Codex Updates & Release Notes

New Features

• Goals are now enabled by default, backed by dedicated storage, and track progress across active turns. (#23300, #23685, #23696, #23732)
• codex remote-control now runs like a foreground command, waits for readiness, reports machine status, and keeps explicit daemon-style start/stop commands. (#22878)
• Permission profiles gained list APIs, inheritance, managed requirements.toml support, runtime refresh behavior, and stronger Windows sandbox integration. (#22928, #23412, #22270, #23433, #22931, #23715)
• Plugin discovery is easier to inspect, with marketplace-aware list output, installed versions, visible marketplace roots, and remote collection support. (#23372, #23584, #23727, #23730)
• Extensions can observe more lifecycle events, including subagent start/stop, tool execution, turn metadata, and async approval/turn processing. (#22782, #22873, #23309, #23688, #23690, #23692)

Bug Fixes

• Fixed TUI startup choosing the wrong working directory when reusing a local app-server socket. (#23538)
• Fixed plan-mode free-form answers so modified Enter keys, like Shift+Enter, no longer submit unexpectedly. (#23536)
• Removed stale background terminal poll events after a process exits. (#23231)
• Preserved raw code-mode exec output unless an explicit output token limit is requested. (#23564)
• Made AGENTS instruction loading more reliable, including local global reads and warnings for invalid UTF-8 instead of silent drops. (#23343, #23232)
• Fixed app-server startup/shutdown races, empty resume/fork paths, plugin upgrade failures, and realtime v1 websocket compatibility. (#23516, #23578, #23400, #23356, #23771)

Documentation

• Added clearer plugin-creator guidance for updating and reinstalling local personal plugins. (#23542)
• Expanded app-server/API docs and schema coverage around managed permission profile requirements. (#23433, #23555)

Chores

• Added a canonical Codex package archive pipeline and moved installers, npm packages, DotSlash, and SDK runtimes toward that shared layout. (#23513, #23582, #23586, #23596, #23635, #23636, #23637, #23638, #23786)
• Fixed Linux Python runtime wheel tags so glibc-based systems can install the runtime artifacts. (#21812)
• Improved release and CI reliability with package-builder tests, prebuilt resource packaging, DotSlash zstd handling, platform-sharded Rust tests, and Codex Linux release runners. (#23760, #23759, #23752, #23358, #23761)

