mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
dev
273 Commits
-
cli: add package path from install context (#26189)
## Why Codex package installs include helper binaries in `codex-path`, such as the bundled `rg`. Package-layout launches should add that directory before user commands run, but standalone launches were missing it while npm launches only worked because `codex.js` had its own legacy `PATH` rewrite. That made npm and standalone package behavior diverge. Shell snapshot restoration can also reset `PATH` after runtime setup. Any package-owned `PATH` prepend has to be recorded as an explicit runtime override so shells, unified exec, and user-shell commands keep access to `codex-path` after a snapshot is sourced. ## Repro Before this change, a curl-installed package could contain `rg` under `codex-path` but still fail to put it on `PATH`: ```shell mkdir /tmp/test-codex-curl curl -fsSL https://chatgpt.com/codex/install.sh \ | CODEX_HOME=/tmp/test-codex-curl CODEX_NON_INTERACTIVE=1 sh /tmp/test-codex-curl/packages/standalone/current/bin/codex exec \ --skip-git-repo-check 'print `which -a rg`' find /tmp/test-codex-curl -name rg ``` The `which -a rg` output omitted the packaged helper even though `find` showed it under `/tmp/test-codex-curl/packages/standalone/releases/.../codex-path/rg`. The npm install path behaved differently only because `codex-cli/bin/codex.js` had legacy `PATH` rewriting: ```shell mkdir /tmp/test-codex-npm cd /tmp/test-codex-npm npm install @openai/codex ./node_modules/.bin/codex exec --skip-git-repo-check 'print `which -a rg`' ``` That printed the npm package's `vendor/<target>/codex-path/rg` first. This PR moves that behavior into Rust-side package launch setup so curl/standalone and npm/bun launches agree without JS rewriting `PATH`. ## What Changed - `codex-rs/arg0` now uses `InstallContext::current().package_layout.path_dir` to prepend the package helper directory before any threads are created. - Package helper `PATH` setup is independent from the temporary arg0 alias setup, so `codex-path` is still added even if CODEX_HOME tempdir, lock, or symlink setup fails. - `codex-rs/install-context` detects the canonical package layout we ship: `bin/`, `codex-resources/`, and `codex-path/` next to `codex-package.json`. - Shell, local unified exec, and user-shell runtimes now record package `codex-path` prepends in `explicit_env_overrides`, matching the existing zsh-fork behavior so shell snapshots cannot restore over the package helper path. - Remote unified exec requests do not receive the local app-server package path overlay. - `codex-cli/bin/codex.js` no longer computes or overrides `PATH`; it only locates the native binary in the canonical package layout and passes npm/bun management metadata. - Added regression tests for `PATH` ordering, package layout detection, and shell snapshot preservation of package path prepends. ## Verification - `node --check codex-cli/bin/codex.js` - `just test -p codex-install-context -p codex-arg0` - `just test -p codex-core user_shell_snapshot_preserves_package_path_prepend` - `just test -p codex-core tools::runtimes::tests` - `just bazel-lock-update` - `just bazel-lock-check` - `just fix -p codex-install-context -p codex-arg0 -p codex-core`
Michael Bolin ·
2026-06-03 19:08:19 -07:00 -
npm: remove legacy package artifact synthesis (#23836)
## Why `rust-release` now publishes `codex-package-<target>.tar.gz` as the canonical native package payload. npm staging should consume those archives directly instead of keeping legacy synthesis code that fetched `rg`, copied standalone binaries, and rebuilt an approximate package layout. That also means the package builder should not know the internal shape of `codex-package`. It should extract and copy the target payload wholesale so future layout changes stay localized to the archive producer. The release job stages `codex`, `codex-responses-api-proxy`, and `codex-sdk` together, so native artifact download should be filtered, observable, and shared across component installs. Since that native hydration is now only used by release staging, keeping a separate `install_native_deps.py` CLI adds an extra wrapper without a real caller. ## What Changed - Removed legacy `codex-package` synthesis and related compatibility flags from npm staging. - Folded the remaining native artifact hydration code into `scripts/stage_npm_packages.py` and deleted `codex-cli/scripts/install_native_deps.py`. - Made platform package staging copy the full extracted target directory instead of enumerating package entries. - Kept non-`codex-package` native components under their component directory name instead of using a legacy destination map. - Split native staging by component set while sharing one workflow-artifact cache across the invocation. - Changed workflow artifact download to select target artifacts by name, print sizes/progress, and reuse cached artifacts. - Removed the implicit `CI=true` default from `build_npm_package.py`; local CI-shaped runs should set that environment explicitly. - Kept `npm pack` cache/log output in its temporary directory so packing does not write to the user npm cache. ## Verification - `python3 -m py_compile scripts/stage_npm_packages.py codex-cli/scripts/build_npm_package.py` - `python3 -m unittest discover -s scripts/codex_package -p "test_*.py"` - `scripts/stage_npm_packages.py --help` - `codex-cli/scripts/build_npm_package.py --help` - Ran the release-shaped staging command from `rust-release.yml` against workflow run https://github.com/openai/codex/actions/runs/26240748758 with `CI=true` set locally to match GitHub Actions: ```sh CI=true python3 ./scripts/stage_npm_packages.py \ --release-version 0.133.0 \ --workflow-url https://github.com/openai/codex/actions/runs/26240748758 \ --package codex \ --package codex-responses-api-proxy \ --package codex-sdk ``` That completed successfully, downloaded only the six target artifacts once, reused the cache for `codex-responses-api-proxy`, and produced all nine npm tarballs. Generated tarballs and staging/artifact temp dirs were cleaned afterward.
