Commit Graph

229 Commits

  • chore: create a release script for the Rust CLI (#1479)
    This is a stopgap solution before migrating the build for the npm
    release to GitHub Actions (which is ultimately what should be done to
    ensure hermetic builds).
    
    The idea is that instead of continuing to create PRs like
    https://github.com/openai/codex/pull/1472 where I have to check in a
    change to the `WORKFLOW_URL`, this script uses `gh run list` to get the
    `WORKFLOW_URL` dynamically and then threads the value through to
    `install_native_deps.sh`.
    
    To create the 0.3.0 release on npm, I ran:
    
    ```shell
    ./codex-cli/scripts/stage_rust_release.py --release-version 0.3.0
    ```
    
    and then did `npm publish --dry-run` followed by `npm publish` in the
    temp directory created by `stage_rust_release.py`.
  • chore: normalize repository.url in package.json (#1474)
    I got this as a warning when doing `npm publish --dry-run`, so I ran
    `npm pkg fix` to create this PR, as instructed.
  • chore: update release scripts for the TypeScript CLI (#1472)
    This introduces two changes to make a quick fix so we can deploy the
    Rust CLI for `0.2.0` of `@openai/codex` on npm:
    
    - Updates `WORKFLOW_URL` to point to
    https://github.com/openai/codex/actions/runs/15981617627, which is the
    GitHub workflow run used to create the binaries for the `0.2.0` release
    we published to Homebrew.
    - Adds a `--version` option to `stage_release.sh` to specify what the
    `version` field in the `package.json` will be.
    
    Locally, I ran the following:
    
    ```
    ./codex-cli/scripts/stage_release.sh --native --version 0.2.0
    ```
    
    Previously, we only used the `--native` flag to publish to the `native`
    tag of `@openai/codex` (e.g., `npm publish --tag native`), but we should
    just publish this as the default tag for `0.2.0` to be consistent with
    what is in Homebrew.
    
    We can still publish one "final" version of the TypeScript CLI as 0.1.x
    later.
    
    Under the hood, this release will still contain `dist/cli.js`,
    `bin/codex-linux-sandbox-x64`, and `bin/codex-x86_64-apple-darwin`,
    which are not strictly necessary, but we'll fix that in `0.3.0`.
  • docs: update documentation to reflect Rust CLI release (#1440)
    As promised on https://github.com/openai/codex/discussions/1405, we are
    making the first official release of the Rust CLI as v0.2.0. As part of
    this move, we are making it available in Homebrew:
    
    https://github.com/Homebrew/homebrew-core/pull/228615
    
    Ultimately, we also plan to continue to make the CLI available in npm,
    as well, though brew is a bit nicer in that `brew install` will download
    only the binary for your platform whereas an npm module is expected to
    contain the binaries for _all_ supported platforms, so it is a bit more
    heavyweight.
    
    A big part of this change is updating the root `README.md` to document
    the behavior of the Rust CLI, which differs in a number of ways from the
    TypeScript CLI. The existing `README.md` is moved to
    `codex-cli/README.md` as part of this PR, as it is still applicable to
    that folder.
    
    As this is still early days for the Rust CLI, I encourage folks to
    provide feedback on the command line flags and configuration options.
  • add: responses api support for azure (#1321)
    - Use Responses API for Azure provider endpoints
    - Added a unit test to catch regression on the change from
    `/chat/completions` to `/responses`
    - Updated the default AOAI api version from `2025-03-01-preview` to
    `2025-04-01-preview` to avoid user/400 errors due to missing summary
    support in the March API version.
    - Changes have been tested locally on AOAI endpoints
  • feat(ts): provider‑specific API‑key discovery and clearer Azure guidance (#1324)
    ## Summary
    
    This PR refactors the Codex CLI authentication flow so that
    **non-OpenAI** providers (for example **azure**, or any future addition)
    can supply their API key through a dedicated environment variable
    without triggering the OpenAI login flow.
    
