Codex CLI 0.125.0: Persistent Permissions & Token Reporting

Codex CLI 0.125.0 introduces two developer-quality-of-life improvements. Permission profiles now persist end-to-end across TUI sessions, user turns, MCP sandbox state, shell escalation, and app-server APIs, meaning configured approval policies survive restarts and environment switches without re-entry. The codex exec --json command now also reports reasoning-token usage, giving programmatic consumers full visibility into token spend for automation and cost-tracking workflows. Several reliability fixes address output-buffering drops and WebSocket disconnection under burst load.


Persistent Permission Profiles Across the Full Session Stack

One of the most frequently reported friction points in Codex CLI has been the need to re-approve tools and re-configure permission policies at the start of each new session. With version 0.125.0, OpenAI has resolved this: permission profiles now persist across the entire session lifecycle, including TUI sessions, individual user turns, MCP sandbox state, shell escalation events, and app-server APIs.

In practice, this means a developer who has configured a permission profile (for example, allowing a specific set of shell commands or MCP tools to execute without prompting) no longer needs to re-establish that policy after restarting the CLI, switching between environments, or connecting through the app-server. The profile follows the session context faithfully, which is especially valuable in long-running multi-agent workflows where approval interruptions create costly bottlenecks.

How It Works

Permission profiles now round-trip through all layers of the Codex execution stack. When a profile is set in a TUI session, it is serialised and carried forward through MCP sandbox creation, shell escalation events, and app-server RPC calls. This unification eliminates the previous inconsistency where a profile applied in one context would silently reset in another.

Reasoning-Token Visibility in codex exec --json

The codex exec --json command, which allows developers to run Codex tasks programmatically and consume structured output, now includes reasoning-token counts in its reported usage data. Previously, only standard input and output token counts were surfaced.

For teams running Codex in CI pipelines, automated workflows, or cost-monitoring dashboards, this addition provides the missing piece of the token accounting puzzle. Reasoning tokens, consumed during chain-of-thought processing, can represent a meaningful share of total spend when using high-reasoning models, and their absence from programmatic output made accurate cost attribution difficult.

Example Use Cases

  • Cost attribution in CI pipelines: Teams running codex exec as part of automated code-review or test-generation workflows can now accurately track per-run token costs including reasoning overhead.
  • Optimisation decisions: By observing reasoning-token counts across different task types, developers can calibrate reasoning level settings (introduced via the TUI Alt+comma / Alt+period controls in 0.124.0) for cost-efficiency.
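
A per-run budget check of the kind the CI use case above calls for, as an added example rather than code from Codex or from this page. The "turn.completed" event type, the key names under "usage" and the sample stream are assumptions constructed for illustration; confirm them against the output of your installed version.

```python
import json

# Constructed sample of `codex exec --json` output (JSON Lines). The event
# type "turn.completed" and every key under "usage" are assumptions made for
# this example, not a documented schema taken from the page.
SAMPLE_STREAM = """\
{"type": "turn.started"}
{"type": "turn.completed", "usage": {"input_tokens": 1200, "output_tokens": 300, "reasoning_output_tokens": 850}}
warning: this line is not JSON
{"type": "turn.completed", "usage": {"input_tokens": 400, "output_tokens": 90}}
"""

USAGE_KEYS = ("input_tokens", "output_tokens", "reasoning_output_tokens")


def summarize_usage(lines, usage_event="turn.completed"):
    """Sum token counts over all usage events in a JSONL stream."""
    totals = dict.fromkeys(USAGE_KEYS, 0)
    turns = missing_reasoning = 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate blank lines and stray non-JSON output
        if not isinstance(event, dict) or event.get("type") != usage_event:
            continue
        usage = event.get("usage")
        if not isinstance(usage, dict):
            continue
        turns += 1
        # A build that predates reasoning-token reporting omits the count;
        # record that instead of silently treating it as zero spend.
        if "reasoning_output_tokens" not in usage:
            missing_reasoning += 1
        for key in USAGE_KEYS:
            value = usage.get(key, 0)
            if isinstance(value, int) and not isinstance(value, bool) and value >= 0:
                totals[key] += value
    return {"turns": turns, "missing_reasoning": missing_reasoning, **totals}


def over_budget(summary, max_reasoning_tokens):
    """True when a run should fail the pipeline's reasoning-token budget."""
    return summary["reasoning_output_tokens"] > max_reasoning_tokens


if __name__ == "__main__":
    report = summarize_usage(SAMPLE_STREAM.splitlines())
    print(report, "over budget:", over_budget(report, 500))
```

A non-zero missing_reasoning count means some turns reported no reasoning figure, so the total understates spend for that run.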

Reliability Improvements

Beyond the two headline developer features, 0.125.0 addresses several reliability gaps in the app-server layer:

  • The exec-server no longer drops buffered output after a process exits, ensuring that final output lines are always captured in programmatic invocations.
  • WebSocket app-server clients are now less likely to disconnect during burst notification periods.
  • Windows sandbox startup has been improved to handle multiple concurrent CLI versions and installed app directories more gracefully, with background PowerShell processes no longer spawning visible windows.
  • The /review interrupt flow was fixed: exiting the TUI during a /review session no longer leaves the interface wedged at delegate startup.