v1.3.0.md
June 3, 2026 ยท View on GitHub
Diagnostics
Features
- Added
codex auth why-selectedandcodex auth verify --pathsdiagnostics for account-selection and path-safety inspection. (#410)
Runtime Rotation
Features
- Added a feature-flagged routing mutex and
SelectionRecordplumbing for safer concurrent account selection while keeping the legacy default. (#412)
Core
Bugfixes
- Closed the Phase 1 post-audit hardening set across OAuth URL redaction, redirect URI single source of truth, hybrid-selector null handling, short-429 retry ordering, active-pointer normalization, recovery atomic writes, storage reset ordering, config-conflict surfacing, malformed SSE warnings, and account pointer cleanup. (#394, #395, #396, #397, #398, #399, #401, #402, #403, #404, #413)
Release Hygiene
Bugfixes
- Fixed release hygiene so
pack:checkbuilds first and tests useos.tmpdir. (#400)
Improvements
- Bumped security-sensitive dependency overrides, added audit-invariant regression coverage, moved storage JSON boundaries to Zod
safeParseJson, split the settings hub into focused modules, and validated staging with 3529 passing tests plus real-install smoke. (#392, #407, #409, #411)
Documentation
Improvements
- Added the 2026-04-17 master repository audit report/evidence and refreshed AGENTS, health, config, and command documentation for the post-audit state. (#393, #405, #406, #408)