Skip to main content
Codex CLI

Codex CLI

Complete Changelog

OpenAI's command-line coding assistant

Complete changelog with every version since the first release.

Latest Version:v0.144.1
Total Releases:120
Source:GitHub Releases

Releases (120)

v0.144.1New

0.144.1

July 9, 2026

  • Fixed standalone installs failing when GitHub returns compact or reordered release metadata. (#31913)
  • Ensured macOS package installs expose the code-mode host alongside the codex executable. (#31913)
  • Kept code mode working when the companion host binary is unavailable by falling back to the embedded runtime. (#31913)
v0.144.0New

0.144.0

July 9, 2026

  • Usage-limit reset credits now show their type and expiration, and let you choose which credit to redeem. (#30488)
  • Added a writes app-approval mode that allows declared read-only actions while prompting for writes. (#30482)
  • MCP tools can now request authentication interactively without an experimental opt-in. (#28772)
  • App-server hosts can provide Codex authentication at runtime and redirect successful logins to a hosted page. (#28745, #31274)
  • Global pnunen installs are now detected so diagnostics and updates use the correct package manager. (#31503)
  • Selecting Ultra reasoning now warns when high multi-agent concurrency could increase usage quickly. (#31621)
  • Resumed ChatGPT threads recover when compaction references a retired model by retrying with the currently selected model. (#30319)
  • Fixed Code Mode crashes in Intel macOS release binaries. (#30953)
  • Windows sandbox sessions can delete files in writable roots and access the managed primary runtime. (#31138, #31574)
  • Pasted terminal control sequences can no longer corrupt TUI rendering or resumed conversation history. (#31494)
  • Long-running app sessions now refresh expired authentication for the hosted codex_apps connector. (#31486)
  • Responses WebSockets continue using the low-latency transport while respecting system proxies and custom certificate authorities. (#31441, #31622)
  • Device-code login warnings now explain how to recognize and stop phishing attempts. (#31648)
  • Reduced plugin skill-loading time on remote executors by resolving namespaces once per root. (#31348)
  • Made the /review branch picker faster and more reliable in large repositories. (#31464)
v0.143.0New

0.143.0

July 8, 2026

  • Remote plugins are now enabled by default, with richer catalog rows, npm marketplace sources, and visible remote/local versions. (#30297, #26705, #29375, #30981)
  • Codex can route authentication and Responses API traffic through macOS and Windows system proxies, including PAC and WPAD configurations. (#26708, #26709, #31335)
  • Added codex remote-control pair for generating manual pairing codes from a running daemon. (#29913)
  • Added Amazon Bedrock GPT-5.6 Sol, Terra, and Luna models, with first-class support for max reasoning effort. (#30285, #30467)
  • MCP tools now use tool search by default, and ChatGPT-hosted MCP servers can explicitly use session authentication. (#29486, #29733)
  • App-server clients can inspect environments, list descendant threads, and fork history through a specific turn. (#30291, #29591, #30277)
  • Fixed Windows ConPTY input handling for line endings and backspace, plus sandbox credential retry edge cases. (#29734, #29624, #29637)
  • Fixed stale TUI safety prompts and cancelled reviews that could leave MCP startup appearing busy. (#30490, #31189)
  • Improved recovery when exec servers are temporarily offline and prevented remote-control token refresh retry storms. (#30098, #30201)
  • Preserved trailing realtime transcript text and terminal rollout events during shutdown. (#29918, #30144)
  • Improved incremental WebSocket request success by ignoring response metadata during comparisons. (#30770)
  • Reduced installer failures from GitHub API rate limits by reusing release metadata. (#31056)
  • Documented UUID7 thread and turn IDs, plus recommended remote-executor integration-test workflows. (#27714, #29790)
  • Updated OpenSSL, Hono, fast-uri, quick-xml, and crossbeam-epoch to address security advisories. (#29487, #29650, #30941, #31308)
v0.142.5

0.142.5

July 1, 2026

  • Prevented full Responses WebSocket request payloads from being written to trace logs. (#30771)
v0.142.4

0.142.4

June 29, 2026

  • No user-facing changes were identified for this release.
v0.142.3

0.142.3

June 26, 2026

  • Maintenance-only patch release with no user-facing changes since 0.142.2.
v0.142.2

0.142.2

June 25, 2026

  • MCP tools now use tool search by default when supported, improving tool discovery while preserving compatibility with older models and providers. (#29486)
  • macOS authentication clients can honor system proxy, PAC, and WPAD settings when respect_system_proxy is enabled. (#26709)
  • Plugins can provide dedicated dark-mode logos through local manifests and remote catalogs. (#29488)
  • Apps can display richer safety-buffering UI using server-provided visibility and faster-model metadata. (#29473)
  • Remote plugin catalogs now return curated featured-plugin rankings. (#29485)
  • Expired Amazon Bedrock credentials now produce actionable recovery guidance instead of a generic authorization error. (#28992)
  • Remote stdio MCP servers now accept absolute working directories written in the remote platform’s path format. (#29493)
  • Remote HTTP(S) image inputs now return clear model-visible validation errors; inline data URLs and local images remain supported. (#29417, #29419)
  • PowerShell commands containing executable AST regions the safety classifier cannot inspect now require approval. (#24092)
  • Code Mode now warns when the selected model lacks the required metadata. (#29490)
  • Updated bundled OpenSSL and esbuild dependencies to patched releases. (#29487, #29489)
  • Successful formatter runs are now quiet while failures still show diagnostics. (#29467)
v0.142.1

0.142.1

June 25, 2026

  • Added opt-in Windows system proxy support for authentication, including PAC, WPAD, static proxies, and bypass rules. (#26708)
v0.142.0

0.142.0

June 22, 2026

  • /usage can now show and redeem earned usage-limit reset credits, with confirmation, retry, and refreshed availability states. (#28154, #28793)
  • /plugins now organizes remote plugins into OpenAI Curated, Workspace, and Shared with me sections, while eligible turns can recommend and install relevant plugins. (#26703, #28399, #28400, #27704, #28403)
  • Configurable rollout token budgets track usage across agent threads, provide remaining-budget reminders, and abort turns when exhausted. (#28746, #28494, #28707, #29423)
  • App-server clients can configure multi-agent delegation as disabled, explicit-request-only, or proactive at the thread and turn level. (#28685, #28792, #29324)
  • Added an indexed web-search mode that permits live searches while restricting direct page access to server-approved URLs. (#28489)
  • Codex can now receive scheduled UTC time reminders and query the current time directly, including through client-provided app-server clocks. (#28822, #28824, #28835, #29011)
  • Restored reliable Linux TUI rendering after suspending with Ctrl+Z and resuming with fg. (#28342)
  • Exec-server processes and stdio MCP sessions now survive transient disconnects, including signed-URL refresh and retry-safe stdin writes. (#28512, #28374, #28546, #28895)
  • Remote environments now preserve executor-native paths, shells, AGENTS.md discovery, and sandbox behavior across operating systems. (#28146, #28152, #28958, #28983, #29099, #29108, #29113, #29424)
  • Plugin loading and installation now handle root marketplace layouts, manifest fallbacks, multiple skill paths, actionable download errors, and immediate tool refreshes. (#28771, #28789, #28790, #28863, #28951)
  • Parent agents now receive terminal subagent errors instead of seeing failed work as an empty successful completion. (#28375)
  • Goal-first threads are once again persisted and returned by thread/list and thread/search. (#28808)
  • Reduced startup and session latency by deferring unnecessary DNS work, warming the model cache, reusing parsed plugin skills, parallelizing skill metadata reads, and skipping redundant catalog synchronization. (#28542, #28699, #28844, #29326, #29005)
  • Reduced persistent-log churn by removing per-event WebSocket payload logging and filtering duplicated telemetry records. (#29432, #29457)
v0.141.0