Changelog

Full Changelog:
rust-v0.132.0...rust-v0.133.0

• codex: route global AGENTS reads through LOCAL_FS (@starr-openai)
• fix: default unknown tool schemas to empty schemas (@celia-oai)
• Add tool lifecycle extension contributor (@jif-oai)
• Reduce rust-ci-full Windows nextest timeout flakes (@starr-openai)
• Improve codex remote-control CLI UX (@owenlin0)
• Publish Linux runtime wheels with glibc-compatible tags (@aibrahim-oai)
• [codex] Trim unused TurnContextItem fields (@pakrym-oai)
• Include plugin id in plugin MCP tool metadata (@mzeng-openai)
• [codex] Move pending input into input queue (@pakrym-oai)
• fix(tui): warn on unsupported iTerm2 pet versions (@fcoury-oai)
• [codex-analytics] preserve user thread source for exec threads (@marksteinbrick-oai)
• app-server: use profile ids in v2 permission params (@bolinfest)
• [codex] Remove external websocket session resets (@pakrym-oai)
• cleanup: Remove skill env var dependency prompting (@xl-openai)
• Remove ToolSearch feature toggle (@sayan-oai)
• [1 of 7] Add thread settings to UserInput (@etraut-openai)
• [2 of 7] Remove UserInputWithTurnContext (@etraut-openai)
• [3 of 7] Remove UserTurn (@etraut-openai)
• [codex] Extract turn skill and plugin injections (@pakrym-oai)
• fix(plugins): keep version upgrades additive (@iceweasel-oai)
• [5 of 7] Replace OverrideTurnContext with ThreadSettings (@etraut-openai)
• CI: Customize v8 building (@cconger)
• Remove explicit connector tool undeferral (@sayan-oai)
• core: expose permission profile picker metadata (@viyatb-oai)
• Preserve context baselines for full-history agent forks (@jif-oai)
• feat: dedicated goal DB (@jif-oai)
• Remove ToolsConfig from tool planning (@jif-oai)
• Add body_after_prefix auto-compact token limit scope (@jif-oai)
• Defer v1 multi-agent tools behind tool search (@jif-oai)
• [codex] Allow empty turn/start requests (@pakrym-oai)
• [codex] Move hook request plumbing into hook runtime (@pakrym-oai)
• [codex] Preserve steer input as user input (@pakrym-oai)
• [2 of 4] tui: route app and skill enablement through app server (@etraut-openai)
• [codex] Make contextual user fragments dyn-renderable (@pakrym-oai)
• chore: namespace v1 sub-agent tools (@jif-oai)
• Make deny canonical for filesystem permission entries (@viyatb-oai)
• Harden CLI rate limit window labels (@ase-openai)
• Add SubagentStart hook (@abhinav-oai)
• build: add Codex package builder (@bolinfest)
• Make local environment optional in EnvironmentManager (@starr-openai)
• Refactor exec-server websocket pump (@starr-openai)
• fix(tui): preserve modified enter in plan questions (@fcoury-oai)
• Fix empty rollout path app-server handling (@wiltzius-openai)
• Route local-only app-server gating through processors (@starr-openai)
• Split plugin install discovery into list and request tools (@mzeng-openai)
• fix: serialize unix app-server startup (@efrazer-oai)
• [codex] Honor role-defined spawn service tiers (@aibrahim-oai)
• Add CUA requirements subsection for locked computer use (@adams-oai)
• Fix: TUI starting in wrong CWD (@canvrno-oai)
• build: fetch rg for Codex packages (@bolinfest)
• Remove unused ARC monitor path (@mzeng-openai)
• test: fix multi-agent service tier assertion (@bolinfest)
• build: default Codex package target and output (@bolinfest)
• Fan out rust-ci-full nextest by platform (@starr-openai)
• feat: expose codex-app-server version flag (@bolinfest)
• feat: add permission profile list api (@viyatb-oai)
• Move plugin and skill warmup into session startup (@aibrahim-oai)
• Fix stale background terminal poll events (@etraut-openai)
• [codex] Preserve raw code-mode exec output by default (@aibrahim-oai)
• Warn on invalid UTF-8 in AGENTS.md files (@etraut-openai)
• feat: Add vertical remote plugin collection support (@xl-openai)
• build: package prebuilt Codex entrypoints (@bolinfest)
• ci: build Codex package archives in release workflow (@bolinfest)
• runtime: detect Codex package layout (@bolinfest)
• add encryptedcontent to functioncalloutput (@sayan-oai)
• Migrate exec-server remote registration to environments (@richardopenai)
• Add timeout for remote compaction requests (@jif-oai)
• feat: rename 1 (@jif-oai)
• feat: rename 3 (@jif-oai)
• feat: rename 2 (@jif-oai)
• fix: main (@jif-oai)
• feat: wire goal extension tools to the dedicated goal store (@jif-oai)
• feat: async approval contrib (@jif-oai)
• feat: async turn item process (@jif-oai)
• feat: expose turn-start metadata to extensions (@jif-oai)
• [codex] Hide deferred tools from code mode prompt (@pakrym-oai)
• runtime: use install context for bundled bwrap (@bolinfest)
• [codex] List marketplaces considered by plugi... (@iceweasel-oai)

Appshots are now available in the Codex app on macOS. Press both Command keys to send the frontmost app window to Codex with a screenshot and available text, so Codex can work from context in another app without you copying, pasting, or describing it manually.

