OpenAI's command-line coding assistant
Complete changelog with every version since the first release.
Releases (120)
0.144.1
July 9, 2026
- •Fixed standalone installs failing when GitHub returns compact or reordered release metadata. (#31913)
- •Ensured macOS package installs expose the code-mode host alongside the
codexexecutable. (#31913) - •Kept code mode working when the companion host binary is unavailable by falling back to the embedded runtime. (#31913)
0.144.0
July 9, 2026
- •Usage-limit reset credits now show their type and expiration, and let you choose which credit to redeem. (#30488)
- •Added a
writesapp-approval mode that allows declared read-only actions while prompting for writes. (#30482) - •MCP tools can now request authentication interactively without an experimental opt-in. (#28772)
- •App-server hosts can provide Codex authentication at runtime and redirect successful logins to a hosted page. (#28745, #31274)
- •Global pnunen installs are now detected so diagnostics and updates use the correct package manager. (#31503)
- •Selecting Ultra reasoning now warns when high multi-agent concurrency could increase usage quickly. (#31621)
- •Resumed ChatGPT threads recover when compaction references a retired model by retrying with the currently selected model. (#30319)
- •Fixed Code Mode crashes in Intel macOS release binaries. (#30953)
- •Windows sandbox sessions can delete files in writable roots and access the managed primary runtime. (#31138, #31574)
- •Pasted terminal control sequences can no longer corrupt TUI rendering or resumed conversation history. (#31494)
- •Long-running app sessions now refresh expired authentication for the hosted
codex_appsconnector. (#31486) - •Responses WebSockets continue using the low-latency transport while respecting system proxies and custom certificate authorities. (#31441, #31622)
- •Device-code login warnings now explain how to recognize and stop phishing attempts. (#31648)
- •Reduced plugin skill-loading time on remote executors by resolving namespaces once per root. (#31348)
- •Made the
/reviewbranch picker faster and more reliable in large repositories. (#31464)
0.143.0
July 8, 2026
- •Remote plugins are now enabled by default, with richer catalog rows, npm marketplace sources, and visible remote/local versions. (#30297, #26705, #29375, #30981)
- •Codex can route authentication and Responses API traffic through macOS and Windows system proxies, including PAC and WPAD configurations. (#26708, #26709, #31335)
- •Added
codex remote-control pairfor generating manual pairing codes from a running daemon. (#29913) - •Added Amazon Bedrock GPT-5.6 Sol, Terra, and Luna models, with first-class support for
maxreasoning effort. (#30285, #30467) - •MCP tools now use tool search by default, and ChatGPT-hosted MCP servers can explicitly use session authentication. (#29486, #29733)
- •App-server clients can inspect environments, list descendant threads, and fork history through a specific turn. (#30291, #29591, #30277)
- •Fixed Windows ConPTY input handling for line endings and backspace, plus sandbox credential retry edge cases. (#29734, #29624, #29637)
- •Fixed stale TUI safety prompts and cancelled reviews that could leave MCP startup appearing busy. (#30490, #31189)
- •Improved recovery when exec servers are temporarily offline and prevented remote-control token refresh retry storms. (#30098, #30201)
- •Preserved trailing realtime transcript text and terminal rollout events during shutdown. (#29918, #30144)
- •Improved incremental WebSocket request success by ignoring response metadata during comparisons. (#30770)
- •Reduced installer failures from GitHub API rate limits by reusing release metadata. (#31056)
- •Documented UUID7 thread and turn IDs, plus recommended remote-executor integration-test workflows. (#27714, #29790)
- •Updated OpenSSL, Hono, fast-uri, quick-xml, and crossbeam-epoch to address security advisories. (#29487, #29650, #30941, #31308)
0.142.2
June 25, 2026
- •MCP tools now use tool search by default when supported, improving tool discovery while preserving compatibility with older models and providers. (#29486)
- •macOS authentication clients can honor system proxy, PAC, and WPAD settings when
respect_system_proxyis enabled. (#26709) - •Plugins can provide dedicated dark-mode logos through local manifests and remote catalogs. (#29488)
- •Apps can display richer safety-buffering UI using server-provided visibility and faster-model metadata. (#29473)
- •Remote plugin catalogs now return curated featured-plugin rankings. (#29485)
- •Expired Amazon Bedrock credentials now produce actionable recovery guidance instead of a generic authorization error. (#28992)
- •Remote stdio MCP servers now accept absolute working directories written in the remote platform’s path format. (#29493)
- •Remote HTTP(S) image inputs now return clear model-visible validation errors; inline data URLs and local images remain supported. (#29417, #29419)
- •PowerShell commands containing executable AST regions the safety classifier cannot inspect now require approval. (#24092)
- •Code Mode now warns when the selected model lacks the required metadata. (#29490)
- •Updated bundled OpenSSL and esbuild dependencies to patched releases. (#29487, #29489)
- •Successful formatter runs are now quiet while failures still show diagnostics. (#29467)
0.142.0
June 22, 2026
- •
/usagecan now show and redeem earned usage-limit reset credits, with confirmation, retry, and refreshed availability states. (#28154, #28793) - •
/pluginsnow organizes remote plugins into OpenAI Curated, Workspace, and Shared with me sections, while eligible turns can recommend and install relevant plugins. (#26703, #28399, #28400, #27704, #28403) - •Configurable rollout token budgets track usage across agent threads, provide remaining-budget reminders, and abort turns when exhausted. (#28746, #28494, #28707, #29423)
- •App-server clients can configure multi-agent delegation as disabled, explicit-request-only, or proactive at the thread and turn level. (#28685, #28792, #29324)
- •Added an indexed web-search mode that permits live searches while restricting direct page access to server-approved URLs. (#28489)
- •Codex can now receive scheduled UTC time reminders and query the current time directly, including through client-provided app-server clocks. (#28822, #28824, #28835, #29011)
- •Restored reliable Linux TUI rendering after suspending with
Ctrl+Zand resuming withfg. (#28342) - •Exec-server processes and stdio MCP sessions now survive transient disconnects, including signed-URL refresh and retry-safe stdin writes. (#28512, #28374, #28546, #28895)
- •Remote environments now preserve executor-native paths, shells,
AGENTS.mddiscovery, and sandbox behavior across operating systems. (#28146, #28152, #28958, #28983, #29099, #29108, #29113, #29424) - •Plugin loading and installation now handle root marketplace layouts, manifest fallbacks, multiple skill paths, actionable download errors, and immediate tool refreshes. (#28771, #28789, #28790, #28863, #28951)
- •Parent agents now receive terminal subagent errors instead of seeing failed work as an empty successful completion. (#28375)
- •Goal-first threads are once again persisted and returned by
thread/listandthread/search. (#28808) - •Reduced startup and session latency by deferring unnecessary DNS work, warming the model cache, reusing parsed plugin skills, parallelizing skill metadata reads, and skipping redundant catalog synchronization. (#28542, #28699, #28844, #29326, #29005)
- •Reduced persistent-log churn by removing per-event WebSocket payload logging and filtering duplicated telemetry records. (#29432, #29457)
0.141.0
June 18, 2026
- •Remote executors now use authenticated, end-to-end encrypted Noise relay channels. (#26242, #26245)
- •Cross-platform remote execution now preserves executor-native working directories and shells, including filesystem permission paths across app-server and exec-server boundaries. (#27819, #27995, #28032, #28122, #28165, #28367)
- •Selected executor plugins can activate their stdio MCP servers per thread; plugin discovery also adds a created-by-me marketplace and auth-specific curated catalogs. (#27870, #27884, #27893, #28203, #28383)
- •App-server clients can list immediate child threads, correlate external-agent imports with detailed results, and read or redeem rate-limit reset credits. (#26662, #28008, #28143)
