codex

New Features

• Added codex marketplace add and app-server support for installing plugin marketplaces from GitHub, git URLs, local directories, and direct marketplace.json URLs (#17087, #17717, #17756).
• Added TUI prompt history improvements, including Ctrl+R reverse search and local recall for accepted slash commands (#17550, #17336).
• Added TUI and app-server controls for memory mode, memory reset/deletion, and memory-extension cleanup (#17632, #17626, #17913, #17937, #17844).
• Expanded MCP/plugin support with MCP Apps tool calls, namespaced MCP registration, parallel-call opt-in, and sandbox-state metadata for MCP servers (#17364, #17404, #17667, #17763).
• Added realtime and app-server APIs for output modality, transcript completion events, raw turn item injection, and symlink-aware filesystem metadata (#17701, #17703, #17719).
• Added a secure devcontainer profile with bubblewrap support, plus macOS sandbox allowlists for Unix sockets (#10431, #17547, #17654).

Bug Fixes

• Fixed macOS sandbox/proxy handling for private DNS and removed the danger-full-access denylist-only network mode (#17370, #17732).
• Fixed Windows cwd/session matching so resume --last and thread/list work when paths use verbatim prefixes (#17414).
• Fixed rate-limit/account handling for prolite plans and made unknown WHAM plan values decodable (#17419).
• Made Guardian timeouts distinct from policy denials, with timeout-specific guidance and visible TUI history entries (#17381, #17486, #17521, #17557).
• Stabilized app-server behavior by avoiding premature thread unloads, tolerating failed trust persistence on startup, and skipping broken symlinks in fs/readDirectory (#17398, #17595, #17907).
• Fixed MCP/tool-call edge cases including flattened deferred tool names, elicitation timeout accounting, and empty namespace descriptions (#17556, #17566, #17946).

Documentation

• Documented the secure devcontainer profile and its bubblewrap requirements (#10431, #17547).
• Added TUI composer documentation for history search behavior (#17550).
• Updated app-server docs for new MCP, marketplace, turn injection, memory reset, filesystem metadata, external-agent migration, and websocket token-hash APIs (#17364, #17717, #17703, #17913, #17719, #17855, #17871).
• Documented WSL1 bubblewrap limitations and WSL2 behavior (#17559).
• Added memory pipeline documentation for extension cleanup (#17844).

Chores

• Hardened supply-chain and CI inputs by pinning GitHub Actions, cargo installs, git dependencies, V8 checksums, and cargo-deny source allowlists (#17471).
• Added Bazel release-build verification so release-only Rust code is compiled in PR CI (#17704, #17705).
• Introduced the codex-thread-store crate/interface and moved local thread listing behind it (#17659, #17824).
• Required reviewed pnpm dependency build scripts for workspace installs (#17558).
• Reduced Rust maintenance surface with broader absolute-path types and removal of unused helper APIs (#17407, #17792, #17146).

Changelog

Full Changelog: https://github.com/openai/codex/compare/rust-v0.120.0...rust-v0.121.0

