Codex CLI: Plugin Mentions in Chat & Sandbox Policy Unification
Codex CLI 0.112.0 introduces @plugin mentions in the chat interface, allowing users to reference any installed plugin (MCP server, skill, or app connector) by name to automatically inject its associated context into the conversation. The release also consolidates executable permission profiles into a unified per-turn sandbox policy for zsh-fork skill execution, enabling safer and additive privilege handling during tool runs. Several bug fixes harden the JavaScript REPL, improve graceful shutdown behavior, and tighten Linux and macOS sandbox isolation.
Plugin Mentions: Reference Tools Directly in Chat
Codex CLI 0.112.0 introduces @plugin mentions, a new interaction primitive that lets users reference installed plugins directly within the chat interface. When a user types @ followed by a plugin name, Codex automatically includes the associated MCP server, skill, or app connector context in the conversation, without requiring users to manually configure context windows or restructure their prompts.
This matters most in sessions where multiple plugins are active. Previously, users had to rely on Codex discovering relevant plugins through session initialization. With @plugin mentions, the reference is explicit and immediate: the developer states which plugin's context should inform the response, and Codex incorporates it directly. This is analogous to how @file references already work for source code, extending the same ergonomic pattern to the full plugin ecosystem.
Combined with the plugin disclosure feature shipped in 0.111.0 (which announces installed plugins at session start), plugin mentions complete the discoverability loop: Codex tells you what's available, and you can now explicitly call on any of it.
Sandbox Policy Unification for Skill Execution
The release merges executable permission profiles into a single per-turn sandbox policy for zsh-fork skill execution. Previously, permission profiles and the per-turn sandbox policy operated as separate control surfaces that could produce unexpected interactions during skill runs. Unifying them into a single additive policy simplifies the mental model: privileges are granted incrementally as needed per turn, without needing to reconcile two separate systems.
This is a developer-facing improvement that reduces friction when building or running skills that require elevated permissions during specific tool invocations.
Bug Fixes and Security Hardening
JavaScript REPL Stability
Previously-initialized variable bindings in the JavaScript REPL were lost after a cell execution failure, forcing developers to reinitialize state from scratch. 0.112.0 fixes this so bindings persist across failed cells, a meaningful quality-of-life improvement for iterative REPL sessions.
Image emission in the JS REPL is also tightened: the runtime now accepts only data: URLs for emitted images, preventing the REPL from forwarding external URLs and closing a potential data exfiltration path.
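One way to enforce a data:-only rule for emitted images, as an added example that is not Codex's own code. An external image URL is fetched by whatever renders it, so its path and query string can carry data off the machine; an inline data: URL triggers no request. The function name, reason strings, and raster-only MIME allowlist are assumptions made for illustration.

```javascript
// Added example, not Codex source. Names and the raster-only allowlist are assumptions.
const MAGIC = new Map([
  ["image/png", [0x89, 0x50, 0x4e, 0x47]],
  ["image/jpeg", [0xff, 0xd8, 0xff]],
  ["image/gif", [0x47, 0x49, 0x46, 0x38]],
]);

// Returns { ok: true, mime, bytes } or { ok: false, reason }.
function checkEmittedImage(value) {
  if (typeof value !== "string") return { ok: false, reason: "not-a-string" };
  // Untrimmed prefix test: " https://..." and "//host/x" are rejected, never normalised.
  if (!value.toLowerCase().startsWith("data:")) return { ok: false, reason: "scheme-not-data" };
  const comma = value.indexOf(",");
  if (comma === -1) return { ok: false, reason: "no-payload" };
  const params = value.slice(5, comma).toLowerCase().split(";");
  const magic = MAGIC.get(params[0]); // Map lookup, so "constructor" etc. cannot match
  if (!magic) return { ok: false, reason: "mime-not-allowed" };
  if (params.length < 2 || params[params.length - 1] !== "base64") {
    return { ok: false, reason: "not-base64" };
  }
  const payload = value.slice(comma + 1);
  if (payload.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(payload)) {
    return { ok: false, reason: "bad-base64" };
  }
  // The declared type must match the decoded bytes, not just the label.
  const bytes = Buffer.from(payload, "base64");
  if (!magic.every((b, i) => bytes[i] === b)) return { ok: false, reason: "magic-mismatch" };
  return { ok: true, mime: params[0], bytes: bytes.length };
}

// Constructed samples: file signatures only, not complete images.
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]).toString("base64");
const GIF_SIG = Buffer.from("GIF89a", "latin1").toString("base64");
const SAMPLES = [
  `data:image/png;base64,${PNG_SIG}`,
  "https://example.invalid/pixel.png?d=constructed-value",
  "//example.invalid/pixel.png",
  ` data:image/png;base64,${PNG_SIG}`,
  `data:text/html;base64,${PNG_SIG}`,
  `data:image/png;base64,${GIF_SIG}`,
];

function verdicts() {
  return SAMPLES.map((s) => { const r = checkEmittedImage(s); return r.ok ? "ok" : r.reason; });
}
console.log(verdicts());
```

Only the first sample passes; the last one shows why the check decodes the payload instead of trusting the declared MIME type.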
Graceful Shutdown
SIGTERM signals are now handled identically to Ctrl-C for app-server websocket connections, enabling graceful shutdown rather than abrupt termination. This is particularly relevant in process-managed environments (e.g., Docker, systemd) where SIGTERM is the standard termination signal.
Linux and macOS Sandbox Hardening
On Linux, the bubblewrap sandbox now consistently unshares the user namespace for all invocations, including those run as root. This closes an inconsistency that could allow elevated processes to bypass namespace isolation.
On macOS, the Seatbelt sandbox receives improved network and unix-socket handling for constrained subprocess environments, addressing reliability issues when Codex operates within restricted execution contexts.
Workflow Diagnostics
Connectivity and diagnostic information now surfaces earlier in the workflow, before later steps where issues were previously only detected. This improves debuggability when Codex sessions fail to establish properly.
Full Changelog
- Plugin Mentions (@plugin in chat): automatic MCP/skill/app context inclusion
- Sandbox policy unification: merged permission profiles into per-turn policy for zsh-fork
- JS REPL binding persistence: bindings survive failed cell executions
- JS REPL image hardening: data: URLs only, no external URL forwarding
- SIGTERM graceful shutdown: app-server websocket shutdown now mirrors Ctrl-C behavior
- Linux bubblewrap: always unshares user namespace, including root invocations
- macOS Seatbelt: improved network and unix-socket handling in constrained subprocesses
- Workflow diagnostics: connectivity info surfaces earlier in the session lifecycle