    Key behaviours introduced:
    
    * When `provider !== "openai"` the CLI consults `src/utils/providers.ts`
    to locate the correct environment variable (`AZURE_OPENAI_API_KEY`,
    `GEMINI_API_KEY`, and so on) before considering any interactive login.
    * Credit redemption (`--free`) and PKCE login now run **only** when the
    provider is OpenAI, eliminating unwanted browser prompts for Azure and
    others.
    * User-facing error messages are revamped to guide Azure users to
    **[https://ai.azure.com/](https://ai.azure.com)** and show the exact
    variable name they must set.
    * All code paths still export `OPENAI_API_KEY` so legacy scripts
    continue to operate unchanged.
    
    ---
    
    ## Example `config.json`
    
    ```jsonc
    {
      "model": "codex-mini",
      "provider": "azure",
      "providers": {
        "azure": {
          "name": "AzureOpenAI",
          "baseURL": "https://ai-<project-name>.openai.azure.com/openai",
          "envKey": "AZURE_OPENAI_API_KEY"
        }
      },
      "history": {
        "maxSize": 1000,
        "saveHistory": true,
        "sensitivePatterns": []
      }
    }
    ```
    
    With this file in `~/.codex/config.json`, a single command line is
    enough:
    
    ```bash
    export AZURE_OPENAI_API_KEY="<your-key>"
    codex "Hello from Azure"
    ```
    
    No browser window opens, and the CLI works in entirely non-interactive
    mode.
    
    ---
    
    ## Rationale
    
    The new flow enables Codex to run **asynchronously** in sandboxed
    environments such as GitHub Actions pipelines. By passing `--provider
    azure` (or setting it in `config.json`) and exporting the correct key,
    CI/CD jobs can invoke Codex without any ChatGPT-style login or PKCE
    round-trip. This unlocks fully automated testing and deployment
    scenarios.
    
    ---
    
    ## What’s changed
    
    | File | Type | Description |
    | ------------------------ | ------------------- |
    -----------------------------------------------------------------------------------------------------------------------------
    |
    | `codex-cli/src/cli.tsx` | **feat / refactor** | +43 / -20 lines.
    Imports `providers`, adds early provider-specific key lookup, gates
    `--free` redemption, rewrites help text. |
    | `src/utils/providers.ts` | **chore** | Now consumed by CLI for env-var
    discovery. |
    
    ---
    
    ## How to test
    
    ```bash
    # Azure example
    export AZURE_OPENAI_API_KEY="<your-key>"
    codex --provider azure "Automated run in CI"
    
    # OpenAI example (unchanged behaviour)
    codex --provider openai --login "Standard OpenAI flow"
    ```
    
    Expected outcomes:
    
    * Azure and other provider paths are non-interactive when provider flag
    is passed.
    * The CLI always sets `OPENAI_API_KEY` for backward compatibility.
    
    ---
    
    ## Checklist
    
    * [x] Logic behind provider-specific env-var lookup added.
    * [x] Redundant OpenAI login steps removed for other providers.
    * [x] Unit tests cover new branches.
    * [x] README and sample config updated.
    * [x] CI passes on all supported Node versions.
    
    ---
    
    **Related work**
    
    * #92
    * #769 
    * #1321
    
    
    
    I have read the CLA Document and I hereby sign the CLA.
  • chore: ensure next Node.js release includes musl binaries for arm64 Linux (#1232)
    Target a workflow with more recent binary artifacts.
  • fix: use aarch64-unknown-linux-musl instead of aarch64-unknown-linux-gnu (#1228)
    Now that we have published a GitHub Release that contains arm64 musl
    artifacts for Linux, update the following scripts to take advantage of
    them:
    
    - `dotslash-config.json` now uses musl artifacts for the `linux-aarch64`
    target
    - `install_native_deps.sh` for the TypeScript CLI now includes
    `codex-linux-sandbox-aarch64-unknown-linux-musl` instead of
    `codex-linux-sandbox-aarch64-unknown-linux-gnu` for sandboxing
    - `codex-cli/bin/codex.js` now checks for `aarch64-unknown-linux-musl`
    artifacts instead of `aarch64-unknown-linux-gnu` ones
  • feat: add support for login with ChatGPT (#1212)
    This does not implement the full Login with ChatGPT experience, but it
    should unblock people.
    