Michael Bolin ·
2026-05-21 20:43:48 +00:00 -
packaging: move rg manifest out of npm bin (#23833)
## Why Installing `@openai/codex` currently places a Dotslash `rg` manifest at `node_modules/@openai/codex/bin/rg`, even though the native optional dependency already ships the actual helper under `vendor/<target>/codex-path/rg`. The launcher prepends that `codex-path` directory, so the top-level `bin/rg` file is redundant in the npm install. The remaining direct consumers of the manifest are package-building paths: `scripts/codex_package/ripgrep.py` and `codex-cli/scripts/install_native_deps.py`. Keeping the manifest under `codex-cli/bin` makes it look like a shipped npm binary, so this moves it next to the package-builder code that owns it. The checked-in `@openai/codex` package metadata should likewise describe only the meta package payload; generated platform packages continue to publish `vendor`. ## What Changed - Moved the Dotslash ripgrep manifest from `codex-cli/bin/rg` to `scripts/codex_package/rg`. - Updated the package builder, npm native-artifact hydrator, README, and CLI help text to reference the new manifest location. - Stopped `codex-cli/scripts/build_npm_package.py` from copying `rg` into the `@openai/codex` meta package. - Narrowed the checked-in meta package `files` whitelist to `bin/codex.js`. ## Verification - `python3 -m unittest discover -s scripts/codex_package -p "test_*.py"` - `python3 -m unittest discover -s codex-cli/scripts -p "test_*.py"` - `python3 -m py_compile codex-cli/scripts/build_npm_package.py codex-cli/scripts/install_native_deps.py scripts/codex_package/ripgrep.py scripts/codex_package/cli.py scripts/stage_npm_packages.py` - `codex-cli/scripts/build_npm_package.py --package codex --version 0.0.0-test --pack-output <tmp>/codex-meta-no-vendor.tgz` - `tar -tf <tmp>/codex-meta-no-vendor.tgz` showed only `package/bin/codex.js`, `package/package.json`, and `package/README.md`. - Direct staging check showed `codex` uses `files: ["bin/codex.js"]` while `codex-darwin-arm64` still uses `files: ["vendor"]`. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/23833). * #23836 * __->__ #23833
Michael Bolin ·
2026-05-21 15:48:42 +00:00 -
docs: add description to codex-cli/package.json (#23835)
Fix this eyesore where our lack of a `"description"` was causing our `README.md` to be used for previews on npm. <img width="1291" height="178" alt="image" src="https://github.com/user-attachments/assets/a9bc08c5-0def-4755-8bcc-0c90e096b9c2" />
Michael Bolin ·
2026-05-21 08:19:50 -07:00 -
npm: ship platform packages in Codex package layout (#23637)
## Summary The npm platform packages should stop carrying a bespoke native layout now that the release workflow builds canonical Codex package archives. Keeping npm on the same `bin/`, `codex-resources/`, and `codex-path/` structure lets the Rust package-layout detection behave consistently across standalone, npm, and future DotSlash installs. This changes platform npm packages to stage the `codex-package` artifact for each target under `vendor/<target>`. The Node launcher now resolves `bin/codex` and prepends `codex-path`, while retaining legacy `vendor/<target>/codex` and `vendor/<target>/path` fallback support for local development and migration. The npm staging helper downloads `codex-package` archives instead of rebuilding the CLI payload from individual `codex`, `rg`, `bwrap`, and sandbox helper artifacts. CI still needs to stage npm packages from historical rust-release workflow artifacts that predate package archives, so the staging scripts expose an explicit `--allow-legacy-codex-package` fallback. That fallback synthesizes the canonical package layout from legacy per-binary artifacts and is wired only into the CI smoke path; release staging remains strict and continues to require real package archives. For direct local use, `install_native_deps.py` now points its built-in default workflow at the same recent artifact run used by CI and automatically enables legacy package synthesis only when `--workflow-url` is omitted. Explicit workflow URLs remain strict unless callers opt in with `--allow-legacy-codex-package`. ## Test plan - `python3 -m py_compile codex-cli/scripts/build_npm_package.py codex-cli/scripts/install_native_deps.py scripts/stage_npm_packages.py scripts/codex_package/cli.py` - `node --check codex-cli/bin/codex.js` - `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/rust-release.yml"); YAML.load_file(".github/workflows/ci.yml"); puts "ok"'` - Staged a synthetic `codex-linux-x64` platform package from a canonical vendor tree and verified it copied only `bin/`, `codex-path/`, `codex-resources/`, and `codex-package.json`. - Imported `install_native_deps.py` and extracted a synthetic `codex-package-x86_64-unknown-linux-musl.tar.gz` into `vendor/<target>`. - Ran legacy-layout conversion smokes for Linux, Windows, and unsigned macOS artifact naming. - Ran a synthetic `install_native_deps.py` default-workflow smoke that verifies legacy package synthesis is automatic only when `--workflow-url` is omitted. - `NPM_CONFIG_CACHE="$tmp_dir/npm-cache" python3 ./scripts/stage_npm_packages.py --release-version 0.125.0 --workflow-url https://github.com/openai/codex/actions/runs/26131514935 --package codex --allow-legacy-codex-package --output-dir "$tmp_dir"` - `node codex-cli/bin/codex.js --version` --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/23637). * #23638 * __->__ #23637Michael Bolin ·
2026-05-20 12:02:32 -07:00 -
feat(cli): add codex doctor diagnostics (#22336)
## Why Users and support need a single command that captures the local Codex runtime, configuration, auth, terminal, network, and state shape without asking the user to know which diagnostic depth to choose first. `codex doctor` now runs the useful checks by default and makes the detailed human output the default because the command is usually run when someone already needs context. The command also targets concrete support failure modes we have seen while iterating on the design: - update-target mismatches like #21956, where the installed package manager target can differ from the running executable - terminal and multiplexer issues that depend on `TERM`, tmux/zellij state, color handling, and TTY metadata - provider-specific HTTP/WebSocket connectivity, including ChatGPT WebSocket handshakes and API-key/provider endpoint reachability - local state/log SQLite integrity problems and large rollout directories - feedback reports that need an attached, redacted diagnostic snapshot without asking the user to run a second command ## What Changed - Adds `codex doctor` as a grouped CLI diagnostic report with default detailed output and `--summary` for the compact view. - Adds stable report sections for Environment, Configuration, Updates, Connectivity, and Background Server, plus a top Notes block that promotes anomalies such as available updates, large rollout directories, optional MCP issues, and mixed auth signals. - Adds runtime provenance, install consistency, bundled/system search readiness, terminal/multiplexer metadata, `config.toml` parse status, auth mode details, sandbox details, feature flag summaries, update cache/latest-version state, app-server daemon state, SQLite integrity checks, rollout statistics, and provider-aware network diagnostics. - Adds ChatGPT WebSocket diagnostics that report the negotiated HTTP upgrade as `HTTP 101 Switching Protocols` and include timeout, DNS, auth, and provider context in detailed output. - Makes reachability provider-aware: API-key OpenAI setups check the API endpoint, ChatGPT auth checks the ChatGPT path, and custom/AWS/local providers check configured HTTP endpoints when available. - Adds structured, redacted JSON output where `checks` is keyed by check id and `details` is a key/value object for support tooling. - Integrates doctor with feedback uploads by attaching a best-effort `codex-doctor-report.json` report and adding derived Sentry tags for overall status and failing/warning checks. - Updates the TUI feedback consent copy so users can see that the doctor report is included when logs/diagnostics are uploaded. - Updates the CLI bug issue template to ask reporters for `codex doctor --json` and render pasted reports as JSON. ## Example Output The examples below are sanitized from local smoke runs with `--no-color` so the structure is reviewable in plain text. ### `codex doctor` ```text Codex Doctor v0.0.0 · macos-aarch64 Notes ↑ updates 0.130.0 available (current 0.0.0, dismissed 0.128.0) ⚠ rollouts 1,526 active files · 2.53 GB on disk ⚠ mcp MCP configuration has optional issues ⚠ auth mixed auth signals: ChatGPT login plus API key env var; HTTP reachability uses API-key mode ───────────────────────────────────────────────────────────── Environment ✓ runtime local debug build version 0.0.0 install method other commit unknown executable ~/code/codex.fcoury-doct…x-rs/target/debug/codex ✓ install consistent context other managed by npm: no · bun: no · package root — PATH entries (2) ~/.local/share/mise/installs/node/24/bin/codex ~/.local/share/mise/shims/codex ✓ search ripgrep 15.1.0 (system, `rg`) ✓ terminal Ghostty 1.3.2-main-+b0f827665 · tmux 3.6a · TERM=xterm-256color terminal Ghostty TERM_PROGRAM ghostty terminal version 1.3.2-main-+b0f827665 TERM xterm-256color multiplexer tmux 3.6a tmux extended-keys on tmux allow-passthrough on tmux set-clipboard on ✓ state databases healthy CODEX_HOME ~/.codex (dir) state DB ~/.codex/state_5.sqlite (file) · integrity ok log DB ~/.codex/logs_2.sqlite (file) · integrity ok active rollouts 1,526 files · 2.53 