0.141.0

June 18, 2026

  • Remote executors now use authenticated, end-to-end encrypted Noise relay channels. (#26242, #26245)
  • Cross-platform remote execution now preserves executor-native working directories and shells, including filesystem permission paths across app-server and exec-server boundaries. (#27819, #27995, #28032, #28122, #28165, #28367)
  • Selected executor plugins can activate their stdio MCP servers per thread; plugin discovery also adds a created-by-me marketplace and auth-specific curated catalogs. (#27870, #27884, #27893, #28203, #28383)
  • App-server clients can list immediate child threads, correlate external-agent imports with detailed results, and read or redeem rate-limit reset credits. (#26662, #28008, #28143)
  • Realtime clients can explicitly append speech, control how Codex responses enter conversations, and omit startup context. (#27917, #28405)
  • TUI input prompts can auto-resolve after inactivity, with a countdown that pauses on interaction. (#28235)
  • Hook trust bypass now persists through codex exec thread start and resume, while blocking PostToolUse hooks correctly reject code-mode tool calls. (#26434, #28365)
  • Plugin capabilities now route consistently by authentication mode, deduplicate conflicting App/MCP declarations, and preserve remote marketplace ordering. (#27461, #27602, #27607, #27902, #27958, #28395)
  • Windows sandbox execution repairs stale credentials automatically and gives PowerShell commands more time before backgrounding. (#27086, #27944)
  • Idle exec-server relays remain connected, and steered user input immediately interrupts wait_agent. (#28286, #28341)
  • Bundled SQLite is pinned to a version containing the WAL-reset corruption fix. (#27992)
  • TLS connections now support P-521 certificate signatures commonly used by enterprise proxies. (#27706)
  • Reduced latency and memory use in large, tool-heavy sessions by caching tool search and eliminating repeated request and history copies. (#27258, #27813, #28306, #28309, #28313, #28323, #28327)
  • Bounded prompt-image caching to 64 MiB and feedback uploads to eight related threads. (#28294, #28332)
  • Terminal resize reflow is now always enabled, ignoring obsolete disabled settings. (#27794)
v0.140.0

0.140.0

June 15, 2026

  • Added /usage views for daily, weekly, and cumulative account token activity. (#27925)
  • /goal now preserves oversized text, large pasted blocks, and image attachments, including in remote app-server sessions. (#27508, #27509, #27510)
  • Added permanent session deletion through codex delete, /delete, and app-server thread/delete, with confirmation safeguards and subagent cleanup. (#25018, #27476)
  • Added /import for selectively importing setup, project configuration, and recent chats from Claude Code. (#27070, #27071, #27703)
  • Typing @ now opens the unified mentions menu for files, plugins, and skills by default. (#27499)
  • Added managed Amazon Bedrock API-key authentication and encrypted local storage for CLI and MCP OAuth credentials. (#27443, #27689, #27504, #27535, #27539, #27541)
  • Corrupted SQLite state databases are now backed up and rebuilt automatically from rollout data, including malformed database-directory cases. (#26859, #27719)
  • Prevented /review from crashing when Esc is pressed with queued guidance, while preserving that guidance when the review is canceled. (#22879)
  • Improved MCP reliability by retrying transient startup failures, reporting unusable OAuth credentials as logged out, and preserving explicitly disabled servers. (#25147, #26713, #27414)
  • Fixed remote plugin uninstall requests and correctly surfaced apps requiring authentication during installation. (#27085, #27223)
  • Persisted “Don’t remind me” update dismissals reliably and cleared stale running-hook indicators after completed turns. (#27619, #27783)
  • Non-TTY background commands can now be interrupted with Ctrl-C while preserving their final output and exit status. (#26734)
  • Clarified contributor guidance around keeping crate APIs narrow and supporting Linux, macOS, and Windows. (#27939, #27966)
  • Improved responsiveness for large repositories and long sessions by preserving Git’s built-in filesystem monitor, avoiding duplicate history reads, accelerating archive lookup, and caching turn-diff rendering. (#26880, #27031, #27276, #27489)
  • Removed the experimental /realtime voice controls and related audio dependencies from the TUI. (#27801)
v0.139.0

0.139.0

June 9, 2026

  • Code mode can now call standalone web search directly, including from nested JavaScript tool calls, and receive plaintext search results. (#26719)
  • Tool and connector input schemas now preserve oneOf and allOf, and large schemas keep more shallow structure when compacted, improving compatibility with richer MCP tools. (#24118, #27084)
  • codex doctor now includes editor and pager environment details in the local report while redacting raw values in JSON output. (#27081)
  • Plugin marketplace automation is more informative and responsive: codex plugin marketplace list --json now includes each marketplace source, and plugin lists can return from the cached remote catalog before refreshing in the background. (#27009, #26932)
  • codex resume --last "..." and codex fork --last "..." now treat the trailing argument as the initial prompt instead of misreading it as a session ID. (#26818)
  • MCP startup warnings from subagents now stay in the thread that owns them, avoiding duplicate parent-thread alerts and stuck startup spinners in the TUI. (#26639)
  • Image edits now use the exact referenced image file paths instead of guessing from conversation history, so attached-image edits land on the intended input. (#26486)
  • Bare URLs with ~ in the path are now linkified end to end in the TUI instead of being truncated before the tilde. (#27088)
  • Thread resets such as /new, /clear, and /fork no longer drop cloud-managed requirements or feature flags during TUI config reloads. (#25177)
  • Sandbox execution now preserves approved escalation decisions and enforces configured proxy-only networking more consistently. (#24981, #27035)
  • Release builds once again publish separate symbol archives with line tables, improving post-release crash symbolication without bringing back the earlier full-debug build slowdown. (#26202)
  • The embedded V8 toolchain was updated to rusty_v8 149.2.0. (#26464)
v0.138.0