    **What works**
    
    * The `codex` multitool now has a `login` subcommand, so you can run
    `codex login`, which should write `CODEX_HOME/auth.json` if you complete
    the flow successfully. The TUI will now read the `OPENAI_API_KEY` from
    `auth.json`.
    * The TUI should refresh the token if it has expired and the necessary
    information is in `auth.json`.
    * There is a `LoginScreen` in the TUI that tells you to run `codex
    login` if both (1) your model provider expects to use `OPENAI_API_KEY`
    as its env var, and (2) `OPENAI_API_KEY` is not set.
    
    **What does not work**
    
    * The `LoginScreen` does not support the login flow from within the TUI.
    Instead, it tells you to quit, run `codex login`, and then run `codex`
    again.
    * `codex exec` does read from `auth.json` yet, nor does it direct the
    user to go through the login flow if `OPENAI_API_KEY` is not be found.
    * The `maybeRedeemCredits()` function from `get-api-key.tsx` has not
    been ported from TypeScript to `login_with_chatgpt.py` yet:
    
    
    https://github.com/openai/codex/blob/a67a67f3258fc21e147b6786a143fe3e15e6d5ba/codex-cli/src/utils/get-api-key.tsx#L84-L89
    
    **Implementation**
    
    Currently, the OAuth flow requires running a local webserver on
    `127.0.0.1:1455`. It seemed wasteful to incur the additional binary cost
    of a webserver dependency in the Rust CLI just to support login, so
    instead we implement this logic in Python, as Python has a `http.server`
    module as part of its standard library. Specifically, we bundle the
    contents of a single Python file as a string in the Rust CLI and then
    use it to spawn a subprocess as `python3 -c
    {{SOURCE_FOR_PYTHON_SERVER}}`.
    
    As such, the most significant files in this PR are:
    
    ```
    codex-rs/login/src/login_with_chatgpt.py
    codex-rs/login/src/lib.rs
    ```
    
    Now that the CLI may load `OPENAI_API_KEY` from the environment _or_
    `CODEX_HOME/auth.json`, we need a new abstraction for reading/writing
    this variable, so we introduce:
    
    ```
    codex-rs/core/src/openai_api_key.rs
    ```
    
    Note that `std::env::set_var()` is [rightfully] `unsafe` in Rust 2024,
    so we use a LazyLock<RwLock<Option<String>>> to store `OPENAI_API_KEY`
    so it is read in a thread-safe manner.
    
    Ultimately, it should be possible to go through the entire login flow
    from the TUI. This PR introduces a placeholder `LoginScreen` UI for that
    right now, though the new `codex login` subcommand introduced in this PR
    should be a viable workaround until the UI is ready.
    
    **Testing**
    
    Because the login flow is currently implemented in a standalone Python
    file, you can test it without building any Rust code as follows:
    
    ```
    rm -rf /tmp/codex_home && mkdir /tmp/codex_home
    CODEX_HOME=/tmp/codex_home python3 codex-rs/login/src/login_with_chatgpt.py
    ```
    
    For reference:
    
    * the original TypeScript implementation was introduced in
    https://github.com/openai/codex/pull/963
    * support for redeeming credits was later added in
    https://github.com/openai/codex/pull/974
  • fix: for the @native release of the Node module, use the Rust version by default (#1084)
    Added logic so that when we run `./scripts/stage_release.sh --native`
    (for the `@native` version of the Node module), we drop a `use-native`
    file next to `codex.js`. If present, `codex.js` will now run the Rust
    CLI.
    
    Ran `./scripts/stage_release.sh --native` and verified that when the
    running `codex.js` in the staged folder:
    
    ```
    $ /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.efvEvBlSN6/bin/codex.js --version
    codex-cli 0.0.2505220956
    ```
    
    it ran the expected Rust version of the CLI, as desired.
    