This launch also includes:

• Goal mode is no longer an experimental feature and is available in the Codex app, IDE extension, and CLI. With Goal mode, you can have Codex drive toward a specific objective for hours or even days.
• Remote computer use, so Codex can use desktop apps after your Mac locks, including remotely via Codex Mobile. Codex scopes locked use to active, trusted computer use turns and includes safeguards such as short-lived authorization, covered displays, relock on local input, and manual-unlock fallback.
• Plugin sharing through marketplace sources is available for ChatGPT Business. Enterprise support is coming soon. Teams can distribute reusable plugin bundles that include skills, app integrations, and MCP servers.
• Advanced in-app browser annotations let you tweak styling such as font size, colors, and spacing directly using annotations. This gives Codex a clearer signal for changes.
• Browser-use improvements across in-app browser & Chrome:
  • Codex can now download and extract all image assets from a page much more quickly.
  • Codex can now extract structured data from pages more effectively and find information more quickly with a read-only JS sandbox.
• Chrome extension will create less clutter when using it. Codex will no longer create tab groups when taking over existing tabs, and at the end of a task for handoff. Instead, it uses tab icons to indicate status.
• Significantly improved reliability for browser use. We fixed bugs on Windows, flaky availability of the plugin to non geo-blocked regions, and many other issues impacting performance.

New Features

• The TUI now offers richer session controls and display: data-driven service-tier commands, blended token usage, permissions/approval mode, effective workspace roots, and responsive Markdown tables. (#21745, #21906, #21991, #21669, #21677, #22052, #22612)
• @mentions now search files, directories, plugins, and skills in one picker, backed by app-server plugin metadata. (#19068, #22375)
• Plugin workflows gained marketplace CLI commands, version-aware sharing, share checkout, clearer shared-workspace buckets, and default-enabled plugin hooks. (#21396, #22397, #22425, #22435, #22549)
• Remote workflows now support daemon-managed codex remote-control, runtime enable/disable APIs, status reads, and registry-backed/configured remote environments. (#20718, #22218, #22562, #22578, #22877, #20667, #21323)
• The Python SDK moved to openai-codex/openai_codex, with pinned runtime-generated types, concurrent turn routing, approval modes, and integration coverage. (#21778, #21891, #21893, #21896, #21905, #21910, #22014)
• Added codex doctor for support-ready diagnostics across runtime, auth, terminal, network, config, and local state. (#22336)

Bug Fixes

• Fixed several TUI interaction and rendering issues, including URL wrapping, light-mode selection contrast, Shift+Enter in tmux, /review MCP startup status, /side Esc handling, and network approval history text. (#21760, #21950, #21943, #21624, #22710, #22229)
• Hardened Windows sandbox behavior around deny-read rules, scoped write roots, ineffective firewall policy, and PowerShell edge cases. (#18202, #21479, #22353, #21400, #22643)
• Preserved managed read restrictions during permission escalation and cleaned up workspace-root permission profile resolution. (#15977, #22624, #22683)
• Made app-server and local state startup safer by preserving SQLite data, failing closed when state cannot open, adding recovery paths, and softening optional metadata sync failures. (#21831, #21847, #22580, #22734, #22899)
• Improved Git and auth reliability by using root worktree hooks consistently, ignoring repo hook/fsmonitor config in helper commands, binding local MCP OAuth callbacks, and revoking superseded login tokens. (#21969, #22843, #22652, #20237, #21747)
• Reduced remote and Windows cleanup friction with longer exec-server transport timeouts, quieter taskkill cleanup, and non-queued plugin reads. (#21825, #21759, #22058, #22703)

Documentation

• Clarified that general Codex product docs should not be added to this repo, while app-server API docs remain in scope. (#21772)
• Updated plugin-creator guidance for the simplified local plugin handoff links. (#22240)
• Documented new app-server/API contracts for remote environments and the desktop-owned config namespace. (#21323, #22584)

Chores

• Improved CI and release reliability across Rust CI, exact PR-head checkout, Windows Bazel sharding, unsigned macOS artifacts, and signed macOS promotion. (#21604, #21628, #21835, #22408, #22559, #22649, #22737, #22788, #22900)
• Split large TUI ChatWidget, history, and composer code into focused modules without intended behavior changes. (#21866, #22269, #22407, #22433, #22518, #22537, #22704, #22581, #22656)
• Continued extracting extension and tool internals, including shared tool contracts plus guardian and memory extension plumbing. (#21736, #21737, #21738, #22138, #22147, #22216, #22258, #22344, #22476, #22480, #22485, #22498)
• Removed obsolete tool paths, feature flags, config gates, and legacy hooks as defaults stabilized. (#21651, #21805, #22173, #22246, #22565, #22711, #22717, #22724, #22730)