GB (avg 1.70 MB) archived rollouts 8 files · 3.84 MB (avg 491.11 KB) Configuration ✓ config loaded model gpt-5.5 · openai cwd ~/code/codex.fcoury-doctor/codex-rs config.toml ~/.codex/config.toml config.toml parse ok MCP servers 1 feature flags 36 enabled · 7 overridden (full list with --all) overrides code_mode, code_mode_only, memories, chronicle, goals, remote_control, prevent_idle_sleep ✓ auth auth is configured auth storage mode File auth file ~/.codex/auth.json auth env vars present OPENAI_API_KEY stored auth mode chatgpt stored API key false stored ChatGPT tokens true stored agent identity false ⚠ mcp MCP configuration has optional issues — Set the missing MCP env vars or disable the affected server. configured servers 1 disabled servers 0 streamable_http servers 1 optional reachability openaiDeveloperDocs: https://developers.openai.com/mcp (HEAD connect failed; GET connect failed) ✓ sandbox restricted fs + restricted network · approval OnRequest approval policy OnRequest filesystem sandbox restricted network sandbox restricted Connectivity ✓ network network-related environment looks readable ✓ websocket connected (HTTP 101 Switching Protocols) · 15s timeout model provider openai provider name OpenAI wire API responses supports websockets true connect timeout 15000 ms auth mode chatgpt endpoint wss://chatgpt.com/backend-api/<redacted> DNS 2 IPv4, 2 IPv6, first IPv6 handshake result HTTP 101 Switching Protocols ✗ reachability one or more required provider endpoints are unreachable over HTTP — Check proxy, VPN, firewall, DNS, and custom CA configuration. reachability mode API key auth openai API https://api.openai.com/v1 connect failed (required) Background Server ○ app-server not running (ephemeral mode) ───────────────────────────────────────────────────────────── 11 ok · 1 idle · 4 notes · 1 warn · 1 fail failed --summary compact output --all expand truncated lists --json redacted report ``` ### `codex doctor --summary` ```text Codex Doctor v0.0.0 · macos-aarch64 Notes ↑ updates 0.130.0 available (current 0.0.0, dismissed 0.128.0) ⚠ rollouts 1,526 active files · 2.53 GB on disk ⚠ mcp MCP configuration has optional issues ⚠ auth mixed auth signals: ChatGPT login plus API key env var; HTTP reachability uses API-key mode ───────────────────────────────────────────────────────────── Environment ✓ runtime local debug build ✓ install consistent ✓ search ripgrep 15.1.0 (system, `rg`) ✓ terminal Ghostty 1.3.2-main-+b0f827665 · tmux 3.6a · TERM=xterm-256color ✓ state databases healthy Configuration ✓ config loaded ✓ auth auth is configured ⚠ mcp MCP configuration has optional issues — Set the missing MCP env vars or disable the affected server. ✓ sandbox restricted fs + restricted network · approval OnRequest Updates ✓ updates update configuration is locally consistent Connectivity ✓ network network-related environment looks readable ✓ websocket connected (HTTP 101 Switching Protocols) · 15s timeout ✗ reachability one or more required provider endpoints are unreachable over HTTP — Check proxy, VPN, firewall, DNS, and custom CA configuration. Background Server ○ app-server not running (ephemeral mode) ───────────────────────────────────────────────────────────── 11 ok · 1 idle · 4 notes · 1 warn · 1 fail failed Run codex doctor without --summary for detailed diagnostics. --all expand truncated lists --json redacted report ``` ### `codex doctor --json` shape ```json { "schema_version": 1, "overall_status": "fail", "checks": { "runtime.provenance": { "id": "runtime.provenance", "category": "Environment", "status": "ok", "summary": "local debug build", "details": { "version": "0.0.0", "install method": "other", "commit": "unknown" } }, "sandbox.helpers": { "id": "sandbox.helpers", "category": "Configuration", "status": "ok", "summary": "restricted fs + restricted network · approval OnRequest", "details": { "approval policy": "OnRequest", "filesystem sandbox": "restricted", "network sandbox": "restricted" } } } } ``` ### `/feedback` new sentry attachment <img width="938" height="798" alt="CleanShot 2026-05-13 at 15 36 14" src="https://github.com/user-attachments/assets/715e62e0-d7b4-4fea-a35a-fd5d5d33c4c0" /> ### New section in CLI issue template <img width="1164" height="435" alt="CleanShot 2026-05-13 at 15 47 24" src="https://github.com/user-attachments/assets/9081dc25-a28c-4afa-8ba1-e299c2b4031d" /> ## How to Test 1. Run `cargo run --bin codex -- doctor --no-color`. 2. Confirm the detailed report is the default and includes promoted Notes, grouped sections, terminal details, state DB integrity, rollout stats, provider reachability, WebSocket diagnostics, and app-server status. 3. Run `cargo run --bin codex -- doctor --summary --no-color`. 4. Confirm the compact view keeps the same sections and summary counts but omits detailed key/value rows. 5. Run `cargo run --bin codex -- doctor --json`. 6. Confirm the output is redacted JSON, `checks` is an object keyed by check id, and each check's `details` is a key/value object. 7. Preview the CLI bug issue template and confirm the `Codex doctor report` field appears after the terminal field, asks for `codex doctor --json`, and renders pasted output as JSON. 8. Start a feedback flow that includes logs. 9. Confirm the upload consent copy lists `codex-doctor-report.json` alongside the log attachments. Targeted tests: - `cargo test -p codex-cli doctor` - `cargo test -p codex-app-server doctor_report_tags_summarize_status_counts` - `cargo test -p codex-feedback` - `cargo test -p codex-tui feedback_view` - `just argument-comment-lint` - `git diff --check`
Felipe Coury ·
2026-05-13 21:23:19 +00:00 -
Michael Bolin ·
2026-05-05 18:21:52 -07:00 -
chore(cli) deprecate --full-auto (#20133)
## Summary Starts the process of getting rid of `--full-auto`, with some concessions: 1. Fully removes the command from the tui, since it just resolves to the default permissions there, and encourages users to use the one-time trust flow if they're not in a trusted repo. 2. Marks the command as deprecated in `codex exec`, in case users are actively relying on this. We'll remove in an upcoming n+X release. 3. Cleans up some of the `codex sandbox` cli logic, to keep supporting legacy sandbox policies for now. This isn't the cleanest setup, but I think it is worthwhile to warn users for one release before hard-removing it. ## Testing - [x] Updated unit tests
Dylan Hurd ·
2026-04-29 04:41:30 +00:00 -
Harden package-manager install policy (#19163)
## Summary This PR hardens package-manager usage across the repo to reduce dependency supply-chain risk. It also removes the stale `codex-cli` Docker path, which was already broken on `main`, instead of keeping a bitrotted container workflow alive. ## What changed - Updated pnpm package manager pins and workspace install settings. - Removed stale `codex-cli` Docker assets instead of trying to keep a broken local container path alive. - Added uv settings and lockfiles for the Python SDK packages. - Updated Python SDK setup docs to use `uv sync`. ## Why This is primarily a security hardening change. It reduces package-install and supply-chain risk by ensuring dependency installs go through pinned package managers, committed lockfiles, release-age settings, and reviewed build-script controls. For `codex-cli`, the right follow-up was to remove the local Docker path rather than keep patching it: - `codex-cli/Dockerfile` installed `codex.tgz` with `npm install -g`, which bypassed the repo lockfile and age-gated pnpm settings. - The local `codex-cli/scripts/build_container.sh` helper was already broken on `main`: it called `pnpm run build`, but `codex-cli/package.json` does not define a `build` script. - The container path itself had bitrotted enough that keeping it would require extra packaging-specific behavior that was not otherwise needed by the repo. ## Gaps addressed - Global npm installs bypassed the repo lockfile in Docker and CLI reinstall paths, including `codex-cli/Dockerfile` and `codex-cli/bin/codex.js`. - CI and Docker pnpm installs used `--frozen-lockfile`, but the repo was missing stricter pnpm workspace settings for dependency build scripts. - Python SDK projects had `pyproject.toml` metadata but no committed `uv.lock` coverage or uv age/index settings in `sdk/python` and `sdk/python-runtime`. - The secure devcontainer install path used npm/global install behavior without a local locked package-manager boundary. - The local `codex-cli` Docker helper was already broken on `main`, so this PR removes that stale Docker path instead of preserving a broken surface. - pnpm was already pinned, but not to the current repo-wide pnpm version target. ## Verification - `pnpm install --frozen-lockfile` - `.devcontainer/codex-install`: `pnpm install --prod --frozen-lockfile` - `.devcontainer/codex-install`: `./node_modules/.bin/codex --version` - `sdk/python`: `uv lock --check`, `uv sync --locked --all-extras --dry-run`, `uv build` - `sdk/python-runtime`: `uv lock --check`, `uv sync --locked --dry-run`, `uv build --wheel` - `pnpm -r --filter ./sdk/typescript run build` - `pnpm -r --filter ./sdk/typescript run lint` - `pnpm -r --filter ./sdk/typescript run test` - `node --check codex-cli/bin/codex.js` - `docker build -f .devcontainer/Dockerfile.secure -t codex-secure-test .` - `cargo build -p codex-cli` - repo-wide package-manager audit
mcgrew-oai ·
2026-04-24 14:36:19 -04:00 -
Remove obsolete codex-cli README (#17096)
Problem: codex-cli/README.md is obsolete and confusing to keep around. Solution: Delete codex-cli/README.md so the stale README is no longer present in the repository.