    While here, I also updated the Rust version to one that I cut today,
    which includes the new shell environment policy config option:
    https://github.com/openai/codex/pull/1061. Note this may "break" some
    users if the processes spawned by Codex need extra environment
    variables. (We are still working to determine what the right defaults
    should be for this option.)
  • fix: persist token after refresh (#1006)
    After a token refresh/exchange, persist the new refresh and id token
  • bump(version): 0.1.2505171619 (#1001)
    ## `0.1.2505171619`
    
    - `codex --login` + `codex --free` (#998)
  • add: codex --login + codex --free (#998)
    ## Summary
    - add `--login` and `--free` flags to cli help
    - handle `--login` and `--free` logic in cli
    - factor out redeem flow into `maybeRedeemCredits`
    - call new helper from login callback
  • chore: update install_native_deps.sh to use rust-v0.0.2505171051 (#995)
    Use a more recent built of the Rust binaries to include with the Node
    module.
  • Remove unnecessary console log from test (#970)
    When running `npm test` on `codex-cli`, the test
    `agent-cancel-prev-response.test.ts` logs a significant body of text to
    console for no obvious reason.
    
    This is not helpful, as it makes test logs messy and far longer.
    
    This change deletes the `console.log(...)` that produces the behavior.
  • fix: remove file named ">" in the codex-cli folder (#968)
    This file appears to have been accidentally added in
    https://github.com/openai/codex/pull/912. Its presence makes the repo
    impossible to clone on Windows.
  • add: sign in with chatgpt (#963)
    Sign in with ChatGPT to get an API key (flow to grant API credits for Plus/Pro coming later today!)
  • add: session history viewer (#912)
    - A new “/sessions” command is available for browsing previous sessions,
    as shown in the updated slash command list
    
    - The CLI now documents and parses a new “--history” flag to browse past
    sessions from the command line
    
    - A dedicated `SessionsOverlay` component loads session metadata and
    allows toggling between viewing and resuming sessions
    
    - When the sessions overlay is opened during a chat, selecting a session
    can either show the saved rollout or resume it
  • fix: diff command for filenames with special characters (#954)
    ## Summary
    - fix quoting issues in `/diff` to correctly handle files with special
    characters
    - add regression test for `getGitDiff` when filenames contain `$`
    - relax timeout in raw-exec-process-group test
    
    Fixes https://github.com/openai/codex/issues/943
    
    ## Testing
    - `pnpm test`
  • add: codex-mini-latest (#951)
    💽
    
    ---------
    
    Co-authored-by: Trevor Creech <tcreech@openai.com>
  • Add codespell support (config, workflow to detect/not fix) and make it fix some typos (#903)
    More about codespell: https://github.com/codespell-project/codespell .
    
    I personally introduced it to dozens if not hundreds of projects already
    and so far only positive feedback.
    
    CI workflow has 'permissions' set only to 'read' so also should be safe.
    
    Let me know if just want to take typo fixes in and get rid of the CI
    
    ---------
    
    Signed-off-by: Yaroslav O. Halchenko <debian@onerussian.com>
  • restructure flake for codex-rs (#888)
    Right now since the repo is having two different implementations of
    codex, flake was updated to work with both typescript implementation and
    rust implementation
  • feat: auto-approve nl and support piping to sed (#920)
    Auto-approved:
    
    ```
    ["nl", "-ba", "README.md"]
    ["sed", "-n", "1,200p", "filename.txt"]
    ["bash", "-lc", "sed -n '1,200p' filename.txt"]
    ["bash", "-lc", "nl -ba README.md | sed -n '1,200p'"]
    ```
    
    Not auto approved:
    
    ```
    ["sed", "-n", "'1,200p'", "filename.txt"]
    ["sed", "-n", "1,200p", "file1.txt", "file2.txt"]
    ```
  • fix: tweak the label for citations for better rendering (#919)
    Adds a space so that sequential citations have some more breathing room.
    
    As I had to update the tests for this change, I also introduced a
    `toDiffableString()` helper to make the test easier to update as we make
    formatting changes to the output.
  • fix: patch in #366 and #367 for marked-terminal (#916)
    This PR uses [`pnpm
    patch`](https://www.petermekhaeil.com/til/pnpm-patch/) to pull in the
    following proposed fixes for `marked-terminal`:
    
    * https://github.com/mikaelbr/marked-terminal/pull/366
    * https://github.com/mikaelbr/marked-terminal/pull/367
    
    This adds a substantial test to `codex-cli/tests/markdown.test.tsx` to
    verify the new behavior.
    