Changelog

Full Changelog:

rust-v0.130.0...rust-v0.131.0

New Features

• Plugin details now show bundled hooks, and plugin sharing exposes link metadata plus discoverability controls. (#21447, #21495, #21637)
• Added codex remote-control as a simpler entrypoint for starting a headless, remotely controllable app-server. (#21424)
• App-server clients can page large threads with unloaded, summary, or full turn item views. (#21566)
• Bedrock auth can now use AWS console-login credentials from aws login profiles. (#21623)
• view_image can resolve files through the selected environment for multi-environment sessions. (#21143)

Bug Fixes

• Live app-server threads now pick up config changes without requiring a restart. (#21187)
• Turn diffs stay accurate across apply-patch operations, including partial failures that still mutated files. (#21180, #21518)
• Thread summaries, renames, resume, and fork paths work better through ThreadStore, including threads without local rollout paths. (#21264, #21265, #21266)
• Remote compaction now emits response.processed for v2 streams and avoids sending service_tier on API-key compact requests. (#21642, #21676)
• Windows sandbox setup now grants sandbox users access to the desktop runtime binary cache. (#21564)
• Removed stale “research preview” wording from the codex exec startup banner. (#21683)

Documentation

• Fixed issue templates so CLI reports keep the intended guidance, labels apply correctly, and feature requests link to the right contributing docs. (#21685, #21686, #21688)
• Updated install and tooling docs to consistently use cargo install --locked. (#21592)

Chores

• Added a faster Cargo profiling build profile and disabled empty doctest targets to speed up Rust development loops. (#21574, #21584)
• Hardened dependency and CI hygiene with fully qualified GitHub Action pins, a Dependabot cooldown, and a cargo-shear upgrade. (#21436, #21547, #21599)
• Simplified internal surfaces by removing unused device-key APIs, extra skills roots, the remote thread-store implementation, and string-keyed MCP tool maps. (#21487, #21485, #21596, #21454)
• Added configurable OpenTelemetry trace metadata and richer review/feedback analytics for better debugging and triage. (#21556, #18747, #21434, #21498)

Changelog

Full Changelog: rust-v0.129.0...rust-v0.130.0

New features

• Added an in-app trust review flow for hooks and kept Hooks settings reachable even before hooks are fully configured.

Performance improvements and bug fixes

• Restored tooltip-wrapped dropdowns that could stop opening after the tooltip rewrite.

• Preserved in-progress message edits across thread switches.

• Fixed several desktop workflow regressions, including

  Ctrl+V

  paste in the Windows terminal, opening modified external links outside the in-app browser, and keeping feedback slash commands attached to the right thread.

• Improved loading and panel polish by showing model loading while a thread resumes, hiding unavailable model controls during load, and bundling summary-panel layout and hover fixes.

• Kept the Computer Use settings control visible even when uninstalled and disabled problematic extension hover panels.

• Additional performance improvements and bug fixes.

New features

• Added dictation cleanup plus a configurable dictation dictionary for names, file paths, and code symbols.
• Added zoom and download controls to the image lightbox.

Performance improvements and bug fixes

• Improved voice and dictation error messages for microphone, connection, and quota failures.
• Fixed in-app browser comment markers so they stay aligned across scrolling, zoom, and responsive layout changes.
• Made pull request creation and recovery flows more reliable by preserving newly created pull request state, classifying more app-server failures as restart-required, and stopping exhausted remote reconnect loops.
• Additional performance improvements and bug fixes.

New Features

• The TUI now supports modal Vim editing in the composer, including /vim, default-mode config, and Vim-specific keymap contexts. (#18595)
• TUI workflows are easier to resume and copy from with a redesigned resume/fork picker, raw scrollback mode, /ide context injection, and workspace-aware /diff. (#20065, #20819, #20294, #21001)
• The status line can show theme-aware colors plus optional PR and branch-change summaries, and /keymap debug helps inspect terminal key events. (#19631, #20892, #20794)
• Plugin management now supports workspace sharing, share access controls, source filtering, local share path tracking, marketplace removal/upgrades, remote bundle sync, and admin-disabled status handling. (#20278, #21124, #21419, #20560, #19843, #20478, #20268, #20298)
• Hooks can be browsed and toggled from /hooks, can run before/after compaction, and can add PreToolUse context; Codex Apps auth and eligible MCP elicitations now surface through TUI/Guardian flows. (#19882, #19905, #20692, #19193, #19431)
• Experimental goals are now discoverable, stay paused across resume unless the user opts back in, and show clearer validation and multi-day duration output. (#20083, #20790, #20746, #20558)

