c07f66c9ec
## Why Installing `@openai/codex` currently places a Dotslash `rg` manifest at `node_modules/@openai/codex/bin/rg`, even though the native optional dependency already ships the actual helper under `vendor/<target>/codex-path/rg`. The launcher prepends that `codex-path` directory, so the top-level `bin/rg` file is redundant in the npm install. The remaining direct consumers of the manifest are package-building paths: `scripts/codex_package/ripgrep.py` and `codex-cli/scripts/install_native_deps.py`. Keeping the manifest under `codex-cli/bin` makes it look like a shipped npm binary, so this moves it next to the package-builder code that owns it. The checked-in `@openai/codex` package metadata should likewise describe only the meta package payload; generated platform packages continue to publish `vendor`. ## What Changed - Moved the Dotslash ripgrep manifest from `codex-cli/bin/rg` to `scripts/codex_package/rg`. - Updated the package builder, npm native-artifact hydrator, README, and CLI help text to reference the new manifest location. - Stopped `codex-cli/scripts/build_npm_package.py` from copying `rg` into the `@openai/codex` meta package. - Narrowed the checked-in meta package `files` whitelist to `bin/codex.js`. ## Verification - `python3 -m unittest discover -s scripts/codex_package -p "test_*.py"` - `python3 -m unittest discover -s codex-cli/scripts -p "test_*.py"` - `python3 -m py_compile codex-cli/scripts/build_npm_package.py codex-cli/scripts/install_native_deps.py scripts/codex_package/ripgrep.py scripts/codex_package/cli.py scripts/stage_npm_packages.py` - `codex-cli/scripts/build_npm_package.py --package codex --version 0.0.0-test --pack-output <tmp>/codex-meta-no-vendor.tgz` - `tar -tf <tmp>/codex-meta-no-vendor.tgz` showed only `package/bin/codex.js`, `package/package.json`, and `package/README.md`. - Direct staging check showed `codex` uses `files: ["bin/codex.js"]` while `codex-darwin-arm64` still uses `files: ["vendor"]`. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/23833). * #23836 * __->__ #23833
Codex package builder
This package contains the implementation behind scripts/build_codex_package.py.
The top-level script is the stable executable entry point; these modules keep the
package-building logic split by responsibility.
The builder creates a canonical Codex package directory:
.
├── codex-package.json
├── bin
│ └── <entrypoint>[.exe]
├── codex-resources
│ ├── bwrap # Linux only
│ ├── codex-command-runner.exe # Windows only
│ └── codex-windows-sandbox-setup.exe # Windows only
└── codex-path
└── rg[.exe]
The package directory is the primary artifact. Archive formats such as
.tar.gz, .tar.zst, and .zip are serializations of that directory.
If --target is omitted, the builder uses the release target for the current
host platform. On Linux, that default is a musl target to match Codex release
artifacts; pass a GNU Linux target explicitly for native glibc local builds. If
--package-dir is omitted, the builder creates a new temporary directory and
prints its path after the package is built.
The --variant flag selects the package entrypoint. Supported variants are
codex and codex-app-server. The version field in codex-package.json is
read from [workspace.package].version in codex-rs/Cargo.toml.
Source-built artifacts
Artifacts built from this repository are built by the package builder in one
grouped cargo build command per package when they are needed and no prebuilt
override was provided:
- all targets: the selected entrypoint, unless
--entrypoint-binis provided - Linux targets:
bwrap, unless--bwrap-binis provided - Windows targets:
codex-command-runnerandcodex-windows-sandbox-setup, unless the corresponding prebuilt helper flags are provided
The default cargo profile is dev-small because local iteration should favor
fast, small builds. Release jobs should pass --cargo-profile release and an
explicit target. Release jobs that already built and signed/notarized the
entrypoint should pass --entrypoint-bin so the package contains that exact
binary instead of rebuilding it.
Release jobs that already built package resource binaries should also pass the
corresponding resource flags: --bwrap-bin for Linux packages, and
--codex-command-runner-bin plus --codex-windows-sandbox-setup-bin for
Windows packages. This keeps package archive creation as a pure staging step
after signing instead of rebuilding resources.
rg is not built from this repository, so the builder fetches it from the
DotSlash manifest at scripts/codex_package/rg. Downloaded archives are cached
under $TMPDIR/codex-package/<target>-rg and are reused only after the recorded
size and SHA-256 digest have been verified. Pass --rg-bin to use a local
ripgrep executable instead.