Codex WebSocket Trace Fix: API Security Guide (2026)

AI coding agent trace security diagram

On July 1, 2026, OpenAI released Codex CLI 0.142.5 with a small-looking but important fix: it prevented full Responses WebSocket request payloads from being written to trace logs. That is not a shiny model launch. It is more useful than that. It is a reminder that AI coding agents don't just generate code; they also create a new layer of operational data that can leak prompts, source files, tool calls, and customer context if you treat logs like a dumping ground.

If your team runs Codex, Claude Code, Gemini CLI, or a custom agent through an OpenAI-compatible API, this is the moment to audit how you handle traces. The best time was before you connected an agent to a repo. The second-best time is today.

TL;DR / Key Takeaways

  • OpenAI Codex CLI 0.142.5 was released on July 1, 2026 and fixed full Responses WebSocket request payloads being written to trace logs.
  • GPT-5.3-Codex costs $1.75 per million input tokens and $14.00 per million output tokens, with a 400,000-token context window.
  • GPT-5.5 costs $5.00 per million input tokens and $30.00 per million output tokens for short-context sessions, with a 1,050,000-token context window.
  • OpenAI hosted shell containers cost $0.03 for 1 GB, $0.12 for 4 GB, $0.48 for 16 GB, or $1.92 for 64 GB per 20-minute session.
  • AI coding agent traces should redact API keys, authorization headers, source-code payloads, customer data, and full WebSocket request bodies by default.

Pricing Reference for the Models and Tools Discussed

Model or toolInput priceOutput priceContext window
GPT-5.3-Codex$1.75 per 1M tokens; $0.175 cached input$14.00 per 1M tokens400,000 tokens
GPT-5.5 short context$5.00 per 1M tokens; $0.50 cached input$30.00 per 1M tokens1,050,000 tokens
GPT-5.4 mini$0.75 per 1M tokens; $0.075 cached input$4.50 per 1M tokens400,000 tokens
Hosted shell container$0.03 per 20-minute 1 GB container sessionNot token-pricedContainer runtime, not a model context window

Model and Option Comparison

OptionBest forPricingKey limitation
GPT-5.3-CodexAgentic coding tasks, repo edits, PR fixes, and coding CLI workflows$1.75 input and $14.00 output per 1M tokens400,000-token context is smaller than GPT-5.5
GPT-5.5Complex professional reasoning, large mixed-context tasks, and broad tool use$5.00 input and $30.00 output per 1M tokens for short contextPrompts above 272,000 input tokens are priced at 2x input and 1.5x output for the full session
GPT-5.4 miniHigh-volume subagents, lint-style review, and cheaper parallel coding checks$0.75 input and $4.50 output per 1M tokensLower capability ceiling than GPT-5.5 for hard reasoning

Why This Bug Class Matters

Trace logs are supposed to help you debug. In agent systems, they can also become a copy of everything sensitive. A single coding-agent request may include a system prompt, the user task, snippets of proprietary source, shell commands, tool results, branch names, repository paths, environment variables, and API metadata. If the transport is WebSocket, a naive trace layer may capture full frames instead of a safe summary.

That is why the Codex fix matters. It points to a boring security rule that teams often ignore: debuggability must not require full payload retention. You need enough evidence to investigate latency, 429s, tool failures, and bad outputs. You do not need to store every prompt and request body forever.

A Safer Logging Pattern for Agent APIs

Start by splitting logs into three classes:

  1. Operational logs: status code, model, latency, retry count, token usage, route, request ID.
  2. Security logs: policy decisions, approval prompts, denied commands, tool categories.
  3. Payload samples: short redacted snippets used only when debugging, with tight retention.

Most production systems need the first two. The third should be off by default or restricted to a safe sampling mode. If you run a multi-model gateway, KissAPI or otherwise, keep the same rule across providers. A clean OpenAI-compatible interface is useful, but it does not magically make payload logging safe.

Node.js Redaction Middleware

Here is a small Express middleware you can put in front of an AI endpoint. It logs the shape of the request without storing raw messages or headers.

import crypto from "node:crypto";

function hash(value = "") {
  return crypto.createHash("sha256").update(value).digest("hex").slice(0, 12);
}

export function aiAuditLogger(req, res, next) {
  const started = Date.now();
  const requestId = req.headers["x-request-id"] || crypto.randomUUID();

  res.on("finish", () => {
    const body = req.body || {};
    const messages = Array.isArray(body.messages) ? body.messages : [];

    console.info(JSON.stringify({
      event: "ai_request",
      request_id: requestId,
      status: res.statusCode,
      duration_ms: Date.now() - started,
      model: body.model,
      message_count: messages.length,
      prompt_hash: hash(JSON.stringify(messages).slice(0, 8000)),
      has_tools: Array.isArray(body.tools) && body.tools.length > 0,
      auth_present: Boolean(req.headers.authorization)
    }));
  });

  next();
}

Notice the tradeoff: you can correlate incidents with a prompt hash, but you are not saving the prompt itself. That is usually enough.

Python Scrubber for Trace Events

If you already have trace events flowing into a log pipeline, scrub before shipping:

SENSITIVE_KEYS = {
    "authorization", "api_key", "x-api-key", "cookie",
    "messages", "input", "prompt", "content", "websocket_payload"
}


def scrub(obj):
    if isinstance(obj, dict):
        clean = {}
        for key, value in obj.items():
            if key.lower() in SENSITIVE_KEYS:
                clean[key] = "[REDACTED]"
            else:
                clean[key] = scrub(value)
        return clean
    if isinstance(obj, list):
        return [scrub(item) for item in obj]
    return obj


def emit_trace(event):
    safe_event = scrub(event)
    print(safe_event)

This is not a full data-loss prevention system. It is a seatbelt. Add allowlists for the fields you truly need, then deny everything else.

curl: Responses API with Minimal Debug Output

When testing manually, avoid dumping verbose traces into shared terminals or CI logs:

curl https://api.openai.com/v1/responses \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -o response.json \
  -w 'status=%{http_code} time=%{time_total}\n' \
  -d '{
    "model": "gpt-5.3-codex",
    "input": "Review this patch for security bugs. Return only findings."
  }'

The -w output gives you the status and timing without spraying the full request or response into logs. In CI, that difference matters.

What to Audit This Week

If you use KissAPI as a unified endpoint, keep your own request IDs and redact logs before sending traffic. The gateway can simplify routing across models, but your application still owns what it records.

Need an OpenAI-Compatible Backup Route?

Use KissAPI to route coding-agent workloads across Claude, GPT, and Gemini-style models with one API shape. Start with a free account and wire it in before your next incident.

Start Free

FAQ

What changed in Codex CLI 0.142.5?

OpenAI Codex CLI 0.142.5, released on July 1, 2026, fixed a bug where full Responses WebSocket request payloads could be written to trace logs.

Should I disable all AI request logging?

No. Keep operational logs such as request ID, model, latency, status code, retry count, and token usage. Avoid storing raw prompts, full source-code payloads, authorization headers, and WebSocket bodies.

Is GPT-5.3-Codex always better than GPT-5.5 for coding?

No. GPT-5.3-Codex is the better default for agentic coding workflows at $1.75 input and $14.00 output per million tokens. GPT-5.5 is better when the task needs broader reasoning or a larger 1,050,000-token context window.