Bug Fixes

• Live app-server threads now pick up config changes without requiring a restart. (#21187)
• Turn diffs stay accurate across apply-patch operations, including partial failures that still mutated files. (#21180, #21518)
• Thread summaries, renames, resume, and fork paths work better through ThreadStore, including threads without local rollout paths. (#21264, #21265, #21266)
• Remote compaction now emits response.processed for v2 streams and avoids sending service_tier on API-key compact requests. (#21642, #21676)
• Windows sandbox setup now grants sandbox users access to the desktop runtime binary cache. (#21564)
• Removed stale “research preview” wording from the codex exec startup banner. (#21683)

Documentation

• Fixed issue templates so CLI reports keep the intended guidance, labels apply correctly, and feature requests link to the right contributing docs. (#21685, #21686, #21688)
• Updated install and tooling docs to consistently use cargo install --locked. (#21592)

Chores

• Added a faster Cargo profiling build profile and disabled empty doctest targets to speed up Rust development loops. (#21574, #21584)
• Hardened dependency and CI hygiene with fully qualified GitHub Action pins, a Dependabot cooldown, and a cargo-shear upgrade. (#21436, #21547, #21599)
• Simplified internal surfaces by removing unused device-key APIs, extra skills roots, the remote thread-store implementation, and string-keyed MCP tool maps. (#21487, #21485, #21596, #21454)
• Added configurable OpenTelemetry trace metadata and richer review/feedback analytics for better debugging and triage. (#21556, #18747, #21434, #21498)

Changelog

Full Changelog:

rust-v0.128.0...rust-v0.129.0

New Features

• Added persisted /goal workflows with app-server APIs, model tools, runtime continuation, and TUI controls for create, pause, resume, and clear. (#18073, #18074, #18075, #18076, #18077, #20082)
• Added codex update, configurable TUI keymaps, plan-mode nudges, action-required terminal titles, and active-turn /statusline and /title edits. (#19933, #18593, #19901, #18372, #19917)
• Expanded permission profiles with built-in defaults, sandbox CLI profile selection, cwd controls, and active-profile metadata for clients. (#19900, #20117, #20118, #20095)
• Improved plugin workflows with marketplace installation, remote bundle caching, remote uninstall, plugin-bundled hooks, hook enablement state, and external-agent config import. (#18704, #19914, #19456, #19705, #19840, #19949)
• Added external agent session import, including background imports and imported-session title handling. (#19895, #20284, #20261)
• Made MultiAgentV2 configuration more explicit with thread caps, wait-time controls, root/subagent hints, and v2-specific depth handling. (#19360, #19792, #19805, #20052, #20180)

Bug Fixes

• Fixed several resume and interruption issues, including stale interrupt hangs, persisted provider restoration, large remote resume responses, and slow filtered resume lists. (#18392, #19287, #19920, #19591)
• Improved TUI reliability around terminal resize reflow, markdown list spacing, slash-command popup layout, keyboard cleanup, shell-mode escape, and working status updates. (#18575, #19706, #19511, #19625, #19986, #19939)
• Hardened managed network behavior for deferred denials, proxy bypass defaults, resolved target checks, IPv6 host matching, and git -C approval handling. (#19184, #20002, #19999, #19995, #20085)
• Fixed Windows sandbox and PTY edge cases, including pseudoconsole startup, elevated runner process handling, core shell environment inheritance, and named-pipe validation. (#20042, #19211, #20089, #19283)
• Fixed Bedrock model support for apply_patch, GPT-5.4 reasoning levels, and updated Bedrock GPT-5.4 endpoint/model metadata. (#19416, #19461, #20109)
• Fixed MCP/plugin edge cases around stdio server cleanup, plugin MCP approval persistence, and custom MCP metadata isolation. (#19753, #19537, #19836, #19875)