0.138.0

June 8, 2026

  • The /app command can now hand off the current CLI thread into Codex Desktop on macOS and native Windows, and Windows workspace launches can open directly into Desktop instead of stopping at a manual prompt. (#25638, #26500)
  • Local image attachments and standalone image generations now expose their saved file paths to the model, which makes follow-up edits and file references more reliable. (#25944, #25947)
  • Reasoning effort selection is more flexible: the TUI adds fallback shortcuts for terminals that miss Alt bindings, and model-defined effort levels now flow through in the order advertised by the model. (#25623, #26444, #26446)
  • App-server integrations can now read account token usage, and Codex auth supports v2 personal access tokens in CLI and app-server flows. (#25344, #25731)
  • Plugin automation got richer structured output: add/remove and marketplace commands support --json, plugin list JSON includes marketplace source, and plugin detail data now exposes default prompts, remote MCP servers, and unavailable app templates. (#26631, #26417, #25887, #26453, #26317)
  • Goal workflows are more predictable: multiline paste in /goal edit no longer submits early, idle auto-turns stay out of Plan mode, and goals stop auto-continuing after terminal turn failures. (#26047, #26147, #26690)
  • Forked threads now keep user-renamed titles instead of falling back to the original first-prompt name. (#26075)
  • The TUI no longer adds extra blank space while streaming, and cancelled prompts reopen with the cursor at the end so you can keep editing naturally. (#26636, #26457)
  • TUI config write failures now show the underlying cause, making validation problems and read-only filesystem issues much easier to diagnose. (#26537)
  • Startup is more resilient across environments, with support for /usr/bin/bash, shorter Linux proxy socket paths, and pre-refresh of expired OAuth-backed MCP credentials. (#26538, #26553, #26482)
  • Workspace instruction loading is more accurate for remote and symlinked workspaces, so the right AGENTS.md files are picked up consistently. (#26205, #26465)
  • The CLI README was refreshed to remove stale guidance and better match the current documentation flow. (#26313)
  • TUI startup does less repeated plugin work by reusing discovery results and loading only hook metadata on the critical path. (#26469, #26272)
  • resume --last now finds the newest matching session through the state DB first, which speeds up restore on large local histories. (#26462)
  • Large MCP/Ollama streams and long message histories process much faster thanks to optimized byte scanning. (#26265)
v0.137.0

0.137.0

June 4, 2026

  • TUI controls now support F13-F24 keybindings, paste in searchable menus, and a compact reasoning-only status/title item (#25329, #25400, #25504).
  • Enterprise/admin flows now show monthly credit limits and can apply cloud-managed config bundles, including EDU workspaces (#24812, #24617, #24619, #24620, #24622, #25963).
  • Remote-control clients can start pairing and list or revoke controller grants through app-server v2 RPCs (#25675, #25785).
  • Plugin workflows gained machine-readable codex plugin list --json output and cached remote catalog suggestions (#25330, #25457).
  • Hosted web and image tools are available in more code-mode flows, with standalone web searches able to run in parallel (#25176, #25702, #25890, #25923).
  • Multi-agent v2 keeps runtime choice with each thread and exposes cleaner follow-up and metadata defaults for spawned agents (#25266, #25636, #25720, #25721, #25722, #25841, #26114).
  • Cancelling a submitted prompt before visible output now restores the draft, attachments, and collaboration mode for editing (#25316).
  • Slash-command filtering and footer shortcut hints now reset or render according to the current UI state (#25492, #25625).
  • Platform reliability improved for macOS app launches and Windows SQLite startup, thread resume, and sandbox setup refreshes (#25485, #25490, #25509, #25949).
  • Plugin loading preserves app manifest order, deduplicates local/remote curated installs, and treats malformed skills fields as warnings (#25491, #25681, #25717, #25782).
  • Permission requests and approvals now carry environment identity, and managed MITM proxying exports readable CA bundles to child commands (#25850, #25858, #25862, #22668).
  • Local session history is safer for compressed rollouts, renamed titles, pathless side-chat reloads, and stack-heavy startup/config rebuilds (#25087, #25624, #25661, #25814, #25844, #25847).
  • Added app-server docs and generated schema updates for monthly credit limits, remote-control RPCs, and environment-scoped permission approvals (#24812, #25675, #25785, #25862).
  • Moved repo review rules and contributor conventions into AGENTS.md, including Rust test-module layout and Python 3 compatibility guidance (#25682, #25690, #25738).
  • Root formatting and Justfile workflows are more complete and Windows-aware (#24983, #25165, #25683).
v0.136.0

0.136.0

June 1, 2026

  • TUI markdown now keeps web links clickable with OSC 8 metadata, and cramped tables switch to readable key/value records without losing link targets. (#24472, #24636, #24825)
  • Sessions can now be archived from the TUI with /archive or from the CLI with codex archive / codex unarchive; archived sessions are protected from resume/fork until restored. (#25027, #25021)
  • App-server integrations can resume a thread with its initial turns page, see richer MCP server status, and launch stdio mode with codex app-server --stdio. (#23534, #24698, #24940)
  • Remote execution setup now supports CODEX_API_KEY registration for approved OpenAI hosts, while remote-control websockets use short-lived server tokens instead of ChatGPT access tokens. (#24666, #24141)
  • Windows admins get an alpha codex sandbox setup --elevated provisioning path, plus requirements support for allowed Windows sandbox implementations. (#24831, #23766)
  • A feature-gated standalone image generation extension can run through the native Codex image artifact completion pipeline. (#24723, #24972)
  • ChatGPT auth refreshes tokens before the five-minute expiry window and shows a relogin-required path for reused refresh tokens instead of collapsing into a generic cloud error. (#23546, #24830)
  • Command-safety hardening prevents /diff from running repository-provided Git helpers/hooks, avoids PowerShell parser execution on non-Windows hosts, and rejects browser-origin exec-server websocket handshakes. (#24954, #24946, #24947)
  • Sandboxed commands clean up more reliably after interruptions or denied Windows network attempts, and deny read rules stay enforced for safe-command and approval-bypass paths. (#22729, #19880, #23943)
  • Resumed TUI sessions seed prompt history from the session transcript, multiline hook output renders as separate rows, and Vim normal-mode editing behaves correctly. (#24298, #24965, #25022)
  • App-server filesystem watchers debounce later batches correctly, and standalone web search calls now show and restore completed search activity. (#24716, #24693)
  • Bedrock auth now falls back to AWS_REGION / AWS_DEFAULT_REGION, and unsupported Bedrock GPT service tiers are no longer advertised or sent. (#25171, #25318)
  • Python SDK beta docs and package metadata now present the standard pip install openai-codex path, refreshed quickstarts, API reference, FAQ, and examples. (#24836, #24866, #24868, #24870)
  • Python SDK examples and docs now use the public CodexConfig name for configuring Codex / AsyncCodex. (#24800)
  • The bundled OpenAI Docs skill was updated with current Codex manual routing and a cached manual fetch helper. (#24914)
v0.135.0

