diff --git a/bin/gstack-config b/bin/gstack-config
index 01defcef8..52936ffa2 100755
--- a/bin/gstack-config
+++ b/bin/gstack-config
@@ -86,7 +86,16 @@ CONFIG_HEADER='# gstack configuration — edit freely, changes take effect on ne
 # # --no-plan-tune-hooks, or env GSTACK_PLAN_TUNE_HOOKS.
 #
 # ─── Advanced ────────────────────────────────────────────────────────
-# codex_reviews: enabled # disabled = skip Codex adversarial reviews in /ship
+# codex_reviews: enabled # Master switch for Codex cross-model review. enabled =
+# # Codex runs as a standard step in /review, /ship,
+# # /document-release, plan reviews, and /autoplan (auto
+# # falls back to a Claude subagent if Codex is missing or
+# # not authenticated). disabled = skip all Codex passes.
+# # Asymmetry on disabled: diff-review (/review, /ship) still
+# # runs the free Claude adversarial subagent; plan-review and
+# # /document-release skip the outside-voice step entirely.
+# # An invalid value is REJECTED (existing value preserved) so
+# # a typo cannot silently turn paid Codex calls on or off.
 # gstack_contributor: false # true = file field reports when gstack misbehaves
 # skip_eng_review: false # true = skip eng review gate in /ship (not recommended)
 #
@@ -302,6 +311,13 @@ case "${1:-}" in
 echo "Warning: plan_tune_hooks '$VALUE' not recognized. Valid values: prompt, yes, no. Using prompt." >&2
 VALUE="prompt"
 fi
+ # codex_reviews controls PAID Codex calls. Unlike the warn-and-default keys above,
+ # an invalid value is REJECTED and the existing setting is left unchanged — a typo
+ # must never silently flip the switch and turn paid Codex calls on or off.
+ if [ "$KEY" = "codex_reviews" ] && [ "$VALUE" != "enabled" ] && [ "$VALUE" != "disabled" ]; then
+ echo "Error: codex_reviews '$VALUE' not recognized. Valid values: enabled, disabled. Existing value left unchanged." >&2
+ exit 1
+ fi
 mkdir -p "$STATE_DIR"
 # Write annotated header on first creation
 if [ ! -f "$CONFIG_FILE" ]; then
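Review bot: The `codex_reviews` check in the second hunk rejects a bad value only on this write path (the branch that continues to `mkdir -p "$STATE_DIR"`), so a value that reaches the config file by hand edit, or one stored before this commit, is never validated here. The header text in the first hunk invites exactly that ("edit freely") while stating that an invalid value "is REJECTED", which overstates what the code shown enforces. How the read side treats an unrecognized stored value is not visible in this diff; if it does not already, it should warn on stderr rather than silently choosing on or off. I would also narrow the header sentence to `# An invalid value passed to gstack-config is REJECTED (existing value preserved) so`. The enclosing `case` branch starts and ends outside the hunk.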