- •Realtime clients can explicitly append speech, control how Codex responses enter conversations, and omit startup context. (#27917, #28405)
- •TUI input prompts can auto-resolve after inactivity, with a countdown that pauses on interaction. (#28235)
- •Hook trust bypass now persists through
codex execthread start and resume, while blockingPostToolUsehooks correctly reject code-mode tool calls. (#26434, #28365) - •Plugin capabilities now route consistently by authentication mode, deduplicate conflicting App/MCP declarations, and preserve remote marketplace ordering. (#27461, #27602, #27607, #27902, #27958, #28395)
- •Windows sandbox execution repairs stale credentials automatically and gives PowerShell commands more time before backgrounding. (#27086, #27944)
- •Idle exec-server relays remain connected, and steered user input immediately interrupts
wait_agent. (#28286, #28341) - •Bundled SQLite is pinned to a version containing the WAL-reset corruption fix. (#27992)
- •TLS connections now support P-521 certificate signatures commonly used by enterprise proxies. (#27706)
- •Reduced latency and memory use in large, tool-heavy sessions by caching tool search and eliminating repeated request and history copies. (#27258, #27813, #28306, #28309, #28313, #28323, #28327)
- •Bounded prompt-image caching to 64 MiB and feedback uploads to eight related threads. (#28294, #28332)
- •Terminal resize reflow is now always enabled, ignoring obsolete disabled settings. (#27794)
0.140.0
June 15, 2026
- •Added
/usageviews for daily, weekly, and cumulative account token activity. (#27925) - •
/goalnow preserves oversized text, large pasted blocks, and image attachments, including in remote app-server sessions. (#27508, #27509, #27510) - •Added permanent session deletion through
codex delete,/delete, and app-serverthread/delete, with confirmation safeguards and subagent cleanup. (#25018, #27476) - •Added
/importfor selectively importing setup, project configuration, and recent chats from Claude Code. (#27070, #27071, #27703) - •Typing
@now opens the unified mentions menu for files, plugins, and skills by default. (#27499) - •Added managed Amazon Bedrock API-key authentication and encrypted local storage for CLI and MCP OAuth credentials. (#27443, #27689, #27504, #27535, #27539, #27541)
- •Corrupted SQLite state databases are now backed up and rebuilt automatically from rollout data, including malformed database-directory cases. (#26859, #27719)
- •Prevented
/reviewfrom crashing whenEscis pressed with queued guidance, while preserving that guidance when the review is canceled. (#22879) - •Improved MCP reliability by retrying transient startup failures, reporting unusable OAuth credentials as logged out, and preserving explicitly disabled servers. (#25147, #26713, #27414)
- •Fixed remote plugin uninstall requests and correctly surfaced apps requiring authentication during installation. (#27085, #27223)
- •Persisted “Don’t remind me” update dismissals reliably and cleared stale running-hook indicators after completed turns. (#27619, #27783)
- •Non-TTY background commands can now be interrupted with Ctrl-C while preserving their final output and exit status. (#26734)
- •Clarified contributor guidance around keeping crate APIs narrow and supporting Linux, macOS, and Windows. (#27939, #27966)
- •Improved responsiveness for large repositories and long sessions by preserving Git’s built-in filesystem monitor, avoiding duplicate history reads, accelerating archive lookup, and caching turn-diff rendering. (#26880, #27031, #27276, #27489)
- •Removed the experimental
/realtimevoice controls and related audio dependencies from the TUI. (#27801)
0.139.0
June 9, 2026
- •Code mode can now call standalone web search directly, including from nested JavaScript tool calls, and receive plaintext search results. (#26719)
- •Tool and connector input schemas now preserve
oneOfandallOf, and large schemas keep more shallow structure when compacted, improving compatibility with richer MCP tools. (#24118, #27084) - •
codex doctornow includes editor and pager environment details in the local report while redacting raw values in JSON output. (#27081) - •Plugin marketplace automation is more informative and responsive:
codex plugin marketplace list --jsonnow includes each marketplace source, and plugin lists can return from the cached remote catalog before refreshing in the background. (#27009, #26932) - •
codex resume --last "..."andcodex fork --last "..."now treat the trailing argument as the initial prompt instead of misreading it as a session ID. (#26818) - •MCP startup warnings from subagents now stay in the thread that owns them, avoiding duplicate parent-thread alerts and stuck startup spinners in the TUI. (#26639)
- •Image edits now use the exact referenced image file paths instead of guessing from conversation history, so attached-image edits land on the intended input. (#26486)
- •Bare URLs with
~in the path are now linkified end to end in the TUI instead of being truncated before the tilde. (#27088) - •Thread resets such as
/new,/clear, and/forkno longer drop cloud-managed requirements or feature flags during TUI config reloads. (#25177) - •Sandbox execution now preserves approved escalation decisions and enforces configured proxy-only networking more consistently. (#24981, #27035)
- •Release builds once again publish separate symbol archives with line tables, improving post-release crash symbolication without bringing back the earlier full-debug build slowdown. (#26202)
- •The embedded V8 toolchain was updated to
rusty_v8149.2.0. (#26464)
0.138.0
June 8, 2026
- •The
/appcommand can now hand off the current CLI thread into Codex Desktop on macOS and native Windows, and Windows workspace launches can open directly into Desktop instead of stopping at a manual prompt. (#25638, #26500) - •Local image attachments and standalone image generations now expose their saved file paths to the model, which makes follow-up edits and file references more reliable. (#25944, #25947)
- •Reasoning effort selection is more flexible: the TUI adds fallback shortcuts for terminals that miss
Altbindings, and model-defined effort levels now flow through in the order advertised by the model. (#25623, #26444, #26446) - •App-server integrations can now read account token usage, and Codex auth supports v2 personal access tokens in CLI and app-server flows. (#25344, #25731)
- •Plugin automation got richer structured output: add/remove and marketplace commands support
--json, plugin list JSON includes marketplace source, and plugin detail data now exposes default prompts, remote MCP servers, and unavailable app templates. (#26631, #26417, #25887, #26453, #26317) - •Goal workflows are more predictable: multiline paste in
/goal editno longer submits early, idle auto-turns stay out of Plan mode, and goals stop auto-continuing after terminal turn failures. (#26047, #26147, #26690) - •Forked threads now keep user-renamed titles instead of falling back to the original first-prompt name. (#26075)
- •The TUI no longer adds extra blank space while streaming, and cancelled prompts reopen with the cursor at the end so you can keep editing naturally. (#26636, #26457)
- •TUI config write failures now show the underlying cause, making validation problems and read-only filesystem issues much easier to diagnose. (#26537)
- •Startup is more resilient across environments, with support for
/usr/bin/bash, shorter Linux proxy socket paths, and pre-refresh of expired OAuth-backed MCP credentials. (#26538, #26553, #26482) - •Workspace instruction loading is more accurate for remote and symlinked workspaces, so the right
AGENTS.mdfiles are picked up consistently. (#26205, #26465) - •The CLI README was refreshed to remove stale guidance and better match the current documentation flow. (#26313)
- •TUI startup does less repeated plugin work by reusing discovery results and loading only hook metadata on the critical path. (#26469, #26272)
- •
resume --lastnow finds the newest matching session through the state DB first, which speeds up restore on large local histories. (#26462) - •Large MCP/Ollama streams and long message histories process much faster thanks to optimized byte scanning. (#26265)
0.137.0
June 4, 2026
- •TUI controls now support F13-F24 keybindings, paste in searchable menus, and a compact reasoning-only status/title item (#25329, #25400, #25504).
