v1.3.0.md

June 3, 2026 ยท View on GitHub

Diagnostics

Features

  • Added codex auth why-selected and codex auth verify --paths diagnostics for account-selection and path-safety inspection. (#410)

Runtime Rotation

Features

  • Added a feature-flagged routing mutex and SelectionRecord plumbing for safer concurrent account selection while keeping the legacy default. (#412)

Core

Bugfixes

  • Closed the Phase 1 post-audit hardening set across OAuth URL redaction, redirect URI single source of truth, hybrid-selector null handling, short-429 retry ordering, active-pointer normalization, recovery atomic writes, storage reset ordering, config-conflict surfacing, malformed SSE warnings, and account pointer cleanup. (#394, #395, #396, #397, #398, #399, #401, #402, #403, #404, #413)

Release Hygiene

Bugfixes

  • Fixed release hygiene so pack:check builds first and tests use os.tmpdir. (#400)

Improvements

  • Bumped security-sensitive dependency overrides, added audit-invariant regression coverage, moved storage JSON boundaries to Zod safeParseJson, split the settings hub into focused modules, and validated staging with 3529 passing tests plus real-install smoke. (#392, #407, #409, #411)

Documentation

Improvements

  • Added the 2026-04-17 master repository audit report/evidence and refreshed AGENTS, health, config, and command documentation for the post-audit state. (#393, #405, #406, #408)