Codex supports per-commit review loops and GitHub browser fallback in user tests

• steipete's per-commit post says Codex is now reviewing every commit that lands on main, opening a fix PR when it finds a regression or security issue, then handing that PR to another review agent for up to five loops.
• The clearest example came from steipete's security report screenshot, where Codex flagged a tarball checker bug that could leak host-file snippets into logs or hang validation jobs.
• When the API path broke, steipete's GitHub fallback post showed Codex opening GitHub in a browser, typing into the comment box, and closing the issue, while steipete's Cloudflare token post showed the same browser path creating a new API key.
• Other users are treating the browser as the main interface, not a backup: danshipper's PostHog workflow used Codex inside PostHog for live product analysis, and danshipper's Proof workflow used it alongside a document editor for realtime writing.
• Creative experiments are already spilling into plugins, with ai_artworkgen's HyperFrames demo using a Codex plugin to apply glitch, chromatic aberration, ripple, and VHS effects to video.

You can inspect the openclaw fix PR, read the underlying security report record, try Proof, and watch Codex drift from terminal helper into a browser coworker across coding, analytics, writing, and media workflows.

The most concrete workflow here is not chat-driven coding, it is commit-driven QA. According to steipete's per-commit post, every main-branch commit gets a Codex review pass, and a second Codex instance opens a PR if the issue is still relevant.

The report in steipete's security report screenshot shows the kind of bug this catches: a tarball checker that followed extracted symlinks outside the package, which could expose readable host data in logs or stall package validation. The fix path then surfaced publicly in the linked openclaw PR.

When GitHub rate limits blocked the normal path, steipete's GitHub fallback post showed Codex switching to browser actions, reading network requests, typing into the issue UI, and closing the thread. In a second example, steipete's Cloudflare token post showed Codex navigating Cloudflare's dashboard to mint a fresh scoped API key after complaining that the existing key lacked permissions.

That turns the browser into a permissions and UI escape hatch. The interesting part is not just web browsing, it is that the same agent keeps the task alive when the clean API route fails.

Dan Shipper's two posts push the pattern further. In danshipper's PostHog workflow, Codex used PostHog inside its app, wrote queries, read the results, and kicked off agents that could open PRs or run production database requests tied to the analysis.

In danshipper's Proof workflow, the right pane stayed on the document while Codex looped in parallel on the left. Shipper also linked directly to Proof, which makes this less like browser automation theater and more like a new split-pane working style for web apps.

HyperFrames effects demo

The most creative use in this batch came from ai_artworkgen's HyperFrames demo, which used the HyperFrames plugin on Codex to transform an attached video. The prompt named four effects, and the output showcased them as a menu:

• Glitch
• Chromatic aberration
• Ripple
• VHS tape

That is a small demo, but it adds one more surface to the pattern. The same browser-and-tool harness showing up in code review, writing, and analytics is already reaching video workflows too.