OpenAI Codex 0.141 Adds Noise-Encrypted Remote Executors, Cross-OS `PathUri`, a Plugin Marketplace, and a SQLite WAL-Reset Pin

lschvn

OpenAI Codex 0.141.0 shipped on June 18, 2026 at 04:43 UTC, a day after 0.140 and roughly six weeks after the 0.139 line opened the new exec-server architecture. The release is the largest single Codex drop in the 0.13x series: it lands a default Noise-encrypted transport between the orchestrator and remote executors, a new internal PathUri layer that makes cross-OS orchestration tractable, a created-by-me-remote plugin marketplace, and a real bug fix for a SQLite regression that had silently slipped back in. There is also meaningful housekeeping in the Windows sandbox and the realtime/TUI surfaces.

Noise IK is the default transport

The headline change is that the exec-server transport is now Noise end-to-end. The previous architecture forwarded JSON-RPC traffic between the orchestrator and the remote executor through a "Rendezvous" service that could see plaintext tool calls and responses. The new transport is a hybrid Noise IK channel built on Clatter, with X25519 for the key agreement, ML-KEM-768 for post-quantum resistance, AES-256-GCM for the symmetric encryption, and SHA-256 for the handshake transcript. The relay only sees encrypted frames.

The handshake is bound to three identifiers: the `environment_id` of the remote executor, its `executor_registration_id`, and the per-stream `stream_id`. The executor's Noise public key is fetched from a registry bundle and pinned before the handshake completes, which closes the obvious "swap the key during reconnect" attack. The harness authorization is carried inside the encrypted handshake, not in a header the relay can rewrite. Frames are ordered against Noise nonces, large JSON-RPC messages are fragmented into bounded records, and handshake payloads, frames, streams, and message reassembly are all size-bounded so a malicious relay cannot exhaust memory by sending oversize frames.
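The receive-side bounds described above can be sketched as follows. This is an added example, not Codex or Clatter code: the `Record` layout, the explicit `seq` counter standing in for the nonce order, and both size limits are assumptions made for illustration.

```rust
// Added illustration; not Codex or Clatter code. Record layout and limits are assumed.
const MAX_RECORD: usize = 16 * 1024; // assumed per-record cap
const MAX_MESSAGE: usize = 1024 * 1024; // assumed reassembled-message cap

#[derive(Debug, PartialEq)]
pub enum FrameError { OutOfOrder, RecordTooLarge, MessageTooLarge }

/// One decrypted record. `seq` stands in for the transport's nonce counter;
/// `last` marks the final fragment of a JSON-RPC message.
pub struct Record<'a> { pub seq: u64, pub last: bool, pub body: &'a [u8] }

#[derive(Default)]
pub struct Reassembler { next_seq: u64, buf: Vec<u8> }

impl Reassembler {
    /// Ok(Some(msg)) when a message completes, Ok(None) while fragments are
    /// pending, Err on any violation (the caller should drop the stream).
    pub fn push(&mut self, r: Record) -> Result<Option<Vec<u8>>, FrameError> {
        if r.seq != self.next_seq { return Err(FrameError::OutOfOrder); }
        if r.body.len() > MAX_RECORD { return Err(FrameError::RecordTooLarge); }
        if self.buf.len() + r.body.len() > MAX_MESSAGE {
            self.buf.clear(); // release memory held for the oversize message
            return Err(FrameError::MessageTooLarge);
        }
        self.next_seq += 1;
        self.buf.extend_from_slice(r.body);
        Ok(if r.last { Some(std::mem::take(&mut self.buf)) } else { None })
    }
}

fn main() {
    let mut rx = Reassembler::default();
    // Constructed sample: one JSON-RPC message split across two records.
    let first = rx.push(Record { seq: 0, last: false, body: b"{\"id\":" });
    let done = rx.push(Record { seq: 1, last: true, body: b"1}" });
    println!("{:?} then {:?}", first, done);
    // A replayed or reordered record is refused.
    println!("{:?}", rx.push(Record { seq: 1, last: true, body: b"x" }));
}
```

The checks run before any bytes are buffered, so a hostile relay can make the receiver hold at most one message cap of memory per stream.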

For teams running Codex against self-hosted or third-party remote executors, the practical effect is that the relay is now untrusted by construction. The follow-up commits in the same release add signed-URL refresh on reconnect, a Noise rendezvous environment, session resumption after disconnect, and bounded retry backoff on registry recovery, so the encrypted transport is also durable across network blips rather than just encrypted. Bun joining Anthropic's AI coding infrastructure earlier this year was the moment "the runtime is the agent"; 0.141 is the moment "the relay is just a wire".

PathUri and the cross-OS orchestrator seam

The second piece of plumbing is "path-uri: render native paths across platforms" and its sibling "PathUri in filesystem permission paths for exec-server". The previous code path formatted paths as `String` on both sides of the orchestrator/exec-server seam, which broke the moment a Mac orchestrator handed a working directory like `/Users/lou/repo` to a Windows executor, or vice versa. `PathUri` is a new internal type that can render the same logical path as POSIX (`/home/lou/repo`), a Windows drive letter (`C:\Users\lou\repo`), or a UNC path (`\\share\repo`) depending on the host that consumes it, with explicit `PathConvention` and `NativePathString` helpers for the three personalities.

The migration is gradual and deliberately invisible at the public app-server API. The `PathConvention` renders the path correctly for the host that owns the environment, the app-server boundary translates to OS-native `String` paths for clients, and the URI encoding stays an internal wire format. The new `path-uri` test suite covers cross-host rendering, encoding, Unicode, and invalid component rejection. The same plumbing is what allows the exec-server to honor the remote environment's `cwd` and shell (#28122) and to carry `PathUri` through the unified-exec layer, so a Mac orchestrator can drive a Windows executor without a path-mangling regression at the seam.
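To make the idea of convention-aware rendering and invalid component rejection concrete, here is an added sketch. It is not the Codex `PathUri` API: `LogicalPath`, `Root`, `Convention` and `PathError` are hypothetical names, and the rejection rules are an assumed conservative set.

```rust
// Added illustration; hypothetical types, not the Codex PathUri API.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Convention { Posix, Windows }

#[derive(Debug, PartialEq)]
pub enum Root { Posix, Drive(char), Unc { server: String, share: String } }

#[derive(Debug, PartialEq)]
pub enum PathError { BadComponent(String), WrongHost }

#[derive(Debug, PartialEq)]
pub struct LogicalPath { root: Root, parts: Vec<String> }

impl LogicalPath {
    /// Reject components that could change meaning on either host family.
    /// Refusing ':' is a conservative assumption (drive and stream syntax).
    pub fn new(root: Root, parts: &[&str]) -> Result<Self, PathError> {
        for p in parts {
            let bad = p.is_empty() || *p == "." || *p == ".."
                || p.chars().any(|c| matches!(c, '/' | '\\' | '\0' | ':'));
            if bad { return Err(PathError::BadComponent(p.to_string())); }
        }
        Ok(LogicalPath { root, parts: parts.iter().map(|s| s.to_string()).collect() })
    }

    /// Render for the host that owns the path; a POSIX root is never mapped
    /// onto a Windows root or the reverse.
    pub fn render(&self, conv: Convention) -> Result<String, PathError> {
        let (prefix, sep) = match (&self.root, conv) {
            (Root::Posix, Convention::Posix) => ("/".to_string(), "/"),
            (Root::Drive(d), Convention::Windows) =>
                (format!("{}:\\", d.to_ascii_uppercase()), "\\"),
            (Root::Unc { server, share }, Convention::Windows) =>
                (format!("\\\\{}\\{}\\", server, share), "\\"),
            _ => return Err(PathError::WrongHost),
        };
        Ok(format!("{}{}", prefix, self.parts.join(sep)))
    }
}

fn main() {
    // Constructed inputs based on the article's example paths.
    let mac = LogicalPath::new(Root::Posix, &["Users", "lou", "repo"]).unwrap();
    let win = LogicalPath::new(Root::Drive('c'), &["Users", "lou", "repo"]).unwrap();
    println!("{:?}", mac.render(Convention::Posix));
    println!("{:?}", win.render(Convention::Windows));
    println!("{:?}", mac.render(Convention::Windows));
    println!("{:?}", LogicalPath::new(Root::Posix, &["repo", "..", "etc"]));
}
```

Keeping the path as validated components until the last moment means a string built on one host is never reinterpreted by another host's separator or traversal rules.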

This is the kind of work that does not show up in a benchmark table, but is the reason a future cross-OS Codex (Linux server orchestrator, Windows workstation executor) can ship at all. The Vite 8.1 beta importmap work and the recent esbuild 0.28.1 Windows path-traversal fix both sit in the same cross-OS plumbing category; the difference is that Codex's seam is on the wire, not on disk.

A plugin marketplace and a real MCP catalog tier

The third batch of changes builds out the plugin story. Codex 0.141.0 adds a created-by-me-remote plugin marketplace backed by the paginated USER-scope plugin directory, surfaces it through the app-server v2 protocol with regenerated schemas, and adds a Load API curated marketplace by auth flow that returns different catalogs depending on the auth mode (user, org, enterprise). Selected executor plugins can now activate their stdio MCP servers per thread, and the selected-plugin precedence tier in the MCP catalog gives a selected plugin a distinct slot above auto-discovered plugins, with attribution carried directly on the catalog registration.

The catalog change matters because the previous resolution order silently let a disabled lower-precedence winner leave stale name-level state behind, and a winning MCP tool could not be attributed to the selected package reliably. The new tier fixes both, and the connection manager retains the winning selected server's tool approval policy so a selected registration cannot inherit approval behavior from a losing local plugin. The MCP tool timeout default is raised from 60 to 300 seconds, which is the right shape for long-running MCP tools (CI runs, image generation, headless browser jobs) and removes a class of "tool timed out before it could finish" reports.

The plugin work is the second half of the same story the Anthropic Project Glasswing piece and the GLM-5.2 long-horizon coding agent coverage keep circling: the agent's tool surface is the product, and the marketplace is what makes the surface composable.

The SQLite WAL-reset fix and other bug fixes

The most important bug fix in 0.141.0 is a quiet one: "Pin bundled SQLite to fixed WAL-reset version". SQLite documented a WAL reset corruption bug in 3.51.3's release notes, and SQLx 0.9 accepts a broad `libsqlite3-sys` range. An unrelated dependency refresh had moved Codex from `libsqlite3-sys` 0.37.0 (SQLite 3.51.3) back to 0.35.0 (SQLite 3.50.2), silently reintroducing the bug. 0.141.0 pins the bundle so a future lock refresh cannot repeat the downgrade. This is exactly the class of "your dependency manager quietly downgraded you" failure that the pnpm 11.7 frozenStore + lockfile verification work was designed to surface.
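A downgrade like this can also be caught in CI by checking the lockfile against a version floor. The following is an added example, not how Codex implements its pin: `below_floor` is a hypothetical helper, the lockfile text is constructed, and the floor of 0.37.0 is taken from the versions quoted above.

```rust
// Added illustration; not Codex code. Checks constructed Cargo.lock text.
/// Parse "major.minor.patch" (pre-release and build suffixes are ignored).
fn parse_ver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|n| n.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Return every locked version of `name` that is below `floor`.
/// A missing or unparsable version counts as a failure (fail closed).
pub fn below_floor(lock: &str, name: &str, floor: (u64, u64, u64)) -> Vec<String> {
    let mut hits = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        let field = |key: &str| block.lines().find_map(|l| {
            let (k, v) = l.split_once('=')?;
            if k.trim() == key { Some(v.trim().trim_matches('"').to_string()) } else { None }
        });
        if field("name").as_deref() != Some(name) { continue; }
        match field("version").as_deref().and_then(parse_ver) {
            Some(v) if v >= floor => {}
            _ => hits.push(field("version").unwrap_or_else(|| "<missing>".into())),
        }
    }
    hits
}

fn main() {
    // Constructed lockfile excerpt showing the downgrade the article describes.
    let lock = "version = 4\n\n[[package]]\nname = \"example-app\"\nversion = \"0.1.0\"\n\n\
                [[package]]\nname = \"libsqlite3-sys\"\nversion = \"0.35.0\"\n";
    let bad = below_floor(lock, "libsqlite3-sys", (0, 37, 0));
    if !bad.is_empty() {
        eprintln!("libsqlite3-sys below 0.37.0 in lockfile: {:?}", bad);
        std::process::exit(1);
    }
}
```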

The release also fixes several Windows sandbox regressions: a stale Windows sandbox credentials auto-recovery, a unified exec yield floor that gives PowerShell commands more time before backgrounding, a shared Windows sandbox session runner extracted from the inline path, and a hidden Windows sandbox wrapper entrypoint. The `codex exec` thread-start path now preserves hook-trust bypass on resume, and `PostToolUse` hooks correctly reject code-mode tool calls. A steered user input can immediately interrupt `wait_agent` instead of getting stuck behind it. The realtime API gains a speech-append control, a toggle for realtime startup context, and a TUI auto-resolution timer for `request_user_input` prompts that runs a 60-second hidden grace period, then a 60-second visible countdown, then submits an empty answer response if the user does not interact.

0.141.0 is the kind of release that looks routine from the outside and is structurally a milestone from the inside. The Noise relay and the PathUri layer are the two pieces of plumbing that have to be in place for cross-host Codex to ship, the plugin marketplace is what makes the tool surface composable, and the SQLite pin is the kind of quiet bug fix that prevents the next outage from being a regression of the last one. None of it requires user action; the upgrade is safe to take as soon as your CI is ready.
