48 Commits

  • packaging: move rg manifest out of npm bin (#23833)
    ## Why
    
    Installing `@openai/codex` currently places a Dotslash `rg` manifest at
    `node_modules/@openai/codex/bin/rg`, even though the native optional
    dependency already ships the actual helper under
    `vendor/<target>/codex-path/rg`. The launcher prepends that `codex-path`
    directory, so the top-level `bin/rg` file is redundant in the npm
    install.
    
    The remaining direct consumers of the manifest are package-building
    paths: `scripts/codex_package/ripgrep.py` and
    `codex-cli/scripts/install_native_deps.py`. Keeping the manifest under
    `codex-cli/bin` makes it look like a shipped npm binary, so this moves
    it next to the package-builder code that owns it. The checked-in
    `@openai/codex` package metadata should likewise describe only the meta
    package payload; generated platform packages continue to publish
    `vendor`.
    
    ## What Changed
    
    - Moved the Dotslash ripgrep manifest from `codex-cli/bin/rg` to
    `scripts/codex_package/rg`.
    - Updated the package builder, npm native-artifact hydrator, README, and
    CLI help text to reference the new manifest location.
    - Stopped `codex-cli/scripts/build_npm_package.py` from copying `rg`
    into the `@openai/codex` meta package.
    - Narrowed the checked-in meta package `files` whitelist to
    `bin/codex.js`.
    
    ## Verification
    
    - `python3 -m unittest discover -s scripts/codex_package -p "test_*.py"`
    - `python3 -m unittest discover -s codex-cli/scripts -p "test_*.py"`
    - `python3 -m py_compile codex-cli/scripts/build_npm_package.py
    codex-cli/scripts/install_native_deps.py
    scripts/codex_package/ripgrep.py scripts/codex_package/cli.py
    scripts/stage_npm_packages.py`
    - `codex-cli/scripts/build_npm_package.py --package codex --version
    0.0.0-test --pack-output <tmp>/codex-meta-no-vendor.tgz`
    - `tar -tf <tmp>/codex-meta-no-vendor.tgz` showed only
    `package/bin/codex.js`, `package/package.json`, and `package/README.md`.
    - Direct staging check showed `codex` uses `files: ["bin/codex.js"]`
    while `codex-darwin-arm64` still uses `files: ["vendor"]`.
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/23833).
    * #23836
    * __->__ #23833
  • docs: add description to codex-cli/package.json (#23835)
    Fix this eyesore where our lack of a `"description"` was causing our
    `README.md` to be used for previews on npm.
    
    <img width="1291" height="178" alt="image"
    src="https://github.com/user-attachments/assets/a9bc08c5-0def-4755-8bcc-0c90e096b9c2"
    />
  • Harden package-manager install policy (#19163)
    ## Summary
    
    This PR hardens package-manager usage across the repo to reduce
    dependency supply-chain risk. It also removes the stale `codex-cli`
    Docker path, which was already broken on `main`, instead of keeping a
    bitrotted container workflow alive.
    
    ## What changed
    
    - Updated pnpm package manager pins and workspace install settings.
    - Removed stale `codex-cli` Docker assets instead of trying to keep a
    broken local container path alive.
    - Added uv settings and lockfiles for the Python SDK packages.
    - Updated Python SDK setup docs to use `uv sync`.
    
    ## Why
    
    This is primarily a security hardening change. It reduces
    package-install and supply-chain risk by ensuring dependency installs go
    through pinned package managers, committed lockfiles, release-age
    settings, and reviewed build-script controls.
    
    For `codex-cli`, the right follow-up was to remove the local Docker path
    rather than keep patching it:
    
    - `codex-cli/Dockerfile` installed `codex.tgz` with `npm install -g`,
    which bypassed the repo lockfile and age-gated pnpm settings.
    - The local `codex-cli/scripts/build_container.sh` helper was already
    broken on `main`: it called `pnpm run build`, but
    `codex-cli/package.json` does not define a `build` script.
    - The container path itself had bitrotted enough that keeping it would
    require extra packaging-specific behavior that was not otherwise needed
    by the repo.
    
    ## Gaps addressed
    
    - Global npm installs bypassed the repo lockfile in Docker and CLI
    reinstall paths, including `codex-cli/Dockerfile` and
    `codex-cli/bin/codex.js`.
    - CI and Docker pnpm installs used `--frozen-lockfile`, but the repo was
    missing stricter pnpm workspace settings for dependency build scripts.
    - Python SDK projects had `pyproject.toml` metadata but no committed
    `uv.lock` coverage or uv age/index settings in `sdk/python` and
    `sdk/python-runtime`.
    - The secure devcontainer install path used npm/global install behavior
    without a local locked package-manager boundary.
    - The local `codex-cli` Docker helper was already broken on `main`, so
    this PR removes that stale Docker path instead of preserving a broken
    surface.
    - pnpm was already pinned, but not to the current repo-wide pnpm version
    target.
    
