nisavid · nisavid · May 11, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -47,6 +47,25 @@ jobs:
           bash -n contrib/user-local-install/files/.local/bin/codex-app-update
           bash -n contrib/user-local-install/files/.local/bin/codex-app-version
           bash -n contrib/user-local-install/files/share/common.sh
+          bash -n scripts/ci/update-nix-hashes.sh
+
+      - name: Check Node patcher syntax
+        run: |
+          set -euo pipefail
+          node --check scripts/patch-linux-window-ui.js
+          node --check scripts/patch-linux-window-ui.test.js
+          for file in scripts/patches/*.js; do
+            node --check "$file"
+          done
+          for file in linux-features/*/patch.js; do
+            [ -f "$file" ] || continue
+            node --check "$file"
+          done
+          feature_tests=(linux-features/*/test.js)
+          if [ -e "${feature_tests[0]}" ]; then
+            node --test --test-concurrency=1 "${feature_tests[@]}"
+          fi
+          node --check scripts/ci/validate-patch-report.js
 
       - name: Check Rust formatting
         run: cargo fmt --check

diff --git a/.github/workflows/update-codex-hash.yml b/.github/workflows/update-codex-hash.yml
@@ -1,8 +1,8 @@
-name: Update Codex.dmg hash
+name: Update Nix upstream hashes
 
 on:
   schedule:
-    - cron: '0 6 * * *'
+    - cron: '0 */2 * * *'
   workflow_dispatch: {}
 
 permissions:
@@ -12,66 +12,60 @@ permissions:
 jobs:
   update-hash:
     runs-on: ubuntu-latest
+    env:
+      NIX_CONFIG: experimental-features = nix-command flakes
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 
-      - name: Download upstream Codex.dmg
-        run: curl -fL --retry 3 -o /tmp/Codex.dmg https://persistent.oaistatic.com/codex-app-prod/Codex.dmg
+      - name: Refresh Nix fixed-output hashes
+        run: scripts/ci/update-nix-hashes.sh
 
-      - name: Compute SRI hash and update flake.nix
+      - name: Commit refreshed hashes
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
-          NEW_HASH=$(nix hash file --sri --type sha256 /tmp/Codex.dmg)
-          echo "Upstream hash: $NEW_HASH"
-
-          if ! [[ "$NEW_HASH" =~ ^sha256-[A-Za-z0-9+/=]{44}$ ]]; then
-            echo "Refusing to proceed: computed hash '$NEW_HASH' is not a valid SRI sha256." >&2
-            exit 1
-          fi
-
-          CURRENT_HASH=$(sed -nE 's/.*hash = "(sha256-[^"]+)".*/\1/p' flake.nix | head -n 1)
-          echo "Current hash:  $CURRENT_HASH"
-
-          if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
-            echo "Hash unchanged, nothing to do."
+          if git diff --quiet -- flake.nix; then
+            echo "Nix hashes unchanged, nothing to do."
             exit 0
           fi
 
-          sed -i "s|hash = \"sha256-[^\"]*\";|hash = \"$NEW_HASH\";|" flake.nix
+          CODEX_DMG_HASH="$(scripts/ci/update-nix-hashes.sh read-flake-hash 'codexDmg = pkgs.fetchurl {' 'hash = ')"
+          PAYLOAD_HASH="$(scripts/ci/update-nix-hashes.sh read-flake-hash 'codexDesktopPayload = pkgs.stdenv.mkDerivation {' 'outputHash = ')"
 
           git config user.name  "codex-dmg-hash-bot"
           git config user.email "actions@github.com"
           BRANCH="bot/update-codex-dmg-hash"
           git fetch origin "$BRANCH:refs/remotes/origin/$BRANCH" || true
           git checkout -B "$BRANCH"
           git add flake.nix
-          git commit -m "fix(nix): update Codex.dmg hash
-
-          Upstream binary changed; refreshed SRI hash to $NEW_HASH.
-
-          [skip ci]"
+          git commit \
+            -m "fix(nix): update upstream Nix hashes" \
+            -m "Refreshed Codex.dmg SRI hash to $CODEX_DMG_HASH." \
+            -m "Refreshed codexDesktopPayload recursive outputHash to $PAYLOAD_HASH." \
+            -m "[skip ci]"
           git push --force-with-lease origin "$BRANCH"
 
-          PR_BODY="Upstream binary changed; refreshed SRI hash to \`$NEW_HASH\`.
+          PR_BODY="Refreshed Codex.dmg SRI hash to \`$CODEX_DMG_HASH\`.
+
+          Refreshed codexDesktopPayload recursive outputHash to \`$PAYLOAD_HASH\`.
 
