fix: tighten codex cli sync detection

Author: KSemenenko

.github/workflows/codex-cli-watch.yml

@@ -32,16 +32,76 @@ jobs:
           set -euo pipefail
 
           SUBMODULE_PATH="submodules/openai-codex"
-          SURFACE_PATHS=(
-            "codex-rs"
-            "docs"
-            "README.md"
-            "CHANGELOG.md"
-            "Cargo.toml"
-            "Cargo.lock"
-            "package.json"
+          MODELS_FILE="codex-rs/core/models.json"
+          CONFIG_SCHEMA_FILE="codex-rs/core/config.schema.json"
+          FLAG_SOURCE_PATHS=(
+            "codex-rs/cli/src/main.rs"
+            "codex-rs/exec/src/cli.rs"
+            "codex-rs/exec/src/main.rs"
           )
 
+          read_file_at_sha() {
+            local sha="$1"
+            local path="$2"
+            git -C "$SUBMODULE_PATH" show "$sha:$path" 2>/dev/null || true
+          }
+
+          extract_flag_snapshot() {
+            local sha="$1"
+            local path
+
+            for path in "${FLAG_SOURCE_PATHS[@]}"; do
+              read_file_at_sha "$sha" "$path"
+            done | grep -Eo -- '--[a-z0-9][a-z0-9-]*' | sort -u || true
+          }
+
+          extract_model_snapshot() {
+            local sha="$1"
+            read_file_at_sha "$sha" "$MODELS_FILE" \
+              | jq -r '.models[]? | (.id // .slug // empty)' \
+              | sed '/^$/d' \
+              | sort -u || true
+          }
+
+          extract_feature_snapshot() {
+            local sha="$1"
+            read_file_at_sha "$sha" "$CONFIG_SCHEMA_FILE" \
+              | jq -r '.properties.features.properties? | keys[]?' \
+              | sed '/^$/d' \
+              | sort -u || true
+          }
+
+          format_snapshot_changes() {
+            local before_file="$1"
+            local after_file="$2"
+            local empty_message="$3"
+
+            local added
+            local removed
+            local formatted=""
+
+            added="$(comm -13 "$before_file" "$after_file" | sed 's/^/- added `/' | sed 's/$/`/' || true)"
+            removed="$(comm -23 "$before_file" "$after_file" | sed 's/^/- removed `/' | sed 's/$/`/' || true)"
+
+            if [ -n "$added" ]; then
+              formatted="$added"
+            fi
+
+            if [ -n "$removed" ]; then
+              if [ -n "$formatted" ]; then
+                formatted="$formatted"$'\n'"$removed"
+              else
+                formatted="$removed"
+              fi
+            fi
+
+            if [ -z "$formatted" ]; then
+              formatted="$empty_message"
+            fi
+
+            printf '%s\n' "$formatted"
+          }
+
           if [ ! -d "$SUBMODULE_PATH/.git" ] && [ ! -f "$SUBMODULE_PATH/.git" ]; then
             echo "Submodule not initialized: $SUBMODULE_PATH"
             echo "has_update=false" >> "$GITHUB_OUTPUT"
@@ -85,29 +145,30 @@ jobs:
             commits='- No commit summary available.'
           fi
 
-          surface_diff="$(git -C "$SUBMODULE_PATH" diff --unified=0 "$current_sha" "$latest_sha" -- "${SURFACE_PATHS[@]}" || true)"
+          tmp_dir="$(mktemp -d)"
+          trap 'rm -rf "$tmp_dir"' EXIT
 
-          changed_flags="$(printf '%s\n' "$surface_diff" | grep -Eo -- '--[a-z0-9][a-z0-9-]*' | sort -u | head -n 200 || true)"
-          changed_models="$(printf '%s\n' "$surface_diff" | grep -Eo -- 'gpt-[0-9][a-z0-9.-]*' | sort -u | head -n 200 || true)"
-          changed_features="$(printf '%s\n' "$surface_diff" | grep -Eo -- 'features\.[a-zA-Z0-9_.-]+' | sed 's/^features\.//' | sort -u | head -n 200 || true)"
+          extract_flag_snapshot "$current_sha" > "$tmp_dir/flags-before.txt"
+          extract_flag_snapshot "$latest_sha" > "$tmp_dir/flags-after.txt"
+          extract_model_snapshot "$current_sha" > "$tmp_dir/models-before.txt"
+          extract_model_snapshot "$latest_sha" > "$tmp_dir/models-after.txt"
+          extract_feature_snapshot "$current_sha" > "$tmp_dir/features-before.txt"
+          extract_feature_snapshot "$latest_sha" > "$tmp_dir/features-after.txt"
 