    ## Verification
    
    - `pnpm install --frozen-lockfile`
    - `.devcontainer/codex-install`: `pnpm install --prod --frozen-lockfile`
    - `.devcontainer/codex-install`: `./node_modules/.bin/codex --version`
    - `sdk/python`: `uv lock --check`, `uv sync --locked --all-extras
    --dry-run`, `uv build`
    - `sdk/python-runtime`: `uv lock --check`, `uv sync --locked --dry-run`,
    `uv build --wheel`
    - `pnpm -r --filter ./sdk/typescript run build`
    - `pnpm -r --filter ./sdk/typescript run lint`
    - `pnpm -r --filter ./sdk/typescript run test`
    - `node --check codex-cli/bin/codex.js`
    - `docker build -f .devcontainer/Dockerfile.secure -t codex-secure-test
    .`
    - `cargo build -p codex-cli`
    - repo-wide package-manager audit
  • Update pnpm versions to fix cve-2026-24842 (#12009)
    Update pnpm versions to resolve CVE-2026-24842
  • fix: remove references to corepack (#10138)
    Currently, our `npm publish` logic is failing.
    
    There were a number of things that were merged recently that seemed to
    contribute to this situation, though I think we have fixed most of them,
    but this one stands out:
    
    https://github.com/openai/codex/pull/10115
    
    As best I can tell, we tried to fix the pnpm version to a specific hash,
    but we did not do it consistently (though `shell-tool-mcp/package.json`
    had it specified twice...), so for this PR, I ran:
    
    ```
    $ git ls-files | grep package.json
    codex-cli/package.json
    codex-rs/responses-api-proxy/npm/package.json
    package.json
    sdk/typescript/package.json
    shell-tool-mcp/package.json
    ```
    
    and ensured that all of them now have this line:
    
    ```json
      "packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264"
    ```
    
    I also went and deleted all of the `corepack` stuff that was added by
    https://github.com/openai/codex/pull/10115.
    
    If someone can explain why we need it and verify it does not break `npm
    publish`, then we can bring it back.
  • feat: introduce npm module for codex-responses-api-proxy (#4417)
    This PR expands `.github/workflows/rust-release.yml` so that it also
    builds and publishes the `npm` module for
    `@openai/codex-responses-api-proxy` in addition to `@openai/codex`. Note
    both `npm` modules are similar, in that they each contain a single `.js`
    file that is a thin launcher around the appropriate native executable.
    (Since we have a minimal dependency on Node.js, I also lowered the
    minimum version from 20 to 16 and verified that works on my machine.)
    
    As part of this change, we tighten up some of the docs around
    `codex-responses-api-proxy` and ensure the details regarding protecting
    the `OPENAI_API_KEY` in memory match the implementation.
    
    To test the `npm` build process, I ran:
    
    ```
    ./codex-cli/scripts/build_npm_package.py --package codex-responses-api-proxy --version 0.43.0-alpha.3
    ```
    
    which stages the `npm` module for `@openai/codex-responses-api-proxy` in
    a temp directory, using the binary artifacts from
    https://github.com/openai/codex/releases/tag/rust-v0.43.0-alpha.3.
  • fix: vendor ripgrep in the npm module (#3660)
    We try to ensure ripgrep (`rg`) is provided with Codex.
    
    - For `brew`, we declare it as a dependency of our formula:
    
    https://github.com/Homebrew/homebrew-core/blob/08d82d8b006a19efbe234477bc8b18d35b5fef50/Formula/c/codex.rb#L24
    - For `npm`, we declare `@vscode/ripgrep` as a dependency, which
    installs the platform-specific binary as part of a `postinstall` script:
    
    https://github.com/openai/codex/blob/fdb8dadcae9f8eec91bc3eb5a17b3f9b19e28505/codex-cli/package.json#L22
    - Users who download the CLI directly from GitHub Releases are on their
    own.
    
    In practice, I have seen `@vscode/ripgrep` fail on occasion. Here is a
    trace from a GitHub workflow:
    
    ```
    npm error code 1
    npm error path /Users/runner/hostedtoolcache/node/20.19.5/arm64/lib/node_modules/@openai/codex/node_modules/@vscode/ripgrep
    npm error command failed
    npm error command sh -c node ./lib/postinstall.js
    npm error Finding release for v13.0.0-13
    npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13
    npm error Deleting invalid download cache
    npm error Download attempt 1 failed, retrying in 2 seconds...
    npm error Finding release for v13.0.0-13
    npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13
    npm error Deleting invalid download cache
    npm error Download attempt 2 failed, retrying in 4 seconds...
    npm error Finding release for v13.0.0-13
    npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13
    npm error Deleting invalid download cache
    npm error Download attempt 3 failed, retrying in 8 seconds...
    npm error Finding release for v13.0.0-13
    npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13
    npm error Deleting invalid download cache
    npm error Download attempt 4 failed, retrying in 16 seconds...
    npm error Finding release for v13.0.0-13
    npm error GET https://api.github.com/repos/microsoft/ripgrep-prebuilt/releases/tags/v13.0.0-13
    npm error Deleting invalid download cache
    npm error Error: Request failed: 403
    ```
    
    To eliminate this error, this PR changes things so that we vendor the
    `rg` binary into https://www.npmjs.com/package/@openai/codex so it is
    guaranteed to be included when a user runs `npm i -g @openai/codex`.
    
