Just fix

.codespellrc

@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
 ignore-words-list = ratatui,ser

.github/ISSUE_TEMPLATE/2-bug-report.yml

@@ -20,14 +20,6 @@ body:
     attributes:
       label: What version of Codex is running?
       description: Copy the output of `codex --version`
-    validations:
-      required: true
-  - type: input
-    id: plan
-    attributes:
-      label: What subscription do you have?
-    validations:
-      required: true
   - type: input
     id: model
     attributes:
@@ -40,18 +32,11 @@ body:
       description: |
         For MacOS and Linux: copy the output of `uname -mprs`
         For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
-  - type: textarea
-    id: actual
-    attributes:
-      label: What issue are you seeing?
-      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot. 
-    validations:
-      required: true
   - type: textarea
     id: steps
     attributes:
       label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it. Please include session id, token limit usage, context window usage if applicable.
+      description: Explain the bug and provide a code snippet that can reproduce it.
     validations:
       required: true
   - type: textarea
@@ -59,6 +44,11 @@ body:
     attributes:
       label: What is the expected behavior?
       description: If possible, please provide text instead of a screenshot.
+  - type: textarea
+    id: actual
+    attributes:
+      label: What do you see instead?
+      description: If possible, please provide text instead of a screenshot.
   - type: textarea
     id: notes
     attributes:

.github/ISSUE_TEMPLATE/4-feature-request.yml

@@ -2,6 +2,7 @@ name: 🎁 Feature Request
 description: Propose a new feature for Codex
 labels:
   - enhancement
+  - needs triage
 body:
   - type: markdown
     attributes:
@@ -18,6 +19,11 @@ body:
       label: What feature would you like to see?
     validations:
       required: true
+  - type: textarea
+    id: author
+    attributes:
+      label: Are you interested in implementing this feature?
+      description: Please wait for acknowledgement before implementing or opening a PR.
   - type: textarea
     id: notes
     attributes:

.github/ISSUE_TEMPLATE/5-vs-code-extension.yml

@@ -14,21 +14,11 @@ body:
     id: version
     attributes:
       label: What version of the VS Code extension are you using?
-    validations:
-      required: true
-  - type: input
-    id: plan
-    attributes:
-      label: What subscription do you have?
-    validations:
-      required: true
   - type: input
     id: ide
     attributes:
       label: Which IDE are you using?
       description: Like `VS Code`, `Cursor`, `Windsurf`, etc.
-    validations:
-      required: true
   - type: input
     id: platform
     attributes:
@@ -36,18 +26,11 @@ body:
       description: |
         For MacOS and Linux: copy the output of `uname -mprs`
         For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
-  - type: textarea
-    id: actual
-    attributes:
-      label: What issue are you seeing?
-      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot. 
-    validations:
-      required: true
   - type: textarea
     id: steps
     attributes:
       label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it. Please include session id, token limit usage, context window usage if applicable.
+      description: Explain the bug and provide a code snippet that can reproduce it.
     validations:
       required: true
   - type: textarea
@@ -55,6 +38,11 @@ body:
     attributes:
       label: What is the expected behavior?
       description: If possible, please provide text instead of a screenshot.
+  - type: textarea
+    id: actual
+    attributes:
+      label: What do you see instead?
+      description: If possible, please provide text instead of a screenshot.
   - type: textarea
     id: notes
     attributes:

.github/dotslash-config.json

@@ -27,34 +27,6 @@
           "path": "codex.exe"
         }
       }
-    },
-    "codex-responses-api-proxy": {
-      "platforms": {
-        "macos-aarch64": {
-          "regex": "^codex-responses-api-proxy-aarch64-apple-darwin\\.zst$",
-          "path": "codex-responses-api-proxy"
-        },
-        "macos-x86_64": {
-          "regex": "^codex-responses-api-proxy-x86_64-apple-darwin\\.zst$",
-          "path": "codex-responses-api-proxy"
-        },
-        "linux-x86_64": {
-          "regex": "^codex-responses-api-proxy-x86_64-unknown-linux-musl\\.zst$",
-          "path": "codex-responses-api-proxy"
-        },
-        "linux-aarch64": {
-          "regex": "^codex-responses-api-proxy-aarch64-unknown-linux-musl\\.zst$",
-          "path": "codex-responses-api-proxy"
-        },
-        "windows-x86_64": {
-          "regex": "^codex-responses-api-proxy-x86_64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-responses-api-proxy.exe"
-        },
-        "windows-aarch64": {
-          "regex": "^codex-responses-api-proxy-aarch64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-responses-api-proxy.exe"
-        }
-      }
     }
   }
 }

.github/prompts/issue-deduplicator.txt

@@ -1,18 +0,0 @@
-You are an assistant that triages new GitHub issues by identifying potential duplicates.
-
-You will receive the following JSON files located in the current working directory:
-- `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
-- `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
-
-Instructions:
-- Load both files as JSON and review their contents carefully. The codex-existing-issues.json file is large, ensure you explore all of it.
-- Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
-- Only consider an issue a potential duplicate if there is a clear overlap in symptoms, feature requests, reproduction steps, or error messages.
-- Prioritize newer issues when similarity is comparable.
-- Ignore pull requests and issues whose similarity is tenuous.
-- When unsure, prefer returning fewer matches.
-
-Output requirements:
-- Respond with a JSON array of issue numbers (integers), ordered from most likely duplicate to least.
-- Include at most five numbers.
-- If you find no plausible duplicates, respond with `[]`.

.github/prompts/issue-labeler.txt

@@ -1,26 +0,0 @@
-You are an assistant that reviews GitHub issues for the repository.
-
-Your job is to choose the most appropriate existing labels for the issue described later in this prompt.
-Follow these rules:
-- Only pick labels out of the list below.
-- Prefer a small set of precise labels over many broad ones.
-- If none of the labels fit, respond with an empty JSON array: []
-- Output must be a JSON array of label names (strings) with no additional commentary.
-
-Labels to apply:
-1. bug — Reproducible defects in Codex products (CLI, VS Code extension, web, auth).
-2. enhancement — Feature requests or usability improvements that ask for new capabilities, better ergonomics, or quality-of-life tweaks.
-3. extension — VS Code (or other IDE) extension-specific issues.
-4. windows-os — Bugs or friction specific to Windows environments (PowerShell behavior, path handling, copy/paste, OS-specific auth or tooling failures).
-5. mcp — Topics involving Model Context Protocol servers/clients.
-6. codex-web — Issues targeting the Codex web UI/Cloud experience.
-8. azure — Problems or requests tied to Azure OpenAI deployments.
-9. documentation — Updates or corrections needed in docs/README/config references (broken links, missing examples, outdated keys, clarification requests).
-10. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
-
-Issue information is available in environment variables:
-
-ISSUE_NUMBER
-ISSUE_TITLE
-ISSUE_BODY
-REPO_FULL_NAME

.github/workflows/ci.yml

@@ -1,7 +1,7 @@
 name: ci
 
 on:
-  pull_request: {}
+  pull_request: { branches: [main] }
   push: { branches: [main] }
 
 jobs:
@@ -27,29 +27,26 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      # stage_npm_packages.py requires DotSlash when staging releases.
+      # build_npm_package.py requires DotSlash when staging releases.
       - uses: facebook/install-dotslash@v2
 
       - name: Stage npm package
-        id: stage_npm_package
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
           CODEX_VERSION=0.40.0
-          OUTPUT_DIR="${RUNNER_TEMP}"
-          python3 ./scripts/stage_npm_packages.py \
+          PACK_OUTPUT="${RUNNER_TEMP}/codex-npm.tgz"
+          python3 ./codex-cli/scripts/build_npm_package.py \
             --release-version "$CODEX_VERSION" \
-            --package codex \
-            --output-dir "$OUTPUT_DIR"
-          PACK_OUTPUT="${OUTPUT_DIR}/codex-npm-${CODEX_VERSION}.tgz"
-          echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"
+            --pack-output "$PACK_OUTPUT"
+          echo "PACK_OUTPUT=$PACK_OUTPUT" >> "$GITHUB_ENV"
 
       - name: Upload staged npm package artifact
         uses: actions/upload-artifact@v4
         with:
           name: codex-npm-staging
-          path: ${{ steps.stage_npm_package.outputs.pack_output }}
+          path: ${{ env.PACK_OUTPUT }}
 
       - name: Ensure root README.md contains only ASCII and certain Unicode code points
         run: ./scripts/asciicheck.py README.md
@@ -60,6 +57,3 @@ jobs:
         run: ./scripts/asciicheck.py codex-cli/README.md
       - name: Check codex-cli/README ToC
         run: python3 scripts/readme_toc.py codex-cli/README.md
-
-      - name: Prettier (run `pnpm run format:fix` to fix)
-        run: pnpm run format

.github/workflows/codespell.yml

@@ -25,3 +25,4 @@ jobs:
         uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1
         with:
           ignore_words_file: .codespellignore
+          skip: frame*.txt

.github/workflows/issue-deduplicator.yml

@@ -1,140 +0,0 @@
-name: Issue Deduplicator
-
-on:
-  issues:
-    types:
-      - opened
-      - labeled
-
-jobs:
-  gather-duplicates:
-    name: Identify potential duplicates
-    if: ${{ github.event.action == 'opened' || (github.event.action == 'labeled' && github.event.label.name == 'codex-deduplicate') }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      codex_output: ${{ steps.codex.outputs.final-message }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Prepare Codex inputs
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -eo pipefail
-
-          CURRENT_ISSUE_FILE=codex-current-issue.json
-          EXISTING_ISSUES_FILE=codex-existing-issues.json
-
-          gh issue list --repo "${{ github.repository }}" \
-            --json number,title,body,createdAt \
-            --limit 1000 \
-            --state all \
-            --search "sort:created-desc" \
-            | jq '.' \
-            > "$EXISTING_ISSUES_FILE"
-
-          gh issue view "${{ github.event.issue.number }}" \
-            --repo "${{ github.repository }}" \
-            --json number,title,body \
-            | jq '.' \
-            > "$CURRENT_ISSUE_FILE"
-
-      - id: codex
-        uses: openai/codex-action@main
-        with:
-          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
-          allow-users: "*"
-          model: gpt-5
-          prompt: |
-            You are an assistant that triages new GitHub issues by identifying potential duplicates.
-
-            You will receive the following JSON files located in the current working directory:
-            - `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
-            - `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
-
-            Instructions:
-            - Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
-            - Focus on the underlying intent and context of each issue—such as reported symptoms, feature requests, reproduction steps, or error messages—rather than relying solely on string similarity or synthetic metrics.
-            - After your analysis, validate your results in 1-2 lines explaining your decision to return the selected matches.
-            - When unsure, prefer returning fewer matches.
-            - Include at most five numbers.
-
-          output-schema: |
-            {
-              "type": "object",
-              "properties": {
-                "issues": {
-                  "type": "array",
-                  "items": {
-                    "type": "string"
-                  }
-                },
-                "reason": { "type": "string" }
-              },
-              "required": ["issues", "reason"],
-              "additionalProperties": false
-            }
-
-  comment-on-issue:
-    name: Comment with potential duplicates
-    needs: gather-duplicates
-    if: ${{ needs.gather-duplicates.result != 'skipped' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      issues: write
-    steps:
-      - name: Comment on issue
-        uses: actions/github-script@v7
-        env:
-          CODEX_OUTPUT: ${{ needs.gather-duplicates.outputs.codex_output }}
-        with:
-          github-token: ${{ github.token }}
-          script: |
-            const raw = process.env.CODEX_OUTPUT ?? '';
-            let parsed;
-            try {
-              parsed = JSON.parse(raw);
-            } catch (error) {
-              core.info(`Codex output was not valid JSON. Raw output: ${raw}`);
-              core.info(`Parse error: ${error.message}`);
-              return;
-            }
-
-            const issues = Array.isArray(parsed?.issues) ? parsed.issues : [];
-            const currentIssueNumber = String(context.payload.issue.number);
-
-            console.log(`Current issue number: ${currentIssueNumber}`);
-            console.log(issues);
-
-            const filteredIssues = issues.filter((value) => String(value) !== currentIssueNumber);
-
-            if (filteredIssues.length === 0) {
-              core.info('Codex reported no potential duplicates.');
-              return;
-            }
-
-            const lines = [
-              'Potential duplicates detected. Please review them and close your issue if it is a duplicate.',
-              '',
-              ...filteredIssues.map((value) => `- #${String(value)}`),
-              '',
-              '*Powered by [Codex Action](https://github.com/openai/codex-action)*'];
-
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.issue.number,
-              body: lines.join("\n"),
-            });
-
-      - name: Remove codex-deduplicate label
-        if: ${{ always() && github.event.action == 'labeled' && github.event.label.name == 'codex-deduplicate' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_REPO: ${{ github.repository }}
-        run: |
-          gh issue edit "${{ github.event.issue.number }}" --remove-label codex-deduplicate || true
-          echo "Attempted to remove label: codex-deduplicate"

.github/workflows/issue-labeler.yml

@@ -1,115 +0,0 @@
-name: Issue Labeler
-
-on:
-  issues:
-    types:
-      - opened
-      - labeled
-
-jobs:
-  gather-labels:
-    name: Generate label suggestions
-    if: ${{ github.event.action == 'opened' || (github.event.action == 'labeled' && github.event.label.name == 'codex-label') }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      codex_output: ${{ steps.codex.outputs.final-message }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - id: codex
-        uses: openai/codex-action@main
-        with:
-          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
-          allow-users: "*"
-          prompt: |
-            You are an assistant that reviews GitHub issues for the repository.
-
-            Your job is to choose the most appropriate existing labels for the issue described later in this prompt.
-            Follow these rules:
-            - Only pick labels out of the list below.
-            - Prefer a small set of precise labels over many broad ones.
-
-            Labels to apply:
-            1. bug — Reproducible defects in Codex products (CLI, VS Code extension, web, auth).
-            2. enhancement — Feature requests or usability improvements that ask for new capabilities, better ergonomics, or quality-of-life tweaks.
-            3. extension — VS Code (or other IDE) extension-specific issues.
-            4. windows-os — Bugs or friction specific to Windows environments (always when PowerShell is mentioned, path handling, copy/paste, OS-specific auth or tooling failures).
-            5. mcp — Topics involving Model Context Protocol servers/clients.
-            6. codex-web — Issues targeting the Codex web UI/Cloud experience.
-            8. azure — Problems or requests tied to Azure OpenAI deployments.
-            9. documentation — Updates or corrections needed in docs/README/config references (broken links, missing examples, outdated keys, clarification requests).
-            10. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
-
-            Issue number: ${{ github.event.issue.number }}
-
-            Issue title:
-            ${{ github.event.issue.title }}
-
-            Issue body:
-            ${{ github.event.issue.body }}
-
-            Repository full name:
-            ${{ github.repository }}
-
-          output-schema: |
-            {
-              "type": "object",
-              "properties": {
-                "labels": {
-                  "type": "array",
-                  "items": {
-                    "type": "string"
-                  }
-                }
-              },
-              "required": ["labels"],
-              "additionalProperties": false
-            }
-
-  apply-labels:
-    name: Apply labels from Codex output
-    needs: gather-labels
-    if: ${{ needs.gather-labels.result != 'skipped' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      issues: write
-    env:
-      GH_TOKEN: ${{ github.token }}
-      GH_REPO: ${{ github.repository }}
-      ISSUE_NUMBER: ${{ github.event.issue.number }}
-      CODEX_OUTPUT: ${{ needs.gather-labels.outputs.codex_output }}
-    steps:
-      - name: Apply labels
-        run: |
-          json=${CODEX_OUTPUT//$'\r'/}
-          if [ -z "$json" ]; then
-            echo "Codex produced no output. Skipping label application."
-            exit 0
-          fi
-
-          if ! printf '%s' "$json" | jq -e 'type == "object" and (.labels | type == "array")' >/dev/null 2>&1; then
-            echo "Codex output did not include a labels array. Raw output: $json"
-            exit 0
-          fi
-
-          labels=$(printf '%s' "$json" | jq -r '.labels[] | tostring')
-          if [ -z "$labels" ]; then
-            echo "Codex returned an empty array. Nothing to do."
-            exit 0
-          fi
-
-          cmd=(gh issue edit "$ISSUE_NUMBER")
-          while IFS= read -r label; do
-            cmd+=(--add-label "$label")
-          done <<< "$labels"
-
-          "${cmd[@]}" || true
-
-      - name: Remove codex-label trigger
-        if: ${{ always() && github.event.action == 'labeled' && github.event.label.name == 'codex-label' }}
-        run: |
-          gh issue edit "$ISSUE_NUMBER" --remove-label codex-label || true
-          echo "Attempted to remove label: codex-label"

.github/workflows/rust-ci.yml

@@ -148,26 +148,15 @@ jobs:
           targets: ${{ matrix.target }}
           components: clippy
 
-      # Explicit cache restore: split cargo home vs target, so we can
-      # avoid caching the large target dir on the gnu-dev job.
-      - name: Restore cargo home cache
-        id: cache_cargo_home_restore
-        uses: actions/cache/restore@v4
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
-
-      - name: Restore target cache (except gnu-dev)
-        id: cache_target_restore
-        if: ${{ !(matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release') }}
-        uses: actions/cache/restore@v4
-        with:
-          path: ${{ github.workspace }}/codex-rs/target/
-          key: cargo-target-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
+            ${{ github.workspace }}/codex-rs/target/
+          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
 
       - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
         name: Install musl build tools
@@ -201,35 +190,10 @@ jobs:
         # Tests take too long for release builds to run them on every PR.
         if: ${{ matrix.profile != 'release' }}
         continue-on-error: true
-        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
+        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }}
         env:
           RUST_BACKTRACE: 1
 
-      # Save caches explicitly; make non-fatal so cache packaging
-      # never fails the overall job. Only save when key wasn't hit.
-      - name: Save cargo home cache
-        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@v4
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
-
-      - name: Save target cache (except gnu-dev)
-        if: >-
-          always() && !cancelled() &&
-          (steps.cache_target_restore.outputs.cache-hit != 'true') &&
-          !(matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release')
-        continue-on-error: true
-        uses: actions/cache/save@v4
-        with:
-          path: ${{ github.workspace }}/codex-rs/target/
-          key: cargo-target-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
-
       # Fail the job if any of the previous steps failed.
       - name: verify all steps passed
         if: |

.github/workflows/rust-release.yml

@@ -47,7 +47,7 @@ jobs:
 
   build:
     needs: tag-check
-    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
+    name: ${{ matrix.runner }} - ${{ matrix.target }}
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 30
     defaults:
@@ -58,9 +58,9 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - runner: macos-15-xlarge
+          - runner: macos-14
             target: aarch64-apple-darwin
-          - runner: macos-15-xlarge
+          - runner: macos-14
             target: x86_64-apple-darwin
           - runner: ubuntu-24.04
             target: x86_64-unknown-linux-musl
@@ -94,180 +94,10 @@ jobs:
       - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
         name: Install musl build tools
         run: |
-          sudo apt-get update
-          sudo apt-get install -y musl-tools pkg-config
+          sudo apt install -y musl-tools pkg-config
 
       - name: Cargo build
-        run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
-
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
-        name: Configure Apple code signing
-        shell: bash
-        env:
-          KEYCHAIN_PASSWORD: actions
-          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12 }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-        run: |
-          set -euo pipefail
-
-          if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
-            echo "APPLE_CERTIFICATE is required for macOS signing"
-            exit 1
-          fi
-
-          if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
-            echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
-            exit 1
-          fi
-
-          cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
-          echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
-
-          keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
-          security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
-          security set-keychain-settings -lut 21600 "$keychain_path"
-          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
-
-          keychain_args=()
-          cleanup_keychain() {
-            if ((${#keychain_args[@]} > 0)); then
-              security list-keychains -s "${keychain_args[@]}" || true
-              security default-keychain -s "${keychain_args[0]}" || true
-            else
-              security list-keychains -s || true
-            fi
-            if [[ -f "$keychain_path" ]]; then
-              security delete-keychain "$keychain_path" || true
-            fi
-          }
-
-          while IFS= read -r keychain; do
-            [[ -n "$keychain" ]] && keychain_args+=("$keychain")
-          done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
-
-          if ((${#keychain_args[@]} > 0)); then
-            security list-keychains -s "$keychain_path" "${keychain_args[@]}"
-          else
-            security list-keychains -s "$keychain_path"
-          fi
-
-          security default-keychain -s "$keychain_path"
-          security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
-          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
-
-          codesign_hashes=()
-          while IFS= read -r hash; do
-            [[ -n "$hash" ]] && codesign_hashes+=("$hash")
-          done < <(security find-identity -v -p codesigning "$keychain_path" \
-            | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \
-            | sort -u)
-
-          if ((${#codesign_hashes[@]} == 0)); then
-            echo "No signing identities found in $keychain_path"
-            cleanup_keychain
-            rm -f "$cert_path"
-            exit 1
-          fi
-
-          if ((${#codesign_hashes[@]} > 1)); then
-            echo "Multiple signing identities found in $keychain_path:"
-            printf '  %s\n' "${codesign_hashes[@]}"
-            cleanup_keychain
-            rm -f "$cert_path"
-            exit 1
-          fi
-
-          APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
-
-          rm -f "$cert_path"
-
-          echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV"
-          echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
-          echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
-
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
-        name: Sign macOS binaries
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
-            echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
-            exit 1
-          fi
-
-          keychain_args=()
-          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
-            keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
-          fi
-
-          for binary in codex codex-responses-api-proxy; do
-            path="target/${{ matrix.target }}/release/${binary}"
-            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
-          done
-
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
-        name: Notarize macOS binaries
-        shell: bash
-        env:
-          APPLE_NOTARIZATION_KEY_P8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
-          APPLE_NOTARIZATION_KEY_ID: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
-          APPLE_NOTARIZATION_ISSUER_ID: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
-        run: |
-          set -euo pipefail
-
-          for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
-            if [[ -z "${!var:-}" ]]; then
-              echo "$var is required for notarization"
-              exit 1
-            fi
-          done
-
-          notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
-          echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
-          cleanup_notary() {
-            rm -f "$notary_key_path"
-          }
-          trap cleanup_notary EXIT
-
-          notarize_binary() {
-            local binary="$1"
-            local source_path="target/${{ matrix.target }}/release/${binary}"
-            local archive_path="${RUNNER_TEMP}/${binary}.zip"
-
-            if [[ ! -f "$source_path" ]]; then
-              echo "Binary $source_path not found"
-              exit 1
-            fi
-
-            rm -f "$archive_path"
-            ditto -c -k --keepParent "$source_path" "$archive_path"
-
-            submission_json=$(xcrun notarytool submit "$archive_path" \
-              --key "$notary_key_path" \
-              --key-id "$APPLE_NOTARIZATION_KEY_ID" \
-              --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
-              --output-format json \
-              --wait)
-
-            status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
-            submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
-
-            if [[ -z "$submission_id" ]]; then
-              echo "Failed to retrieve submission ID for $binary"
-              exit 1
-            fi
-
-            echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}"
-
-            if [[ "$status" != "Accepted" ]]; then
-              echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})"
-              exit 1
-            fi
-          }
-
-          notarize_binary "codex"
-          notarize_binary "codex-responses-api-proxy"
+        run: cargo build --target ${{ matrix.target }} --release --bin codex
 
       - name: Stage artifacts
         shell: bash
@@ -277,10 +107,8 @@ jobs:
 
           if [[ "${{ matrix.runner }}" == windows* ]]; then
             cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
           else
             cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
           fi
 
       - if: ${{ matrix.runner == 'windows-11-arm' }}
@@ -327,29 +155,6 @@ jobs:
             zstd -T0 -19 --rm "$dest/$base"
           done
 
-      - name: Remove signing keychain
-        if: ${{ always() && matrix.runner == 'macos-15-xlarge' }}
-        shell: bash
-        env:
-          APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
-        run: |
-          set -euo pipefail
-          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
-            keychain_args=()
-            while IFS= read -r keychain; do
-              [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
-              [[ -n "$keychain" ]] && keychain_args+=("$keychain")
-            done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
-            if ((${#keychain_args[@]} > 0)); then
-              security list-keychains -s "${keychain_args[@]}"
-              security default-keychain -s "${keychain_args[0]}"
-            fi
-
-            if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
-              security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
-            fi
-          fi
-
       - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.target }}
@@ -409,30 +214,18 @@ jobs:
             echo "npm_tag=" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
-      - name: Setup Node.js for npm packaging
-        uses: actions/setup-node@v5
-        with:
-          node-version: 22
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      # stage_npm_packages.py requires DotSlash when staging releases.
+      # build_npm_package.py requires DotSlash when staging releases.
       - uses: facebook/install-dotslash@v2
-      - name: Stage npm packages
+      - name: Stage npm package
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          ./scripts/stage_npm_packages.py \
+          set -euo pipefail
+          TMP_DIR="${RUNNER_TEMP}/npm-stage"
+          ./codex-cli/scripts/build_npm_package.py \
             --release-version "${{ steps.release_name.outputs.name }}" \
-            --package codex \
-            --package codex-responses-api-proxy \
-            --package codex-sdk
+            --staging-dir "${TMP_DIR}" \
+            --pack-output "${GITHUB_WORKSPACE}/dist/npm/codex-npm-${{ steps.release_name.outputs.name }}.tgz"
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
@@ -476,7 +269,7 @@ jobs:
       - name: Update npm
         run: npm install -g npm@latest
 
-      - name: Download npm tarballs from release
+      - name: Download npm tarball from release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -488,14 +281,6 @@ jobs:
             --repo "${GITHUB_REPOSITORY}" \
             --pattern "codex-npm-${version}.tgz" \
             --dir dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-responses-api-proxy-npm-${version}.tgz" \
-            --dir dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-sdk-npm-${version}.tgz" \
-            --dir dist/npm
 
       # No NODE_AUTH_TOKEN needed because we use OIDC.
       - name: Publish to npm
@@ -509,15 +294,7 @@ jobs:
             tag_args+=(--tag "${NPM_TAG}")
           fi
 
-          tarballs=(
-            "codex-npm-${VERSION}.tgz"
-            "codex-responses-api-proxy-npm-${VERSION}.tgz"
-            "codex-sdk-npm-${VERSION}.tgz"
-          )
-
-          for tarball in "${tarballs[@]}"; do
-            npm publish "${GITHUB_WORKSPACE}/dist/npm/${tarball}" "${tag_args[@]}"
-          done
+          npm publish "${GITHUB_WORKSPACE}/dist/npm/codex-npm-${VERSION}.tgz" "${tag_args[@]}"
 
   update-branch:
     name: Update latest-alpha-cli branch

.github/workflows/sdk.yml

@@ -1,43 +0,0 @@
-name: sdk
-
-on:
-  push:
-    branches: [main]
-  pull_request: {}
-
-jobs:
-  sdks:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version: 22
-          cache: pnpm
-
-      - uses: dtolnay/rust-toolchain@1.90
-
-      - name: build codex
-        run: cargo build --bin codex
-        working-directory: codex-rs
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Build SDK packages
-        run: pnpm -r --filter ./sdk/typescript run build
-
-      - name: Lint SDK packages
-        run: pnpm -r --filter ./sdk/typescript run lint
-
-      - name: Test SDK packages
-        run: pnpm -r --filter ./sdk/typescript run test

.gitignore

@@ -30,7 +30,6 @@ result
 # cli tools
 CLAUDE.md
 .claude/
-AGENTS.override.md
 
 # caches
 .cache/

.vscode/settings.json

@@ -3,7 +3,6 @@
     "rust-analyzer.check.command": "clippy",
     "rust-analyzer.check.extraArgs": ["--all-features", "--tests"],
     "rust-analyzer.rustfmt.extraArgs": ["--config", "imports_granularity=Item"],
-    "rust-analyzer.cargo.targetDir": "${workspaceFolder}/codex-rs/target/rust-analyzer",
     "[rust]": {
         "editor.defaultFormatter": "rust-lang.rust-analyzer",
         "editor.formatOnSave": true,

AGENTS.md

@@ -8,18 +8,11 @@ In the codex-rs folder where the rust code lives:
 - Never add or modify any code related to `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` or `CODEX_SANDBOX_ENV_VAR`.
   - You operate in a sandbox where `CODEX_SANDBOX_NETWORK_DISABLED=1` will be set whenever you use the `shell` tool. Any existing code that uses `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` was authored with this fact in mind. It is often used to early exit out of tests that the author knew you would not be able to run given your sandbox limitations.
   - Similarly, when you spawn a process using Seatbelt (`/usr/bin/sandbox-exec`), `CODEX_SANDBOX=seatbelt` will be set on the child process. Integration tests that want to run Seatbelt themselves cannot be run under Seatbelt, so checks for `CODEX_SANDBOX=seatbelt` are also often used to early exit out of tests, as appropriate.
-- Always collapse if statements per https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
-- Always inline format! args when possible per https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
-- Use method references over closures when possible per https://rust-lang.github.io/rust-clippy/master/index.html#redundant_closure_for_method_calls
-- Do not use unsigned integer even if the number cannot be negative.
-- When writing tests, prefer comparing the equality of entire objects over fields one by one.
-- When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
 
 Run `just fmt` (in `codex-rs` directory) automatically after making Rust code changes; do not ask for approval to run it. Before finalizing a change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates. Additionally, run the tests:
-
 1. Run the test for the specific project that was changed. For example, if changes were made in `codex-rs/tui`, run `cargo test -p codex-tui`.
 2. Once those pass, if any changes were made in common, core, or protocol, run the complete test suite with `cargo test --all-features`.
-   When running interactively, ask the user before running `just fix` to finalize. `just fmt` does not require approval. project-specific or individual tests can be run without asking the user, but do ask the user before running the complete test suite.
+When running interactively, ask the user before running `just fix` to finalize. `just fmt` does not require approval. project-specific or individual tests can be run without asking the user, but do ask the user before running the complete test suite.
 
 ## TUI style conventions
 
@@ -35,7 +28,6 @@ See `codex-rs/tui/styles.md`.
     - Desired: vec!["  └ ".into(), "M".red(), " ".dim(), "tui/src/app.rs".dim()]
 
 ### TUI Styling (ratatui)
-
 - Prefer Stylize helpers: use "text".dim(), .bold(), .cyan(), .italic(), .underlined() instead of manual Style where possible.
 - Prefer simple conversions: use "text".into() for spans and vec![…].into() for lines; when inference is ambiguous (e.g., Paragraph::new/Cell::from), use Line::from(spans) or Span::from(text).
 - Computed styles: if the Style is computed at runtime, using `Span::styled` is OK (`Span::from(text).set_style(style)` is also acceptable).
@@ -47,7 +39,6 @@ See `codex-rs/tui/styles.md`.
 - Compactness: prefer the form that stays on one line after rustfmt; if only one of Line::from(vec![…]) or vec![…].into() avoids wrapping, choose that. If both wrap, pick the one with fewer wrapped lines.
 
 ### Text wrapping
-
 - Always use textwrap::wrap to wrap plain strings.
 - If you have a ratatui Line and you want to wrap it, use the helpers in tui/src/wrapping.rs, e.g. word_wrap_lines / word_wrap_line.
 - If you need to indent wrapped lines, use the initial_indent / subsequent_indent options from RtOptions if you can, rather than writing custom logic.
@@ -69,34 +60,8 @@ This repo uses snapshot tests (via `insta`), especially in `codex-rs/tui`, to va
   - `cargo insta accept -p codex-tui`
 
 If you don’t have the tool:
-
 - `cargo install cargo-insta`
 
 ### Test assertions
 
 - Tests should use pretty_assertions::assert_eq for clearer diffs. Import this at the top of the test module if it isn't already.
-
-### Integration tests (core)
-
-- Prefer the utilities in `core_test_support::responses` when writing end-to-end Codex tests.
-
-- All `mount_sse*` helpers return a `ResponseMock`; hold onto it so you can assert against outbound `/responses` POST bodies.
-- Use `ResponseMock::single_request()` when a test should only issue one POST, or `ResponseMock::requests()` to inspect every captured `ResponsesRequest`.
-- `ResponsesRequest` exposes helpers (`body_json`, `input`, `function_call_output`, `custom_tool_call_output`, `call_output`, `header`, `path`, `query_param`) so assertions can target structured payloads instead of manual JSON digging.
-- Build SSE payloads with the provided `ev_*` constructors and the `sse(...)`.
-
-- Typical pattern:
-
-  ```rust
-  let mock = responses::mount_sse_once(&server, responses::sse(vec![
-      responses::ev_response_created("resp-1"),
-      responses::ev_function_call(call_id, "shell", &serde_json::to_string(&args)?),
-      responses::ev_completed("resp-1"),
-  ])).await;
-
-  codex.submit(Op::UserTurn { ... }).await?;
-
-  // Assert request body if needed.
-  let request = mock.single_request();
-  // assert using request.function_call_output(call_id) or request.json_body() or other helpers.
-  ```

README.md

@@ -1,4 +1,6 @@
-<p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install --cask codex</code></p>
+<h1 align="center">OpenAI Codex CLI</h1>
+
+<p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install codex</code></p>
 
 <p align="center"><strong>Codex CLI</strong> is a coding agent from OpenAI that runs locally on your computer.
 </br>
@@ -24,7 +26,7 @@ npm install -g @openai/codex
 Alternatively, if you use Homebrew:
 
 ```shell
-brew install --cask codex
+brew install codex
 ```
 
 Then simply run `codex` to get started:
@@ -61,7 +63,8 @@ You can also use Codex with an API key, but this requires [additional setup](./d
 
 ### Model Context Protocol (MCP)
 
-Codex can access MCP servers. To configure them, refer to the [config docs](./docs/config.md#mcp_servers).
+Codex CLI supports [MCP servers](./docs/advanced.md#model-context-protocol-mcp). Enable by adding an `mcp_servers` section to your `~/.codex/config.toml`.
+
 
 ### Configuration
 
@@ -75,18 +78,14 @@ Codex CLI supports a rich set of configuration options, with preferences stored
   - [CLI usage](./docs/getting-started.md#cli-usage)
   - [Running with a prompt as input](./docs/getting-started.md#running-with-a-prompt-as-input)
   - [Example prompts](./docs/getting-started.md#example-prompts)
-  - [Custom prompts](./docs/prompts.md)
   - [Memory with AGENTS.md](./docs/getting-started.md#memory-with-agentsmd)
   - [Configuration](./docs/config.md)
 - [**Sandbox & approvals**](./docs/sandbox.md)
 - [**Authentication**](./docs/authentication.md)
   - [Auth methods](./docs/authentication.md#forcing-a-specific-auth-method-advanced)
   - [Login on a "Headless" machine](./docs/authentication.md#connecting-on-a-headless-machine)
-- **Automating Codex**
-  - [GitHub Action](https://github.com/openai/codex-action)
-  - [TypeScript SDK](./sdk/typescript/README.md)
-  - [Non-interactive mode (`codex exec`)](./docs/exec.md)
 - [**Advanced**](./docs/advanced.md)
+  - [Non-interactive / CI mode](./docs/advanced.md#non-interactive--ci-mode)
   - [Tracing / verbose logging](./docs/advanced.md#tracing--verbose-logging)
   - [Model Context Protocol (MCP)](./docs/advanced.md#model-context-protocol-mcp)
 - [**Zero data retention (ZDR)**](./docs/zdr.md)
@@ -103,3 +102,4 @@ Codex CLI supports a rich set of configuration options, with preferences stored
 ## License
 
 This repository is licensed under the [Apache-2.0 License](LICENSE).
+

cliff.toml

@@ -4,7 +4,7 @@
 header = """
 # Changelog
 
-You can install any of these versions: `npm install -g @openai/codex@<version>`
+You can install any of these versions: `npm install -g codex@version`
 """
 
 body = """

codex-cli/README.md

@@ -208,7 +208,7 @@ The hardening mechanism Codex uses depends on your OS:
 | Requirement                 | Details                                                         |
 | --------------------------- | --------------------------------------------------------------- |
 | Operating systems           | macOS 12+, Ubuntu 20.04+/Debian 10+, or Windows 11 **via WSL2** |
-| Node.js                     | **16 or newer** (Node 20 LTS recommended)                       |
+| Node.js                     | **22 or newer** (LTS recommended)                               |
 | Git (optional, recommended) | 2.23+ for built-in PR helpers                                   |
 | RAM                         | 4-GB minimum (8-GB recommended)                                 |
 
@@ -513,7 +513,7 @@ Codex runs model-generated commands in a sandbox. If a proposed command or file
 <details>
 <summary>Does it work on Windows?</summary>
 
-Not directly. It requires [Windows Subsystem for Linux (WSL2)](https://learn.microsoft.com/en-us/windows/wsl/install) - Codex is regularly tested on macOS and Linux with Node 20+, and also supports Node 16.
+Not directly. It requires [Windows Subsystem for Linux (WSL2)](https://learn.microsoft.com/en-us/windows/wsl/install) - Codex has been tested on macOS and Linux with Node 22.
 
 </details>
 

codex-cli/bin/codex.js

@@ -1,7 +1,6 @@
 #!/usr/bin/env node
 // Unified entry point for the Codex CLI.
 