- •Enterprise/admin flows now show monthly credit limits and can apply cloud-managed config bundles, including EDU workspaces (#24812, #24617, #24619, #24620, #24622, #25963).
- •Remote-control clients can start pairing and list or revoke controller grants through app-server v2 RPCs (#25675, #25785).
- •Plugin workflows gained machine-readable
codex plugin list --jsonoutput and cached remote catalog suggestions (#25330, #25457). - •Hosted web and image tools are available in more code-mode flows, with standalone web searches able to run in parallel (#25176, #25702, #25890, #25923).
- •Multi-agent v2 keeps runtime choice with each thread and exposes cleaner follow-up and metadata defaults for spawned agents (#25266, #25636, #25720, #25721, #25722, #25841, #26114).
- •Cancelling a submitted prompt before visible output now restores the draft, attachments, and collaboration mode for editing (#25316).
- •Slash-command filtering and footer shortcut hints now reset or render according to the current UI state (#25492, #25625).
- •Platform reliability improved for macOS app launches and Windows SQLite startup, thread resume, and sandbox setup refreshes (#25485, #25490, #25509, #25949).
- •Plugin loading preserves app manifest order, deduplicates local/remote curated installs, and treats malformed
skillsfields as warnings (#25491, #25681, #25717, #25782). - •Permission requests and approvals now carry environment identity, and managed MITM proxying exports readable CA bundles to child commands (#25850, #25858, #25862, #22668).
- •Local session history is safer for compressed rollouts, renamed titles, pathless side-chat reloads, and stack-heavy startup/config rebuilds (#25087, #25624, #25661, #25814, #25844, #25847).
- •Added app-server docs and generated schema updates for monthly credit limits, remote-control RPCs, and environment-scoped permission approvals (#24812, #25675, #25785, #25862).
- •Moved repo review rules and contributor conventions into
AGENTS.md, including Rust test-module layout and Python 3 compatibility guidance (#25682, #25690, #25738). - •Root formatting and Justfile workflows are more complete and Windows-aware (#24983, #25165, #25683).
0.136.0
June 1, 2026
- •TUI markdown now keeps web links clickable with OSC 8 metadata, and cramped tables switch to readable key/value records without losing link targets. (#24472, #24636, #24825)
- •Sessions can now be archived from the TUI with
/archiveor from the CLI withcodex archive/codex unarchive; archived sessions are protected from resume/fork until restored. (#25027, #25021) - •App-server integrations can resume a thread with its initial turns page, see richer MCP server status, and launch stdio mode with
codex app-server --stdio. (#23534, #24698, #24940) - •Remote execution setup now supports
CODEX_API_KEYregistration for approved OpenAI hosts, while remote-control websockets use short-lived server tokens instead of ChatGPT access tokens. (#24666, #24141) - •Windows admins get an alpha
codex sandbox setup --elevatedprovisioning path, plus requirements support for allowed Windows sandbox implementations. (#24831, #23766) - •A feature-gated standalone image generation extension can run through the native Codex image artifact completion pipeline. (#24723, #24972)
- •ChatGPT auth refreshes tokens before the five-minute expiry window and shows a relogin-required path for reused refresh tokens instead of collapsing into a generic cloud error. (#23546, #24830)
- •Command-safety hardening prevents
/difffrom running repository-provided Git helpers/hooks, avoids PowerShell parser execution on non-Windows hosts, and rejects browser-origin exec-server websocket handshakes. (#24954, #24946, #24947) - •Sandboxed commands clean up more reliably after interruptions or denied Windows network attempts, and
denyread rules stay enforced for safe-command and approval-bypass paths. (#22729, #19880, #23943) - •Resumed TUI sessions seed prompt history from the session transcript, multiline hook output renders as separate rows, and Vim normal-mode editing behaves correctly. (#24298, #24965, #25022)
- •App-server filesystem watchers debounce later batches correctly, and standalone web search calls now show and restore completed search activity. (#24716, #24693)
- •Bedrock auth now falls back to
AWS_REGION/AWS_DEFAULT_REGION, and unsupported Bedrock GPT service tiers are no longer advertised or sent. (#25171, #25318) - •Python SDK beta docs and package metadata now present the standard
pip install openai-codexpath, refreshed quickstarts, API reference, FAQ, and examples. (#24836, #24866, #24868, #24870) - •Python SDK examples and docs now use the public
CodexConfigname for configuringCodex/AsyncCodex. (#24800) - •The bundled OpenAI Docs skill was updated with current Codex manual routing and a cached manual fetch helper. (#24914)
0.135.0
May 28, 2026
## New Features
- codex doctor now reports richer environment, Git, terminal, app-server, and thread inventory diagnostics for support cases. (#24261, #24311, #24305)
- /status shows remote connection details and server version when the TUI is connected over a remote transport. (#24420)
- Vim mode gained text-object editing, improved word/line-end behavior, and a configurable interrupt-turn binding. (#24382, #24380, #24766)
- /permissions now understands named permission profiles and displays configured custom profiles. (#21559)
- Packaged Codex builds can discover and use the bundled patched zsh helper across supported macOS and Linux targets. (#23756, #24171)
- The Python SDK now exposes friendly Sandbox presets for thread and turn APIs. (#24772)
- install.sh/install.ps1 supports a non-interactive installation mode when CODEX_NON_INTERACTIVE=1 is set. (#21567)
## Bug Fixes
- Markdown tables and multiline lists render more readably in the TUI, with better column sizing and app-style table formatting. (#24489, #24346, #24351)
- TUI output is more stable on macOS and Zellij, avoiding stderr/composer corruption and raw-output overlap. (#24459, #24479, #24593)
- Slash-command completion now preserves existing draft text for commands that accept inline arguments. (#23950)
- Older tmux/iTerm control-mode sessions no longer lose normal Ctrl-C handling from unsupported keyboard enhancement setup. (#24371)
- App mentions now exclude inaccessible or disabled apps instead of offering unusable $ suggestions. (#24625)
- Resume flows now include non-interactive exec sessions when requested and honor cwd overrides for idle cached threads. (#24503, #24528)
## Documentation
- Clarified image-viewing tool detail behavior and removed stale TUI composer documentation references. (#23949, #24641)
- Updated Python SDK docs, examples, and notebook content to use the new sandbox preset API. (#24772)
## Chores
- Updated Rust toolchain pins and SQLx/SQLite dependencies. (#24684, #24728)
- Moved memory runtime state into a dedicated SQLite database. (#24591)
- Removed remaining legacy config-profile consumers and routed more TUI config/plugin state through app-server-owned APIs. (#24076, #24254, #24255, #24265, #24266, #24257)
- Centralized Responses retry handling and MCP tool naming logic to reduce duplicated internal plumbing. (#24131, #21576)
## Changelog
Full Changelog: https://github.com/openai/codex/compare/rust-v0.134.0...rust-v0.135.0
- #24164 fix(remote-control): cap reconnect backoff @apanasenko-oai