    The downside of this approach is the increase in package size: we
    include the `rg` executable for six architectures (in addition to the
    six copies of `codex` we already include). In a follow-up, I plan to add
    support for "slices" of our npm module, so that soon users will be able
    to do:
    
    ```
    npm install -g @openai/codex@aarch64-apple-darwin
    ```
    
    Admittedly, this is a sizable change and I tried to clean some things up
    in the process:
    
    - `install_native_deps.sh` has been replaced by `install_native_deps.py`
    - `stage_release.sh` and `stage_rust_release.py` has been replaced by
    `build_npm_package.py`
    
    We now vendor in a DotSlash file for ripgrep (as a modest attempt to
    facilitate local testing) and then build up the extension by:
    
    - creating a temp directory and copying `package.json` over to it with
    the target value for `"version"`
    - finding the GitHub workflow that corresponds to the
    `--release-version` and copying the various `codex` artifacts to
    respective `vendor/TARGET_TRIPLE/codex` folder
    - downloading the `rg` artifacts specified in the DotSlash file and
    copying them over to the respective `vendor/TARGET_TRIPLE/path` folder
    - if `--pack-output` is specified, runs `npm pack` on the temp directory
    
    To test, I downloaded the artifact produced by this CI job:
    
    
    https://github.com/openai/codex/actions/runs/17961595388/job/51085840022?pr=3660
    
    and verified that `node ./bin/codex.js 'which -a rg'` worked as
    intended.
  • [codex-cli] Add ripgrep as a dependency for node environment (#2237)
    ## Summary
    Ripgrep is our preferred tool for file search. When users install via
    `brew install codex`, it's automatically installed as a dependency. We
    want to ensure that users running via an npm install also have this
    tool! Microsoft has already solved this problem for VS Code - let's not
    reinvent the wheel.
    
    This approach of appending to the PATH directly might be a bit
    heavy-handed, but feels reasonably robust to a variety of environment
    concerns. Open to thoughts on better approaches here!
    
    ## Testing
    - [x] confirmed this import approach works with `node -e "const { rgPath
    } = require('@vscode/ripgrep'); require('child_process').spawn(rgPath,
    ['--version'], { stdio: 'inherit' })"`
    - [x] Ran codex.js locally with `rg` uninstalled, asked it to run `which
    rg`. Output below:
    
    ```
     Ran command which rg; echo $?
      ⎿ /Users/dylan.hurd/code/dh--npm-rg/node_modules/@vscode/ripgrep/bin/rg
        0
    
    codex
    Re-running to confirm the path and exit code.
    
    - Path: `/Users/dylan.hurd/code/dh--npm-rg/node_modules/@vscode/ripgrep/bin/rg`
    - Exit code: `0`
    ```
  • chore: remove the TypeScript code from the repository (#2048)
    This deletes the bulk of the `codex-cli` folder and eliminates the logic
    that builds the TypeScript code and bundles it into the release.
    
    Since this PR modifies `.github/workflows/rust-release.yml`, to test
    changes to the release process, I locally commented out all of the "is
    this commit on upstream `main`" checks in
    `scripts/create_github_release.sh` and ran:
    
    ```
    ./codex-rs/scripts/create_github_release.sh 0.20.0-alpha.4
    ```
    
    Which kicked off:
    
    https://github.com/openai/codex/actions/runs/16842085113
    
    And the release artifacts appear legit!
    
    https://github.com/openai/codex/releases/tag/rust-v0.20.0-alpha.4
  • chore: normalize repository.url in package.json (#1474)
    I got this as a warning when doing `npm publish --dry-run`, so I ran
    `npm pkg fix` to create this PR, as instructed.
  • bump(version): 0.1.2505171619 (#1001)
    ## `0.1.2505171619`
    
    - `codex --login` + `codex --free` (#998)
  • add: sign in with chatgpt (#963)
    Sign in with ChatGPT to get an API key (flow to grant API credits for Plus/Pro coming later today!)
  • chore: introduce new --native flag to Node module release process (#844)
    This PR introduces an optional build flag, `--native`, that will build a
    version of the Codex npm module that:
    
    - Includes both the Node.js and native Rust versions (for Mac and Linux)
    - Will run the native version if `CODEX_RUST=1` is set
    - Runs the TypeScript version otherwise
    
    Note this PR also updates the workflow URL to
    https://github.com/openai/codex/actions/runs/14872557396, as that is a
    build from today that includes everything up through
    https://github.com/openai/codex/pull/843.
    
