OpenAI Codex CLI 0.119.0 Ships: Windows Proxy Sandbox, Device Code Sign-In, and MCP Hardening
OpenAI shipped Codex CLI v0.119.0 on March 31, and the release is packed with improvements across security, usability, and developer workflow integration. The headline security change is proxy-only networking enforcement for Windows sandbox runs — instead of relying on environment variables alone, egress is now restricted at the OS level, making network isolation significantly more reliable for team and enterprise deployments. Alongside that, the .codex project file is now protected on first write, closing a gap where the initial file creation could bypass approval checks entirely.
For day-to-day productivity, codex exec now supports prompt-plus-stdin simultaneously, meaning you can pipe input into the command while passing a separate prompt on the command line — a clean quality-of-life win for scripted workflows and CI pipelines. Custom model providers also gained the ability to fetch and refresh short-lived bearer tokens dynamically, removing the limitation of static credentials. On authentication, app-server clients gained a device code sign-in flow for ChatGPT when browser callback login isn't available.
The MCP fixes deserve attention too. Local servers now get a longer startup window, and failed handshakes surface warnings rather than silently appearing as clean connections — a meaningful diagnostic improvement as MCP integrations become central to how teams wire Codex into their tool stacks. The app-server TUI also restored several broken workflows including hook notification replay, /copy, /resume, and the skills picker scroll, plus a Linux sandbox fix resolving a bwrap path resolution issue.