Eric Traut ·
2026-04-08 00:18:23 -07:00 -
Update pnpm versions to fix cve-2026-24842 (#12009)
Update pnpm versions to resolve CVE-2026-24842
mjr-openai ·
2026-02-19 14:27:55 -08:00 -
Eric Traut ·
2026-02-17 09:40:10 -08:00 -
Make codex-sdk depend on openai/codex (#11503)
Do not bundle all binaries inside the SDK as it makes the package huge. Instead depend on openai/codex
pakrym-oai ·
2026-02-11 16:20:10 -08:00 -
# Use
@openai/codexdist-tags for platform binaries instead of separate package names (#11339)https://github.com/openai/codex/pull/11318 introduced logic to publish platform artifacts as separate npm packages (for example, `@openai/codex-darwin-arm64`, `@openai/codex-linux-x64`, etc.). That requires provisioning and maintaining multiple package entries in npm, which we want to avoid. We still need to keep the package-size mitigation (platform-specific payloads), but we want that layout to live under a single npm package namespace (`@openai/codex`) using dist-tags. We also need to preserve pre-release workflows where users install `@openai/codex@alpha` and get platform-appropriate binaries. Additionally, we want GitHub Release assets to group Codex npm tarballs together, so platform tarballs should follow the same `codex-npm-*` filename prefix as the main Codex tarball. ## Release Strategy (New Scheme) We publish **one npm package name for Codex binaries** (`@openai/codex`) and use **dist-tags** to select platform-specific payloads. This avoids creating separate platform package names while keeping the package size split by platform. ### What gets published #### Mainline release (`x.y.z`) - `@openai/codex@latest` (meta package) - `@openai/codex@darwin-arm64` - `@openai/codex@darwin-x64` - `@openai/codex@linux-arm64` - `@openai/codex@linux-x64` - `@openai/codex@win32-arm64` - `@openai/codex@win32-x64` - `@openai/codex-responses-api-proxy@latest` - `@openai/codex-sdk@latest` #### Alpha release (`x.y.z-alpha.N`) - `@openai/codex@alpha` (meta package) - `@openai/codex@alpha-darwin-arm64` - `@openai/codex@alpha-darwin-x64` - `@openai/codex@alpha-linux-arm64` - `@openai/codex@alpha-linux-x64` - `@openai/codex@alpha-win32-arm64` - `@openai/codex@alpha-win32-x64` - `@openai/codex-responses-api-proxy@alpha` - `@openai/codex-sdk@alpha` As an example, the `package.json` for `@openai/codex@alpha` (using `0.99.0-alpha.17` as the `version`) would be: ``` { "name": "@openai/codex", "version": "0.99.0-alpha.17", "license": "Apache-2.0", "bin": { "codex": "bin/codex.js" }, "type": "module", "engines": { "node": ">=16" }, "files": [ "bin" ], "repository": { "type": "git", "url": "git+https://github.com/openai/codex.git", "directory": "codex-cli" }, "packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264", "optionalDependencies": { "@openai/codex-linux-x64": "npm:@openai/codex@0.99.0-alpha.17-linux-x64", "@openai/codex-linux-arm64": "npm:@openai/codex@0.99.0-alpha.17-linux-arm64", "@openai/codex-darwin-x64": "npm:@openai/codex@0.99.0-alpha.17-darwin-x64", "@openai/codex-darwin-arm64": "npm:@openai/codex@0.99.0-alpha.17-darwin-arm64", "@openai/codex-win32-x64": "npm:@openai/codex@0.99.0-alpha.17-win32-x64", "@openai/codex-win32-arm64": "npm:@openai/codex@0.99.0-alpha.17-win32-arm64" } } ``` Note that the keys in `optionalDependencies` have "clean" names, but the values have the tag embedded. ### Important note **Note:** Because we never created the new platform package names on npm (for example, `@openai/codex-darwin-arm64`) since #11318 landed, there are no extra npm packages to clean up. ## What changed ### 1. Stage platform tarballs as `@openai/codex` with platform-specific versions File: `codex-cli/scripts/build_npm_package.py` - Added `CODEX_NPM_NAME = "@openai/codex"` and platform metadata `npm_tag` values: - `darwin-arm64`, `darwin-x64`, `linux-arm64`, `linux-x64`, `win32-arm64`, `win32-x64` - For platform package staging (`codex-<platform>` inputs), switched generated `package.json` from: - `name = @openai/codex-<platform>` to: - `name = @openai/codex` - Added `compute_platform_package_version(version, platform_tag)` so platform tarballs have unique versions (`<release-version>-<platform-tag>`), which is required because npm forbids re-publishing the same `name@version`. ### 2. Point meta package optional dependencies at dist-tags on `@openai/codex` File: `codex-cli/scripts/build_npm_package.py` - Updated `optionalDependencies` generation for the main `codex` package to use npm alias syntax: - key remains alias package name (for example, `@openai/codex-darwin-arm64`) so runtime lookup behavior is unchanged - value now resolves to `@openai/codex` by dist-tag - Stable releases emit tags like `npm:@openai/codex@darwin-arm64`. - Alpha releases (`x.y.z-alpha.N`) emit tags like `npm:@openai/codex@alpha-darwin-arm64`. ### 3. Publish with per-tarball dist-tags in release CI File: `.github/workflows/rust-release.yml` - Reworked npm publish logic to derive the publish tag per tarball filename: - platform tarballs publish with `<platform>` tags for stable releases - platform tarballs publish with `alpha-<platform>` tags for alpha releases - top-level tarballs (`codex`, `codex-responses-api-proxy`, `codex-sdk`) continue using the existing channel tag policy (`latest` implicit for stable, `alpha` for alpha) - Added fail-fast behavior for unexpected tarball names to avoid silent mispublishes. ### 4. Normalize Codex platform tarball filenames for GitHub Release grouping Files: `scripts/stage_npm_packages.py`, `.github/workflows/rust-release.yml` - Renamed staged platform tarball filenames from: - `codex-linux-<arch>-npm-<version>.tgz` - `codex-darwin-<arch>-npm-<version>.tgz` - `codex-win32-<arch>-npm-<version>.tgz` - To: - `codex-npm-linux-<arch>-<version>.tgz` - `codex-npm-darwin-<arch>-<version>.tgz` - `codex-npm-win32-<arch>-<version>.tgz` This keeps all Codex npm artifacts grouped under a common `codex-npm-` prefix in GitHub Releases. ### 5. Documentation update File: `codex-cli/scripts/README.md` - Updated staging docs to clarify that platform-native variants are published as dist-tagged `@openai/codex` artifacts rather than separate npm package names. ## Resulting behavior - Mainline release: - `@openai/codex@latest` resolves the meta package - meta package optional dependencies resolve `@openai/codex@<platform-tag>` - Alpha release: - users can continue installing `@openai/codex@alpha` - alpha meta package optional dependencies resolve `@openai/codex@alpha-<platform-tag>` - Release assets: - Codex npm tarballs share `codex-npm-` prefix for cleaner grouping in GitHub Releases This preserves platform-specific payload distribution while avoiding separate npm package names and improves release-asset discoverability. ## Validation notes - Verified staged `package.json` output for stable and alpha meta packages includes expected alias targets. - Verified staged platform package manifests are `name=@openai/codex` with unique platform-suffixed versions. - Verified publish tag derivation maps renamed platform tarballs to expected stable and alpha dist-tags.