    Test Plan:
    
    In `~/code/codex/codex-cli`, I ran:
    
    ```
    pnpm stage-release --native
    ```
    
    The end of the output was:
    
    ```
    Staged version 0.1.2505121317 for release in /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN
    Test Node:
        node /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN/bin/codex.js --help
    Test Rust:
        CODEX_RUST=1 node /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN/bin/codex.js --help
    Next:  cd "/var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN" && npm publish --tag native
    ```
    
    I verified that running each of these commands ran the expected version
    of Codex.
    
    While here, I also added `bin` to the `files` list in `package.json`,
    which should have been done as part of
    https://github.com/openai/codex/pull/757, as that added new entries to
    `bin` that were matched by `.gitignore` but should have been included in
    a release.
  • Configure HTTPS agent for proxies (#775)
    - Some workflows require you to route openAI API traffic through a proxy
    - See
    https://github.com/openai/openai-node/tree/v4?tab=readme-ov-file#configuring-an-https-agent-eg-for-proxies
    for more details
    
    ---------
    
    Co-authored-by: Thibault Sottiaux <tibo@openai.com>
    Co-authored-by: Fouad Matin <fouad@openai.com>
  • chore: make build process a single script to run (#757)
    This introduces `./codex-cli/scripts/stage_release.sh`, which is a shell
    script that stages a release for the Node.js module in a temp directory.
    It updates the release to include these native binaries:
    
    ```
    bin/codex-linux-sandbox-arm64
    bin/codex-linux-sandbox-x64
    ```
    
    though this PR does not update Codex CLI to use them yet.
    
    When doing local development, run
    `./codex-cli/scripts/install_native_deps.sh` to install these in your
    own `bin/` folder.
    
    This PR also updates `README.md` to document the new workflow.
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/757).
    * #763
    * __->__ #757
  • bump(version): 0.1.2504301751 (#768)
    ## `0.1.2504301751`
    
    ### 🚀 Features
    
    - User config api key (#569)
    - `@mention` files in codex (#701)
    - Add `--reasoning` CLI flag (#314)
    - Lower default retry wait time and increase number of tries (#720)
    - Add common package registries domains to allowed-domains list (#414)
    
    ### 🪲 Bug Fixes
    
    - Insufficient quota message (#758)
    - Input keyboard shortcut opt+delete (#685)
    - `/diff` should include untracked files (#686)
    - Only allow running without sandbox if explicitly marked in safe
    container (#699)
    - Tighten up check for /usr/bin/sandbox-exec (#710)
    - Check if sandbox-exec is available (#696)
    - Duplicate messages in quiet mode (#680)
  • fix: read version from package.json instead of modifying session.ts (#753)
    I am working to simplify the build process. As a first step, update
    `session.ts` so it reads the `version` from `package.json` at runtime so
    we no longer have to modify it during the build process. I want to get
    to a place where the build looks like:
    
    ```
    cd codex-cli
    pnpm i
    pnpm build
    RELEASE_DIR=$(mktemp -d)
    cp -r bin "$RELEASE_DIR/bin"
    cp -r dist "$RELEASE_DIR/dist"
    cp -r src "$RELEASE_DIR/src" # important if we want sourcemaps to continue to work
    cp ../README.md "$RELEASE_DIR"
    VERSION=$(printf '0.1.%d' $(date +%y%m%d%H%M))
    jq --arg version "$VERSION" '.version = $version' package.json > "$RELEASE_DIR/package.json"
    ```
    
    Then the contents of `$RELEASE_DIR` should be good to `npm publish`, no?
  • bump(version): 0.1.2504251709 (#660)
    ## `0.1.2504251709`
    
    ### 🚀 Features
    
    - Add openai model info configuration (#551)
    - Added provider to run quiet mode function (#571)
    - Create parent directories when creating new files (#552)
    - Print bug report URL in terminal instead of opening browser (#510)
    (#528)
    - Add support for custom provider configuration in the user config
    (#537)
    - Add support for OpenAI-Organization and OpenAI-Project headers (#626)
    - Add specific instructions for creating API keys in error msg (#581)
    - Enhance toCodePoints to prevent potential unicode 14 errors (#615)
    - More native keyboard navigation in multiline editor (#655)
    - Display error on selection of invalid model (#594)
    
    ### 🪲 Bug Fixes
    
    - Model selection (#643)
    - Nits in apply patch (#640)
    - Input keyboard shortcuts (#676)
    - `apply_patch` unicode characters (#625)
    - Don't clear turn input before retries (#611)
    - More loosely match context for apply_patch (#610)
    - Update bug report template - there is no --revision flag (#614)
    - Remove outdated copy of text input and external editor feature (#670)
    - Remove unreachable "disableResponseStorage" logic flow introduced in
    #543 (#573)
    - Non-openai mode - fix for gemini content: null, fix 429 to throw
    before stream (#563)
    - Only allow going up in history when not already in history if input is
    empty (#654)
    - Do not grant "node" user sudo access when using run_in_container.sh
    (#627)
    - Update scripts/build_container.sh to use pnpm instead of npm (#631)
    - Update lint-staged config to use pnpm --filter (#582)
    - Non-openai mode - don't default temp and top_p (#572)
    - Fix error catching when checking for updates (#597)
    - Close stdin when running an exec tool call (#636)
  • chore: upgrade prettier to v3 (#644)
    ## Description
    
    This PR addresses the following improvements:
    
    **Unify Prettier Version**: Currently, the Prettier version used in
    `/package.json` and `/codex-cli/package.json` are different. In this PR,
    we're updating both to use Prettier v3.
    