-import { spawn } from "node:child_process";
 import { existsSync } from "fs";
 import path from "path";
 import { fileURLToPath } from "url";
@@ -69,6 +68,7 @@ const binaryPath = path.join(archRoot, "codex", codexBinaryName);
 // executing. This allows us to forward those signals to the child process
 // and guarantees that when either the child terminates or the parent
 // receives a fatal signal, both processes exit in a predictable manner.
+const { spawn } = await import("child_process");
 
 function getUpdatedPath(newDirs) {
   const pathSep = process.platform === "win32" ? ";" : ":";
@@ -80,32 +80,6 @@ function getUpdatedPath(newDirs) {
   return updatedPath;
 }
 
-/**
- * Use heuristics to detect the package manager that was used to install Codex
- * in order to give the user a hint about how to update it.
- */
-function detectPackageManager() {
-  const userAgent = process.env.npm_config_user_agent || "";
-  if (/\bbun\//.test(userAgent)) {
-    return "bun";
-  }
-
-  const execPath = process.env.npm_execpath || "";
-  if (execPath.includes("bun")) {
-    return "bun";
-  }
-
-  if (
-    process.env.BUN_INSTALL ||
-    process.env.BUN_INSTALL_GLOBAL_DIR ||
-    process.env.BUN_INSTALL_BIN_DIR
-  ) {
-    return "bun";
-  }
-
-  return userAgent ? "npm" : null;
-}
-
 const additionalDirs = [];
 const pathDir = path.join(archRoot, "path");
 if (existsSync(pathDir)) {
@@ -113,16 +87,9 @@ if (existsSync(pathDir)) {
 }
 const updatedPath = getUpdatedPath(additionalDirs);
 
-const env = { ...process.env, PATH: updatedPath };
-const packageManagerEnvVar =
-  detectPackageManager() === "bun"
-    ? "CODEX_MANAGED_BY_BUN"
-    : "CODEX_MANAGED_BY_NPM";
-env[packageManagerEnvVar] = "1";
-
 const child = spawn(binaryPath, process.argv.slice(2), {
   stdio: "inherit",
-  env,
+  env: { ...process.env, PATH: updatedPath, CODEX_MANAGED_BY_NPM: "1" },
 });
 
 child.on("error", (err) => {

codex-cli/package-lock.json

@@ -11,7 +11,7 @@
         "codex": "bin/codex.js"
       },
       "engines": {
-        "node": ">=16"
+        "node": ">=20"
       }
     }
   }

codex-cli/package.json

@@ -7,7 +7,7 @@
   },
   "type": "module",
   "engines": {
-    "node": ">=16"
+    "node": ">=20"
   },
   "files": [
     "bin",

codex-cli/scripts/README.md

@@ -1,19 +1,11 @@
 # npm releases
 
-Use the staging helper in the repo root to generate npm tarballs for a release. For
-example, to stage the CLI, responses proxy, and SDK packages for version `0.6.0`:
+Run the following:
+
+To build the 0.2.x or later version of the npm module, which runs the Rust version of the CLI, build it as follows:
 
 ```bash
-./scripts/stage_npm_packages.py \
-  --release-version 0.6.0 \
-  --package codex \
-  --package codex-responses-api-proxy \
-  --package codex-sdk
+./codex-cli/scripts/build_npm_package.py --release-version 0.6.0
 ```
 
-This downloads the native artifacts once, hydrates `vendor/` for each package, and writes
-tarballs to `dist/npm/`.
-
-If you need to invoke `build_npm_package.py` directly, run
-`codex-cli/scripts/install_native_deps.py` first and pass `--vendor-src` pointing to the
-directory that contains the populated `vendor/` tree.
+Note this will create `./codex-cli/vendor/` as a side-effect.

codex-cli/scripts/build_npm_package.py

@@ -3,6 +3,7 @@
 
 import argparse
 import json
+import re
 import shutil
 import subprocess
 import sys
@@ -12,29 +13,16 @@ from pathlib import Path
 SCRIPT_DIR = Path(__file__).resolve().parent
 CODEX_CLI_ROOT = SCRIPT_DIR.parent
 REPO_ROOT = CODEX_CLI_ROOT.parent
-RESPONSES_API_PROXY_NPM_ROOT = REPO_ROOT / "codex-rs" / "responses-api-proxy" / "npm"
-CODEX_SDK_ROOT = REPO_ROOT / "sdk" / "typescript"
+GITHUB_REPO = "openai/codex"
 
-PACKAGE_NATIVE_COMPONENTS: dict[str, list[str]] = {
-    "codex": ["codex", "rg"],
-    "codex-responses-api-proxy": ["codex-responses-api-proxy"],
-    "codex-sdk": ["codex"],
-}
-COMPONENT_DEST_DIR: dict[str, str] = {
-    "codex": "codex",
-    "codex-responses-api-proxy": "codex-responses-api-proxy",
-    "rg": "path",
-}
+# The docs are not clear on what the expected value/format of
+# workflow/workflowName is:
+# https://cli.github.com/manual/gh_run_list
+WORKFLOW_NAME = ".github/workflows/rust-release.yml"
 
 
 def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(description="Build or stage the Codex CLI npm package.")
-    parser.add_argument(
-        "--package",
-        choices=("codex", "codex-responses-api-proxy", "codex-sdk"),
-        default="codex",
-        help="Which npm package to stage (default: codex).",
-    )
     parser.add_argument(
         "--version",
         help="Version number to write to package.json inside the staged package.",
@@ -42,9 +30,14 @@ def parse_args() -> argparse.Namespace:
     parser.add_argument(
         "--release-version",
         help=(
-            "Version to stage for npm release."
+            "Version to stage for npm release. When provided, the script also resolves the "
+            "matching rust-release workflow unless --workflow-url is supplied."
         ),
     )
+    parser.add_argument(
+        "--workflow-url",
+        help="Optional GitHub Actions workflow run URL used to download native binaries.",
+    )
     parser.add_argument(
         "--staging-dir",
         type=Path,
@@ -64,18 +57,12 @@ def parse_args() -> argparse.Namespace:
         type=Path,
         help="Path where the generated npm tarball should be written.",
     )
-    parser.add_argument(
-        "--vendor-src",
-        type=Path,
-        help="Directory containing pre-installed native binaries to bundle (vendor root).",
-    )
     return parser.parse_args()
 
 
 def main() -> int:
     args = parse_args()
 
-    package = args.package
     version = args.version
     release_version = args.release_version
     if release_version:
@@ -89,45 +76,40 @@ def main() -> int:
     staging_dir, created_temp = prepare_staging_dir(args.staging_dir)
 
     try:
-        stage_sources(staging_dir, version, package)
+        stage_sources(staging_dir, version)
 
-        vendor_src = args.vendor_src.resolve() if args.vendor_src else None
-        native_components = PACKAGE_NATIVE_COMPONENTS.get(package, [])
+        workflow_url = args.workflow_url
+        resolved_head_sha: str | None = None
+        if not workflow_url:
+            if release_version:
+                workflow = resolve_release_workflow(version)
+                workflow_url = workflow["url"]
+                resolved_head_sha = workflow.get("headSha")
+            else:
+                workflow_url = resolve_latest_alpha_workflow_url()
+        elif release_version:
+            try:
+                workflow = resolve_release_workflow(version)
+                resolved_head_sha = workflow.get("headSha")
+            except Exception:
+                resolved_head_sha = None
 
-        if native_components:
-            if vendor_src is None:
-                components_str = ", ".join(native_components)
-                raise RuntimeError(
-                    "Native components "
-                    f"({components_str}) required for package '{package}'. Provide --vendor-src "
-                    "pointing to a directory containing pre-installed binaries."
-                )
+        if release_version and resolved_head_sha:
+            print(f"should `git checkout {resolved_head_sha}`")
 
-            copy_native_binaries(vendor_src, staging_dir, native_components)
+        if not workflow_url:
+            raise RuntimeError("Unable to determine workflow URL for native binaries.")
+
+        install_native_binaries(staging_dir, workflow_url)
 
         if release_version:
             staging_dir_str = str(staging_dir)
-            if package == "codex":
-                print(
-                    f"Staged version {version} for release in {staging_dir_str}\n\n"
-                    "Verify the CLI:\n"
-                    f"    node {staging_dir_str}/bin/codex.js --version\n"
-                    f"    node {staging_dir_str}/bin/codex.js --help\n\n"
-                )
-            elif package == "codex-responses-api-proxy":
-                print(
-                    f"Staged version {version} for release in {staging_dir_str}\n\n"
-                    "Verify the responses API proxy:\n"
-                    f"    node {staging_dir_str}/bin/codex-responses-api-proxy.js --help\n\n"
-                )
-            else:
-                print(
-                    f"Staged version {version} for release in {staging_dir_str}\n\n"
-                    "Verify the SDK contents:\n"
-                    f"    ls {staging_dir_str}/dist\n"
-                    f"    ls {staging_dir_str}/vendor\n"
-                    "    node -e \"import('./dist/index.js').then(() => console.log('ok'))\"\n\n"
-                )
+            print(
+                f"Staged version {version} for release in {staging_dir_str}\n\n"
+                "Verify the CLI:\n"
+                f"    node {staging_dir_str}/bin/codex.js --version\n"
+                f"    node {staging_dir_str}/bin/codex.js --help\n\n"
+            )
         else:
             print(f"Staged package in {staging_dir}")
 
@@ -154,120 +136,99 @@ def prepare_staging_dir(staging_dir: Path | None) -> tuple[Path, bool]:
     return temp_dir, True
 
 
-def stage_sources(staging_dir: Path, version: str, package: str) -> None:
-    if package == "codex":
-        bin_dir = staging_dir / "bin"
-        bin_dir.mkdir(parents=True, exist_ok=True)
-        shutil.copy2(CODEX_CLI_ROOT / "bin" / "codex.js", bin_dir / "codex.js")
-        rg_manifest = CODEX_CLI_ROOT / "bin" / "rg"
-        if rg_manifest.exists():
-            shutil.copy2(rg_manifest, bin_dir / "rg")
+def stage_sources(staging_dir: Path, version: str) -> None:
+    bin_dir = staging_dir / "bin"
+    bin_dir.mkdir(parents=True, exist_ok=True)
 
-        readme_src = REPO_ROOT / "README.md"
-        if readme_src.exists():
-            shutil.copy2(readme_src, staging_dir / "README.md")
+    shutil.copy2(CODEX_CLI_ROOT / "bin" / "codex.js", bin_dir / "codex.js")
+    rg_manifest = CODEX_CLI_ROOT / "bin" / "rg"
+    if rg_manifest.exists():
+        shutil.copy2(rg_manifest, bin_dir / "rg")
 
-        package_json_path = CODEX_CLI_ROOT / "package.json"
-    elif package == "codex-responses-api-proxy":
-        bin_dir = staging_dir / "bin"
-        bin_dir.mkdir(parents=True, exist_ok=True)
-        launcher_src = RESPONSES_API_PROXY_NPM_ROOT / "bin" / "codex-responses-api-proxy.js"
-        shutil.copy2(launcher_src, bin_dir / "codex-responses-api-proxy.js")
+    readme_src = REPO_ROOT / "README.md"
+    if readme_src.exists():
+        shutil.copy2(readme_src, staging_dir / "README.md")
 
-        readme_src = RESPONSES_API_PROXY_NPM_ROOT / "README.md"
-        if readme_src.exists():
-            shutil.copy2(readme_src, staging_dir / "README.md")
-
-        package_json_path = RESPONSES_API_PROXY_NPM_ROOT / "package.json"
-    elif package == "codex-sdk":
-        package_json_path = CODEX_SDK_ROOT / "package.json"
-        stage_codex_sdk_sources(staging_dir)
-    else:
-        raise RuntimeError(f"Unknown package '{package}'.")
-
-    with open(package_json_path, "r", encoding="utf-8") as fh:
+    with open(CODEX_CLI_ROOT / "package.json", "r", encoding="utf-8") as fh:
         package_json = json.load(fh)
     package_json["version"] = version
 
-    if package == "codex-sdk":
-        scripts = package_json.get("scripts")
-        if isinstance(scripts, dict):
-            scripts.pop("prepare", None)
-
-        files = package_json.get("files")
-        if isinstance(files, list):
-            if "vendor" not in files:
-                files.append("vendor")
-        else:
-            package_json["files"] = ["dist", "vendor"]
-
     with open(staging_dir / "package.json", "w", encoding="utf-8") as out:
         json.dump(package_json, out, indent=2)
         out.write("\n")
 
 
-def run_command(cmd: list[str], cwd: Path | None = None) -> None:
-    print("+", " ".join(cmd))
-    subprocess.run(cmd, cwd=cwd, check=True)
+def install_native_binaries(staging_dir: Path, workflow_url: str | None) -> None:
+    cmd = ["./scripts/install_native_deps.py"]
+    if workflow_url:
+        cmd.extend(["--workflow-url", workflow_url])
+    cmd.append(str(staging_dir))
+    subprocess.check_call(cmd, cwd=CODEX_CLI_ROOT)
 
 
-def stage_codex_sdk_sources(staging_dir: Path) -> None:
-    package_root = CODEX_SDK_ROOT
-
-    run_command(["pnpm", "install", "--frozen-lockfile"], cwd=package_root)
-    run_command(["pnpm", "run", "build"], cwd=package_root)
-
-    dist_src = package_root / "dist"
-    if not dist_src.exists():
-        raise RuntimeError("codex-sdk build did not produce a dist directory.")
-
-    shutil.copytree(dist_src, staging_dir / "dist")
-
-    readme_src = package_root / "README.md"
-    if readme_src.exists():
-        shutil.copy2(readme_src, staging_dir / "README.md")
-
-    license_src = REPO_ROOT / "LICENSE"
-    if license_src.exists():
-        shutil.copy2(license_src, staging_dir / "LICENSE")
+def resolve_latest_alpha_workflow_url() -> str:
+    version = determine_latest_alpha_version()
+    workflow = resolve_release_workflow(version)
+    return workflow["url"]
 
 
-def copy_native_binaries(vendor_src: Path, staging_dir: Path, components: list[str]) -> None:
-    vendor_src = vendor_src.resolve()
-    if not vendor_src.exists():
-        raise RuntimeError(f"Vendor source directory not found: {vendor_src}")
-
-    components_set = {component for component in components if component in COMPONENT_DEST_DIR}
-    if not components_set:
-        return
-
-    vendor_dest = staging_dir / "vendor"
-    if vendor_dest.exists():
-        shutil.rmtree(vendor_dest)
-    vendor_dest.mkdir(parents=True, exist_ok=True)
-
-    for target_dir in vendor_src.iterdir():
-        if not target_dir.is_dir():
+def determine_latest_alpha_version() -> str:
+    releases = list_releases()
+    best_key: tuple[int, int, int, int] | None = None
+    best_version: str | None = None
+    pattern = re.compile(r"^rust-v(\d+)\.(\d+)\.(\d+)-alpha\.(\d+)$")
+    for release in releases:
+        tag = release.get("tag_name", "")
+        match = pattern.match(tag)
+        if not match:
             continue
+        key = tuple(int(match.group(i)) for i in range(1, 5))
+        if best_key is None or key > best_key:
+            best_key = key
+            best_version = (
+                f"{match.group(1)}.{match.group(2)}.{match.group(3)}-alpha.{match.group(4)}"
+            )
 
-        dest_target_dir = vendor_dest / target_dir.name
-        dest_target_dir.mkdir(parents=True, exist_ok=True)
+    if best_version is None:
+        raise RuntimeError("No alpha releases found when resolving workflow URL.")
+    return best_version
 
-        for component in components_set:
-            dest_dir_name = COMPONENT_DEST_DIR.get(component)
-            if dest_dir_name is None:
-                continue
 
-            src_component_dir = target_dir / dest_dir_name
-            if not src_component_dir.exists():
-                raise RuntimeError(
-                    f"Missing native component '{component}' in vendor source: {src_component_dir}"
-                )
+def list_releases() -> list[dict]:
+    stdout = subprocess.check_output(
+        ["gh", "api", f"/repos/{GITHUB_REPO}/releases?per_page=100"],
+        text=True,
+    )
+    try:
+        releases = json.loads(stdout or "[]")
+    except json.JSONDecodeError as exc:
+        raise RuntimeError("Unable to parse releases JSON.") from exc
+    if not isinstance(releases, list):
+        raise RuntimeError("Unexpected response when listing releases.")
+    return releases
 
-            dest_component_dir = dest_target_dir / dest_dir_name
-            if dest_component_dir.exists():
-                shutil.rmtree(dest_component_dir)
-            shutil.copytree(src_component_dir, dest_component_dir)
+
+def resolve_release_workflow(version: str) -> dict:
+    stdout = subprocess.check_output(
+        [
+            "gh",
+            "run",
+            "list",
+            "--branch",
+            f"rust-v{version}",
+            "--json",
+            "workflowName,url,headSha",
+            "--workflow",
+            WORKFLOW_NAME,
+            "--jq",
+            "first(.[])",
+        ],
+        text=True,
+    )
+    workflow = json.loads(stdout or "[]")
+    if not workflow:
+        raise RuntimeError(f"Unable to find rust-release workflow for version {version}.")
+    return workflow
 
 
 def run_npm_pack(staging_dir: Path, output_path: Path) -> Path:

codex-cli/scripts/install_native_deps.py

@@ -9,7 +9,6 @@ import subprocess
 import tarfile
 import tempfile
 import zipfile
-from dataclasses import dataclass
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from pathlib import Path
 from typing import Iterable, Sequence
@@ -21,7 +20,7 @@ CODEX_CLI_ROOT = SCRIPT_DIR.parent
 DEFAULT_WORKFLOW_URL = "https://github.com/openai/codex/actions/runs/17952349351"  # rust-v0.40.0
 VENDOR_DIR_NAME = "vendor"
 RG_MANIFEST = CODEX_CLI_ROOT / "bin" / "rg"
-BINARY_TARGETS = (
+CODEX_TARGETS = (
     "x86_64-unknown-linux-musl",
     "aarch64-unknown-linux-musl",
     "x86_64-apple-darwin",
@@ -30,27 +29,6 @@ BINARY_TARGETS = (
     "aarch64-pc-windows-msvc",
 )
 
-
-@dataclass(frozen=True)
-class BinaryComponent:
-    artifact_prefix: str  # matches the artifact filename prefix (e.g. codex-<target>.zst)
-    dest_dir: str  # directory under vendor/<target>/ where the binary is installed
-    binary_basename: str  # executable name inside dest_dir (before optional .exe)
-
-
-BINARY_COMPONENTS = {
-    "codex": BinaryComponent(
-        artifact_prefix="codex",
-        dest_dir="codex",
-        binary_basename="codex",
-    ),
-    "codex-responses-api-proxy": BinaryComponent(
-        artifact_prefix="codex-responses-api-proxy",
-        dest_dir="codex-responses-api-proxy",
-        binary_basename="codex-responses-api-proxy",
-    ),
-}
-
 RG_TARGET_PLATFORM_PAIRS: list[tuple[str, str]] = [
     ("x86_64-unknown-linux-musl", "linux-x86_64"),
     ("aarch64-unknown-linux-musl", "linux-aarch64"),
@@ -72,16 +50,6 @@ def parse_args() -> argparse.Namespace:
             "known good run when omitted."
         ),
     )
-    parser.add_argument(
-        "--component",
-        dest="components",
-        action="append",
-        choices=tuple(list(BINARY_COMPONENTS) + ["rg"]),
-        help=(
-            "Limit installation to the specified components."
-            " May be repeated. Defaults to 'codex' and 'rg'."
-        ),
-    )
     parser.add_argument(
         "root",
         nargs="?",
@@ -101,28 +69,18 @@ def main() -> int:
     vendor_dir = codex_cli_root / VENDOR_DIR_NAME
     vendor_dir.mkdir(parents=True, exist_ok=True)
 
-    components = args.components or ["codex", "rg"]
-
     workflow_url = (args.workflow_url or DEFAULT_WORKFLOW_URL).strip()
     if not workflow_url:
         workflow_url = DEFAULT_WORKFLOW_URL
 
     workflow_id = workflow_url.rstrip("/").split("/")[-1]
-    print(f"Downloading native artifacts from workflow {workflow_id}...")
 
     with tempfile.TemporaryDirectory(prefix="codex-native-artifacts-") as artifacts_dir_str:
         artifacts_dir = Path(artifacts_dir_str)
         _download_artifacts(workflow_id, artifacts_dir)
-        install_binary_components(
-            artifacts_dir,
-            vendor_dir,
-            BINARY_TARGETS,
-            [name for name in components if name in BINARY_COMPONENTS],
-        )
+        install_codex_binaries(artifacts_dir, vendor_dir, CODEX_TARGETS)
 
-    if "rg" in components:
-        print("Fetching ripgrep binaries...")
-        fetch_rg(vendor_dir, DEFAULT_RG_TARGETS, manifest_path=RG_MANIFEST)
+    fetch_rg(vendor_dir, DEFAULT_RG_TARGETS, manifest_path=RG_MANIFEST)
 
     print(f"Installed native dependencies into {vendor_dir}")
     return 0
@@ -166,8 +124,6 @@ def fetch_rg(
     results: dict[str, Path] = {}
     max_workers = min(len(task_configs), max(1, (os.cpu_count() or 1)))
 
-    print("Installing ripgrep binaries for targets: " + ", ".join(targets))
-
     with ThreadPoolExecutor(max_workers=max_workers) as executor:
         future_map = {
             executor.submit(
@@ -184,7 +140,6 @@ def fetch_rg(
         for future in as_completed(future_map):
             target = future_map[future]
             results[target] = future.result()
-            print(f"  installed ripgrep for {target}")
 
     return [results[target] for target in targets]
 
@@ -203,60 +158,40 @@ def _download_artifacts(workflow_id: str, dest_dir: Path) -> None:
     subprocess.check_call(cmd)
 
 
-def install_binary_components(
-    artifacts_dir: Path,
-    vendor_dir: Path,
-    targets: Iterable[str],
-    component_names: Sequence[str],
-) -> None:
-    selected_components = [BINARY_COMPONENTS[name] for name in component_names if name in BINARY_COMPONENTS]
-    if not selected_components:
-        return
-
+def install_codex_binaries(
+    artifacts_dir: Path, vendor_dir: Path, targets: Iterable[str]
+) -> list[Path]:
     targets = list(targets)
     if not targets:
-        return
+        return []
 
-    for component in selected_components:
-        print(
-            f"Installing {component.binary_basename} binaries for targets: "
-            + ", ".join(targets)
-        )
-        max_workers = min(len(targets), max(1, (os.cpu_count() or 1)))
-        with ThreadPoolExecutor(max_workers=max_workers) as executor:
-            futures = {
-                executor.submit(
-                    _install_single_binary,
-                    artifacts_dir,
-                    vendor_dir,
-                    target,
-                    component,
-                ): target
-                for target in targets
-            }
-            for future in as_completed(futures):
-                installed_path = future.result()
-                print(f"  installed {installed_path}")
+    results: dict[str, Path] = {}
+    max_workers = min(len(targets), max(1, (os.cpu_count() or 1)))
+
+    with ThreadPoolExecutor(max_workers=max_workers) as executor:
+        future_map = {
+            executor.submit(_install_single_codex_binary, artifacts_dir, vendor_dir, target): target
+            for target in targets
+        }
+
+        for future in as_completed(future_map):
+            target = future_map[future]
+            results[target] = future.result()
+
+    return [results[target] for target in targets]
 
 
-def _install_single_binary(
-    artifacts_dir: Path,
-    vendor_dir: Path,
-    target: str,
-    component: BinaryComponent,
-) -> Path:
+def _install_single_codex_binary(artifacts_dir: Path, vendor_dir: Path, target: str) -> Path:
     artifact_subdir = artifacts_dir / target
-    archive_name = _archive_name_for_target(component.artifact_prefix, target)
+    archive_name = _archive_name_for_target(target)
     archive_path = artifact_subdir / archive_name
     if not archive_path.exists():
         raise FileNotFoundError(f"Expected artifact not found: {archive_path}")
 
-    dest_dir = vendor_dir / target / component.dest_dir
+    dest_dir = vendor_dir / target / "codex"
     dest_dir.mkdir(parents=True, exist_ok=True)
 
-    binary_name = (
-        f"{component.binary_basename}.exe" if "windows" in target else component.binary_basename
-    )
+    binary_name = "codex.exe" if "windows" in target else "codex"
     dest = dest_dir / binary_name
     dest.unlink(missing_ok=True)
     extract_archive(archive_path, "zst", None, dest)
@@ -265,10 +200,10 @@ def _install_single_binary(
     return dest
 
 
-def _archive_name_for_target(artifact_prefix: str, target: str) -> str:
+def _archive_name_for_target(target: str) -> str:
     if "windows" in target:
-        return f"{artifact_prefix}-{target}.exe.zst"
-    return f"{artifact_prefix}-{target}.zst"
+        return f"codex-{target}.exe.zst"
+    return f"codex-{target}.zst"
 
 
 def _fetch_single_rg(

codex-rs/.gitignore

@@ -1,5 +1,4 @@
 /target/
-/target-*/
 
 # Recommended value of CARGO_TARGET_DIR when using Docker as explained in .devcontainer/README.md.
 /target-amd64/

codex-rs/Cargo.toml

@@ -1,16 +1,9 @@
 [workspace]
 members = [
-    "backend-client",
+    "agent",
     "ansi-escape",
-    "async-utils",
-    "app-server",
-    "app-server-protocol",
     "apply-patch",
     "arg0",
-    "feedback",
-    "codex-backend-openapi-models",
-    "cloud-tasks",
-    "cloud-tasks-client",
     "cli",
     "common",
     "core",
@@ -20,23 +13,14 @@ members = [
     "git-tooling",
     "linux-sandbox",
     "login",
+    "mcp-client",
     "mcp-server",
     "mcp-types",
     "ollama",
-    "process-hardening",
     "protocol",
     "protocol-ts",
-    "rmcp-client",
-    "responses-api-proxy",
-    "stdio-to-uds",
-    "otel",
     "tui",
-    "git-apply",
-    "utils/json-to-toml",
     "utils/readiness",
-    "utils/pty",
-    "utils/string",
-    "utils/tokenizer",
 ]
 resolver = "2"
 
@@ -50,38 +34,25 @@ edition = "2024"
 
 [workspace.dependencies]
 # Internal
-app_test_support = { path = "app-server/tests/common" }
+codex-agent = { path = "agent" }
 codex-ansi-escape = { path = "ansi-escape" }
-codex-app-server = { path = "app-server" }
-codex-app-server-protocol = { path = "app-server-protocol" }
 codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
-codex-async-utils = { path = "async-utils" }
-codex-backend-client = { path = "backend-client" }
 codex-chatgpt = { path = "chatgpt" }
 codex-common = { path = "common" }
 codex-core = { path = "core" }
 codex-exec = { path = "exec" }
-codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
 codex-git-tooling = { path = "git-tooling" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-login = { path = "login" }
+codex-mcp-client = { path = "mcp-client" }
 codex-mcp-server = { path = "mcp-server" }
 codex-ollama = { path = "ollama" }
-codex-otel = { path = "otel" }
-codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
 codex-protocol-ts = { path = "protocol-ts" }
-codex-responses-api-proxy = { path = "responses-api-proxy" }
-codex-rmcp-client = { path = "rmcp-client" }
-codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
-codex-utils-json-to-toml = { path = "utils/json-to-toml" }
-codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
-codex-utils-string = { path = "utils/string" }
-codex-utils-tokenizer = { path = "utils/tokenizer" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
@@ -93,11 +64,9 @@ anyhow = "1"
 arboard = "3"
 askama = "0.12"
 assert_cmd = "2"
-assert_matches = "1.5.0"
 async-channel = "2.3.1"
 async-stream = "0.3.6"
 async-trait = "0.1.89"
-axum = { version = "0.8", default-features = false }
 base64 = "0.22.1"
 bytes = "1.10.1"
 chrono = "0.4.42"
@@ -110,12 +79,10 @@ derive_more = "2"
 diffy = "0.4.2"
 dirs = "6"
 dotenvy = "0.15.7"
-dunce = "1.0.4"
 env-flags = "0.1.1"
 env_logger = "0.11.5"
-escargot = "0.5"
 eventsource-stream = "0.2.3"
-futures = { version = "0.3", default-features = false }
+futures = "0.3"
 icu_decimal = "2.0.0"
 icu_locale_core = "2.0.0"
 ignore = "0.4.23"
@@ -123,7 +90,6 @@ image = { version = "^0.25.8", default-features = false }
 indexmap = "2.6.0"
 insta = "1.43.2"
 itertools = "0.14.0"
-keyring = "3.6"
 landlock = "0.4.1"
 lazy_static = "1"
 libc = "0.2.175"
@@ -131,18 +97,12 @@ log = "0.4"
 maplit = "1.0.2"
 mime_guess = "2.0.5"
 multimap = "0.10.0"
-notify = "8.2.0"
 nucleo-matcher = "0.3.1"
 openssl-sys = "*"
-opentelemetry = "0.30.0"
-opentelemetry-appender-tracing = "0.30.0"
-opentelemetry-otlp = "0.30.0"
-opentelemetry-semantic-conventions = "0.30.0"
-opentelemetry_sdk = "0.30.0"
 os_info = "3.12.0"
 owo-colors = "4.2.0"
-paste = "1.0.15"
 path-absolutize = "3.1.1"
+path-clean = "1.0.1"
 pathdiff = "0.2"
 portable-pty = "0.9.0"
 predicates = "3"
@@ -150,17 +110,13 @@ pretty_assertions = "1.4.1"
 pulldown-cmark = "0.10"
 rand = "0.9"
 ratatui = "0.29.0"
-ratatui-macros = "0.6.0"
 regex-lite = "0.1.7"
 reqwest = "0.12"
-rmcp = { version = "0.8.2", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
-sentry = "0.34.0"
 serde = "1"
 serde_json = "1"
 serde_with = "3.14"
-serial_test = "3.2.0"
 sha1 = "0.10.6"
 sha2 = "0.10"
 shlex = "1.3.0"
@@ -171,7 +127,6 @@ strum_macros = "0.27.2"
 supports-color = "3.0.2"
 sys-locale = "0.3.2"
 tempfile = "3.23.0"
-test-log = "0.2.18"
 textwrap = "0.16.2"
 thiserror = "2.0.16"
 time = "0.3"
@@ -182,16 +137,12 @@ tokio-test = "0.4"
 tokio-util = "0.7.16"
 toml = "0.9.5"
 toml_edit = "0.23.4"
-tonic = "0.13.1"
 tracing = "0.1.41"
 tracing-appender = "0.2.3"
 tracing-subscriber = "0.3.20"
-tracing-test = "0.2.5"
-tree-sitter = "0.25.10"
-tree-sitter-bash = "0.25"
-tree-sitter-highlight = "0.25.10"
+tree-sitter = "0.25.9"
+tree-sitter-bash = "0.25.0"
 ts-rs = "11"
-uds_windows = "1.1.0"
 unicode-segmentation = "1.12.0"
 unicode-width = "0.2"
 url = "2"
@@ -203,7 +154,6 @@ webbrowser = "1.0"
 which = "6"
 wildmatch = "2.5.0"
 wiremock = "0.6"
-zeroize = "1.8.1"
 
 [workspace.lints]
 rust = {}
@@ -246,7 +196,7 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["openssl-sys", "codex-utils-readiness", "codex-utils-tokenizer"]
+ignored = ["openssl-sys", "codex-utils-readiness"]
 
 [profile.release]
 lto = "fat"
@@ -257,15 +207,6 @@ strip = "symbols"
 # See https://github.com/openai/codex/issues/1411 for details.
 codegen-units = 1
 
-[profile.ci-test]
-debug = 1         # Reduce debug symbol size
-inherits = "test"
-opt-level = 0
-
 [patch.crates-io]
-# Uncomment to debug local changes.
 # ratatui = { path = "../../ratatui" }
 ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
-
-# Uncomment to debug local changes.
-# rmcp = { path = "../../rust-sdk/crates/rmcp" }

codex-rs/README.md

@@ -4,23 +4,18 @@ We provide Codex CLI as a standalone, native executable to ensure a zero-depende
 
 ## Installing Codex
 
-Today, the easiest way to install Codex is via `npm`:
+Today, the easiest way to install Codex is via `npm`, though we plan to publish Codex to other package managers soon.
 
 ```shell
-npm i -g @openai/codex
+npm i -g @openai/codex@native
 codex
 ```
 
-You can also install via Homebrew (`brew install --cask codex`) or download a platform-specific release directly from our [GitHub Releases](https://github.com/openai/codex/releases).
-
-## Documentation quickstart
-
-- First run with Codex? Follow the walkthrough in [`docs/getting-started.md`](../docs/getting-started.md) for prompts, keyboard shortcuts, and session management.
-- Already shipping with Codex and want deeper control? Jump to [`docs/advanced.md`](../docs/advanced.md) and the configuration reference at [`docs/config.md`](../docs/config.md).
+You can also download a platform-specific release directly from our [GitHub Releases](https://github.com/openai/codex/releases).
 
 ## What's new in the Rust CLI
 
-The Rust implementation is now the maintained Codex CLI and serves as the default experience. It includes a number of features that the legacy TypeScript CLI never supported.
+While we are [working to close the gap between the TypeScript and Rust implementations of Codex CLI](https://github.com/openai/codex/issues/1262), note that the Rust CLI has a number of features that the TypeScript CLI does not!
 
 ### Config
 
@@ -28,22 +23,14 @@ Codex supports a rich set of configuration options. Note that the Rust CLI uses
 
 ### Model Context Protocol Support
 
-#### MCP client
+Codex CLI functions as an MCP client that can connect to MCP servers on startup. See the [`mcp_servers`](../docs/config.md#mcp_servers) section in the configuration documentation for details.
 
-Codex CLI functions as an MCP client that allows the Codex CLI and IDE extension to connect to MCP servers on startup. See the [`configuration documentation`](../docs/config.md#mcp_servers) for details.
-
-#### MCP server (experimental)
-
-Codex can be launched as an MCP _server_ by running `codex mcp-server`. This allows _other_ MCP clients to use Codex as a tool for another agent.
-
-Use the [`@modelcontextprotocol/inspector`](https://github.com/modelcontextprotocol/inspector) to try it out:
+It is still experimental, but you can also launch Codex as an MCP _server_ by running `codex mcp`. Use the [`@modelcontextprotocol/inspector`](https://github.com/modelcontextprotocol/inspector) to try it out:
 
 ```shell
-npx @modelcontextprotocol/inspector codex mcp-server
+npx @modelcontextprotocol/inspector codex mcp
 ```
 
-Use `codex mcp` to add/list/get/remove MCP server launchers defined in `config.toml`, and `codex mcp-server` to run the MCP server directly.
-
 ### Notifications
 
 You can enable notifications by configuring a script that is run whenever the agent finishes a turn. The [notify documentation](../docs/config.md#notify) includes a detailed example that explains how to get desktop notifications via [terminal-notifier](https://github.com/julienXX/terminal-notifier) on macOS.
@@ -52,19 +39,39 @@ You can enable notifications by configuring a script that is run whenever the ag
 
 To run Codex non-interactively, run `codex exec PROMPT` (you can also pass the prompt via `stdin`) and Codex will work on your task until it decides that it is done and exits. Output is printed to the terminal directly. You can set the `RUST_LOG` environment variable to see more about what's going on.
 