Michael Bolin ·
2026-02-10 10:33:47 -08:00 -
jif-oai ·
2026-02-10 14:49:53 +00:00 -
chore: ensure pnpm-workspace.yaml is up-to-date (#10140)
On the back of: https://github.com/openai/codex/pull/10138 Let's ensure that every folder with a `package.json` is listed in `pnpm-workspace.yaml` (not sure why `docs` was in there...) and that we are using `pnpm` over `npm` consistently (which is why this PR deletes `codex-cli/package-lock.json`).
Michael Bolin ·
2026-01-29 10:49:03 -08:00 -
fix: remove references to corepack (#10138)
Currently, our `npm publish` logic is failing. There were a number of things that were merged recently that seemed to contribute to this situation, though I think we have fixed most of them, but this one stands out: https://github.com/openai/codex/pull/10115 As best I can tell, we tried to fix the pnpm version to a specific hash, but we did not do it consistently (though `shell-tool-mcp/package.json` had it specified twice...), so for this PR, I ran: ``` $ git ls-files | grep package.json codex-cli/package.json codex-rs/responses-api-proxy/npm/package.json package.json sdk/typescript/package.json shell-tool-mcp/package.json ``` and ensured that all of them now have this line: ```json "packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264" ``` I also went and deleted all of the `corepack` stuff that was added by https://github.com/openai/codex/pull/10115. If someone can explain why we need it and verify it does not break `npm publish`, then we can bring it back.
Michael Bolin ·
2026-01-28 23:31:25 -08:00 -
fix(cli): add execute permission to bin/codex.js (#9532)
## Summary Fixes #9520 The `bin/codex.js` file was missing execute permissions (`644` instead of `755`), causing the `codex` command to fail after npm global installation. ## Changes - Added execute permission (`+x`) to `codex-cli/bin/codex.js` ## Verification After this fix, npm tarballs will include the correct file permissions: ```bash # Before: -rw-r--r-- (644) # After: -rwxr-xr-x (755) ``` --- 🤖 Generated with Claude Code Co-authored-by: Claude <noreply@anthropic.com>
zerone0x ·
2026-01-20 14:53:14 -08:00 -
fix: add tui.alternate_screen config and --no-alt-screen CLI flag for Zellij scrollback (#8555)
Fixes #2558 Codex uses alternate screen mode (CSI 1049) which, per xterm spec, doesn't support scrollback. Zellij follows this strictly, so users can't scroll back through output. **Changes:** - Add `tui.alternate_screen` config: `auto` (default), `always`, `never` - Add `--no-alt-screen` CLI flag - Auto-detect Zellij and skip alt screen (uses existing `ZELLIJ` env var detection) **Usage:** ```bash # CLI flag codex --no-alt-screen # Or in config.toml [tui] alternate_screen = "never" ``` With default `auto` mode, Zellij users get working scrollback without any config changes. --------- Co-authored-by: Josh McKinney <joshka@openai.com>
Helmut Januschka ·
2026-01-09 18:38:26 +00:00 -
fix(codex-cli): improve ripgrep download diagnostics (#8486)
When rg download fails during npm package staging, log the target/platform/url and preserve the original exception as the cause. Emit GitHub Actions log groups and error annotations so the failure is easier to spot. Document why a urlopen timeout is set (the default can hang indefinitely). This is to make failures in the specific build step easier to understand / work out what's failing rather than having a big wall of text (or at least having an obvious part of it that helps narrow that wall) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Josh McKinney ·
2025-12-23 21:18:35 +00:00 -
include new windows binaries in npm package. (#8140)
The Windows Elevated Sandbox uses two new binaries: codex-windows-sandbox-setup.exe codex-command-runner.exe This PR includes them when installing native deps and packaging for npm
iceweasel-oai ·
2025-12-16 16:14:33 -08:00 -
Fix: Detect Bun global install via path check (#8004)
## Summary Restores ability to detect when Codex is installed globally via **Bun**, which was broken by
c3e4f920b4. Fixes #8003. Instead of relying on `npm_config_user_agent` (which is only set when running via `bunx` or `bun run`), this adds a path-based check to see if the CLI wrapper is located in Bun's global installation directory. ## Regression Context Commit `c3e4f920b4e965085164d6ee0249a873ef96da77` removed the `BUN_INSTALL` environment variable checks to prevent false positives. However, this caused false negatives for genuine Bun global installs because `detectPackageManager()` defaults to NPM when no signal is found. ## Changes - Updated `codex-cli/bin/codex.js` to check if `__dirname` contains `.bun/install/global` (handles both POSIX and Windows paths). ## Verification Verified by performing a global install of the patched CLI (v0.69.0 to trigger the update prompt): 1. Packed the CLI using `npm pack` in `codex-cli/` to create a release tarball. 2. Installed globally via Bun: `bun install -g $(pwd)/openai-codex-0.0.0-dev.tgz`. 3. Ran `codex`, confirmed it detected Bun (banner showed `bun install -g @openai/codex`), selected "Update now", and verified it correctly spawned `bun install -g` instead of `npm`. 4. Confirmed the upgrade completed successfully using Bun. <img width="1038" height="813" alt="verifying installation via bun" src="https://github.com/user-attachments/assets/00c9301a-18f1-4440-aa95-82ccffba896c" /> 5. Verified installations via npm are unaffected. <img width="2090" height="842" alt="verifying installation via npm" src="https://github.com/user-attachments/assets/ccb3e031-b85c-4bbe-bac7-23b087c5b844" />miraclebakelaser ·
2025-12-15 15:30:06 -08:00 -
chore: remove bun env var detect (#7534)
### Summary [Thread](https://openai.slack.com/archives/C08JZTV654K/p1764780129457519) We were a bit aggressive on assuming package installer based on env variables for BUN. Here we are removing those checks.
