Summary
CrossVendorAudit.ts resolves the codex CLI from a single hard-coded path:
const CODEX_BIN = join(HOME, ".bun", "bin", "codex");
If codex is installed anywhere else — e.g. a Homebrew install at /opt/homebrew/bin/codex — that path doesn't exist, so main()'s guard:
if (!existsSync(CODEX_BIN)) {
const resp = { verdict: "skipped", reason: "codex CLI not installed" };
...
}
returns verdict: "skipped". A skipped audit is a no-op that reads like a pass to a hurried reader, so a codex binary living outside ~/.bun/bin silently disables the entire cross-vendor audit — with no error surfaced.
Impact
The cross-vendor audit is a verification gate. A relocated codex binary quietly turns it off. That's the most dangerous failure shape: nothing signals that the independent second look never ran.
Suggested fix
Resolve codex robustly instead of hard-coding one location — honor an explicit override, then PATH, then common install dirs, falling back to the old path so the "not found" guard still reports cleanly when codex is genuinely absent:
function resolveCodexBin(): string {
const override = process.env.CODEX_BIN;
if (override && existsSync(override)) return override;
const fromPath = Bun.which("codex");
if (fromPath) return fromPath;
const candidates = [
"/opt/homebrew/bin/codex",
"/usr/local/bin/codex",
join(HOME, ".bun", "bin", "codex"),
];
return candidates.find((p) => existsSync(p)) ?? join(HOME, ".bun", "bin", "codex");
}
const CODEX_BIN = resolveCodexBin();
Optionally sharpen the skip reason to "codex CLI not found on PATH, $CODEX_BIN, or common install dirs" so a genuine absence is distinguishable from a misconfigured path.
Happy to open a PR if useful.
Summary
CrossVendorAudit.tsresolves thecodexCLI from a single hard-coded path:If
codexis installed anywhere else — e.g. a Homebrew install at/opt/homebrew/bin/codex— that path doesn't exist, somain()'s guard:returns
verdict: "skipped". A skipped audit is a no-op that reads like a pass to a hurried reader, so acodexbinary living outside~/.bun/binsilently disables the entire cross-vendor audit — with no error surfaced.Impact
The cross-vendor audit is a verification gate. A relocated
codexbinary quietly turns it off. That's the most dangerous failure shape: nothing signals that the independent second look never ran.Suggested fix
Resolve
codexrobustly instead of hard-coding one location — honor an explicit override, thenPATH, then common install dirs, falling back to the old path so the "not found" guard still reports cleanly when codex is genuinely absent:Optionally sharpen the skip reason to
"codex CLI not found on PATH, $CODEX_BIN, or common install dirs"so a genuine absence is distinguishable from a misconfigured path.Happy to open a PR if useful.