• #17087 Add marketplace command @xli-oai
• #17409 Fix Windows exec-server output test flake @etraut-openai
• #17381 representing guardian review timeouts in protocol types @won-openai
• #17399 TUI: enforce core boundary @etraut-openai
• #17370 fix: unblock private DNS in macOS sandbox @viyatb-oai
• #17396 update cloud requirements parse failure msg @alexsong-oai
• #17364 [mcp] Support MCP Apps part 3 - Add mcp tool call support. @mzeng-openai
• #17424 Stabilize marketplace add local source test @ningyi-oai
• #17414 Fix thread/list cwd filtering for Windows verbatim paths @etraut-openai
• #10431 feat(devcontainer): add separate secure customer profile @viyatb-oai
• #17314 Pass turn id with feedback uploads @ningyi-oai
• #17336 fix(tui): recall accepted slash commands locally @fcoury-oai
• #17430 Handle closed TUI input stream as shutdown @etraut-openai
• #17385 Add use_agent_identity feature flag @adrian-openai
• #17483 Update issue labeler agent labels @etraut-openai
• #17493 fix @aibrahim-oai
• #17419 Support prolite plan type @etraut-openai
• #17416 Clear /ps after /stop @etraut-openai
• #17415 Restore codex-tui resume hint on exit @etraut-openai
• #17402 chore: refactor name and namespace to single type @sayan-oai
• #17486 changing decision semantics after guardian timeout @won-openai
• #17521 Clarify guardian timeout guidance @won-openai
• #17547 [codex] Support bubblewrap in secure Docker devcontainer @viyatb-oai
• #17519 Budget realtime current thread context @aibrahim-oai
• #17556 [codex] Support flattened deferred MCP tool calls @fc-oai
• #17558 build(pnpm): require reviewed dependency build scripts @mcgrew-oai
• #17559 fix(sandboxing): reject WSL1 bubblewrap sandboxing @viyatb-oai
• #17520 Mirror user text into realtime @aibrahim-oai
• #17550 feat(tui): add reverse history search to composer @fcoury-oai
• #17420 Remove context status-line meter @etraut-openai
• #17506 Expose instruction sources (AGENTS.md) via app server @etraut-openai
• #17566 fix(mcp) pause timer for elicitations @dylan-hurd-oai
• #17406 Add MCP tool wall time to model output @pakrym-oai
• #17294 Run exec-server fs operations through sandbox helper @starr-openai
• #17605 Stabilize exec-server process tests @etraut-openai
• #17221 feat: ignore keyring on 0.0.0 @jif-oai
• #17216 Build remote exec env from exec-server policy @jif-oai
• #17633 nit: change consolidation model @jif-oai
• #17640 fix: stability exec server @jif-oai
• #17643 fix: dedup compact @jif-oai
• #17247 Make forked agent spawns keep parent model config @friel-openai
• #17470 Fix custom tool output cleanup on stream failure @etraut-openai
• #17417 Emit plan-mode prompt notifications for questionnaires @etraut-openai
• #17481 Wrap status reset timestamps in narrow layouts @etraut-openai
• #17601 Suppress duplicate compaction and terminal wait events @etraut-openai
• #17657 Fix TUI compaction item replay @etraut-openai
• #17595 Do not fail thread start when trust persistence fails @etraut-openai
• #17407 Use AbsolutePathBuf in skill loading and codex_home @pakrym-oai
• #17626 feat: disable memory endpoint @jif-oai
• #17365 Include legacy deny paths in elevated Windows sandbox setup @iceweasel-oai
• #17638 feat: Avoid reloading curated marketplaces for tool-suggest discovera… @jif-oai
• #17398 app-server: Only unload threads which were unused for some time @euroelessar
• #17669 only specify remote ports when the rule needs them @iceweasel-oai
• #17691 Fix tui compilation @davidhao3300
• #17384 Update phase 2 memory model to gpt-5.4 @kliu128
• #17395 Remove unnecessary tests @kliu128
• #17685 Cap realtime mirrored user turns @aibrahim-oai
• #17699 change realtime tool description @aibrahim-oai
• #17667 Add supports_parallel_tool_calls flag to included mcps @josiah-openai
• #17703 Add turn item injection API @pakrym-oai
• #17671 Stabilize exec-server filesystem tests in CI @starr-openai
• #17557 guardian timeout fix pr 3 - ux touch for timeouts @won-openai
• #17719 [codex] Add symlink flag to fs metadata @pakrym-oai
• #17146 [codex] Remove unused Rust helpers @pakrym-oai
• #17471 fix: pin inputs @viyatb-oai
• #17717 [codex] Refactor marketplace add into shared core flow @xli-oai
• #17747 Refactor plugin loading to async @pakrym-oai
• #17709 [codex] Initialize ICU data for code mode V8 @pakrym-oai
• #17749 [codex] drain mailbox only at request boundaries @tibo-openai
• #16640 [codex-analytics] feature plumbing and emittance @rhan-oai
• #17761 Tighten realtime handoff finalization @aibrahim-oai
• #17701 Add realtime output modality and transcript events @aibrahim-oai
• #17777 nit: feature flag @jif-oai
• #17637 feat: add context percent to status line @jif-oai
• #17665 Always enable original image detail on supported models @fjord-oai
• #17374 [codex-analytics] add session source to client metadata @marksteinbrick-oai
• #17489 Moving updated-at timestamps to unique millisecond times @ddr-oai
• #17784 feat: codex sampler @jif-oai
• #17732 fix: Revert danger-full-access denylist-only mode @viyatb-oai
• #17234 Redirect debug client output to a file @rasmusrygaard
• #17803 Keep image_detail_original as a removed feature flag @fjord-oai
• #17372 app-server: prepare to run initialized rpcs concurrently @euroelessar
• #17704 Refactor Bazel CI job setup @bolinfest
• #17674 Route apply_patch through the environment filesystem @starr-openai
• #17702 Fix remote skill popup loading @starr-openai
• #17830 [codex] Fix app-server initialized request analytics build @etraut-openai
• #17389 [codex-analytics] enable general analytics by default @rhan-oai
• #17659 thread store interface @wiltzius-openai
• #17792 Spread AbsolutePathBuf @pakrym-oai
• #17808 fix: apply patch bin refresh @jif-oai
• #17838 Add realtime wire trace logs @aibrahim-oai
• #17684 Adjust default tool search result caps @malone-oai
• #17705 Add Bazel verify-release-build job @bolinfest
• #17720 Make skill loading filesystem-aware @pakrym-oai
• #17756 [codex] Support local marketplace sources @xli-oai
• #17846 Fix for Guardian CI Tests stack overflow, applying Box to reduce stack pressure @won-openai
• #17855 support plugins in external agent config migration @alexsong-oai
• #17872 Disable hooks in guardian review sessions @abhinav-oai
• #17868 Wrap delegated input text @guinness-oai
• #17884 Fix clippy warnings in external agent config migration @canvrno-oai
• #17837 Reuse remote exec-server in core tests @starr-openai
• #17859 sandbox: remove dead seatbelt helper and update tests @bolinfest
• #17870 fix: cleanup the contract of the general-purpose exec() function @bolinfest
• #17871 fix: add websocket capability token hash support @viyatb-oai
• #17763 Send sandbox state through MCP tool metadata @aaronl-openai
• #17654 Support Unix socket allowlists in macOS sandbox @aaronl-openai
• #17915 fix: cargo deny @jif-oai
• #17913 feat: add endpoint to delete memories @jif-oai
• #17844 feat: cleaning of memories extension @jif-oai
• #17921 chore: exp flag @jif-oai
• #17917 [codex] Fix current main CI blockers @sayan-oai
• #17919 chore: do not disable memories for past rollouts on reset @jif-oai
• #17924 nit: stable test @jif-oai
• #17632 feat: memories menu @jif-oai
• #17404 register all mcp tools with namespace @sayan-oai
• #17941 nit: doc @jif-oai
• #17938 feat: sanitize rollouts before phase 1 @jif-oai
• #17937 feat: reset memories button @jif-oai
• #17883 Remove exec-server fs sandbox request preflight @pakrym-oai
• #17386 Register agent identities behind use_agent_identity @adrian-openai
• #17907 Fix fs/readDirectory to skip broken symlinks @willwang-openai
• #17960 chore(features) codex dependencies feat @dylan-hurd-oai
• #17965 fix: rename is_azure_responses_wire_base_url to is_azure_responses_provider @bolinfest
• #17946 Fix empty tool descriptions @shijie-oai
• #17824 [codex] Add local thread store listing @wiltzius-openai
• #17942 Add CLI update announcement @shijie-oai
• #17866 Refactor auth providers to mutate request headers @pakrym-oai
• #17902 app-server: track remote-control seq IDs per stream @euroelessar
• #17957 mcp: remove codex/sandbox-state custom request support @bolinfest
• #17953 fix: propagate log db @jif-oai
• #17920 chore(tui) cleanup @dylan-hurd-oai
• #17981 chore: tmp disable @jif-oai