    - Prettier v3 introduces improved support for JavaScript and TypeScript.
    (e.g. the formatting scenario shown in the image below. This is more
    aligned with the TypeScript indentation standard).
    
    <img width="1126" alt="image"
    src="https://github.com/user-attachments/assets/6e237eb8-4553-4574-b336-ed9561c55370"
    />
    
    **Add Prettier Auto-Formatting in lint-staged**: We've added a step to
    automatically run prettier --write on JavaScript and TypeScript files as
    part of the lint-staged process, before the ESLint checks.
    
    - This will help ensure that all committed code is properly formatted
    according to the project's Prettier configuration.
  • bump(version): 0.1.2504221401 (#559)
    ## `0.1.2504221401`
    
    ### 🚀 Features
    
    - Show actionable errors when api keys are missing (#523)
    - Add CLI `--version` flag (#492)
    
    ### 🐛 Bug Fixes
    
    - Agent loop for ZDR (`disableResponseStorage`) (#543)
    - Fix relative `workdir` check for `apply_patch` (#556)
    - Minimal mid-stream #429 retry loop using existing back-off (#506)
    - Inconsistent usage of base URL and API key (#507)
    - Remove requirement for api key for ollama (#546)
    - Support `[provider]_BASE_URL` (#542)
  • bump(version): 0.1.2504220136 (#518)
    ## `0.1.2504220136`
    
    ### 🚀 Features
    
    - Add support for ZDR orgs (#481)
    - Include fractional portion of chunk that exceeds stdout/stderr limit
    (#497)
  • bump(version): 0.1.2504211509 (#493)
    ## `0.1.2504211509`
    
    ### 🚀 Features
    
    - Support multiple providers via Responses-Completion transformation
    (#247)
    - Add user-defined safe commands configuration and approval logic #380
    (#386)
    - Allow switching approval modes when prompted to approve an
    edit/command (#400)
    - Add support for `/diff` command autocomplete in TerminalChatInput
    (#431)
    - Auto-open model selector if user selects deprecated model (#427)
    - Read approvalMode from config file (#298)
    - `/diff` command to view git diff (#426)
    - Tab completions for file paths (#279)
    - Add /command autocomplete (#317)
    - Allow multi-line input (#438)
    
    ### 🐛 Bug Fixes
    
    - `full-auto` support in quiet mode (#374)
    - Enable shell option for child process execution (#391)
    - Configure husky and lint-staged for pnpm monorepo (#384)
    - Command pipe execution by improving shell detection (#437)
    - Name of the file not matching the name of the component (#354)
    - Allow proper exit from new Switch approval mode dialog (#453)
    - Ensure /clear resets context and exclude system messages from
    approximateTokenUsed count (#443)
    - `/clear` now clears terminal screen and resets context left indicator
    (#425)
    - Correct fish completion function name in CLI script (#485)
    - Auto-open model-selector when model is not found (#448)
    - Remove unnecessary isLoggingEnabled() checks (#420)
    - Improve test reliability for `raw-exec` (#434)
    - Unintended tear down of agent loop (#483)
    - Remove extraneous type casts (#462)
  • chore: drop src from publish (#474)
    Publish shouldn't need the source files published along with the
    distributable bin.
    
    `src` is being shipped to the registry rn:
    https://www.npmjs.com/package/@openai/codex?activeTab=code
    
    You can verify that the src is not needed by packing the project
    manually after removing src from the files:
    
    ```sh
    # from the codex-cli dir
    rm -rf dist # just for hygiene
    pnpm run build
    pnpm pack
    
    mkdir /tmp/codex-tar-test
    mv openai-codex-0.1.2504181820.tgz /tmp/codex-tar-test
    cd /tmp/codex-tar-test
    
    pnpm init
    pnpm add ./openai-codex-0.1.2504181820.tgz /tmp/codex-tar-test
    pnpm exec codex --full-auto "run a bash -c command to echo hello world"
    ```
    
    The cli is operational
    
    > noticed this when checking the screenshot included in
    https://github.com/openai/codex/pull/461
  • refactor(updates): fetch version from registry instead of npm CLI to support multiple managers (#446)
    ## Background  
    Addressing feedback from
    https://github.com/openai/codex/pull/333#discussion_r2050893224, this PR
    adds support for Bun alongside npm, pnpm while keeping the code simple.
    
