Codex Release Notes

New Features

• Windows sandbox runs can now enforce proxy-only networking with OS-level egress rules, instead of relying on environment variables alone. (#12220)
• App-server clients can now start ChatGPT sign-in with a device code flow, which helps when browser callback login is unreliable or unavailable. (#15525)
• codex exec now supports the prompt-plus-stdin workflow, so you can pipe input and still pass a separate prompt on the command line. (#15917)
• Custom model providers can now fetch and refresh short-lived bearer tokens dynamically, instead of being limited to static credentials from config or environment variables. (#16286, #16287, #16288)

Bug Fixes

• Project-local .codex files are now protected even on first creation, closing a gap where the initial write could bypass normal approval checks. (#15067)
• Linux sandbox launches are more reliable because Codex once again finds a trusted system bwrap on normal multi-entry PATHs. (#15791, #15973)
• The app-server-backed TUI regained several missing workflows: hook notifications replay correctly, /copy and /resume work again, /agent no longer shows stale threads, and the skills picker scrolls past the first page. (#16013, #16021, #16050, #16014, #16109, #16110)
• MCP startup is more robust: local servers get a longer startup window, and failed handshakes surface warnings in the TUI again instead of looking like clean startups. (#16080, #16041)
• On Windows, apply_patch is less likely to fail because it no longer adds redundant writable roots that could trigger unnecessary ACL churn. (#16030)