Documentation

• Updated the bundled OpenAI Docs skill for GPT-5.5, gpt-image-2, and clearer upgrade guidance. (#19407, #19443, #19422)
• Clarified contributor-facing docs, including the PR template, Rust async trait guidance, and README wording. (#19912, #20242, #19514)
• Added a checked-in codex-core public API listing and a ThreadManager sample crate. (#20243, #20141)

Chores

• Published codex-app-server release artifacts, stopped publishing GNU Linux binaries, and increased release workflow timeouts. (#19447, #19445, #20271, #20343)
• Added Codex-pinned versioning for the Python app-server SDK package. (#18996)
• Deprecated --full-auto while steering users toward explicit permission profiles and trust flows. (#20133)
• Stabilized CI and release plumbing with Bazel setup migration, release smoke-test pinning, and updated workflow pins/timeouts. (#19851, #19854, #19472)

Changelog

Full Changelog:

rust-v0.125.0...rust-v0.128.0

New features

• Added a tooltip on realtime delegation messages to clarify that Codex uses the surrounding voice conversation as context.

Performance improvements and bug fixes

• Fixed search in long review files so next and previous results reliably jump to off-screen matches.
• Kept embedded MCP app panels from restarting or losing state during fullscreen changes and thread reloads.
• Fixed several desktop regressions, including tray crashes when the local connection is missing, duplicate macOS fullscreen menu entries, and broken global dictation hotkeys on older macOS versions.
• Additional performance improvements and bug fixes.

New Features

• Added a built-in amazon-bedrock model provider with configurable AWS profile support (#18744).
• Added /mcp verbose for full MCP server diagnostics, resources, and resource templates while keeping plain /mcp fast (#18610).
• Made plugin MCP loading accept both mcpServers and top-level server maps in .mcp.json (#18780).
• Improved realtime handoffs so background agents receive transcript deltas and can explicitly stay silent when appropriate (#18597, #18761, #18635).
• Added host-specific remote_sandbox_config requirements for remote environments (#18763).
• Refreshed bundled model metadata, including the current gpt-5.4 default (#18586, #18388, #18719).

Bug Fixes

• Fixed /copy after rollback so it copies the latest visible assistant response, not a pre-rollback response (#18739).
• Queued normal follow-up text submitted while a manual shell command is running, preventing stuck Working states (#18820).
• Fixed Unicode/dead-key input in VS Code WSL terminals by disabling the enhanced keyboard mode there (#18741).
• Prevented stale proxy environment variables from being restored from shell snapshots (#17271).
• Made codex exec inherit root-level shared flags such as sandbox and model options (#18630).
• Removed leaked review prompts from TUI transcripts (#18659).

Documentation

• Added and tightened the Code Review skill instructions used by Codex-driven reviews (#18746, #18818).
• Documented intentional await-across-lock cases and enabled Clippy linting for them (#18423, #18698).
• Updated app-server protocol docs for threadless MCP resource reads and namespaced dynamic tools (#18292, #18413).

Chores

• Fixed high-severity dependency alerts by pinning patched JS and Rust dependencies (#18167).
• Reduced Rust dev build debug-info overhead while preserving useful backtraces (#18844).
• Refreshed generated Python app-server SDK types from the current schema (#18862).

Changelog

Full Changelog:

rust-v0.122.0...rust-v0.123.0

New features

• Added local branch search and non-image file pasting in the composer.
• Added collapsible sidebar sections, tray usage-limit surfacing, and a command-palette theme switcher.

Performance improvements and bug fixes

• Made review faster and more stable with better diff batching and preserved diff and search state.
• Fixed projectless cwd and permissions handling, default file opening, spreadsheet suggestions, and remote-control reconnect issues.
• Additional performance improvements and bug fixes.

