Codex ships goal mode, appshots, and remote computer use
May 18–24, 2026
Codex exited goal mode from experimental and launched appshots for macOS, while Claude Code fixed a series of sandbox permission escapes and added a Workflow tool for multi-agent orchestration. Anthropic also opened MCP tunnels as a research preview.
Goal mode, appshots, and remote Mac access dominate Codex
Codex had its most consequential week since launch. Goal mode — where you define an outcome and success criteria and let Codex work toward it — is no longer experimental and is now available across the Codex app, IDE extension, and CLI. The Codex CLI v0.133.0 enables goals by default with dedicated storage and progress tracking across active turns. On macOS, appshots let you press both Command keys to send the frontmost app window — screenshot and available text — directly into a Codex thread without copying or describing it. Remote computer use goes live alongside it: Codex can now use desktop apps after your Mac locks, with short-lived authorization and covered display safeguards, accessible even through the Codex Chatbot for iOS via its new Spotlight and Shortcuts support. Browser-use improvements land across all tiers, including advanced annotation mode, faster image asset downloading, and more effective structured data extraction.
For teams, Codex updates for ChatGPT Business and Enterprise add plugin sharing (disabled by default for Enterprise), global admin analytics, and locked computer use that keeps Codex working remotely after the Mac locks. Meanwhile, workspace agents reached general availability across Business, Enterprise, and Edu — teams can build agents that own entire workflows, follow team processes, and be shared across the org, with admin visibility into activity and usage.
Claude Code hardens sandbox security and introduces Workflow
Claude Code v2.1.147 is this week's landmark: the new Workflow tool enables deterministic multi-agent orchestration (disabled by default; set CLAUDE_CODE_WORKFLOWS=1 to try it). More critically, this release hardens the REPL and Workflow tool sandboxes against prototype-pollution and thenable-based escapes — following last week's pattern of tightening sandbox boundaries. v2.1.149 fixed a PowerShell permission bypass where built-in cd functions changed the working directory undetected, and corrected the sandbox write allowlist in git worktrees. v2.1.145 closed a permission-prompt bypass involving bare variable assignments to non-allowlisted environment variables in Bash commands.
On the quality side, v2.1.148 fixed an exit code 127 regression in the Bash tool, v2.1.146 resolved PowerShell tool failures on Windows and MCP pagination issues, and v2.1.144 fixed background session crashes under Full Disk Access–protected folders and progressive terminal display corruption. Across these releases, the /simplify command was renamed to /code-review with configurable effort levels, pinned background sessions now persist when idle, and /usage shows per-category breakdowns.
Anthropic opens MCP tunnels and self-hosted sandboxes
Claude Platform shipped two infrastructure pieces with long tails: MCP tunnels as a research preview, letting you connect to MCP servers in your private network, and self-hosted sandboxes for Claude Managed Agents as an alternative to running tool execution in Anthropic's infrastructure. Managed Agents also gained the ability to update MCP server and tool configurations during active sessions, and large outputs exceeding 100K tokens are now automatically spilled to a file.
SDK updates
OpenAI's Go SDK v3.37.0 optimized the JSON encoder for internal types and fixed admin permission path formatting, while the Node SDK v6.39.0 now allows runtime fetch options through the SDK and upgraded tsc-multi for Node 26. The Python SDK v2.38.0 is a dependency update with API spec refresh. Claude Compliance API integrations were introduced for security and compliance tool governance.
Releases covered
- Claude Code v2.1.147 adds Workflow tool and hardens sandbox security
- Claude Code v2.1.149 fixes PowerShell permission bypass and sandbox allowlist
- Claude Code v2.1.145 fixes permission-prompt bypass and permission header encoding
- Claude Code v2.1.148 fixes Bash tool exit code 127 regression
- Claude Code v2.1.146 fixes PowerShell tool and MCP pagination issues
- Claude Code v2.1.144 fixes background session crashes and terminal rendering corruption
- MCP tunnels and self-hosted sandboxes launched for Claude Managed Agents
- Claude now works with more security and compliance tools
- Codex adds appshots, promotes goal mode to general availability, and enables remote computer use
- Codex CLI v0.133.0 enables goals by default and extends plugin discovery
- Codex Chatbot for iOS adds Spotlight and Shortcuts support
- Codex updates: richer context, shared plugins, goal mode, browser improvements, remote locked use, and analytics
- Codex updates: goal mode, browser improvements, remote locked use, admin analytics, and plugin sharing status
- Workspace agents are now generally available in ChatGPT Business, Enterprise, and Edu
- OpenAI Go SDK v3.37.0 optimizes JSON encoder and updates API
- OpenAI Node SDK v6.39.0 allows runtime fetch options and upgrades TypeScript support
- OpenAI Python SDK v2.38.0 dependency update