Changelog

Full Changelog: rust-v0.117.0...rust-v0.118.0

• #15891 [plugins] Polish tool suggest prompts. (@mzeng-openai)
• #15791 fix: resolve bwrap from trusted PATH entry (@viyatb-oai)
• #15900 skills: remove unused skill permission metadata (@bolinfest)
• #15811 app-server: Split transport module (@euroelessar)
• #15067 Protect first-time project .codex creation across Linux and macOS sandboxes (@rreichel3-oai)
• #15903 [codex] import token_data from codex-login directly (@bolinfest)
• #15897 sandboxing: use OsString for SandboxCommand.program (@bolinfest)
• #15910 docs: update AGENTS.md to discourage adding code to codex-core (@bolinfest)
• #15898 chore: move bwrap config helpers into dedicated module (@viyatb-oai)
• #15906 chore: remove skill metadata from command approval payloads (@bolinfest)
• #15909 fix(network-proxy): fail closed on network-proxy DNS lookup errors (@viyatb-oai)
• #14495 Preserve bazel repository cache in github actions (@siggisim)
• #15522 bazel: re-organize bazelrc (@sluongng)
• #15923 codex-tools: extract shared tool schema parsing (@bolinfest)
• #15918 permissions: remove macOS seatbelt extension profiles (@bolinfest)
• #12220 feat(windows-sandbox): add network proxy support (@viyatb-oai)
• #15931 fix: make MACOS_DEFAULT_PREFERENCES_POLICY part of MACOS_SEATBELT_BASE_POLICY (@bolinfest)
• #15933 fix: use matrix.target instead of matrix.os for actions/cache build action (@bolinfest)
• #15928 codex-tools: extract MCP schema adapters (@bolinfest)
• #15948 fix: increase timeout for rust-ci to 45 minutes for now (@bolinfest)
• #15921 [app-server-protocol] introduce generic ClientResponse for app-server-protocol (@rhan-oai)
• #15120 chore: refactor network permissions to use explicit domain and unix socket rule maps (@celia-oai)
• #15525 Add ChatGPT device-code login to app server (@daniel-oai)
• #15876 chore: drop useless stuff (@jif-oai)
• #15954 chore: move pty and windows sandbox to Rust 2024 (@bolinfest)
• #15986 feat: spawn v2 make task name as mandatory (@jif-oai)
• #16000 Use codex-utils-template for login error page (@jif-oai)
• #16001 Use codex-utils-template for review prompts (@jif-oai)
• #15998 Use codex-utils-template for sandbox mode prompts (@jif-oai)
• #15995 Use codex-utils-template for collaboration mode presets (@jif-oai)
• #15996 Use codex-utils-template for search tool descriptions (@jif-oai)
• #15999 Use codex-utils-template for review exit XML (@jif-oai)
• #15985 feat: spawn v2 as inter agent communication (@jif-oai)
• #15973 fix(sandbox): fix bwrap lookup for multi-entry PATH (@viyatb-oai)
• #15944 codex-tools: extract dynamic tool adapters (@bolinfest)
• #15955 ci: add Bazel clippy workflow for codex-rs (@bolinfest)
• #15953 codex-tools: introduce named tool definitions (@bolinfest)
• #16027 fix: fix Windows CI regression introduced in #15999 (@bolinfest)
• #16036 fix: disable plugins in SDK integration tests (@bolinfest)
• #15946 Normalize /mcp tool grouping for hyphenated server names (@pakrym-oai)
• #16035 plugins: Clean up stale curated plugin sync temp dirs and add sync metrics (@xl-openai)
• #15934 Add usage-based business plan types (@bwanner-oai)
• #16031 codex-tools: extract responses API tool models (@bolinfest)
• #16013 Fix tui_app_server hook notification rendering and replay (@etraut-openai)
• #16021 Fix /copy regression in tui_app_server turn completion (@etraut-openai)
• #16044 [mcp] Bypass read-only tool checks. (@mzeng-openai)
• #16030 don't include redundant write roots in apply_patch (@iceweasel-oai)
• #15922 Remove the legacy TUI split (@etraut-openai)
• #15828 [codex] Pin GitHub Actions workflow references (@hintz-openai)
• #16046 ci: run SDK tests with a Bazel-built codex (@bolinfest)
• #16050 Fix tui_app_server resume-by-name lookup regression (@etraut-openai)
• #16014 Fix tui_app_server agent picker closed-state regression (@etraut-openai)
• #16054 chore: clean up argument-comment lint and roll out all-target CI on macOS (@bolinfest)
• #15917 Support Codex CLI stdin piping for codex exec (@jliccini)
• #16057 shell-command: reuse a PowerShell parser process on Windows (@bolinfest)
• #16063 refactor: rewrite argument-comment lint wrappers in Python (@bolinfest)
• #15952 bazel: enable the full Windows gnullvm CI path (@bolinfest)
• #16067 ci: run Bazel clippy on Windows gnullvm (@bolinfest)
• #16071 fix: clean up remaining Windows argument-comment-lint violations (@bolinfest)
• #16072 ci: split fast PR Rust CI from full post-merge Cargo CI (@bolinfest)
• #16074 bazel: add Windows gnullvm stack flags to unit test binaries (@bolinfest)
• #16026 fix(tui): refresh footer on collaboration mode changes (@fcoury)
• #16112 Update PR babysitter skill for review replies and resolution (@etraut-openai)
• #16104 Rename tui_app_server to tui (@etraut-openai)
• #16118 fix: fix comment linter lint violations in Linux-only code (@bolinfest)
• #16106 build: migrate argument-comment-lint to a native Bazel aspect (@bolinfest)
• #16115 Remove remaining custom prompt support (@etraut-openai)
• #16116 Remove the codex-tui app-server originator workaround (@etraut-openai)
• #16047 codex-tools: extract tool spec models (@bolinfest)
• #16128 bazel: refresh the expired macOS SDK pin (@bolinfest)
• #16129 codex-tools: extract configured tool specs (@bolinfest)
• #16130 ci: keep rust-ci-full Windows argument-comment-lint on packaged wrapper (@bolinfest)
• #16126 core: fix stale curated plugin cache refresh races (@bolinfest)
• #16132 codex-tools: extract code mode tool spec adapters (@bolinfest)
• #16136 ci: use BuildBuddy for rust-ci-full non-Windows argument-comment-lint (@bolinfest)
• #16137 exec: make review-policy tests hermetic (@bolinfest)
• #16109 Fix skills picker scrolling in tui app server (@etraut-openai)
• #16138 codex-tools: extract local host tool specs (@bolinfest)
• #16114 Remove TUI voice transcription feature (@etraut-openai)
• #16080 [mcp] Increase MCP startup timeout. (@mzeng-openai)
• #16141 codex-tools: extract collaboration tool specs (@bolinfest)
• #16041 Fix app-server TUI MCP startup warnings regression (@etraut-openai)
• #16110 Fix tui_app_server ghost subagent entries in /agent (@etraut-openai)
• #16154 codex-tools: extract utility tool specs (@bolinfest)
• #16204 [codex] Normalize Windows path in MCP startup snapshot test (@etraut-openai)
• #16010 feat: add mailbox concept for wait (@jif-oai)
• #16237 fix: ma1 (@jif-oai)
• #16193 codex-tools: extract discovery tool specs (@bolinfest)
• #16254 codex-tools: extract discoverable tool models (@bolinfest)
• #16253 fix: close Bazel argument-comment-lint CI gaps (@bolinfest)
• #16225 [codex-analytics] refactor analytics to use reducer architecture (@rhan-oai)
• #16279 Update code mode exec() instructions (@andmis)
• #16120 ci: run Windows argument-comment-lint via native Bazel (@bolinfest)
• #16286 auth: generalize external auth tokens for bearer-only sources (@bolinfest)
• #16287 auth: let AuthManager own external bearer auth (@bolinfest)
• #16288 core: support dynamic auth tokens for model providers (@bolinfest)