    ## Summary  
    The update‑check flow is refactored to use a direct registry lookup
    (`fast-npm-meta` + `semver`) instead of shelling out to `npm outdated`,
    and adds a lightweight installer‑detection mechanism that:
    
    1. Checks if the invoked script lives under a known global‑bin directory
    (npm, pnpm, or bun)
    2. If not, falls back to local detection via `getUserAgent()` (the
    `package‑manager‑detector` library)
    
    ## What’s Changed  
    - **Registry‑based version check**  
    - Replace `execFile("npm", ["outdated"])` with `getLatestVersion()` and
    `semver.gt()`
    - **Multi‑manager support**  
    - New `renderUpdateCommand` handles update commands for `npm`, `pnpm`,
    and `bun`.
      - Detect global installer first via `detectInstallerByPath()`  
      - Fallback to local detection via `getUserAgent()`  
    - **Module cleanup**  
    - Extract `detectInstallerByPath` into
    `utils/package-manager-detector.ts`
    - Remove legacy `checkOutdated`, `getNPMCommandPath`, and child‑process
    JSON parsing
    - **Flow improvements in `checkForUpdates`**  
      1. Short‑circuit by `UPDATE_CHECK_FREQUENCY`  
      3. Fetch & compare versions  
      4. Persist new timestamp immediately  
      5. Render & display styled box only when an update exists  
    - **Maintain simplicity**
    - All multi‑manager logic lives in one small helper and a concise lookup
    rather than a complex adapter hierarchy
    - Core `checkForUpdates` remains a single, easy‑to‑follow async function
    - **Dependencies added**  
    - `fast-npm-meta`, `semver`, `package-manager-detector`, `@types/semver`
    
    ## Considerations
    If we decide to drop the interactive update‑message (`npm install -g
    @openai/codex`) rendering altogether, we could remove most of the
    installer‑detection code and dependencies, which would simplify the
    codebase further but result in a less friendly UX.
    
    ## Preview
    
    * npm
    
    ![refactor-update-check-flow-npm](https://github.com/user-attachments/assets/57320114-3fb6-4985-8780-3388a1d1ec85)
    
    * bun
    
    ![refactor-update-check-flow-bun](https://github.com/user-attachments/assets/d93bf0ae-a687-412a-ab92-581b4f967307)
    
    ## Simple Flow Chart
    
    ```mermaid
    flowchart TD
      A(Start) --> B[Read state]
      B --> C{Recent check?}
      C -- Yes --> Z[End]
      C -- No --> D[Fetch latest version]
      D --> E[Save check time]
      E --> F{Version data OK?}
      F -- No --> Z
      F -- Yes --> G{Update available?}
      G -- No --> Z
      G -- Yes --> H{Global install?}
      H -- Yes --> I[Select global manager]
      H -- No --> K{Local install?}
      K -- No --> Z
      K -- Yes --> L[Select local manager]
      I & L --> M[Render update message]
      M --> N[Format with boxen]
      N --> O[Print update]
      O --> Z
    ```
  • Remove README.md and bin from package.json#files field (#461)
    This PR removes always included files and folders from the
    [`package.json#files`
    field](https://docs.npmjs.com/cli/v11/configuring-npm/package-json#files):
    
    > Certain files are always included, regardless of settings:
    > - package.json
    > - README
    > - LICENSE / LICENCE
    > - The file in the "main" field
    > - The file(s) in the "bin" field
    
    Validated by running `pnpm i && cd codex-cli && pnpm build && pnpm
    release:readme && pnpm pack` and confirming both the `README.md` file
    and `bin` directory are still included in the tarball:
    
    <img width="227" alt="image"
    src="https://github.com/user-attachments/assets/ecd90a07-73c7-4940-8c83-cb1d51dfcf96"
    />
  • fix: configure husky and lint-staged for pnpm monorepo (#384)
    # Improve Developer Experience with Husky and lint-staged for pnpm
    Monorepo
    
    ## Summary
    This PR enhances the developer experience by configuring Husky and
    lint-staged to work properly with our pnpm monorepo structure. It
    centralizes Git hooks at the root level and ensures consistent code
    quality across the project.
    
    ## Changes
    - Centralized Husky and lint-staged configuration at the monorepo root
    - Added pre-commit hook that runs lint-staged to enforce code quality
    - Configured lint-staged to:
      - Format JSON, MD, and YAML files with Prettier
      - Lint and typecheck TypeScript files before commits
    - Fixed release script in codex-cli package.json (changed "pmpm" to "npm
    publish")
    - Removed duplicate Husky and lint-staged configurations from codex-cli
    package.json
    
    ## Benefits
    - **Consistent Code Quality**: Ensures all committed code meets project
    standards
    - **Automated Formatting**: Automatically formats code during commits
    - **Early Error Detection**: Catches type errors and lint issues before
    they're committed
    - **Centralized Configuration**: Easier to maintain and update in one
    place
    - **Improved Collaboration**: Ensures consistent code style across the
    team
    
    ## Future Improvements
    We could further enhance this setup by
    **Commit Message Validation**: Add commitlint to enforce conventional
    commit messages
    
    ---------
    
    Co-authored-by: Thibault Sottiaux <tibo@openai.com>
  • fix: /bug report command, thinking indicator (#381)
    - Fix `/bug` report command
    - Fix thinking indicator
  • feat: notify when a newer version is available (#333)
    **Summary**  
    This change introduces a new startup check that notifies users if a
    newer `@openai/codex` version is available. To avoid spamming, it writes
    a small state file recording the last check time and will only re‑check
    once every 24 hours.
    