+### Use `@` for file search
+
+Typing `@` triggers a fuzzy-filename search over the workspace root. Use up/down to select among the results and Tab or Enter to replace the `@` with the selected path. You can use Esc to cancel the search.
+
+### Esc–Esc to edit a previous message
+
+When the chat composer is empty, press Esc to prime “backtrack” mode. Press Esc again to open a transcript preview highlighting the last user message; press Esc repeatedly to step to older user messages. Press Enter to confirm and Codex will fork the conversation from that point, trim the visible transcript accordingly, and pre‑fill the composer with the selected user message so you can edit and resubmit it.
+
+In the transcript preview, the footer shows an `Esc edit prev` hint while editing is active.
+
+### `--cd`/`-C` flag
+
+Sometimes it is not convenient to `cd` to the directory you want Codex to use as the "working root" before running Codex. Fortunately, `codex` supports a `--cd` option so you can specify whatever folder you want. You can confirm that Codex is honoring `--cd` by double-checking the **workdir** it reports in the TUI at the start of a new session.
+
+### Shell completions
+
+Generate shell completion scripts via:
+
+```shell
+codex completion bash
+codex completion zsh
+codex completion fish
+```
+
 ### Experimenting with the Codex Sandbox
 
 To test to see what happens when a command is run under the sandbox provided by Codex, we provide the following subcommands in Codex CLI:
 
 ```
 # macOS
-codex sandbox macos [--full-auto] [COMMAND]...
+codex debug seatbelt [--full-auto] [COMMAND]...
 
 # Linux
-codex sandbox linux [--full-auto] [COMMAND]...
-
-# Legacy aliases
-codex debug seatbelt [--full-auto] [COMMAND]...
 codex debug landlock [--full-auto] [COMMAND]...
 ```
 
@@ -90,6 +97,7 @@ The same setting can be persisted in `~/.codex/config.toml` via the top-level `s
 This folder is the root of a Cargo workspace. It contains quite a bit of experimental code, but here are the key crates:
 
 - [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this to be a library crate that is generally useful for building other Rust/native applications that use Codex.
+- [`docs/agent_runtime_baseline.md`](./docs/agent_runtime_baseline.md) documents the current agent runtime interfaces (`Codex`, `Session`, `SessionTask`) and links to the ongoing refactor plan in `agent_refactor.md`.
 - [`exec/`](./exec) "headless" CLI for use in automation.
 - [`tui/`](./tui) CLI that launches a fullscreen TUI built with [Ratatui](https://ratatui.rs/).
 - [`cli/`](./cli) CLI multitool that provides the aforementioned CLIs via subcommands.

codex-rs/agent/Cargo.toml

@@ -0,0 +1,37 @@
+[package]
+name = "codex-agent"
+version.workspace = true
+edition.workspace = true
+
+[dependencies]
+anyhow = { workspace = true }
+async-trait = { workspace = true }
+codex-protocol = { workspace = true }
+codex-apply-patch = { workspace = true }
+mcp-types = { workspace = true }
+base64 = { workspace = true }
+serde_json = { workspace = true }
+libc = { workspace = true }
+portable-pty = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+sha1 = { workspace = true }
+shlex = { workspace = true }
+similar = { workspace = true }
+thiserror = { workspace = true }
+tokio = { workspace = true, features = ["macros", "process", "rt-multi-thread", "sync", "time"] }
+uuid = { workspace = true, features = ["serde", "v4"] }
+which = { workspace = true }
+wildmatch = { workspace = true }
+codex-file-search = { workspace = true }
+time = { workspace = true, features = ["formatting", "parsing", "local-offset", "macros"] }
+tracing = { workspace = true }
+tree-sitter = { workspace = true }
+tree-sitter-bash = { workspace = true }
+
+[dev-dependencies]
+core_test_support = { workspace = true }
+tempfile = { workspace = true }
+pretty_assertions = { workspace = true }
+
+[lints]
+workspace = true

codex-rs/agent/src/apply_patch.rs

@@ -1,18 +1,22 @@
-use crate::codex::Session;
-use crate::codex::TurnContext;
-use crate::function_tool::FunctionCallError;
-use crate::protocol::FileChange;
-use crate::protocol::ReviewDecision;
-use crate::safety::SafetyCheck;
-use crate::safety::assess_patch_safety;
+use std::collections::HashMap;
+use std::path::Path;
+use std::path::PathBuf;
+
 use codex_apply_patch::ApplyPatchAction;
 use codex_apply_patch::ApplyPatchFileChange;
-use std::collections::HashMap;
-use std::path::PathBuf;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::FileChange;
+use codex_protocol::protocol::ReviewDecision;
+use codex_protocol::protocol::SandboxPolicy;
+
+use crate::function_tool::FunctionCallError;
+use crate::safety::SafetyCheck;
+use crate::safety::assess_patch_safety;
+use crate::services::ApprovalCoordinator;
 
 pub const CODEX_APPLY_PATCH_ARG1: &str = "--codex-run-as-apply-patch";
 
-pub(crate) enum InternalApplyPatchInvocation {
+pub enum InternalApplyPatchInvocation {
     /// The `apply_patch` call was handled programmatically, without any sort
     /// of sandbox, because the user explicitly approved it. This is the
     /// result to use with the `shell` function call that contained `apply_patch`.
@@ -28,42 +32,42 @@ pub(crate) enum InternalApplyPatchInvocation {
 }
 
 #[derive(Debug)]
-pub(crate) struct ApplyPatchExec {
-    pub(crate) action: ApplyPatchAction,
-    pub(crate) user_explicitly_approved_this_action: bool,
+pub struct ApplyPatchExec {
+    pub action: ApplyPatchAction,
+    pub user_explicitly_approved_this_action: bool,
 }
 
-pub(crate) async fn apply_patch(
-    sess: &Session,
-    turn_context: &TurnContext,
+pub struct ApplyPatchContext<'a> {
+    pub approval_policy: AskForApproval,
+    pub sandbox_policy: &'a SandboxPolicy,
+    pub cwd: &'a Path,
+}
+
+pub async fn apply_patch(
+    approvals: &dyn ApprovalCoordinator,
+    context: ApplyPatchContext<'_>,
+    sub_id: &str,
     call_id: &str,
     action: ApplyPatchAction,
 ) -> InternalApplyPatchInvocation {
     match assess_patch_safety(
         &action,
-        turn_context.approval_policy,
-        &turn_context.sandbox_policy,
-        &turn_context.cwd,
+        context.approval_policy,
+        context.sandbox_policy,
+        context.cwd,
     ) {
-        SafetyCheck::AutoApprove {
-            user_explicitly_approved,
-            ..
-        } => InternalApplyPatchInvocation::DelegateToExec(ApplyPatchExec {
-            action,
-            user_explicitly_approved_this_action: user_explicitly_approved,
-        }),
+        SafetyCheck::AutoApprove { .. } => {
+            InternalApplyPatchInvocation::DelegateToExec(ApplyPatchExec {
+                action,
+                user_explicitly_approved_this_action: false,
+            })
+        }
         SafetyCheck::AskUser => {
-            // Compute a readable summary of path changes to include in the
-            // approval request so the user can make an informed decision.
-            //
-            // Note that it might be worth expanding this approval request to
-            // give the user the option to expand the set of writable roots so
-            // that similar patches can be auto-approved in the future during
-            // this session.
-            let rx_approve = sess
-                .request_patch_approval(turn_context, call_id.to_owned(), &action, None, None)
+            let approval = approvals
+                .request_patch_approval(sub_id.to_owned(), call_id.to_owned(), &action, None, None)
                 .await;
-            match rx_approve.await.unwrap_or_default() {
+
+            match approval {
                 ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
                     InternalApplyPatchInvocation::DelegateToExec(ApplyPatchExec {
                         action,
@@ -83,9 +87,7 @@ pub(crate) async fn apply_patch(
     }
 }
 
-pub(crate) fn convert_apply_patch_to_protocol(
-    action: &ApplyPatchAction,
-) -> HashMap<PathBuf, FileChange> {
+pub fn convert_apply_patch_to_protocol(action: &ApplyPatchAction) -> HashMap<PathBuf, FileChange> {
     let changes = action.changes();
     let mut result = HashMap::with_capacity(changes.len());
     for (path, change) in changes {
@@ -109,28 +111,3 @@ pub(crate) fn convert_apply_patch_to_protocol(
     }
     result
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use pretty_assertions::assert_eq;
-
-    use tempfile::tempdir;
-
-    #[test]
-    fn convert_apply_patch_maps_add_variant() {
-        let tmp = tempdir().expect("tmp");
-        let p = tmp.path().join("a.txt");
-        // Create an action with a single Add change
-        let action = ApplyPatchAction::new_add_for_test(&p, "hello".to_string());
-
-        let got = convert_apply_patch_to_protocol(&action);
-
-        assert_eq!(
-            got.get(&p),
-            Some(&FileChange::Add {
-                content: "hello".to_string()
-            })
-        );
-    }
-}

codex-rs/agent/src/bash.rs

@@ -5,13 +5,13 @@ use tree_sitter_bash::LANGUAGE as BASH;
 
 /// Parse the provided bash source using tree-sitter-bash, returning a Tree on
 /// success or None if parsing failed.
-pub fn try_parse_shell(shell_lc_arg: &str) -> Option<Tree> {
+pub fn try_parse_bash(bash_lc_arg: &str) -> Option<Tree> {
     let lang = BASH.into();
     let mut parser = Parser::new();
     #[expect(clippy::expect_used)]
     parser.set_language(&lang).expect("load bash grammar");
     let old_tree: Option<&Tree> = None;
-    parser.parse(shell_lc_arg, old_tree)
+    parser.parse(bash_lc_arg, old_tree)
 }
 
 /// Parse a script which may contain multiple simple commands joined only by
@@ -88,19 +88,18 @@ pub fn try_parse_word_only_commands_sequence(tree: &Tree, src: &str) -> Option<V
     Some(commands)
 }
 
-/// Returns the sequence of plain commands within a `bash -lc "..."` or
-/// `zsh -lc "..."` invocation when the script only contains word-only commands
-/// joined by safe operators.
-pub fn parse_shell_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
-    let [shell, flag, script] = command else {
+/// Returns the sequence of plain commands within a `bash -lc "..."` invocation
+/// when the script only contains word-only commands joined by safe operators.
+pub fn parse_bash_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
+    let [bash, flag, script] = command else {
         return None;
     };
 
-    if flag != "-lc" || !(shell == "bash" || shell == "zsh") {
+    if bash != "bash" || flag != "-lc" {
         return None;
     }
 
-    let tree = try_parse_shell(script)?;
+    let tree = try_parse_bash(script)?;
     try_parse_word_only_commands_sequence(&tree, script)
 }
 
@@ -155,7 +154,7 @@ mod tests {
     use super::*;
 
     fn parse_seq(src: &str) -> Option<Vec<Vec<String>>> {
-        let tree = try_parse_shell(src)?;
+        let tree = try_parse_bash(src)?;
         try_parse_word_only_commands_sequence(&tree, src)
     }
 
@@ -235,11 +234,4 @@ mod tests {
     fn rejects_trailing_operator_parse_error() {
         assert!(parse_seq("ls &&").is_none());
     }
-
-    #[test]
-    fn parse_zsh_lc_plain_commands() {
-        let command = vec!["zsh".to_string(), "-lc".to_string(), "ls".to_string()];
-        let parsed = parse_shell_lc_plain_commands(&command).unwrap();
-        assert_eq!(parsed, vec![vec!["ls".to_string()]]);
-    }
 }

codex-rs/agent/src/command_safety/is_dangerous_command.rs

@@ -1,4 +1,4 @@
-use crate::bash::parse_shell_lc_plain_commands;
+use crate::bash::parse_bash_lc_plain_commands;
 
 pub fn command_might_be_dangerous(command: &[String]) -> bool {
     if is_dangerous_to_call_with_exec(command) {
@@ -6,7 +6,7 @@ pub fn command_might_be_dangerous(command: &[String]) -> bool {
     }
 
     // Support `bash -lc "<script>"` where the any part of the script might contain a dangerous command.
-    if let Some(all_commands) = parse_shell_lc_plain_commands(command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(command)
         && all_commands
             .iter()
             .any(|cmd| is_dangerous_to_call_with_exec(cmd))
@@ -57,15 +57,6 @@ mod tests {
         ])));
     }
 
-    #[test]
-    fn zsh_git_reset_is_dangerous() {
-        assert!(command_might_be_dangerous(&vec_str(&[
-            "zsh",
-            "-lc",
-            "git reset --hard"
-        ])));
-    }
-
     #[test]
     fn git_status_is_not_dangerous() {
         assert!(!command_might_be_dangerous(&vec_str(&["git", "status"])));

codex-rs/agent/src/command_safety/is_safe_command.rs

@@ -1,25 +1,15 @@
-use crate::bash::parse_shell_lc_plain_commands;
+use crate::bash::parse_bash_lc_plain_commands;
 
 pub fn is_known_safe_command(command: &[String]) -> bool {
-    let command: Vec<String> = command
-        .iter()
-        .map(|s| {
-            if s == "zsh" {
-                "bash".to_string()
-            } else {
-                s.clone()
-            }
-        })
-        .collect();
     #[cfg(target_os = "windows")]
     {
         use super::windows_safe_commands::is_safe_command_windows;
-        if is_safe_command_windows(&command) {
+        if is_safe_command_windows(command) {
             return true;
         }
     }
 
-    if is_safe_to_call_with_exec(&command) {
+    if is_safe_to_call_with_exec(command) {
         return true;
     }
 
@@ -29,7 +19,7 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
     // introduce side effects ( "&&", "||", ";", and "|" ). If every
     // individual command in the script is itself a known‑safe command, then
     // the composite expression is considered safe.
-    if let Some(all_commands) = parse_shell_lc_plain_commands(&command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(command)
         && !all_commands.is_empty()
         && all_commands
             .iter()
@@ -41,14 +31,9 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
 }
 
 fn is_safe_to_call_with_exec(command: &[String]) -> bool {
-    let Some(cmd0) = command.first().map(String::as_str) else {
-        return false;
-    };
+    let cmd0 = command.first().map(String::as_str);
 
-    match std::path::Path::new(&cmd0)
-        .file_name()
-        .and_then(|osstr| osstr.to_str())
-    {
+    match cmd0 {
         #[rustfmt::skip]
         Some(
             "cat" |
@@ -118,12 +103,13 @@ fn is_safe_to_call_with_exec(command: &[String]) -> bool {
         // Rust
         Some("cargo") if command.get(1).map(String::as_str) == Some("check") => true,
 
-        // Special-case `sed -n {N|M,N}p`
+        // Special-case `sed -n {N|M,N}p FILE`
         Some("sed")
             if {
-                command.len() <= 4
+                command.len() == 4
                     && command.get(1).map(String::as_str) == Some("-n")
                     && is_valid_sed_n_arg(command.get(2).map(String::as_str))
+                    && command.get(3).map(String::is_empty) == Some(false)
             } =>
         {
             true
@@ -201,11 +187,6 @@ mod tests {
         ])));
     }
 
-    #[test]
-    fn zsh_lc_safe_command_sequence() {
-        assert!(is_known_safe_command(&vec_str(&["zsh", "-lc", "ls"])));
-    }
-
     #[test]
     fn unknown_or_partial() {
         assert!(!is_safe_to_call_with_exec(&vec_str(&["foo"])));

codex-rs/agent/src/command_safety/windows_safe_commands.rs

@@ -0,0 +1,25 @@
+// This is a WIP. This will eventually contain a real list of common safe Windows commands.
+pub fn is_safe_command_windows(_command: &[String]) -> bool {
+    false
+}
+
+#[cfg(test)]
+mod tests {
+    use super::is_safe_command_windows;
+
+    fn vec_str(args: &[&str]) -> Vec<String> {
+        args.iter().map(ToString::to_string).collect()
+    }
+
+    #[test]
+    fn everything_is_unsafe() {
+        for cmd in [
+            vec_str(&["powershell.exe", "-NoLogo", "-Command", "echo hello"]),
+            vec_str(&["copy", "foo", "bar"]),
+            vec_str(&["del", "file.txt"]),
+            vec_str(&["powershell.exe", "Get-ChildItem"]),
+        ] {
+            assert!(!is_safe_command_windows(&cmd));
+        }
+    }
+}

codex-rs/agent/src/config_types.rs

@@ -0,0 +1,305 @@
+//! Shared configuration data structures for Codex runtime and hosts.
+//
+// This module intentionally focuses on simple data containers without
+// business logic so they can be reused across crates.
+
+use std::collections::HashMap;
+use std::path::PathBuf;
+use std::time::Duration;
+use wildmatch::WildMatchPattern;
+
+use serde::Deserialize;
+use serde::Deserializer;
+use serde::Serialize;
+use serde::de::Error as SerdeError;
+
+#[derive(Serialize, Debug, Clone, PartialEq)]
+pub struct McpServerConfig {
+    pub command: String,
+
+    #[serde(default)]
+    pub args: Vec<String>,
+
+    #[serde(default)]
+    pub env: Option<HashMap<String, String>>,
+
+    /// Startup timeout in seconds for initializing MCP server & initially listing tools.
+    #[serde(
+        default,
+        with = "option_duration_secs",
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub startup_timeout_sec: Option<Duration>,
+
+    /// Default timeout for MCP tool calls initiated via this server.
+    #[serde(default, with = "option_duration_secs")]
+    pub tool_timeout_sec: Option<Duration>,
+}
+
+impl<'de> Deserialize<'de> for McpServerConfig {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        #[derive(Deserialize)]
+        struct RawMcpServerConfig {
+            command: String,
+            #[serde(default)]
+            args: Vec<String>,
+            #[serde(default)]
+            env: Option<HashMap<String, String>>,
+            #[serde(default)]
+            startup_timeout_sec: Option<f64>,
+            #[serde(default)]
+            startup_timeout_ms: Option<u64>,
+            #[serde(default, with = "option_duration_secs")]
+            tool_timeout_sec: Option<Duration>,
+        }
+
+        let raw = RawMcpServerConfig::deserialize(deserializer)?;
+
+        let startup_timeout_sec = match (raw.startup_timeout_sec, raw.startup_timeout_ms) {
+            (Some(sec), _) => {
+                let duration = Duration::try_from_secs_f64(sec).map_err(SerdeError::custom)?;
+                Some(duration)
+            }
+            (None, Some(ms)) => Some(Duration::from_millis(ms)),
+            (None, None) => None,
+        };
+
+        Ok(Self {
+            command: raw.command,
+            args: raw.args,
+            env: raw.env,
+            startup_timeout_sec,
+            tool_timeout_sec: raw.tool_timeout_sec,
+        })
+    }
+}
+
+mod option_duration_secs {
+    use serde::Deserialize;
+    use serde::Deserializer;
+    use serde::Serializer;
+    use std::time::Duration;
+
+    pub fn serialize<S>(value: &Option<Duration>, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        match value {
+            Some(duration) => serializer.serialize_some(&duration.as_secs_f64()),
+            None => serializer.serialize_none(),
+        }
+    }
+
+    pub fn deserialize<'de, D>(deserializer: D) -> Result<Option<Duration>, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let secs = Option::<f64>::deserialize(deserializer)?;
+        secs.map(|secs| Duration::try_from_secs_f64(secs).map_err(serde::de::Error::custom))
+            .transpose()
+    }
+}
+
+#[derive(Deserialize, Debug, Copy, Clone, PartialEq)]
+pub enum UriBasedFileOpener {
+    #[serde(rename = "vscode")]
+    VsCode,
+
+    #[serde(rename = "vscode-insiders")]
+    VsCodeInsiders,
+
+    #[serde(rename = "windsurf")]
+    Windsurf,
+
+    #[serde(rename = "cursor")]
+    Cursor,
+
+    /// Option to disable the URI-based file opener.
+    #[serde(rename = "none")]
+    None,
+}
+
+impl UriBasedFileOpener {
+    pub fn get_scheme(&self) -> Option<&str> {
+        match self {
+            UriBasedFileOpener::VsCode => Some("vscode"),
+            UriBasedFileOpener::VsCodeInsiders => Some("vscode-insiders"),
+            UriBasedFileOpener::Windsurf => Some("windsurf"),
+            UriBasedFileOpener::Cursor => Some("cursor"),
+            UriBasedFileOpener::None => None,
+        }
+    }
+}
+
+/// Settings that govern if and what will be written to `~/.codex/history.jsonl`.
+#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
+pub struct History {
+    /// If true, history entries will not be written to disk.
+    pub persistence: HistoryPersistence,
+
+    /// If set, the maximum size of the history file in bytes.
+    /// TODO(mbolin): Not currently honored.
+    pub max_bytes: Option<usize>,
+}
+
+#[derive(Deserialize, Debug, Copy, Clone, PartialEq, Default)]
+#[serde(rename_all = "kebab-case")]
+pub enum HistoryPersistence {
+    /// Save all history entries to disk.
+    #[default]
+    SaveAll,
+    /// Do not write history to disk.
+    None,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+#[serde(untagged)]
+pub enum Notifications {
+    Enabled(bool),
+    Custom(Vec<String>),
+}
+
+impl Default for Notifications {
+    fn default() -> Self {
+        Self::Enabled(false)
+    }
+}
+
+/// Collection of settings that are specific to the TUI.
+#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
+pub struct Tui {
+    /// Enable desktop notifications from the TUI when the terminal is unfocused.
+    /// Defaults to `false`.
+    #[serde(default)]
+    pub notifications: Notifications,
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
+pub struct SandboxWorkspaceWrite {
+    #[serde(default)]
+    pub writable_roots: Vec<PathBuf>,
+    #[serde(default)]
+    pub network_access: bool,
+    #[serde(default)]
+    pub exclude_tmpdir_env_var: bool,
+    #[serde(default)]
+    pub exclude_slash_tmp: bool,
+}
+
+impl From<SandboxWorkspaceWrite> for codex_protocol::mcp_protocol::SandboxSettings {
+    fn from(sandbox_workspace_write: SandboxWorkspaceWrite) -> Self {
+        Self {
+            writable_roots: sandbox_workspace_write.writable_roots,
+            network_access: Some(sandbox_workspace_write.network_access),
+            exclude_tmpdir_env_var: Some(sandbox_workspace_write.exclude_tmpdir_env_var),
+            exclude_slash_tmp: Some(sandbox_workspace_write.exclude_slash_tmp),
+        }
+    }
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
+#[serde(rename_all = "kebab-case")]
+pub enum ShellEnvironmentPolicyInherit {
+    /// "Core" environment variables for the platform. On UNIX, this would
+    /// include HOME, LOGNAME, PATH, SHELL, and USER, among others.
+    Core,
+
+    /// Inherits the full environment from the parent process.
+    #[default]
+    All,
+
+    /// Do not inherit any environment variables from the parent process.
+    None,
+}
+
+/// Policy for building the `env` when spawning a process via either the
+/// `shell` or `local_shell` tool.
+#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
+pub struct ShellEnvironmentPolicyToml {
+    pub inherit: Option<ShellEnvironmentPolicyInherit>,
+
+    pub ignore_default_excludes: Option<bool>,
+
+    /// List of regular expressions.
+    pub exclude: Option<Vec<String>>,
+
+    pub r#set: Option<HashMap<String, String>>,
+
+    /// List of regular expressions.
+    pub include_only: Option<Vec<String>>,
+
+    pub experimental_use_profile: Option<bool>,
+}
+
+pub type EnvironmentVariablePattern = WildMatchPattern<'*', '?'>;
+
+/// Deriving the `env` based on this policy works as follows:
+/// 1. Create an initial map based on the `inherit` policy.
+/// 2. If `ignore_default_excludes` is false, filter the map using the default
+///    exclude pattern(s), which are: `"*KEY*"` and `"*TOKEN*"`.
+/// 3. If `exclude` is not empty, filter the map using the provided patterns.
+/// 4. Insert any entries from `r#set` into the map.
+/// 5. If non-empty, filter the map using the `include_only` patterns.
+#[derive(Debug, Clone, PartialEq, Default)]
+pub struct ShellEnvironmentPolicy {
+    /// Starting point when building the environment.
+    pub inherit: ShellEnvironmentPolicyInherit,
+
+    /// True to skip the check to exclude default environment variables that
+    /// contain "KEY" or "TOKEN" in their name.
+    pub ignore_default_excludes: bool,
+
+    /// Environment variable names to exclude from the environment.
+    pub exclude: Vec<EnvironmentVariablePattern>,
+
+    /// (key, value) pairs to insert in the environment.
+    pub r#set: HashMap<String, String>,
+
+    /// Environment variable names to retain in the environment.
+    pub include_only: Vec<EnvironmentVariablePattern>,
+
+    /// If true, the shell profile will be used to run the command.
+    pub use_profile: bool,
+}
+
+impl From<ShellEnvironmentPolicyToml> for ShellEnvironmentPolicy {
+    fn from(toml: ShellEnvironmentPolicyToml) -> Self {
+        // Default to inheriting the full environment when not specified.
+        let inherit = toml.inherit.unwrap_or(ShellEnvironmentPolicyInherit::All);
+        let ignore_default_excludes = toml.ignore_default_excludes.unwrap_or(false);
+        let exclude = toml
+            .exclude
+            .unwrap_or_default()
+            .into_iter()
+            .map(|s| EnvironmentVariablePattern::new_case_insensitive(&s))
+            .collect();
+        let r#set = toml.r#set.unwrap_or_default();
+        let include_only = toml
+            .include_only
+            .unwrap_or_default()
+            .into_iter()
+            .map(|s| EnvironmentVariablePattern::new_case_insensitive(&s))
+            .collect();
+        let use_profile = toml.experimental_use_profile.unwrap_or(false);
+
+        Self {
+            inherit,
+            ignore_default_excludes,
+            exclude,
+            r#set,
+            include_only,
+            use_profile,
+        }
+    }
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Eq, Default, Hash)]
+#[serde(rename_all = "kebab-case")]
+pub enum ReasoningSummaryFormat {
+    #[default]
+    None,
+    Experimental,
+}

codex-rs/agent/src/conversation_history.rs

@@ -0,0 +1,117 @@
+use codex_protocol::models::ResponseItem;
+
+/// Transcript of conversation history shared across agent hosts.
+#[derive(Debug, Clone, Default)]
+pub struct ConversationHistory {
+    /// Oldest items appear at the start of the vector.
+    items: Vec<ResponseItem>,
+}
+
+impl ConversationHistory {
+    pub fn new() -> Self {
+        Self { items: Vec::new() }
+    }
+
+    /// Returns a clone of the stored transcript.
+    pub fn contents(&self) -> Vec<ResponseItem> {
+        self.items.clone()
+    }
+
+    /// Records additional response items, filtering out non-API messages.
+    pub fn record_items<I>(&mut self, items: I)
+    where
+        I: IntoIterator,
+        I::Item: std::ops::Deref<Target = ResponseItem>,
+    {
+        for item in items {
+            if !is_api_message(&item) {
+                continue;
+            }
+
+            self.items.push(item.clone());
+        }
+    }
+
+    pub fn replace(&mut self, items: Vec<ResponseItem>) {
+        self.items = items;
+    }
+}
+
+/// Detects whether the given message should be persisted to history.
+fn is_api_message(message: &ResponseItem) -> bool {
+    match message {
+        ResponseItem::Message { role, .. } => role.as_str() != "system",
+        ResponseItem::FunctionCallOutput { .. }
+        | ResponseItem::FunctionCall { .. }
+        | ResponseItem::CustomToolCall { .. }
+        | ResponseItem::CustomToolCallOutput { .. }
+        | ResponseItem::LocalShellCall { .. }
+        | ResponseItem::Reasoning { .. }
+        | ResponseItem::WebSearchCall { .. } => true,
+        ResponseItem::Other => false,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_protocol::models::ContentItem;
+
+    fn assistant_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "assistant".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+
+    fn user_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "user".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+
+    #[test]
+    fn filters_non_api_messages() {
+        let mut h = ConversationHistory::default();
+        let system = ResponseItem::Message {
+            id: None,
+            role: "system".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: "ignored".to_string(),
+            }],
+        };
+        h.record_items([&system, &ResponseItem::Other]);
+
+        let u = user_msg("hi");
+        let a = assistant_msg("hello");
+        h.record_items([&u, &a]);
+
+        let items = h.contents();
+        assert_eq!(
+            items,
+            vec![
+                ResponseItem::Message {
+                    id: None,
+                    role: "user".to_string(),
+                    content: vec![ContentItem::OutputText {
+                        text: "hi".to_string()
+                    }]
+                },
+                ResponseItem::Message {
+                    id: None,
+                    role: "assistant".to_string(),
+                    content: vec![ContentItem::OutputText {
+                        text: "hello".to_string()
+                    }]
+                }
+            ]
+        );
+    }
+}

codex-rs/agent/src/exec_command/exec_command_params.rs

@@ -0,0 +1,57 @@
+use serde::Deserialize;
+use serde::Serialize;
+
+use crate::exec_command::session_id::SessionId;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct ExecCommandParams {
+    pub(crate) cmd: String,
+
+    #[serde(default = "default_yield_time")]
+    pub(crate) yield_time_ms: u64,
+
+    #[serde(default = "max_output_tokens")]
+    pub(crate) max_output_tokens: u64,
+
+    #[serde(default = "default_shell")]
+    pub(crate) shell: String,
+
+    #[serde(default = "default_login")]
+    pub(crate) login: bool,
+}
+
+fn default_yield_time() -> u64 {
+    10_000
+}
+
+fn max_output_tokens() -> u64 {
+    10_000
+}
+
+fn default_login() -> bool {
+    true
+}
+
+fn default_shell() -> String {
+    "/bin/bash".to_string()
+}
+
+#[derive(Debug, Deserialize, Serialize)]
+pub struct WriteStdinParams {
+    pub(crate) session_id: SessionId,
+    pub(crate) chars: String,
+
+    #[serde(default = "write_stdin_default_yield_time_ms")]
+    pub(crate) yield_time_ms: u64,
+
+    #[serde(default = "write_stdin_default_max_output_tokens")]
+    pub(crate) max_output_tokens: u64,
+}
+
+fn write_stdin_default_yield_time_ms() -> u64 {
+    250
+}
+
+fn write_stdin_default_max_output_tokens() -> u64 {
+    10_000
+}

codex-rs/agent/src/exec_command/exec_command_session.rs

@@ -0,0 +1,98 @@
+use std::sync::Mutex as StdMutex;
+
+use tokio::sync::broadcast;
+use tokio::sync::mpsc;
+use tokio::task::JoinHandle;
+
+#[derive(Debug)]
+#[allow(dead_code)]
+pub struct ExecCommandSession {
+    /// Queue for writing bytes to the process stdin (PTY master write side).
+    writer_tx: mpsc::Sender<Vec<u8>>,
+    /// Broadcast stream of output chunks read from the PTY. New subscribers
+    /// receive only chunks emitted after they subscribe.
+    output_tx: broadcast::Sender<Vec<u8>>,
+
+    /// Child killer handle for termination on drop (can signal independently
+    /// of a thread blocked in `.wait()`).
+    killer: StdMutex<Option<Box<dyn portable_pty::ChildKiller + Send + Sync>>>,
+
+    /// JoinHandle for the blocking PTY reader task.
+    reader_handle: StdMutex<Option<JoinHandle<()>>>,
+
+    /// JoinHandle for the stdin writer task.
+    writer_handle: StdMutex<Option<JoinHandle<()>>>,
+
+    /// JoinHandle for the child wait task.
+    wait_handle: StdMutex<Option<JoinHandle<()>>>,
+
+    /// Tracks whether the underlying process has exited.
+    exit_status: std::sync::Arc<std::sync::atomic::AtomicBool>,
+}
+
+#[allow(dead_code)]
+impl ExecCommandSession {
+    pub fn new(
+        writer_tx: mpsc::Sender<Vec<u8>>,
+        output_tx: broadcast::Sender<Vec<u8>>,
+        killer: Box<dyn portable_pty::ChildKiller + Send + Sync>,
+        reader_handle: JoinHandle<()>,
+        writer_handle: JoinHandle<()>,
+        wait_handle: JoinHandle<()>,
+        exit_status: std::sync::Arc<std::sync::atomic::AtomicBool>,
+    ) -> (Self, broadcast::Receiver<Vec<u8>>) {
+        let initial_output_rx = output_tx.subscribe();
+        (
+            Self {
+                writer_tx,
+                output_tx,
+                killer: StdMutex::new(Some(killer)),
+                reader_handle: StdMutex::new(Some(reader_handle)),
+                writer_handle: StdMutex::new(Some(writer_handle)),
+                wait_handle: StdMutex::new(Some(wait_handle)),
+                exit_status,
+            },
+            initial_output_rx,
+        )
+    }
+
+    pub fn writer_sender(&self) -> mpsc::Sender<Vec<u8>> {
+        self.writer_tx.clone()
+    }
+
+    pub(crate) fn output_receiver(&self) -> broadcast::Receiver<Vec<u8>> {
+        self.output_tx.subscribe()
+    }
+
+    pub fn has_exited(&self) -> bool {
+        self.exit_status.load(std::sync::atomic::Ordering::SeqCst)
+    }
+}
+
+impl Drop for ExecCommandSession {
+    fn drop(&mut self) {
+        // Best-effort: terminate child first so blocking tasks can complete.
+        if let Ok(mut killer_opt) = self.killer.lock()
+            && let Some(mut killer) = killer_opt.take()
+        {
+            let _ = killer.kill();
+        }
+
+        // Abort background tasks; they may already have exited after kill.
+        if let Ok(mut h) = self.reader_handle.lock()
+            && let Some(handle) = h.take()
+        {
+            handle.abort();
+        }
+        if let Ok(mut h) = self.writer_handle.lock()
+            && let Some(handle) = h.take()
+        {
+            handle.abort();
+        }
+        if let Ok(mut h) = self.wait_handle.lock()
+            && let Some(handle) = h.take()
+        {
+            handle.abort();
+        }
+    }
+}

codex-rs/agent/src/exec_command/mod.rs

@@ -0,0 +1,11 @@
+mod exec_command_params;
+mod exec_command_session;
+mod session_id;
+mod session_manager;
+
+pub use exec_command_params::ExecCommandParams;
+pub use exec_command_params::WriteStdinParams;
+pub use exec_command_session::ExecCommandSession;
+pub use session_id::SessionId;
+pub use session_manager::ExecCommandOutput;
+pub use session_manager::SessionManager as ExecSessionManager;

codex-rs/agent/src/exec_command/session_id.rs

@@ -0,0 +1,5 @@
+use serde::Deserialize;
+use serde::Serialize;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
+pub struct SessionId(pub u32);

codex-rs/agent/src/exec_command/session_manager.rs

@@ -0,0 +1,513 @@
+use std::collections::HashMap;
+use std::io::ErrorKind;
+use std::io::Read;
+use std::sync::Arc;
+use std::sync::Mutex as StdMutex;
+use std::sync::atomic::AtomicBool;
+use std::sync::atomic::AtomicU32;
+use std::vec::Vec;
+
+use portable_pty::CommandBuilder;
+use portable_pty::PtySize;
+use portable_pty::native_pty_system;
+use tokio::sync::Mutex;
+use tokio::sync::mpsc;
+use tokio::sync::oneshot;
+use tokio::time::Duration;
+use tokio::time::Instant;
+use tokio::time::timeout;
+
+use crate::exec_command::exec_command_params::ExecCommandParams;
+use crate::exec_command::exec_command_params::WriteStdinParams;
+use crate::exec_command::exec_command_session::ExecCommandSession;
+use crate::exec_command::session_id::SessionId;
+use crate::truncate::truncate_middle;
+
+#[derive(Debug, Default)]
+pub struct SessionManager {
+    next_session_id: AtomicU32,
+    sessions: Mutex<HashMap<SessionId, ExecCommandSession>>,
+}
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub struct ExecCommandOutput {
+    wall_time: Duration,
+    exit_status: ExitStatus,
+    original_token_count: Option<u64>,
+    output: String,
+}
+
+impl ExecCommandOutput {
+    pub fn to_text_output(&self) -> String {
+        let wall_time_secs = self.wall_time.as_secs_f32();
+        let termination_status = match self.exit_status {
+            ExitStatus::Exited(code) => format!("Process exited with code {code}"),
+            ExitStatus::Ongoing(session_id) => {
+                format!("Process running with session ID {}", session_id.0)
+            }
+        };
+        let truncation_status = match self.original_token_count {
+            Some(tokens) => {
+                format!("\nWarning: truncated output (original token count: {tokens})")
+            }
+            None => "".to_string(),
+        };
+        format!(
+            r#"Wall time: {wall_time_secs:.3} seconds
+{termination_status}{truncation_status}
+Output:
+{output}"#,
+            output = self.output
+        )
+    }
+}
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub enum ExitStatus {
+    Exited(i32),
+    Ongoing(SessionId),
+}
+
+impl SessionManager {
+    /// Processes the request and is required to send a response via `outgoing`.
+    pub async fn handle_exec_command_request(
+        &self,
+        params: ExecCommandParams,
+    ) -> Result<ExecCommandOutput, String> {
+        // Allocate a session id.
+        let session_id = SessionId(
+            self.next_session_id
+                .fetch_add(1, std::sync::atomic::Ordering::SeqCst),
+        );
+
+        let (session, mut output_rx, mut exit_rx): (
+            ExecCommandSession,
+            tokio::sync::broadcast::Receiver<Vec<u8>>,
+            tokio::sync::oneshot::Receiver<i32>,
+        ) = create_exec_command_session(params.clone())
+            .await
+            .map_err(|err| {
+                format!(
+                    "failed to create exec command session for session id {}: {err}",
+                    session_id.0
+                )
+            })?;
+
+        // Insert into session map.
+        self.sessions.lock().await.insert(session_id, session);
+
+        // Collect output until either timeout expires or process exits.
+        // Do not cap during collection; truncate at the end if needed.
+        // Use a modest initial capacity to avoid large preallocation.
+        let cap_bytes_u64 = params.max_output_tokens.saturating_mul(4);
+        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
+        let mut collected: Vec<u8> = Vec::with_capacity(4096);
+
+        let start_time = Instant::now();
+        let deadline = start_time + Duration::from_millis(params.yield_time_ms);
+        let mut exit_code: Option<i32> = None;
+
+        loop {
+            if Instant::now() >= deadline {
+                break;
+            }
+            let remaining = deadline.saturating_duration_since(Instant::now());
+            tokio::select! {
+                biased;
+                exit = &mut exit_rx => {
+                    exit_code = exit.ok();
+                    // Small grace period to pull remaining buffered output
+                    let grace_deadline = Instant::now() + Duration::from_millis(25);
+                    while Instant::now() < grace_deadline {
+                        match timeout(Duration::from_millis(1), output_rx.recv()).await {
+                            Ok(Ok(chunk)) => {
+                                collected.extend_from_slice(&chunk);
+                            }
+                            Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
+                                // Skip missed messages; keep trying within grace period.
+                                continue;
+                            }
+                            Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
+                            Err(_) => break,
+                        }
+                    }
+                    break;
+                }
+                chunk = timeout(remaining, output_rx.recv()) => {
+                    match chunk {
+                        Ok(Ok(chunk)) => {
+                            collected.extend_from_slice(&chunk);
+                        }
+                        Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
+                            // Skip missed messages; continue collecting fresh output.
+                        }
+                        Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => { break; }
+                        Err(_) => { break; }
+                    }
+                }
+            }
+        }
+
+        let output = String::from_utf8_lossy(&collected).to_string();
+
+        let exit_status = if let Some(code) = exit_code {
+            ExitStatus::Exited(code)
+        } else {
+            ExitStatus::Ongoing(session_id)
+        };
+
+        // If output exceeds cap, truncate the middle and record original token estimate.
+        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
+        Ok(ExecCommandOutput {
+            wall_time: Instant::now().duration_since(start_time),
+            exit_status,
+            original_token_count,
+            output,
+        })
+    }
+
+    /// Write characters to a session's stdin and collect combined output for up to `yield_time_ms`.
+    pub async fn handle_write_stdin_request(
+        &self,
+        params: WriteStdinParams,
+    ) -> Result<ExecCommandOutput, String> {
+        let WriteStdinParams {
+            session_id,
+            chars,
+            yield_time_ms,
+            max_output_tokens,
+        } = params;
+
+        // Grab handles without holding the sessions lock across await points.
+        let (writer_tx, mut output_rx) = {
+            let sessions = self.sessions.lock().await;
+            match sessions.get(&session_id) {
+                Some(session) => (session.writer_sender(), session.output_receiver()),
+                None => {
+                    return Err(format!("unknown session id {}", session_id.0));
+                }
+            }
+        };
+
+        // Write stdin if provided.
+        if !chars.is_empty() && writer_tx.send(chars.into_bytes()).await.is_err() {
+            return Err("failed to write to stdin".to_string());
+        }
+
+        // Collect output up to yield_time_ms, truncating to max_output_tokens bytes.
+        let mut collected: Vec<u8> = Vec::with_capacity(4096);
+        let start_time = Instant::now();
+        let deadline = start_time + Duration::from_millis(yield_time_ms);
+        loop {
+            let now = Instant::now();
+            if now >= deadline {
+                break;
+            }
+            let remaining = deadline - now;
+            match timeout(remaining, output_rx.recv()).await {
+                Ok(Ok(chunk)) => {
+                    // Collect all output within the time budget; truncate at the end.
+                    collected.extend_from_slice(&chunk);
+                }
+                Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
+                    // Skip missed messages; continue collecting fresh output.
+                }
+                Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
+                Err(_) => break, // timeout
+            }
+        }
+
+        // Return structured output, truncating middle if over cap.
+        let output = String::from_utf8_lossy(&collected).to_string();
+        let cap_bytes_u64 = max_output_tokens.saturating_mul(4);
+        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
+        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
+        Ok(ExecCommandOutput {
+            wall_time: Instant::now().duration_since(start_time),
+            exit_status: ExitStatus::Ongoing(session_id),
+            original_token_count,
+            output,
+        })
+    }
+}
+
+/// Spawn PTY and child process per spawn_exec_command_session logic.
+async fn create_exec_command_session(
+    params: ExecCommandParams,
+) -> anyhow::Result<(
+    ExecCommandSession,
+    tokio::sync::broadcast::Receiver<Vec<u8>>,
+    oneshot::Receiver<i32>,
+)> {
+    let ExecCommandParams {
+        cmd,
+        yield_time_ms: _,
+        max_output_tokens: _,
+        shell,
+        login,
+    } = params;
+
+    // Use the native pty implementation for the system
+    let pty_system = native_pty_system();
+
+    // Create a new pty
+    let pair = pty_system.openpty(PtySize {
+        rows: 24,
+        cols: 80,
+        pixel_width: 0,
+        pixel_height: 0,
+    })?;
+
+    // Spawn a shell into the pty
+    let mut command_builder = CommandBuilder::new(shell);
+    let shell_mode_opt = if login { "-lc" } else { "-c" };
+    command_builder.arg(shell_mode_opt);
+    command_builder.arg(cmd);
+
+    let mut child = pair.slave.spawn_command(command_builder)?;
+    // Obtain a killer that can signal the process independently of `.wait()`.
+    let killer = child.clone_killer();
+
+    // Channel to forward write requests to the PTY writer.
+    let (writer_tx, mut writer_rx) = mpsc::channel::<Vec<u8>>(128);
+    // Broadcast for streaming PTY output to readers: subscribers receive from subscription time.
+    let (output_tx, _) = tokio::sync::broadcast::channel::<Vec<u8>>(256);
+    // Reader task: drain PTY and forward chunks to output channel.
+    let mut reader = pair.master.try_clone_reader()?;
+    let output_tx_clone = output_tx.clone();
+    let reader_handle = tokio::task::spawn_blocking(move || {
+        let mut buf = [0u8; 8192];
+        loop {
+            match reader.read(&mut buf) {
+                Ok(0) => break, // EOF
+                Ok(n) => {
+                    // Forward to broadcast; best-effort if there are subscribers.
+                    let _ = output_tx_clone.send(buf[..n].to_vec());
+                }
+                Err(ref e) if e.kind() == ErrorKind::Interrupted => {
+                    // Retry on EINTR
+                    continue;
+                }
+                Err(ref e) if e.kind() == ErrorKind::WouldBlock => {
+                    // We're in a blocking thread; back off briefly and retry.
+                    std::thread::sleep(Duration::from_millis(5));
+                    continue;
+                }
+                Err(_) => break,
+            }
+        }
+    });
+
+    // Writer task: apply stdin writes to the PTY writer.
+    let writer = pair.master.take_writer()?;
+    let writer = Arc::new(StdMutex::new(writer));
+    let writer_handle = tokio::spawn({
+        let writer = writer.clone();
+        async move {
+            while let Some(bytes) = writer_rx.recv().await {
+                let writer = writer.clone();
+                // Perform blocking write on a blocking thread.
+                let _ = tokio::task::spawn_blocking(move || {
+                    if let Ok(mut guard) = writer.lock() {
+                        use std::io::Write;
+                        let _ = guard.write_all(&bytes);
+                        let _ = guard.flush();
+                    }
+                })
+                .await;
+            }
+        }
+    });
+
+    // Keep the child alive until it exits, then signal exit code.
+    let (exit_tx, exit_rx) = oneshot::channel::<i32>();
+    let exit_status = Arc::new(AtomicBool::new(false));
+    let wait_exit_status = exit_status.clone();
+    let wait_handle = tokio::task::spawn_blocking(move || {
+        let code = match child.wait() {
+            Ok(status) => status.exit_code() as i32,
+            Err(_) => -1,
+        };
+        wait_exit_status.store(true, std::sync::atomic::Ordering::SeqCst);
+        let _ = exit_tx.send(code);
+    });
+
+    // Create and store the session with channels.
+    let (session, initial_output_rx) = ExecCommandSession::new(
+        writer_tx,
+        output_tx,
+        killer,
+        reader_handle,
+        writer_handle,
+        wait_handle,
+        exit_status,
+    );
+    Ok((session, initial_output_rx, exit_rx))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::exec_command::session_id::SessionId;
+
+    /// Test that verifies that [`SessionManager::handle_exec_command_request()`]
+    /// and [`SessionManager::handle_write_stdin_request()`] work as expected
+    /// in the presence of a process that never terminates (but produces
+    /// output continuously).
+    #[cfg(unix)]
+    #[allow(clippy::print_stderr)]
+    #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+    async fn session_manager_streams_and_truncates_from_now() {
+        use crate::exec_command::exec_command_params::ExecCommandParams;
+        use crate::exec_command::exec_command_params::WriteStdinParams;
+        use tokio::time::sleep;
+
+        let session_manager = SessionManager::default();
+        // Long-running loop that prints an increasing counter every ~100ms.
+        // Use Python for a portable, reliable sleep across shells/PTYs.
+        let cmd = r#"python3 - <<'PY'
+import sys, time
+count = 0
+while True:
+    print(count)
+    sys.stdout.flush()
+    count += 100
+    time.sleep(0.1)
+PY"#
+        .to_string();
+
+        // Start the session and collect ~3s of output.
+        let params = ExecCommandParams {
+            cmd,
+            yield_time_ms: 3_000,
+            max_output_tokens: 1_000, // large enough to avoid truncation here
+            shell: "/bin/bash".to_string(),
+            login: false,
+        };
+        let initial_output = match session_manager
+            .handle_exec_command_request(params.clone())
+            .await
+        {
+            Ok(v) => v,
+            Err(e) => {
+                // PTY may be restricted in some sandboxes; skip in that case.
+                if e.contains("openpty") || e.contains("Operation not permitted") {
+                    eprintln!("skipping test due to restricted PTY: {e}");
+                    return;
+                }
+                panic!("exec request failed unexpectedly: {e}");
+            }
+        };
+        eprintln!("initial output: {initial_output:?}");
+
+        // Should be ongoing (we launched a never-ending loop).
+        let session_id = match initial_output.exit_status {
+            ExitStatus::Ongoing(id) => id,
+            _ => panic!("expected ongoing session"),
+        };
+
+        // Parse the numeric lines and get the max observed value in the first window.
+        let first_nums = extract_monotonic_numbers(&initial_output.output);
+        assert!(
+            !first_nums.is_empty(),
+            "expected some output from first window"
+        );
+        let first_max = *first_nums.iter().max().unwrap();
+
+        // Wait ~4s so counters progress while we're not reading.
+        sleep(Duration::from_millis(4_000)).await;
+
+        // Now read ~3s of output "from now" only.
+        // Use a small token cap so truncation occurs and we test middle truncation.
+        let write_params = WriteStdinParams {
+            session_id,
+            chars: String::new(),
+            yield_time_ms: 3_000,
+            max_output_tokens: 16, // 16 tokens ~= 64 bytes -> likely truncation
+        };
+        let second = session_manager
+            .handle_write_stdin_request(write_params)
+            .await
+            .expect("write stdin should succeed");
+
+        // Verify truncation metadata and size bound (cap is tokens*4 bytes).
+        assert!(second.original_token_count.is_some());
+        let cap_bytes = (16u64 * 4) as usize;
+        assert!(second.output.len() <= cap_bytes);
+        // New middle marker should be present.
+        assert!(
+            second.output.contains("tokens truncated") && second.output.contains('…'),
+            "expected truncation marker in output, got: {}",
+            second.output
+        );
+
+        // Minimal freshness check: the earliest number we see in the second window
+        // should be significantly larger than the last from the first window.
+        let second_nums = extract_monotonic_numbers(&second.output);
+        assert!(
+            !second_nums.is_empty(),
+            "expected some numeric output from second window"
+        );
+        let second_min = *second_nums.iter().min().unwrap();
+
+        // We slept 4 seconds (~40 ticks at 100ms/tick, each +100), so expect
+        // an increase of roughly 4000 or more. Allow a generous margin.
+        assert!(
+            second_min >= first_max + 2000,
+            "second_min={second_min} first_max={first_max}",
+        );
+    }
+
+    #[cfg(unix)]
+    fn extract_monotonic_numbers(s: &str) -> Vec<i64> {
+        s.lines()
+            .filter_map(|line| {
+                if !line.is_empty()
+                    && line.chars().all(|c| c.is_ascii_digit())
+                    && let Ok(n) = line.parse::<i64>()
+                {
+                    // Our generator increments by 100; ignore spurious fragments.
+                    if n % 100 == 0 {
+                        return Some(n);
+                    }
+                }
+                None
+            })
+            .collect()
+    }
+
+    #[test]
+    fn to_text_output_exited_no_truncation() {
+        let out = ExecCommandOutput {
+            wall_time: Duration::from_millis(1234),
+            exit_status: ExitStatus::Exited(0),
+            original_token_count: None,
+            output: "hello".to_string(),
+        };
+        let text = out.to_text_output();
+        let expected = r#"Wall time: 1.234 seconds
+Process exited with code 0
+Output:
+hello"#;
+        assert_eq!(expected, text);
+    }
+
+    #[test]
+    fn to_text_output_ongoing_with_truncation() {
+        let out = ExecCommandOutput {
+            wall_time: Duration::from_millis(500),
+            exit_status: ExitStatus::Ongoing(SessionId(42)),
+            original_token_count: Some(1000),
+            output: "abc".to_string(),
+        };
+        let text = out.to_text_output();
+        let expected = r#"Wall time: 0.500 seconds
+Process running with session ID 42
+Warning: truncated output (original token count: 1000)
+Output:
+abc"#;
+        assert_eq!(expected, text);
+    }
+}

