Codex CLI 0.134.0 (published May 26, 2026) is a versioned agentic coding release with production-relevant controls: --profile as the primary permission selector, searchable local conversation history, per-server MCP environment routing, OAuth options for streamable HTTP MCP servers, and stricter rejection of legacy profile configurations. The prior week shipped 0.133.0 with goals on by default, managed requirements.toml permission profiles, and expanded plugin lifecycle hooks.
This assessment is separate from our OpenAI Agents SDK evaluation, which covers hosted orchestration APIs. Codex targets developers and platform teams running terminal, IDE, and remote-control agents against real repositories. For organisations standardising on OpenAI for production engineering, the PSF question is whether 0.134.0 closes governance gaps or only surfaces more local sensitive data.
Release scope assessed
| Capability | Version | Date |
|---|---|---|
| Profile-first CLI/TUI/sandbox; legacy profile rejection | Codex CLI 0.134.0 | 2026-05-26 |
| Local conversation history search | Codex CLI 0.134.0 | 2026-05-26 |
| Goals default; managed permission profiles | Codex CLI 0.133.0 | 2026-05-21 |
| exec resume with --output-schema | Codex CLI 0.132.0 | 2026-05-20 |
PSF domain scorecard
Ratings reflect Codex CLI 0.134.0 and dependent May 2026 releases documented in OpenAI primary sources. Domain definitions: Production Safety Framework.
Input Governance
Partial: CLI 0.134.0 makes --profile the primary permission selector and rejects legacy profile configs, but untrusted repo content and MCP payloads still need explicit scoping before execution.
The May 26, 2026 release promotes --profile across CLI, TUI permissions, and sandbox flows, with migration guidance when legacy profile configs are detected. Managed requirements.toml permission profiles (shipped in 0.133.0) let enterprises define inherited deny-read globs and approval requirements. Connector tool schemas preserve local $ref structures and compact oversized schemas before exposure, which reduces accidental over-broad tool surfaces. None of this classifies inbound prompts or repository files as trusted versus untrusted by default: AGENTS.md and skills still load from the workspace unless profiles block paths.
Output Validation
Partial: Structured output-schema on exec resume and schema-stable MCP tools help contract-bound automations; semantic validation of agent actions remains external.
Codex 0.132.0 added --output-schema support on exec resume so long-running sessions can enforce JSON contracts on resumed automations. Version 0.134.0 improves connector schema fidelity for MCP tools. OpenAI's May 27, 2026 Tax AI case study describes eval-backed validation gates before production promotion, but those harnesses are application patterns, not defaults in the CLI. For PSF Domain 2, format compliance is achievable; content safety and business-rule validation still require practitioner-defined graders.
Data Protection
Partial: Local conversation history search keeps more context on disk; enterprise gates and workspace usage-limit messaging improve policy visibility but do not replace data-classification controls.
Version 0.134.0 introduces searchable local conversation history with case-insensitive previews, which aids incident review but increases the sensitivity of disk artifacts on developer machines. Enterprise requirement gates and workspace-specific usage-limit copy help operators explain credit and spend-cap failures without exposing raw prompts in logs. Cloud and ChatGPT-authenticated flows still process prompts on OpenAI infrastructure unless you deploy air-gapped or contractually restricted configurations. Practitioners in regulated sectors should map which turns are local-only versus cloud-backed before enabling remote-control or shared threads.
Observability
Partial: Improved websocket tracing, turn-start analytics, and history search strengthen operator visibility; SIEM-ready export still requires your pipeline.
The 0.134.0 changelog cites tracing and analytics for websocket requests, turn starts, and remote compaction v2. Goals (default since 0.133.0) expose progress across turns, which helps humans see multi-step agent state. Production teams still need correlation IDs into CI systems, cost dashboards tied to profile and model version, and retention aligned to compliance schedules. Compare with our OpenAI Agents SDK assessment: Codex is stronger for interactive developer observability than for unattended fleet telemetry.
Deployment Safety
Strong: Sandbox profiles, codex doctor diagnostics, managed network proxy for Node tools, and explicit profile migration reduce unsafe default deployments relative to earlier CLI generations.
Codex ships sandbox execution with profile-aware permissions on macOS, Linux, and Windows (including VT fixes in 0.134.0 for Windows TUI). The codex doctor command surfaces runtime, auth, terminal, network, and config health. Managed requirements.toml profiles let security teams publish one policy artifact developers must consume. Remote-control reconnect and compaction retries improve reliability of long-running operational agents without silently widening permissions. Teams should still stage profile changes and test sandbox denials before wide rollout.
Human Oversight
Partial: Goals, plan-mode question flows, and approval modes support human checkpoints; autonomous goal continuation can still burn tokens unless usage limits are configured.
Goals became default in 0.133.0 with dedicated storage and progress tracking. Plan-mode fixes in recent releases prevent accidental submission on modified Enter keys. OpenAI documents pausing goal continuation on usage limits and repeated blockers. For high-consequence repos, combine approval modes with manual PR review rather than trusting goal completion alone. The May 27 Tax AI post emphasizes practitioner corrections as structured training signals: that is an oversight pattern, not an automatic gate.
Security
Strong: Permission profiles with inheritance, read-only concurrent MCP tools, per-server MCP environments, and OAuth options for streamable HTTP servers materially improve supply-chain containment for agent tooling.
Version 0.134.0 routes MCP servers through explicit environments, supports OAuth on streamable HTTP MCP servers, and allows parallel execution only when tools advertise readOnlyHint. MITM hook configuration and runtime enforcement landed in the 0.131.x series. Windows sandbox integration tightened deny-read and write-root resolution. These controls align with PSF Domain 7 expectations for least-privilege tool access better than most coding agents in our comparison set, provided teams actually publish restrictive profiles instead of running default-allow locally.
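
The readOnlyHint gate described above can be audited from a server's `tools/list` result. The following is an added example, not Codex's own code: it fails closed on missing or non-boolean hints and, as an extra assumption of this sketch, honours the hint only for servers on an operator allowlist, since the annotation is self-declared by the server. Server names and the sample response are constructed.

```python
import json

# Constructed sample: a tools/list result from a hypothetical MCP server.
SAMPLE_TOOLS_LIST = json.loads("""
{"tools": [
  {"name": "search_issues", "annotations": {"readOnlyHint": true}},
  {"name": "create_branch", "annotations": {"readOnlyHint": false}},
  {"name": "read_file"},
  {"name": "delete_repo", "annotations": {"readOnlyHint": "true"}}
]}
""")


def partition_tools(server, tools_list, trusted_servers):
    """Split a server's tools into (parallel_safe, serial_only) name lists.

    A tool is parallel-safe only when the server is on the operator's
    allowlist AND annotations.readOnlyHint is the JSON boolean true.
    Missing annotations, false, or non-boolean values (such as the string
    "true") fail closed to serial execution.
    """
    parallel, serial = [], []
    for tool in tools_list.get("tools", []):
        annotations = tool.get("annotations")
        hint = annotations.get("readOnlyHint") if isinstance(annotations, dict) else None
        if server in trusted_servers and hint is True:
            parallel.append(tool["name"])
        else:
            serial.append(tool["name"])
    return parallel, serial


if __name__ == "__main__":
    # "issues-internal" and "community-plugin" are hypothetical server names.
    allowlist = {"issues-internal"}
    for name in ("issues-internal", "community-plugin"):
        par, ser = partition_tools(name, SAMPLE_TOOLS_LIST, allowlist)
        print(f"{name}: parallel={par} serial={ser}")
```
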
Testing
Gap: Codex documents eval and harness patterns in engineering posts but does not ship repository-integrated regression suites or policy snapshots in the CLI itself.
OpenAI's self-improving agent narrative depends on targeted eval YAML, regression suites, and bounded Codex task environments in customer repos. Those are conventions practitioners must build. The CLI does not fail CI when behaviour drifts after a model or profile upgrade. PSF Domain 8 maturity requires golden-set runs on every release channel bump (0.134.0 today, 0.133.0 last week).
Certification and stack context
Teams deploying Codex in CI should align runbooks with AIDA (AI Deployment Associate) checklists before granting write-capable profiles on production branches. Long-running Codex automations benefit from CLOE (Certified LLM Operations Engineer) practices for model pinning, cost telemetry, and incident response. MCP and plugin breadth should be reviewed against CAIS (Certified AI Safety Specialist) tool-access guidance. Compare terminal agents in our agent framework comparison and the contemporaneous Cursor 3.5 Automations assessment when mixing vendor coding agents.
Sources
- OpenAI Codex changelog: CLI 0.134.0 (May 26, 2026)
- GitHub release: openai/codex rust-v0.134.0
- OpenAI: Building self-improving tax agents with Codex (May 27, 2026)
- OpenAI: Safe sandbox for Codex on Windows (May 13, 2026)
- Production AI Institute: OpenAI Agents SDK PSF Assessment
- Production AI Institute: Production Safety Framework
Scores are structured assessments against PSF v1.1, not empirical lab results. Revisit when OpenAI ships enterprise-wide policy enforcement for Codex remote-control fleets or changes default goal continuation behaviour.