0.135.0

May 28, 2026

## New Features - codex doctor now reports richer environment, Git, terminal, app-server, and thread inventory diagnostics for support cases. (#24261, #24311, #24305) - /status shows remote connection details and server version when the TUI is connected over a remote transport. (#24420) - Vim mode gained text-object editing, improved word/line-end behavior, and a configurable interrupt-turn binding. (#24382, #24380, #24766) - /permissions now understands named permission profiles and displays configured custom profiles. (#21559) - Packaged Codex builds can discover and use the bundled patched zsh helper across supported macOS and Linux targets. (#23756, #24171) - The Python SDK now exposes friendly Sandbox presets for thread and turn APIs. (#24772) - install.sh/install.ps1 supports a non-interactive installation mode when CODEX_NON_INTERACTIVE=1 is set. (#21567) ## Bug Fixes - Markdown tables and multiline lists render more readably in the TUI, with better column sizing and app-style table formatting. (#24489, #24346, #24351) - TUI output is more stable on macOS and Zellij, avoiding stderr/composer corruption and raw-output overlap. (#24459, #24479, #24593) - Slash-command completion now preserves existing draft text for commands that accept inline arguments. (#23950) - Older tmux/iTerm control-mode sessions no longer lose normal Ctrl-C handling from unsupported keyboard enhancement setup. (#24371) - App mentions now exclude inaccessible or disabled apps instead of offering unusable $ suggestions. (#24625) - Resume flows now include non-interactive exec sessions when requested and honor cwd overrides for idle cached threads. (#24503, #24528) ## Documentation - Clarified image-viewing tool detail behavior and removed stale TUI composer documentation references. (#23949, #24641) - Updated Python SDK docs, examples, and notebook content to use the new sandbox preset API. (#24772) ## Chores - Updated Rust toolchain pins and SQLx/SQLite dependencies. (#24684, #24728) - Moved memory runtime state into a dedicated SQLite database. (#24591) - Removed remaining legacy config-profile consumers and routed more TUI config/plugin state through app-server-owned APIs. (#24076, #24254, #24255, #24265, #24266, #24257) - Centralized Responses retry handling and MCP tool naming logic to reduce duplicated internal plumbing. (#24131, #21576) ## Changelog Full Changelog: https://github.com/openai/codex/compare/rust-v0.134.0...rust-v0.135.0 - #24164 fix(remote-control): cap reconnect backoff @apanasenko-oai - #23756 package: include zsh fork in Codex package @bolinfest - #23757 Default function tools into tool hooks @abhinav-oai - #24171 package: add x64 macOS codex-zsh artifact @bolinfest - #24159 code-mode: merge stored values by key @cconger - #23983 fix: plugin bundle archive handling for upload and install @xl-openai - #24261 feat(doctor): add environment diagnostics @fcoury-oai - #24311 Report app-server version in codex doctor @etraut-openai - #24314 tui: label compact rate-limit percentages @etraut-openai - #24420 Show remote connection details in /status @etraut-openai - #24317 Respect hook trust bypass during TUI startup @etraut-openai - #24254 TUI config cleanup: oss_provider @etraut-openai - #24255 TUI config cleanup: trusted projects @etraut-openai - #24265 TUI config cleanup: MCP inventory @etraut-openai - #24305 Add doctor thread inventory audit @etraut-openai - #24346 fix(tui): improve markdown table column allocation @fcoury-oai - #24351 fix(tui): improve multiline markdown list readability @fcoury-oai - #24459 fix(tui): prevent macos stderr from corrupting composer @fcoury-oai - #24479 fix(process-hardening): preserve macos malloc diagnostics @fcoury-oai - #24474 Log rollout writer OS errors @etraut-openai - #24076 chore: stop consuming legacy config profiles @jif-oai - #24131 centralize Responses retry policy @rhan-oai - #23858 [wip] goal shift @jif-oai - #24555 chore: drop orphaned codex memories MCP crate @jif-oai - #24558 chore: move memory prompt builder into extension @jif-oai - #24562 Add ad-hoc memory note tool @jif-oai - #24567 Wire metrics client into memories extension @jif-oai - #24588 fix: drop flake @jif-oai - #24583 Add memory tool call metrics to memories extension @jif-oai - #24586 Wire app-server extension event sink @jif-oai - #24532 Use thread config for TUI MCP inventory @etraut-openai - #24105 [codex] Make active turn task singular @pakrym-oai - #21576 Move MCP tool naming mode into manager @pakrym-oai - #24503 tui: include exec sessions in resume list @etraut-openai - #24600 feat: gate dedicated memories tools in config @jif-oai - #21559 tui: add named permission profile picker @viyatb-oai - #24608 feat: add manual and remote_v2 tags to compaction metric @jif-oai - #24611 test: clean up apply_patch allow-session artifact @jif-oai - #24609 Remove reserved namespaces dedup @pakrym-oai - #23964 Move slash input logic out of chat composer @canvrno-oai - #24615 Add goal extension telemetry parity @jif-oai - #24371 fix(tui): avoid modifyOtherKeys for unknown tmux formats @fcoury-oai - #24626 fix: restore goal accounting after thread resume @jif-oai - #24591 Move memory state to a dedicated SQLite DB @jif-oai - #23823 standalone websearch extension @sayan-oai - #24593 fix(tui): keep raw output above composer in zellij @fcoury-oai - #24625 tui: keep inaccessible apps out of mentions @canvrno-oai - #24154 Add experimental turn additional context @pakrym-oai - #24473 fix(remote-control): surface websocket task stalls @apanasenko-oai - #24528 Respect resume cwd overrides for idle cached threads @etraut-openai - #24160 Add forked_from_thread_id turn metadata @owenlin0 - #24646 make direct only allowed caller for standalone websearch @sayan-oai - #23949 Clarify view_image tool description @fjord-oai - #24266 TUI config cleanup: plugin mentions @etraut-openai - #24320 Avoid repeated marketplace upgrades for alternate layouts @etraut-openai - #23813 windows-sandbox: remove SandboxPolicy runner plumbing @bolinfest - #24652 [codex] remove plain image wrapper spans @pakrym-oai - #24623 Attach Windows sandbox log to feedback reports @iceweasel-oai - #24644 Restore legacy image detail values @rhan-oai - #24655 [codex-analytics] add grouped session id to runtime events @marksteinbrick-oai - #24658 [codex] Remove obsolete goal continuation turn marker @pakrym-oai - #24660 fix: dont compact standalone websearch schema @sayan-oai - #24667 fix(core): instrument stalled tool-listing handoff @apanasenko-oai - #24684 Uprev Rust toolchain pins to 1.95.0 @anp-oai - #21567 fix: add noninteractive install script mode @efrazer-oai - #24707 Allow runtime enablement for remote plugins @xl-openai - #24714 fix(auto-review) skip legacy notify for auto review threads @dylan-hurd-oai - #24690 Revert "Add Bedrock Mantle GovCloud region (#23860)" @celia-oai - #24628 feat: handle goal usage limits in goal extension @jif-oai - #24746 Fix guardian review test user input @jif-oai - #24744 feat: add thread idle lifecycle hook @jif-oai - #24751 Drop startup context when truncating forked rollouts @jif-oai - #24257 TUI config cleanup: plugin marketplace @etraut-openai - #24380 fix(tui): complete vim word-end and line-end behavior @fcoury-oai - #24728 Bump SQLx to pick up newer bundled SQLite @jif-oai - #24637 fix: run standalone updates noninteractively @efrazer-oai - #24778 make vercel webhook url an env secret @sayan-oai - #23950 fix: Preserve draft text when completing argument-taking slash commands @canvrno-oai - #24641 [codex] Remove stale composer narrative doc references @canvrno-oai - #24368 [codex] add compaction metadata to turn headers @ningyi-oai - #24772 [codex] Add friendly Python SDK sandbox presets @aibrahim-oai - #24382 feat(tui): add vim text object bindings @fcoury-oai - #24766 feat(tui): make turn interruption keybind configurable @fcoury-oai - #24489 feat(tui): render markdown tables in app style [1 of 2] @fcoury-oai - #24713 chore: enable namespace tools for Bedrock @celia-oai

