Skip to content

chore(deps): bump bundled agents to latest#925

Open
dohooo wants to merge 4 commits into
mainfrom
automation/bump-bundled-vendors
Open

chore(deps): bump bundled agents to latest#925
dohooo wants to merge 4 commits into
mainfrom
automation/bump-bundled-vendors

Conversation

@dohooo

@dohooo dohooo commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Automated daily bundled-agent vendor bump. Only the in-scope bundled agent providers are touched (Claude Code + agent-sdk lockstep, Codex, Cursor SDK, OpenCode, Kimi); supporting tools (gh/glab/cloudflared/llama.cpp/node) are excluded.

Long-lived PR on the fixed automation/bump-bundled-vendors branch. Updated 2026-07-13: Codex advanced further upstream (0.144.2 → 0.144.3) since the last push, so the newer bump was applied on top to keep the bundle at latest.

Version changes (vs main)

Vendor Current (main) Target SHA256
@anthropic-ai/claude-agent-sdk 0.3.205 0.3.207 n/a (npm SDK)
@anthropic-ai/claude-code 2.1.205 2.1.207 ✅ arm64 + x64
@openai/codex 0.144.0 0.144.3 ✅ arm64 + x64
@cursor/sdk 1.0.23 1.0.23 ✅ already current
@opencode-ai/sdk + opencode-ai 1.17.18 1.17.18 ✅ already current
Kimi (MoonshotAI/kimi-code) 0.21.0 newer avail. ⏸️ deferred (see note)

Claude lockstep ✅

@anthropic-ai/claude-agent-sdk@0.3.207 resolves claudeCodeVersion: "2.1.207" — SDK↔CLI patch matched. CLAUDE_CODE_SHA256["2.1.207"] present (arm64 + x64). Both already at the latest npm latest dist-tag.

Codex 0.144.3

CODEX_SHA256["0.144.3"] added (arm64 + x64), computed straight from the npm tarballs via npm_vendor_sha.sh. The superseded uncommitted 0.144.2 key was replaced for a clean single-version diff. Codex is a patch bump within 0.144.xcodex-package.json layoutVersion unchanged (still 1), so no stage-vendor.ts layout change needed.

Kimi deferred (needs an environment with GitHub-release access)

Kimi is a class-C GitHub-release binary whose SHA256 must be sourced from its release assets on MoonshotAI/kimi-code. A newer Kimi is available upstream, but this cloud sandbox's egress is scoped to dohooo/helmor only — api.github.com/repos/MoonshotAI/kimi-code/... returns 403 (re-verified this run), so the newer asset SHAs cannot be computed or verified here. Pinning a guessed SHA would hard-fail the build gate, so Kimi is intentionally left at 0.21.0. Bump it from an environment with access to the kimi release assets (check the ACP protocol version when doing so; Kimi releases are typically TUI/web-only and low-value).

Breaking-change assessment

All bumps are additive same-line patch deltas. bun run typecheck — the SDK export/type-break detector — passed, so no removed/renamed SDK exports. Rust pipeline fixtures (stdout event-shape contract) replay green → assessed no impact. Codex layoutVersion unchanged (1).

Local verification gates (codex 0.144.3 revision)

Gate Result
bun install ✅ resolved 0.3.207 / 2.1.207 / 0.144.3; lockstep claudeCodeVersion: 2.1.207 verified
bun run typecheck ✅ pass
bun test ✅ 418 pass / 1 skip / 0 fail
cargo test --test pipeline_scenarios --test pipeline_fixtures --test pipeline_streams ✅ pass (scenarios 119, fixtures 2, streams 1)
codex + claude-code SHA256 (arm64 + x64) ✅ computed from npm tarballs via npm_vendor_sha.sh

The heavy bun run build (full staging + SHA256 verification + cross-arch) was not run locally — no stage-vendor.ts layout change, and SHAs were computed straight from the npm tarballs. CI re-runs the full build, which is the gate that exercises SHA256 verification + cross-arch staging.

Changeset

.changeset/bump-bundled-agents.md — single, in-place helmor patch naming the bundled Claude Code and Codex agents brought to latest. No in-app announcement (routine maintenance).

🤖 Automated daily bundled-vendor bump.

@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
helmor-marketing Ignored Ignored Preview Jul 13, 2026 8:16am

Request Review

@dohooo dohooo force-pushed the automation/bump-bundled-vendors branch 2 times, most recently from 13d2bd2 to e9b035d Compare July 10, 2026 06:10
Bump Claude Code + claude-agent-sdk (lockstep) to 2.1.206/0.3.206 and
Codex to 0.144.1. Cursor and OpenCode already current; Kimi bump deferred
(release-asset SHA256 unreachable from the automation sandbox).

Claude-Session: https://claude.ai/code/session_013f2wz3YAhNjd23SmiVbuTF
@dohooo dohooo force-pushed the automation/bump-bundled-vendors branch from e9b035d to f4591b1 Compare July 10, 2026 08:08
claude added 3 commits July 13, 2026 02:14
Bump Claude Code + agent-sdk to 2.1.207 / 0.3.207 (lockstep), keep Codex at
0.144.1. Cursor and OpenCode already current; Kimi deferred (release assets
unreachable from this sandbox).

Claude-Session: https://claude.ai/code/session_0162xeT9LJzy5GLPpqA5eMoQ
Bump @openai/codex 0.144.1 -> 0.144.2 (latest). All local gates pass.

Claude-Session: https://claude.ai/code/session_01RbxSjuRC9v2JQUqFGCs5BQ
Bump @openai/codex 0.144.2 → 0.144.3 (latest npm dist-tag). Claude Code
(2.1.207) and claude-agent-sdk (0.3.207) already at latest and lockstep-matched.
CODEX_SHA256 arm64 + x64 computed from npm tarballs.

Claude-Session: https://claude.ai/code/session_01Kp1XoKpKigunzjYRBZcgQP
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants