Codex CLI 0.118.0: Sandbox Hardening & Device Code Auth

TL;DR

• Windows sandbox now enforces proxy-only networking at the OS level instead of relying on env vars
• Device code flow for ChatGPT sign-in when browser callbacks fail
• codex exec now supports piping stdin while passing a separate prompt
• Custom model providers can dynamically fetch short-lived bearer tokens

New

• Windows sandbox proxy enforcement — OS-level egress rules replace environment variable-only networking, closing a security gap.
• Device code ChatGPT login — App-server clients can now initiate sign-in via device code flow when browser callbacks are unreliable or unavailable.
• codex exec stdin + prompt support — Pipe input and pass a separate prompt on the command line simultaneously.
• Dynamic bearer token refresh — Custom model providers can fetch and refresh short-lived tokens instead of being locked to static credentials.

Fixed

• Project .codex file protection — First-time creation now respects approval checks instead of bypassing them on initial write.
• Linux sandbox reliability — bwrap lookup now works correctly on multi-entry PATHs.
• App-server TUI regressions — Hook notifications replay, /copy and /resume <name> work again, /agent no longer shows stale threads, skills picker scrolls past first page.
• MCP startup robustness — Local servers get longer startup window; failed handshakes now surface warnings in TUI instead of appearing as clean startups.
• Windows apply_patch stability — Removed redundant writable roots that triggered unnecessary ACL churn.

Update via: codex upgrade or download from GitHub releases.

Source: Codex