    **What’s Changed**  
    - **New file** `src/utils/check-updates.ts`  
      - Runs `npm outdated --global @openai/codex`  
      - Reads/writes `codex-state.json` under `CONFIG_DIR`  
      - Limits checks to once per day (`UPDATE_CHECK_FREQUENCY = 24h`)  
    - Uses `boxen` for a styled alert and `which` to locate the npm binary
    - **Hooked into** `src/cli.tsx` entrypoint:
      ```ts
      import { checkForUpdates } from "./utils/check-updates";
      // …
      // after loading config
      await checkForUpdates().catch();
      ```
    - **Dependencies**  
      - Added `boxen@^8.0.1`, `which@^5.0.0`, `@types/which@^3.0.4`  
    - **Tests**  
      - Vitest suite under `tests/check-updates.test.ts`  
      - Snapshot in `__snapshots__/check-updates.test.ts.snap`  
    
    **Motivation**  
    Addresses issue #244. Users running a stale global install will now see
    a friendly reminder—at most once per day—to upgrade and enjoy the latest
    features.
    
    **Test Plan**  
    - `getNPMCommandPath()` resolves npm correctly  
    - `checkOutdated()` parses `npm outdated` JSON  
    - State file prevents repeat alerts within 24h  
    - Boxen snapshot matches expected output  
    - No console output when state indicates a recent check  
    
    **Related Issue**  
    try resolves #244
    
    
    **Preview**
    Prompt a pnpm‑style alert when outdated  
    
    ![outdated‑alert](https://github.com/user-attachments/assets/294dad45-d858-45d1-bf34-55e672ab883a)
    
    Let me know if you’d tweak any of the messaging, throttle frequency,
    placement in the startup flow, or anything else.
    
    ---------
    
    Co-authored-by: Thibault Sottiaux <tibo@openai.com>
  • chore: migrate to pnpm for improved monorepo management (#287)
    # Migrate to pnpm for improved monorepo management
    
    ## Summary
    This PR migrates the Codex repository from npm to pnpm, providing faster
    dependency installation, better disk space usage, and improved monorepo
    management.
    
    ## Changes
    - Added `pnpm-workspace.yaml` to define workspace packages
    - Added `.npmrc` with optimal pnpm configuration
    - Updated root package.json with workspace scripts
    - Moved resolutions and overrides to the root package.json
    - Updated scripts to use pnpm instead of npm
    - Added documentation for the migration
    - Updated GitHub Actions workflow for pnpm
    
    ## Benefits
    - **Faster installations**: pnpm is significantly faster than npm
    - **Disk space savings**: pnpm's content-addressable store avoids
    duplication
    - **Strict dependency management**: prevents phantom dependencies
    - **Simplified monorepo management**: better workspace coordination
    - **Preparation for Turborepo**: as discussed, this is the first step
    before adding Turborepo
    
    ## Testing
    - Verified that `pnpm install` works correctly
    - Verified that `pnpm run build` completes successfully
    - Ensured all existing functionality is preserved
    
    ## Documentation
    Added a detailed migration guide in `PNPM_MIGRATION.md` explaining:
    - Why we're migrating to pnpm
    - How to use pnpm with this repository
    - Common commands and workspace-specific commands
    - Monorepo structure and configuration
    
    ## Next Steps
    As discussed, once this change is stable, we can consider adding
    Turborepo as a follow-up enhancement.
  • fix: Improper spawn of sh on Windows Powershell (#318)
    # Fix CLI launcher on Windows by replacing `sh`-based entrypoint with
    cross-platform Node script
    
    ## What's changed
    
    * This PR attempts to replace the sh-based entry point with a node
    script that works on all platforms including Windows Powershell and CMD
    
    ## Why 
    
    * Previously, when installing Codex globally via `npm i -g
    @openai/codex`, Windows resulted in a broken CLI issue due to the `ps1`
    launcher trying to execute `sh.exe`.
    
    * If users don't have Unix-style shell, running the command will fail as
    seen below since `sh.exe` can't be found
    
    * Output:
     ``` 
    & : The term 'sh.exe' is not recognized as the name of a cmdlet,
    function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the path is
    correct and try again.
    At C:\Users\{user}\AppData\Roaming\npm\codex.ps1:24 char:7
    +     & "sh$exe"  "$basedir/node_modules/@openai/codex/bin/codex" $args
    +       ~~~~~~~~
    + CategoryInfo : ObjectNotFound: (sh.exe:String) [],
    CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    ```
    
    
    
    ## How
    * By using a Node based entry point that resolves the path to the compiled ESM bundle and dynamically loads it using native ESM
    
    * Removed dependency on platform-specific launchers allowing a single entrypoint to work everywhere Node.js runs.
    
