--- title: "OpenAI Codex 0.141 Adds Noise-Encrypted Remote Executors, Cross-OS `PathUri`, a Plugin Marketplace, and a SQLite WAL-Reset Pin" description: "Codex 0.141.0 (June 18, 2026) makes Noise IK the default transport between orchestrator and exec-server, ships a PathUri / NativePathString layer that round-trips POSIX, Windows-drive, and UNC paths without leaking the URI encoding, opens a `created-by-me-remote` plugin marketplace, raises the MCP tool timeout to 300 seconds, and pins the bundled SQLite to 3.51.3 to keep the WAL-reset corruption fix in place after dependency refreshes." date: 2026-06-18 image: "/images/heroes/2026-06-18--openai-codex-0-141-noise-relay-cross-platform-exec.png" author: lschvn tags: ["ai", "security", "tooling"] tldr: - "Codex 0.141.0, published June 18, 2026 at 04:43 UTC, makes a hybrid Noise IK channel (X25519 + ML-KEM-768, AES-256-GCM, SHA-256) the default transport between the Codex app and a remote exec-server. The relay only sees ciphertext; each handshake is bound to the `environment_id`, the `executor_registration_id`, and the per-stream `stream_id`, and the executor's Noise public key is pinned from the registry before the handshake completes." - "A new `PathUri` / `NativePathString` layer replaces hand-rolled `String` paths in the app-server / exec-server boundary. It can render the same logical path as POSIX, a Windows drive letter, or a UNC path depending on the host that consumes it, which is the prerequisite for letting a Mac or Linux orchestrator drive a Windows executor without mangling paths at the wire format. Cross-OS rendering, encoding, Unicode, and invalid components are covered by the new `path-uri` test suite." - "Codex gets a `created-by-me-remote` plugin marketplace backed by the paginated USER-scope plugin directory, auth-specific curated catalogs, and a selected-plugin precedence tier in the MCP catalog. Selected executor plugins can now activate their stdio MCP servers per thread, and the MCP default tool timeout is raised from 60 to 300 seconds. The release also pins the bundled SQLite to 3.51.3 so that an unrelated `libsqlite3-sys` lock refresh cannot silently downgrade Codex back onto the WAL-reset corruption release." faq: - question: "What is new in OpenAI Codex 0.141.0?" answer: "Codex 0.141.0 (June 18, 2026) makes a Noise-encrypted relay the default transport between the Codex app-server and remote exec-servers, ships a `PathUri` / `NativePathString` layer for cross-OS path handling, opens a `created-by-me-remote` plugin marketplace plus a selected-plugin precedence tier in the MCP catalog, raises the MCP tool timeout to 300 seconds, and pins the bundled SQLite to 3.51.3 to keep the WAL-reset fix. It also fixes several Windows sandbox bugs and a class of `codex exec` thread-resume hook-trust bypasses." - question: "Why does the Noise relay matter for Codex users?" answer: "Before 0.141.0, traffic between the orchestrator and a remote exec-server was relayed through a Rendezvous service that could see plaintext tool calls and responses. The new Noise IK channel authenticates both endpoints with X25519, adds post-quantum resistance through ML-KEM-768, and encrypts every byte with AES-256-GCM, so the relay only ever sees ciphertext. Each handshake is bound to the `environment_id`, the `executor_registration_id`, and the per-stream `stream_id`, and the registry-provided executor key is pinned before the handshake completes. For teams running Codex against a self-hosted or third-party remote executor, this is the difference between trusting the relay and not having to." - question: "What does `PathUri` actually fix?" answer: "Codex has historically hand-formatted paths as `String`, which breaks the moment a Mac or Linux orchestrator hands a working directory to a Windows executor (or vice versa). `PathUri` is a new internal type that can render the same logical path as POSIX (`/home/lou/repo`), a Windows drive letter (`C:\\Users\\lou\\repo`), or a UNC path (`\\\\share\\repo`) depending on the host that consumes it, and exposes the conversion through `NativePathString` and `PathConvention` helpers. The app-server API boundary still hands clients OS-native paths, so the URI encoding is an internal wire format, not a public API change. The PR is the prerequisite for cross-OS orchestrator-to-executor flows that don't mangle paths at the seam." - question: "What is the new plugin marketplace and selected-plugin tier?" answer: "0.141.0 adds a `created-by-me-remote` marketplace that surfaces the USER-scope plugin directory in the app-server, a `Load API curated marketplace by auth` flow that returns different catalogs depending on the auth mode, and a new selected-plugin precedence tier in the MCP catalog. The result: when a thread selects a plugin, that plugin's stdio MCP servers are activated for the thread, get a distinct precedence slot above auto-discovered plugins, and are attributed in the MCP catalog UI. A disabled lower-precedence winner can no longer leave stale name-level state behind. Approval policy for selected plugins is remembered session-scoped, not written back to an unrelated local plugin." - question: "Did 0.141.0 fix any real bugs?" answer: "Yes. The release pins the bundled SQLite to 3.51.3 to keep the WAL-reset corruption fix in place, because an earlier `libsqlite3-sys` lock refresh had moved Codex from 0.37.0 back to 0.35.0 (SQLite 3.50.2), reintroducing the WAL-reset bug. It also repairs stale Windows sandbox credentials automatically and gives PowerShell commands more time before backgrounding, fixes a `codex exec` thread-resume case that lost hook-trust bypass and a `PostToolUse` hook that was missing code-mode tool calls, deduplicates conflicting plugin App and MCP declarations, and lets a steered user input immediately interrupt `wait_agent` instead of getting stuck behind it." - question: "What changes for a developer who runs Codex locally with no remote executor?" answer: "For a default local install, the user-visible changes are the MCP tool timeout going from 60 to 300 seconds, the new `created-by-me-remote` plugin marketplace showing up in the plugin browser, the realtime API's new speech-append and response-entry controls, and the TUI's optional 60 + 60 second auto-resolution for `request_user_input` prompts. The Noise relay and `PathUri` work is invisible because the local code path doesn't traverse a relay, but the same PathUri plumbing means a future cross-OS Codex (Mac orchestrator + Windows executor) can ship without a path-mangling regression." --- [OpenAI Codex 0.141.0](https://github.com/openai/codex/releases/tag/rust-v0.141.0) shipped on June 18, 2026 at 04:43 UTC, a day after [0.140](https://github.com/openai/codex/releases/tag/rust-v0.140.0) and roughly six weeks after the 0.139 line opened the new exec-server architecture. The release is the largest single Codex drop in the 0.13x series: it lands a default Noise-encrypted transport between the orchestrator and remote executors, a new internal `PathUri` layer that makes cross-OS orchestration tractable, a `created-by-me-remote` plugin marketplace, and a real bug fix for a SQLite regression that had silently slipped back in. There is also meaningful housekeeping in the Windows sandbox and the realtime/TUI surfaces. ## Noise IK is the default transport The headline change is that the [`exec-server` transport is now Noise](https://github.com/openai/codex/pull/26245) end-to-end. The previous architecture forwarded JSON-RPC traffic between the orchestrator and the remote executor through a "Rendezvous" service that could see plaintext tool calls and responses. The new transport is a hybrid Noise IK channel built on [Clatter](https://github.com/openai/clatter), with X25519 for the key agreement, ML-KEM-768 for post-quantum resistance, AES-256-GCM for the symmetric encryption, and SHA-256 for the handshake transcript. The relay only sees encrypted frames. The handshake is bound to three identifiers: the `environment_id` of the remote executor, its `executor_registration_id`, and the per-stream `stream_id`. The executor's Noise public key is fetched from a registry bundle and pinned before the handshake completes, which closes the obvious "swap the key during reconnect" attack. The harness authorization is carried inside the encrypted handshake, not in a header the relay can rewrite. Frames are ordered against Noise nonces, large JSON-RPC messages are fragmented into bounded records, and handshake payloads, frames, streams, and message reassembly are all size-bounded so a malicious relay cannot exhaust memory by sending oversize frames. For teams running Codex against self-hosted or third-party remote executors, the practical effect is that the relay is now untrusted by construction. The follow-up commits in the same release add signed-URL refresh on reconnect, a Noise rendezvous environment, session resumption after disconnect, and bounded retry backoff on registry recovery, so the encrypted transport is also durable across network blips rather than just encrypted. [Bun joining Anthropic's AI coding infrastructure](/articles/2026-04-19-bun-joins-anthropic-ai-coding-infrastructure) earlier this year was the moment "the runtime is the agent"; 0.141 is the moment "the relay is just a wire". ## `PathUri` and the cross-OS orchestrator seam The second piece of plumbing is [`path-uri: render native paths across platforms`](https://github.com/openai/codex/pull/27819) and its sibling [`PathUri` in filesystem permission paths for exec-server](https://github.com/openai/codex/pull/28367). The previous code path formatted paths as `String` on both sides of the orchestrator/exec-server seam, which broke the moment a Mac orchestrator handed a working directory like `/Users/lou/repo` to a Windows executor, or vice versa. `PathUri` is a new internal type that can render the same logical path as POSIX (`/home/lou/repo`), a Windows drive letter (`C:\Users\lou\repo`), or a UNC path (`\\share\repo`) depending on the host that consumes it, with explicit `PathConvention` and `NativePathString` helpers for the three personalities. The migration is gradual and deliberately invisible at the public app-server API. The `PathConvention` renders the path correctly for the host that owns the environment, the `app-server` boundary translates to OS-native `String` paths for clients, and the URI encoding stays an internal wire