This release includes 1 breaking change for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Moderate signal: v0.17.1 migrates from context-pack handoff to approved PRD/test-spec artifact coordination, with supporting improvements to team runtime efficiency and MCP startup safety. Test the execution contract changes in dev before rolling to production.
Why it matters: The execution contract migration changes the artifact handoff model. The team runtime avoids redundant MCP startup and idle plan triggers. Verify artifact compatibility and test coordination flows; plan a phased rollout if managing large deployments.
Summary
AI summary: Approved execution contract migration replaces older context-pack handoff.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Vulnerable transitive npm packages were updated in the lockfile for release train audit-cleanliness. Source: llm_adapter@2026-05-21. Confidence: high. | — |
| Feature | Medium | Team and Ultragoal coordination is explicit with leader-owned goal state and parallel execution lanes. Source: llm_adapter@2026-05-21. Confidence: high. | — |
| Feature | Medium | Question bridge events are structured for auditable Hermes/MCP coordination around pending and answered states. Source: llm_adapter@2026-05-21. Confidence: high. | — |
| Feature | Medium | Setup MCP defaults require explicit confirmation before removal and handle plugin-mode none correctly. Source: llm_adapter@2026-05-21. Confidence: low. | — |
| Feature | Medium | Setup MCP removal now requires explicit confirmation; doctor output correctly handles plugin-mode `none` state. Source: granite4.1:30b@2026-05-22-audit. Confidence: low. | — |
| Bugfix | Medium | Approved execution contract migration replaces older context-pack handoff with approved PRD/test-spec artifacts. Source: llm_adapter@2026-05-21. Confidence: high. | — |
| Bugfix | Medium | Team runtime avoids redundant MCP startup, idle Ultragoal plans from accidental triggers, and draft-only startup timeouts. Source: llm_adapter@2026-05-21. Confidence: high. | — |
| Bugfix | Medium | HUD/tmux resize handling enforces pane height and prevents hook ownership collisions across windows. Source: llm_adapter@2026-05-21. Confidence: low. | — |
| Bugfix | Medium | Native session overlays preserve generated user AGENTS guidance while omitting project boilerplate from instructions. Source: llm_adapter@2026-05-21. Confidence: low. | — |
Full changelog
oh-my-codex v0.17.1
0.17.1 is a patch release after 0.17.0 focused on release readiness and runtime coordination hardening: Team + Ultragoal handoff guidance, structured question bridge events, setup MCP removal confirmation, Team startup readiness, HUD/tmux ownership fixes, native session overlay preservation, and audit-clean release metadata.
Highlights
- Team + Ultragoal coordination is explicit — Ultragoal remains leader-owned durable goal/ledger state while Team runs parallel execution lanes and returns checkpoint-ready evidence.
- Question bridge events are auditable — structured question bridge events support bounded Hermes/MCP coordination around pending and answered question state.
- Setup MCP defaults are safer — setup-managed MCP removal requires explicit confirmation, and doctor output now handles plugin-mode `none` state correctly.
- Release train is audit-clean — package/Cargo metadata are aligned to `0.17.1`, and vulnerable transitive npm packages were updated in the lockfile.
Fixes and compatibility notes
- Approved execution contract migration — approved repository context replaces the older context-pack approved-execution handoff; approved PRD/test-spec artifacts and Team evidence are now the handoff source of truth.
- Team runtime reliability — workers avoid redundant MCP startup, idle Ultragoal plans do not trigger accidental startup, and draft-only Team startup fails after ready timeout.
- HUD/tmux stability — resize handling enforces HUD pane height and avoids hook ownership collisions across windows.
- Native session overlays — generated user AGENTS guidance is preserved while generated project boilerplate is omitted from session instructions.
- Ralph and Lore guardrails — Ralph examples require completion-audit evidence, and the Lore guard accepts compact compliant commits with the required OmX co-author trailer.
Validation
Local pre-tag gates passed: `npm run lint`, `npm run check:no-unused`, `cargo check --workspace`, `npm audit --audit-level=high`, `git diff --check`, and `git diff --cached --check`.
The complete npm test suite was not claimed as a clean local gate in this attached OMX/tmux runtime because prior attempts showed ambient runtime contamination and leaked question-test child processes. The tag workflow remains the authoritative clean CI/publication gate.
Contributors
Thanks to bellman, @dependabot[bot], @grndlvl, @HaD0Yun, @probepark, @weathour, and @Yeachan-Heo for contributing to this release.
Full Changelog: v0.17.0...v0.17.1
Breaking Changes
- Approved repository context replaces older context-pack approved-execution handoff; PRD/test-spec artifacts and Team evidence become the source of truth.
Earlier breaking changes
- v0.18.5 Ultragoal completion now requires independent reviewer and architect evidence before marking complete.