v0.134.0

0.134.0

May 26, 2026

  • Added search across local conversation history, including case-insensitive content matches with result previews. (#23519, #23921)
  • Made --profile the primary profile selector across CLI, TUI permissions, and sandbox flows, with legacy profile configs rejected through migration guidance. (#23708, #23883, #23890, #24051, #24055, #24059, #24067, #24110)
  • Improved MCP setup with per-server environment targeting and OAuth options for streamable HTTP servers. (#23583, #24120)
  • Made connector tool schemas more reliable by preserving local $ref/$defs structures and compacting oversized schemas before exposure. (#23357, #23904)
  • Let read-only MCP tools run concurrently when they advertise readOnlyHint. (#23750)
  • Added richer extension and hook context, including conversation history for extension tools and subagent identity in hook inputs. (#22882, #23963)
  • Improved remote reliability by reconnecting stale exec-server websocket clients, retrying remote control immediately after auth recovery, and retrying remote compaction v2 streams. (#23867, #23775, #23951)
  • Fixed Windows TUI rendering corruption by restoring virtual terminal mode before drawing. (#24082)
  • Displayed workspace-specific usage-limit messages for credit and spend-cap failures. (#24114)
  • Allowed plugin skills to reuse shared plugin-level icon assets. (#23776)
  • Preserved active permission profile metadata when syncing auto-review runtime settings. (#23956)
  • Ensured Node-based tools honor Codex’s managed network proxy environment. (#23905)
  • Documented the curl and PowerShell installer paths in the README. (#24106)
  • Updated developer docs to prefer just test over direct cargo test for repo-local test runs. (#23910)
  • Added profile migration documentation links to relevant config errors. (#23879)
v0.133.0

0.133.0

May 21, 2026

  • Goals are now enabled by default, backed by dedicated storage, and track progress across active turns. (#23300, #23685, #23696, #23732)
  • codex remote-control now runs like a foreground command, waits for readiness, reports machine status, and keeps explicit daemon-style start/stop commands. (#22878)
  • Permission profiles gained list APIs, inheritance, managed requirements.toml support, runtime refresh behavior, and stronger Windows sandbox integration. (#22928, #23412, #22270, #23433, #22931, #23715)
  • Plugin discovery is easier to inspect, with marketplace-aware list output, installed versions, visible marketplace roots, and remote collection support. (#23372, #23584, #23727, #23730)
  • Extensions can observe more lifecycle events, including subagent start/stop, tool execution, turn metadata, and async approval/turn processing. (#22782, #22873, #23309, #23688, #23690, #23692)
  • Fixed TUI startup choosing the wrong working directory when reusing a local app-server socket. (#23538)
  • Fixed plan-mode free-form answers so modified Enter keys, like Shift+Enter, no longer submit unexpectedly. (#23536)
  • Removed stale background terminal poll events after a process exits. (#23231)
  • Preserved raw code-mode exec output unless an explicit output token limit is requested. (#23564)
  • Made AGENTS instruction loading more reliable, including local global reads and warnings for invalid UTF-8 instead of silent drops. (#23343, #23232)
  • Fixed app-server startup/shutdown races, empty resume/fork paths, plugin upgrade failures, and realtime v1 websocket compatibility. (#23516, #23578, #23400, #23356, #23771)
  • Added clearer plugin-creator guidance for updating and reinstalling local personal plugins. (#23542)
  • Expanded app-server/API docs and schema coverage around managed permission profile requirements. (#23433, #23555)
  • Added a canonical Codex package archive pipeline and moved installers, npm packages, DotSlash, and SDK runtimes toward that shared layout. (#23513, #23582, #23586, #23596, #23635, #23636, #23637, #23638, #23786)
  • Fixed Linux Python runtime wheel tags so glibc-based systems can install the runtime artifacts. (#21812)
v0.132.0

0.132.0

May 20, 2026

  • The Python SDK now supports first-class authentication, including API key login, ChatGPT browser and device-code flows, account inspection, and logout APIs. (#23093)
  • Python turn APIs are easier to use for text-only workflows: you can pass a plain string as input, and handle-based runs now return a richer TurnResult with collected items, timing, and usage data. (#23151, #23162)
  • codex exec resume now accepts --output-schema, so resumed automations can keep session context while still enforcing structured JSON output. (#23123)
  • TUI startup is faster because terminal capability probes are now batched instead of waiting on several serial checks before the first interactive frame. (#23175)
  • Remote executor registration can now use standard Codex auth instead of a separate registry credential flow. (#22769)
  • App-server turns can preserve requested image fidelity, including original-resolution local images, across user inputs and image-producing tools. (#20693)
  • Goal continuations now stop when they hit usage limits or a repeated blocker instead of looping and burning more tokens, and completion responses phrase usage more naturally. (#23094, #22907)
  • The session picker is easier to trust: renamed threads now show name (thread-id) in resume hints, and pasted text works in the picker search box. (#23234, #23338)
  • Multi-session TUI flows are more reliable: in-progress MCP calls stay marked as active during replay, and elicitation replies are sent back to the thread that requested them. (#23236, #23241)
  • Remote sessions now keep websocket connections alive and show repo-relative diff paths again instead of /tmp/...-prefixed paths. (#23226, #23261)
  • Windows installs are more robust: codex doctor now detects npm-managed installs correctly, and MSVC release binaries no longer depend on separately installed VC++ runtime DLLs. (#22967, #22905)
  • TUI polish fixes include immediate shutdown feedback on exit, hiding the ChatGPT usage link for non-OpenAI providers, and keeping a cleared Fast tier from reappearing after side-thread resume. (#23323, #23127, #23121)
  • The Python SDK docs, FAQ, and examples were refreshed around the new auth flow and turn APIs, with clearer setup guidance and simpler text-only examples. (#22941, #23093, #23151, #23162)
  • Memory summaries are now versioned and rebuilt when the stored format is stale, which should keep long-lived memory context leaner and more predictable. (#23148)
v0.131.0

0.131.0

May 18, 2026

  • The TUI now offers richer session controls and display: data-driven service-tier commands, blended token usage, permissions/approval mode, effective workspace roots, and responsive Markdown tables. (#21745, #21906, #21991, #21669, #21677, #22052, #22612)
  • @ mentions now search files, directories, plugins, and skills in one picker, backed by app-server plugin metadata. (#19068, #22375)
  • Plugin workflows gained marketplace CLI commands, version-aware sharing, share checkout, clearer shared-workspace buckets, and default-enabled plugin hooks. (#21396, #22397, #22425, #22435, #22549)
  • Remote workflows now support daemon-managed codex remote-control, runtime enable/disable APIs, status reads, and registry-backed/configured remote environments. (#20718, #22218, #22562, #22578, #22877, #20667, #21323)
  • The Python SDK moved to openai-codex / openai_codex, with pinned runtime-generated types, concurrent turn routing, approval modes, and integration coverage. (#21778, #21891, #21893, #21896, #21905, #21910, #22014)
  • Added codex doctor for support-ready diagnostics across runtime, auth, terminal, network, config, and local state. (#22336)
  • Fixed several TUI interaction and rendering issues, including URL wrapping, light-mode selection contrast, Shift+Enter in tmux, /review MCP startup status, /side Esc handling, and network approval history text. (#21760, #21950, #21943, #21624, #22710, #22229)
  • Hardened Windows sandbox behavior around deny-read rules, scoped write roots, ineffective firewall policy, and PowerShell edge cases. (#18202, #21479, #22353, #21400, #22643)
  • Preserved managed read restrictions during permission escalation and cleaned up workspace-root permission profile resolution. (#15977, #22624, #22683)
  • Made app-server and local state startup safer by preserving SQLite data, failing closed when state cannot open, adding recovery paths, and softening optional metadata sync failures. (#21831, #21847, #22580, #22734, #22899)
  • Improved Git and auth reliability by using root worktree hooks consistently, ignoring repo hook/fsmonitor config in helper commands, binding local MCP OAuth callbacks, and revoking superseded login tokens. (#21969, #22843, #22652, #20237, #21747)
  • Reduced remote and Windows cleanup friction with longer exec-server transport timeouts, quieter taskkill cleanup, and non-queued plugin reads. (#21825, #21759, #22058, #22703)
  • Clarified that general Codex product docs should not be added to this repo, while app-server API docs remain in scope. (#21772)
  • Updated plugin-creator guidance for the simplified local plugin handoff links. (#22240)
  • Documented new app-server/API contracts for remote environments and the desktop-owned config namespace. (#21323, #22584)
v0.130.0