    Note that one of the tests shows two citations being split across a line
    even though the rendered version would fit comfortably on one line.
    Changing this likely requires a subtle fix to `marked-terminal` to
    account for "rendered length" when determining line breaks.
  • fix: remember to set lastIndex = 0 on shared RegExp (#918)
    I had not observed an issue in the wild because of this yet, but it
    feels like it was only a matter of time...
  • fix: add support for fileOpener in config.json (#911)
    This PR introduces the following type:
    
    ```typescript
    export type FileOpenerScheme = "vscode" | "cursor" | "windsurf";
    ```
    
    and uses it as the new type for a `fileOpener` option in `config.json`.
    If set, this will be used to linkify file annotations in the output
    using the URI-based file opener supported in VS Code-based IDEs.
    
    Currently, this does not pass:
    
    Updated `codex-cli/tests/markdown.test.tsx` to verify the new behavior.
    Note it required mocking `supports-hyperlinks` and temporarily modifying
    `chalk.level` to yield the desired output.
  • fix: always load version from package.json at runtime (#909)
    Note the high-level motivation behind this change is to avoid the need
    to make temporary changes in the source tree in order to cut a release
    build since that runs the risk of leaving things in an inconsistent
    state in the event of a failure. The existing code:
    
    ```
    import pkg from "../../package.json" assert { type: "json" };
    ```
    
    did not work as intended because, as written, ESBuild would bake the
    contents of the local `package.json` into the release build at build
    time whereas we want it to read the contents at runtime so we can use
    the `package.json` in the tree to build the code and later inject a
    modified version into the release package with a timestamped build
    version.
    
    Changes:
    
    * move `CLI_VERSION` out of `src/utils/session.ts` and into
    `src/version.ts` so `../package.json` is a correct relative path both
    from `src/version.ts` in the source tree and also in the final
    `dist/cli.js` build output
    * change `assert` to `with` in `import pkg` as apparently `with` became
    standard in Node 22
    * mark `"../package.json"` as external in `build.mjs` so the version is
    not baked into the `.js` at build time
    
    After using `pnpm stage-release` to build a release version, if I use
    Node 22.0 to run Codex, I see the following printed to stderr at
    startup:
    
    ```
    (node:71308) ExperimentalWarning: Importing JSON modules is an experimental feature and might change at any time
    (Use `node --trace-warnings ...` to show where the warning was created)
    ```
    
    Note it is a warning and does not prevent Codex from running.
    
    In Node 22.12, the warning goes away, but the warning still appears in
    Node 22.11. For Node 22, 22.15.0 is the current LTS version, so LTS
    users will not see this.
    
    Also, something about moving the definition of `CLI_VERSION` caused a
    problem with the mocks in `check-updates.test.ts`. I asked Codex to fix
    it, and it came up with the change to the test configs. I don't know
    enough about vitest to understand what it did, but the tests seem
    healthy again, so I'm going with it.
  • fix: Normalize paths in resolvePathAgainstWorkdir to prevent path traversal vulnerability (#895)
    This PR fixes a potential path traversal vulnerability by ensuring all
    paths are properly normalized in the `resolvePathAgainstWorkdir`
    function.
    
    ## Changes
    - Added path normalization for both absolute and relative paths
    - Ensures normalized paths are used in all subsequent operations
    - Prevents potential path traversal attacks through non-normalized paths
    
    This minimal change addresses the security concern without adding
    unnecessary complexity, while maintaining compatibility with existing
    code.
  • chore: introduce new --native flag to Node module release process (#844)
    This PR introduces an optional build flag, `--native`, that will build a
    version of the Codex npm module that:
    
    - Includes both the Node.js and native Rust versions (for Mac and Linux)
    - Will run the native version if `CODEX_RUST=1` is set
    - Runs the TypeScript version otherwise
    
    Note this PR also updates the workflow URL to
    https://github.com/openai/codex/actions/runs/14872557396, as that is a
    build from today that includes everything up through
    https://github.com/openai/codex/pull/843.
    
    Test Plan:
    
    In `~/code/codex/codex-cli`, I ran:
    
    ```
    pnpm stage-release --native
    ```
    
    The end of the output was:
    
    ```
    Staged version 0.1.2505121317 for release in /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN
    Test Node:
        node /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN/bin/codex.js --help
    Test Rust:
        CODEX_RUST=1 node /var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN/bin/codex.js --help
    Next:  cd "/var/folders/wm/f209bc1n2bd_r0jncn9s6j_00000gp/T/tmp.xd2p5ETYGN" && npm publish --tag native
    ```
    
    I verified that running each of these commands ran the expected version
    of Codex.
    
