release: prepare v8.0.4 #94

Merged
gaelic-ghost merged 4 commits into main from security/repo-wide-audit
May 12, 2026

@gaelic-ghost gaelic-ghost commented May 12, 2026

Release

  • prepares v8.0.4 from branch security/repo-wide-audit
  • keeps protected main updates behind pull request review and CI
  • release tag v8.0.4 will be created after CI and the review-comment gate pass, so failed or still-discussed release candidates do not get tagged

Review Loop

Before merge and tagging, scripts/repo-maintenance/release.sh watches CI and stops on review comments unless the maintainer has already addressed or resolved them and reruns with --review-comments-addressed.

Summary by CodeRabbit

  • Chores

    • Bumped plugin version to 8.0.4
    • Raised TTS dependency floors (SpeakSwiftly and TextForSpeech)
  • Documentation

    • Added a repo-wide security audit report and follow-up roadmap milestone
    • Streamlined hook guidance and docs to register only the Stop TTS hook (removed PermissionRequest probe)
    • Updated maintainers' and release notes to reflect these changes

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5ae04df0-d5f5-4245-878b-358e11b1e8c5

📥 Commits

Reviewing files that changed from the base of the PR and between 71811de and e909adc.

📒 Files selected for processing (5)
  • API.md
  • Package.swift
  • docs/maintainers/plugin-install-testing.md
  • docs/maintainers/skills-surface-audit.md
  • docs/releases/v8.0.4-release-notes.md
✅ Files skipped from review due to trivial changes (5)
  • Package.swift
  • docs/maintainers/plugin-install-testing.md
  • docs/releases/v8.0.4-release-notes.md
  • docs/maintainers/skills-surface-audit.md
  • API.md

Walkthrough

Removed the PermissionRequest Codex hook probe from the plugin to address security concerns, updated SpeakSwiftly to 9.0.2 and TextForSpeech to 0.22.1, incremented plugin version to 8.0.4, updated hook validation tooling, and added security audit documentation with roadmap follow-up tracking.

Changes

PermissionRequest Hook Removal and v8.0.4 Release

| Layer | File(s) | Summary |
| --- | --- | --- |
| Hook configuration, script removal, and version bump | hooks/hooks.json, hooks/permission-request-log.mjs, .codex-plugin/plugin.json, .codex/hooks.json | PermissionRequest hook definition removed from configuration; associated Node CLI logging script deleted; plugin version incremented to 8.0.4 and Stop hook command path updated to point to the new version; .codex/hooks.json cleaned to remove PermissionRequest entry. |
| Hook doctor validation and test updates | scripts/codex-hooks-doctor.mjs, scripts/codex-hooks-doctor.test.mjs | Doctor script removes validation of PermissionRequest hooks (repo, global, and Socket cached paths), adjusts expected hook review-state keys to include only Stop hook identities, removes PermissionRequest log summary reporting; tests updated to expect Stop hook identities instead of permission_request identities in review state assertions. |
| Dependency version updates | Package.swift, Package.resolved, API.md | SpeakSwiftly minimum raised from 9.0.0 to 9.0.2 with corresponding lockfile hash/revision updates; TextForSpeech resolved checkout advanced to 0.22.1 while keeping manifest floor at 0.22.0; API documentation updated to match. |
| User and operator guidance | AGENTS.md, docs/codex-hooks-tts.md, skills/speak-swiftly-codex-hooks/SKILL.md, docs/maintainers/plugin-install-testing.md | Codex 0.129.0 hook approval guidance narrowed to Stop hook only; plugin-managed and Socket-managed hook documentation refocused on Stop hook lifecycle; Codex 0.129.0 per-hook review configuration instructions added; doctor expected output updated to show two Stop-only cache commands; troubleshooting/probe outcome documentation removed. |
| Developer documentation and security audit tracking | docs/maintainers/skills-surface-audit.md, docs/maintainers/source-layout.md, docs/security-audits/README.md, docs/security-audits/2026-05-12-repo-wide-audit.md, ROADMAP.md, docs/releases/v8.0.4-release-notes.md | Skill scope descriptions updated to remove permission-request probing references; source layout explicitly documents hooks/ directory and updated tool descriptions; new security audit framework with README and dated report documenting nine findings (path handling, YAML injection, filesystem export, MCP limits, sensitive logging, request disclosure, error exposure, non-loopback risk); Milestone 21 added to roadmap for audit follow-through tracking; v8.0.4 release notes created documenting dependency updates, hook probe removal, and security audit initiation. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • gaelic-ghost/SpeakSwiftlyServer#93: PR #93 added/updated the PermissionRequest hook and versioned hook script paths for v8.0.3, while this PR removes the PermissionRequest hook/script and advances to v8.0.4—they modify the same hook entries and plugin version in opposing directions.
  • gaelic-ghost/SpeakSwiftlyServer#92: Both PRs modify the plugin manifest version and hooks configuration (updating hook command paths in hooks/hooks.json and .codex-plugin/plugin.json).
  • gaelic-ghost/SpeakSwiftlyServer#88: Related changes to codex hooks tooling and expected hook review-state keys; this PR continues that line by removing PermissionRequest and narrowing expectations to Stop.