codex-rs/agent/src/function_tool.rs

@@ -0,0 +1,7 @@
+use thiserror::Error;
+
+#[derive(Debug, Error, PartialEq)]
+pub enum FunctionCallError {
+    #[error("{0}")]
+    RespondToModel(String),
+}

codex-rs/agent/src/lib.rs

@@ -0,0 +1,48 @@
+pub mod apply_patch;
+pub mod bash;
+pub mod command_safety;
+pub mod config_types;
+pub mod conversation_history;
+pub mod exec_command;
+pub mod function_tool;
+pub mod model_family;
+pub mod model_provider;
+pub mod notifications;
+pub mod rollout;
+pub mod runtime;
+pub mod runtime_config;
+pub mod safety;
+pub mod sandbox;
+pub mod services;
+pub mod session_services;
+pub mod session_state;
+pub mod shell;
+pub mod token_data;
+pub mod tooling;
+pub mod truncate;
+pub mod turn_diff_tracker;
+pub mod unified_exec;
+
+pub use apply_patch::*;
+pub use bash::*;
+pub use command_safety::*;
+pub use config_types::*;
+pub use conversation_history::*;
+pub use function_tool::*;
+pub use model_family::*;
+pub use model_provider::*;
+pub use notifications::*;
+pub use rollout::*;
+pub use runtime::*;
+pub use runtime_config::*;
+pub use safety::*;
+pub use sandbox::*;
+pub use services::*;
+pub use session_services::*;
+pub use session_state::*;
+pub use shell::*;
+pub use token_data::*;
+pub use tooling::*;
+pub use truncate::*;
+pub use turn_diff_tracker::*;
+pub use unified_exec::*;

codex-rs/agent/src/model_family.rs

@@ -0,0 +1,15 @@
+use crate::config_types::ReasoningSummaryFormat;
+use crate::tooling::ApplyPatchToolType;
+
+/// Metadata describing consistent behaviour across a family of models.
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub struct ModelFamily {
+    pub slug: String,
+    pub family: String,
+    pub needs_special_apply_patch_instructions: bool,
+    pub supports_reasoning_summaries: bool,
+    pub reasoning_summary_format: ReasoningSummaryFormat,
+    pub uses_local_shell_tool: bool,
+    pub apply_patch_tool_type: Option<ApplyPatchToolType>,
+    pub base_instructions: String,
+}

codex-rs/agent/src/model_provider.rs

@@ -0,0 +1,54 @@
+use std::collections::HashMap;
+
+use codex_protocol::mcp_protocol::AuthMode;
+use serde::Deserialize;
+use serde::Serialize;
+
+/// Wire protocol variants supported by model providers.
+#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum WireApi {
+    Responses,
+    #[default]
+    Chat,
+}
+
+/// Serializable representation of a provider definition shared across hosts.
+#[derive(Debug, Clone, Deserialize, Serialize, PartialEq)]
+pub struct ModelProviderInfo {
+    pub name: String,
+    pub base_url: Option<String>,
+    pub env_key: Option<String>,
+    pub env_key_instructions: Option<String>,
+    #[serde(default)]
+    pub wire_api: WireApi,
+    pub query_params: Option<HashMap<String, String>>,
+    pub http_headers: Option<HashMap<String, String>>,
+    pub env_http_headers: Option<HashMap<String, String>>,
+    pub request_max_retries: Option<u64>,
+    pub stream_max_retries: Option<u64>,
+    pub stream_idle_timeout_ms: Option<u64>,
+    #[serde(default)]
+    pub requires_openai_auth: bool,
+}
+
+impl ModelProviderInfo {
+    pub fn wire_api(&self) -> WireApi {
+        self.wire_api
+    }
+
+    pub fn requires_auth(&self) -> bool {
+        self.requires_openai_auth
+    }
+
+    pub fn base_url(&self, auth_mode: AuthMode) -> String {
+        let fallback = if auth_mode == AuthMode::ChatGPT {
+            "https://chatgpt.com/backend-api/codex"
+        } else {
+            "https://api.openai.com/v1"
+        };
+        self.base_url
+            .clone()
+            .unwrap_or_else(|| fallback.to_string())
+    }
+}

codex-rs/agent/src/notifications.rs

@@ -0,0 +1,15 @@
+use serde::Serialize;
+
+/// Cross-host notification payloads emitted by the agent runtime.
+#[derive(Debug, Clone, PartialEq, Serialize)]
+#[serde(tag = "type", rename_all = "kebab-case")]
+pub enum UserNotification {
+    #[serde(rename_all = "kebab-case")]
+    AgentTurnComplete {
+        turn_id: String,
+        /// Messages submitted by the user to start the turn.
+        input_messages: Vec<String>,
+        /// Final assistant message emitted at turn completion.
+        last_assistant_message: Option<String>,
+    },
+}

codex-rs/agent/src/rollout/list.rs

@@ -0,0 +1,330 @@
+use std::cmp::Reverse;
+use std::io;
+use std::path::Path;
+use std::path::PathBuf;
+
+use codex_file_search as file_search;
+use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::RolloutItem;
+use codex_protocol::protocol::RolloutLine;
+use serde_json::Value;
+use std::num::NonZero;
+use std::sync::Arc;
+use std::sync::atomic::AtomicBool;
+use time::OffsetDateTime;
+use time::PrimitiveDateTime;
+use time::format_description::FormatItem;
+use time::macros::format_description;
+use tokio::fs;
+use tokio::io::AsyncBufReadExt;
+use uuid::Uuid;
+
+use super::SESSIONS_SUBDIR;
+
+#[derive(Debug, Default, PartialEq)]
+pub struct ConversationsPage {
+    pub items: Vec<ConversationItem>,
+    pub next_cursor: Option<Cursor>,
+    pub num_scanned_files: usize,
+    pub reached_scan_cap: bool,
+}
+
+#[derive(Debug, PartialEq)]
+pub struct ConversationItem {
+    pub path: PathBuf,
+    pub head: Vec<Value>,
+}
+
+const MAX_SCAN_FILES: usize = 100;
+const HEAD_RECORD_LIMIT: usize = 10;
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct Cursor {
+    ts: OffsetDateTime,
+    id: Uuid,
+}
+
+impl Cursor {
+    fn new(ts: OffsetDateTime, id: Uuid) -> Self {
+        Self { ts, id }
+    }
+}
+
+impl serde::Serialize for Cursor {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        let ts_str = self
+            .ts
+            .format(&format_description!(
+                "[year]-[month]-[day]T[hour]-[minute]-[second]"
+            ))
+            .map_err(|e| serde::ser::Error::custom(format!("format error: {e}")))?;
+        serializer.serialize_str(&format!("{ts_str}|{}", self.id))
+    }
+}
+
+impl<'de> serde::Deserialize<'de> for Cursor {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: serde::Deserializer<'de>,
+    {
+        let s = String::deserialize(deserializer)?;
+        parse_cursor(&s).ok_or_else(|| serde::de::Error::custom("invalid cursor"))
+    }
+}
+
+pub async fn get_conversations(
+    codex_home: &Path,
+    page_size: usize,
+    cursor: Option<&Cursor>,
+) -> io::Result<ConversationsPage> {
+    let mut root = codex_home.to_path_buf();
+    root.push(SESSIONS_SUBDIR);
+
+    if !root.exists() {
+        return Ok(ConversationsPage::default());
+    }
+
+    let anchor = cursor.cloned();
+
+    traverse_directories_for_paths(root, page_size, anchor).await
+}
+
+pub async fn get_conversation(path: &Path) -> io::Result<String> {
+    fs::read_to_string(path).await
+}
+
+pub async fn find_conversation_path_by_id_str(
+    codex_home: &Path,
+    id_str: &str,
+) -> io::Result<Option<PathBuf>> {
+    if Uuid::parse_str(id_str).is_err() {
+        return Ok(None);
+    }
+
+    let mut root = codex_home.to_path_buf();
+    root.push(SESSIONS_SUBDIR);
+    if !root.exists() {
+        return Ok(None);
+    }
+
+    let limit = NonZero::new(1).ok_or_else(|| io::Error::other("search limit must be non-zero"))?;
+    let threads =
+        NonZero::new(2).ok_or_else(|| io::Error::other("thread pool size must be non-zero"))?;
+    let cancel = Arc::new(AtomicBool::new(false));
+    let exclude: Vec<String> = Vec::new();
+    let compute_indices = false;
+
+    let results = file_search::run(
+        id_str,
+        limit,
+        &root,
+        exclude,
+        threads,
+        cancel,
+        compute_indices,
+    )
+    .map_err(|e| io::Error::other(format!("file search failed: {e}")))?;
+
+    Ok(results
+        .matches
+        .into_iter()
+        .next()
+        .map(|m| root.join(m.path)))
+}
+
+async fn traverse_directories_for_paths(
+    root: PathBuf,
+    page_size: usize,
+    anchor: Option<Cursor>,
+) -> io::Result<ConversationsPage> {
+    let mut items: Vec<ConversationItem> = Vec::with_capacity(page_size);
+    let mut scanned_files = 0usize;
+    let mut anchor_passed = anchor.is_none();
+    let (anchor_ts, anchor_id) = match anchor {
+        Some(c) => (c.ts, c.id),
+        None => (OffsetDateTime::UNIX_EPOCH, Uuid::nil()),
+    };
+
+    let year_dirs = collect_dirs_desc(&root, |s| s.parse::<u16>().ok()).await?;
+
+    'outer: for (_year, year_path) in year_dirs.iter() {
+        if scanned_files >= MAX_SCAN_FILES {
+            break;
+        }
+        let month_dirs = collect_dirs_desc(year_path, |s| s.parse::<u8>().ok()).await?;
+        for (_month, month_path) in month_dirs.iter() {
+            if scanned_files >= MAX_SCAN_FILES {
+                break 'outer;
+            }
+            let day_dirs = collect_dirs_desc(month_path, |s| s.parse::<u8>().ok()).await?;
+            for (_day, day_path) in day_dirs.iter() {
+                if scanned_files >= MAX_SCAN_FILES {
+                    break 'outer;
+                }
+                let mut day_files = collect_files(day_path, |name_str, path| {
+                    if !name_str.starts_with("rollout-") || !name_str.ends_with(".jsonl") {
+                        return None;
+                    }
+
+                    parse_timestamp_uuid_from_filename(name_str)
+                        .map(|(ts, id)| (ts, id, name_str.to_string(), path.to_path_buf()))
+                })
+                .await?;
+                day_files.sort_by_key(|(ts, sid, _, _)| (Reverse(*ts), Reverse(*sid)));
+                for (ts, sid, _name_str, path) in day_files.into_iter() {
+                    scanned_files += 1;
+                    if scanned_files >= MAX_SCAN_FILES && items.len() >= page_size {
+                        break 'outer;
+                    }
+                    if !anchor_passed {
+                        if ts < anchor_ts || (ts == anchor_ts && sid < anchor_id) {
+                            anchor_passed = true;
+                        } else {
+                            continue;
+                        }
+                    }
+                    if items.len() == page_size {
+                        break 'outer;
+                    }
+                    let (head, saw_session_meta, saw_user_event) =
+                        read_head_and_flags(&path, HEAD_RECORD_LIMIT)
+                            .await
+                            .unwrap_or((Vec::new(), false, false));
+                    if saw_session_meta && saw_user_event {
+                        items.push(ConversationItem { path, head });
+                    }
+                }
+            }
+        }
+    }
+
+    let next = build_next_cursor(&items);
+    Ok(ConversationsPage {
+        items,
+        next_cursor: next,
+        num_scanned_files: scanned_files,
+        reached_scan_cap: scanned_files >= MAX_SCAN_FILES,
+    })
+}
+
+fn build_next_cursor(items: &[ConversationItem]) -> Option<Cursor> {
+    let last = items.last()?;
+    let file_name = last.path.file_name()?.to_string_lossy();
+    let (ts, id) = parse_timestamp_uuid_from_filename(&file_name)?;
+    Some(Cursor::new(ts, id))
+}
+
+async fn collect_dirs_desc<T, F>(parent: &Path, parse: F) -> io::Result<Vec<(T, PathBuf)>>
+where
+    T: Ord + Copy,
+    F: Fn(&str) -> Option<T>,
+{
+    let mut dir = fs::read_dir(parent).await?;
+    let mut vec: Vec<(T, PathBuf)> = Vec::new();
+    while let Some(entry) = dir.next_entry().await? {
+        if entry
+            .file_type()
+            .await
+            .map(|ft| ft.is_dir())
+            .unwrap_or(false)
+            && let Some(s) = entry.file_name().to_str()
+            && let Some(v) = parse(s)
+        {
+            vec.push((v, entry.path()));
+        }
+    }
+    vec.sort_by_key(|(v, _)| Reverse(*v));
+    Ok(vec)
+}
+
+async fn collect_files<T, F>(parent: &Path, parse: F) -> io::Result<Vec<T>>
+where
+    F: Fn(&str, &Path) -> Option<T>,
+{
+    let mut dir = fs::read_dir(parent).await?;
+    let mut collected: Vec<T> = Vec::new();
+    while let Some(entry) = dir.next_entry().await? {
+        if entry
+            .file_type()
+            .await
+            .map(|ft| ft.is_file())
+            .unwrap_or(false)
+            && let Some(s) = entry.file_name().to_str()
+            && let Some(v) = parse(s, &entry.path())
+        {
+            collected.push(v);
+        }
+    }
+    Ok(collected)
+}
+
+fn parse_timestamp_uuid_from_filename(name: &str) -> Option<(OffsetDateTime, Uuid)> {
+    let core = name.strip_prefix("rollout-")?.strip_suffix(".jsonl")?;
+    let (sep_idx, uuid) = core
+        .match_indices('-')
+        .rev()
+        .find_map(|(i, _)| Uuid::parse_str(&core[i + 1..]).ok().map(|u| (i, u)))?;
+    let ts_str = &core[..sep_idx];
+    let format: &[FormatItem] =
+        format_description!("[year]-[month]-[day]T[hour]-[minute]-[second]");
+    let ts = PrimitiveDateTime::parse(ts_str, format).ok()?.assume_utc();
+    Some((ts, uuid))
+}
+
+fn parse_cursor(token: &str) -> Option<Cursor> {
+    let (file_ts, uuid_str) = token.split_once('|')?;
+    let uuid = Uuid::parse_str(uuid_str).ok()?;
+    let format: &[FormatItem] =
+        format_description!("[year]-[month]-[day]T[hour]-[minute]-[second]");
+    let ts = PrimitiveDateTime::parse(file_ts, format).ok()?.assume_utc();
+    Some(Cursor::new(ts, uuid))
+}
+
+async fn read_head_and_flags(
+    path: &Path,
+    max_records: usize,
+) -> io::Result<(Vec<Value>, bool, bool)> {
+    let file = tokio::fs::File::open(path).await?;
+    let reader = tokio::io::BufReader::new(file);
+    let mut lines = reader.lines();
+    let mut head: Vec<Value> = Vec::new();
+    let mut saw_session_meta = false;
+    let mut saw_user_event = false;
+
+    while head.len() < max_records {
+        let line_opt = lines.next_line().await?;
+        let Some(line) = line_opt else { break };
+        let trimmed = line.trim();
+        if trimmed.is_empty() {
+            continue;
+        }
+
+        let parsed: Result<RolloutLine, _> = serde_json::from_str(trimmed);
+        let Ok(rollout_line) = parsed else { continue };
+
+        match rollout_line.item {
+            RolloutItem::SessionMeta(session_meta_line) => {
+                if let Ok(val) = serde_json::to_value(session_meta_line) {
+                    head.push(val);
+                    saw_session_meta = true;
+                }
+            }
+            RolloutItem::ResponseItem(item) => {
+                if let Ok(val) = serde_json::to_value(item) {
+                    head.push(val);
+                }
+            }
+            RolloutItem::TurnContext(_) | RolloutItem::Compacted(_) => {}
+            RolloutItem::EventMsg(ev) => {
+                if matches!(ev, EventMsg::UserMessage(_)) {
+                    saw_user_event = true;
+                }
+            }
+        }
+    }
+
+    Ok((head, saw_session_meta, saw_user_event))
+}

codex-rs/agent/src/rollout/mod.rs

@@ -0,0 +1,11 @@
+pub const SESSIONS_SUBDIR: &str = "sessions";
+pub const ARCHIVED_SESSIONS_SUBDIR: &str = "archived_sessions";
+
+pub mod list;
+pub mod policy;
+pub mod recorder;
+
+pub use recorder::GitInfoCollector;
+pub use recorder::RolloutConfig;
+pub use recorder::RolloutRecorder;
+pub use recorder::RolloutRecorderParams;

codex-rs/agent/src/rollout/policy.rs

@@ -1,14 +1,13 @@
-use crate::protocol::EventMsg;
-use crate::protocol::RolloutItem;
 use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::RolloutItem;
 
 /// Whether a rollout `item` should be persisted in rollout files.
 #[inline]
-pub(crate) fn is_persisted_response_item(item: &RolloutItem) -> bool {
+pub fn is_persisted_response_item(item: &RolloutItem) -> bool {
     match item {
         RolloutItem::ResponseItem(item) => should_persist_response_item(item),
         RolloutItem::EventMsg(ev) => should_persist_event_msg(ev),
-        // Persist Codex executive markers so we can analyze flows (e.g., compaction, API turns).
         RolloutItem::Compacted(_) | RolloutItem::TurnContext(_) | RolloutItem::SessionMeta(_) => {
             true
         }
@@ -17,7 +16,7 @@ pub(crate) fn is_persisted_response_item(item: &RolloutItem) -> bool {
 
 /// Whether a `ResponseItem` should be persisted in rollout files.
 #[inline]
-pub(crate) fn should_persist_response_item(item: &ResponseItem) -> bool {
+pub fn should_persist_response_item(item: &ResponseItem) -> bool {
     match item {
         ResponseItem::Message { .. }
         | ResponseItem::Reasoning { .. }
@@ -33,7 +32,7 @@ pub(crate) fn should_persist_response_item(item: &ResponseItem) -> bool {
 
 /// Whether an `EventMsg` should be persisted in rollout files.
 #[inline]
-pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
+pub fn should_persist_event_msg(ev: &EventMsg) -> bool {
     match ev {
         EventMsg::UserMessage(_)
         | EventMsg::AgentMessage(_)
@@ -70,9 +69,6 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
         | EventMsg::ListCustomPromptsResponse(_)
         | EventMsg::PlanUpdate(_)
         | EventMsg::ShutdownComplete
-        | EventMsg::ViewImageToolCall(_)
-        | EventMsg::ConversationPath(_)
-        | EventMsg::ItemStarted(_)
-        | EventMsg::ItemCompleted(_) => false,
+        | EventMsg::ConversationPath(_) => false,
     }
 }

codex-rs/agent/src/rollout/recorder.rs

@@ -1,19 +1,26 @@
-//! Persist Codex session rollouts (.jsonl) so sessions can be replayed or inspected later.
-
+use std::fs;
 use std::fs::File;
-use std::fs::{self};
 use std::io::Error as IoError;
 use std::path::Path;
 use std::path::PathBuf;
+use std::sync::Arc;
 
-use codex_protocol::ConversationId;
+use async_trait::async_trait;
+use codex_protocol::mcp_protocol::ConversationId;
+use codex_protocol::protocol::GitInfo;
+use codex_protocol::protocol::InitialHistory;
+use codex_protocol::protocol::ResumedHistory;
+use codex_protocol::protocol::RolloutItem;
+use codex_protocol::protocol::RolloutLine;
+use codex_protocol::protocol::SessionMeta;
+use codex_protocol::protocol::SessionMetaLine;
 use serde_json::Value;
 use time::OffsetDateTime;
 use time::format_description::FormatItem;
 use time::macros::format_description;
 use tokio::io::AsyncWriteExt;
+use tokio::sync::mpsc;
 use tokio::sync::mpsc::Sender;
-use tokio::sync::mpsc::{self};
 use tokio::sync::oneshot;
 use tracing::info;
 use tracing::warn;
@@ -23,38 +30,32 @@ use super::list::ConversationsPage;
 use super::list::Cursor;
 use super::list::get_conversations;
 use super::policy::is_persisted_response_item;
-use crate::config::Config;
-use crate::default_client::originator;
-use crate::git_info::collect_git_info;
-use codex_protocol::protocol::InitialHistory;
-use codex_protocol::protocol::ResumedHistory;
-use codex_protocol::protocol::RolloutItem;
-use codex_protocol::protocol::RolloutLine;
-use codex_protocol::protocol::SessionMeta;
-use codex_protocol::protocol::SessionMetaLine;
-use codex_protocol::protocol::SessionSource;
 
-/// Records all [`ResponseItem`]s for a session and flushes them to disk after
-/// every update.
-///
-/// Rollouts are recorded as JSONL and can be inspected with tools such as:
-///
-/// ```ignore
-/// $ jq -C . ~/.codex/sessions/rollout-2025-05-07T17-24-21-5973b6c0-94b8-487b-a530-2aeb6098ae0e.jsonl
-/// $ fx ~/.codex/sessions/rollout-2025-05-07T17-24-21-5973b6c0-94b8-487b-a530-2aeb6098ae0e.jsonl
-/// ```
+#[async_trait]
+pub trait GitInfoCollector: Send + Sync {
+    async fn collect(&self, cwd: &Path) -> Option<GitInfo>;
+}
+
+#[derive(Clone)]
+pub struct RolloutConfig {
+    pub codex_home: PathBuf,
+    pub originator: String,
+    pub cli_version: String,
+    pub git_info_collector: Option<Arc<dyn GitInfoCollector>>,
+}
+
 #[derive(Clone)]
 pub struct RolloutRecorder {
     tx: Sender<RolloutCmd>,
-    pub(crate) rollout_path: PathBuf,
+    rollout_path: PathBuf,
 }
 
 #[derive(Clone)]
 pub enum RolloutRecorderParams {
     Create {
         conversation_id: ConversationId,
+        cwd: PathBuf,
         instructions: Option<String>,
-        source: SessionSource,
     },
     Resume {
         path: PathBuf,
@@ -63,25 +64,20 @@ pub enum RolloutRecorderParams {
 
 enum RolloutCmd {
     AddItems(Vec<RolloutItem>),
-    /// Ensure all prior writes are processed; respond when flushed.
-    Flush {
-        ack: oneshot::Sender<()>,
-    },
-    Shutdown {
-        ack: oneshot::Sender<()>,
-    },
+    Flush { ack: oneshot::Sender<()> },
+    Shutdown { ack: oneshot::Sender<()> },
 }
 
 impl RolloutRecorderParams {
     pub fn new(
         conversation_id: ConversationId,
+        cwd: PathBuf,
         instructions: Option<String>,
-        source: SessionSource,
     ) -> Self {
         Self::Create {
             conversation_id,
+            cwd,
             instructions,
-            source,
         }
     }
 
@@ -91,32 +87,30 @@ impl RolloutRecorderParams {
 }
 
 impl RolloutRecorder {
-    /// List conversations (rollout files) under the provided Codex home directory.
     pub async fn list_conversations(
         codex_home: &Path,
         page_size: usize,
         cursor: Option<&Cursor>,
-        allowed_sources: &[SessionSource],
     ) -> std::io::Result<ConversationsPage> {
-        get_conversations(codex_home, page_size, cursor, allowed_sources).await
+        get_conversations(codex_home, page_size, cursor).await
     }
 
-    /// Attempt to create a new [`RolloutRecorder`]. If the sessions directory
-    /// cannot be created or the rollout file cannot be opened we return the
-    /// error so the caller can decide whether to disable persistence.
-    pub async fn new(config: &Config, params: RolloutRecorderParams) -> std::io::Result<Self> {
-        let (file, rollout_path, meta) = match params {
+    pub async fn new(
+        config: &RolloutConfig,
+        params: RolloutRecorderParams,
+    ) -> std::io::Result<Self> {
+        let (file, rollout_path, meta, cwd) = match params {
             RolloutRecorderParams::Create {
                 conversation_id,
+                cwd,
                 instructions,
-                source,
             } => {
                 let LogFileInfo {
                     file,
                     path,
                     conversation_id: session_id,
                     timestamp,
-                } = create_log_file(config, conversation_id)?;
+                } = create_log_file(&config.codex_home, conversation_id)?;
 
                 let timestamp_format: &[FormatItem] = format_description!(
                     "[year]-[month]-[day]T[hour]:[minute]:[second].[subsecond digits:3]Z"
@@ -126,19 +120,16 @@ impl RolloutRecorder {
                     .format(timestamp_format)
                     .map_err(|e| IoError::other(format!("failed to format timestamp: {e}")))?;
 
-                (
-                    tokio::fs::File::from_std(file),
-                    path,
-                    Some(SessionMeta {
-                        id: session_id,
-                        timestamp,
-                        cwd: config.cwd.clone(),
-                        originator: originator().value.clone(),
-                        cli_version: env!("CARGO_PKG_VERSION").to_string(),
-                        instructions,
-                        source,
-                    }),
-                )
+                let meta = SessionMeta {
+                    id: session_id,
+                    timestamp,
+                    cwd: cwd.clone(),
+                    originator: config.originator.clone(),
+                    cli_version: config.cli_version.clone(),
+                    instructions,
+                };
+
+                (tokio::fs::File::from_std(file), path, Some(meta), Some(cwd))
             }
             RolloutRecorderParams::Resume { path } => (
                 tokio::fs::OpenOptions::new()
@@ -147,31 +138,21 @@ impl RolloutRecorder {
                     .await?,
                 path,
                 None,
+                None,
             ),
         };
 
-        // Clone the cwd for the spawned task to collect git info asynchronously
-        let cwd = config.cwd.clone();
-
-        // A reasonably-sized bounded channel. If the buffer fills up the send
-        // future will yield, which is fine – we only need to ensure we do not
-        // perform *blocking* I/O on the caller's thread.
         let (tx, rx) = mpsc::channel::<RolloutCmd>(256);
+        let collector = config.git_info_collector.clone();
 
-        // Spawn a Tokio task that owns the file handle and performs async
-        // writes. Using `tokio::fs::File` keeps everything on the async I/O
-        // driver instead of blocking the runtime.
-        tokio::task::spawn(rollout_writer(file, rx, meta, cwd));
+        tokio::task::spawn(rollout_writer(file, rx, meta, cwd, collector));
 
         Ok(Self { tx, rollout_path })
     }
 
-    pub(crate) async fn record_items(&self, items: &[RolloutItem]) -> std::io::Result<()> {
+    pub async fn record_items(&self, items: &[RolloutItem]) -> std::io::Result<()> {
         let mut filtered = Vec::new();
         for item in items {
-            // Note that function calls may look a bit strange if they are
-            // "fully qualified MCP tool calls," so we could consider
-            // reformatting them in that case.
             if is_persisted_response_item(item) {
                 filtered.push(item.clone());
             }
@@ -185,7 +166,6 @@ impl RolloutRecorder {
             .map_err(|e| IoError::other(format!("failed to queue rollout items: {e}")))
     }
 
-    /// Flush all queued writes and wait until they are committed by the writer task.
     pub async fn flush(&self) -> std::io::Result<()> {
         let (tx, rx) = oneshot::channel();
         self.tx
@@ -196,7 +176,26 @@ impl RolloutRecorder {
             .map_err(|e| IoError::other(format!("failed waiting for rollout flush: {e}")))
     }
 
-    pub(crate) async fn get_rollout_history(path: &Path) -> std::io::Result<InitialHistory> {
+    pub async fn shutdown(&self) -> std::io::Result<()> {
+        let (tx_done, rx_done) = oneshot::channel();
+        match self.tx.send(RolloutCmd::Shutdown { ack: tx_done }).await {
+            Ok(_) => rx_done
+                .await
+                .map_err(|e| IoError::other(format!("failed waiting for rollout shutdown: {e}"))),
+            Err(e) => {
+                warn!("failed to send rollout shutdown command: {e}");
+                Err(IoError::other(format!(
+                    "failed to send rollout shutdown command: {e}"
+                )))
+            }
+        }
+    }
+
+    pub fn get_rollout_path(&self) -> PathBuf {
+        self.rollout_path.clone()
+    }
+
+    pub async fn get_rollout_history(path: &Path) -> std::io::Result<InitialHistory> {
         info!("Resuming rollout from {path:?}");
         let text = tokio::fs::read_to_string(path).await?;
         if text.trim().is_empty() {
@@ -217,33 +216,17 @@ impl RolloutRecorder {
                 }
             };
 
-            // Parse the rollout line structure
             match serde_json::from_value::<RolloutLine>(v.clone()) {
                 Ok(rollout_line) => match rollout_line.item {
                     RolloutItem::SessionMeta(session_meta_line) => {
-                        // Use the FIRST SessionMeta encountered in the file as the canonical
-                        // conversation id and main session information. Keep all items intact.
                         if conversation_id.is_none() {
                             conversation_id = Some(session_meta_line.meta.id);
                         }
                         items.push(RolloutItem::SessionMeta(session_meta_line));
                     }
-                    RolloutItem::ResponseItem(item) => {
-                        items.push(RolloutItem::ResponseItem(item));
-                    }
-                    RolloutItem::Compacted(item) => {
-                        items.push(RolloutItem::Compacted(item));
-                    }
-                    RolloutItem::TurnContext(item) => {
-                        items.push(RolloutItem::TurnContext(item));
-                    }
-                    RolloutItem::EventMsg(_ev) => {
-                        items.push(RolloutItem::EventMsg(_ev));
-                    }
+                    other => items.push(other),
                 },
-                Err(e) => {
-                    warn!("failed to parse rollout line: {v:?}, error: {e}");
-                }
+                Err(e) => warn!("failed to parse rollout line: {v:?}, error: {e}"),
             }
         }
 