    
    ## Result
    
    Codex CLI now supports cross-platform and launches correctly via:
    * macOS / Linux
    * Windows PowerShell
    * GitBash
    * CMD
    * WSL
    
    Directly addresses #316 
    
    ![image](https://github.com/user-attachments/assets/85faaca4-24bc-47c9-8160-4e30df6da4c3)
    
    
    ![image](https://github.com/user-attachments/assets/a13f7adc-52c1-4c0e-af02-e35a35dc45d4)
  • bump(version): 0.1.2504172351 (#310)
    Release `@openai/codex@0.1.2504172351`
  • add: changelog (#308)
    - Release `@openai/codex@0.1.2504172304`
    - Add changelog
  • bump(version): 0.1.2504161551 (#254)
    Bump version
    
    ---------
    
    Signed-off-by: Fouad Matin <fouad@openai.com>
    Co-authored-by: Jon Church <me@jonchurch.com>
  • feat(bin): support bun fallback runtime for codex CLI (#282)
    This PR adds a shell wrapper in `codex-cli/bin/codex` to detect node or
    bun as the runtime.
    
    It updates:
    - `package.json` bin entry
    - published files list to include bin/
    - README install instructions to include `bun install -g @openai/codex`
  • feat: shell command explanation option (#173)
    # Shell Command Explanation Option
    
    ## Description
    This PR adds an option to explain shell commands when the user is
    prompted to approve them (Fixes #110). When reviewing a shell command,
    users can now select "Explain this command" to get a detailed
    explanation of what the command does before deciding whether to approve
    or reject it.
    
    ## Changes
    - Added a new "EXPLAIN" option to the `ReviewDecision` enum
    - Updated the command review UI to include an "Explain this command (x)"
    option
    - Implemented the logic to send the command to the LLM for explanation
    using the same model as the agent
    - Added a display for the explanation in the command review UI
    - Updated all relevant components to pass the explanation through the
    component tree
    
    ## Benefits
    - Improves user understanding of shell commands before approving them
    - Reduces the risk of approving potentially harmful commands
    - Enhances the educational aspect of the tool, helping users learn about
    shell commands
    - Maintains the same workflow with minimal UI changes
    
    ## Testing
    - Manually tested the explanation feature with various shell commands
    - Verified that the explanation is displayed correctly in the UI
    - Confirmed that the user can still approve or reject the command after
    viewing the explanation
    
    ## Screenshots
    
    ![improved_shell_explanation_demo](https://github.com/user-attachments/assets/05923481-29db-4eba-9cc6-5e92301d2be0)
    
    
    ## Additional Notes
    The explanation is generated using the same model as the agent, ensuring
    consistency in the quality and style of explanations.
    
    ---------
    
    Signed-off-by: crazywolf132 <crazywolf132@gmail.com>
  • Feat/add husky (#223)
    # Add Husky and lint-staged for automated code quality checks
    
    ## Description
    This PR adds Husky Git hooks and lint-staged to automate code quality
    checks during the development workflow.
    
    ## Features Added
    - Pre-commit hook that runs lint-staged to check files before committing
    - Pre-push hook that runs tests and type checking before pushing
    - Configuration for lint-staged to format and lint different file types
    - Documentation explaining the Husky setup and usage
    - Updated README.md with information about Git hooks
    
    ## Benefits
    - Ensures consistent code style across the project
    - Prevents pushing code with failing tests or type errors
    - Reduces the need for style-related code review comments
    - Improves overall code quality
    
    ## Implementation Details
    - Added Husky and lint-staged as dev dependencies
    - Created pre-commit and pre-push hooks
    - Added configuration for lint-staged
    - Added documentation in HUSKY.md
    - Updated README.md with a new section on Git hooks
    
    ## Testing
    The hooks have been tested locally and work as expected:
    - Pre-commit hook runs ESLint and Prettier on staged files
    - Pre-push hook runs tests and type checking
    
    I have read the CLA Document and I hereby sign the CLA
    
    ---------
    
    Signed-off-by: Alpha Diop <alphakhoss@gmail.com>
  • dotenv support (#122)
    Signed-off-by: Aron Jones <aron.jones@gmail.com>
  • update: release (#109)
    Signed-off-by: Fouad Matin <fouad@openai.com>
  • add: release script (#96)
    * add: release script
    
    * add: src to npm module
    
    * fix: readme
    
    Signed-off-by: Fouad Matin <fouad@openai.com>
    
    ---------
    
    Signed-off-by: Fouad Matin <fouad@openai.com>
  • (cleanup) remove unused express dep (#20)
    * remove unused express dep
    * update package-lock.json
  • Initial commit
    Signed-off-by: Ilan Bigio <ilan@openai.com>
  • Initial commit
    Signed-off-by: Ilan Bigio <ilan@openai.com>