New Features

• Plugins are now a first-class workflow: Codex can sync product-scoped plugins at startup, browse them in /plugins, and install or remove them with clearer auth/setup handling. (#15041, #15042, #15195, #15215, #15217, #15264, #15275, #15342, #15580, #15606, #15802)
• Sub-agents now use readable path-based addresses like /root/agent_a, with structured inter-agent messaging and agent listing for multi-agent v2 workflows. (#15313, #15515, #15556, #15570, #15621, #15647)
• The /title terminal-title picker now works in both the classic TUI and the app-server TUI, making parallel sessions easier to tell apart. (#12334, #15860)
• App-server clients can now send ! shell commands, watch filesystem changes, and connect to remote websocket servers with bearer-token auth. (#14988, #14533, #14847, #14853)
• Image workflows got smoother: view_image now returns image URLs for code mode, generated images are reopenable from the TUI, and image-generation history survives resume. (#15072, #15154, #15223)
• Prompt history recall now works in the app-server TUI, including across sessions. (#14945)

Bug Fixes

• tui_app_server no longer duplicates live reasoning summaries or /review output, and it preserves transcript text instead of dropping it under backpressure. (#15758, #15839, #15759)
• ChatGPT login in tui_app_server now opens the local browser again, cancels cleanly on Ctrl+C, and no longer fails startup when you're logged out. (#15672, #15673, #15670)
• Early exits now restore terminal state reliably, avoiding broken shell state after quitting; tmux users also get a working queued-message edit shortcut on Shift+Left. (#15671, #15480)
• Linux sandboxed tool calls are more reliable on older distributions with older bubblewrap, and Windows restricted-token sandboxing now supports more split-policy carveout layouts. (#15693, #14172)
• Fixed an agent job finalization race and reduced status polling churn for worker threads. (#14843)
• Remote multi-agent sessions now show agent names instead of raw IDs and recover more gracefully from stale turn-steering races. (#15513, #15714, #15163)
• Plugin-backed mentions and product gating now behave more predictably, fixing cases where explicit mentions lost context or plugins were filtered incorrectly. (#15372, #15263, #15279)

Documentation

• Expanded the app-server and exec-server docs/schema fixtures to cover exec-server setup, filesystem watch RPCs, realtime transcript notifications, and the new Python thread.run(...) quickstart flow. (#15089, #14533, #15344, #15088)

Chores

• The app-server-backed TUI is now enabled by default, and the plugin/app rollout flags have been flipped on in normal builds. (#15661, #15713, #15719, #15820)
• Removed the legacy artifact tool and retired the old read_file and grep_files handlers as part of ongoing tool-surface cleanup. (#15851, #15864, #15773, #15775)

Changelog

Full Changelog:

rust-v0.116.0...rust-v0.117.0

New Features

• App-server TUI now supports device-code ChatGPT sign-in during onboarding and can refresh existing ChatGPT tokens. (#14952)
• Plugin setup is smoother: Codex can prompt to install missing plugins or connectors, honor a configured suggestion allowlist, and sync install/uninstall state remotely. (#14896, #15022, #14878)
• Added a userpromptsubmit hook so prompts can be blocked or augmented before execution and before they enter history. (#14626)
• Realtime sessions now start with recent thread context and are less likely to self-interrupt during audio playback. (#14829, #14827)

Bug Fixes

• Fixed a first-turn stall where websocket prewarm could delay turn/start; startup now times out and falls back cleanly. (#14838)
• Restored conversation history for remote resume/fork in the app-server TUI and stopped duplicate live transcript output from legacy stream events. (#14930, #14892)
• Improved Linux sandbox startup on symlinked checkouts, missing writable roots, and Ubuntu/AppArmor hosts by preferring system bwrap when available. (#14849, #14890, #14963)
• Fixed an agent job finalization race and reduced status polling churn for worker threads. (#14843)

Documentation

• Refreshed the Python SDK public API docs, examples, and walkthrough around the generated app-server models. (#14446)

Chores

• Pinned the setup-zig GitHub Action to an immutable SHA for more reproducible CI. (#14858)

Changelog

Full Changelog: rust-v0.115.0...rust-v0.116.0

New features

• You can now fork a conversation from an earlier message, not just the latest turn.
• Added slash commands for switching models and reasoning levels, and made slash commands work in the middle of a draft prompt.
• Added notifications for plan mode questions so it’s easier to notice when Codex needs input.