@@ -266,57 +249,28 @@ impl RolloutRecorder {
             rollout_path: path.to_path_buf(),
         }))
     }
-
-    pub(crate) fn get_rollout_path(&self) -> PathBuf {
-        self.rollout_path.clone()
-    }
-
-    pub async fn shutdown(&self) -> std::io::Result<()> {
-        let (tx_done, rx_done) = oneshot::channel();
-        match self.tx.send(RolloutCmd::Shutdown { ack: tx_done }).await {
-            Ok(_) => rx_done
-                .await
-                .map_err(|e| IoError::other(format!("failed waiting for rollout shutdown: {e}"))),
-            Err(e) => {
-                warn!("failed to send rollout shutdown command: {e}");
-                Err(IoError::other(format!(
-                    "failed to send rollout shutdown command: {e}"
-                )))
-            }
-        }
-    }
 }
 
 struct LogFileInfo {
-    /// Opened file handle to the rollout file.
     file: File,
-
-    /// Full path to the rollout file.
     path: PathBuf,
-
-    /// Session ID (also embedded in filename).
     conversation_id: ConversationId,
-
-    /// Timestamp for the start of the session.
     timestamp: OffsetDateTime,
 }
 
 fn create_log_file(
-    config: &Config,
+    codex_home: &Path,
     conversation_id: ConversationId,
 ) -> std::io::Result<LogFileInfo> {
-    // Resolve ~/.codex/sessions/YYYY/MM/DD and create it if missing.
     let timestamp = OffsetDateTime::now_local()
         .map_err(|e| IoError::other(format!("failed to get local time: {e}")))?;
-    let mut dir = config.codex_home.clone();
+    let mut dir = codex_home.to_path_buf();
     dir.push(SESSIONS_SUBDIR);
     dir.push(timestamp.year().to_string());
     dir.push(format!("{:02}", u8::from(timestamp.month())));
     dir.push(format!("{:02}", timestamp.day()));
     fs::create_dir_all(&dir)?;
 
-    // Custom format for YYYY-MM-DDThh-mm-ss. Use `-` instead of `:` for
-    // compatibility with filesystems that do not allow colons in filenames.
     let format: &[FormatItem] =
         format_description!("[year]-[month]-[day]T[hour]-[minute]-[second]");
     let date_str = timestamp
@@ -324,7 +278,6 @@ fn create_log_file(
         .map_err(|e| IoError::other(format!("failed to format timestamp: {e}")))?;
 
     let filename = format!("rollout-{date_str}-{conversation_id}.jsonl");
-
     let path = dir.join(filename);
     let file = std::fs::OpenOptions::new()
         .append(true)
@@ -343,25 +296,27 @@ async fn rollout_writer(
     file: tokio::fs::File,
     mut rx: mpsc::Receiver<RolloutCmd>,
     mut meta: Option<SessionMeta>,
-    cwd: std::path::PathBuf,
+    cwd: Option<PathBuf>,
+    git_info_collector: Option<Arc<dyn GitInfoCollector>>,
 ) -> std::io::Result<()> {
     let mut writer = JsonlWriter { file };
 
-    // If we have a meta, collect git info asynchronously and write meta first
     if let Some(session_meta) = meta.take() {
-        let git_info = collect_git_info(&cwd).await;
+        let git_info =
+            if let (Some(provider), Some(cwd)) = (git_info_collector.as_ref(), cwd.as_ref()) {
+                provider.collect(cwd.as_path()).await
+            } else {
+                None
+            };
         let session_meta_line = SessionMetaLine {
             meta: session_meta,
             git: git_info,
         };
-
-        // Write the SessionMeta as the first item in the file, wrapped in a rollout line
         writer
             .write_rollout_item(RolloutItem::SessionMeta(session_meta_line))
             .await?;
     }
 
-    // Process rollout commands
     while let Some(cmd) = rx.recv().await {
         match cmd {
             RolloutCmd::AddItems(items) => {
@@ -372,7 +327,6 @@ async fn rollout_writer(
                 }
             }
             RolloutCmd::Flush { ack } => {
-                // Ensure underlying file is flushed and then ack.
                 if let Err(e) = writer.file.flush().await {
                     let _ = ack.send(());
                     return Err(e);
@@ -407,11 +361,14 @@ impl JsonlWriter {
         };
         self.write_line(&line).await
     }
+
     async fn write_line(&mut self, item: &impl serde::Serialize) -> std::io::Result<()> {
-        let mut json = serde_json::to_string(item)?;
-        json.push('\n');
-        self.file.write_all(json.as_bytes()).await?;
-        self.file.flush().await?;
-        Ok(())
+        let mut buf = serde_json::to_vec(item)
+            .map_err(|e| IoError::other(format!("failed to serialise rollout line: {e}")))?;
+        buf.push(b'\n');
+        self.file
+            .write_all(&buf)
+            .await
+            .map_err(|e| IoError::other(format!("failed to write rollout line: {e}")))
     }
 }

codex-rs/agent/src/runtime.rs

@@ -0,0 +1,16 @@
+use async_trait::async_trait;
+use codex_protocol::protocol::Event;
+use codex_protocol::protocol::Op;
+use codex_protocol::protocol::Submission;
+
+/// Minimal async interface for interacting with an agent runtime.
+#[async_trait]
+pub trait AgentRuntime: Send + Sync {
+    type Error: std::error::Error + Send + Sync + 'static;
+
+    async fn submit(&self, op: Op) -> Result<String, Self::Error>;
+
+    async fn submit_with_id(&self, submission: Submission) -> Result<(), Self::Error>;
+
+    async fn next_event(&self) -> Result<Event, Self::Error>;
+}

codex-rs/agent/src/runtime_config.rs

@@ -0,0 +1,46 @@
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use crate::config_types::History;
+use crate::config_types::McpServerConfig;
+use crate::config_types::ShellEnvironmentPolicy;
+use crate::model_family::ModelFamily;
+use crate::model_provider::ModelProviderInfo;
+use codex_protocol::config_types::ReasoningEffort;
+use codex_protocol::config_types::ReasoningSummary;
+use codex_protocol::config_types::Verbosity;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::SandboxPolicy;
+
+/// Configuration surface consumed by the agent runtime regardless of host.
+#[derive(Debug, Clone, PartialEq)]
+pub struct AgentConfig {
+    pub model: String,
+    pub review_model: String,
+    pub model_family: ModelFamily,
+    pub model_context_window: Option<u64>,
+    pub model_auto_compact_token_limit: Option<i64>,
+    pub model_reasoning_effort: Option<ReasoningEffort>,
+    pub model_reasoning_summary: ReasoningSummary,
+    pub model_verbosity: Option<Verbosity>,
+    pub model_provider: ModelProviderInfo,
+    pub approval_policy: AskForApproval,
+    pub sandbox_policy: SandboxPolicy,
+    pub shell_environment_policy: ShellEnvironmentPolicy,
+    pub user_instructions: Option<String>,
+    pub base_instructions: Option<String>,
+    pub notify: Option<Vec<String>>,
+    pub cwd: PathBuf,
+    pub codex_home: PathBuf,
+    pub history: History,
+    pub mcp_servers: HashMap<String, McpServerConfig>,
+    pub include_plan_tool: bool,
+    pub include_apply_patch_tool: bool,
+    pub include_view_image_tool: bool,
+    pub tools_web_search_request: bool,
+    pub use_experimental_streamable_shell_tool: bool,
+    pub use_experimental_unified_exec_tool: bool,
+    pub show_raw_agent_reasoning: bool,
+    pub codex_linux_sandbox_exe: Option<PathBuf>,
+    pub project_doc_max_bytes: usize,
+}

codex-rs/agent/src/safety.rs

@@ -0,0 +1,516 @@
+use std::collections::HashSet;
+use std::path::Path;
+use std::path::PathBuf;
+
+use codex_apply_patch::ApplyPatchAction;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::SandboxPolicy;
+
+use crate::command_safety::is_dangerous_command::command_might_be_dangerous;
+use crate::command_safety::is_safe_command::is_known_safe_command;
+use crate::sandbox::SandboxType;
+
+#[derive(Debug, PartialEq)]
+pub enum SafetyCheck {
+    AutoApprove { sandbox_type: SandboxType },
+    AskUser,
+    Reject { reason: String },
+}
+
+pub fn assess_patch_safety(
+    action: &ApplyPatchAction,
+    policy: AskForApproval,
+    sandbox_policy: &SandboxPolicy,
+    cwd: &Path,
+) -> SafetyCheck {
+    if action.is_empty() {
+        return SafetyCheck::Reject {
+            reason: "empty patch".to_string(),
+        };
+    }
+
+    match policy {
+        AskForApproval::OnFailure | AskForApproval::Never | AskForApproval::OnRequest => {
+            // Continue to see if this can be auto-approved.
+        }
+        // TODO(ragona): I'm not sure this is actually correct? I believe in this case
+        // we want to continue to the writable paths check before asking the user.
+        AskForApproval::UnlessTrusted => {
+            return SafetyCheck::AskUser;
+        }
+    }
+
+    // Even though the patch *appears* to be constrained to writable paths, it
+    // is possible that paths in the patch are hard links to files outside the
+    // writable roots, so we should still run `apply_patch` in a sandbox in that
+    // case.
+    if is_write_patch_constrained_to_writable_paths(action, sandbox_policy, cwd)
+        || policy == AskForApproval::OnFailure
+    {
+        // Only auto‑approve when we can actually enforce a sandbox. Otherwise
+        // fall back to asking the user because the patch may touch arbitrary
+        // paths outside the project.
+        match get_platform_sandbox() {
+            Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+            None if sandbox_policy == &SandboxPolicy::DangerFullAccess => {
+                // If the user has explicitly requested DangerFullAccess, then
+                // we can auto-approve even without a sandbox.
+                SafetyCheck::AutoApprove {
+                    sandbox_type: SandboxType::None,
+                }
+            }
+            None => SafetyCheck::AskUser,
+        }
+    } else if policy == AskForApproval::Never {
+        SafetyCheck::Reject {
+            reason: "writing outside of the project; rejected by user approval settings"
+                .to_string(),
+        }
+    } else {
+        SafetyCheck::AskUser
+    }
+}
+
+/// For a command to be run _without_ a sandbox, one of the following must be
+/// true:
+///
+/// - the user has explicitly approved the command
+/// - the command is on the "known safe" list
+/// - `DangerFullAccess` was specified and `UnlessTrusted` was not
+pub fn assess_command_safety(
+    command: &[String],
+    approval_policy: AskForApproval,
+    sandbox_policy: &SandboxPolicy,
+    approved: &HashSet<Vec<String>>,
+    with_escalated_permissions: bool,
+) -> SafetyCheck {
+    // Some commands look dangerous. Even if they are run inside a sandbox,
+    // unless the user has explicitly approved them, we should ask,
+    // regardless of the approval policy and sandbox policy.
+    if command_might_be_dangerous(command) && !approved.contains(command) {
+        return SafetyCheck::AskUser;
+    }
+
+    // A command is "trusted" because either:
+    // - it belongs to a set of commands we consider "safe" by default, or
+    // - the user has explicitly approved the command for this session
+    //
+    // Currently, whether a command is "trusted" is a simple boolean, but we
+    // should include more metadata on this command test to indicate whether it
+    // should be run inside a sandbox or not. (This could be something the user
+    // defines as part of `execpolicy`.)
+    //
+    // For example, when `is_known_safe_command(command)` returns `true`, it
+    // would probably be fine to run the command in a sandbox, but when
+    // `approved.contains(command)` is `true`, the user may have approved it for
+    // the session _because_ they know it needs to run outside a sandbox.
+
+    if is_known_safe_command(command) || approved.contains(command) {
+        return SafetyCheck::AutoApprove {
+            sandbox_type: SandboxType::None,
+        };
+    }
+
+    assess_safety_for_untrusted_command(approval_policy, sandbox_policy, with_escalated_permissions)
+}
+
+pub(crate) fn assess_safety_for_untrusted_command(
+    approval_policy: AskForApproval,
+    sandbox_policy: &SandboxPolicy,
+    with_escalated_permissions: bool,
+) -> SafetyCheck {
+    use AskForApproval::*;
+    use SandboxPolicy::*;
+
+    match (approval_policy, sandbox_policy) {
+        (UnlessTrusted, _) => {
+            // Even though the user may have opted into DangerFullAccess,
+            // they also requested that we ask for approval for untrusted
+            // commands.
+            SafetyCheck::AskUser
+        }
+        (OnFailure, DangerFullAccess)
+        | (Never, DangerFullAccess)
+        | (OnRequest, DangerFullAccess) => SafetyCheck::AutoApprove {
+            sandbox_type: SandboxType::None,
+        },
+        (OnRequest, ReadOnly) | (OnRequest, WorkspaceWrite { .. }) => {
+            if with_escalated_permissions {
+                SafetyCheck::AskUser
+            } else {
+                match get_platform_sandbox() {
+                    Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+                    // Fall back to asking since the command is untrusted and
+                    // we do not have a sandbox available
+                    None => SafetyCheck::AskUser,
+                }
+            }
+        }
+        (Never, ReadOnly)
+        | (Never, WorkspaceWrite { .. })
+        | (OnFailure, ReadOnly)
+        | (OnFailure, WorkspaceWrite { .. }) => {
+            match get_platform_sandbox() {
+                Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+                None => {
+                    if matches!(approval_policy, OnFailure) {
+                        // Since the command is not trusted, even though the
+                        // user has requested to only ask for approval on
+                        // failure, we will ask the user because no sandbox is
+                        // available.
+                        SafetyCheck::AskUser
+                    } else {
+                        // We are in non-interactive mode and lack approval, so
+                        // all we can do is reject the command.
+                        SafetyCheck::Reject {
+                            reason: "auto-rejected because command is not on trusted list"
+                                .to_string(),
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+pub fn get_platform_sandbox() -> Option<SandboxType> {
+    if cfg!(target_os = "macos") {
+        Some(SandboxType::MacosSeatbelt)
+    } else if cfg!(target_os = "linux") {
+        Some(SandboxType::LinuxSeccomp)
+    } else {
+        None
+    }
+}
+
+fn is_write_patch_constrained_to_writable_paths(
+    action: &ApplyPatchAction,
+    sandbox_policy: &SandboxPolicy,
+    cwd: &Path,
+) -> bool {
+    // Early‑exit if there are no declared writable roots.
+    let writable_roots = match sandbox_policy {
+        SandboxPolicy::ReadOnly => {
+            return false;
+        }
+        SandboxPolicy::DangerFullAccess => {
+            return true;
+        }
+        SandboxPolicy::WorkspaceWrite {
+            writable_roots,
+            exclude_slash_tmp: _exclude_slash_tmp,
+            exclude_tmpdir_env_var: _exclude_tmpdir,
+            network_access: _network_access,
+        } => writable_roots,
+    };
+
+    // If the policy allows writes outside the workspace (DangerFullAccess),
+    // we've already returned true above. At this point we only have
+    // `WorkspaceWrite`, which includes the cwd implicitly, so first check if
+    // the patch fully lives within the cwd. If it does then we're fine.
+    let workspace_root = cwd.canonicalize().unwrap_or_else(|_| cwd.to_path_buf());
+    if all_changes_within_root(action, &workspace_root) {
+        return true;
+    }
+
+    if writable_roots.is_empty() {
+        return false;
+    }
+
+    // When `/tmp` is excluded, filter it out of writable roots. Some patch commands write
+    // temporary files there even for workspace-only updates.
+    let mut writable_roots: Vec<&PathBuf> = writable_roots.iter().collect();
+    if matches!(
+        sandbox_policy,
+        SandboxPolicy::WorkspaceWrite {
+            exclude_slash_tmp: true,
+            ..
+        }
+    ) {
+        writable_roots.retain(|path| !path.as_path().starts_with("/tmp"));
+    }
+
+    let mut all_within_declared_root = true;
+    for change in action.changes() {
+        match change.0.strip_prefix(&workspace_root) {
+            Ok(relative_path) => {
+                if !is_within_any_root(relative_path, &writable_roots) {
+                    all_within_declared_root = false;
+                    break;
+                }
+            }
+            Err(_) => {
+                all_within_declared_root = false;
+                break;
+            }
+        }
+    }
+
+    all_within_declared_root
+}
+
+fn all_changes_within_root(action: &ApplyPatchAction, root: &Path) -> bool {
+    action
+        .changes()
+        .iter()
+        .all(|(path, _)| path.starts_with(root))
+}
+
+fn is_within_any_root(path: &Path, roots: &[&PathBuf]) -> bool {
+    roots.iter().any(|root| path.starts_with(root.as_path()))
+}
+
+#[cfg(any())]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn reject_empty_patch() {
+        let action = ApplyPatchAction::new_for_test(vec![]);
+        let sandbox_policy = SandboxPolicy::ReadOnly;
+        let cwd = Path::new(".");
+
+        assert_eq!(
+            assess_patch_safety(&action, AskForApproval::OnRequest, &sandbox_policy, cwd),
+            SafetyCheck::Reject {
+                reason: "empty patch".to_string(),
+            }
+        );
+    }
+
+    #[test]
+    fn auto_allow_patch_in_workspace_write_sandbox() {
+        let patch_action = ApplyPatchAction::new_for_test(vec![ApplyPatchFileChange::new_update(
+            PathBuf::from("src/main.rs"),
+            "diff --git a/src/main.rs b/src/main.rs\n".to_string(),
+            None,
+            "".to_string(),
+        )]);
+
+        let sandbox_policy = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![],
+            network_access: false,
+            exclude_tmpdir_env_var: false,
+            exclude_slash_tmp: false,
+        };
+
+        assert_eq!(
+            assess_patch_safety(
+                &patch_action,
+                AskForApproval::OnRequest,
+                &sandbox_policy,
+                Path::new("."),
+            ),
+            SafetyCheck::AutoApprove {
+                sandbox_type: get_platform_sandbox().unwrap_or(SandboxType::None),
+            }
+        );
+    }
+
+    #[test]
+    fn reject_patch_if_policy_is_never_and_writes_outside_of_workspace() {
+        let patch_action = ApplyPatchAction::new_for_test(vec![ApplyPatchFileChange::new_update(
+            PathBuf::from("../outside_file.txt"),
+            "diff --git a/../outside_file.txt b/../outside_file.txt\n".to_string(),
+            None,
+            "".to_string(),
+        )]);
+
+        let sandbox_policy = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![],
+            network_access: false,
+            exclude_tmpdir_env_var: false,
+            exclude_slash_tmp: false,
+        };
+
+        assert_eq!(
+            assess_patch_safety(
+                &patch_action,
+                AskForApproval::Never,
+                &sandbox_policy,
+                Path::new("."),
+            ),
+            SafetyCheck::Reject {
+                reason: "writing outside of the project; rejected by user approval settings"
+                    .to_string(),
+            }
+        );
+    }
+
+    #[test]
+    fn assess_command_safety_known_safe_command() {
+        let command = vec!["ls".to_string()];
+        let approval_policy = AskForApproval::OnRequest;
+        let sandbox_policy = SandboxPolicy::ReadOnly;
+        let approved = HashSet::new();
+        let request_escalated_privileges = false;
+
+        let safety_check = assess_command_safety(
+            &command,
+            approval_policy,
+            &sandbox_policy,
+            &approved,
+            request_escalated_privileges,
+        );
+
+        assert_eq!(
+            safety_check,
+            SafetyCheck::AutoApprove {
+                sandbox_type: SandboxType::None
+            }
+        );
+    }
+
+    #[test]
+    fn assess_command_safety_dangerous_command_to_reject() {
+        let command = vec!["rm".to_string(), "-rf".to_string(), "/".to_string()];
+        let approval_policy = AskForApproval::OnRequest;
+        let sandbox_policy = SandboxPolicy::ReadOnly;
+        let approved = HashSet::new();
+        let request_escalated_privileges = false;
+
+        let safety_check = assess_command_safety(
+            &command,
+            approval_policy,
+            &sandbox_policy,
+            &approved,
+            request_escalated_privileges,
+        );
+
+        assert_eq!(safety_check, SafetyCheck::AskUser);
+    }
+
+    #[test]
+    fn patch_within_declared_root() {
+        let tempdir = tempfile::tempdir().unwrap();
+        let cwd = tempdir.path().to_path_buf();
+        let parent = cwd.parent().unwrap().to_path_buf();
+
+        let make_add_change = |p: PathBuf| ApplyPatchAction::new_add_for_test(&p, "".to_string());
+
+        let add_inside = make_add_change(cwd.join("inner.txt"));
+        let add_outside = make_add_change(parent.join("outside.txt"));
+
+        // Policy limited to the workspace only; exclude system temp roots so
+        // only `cwd` is writable by default.
+        let policy_workspace_only = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![],
+            network_access: false,
+            exclude_tmpdir_env_var: true,
+            exclude_slash_tmp: true,
+        };
+
+        assert!(is_write_patch_constrained_to_writable_paths(
+            &add_inside,
+            &policy_workspace_only,
+            &cwd,
+        ));
+
+        assert!(!is_write_patch_constrained_to_writable_paths(
+            &add_outside,
+            &policy_workspace_only,
+            &cwd,
+        ));
+
+        // With the parent dir explicitly added as a writable root, the
+        // outside write should be permitted.
+        let policy_with_parent = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![parent],
+            network_access: false,
+            exclude_tmpdir_env_var: true,
+            exclude_slash_tmp: true,
+        };
+        assert!(is_write_patch_constrained_to_writable_paths(
+            &add_outside,
+            &policy_with_parent,
+            &cwd,
+        ));
+    }
+
+    #[test]
+    fn test_request_escalated_privileges() {
+        // Should not be a trusted command
+        let command = vec!["git commit".to_string()];
+        let approval_policy = AskForApproval::OnRequest;
+        let sandbox_policy = SandboxPolicy::ReadOnly;
+        let approved: HashSet<Vec<String>> = HashSet::new();
+        let request_escalated_privileges = true;
+
+        let safety_check = assess_command_safety(
+            &command,
+            approval_policy,
+            &sandbox_policy,
+            &approved,
+            request_escalated_privileges,
+        );
+
+        assert_eq!(safety_check, SafetyCheck::AskUser);
+    }
+
+    #[test]
+    fn dangerous_command_allowed_if_explicitly_approved() {
+        let command = vec!["git".to_string(), "reset".to_string(), "--hard".to_string()];
+        let approval_policy = AskForApproval::OnRequest;
+        let sandbox_policy = SandboxPolicy::ReadOnly;
+        let mut approved: HashSet<Vec<String>> = HashSet::new();
+        approved.insert(command.clone());
+        let request_escalated_privileges = false;
+
+        let safety_check = assess_command_safety(
+            &command,
+            approval_policy,
+            &sandbox_policy,
+            &approved,
+            request_escalated_privileges,
+        );
+
+        assert_eq!(
+            safety_check,
+            SafetyCheck::AutoApprove {
+                sandbox_type: SandboxType::None
+            }
+        );
+    }
+
+    #[test]
+    fn dangerous_command_not_allowed_if_not_explicitly_approved() {
+        let command = vec!["git".to_string(), "reset".to_string(), "--hard".to_string()];
+        let approval_policy = AskForApproval::Never;
+        let sandbox_policy = SandboxPolicy::ReadOnly;
+        let approved: HashSet<Vec<String>> = HashSet::new();
+        let request_escalated_privileges = false;
+
+        let safety_check = assess_command_safety(
+            &command,
+            approval_policy,
+            &sandbox_policy,
+            &approved,
+            request_escalated_privileges,
+        );
+
+        assert_eq!(safety_check, SafetyCheck::AskUser);
+    }
+
+    #[test]
+    fn test_request_escalated_privileges_no_sandbox_fallback() {
+        let command = vec!["git".to_string(), "commit".to_string()];
+        let approval_policy = AskForApproval::OnRequest;
+        let sandbox_policy = SandboxPolicy::ReadOnly;
+        let approved: HashSet<Vec<String>> = HashSet::new();
+        let request_escalated_privileges = false;
+
+        let safety_check = assess_command_safety(
+            &command,
+            approval_policy,
+            &sandbox_policy,
+            &approved,
+            request_escalated_privileges,
+        );
+
+        let expected = match get_platform_sandbox() {
+            Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
+            None => SafetyCheck::AskUser,
+        };
+        assert_eq!(safety_check, expected);
+    }
+}

codex-rs/agent/src/sandbox/mod.rs

@@ -0,0 +1,3 @@
+pub mod types;
+
+pub use types::SandboxType;

codex-rs/agent/src/sandbox/types.rs

@@ -0,0 +1,10 @@
+#[derive(Clone, Copy, Debug, PartialEq)]
+pub enum SandboxType {
+    None,
+
+    /// Only available on macOS.
+    MacosSeatbelt,
+
+    /// Only available on Linux.
+    LinuxSeccomp,
+}

codex-rs/agent/src/services.rs

@@ -0,0 +1,138 @@
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use async_trait::async_trait;
+use codex_apply_patch::ApplyPatchAction;
+use codex_protocol::mcp_protocol::AuthMode;
+use codex_protocol::protocol::ReviewDecision;
+use codex_protocol::protocol::RolloutItem;
+use mcp_types::Tool;
+use serde_json::Value;
+
+use crate::exec_command::ExecCommandOutput;
+use crate::exec_command::ExecCommandParams;
+use crate::exec_command::WriteStdinParams;
+use crate::notifications::UserNotification;
+use crate::rollout::RolloutRecorder;
+use crate::token_data::PlanType;
+use crate::unified_exec::UnifiedExecError;
+use crate::unified_exec::UnifiedExecRequest;
+use crate::unified_exec::UnifiedExecResult;
+
+/// Authentication context made available to the provider layer.
+#[async_trait]
+pub trait ProviderAuth: Send + Sync {
+    fn mode(&self) -> AuthMode;
+
+    async fn access_token(&self) -> std::io::Result<String>;
+
+    fn account_id(&self) -> Option<String>;
+
+    fn plan_type(&self) -> Option<PlanType>;
+}
+
+/// Provides access to credentials required when talking to model providers.
+#[async_trait]
+pub trait CredentialsProvider: Send + Sync {
+    fn auth(&self) -> Option<std::sync::Arc<dyn ProviderAuth>>;
+
+    async fn refresh_token(&self) -> std::io::Result<Option<String>>;
+}
+
+/// Emits user-facing notifications for turn completion or other events.
+pub trait Notifier: Send + Sync {
+    fn notify(&self, notification: &UserNotification);
+}
+
+/// Runtime callbacks for user approval workflows.
+#[async_trait]
+pub trait ApprovalCoordinator: Send + Sync {
+    async fn request_patch_approval(
+        &self,
+        sub_id: String,
+        call_id: String,
+        action: &ApplyPatchAction,
+        reason: Option<String>,
+        grant_root: Option<PathBuf>,
+    ) -> ReviewDecision;
+
+    async fn request_command_approval(
+        &self,
+        sub_id: String,
+        call_id: String,
+        command: Vec<String>,
+        cwd: PathBuf,
+        reason: Option<String>,
+    ) -> ReviewDecision;
+
+    async fn add_approved_command(&self, command: Vec<String>);
+}
+
+/// Aggregates and dispatches MCP tool calls across configured servers.
+#[async_trait]
+pub trait McpInterface: Send + Sync {
+    fn list_all_tools(&self) -> HashMap<String, Tool>;
+
+    fn parse_tool_name(&self, tool_name: &str) -> Option<(String, String)>;
+
+    async fn call_tool(
+        &self,
+        server: &str,
+        tool: &str,
+        arguments: Option<Value>,
+    ) -> anyhow::Result<mcp_types::CallToolResult>;
+}
+
+/// Persists rollout events for later inspection or replay.
+#[async_trait]
+pub trait RolloutSink: Send + Sync {
+    async fn record_items(&self, items: &[RolloutItem]) -> std::io::Result<()>;
+
+    async fn flush(&self) -> std::io::Result<()>;
+
+    async fn shutdown(&self) -> std::io::Result<()>;
+
+    fn get_rollout_path(&self) -> PathBuf;
+}
+
+#[async_trait]
+impl RolloutSink for RolloutRecorder {
+    async fn record_items(&self, items: &[RolloutItem]) -> std::io::Result<()> {
+        RolloutRecorder::record_items(self, items).await
+    }
+
+    async fn flush(&self) -> std::io::Result<()> {
+        RolloutRecorder::flush(self).await
+    }
+
+    async fn shutdown(&self) -> std::io::Result<()> {
+        RolloutRecorder::shutdown(self).await
+    }
+
+    fn get_rollout_path(&self) -> PathBuf {
+        RolloutRecorder::get_rollout_path(self)
+    }
+}
+
+/// Handles sandboxed exec orchestration, including long-running sessions.
+#[async_trait]
+pub trait SandboxManager: Send + Sync {
+    async fn handle_exec_command_request(
+        &self,
+        params: ExecCommandParams,
+    ) -> Result<ExecCommandOutput, String>;
+
+    async fn handle_write_stdin_request(
+        &self,
+        params: WriteStdinParams,
+    ) -> Result<ExecCommandOutput, String>;
+
+    async fn handle_unified_exec_request(
+        &self,
+        request: UnifiedExecRequest<'_>,
+    ) -> Result<UnifiedExecResult, UnifiedExecError>;
+
+    fn codex_linux_sandbox_exe(&self) -> &Option<PathBuf>;
+
+    fn user_shell(&self) -> &crate::shell::Shell;
+}

codex-rs/agent/src/session_services.rs

@@ -0,0 +1,18 @@
+use std::sync::Arc;
+
+use tokio::sync::Mutex;
+
+use crate::services::McpInterface;
+use crate::services::Notifier;
+use crate::services::RolloutSink;
+use crate::services::SandboxManager;
+
+/// Aggregated services that back a running agent session. Hosts provide
+/// implementations for these traits and hand them to the runtime at spawn.
+pub struct SessionServices {
+    pub mcp: Arc<dyn McpInterface>,
+    pub notifier: Arc<dyn Notifier>,
+    pub sandbox: Arc<dyn SandboxManager>,
+    pub rollout: Mutex<Option<Arc<dyn RolloutSink>>>,
+    pub show_raw_agent_reasoning: bool,
+}

codex-rs/agent/src/session_state.rs

@@ -0,0 +1,76 @@
+use std::collections::HashSet;
+
+use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::RateLimitSnapshot;
+use codex_protocol::protocol::TokenUsage;
+use codex_protocol::protocol::TokenUsageInfo;
+
+use crate::conversation_history::ConversationHistory;
+
+/// Persistent, session-scoped state previously stored directly on `Session`.
+#[derive(Default)]
+pub struct SessionState {
+    approved_commands: HashSet<Vec<String>>,
+    history: ConversationHistory,
+    token_info: Option<TokenUsageInfo>,
+    latest_rate_limits: Option<RateLimitSnapshot>,
+}
+
+impl SessionState {
+    /// Create a new session state mirroring previous `State::default()` semantics.
+    pub fn new() -> Self {
+        Self {
+            history: ConversationHistory::new(),
+            ..Default::default()
+        }
+    }
+
+    // History helpers
+    pub fn record_items<I>(&mut self, items: I)
+    where
+        I: IntoIterator,
+        I::Item: std::ops::Deref<Target = ResponseItem>,
+    {
+        self.history.record_items(items)
+    }
+
+    pub fn history_snapshot(&self) -> Vec<ResponseItem> {
+        self.history.contents()
+    }
+
+    pub fn replace_history(&mut self, items: Vec<ResponseItem>) {
+        self.history.replace(items);
+    }
+
+    // Approved command helpers
+    pub fn add_approved_command(&mut self, cmd: Vec<String>) {
+        self.approved_commands.insert(cmd);
+    }
+
+    pub fn approved_commands_ref(&self) -> &HashSet<Vec<String>> {
+        &self.approved_commands
+    }
+
+    // Token/rate limit helpers
+    pub fn update_token_info_from_usage(
+        &mut self,
+        usage: &TokenUsage,
+        model_context_window: Option<u64>,
+    ) {
+        self.token_info = TokenUsageInfo::new_or_append(
+            &self.token_info,
+            &Some(usage.clone()),
+            model_context_window,
+        );
+    }
+
+    pub fn set_rate_limits(&mut self, snapshot: RateLimitSnapshot) {
+        self.latest_rate_limits = Some(snapshot);
+    }
+
+    pub fn token_info_and_rate_limits(
+        &self,
+    ) -> (Option<TokenUsageInfo>, Option<RateLimitSnapshot>) {
+        (self.token_info.clone(), self.latest_rate_limits.clone())
+    }
+}

codex-rs/agent/src/shell.rs

@@ -0,0 +1,271 @@
+use serde::Deserialize;
+use serde::Serialize;
+use shlex;
+use std::path::PathBuf;
+
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
+pub struct ZshShell {
+    pub(crate) shell_path: String,
+    pub(crate) zshrc_path: String,
+}
+
+impl ZshShell {
+    pub fn new(shell_path: impl Into<String>, zshrc_path: impl Into<String>) -> Self {
+        Self {
+            shell_path: shell_path.into(),
+            zshrc_path: zshrc_path.into(),
+        }
+    }
+
+    pub fn shell_path(&self) -> &str {
+        &self.shell_path
+    }
+
+    pub fn zshrc_path(&self) -> &str {
+        &self.zshrc_path
+    }
+}
+
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
+pub struct BashShell {
+    pub(crate) shell_path: String,
+    pub(crate) bashrc_path: String,
+}
+
+impl BashShell {
+    pub fn new(shell_path: impl Into<String>, bashrc_path: impl Into<String>) -> Self {
+        Self {
+            shell_path: shell_path.into(),
+            bashrc_path: bashrc_path.into(),
+        }
+    }
+
+    pub fn shell_path(&self) -> &str {
+        &self.shell_path
+    }
+
+    pub fn bashrc_path(&self) -> &str {
+        &self.bashrc_path
+    }
+}
+
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
+pub struct PowerShellConfig {
+    pub(crate) exe: String, // Executable name or path, e.g. "pwsh" or "powershell.exe".
+    pub(crate) bash_exe_fallback: Option<PathBuf>, // In case the model generates a bash command.
+}
+
+impl PowerShellConfig {
+    pub fn new(exe: impl Into<String>, bash_exe_fallback: Option<PathBuf>) -> Self {
+        Self {
+            exe: exe.into(),
+            bash_exe_fallback,
+        }
+    }
+
+    pub fn exe(&self) -> &str {
+        &self.exe
+    }
+
+    pub fn bash_exe_fallback(&self) -> Option<&PathBuf> {
+        self.bash_exe_fallback.as_ref()
+    }
+}
+
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
+pub enum Shell {
+    Zsh(ZshShell),
+    Bash(BashShell),
+    PowerShell(PowerShellConfig),
+    Unknown,
+}
+
+impl Shell {
+    pub fn format_default_shell_invocation(&self, command: Vec<String>) -> Option<Vec<String>> {
+        match self {
+            Shell::Zsh(zsh) => format_shell_invocation_with_rc(
+                command.as_slice(),
+                &zsh.shell_path,
+                &zsh.zshrc_path,
+            ),
+            Shell::Bash(bash) => format_shell_invocation_with_rc(
+                command.as_slice(),
+                &bash.shell_path,
+                &bash.bashrc_path,
+            ),
+            Shell::PowerShell(ps) => {
+                // If model generated a bash command, prefer a detected bash fallback
+                if let Some(script) = strip_bash_lc(command.as_slice()) {
+                    return match &ps.bash_exe_fallback {
+                        Some(bash) => Some(vec![
+                            bash.to_string_lossy().to_string(),
+                            "-lc".to_string(),
+                            script,
+                        ]),
+
+                        // No bash fallback → run the script under PowerShell.
+                        // It will likely fail (except for some simple commands), but the error
+                        // should give a clue to the model to fix upon retry that it's running under PowerShell.
+                        None => Some(vec![
+                            ps.exe.clone(),
+                            "-NoProfile".to_string(),
+                            "-Command".to_string(),
+                            script,
+                        ]),
+                    };
+                }
+
+                // Not a bash command. If model did not generate a PowerShell command,
+                // turn it into a PowerShell command.
+                let first = command.first().map(String::as_str);
+                if first != Some(ps.exe.as_str()) {
+                    // TODO (CODEX_2900): Handle escaping newlines.
+                    if command.iter().any(|a| a.contains('\n') || a.contains('\r')) {
+                        return Some(command);
+                    }
+
+                    let joined = shlex::try_join(command.iter().map(String::as_str)).ok();
+                    return joined.map(|arg| {
+                        vec![
+                            ps.exe.clone(),
+                            "-NoProfile".to_string(),
+                            "-Command".to_string(),
+                            arg,
+                        ]
+                    });
+                }
+
+                // Model generated a PowerShell command. Run it.
+                Some(command)
+            }
+            Shell::Unknown => None,
+        }
+    }
+
+    pub fn name(&self) -> Option<String> {
+        match self {
+            Shell::Zsh(zsh) => std::path::Path::new(&zsh.shell_path)
+                .file_name()
+                .map(|s| s.to_string_lossy().to_string()),
+            Shell::Bash(bash) => std::path::Path::new(&bash.shell_path)
+                .file_name()
+                .map(|s| s.to_string_lossy().to_string()),
+            Shell::PowerShell(ps) => Some(ps.exe.clone()),
+            Shell::Unknown => None,
+        }
+    }
+}
+
+fn format_shell_invocation_with_rc(
+    command: &[String],
+    shell_path: &str,
+    rc_path: &str,
+) -> Option<Vec<String>> {
+    let joined = strip_bash_lc(command)
+        .or_else(|| shlex::try_join(command.iter().map(String::as_str)).ok())?;
+
+    let rc_command = if std::path::Path::new(rc_path).exists() {
+        format!("source {rc_path} && ({joined})")
+    } else {
+        joined
+    };
+
+    Some(vec![shell_path.to_string(), "-lc".to_string(), rc_command])
+}
+
+fn strip_bash_lc(command: &[String]) -> Option<String> {
+    match command {
+        // exactly three items
+        [first, second, third]
+            // first two must be "bash", "-lc"
+            if first == "bash" && second == "-lc" =>
+        {
+            Some(third.clone())
+        }
+        _ => None,
+    }
+}
+
+#[cfg(unix)]
+fn detect_default_user_shell() -> Shell {
+    use libc::getpwuid;
+    use libc::getuid;
+    use std::ffi::CStr;
+
+    unsafe {
+        let uid = getuid();
+        let pw = getpwuid(uid);
+
+        if !pw.is_null() {
+            let shell_path = CStr::from_ptr((*pw).pw_shell)
+                .to_string_lossy()
+                .into_owned();
+            let home_path = CStr::from_ptr((*pw).pw_dir).to_string_lossy().into_owned();
+
+            if shell_path.ends_with("/zsh") {
+                return Shell::Zsh(ZshShell {
+                    shell_path,
+                    zshrc_path: format!("{home_path}/.zshrc"),
+                });
+            }
+
+            if shell_path.ends_with("/bash") {
+                return Shell::Bash(BashShell {
+                    shell_path,
+                    bashrc_path: format!("{home_path}/.bashrc"),
+                });
+            }
+        }
+    }
+    Shell::Unknown
+}
+
+#[cfg(unix)]
+pub async fn default_user_shell() -> Shell {
+    detect_default_user_shell()
+}
+
+#[cfg(target_os = "windows")]
+pub async fn default_user_shell() -> Shell {
+    use tokio::process::Command;
+
+    // Prefer PowerShell 7+ (`pwsh`) if available, otherwise fall back to Windows PowerShell.
+    let has_pwsh = Command::new("pwsh")
+        .arg("-NoLogo")
+        .arg("-NoProfile")
+        .arg("-Command")
+        .arg("$PSVersionTable.PSVersion.Major")
+        .output()
+        .await
+        .map(|o| o.status.success())
+        .unwrap_or(false);
+    let bash_exe = if Command::new("bash.exe")
+        .arg("--version")
+        .output()
+        .await
+        .ok()
+        .map(|o| o.status.success())
+        .unwrap_or(false)
+    {
+        which::which("bash.exe").ok()
+    } else {
+        None
+    };
+
+    if has_pwsh {
+        Shell::PowerShell(PowerShellConfig {
+            exe: "pwsh.exe".to_string(),
+            bash_exe_fallback: bash_exe,
+        })
+    } else {
+        Shell::PowerShell(PowerShellConfig {
+            exe: "powershell.exe".to_string(),
+            bash_exe_fallback: bash_exe,
+        })
+    }
+}
+
+#[cfg(all(not(target_os = "windows"), not(unix)))]
+pub async fn default_user_shell() -> Shell {
+    Shell::Unknown
+}