- #23756 package: include zsh fork in Codex package @bolinfest
- #23757 Default function tools into tool hooks @abhinav-oai
- #24171 package: add x64 macOS codex-zsh artifact @bolinfest
- #24159 code-mode: merge stored values by key @cconger
- #23983 fix: plugin bundle archive handling for upload and install @xl-openai
- #24261 feat(doctor): add environment diagnostics @fcoury-oai
- #24311 Report app-server version in codex doctor @etraut-openai
- #24314 tui: label compact rate-limit percentages @etraut-openai
- #24420 Show remote connection details in /status @etraut-openai
- #24317 Respect hook trust bypass during TUI startup @etraut-openai
- #24254 TUI config cleanup: oss_provider @etraut-openai
- #24255 TUI config cleanup: trusted projects @etraut-openai
- #24265 TUI config cleanup: MCP inventory @etraut-openai
- #24305 Add doctor thread inventory audit @etraut-openai
- #24346 fix(tui): improve markdown table column allocation @fcoury-oai
- #24351 fix(tui): improve multiline markdown list readability @fcoury-oai
- #24459 fix(tui): prevent macos stderr from corrupting composer @fcoury-oai
- #24479 fix(process-hardening): preserve macos malloc diagnostics @fcoury-oai
- #24474 Log rollout writer OS errors @etraut-openai
- #24076 chore: stop consuming legacy config profiles @jif-oai
- #24131 centralize Responses retry policy @rhan-oai
- #23858 [wip] goal shift @jif-oai
- #24555 chore: drop orphaned codex memories MCP crate @jif-oai
- #24558 chore: move memory prompt builder into extension @jif-oai
- #24562 Add ad-hoc memory note tool @jif-oai
- #24567 Wire metrics client into memories extension @jif-oai
- #24588 fix: drop flake @jif-oai
- #24583 Add memory tool call metrics to memories extension @jif-oai
- #24586 Wire app-server extension event sink @jif-oai
- #24532 Use thread config for TUI MCP inventory @etraut-openai
- #24105 [codex] Make active turn task singular @pakrym-oai
- #21576 Move MCP tool naming mode into manager @pakrym-oai
- #24503 tui: include exec sessions in resume list @etraut-openai
- #24600 feat: gate dedicated memories tools in config @jif-oai
- #21559 tui: add named permission profile picker @viyatb-oai
- #24608 feat: add manual and remote_v2 tags to compaction metric @jif-oai
- #24611 test: clean up apply_patch allow-session artifact @jif-oai
- #24609 Remove reserved namespaces dedup @pakrym-oai
- #23964 Move slash input logic out of chat composer @canvrno-oai
- #24615 Add goal extension telemetry parity @jif-oai
- #24371 fix(tui): avoid modifyOtherKeys for unknown tmux formats @fcoury-oai
- #24626 fix: restore goal accounting after thread resume @jif-oai
- #24591 Move memory state to a dedicated SQLite DB @jif-oai
- #23823 standalone websearch extension @sayan-oai
- #24593 fix(tui): keep raw output above composer in zellij @fcoury-oai
- #24625 tui: keep inaccessible apps out of mentions @canvrno-oai
- #24154 Add experimental turn additional context @pakrym-oai
- #24473 fix(remote-control): surface websocket task stalls @apanasenko-oai
- #24528 Respect resume cwd overrides for idle cached threads @etraut-openai
- #24160 Add forked_from_thread_id turn metadata @owenlin0
- #24646 make direct only allowed caller for standalone websearch @sayan-oai
- #23949 Clarify view_image tool description @fjord-oai
- #24266 TUI config cleanup: plugin mentions @etraut-openai
- #24320 Avoid repeated marketplace upgrades for alternate layouts @etraut-openai
- #23813 windows-sandbox: remove SandboxPolicy runner plumbing @bolinfest
- #24652 [codex] remove plain image wrapper spans @pakrym-oai
- #24623 Attach Windows sandbox log to feedback reports @iceweasel-oai
- #24644 Restore legacy image detail values @rhan-oai
- #24655 [codex-analytics] add grouped session id to runtime events @marksteinbrick-oai
- #24658 [codex] Remove obsolete goal continuation turn marker @pakrym-oai
- #24660 fix: dont compact standalone websearch schema @sayan-oai
- #24667 fix(core): instrument stalled tool-listing handoff @apanasenko-oai
- #24684 Uprev Rust toolchain pins to 1.95.0 @anp-oai
- #21567 fix: add noninteractive install script mode @efrazer-oai
- #24707 Allow runtime enablement for remote plugins @xl-openai
- #24714 fix(auto-review) skip legacy notify for auto review threads @dylan-hurd-oai
- #24690 Revert "Add Bedrock Mantle GovCloud region (#23860)" @celia-oai
- #24628 feat: handle goal usage limits in goal extension @jif-oai
- #24746 Fix guardian review test user input @jif-oai
- #24744 feat: add thread idle lifecycle hook @jif-oai
- #24751 Drop startup context when truncating forked rollouts @jif-oai
- #24257 TUI config cleanup: plugin marketplace @etraut-openai
- #24380 fix(tui): complete vim word-end and line-end behavior @fcoury-oai
- #24728 Bump SQLx to pick up newer bundled SQLite @jif-oai
- #24637 fix: run standalone updates noninteractively @efrazer-oai
- #24778 make vercel webhook url an env secret @sayan-oai
- #23950 fix: Preserve draft text when completing argument-taking slash commands @canvrno-oai
- #24641 [codex] Remove stale composer narrative doc references @canvrno-oai
- #24368 [codex] add compaction metadata to turn headers @ningyi-oai
- #24772 [codex] Add friendly Python SDK sandbox presets @aibrahim-oai
- #24382 feat(tui): add vim text object bindings @fcoury-oai
- #24766 feat(tui): make turn interruption keybind configurable @fcoury-oai
- #24489 feat(tui): render markdown tables in app style [1 of 2] @fcoury-oai
- #24713 chore: enable namespace tools for Bedrock @celia-oai
0.134.0
May 26, 2026
- •Added search across local conversation history, including case-insensitive content matches with result previews. (#23519, #23921)
- •Made
--profilethe primary profile selector across CLI, TUI permissions, and sandbox flows, with legacy profile configs rejected through migration guidance. (#23708, #23883, #23890, #24051, #24055, #24059, #24067, #24110) - •Improved MCP setup with per-server environment targeting and OAuth options for streamable HTTP servers. (#23583, #24120)
- •Made connector tool schemas more reliable by preserving local
$ref/$defsstructures and compacting oversized schemas before exposure. (#23357, #23904) - •Let read-only MCP tools run concurrently when they advertise
readOnlyHint. (#23750) - •Added richer extension and hook context, including conversation history for extension tools and subagent identity in hook inputs. (#22882, #23963)
- •Improved remote reliability by reconnecting stale exec-server websocket clients, retrying remote control immediately after auth recovery, and retrying remote compaction v2 streams. (#23867, #23775, #23951)
- •Fixed Windows TUI rendering corruption by restoring virtual terminal mode before drawing. (#24082)
- •Displayed workspace-specific usage-limit messages for credit and spend-cap failures. (#24114)
- •Allowed plugin skills to reuse shared plugin-level icon assets. (#23776)
- •Preserved active permission profile metadata when syncing auto-review runtime settings. (#23956)
- •Ensured Node-based tools honor Codex’s managed network proxy environment. (#23905)
- •Documented the curl and PowerShell installer paths in the README. (#24106)
- •Updated developer docs to prefer
just testover directcargo testfor repo-local test runs. (#23910) - •Added profile migration documentation links to relevant config errors. (#23879)
0.133.0
May 21, 2026
- •Goals are now enabled by default, backed by dedicated storage, and track progress across active turns. (#23300, #23685, #23696, #23732)
