
Fix remaining prepublish release blockers #5697

Merged: code-yeongyu merged 12 commits into dev from code-yeongyu/fix-prepublish-release-blockers-round2 on Jun 28, 2026

@code-yeongyu code-yeongyu commented Jun 28, 2026

Owner

Summary

This PR fixes the remaining pre-publish blockers found in the release gate. It prevents CodeGraph child processes from inheriting ambient provider/API tokens, keeps Atlas from treating active full-session background output as completed work, tightens Codex CodeGraph release coverage, fixes web-terminal Authorization redaction, and gives the download-stats workflow the GitHub token it needs.

Changes

  • CodeGraph process safety

    • Added a shared buildCodegraphChildEnv helper that only preserves OS/runtime essentials and explicit CodeGraph variables.
    • Routed Codex CodeGraph hook, worker, MCP serve, and OpenCode bootstrap command execution through the sanitized child environment.
    • Added Windows .js/.cjs/.mjs launcher handling so Node script entrypoints are executed through the active Node binary.
  • Atlas background-output handling

    • Treats # Full Session Output with active statuses (pending, running, error, cancelled, interrupt) as incomplete, so Atlas leaves the output untouched.
    • Keeps the completed full-session path covered so verification reminders still append when a background task really is done.
  • Release/CI gates

    • test:codex now runs the CodeGraph component typecheck and runtime tests before packaged Codex checks.
    • Workflow guard tests assert the new CodeGraph component gate stays ordered before packaged Codex checks.
    • CodeGraph component tests use bun test ./test and platform-neutral assertions so Windows no longer treats test globs or escaped paths as failures.
  • QA and workflow hardening

    • Web-terminal redaction now covers JSON/object/single-quoted Authorization header shapes.
    • The stats workflow exports GH_TOKEN for both fetch and send steps while keeping POSTHOG_KEY scoped to send only.

QA & Evidence

  • Targeted branch tests

    • Command: bun test packages/utils/src/codegraph-env.test.ts packages/omo-opencode/src/hooks/codegraph-bootstrap/codegraph-bootstrap.test.ts packages/omo-opencode/src/hooks/atlas/tool-execute-after-subagent-completion.test.ts script/codex-test-script.test.ts script/publish-workflow.test.ts script/stats.test.ts script/web-terminal-visual-qa.test.ts
    • Observed: 66 pass, 0 fail
    • Artifact: .omo/evidence/20260628-prepublish-blockers-round2/targeted-bun-tests.out
  • CodeGraph component typecheck and runtime tests

    • Commands: npm --prefix packages/omo-codex/plugin/components/codegraph run typecheck, npm --prefix packages/omo-codex/plugin/components/codegraph test
    • Observed: typecheck exit 0; runtime tests 46 pass, 0 fail
    • Artifacts: .omo/evidence/20260628-prepublish-blockers-round2/codegraph-component-typecheck-after-review-fix.log, .omo/evidence/20260628-prepublish-blockers-round2/codegraph-component-test-after-typecheck-fix.log
  • Generated skill drift

    • Command: node --test packages/omo-codex/plugin/test/sync-skills.test.mjs packages/omo-codex/plugin/test/sync-skills-orchestration.test.mjs
    • Observed: 23 pass, 0 fail; generated skill copies have no hand-authored drift
    • Artifact: .omo/evidence/20260628-prepublish-blockers-round2/sync-skills-test.out
  • Codex compatibility gate

    • Command: bun run test:codex
    • Observed: passed with the inserted CodeGraph component typecheck and component tests in the gate; final summary 421 pass, 0 fail
    • Artifact: .omo/evidence/20260628-prepublish-blockers-round2/test-codex-after-codegraph-typecheck-gate-fix.log
  • Codex live harness QA

    • Commands: bash .agents/skills/codex-qa/scripts/lib/common.sh --self-check, bash .agents/skills/codex-qa/scripts/app-server-drive.sh --plugin
    • Observed: isolated CODEX_HOME, local mock model, turn completed, hook/completed for sessionStart, userPromptSubmit, and stop, real ~/.codex/config.toml unchanged
    • Artifacts: .omo/evidence/20260628-prepublish-blockers-round2/codex-qa-common-self-check-after-typecheck-fix.log, .omo/evidence/20260628-prepublish-blockers-round2/codex-app-server-plugin-after-typecheck-fix.json
  • OpenCode live harness QA

    • Command: bash /Users/yeongyu/local-workspaces/omo/.agents/skills/opencode-qa/scripts/sse-hook-probe.sh --self-test
    • Observed: isolated OpenCode server emitted server.connected; live OpenCode DB session count stayed 5737 -> 5737
    • Artifact: .omo/evidence/20260628-prepublish-blockers-round2/opencode-sse-self-test.out
  • Pre-push gates

    • Commands: bun run typecheck, bun run build, bun test
    • Observed: typecheck passed, build passed, full bun test reported 10283 pass, 2 skip, 0 fail
    • Artifacts: .omo/evidence/20260628-prepublish-blockers-round2/typecheck.out, .omo/evidence/20260628-prepublish-blockers-round2/build.out, .omo/evidence/20260628-prepublish-blockers-round2/bun-test.out

Full evidence summary: .omo/evidence/20260628-prepublish-blockers-round2/qa-summary.md
Manual QA matrix: .omo/evidence/20260628-prepublish-blockers-round2/manual-qa-matrix.md
Round notepad: .omo/notepads/pr-5697-prepublish-blockers-round2.md

Risks & Residuals

  • The CodeGraph env allowlist is intentionally narrow. Tests cover that provider tokens are dropped and CodeGraph runtime variables survive.
  • OpenCode live QA proves the real isolated server/SSE surface and database isolation; the Atlas hook behavior itself is asserted with targeted hook tests rather than a real model turn.
  • A reviewer noted a non-blocking Atlas transcript-body regex edge case; it is recorded in the matrix as follow-up risk and is outside this blocker repair scope.
  • Evidence files are local .omo/evidence artifacts and are not committed to the PR branch; they will be synced back to the main worktree after merge per the repo workflow.
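
An added example, not code from this PR or the project: a default-deny child environment plus the Windows Node-script launcher rule, as the "CodeGraph process safety" items describe them. The function names, the allowlist contents, the `CODEGRAPH_` prefix and the sample variables are assumptions.

```javascript
// Added sketch, not the project's buildCodegraphChildEnv. The allowlist contents and
// the CODEGRAPH_ prefix are assumptions; the PR text does not list them.
const ESSENTIAL_NAMES = new Set([
  "PATH", "HOME", "USER", "SHELL", "LANG", "TMPDIR", "TEMP", "TMP",
  "SYSTEMROOT", "COMSPEC", "PATHEXT", "USERPROFILE", "APPDATA", "LOCALAPPDATA",
]);
const EXPLICIT_PREFIX = "CODEGRAPH_";

// Default-deny: a variable reaches the child only if its name is allowlisted.
function buildChildEnvSketch(parentEnv, platform) {
  const childEnv = {};
  for (const [name, value] of Object.entries(parentEnv)) {
    if (typeof value !== "string") continue;
    // Windows treats names case-insensitively ("Path" is PATH), so normalise there.
    const key = platform === "win32" ? name.toUpperCase() : name;
    if (ESSENTIAL_NAMES.has(key) || key.startsWith(EXPLICIT_PREFIX)) {
      childEnv[name] = value;
    }
  }
  return childEnv;
}

// A .js/.cjs/.mjs entrypoint is not a native executable on Windows; run it via Node.
function resolveLaunchSketch(command, args, platform, nodeBinary) {
  if (platform === "win32" && /\.(?:js|cjs|mjs)$/i.test(command)) {
    return { file: nodeBinary, args: [command, ...args] };
  }
  return { file: command, args: [...args] };
}

// Constructed parent environment: two ambient secrets plus what the child needs.
const SAMPLE_PARENT_ENV = {
  Path: "C:\\Windows\\System32",
  SystemRoot: "C:\\Windows",
  OPENAI_API_KEY: "sk-constructed-not-real",
  GH_TOKEN: "ghp_constructed_not_real",
  CODEGRAPH_CACHE_DIR: "C:\\cache\\codegraph", // hypothetical variable name
};

function demoSpawnPlan() {
  const env = buildChildEnvSketch(SAMPLE_PARENT_ENV, "win32");
  const launch = resolveLaunchSketch("C:\\tools\\cg.mjs", ["serve"], "win32", "C:\\node\\node.exe");
  return { env, launch }; // would be passed as spawn(launch.file, launch.args, { env })
}
```

The point of passing an explicit `env` is that a spawned process otherwise inherits the parent's whole environment, including any tokens exported in the shell or CI job.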

@github-actions github-actions Bot added the utils (Changes under packages/utils), lazycodex (Codex (LazyCodex) edition: packages/omo-codex) and opencode (OpenCode edition: packages/omo-opencode) labels Jun 28, 2026
@code-yeongyu code-yeongyu merged commit adfc9f6 into dev Jun 28, 2026
21 checks passed
@code-yeongyu code-yeongyu deleted the code-yeongyu/fix-prepublish-release-blockers-round2 branch June 28, 2026 19:22
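
An added example, not code from this PR or the project: one way to redact Authorization values across the plain-header, JSON, object-literal and single-quoted shapes the description mentions. The pattern, the `[REDACTED]` placeholder, the function names and the sample lines are assumptions.

```javascript
// Added sketch, not the project's redaction code; pattern and placeholder are assumptions.
// Group 1: header name (optionally quoted) and the colon.
// Group 2: opening quote of a quoted value (JSON or JS object literal), else undefined.
// The closing quote is optional so a truncated line is still redacted to end of line.
const AUTH_PATTERN =
  /(["']?authorization["']?\s*:\s*)(?:(["'])(?:\\.|(?!\2)[^\\\r\n])*\2?|[^\s"',}][^\r\n"',}]*)/gi;

function redactAuthorization(text) {
  return text.replace(AUTH_PATTERN, (match, prefix, quote) =>
    quote ? `${prefix}${quote}[REDACTED]${quote}` : `${prefix}[REDACTED]`);
}

// Constructed terminal lines, one per header shape, plus a line that must not change.
const SAMPLE_LINES = [
  "Authorization: Bearer tok-plain-111",
  '{"Authorization": "Bearer tok-json-222", "accept": "*/*"}',
  "headers: { authorization: 'Basic tok-obj-333' }",
  "{'Authorization': 'Bearer tok-sq-444'}",
  "curl -H 'Authorization: Bearer tok-curl-555' https://example.test",
  "content-type: application/json",
];

function redactSample() {
  return SAMPLE_LINES.map(redactAuthorization);
}

// Regression check: list any constructed token that survives redaction.
function survivingTokens() {
  return redactSample().join("\n").match(/tok-[a-z]+-\d+/g) || [];
}
```

Asserting that no sample token survives, rather than matching one expected string, is what catches a header shape the pattern misses.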