New Features

• App-server integrations now support Unix socket transport, pagination-friendly resume/fork, sticky environments, and remote thread config/store plumbing. (#18255, #18892, #18897, #18908, #19008, #19014)
• App-server plugin management can install remote plugins and upgrade configured marketplaces. (#18917, #19074)
• Permission profiles now round-trip across TUI sessions, user turns, MCP sandbox state, shell escalation, and app-server APIs. (#18284, #18285, #18286, #18287, #19231)
• Model providers now own model discovery, with AWS/Bedrock account state exposed to app clients. (#18950, #19048)
• codex exec --json now reports reasoning-token usage for programmatic consumers. (#19308)
• Rollout tracing now records tool, code-mode, session, and multi-agent relationships, with a debug reducer command for inspection. (#18878, #18879, #18880)

Bug Fixes

• Interrupting /review and exiting the TUI no longer leaves the interface wedged on delegate startup or unsubscribe. (#18921)
• Exec-server no longer drops buffered output after process exit and now waits correctly for stream closure. (#18946, #19130)
• App-server now respects explicitly untrusted project config instead of auto-persisting trust. (#18626)
• WebSocket app-server clients are less likely to disconnect during bursts of turn and tool-output notifications. (#19246)
• Windows sandbox startup handles multiple CLI versions and installed app directories better, and background Start-Process calls avoid visible PowerShell windows. (#19044, #19180, #19214)
• Config/schema handling now rejects conflicting MultiAgentV2 thread limits, resolves relative agent-role config paths, hides unsupported MCP bearer-token fields, and rejects invalid js_repl image MIME types. (#19129, #19261, #19294, #19292)

Documentation

• App-server docs and generated schemas were refreshed for the new transport, thread, marketplace, sticky environment, and permission-profile APIs. (#18255, #18897, #19014, #19074, #19231)
• Rollout-trace documentation now covers the debug trace reduction workflow. (#18880)

Chores

• Refreshed models.json and related core, app-server, SDK, and TUI fixtures for the latest model catalog and reasoning defaults. (#19323)
• Windows Bazel CI now uses a stable PATH and shared query startup path for better cache reuse. (#19161, #19232)
• Plugin marketplace add/remove/startup-sync internals moved out of codex-core, and curated plugin cache versions now use short SHAs. (#19099, #19095)
• Reverted a macOS signing entitlement change after it caused alpha startup failures. (#19167, #19350)
• Stabilized flaky approval-popup and plugin MCP tool-discovery tests. (#19178, #19191)

Changelog

Full Changelog:

rust-v0.124.0...rust-v0.125.0

New Features

• The TUI now has quick reasoning controls: Alt+, lowers reasoning, Alt+. raises it, and accepted model upgrades now reset reasoning to the new model’s default instead of carrying over stale settings. (#18866, #19085)
• App-server sessions can now manage multiple environments and choose an environment and working directory per turn, which makes multi-workspace and remote setups easier to target precisely. (#18401, #18416)
• Added first-class Amazon Bedrock support for OpenAI-compatible providers, including AWS SigV4 signing and AWS credential-based auth. (#17820)
• Remote plugin marketplaces can now be listed and read directly, with more reliable detail lookups and larger result pages. (#18452, #19079)
• Hooks are now stable, can be configured inline in config.toml and managed requirements.toml, and can observe MCP tools as well as apply_patch and long-running Bash sessions. (#18893, #18385, #18391, #18888, #19012)
• Eligible ChatGPT plans now default to the Fast service tier unless you explicitly opt out. (#19053)

Bug Fixes

• Preserved Cloudflare cookies across approved ChatGPT hosts, reducing auth breakage in HTTP-backed ChatGPT flows. (#17783)
• Fixed remote app-server reliability issues so websocket events keep draining under load and shutdown no longer fails when the remote worker exits during cleanup. (#18932, #18936)
• Fixed permission-mode drift so /permissions changes survive side conversations and updated Full Access state is correctly reflected in MCP approval handling. (#18924, #19033)
• Fixed wait_agent so it returns promptly when mailbox work is already queued instead of waiting for a fresh notification or timing out. (#18968)
• Fixed local stdio MCP launches for relative commands without an explicit cwd, bringing fallback path resolution in line with CLI behavior. (#19031)
• Startup now fails less often on managed config edge cases: unknown feature requirements warn instead of aborting, and cloud-requirements errors are clearer about what failed. (#19038, #19078)

