Codex CLI 0.129.0 Is a Maintenance Release With a Strategy: Agents, Hooks, Plugins, and Less Terminal Friction

Codex CLI 0.129.0 is the kind of release that will not win a keynote slide and absolutely should make daily users pay attention. The easy headline is modal Vim editing in the TUI. The real headline is less glamorous: OpenAI is hardening the control plane around agents — hooks, plugins, skills, subagents, sandbox behavior, resume flows, diagnostics, and all the tiny terminal papercuts that decide whether a tool becomes part of the workday or gets abandoned after the demo.

That is where the AI coding market has moved. The old question was whether an agent could write a plausible patch. The current question is whether a team can configure it, constrain it, resume it, audit it, share its workflows, and understand what happened when it touched the wrong thing. Version 0.129.0 reads like OpenAI knows that battle is now being fought in config files and runtime edges, not just model benchmarks.

The release adds modal Vim editing, including /vim, default-mode configuration, and Vim-specific keymap contexts. That matters because terminal users are picky for good reasons: if the input surface fights muscle memory, the agent loses before it starts. But the more consequential usability work is around continuity. The release redesigns resume and fork workflows, adds raw scrollback mode, improves /ide context injection, and makes /diff workspace-aware. Those features are not decoration. They are how a developer re-enters a long-running agent conversation without losing the plot.

The boring features are the product strategy

Look at the plugin and hook changes as one cluster. Plugin management now supports workspace sharing, share access controls, source filtering, local share path tracking, marketplace removal and upgrades, remote bundle sync, and admin-disabled status handling. Hooks can be browsed and toggled from /hooks, can run before and after compaction, and can add PreToolUse context. Codex Apps authentication and eligible MCP elicitations now surface through TUI and Guardian flows.

That is not a random grab bag. It is OpenAI building the machinery for repeatable team behavior. A solo developer can get by with local habits and vibes. A team needs installable workflows, visible lifecycle automation, admin controls, and policy surfaces that do not require spelunking through dotfiles every time something changes. Hooks are where observability and policy enter the loop. Plugins are how workflows become shareable. MCP surfaces are how the agent reaches external systems. Once those pieces exist, governance is not optional anymore; it is part of the product.

The official Skills documentation makes the same direction explicit. Skills package instructions, resources, and optional scripts so Codex can follow a workflow reliably. They are available in the CLI, IDE extension, and Codex app. Codex uses progressive disclosure: it starts with each skill’s name, description, and path, then loads the full SKILL.md only when it decides to use that skill. The initial skills list is capped at roughly 2% of the model context window, or 8,000 characters when the window is unknown.

That is a smart context-management design with a security tradeoff attached. The skill description becomes both a trigger and a trust boundary. If a team installs too many skills, descriptions may be shortened and some skills may be omitted from the initial list. If descriptions are vague, the agent can invoke the wrong workflow. If a shared skill includes optional scripts, you are no longer reviewing prose; you are reviewing executable process. Treat SKILL.md changes like code changes. Require clear trigger boundaries. Prefer narrow skills over Swiss Army knives with marketing-copy descriptions.

Subagents are useful, expensive, and easy to overuse

OpenAI’s subagents documentation says current Codex releases enable subagent workflows by default, but Codex only spawns subagents when explicitly asked. Built-in agents include default, worker, and explorer. Subagents inherit the current sandbox policy, and approval requests can surface from inactive agent threads. That is the right model: powerful, explicit, and tied to the parent’s trust boundary.

The cost and complexity warning should be louder. Each subagent does its own model and tool work. Parallel review across security, code quality, bugs, race conditions, tests, and maintainability sounds great until six workers each wander through the repo, call tools, and produce overlapping conclusions. The practical move is to use subagents where parallelism is real — independent codebase exploration, test triage, review dimensions with clear scopes — not as a reflexive “make it more agentic” button. Keep agents.max_depth conservative unless you have a concrete reason for recursive delegation. Recursive agents are how you turn a useful workflow into a token bonfire with a stack trace.

The sandbox fixes in 0.129.0 are another signal that OpenAI is taking the runtime seriously. Linux startup is more reliable across older Bubblewrap, slow mount probes, symlink-protected paths, and shared /tmp setups. Windows sandbox and exec policy handling now covers named pipes, ConPTY teardown, PowerShell-wrapped allow rules, worktree safe.directory, and unsafe Git options more reliably. OpenAI also fixed custom CA login behind TLS-inspecting proxies, dangerous project config keys, heredoc redirect approval matching, and unbounded MCP/hook output growth. Vendored Bubblewrap moved to 0.11.2, including upstream security changes around setuid support.

None of that sounds exciting until it is the thing that decides whether containment actually means containment. Symlink-protected paths, shared temp directories, heredoc approval matching, and unbounded hook output are exactly the kinds of edge cases that become real incidents in agent systems. A coding assistant with shell access, MCP tools, hooks, plugins, and subagents is not just a smarter REPL. It is an execution environment with a language model in the loop. Runtime hardening is feature work.

There is also a migration story hiding here. Codex, Claude Code, Cursor, Copilot, and OpenCode are all converging on repo-level instructions, reusable skills or rules, hooks, MCP servers, subagents, and policy files. The vendor-specific names differ, but the shape is becoming familiar: durable instructions plus controlled tool access plus shareable workflow packages. That means teams should stop treating agent configuration as personal preference. It is now part of the software supply chain. Review it. Version it. Keep it boring.

For teams already using Codex, the recommendation is straightforward: upgrade 0.129.0 in a controlled development environment, then audit the surrounding surface. Review .codex/config.toml, .agents/skills, MCP servers, hooks, and plugin sources. Decide what belongs at repo scope, user scope, and admin scope. Document when subagents are allowed. Keep broad permissions out of project config. Prefer workspace plugin sharing and admin controls over one-off local installs. If you cannot explain why a hook runs before a tool call, it probably should not be there.

Codex 0.129.0 is not flashy. That is the point. The serious work now is making agents boring enough to trust: visible hooks, shareable plugins, safer sandboxes, better resumes, and instructions teams can actually maintain. The demo era rewarded clever output. The infrastructure era rewards predictable behavior. This release is OpenAI choosing the latter, which is exactly where the product needed to go.

Sources: OpenAI Developers changelog, GitHub release 0.129.0, OpenAI Developers — Agent Skills, OpenAI Developers — Subagents, OpenAI Developers — best practices