- •
codex remote-controlnow runs like a foreground command, waits for readiness, reports machine status, and keeps explicit daemon-stylestart/stopcommands. (#22878) - •Permission profiles gained list APIs, inheritance, managed
requirements.tomlsupport, runtime refresh behavior, and stronger Windows sandbox integration. (#22928, #23412, #22270, #23433, #22931, #23715) - •Plugin discovery is easier to inspect, with marketplace-aware list output, installed versions, visible marketplace roots, and remote collection support. (#23372, #23584, #23727, #23730)
- •Extensions can observe more lifecycle events, including subagent start/stop, tool execution, turn metadata, and async approval/turn processing. (#22782, #22873, #23309, #23688, #23690, #23692)
- •Fixed TUI startup choosing the wrong working directory when reusing a local app-server socket. (#23538)
- •Fixed plan-mode free-form answers so modified Enter keys, like Shift+Enter, no longer submit unexpectedly. (#23536)
- •Removed stale background terminal poll events after a process exits. (#23231)
- •Preserved raw code-mode exec output unless an explicit output token limit is requested. (#23564)
- •Made AGENTS instruction loading more reliable, including local global reads and warnings for invalid UTF-8 instead of silent drops. (#23343, #23232)
- •Fixed app-server startup/shutdown races, empty resume/fork paths, plugin upgrade failures, and realtime v1 websocket compatibility. (#23516, #23578, #23400, #23356, #23771)
- •Added clearer plugin-creator guidance for updating and reinstalling local personal plugins. (#23542)
- •Expanded app-server/API docs and schema coverage around managed permission profile requirements. (#23433, #23555)
- •Added a canonical Codex package archive pipeline and moved installers, npm packages, DotSlash, and SDK runtimes toward that shared layout. (#23513, #23582, #23586, #23596, #23635, #23636, #23637, #23638, #23786)
- •Fixed Linux Python runtime wheel tags so glibc-based systems can install the runtime artifacts. (#21812)
0.132.0
May 20, 2026
- •The Python SDK now supports first-class authentication, including API key login, ChatGPT browser and device-code flows, account inspection, and logout APIs. (#23093)
- •Python turn APIs are easier to use for text-only workflows: you can pass a plain string as input, and handle-based runs now return a richer
TurnResultwith collected items, timing, and usage data. (#23151, #23162) - •
codex exec resumenow accepts--output-schema, so resumed automations can keep session context while still enforcing structured JSON output. (#23123) - •TUI startup is faster because terminal capability probes are now batched instead of waiting on several serial checks before the first interactive frame. (#23175)
- •Remote executor registration can now use standard Codex auth instead of a separate registry credential flow. (#22769)
- •App-server turns can preserve requested image fidelity, including original-resolution local images, across user inputs and image-producing tools. (#20693)
- •Goal continuations now stop when they hit usage limits or a repeated blocker instead of looping and burning more tokens, and completion responses phrase usage more naturally. (#23094, #22907)
- •The session picker is easier to trust: renamed threads now show
name (thread-id)in resume hints, and pasted text works in the picker search box. (#23234, #23338) - •Multi-session TUI flows are more reliable: in-progress MCP calls stay marked as active during replay, and elicitation replies are sent back to the thread that requested them. (#23236, #23241)
- •Remote sessions now keep websocket connections alive and show repo-relative diff paths again instead of
/tmp/...-prefixed paths. (#23226, #23261) - •Windows installs are more robust:
codex doctornow detects npm-managed installs correctly, and MSVC release binaries no longer depend on separately installed VC++ runtime DLLs. (#22967, #22905) - •TUI polish fixes include immediate shutdown feedback on exit, hiding the ChatGPT usage link for non-OpenAI providers, and keeping a cleared Fast tier from reappearing after side-thread resume. (#23323, #23127, #23121)
- •The Python SDK docs, FAQ, and examples were refreshed around the new auth flow and turn APIs, with clearer setup guidance and simpler text-only examples. (#22941, #23093, #23151, #23162)
- •Memory summaries are now versioned and rebuilt when the stored format is stale, which should keep long-lived memory context leaner and more predictable. (#23148)
0.131.0
May 18, 2026
- •The TUI now offers richer session controls and display: data-driven service-tier commands, blended token usage, permissions/approval mode, effective workspace roots, and responsive Markdown tables. (#21745, #21906, #21991, #21669, #21677, #22052, #22612)
- •
@mentions now search files, directories, plugins, and skills in one picker, backed by app-server plugin metadata. (#19068, #22375) - •Plugin workflows gained marketplace CLI commands, version-aware sharing, share checkout, clearer shared-workspace buckets, and default-enabled plugin hooks. (#21396, #22397, #22425, #22435, #22549)
- •Remote workflows now support daemon-managed
codex remote-control, runtime enable/disable APIs, status reads, and registry-backed/configured remote environments. (#20718, #22218, #22562, #22578, #22877, #20667, #21323) - •The Python SDK moved to
openai-codex/openai_codex, with pinned runtime-generated types, concurrent turn routing, approval modes, and integration coverage. (#21778, #21891, #21893, #21896, #21905, #21910, #22014) - •Added
codex doctorfor support-ready diagnostics across runtime, auth, terminal, network, config, and local state. (#22336) - •Fixed several TUI interaction and rendering issues, including URL wrapping, light-mode selection contrast, Shift+Enter in tmux,
/reviewMCP startup status,/sideEsc handling, and network approval history text. (#21760, #21950, #21943, #21624, #22710, #22229) - •Hardened Windows sandbox behavior around deny-read rules, scoped write roots, ineffective firewall policy, and PowerShell edge cases. (#18202, #21479, #22353, #21400, #22643)
- •Preserved managed read restrictions during permission escalation and cleaned up workspace-root permission profile resolution. (#15977, #22624, #22683)
- •Made app-server and local state startup safer by preserving SQLite data, failing closed when state cannot open, adding recovery paths, and softening optional metadata sync failures. (#21831, #21847, #22580, #22734, #22899)
- •Improved Git and auth reliability by using root worktree hooks consistently, ignoring repo hook/fsmonitor config in helper commands, binding local MCP OAuth callbacks, and revoking superseded login tokens. (#21969, #22843, #22652, #20237, #21747)
- •Reduced remote and Windows cleanup friction with longer exec-server transport timeouts, quieter
taskkillcleanup, and non-queued plugin reads. (#21825, #21759, #22058, #22703) - •Clarified that general Codex product docs should not be added to this repo, while app-server API docs remain in scope. (#21772)
- •Updated plugin-creator guidance for the simplified local plugin handoff links. (#22240)
- •Documented new app-server/API contracts for remote environments and the desktop-owned config namespace. (#21323, #22584)
0.130.0
May 8, 2026
