Codex CLI 0.122.0: workflows, permissions, MCP
A Codex CLI 0.122.0 workflow guide: AGENTS.md instructions, permission boundaries, MCP rosters, and verification reviewers can replay.

A Codex CLI 0.122.0 workflow is the operating contract you write around the release: the AGENTS.md instructions it reads, the permissions it runs under, the MCP connectors it can touch, and the verification a reviewer can replay later. A workflow is the set of rules that turns a capable agent into a teammate you can trust at 5pm on a Friday. Codex CLI, OpenAI's coding agent, ships the capability. The contract is the part you own, and it lives in the repo, not in a chat window someone forgot to save.
The hard part of a Codex rollout is rarely the model. It is whether your review can keep pace with how fast the agent writes. When summaries shrink to bullets and the merge queue backs up, the fix is not another connector. It is making verification something the team does every time, the same way, on purpose.
Pin your rules in AGENTS.md
AGENTS.md is the file Codex reads to learn how your repo works, and it is where your defaults belong. Pin two things at minimum: the model you expect runs to use, and the escalation rule for when a run should ask before doing something bigger.
Different models carry different risk appetite, so a casual swap quietly moves the line on what a reviewer should worry about. When the default is written down, a lead can reason about blast radius before approving anything, instead of guessing what the agent was actually running.
Pin the verification step in the same file so every run ends the same way. Here is a snippet you can paste into your AGENTS.md today.
# AGENTS.md verification snippet
- Every Codex CLI run ends with the transcript snippet reviewers can replay.
- Pair browser evidence with the project's normal CLI checks before merge.
- If MCP servers are enabled, list allowed actions beside each connector name.
Make verification a ritual, not a mood
Require a transcript snippet that shows the tests ran after codegen. This is the one rule that keeps a green merge meaningful. Exec shortcuts that skip tests let regressions slip back in quietly, and a passing check stops measuring safety the moment the team starts optimizing for the check instead of the review.
Speed wins once. Discipline wins every week. When the snippet is mandatory, a green merge actually correlates with the work being verified, which is the only correlation worth defending.
Browser tasks need their own note. Chrome workflows that drift from your CLI habits hand reviewers two versions of the truth, so write the handoff down. Document staging URLs and credential boundaries right beside the browser task, and your demos stop contradicting what CI produced.
Keep MCP connectors reviewable
Keep a Markdown connector roster checked into the repo root, with the allowed actions listed beside each server name. Connectors pile up quietly and least-privilege erodes a little with each one, so the roster gives a security review a real starting point instead of a memory test.
List allowed actions in line with the MCP specification so the roster reads the same way to everyone. When a reviewer asks which servers fired during a run, the answer should be a file they can open, not a Slack thread they have to reconstruct.
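One way to make the roster check mechanical, as an added example that is not from the article or the Codex CLI project: it parses a roster table and audits one run against it for the "which servers fired, and were they expected" question. The three-column layout, the connector and action names, and the run record of (connector, action) pairs are all assumptions constructed for illustration.

```python
import re

# Constructed sample roster; the three-column layout is this example's assumption.
SAMPLE_ROSTER = """\
| Connector | Owner | Allowed actions |
|---|---|---|
| issue-tracker | platform-team | read_issue, add_comment |
| docs-search | docs-team | search |
| staging-db | | run_query |
| scratch | data-team | |
"""

# Constructed record of (connector, action) pairs seen in one agent run.
SAMPLE_RUN = [("issue-tracker", "read_issue"), ("issue-tracker", "close_issue"),
              ("shell-bridge", "exec")]

def parse_roster(markdown):
    """Return {connector: {"owner": str, "actions": set}} from the roster table."""
    roster = {}
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not line.lstrip().startswith("|") or len(cells) != 3:
            continue  # not a roster row
        name, owner, actions = cells
        if name.lower() == "connector" or re.fullmatch(r":?-+:?", name):
            continue  # header and separator rows
        roster[name] = {"owner": owner,
                        "actions": {a.strip() for a in actions.split(",") if a.strip()}}
    return roster

def audit(roster, observed):
    """List roster gaps first, then anything the run did outside the roster."""
    findings = []
    for name, entry in sorted(roster.items()):
        if not entry["owner"]:
            findings.append(f"roster: {name} has no owner")
        if not entry["actions"]:
            findings.append(f"roster: {name} lists no allowed actions")
    for name, action in observed:
        if name not in roster:
            findings.append(f"run: {name} fired but is not on the roster")
        elif action not in roster[name]["actions"]:
            findings.append(f"run: {name} used unlisted action {action}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_roster(SAMPLE_ROSTER), SAMPLE_RUN):
        print(finding)
```

A connector with an empty action list fails closed here: every action it takes is reported as unlisted until the roster is filled in.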
Require the same evidence every time
Give reviewers a fixed set of questions so an agent run is never a mystery. The table below is the gate; the checklist is what the PR body has to satisfy.
| Gate | Question |
|---|---|
| Rules precedence | Which .mdc, SKILL.md, or CLAUDE.md governed behavior? |
| Connector truth | Which MCP servers fired, and were they expected? |
| Reviewer path | Can someone unfamiliar trace intent without chat replay? |
| Risk routing | Were red folders touched, and who approved? |
A scope receipt turns those gates into boxes a reviewer can tick.
- Primary-doc links were smoke-checked after publishing edits.
- MCP connectors mentioned (if any) list owners.
- Verification command output is pasted or linked.
- Forked agent work lists parent and child responsibilities.
The Codex CLI docs, features page, and slash commands reference tell you what 0.122.0 can do, the quickstart installs it, and the openai/codex repository carries the changelog. The contract above is the part they leave to you. A repo that cannot state its boundaries plainly leaves agents guessing, and guessing scales badly.
Common questions
Does Codex CLI 0.122.0 make verification automatic?
No. The release ships capability, but the verification step is a team rule: every codegen run ends with a transcript snippet showing the tests ran. Without that habit, exec shortcuts skip tests and regressions return quietly, whatever the version number on the box says. The version number does not enforce your review.

What should AGENTS.md pin for a Codex CLI 0.122.0 rollout?
Two things at minimum: the default model with its escalation rule, and the verification snippet every run must end with. Different models imply different risk appetite, so pinning the default is what lets a lead reason about blast radius before they approve an agent's output.

How do permissions and MCP scope stay reviewable?
Keep a Markdown connector roster checked into the repo root, with allowed actions listed beside each server name. Connectors accumulate quietly and least-privilege erodes, so the roster gives a security review a grounded starting point instead of a memory test. Update it the moment you add a server.

What evidence should a reviewer require from an agent run?
Four things: which rules file governed behavior, which MCP servers fired and whether they were expected, whether someone unfamiliar can trace intent without chat replay, and whether any red folders were touched and who approved. The scope receipt turns those gates into checkboxes the PR body has to clear before merge.
Start with one rule
Pick a single named fix, turn it into an AGENTS.md rule this week, and run the evidence gates against your next agent-assisted merge. The practice drills live under CLI workflows when you want to go deeper.