    While here, I also added `bin` to the `files` list in `package.json`,
    which should have been done as part of
    https://github.com/openai/codex/pull/757, as that added new entries to
    `bin` that were matched by `.gitignore` but should have been included in
    a release.
  • fix: flex-mode via config/flag (#813)
    * Add flexMode to stored config, and use it during config loading unless
    the flag is explicitly passed.
    * If the config asks for flexMode and the model doesn't support it,
    silently disable flexMode.
    
    Resolves #803
  • feat: added arceeai as a provider (#818)
    - Added ArceeAI as a provider  - https://conductor.arcee.ai/v1
    - Compatible with ArceeAI SLMs (Virtuoso, Maestro)
    - Works with ArceeAI's Conductor auto‑router models (auto, auto‑tool),
    once #817 is merged
  • fix: guard against missing choices (#817)
    - Fixes guard by using optional chaining to safely check
    chunk.choices?.[0] before accessing.
    - Currently, accessing chunk.choices[0] without checking could throw if
    choices was missing from the chunk.
  • Add reasoning effort option to CLI help text (#815)
    Reasoning effort was already available, but not expressed into the help
    text, so it was non-discoverable.
    
    Other issues discovered, but will fix in separate PR since they are
    larger:
    * #816 reasoningEffort isn't displayed in the terminal-header, making it
    rather hard to see the state of configuration
    * I don't think the config file setting works, as the CLI option always
    "wins" and overwrites it
  • fix: migrate to AGENTS.md (#764)
    Migrate from `codex.md` to `AGENTS.md`
  • fix: retry on OpenAI server_error even without status code (#814)
    Fix: retry on server_error responses that lack an HTTP status code
    
    ### What happened
    
    1. An OpenAI endpoint returned a **5xx** (transient server-side
    failure).
    2. The SDK surfaced it as an `APIError` with
    
    { "type": "server_error", "message": "...", "status": undefined }
    
               (The SDK does not always populate `status` for these cases.)
    3. Our retry logic in `src/utils/agent/agent-loop.ts` determined
    
    isServerError = typeof status === "number" && status >= 500;
    
    Because `status` was *undefined*, the error was **not** recognised as
    retriable, the exception bubbled out, and the CLI crashed with a stack
               trace similar to:
    
                   Error: An error occurred while processing the request.
                       at .../cli.js:474:1514
    
    ### Root cause
    
    The transient-error detector ignored the semantic flag type ===
    "server_error" that the SDK provides when the numeric status is missing.
    
    #### Fix (1 loc + comment)
    
    Extend the check:
    
    const status = errCtx?.status ?? errCtx?.httpStatus ??
    errCtx?.statusCode;
    
    const isServerError = (typeof status === "number" && status >= 500) ||
    // classic 5xx
    errCtx?.type === "server_error";                   // <-- NEW
    
    Now the agent:
    
    * Retries up to **5** times (existing logic) when the backend reports a
    transient failure, even if `status` is absent.
    * If all retries fail, surfaces the existing friendly system message
    instead of an uncaught exception.
    
    ### Tests & validation
    
    pnpm test # all suites green (17 agent-level tests now include this
    path)
    pnpm run lint    # 0 errors / warnings
    pnpm run typecheck
    
    A new unit-test file isn’t required—the behaviour is already covered by
    tests/agent-server-retry.test.ts, which stubs type: "server_error" and
    now passes with the updated logic.
    
    ### Impact
    
    * No API-surface changes.
    * Prevents CLI crashes on intermittent OpenAI outages.
    * Adds robust handling for other providers that may follow the same
    error-shape.
  • Adds Azure OpenAI support (#769)
    ## Summary
    
    This PR introduces support for Azure OpenAI as a provider within the
    Codex CLI. Users can now configure the tool to leverage their Azure
    OpenAI deployments by specifying `"azure"` as the provider in
    `config.json` and setting the corresponding `AZURE_OPENAI_API_KEY` and
    `AZURE_OPENAI_API_VERSION` environment variables. This functionality is
    added alongside the existing provider options (OpenAI, OpenRouter,
    etc.).
    
