The OpenAI Codex 0.142 line shipped across the week of June 22 to June 26, 2026: 0.142.0 on June 22, 0.142.1 and 0.142.2 on June 25, and 0.142.3 on June 26. It lands one week after the 0.141 Noise relay and cross-OS exec release, and the contrast between the two is telling. Where 0.141 was a security release whose headline was a default end-to-end encrypted transport between the orchestrator and remote executors, 0.142 is a governance and orchestration release. The question it answers is no longer "is the wire safe" but "can a team run many of these agents and stay in control of cost, delegation, and tool sprawl."
Rollout token budgets: cost control at the agent layer
The most consequential feature is the rollout token budget, implemented across #28746, #28494, #28707, and #29423. A rollout is a single agent run. The budget is a configurable token cap that Codex tracks across threads as the rollout progresses. At a configurable threshold it emits a remaining-budget reminder, and when the budget is exhausted it aborts the turn cleanly instead of letting a runaway task keep sampling. Turn-scoped context contributions (#28911) keep the accounting honest, and the budget window context is wrapped separately (#29494) so the model sees what it has left.
This is the first built-in cost-control primitive at the Codex agent layer. Before 0.142, bounding what a background task or a delegation could spend meant an external wrapper script or a hard model-side limit. Now a team can hand an agent a budget and trust that a stuck loop will stop on its own. For anyone running Codex against paid models, or running it unattended inside a CI or a multi-agent orchestration setup, that is the difference between an agent that is safe to leave running and one that is not.
Multi-agent delegation and indexed web search
Two orchestration capabilities build on the new budget. Multi-agent delegation lets a parent thread hand work to a subagent, and 0.142 makes the behavior configurable at both the thread and the turn level as disabled, explicit-request-only, or proactive (#28685, #28792, #29324). The "explicit-request-only" mode is the conservative default a team wants when it is evaluating delegation: the parent has to ask before spawning a child. Proactive mode hands the parent the discretion to delegate when it judges a subagent fits the work. A companion fix (#28375) surfaces terminal subagent errors back to the parent, so a child that crashed no longer reports as an empty successful completion and leaves the parent continuing on a false premise.
The indexed web-search mode (#28489) gives the agent live web access without unrestricted browsing. Codex can run live searches, but direct page retrieval is restricted to server-approved URLs. The model gathers fresh information from the web but cannot follow arbitrary links off the approved set. Codex distinguishes cached and live web-access terminology in the config (#29095), and the mode sits alongside the existing filesystem and network approval scopes rather than replacing them. The shape is deliberate: trust the search aggregation, do not trust the open browser.
MCP tool search by default, and a reorganized plugin marketplace
MCP tooling gets two changes that matter for installs that have grown past a handful of servers. MCP tools now use tool search by default when the provider supports it (#29486). Instead of dumping every tool from every connected MCP server into the model's context up front, Codex searches for the relevant tool on demand. That preserves compatibility with older models and providers that do not advertise tool search, but for a mature install it is the difference between a tool list that fits the context window and one that does not.
The /plugins view reorganizes remote plugins into three sections, OpenAI Curated, Workspace, and Shared with me (#26703), and a turn can now recommend and install a relevant plugin mid-run (#28399, #28400, #27704, #28403). 0.142.2 adds dedicated dark-mode logos for plugins (#29488) and curated featured-plugin rankings from remote catalogs (#29485). The reorganization turns the plugin browser from a flat list into something a team can actually navigate, and the in-turn recommendation closes the loop between "I have a plugin for that" and the agent actually using it.
System proxy, time awareness, and remote-executor reliability
The remaining work is the kind that does not make a headline but decides whether Codex runs on a given network. 0.142.1 adds opt-in Windows system proxy support for authentication, including PAC, WPAD, static proxies, and bypass rules (#26708). 0.142.2 adds the macOS equivalent: authentication clients honor system proxy, PAC, and WPAD when respect_system_proxy is enabled (#26709). 0.142.0 also honors startup custom CA bundles with the managed MITM path (#29014), which matters on corporate networks that intercept TLS. Together these cover the proxy-and-CA matrix that previously broke the auth handshake for a large class of enterprise users.
Codex also gains real time awareness: scheduled UTC time reminders and the ability to query the current time directly, including through client-provided app-server clocks (#28822, #28824, #28835, #29011). The /usage command can now show and redeem earned usage-limit reset credits (#28154, #28793).
The reliability fixes target the remote-executor path that 0.141 made the default. Exec-server processes and stdio MCP sessions now survive transient disconnects, with signed-URL refresh on reconnect and retry-safe stdin writes (#28512, #28374, #28546, #28895). The Linux TUI no longer breaks after a Ctrl+Z suspend and fg resume (#28342). Remote environments now preserve executor-native paths, shells, AGENTS.md discovery, and sandbox behavior across operating systems, which is the payoff from the PathUri layer 0.141 introduced.
Security hardening and what to watch
0.142.2 hardens a few spots worth noting. PowerShell commands containing executable AST regions the safety classifier cannot inspect now require approval (#24092). Remote HTTP(S) image inputs return clear, model-visible validation errors instead of failing silently, while inline data URLs and local images keep working (#29417, #29419). Expired Amazon Bedrock credentials now produce actionable recovery guidance instead of a generic authorization error (#28992). The release also refreshes the bundled OpenSSL to 3.6.3 (#29487) and esbuild to 0.28.1, the latter being the same version that shipped the Deno RCE and Windows path-traversal fixes we covered earlier this month.
Read alongside the 0.141 Noise relay release and the broader move of runtimes into Anthropic's AI coding infrastructure, the 0.142 cycle is the moment Codex stops being a single-agent coding tool and starts being an agent platform you can govern: budgets to bound cost, delegation modes to control who spawns whom, a web-search mode that trades reach for safety, and tool search that scales to a real MCP estate. The full changelog between 0.141 and 0.142.0 is on the compare view, and the 0.143.0 alpha line is already on its twenty-sixth pre-release at time of writing, which is the signal that the cadence is not slowing down.