Shijie Rao ·
2025-12-03 10:23:45 -08:00 -
detect Bun installs in CLI update banner (#5074)
## Summary - detect Bun-managed installs in the JavaScript launcher and set a dedicated environment flag - show a Bun-specific upgrade command in the update banner when that flag is present Fixes #5012 ------ https://chatgpt.com/codex/tasks/task_i_68e95c439494832c835bdf34b3b1774e --------- Co-authored-by: Michael Bolin <mbolin@openai.com>
Jeremy Rose ·
2025-10-14 17:49:44 +00:00 -
chore: introduce publishing logic for @openai/codex-sdk (#4543)
There was a bit of copypasta I put up with when were publishing two packages to npm, but now that it's three, I created some more scripts to consolidate things. With this change, I ran: ```shell ./scripts/stage_npm_packages.py --release-version 0.43.0-alpha.8 --package codex --package codex-responses-api-proxy --package codex-sdk ``` Indeed when it finished, I ended up with: ```shell $ tree dist dist └── npm ├── codex-npm-0.43.0-alpha.8.tgz ├── codex-responses-api-proxy-npm-0.43.0-alpha.8.tgz └── codex-sdk-npm-0.43.0-alpha.8.tgz $ tar tzvf dist/npm/codex-sdk-npm-0.43.0-alpha.8.tgz -rwxr-xr-x 0 0 0 25476720 Oct 26 1985 package/vendor/aarch64-apple-darwin/codex/codex -rwxr-xr-x 0 0 0 29871400 Oct 26 1985 package/vendor/aarch64-unknown-linux-musl/codex/codex -rwxr-xr-x 0 0 0 28368096 Oct 26 1985 package/vendor/x86_64-apple-darwin/codex/codex -rwxr-xr-x 0 0 0 36029472 Oct 26 1985 package/vendor/x86_64-unknown-linux-musl/codex/codex -rw-r--r-- 0 0 0 10926 Oct 26 1985 package/LICENSE -rw-r--r-- 0 0 0 30187520 Oct 26 1985 package/vendor/aarch64-pc-windows-msvc/codex/codex.exe -rw-r--r-- 0 0 0 35277824 Oct 26 1985 package/vendor/x86_64-pc-windows-msvc/codex/codex.exe -rw-r--r-- 0 0 0 4842 Oct 26 1985 package/dist/index.js -rw-r--r-- 0 0 0 1347 Oct 26 1985 package/package.json -rw-r--r-- 0 0 0 9867 Oct 26 1985 package/dist/index.js.map -rw-r--r-- 0 0 0 12 Oct 26 1985 package/README.md -rw-r--r-- 0 0 0 4287 Oct 26 1985 package/dist/index.d.ts ```Michael Bolin ·
2025-10-01 08:29:59 -07:00 -
feat: introduce npm module for codex-responses-api-proxy (#4417)
This PR expands `.github/workflows/rust-release.yml` so that it also builds and publishes the `npm` module for `@openai/codex-responses-api-proxy` in addition to `@openai/codex`. Note both `npm` modules are similar, in that they each contain a single `.js` file that is a thin launcher around the appropriate native executable. (Since we have a minimal dependency on Node.js, I also lowered the minimum version from 20 to 16 and verified that works on my machine.) As part of this change, we tighten up some of the docs around `codex-responses-api-proxy` and ensure the details regarding protecting the `OPENAI_API_KEY` in memory match the implementation. To test the `npm` build process, I ran: ``` ./codex-cli/scripts/build_npm_package.py --package codex-responses-api-proxy --version 0.43.0-alpha.3 ``` which stages the `npm` module for `@openai/codex-responses-api-proxy` in a temp directory, using the binary artifacts from https://github.com/openai/codex/releases/tag/rust-v0.43.0-alpha.3.
Michael Bolin ·
2025-09-28 19:34:06 -07:00 -
feat: build codex-responses-api-proxy for all platforms as part of the GitHub Release (#4406)
This should make the `codex-responses-api-proxy` binaries available for all platforms in a GitHub Release as well as a corresponding DotSlash file. Making `codex-responses-api-proxy` available as an `npm` module will be done in a follow-up PR. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/4404). * __->__ #4406 * #4404 * #4403
Michael Bolin ·
2025-09-28 15:25:15 -07:00 -
fix: add tolerance for ambiguous behavior in
gh run list(#4162)I am not sure what is going on, as https://github.com/openai/codex/pull/3660 introduced this new logic and I swear that CI was green before I merged that PR, but I am seeing failures in this CI job this morning. This feels like a non-backwards-compatible change in `gh`, but that feels unlikely... Nevertheless, this is what I currently see on my laptop: ``` $ gh --version gh version 2.76.2 (2025-07-30) https://github.com/cli/cli/releases/tag/v2.76.2 $ gh run list --workflow .github/workflows/rust-release.yml --branch rust-v0.40.0 --json workflowName,url,headSha --jq 'first(.[])' { "headSha": "5268705a69713752adcbd8416ef9e84a683f7aa3", "url": "https://github.com/openai/codex/actions/runs/17952349351", "workflowName": ".github/workflows/rust-release.yml" } ``` Looking at sample output from an old GitHub issue (https://github.com/cli/cli/issues/6678), it appears that, at least at one point in time, the `workflowName` was _not_ the path to the workflow.
Michael Bolin ·
2025-09-24 09:15:03 -07:00 -
fix: vendor ripgrep in the npm module (#3660)
We try to ensure ripgrep (`rg`) is provided with Codex. - For `brew`, we declare it as a dependency of our formula: https://github.com/Homebrew/homebrew-core/blob/08d82d8b006a19efbe234477bc8b18d35b5fef50/Formula/c/codex.rb#L24 - For `npm`, we declare `@vscode/ripgrep` as a dependency, which installs the platform-specific binary as part of a `postinstall` script: https://github.com/openai/codex/blob/fdb8dadcae9f8eec91bc3eb5a17b3f9b19e28505/codex-cli/package.json#L22 - Users who download the CLI directly from GitHub Releases are on their own. In practice, I have seen `@vscode/ripgrep` fail on occasion. Here is a trace from a GitHub workflow: ``` npm error code 1 npm error path /Users/runner/hostedtoolcache/node/20.19.5/arm64/lib/node_modules/@openai/codex/node_modules/@vscode/ripgrep npm error command failed npm error command sh -c node ./lib/postinstall.js npm error Finding release for v13.0.0-13 npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13 npm error Deleting invalid download cache npm error Download attempt 1 failed, retrying in 2 seconds... npm error Finding release for v13.0.0-13 npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13 npm error Deleting invalid download cache npm error Download attempt 2 failed, retrying in 4 seconds... npm error Finding release for v13.0.0-13 npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13 npm error Deleting invalid download cache npm error Download attempt 3 failed, retrying in 8 seconds... npm error Finding release for v13.0.0-13 npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13 npm error Deleting invalid download cache npm error Download attempt 4 failed, retrying in 16 seconds... npm error Finding release for v13.0.0-13 npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13 npm error Deleting invalid download cache npm error Error: Request failed: 403 ``` To eliminate this error, this PR changes things so that we vendor the `rg` binary into https://www.npmjs.com/package/@openai/codex so it is guaranteed to be included when a user runs `npm i -g @openai/codex`. The downside of this approach is the increase in package size: we include the `rg` executable for six architectures (in addition to the six copies of `codex` we already include). In a follow-up, I plan to add support for "slices" of our npm module, so that soon users will be able to do: ``` npm install -g @openai/codex@aarch64-apple-darwin ``` Admittedly, this is a sizable change and I tried to clean some things up in the process: - `install_native_deps.sh` has been replaced by `install_native_deps.py` - `stage_release.sh` and `stage_rust_release.py` has been replaced by `build_npm_package.py` We now vendor in a DotSlash file for ripgrep (as a modest attempt to facilitate local testing) and then build up the extension by: - creating a temp directory and copying `package.json` over to it with the target value for `"version"` - finding the GitHub workflow that corresponds to the `--release-version` and copying the various `codex` artifacts to respective `vendor/TARGET_TRIPLE/codex` folder - downloading the `rg` artifacts specified in the DotSlash file and copying them over to the respective `vendor/TARGET_TRIPLE/path` folder - if `--pack-output` is specified, runs `npm pack` on the temp directory To test, I downloaded the artifact produced by this CI job: https://github.com/openai/codex/actions/runs/17961595388/job/51085840022?pr=3660 and verified that `node ./bin/codex.js 'which -a rg'` worked as intended.