codex-rs/agent/src/token_data.rs

@@ -0,0 +1,182 @@
+use base64::Engine;
+use serde::Deserialize;
+use serde::Serialize;
+use thiserror::Error;
+
+#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]
+pub struct TokenData {
+    /// Flat info parsed from the JWT in auth.json.
+    #[serde(
+        deserialize_with = "deserialize_id_token",
+        serialize_with = "serialize_id_token"
+    )]
+    pub id_token: IdTokenInfo,
+
+    /// This is a JWT.
+    pub access_token: String,
+
+    pub refresh_token: String,
+
+    pub account_id: Option<String>,
+}
+
+/// Flat subset of useful claims in id_token from auth.json.
+#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
+pub struct IdTokenInfo {
+    pub email: Option<String>,
+    /// The ChatGPT subscription plan type
+    /// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").
+    /// (Note: values may vary by backend.)
+    pub chatgpt_plan_type: Option<PlanType>,
+    pub raw_jwt: String,
+}
+
+impl IdTokenInfo {
+    pub fn get_chatgpt_plan_type(&self) -> Option<String> {
+        self.chatgpt_plan_type.as_ref().map(|t| match t {
+            PlanType::Known(plan) => format!("{plan:?}"),
+            PlanType::Unknown(s) => s.clone(),
+        })
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum PlanType {
+    Known(KnownPlan),
+    Unknown(String),
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum KnownPlan {
+    Free,
+    Plus,
+    Pro,
+    Team,
+    Business,
+    Enterprise,
+    Edu,
+}
+
+#[derive(Deserialize)]
+struct IdClaims {
+    #[serde(default)]
+    email: Option<String>,
+    #[serde(rename = "https://api.openai.com/auth", default)]
+    auth: Option<AuthClaims>,
+}
+
+#[derive(Deserialize)]
+struct AuthClaims {
+    #[serde(default)]
+    chatgpt_plan_type: Option<PlanType>,
+}
+
+#[derive(Debug, Error)]
+pub enum IdTokenInfoError {
+    #[error("invalid ID token format")]
+    InvalidFormat,
+    #[error(transparent)]
+    Base64(#[from] base64::DecodeError),
+    #[error(transparent)]
+    Json(#[from] serde_json::Error),
+}
+
+pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
+    // JWT format: header.payload.signature
+    let mut parts = id_token.split('.');
+    let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {
+        (Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),
+        _ => return Err(IdTokenInfoError::InvalidFormat),
+    };
+
+    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
+    let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;
+
+    Ok(IdTokenInfo {
+        email: claims.email,
+        chatgpt_plan_type: claims.auth.and_then(|a| a.chatgpt_plan_type),
+        raw_jwt: id_token.to_string(),
+    })
+}
+
+fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>
+where
+    D: serde::Deserializer<'de>,
+{
+    let s = String::deserialize(deserializer)?;
+    parse_id_token(&s).map_err(serde::de::Error::custom)
+}
+
+fn serialize_id_token<S>(id_token: &IdTokenInfo, serializer: S) -> Result<S::Ok, S::Error>
+where
+    S: serde::Serializer,
+{
+    serializer.serialize_str(&id_token.raw_jwt)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use serde::Serialize;
+
+    #[test]
+    fn id_token_info_parses_email_and_plan() {
+        #[derive(Serialize)]
+        struct Header {
+            alg: &'static str,
+            typ: &'static str,
+        }
+        let header = Header {
+            alg: "none",
+            typ: "JWT",
+        };
+        let payload = serde_json::json!({
+            "email": "user@example.com",
+            "https://api.openai.com/auth": {
+                "chatgpt_plan_type": "pro"
+            }
+        });
+
+        fn b64url_no_pad(bytes: &[u8]) -> String {
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+        }
+
+        let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
+        let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
+        let signature_b64 = b64url_no_pad(b"sig");
+        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+        let info = parse_id_token(&fake_jwt).expect("should parse");
+        assert_eq!(info.email.as_deref(), Some("user@example.com"));
+        assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Pro"));
+    }
+
+    #[test]
+    fn id_token_info_handles_missing_fields() {
+        #[derive(Serialize)]
+        struct Header {
+            alg: &'static str,
+            typ: &'static str,
+        }
+        let header = Header {
+            alg: "none",
+            typ: "JWT",
+        };
+        let payload = serde_json::json!({ "sub": "123" });
+
+        fn b64url_no_pad(bytes: &[u8]) -> String {
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+        }
+
+        let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
+        let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
+        let signature_b64 = b64url_no_pad(b"sig");
+        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+        let info = parse_id_token(&fake_jwt).expect("should parse");
+        assert!(info.email.is_none());
+        assert!(info.get_chatgpt_plan_type().is_none());
+    }
+}

codex-rs/agent/src/tooling.rs

@@ -0,0 +1,10 @@
+use serde::Deserialize;
+use serde::Serialize;
+
+/// Represents which apply_patch tool variant a model expects.
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Hash)]
+#[serde(rename_all = "snake_case")]
+pub enum ApplyPatchToolType {
+    Freeform,
+    Function,
+}

codex-rs/agent/src/truncate.rs

@@ -0,0 +1,180 @@
+//! Utilities for truncating large chunks of output while preserving a prefix
+//! and suffix on UTF-8 boundaries.
+
+/// Truncate the middle of a UTF-8 string to at most `max_bytes` bytes,
+/// preserving the beginning and the end. Returns the possibly truncated
+/// string and `Some(original_token_count)` (estimated at 4 bytes/token)
+/// if truncation occurred; otherwise returns the original string and `None`.
+pub fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>) {
+    if s.len() <= max_bytes {
+        return (s.to_string(), None);
+    }
+
+    let est_tokens = (s.len() as u64).div_ceil(4);
+    if max_bytes == 0 {
+        return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
+    }
+
+    fn truncate_on_boundary(input: &str, max_len: usize) -> &str {
+        if input.len() <= max_len {
+            return input;
+        }
+        let mut end = max_len;
+        while end > 0 && !input.is_char_boundary(end) {
+            end -= 1;
+        }
+        &input[..end]
+    }
+
+    fn pick_prefix_end(s: &str, left_budget: usize) -> usize {
+        if let Some(head) = s.get(..left_budget)
+            && let Some(i) = head.rfind('\n')
+        {
+            return i + 1;
+        }
+        truncate_on_boundary(s, left_budget).len()
+    }
+
+    fn pick_suffix_start(s: &str, right_budget: usize) -> usize {
+        let start_tail = s.len().saturating_sub(right_budget);
+        if let Some(tail) = s.get(start_tail..)
+            && let Some(i) = tail.find('\n')
+        {
+            return start_tail + i + 1;
+        }
+
+        let mut idx = start_tail.min(s.len());
+        while idx < s.len() && !s.is_char_boundary(idx) {
+            idx += 1;
+        }
+        idx
+    }
+
+    let mut guess_tokens = est_tokens;
+    for _ in 0..4 {
+        let marker = format!("…{guess_tokens} tokens truncated…");
+        let marker_len = marker.len();
+        let keep_budget = max_bytes.saturating_sub(marker_len);
+        if keep_budget == 0 {
+            return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
+        }
+
+        let left_budget = keep_budget / 2;
+        let right_budget = keep_budget - left_budget;
+        let prefix_end = pick_prefix_end(s, left_budget);
+        let mut suffix_start = pick_suffix_start(s, right_budget);
+        if suffix_start < prefix_end {
+            suffix_start = prefix_end;
+        }
+
+        let kept_content_bytes = prefix_end + (s.len() - suffix_start);
+        let truncated_content_bytes = s.len().saturating_sub(kept_content_bytes);
+        let new_tokens = (truncated_content_bytes as u64).div_ceil(4);
+
+        if new_tokens == guess_tokens {
+            let mut out = String::with_capacity(marker_len + kept_content_bytes + 1);
+            out.push_str(&s[..prefix_end]);
+            out.push_str(&marker);
+            out.push('\n');
+            out.push_str(&s[suffix_start..]);
+            return (out, Some(est_tokens));
+        }
+
+        guess_tokens = new_tokens;
+    }
+
+    let marker = format!("…{guess_tokens} tokens truncated…");
+    let marker_len = marker.len();
+    let keep_budget = max_bytes.saturating_sub(marker_len);
+    if keep_budget == 0 {
+        return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
+    }
+
+    let left_budget = keep_budget / 2;
+    let right_budget = keep_budget - left_budget;
+    let prefix_end = pick_prefix_end(s, left_budget);
+    let suffix_start = pick_suffix_start(s, right_budget);
+
+    let mut out = String::with_capacity(marker_len + prefix_end + (s.len() - suffix_start) + 1);
+    out.push_str(&s[..prefix_end]);
+    out.push_str(&marker);
+    out.push('\n');
+    out.push_str(&s[suffix_start..]);
+    (out, Some(est_tokens))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::truncate_middle;
+
+    #[test]
+    fn truncate_middle_no_newlines_fallback() {
+        let s = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ*";
+        let max_bytes = 32;
+        let (out, original) = truncate_middle(s, max_bytes);
+        assert!(out.starts_with("abc"));
+        assert!(out.contains("tokens truncated"));
+        assert!(out.ends_with("XYZ*"));
+        assert_eq!(original, Some((s.len() as u64).div_ceil(4)));
+    }
+
+    #[test]
+    fn truncate_middle_prefers_newline_boundaries() {
+        let mut s = String::new();
+        for i in 1..=20 {
+            s.push_str(&format!("{i:03}\n"));
+        }
+        assert_eq!(s.len(), 80);
+
+        let max_bytes = 64;
+        let (out, tokens) = truncate_middle(&s, max_bytes);
+        assert!(out.starts_with("001\n002\n003\n004\n"));
+        assert!(out.contains("tokens truncated"));
+        assert!(out.ends_with("017\n018\n019\n020\n"));
+        assert_eq!(tokens, Some(20));
+    }
+
+    #[test]
+    fn truncate_middle_handles_utf8_content() {
+        let s = "😀😀😀😀😀😀😀😀😀😀\nsecond line with ascii text\n";
+        let max_bytes = 32;
+        let (out, tokens) = truncate_middle(s, max_bytes);
+
+        assert!(out.contains("tokens truncated"));
+        assert!(!out.contains('\u{fffd}'));
+        assert_eq!(tokens, Some((s.len() as u64).div_ceil(4)));
+    }
+
+    #[test]
+    fn truncate_middle_prefers_newline_boundaries_2() {
+        // Build a multi-line string of 20 numbered lines (each "NNN\n").
+        let mut s = String::new();
+        for i in 1..=20 {
+            s.push_str(&format!("{i:03}\n"));
+        }
+        // Total length: 20 lines * 4 bytes per line = 80 bytes.
+        assert_eq!(s.len(), 80);
+
+        // Choose a cap that forces truncation while leaving room for
+        // a few lines on each side after accounting for the marker.
+        let max_bytes = 64;
+        // Expect exact output: first 4 lines, marker, last 4 lines, and correct token estimate (80/4 = 20).
+        assert_eq!(
+            truncate_middle(&s, max_bytes),
+            (
+                r#"001
+002
+003
+004
+…12 tokens truncated…
+017
+018
+019
+020
+"#
+                .to_string(),
+                Some(20)
+            )
+        );
+    }
+}

codex-rs/agent/src/turn_diff_tracker.rs

@@ -0,0 +1,896 @@
+use std::collections::HashMap;
+use std::fs;
+use std::path::Path;
+use std::path::PathBuf;
+use std::process::Command;
+
+use anyhow::Context;
+use anyhow::Result;
+use anyhow::anyhow;
+use sha1::digest::Output;
+use uuid::Uuid;
+
+use codex_protocol::protocol::FileChange;
+
+const ZERO_OID: &str = "0000000000000000000000000000000000000000";
+const DEV_NULL: &str = "/dev/null";
+
+struct BaselineFileInfo {
+    path: PathBuf,
+    content: Vec<u8>,
+    mode: FileMode,
+    oid: String,
+}
+
+/// Tracks sets of changes to files and exposes the overall unified diff.
+/// Internally, the way this works is now:
+/// 1. Maintain an in-memory baseline snapshot of files when they are first seen.
+///    For new additions, do not create a baseline so that diffs are shown as proper additions (using /dev/null).
+/// 2. Keep a stable internal filename (uuid) per external path for rename tracking.
+/// 3. To compute the aggregated unified diff, compare each baseline snapshot to the current file on disk entirely in-memory
+///    using the `similar` crate and emit unified diffs with rewritten external paths.
+#[derive(Default)]
+pub struct TurnDiffTracker {
+    /// Map external path -> internal filename (uuid).
+    external_to_temp_name: HashMap<PathBuf, String>,
+    /// Internal filename -> baseline file info.
+    baseline_file_info: HashMap<String, BaselineFileInfo>,
+    /// Internal filename -> external path as of current accumulated state (after applying all changes).
+    /// This is where renames are tracked.
+    temp_name_to_current_path: HashMap<String, PathBuf>,
+    /// Cache of known git worktree roots to avoid repeated filesystem walks.
+    git_root_cache: Vec<PathBuf>,
+}
+
+impl TurnDiffTracker {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    /// Front-run apply patch calls to track the starting contents of any modified files.
+    /// - Creates an in-memory baseline snapshot for files that already exist on disk when first seen.
+    /// - For additions, we intentionally do not create a baseline snapshot so that diffs are proper additions.
+    /// - Also updates internal mappings for move/rename events.
+    pub fn on_patch_begin(&mut self, changes: &HashMap<PathBuf, FileChange>) {
+        for (path, change) in changes.iter() {
+            // Ensure a stable internal filename exists for this external path.
+            if !self.external_to_temp_name.contains_key(path.as_path()) {
+                let internal = Uuid::new_v4().to_string();
+                self.external_to_temp_name
+                    .insert(path.clone(), internal.clone());
+                self.temp_name_to_current_path
+                    .insert(internal.clone(), path.clone());
+
+                // If the file exists on disk now, snapshot as baseline; else leave missing to represent /dev/null.
+                let baseline_file_info = if path.exists() {
+                    let mode = file_mode_for_path(path);
+                    let mode_val = mode.unwrap_or(FileMode::Regular);
+                    let content = blob_bytes(path, mode_val).unwrap_or_default();
+                    let oid = if mode == Some(FileMode::Symlink) {
+                        format!("{:x}", git_blob_sha1_hex_bytes(&content))
+                    } else {
+                        self.git_blob_oid_for_path(path)
+                            .unwrap_or_else(|| format!("{:x}", git_blob_sha1_hex_bytes(&content)))
+                    };
+                    Some(BaselineFileInfo {
+                        path: path.clone(),
+                        content,
+                        mode: mode_val,
+                        oid,
+                    })
+                } else {
+                    Some(BaselineFileInfo {
+                        path: path.clone(),
+                        content: vec![],
+                        mode: FileMode::Regular,
+                        oid: ZERO_OID.to_string(),
+                    })
+                };
+
+                if let Some(baseline_file_info) = baseline_file_info {
+                    self.baseline_file_info
+                        .insert(internal.clone(), baseline_file_info);
+                }
+            }
+
+            // Track rename/move in current mapping if provided in an Update.
+            if let FileChange::Update {
+                move_path: Some(dest),
+                ..
+            } = change
+            {
+                let uuid_filename = match self.external_to_temp_name.get(path.as_path()) {
+                    Some(i) => i.clone(),
+                    None => {
+                        // This should be rare, but if we haven't mapped the source, create it with no baseline.
+                        let i = Uuid::new_v4().to_string();
+                        self.baseline_file_info.insert(
+                            i.clone(),
+                            BaselineFileInfo {
+                                path: path.clone(),
+                                content: vec![],
+                                mode: FileMode::Regular,
+                                oid: ZERO_OID.to_string(),
+                            },
+                        );
+                        i
+                    }
+                };
+                // Update current external mapping for temp file name.
+                self.temp_name_to_current_path
+                    .insert(uuid_filename.clone(), dest.clone());
+                // Update forward file_mapping: external current -> internal name.
+                self.external_to_temp_name.remove(path);
+                self.external_to_temp_name
+                    .insert(dest.clone(), uuid_filename);
+            };
+        }
+    }
+
+    fn get_path_for_internal(&self, internal: &str) -> Option<PathBuf> {
+        self.temp_name_to_current_path
+            .get(internal)
+            .cloned()
+            .or_else(|| {
+                self.baseline_file_info
+                    .get(internal)
+                    .map(|info| info.path.clone())
+            })
+    }
+
+    /// Find the git worktree root for a file/directory by walking up to the first ancestor containing a `.git` entry.
+    /// Uses a simple cache of known roots and avoids negative-result caching for simplicity.
+    fn find_git_root_cached(&mut self, start: &Path) -> Option<PathBuf> {
+        let dir = if start.is_dir() {
+            start
+        } else {
+            start.parent()?
+        };
+
+        // Fast path: if any cached root is an ancestor of this path, use it.
+        if let Some(root) = self
+            .git_root_cache
+            .iter()
+            .find(|r| dir.starts_with(r))
+            .cloned()
+        {
+            return Some(root);
+        }
+
+        // Walk up to find a `.git` marker.
+        let mut cur = dir.to_path_buf();
+        loop {
+            let git_marker = cur.join(".git");
+            if git_marker.is_dir() || git_marker.is_file() {
+                if !self.git_root_cache.iter().any(|r| r == &cur) {
+                    self.git_root_cache.push(cur.clone());
+                }
+                return Some(cur);
+            }
+
+            // On Windows, avoid walking above the drive or UNC share root.
+            #[cfg(windows)]
+            {
+                if is_windows_drive_or_unc_root(&cur) {
+                    return None;
+                }
+            }
+
+            if let Some(parent) = cur.parent() {
+                cur = parent.to_path_buf();
+            } else {
+                return None;
+            }
+        }
+    }
+
+    /// Return a display string for `path` relative to its git root if found, else absolute.
+    fn relative_to_git_root_str(&mut self, path: &Path) -> String {
+        let s = if let Some(root) = self.find_git_root_cached(path) {
+            if let Ok(rel) = path.strip_prefix(&root) {
+                rel.display().to_string()
+            } else {
+                path.display().to_string()
+            }
+        } else {
+            path.display().to_string()
+        };
+        s.replace('\\', "/")
+    }
+
+    /// Ask git to compute the blob SHA-1 for the file at `path` within its repository.
+    /// Returns None if no repository is found or git invocation fails.
+    fn git_blob_oid_for_path(&mut self, path: &Path) -> Option<String> {
+        let root = self.find_git_root_cached(path)?;
+        // Compute a path relative to the repo root for better portability across platforms.
+        let rel = path.strip_prefix(&root).unwrap_or(path);
+        let output = Command::new("git")
+            .arg("-C")
+            .arg(&root)
+            .arg("hash-object")
+            .arg("--")
+            .arg(rel)
+            .output()
+            .ok()?;
+        if !output.status.success() {
+            return None;
+        }
+        let s = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if s.len() == 40 { Some(s) } else { None }
+    }
+
+    /// Recompute the aggregated unified diff by comparing all of the in-memory snapshots that were
+    /// collected before the first time they were touched by apply_patch during this turn with
+    /// the current repo state.
+    pub fn get_unified_diff(&mut self) -> Result<Option<String>> {
+        let mut aggregated = String::new();
+
+        // Compute diffs per tracked internal file in a stable order by external path.
+        let mut baseline_file_names: Vec<String> =
+            self.baseline_file_info.keys().cloned().collect();
+        // Sort lexicographically by full repo-relative path to match git behavior.
+        baseline_file_names.sort_by_key(|internal| {
+            self.get_path_for_internal(internal)
+                .map(|p| self.relative_to_git_root_str(&p))
+                .unwrap_or_default()
+        });
+
+        for internal in baseline_file_names {
+            aggregated.push_str(self.get_file_diff(&internal).as_str());
+            if !aggregated.ends_with('\n') {
+                aggregated.push('\n');
+            }
+        }
+
+        if aggregated.trim().is_empty() {
+            Ok(None)
+        } else {
+            Ok(Some(aggregated))
+        }
+    }
+
+    fn get_file_diff(&mut self, internal_file_name: &str) -> String {
+        let mut aggregated = String::new();
+
+        // Snapshot lightweight fields only.
+        let (baseline_external_path, baseline_mode, left_oid) = {
+            if let Some(info) = self.baseline_file_info.get(internal_file_name) {
+                (info.path.clone(), info.mode, info.oid.clone())
+            } else {
+                (PathBuf::new(), FileMode::Regular, ZERO_OID.to_string())
+            }
+        };
+        let current_external_path = match self.get_path_for_internal(internal_file_name) {
+            Some(p) => p,
+            None => return aggregated,
+        };
+
+        let current_mode = file_mode_for_path(&current_external_path).unwrap_or(FileMode::Regular);
+        let right_bytes = blob_bytes(&current_external_path, current_mode);
+
+        // Compute displays with &mut self before borrowing any baseline content.
+        let left_display = self.relative_to_git_root_str(&baseline_external_path);
+        let right_display = self.relative_to_git_root_str(&current_external_path);
+
+        // Compute right oid before borrowing baseline content.
+        let right_oid = if let Some(b) = right_bytes.as_ref() {
+            if current_mode == FileMode::Symlink {
+                format!("{:x}", git_blob_sha1_hex_bytes(b))
+            } else {
+                self.git_blob_oid_for_path(&current_external_path)
+                    .unwrap_or_else(|| format!("{:x}", git_blob_sha1_hex_bytes(b)))
+            }
+        } else {
+            ZERO_OID.to_string()
+        };
+
+        // Borrow baseline content only after all &mut self uses are done.
+        let left_present = left_oid.as_str() != ZERO_OID;
+        let left_bytes: Option<&[u8]> = if left_present {
+            self.baseline_file_info
+                .get(internal_file_name)
+                .map(|i| i.content.as_slice())
+        } else {
+            None
+        };
+
+        // Fast path: identical bytes or both missing.
+        if left_bytes == right_bytes.as_deref() {
+            return aggregated;
+        }
+
+        aggregated.push_str(&format!("diff --git a/{left_display} b/{right_display}\n"));
+
+        let is_add = !left_present && right_bytes.is_some();
+        let is_delete = left_present && right_bytes.is_none();
+
+        if is_add {
+            aggregated.push_str(&format!("new file mode {current_mode}\n"));
+        } else if is_delete {
+            aggregated.push_str(&format!("deleted file mode {baseline_mode}\n"));
+        } else if baseline_mode != current_mode {
+            aggregated.push_str(&format!("old mode {baseline_mode}\n"));
+            aggregated.push_str(&format!("new mode {current_mode}\n"));
+        }
+
+        let left_text = left_bytes.and_then(|b| std::str::from_utf8(b).ok());
+        let right_text = right_bytes
+            .as_deref()
+            .and_then(|b| std::str::from_utf8(b).ok());
+
+        let can_text_diff = matches!(
+            (left_text, right_text, is_add, is_delete),
+            (Some(_), Some(_), _, _) | (_, Some(_), true, _) | (Some(_), _, _, true)
+        );
+
+        if can_text_diff {
+            let l = left_text.unwrap_or("");
+            let r = right_text.unwrap_or("");
+
+            aggregated.push_str(&format!("index {left_oid}..{right_oid}\n"));
+
+            let old_header = if left_present {
+                format!("a/{left_display}")
+            } else {
+                DEV_NULL.to_string()
+            };
+            let new_header = if right_bytes.is_some() {
+                format!("b/{right_display}")
+            } else {
+                DEV_NULL.to_string()
+            };
+
+            let diff = similar::TextDiff::from_lines(l, r);
+            let unified = diff
+                .unified_diff()
+                .context_radius(3)
+                .header(&old_header, &new_header)
+                .to_string();
+
+            aggregated.push_str(&unified);
+        } else {
+            aggregated.push_str(&format!("index {left_oid}..{right_oid}\n"));
+            let old_header = if left_present {
+                format!("a/{left_display}")
+            } else {
+                DEV_NULL.to_string()
+            };
+            let new_header = if right_bytes.is_some() {
+                format!("b/{right_display}")
+            } else {
+                DEV_NULL.to_string()
+            };
+            aggregated.push_str(&format!("--- {old_header}\n"));
+            aggregated.push_str(&format!("+++ {new_header}\n"));
+            aggregated.push_str("Binary files differ\n");
+        }
+        aggregated
+    }
+}
+
+/// Compute the Git SHA-1 blob object ID for the given content (bytes).
+fn git_blob_sha1_hex_bytes(data: &[u8]) -> Output<sha1::Sha1> {
+    // Git blob hash is sha1 of: "blob <len>\0<data>"
+    let header = format!("blob {}\0", data.len());
+    use sha1::Digest;
+    let mut hasher = sha1::Sha1::new();
+    hasher.update(header.as_bytes());
+    hasher.update(data);
+    hasher.finalize()
+}
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+enum FileMode {
+    Regular,
+    #[cfg(unix)]
+    Executable,
+    Symlink,
+}
+
+impl FileMode {
+    fn as_str(self) -> &'static str {
+        match self {
+            FileMode::Regular => "100644",
+            #[cfg(unix)]
+            FileMode::Executable => "100755",
+            FileMode::Symlink => "120000",
+        }
+    }
+}
+
+impl std::fmt::Display for FileMode {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(self.as_str())
+    }
+}
+
+#[cfg(unix)]
+fn file_mode_for_path(path: &Path) -> Option<FileMode> {
+    use std::os::unix::fs::PermissionsExt;
+    let meta = fs::symlink_metadata(path).ok()?;
+    let ft = meta.file_type();
+    if ft.is_symlink() {
+        return Some(FileMode::Symlink);
+    }
+    let mode = meta.permissions().mode();
+    let is_exec = (mode & 0o111) != 0;
+    Some(if is_exec {
+        FileMode::Executable
+    } else {
+        FileMode::Regular
+    })
+}
+
+#[cfg(not(unix))]
+fn file_mode_for_path(_path: &Path) -> Option<FileMode> {
+    // Default to non-executable on non-unix.
+    Some(FileMode::Regular)
+}
+
+fn blob_bytes(path: &Path, mode: FileMode) -> Option<Vec<u8>> {
+    if path.exists() {
+        let contents = if mode == FileMode::Symlink {
+            symlink_blob_bytes(path)
+                .ok_or_else(|| anyhow!("failed to read symlink target for {}", path.display()))
+        } else {
+            fs::read(path)
+                .with_context(|| format!("failed to read current file for diff {}", path.display()))
+        };
+        contents.ok()
+    } else {
+        None
+    }
+}
+
+#[cfg(unix)]
+fn symlink_blob_bytes(path: &Path) -> Option<Vec<u8>> {
+    use std::os::unix::ffi::OsStrExt;
+    let target = std::fs::read_link(path).ok()?;
+    Some(target.as_os_str().as_bytes().to_vec())
+}
+
+#[cfg(not(unix))]
+fn symlink_blob_bytes(_path: &Path) -> Option<Vec<u8>> {
+    None
+}
+
+#[cfg(windows)]
+fn is_windows_drive_or_unc_root(p: &std::path::Path) -> bool {
+    use std::path::Component;
+    let mut comps = p.components();
+    matches!(
+        (comps.next(), comps.next(), comps.next()),
+        (Some(Component::Prefix(_)), Some(Component::RootDir), None)
+    )
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+    use tempfile::tempdir;
+
+    /// Compute the Git SHA-1 blob object ID for the given content (string).
+    /// This delegates to the bytes version to avoid UTF-8 lossy conversions here.
+    fn git_blob_sha1_hex(data: &str) -> String {
+        format!("{:x}", git_blob_sha1_hex_bytes(data.as_bytes()))
+    }
+
+    fn normalize_diff_for_test(input: &str, root: &Path) -> String {
+        let root_str = root.display().to_string().replace('\\', "/");
+        let replaced = input.replace(&root_str, "<TMP>");
+        // Split into blocks on lines starting with "diff --git ", sort blocks for determinism, and rejoin
+        let mut blocks: Vec<String> = Vec::new();
+        let mut current = String::new();
+        for line in replaced.lines() {
+            if line.starts_with("diff --git ") && !current.is_empty() {
+                blocks.push(current);
+                current = String::new();
+            }
+            if !current.is_empty() {
+                current.push('\n');
+            }
+            current.push_str(line);
+        }
+        if !current.is_empty() {
+            blocks.push(current);
+        }
+        blocks.sort();
+        let mut out = blocks.join("\n");
+        if !out.ends_with('\n') {
+            out.push('\n');
+        }
+        out
+    }
+
+    #[test]
+    fn accumulates_add_and_update() {
+        let mut acc = TurnDiffTracker::new();
+
+        let dir = tempdir().unwrap();
+        let file = dir.path().join("a.txt");
+
+        // First patch: add file (baseline should be /dev/null).
+        let add_changes = HashMap::from([(
+            file.clone(),
+            FileChange::Add {
+                content: "foo\n".to_string(),
+            },
+        )]);
+        acc.on_patch_begin(&add_changes);
+
+        // Simulate apply: create the file on disk.
+        fs::write(&file, "foo\n").unwrap();
+        let first = acc.get_unified_diff().unwrap().unwrap();
+        let first = normalize_diff_for_test(&first, dir.path());
+        let expected_first = {
+            let mode = file_mode_for_path(&file).unwrap_or(FileMode::Regular);
+            let right_oid = git_blob_sha1_hex("foo\n");
+            format!(
+                r#"diff --git a/<TMP>/a.txt b/<TMP>/a.txt
+new file mode {mode}
+index {ZERO_OID}..{right_oid}
+--- {DEV_NULL}
++++ b/<TMP>/a.txt
+@@ -0,0 +1 @@
++foo
+"#,
+            )
+        };
+        assert_eq!(first, expected_first);
+
+        // Second patch: update the file on disk.
+        let update_changes = HashMap::from([(
+            file.clone(),
+            FileChange::Update {
+                unified_diff: "".to_owned(),
+                move_path: None,
+            },
+        )]);
+        acc.on_patch_begin(&update_changes);
+
+        // Simulate apply: append a new line.
+        fs::write(&file, "foo\nbar\n").unwrap();
+        let combined = acc.get_unified_diff().unwrap().unwrap();
+        let combined = normalize_diff_for_test(&combined, dir.path());
+        let expected_combined = {
+            let mode = file_mode_for_path(&file).unwrap_or(FileMode::Regular);
+            let right_oid = git_blob_sha1_hex("foo\nbar\n");
+            format!(
+                r#"diff --git a/<TMP>/a.txt b/<TMP>/a.txt
+new file mode {mode}
+index {ZERO_OID}..{right_oid}
+--- {DEV_NULL}
++++ b/<TMP>/a.txt
+@@ -0,0 +1,2 @@
++foo
++bar
+"#,
+            )
+        };
+        assert_eq!(combined, expected_combined);
+    }
+
+    #[test]
+    fn accumulates_delete() {
+        let dir = tempdir().unwrap();
+        let file = dir.path().join("b.txt");
+        fs::write(&file, "x\n").unwrap();
+
+        let mut acc = TurnDiffTracker::new();
+        let del_changes = HashMap::from([(
+            file.clone(),
+            FileChange::Delete {
+                content: "x\n".to_string(),
+            },
+        )]);
+        acc.on_patch_begin(&del_changes);
+
+        // Simulate apply: delete the file from disk.
+        let baseline_mode = file_mode_for_path(&file).unwrap_or(FileMode::Regular);
+        fs::remove_file(&file).unwrap();
+        let diff = acc.get_unified_diff().unwrap().unwrap();
+        let diff = normalize_diff_for_test(&diff, dir.path());
+        let expected = {
+            let left_oid = git_blob_sha1_hex("x\n");
+            format!(
+                r#"diff --git a/<TMP>/b.txt b/<TMP>/b.txt
+deleted file mode {baseline_mode}
+index {left_oid}..{ZERO_OID}
+--- a/<TMP>/b.txt
++++ {DEV_NULL}
+@@ -1 +0,0 @@
+-x
+"#,
+            )
+        };
+        assert_eq!(diff, expected);
+    }
+
+    #[test]
+    fn accumulates_move_and_update() {
+        let dir = tempdir().unwrap();
+        let src = dir.path().join("src.txt");
+        let dest = dir.path().join("dst.txt");
+        fs::write(&src, "line\n").unwrap();
+
+        let mut acc = TurnDiffTracker::new();
+        let mv_changes = HashMap::from([(
+            src.clone(),
+            FileChange::Update {
+                unified_diff: "".to_owned(),
+                move_path: Some(dest.clone()),
+            },
+        )]);
+        acc.on_patch_begin(&mv_changes);
+
+        // Simulate apply: move and update content.
+        fs::rename(&src, &dest).unwrap();
+        fs::write(&dest, "line2\n").unwrap();
+
+        let out = acc.get_unified_diff().unwrap().unwrap();
+        let out = normalize_diff_for_test(&out, dir.path());
+        let expected = {
+            let left_oid = git_blob_sha1_hex("line\n");
+            let right_oid = git_blob_sha1_hex("line2\n");
+            format!(
+                r#"diff --git a/<TMP>/src.txt b/<TMP>/dst.txt
+index {left_oid}..{right_oid}
+--- a/<TMP>/src.txt
++++ b/<TMP>/dst.txt
+@@ -1 +1 @@
+-line
++line2
+"#
+            )
+        };
+        assert_eq!(out, expected);
+    }
+
+    #[test]
+    fn move_without_1change_yields_no_diff() {
+        let dir = tempdir().unwrap();
+        let src = dir.path().join("moved.txt");
+        let dest = dir.path().join("renamed.txt");
+        fs::write(&src, "same\n").unwrap();
+
+        let mut acc = TurnDiffTracker::new();
+        let mv_changes = HashMap::from([(
+            src.clone(),
+            FileChange::Update {
+                unified_diff: "".to_owned(),
+                move_path: Some(dest.clone()),
+            },
+        )]);
+        acc.on_patch_begin(&mv_changes);
+
+        // Simulate apply: move only, no content change.
+        fs::rename(&src, &dest).unwrap();
+
+        let diff = acc.get_unified_diff().unwrap();
+        assert_eq!(diff, None);
+    }
+
+    #[test]
+    fn move_declared_but_file_only_appears_at_dest_is_add() {
+        let dir = tempdir().unwrap();
+        let src = dir.path().join("src.txt");
+        let dest = dir.path().join("dest.txt");
+        let mut acc = TurnDiffTracker::new();
+        let mv = HashMap::from([(
+            src,
+            FileChange::Update {
+                unified_diff: "".into(),
+                move_path: Some(dest.clone()),
+            },
+        )]);
+        acc.on_patch_begin(&mv);
+        // No file existed initially; create only dest
+        fs::write(&dest, "hello\n").unwrap();
+        let diff = acc.get_unified_diff().unwrap().unwrap();
+        let diff = normalize_diff_for_test(&diff, dir.path());
+        let expected = {
+            let mode = file_mode_for_path(&dest).unwrap_or(FileMode::Regular);
+            let right_oid = git_blob_sha1_hex("hello\n");
+            format!(
+                r#"diff --git a/<TMP>/src.txt b/<TMP>/dest.txt
+new file mode {mode}
+index {ZERO_OID}..{right_oid}
+--- {DEV_NULL}
++++ b/<TMP>/dest.txt
+@@ -0,0 +1 @@
++hello
+"#,
+            )
+        };
+        assert_eq!(diff, expected);
+    }
+
+    #[test]
+    fn update_persists_across_new_baseline_for_new_file() {
+        let dir = tempdir().unwrap();
+        let a = dir.path().join("a.txt");
+        let b = dir.path().join("b.txt");
+        fs::write(&a, "foo\n").unwrap();
+        fs::write(&b, "z\n").unwrap();
+
+        let mut acc = TurnDiffTracker::new();
+
+        // First: update existing a.txt (baseline snapshot is created for a).
+        let update_a = HashMap::from([(
+            a.clone(),
+            FileChange::Update {
+                unified_diff: "".to_owned(),
+                move_path: None,
+            },
+        )]);
+        acc.on_patch_begin(&update_a);
+        // Simulate apply: modify a.txt on disk.
+        fs::write(&a, "foo\nbar\n").unwrap();
+        let first = acc.get_unified_diff().unwrap().unwrap();
+        let first = normalize_diff_for_test(&first, dir.path());
+        let expected_first = {
+            let left_oid = git_blob_sha1_hex("foo\n");
+            let right_oid = git_blob_sha1_hex("foo\nbar\n");
+            format!(
+                r#"diff --git a/<TMP>/a.txt b/<TMP>/a.txt
+index {left_oid}..{right_oid}
+--- a/<TMP>/a.txt
++++ b/<TMP>/a.txt
+@@ -1 +1,2 @@
+ foo
++bar
+"#
+            )
+        };
+        assert_eq!(first, expected_first);
+
+        // Next: introduce a brand-new path b.txt into baseline snapshots via a delete change.
+        let del_b = HashMap::from([(
+            b.clone(),
+            FileChange::Delete {
+                content: "z\n".to_string(),
+            },
+        )]);
+        acc.on_patch_begin(&del_b);
+        // Simulate apply: delete b.txt.
+        let baseline_mode = file_mode_for_path(&b).unwrap_or(FileMode::Regular);
+        fs::remove_file(&b).unwrap();
+
+        let combined = acc.get_unified_diff().unwrap().unwrap();
+        let combined = normalize_diff_for_test(&combined, dir.path());
+        let expected = {
+            let left_oid_a = git_blob_sha1_hex("foo\n");
+            let right_oid_a = git_blob_sha1_hex("foo\nbar\n");
+            let left_oid_b = git_blob_sha1_hex("z\n");
+            format!(
+                r#"diff --git a/<TMP>/a.txt b/<TMP>/a.txt
+index {left_oid_a}..{right_oid_a}
+--- a/<TMP>/a.txt
++++ b/<TMP>/a.txt
+@@ -1 +1,2 @@
+ foo
++bar
+diff --git a/<TMP>/b.txt b/<TMP>/b.txt
+deleted file mode {baseline_mode}
+index {left_oid_b}..{ZERO_OID}
+--- a/<TMP>/b.txt
++++ {DEV_NULL}
+@@ -1 +0,0 @@
+-z
+"#,
+            )
+        };
+        assert_eq!(combined, expected);
+    }
+
+    #[test]
+    fn binary_files_differ_update() {
+        let dir = tempdir().unwrap();
+        let file = dir.path().join("bin.dat");
+
+        // Initial non-UTF8 bytes
+        let left_bytes: Vec<u8> = vec![0xff, 0xfe, 0xfd, 0x00];
+        // Updated non-UTF8 bytes
+        let right_bytes: Vec<u8> = vec![0x01, 0x02, 0x03, 0x00];
+
+        fs::write(&file, &left_bytes).unwrap();
+
+        let mut acc = TurnDiffTracker::new();
+        let update_changes = HashMap::from([(
+            file.clone(),
+            FileChange::Update {
+                unified_diff: "".to_owned(),
+                move_path: None,
+            },
+        )]);
+        acc.on_patch_begin(&update_changes);
+
+        // Apply update on disk
+        fs::write(&file, &right_bytes).unwrap();
+
+        let diff = acc.get_unified_diff().unwrap().unwrap();
+        let diff = normalize_diff_for_test(&diff, dir.path());
+        let expected = {
+            let left_oid = format!("{:x}", git_blob_sha1_hex_bytes(&left_bytes));
+            let right_oid = format!("{:x}", git_blob_sha1_hex_bytes(&right_bytes));
+            format!(
+                r#"diff --git a/<TMP>/bin.dat b/<TMP>/bin.dat
+index {left_oid}..{right_oid}
+--- a/<TMP>/bin.dat
++++ b/<TMP>/bin.dat
+Binary files differ
+"#
+            )
+        };
+        assert_eq!(diff, expected);
+    }
+
+    #[test]
+    fn filenames_with_spaces_add_and_update() {
+        let mut acc = TurnDiffTracker::new();
+
+        let dir = tempdir().unwrap();
+        let file = dir.path().join("name with spaces.txt");
+
+        // First patch: add file (baseline should be /dev/null).
+        let add_changes = HashMap::from([(
+            file.clone(),
+            FileChange::Add {
+                content: "foo\n".to_string(),
+            },
+        )]);
+        acc.on_patch_begin(&add_changes);
+
+        // Simulate apply: create the file on disk.
+        fs::write(&file, "foo\n").unwrap();
+        let first = acc.get_unified_diff().unwrap().unwrap();
+        let first = normalize_diff_for_test(&first, dir.path());
+        let expected_first = {
+            let mode = file_mode_for_path(&file).unwrap_or(FileMode::Regular);
+            let right_oid = git_blob_sha1_hex("foo\n");
+            format!(
+                r#"diff --git a/<TMP>/name with spaces.txt b/<TMP>/name with spaces.txt
+new file mode {mode}
+index {ZERO_OID}..{right_oid}
+--- {DEV_NULL}
++++ b/<TMP>/name with spaces.txt
+@@ -0,0 +1 @@
++foo
+"#,
+            )
+        };
+        assert_eq!(first, expected_first);
+
+        // Second patch: update the file on disk.
+        let update_changes = HashMap::from([(
+            file.clone(),
+            FileChange::Update {
+                unified_diff: "".to_owned(),
+                move_path: None,
+            },
+        )]);
+        acc.on_patch_begin(&update_changes);
+
+        // Simulate apply: append a new line with a space.
+        fs::write(&file, "foo\nbar baz\n").unwrap();
+        let combined = acc.get_unified_diff().unwrap().unwrap();
+        let combined = normalize_diff_for_test(&combined, dir.path());
+        let expected_combined = {
+            let mode = file_mode_for_path(&file).unwrap_or(FileMode::Regular);
+            let right_oid = git_blob_sha1_hex("foo\nbar baz\n");
+            format!(
+                r#"diff --git a/<TMP>/name with spaces.txt b/<TMP>/name with spaces.txt
+new file mode {mode}
+index {ZERO_OID}..{right_oid}
+--- {DEV_NULL}
++++ b/<TMP>/name with spaces.txt
+@@ -0,0 +1,2 @@
++foo
++bar baz
+"#,
+            )
+        };
+        assert_eq!(combined, expected_combined);
+    }
+}