Documentation

• Added a security-boundaries reference to SECURITY.md for sandboxing, approvals, and network controls (#17848, #18004)
• Documented custom MCP server approval defaults and exec-server stdin behavior (#17843, #18086)
• Updated app-server docs for plugin API changes, marketplace removal, resume/fork token-usage replay, and warning notifications (#17277, #17751, #18023, #18298)
• Added a short guide for the responses API proxy (#18604)

Chores

• Split plugin and marketplace code into codex-core-plugins, moved more connector code into connectors, and continued breaking up the large core session/turn modules (#18070, #18158, #18200, #18206, #18244, #18249)
• Refactored config loading and AGENTS.md discovery behind narrower filesystem and manager abstractions (#18209, #18035)
• Stabilized Bazel and CI with flake fixes, native Rust test sharding, scoped repository caches, stronger Windows clippy coverage, and updated rules_rs/LLVM pins (#18362, #18612)
• Added core CODEOWNERS and a smaller development build profile (#18362, #18612)
• Removed the stale core models.json and updated release preparation to refresh the active model catalog (#18585)

Changelog

Full Changelog:

rust-v0.123.0...rust-v0.124.0

New Features

• Standalone installs are more self-contained, and codex app now opens or installs Desktop correctly on Windows and Intel Macs (#17022, #18500).
• The TUI can open /side conversations for quick side questions, and queued input now supports slash commands and ! shell prompts while work is running (#18190, #18542).
• Plan Mode can start implementation in a fresh context, with context-usage shown before deciding whether to carry the planning thread forward (#17499, #18573).
• Plugin workflows now include tabbed browsing, inline enable/disable toggles, marketplace removal, and remote, cross-repo, or local marketplace sources (#18222, #18395, #17752, #17751, #17277, #18017, #18246).
• Filesystem permissions now support deny-read glob policies, managed deny-read requirements, platform sandbox enforcement, and isolated codex exec runs that ignore user config or rules (#15979, #17740, #18096, #18646).
• Tool discovery and image generation are now enabled by default, with higher-detail image handling and original-detail metadata support for MCP and js_repl image outputs (#17854, #17153, #17714, #18386).

Bug Fixes

• App-server approvals, user-input prompts, and MCP elicitations now disappear from the TUI when another client resolves them, instead of leaving stale prompts behind (#15134).
• Remote-control startup now tolerates missing ChatGPT auth, and MCP startup cancellation works again through app-server sessions (#18117, #18078).
• Resumed and forked app-server threads now replay token usage immediately so context/status UI starts with the restored state (#18023).
• Security-sensitive flows were tightened: logout revokes managed ChatGPT tokens, project hooks and exec policies require trusted workspaces, and Windows sandbox setup avoids broad user-profile and SSH-root grants (#17825, #14718, #18443, #18493).
• Sandboxed apply_patch writes work correctly with split filesystem policies, and file watchers now notice files created after watching begins (#18296, #18492).
• Several TUI rough edges were fixed, including fatal skills-list failures, invalid resume hints, duplicate context statusline entries, /model menu loops, redundant memory notices, and terminal title quoting in iTerm2 (#18061, #18059, #18054, #18154, #18580, #18261).

Documentation

• Added a security-boundaries reference to SECURITY.md for sandboxing, approvals, and network controls (#17848, #18004).
• Documented custom MCP server approval defaults and exec-server stdin behavior (#17843, #18086).
• Updated app-server docs for plugin API changes, marketplace removal, resume/fork token-usage replay, and warning notifications (#17277, #17751, #18023, #18298).
• Added a short guide for the responses API proxy (#18604).

Chores

• Split plugin and marketplace code into codex-core-plugins, moved more connector code into connectors, and continued breaking up the large core session/turn modules (#18070, #18158, #18200, #18206, #18244, #18249).
• Refactored config loading and AGENTS.md discovery behind narrower filesystem and manager abstractions (#18209, #18035).
• Stabilized Bazel and CI with flake fixes, native Rust test sharding, scoped repository caches, stronger Windows clippy coverage, and updated rules_rs/LLVM pins (#18362, #18612).
• Added core CODEOWNERS and a smaller development build profile (#18362, #18612).
• Removed the stale core models.json and updated release preparation to refresh the active model catalog (#18585).

Changelog

Full Changelog:

rust-v0.121.0...rust-v0.122.0