- •Plugin details now show bundled hooks, and plugin sharing exposes link metadata plus discoverability controls. (#21447, #21495, #21637)
- •Added
codex remote-controlas a simpler entrypoint for starting a headless, remotely controllable app-server. (#21424) - •App-server clients can page large threads with unloaded, summary, or full turn item views. (#21566)
- •Bedrock auth can now use AWS console-login credentials from
aws loginprofiles. (#21623) - •
view_imagecan resolve files through the selected environment for multi-environment sessions. (#21143) - •Live app-server threads now pick up config changes without requiring a restart. (#21187)
- •Turn diffs stay accurate across apply-patch operations, including partial failures that still mutated files. (#21180, #21518)
- •Thread summaries, renames, resume, and fork paths work better through
ThreadStore, including threads without local rollout paths. (#21264, #21265, #21266) - •Remote compaction now emits
response.processedfor v2 streams and avoids sendingservice_tieron API-key compact requests. (#21642, #21676) - •Windows sandbox setup now grants sandbox users access to the desktop runtime binary cache. (#21564)
- •Removed stale “research preview” wording from the
codex execstartup banner. (#21683) - •Fixed issue templates so CLI reports keep the intended guidance, labels apply correctly, and feature requests link to the right contributing docs. (#21685, #21686, #21688)
- •Updated install and tooling docs to consistently use
cargo install --locked. (#21592) - •Added a faster Cargo profiling build profile and disabled empty doctest targets to speed up Rust development loops. (#21574, #21584)
- •Hardened dependency and CI hygiene with fully qualified GitHub Action pins, a Dependabot cooldown, and a
cargo-shearupgrade. (#21436, #21547, #21599)
0.129.0
May 7, 2026
- •The TUI now supports modal Vim editing in the composer, including
/vim, default-mode config, and Vim-specific keymap contexts. (#18595) - •TUI workflows are easier to resume and copy from with a redesigned resume/fork picker, raw scrollback mode,
/idecontext injection, and workspace-aware/diff. (#20065, #20819, #20294, #21001) - •The status line can show theme-aware colors plus optional PR and branch-change summaries, and
/keymap debughelps inspect terminal key events. (#19631, #20892, #20794) - •Plugin management now supports workspace sharing, share access controls, source filtering, local share path tracking, marketplace removal/upgrades, remote bundle sync, and admin-disabled status handling. (#20278, #21124, #21419, #20560, #19843, #20478, #20268, #20298)
- •Hooks can be browsed and toggled from
/hooks, can run before/after compaction, and can addPreToolUsecontext; Codex Apps auth and eligible MCP elicitations now surface through TUI/Guardian flows. (#19882, #19905, #20692, #19193, #19431) - •Experimental goals are now discoverable, stay paused across resume unless the user opts back in, and show clearer validation and multi-day duration output. (#20083, #20790, #20746, #20558)
- •
/copyworks better in tmux, Alt+Enter and modified Delete/Backspace keys behave correctly, and Windows typing/paste latency was reduced. (#20207, #20535, #21058, #18914) - •Large paste placeholders and Ctrl+C-stashed drafts now survive clear/editor workflows without corrupting draft history. (#21091, #21190, #21351, #21397)
- •TUI startup and accessibility were tightened by bounding terminal probes, clearing the first inline viewport render, and honoring
animations = falsefor live rows. (#20654, #21450, #20564) - •Linux sandbox startup is more reliable across older
bwrap, slow mount probes, symlink-protected paths, and shared/tmpsetups. (#20628, #20111, #21127, #21234) - •Windows sandbox and exec policy now handle named pipes, ConPTY teardown, PowerShell-wrapped allow rules, worktree
safe.directory, and unsafe Git options more reliably. (#20270, #20685, #20336, #21409, #21275) - •Fixed custom CA login behind TLS-inspecting proxies, Bedrock runtime endpoint reporting, dangerous project config keys, heredoc redirect approval matching, and unbounded MCP/hook output growth. (#20676, #20275, #20098, #20113, #20260, #21069)
- •Updated the embedded OpenAI Docs sample skill so API-key setup guidance stays aligned with other docs variants. (#21263)
- •Documented how generated git commit attribution is gated by
codex_git_commitand configured inconfig.toml. (#21379) - •Removed local-only planning/spec docs and redirected config docs toward the maintained external documentation surface. (#20896)
0.128.0
April 30, 2026
- •Added persisted
/goalworkflows with app-server APIs, model tools, runtime continuation, and TUI controls for create, pause, resume, and clear. (#18073, #18074, #18075, #18076, #18077, #20082) - •Added
codex update, configurable TUI keymaps, plan-mode nudges, action-required terminal titles, and active-turn/statuslineand/titleedits. (#19933, #18593, #19901, #18372, #19917) - •Expanded permission profiles with built-in defaults, sandbox CLI profile selection, cwd controls, and active-profile metadata for clients. (#19900, #20117, #20118, #20095)
- •Improved plugin workflows with marketplace installation, remote bundle caching, remote uninstall, plugin-bundled hooks, hook enablement state, and external-agent config import. (#18704, #19914, #19456, #19705, #19840, #19949)
- •Added external agent session import, including background imports and imported-session title handling. (#19895, #20284, #20261)
- •Made MultiAgentV2 configuration more explicit with thread caps, wait-time controls, root/subagent hints, and v2-specific depth handling. (#19360, #19792, #19805, #20052, #20180)
- •Fixed several resume and interruption issues, including stale interrupt hangs, persisted provider restoration, large remote resume responses, and slow filtered resume lists. (#18392, #19287, #19920, #19591)
- •Improved TUI reliability around terminal resize reflow, markdown list spacing, slash-command popup layout, keyboard cleanup, shell-mode escape, and working status updates. (#18575, #19706, #19511, #19625, #19986, #19939)
- •Hardened managed network behavior for deferred denials, proxy bypass defaults, resolved target checks, IPv6 host matching, and
git -Capproval handling. (#19184, #20002, #19999, #19995, #20085) - •Fixed Windows sandbox and PTY edge cases, including pseudoconsole startup, elevated runner process handling, core shell environment inheritance, and named-pipe validation. (#20042, #19211, #20089, #19283)
- •Fixed Bedrock model support for
apply_patch, GPT-5.4 reasoning levels, and updated Bedrock GPT-5.4 endpoint/model metadata. (#19416, #19461, #20109) - •Fixed MCP/plugin edge cases around stdio server cleanup, plugin MCP approval persistence, and custom MCP metadata isolation. (#19753, #19537, #19836, #19875)
- •Updated the bundled OpenAI Docs skill for GPT-5.5,
gpt-image-2, and clearer upgrade guidance. (#19407, #19443, #19422) - •Clarified contributor-facing docs, including the PR template, Rust async trait guidance, and README wording. (#19912, #20242, #19514)
- •Added a checked-in
codex-corepublic API listing and a ThreadManager sample crate. (#20243, #20141)
0.125.0
April 24, 2026
- •App-server integrations now support Unix socket transport, pagination-friendly resume/fork, sticky environments, and remote thread config/store plumbing. (#18255, #18892, #18897, #18908, #19008, #19014)
- •App-server plugin management can install remote plugins and upgrade configured marketplaces. (#18917, #19074)