codex-rs/agent/src/unified_exec/errors.rs

@@ -0,0 +1,22 @@
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum UnifiedExecError {
+    #[error("Failed to create unified exec session: {pty_error}")]
+    CreateSession {
+        #[source]
+        pty_error: anyhow::Error,
+    },
+    #[error("Unknown session id {session_id}")]
+    UnknownSessionId { session_id: i32 },
+    #[error("failed to write to stdin")]
+    WriteToStdin,
+    #[error("missing command line for unified exec request")]
+    MissingCommandLine,
+}
+
+impl UnifiedExecError {
+    pub(crate) fn create_session(error: anyhow::Error) -> Self {
+        Self::CreateSession { pty_error: error }
+    }
+}

codex-rs/agent/src/unified_exec/mod.rs

@@ -0,0 +1,655 @@
+use portable_pty::CommandBuilder;
+use portable_pty::PtySize;
+use portable_pty::native_pty_system;
+use std::collections::HashMap;
+use std::collections::VecDeque;
+use std::io::ErrorKind;
+use std::io::Read;
+use std::sync::Arc;
+use std::sync::Mutex as StdMutex;
+use std::sync::atomic::AtomicBool;
+use std::sync::atomic::AtomicI32;
+use std::sync::atomic::Ordering;
+use tokio::sync::Mutex;
+use tokio::sync::Notify;
+use tokio::sync::mpsc;
+use tokio::task::JoinHandle;
+use tokio::time::Duration;
+use tokio::time::Instant;
+
+use crate::exec_command::ExecCommandSession;
+use crate::truncate::truncate_middle;
+
+mod errors;
+
+pub use errors::UnifiedExecError;
+
+const DEFAULT_TIMEOUT_MS: u64 = 1_000;
+const MAX_TIMEOUT_MS: u64 = 60_000;
+const UNIFIED_EXEC_OUTPUT_MAX_BYTES: usize = 128 * 1024; // 128 KiB
+
+#[derive(Debug)]
+pub struct UnifiedExecRequest<'a> {
+    pub session_id: Option<i32>,
+    pub input_chunks: &'a [String],
+    pub timeout_ms: Option<u64>,
+}
+
+#[derive(Debug, Clone, PartialEq)]
+pub struct UnifiedExecResult {
+    pub session_id: Option<i32>,
+    pub output: String,
+}
+
+#[derive(Debug, Default)]
+pub struct UnifiedExecSessionManager {
+    next_session_id: AtomicI32,
+    sessions: Mutex<HashMap<i32, ManagedUnifiedExecSession>>,
+}
+
+#[derive(Debug)]
+struct ManagedUnifiedExecSession {
+    session: ExecCommandSession,
+    output_buffer: OutputBuffer,
+    /// Notifies waiters whenever new output has been appended to
+    /// `output_buffer`, allowing clients to poll for fresh data.
+    output_notify: Arc<Notify>,
+    output_task: JoinHandle<()>,
+}
+
+#[derive(Debug, Default)]
+struct OutputBufferState {
+    chunks: VecDeque<Vec<u8>>,
+    total_bytes: usize,
+}
+
+impl OutputBufferState {
+    fn push_chunk(&mut self, chunk: Vec<u8>) {
+        self.total_bytes = self.total_bytes.saturating_add(chunk.len());
+        self.chunks.push_back(chunk);
+
+        let mut excess = self
+            .total_bytes
+            .saturating_sub(UNIFIED_EXEC_OUTPUT_MAX_BYTES);
+
+        while excess > 0 {
+            match self.chunks.front_mut() {
+                Some(front) if excess >= front.len() => {
+                    excess -= front.len();
+                    self.total_bytes = self.total_bytes.saturating_sub(front.len());
+                    self.chunks.pop_front();
+                }
+                Some(front) => {
+                    front.drain(..excess);
+                    self.total_bytes = self.total_bytes.saturating_sub(excess);
+                    break;
+                }
+                None => break,
+            }
+        }
+    }
+
+    fn drain(&mut self) -> Vec<Vec<u8>> {
+        let drained: Vec<Vec<u8>> = self.chunks.drain(..).collect();
+        self.total_bytes = 0;
+        drained
+    }
+}
+
+type OutputBuffer = Arc<Mutex<OutputBufferState>>;
+type OutputHandles = (OutputBuffer, Arc<Notify>);
+
+impl ManagedUnifiedExecSession {
+    fn new(
+        session: ExecCommandSession,
+        initial_output_rx: tokio::sync::broadcast::Receiver<Vec<u8>>,
+    ) -> Self {
+        let output_buffer = Arc::new(Mutex::new(OutputBufferState::default()));
+        let output_notify = Arc::new(Notify::new());
+        let mut receiver = initial_output_rx;
+        let buffer_clone = Arc::clone(&output_buffer);
+        let notify_clone = Arc::clone(&output_notify);
+        let output_task = tokio::spawn(async move {
+            while let Ok(chunk) = receiver.recv().await {
+                let mut guard = buffer_clone.lock().await;
+                guard.push_chunk(chunk);
+                drop(guard);
+                notify_clone.notify_waiters();
+            }
+        });
+
+        Self {
+            session,
+            output_buffer,
+            output_notify,
+            output_task,
+        }
+    }
+
+    fn writer_sender(&self) -> mpsc::Sender<Vec<u8>> {
+        self.session.writer_sender()
+    }
+
+    fn output_handles(&self) -> OutputHandles {
+        (
+            Arc::clone(&self.output_buffer),
+            Arc::clone(&self.output_notify),
+        )
+    }
+
+    fn has_exited(&self) -> bool {
+        self.session.has_exited()
+    }
+}
+
+impl Drop for ManagedUnifiedExecSession {
+    fn drop(&mut self) {
+        self.output_task.abort();
+    }
+}
+
+impl UnifiedExecSessionManager {
+    pub async fn handle_request(
+        &self,
+        request: UnifiedExecRequest<'_>,
+    ) -> Result<UnifiedExecResult, UnifiedExecError> {
+        let (timeout_ms, timeout_warning) = match request.timeout_ms {
+            Some(requested) if requested > MAX_TIMEOUT_MS => (
+                MAX_TIMEOUT_MS,
+                Some(format!(
+                    "Warning: requested timeout {requested}ms exceeds maximum of {MAX_TIMEOUT_MS}ms; clamping to {MAX_TIMEOUT_MS}ms.\n"
+                )),
+            ),
+            Some(requested) => (requested, None),
+            None => (DEFAULT_TIMEOUT_MS, None),
+        };
+
+        let mut new_session: Option<ManagedUnifiedExecSession> = None;
+        let session_id;
+        let writer_tx;
+        let output_buffer;
+        let output_notify;
+
+        if let Some(existing_id) = request.session_id {
+            let mut sessions = self.sessions.lock().await;
+            match sessions.get(&existing_id) {
+                Some(session) => {
+                    if session.has_exited() {
+                        sessions.remove(&existing_id);
+                        return Err(UnifiedExecError::UnknownSessionId {
+                            session_id: existing_id,
+                        });
+                    }
+                    let (buffer, notify) = session.output_handles();
+                    session_id = existing_id;
+                    writer_tx = session.writer_sender();
+                    output_buffer = buffer;
+                    output_notify = notify;
+                }
+                None => {
+                    return Err(UnifiedExecError::UnknownSessionId {
+                        session_id: existing_id,
+                    });
+                }
+            }
+            drop(sessions);
+        } else {
+            let command = request.input_chunks.to_vec();
+            let new_id = self.next_session_id.fetch_add(1, Ordering::SeqCst);
+            let (session, initial_output_rx) = create_unified_exec_session(&command).await?;
+            let managed_session = ManagedUnifiedExecSession::new(session, initial_output_rx);
+            let (buffer, notify) = managed_session.output_handles();
+            writer_tx = managed_session.writer_sender();
+            output_buffer = buffer;
+            output_notify = notify;
+            session_id = new_id;
+            new_session = Some(managed_session);
+        };
+
+        if request.session_id.is_some() {
+            let joined_input = request.input_chunks.join(" ");
+            if !joined_input.is_empty() && writer_tx.send(joined_input.into_bytes()).await.is_err()
+            {
+                return Err(UnifiedExecError::WriteToStdin);
+            }
+        }
+
+        let mut collected: Vec<u8> = Vec::with_capacity(4096);
+        let start = Instant::now();
+        let deadline = start + Duration::from_millis(timeout_ms);
+
+        loop {
+            let drained_chunks;
+            let mut wait_for_output = None;
+            {
+                let mut guard = output_buffer.lock().await;
+                drained_chunks = guard.drain();
+                if drained_chunks.is_empty() {
+                    wait_for_output = Some(output_notify.notified());
+                }
+            }
+
+            if drained_chunks.is_empty() {
+                let remaining = deadline.saturating_duration_since(Instant::now());
+                if remaining == Duration::ZERO {
+                    break;
+                }
+
+                let notified = wait_for_output.unwrap_or_else(|| output_notify.notified());
+                tokio::pin!(notified);
+                tokio::select! {
+                    _ = &mut notified => {}
+                    _ = tokio::time::sleep(remaining) => break,
+                }
+                continue;
+            }
+
+            for chunk in drained_chunks {
+                collected.extend_from_slice(&chunk);
+            }
+
+            if Instant::now() >= deadline {
+                break;
+            }
+        }
+
+        let (output, _maybe_tokens) = truncate_middle(
+            &String::from_utf8_lossy(&collected),
+            UNIFIED_EXEC_OUTPUT_MAX_BYTES,
+        );
+        let output = if let Some(warning) = timeout_warning {
+            format!("{warning}{output}")
+        } else {
+            output
+        };
+
+        let should_store_session = if let Some(session) = new_session.as_ref() {
+            !session.has_exited()
+        } else if request.session_id.is_some() {
+            let mut sessions = self.sessions.lock().await;
+            if let Some(existing) = sessions.get(&session_id) {
+                if existing.has_exited() {
+                    sessions.remove(&session_id);
+                    false
+                } else {
+                    true
+                }
+            } else {
+                false
+            }
+        } else {
+            true
+        };
+
+        if should_store_session {
+            if let Some(session) = new_session {
+                self.sessions.lock().await.insert(session_id, session);
+            }
+            Ok(UnifiedExecResult {
+                session_id: Some(session_id),
+                output,
+            })
+        } else {
+            Ok(UnifiedExecResult {
+                session_id: None,
+                output,
+            })
+        }
+    }
+}
+
+async fn create_unified_exec_session(
+    command: &[String],
+) -> Result<
+    (
+        ExecCommandSession,
+        tokio::sync::broadcast::Receiver<Vec<u8>>,
+    ),
+    UnifiedExecError,
+> {
+    if command.is_empty() {
+        return Err(UnifiedExecError::MissingCommandLine);
+    }
+
+    let pty_system = native_pty_system();
+
+    let pair = pty_system
+        .openpty(PtySize {
+            rows: 24,
+            cols: 80,
+            pixel_width: 0,
+            pixel_height: 0,
+        })
+        .map_err(UnifiedExecError::create_session)?;
+
+    // Safe thanks to the check at the top of the function.
+    let mut command_builder = CommandBuilder::new(command[0].clone());
+    for arg in &command[1..] {
+        command_builder.arg(arg);
+    }
+
+    let mut child = pair
+        .slave
+        .spawn_command(command_builder)
+        .map_err(UnifiedExecError::create_session)?;
+    let killer = child.clone_killer();
+
+    let (writer_tx, mut writer_rx) = mpsc::channel::<Vec<u8>>(128);
+    let (output_tx, _) = tokio::sync::broadcast::channel::<Vec<u8>>(256);
+
+    let mut reader = pair
+        .master
+        .try_clone_reader()
+        .map_err(UnifiedExecError::create_session)?;
+    let output_tx_clone = output_tx.clone();
+    let reader_handle = tokio::task::spawn_blocking(move || {
+        let mut buf = [0u8; 8192];
+        loop {
+            match reader.read(&mut buf) {
+                Ok(0) => break,
+                Ok(n) => {
+                    let _ = output_tx_clone.send(buf[..n].to_vec());
+                }
+                Err(ref e) if e.kind() == ErrorKind::Interrupted => continue,
+                Err(ref e) if e.kind() == ErrorKind::WouldBlock => {
+                    std::thread::sleep(Duration::from_millis(5));
+                    continue;
+                }
+                Err(_) => break,
+            }
+        }
+    });
+
+    let writer = pair
+        .master
+        .take_writer()
+        .map_err(UnifiedExecError::create_session)?;
+    let writer = Arc::new(StdMutex::new(writer));
+    let writer_handle = tokio::spawn({
+        let writer = writer.clone();
+        async move {
+            while let Some(bytes) = writer_rx.recv().await {
+                let writer = writer.clone();
+                let _ = tokio::task::spawn_blocking(move || {
+                    if let Ok(mut guard) = writer.lock() {
+                        use std::io::Write;
+                        let _ = guard.write_all(&bytes);
+                        let _ = guard.flush();
+                    }
+                })
+                .await;
+            }
+        }
+    });
+
+    let exit_status = Arc::new(AtomicBool::new(false));
+    let wait_exit_status = Arc::clone(&exit_status);
+    let wait_handle = tokio::task::spawn_blocking(move || {
+        let _ = child.wait();
+        wait_exit_status.store(true, Ordering::SeqCst);
+    });
+
+    let (session, initial_output_rx) = ExecCommandSession::new(
+        writer_tx,
+        output_tx,
+        killer,
+        reader_handle,
+        writer_handle,
+        wait_handle,
+        exit_status,
+    );
+    Ok((session, initial_output_rx))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    #[cfg(unix)]
+    use core_test_support::skip_if_sandbox;
+
+    #[test]
+    fn push_chunk_trims_only_excess_bytes() {
+        let mut buffer = OutputBufferState::default();
+        buffer.push_chunk(vec![b'a'; UNIFIED_EXEC_OUTPUT_MAX_BYTES]);
+        buffer.push_chunk(vec![b'b']);
+        buffer.push_chunk(vec![b'c']);
+
+        assert_eq!(buffer.total_bytes, UNIFIED_EXEC_OUTPUT_MAX_BYTES);
+        assert_eq!(buffer.chunks.len(), 3);
+        assert_eq!(
+            buffer.chunks.front().unwrap().len(),
+            UNIFIED_EXEC_OUTPUT_MAX_BYTES - 2
+        );
+        assert_eq!(buffer.chunks.pop_back().unwrap(), vec![b'c']);
+        assert_eq!(buffer.chunks.pop_back().unwrap(), vec![b'b']);
+    }
+
+    #[cfg(unix)]
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn unified_exec_persists_across_requests_jif() -> Result<(), UnifiedExecError> {
+        skip_if_sandbox!(Ok(()));
+
+        let manager = UnifiedExecSessionManager::default();
+
+        let open_shell = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: None,
+                input_chunks: &["bash".to_string(), "-i".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+        let session_id = open_shell.session_id.expect("expected session_id");
+
+        manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_id),
+                input_chunks: &[
+                    "export".to_string(),
+                    "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
+                ],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+
+        let out_2 = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_id),
+                input_chunks: &["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+        assert!(out_2.output.contains("codex"));
+
+        Ok(())
+    }
+
+    #[cfg(unix)]
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn multi_unified_exec_sessions() -> Result<(), UnifiedExecError> {
+        skip_if_sandbox!(Ok(()));
+
+        let manager = UnifiedExecSessionManager::default();
+
+        let shell_a = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: None,
+                input_chunks: &["/bin/bash".to_string(), "-i".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+        let session_a = shell_a.session_id.expect("expected session id");
+
+        manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_a),
+                input_chunks: &["export CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+
+        let out_2 = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: None,
+                input_chunks: &[
+                    "echo".to_string(),
+                    "$CODEX_INTERACTIVE_SHELL_VAR\n".to_string(),
+                ],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+        assert!(!out_2.output.contains("codex"));
+
+        let out_3 = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_a),
+                input_chunks: &["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+        assert!(out_3.output.contains("codex"));
+
+        Ok(())
+    }
+
+    #[cfg(unix)]
+    #[tokio::test]
+    async fn unified_exec_timeouts() -> Result<(), UnifiedExecError> {
+        skip_if_sandbox!(Ok(()));
+
+        let manager = UnifiedExecSessionManager::default();
+
+        let open_shell = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: None,
+                input_chunks: &["bash".to_string(), "-i".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+        let session_id = open_shell.session_id.expect("expected session id");
+
+        manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_id),
+                input_chunks: &[
+                    "export".to_string(),
+                    "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
+                ],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+
+        let out_2 = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_id),
+                input_chunks: &["sleep 5 && echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
+                timeout_ms: Some(10),
+            })
+            .await?;
+        assert!(!out_2.output.contains("codex"));
+
+        tokio::time::sleep(Duration::from_secs(7)).await;
+
+        let empty = Vec::new();
+        let out_3 = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_id),
+                input_chunks: &empty,
+                timeout_ms: Some(100),
+            })
+            .await?;
+
+        assert!(out_3.output.contains("codex"));
+
+        Ok(())
+    }
+
+    #[cfg(unix)]
+    #[tokio::test]
+    #[ignore] // Ignored while we have a better way to test this.
+    async fn requests_with_large_timeout_are_capped() -> Result<(), UnifiedExecError> {
+        let manager = UnifiedExecSessionManager::default();
+
+        let result = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: None,
+                input_chunks: &["echo".to_string(), "codex".to_string()],
+                timeout_ms: Some(120_000),
+            })
+            .await?;
+
+        assert!(result.output.starts_with(
+            "Warning: requested timeout 120000ms exceeds maximum of 60000ms; clamping to 60000ms.\n"
+        ));
+        assert!(result.output.contains("codex"));
+
+        Ok(())
+    }
+
+    #[cfg(unix)]
+    #[tokio::test]
+    #[ignore] // Ignored while we have a better way to test this.
+    async fn completed_commands_do_not_persist_sessions() -> Result<(), UnifiedExecError> {
+        let manager = UnifiedExecSessionManager::default();
+        let result = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: None,
+                input_chunks: &["/bin/echo".to_string(), "codex".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+
+        assert!(result.session_id.is_none());
+        assert!(result.output.contains("codex"));
+
+        assert!(manager.sessions.lock().await.is_empty());
+
+        Ok(())
+    }
+
+    #[cfg(unix)]
+    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+    async fn reusing_completed_session_returns_unknown_session() -> Result<(), UnifiedExecError> {
+        skip_if_sandbox!(Ok(()));
+
+        let manager = UnifiedExecSessionManager::default();
+
+        let open_shell = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: None,
+                input_chunks: &["/bin/bash".to_string(), "-i".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+        let session_id = open_shell.session_id.expect("expected session id");
+
+        manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_id),
+                input_chunks: &["exit\n".to_string()],
+                timeout_ms: Some(2_500),
+            })
+            .await?;
+
+        tokio::time::sleep(Duration::from_millis(200)).await;
+
+        let err = manager
+            .handle_request(UnifiedExecRequest {
+                session_id: Some(session_id),
+                input_chunks: &[],
+                timeout_ms: Some(100),
+            })
+            .await
+            .expect_err("expected unknown session error");
+
+        match err {
+            UnifiedExecError::UnknownSessionId { session_id: err_id } => {
+                assert_eq!(err_id, session_id);
+            }
+            other => panic!("expected UnknownSessionId, got {other:?}"),
+        }
+
+        assert!(!manager.sessions.lock().await.contains_key(&session_id));
+
+        Ok(())
+    }
+}

codex-rs/agent_refactor.md

@@ -0,0 +1,112 @@
+# Agent Runtime Refactor
+
+## Goals
+- Decouple the Codex agent loop from CLI-specific wiring so it can run as a reusable library or standalone binary.
+- Preserve the current behaviour of `codex-core` (tooling, approvals, sandboxing, MCP integration) while providing a cleaner embedding surface.
+- Enable specialised hosts—CLI, training harnesses, response API bridges—to share the same runtime with minimal glue code.
+
+## Proposed Architecture
+### 1. `codex-agent` crate (new)
+- Owns the session runtime: `AgentRuntime`, `AgentHandle`, the states, and the task runners now under `core/src/tasks`.
+- Exposes a queue-like API: `AgentHandle::submit(Op/Submission)` and `AgentHandle::next_event()` mirroring today’s behaviour.
+- Re-exports protocol types from `codex-protocol` so consumers do not depend on the entire `codex-core` tree.
+- Houses the agent loop (`run_task`, `run_turn`, exec/safety plumbing) together with the sandbox planner (`ExecPlan`, `PreparedExec`, etc.).
+
+### 2. Shared configuration surface
+- Introduce `AgentConfig` as the minimal runtime configuration (model, provider, approvals, sandbox defaults, cwd, user/base instructions, feature flags relevant to the loop).
+- Provide `From<&Config>` for CLI compatibility; training/other hosts construct `AgentConfig` directly.
+- CLI-only concerns (logging, auth prompts, workspace presets) stay inside `codex-core` and are translated before spawning the runtime.
+
+### 3. Service abstraction layer
+- Define traits that the runtime depends on instead of concrete CLI structs:
+  - `CredentialsProvider` (wraps `AuthManager`).
+  - `Notifier` (reuses `UserNotifier` contract).
+  - `McpInterface` (start/list tools, dispatch tool calls).
+  - `SandboxManager` (wraps `BackendRegistry`/`prepare_exec_invocation` wiring).
+  - `RolloutSink` (write/flush rollout items; default no-op).
+- Provide default implementations in `codex-core` that simply wrap the existing services (`SessionServices`).
+
+### 4. Task subsystem consolidation
+- Keep the new `SessionTask` trait and concrete tasks (`RegularTask`, `ReviewTask`, `CompactTask`) inside `codex-agent` so custom hosts can opt into additional tasks without touching CLI crates.
+- Ensure task lifecycle management (`spawn_task`, `abort_all_tasks`, `ActiveTurn`) stays encapsulated in the runtime and surfaces only high-level signals (events, cancellation APIs).
+
+### 5. Sandbox execution layer
+- Move the recently created `core/src/sandbox` module into `codex-agent` (or re-export) so runtime owns exec planning.
+- Runtime exposes an injectable `SandboxRuntimeConfig` (paths, seatbelt binary, stdout streaming choice) and calls into `SandboxManager` to execute plans.
+- Respect existing environment variables and approval policies; no semantic changes to seatbelt handling.
+
+### 6. Host integrations
+- CLI crate: replaces direct usage of `Codex::spawn` with `AgentRuntime::spawn`, adapting CLI config/auth providers to runtime traits. Behaviour remains identical.
+- Training binary (`codex-agent-bin`): thin crate that parses CLI flags (Response API URL, auth token, optional instructions) and bridges remote Ops/Events to the runtime via chosen transport (MCP channel, HTTP/WebSocket bridge).
+- Additional hosts can embed the runtime by implementing the service traits and providing transport glue.
+
+### 7. Transport adapters
+- Internally keep `async_channel` for runtime queues.
+- Provide helper adapters (`AgentTransport` trait) so callers can hook streams (local channel, TCP bridge, etc.) while keeping backpressure and graceful shutdown semantics consistent.
+
+## Guidelines
+- **Config boundary**: new code must depend on `AgentConfig`; only CLI/front-ends may use the broader `Config` struct. Avoid adding CLI-specific fields to the runtime config.
+- **Trait-based services**: any runtime dependency that could vary across hosts (MCP, rollout persistence, sandbox execution, notifications) should be expressed as a trait with a default implementation living in `codex-core`.
+- **Task authoring**: additional tasks must implement `SessionTask`; tasks are responsible for calling `run_task`/`exit_review_mode` helpers and returning final assistant output for `TaskComplete` events.
+- **Sandbox safety**: all exec/patch calls must flow through `plan_exec`/`plan_apply_patch` (now under `codex-agent::sandbox`) to preserve approval semantics. Never bypass `SandboxManager`.
+- **MCP usage**: runtime talks only through `McpInterface`; hosts provide concrete connectors (existing CLI manager, lightweight training stub, etc.).
+- **Rollout handling**: default `RolloutSink` should no-op; hosts that require persistence (CLI, evaluation harness) supply an implementation that wraps existing recorder.
+- **Transport/backpressure**: treat the runtime queue as bounded and handle cancellations; adapters must propagate `Op::Shutdown` promptly.
+- **Observability**: keep tracing instrumentation intact; new modules should use existing `tracing` spans for start/end of tasks, exec calls, and MCP interactions.
+- **Code quality**: write minimalist idiomatic code. Leverage the capacity of Rust 
+
+## Current Scope Snapshot
+- `codex-agent` owns the execution/runtime surface: conversation history, rollout recording, function tool plumbing, sandbox planning, command/apply_patch safety, and the new `ApprovalCoordinator` trait that abstracts user approvals. Host-agnostic helpers such as shell formatting, bash parsing, and command safety now live here.
+- `codex-core` focuses on CLI integration: loading user configuration, wiring concrete services (auth, MCP, sandbox manager), translating CLI policies into runtime configs, and exposing the embedded runtime to front-ends. It re-exports runtime modules needed by existing callers but should avoid hosting new agent logic.
+- Session bootstrap now flows through a host-provided `prepare_session_bootstrap` helper: the CLI constructs rollout/MCP/sandbox services, builds the new `codex_agent::SessionServices` + `SessionState`, pre-builds the initial `TurnContext` (model client + tool config), and hands them to `Session::new` instead of constructing them inline.
+
+
+## Implementation Plan
+1. **Baseline & documentation**
+   - Capture current interfaces (`Codex`, `Session`, `SessionTask`) and update developer docs to reference this refactor plan.
+   - Add smoke tests covering multi-task scenarios (regular + review + compact) to guard against regressions during extraction.
+
+2. **Introduce `AgentConfig`**
+   - Define struct + conversion helpers inside `codex-core`.
+   - Refactor internal `Session::new` / `TurnContext` builders to accept `AgentConfig` without changing external behaviour.
+
+3. **Service trait extraction**
+   - Carve out trait definitions (`CredentialsProvider`, `McpInterface`, `SandboxManager`, `RolloutSink`, `Notifier`).
+   - Provide adapters backed by existing `SessionServices`.
+   - Update `Session` and helper modules to depend on traits rather than concrete structs.
+
+4. **Create `codex-agent` crate**
+   - Scaffold crate, move runtime modules (`codex.rs`, `state`, `tasks`, `sandbox`) while keeping module paths stable via `pub use` re-exports.
+   - Resolve module imports to reference trait abstractions / helper crates (e.g., `codex_protocol`, `codex-apply-patch`).
+   - Ensure crate exposes `AgentRuntime`, `AgentHandle`, and service traits.
+
+5. **Adapt `codex-core`**
+   - Replace `Codex::spawn` with thin wrapper that constructs `AgentConfig`, runtime service adapters, and delegates to `codex-agent`.
+   - Update public API to re-export runtime types if downstream crates expect them.
+   - Confirm unit tests continue to pass.
+
+6. **Update front-ends**
+   - CLI crate: switch to new runtime API; verify login/auth flows, approvals, and sandbox invocations.
+   - Other binaries (`chatgpt`, etc.) migrate similarly, adjusting imports/config conversions.
+
+7. **Add training binary**
+   - Implement new `codex-agent-bin` crate providing CLI for Response API URL + auth.
+   - Reuse existing MCP client logic where possible; otherwise, provide minimal HTTP bridge translating Ops/Events.
+   - Add integration tests using mocked Response API.
+
+8. **Refine transport adapters**
+   - Add optional helper module offering channel/TCP/WebSocket adapters along with graceful shutdown behaviour.
+   - Document how hosts select or implement transports.
+
+9. **Finalize rollout persistence strategy**
+   - Implement `RolloutSink` adapters (file-based, in-memory, disabled).
+   - Ensure CLI wires existing recorder; training binary can opt in/out via flags.
+
+10. **Docs & polish**
+    - Update repository documentation (`README`, architecture docs) to reference the new crates and APIs.
+    - Record migration notes for downstream consumers.
+    - Run `just fmt`, scoped `just fix -p`, and targeted tests for touched crates before merging.
+
+11. **Validation**
+    - Execute `cargo test -p codex-agent`, `cargo test -p codex-core`, and full suite (`cargo test --all-features`) once shared crates change.
+    - Perform manual verification: CLI session, review task, training binary against mock Response API, ensuring approvals and sandboxing behave identically.

codex-rs/ansi-escape/src/lib.rs

@@ -3,30 +3,11 @@ use ansi_to_tui::IntoText;
 use ratatui::text::Line;
 use ratatui::text::Text;
 