    Related to #92
    
    **Note:** This PR is currently in **Draft** status because tests on the
    `main` branch are failing. It will be marked as ready for review once
    the `main` branch is stable and tests are passing.
    
    ---
    
    ## What’s Changed
    
    -   **Configuration (`config.ts`, `providers.ts`, `README.md`):**
    - Added `"azure"` to the supported `providers` list in `providers.ts`,
    specifying its name, default base URL structure, and environment
    variable key (`AZURE_OPENAI_API_KEY`).
    - Defined the `AZURE_OPENAI_API_VERSION` environment variable in
    `config.ts` with a default value (`2025-03-01-preview`).
        -   Updated `README.md` to:
            -   Include "azure" in the list of providers.
    - Add a configuration section for Azure OpenAI, detailing the required
    environment variables (`AZURE_OPENAI_API_KEY`,
    `AZURE_OPENAI_API_VERSION`) with examples.
    - **Client Instantiation (`terminal-chat.tsx`, `singlepass-cli-app.tsx`,
    `agent-loop.ts`, `compact-summary.ts`, `model-utils.ts`):**
    - Modified various components and utility functions where the OpenAI
    client is initialized.
    - Added conditional logic to check if the configured `provider` is
    `"azure"`.
    - If the provider is Azure, the `AzureOpenAI` client from the `openai`
    package is instantiated, using the configured `baseURL`, `apiKey` (from
    `AZURE_OPENAI_API_KEY`), and `apiVersion` (from
    `AZURE_OPENAI_API_VERSION`).
    - Otherwise, the standard `OpenAI` client is instantiated as before.
    -   **Dependencies:**
    - Relies on the `openai` package's built-in support for `AzureOpenAI`.
    No *new* external dependencies were added specifically for this Azure
    implementation beyond the `openai` package itself.
    
    ---
    
    ## How to Test
    
    *This has been tested locally and confirmed working with Azure OpenAI.*
    
    1.  **Configure `config.json`:**
    Ensure your `~/.codex/config.json` (or project-specific config) includes
    Azure and sets it as the active provider:
        ```json
        {
          "providers": {
            // ... other providers
            "azure": {
              "name": "AzureOpenAI",
    "baseURL": "https://YOUR_RESOURCE_NAME.openai.azure.com", // Replace
    with your Azure endpoint
              "envKey": "AZURE_OPENAI_API_KEY"
            }
          },
          "provider": "azure", // Set Azure as the active provider
          "model": "o4-mini" // Use your Azure deployment name here
          // ... other config settings
        }
        ```
    2.  **Set up Environment Variables:**
        ```bash
        # Set the API Key for your Azure OpenAI resource
        export AZURE_OPENAI_API_KEY="your-azure-api-key-here"
    
    # Set the API Version (Optional - defaults to `2025-03-01-preview` if
    not set)
    # Ensure this version is supported by your Azure deployment and endpoint
        export AZURE_OPENAI_API_VERSION="2025-03-01-preview"
        ```
    3.  **Get the Codex CLI by building from this PR branch:**
    Clone your fork, checkout this branch (`feat/azure-openai`), navigate to
    `codex-cli`, and build:
        ```bash
        # cd /path/to/your/fork/codex
        git checkout feat/azure-openai # Or your branch name
        cd codex-cli
        corepack enable
        pnpm install
        pnpm build
        ```
    4.  **Invoke Codex:**
    Run the locally built CLI using `node` from the `codex-cli` directory:
        ```bash
        node ./dist/cli.js "Explain the purpose of this PR"
        ```
    *(Alternatively, if you ran `pnpm link` after building, you can use
    `codex "Explain the purpose of this PR"` from anywhere)*.
    5. **Verify:** Confirm that the command executes successfully and
    interacts with your configured Azure OpenAI deployment.
    
    ---
    
    ## Tests
    
    - [x] Tested locally against an Azure OpenAI deployment using API Key
    authentication. Basic commands and interactions confirmed working.
    