- •Permission profiles now round-trip across TUI sessions, user turns, MCP sandbox state, shell escalation, and app-server APIs. (#18284, #18285, #18286, #18287, #19231)
- •Model providers now own model discovery, with AWS/Bedrock account state exposed to app clients. (#18950, #19048)
- •
codex exec --jsonnow reports reasoning-token usage for programmatic consumers. (#19308) - •Rollout tracing now records tool, code-mode, session, and multi-agent relationships, with a debug reducer command for inspection. (#18878, #18879, #18880)
- •Interrupting
/reviewand exiting the TUI no longer leaves the interface wedged on delegate startup or unsubscribe. (#18921) - •Exec-server no longer drops buffered output after process exit and now waits correctly for stream closure. (#18946, #19130)
- •App-server now respects explicitly untrusted project config instead of auto-persisting trust. (#18626)
- •WebSocket app-server clients are less likely to disconnect during bursts of turn and tool-output notifications. (#19246)
- •Windows sandbox startup handles multiple CLI versions and installed app directories better, and background
Start-Processcalls avoid visible PowerShell windows. (#19044, #19180, #19214) - •Config/schema handling now rejects conflicting MultiAgentV2 thread limits, resolves relative agent-role config paths, hides unsupported MCP bearer-token fields, and rejects invalid
js_replimage MIME types. (#19129, #19261, #19294, #19292) - •App-server docs and generated schemas were refreshed for the new transport, thread, marketplace, sticky environment, and permission-profile APIs. (#18255, #18897, #19014, #19074, #19231)
- •Rollout-trace documentation now covers the debug trace reduction workflow. (#18880)
- •Refreshed
models.jsonand related core, app-server, SDK, and TUI fixtures for the latest model catalog and reasoning defaults. (#19323)
0.124.0
April 23, 2026
- •The TUI now has quick reasoning controls:
Alt+,lowers reasoning,Alt+.raises it, and accepted model upgrades now reset reasoning to the new model’s default instead of carrying over stale settings. (#18866, #19085) - •App-server sessions can now manage multiple environments and choose an environment and working directory per turn, which makes multi-workspace and remote setups easier to target precisely. (#18401, #18416)
- •Added first-class Amazon Bedrock support for OpenAI-compatible providers, including AWS SigV4 signing and AWS credential-based auth. (#17820)
- •Remote plugin marketplaces can now be listed and read directly, with more reliable detail lookups and larger result pages. (#18452, #19079)
- •Hooks are now stable, can be configured inline in
config.tomland managedrequirements.toml, and can observe MCP tools as well asapply_patchand long-running Bash sessions. (#18893, #18385, #18391, #18888, #19012) - •Eligible ChatGPT plans now default to the Fast service tier unless you explicitly opt out. (#19053)
- •Preserved Cloudflare cookies across approved ChatGPT hosts, reducing auth breakage in HTTP-backed ChatGPT flows. (#17783)
- •Fixed remote app-server reliability issues so websocket events keep draining under load and shutdown no longer fails when the remote worker exits during cleanup. (#18932, #18936)
- •Fixed permission-mode drift so
/permissionschanges survive side conversations and updated Full Access state is correctly reflected in MCP approval handling. (#18924, #19033) - •Fixed
wait_agentso it returns promptly when mailbox work is already queued instead of waiting for a fresh notification or timing out. (#18968) - •Fixed local stdio MCP launches for relative commands without an explicit
cwd, bringing fallback path resolution in line with CLI behavior. (#19031) - •Startup now fails less often on managed config edge cases: unknown feature requirements warn instead of aborting, and cloud-requirements errors are clearer about what failed. (#19038, #19078)
0.123.0
April 23, 2026
- •Added a built-in
amazon-bedrockmodel provider with configurable AWS profile support (#18744). - •Added
/mcp verbosefor full MCP server diagnostics, resources, and resource templates while keeping plain/mcpfast (#18610). - •Made plugin MCP loading accept both
mcpServersand top-level server maps in.mcp.json(#18780). - •Improved realtime handoffs so background agents receive transcript deltas and can explicitly stay silent when appropriate (#18597, #18761, #18635).
- •Added host-specific
remote_sandbox_configrequirements for remote environments (#18763). - •Refreshed bundled model metadata, including the current
gpt-5.4default (#18586, #18388, #18719). - •Fixed
/copyafter rollback so it copies the latest visible assistant response, not a pre-rollback response (#18739). - •Queued normal follow-up text submitted while a manual shell command is running, preventing stuck
Workingstates (#18820). - •Fixed Unicode/dead-key input in VS Code WSL terminals by disabling the enhanced keyboard mode there (#18741).
- •Prevented stale proxy environment variables from being restored from shell snapshots (#17271).
- •Made
codex execinherit root-level shared flags such as sandbox and model options (#18630). - •Removed leaked review prompts from TUI transcripts (#18659).
- •Added and tightened the Code Review skill instructions used by Codex-driven reviews (#18746, #18818).
- •Documented intentional await-across-lock cases and enabled Clippy linting for them (#18423, #18698).
- •Updated app-server protocol docs for threadless MCP resource reads and namespaced dynamic tools (#18292, #18413).
0.122.0
April 20, 2026
- •Standalone installs are more self-contained, and
codex appnow opens or installs Desktop correctly on Windows and Intel Macs (#17022, #18500). - •The TUI can open
/sideconversations for quick side questions, and queued input now supports slash commands and!shell prompts while work is running (#18190, #18542). - •Plan Mode can start implementation in a fresh context, with context-usage shown before deciding whether to carry the planning thread forward (#17499, #18573).
- •Plugin workflows now include tabbed browsing, inline enable/disable toggles, marketplace removal, and remote, cross-repo, or local marketplace sources (#18222, #18395, #17752, #17751, #17277, #18017, #18246).
- •Filesystem permissions now support deny-read glob policies, managed deny-read requirements, platform sandbox enforcement, and isolated
codex execruns that ignore user config or rules (#15979, #17740, #18096, #18646). - •Tool discovery and image generation are now enabled by default, with higher-detail image handling and original-detail metadata support for MCP and
js_replimage outputs (#17854, #17153, #17714, #18386). - •App-server approvals, user-input prompts, and MCP elicitations now disappear from the TUI when another client resolves them, instead of leaving stale prompts behind (#15134).
- •Remote-control startup now tolerates missing ChatGPT auth, and MCP startup cancellation works again through app-server sessions (#18117, #18078).
- •Resumed and forked app-server threads now replay token usage immediately so context/status UI starts with the restored state (#18023).
- •Security-sensitive flows were tightened: logout revokes managed ChatGPT tokens, project hooks and exec policies require trusted workspaces, and Windows sandbox setup avoids broad user-profile and SSH-root grants (#17825, #14718, #18443, #18493).