-          if [ -z "$changed_flags" ]; then
-            changed_flags='- (no CLI flag tokens detected from diff)'
-          else
-            changed_flags="$(printf '%s\n' "$changed_flags" | sed 's/^/- `/' | sed 's/$/`/')"
-          fi
+          changed_flags="$(format_snapshot_changes \
+            "$tmp_dir/flags-before.txt" \
+            "$tmp_dir/flags-after.txt" \
+            "- (no CLI flag surface change detected from CLI sources)")"
 
-          if [ -z "$changed_models" ]; then
-            changed_models='- (no model tokens detected from diff)'
-          else
-            changed_models="$(printf '%s\n' "$changed_models" | sed 's/^/- `/' | sed 's/$/`/')"
-          fi
+          changed_models="$(format_snapshot_changes \
+            "$tmp_dir/models-before.txt" \
+            "$tmp_dir/models-after.txt" \
+            "- (no model catalog change detected from models.json)")"
 
-          if [ -z "$changed_features" ]; then
-            changed_features='- (no feature tokens detected from diff)'
-          else
-            changed_features="$(printf '%s\n' "$changed_features" | sed 's/^/- `/' | sed 's/$/`/')"
-          fi
+          changed_features="$(format_snapshot_changes \
+            "$tmp_dir/features-before.txt" \
+            "$tmp_dir/features-after.txt" \
+            "- (no feature flag surface change detected from config schema)")"
 
           {
             echo "cli_changed_files<<EOF"
@@ -214,13 +275,13 @@ jobs:
               '## Changed files (CLI-relevant)',
               changedFiles || '- (No file list available)',
               '',
-              '## Potential CLI flag changes from diff',
+              '## Detected CLI flag surface changes',
               changedFlags,
               '',
-              '## Potential model changes from diff',
+              '## Detected model catalog changes',
               changedModels,
               '',
-              '## Potential feature changes from diff',
+              '## Detected feature flag changes',
               changedFeatures,
               '',
               '## Commits',

CodexSharpSDK.Tests/Integration/CodexCliSmokeTests.cs

@@ -30,6 +30,8 @@ public class CodexCliSmokeTests
     private const string StatusCommand = "status";
     private const string HelpFlag = "--help";
     private const string VersionToken = "codex-cli";
+    private const string RootHelpToken = "Codex CLI";
+    private const string RootHelpCommandToken = "exec";
     private const string ExecHelpToken = "Run Codex non-interactively";
     private const string NotLoggedInToken = "Not logged in";
     private const string NotAuthenticatedToken = "Not authenticated";
@@ -54,6 +56,19 @@ public async Task CodexCli_Smoke_VersionCommand_ReturnsCodexCliVersion()
         await Assert.That(output.Contains(VersionToken, StringComparison.OrdinalIgnoreCase)).IsTrue();
     }
 
+    [Test]
+    public async Task CodexCli_Smoke_HelpCommand_ReturnsRootCommands()
+    {
+        var executablePath = ResolveExecutablePath();
+
+        var result = await RunCodexAsync(executablePath, null, HelpFlag);
+        await Assert.That(result.ExitCode).IsEqualTo(0);
+
+        var output = string.Concat(result.StandardOutput, result.StandardError);
+        await Assert.That(output.Contains(RootHelpToken, StringComparison.Ordinal)).IsTrue();
+        await Assert.That(output.Contains(RootHelpCommandToken, StringComparison.Ordinal)).IsTrue();
+    }
+
     [Test]
     public async Task CodexCli_Smoke_ExecHelpCommand_ReturnsSuccess()
     {

