Codex 0.137.0: JSON Plugin Audits, Remote Grants, Better TUI

Ethan Park

Right into the terminal today. We are looking at Codex CLI version 0.137.0, which dropped on June 4, 2026, and it has some massive changes for anyone managing developer environments at scale -- and thanks to Jellypod to help make this daily show a reality. Maya, the headline for me is [excited] programmatic auditing. They finally gave us `codex plugin list --json`.

Maya

Finally! [laughs] I mean, parsing plain text tables with `awk` or `grep` just to see what plugins are active in a CI/CD pipeline is always a nightmare. Moving to structured JSON is huge for automation. What does the payload actually look like?

Ethan Park

It is super clean. You get a root-level array of objects, and each object contains the plugin name, version, status, and, crucially, a list of declared skills and permissions. This means you can run a bash pipeline like `codex plugin list --json | jq '[.[] | select(.status == "active")]'` to quickly grab only your live integrations.

Maya

Oh, that's slick. And because it's JSON, you can also audit permissions programmatically. Like, if you want to make sure no local plugin has unauthorized network access before running an integration test, you can write a pre-commit hook to parse those permission fields. But what happens if you have duplicate plugins? Say, a local dev copy and a remote global one with the same identifier?

Ethan Park

That is where the new loader updates come in. Codex 0.137.0 implements a strict deduplication strategy. If it detects duplicates between your local workspace and the global remote registry, it defaults to the local path first but flags the duplicate in the standard error stream.

Maya

So it doesn't just crash the execution? [curious] It actually lets the process complete but keeps you informed?

Ethan Park

Exactly. And they applied that same philosophy to malformed skills parsing. In previous versions, if a plugin had a corrupt or poorly formatted skills schema, the entire CLI runtime would crash on startup. Now, it generates a non-breaking warning, skips the malformed skill, and loads the rest of the CLI.

Maya

That is a massive relief for anyone building custom internal tools. [matter-of-fact] There is nothing worse than one developer typo on a custom schema breaking the terminal for the entire engineering team.

Ethan Park

Absolutely. Now, speaking of infrastructure, let's talk about the remote pairing updates. Codex has rolled out app-server v2 RPCs, specifically targetting remote controller grants.

Maya

Wait, [questioning tone] app-server v2 RPCs? What are we talking about here -- managing local Codex instances from a remote dashboard or CI controller?

Ethan Park

Precisely. It lets you programmatically pair a remote controller with your local running daemon. Using the new JSON-RPC endpoints, you can request a controller grant, list existing active grants, and revoke them instantly if a session is compromised.

Maya

Okay, so if I'm pairing my local dev machine with a remote pair-programming server, I can issue a grant via the CLI, and then revoke it immediately after the session. [thoughtfully] That is a lot tighter than leaving open SSH keys or static tokens lying around.

Ethan Park

Right, and it uses a challenge-response handshake to establish that secure channel. On the user interface side, they also updated the terminal UI, or TUI, ergonomics. They added keybinding support for F13 all the way through F24.

Maya

F13 to F24? [laughs] Who actually has those physical keys on their keyboard anymore?

Ethan Park

[chuckles] Physical keys? Almost nobody. But power users mapping complex layouts inside terminal emulators like Kitty or Alacritty use them constantly. It allows you to bind highly specific Codex macros to virtual keys without conflicting with standard system hotkeys like F1 or F5.

Maya

Ah, that makes sense. It gives you a clean slate of hotkeys that won't accidentally trigger a browser refresh or close your terminal window. What about text input in the TUI?

Ethan Park

They finally added paste support in searchable menus! If you are deep in a TUI menu trying to paste a 40-character commit hash or a complex configuration value, you can now use standard system paste shortcuts. Before, you had to manually type those values out, which was just asking for typos.

Maya

Oh, thank goodness. [sighs] Typo-ing a long SHA hash inside a terminal menu is a special kind of developer frustration. This makes the TUI feel much more like a modern interface.

Ethan Park

It really does. That is version 0.137.0 -- robust JSON auditing for stability under the hood, and some really smart quality-of-life updates for power users in the terminal.

Maya

Definitely a release to deploy sooner rather than later. See you next time! [warmly]