- •Sandboxed
apply_patchwrites work correctly with split filesystem policies, and file watchers now notice files created after watching begins (#18296, #18492). - •Several TUI rough edges were fixed, including fatal skills-list failures, invalid resume hints, duplicate context statusline entries,
/modelmenu loops, redundant memory notices, and terminal title quoting in iTerm2 (#18061, #18059, #18054, #18154, #18580, #18261). - •Added a security-boundaries reference to
SECURITY.mdfor sandboxing, approvals, and network controls (#17848, #18004). - •Documented custom MCP server approval defaults and exec-server stdin behavior (#17843, #18086).
- •Updated app-server docs for plugin API changes, marketplace removal, resume/fork token-usage replay, and warning notifications (#17277, #17751, #18023, #18298).
0.121.0
April 15, 2026
- •Added
codex marketplace addand app-server support for installing plugin marketplaces from GitHub, git URLs, local directories, and directmarketplace.jsonURLs (#17087, #17717, #17756). - •Added TUI prompt history improvements, including
Ctrl+Rreverse search and local recall for accepted slash commands (#17550, #17336). - •Added TUI and app-server controls for memory mode, memory reset/deletion, and memory-extension cleanup (#17632, #17626, #17913, #17937, #17844).
- •Expanded MCP/plugin support with MCP Apps tool calls, namespaced MCP registration, parallel-call opt-in, and sandbox-state metadata for MCP servers (#17364, #17404, #17667, #17763).
- •Added realtime and app-server APIs for output modality, transcript completion events, raw turn item injection, and symlink-aware filesystem metadata (#17701, #17703, #17719).
- •Added a secure devcontainer profile with bubblewrap support, plus macOS sandbox allowlists for Unix sockets (#10431, #17547, #17654).
- •Fixed macOS sandbox/proxy handling for private DNS and removed the
danger-full-accessdenylist-only network mode (#17370, #17732). - •Fixed Windows cwd/session matching so
resume --lastandthread/listwork when paths use verbatim prefixes (#17414). - •Fixed rate-limit/account handling for
proliteplans and made unknown WHAM plan values decodable (#17419). - •Made Guardian timeouts distinct from policy denials, with timeout-specific guidance and visible TUI history entries (#17381, #17486, #17521, #17557).
- •Stabilized app-server behavior by avoiding premature thread unloads, tolerating failed trust persistence on startup, and skipping broken symlinks in
fs/readDirectory(#17398, #17595, #17907). - •Fixed MCP/tool-call edge cases including flattened deferred tool names, elicitation timeout accounting, and empty namespace descriptions (#17556, #17566, #17946).
- •Documented the secure devcontainer profile and its bubblewrap requirements (#10431, #17547).
- •Added TUI composer documentation for history search behavior (#17550).
- •Updated app-server docs for new MCP, marketplace, turn injection, memory reset, filesystem metadata, external-agent migration, and websocket token-hash APIs (#17364, #17717, #17703, #17913, #17719, #17855, #17871).
0.120.0
April 11, 2026
- •Realtime V2 can now stream background agent progress while work is still running and queue follow-up responses until the active response completes (#17264, #17306)
- •Hook activity in the TUI is easier to scan, with live running hooks shown separately and completed hook output kept only when useful (#17266)
- •Custom TUI status lines can include the renamed thread title (#17187)
- •Code-mode tool declarations now include MCP
outputSchemadetails so structured tool results are typed more precisely (#17210) - •SessionStart hooks can distinguish sessions created by
/clearfrom fresh startup or resume sessions (#17073) - •Fixed Windows elevated sandbox handling for split filesystem policies, including read-only carveouts under writable roots (#14568)
- •Fixed sandbox permission handling for symlinked writable roots and carveouts, preventing failures in shell and
apply_patchworkflows (#15981) - •Fixed
codex --remote wss://...panics by installing the Rustls crypto provider before TLS websocket connections (#17288) - •Preserved tool search result ordering instead of alphabetically reordering results (#17263)
- •Fixed live Stop-hook prompts so they appear immediately instead of only after thread history reloads (#17189)
- •Fixed app-server MCP cleanup on disconnect so unsubscribed threads and resources are torn down correctly (#17223)
- •Documented the elevated vs restricted-token Windows sandbox support split in the core README (#14568)
- •Updated app-server protocol documentation for the new
/clearSessionStart source (#17073) - •Made rollout recording more reliable by retrying failed flushes and surfacing durability failures instead of dropping buffered items (#17214)
- •Added analytics schemas and metadata wiring for compaction and Guardian review events (#17155, #17055)
0.119.0
April 10, 2026
- •Realtime voice sessions now default to the v2 WebRTC path, with configurable transport, voice selection, native TUI media support, and app-server coverage for the new flow (#16960, #17057, #17058, #17093, #17097, #17145, #17165, #17176, #17183, #17188).
- •MCP Apps and custom MCP servers gained richer support, including resource reads, tool-call metadata, custom-server tool search, server-driven elicitations, file-parameter uploads, and more reliable plugin cache refreshes (#16082, #16465, #16944, #17043, #15197, #16191, #16947).
- •Remote/app-server workflows now support egress websocket transport, remote
--cdforwarding, runtime remote-control enablement, sandbox-aware filesystem APIs, and an experimentalcodex exec-serversubcommand (#15951, #16700, #16973, #16751, #17059, #17142, #17162). - •The TUI can copy the latest agent response with
Ctrl+O, including better clipboard behavior over SSH and across platforms (#16966). - •
/resumecan now jump directly to a session by ID or name from the TUI (#17222). - •TUI notifications are more configurable, including Warp OSC 9 support and an opt-in mode for notifications even while the terminal is focused (#17174, #17175).
- •The TUI starts faster by fetching rate limits asynchronously, and
/statusnow refreshes stale limits instead of showing frozen or misleading quota information (#16201, #17039). - •Resume flows are more stable: the picker no longer flashes false empty states, uses fresher thread names, stabilizes timestamp labels, preserves resume hints on zero-token exits, and avoids crashing when resuming the current thread (#16591, #16601, #16822, #16987, #17086).
- •Composer and chat behavior are smoother, including fixed paste teardown, CJK word navigation, stale
/copyoutput, percent-decoded local file links, and clearer truncated exec-output hints (#16202, #16829, #16648, #16810, #17076). - •Fast Mode no longer stays stuck on after
/fast offin app-server-backed TUI sessions (#16833). - •MCP status and startup are less noisy and faster: hyphenated server names list tools correctly,
/mcpavoids slow full inventory probes, disabled servers skip auth probing, and residency headers are honored bycodex mcp-server(#16674, #16831, #17098, #16952). - •Sandbox, network, and platform edge cases were tightened, including clearer read-only
apply_patcherrors, refreshed network proxy policy after sandbox changes, suppressed irrelevant bubblewrap warnings, a macOS HTTP-client sandbox panic fix, and Windows firewall address handling (#16885, #17040, #16667, #16670, #17053). - •The README now uses the current ChatGPT Business plan name (#16348).
- •Developer guidance for
argument_comment_lintwas updated to favor getting CI started instead of blocking on slow local lint runs (#16375). - •Obsolete
codex-cliREADME content was removed to avoid stale setup guidance (#17096).