chore(deps): bump claude-agent-sdk to 0.2.121, codex-sdk to 0.125.0

[Wirasm]

Summary

• Problem: Both vendor SDKs were ~30 patch releases behind (@anthropic-ai/claude-agent-sdk ^0.2.89 vs 0.2.121; @openai/codex-sdk ^0.116.0 vs 0.125.0). Behind-ness was surfaced while diagnosing a workflow-routing bug where Codex rejected a Claude model alias with a non-fatal warning.
• Why it matters: Newer model aliases / IDs (e.g. claude-opus-4-7[1m], current GPT-5.x variants) are validated server-side by the SDKs. Staying on old pins doesn't break anything per se, but it widens the gap before the next bump and slows iteration on follow-up provider work.
• What changed: Three pin bumps in package.json + packages/providers/package.json, plus the regenerated bun.lock.
• What did NOT change: Zero source code changes. No API surface used by Archon shifted. The Claude SDK's options.env overlay/replace flap (introduced in 0.2.113, reverted in 0.2.111-line — confirmed against the SDK CHANGELOG) is a no-op for Archon because buildSubprocessEnv() already passes { ...process.env }.

UX Journey

No user-facing behavior change. Workflow execution, platform adapters, and CLI surfaces are identical before and after.

Architecture Diagram

No architectural change — pure dependency version bump. Same modules, same edges, same exports.

Connection inventory:

From	To	Status	Notes
@archon/providers (claude)	@anthropic-ai/claude-agent-sdk	unchanged	version pin moved
@archon/providers (codex)	@openai/codex-sdk	unchanged	version pin moved
root workspace	@anthropic-ai/claude-agent-sdk	unchanged	version pin moved

Label Snapshot

• Risk: risk: low
• Size: size: XS
• Scope: dependencies
• Module: providers:claude, providers:codex

Change Metadata

• Change type: chore
• Primary scope: multi (root + @archon/providers)

Linked Issue

• Closes #
• Related #
• Depends on # (if stacked)
• Supersedes # (if replacing older PR)

Validation Evidence (required)

bun run validate
# EXIT=0

All five gates pass on the bumped SDKs:

• check:bundled ✓
• type-check (10 packages) ✓
• lint --max-warnings 0 ✓
• format:check ✓
• tests (every package, every file 0 fail) ✓

Security Impact (required)

• New permissions/capabilities? No
• New external network calls? No
• Secrets/tokens handling changed? No
• File system access scope changed? No

Patch-level upstream releases only — no new transitive dependencies of note. Vendor SDKs continue to talk to the same Anthropic / OpenAI endpoints with the same auth flow.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Database migration needed? No

Existing workflow YAMLs, .archon/config.yaml files, and stored sessions continue to work unchanged.

Human Verification (required)

• Verified scenarios: bun install resolves cleanly to 0.2.121 / 0.125.0 in the lockfile; full bun run validate returns EXIT=0; the SDK API surface used by packages/providers/src/claude/provider.ts and packages/providers/src/codex/provider.ts (query, Options, message events) type-checks against the new .d.ts.
• Edge cases checked: Reviewed Claude SDK CHANGELOG for breaking changes between 0.2.89 and 0.2.121 — only options.env overlay/replace flap, which is a no-op for Archon's { ...process.env } usage. Codex SDK release notes 0.116 → 0.125 show no documented JS API changes.
• What was not verified: Did not run a live workflow against either provider end-to-end (would require real API credits and a real Claude / Codex CLI on the harness). Type-check + tests provide enough coverage that a regression here would have surfaced.

Side Effects / Blast Radius (required)

• Affected subsystems/workflows: Anything that runs a Claude or Codex node in a workflow, plus direct chat through either provider.
• Potential unintended effects: A latent SDK regression we couldn't reproduce in unit tests could surface only at request time. Low likelihood given the patch-level cadence and the existing test coverage of the wrapper code.
• Guardrails/monitoring for early detection: Existing dag.node_sdk_error_result log event catches result-level errors; provider-level Pino logs (stream_error, turn_failed) catch streaming issues.

Rollback Plan (required)

• Fast rollback command/path: git revert <merge-sha> and re-run bun install. No DB or filesystem state is touched.
• Feature flags or config toggles: None — pure dependency pin.
• Observable failure symptoms: A user-visible regression would show up as either workflow nodes failing on query() calls or as a TypeScript build break on bun run type-check. Both are caught immediately in CI.

Risks and Mitigations

• Risk: Undocumented SDK regression in the 32 patch / 9 minor releases we skip past.
  • Mitigation: Full validation suite passes, including the provider-level test files (packages/providers/src/claude/provider.test.ts, packages/providers/src/codex/provider.test.ts). Rollback is a one-line revert if a real-world issue surfaces.

Summary by CodeRabbit

• Chores
  • Updated project dependencies to the latest compatible versions.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6265dd3a-69b3-490a-a2d5-667f8581727f

📥 Commits

Reviewing files that changed from the base of the PR and between 2220ffe and d141bb1.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• package.json
• packages/providers/package.json

---

📝 Walkthrough

Walkthrough

Dependency versions are updated across two package.json files. The root package.json upgrades @anthropic-ai/claude-agent-sdk to version 0.2.121, while packages/providers/package.json upgrades both @anthropic-ai/claude-agent-sdk to 0.2.121 and @openai/codex-sdk to 0.125.0.

Changes

Cohort / File(s)	Summary
Dependency Updates package.json, packages/providers/package.json	Bumped @anthropic-ai/claude-agent-sdk to ^0.2.121 in both files and upgraded @openai/codex-sdk to ^0.125.0 in providers package.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 Hopping through versions with glee,
Dependencies dance wild and free,
From point two to one-two-one,
The SDK upgrades are done!
Carrots and code, a perfect blend,
On which we can always depend! 🥕✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping two SDK dependency versions. It directly matches the changeset which updates @anthropic-ai/claude-agent-sdk and @openai/codex-sdk in package files.
Description check	✅ Passed	The description comprehensively covers all major template sections including summary, architecture, validation evidence, security impact, compatibility, human verification, side effects, and rollback plan with appropriate detail for a dependency bump.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/bump-sdks

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}