format. The new `path-uri` test suite covers cross-host rendering, encoding, Unicode, and invalid component rejection. The same plumbing is what allows the exec-server to honor the remote environment's `cwd` and shell ([#28122](https://github.com/openai/codex/pull/28122)) and to carry `PathUri` through the unified-exec layer, so a Mac orchestrator can drive a Windows executor without a path-mangling regression at the seam. This is the kind of work that does not show up in a benchmark table, but is the reason a future cross-OS Codex (Linux server orchestrator, Windows workstation executor) can ship at all. The [Vite 8.1 beta importmap work](/articles/2026-06-15-vite-8-1-beta-wasm-esm-chunk-importmap) and the recent [esbuild 0.28.1 Windows path-traversal fix](/articles/2026-06-14-esbuild-0-28-1-deno-rce-windows-path-traversal) both sit in the same cross-OS plumbing category; the difference is that Codex's seam is on the wire, not on disk. ## A plugin marketplace and a real MCP catalog tier The third batch of changes builds out the plugin story. Codex 0.141.0 adds a [`created-by-me-remote` plugin marketplace](https://github.com/openai/codex/pull/28203) backed by the paginated USER-scope plugin directory, surfaces it through the app-server v2 protocol with regenerated schemas, and adds a [`Load API curated marketplace by auth`](https://github.com/openai/codex/pull/28383) flow that returns different catalogs depending on the auth mode (user, org, enterprise). Selected executor plugins can now [activate their stdio MCP servers per thread](https://github.com/openai/codex/pull/27870), and the [selected-plugin precedence tier](https://github.com/openai/codex/pull/27884) in the MCP catalog gives a selected plugin a distinct slot above auto-discovered plugins, with attribution carried directly on the catalog registration. The catalogue change matters because the previous resolution order silently let a disabled lower-precedence winner leave stale name-level state behind, and a winning MCP tool could not be attributed to the selected package reliably. The new tier fixes both, and the connection manager retains the winning selected server's tool approval policy so a selected registration cannot inherit approval behavior from a losing local plugin. The [`MCP tool timeout default is raised from 60 to 300 seconds`](https://github.com/openai/codex/pull/28234), which is the right shape for long-running MCP tools (CI runs, image generation, headless browser jobs) and removes a class of "tool timed out before it could finish" reports. The plugin work is the second half of the same story [the Anthropic Project Glasswing piece](articles/2026-04-07-anthropic-project-glasswing-ai-finds-zero-days-faster-than-humans) and the [GLM-5.2 long-horizon coding agent coverage](/articles/2026-06-16-glm-5-2-long-horizon-deep-dive) keep circling: the agent's tool surface is the product, and the marketplace is what makes the surface composable. ## The SQLite WAL-reset fix and other bug fixes The most important bug fix in 0.141.0 is a quiet one: [`Pin bundled SQLite to fixed WAL-reset version`](https://github.com/openai/codex/pull/27992). SQLite documented a WAL reset corruption bug in 3.51.3's release notes, and SQLx 0.9 accepts a broad `libsqlite3-sys` range. An unrelated dependency refresh had moved Codex from `libsqlite3-sys 0.37.0` (SQLite 3.51.3) back to 0.35.0 (SQLite 3.50.2), silently reintroducing the bug. 0.141.0 pins the bundle so a future lock refresh cannot repeat the downgrade. This is exactly the class of "your dependency manager quietly downgraded you" failure that the [pnpm 11.7 frozenStore + lockfile verification work](/articles/2026-06-17-pnpm-11-7-frozen-store-publish-batch) was designed to surface. The release also fixes several Windows sandbox regressions: a [stale Windows sandbox credentials](https://github.com/openai/codex/pull/27944) auto-recovery, a [unified exec yield floor](https://github.com/openai/codex/pull/27086) that gives PowerShell commands more time before backgrounding, a shared Windows sandbox session runner extracted from the inline path, and a hidden Windows sandbox wrapper entrypoint. The `codex exec` thread-start path now preserves hook-trust bypass on resume and `PostToolUse` hooks correctly reject code-mode tool calls. A steered user input can immediately interrupt `wait_agent` instead of getting stuck behind it. The realtime API gains a speech-append control, a toggle for realtime startup context, and a TUI auto-resolution timer for `request_user_input` prompts that runs a 60-second hidden grace period, then a 60-second visible countdown, then submits an empty answer response if the user does not interact. 0.141.0 is the kind of release that looks routine from the outside and is structurally a milestone from the inside. The Noise relay and the `PathUri` layer are the two pieces of plumbing that have to be in place for cross-host Codex to ship, the plugin marketplace is what makes the tool surface composable, and the SQLite pin is the kind of quiet bug fix that prevents the next outage from being a regression of the last one. None of it requires user action; the upgrade is safe to take as soon as your CI is ready.