Directory.Build.props

@@ -17,7 +17,7 @@
   </PropertyGroup>
 
   <!-- NuGet package metadata and versioning -->
-  <PropertyGroup Condition="'$(IsPackable)' == 'true'">
+  <PropertyGroup>
     <Authors>ManagedCode</Authors>
     <Company>ManagedCode</Company>
     <RepositoryType>GitHub</RepositoryType>
@@ -28,11 +28,11 @@
     <PublishRepositoryUrl>true</PublishRepositoryUrl>
     <EmbedUntrackedSources>true</EmbedUntrackedSources>
     <EnablePackageValidation>true</EnablePackageValidation>
-    <Version>0.1.2</Version>
+    <Version>0.1.3</Version>
     <PackageVersion>$(Version)</PackageVersion>
   </PropertyGroup>
 
-  <ItemGroup Condition="'$(IsPackable)' == 'true'">
+  <ItemGroup>
     <None Include="$(MSBuildThisFileDirectory)README.md" Pack="true" PackagePath="/" Visible="false" />
   </ItemGroup>
 

docs/Features/release-and-sync-automation.md

@@ -35,14 +35,16 @@ Keep package quality and upstream Codex CLI parity automatically verified throug
 - CI must run build and tests on every push/PR.
 - CI and Release workflows must execute full solution tests before smoke subsets, excluding auth-required tests with `-- --treenode-filter "/*/*/*/*[RequiresCodexAuth!=true]"`.
 - Codex CLI smoke test workflow steps must run `CodexCli_Smoke_*` via `CodexSharpSDK.Tests` project scope to avoid false `zero tests ran` failures in non-smoke test assemblies.
+- Codex CLI smoke validation must cover both `codex --help` and `codex exec --help`, proving root and non-interactive help surfaces stay discoverable.
 - Release workflow must build/test before pack/publish.
 - Release workflow must read package version from `Directory.Build.props`.
 - Release workflow must validate semantic version format before packaging.
+- Release workflow must fail if the produced `.nupkg` version does not match `Directory.Build.props`.
 - Release workflow must use generated GitHub release notes.
 - Release workflow must create/push git tag `v<version>` before publishing GitHub release.
 - Codex CLI watch runs daily and opens issue when upstream `openai/codex` changed since pinned submodule SHA.
 - Completing a Codex CLI sync issue must update the pinned `submodules/openai-codex` commit after validation.
-- Sync issue body must include detected candidate changes for CLI flags/models/features and actionable checklist.
+- Sync issue body must derive flag changes from CLI source snapshots, model changes from `codex-rs/core/models.json`, and feature changes from `codex-rs/core/config.schema.json` so alerts stay actionable.
 - Sync issue must assign Copilot by default.
 - Duplicate sync issue for same upstream SHA is not allowed.
 
@@ -71,6 +73,7 @@ flowchart LR
 - `codex features list`
 - `dotnet build ManagedCode.CodexSharpSDK.slnx -c Release -warnaserror`
 - `dotnet test --solution ManagedCode.CodexSharpSDK.slnx -c Release`
+- `dotnet pack CodexSharpSDK/CodexSharpSDK.csproj -c Release --no-build -o artifacts`
 
 ### Workflow mapping
 

docs/Testing/strategy.md

@@ -15,6 +15,7 @@ Verify `ManagedCode.CodexSharpSDK` behavior against real Codex CLI contracts, wi
 - Use the real installed `codex` CLI for process interaction tests; do not use `FakeCodexProcessRunner` doubles.
 - Treat `codex` as a prerequisite for real integration runs and install it in CI/local setup before running those tests.
 - CI validates Codex CLI smoke behavior on Linux/macOS/Windows without requiring login: CLI must be discoverable and invokable.
+- Smoke coverage validates both `codex --help` and `codex exec --help` before unauthenticated login checks.
 - Cross-platform CI smoke also validates unauthenticated behavior in an isolated profile (`codex login status` must report `Not logged in`), proving binary discovery + process launch without relying on local credentials.
 - Real integration runs must use existing Codex CLI login/session; test harness does not use API key environment variables.
 - Real integration model selection must be explicit: set `CODEX_TEST_MODEL` or define `model` in `~/.codex/config.toml` (no hardcoded fallback model).