Codex 0.135 Makes Diagnostics and Permission Profiles First-Class Agent Infrastructure

Codex 0.135.0 is the kind of release that looks dull until you have to support real developers using real agents against real repositories. There is no single cinematic demo here. There is codex doctor, remote status detail, named permission profiles, sandbox presets, resume-flow fixes, TUI correctness, and app-server-owned configuration cleanup. In other words: the agent is getting the diagnostic plumbing software needs after the demo ends.

That matters because coding-agent failures are rarely clean. When a run goes sideways, the culprit might be Git state, the terminal, a stale app server, a remote transport, a sandbox profile, a resumed thread, an MCP connector, a permission rule, a broken shell session, or the model itself. Without inspectable runtime state, every bug report turns into folklore: restart it, clear the thread, maybe tmux ate the control sequence, maybe the sandbox changed, maybe the model got confused. The May 28 Codex release is about replacing that folklore with surfaces an operator can actually read.

The release landed at 17:31 UTC, following the previous day’s 0.134.0 governance-heavy update around MCP environments, profiles, OAuth, schema handling, and usage limits. That sequence is important. First Codex makes more of the runtime explicit; then it immediately adds better ways to inspect it. Agent infrastructure without diagnostics is just a larger mystery box.

codex doctor is not a nice-to-have

The headline feature should be codex doctor. The command now reports richer environment, Git, terminal, app-server, and thread-inventory diagnostics. That sounds like support tooling, and it is. But support tooling is product strategy when your product is a local/cloud hybrid agent that can mutate a repository.

A useful doctor command changes how teams debug agent failures. Instead of asking a developer to reconstruct twenty minutes of session state from memory, support can ask for a diagnostic snapshot. Instead of guessing whether the app server, terminal, or thread inventory is stale, the tool can say what it sees. Instead of treating “the model failed” as a universal bucket, teams can separate runtime failures from reasoning failures from policy failures.

This is also the right moment for Codex to invest here because agent sessions are getting more distributed. The TUI may be local. The app server may own configuration. Threads may be cached or resumed. Remote transports may sit between the user and the worker. Tools may run through MCP environments. A diagnostic command is not optional in that architecture. It is the difference between software and séance.

Remote details in /status push the same idea into the live UI. When the TUI connects over a remote transport, /status can now show remote connection details and server version. That is the kind of information developers only appreciate when it is missing. If a cloud worker is running an older server, if a remote session is attached differently than expected, or if a support case depends on transport behavior, “which thing am I actually connected to?” should not require spelunking logs.

Permission profiles become team vocabulary

The other important change is named permission profiles in /permissions. Permission settings are not mere preferences anymore. They are risk postures. A team may need “read-only investigation,” “local edit with approval,” “sandboxed CI fixer,” “docs-only maintenance,” and “trusted repo chores.” Naming those modes makes them easier to teach, review, and select intentionally.

This is where agent UX and governance meet. If profiles are unnamed blobs of settings, developers will select whatever makes the prompt go away. If profiles map to workflow language, the UI can nudge better decisions: this task needs a read-only profile, that task should run sandboxed, this repository should not allow bypass mode. The profile name becomes a small piece of operational documentation.

Named profiles also make misuse easier to spot. “Why did the agent run this migration under the trusted-maintenance profile?” is a much better incident question than “what were your permissions set to?” Teams should version their intended profiles, document when each is appropriate, and keep local overrides from quietly becoming shadow policy. Personal convenience should not outrank project risk.
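One way to check that local overrides have not drifted from the versioned profiles, as an added example that is not Codex's own code. The profile names follow this article, but the setting keys and values (`filesystem`, `approval`, `network`) are a hypothetical schema, not Codex's configuration format, and the sample data is constructed.

```python
from collections import namedtuple

# Hypothetical settings schema (an assumption, not Codex's config keys).
# Each list is ordered from least to most permissive.
RANK = {
    "filesystem": ["read-only", "workspace-write", "full-access"],
    "approval": ["always", "on-request", "never"],
    "network": ["off", "on"],
}

Finding = namedtuple("Finding", "profile setting baseline local kind")

def audit(baseline, local):
    """Compare local profile overrides against the reviewed, versioned baseline."""
    findings = []
    for name, settings in sorted(local.items()):
        if name not in baseline:
            # A profile nobody reviewed is shadow policy by definition.
            findings.append(Finding(name, "*", "-", "-", "unreviewed-profile"))
            continue
        for key, order in RANK.items():
            want = baseline[name][key]
            have = settings.get(key, want)  # unset locally means inherit
            if have == want:
                continue
            if have not in order:
                kind = "unknown-value"
            elif order.index(have) > order.index(want):
                kind = "loosened"
            else:
                kind = "tightened"
            findings.append(Finding(name, key, want, have, kind))
    return findings

def blocking(findings):
    """Findings that should fail a pre-run check: everything except tightening."""
    return [f for f in findings if f.kind != "tightened"]

# Constructed sample data: the baseline lives in the repo, LOCAL is one developer's overrides.
BASELINE = {
    "read-only-investigation": {"filesystem": "read-only", "approval": "always", "network": "off"},
    "sandboxed-ci-fixer": {"filesystem": "workspace-write", "approval": "on-request", "network": "off"},
}
LOCAL = {
    "read-only-investigation": {"filesystem": "workspace-write"},
    "sandboxed-ci-fixer": {"approval": "always", "network": "on"},
    "trusted-repo-chores": {"filesystem": "full-access", "approval": "never"},
}
```

Run against the sample data, `blocking(audit(BASELINE, LOCAL))` flags the loosened filesystem and network settings and the unreviewed profile, while the tightened approval setting passes.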

The Python SDK’s friendly Sandbox presets matter for the same reason. Once Codex is driven by scripts, background jobs, internal tools, and CI-like workflows, sandbox configuration cannot be a pile of almost-correct hand-rolled options. Presets reduce drift. They give platform teams a smaller set of known behaviors to test and document. That is not glamorous API design, but it is exactly how safety features survive contact with wrapper scripts.

Resume bugs are where agents start lying by accident

The resume fixes deserve attention because interrupted sessions are where coding agents often feel haunted. This release improves handling for non-interactive exec sessions when requested and honors cwd overrides for idle cached threads. That sounds minor until an agent resumes into the wrong directory, loses track of a background command, or continues a plan with stale assumptions. The model may then confidently explain a world that no longer exists.

Agent reliability is partly model behavior and partly state accounting. If the runtime tells the model the wrong current working directory, omits a still-relevant exec session, or replays an incomplete thread, the model’s next move can be wrong for perfectly deterministic reasons. Users experience that as “AI hallucination.” Engineers should often read it as “runtime state bug.” Codex tightening resume behavior is therefore not polish; it is input hygiene.

The release also moves memory runtime state into a dedicated SQLite database and continues routing TUI config and plugin state through app-server-owned APIs. That is another sign of the product maturing from CLI utility to agent platform. State needs owners. Configuration needs consistent APIs. Memory needs storage boundaries. Otherwise every surface invents its own truth and the agent becomes inconsistent across TUI, SDK, app server, and remote paths.

The TUI fixes reinforce the same point from the human side: Markdown table rendering, multiline lists, macOS and Zellij raw-output corruption, slash-command completion preserving draft text, tmux/iTerm Ctrl-C handling, and inaccessible app mentions are not headline features. But terminal correctness affects trust. If a prompt eats a draft, corrupts output, or handles interrupts poorly, users do not think “small rendering bug.” They think “I should not let this touch my repo.”

For teams using Codex, the upgrade checklist is practical. Run codex doctor before filing support tickets or blaming the model. Define named permission profiles that correspond to real workflows. Use SDK sandbox presets instead of copying bespoke config between scripts. Check remote /status in any workflow that crosses local/cloud boundaries. Test resume behavior in repositories where long-running exec sessions and cwd overrides matter. And treat TUI/app-server version mismatches as operational facts, not vibes.

Codex 0.135.0 will not win a benchmark slide. Good. Benchmarks do not help when a resumed agent is in the wrong directory or a remote TUI is connected to the wrong server. The agent that wins inside teams will be the one that can explain its environment, permissions, remote state, and session history when the run goes sideways. This release moves Codex in that direction.

Sources: OpenAI Codex rust-v0.135.0, PR #24261, PR #24305, PR #24420, PR #21559