0.130.0

May 8, 2026

  • Plugin details now show bundled hooks, and plugin sharing exposes link metadata plus discoverability controls. (#21447, #21495, #21637)
  • Added codex remote-control as a simpler entrypoint for starting a headless, remotely controllable app-server. (#21424)
  • App-server clients can page large threads with unloaded, summary, or full turn item views. (#21566)
  • Bedrock auth can now use AWS console-login credentials from aws login profiles. (#21623)
  • view_image can resolve files through the selected environment for multi-environment sessions. (#21143)
  • Live app-server threads now pick up config changes without requiring a restart. (#21187)
  • Turn diffs stay accurate across apply-patch operations, including partial failures that still mutated files. (#21180, #21518)
  • Thread summaries, renames, resume, and fork paths work better through ThreadStore, including threads without local rollout paths. (#21264, #21265, #21266)
  • Remote compaction now emits response.processed for v2 streams and avoids sending service_tier on API-key compact requests. (#21642, #21676)
  • Windows sandbox setup now grants sandbox users access to the desktop runtime binary cache. (#21564)
  • Removed stale “research preview” wording from the codex exec startup banner. (#21683)
  • Fixed issue templates so CLI reports keep the intended guidance, labels apply correctly, and feature requests link to the right contributing docs. (#21685, #21686, #21688)
  • Updated install and tooling docs to consistently use cargo install --locked. (#21592)
  • Added a faster Cargo profiling build profile and disabled empty doctest targets to speed up Rust development loops. (#21574, #21584)
  • Hardened dependency and CI hygiene with fully qualified GitHub Action pins, a Dependabot cooldown, and a cargo-shear upgrade. (#21436, #21547, #21599)
v0.129.0

0.129.0

May 7, 2026

  • The TUI now supports modal Vim editing in the composer, including /vim, default-mode config, and Vim-specific keymap contexts. (#18595)
  • TUI workflows are easier to resume and copy from with a redesigned resume/fork picker, raw scrollback mode, /ide context injection, and workspace-aware /diff. (#20065, #20819, #20294, #21001)
  • The status line can show theme-aware colors plus optional PR and branch-change summaries, and /keymap debug helps inspect terminal key events. (#19631, #20892, #20794)
  • Plugin management now supports workspace sharing, share access controls, source filtering, local share path tracking, marketplace removal/upgrades, remote bundle sync, and admin-disabled status handling. (#20278, #21124, #21419, #20560, #19843, #20478, #20268, #20298)
  • Hooks can be browsed and toggled from /hooks, can run before/after compaction, and can add PreToolUse context; Codex Apps auth and eligible MCP elicitations now surface through TUI/Guardian flows. (#19882, #19905, #20692, #19193, #19431)
  • Experimental goals are now discoverable, stay paused across resume unless the user opts back in, and show clearer validation and multi-day duration output. (#20083, #20790, #20746, #20558)
  • /copy works better in tmux, Alt+Enter and modified Delete/Backspace keys behave correctly, and Windows typing/paste latency was reduced. (#20207, #20535, #21058, #18914)
  • Large paste placeholders and Ctrl+C-stashed drafts now survive clear/editor workflows without corrupting draft history. (#21091, #21190, #21351, #21397)
  • TUI startup and accessibility were tightened by bounding terminal probes, clearing the first inline viewport render, and honoring animations = false for live rows. (#20654, #21450, #20564)
  • Linux sandbox startup is more reliable across older bwrap, slow mount probes, symlink-protected paths, and shared /tmp setups. (#20628, #20111, #21127, #21234)
  • Windows sandbox and exec policy now handle named pipes, ConPTY teardown, PowerShell-wrapped allow rules, worktree safe.directory, and unsafe Git options more reliably. (#20270, #20685, #20336, #21409, #21275)
  • Fixed custom CA login behind TLS-inspecting proxies, Bedrock runtime endpoint reporting, dangerous project config keys, heredoc redirect approval matching, and unbounded MCP/hook output growth. (#20676, #20275, #20098, #20113, #20260, #21069)
  • Updated the embedded OpenAI Docs sample skill so API-key setup guidance stays aligned with other docs variants. (#21263)
  • Documented how generated git commit attribution is gated by codex_git_commit and configured in config.toml. (#21379)
  • Removed local-only planning/spec docs and redirected config docs toward the maintained external documentation surface. (#20896)
v0.128.0

0.128.0

April 30, 2026

  • Added persisted /goal workflows with app-server APIs, model tools, runtime continuation, and TUI controls for create, pause, resume, and clear. (#18073, #18074, #18075, #18076, #18077, #20082)
  • Added codex update, configurable TUI keymaps, plan-mode nudges, action-required terminal titles, and active-turn /statusline and /title edits. (#19933, #18593, #19901, #18372, #19917)
  • Expanded permission profiles with built-in defaults, sandbox CLI profile selection, cwd controls, and active-profile metadata for clients. (#19900, #20117, #20118, #20095)
  • Improved plugin workflows with marketplace installation, remote bundle caching, remote uninstall, plugin-bundled hooks, hook enablement state, and external-agent config import. (#18704, #19914, #19456, #19705, #19840, #19949)
  • Added external agent session import, including background imports and imported-session title handling. (#19895, #20284, #20261)
  • Made MultiAgentV2 configuration more explicit with thread caps, wait-time controls, root/subagent hints, and v2-specific depth handling. (#19360, #19792, #19805, #20052, #20180)
  • Fixed several resume and interruption issues, including stale interrupt hangs, persisted provider restoration, large remote resume responses, and slow filtered resume lists. (#18392, #19287, #19920, #19591)
  • Improved TUI reliability around terminal resize reflow, markdown list spacing, slash-command popup layout, keyboard cleanup, shell-mode escape, and working status updates. (#18575, #19706, #19511, #19625, #19986, #19939)
  • Hardened managed network behavior for deferred denials, proxy bypass defaults, resolved target checks, IPv6 host matching, and git -C approval handling. (#19184, #20002, #19999, #19995, #20085)
  • Fixed Windows sandbox and PTY edge cases, including pseudoconsole startup, elevated runner process handling, core shell environment inheritance, and named-pipe validation. (#20042, #19211, #20089, #19283)
  • Fixed Bedrock model support for apply_patch, GPT-5.4 reasoning levels, and updated Bedrock GPT-5.4 endpoint/model metadata. (#19416, #19461, #20109)
  • Fixed MCP/plugin edge cases around stdio server cleanup, plugin MCP approval persistence, and custom MCP metadata isolation. (#19753, #19537, #19836, #19875)
  • Updated the bundled OpenAI Docs skill for GPT-5.5, gpt-image-2, and clearer upgrade guidance. (#19407, #19443, #19422)
  • Clarified contributor-facing docs, including the PR template, Rust async trait guidance, and README wording. (#19912, #20242, #19514)
  • Added a checked-in codex-core public API listing and a ThreadManager sample crate. (#20243, #20141)
v0.125.0