Michael Bolin ·
2025-09-23 23:00:33 -07:00 -
Michael Bolin ·
2025-09-16 20:33:59 -07:00 -
fix: include arm64 Windows executable in npm module (#3067)
This is in support of https://github.com/openai/codex/issues/2979. Tested by running: ``` ./codex-cli/scripts/install_native_deps.sh --workflow-url https://github.com/openai/codex/actions/runs/17416421450 ```
Michael Bolin ·
2025-09-02 15:43:42 -07:00 -
[codex-cli] Add ripgrep as a dependency for node environment (#2237)
## Summary Ripgrep is our preferred tool for file search. When users install via `brew install codex`, it's automatically installed as a dependency. We want to ensure that users running via an npm install also have this tool! Microsoft has already solved this problem for VS Code - let's not reinvent the wheel. This approach of appending to the PATH directly might be a bit heavy-handed, but feels reasonably robust to a variety of environment concerns. Open to thoughts on better approaches here! ## Testing - [x] confirmed this import approach works with `node -e "const { rgPath } = require('@vscode/ripgrep'); require('child_process').spawn(rgPath, ['--version'], { stdio: 'inherit' })"` - [x] Ran codex.js locally with `rg` uninstalled, asked it to run `which rg`. Output below: ``` ⚡ Ran command which rg; echo $? ⎿ /Users/dylan.hurd/code/dh--npm-rg/node_modules/@vscode/ripgrep/bin/rg 0 codex Re-running to confirm the path and exit code. - Path: `/Users/dylan.hurd/code/dh--npm-rg/node_modules/@vscode/ripgrep/bin/rg` - Exit code: `0` ```Dylan ·
2025-08-13 13:49:27 -07:00 -
chore: remove the TypeScript code from the repository (#2048)
This deletes the bulk of the `codex-cli` folder and eliminates the logic that builds the TypeScript code and bundles it into the release. Since this PR modifies `.github/workflows/rust-release.yml`, to test changes to the release process, I locally commented out all of the "is this commit on upstream `main`" checks in `scripts/create_github_release.sh` and ran: ``` ./codex-rs/scripts/create_github_release.sh 0.20.0-alpha.4 ``` Which kicked off: https://github.com/openai/codex/actions/runs/16842085113 And the release artifacts appear legit! https://github.com/openai/codex/releases/tag/rust-v0.20.0-alpha.4
Michael Bolin ·
2025-08-08 16:09:39 -07:00 -
fix: try building the npm package in CI (#2043)
Historically, the release process for the npm module has been: - I run `codex-rs/scripts/create_github_release.sh` to kick off a release for the native artifacts. - I wait until it is done. - I run `codex-cli/scripts/stage_rust_release.py` to build the npm release locally - I run `npm publish` from my laptop It has been a longstanding issue to move the npm build to CI. I may still have to do the `npm publish` manually because it requires 2fac with `npm`, though I assume we can work that out later. Note I asked Codex to make these updates, and while they look pretty good to me, I'm not 100% certain, but let's just merge this and I'll kick off another alpha build and we'll see what happens?
Michael Bolin ·
2025-08-08 15:17:54 -07:00 -
feat: include Windows binary of the CLI in the npm release (#2040)
To date, the build scripts in `codex-cli` still supported building the old TypeScript version of the Codex CLI to give Windows users something they can run, but we are just going to have them use the Rust version like everyone else, so: - updates `codex-cli/bin/codex.js` so that we run the native binary or throw if the target platform/arch is not supported (no more conditional usage based on `CODEX_RUST`, `use-native` file, etc.) - drops the `--native` flag from `codex-cli/scripts/stage_release.sh` and updates all the code paths to behave as if `--native` were passed (i.e., it is the only way to run it now) Tested this by running: ``` ./codex-cli/scripts/stage_rust_release.py --release-version 0.20.0-alpha.2 ```
Michael Bolin ·
2025-08-08 14:44:35 -07:00 -
Update copy (#1935)
Updated copy --------- Co-authored-by: pap-openai <pap@openai.com>
Ed Bayes ·
2025-08-07 03:29:33 -07:00 -
Fix MacOS multiprocessing by relaxing sandbox (#1808)
The following test script fails in the codex sandbox: ``` import multiprocessing from multiprocessing import Lock, Process def f(lock): with lock: print("Lock acquired in child process") if __name__ == '__main__': lock = Lock() p = Process(target=f, args=(lock,)) p.start() p.join() ``` with ``` Traceback (most recent call last): File "/Users/david.hao/code/codex/codex-rs/cli/test.py", line 9, in <module> lock = Lock() ^^^^^^ File "/Users/david.hao/.local/share/uv/python/cpython-3.12.9-macos-aarch64-none/lib/python3.12/multiprocessing/context.py", line 68, in Lock return Lock(ctx=self.get_context()) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/Users/david.hao/.local/share/uv/python/cpython-3.12.9-macos-aarch64-none/lib/python3.12/multiprocessing/synchronize.py", line 169, in __init__ SemLock.__init__(self, SEMAPHORE, 1, 1, ctx=ctx) File "/Users/david.hao/.local/share/uv/python/cpython-3.12.9-macos-aarch64-none/lib/python3.12/multiprocessing/synchronize.py", line 57, in __init__ sl = self._semlock = _multiprocessing.SemLock( ^^^^^^^^^^^^^^^^^^^^^^^^^ PermissionError: [Errno 1] Operation not permitted ``` After reading, adding this line to the sandbox configs fixes things - MacOS multiprocessing appears to use sem_lock(), which opens an IPC which is considered a disk write even though no file is created. I interrogated ChatGPT about whether it's okay to loosen, and my impression after reading is that it is, although would appreciate a close look Breadcrumb: You can run `cargo run -- debug seatbelt --full-auto <cmd>` to test the sandboxDavid Z Hao ·
2025-08-03 06:59:26 -07:00 -
check for updates (#1764)
1. Ping https://api.github.com/repos/openai/codex/releases/latest (at most once every 20 hrs) 2. Store the result in ~/.codex/version.jsonl 3. If CARGO_PKG_VERSION < latest_version, print a message at boot. --------- Co-authored-by: easong-openai <easong@openai.com>
Jeremy Rose ·
2025-08-02 00:31:38 +00:00 -
fix: check flags to ripgrep when deciding whether the invocation is "trusted" (#1644)
With this change, if any of `--pre`, `--hostname-bin`, `--search-zip`, or `-z` are used with a proposed invocation of `rg`, do not auto-approve.
Michael Bolin ·
2025-07-21 22:38:50 -07:00 -
fix: update bin/codex.js so it listens for exit on the child process (#1590)
When Codex CLI is installed via `npm`, we use a `.js` wrapper script to launch the Rust binary. - Previously, we were not listening for signals to ensure that killing the Node.js process would also kill the underlying Rust process. - We also did not have a proper `exit` handler in place on the child process to ensure we exited from the Node.js process. This PR fixes these things and hopefully addresses https://github.com/openai/codex/issues/1570. This also adds logic so that Windows falls back to the TypeScript CLI again, which should address https://github.com/openai/codex/issues/1573.
Michael Bolin ·
2025-07-16 16:35:29 -07:00 -
docs: clarify the build process for the npm release (#1568)
It appears that `0.5.0` was built with `stage_release.sh` instead of `stage_rust_release.py`, so add docs to clarify this and recommend running `--version` on the release candidate to verify the right thing was built.