Performance improvements and bug fixes

• Fixed thread handoff and subagent navigation issues across worktrees and the VS Code extension.
• Additional performance improvements and bug fixes.

New Features

• Supported models can now request full-resolution image inspection through both view_image and codex.emitImage(..., detail: "original"), which helps with precision visual tasks. (#14175)
• js_repl now exposes codex.cwd and codex.homeDir, and saved codex.tool(...) / codex.emitImage(...) references keep working across cells. (#14385, #14503)
• Realtime websocket sessions gained a dedicated transcription mode, plus v2 handoff support through the codex tool, with a unified [realtime] session config. (#14554, #14556, #14606)
• The v2 app-server now exposes filesystem RPCs for file reads, writes, copies, directory operations, and path watching, and there is a new Python SDK for integrating with that API. (#14245, #14435)
• Smart Approvals can now route review requests through a guardian subagent in core, app-server, and TUI, reducing repeated setup work on follow-up approvals. (#13860, #14668)
• App integrations now use the Responses API tool-search flow, can suggest missing tools, and fall back cleanly when the active model does not support search-based lookup. (#14274, #14287, #14732)

Bug Fixes

• Spawned subagents now inherit sandbox and network rules more reliably, including project-profile layering, persisted host approvals, and symlinked writable roots. (#14619, #14650, #14674, #14807)
• js_repl no longer hangs when dynamic tool responses contain literal U+2028 or U+2029 characters. (#14421)
• The TUI no longer stalls on exit after creating subagents, and interrupting a turn no longer tears down background terminals by default. (#14816, #14602)
• codex exec --profile once again preserves profile-scoped settings when starting or resuming a thread. (#14524)
• MCP and elicitation flows are more robust, with safer tool-name normalization and preserved tool_params in approval prompts. (#14491, #14605, #14769)
• The local network proxy now serves CONNECT traffic as explicit HTTP/1, improving compatibility with HTTP proxy clients. (#14395)

Chores

• The subagent wait tool is now consistently named wait_agent, aligning it with spawn_agent and send_input. (#14631)

Changelog

Full Changelog:

rust-v0.114.0...rust-v0.115.0

New Features

• Added an experimental code mode for more isolated coding workflows. (#13418)
• Added an experimental hooks engine with SessionStart and Stop hook events. (#13276)
• WebSocket app-server deployments now expose GET /readyz and GET /healthz on the same listener for easier health checks. (#13782)
• Added a config switch to disable bundled system skills entirely. (#13792)
• Handoffs now carry realtime transcript context, which improves continuity when work is transferred between turns. (#14132)
• Improved the $ mention picker by clearly labeling Skills, Apps, and Plugins, and by surfacing plugins first. (#14147, #14163)

Bug Fixes

• Fixed a Linux tmux crash caused by concurrent user-shell lookups. (#13900)
• Fixed apps being enabled in unsupported sessions by tightening the enablement check. (#14011)
• Fixed reopened threads getting stuck as in-progress after quitting mid-run and then resuming later. (#14125)
• Fixed permission handling so legacy workspace-write behavior is preserved and newer permission profiles degrade more safely on older builds. (#13957, #14107)
• Fixed approval flows so granted permissions persist across turns, work with reject-style configs, and are honored by apply_patch. (#14009, #14055, #14118, #14165)

Chores

• Laid the groundwork for the Python SDK’s generated v2 schema types and pinned platform-specific runtime binaries. (#13953)

Changelog

Full Changelog:

rust-v0.113.0...rust-v0.114.0

Themes

Change the Codex app appearance in Settings by choosing a base theme, adjusting accent, background, and foreground colors, and changing the UI and code fonts. You can also share your custom theme with friends.

Revamped Automations

You can now choose whether automations run locally or on a worktree, define custom reasoning levels and models, and use templates to find inspiration for new automations.

Performance improvements and bug fixes

Various bug fixes and performance improvements.