0.125.0

April 24, 2026

  • App-server integrations now support Unix socket transport, pagination-friendly resume/fork, sticky environments, and remote thread config/store plumbing. (#18255, #18892, #18897, #18908, #19008, #19014)
  • App-server plugin management can install remote plugins and upgrade configured marketplaces. (#18917, #19074)
  • Permission profiles now round-trip across TUI sessions, user turns, MCP sandbox state, shell escalation, and app-server APIs. (#18284, #18285, #18286, #18287, #19231)
  • Model providers now own model discovery, with AWS/Bedrock account state exposed to app clients. (#18950, #19048)
  • codex exec --json now reports reasoning-token usage for programmatic consumers. (#19308)
  • Rollout tracing now records tool, code-mode, session, and multi-agent relationships, with a debug reducer command for inspection. (#18878, #18879, #18880)
  • Interrupting /review and exiting the TUI no longer leaves the interface wedged on delegate startup or unsubscribe. (#18921)
  • Exec-server no longer drops buffered output after process exit and now waits correctly for stream closure. (#18946, #19130)
  • App-server now respects explicitly untrusted project config instead of auto-persisting trust. (#18626)
  • WebSocket app-server clients are less likely to disconnect during bursts of turn and tool-output notifications. (#19246)
  • Windows sandbox startup handles multiple CLI versions and installed app directories better, and background Start-Process calls avoid visible PowerShell windows. (#19044, #19180, #19214)
  • Config/schema handling now rejects conflicting MultiAgentV2 thread limits, resolves relative agent-role config paths, hides unsupported MCP bearer-token fields, and rejects invalid js_repl image MIME types. (#19129, #19261, #19294, #19292)
  • App-server docs and generated schemas were refreshed for the new transport, thread, marketplace, sticky environment, and permission-profile APIs. (#18255, #18897, #19014, #19074, #19231)
  • Rollout-trace documentation now covers the debug trace reduction workflow. (#18880)
  • Refreshed models.json and related core, app-server, SDK, and TUI fixtures for the latest model catalog and reasoning defaults. (#19323)
v0.124.0

0.124.0

April 23, 2026

  • The TUI now has quick reasoning controls: Alt+, lowers reasoning, Alt+. raises it, and accepted model upgrades now reset reasoning to the new model’s default instead of carrying over stale settings. (#18866, #19085)
  • App-server sessions can now manage multiple environments and choose an environment and working directory per turn, which makes multi-workspace and remote setups easier to target precisely. (#18401, #18416)
  • Added first-class Amazon Bedrock support for OpenAI-compatible providers, including AWS SigV4 signing and AWS credential-based auth. (#17820)
  • Remote plugin marketplaces can now be listed and read directly, with more reliable detail lookups and larger result pages. (#18452, #19079)
  • Hooks are now stable, can be configured inline in config.toml and managed requirements.toml, and can observe MCP tools as well as apply_patch and long-running Bash sessions. (#18893, #18385, #18391, #18888, #19012)
  • Eligible ChatGPT plans now default to the Fast service tier unless you explicitly opt out. (#19053)
  • Preserved Cloudflare cookies across approved ChatGPT hosts, reducing auth breakage in HTTP-backed ChatGPT flows. (#17783)
  • Fixed remote app-server reliability issues so websocket events keep draining under load and shutdown no longer fails when the remote worker exits during cleanup. (#18932, #18936)
  • Fixed permission-mode drift so /permissions changes survive side conversations and updated Full Access state is correctly reflected in MCP approval handling. (#18924, #19033)
  • Fixed wait_agent so it returns promptly when mailbox work is already queued instead of waiting for a fresh notification or timing out. (#18968)
  • Fixed local stdio MCP launches for relative commands without an explicit cwd, bringing fallback path resolution in line with CLI behavior. (#19031)
  • Startup now fails less often on managed config edge cases: unknown feature requirements warn instead of aborting, and cloud-requirements errors are clearer about what failed. (#19038, #19078)
v0.123.0

0.123.0

April 23, 2026

  • Added a built-in amazon-bedrock model provider with configurable AWS profile support (#18744).
  • Added /mcp verbose for full MCP server diagnostics, resources, and resource templates while keeping plain /mcp fast (#18610).
  • Made plugin MCP loading accept both mcpServers and top-level server maps in .mcp.json (#18780).
  • Improved realtime handoffs so background agents receive transcript deltas and can explicitly stay silent when appropriate (#18597, #18761, #18635).
  • Added host-specific remote_sandbox_config requirements for remote environments (#18763).
  • Refreshed bundled model metadata, including the current gpt-5.4 default (#18586, #18388, #18719).
  • Fixed /copy after rollback so it copies the latest visible assistant response, not a pre-rollback response (#18739).
  • Queued normal follow-up text submitted while a manual shell command is running, preventing stuck Working states (#18820).
  • Fixed Unicode/dead-key input in VS Code WSL terminals by disabling the enhanced keyboard mode there (#18741).
  • Prevented stale proxy environment variables from being restored from shell snapshots (#17271).
  • Made codex exec inherit root-level shared flags such as sandbox and model options (#18630).
  • Removed leaked review prompts from TUI transcripts (#18659).
  • Added and tightened the Code Review skill instructions used by Codex-driven reviews (#18746, #18818).
  • Documented intentional await-across-lock cases and enabled Clippy linting for them (#18423, #18698).
  • Updated app-server protocol docs for threadless MCP resource reads and namespaced dynamic tools (#18292, #18413).
v0.122.0

0.122.0

April 20, 2026

  • Standalone installs are more self-contained, and codex app now opens or installs Desktop correctly on Windows and Intel Macs (#17022, #18500).
  • The TUI can open /side conversations for quick side questions, and queued input now supports slash commands and ! shell prompts while work is running (#18190, #18542).
  • Plan Mode can start implementation in a fresh context, with context-usage shown before deciding whether to carry the planning thread forward (#17499, #18573).
  • Plugin workflows now include tabbed browsing, inline enable/disable toggles, marketplace removal, and remote, cross-repo, or local marketplace sources (#18222, #18395, #17752, #17751, #17277, #18017, #18246).
  • Filesystem permissions now support deny-read glob policies, managed deny-read requirements, platform sandbox enforcement, and isolated codex exec runs that ignore user config or rules (#15979, #17740, #18096, #18646).
  • Tool discovery and image generation are now enabled by default, with higher-detail image handling and original-detail metadata support for MCP and js_repl image outputs (#17854, #17153, #17714, #18386).
  • App-server approvals, user-input prompts, and MCP elicitations now disappear from the TUI when another client resolves them, instead of leaving stale prompts behind (#15134).
  • Remote-control startup now tolerates missing ChatGPT auth, and MCP startup cancellation works again through app-server sessions (#18117, #18078).
  • Resumed and forked app-server threads now replay token usage immediately so context/status UI starts with the restored state (#18023).
  • Security-sensitive flows were tightened: logout revokes managed ChatGPT tokens, project hooks and exec policies require trusted workspaces, and Windows sandbox setup avoids broad user-profile and SSH-root grants (#17825, #14718, #18443, #18493).
  • Sandboxed apply_patch writes work correctly with split filesystem policies, and file watchers now notice files created after watching begins (#18296, #18492).
  • Several TUI rough edges were fixed, including fatal skills-list failures, invalid resume hints, duplicate context statusline entries, /model menu loops, redundant memory notices, and terminal title quoting in iTerm2 (#18061, #18059, #18054, #18154, #18580, #18261).
  • Added a security-boundaries reference to SECURITY.md for sandboxing, approvals, and network controls (#17848, #18004).
  • Documented custom MCP server approval defaults and exec-server stdin behavior (#17843, #18086).
  • Updated app-server docs for plugin API changes, marketplace removal, resume/fork token-usage replay, and warning notifications (#17277, #17751, #18023, #18298).
v0.121.0

