How OpenAI built Codex: inside the agent loop and harness

Codex ships as a CLI, a web app, a VS Code extension, and a macOS desktop app. Despite looking different, they all run the same "Codex harness" — a shared Rust library called Codex core that contains the agent loop, thread lifecycle (create/resume/fork/archive), config and auth management, and sandboxed tool execution.

The harness is not just a module you call once; it's a runtime you spin up, and it manages the full lifecycle of one conversation thread, including persisting the event history so clients can reconnect and render a consistent timeline.

The App Server is the stable protocol that exposes this runtime to any client, regardless of language or platform.

At the core of every AI agent is the agent loop. In Codex, it works like this: (1) build a prompt from the current conversation state; (2) send it to the Responses API and receive a stream of Server-Sent Events; (3) if the model requests a tool call (e.g., "run ls"), execute it and append the result to the prompt; (4) re-query the model with the updated prompt; (5) repeat until the model emits an assistant message instead of a tool call.

That final assistant message — something like "I added architecture.md" — signals the end of one turn. Each loop iteration can involve many inference/tool-call cycles.

The prompt grows with each round trip because the full conversation history must be included in every request for the model to have context. This makes the loop technically O(n²) in bytes sent over the course of a conversation, which is why caching and compaction are non-negotiable.

When Codex starts a conversation, it constructs a structured JSON payload for the Responses API with three fields: instructions (a system/developer message with model-specific guidance, e.g., gpt-5.2-codex_prompt.md), tools (a list of tool definitions including the shell tool, the update_plan tool, web search, and any MCP tools the user configured), and input (an ordered list of messages).

The input is built in a specific order: first a developer message describing sandbox permissions and which folders Codex can write to; optionally a developer message with the user's personal config from ~/.codex/config.toml; optionally a user message aggregating AGENTS.md files found from the git root up to the current working directory; a user message with the current environment context (cwd and shell); and finally the actual user message.

The role hierarchy — system > developer > user > assistant — determines how the model weights each piece of content. Critically, static content (instructions, tools) comes first so prompt caching can work.

LLM inference is expensive because the model must process every input token on every call. Prompt caching lets the server reuse computation from a previous call when the new prompt shares an exact prefix with a cached one.

Because Codex appends to the prompt rather than rebuilding it, each new turn automatically shares a prefix with the previous call — so caching delivers near-linear cost instead of quadratic. But cache hits only happen for exact prefix matches, so anything that changes earlier in the prompt poisons the cache for everything after it.

Codex guards against this carefully: if the sandbox configuration changes mid-conversation, a new developer message is appended at the end (not inserted earlier). If the cwd changes, a new environment_context message is appended. The team also found that MCP tools had a subtle bug where tool definitions were emitted in non-deterministic order, causing cache misses on every turn until fixed.

Every model has a finite context window — the maximum number of tokens for one inference call, counting both input and output. In a long agentic session with many tool calls, the conversation history can easily exhaust this limit. Codex solves this with compaction.

Originally, users had to manually run /compact, which summarized the conversation into a short text. Now Codex calls a dedicated /responses/compact endpoint when the token count exceeds auto_compact_limit.

This endpoint returns a new, smaller list of input items that represents the conversation. Crucially, this list includes a special type=compaction item containing an opaque encrypted_content blob that encodes the model's latent understanding of everything that happened — richer than any text summary. For Zero Data Retention customers, OpenAI keeps the decryption key (not the data), so the model's reasoning is preserved without storing conversation content in plain text.

The App Server is a long-lived process that hosts Codex core threads and exposes them over a bidirectional JSON-RPC protocol (JSONL over stdio). It has four internal components: a stdio reader (transport layer), a Codex message processor (translates JSON-RPC requests into Codex core operations and transforms low-level internal events into stable UI-ready notifications), a thread manager (one core session per thread), and the core threads themselves.

The protocol was born out of necessity: when the VS Code extension was built, the team tried using MCP to expose the agent but found MCP semantics couldn't represent rich session state like diffs and streaming progress. They designed a custom JSON-RPC protocol instead.

As internal teams and partners (JetBrains, Xcode) wanted to embed Codex, it became the official surface. The design goal was backward compatibility — older clients can talk to newer App Server binaries safely, so partners can update server-side without waiting for a client release.

The App Server protocol is built on three primitives.

An Item is the atomic unit of input/output — typed (user message, agent message, tool execution, approval request, diff) with an explicit lifecycle: item/started fires when the item begins, optional item/*/delta events stream in content incrementally, and item/completed fires with the terminal payload. This lets clients render UI immediately on started without waiting for the full content.

A Turn is one unit of agent work: it begins when the client submits input and ends when the agent finishes all outputs for that input. A Turn contains a sequence of Items representing intermediate steps.

A Thread is the durable container for an ongoing session: it holds multiple turns, persists event history to disk, and can be resumed after a disconnect. The server can also pause a turn mid-execution by sending an approval request to the client — the agent waits until the client responds allow or deny before continuing.

Different surfaces integrate with the App Server in different ways. Local clients (VS Code, macOS desktop) bundle a platform-specific App Server binary, launch it as a child process, and keep a bidirectional stdio channel open. The shipped binary is pinned to a tested version, but partners like Xcode can decouple their release cycle by pointing to a newer binary when needed.

Codex Web runs the App Server inside a provisioned container — a worker checks out the workspace, launches the App Server binary, and maintains a JSON-RPC channel; the browser talks to the backend over HTTP+SSE. This means the agent keeps running even if the browser tab closes, and a reconnecting session can catch up from the persisted thread history.

The CLI's TUI historically ran in the same process as the agent loop (no protocol layer), but the team plans to refactor it to use the App Server too, which would enable connecting the TUI to a remote agent session.