Michael Bolin ·
2025-07-14 09:41:11 -07:00 -
chore(deps): bump node from 22-slim to 24-slim in /codex-cli (#1505)
Bumps node from 22-slim to 24-slim. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot[bot] ·
2025-07-10 12:11:44 -07:00 -
chore(rs): update dependencies (#1494)
### Chores - Update cargo dependencies - Remove unused cargo dependencies - Fix clippy warnings - Update Dockerfile (package.json requires node 22) - Let Dependabot update bun, cargo, devcontainers, docker, github-actions, npm (nix still not supported) ### TODO - Upgrade dependencies with breaking changes ```shell $ cargo update --verbose Unchanged crossterm v0.28.1 (available: v0.29.0) Unchanged schemars v0.8.22 (available: v1.0.4) ```
Rene Leonhardt ·
2025-07-10 11:08:16 -07:00 -
Add Android platform support for Codex CLI (#1488)
## Summary Add Android platform support to Codex CLI ## What? - Added `android` to the list of supported platforms in `codex-cli/bin/codex.js` - Treats Android as Linux for binary compatibility ## Why? - Fixes "Unsupported platform: android (arm64)" error on Termux - Enables Codex CLI usage on Android devices via Termux - Improves platform compatibility without affecting other platforms ## How? - Modified the platform detection switch statement to include `case "android":` - Android falls through to the same logic as Linux, using appropriate ARM64 binaries - Minimal change with no breaking effects on existing functionality ## Testing - Tested on Android/Termux environment - Verified the fix resolves the platform detection error - Confirmed no impact on other platforms ## Related Issues Fixes the "Unsupported platform: android (arm64)" error reported by Termux users
pchuri ·
2025-07-09 22:06:55 -07:00 -
chore: create a release script for the Rust CLI (#1479)
This is a stopgap solution before migrating the build for the npm release to GitHub Actions (which is ultimately what should be done to ensure hermetic builds). The idea is that instead of continuing to create PRs like https://github.com/openai/codex/pull/1472 where I have to check in a change to the `WORKFLOW_URL`, this script uses `gh run list` to get the `WORKFLOW_URL` dynamically and then threads the value through to `install_native_deps.sh`. To create the 0.3.0 release on npm, I ran: ```shell ./codex-cli/scripts/stage_rust_release.py --release-version 0.3.0 ``` and then did `npm publish --dry-run` followed by `npm publish` in the temp directory created by `stage_rust_release.py`.
Michael Bolin ·
2025-07-07 23:51:34 -07:00 -
chore: normalize repository.url in package.json (#1474)
I got this as a warning when doing `npm publish --dry-run`, so I ran `npm pkg fix` to create this PR, as instructed.
Michael Bolin ·
2025-07-07 16:33:06 -07:00 -
chore: update release scripts for the TypeScript CLI (#1472)
This introduces two changes to make a quick fix so we can deploy the Rust CLI for `0.2.0` of `@openai/codex` on npm: - Updates `WORKFLOW_URL` to point to https://github.com/openai/codex/actions/runs/15981617627, which is the GitHub workflow run used to create the binaries for the `0.2.0` release we published to Homebrew. - Adds a `--version` option to `stage_release.sh` to specify what the `version` field in the `package.json` will be. Locally, I ran the following: ``` ./codex-cli/scripts/stage_release.sh --native --version 0.2.0 ``` Previously, we only used the `--native` flag to publish to the `native` tag of `@openai/codex` (e.g., `npm publish --tag native`), but we should just publish this as the default tag for `0.2.0` to be consistent with what is in Homebrew. We can still publish one "final" version of the TypeScript CLI as 0.1.x later. Under the hood, this release will still contain `dist/cli.js`, `bin/codex-linux-sandbox-x64`, and `bin/codex-x86_64-apple-darwin`, which are not strictly necessary, but we'll fix that in `0.3.0`.
Michael Bolin ·
2025-07-07 09:43:03 -07:00 -
docs: update documentation to reflect Rust CLI release (#1440)
As promised on https://github.com/openai/codex/discussions/1405, we are making the first official release of the Rust CLI as v0.2.0. As part of this move, we are making it available in Homebrew: https://github.com/Homebrew/homebrew-core/pull/228615 Ultimately, we also plan to continue to make the CLI available in npm, as well, though brew is a bit nicer in that `brew install` will download only the binary for your platform whereas an npm module is expected to contain the binaries for _all_ supported platforms, so it is a bit more heavyweight. A big part of this change is updating the root `README.md` to document the behavior of the Rust CLI, which differs in a number of ways from the TypeScript CLI. The existing `README.md` is moved to `codex-cli/README.md` as part of this PR, as it is still applicable to that folder. As this is still early days for the Rust CLI, I encourage folks to provide feedback on the command line flags and configuration options.
Michael Bolin ·
2025-07-01 15:00:31 -07:00 -
add: responses api support for azure (#1321)
- Use Responses API for Azure provider endpoints - Added a unit test to catch regression on the change from `/chat/completions` to `/responses` - Updated the default AOAI api version from `2025-03-01-preview` to `2025-04-01-preview` to avoid user/400 errors due to missing summary support in the March API version. - Changes have been tested locally on AOAI endpoints
Eric Wright ·
2025-06-22 18:01:13 -07:00 -
feat(ts): provider‑specific API‑key discovery and clearer Azure guidance (#1324)
## Summary This PR refactors the Codex CLI authentication flow so that **non-OpenAI** providers (for example **azure**, or any future addition) can supply their API key through a dedicated environment variable without triggering the OpenAI login flow. Key behaviours introduced: * When `provider !== "openai"` the CLI consults `src/utils/providers.ts` to locate the correct environment variable (`AZURE_OPENAI_API_KEY`, `GEMINI_API_KEY`, and so on) before considering any interactive login. * Credit redemption (`--free`) and PKCE login now run **only** when the provider is OpenAI, eliminating unwanted browser prompts for Azure and others. * User-facing error messages are revamped to guide Azure users to **[https://ai.azure.com/](https://ai.azure.com)** and show the exact variable name they must set. * All code paths still export `OPENAI_API_KEY` so legacy scripts continue to operate unchanged. --- ## Example `config.json` ```jsonc { "model": "codex-mini", "provider": "azure", "providers": { "azure": { "name": "AzureOpenAI", "baseURL": "https://ai-<project-name>.openai.azure.com/openai", "envKey": "AZURE_OPENAI_API_KEY" } }, "history": { "maxSize": 1000, "saveHistory": true, "sensitivePatterns": [] } } ``` With this file in `~/.codex/config.json`, a single command line is enough: ```bash export AZURE_OPENAI_API_KEY="<your-key>" codex "Hello from Azure" ``` No browser window opens, and the CLI works in entirely non-interactive mode. --- ## Rationale The new flow enables Codex to run **asynchronously** in sandboxed environments such as GitHub Actions pipelines. By passing `--provider azure` (or setting it in `config.json`) and exporting the correct key, CI/CD jobs can invoke Codex without any ChatGPT-style login or PKCE round-trip. This unlocks fully automated testing and deployment scenarios. --- ## What’s changed | File | Type | Description | | ------------------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------- | | `codex-cli/src/cli.tsx` | **feat / refactor** | +43 / -20 lines. Imports `providers`, adds early provider-specific key lookup, gates `--free` redemption, rewrites help text. | | `src/utils/providers.ts` | **chore** | Now consumed by CLI for env-var discovery. | --- ## How to test ```bash # Azure example export AZURE_OPENAI_API_KEY="<your-key>" codex --provider azure "Automated run in CI" # OpenAI example (unchanged behaviour) codex --provider openai --login "Standard OpenAI flow" ``` Expected outcomes: * Azure and other provider paths are non-interactive when provider flag is passed. * The CLI always sets `OPENAI_API_KEY` for backward compatibility. --- ## Checklist * [x] Logic behind provider-specific env-var lookup added. * [x] Redundant OpenAI login steps removed for other providers. * [x] Unit tests cover new branches. * [x] README and sample config updated. * [x] CI passes on all supported Node versions. --- **Related work** * #92 * #769 * #1321 I have read the CLA Document and I hereby sign the CLA.
Govind Kamtamneni ·
2025-06-22 17:56:36 -07:00