0.121.0

April 15, 2026

  • Added codex marketplace add and app-server support for installing plugin marketplaces from GitHub, git URLs, local directories, and direct marketplace.json URLs (#17087, #17717, #17756).
  • Added TUI prompt history improvements, including Ctrl+R reverse search and local recall for accepted slash commands (#17550, #17336).
  • Added TUI and app-server controls for memory mode, memory reset/deletion, and memory-extension cleanup (#17632, #17626, #17913, #17937, #17844).
  • Expanded MCP/plugin support with MCP Apps tool calls, namespaced MCP registration, parallel-call opt-in, and sandbox-state metadata for MCP servers (#17364, #17404, #17667, #17763).
  • Added realtime and app-server APIs for output modality, transcript completion events, raw turn item injection, and symlink-aware filesystem metadata (#17701, #17703, #17719).
  • Added a secure devcontainer profile with bubblewrap support, plus macOS sandbox allowlists for Unix sockets (#10431, #17547, #17654).
  • Fixed macOS sandbox/proxy handling for private DNS and removed the danger-full-access denylist-only network mode (#17370, #17732).
  • Fixed Windows cwd/session matching so resume --last and thread/list work when paths use verbatim prefixes (#17414).
  • Fixed rate-limit/account handling for prolite plans and made unknown WHAM plan values decodable (#17419).
  • Made Guardian timeouts distinct from policy denials, with timeout-specific guidance and visible TUI history entries (#17381, #17486, #17521, #17557).
  • Stabilized app-server behavior by avoiding premature thread unloads, tolerating failed trust persistence on startup, and skipping broken symlinks in fs/readDirectory (#17398, #17595, #17907).
  • Fixed MCP/tool-call edge cases including flattened deferred tool names, elicitation timeout accounting, and empty namespace descriptions (#17556, #17566, #17946).
  • Documented the secure devcontainer profile and its bubblewrap requirements (#10431, #17547).
  • Added TUI composer documentation for history search behavior (#17550).
  • Updated app-server docs for new MCP, marketplace, turn injection, memory reset, filesystem metadata, external-agent migration, and websocket token-hash APIs (#17364, #17717, #17703, #17913, #17719, #17855, #17871).
v0.120.0

0.120.0

April 11, 2026

  • Realtime V2 can now stream background agent progress while work is still running and queue follow-up responses until the active response completes (#17264, #17306)
  • Hook activity in the TUI is easier to scan, with live running hooks shown separately and completed hook output kept only when useful (#17266)
  • Custom TUI status lines can include the renamed thread title (#17187)
  • Code-mode tool declarations now include MCP outputSchema details so structured tool results are typed more precisely (#17210)
  • SessionStart hooks can distinguish sessions created by /clear from fresh startup or resume sessions (#17073)
  • Fixed Windows elevated sandbox handling for split filesystem policies, including read-only carveouts under writable roots (#14568)
  • Fixed sandbox permission handling for symlinked writable roots and carveouts, preventing failures in shell and apply_patch workflows (#15981)
  • Fixed codex --remote wss://... panics by installing the Rustls crypto provider before TLS websocket connections (#17288)
  • Preserved tool search result ordering instead of alphabetically reordering results (#17263)
  • Fixed live Stop-hook prompts so they appear immediately instead of only after thread history reloads (#17189)
  • Fixed app-server MCP cleanup on disconnect so unsubscribed threads and resources are torn down correctly (#17223)
  • Documented the elevated vs restricted-token Windows sandbox support split in the core README (#14568)
  • Updated app-server protocol documentation for the new /clear SessionStart source (#17073)
  • Made rollout recording more reliable by retrying failed flushes and surfacing durability failures instead of dropping buffered items (#17214)
  • Added analytics schemas and metadata wiring for compaction and Guardian review events (#17155, #17055)
v0.119.0

0.119.0

April 10, 2026

  • Realtime voice sessions now default to the v2 WebRTC path, with configurable transport, voice selection, native TUI media support, and app-server coverage for the new flow (#16960, #17057, #17058, #17093, #17097, #17145, #17165, #17176, #17183, #17188).
  • MCP Apps and custom MCP servers gained richer support, including resource reads, tool-call metadata, custom-server tool search, server-driven elicitations, file-parameter uploads, and more reliable plugin cache refreshes (#16082, #16465, #16944, #17043, #15197, #16191, #16947).
  • Remote/app-server workflows now support egress websocket transport, remote --cd forwarding, runtime remote-control enablement, sandbox-aware filesystem APIs, and an experimental codex exec-server subcommand (#15951, #16700, #16973, #16751, #17059, #17142, #17162).
  • The TUI can copy the latest agent response with Ctrl+O, including better clipboard behavior over SSH and across platforms (#16966).
  • /resume can now jump directly to a session by ID or name from the TUI (#17222).
  • TUI notifications are more configurable, including Warp OSC 9 support and an opt-in mode for notifications even while the terminal is focused (#17174, #17175).
  • The TUI starts faster by fetching rate limits asynchronously, and /status now refreshes stale limits instead of showing frozen or misleading quota information (#16201, #17039).
  • Resume flows are more stable: the picker no longer flashes false empty states, uses fresher thread names, stabilizes timestamp labels, preserves resume hints on zero-token exits, and avoids crashing when resuming the current thread (#16591, #16601, #16822, #16987, #17086).
  • Composer and chat behavior are smoother, including fixed paste teardown, CJK word navigation, stale /copy output, percent-decoded local file links, and clearer truncated exec-output hints (#16202, #16829, #16648, #16810, #17076).
  • Fast Mode no longer stays stuck on after /fast off in app-server-backed TUI sessions (#16833).
  • MCP status and startup are less noisy and faster: hyphenated server names list tools correctly, /mcp avoids slow full inventory probes, disabled servers skip auth probing, and residency headers are honored by codex mcp-server (#16674, #16831, #17098, #16952).
  • Sandbox, network, and platform edge cases were tightened, including clearer read-only apply_patch errors, refreshed network proxy policy after sandbox changes, suppressed irrelevant bubblewrap warnings, a macOS HTTP-client sandbox panic fix, and Windows firewall address handling (#16885, #17040, #16667, #16670, #17053).
  • The README now uses the current ChatGPT Business plan name (#16348).
  • Developer guidance for argument_comment_lint was updated to favor getting CI started instead of blocking on slow local lint runs (#16375).
  • Obsolete codex-cli README content was removed to avoid stale setup guidance (#17096).
Showing 30 of 120