    ---
    
    ## Checklist
    
    - [x] Added Azure provider details to configuration files
    (`providers.ts`, `config.ts`).
    - [x] Implemented conditional `AzureOpenAI` client initialization based
    on provider setting.
    -   [x] Ensured `apiVersion` is passed correctly to the Azure client.
    -   [x] Updated `README.md` with Azure OpenAI setup instructions.
    - [x] Manually tested core functionality against a live Azure OpenAI
    endpoint.
    - [x] Add/update automated tests for the Azure code path (pending `main`
    stability).
    
    cc @theabhinavdas @nikodem-wrona @fouad-openai @tibo-openai (adjust as
    needed)
    
    ---
    
    I have read the CLA Document and I hereby sign the CLA
  • fix: increase output limits for truncating collector (#575)
    This Pull Request addresses an issue where the output of commands
    executed in the raw-exec utility was being truncated due to restrictive
    limits on the number of lines and bytes collected. The truncation caused
    the message [Output truncated: too many lines or bytes] to appear when
    processing large outputs, which could hinder the functionality of the
    CLI.
    
    Changes Made
    
    Increased the maximum output limits in the
    [createTruncatingCollector](https://github.com/openai/codex/pull/575)
    utility:
    Bytes: Increased from 10 KB to 100 KB.
    Lines: Increased from 256 lines to 1024 lines.
    Installed the @types/node package to resolve missing type definitions
    for [NodeJS](https://github.com/openai/codex/pull/575) and
    [Buffer](https://github.com/openai/codex/pull/575).
    Verified and fixed any related errors in the
    [createTruncatingCollector](https://github.com/openai/codex/pull/575)
    implementation.
    
    Issue Solved: 
    
    This PR ensures that larger outputs can be processed without truncation,
    improving the usability of the CLI for commands that generate extensive
    output. https://github.com/openai/codex/issues/509
    
    ---------
    
    Co-authored-by: Michael Bolin <bolinfest@gmail.com>
  • Configure HTTPS agent for proxies (#775)
    - Some workflows require you to route openAI API traffic through a proxy
    - See
    https://github.com/openai/openai-node/tree/v4?tab=readme-ov-file#configuring-an-https-agent-eg-for-proxies
    for more details
    
    ---------
    
    Co-authored-by: Thibault Sottiaux <tibo@openai.com>
    Co-authored-by: Fouad Matin <fouad@openai.com>
  • feat: use Landlock for sandboxing on Linux in TypeScript CLI (#763)
    Building on top of https://github.com/openai/codex/pull/757, this PR
    updates Codex to use the Landlock executor binary for sandboxing in the
    Node.js CLI. Note that Codex has to be invoked with either `--full-auto`
    or `--auto-edit` to activate sandboxing. (Using `--suggest` or
    `--dangerously-auto-approve-everything` ensures the sandboxing codepath
    will not be exercised.)
    
    When I tested this on a Linux host (specifically, `Ubuntu 24.04.1 LTS`),
    things worked as expected: I ran Codex CLI with `--full-auto` and then
    asked it to do `echo 'hello mbolin' into hello_world.txt` and it
    succeeded without prompting me.
    
    However, in my testing, I discovered that the sandboxing did *not* work
    when using `--full-auto` in a Linux Docker container from a macOS host.
    I updated the code to throw a detailed error message when this happens:
    
    
    ![image](https://github.com/user-attachments/assets/e5b99def-f00e-4ade-a0c5-2394d30df52e)
  • chore: make build process a single script to run (#757)
    This introduces `./codex-cli/scripts/stage_release.sh`, which is a shell
    script that stages a release for the Node.js module in a temp directory.
    It updates the release to include these native binaries:
    
    ```
    bin/codex-linux-sandbox-arm64
    bin/codex-linux-sandbox-x64
    ```
    
    though this PR does not update Codex CLI to use them yet.
    
    When doing local development, run
    `./codex-cli/scripts/install_native_deps.sh` to install these in your
    own `bin/` folder.
    
    This PR also updates `README.md` to document the new workflow.
    
    ---
    [//]: # (BEGIN SAPLING FOOTER)
    Stack created with [Sapling](https://sapling-scm.com). Best reviewed
    with [ReviewStack](https://reviewstack.dev/openai/codex/pull/757).
    * #763
    * __->__ #757