Poem

🐰 A probe too keen, a log too loud,
Now silenced sits the curious crowd.
Swift lips speak safe, their secrets veiled,
Audits set paths where gaps once sailed.
Hop on—keep watch, and guard the trail.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'release: prepare v8.0.4' clearly and concisely summarizes the main objective of the pull request—preparing version 8.0.4 for release, which is directly reflected in the numerous version bumps, dependency updates, new documentation, and removal of deprecated hooks throughout the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/maintainers/skills-surface-audit.md (1)

3-3: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the Last audited date to this audit pass.

Last audited: 2026-05-04 looks stale given this PR’s security-audit follow-through updates on 2026-05-12. Please bump the date so maintainer metadata stays accurate.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/maintainers/skills-surface-audit.md` at line 3, Update the maintainer
metadata by changing the "Last audited: 2026-05-04" entry in
docs/maintainers/skills-surface-audit.md to "Last audited: 2026-05-12" so the
file reflects this PR’s audit date; locate the literal "Last audited" line and
replace the date accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@API.md`:
- Line 229: The Supported Versions matrix in API.md lists TextForSpeech as
0.22.0 but the PR updates it to 0.22.1; update the version string for
TextForSpeech in the document (replace "TextForSpeech from 0.22.0" with
"TextForSpeech from 0.22.1") so the Supported Versions section matches the
resolved dependency in this PR and keep the rest of the version entries
unchanged.

In `@docs/maintainers/plugin-install-testing.md`:
- Around line 44-45: The sentence describing hook doctor output is duplicated
and ambiguous; update the line that currently reads "The hook doctor reports one
installed-cache dispatcher command for `Stop` and one for `Stop`." to explicitly
state there are two such commands — e.g. "The hook doctor reports two
installed-cache dispatcher commands for `Stop`." — so readers clearly understand
the expectation from the hook doctor output.

---

Outside diff comments:
In `@docs/maintainers/skills-surface-audit.md`:
- Line 3: Update the maintainer metadata by changing the "Last audited:
2026-05-04" entry in docs/maintainers/skills-surface-audit.md to "Last audited:
2026-05-12" so the file reflects this PR’s audit date; locate the literal "Last
audited" line and replace the date accordingly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 28912ab4-3882-4b9f-8446-77e4da632b49

📥 Commits

Reviewing files that changed from the base of the PR and between ac0e469 and 71811de.

📒 Files selected for processing (19)
  • .codex-plugin/plugin.json
  • .codex/hooks.json
  • AGENTS.md
  • API.md
  • Package.resolved
  • Package.swift
  • ROADMAP.md
  • docs/codex-hooks-tts.md
  • docs/maintainers/plugin-install-testing.md
  • docs/maintainers/skills-surface-audit.md
  • docs/maintainers/source-layout.md
  • docs/releases/v8.0.4-release-notes.md
  • docs/security-audits/2026-05-12-repo-wide-audit.md
  • docs/security-audits/README.md
  • hooks/hooks.json
  • hooks/permission-request-log.mjs
  • scripts/codex-hooks-doctor.mjs
  • scripts/codex-hooks-doctor.test.mjs
  • skills/speak-swiftly-codex-hooks/SKILL.md
💤 Files with no reviewable changes (3)
  • .codex/hooks.json
  • hooks/permission-request-log.mjs
  • scripts/codex-hooks-doctor.mjs

Comment thread API.md Outdated
Comment thread docs/maintainers/plugin-install-testing.md Outdated
@gaelic-ghost gaelic-ghost merged commit 2b52892 into main May 12, 2026
2 checks passed
@gaelic-ghost gaelic-ghost deleted the security/repo-wide-audit branch May 12, 2026 02:53