "is this going to break my workflow?" question.
+
+## Verdict
+
+`merge-as-is` — security fix, smallest possible diff, regression test
+proves the boundary is closed and the `/dev/shm` carve-out still works.
+This should land.

reviews/2026-W18/drip-182/openai-codex-pr-20243.md

@@ -0,0 +1,51 @@
+---
+pr: openai/codex#20243
+sha: b86e0dcad5ab419daa8c9c65c5d4dc15f16799a0
+verdict: merge-as-is
+reviewed_at: 2026-04-29T18:31:00Z
+---
+
+# Add codex-core public API listing
+
+## Context
+
+Adds a checked-in `codex-rs/core/public-api.txt` (934 lines of `pub use …`,
+`pub fn …` declarations) generated by `cargo-public-api` plus a CI gate
+(`scripts/regen-public-api.sh --check`) that fails if the actual surface
+drifts from the snapshot. Pinned to `nightly-2025-09-18` via
+`CODEX_PUBLIC_API_TOOLCHAIN`. Two workflow files updated: `rust-ci.yml`
+(PR-scoped, with a `changed.outputs.public_api` filter so unrelated PRs
+skip it) and `rust-ci-full.yml` (always-on).
+
+## What's good
+
+- The change-detection filter in `rust-ci.yml` is the right call:
+  `[[ $f == codex-rs/* || $f == scripts/regen-public-api.sh || $f == justfile ]] && public_api=true`.
+  PRs that touch only docs or `tools/` won't pay the nightly toolchain
+  install cost. The aggregate `if [[ … != 'true' && … != 'true' && … != 'true' && … != 'true' ]]; then echo 'No relevant changes'; exit 0; fi`
+  block is updated symmetrically — easy to miss, but it's there.
+- Toolchain pinning via env var (`CODEX_PUBLIC_API_TOOLCHAIN=nightly-2025-09-18`)
+  rather than baked into the script lets local devs override it without
+  editing the script. Good ergonomics.
+- The aggregator job's status echo (`echo "pubapi : ${{ needs.public_api.result }}"`)
+  and the explicit `[[ … == 'success' ]] || { echo 'public_api failed'; exit 1; }`
+  guard mean a green aggregator can't hide a yellow `public_api` job. Both
+  workflows updated identically.
+
+## Concerns / nits
+
+- The 934-line `public-api.txt` is going to generate noisy review diffs
+  on legitimate API changes. Consider documenting in the script that
+  PRs adding `pub` items should commit the regenerated file in the same
+  PR (the `--check` mode will tell them, but a `CONTRIBUTING.md` note
+  would shorten the loop).
+- Nightly toolchain pinning is unavoidable for `cargo-public-api`, but
+  the version number is now duplicated in two workflow files and the
+  script's env default. A small risk of drift; consider sourcing it from
+  one place (e.g. `rust-toolchain` file or a workflow-shared env).
+
+## Verdict
+
+`merge-as-is` — the workflow plumbing is correct, the aggregator logic
+is symmetric, and the change-detection filter prevents unnecessary
+nightly installs. The maintenance overhead concerns are follow-ups.

reviews/2026-W18/drip-182/sst-opencode-pr-24984.md

@@ -0,0 +1,59 @@
+---
+pr: sst/opencode#24984
+sha: 62b7694465283e95adb556b60acbd6ac004dcf23
+verdict: merge-after-nits
+reviewed_at: 2026-04-29T18:31:00Z
+---
+
+# fix(core): reconnect editor context for session directory
+
+## Context
+
+Before this PR, `EditorContextProvider` in `packages/opencode/src/cli/cmd/tui/context/editor.ts` resolved
+the editor lock file once at process startup using `process.cwd()`. After a
+session switch, opencode kept talking to whatever editor server was attached
+when the binary first started — wrong file tree, wrong selection ranges, sometimes
+a dead socket. The author moves the connection state out of `onMount` into
+provider-scoped `let` bindings and adds an explicit `directory` variable so
+the provider can re-resolve `resolveEditorConnection(directory)` whenever
+the active session changes.
+
+## What's good
+
+- The lift from `onMount` closure to provider-scope (`let socket`,
+  `let directory = process.cwd()`, etc.) is the right shape — re-mounting
+  was never the trigger; *session change* is. The reconnect call site
+  ends up colocated with `setStore("server", …)`, which is the only place
+  state actually needs to be invalidated.
+- `WebSocketImpl` injection (`init: (props: { WebSocketImpl?: typeof WebSocket })`)
+  is the testability hook the existing test suite needed — the new
+  `editor-context.test.tsx` (referenced in the PR body) can stub the socket
+  without monkey-patching the global. Good restraint: it falls back to the
+  real `WebSocket` at the call site rather than at module load.
+- Same-directory short-circuit (avoid socket churn when nothing changed)
+  is mentioned in the PR body and is the right safety: editor servers
+  often have warm-up costs, and an unconditional reconnect on every
+  session activation would be a regression.
+
+## Concerns / nits
+
+1. The `socket.readyState !== 1` literal in the new `send()` replaces
+   `WebSocket.OPEN`. That works but loses self-documentation and risks
+   diverging if `WebSocketImpl` is a polyfill that uses a different enum.
+   Prefer `WebSocketImpl.OPEN` (or pull it onto a local `const OPEN = WebSocketImpl.OPEN`).
+2. `lastSubmittedEditorSelectionKey` in `prompt/index.tsx` is a closure-scoped
+   `let` inside `Prompt(props)`. If `<Prompt>` ever remounts (route change,
+   keyed re-render), the dedupe state resets and the same selection will be
+   re-submitted as a fresh part. Worth a comment or a `createSignal` so
+   intent is explicit.
+3. The PR drops `editor.clearSelection()` after submit and replaces it with
+   the dedupe-key assignment. That changes semantics: the editor selection
+   stays "live" across submits. Confirm with the design owner that this is
+   intentional — for users who want each prompt to start clean, this is a
+   subtle UX shift.
+
+## Verdict
+
+`merge-after-nits` — fix the `WebSocket.OPEN` literal, add a one-line
+comment explaining the `lastSubmittedEditorSelectionKey` lifecycle, and
+double-check the `clearSelection` removal is intentional.