           This scheduled workflow opens a PR for maintainer review instead of pushing directly to main."
 
           PR_NUMBER="$(gh pr list --repo nisavid/codex-app-linux --base main --head "$BRANCH" --state open --json number --jq '.[0].number // empty')"
           if [ -n "$PR_NUMBER" ]; then
             gh pr edit "$PR_NUMBER" \
               --repo nisavid/codex-app-linux \
-              --title "fix(nix): update Codex.dmg hash" \
+              --title "fix(nix): update upstream Nix hashes" \
               --body "$PR_BODY"
           else
             gh pr create \
               --repo nisavid/codex-app-linux \
               --base main \
               --head "$BRANCH" \
-              --title "fix(nix): update Codex.dmg hash" \
+              --title "fix(nix): update upstream Nix hashes" \
               --body "$PR_BODY"
           fi
diff --git a/.github/workflows/upstream-build-app.yml b/.github/workflows/upstream-build-app.yml
@@ -134,7 +134,11 @@ jobs:
           JSON
 
       - name: Build app from upstream DMG
-        run: make build-app DMG=/tmp/codex-upstream-ci/Codex.dmg
+        run: |
+          set -euo pipefail
+          CODEX_PATCH_REPORT_JSON="$GITHUB_WORKSPACE/patch-report.json" \
+            make build-app DMG=/tmp/codex-upstream-ci/Codex.dmg
+          node scripts/ci/validate-patch-report.js patch-report.json --profile upstream-build
 
       - name: Upload upstream DMG metadata artifact
         uses: actions/upload-artifact@v7

diff --git a/.gitignore b/.gitignore
@@ -8,6 +8,7 @@ bin/codex-*
 target/
 dist/
 dist-next/
+linux-features/features.json
 .idea/
 .claude/
 /.codex

diff --git a/AGENTS.md b/AGENTS.md
@@ -77,7 +77,7 @@ Treat this file as always-loaded agent policy. Keep detailed package recipes, ru
 - Linux package templates, maintainer scripts, desktop entry, service unit, packaged runtime helper: `packaging/linux/`
 - Rust updater service and CLI: `updater/`
 - Updater crate version and versioning policy: `updater/Cargo.toml` and
-  `docs/maintainers/package-runtime-maintenance.md` (current version: `0.7.0`)
+  `docs/maintainers/package-runtime-maintenance.md` (current version: `0.7.1`)
 - User-facing overview and install guidance: `README.md`
 - Webview server design decision and acceptance criteria: `docs/webview-server-evaluation.md`
 - Fork-specific contracts and upstream-sync review inventory: `docs/maintainers/fork-divergences.md`

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ## [Unreleased]
 
+## [0.7.1] - 2026-05-06
+
+### Fixed
+
+- The Chrome native-messaging host now evicts stale browser clients when a newer Codex browser client connects, preventing old Node REPL sessions from repeatedly reattaching CDP and driving extension service-worker CPU.
+- The bundled Chrome plugin is now auto-installed during app startup, matching Browser Use, so the plugin page no longer falls back to an install button after restart when the Linux native host is already staged.
+- Local auto-update rebuilds and package builds now find the Rust toolchain reliably when `cargo` is installed via `rustup` under `~/.cargo/bin`, even if the `codex-app-updater` user service or packaging scripts inherit a reduced `PATH`.
+
+### Added
+
+- Regression coverage for the build-environment fix: updater path construction now has a unit test for `~/.cargo/bin`, and packaging helpers resolve `cargo` through the same fallback path used by Linux Computer Use staging.
+
 ## [0.7.0] - 2026-05-04
 
 ### Added
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ bin/codex-* @@
     target/
     dist/
     dist-next/
+    linux-features/features.json
     .idea/
     .claude/
     /.codex
@@ Expand Down @@