-// Expand tabs in a best-effort way for transcript rendering.
-// Tabs can interact poorly with left-gutter prefixes in our TUI and CLI
-// transcript views (e.g., `nl` separates line numbers from content with a tab).
-// Replacing tabs with spaces avoids odd visual artifacts without changing
-// semantics for our use cases.
-fn expand_tabs(s: &str) -> std::borrow::Cow<'_, str> {
-    if s.contains('\t') {
-        // Keep it simple: replace each tab with 4 spaces.
-        // We do not try to align to tab stops since most usages (like `nl`)
-        // look acceptable with a fixed substitution and this avoids stateful math
-        // across spans.
-        std::borrow::Cow::Owned(s.replace('\t', "    "))
-    } else {
-        std::borrow::Cow::Borrowed(s)
-    }
-}
-
 /// This function should be used when the contents of `s` are expected to match
 /// a single line. If multiple lines are found, a warning is logged and only the
 /// first line is returned.
 pub fn ansi_escape_line(s: &str) -> Line<'static> {
-    // Normalize tabs to spaces to avoid odd gutter collisions in transcript mode.
-    let s = expand_tabs(s);
-    let text = ansi_escape(&s);
+    let text = ansi_escape(s);
     match text.lines.as_slice() {
         [] => "".into(),
         [only] => only.clone(),

codex-rs/app-server-protocol/Cargo.toml

@@ -1,27 +0,0 @@
-[package]
-edition = "2024"
-name = "codex-app-server-protocol"
-version = { workspace = true }
-
-[lib]
-name = "codex_app_server_protocol"
-path = "src/lib.rs"
-
-[lints]
-workspace = true
-
-[dependencies]
-anyhow = { workspace = true }
-clap = { workspace = true, features = ["derive"] }
-codex-protocol = { workspace = true }
-paste = { workspace = true }
-schemars = { workspace = true }
-serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
-strum_macros = { workspace = true }
-ts-rs = { workspace = true }
-uuid = { workspace = true, features = ["serde", "v7"] }
-
-[dev-dependencies]
-anyhow = { workspace = true }
-pretty_assertions = { workspace = true }

codex-rs/app-server-protocol/src/bin/export.rs

@@ -1,22 +0,0 @@
-use anyhow::Result;
-use clap::Parser;
-use std::path::PathBuf;
-
-#[derive(Parser, Debug)]
-#[command(
-    about = "Generate TypeScript bindings and JSON Schemas for the Codex app-server protocol"
-)]
-struct Args {
-    /// Output directory where generated files will be written
-    #[arg(short = 'o', long = "out", value_name = "DIR")]
-    out_dir: PathBuf,
-
-    /// Optional Prettier executable path to format generated TypeScript files
-    #[arg(short = 'p', long = "prettier", value_name = "PRETTIER_BIN")]
-    prettier: Option<PathBuf>,
-}
-
-fn main() -> Result<()> {
-    let args = Args::parse();
-    codex_app_server_protocol::generate_types(&args.out_dir, args.prettier.as_deref())
-}

codex-rs/app-server-protocol/src/export.rs

@@ -1,404 +0,0 @@
-use crate::ClientNotification;
-use crate::ClientRequest;
-use crate::ServerNotification;
-use crate::ServerRequest;
-use crate::export_client_response_schemas;
-use crate::export_client_responses;
-use crate::export_server_response_schemas;
-use crate::export_server_responses;
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::anyhow;
-use schemars::JsonSchema;
-use schemars::schema::RootSchema;
-use schemars::schema_for;
-use serde::Serialize;
-use serde_json::Map;
-use serde_json::Value;
-use std::collections::BTreeMap;
-use std::ffi::OsStr;
-use std::fs;
-use std::io::Read;
-use std::io::Write;
-use std::path::Path;
-use std::path::PathBuf;
-use std::process::Command;
-use ts_rs::TS;
-
-const HEADER: &str = "// GENERATED CODE! DO NOT MODIFY BY HAND!\n\n";
-
-macro_rules! for_each_schema_type {
-    ($macro:ident) => {
-        $macro!(crate::RequestId);
-        $macro!(crate::JSONRPCMessage);
-        $macro!(crate::JSONRPCRequest);
-        $macro!(crate::JSONRPCNotification);
-        $macro!(crate::JSONRPCResponse);
-        $macro!(crate::JSONRPCError);
-        $macro!(crate::JSONRPCErrorError);
-        $macro!(crate::AddConversationListenerParams);
-        $macro!(crate::AddConversationSubscriptionResponse);
-        $macro!(crate::ApplyPatchApprovalParams);
-        $macro!(crate::ApplyPatchApprovalResponse);
-        $macro!(crate::ArchiveConversationParams);
-        $macro!(crate::ArchiveConversationResponse);
-        $macro!(crate::AuthMode);
-        $macro!(crate::AuthStatusChangeNotification);
-        $macro!(crate::CancelLoginChatGptParams);
-        $macro!(crate::CancelLoginChatGptResponse);
-        $macro!(crate::ClientInfo);
-        $macro!(crate::ClientNotification);
-        $macro!(crate::ClientRequest);
-        $macro!(crate::ConversationSummary);
-        $macro!(crate::ExecCommandApprovalParams);
-        $macro!(crate::ExecCommandApprovalResponse);
-        $macro!(crate::ExecOneOffCommandParams);
-        $macro!(crate::ExecOneOffCommandResponse);
-        $macro!(crate::FuzzyFileSearchParams);
-        $macro!(crate::FuzzyFileSearchResponse);
-        $macro!(crate::FuzzyFileSearchResult);
-        $macro!(crate::GetAuthStatusParams);
-        $macro!(crate::GetAuthStatusResponse);
-        $macro!(crate::GetUserAgentResponse);
-        $macro!(crate::GetUserSavedConfigResponse);
-        $macro!(crate::GitDiffToRemoteParams);
-        $macro!(crate::GitDiffToRemoteResponse);
-        $macro!(crate::GitSha);
-        $macro!(crate::InitializeParams);
-        $macro!(crate::InitializeResponse);
-        $macro!(crate::InputItem);
-        $macro!(crate::InterruptConversationParams);
-        $macro!(crate::InterruptConversationResponse);
-        $macro!(crate::ListConversationsParams);
-        $macro!(crate::ListConversationsResponse);
-        $macro!(crate::LoginApiKeyParams);
-        $macro!(crate::LoginApiKeyResponse);
-        $macro!(crate::LoginChatGptCompleteNotification);
-        $macro!(crate::LoginChatGptResponse);
-        $macro!(crate::LogoutChatGptParams);
-        $macro!(crate::LogoutChatGptResponse);
-        $macro!(crate::NewConversationParams);
-        $macro!(crate::NewConversationResponse);
-        $macro!(crate::Profile);
-        $macro!(crate::RemoveConversationListenerParams);
-        $macro!(crate::RemoveConversationSubscriptionResponse);
-        $macro!(crate::ResumeConversationParams);
-        $macro!(crate::ResumeConversationResponse);
-        $macro!(crate::SandboxSettings);
-        $macro!(crate::SendUserMessageParams);
-        $macro!(crate::SendUserMessageResponse);
-        $macro!(crate::SendUserTurnParams);
-        $macro!(crate::SendUserTurnResponse);
-        $macro!(crate::ServerNotification);
-        $macro!(crate::ServerRequest);
-        $macro!(crate::SessionConfiguredNotification);
-        $macro!(crate::SetDefaultModelParams);
-        $macro!(crate::SetDefaultModelResponse);
-        $macro!(crate::Tools);
-        $macro!(crate::UserInfoResponse);
-        $macro!(crate::UserSavedConfig);
-        $macro!(codex_protocol::protocol::EventMsg);
-        $macro!(codex_protocol::protocol::FileChange);
-        $macro!(codex_protocol::parse_command::ParsedCommand);
-        $macro!(codex_protocol::protocol::SandboxPolicy);
-    };
-}
-
-pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
-    generate_ts(out_dir, prettier)?;
-    generate_json(out_dir)?;
-    Ok(())
-}
-
-pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
-    ensure_dir(out_dir)?;
-
-    ClientRequest::export_all_to(out_dir)?;
-    export_client_responses(out_dir)?;
-    ClientNotification::export_all_to(out_dir)?;
-
-    ServerRequest::export_all_to(out_dir)?;
-    export_server_responses(out_dir)?;
-    ServerNotification::export_all_to(out_dir)?;
-
-    generate_index_ts(out_dir)?;
-
-    let ts_files = ts_files_in(out_dir)?;
-    for file in &ts_files {
-        prepend_header_if_missing(file)?;
-    }
-
-    if let Some(prettier_bin) = prettier
-        && !ts_files.is_empty()
-    {
-        let status = Command::new(prettier_bin)
-            .arg("--write")
-            .args(ts_files.iter().map(|p| p.as_os_str()))
-            .status()
-            .with_context(|| format!("Failed to invoke Prettier at {}", prettier_bin.display()))?;
-        if !status.success() {
-            return Err(anyhow!("Prettier failed with status {status}"));
-        }
-    }
-
-    Ok(())
-}
-
-pub fn generate_json(out_dir: &Path) -> Result<()> {
-    ensure_dir(out_dir)?;
-    let mut bundle: BTreeMap<String, RootSchema> = BTreeMap::new();
-
-    macro_rules! add_schema {
-        ($ty:path) => {{
-            let name = type_basename(stringify!($ty));
-            let schema = write_json_schema_with_return::<$ty>(out_dir, &name)?;
-            bundle.insert(name, schema);
-        }};
-    }
-
-    for_each_schema_type!(add_schema);
-
-    export_client_response_schemas(out_dir)?;
-    export_server_response_schemas(out_dir)?;
-
-    let mut definitions = Map::new();
-
-    const SPECIAL_DEFINITIONS: &[&str] = &[
-        "ClientNotification",
-        "ClientRequest",
-        "EventMsg",
-        "FileChange",
-        "InputItem",
-        "ParsedCommand",
-        "SandboxPolicy",
-        "ServerNotification",
-        "ServerRequest",
-    ];
-
-    for (name, schema) in bundle {
-        let mut schema_value = serde_json::to_value(schema)?;
-        if let Value::Object(ref mut obj) = schema_value {
-            if let Some(defs) = obj.remove("definitions")
-                && let Value::Object(defs_obj) = defs
-            {
-                for (def_name, def_schema) in defs_obj {
-                    if !SPECIAL_DEFINITIONS.contains(&def_name.as_str()) {
-                        definitions.insert(def_name, def_schema);
-                    }
-                }
-            }
-
-            if let Some(Value::Array(one_of)) = obj.get_mut("oneOf") {
-                for variant in one_of.iter_mut() {
-                    if let Some(variant_name) = variant_definition_name(&name, variant)
-                        && let Value::Object(variant_obj) = variant
-                    {
-                        variant_obj.insert("title".into(), Value::String(variant_name));
-                    }
-                }
-            }
-        }
-        definitions.insert(name, schema_value);
-    }
-
-    let mut root = Map::new();
-    root.insert(
-        "$schema".to_string(),
-        Value::String("http://json-schema.org/draft-07/schema#".into()),
-    );
-    root.insert(
-        "title".to_string(),
-        Value::String("CodexAppServerProtocol".into()),
-    );
-    root.insert("type".to_string(), Value::String("object".into()));
-    root.insert("definitions".to_string(), Value::Object(definitions));
-
-    write_pretty_json(
-        out_dir.join("codex_app_server_protocol.schemas.json"),
-        &Value::Object(root),
-    )?;
-
-    Ok(())
-}
-
-fn write_json_schema_with_return<T>(out_dir: &Path, name: &str) -> Result<RootSchema>
-where
-    T: JsonSchema,
-{
-    let file_stem = name.trim();
-    let schema = schema_for!(T);
-    write_pretty_json(out_dir.join(format!("{file_stem}.json")), &schema)
-        .with_context(|| format!("Failed to write JSON schema for {file_stem}"))?;
-    Ok(schema)
-}
-
-pub(crate) fn write_json_schema<T>(out_dir: &Path, name: &str) -> Result<()>
-where
-    T: JsonSchema,
-{
-    write_json_schema_with_return::<T>(out_dir, name).map(|_| ())
-}
-
-fn write_pretty_json(path: PathBuf, value: &impl Serialize) -> Result<()> {
-    let json = serde_json::to_vec_pretty(value)
-        .with_context(|| format!("Failed to serialize JSON schema to {}", path.display()))?;
-    fs::write(&path, json).with_context(|| format!("Failed to write {}", path.display()))?;
-    Ok(())
-}
-fn type_basename(type_path: &str) -> String {
-    type_path
-        .rsplit_once("::")
-        .map(|(_, name)| name)
-        .unwrap_or(type_path)
-        .trim()
-        .to_string()
-}
-
-fn variant_definition_name(base: &str, variant: &Value) -> Option<String> {
-    if let Some(props) = variant.get("properties").and_then(Value::as_object) {
-        if let Some(method_literal) = literal_from_property(props, "method") {
-            let pascal = to_pascal_case(method_literal);
-            return Some(match base {
-                "ClientRequest" | "ServerRequest" => format!("{pascal}Request"),
-                "ClientNotification" | "ServerNotification" => format!("{pascal}Notification"),
-                _ => format!("{pascal}{base}"),
-            });
-        }
-
-        if let Some(type_literal) = literal_from_property(props, "type") {
-            let pascal = to_pascal_case(type_literal);
-            return Some(match base {
-                "EventMsg" => format!("{pascal}EventMsg"),
-                _ => format!("{pascal}{base}"),
-            });
-        }
-
-        if let Some(mode_literal) = literal_from_property(props, "mode") {
-            let pascal = to_pascal_case(mode_literal);
-            return Some(match base {
-                "SandboxPolicy" => format!("{pascal}SandboxPolicy"),
-                _ => format!("{pascal}{base}"),
-            });
-        }
-
-        if props.len() == 1
-            && let Some(key) = props.keys().next()
-        {
-            let pascal = to_pascal_case(key);
-            return Some(format!("{pascal}{base}"));
-        }
-    }
-
-    if let Some(required) = variant.get("required").and_then(Value::as_array)
-        && required.len() == 1
-        && let Some(key) = required[0].as_str()
-    {
-        let pascal = to_pascal_case(key);
-        return Some(format!("{pascal}{base}"));
-    }
-
-    None
-}
-
-fn literal_from_property<'a>(props: &'a Map<String, Value>, key: &str) -> Option<&'a str> {
-    props
-        .get(key)
-        .and_then(|value| value.get("enum"))
-        .and_then(Value::as_array)
-        .and_then(|arr| arr.first())
-        .and_then(Value::as_str)
-}
-
-fn to_pascal_case(input: &str) -> String {
-    let mut result = String::new();
-    let mut capitalize_next = true;
-
-    for c in input.chars() {
-        if c == '_' || c == '-' {
-            capitalize_next = true;
-            continue;
-        }
-
-        if capitalize_next {
-            result.extend(c.to_uppercase());
-            capitalize_next = false;
-        } else {
-            result.push(c);
-        }
-    }
-
-    result
-}
-
-fn ensure_dir(dir: &Path) -> Result<()> {
-    fs::create_dir_all(dir)
-        .with_context(|| format!("Failed to create output directory {}", dir.display()))
-}
-
-fn prepend_header_if_missing(path: &Path) -> Result<()> {
-    let mut content = String::new();
-    {
-        let mut f = fs::File::open(path)
-            .with_context(|| format!("Failed to open {} for reading", path.display()))?;
-        f.read_to_string(&mut content)
-            .with_context(|| format!("Failed to read {}", path.display()))?;
-    }
-
-    if content.starts_with(HEADER) {
-        return Ok(());
-    }
-
-    let mut f = fs::File::create(path)
-        .with_context(|| format!("Failed to open {} for writing", path.display()))?;
-    f.write_all(HEADER.as_bytes())
-        .with_context(|| format!("Failed to write header to {}", path.display()))?;
-    f.write_all(content.as_bytes())
-        .with_context(|| format!("Failed to write content to {}", path.display()))?;
-    Ok(())
-}
-
-fn ts_files_in(dir: &Path) -> Result<Vec<PathBuf>> {
-    let mut files = Vec::new();
-    for entry in
-        fs::read_dir(dir).with_context(|| format!("Failed to read dir {}", dir.display()))?
-    {
-        let entry = entry?;
-        let path = entry.path();
-        if path.is_file() && path.extension() == Some(OsStr::new("ts")) {
-            files.push(path);
-        }
-    }
-    files.sort();
-    Ok(files)
-}
-
-fn generate_index_ts(out_dir: &Path) -> Result<PathBuf> {
-    let mut entries: Vec<String> = Vec::new();
-    let mut stems: Vec<String> = ts_files_in(out_dir)?
-        .into_iter()
-        .filter_map(|p| {
-            let stem = p.file_stem()?.to_string_lossy().into_owned();
-            if stem == "index" { None } else { Some(stem) }
-        })
-        .collect();
-    stems.sort();
-    stems.dedup();
-
-    for name in stems {
-        entries.push(format!("export type {{ {name} }} from \"./{name}\";\n"));
-    }
-
-    let mut content =
-        String::with_capacity(HEADER.len() + entries.iter().map(String::len).sum::<usize>());
-    content.push_str(HEADER);
-    for line in &entries {
-        content.push_str(line);
-    }
-
-    let index_path = out_dir.join("index.ts");
-    let mut f = fs::File::create(&index_path)
-        .with_context(|| format!("Failed to create {}", index_path.display()))?;
-    f.write_all(content.as_bytes())
-        .with_context(|| format!("Failed to write {}", index_path.display()))?;
-    Ok(index_path)
-}

codex-rs/app-server-protocol/src/jsonrpc_lite.rs

@@ -1,68 +0,0 @@
-//! We do not do true JSON-RPC 2.0, as we neither send nor expect the
-//! "jsonrpc": "2.0" field.
-
-use schemars::JsonSchema;
-use serde::Deserialize;
-use serde::Serialize;
-use ts_rs::TS;
-
-pub const JSONRPC_VERSION: &str = "2.0";
-
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, Hash, Eq, JsonSchema, TS)]
-#[serde(untagged)]
-pub enum RequestId {
-    String(String),
-    #[ts(type = "number")]
-    Integer(i64),
-}
-
-pub type Result = serde_json::Value;
-
-/// Refers to any valid JSON-RPC object that can be decoded off the wire, or encoded to be sent.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
-#[serde(untagged)]
-pub enum JSONRPCMessage {
-    Request(JSONRPCRequest),
-    Notification(JSONRPCNotification),
-    Response(JSONRPCResponse),
-    Error(JSONRPCError),
-}
-
-/// A request that expects a response.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
-pub struct JSONRPCRequest {
-    pub id: RequestId,
-    pub method: String,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub params: Option<serde_json::Value>,
-}
-
-/// A notification which does not expect a response.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
-pub struct JSONRPCNotification {
-    pub method: String,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub params: Option<serde_json::Value>,
-}
-
-/// A successful (non-error) response to a request.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
-pub struct JSONRPCResponse {
-    pub id: RequestId,
-    pub result: Result,
-}
-
-/// A response to a request that indicates an error occurred.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
-pub struct JSONRPCError {
-    pub error: JSONRPCErrorError,
-    pub id: RequestId,
-}
-
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
-pub struct JSONRPCErrorError {
-    pub code: i64,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub data: Option<serde_json::Value>,
-    pub message: String,
-}

codex-rs/app-server-protocol/src/lib.rs

@@ -1,9 +0,0 @@
-mod export;
-mod jsonrpc_lite;
-mod protocol;
-
-pub use export::generate_json;
-pub use export::generate_ts;
-pub use export::generate_types;
-pub use jsonrpc_lite::*;
-pub use protocol::*;

codex-rs/app-server/Cargo.toml

@@ -1,52 +0,0 @@
-[package]
-edition = "2024"
-name = "codex-app-server"
-version = { workspace = true }
-
-[[bin]]
-name = "codex-app-server"
-path = "src/main.rs"
-
-[lib]
-name = "codex_app_server"
-path = "src/lib.rs"
-
-[lints]
-workspace = true
-
-[dependencies]
-anyhow = { workspace = true }
-codex-arg0 = { workspace = true }
-codex-common = { workspace = true, features = ["cli"] }
-codex-core = { workspace = true }
-codex-backend-client = { workspace = true }
-codex-file-search = { workspace = true }
-codex-login = { workspace = true }
-codex-protocol = { workspace = true }
-codex-app-server-protocol = { workspace = true }
-codex-utils-json-to-toml = { workspace = true }
-chrono = { workspace = true }
-serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
-tokio = { workspace = true, features = [
-    "io-std",
-    "macros",
-    "process",
-    "rt-multi-thread",
-    "signal",
-] }
-tracing = { workspace = true, features = ["log"] }
-tracing-subscriber = { workspace = true, features = ["env-filter", "fmt"] }
-opentelemetry-appender-tracing = { workspace = true }
-uuid = { workspace = true, features = ["serde", "v7"] }
-
-[dev-dependencies]
-app_test_support = { workspace = true }
-assert_cmd = { workspace = true }
-base64 = { workspace = true }
-core_test_support = { workspace = true }
-os_info = { workspace = true }
-pretty_assertions = { workspace = true }
-tempfile = { workspace = true }
-toml = { workspace = true }
-wiremock = { workspace = true }

codex-rs/app-server/README.md

@@ -1,15 +0,0 @@
-# codex-app-server
-
-`codex app-server` is the harness Codex uses to power rich interfaces such as the [Codex VS Code extension](https://marketplace.visualstudio.com/items?itemName=openai.chatgpt). The message schema is currently unstable, but those who wish to build experimental UIs on top of Codex may find it valuable.
-
-## Protocol
-
-Similar to [MCP](https://modelcontextprotocol.io/), `codex app-server` supports bidirectional communication, streaming JSONL over stdio. The protocol is JSON-RPC 2.0, though the `"jsonrpc":"2.0"` header is omitted.
-
-## Message Schema
-
-Currently, you can dump a TypeScript version of the schema using `codex generate-ts`. It is specific to the version of Codex you used to run `generate-ts`, so the two are guaranteed to be compatible.
-
-```
-codex generate-ts --out DIR
-```

codex-rs/app-server/src/error_code.rs

@@ -1,2 +0,0 @@
-pub(crate) const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-pub(crate) const INTERNAL_ERROR_CODE: i64 = -32603;

codex-rs/app-server/src/fuzzy_file_search.rs

@@ -1,92 +0,0 @@
-use std::num::NonZero;
-use std::num::NonZeroUsize;
-use std::path::Path;
-use std::path::PathBuf;
-use std::sync::Arc;
-use std::sync::atomic::AtomicBool;
-
-use codex_app_server_protocol::FuzzyFileSearchResult;
-use codex_file_search as file_search;
-use tokio::task::JoinSet;
-use tracing::warn;
-
-const LIMIT_PER_ROOT: usize = 50;
-const MAX_THREADS: usize = 12;
-const COMPUTE_INDICES: bool = true;
-
-pub(crate) async fn run_fuzzy_file_search(
-    query: String,
-    roots: Vec<String>,
-    cancellation_flag: Arc<AtomicBool>,
-) -> Vec<FuzzyFileSearchResult> {
-    #[expect(clippy::expect_used)]
-    let limit_per_root =
-        NonZero::new(LIMIT_PER_ROOT).expect("LIMIT_PER_ROOT should be a valid non-zero usize");
-
-    let cores = std::thread::available_parallelism()
-        .map(std::num::NonZero::get)
-        .unwrap_or(1);
-    let threads = cores.min(MAX_THREADS);
-    let threads_per_root = (threads / roots.len()).max(1);
-    let threads = NonZero::new(threads_per_root).unwrap_or(NonZeroUsize::MIN);
-
-    let mut files: Vec<FuzzyFileSearchResult> = Vec::new();
-    let mut join_set = JoinSet::new();
-
-    for root in roots {
-        let search_dir = PathBuf::from(&root);
-        let query = query.clone();
-        let cancel_flag = cancellation_flag.clone();
-        join_set.spawn_blocking(move || {
-            match file_search::run(
-                query.as_str(),
-                limit_per_root,
-                &search_dir,
-                Vec::new(),
-                threads,
-                cancel_flag,
-                COMPUTE_INDICES,
-            ) {
-                Ok(res) => Ok((root, res)),
-                Err(err) => Err((root, err)),
-            }
-        });
-    }
-
-    while let Some(res) = join_set.join_next().await {
-        match res {
-            Ok(Ok((root, res))) => {
-                for m in res.matches {
-                    let path = m.path;
-                    //TODO(shijie): Move file name generation to file_search lib.
-                    let file_name = Path::new(&path)
-                        .file_name()
-                        .map(|name| name.to_string_lossy().into_owned())
-                        .unwrap_or_else(|| path.clone());
-                    let result = FuzzyFileSearchResult {
-                        root: root.clone(),
-                        path,
-                        file_name,
-                        score: m.score,
-                        indices: m.indices,
-                    };
-                    files.push(result);
-                }
-            }
-            Ok(Err((root, err))) => {
-                warn!("fuzzy-file-search in dir '{root}' failed: {err}");
-            }
-            Err(err) => {
-                warn!("fuzzy-file-search join_next failed: {err}");
-            }
-        }
-    }
-
-    files.sort_by(file_search::cmp_by_score_desc_then_path_asc::<
-        FuzzyFileSearchResult,
-        _,
-        _,
-    >(|f| f.score, |f| f.path.as_str()));
-
-    files
-}

codex-rs/app-server/src/lib.rs

@@ -1,159 +0,0 @@
-#![deny(clippy::print_stdout, clippy::print_stderr)]
-
-use codex_common::CliConfigOverrides;
-use codex_core::config::Config;
-use codex_core::config::ConfigOverrides;
-use opentelemetry_appender_tracing::layer::OpenTelemetryTracingBridge;
-use std::io::ErrorKind;
-use std::io::Result as IoResult;
-use std::path::PathBuf;
-
-use crate::message_processor::MessageProcessor;
-use crate::outgoing_message::OutgoingMessage;
-use crate::outgoing_message::OutgoingMessageSender;
-use codex_app_server_protocol::JSONRPCMessage;
-use tokio::io::AsyncBufReadExt;
-use tokio::io::AsyncWriteExt;
-use tokio::io::BufReader;
-use tokio::io::{self};
-use tokio::sync::mpsc;
-use tracing::debug;
-use tracing::error;
-use tracing::info;
-use tracing_subscriber::EnvFilter;
-use tracing_subscriber::Layer;
-use tracing_subscriber::layer::SubscriberExt;
-use tracing_subscriber::util::SubscriberInitExt;
-
-mod codex_message_processor;
-mod error_code;
-mod fuzzy_file_search;
-mod message_processor;
-mod models;
-mod outgoing_message;
-
-/// Size of the bounded channels used to communicate between tasks. The value
-/// is a balance between throughput and memory usage – 128 messages should be
-/// plenty for an interactive CLI.
-const CHANNEL_CAPACITY: usize = 128;
-
-pub async fn run_main(
-    codex_linux_sandbox_exe: Option<PathBuf>,
-    cli_config_overrides: CliConfigOverrides,
-) -> IoResult<()> {
-    // Set up channels.
-    let (incoming_tx, mut incoming_rx) = mpsc::channel::<JSONRPCMessage>(CHANNEL_CAPACITY);
-    let (outgoing_tx, mut outgoing_rx) = mpsc::unbounded_channel::<OutgoingMessage>();
-
-    // Task: read from stdin, push to `incoming_tx`.
-    let stdin_reader_handle = tokio::spawn({
-        async move {
-            let stdin = io::stdin();
-            let reader = BufReader::new(stdin);
-            let mut lines = reader.lines();
-
-            while let Some(line) = lines.next_line().await.unwrap_or_default() {
-                match serde_json::from_str::<JSONRPCMessage>(&line) {
-                    Ok(msg) => {
-                        if incoming_tx.send(msg).await.is_err() {
-                            // Receiver gone – nothing left to do.
-                            break;
-                        }
-                    }
-                    Err(e) => error!("Failed to deserialize JSONRPCMessage: {e}"),
-                }
-            }
-
-            debug!("stdin reader finished (EOF)");
-        }
-    });
-
-    // Parse CLI overrides once and derive the base Config eagerly so later
-    // components do not need to work with raw TOML values.
-    let cli_kv_overrides = cli_config_overrides.parse_overrides().map_err(|e| {
-        std::io::Error::new(
-            ErrorKind::InvalidInput,
-            format!("error parsing -c overrides: {e}"),
-        )
-    })?;
-    let config = Config::load_with_cli_overrides(cli_kv_overrides, ConfigOverrides::default())
-        .await
-        .map_err(|e| {
-            std::io::Error::new(ErrorKind::InvalidData, format!("error loading config: {e}"))
-        })?;
-
-    let otel =
-        codex_core::otel_init::build_provider(&config, env!("CARGO_PKG_VERSION")).map_err(|e| {
-            std::io::Error::new(
-                ErrorKind::InvalidData,
-                format!("error loading otel config: {e}"),
-            )
-        })?;
-
-    // Install a simple subscriber so `tracing` output is visible.  Users can
-    // control the log level with `RUST_LOG`.
-    let stderr_fmt = tracing_subscriber::fmt::layer()
-        .with_writer(std::io::stderr)
-        .with_filter(EnvFilter::from_default_env());
-
-    let _ = tracing_subscriber::registry()
-        .with(stderr_fmt)
-        .with(otel.as_ref().map(|provider| {
-            OpenTelemetryTracingBridge::new(&provider.logger).with_filter(
-                tracing_subscriber::filter::filter_fn(codex_core::otel_init::codex_export_filter),
-            )
-        }))
-        .try_init();
-
-    // Task: process incoming messages.
-    let processor_handle = tokio::spawn({
-        let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
-        let mut processor = MessageProcessor::new(
-            outgoing_message_sender,
-            codex_linux_sandbox_exe,
-            std::sync::Arc::new(config),
-        );
-        async move {
-            while let Some(msg) = incoming_rx.recv().await {
-                match msg {
-                    JSONRPCMessage::Request(r) => processor.process_request(r).await,
-                    JSONRPCMessage::Response(r) => processor.process_response(r).await,
-                    JSONRPCMessage::Notification(n) => processor.process_notification(n).await,
-                    JSONRPCMessage::Error(e) => processor.process_error(e),
-                }
-            }
-
-            info!("processor task exited (channel closed)");
-        }
-    });
-
-    // Task: write outgoing messages to stdout.
-    let stdout_writer_handle = tokio::spawn(async move {
-        let mut stdout = io::stdout();
-        while let Some(outgoing_message) = outgoing_rx.recv().await {
-            let Ok(value) = serde_json::to_value(outgoing_message) else {
-                error!("Failed to convert OutgoingMessage to JSON value");
-                continue;
-            };
-            match serde_json::to_string(&value) {
-                Ok(mut json) => {
-                    json.push('\n');
-                    if let Err(e) = stdout.write_all(json.as_bytes()).await {
-                        error!("Failed to write to stdout: {e}");
-                        break;
-                    }
-                }
-                Err(e) => error!("Failed to serialize JSONRPCMessage: {e}"),
-            }
-        }
-
-        info!("stdout writer exited (channel closed)");
-    });
-
-    // Wait for all tasks to finish.  The typical exit path is the stdin reader
-    // hitting EOF which, once it drops `incoming_tx`, propagates shutdown to
-    // the processor and then to the stdout task.
-    let _ = tokio::join!(stdin_reader_handle, processor_handle, stdout_writer_handle);
-
-    Ok(())
-}

codex-rs/app-server/src/main.rs

@@ -1,10 +0,0 @@
-use codex_app_server::run_main;
-use codex_arg0::arg0_dispatch_or_else;
-use codex_common::CliConfigOverrides;
-
-fn main() -> anyhow::Result<()> {
-    arg0_dispatch_or_else(|codex_linux_sandbox_exe| async move {
-        run_main(codex_linux_sandbox_exe, CliConfigOverrides::default()).await?;
-        Ok(())
-    })
-}

codex-rs/app-server/src/message_processor.rs

@@ -1,137 +0,0 @@
-use std::path::PathBuf;
-
-use crate::codex_message_processor::CodexMessageProcessor;
-use crate::error_code::INVALID_REQUEST_ERROR_CODE;
-use crate::outgoing_message::OutgoingMessageSender;
-use codex_app_server_protocol::ClientInfo;
-use codex_app_server_protocol::ClientRequest;
-use codex_app_server_protocol::InitializeResponse;
-
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCErrorError;
-use codex_app_server_protocol::JSONRPCNotification;
-use codex_app_server_protocol::JSONRPCRequest;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_core::AuthManager;
-use codex_core::ConversationManager;
-use codex_core::config::Config;
-use codex_core::default_client::USER_AGENT_SUFFIX;
-use codex_core::default_client::get_codex_user_agent;
-use codex_protocol::protocol::SessionSource;
-use std::sync::Arc;
-
-pub(crate) struct MessageProcessor {
-    outgoing: Arc<OutgoingMessageSender>,
-    codex_message_processor: CodexMessageProcessor,
-    initialized: bool,
-}
-
-impl MessageProcessor {
-    /// Create a new `MessageProcessor`, retaining a handle to the outgoing
-    /// `Sender` so handlers can enqueue messages to be written to stdout.
-    pub(crate) fn new(
-        outgoing: OutgoingMessageSender,
-        codex_linux_sandbox_exe: Option<PathBuf>,
-        config: Arc<Config>,
-    ) -> Self {
-        let outgoing = Arc::new(outgoing);
-        let auth_manager = AuthManager::shared(config.codex_home.clone(), false);
-        let conversation_manager = Arc::new(ConversationManager::new(
-            auth_manager.clone(),
-            SessionSource::VSCode,
-        ));
-        let codex_message_processor = CodexMessageProcessor::new(
-            auth_manager,
-            conversation_manager,
-            outgoing.clone(),
-            codex_linux_sandbox_exe,
-            config,
-        );
-
-        Self {
-            outgoing,
-            codex_message_processor,
-            initialized: false,
-        }
-    }
-
-    pub(crate) async fn process_request(&mut self, request: JSONRPCRequest) {
-        let request_id = request.id.clone();
-        if let Ok(request_json) = serde_json::to_value(request)
-            && let Ok(codex_request) = serde_json::from_value::<ClientRequest>(request_json)
-        {
-            match codex_request {
-                // Handle Initialize internally so CodexMessageProcessor does not have to concern
-                // itself with the `initialized` bool.
-                ClientRequest::Initialize { request_id, params } => {
-                    if self.initialized {
-                        let error = JSONRPCErrorError {
-                            code: INVALID_REQUEST_ERROR_CODE,
-                            message: "Already initialized".to_string(),
-                            data: None,
-                        };
-                        self.outgoing.send_error(request_id, error).await;
-                        return;
-                    } else {
-                        let ClientInfo {
-                            name,
-                            title: _title,
-                            version,
-                        } = params.client_info;
-                        let user_agent_suffix = format!("{name}; {version}");
-                        if let Ok(mut suffix) = USER_AGENT_SUFFIX.lock() {
-                            *suffix = Some(user_agent_suffix);
-                        }
-
-                        let user_agent = get_codex_user_agent();
-                        let response = InitializeResponse { user_agent };
-                        self.outgoing.send_response(request_id, response).await;
-
-                        self.initialized = true;
-                        return;
-                    }
-                }
-                _ => {
-                    if !self.initialized {
-                        let error = JSONRPCErrorError {
-                            code: INVALID_REQUEST_ERROR_CODE,
-                            message: "Not initialized".to_string(),
-                            data: None,
-                        };
-                        self.outgoing.send_error(request_id, error).await;
-                        return;
-                    }
-                }
-            }
-
-            self.codex_message_processor
-                .process_request(codex_request)
-                .await;
-        } else {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "Invalid request".to_string(),
-                data: None,
-            };
-            self.outgoing.send_error(request_id, error).await;
-        }
-    }
-
-    pub(crate) async fn process_notification(&self, notification: JSONRPCNotification) {
-        // Currently, we do not expect to receive any notifications from the
-        // client, so we just log them.
-        tracing::info!("<- notification: {:?}", notification);
-    }
-
-    /// Handle a standalone JSON-RPC response originating from the peer.
-    pub(crate) async fn process_response(&mut self, response: JSONRPCResponse) {
-        tracing::info!("<- response: {:?}", response);
-        let JSONRPCResponse { id, result, .. } = response;
-        self.outgoing.notify_client_response(id, result).await
-    }
-
-    /// Handle an error object received from the peer.
-    pub(crate) fn process_error(&mut self, err: JSONRPCError) {
-        tracing::error!("<- error: {:?}", err);
-    }
-}

codex-rs/app-server/src/models.rs

@@ -1,38 +0,0 @@
-use codex_app_server_protocol::Model;
-use codex_app_server_protocol::ReasoningEffortOption;
-use codex_common::model_presets::ModelPreset;
-use codex_common::model_presets::ReasoningEffortPreset;
-use codex_common::model_presets::builtin_model_presets;
-
-pub fn supported_models() -> Vec<Model> {
-    builtin_model_presets(None)
-        .into_iter()
-        .map(model_from_preset)
-        .collect()
-}
-
-fn model_from_preset(preset: ModelPreset) -> Model {
-    Model {
-        id: preset.id.to_string(),
-        model: preset.model.to_string(),
-        display_name: preset.display_name.to_string(),
-        description: preset.description.to_string(),
-        supported_reasoning_efforts: reasoning_efforts_from_preset(
-            preset.supported_reasoning_efforts,
-        ),
-        default_reasoning_effort: preset.default_reasoning_effort,
-        is_default: preset.is_default,
-    }
-}
-
-fn reasoning_efforts_from_preset(
-    efforts: &'static [ReasoningEffortPreset],
-) -> Vec<ReasoningEffortOption> {
-    efforts
-        .iter()
-        .map(|preset| ReasoningEffortOption {
-            reasoning_effort: preset.effort,
-            description: preset.description.to_string(),
-        })
-        .collect()
-}

codex-rs/app-server/src/outgoing_message.rs

@@ -1,174 +0,0 @@
-use std::collections::HashMap;
-use std::sync::atomic::AtomicI64;
-use std::sync::atomic::Ordering;
-
-use codex_app_server_protocol::JSONRPCErrorError;
-use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::Result;
-use codex_app_server_protocol::ServerNotification;
-use codex_app_server_protocol::ServerRequest;
-use codex_app_server_protocol::ServerRequestPayload;
-use serde::Serialize;
-use tokio::sync::Mutex;
-use tokio::sync::mpsc;
-use tokio::sync::oneshot;
-use tracing::warn;
-
-use crate::error_code::INTERNAL_ERROR_CODE;
-
-/// Sends messages to the client and manages request callbacks.
-pub(crate) struct OutgoingMessageSender {
-    next_request_id: AtomicI64,
-    sender: mpsc::UnboundedSender<OutgoingMessage>,
-    request_id_to_callback: Mutex<HashMap<RequestId, oneshot::Sender<Result>>>,
-}
-
-impl OutgoingMessageSender {
-    pub(crate) fn new(sender: mpsc::UnboundedSender<OutgoingMessage>) -> Self {
-        Self {
-            next_request_id: AtomicI64::new(0),
-            sender,
-            request_id_to_callback: Mutex::new(HashMap::new()),
-        }
-    }
-
-    pub(crate) async fn send_request(
-        &self,
-        request: ServerRequestPayload,
-    ) -> oneshot::Receiver<Result> {
-        let id = RequestId::Integer(self.next_request_id.fetch_add(1, Ordering::Relaxed));
-        let outgoing_message_id = id.clone();
-        let (tx_approve, rx_approve) = oneshot::channel();
-        {
-            let mut request_id_to_callback = self.request_id_to_callback.lock().await;
-            request_id_to_callback.insert(id, tx_approve);
-        }
-
-        let outgoing_message =
-            OutgoingMessage::Request(request.request_with_id(outgoing_message_id));
-        let _ = self.sender.send(outgoing_message);
-        rx_approve
-    }
-
-    pub(crate) async fn notify_client_response(&self, id: RequestId, result: Result) {
-        let entry = {
-            let mut request_id_to_callback = self.request_id_to_callback.lock().await;
-            request_id_to_callback.remove_entry(&id)
-        };
-
-        match entry {
-            Some((id, sender)) => {
-                if let Err(err) = sender.send(result) {
-                    warn!("could not notify callback for {id:?} due to: {err:?}");
-                }
-            }
-            None => {
-                warn!("could not find callback for {id:?}");
-            }
-        }
-    }
-
-    pub(crate) async fn send_response<T: Serialize>(&self, id: RequestId, response: T) {
-        match serde_json::to_value(response) {
-            Ok(result) => {
-                let outgoing_message = OutgoingMessage::Response(OutgoingResponse { id, result });
-                let _ = self.sender.send(outgoing_message);
-            }
-            Err(err) => {
-                self.send_error(
-                    id,
-                    JSONRPCErrorError {
-                        code: INTERNAL_ERROR_CODE,
-                        message: format!("failed to serialize response: {err}"),
-                        data: None,
-                    },
-                )
-                .await;
-            }
-        }
-    }
-
-    pub(crate) async fn send_server_notification(&self, notification: ServerNotification) {
-        let _ = self
-            .sender
-            .send(OutgoingMessage::AppServerNotification(notification));
-    }
-
-    /// All notifications should be migrated to [`ServerNotification`] and
-    /// [`OutgoingMessage::Notification`] should be removed.
-    pub(crate) async fn send_notification(&self, notification: OutgoingNotification) {
-        let outgoing_message = OutgoingMessage::Notification(notification);
-        let _ = self.sender.send(outgoing_message);
-    }
-
-    pub(crate) async fn send_error(&self, id: RequestId, error: JSONRPCErrorError) {
-        let outgoing_message = OutgoingMessage::Error(OutgoingError { id, error });
-        let _ = self.sender.send(outgoing_message);
-    }
-}
-
-/// Outgoing message from the server to the client.
-#[derive(Debug, Clone, Serialize)]
-#[serde(untagged)]
-pub(crate) enum OutgoingMessage {
-    Request(ServerRequest),
-    Notification(OutgoingNotification),
-    /// AppServerNotification is specific to the case where this is run as an
-    /// "app server" as opposed to an MCP server.
-    AppServerNotification(ServerNotification),
-    Response(OutgoingResponse),
-    Error(OutgoingError),
-}
-
-#[derive(Debug, Clone, PartialEq, Serialize)]
-pub(crate) struct OutgoingNotification {
-    pub method: String,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub params: Option<serde_json::Value>,
-}
-
-#[derive(Debug, Clone, PartialEq, Serialize)]
-pub(crate) struct OutgoingResponse {
-    pub id: RequestId,
-    pub result: Result,
-}
-
-#[derive(Debug, Clone, PartialEq, Serialize)]
-pub(crate) struct OutgoingError {
-    pub error: JSONRPCErrorError,
-    pub id: RequestId,
-}
-
-#[cfg(test)]
-mod tests {
-    use codex_app_server_protocol::LoginChatGptCompleteNotification;
-    use pretty_assertions::assert_eq;
-    use serde_json::json;
-    use uuid::Uuid;
-
-    use super::*;
-
-    #[test]
-    fn verify_server_notification_serialization() {
-        let notification =
-            ServerNotification::LoginChatGptComplete(LoginChatGptCompleteNotification {
-                login_id: Uuid::nil(),
-                success: true,
-                error: None,
-            });
-
-        let jsonrpc_notification = OutgoingMessage::AppServerNotification(notification);
-        assert_eq!(
-            json!({
-                "method": "loginChatGptComplete",
-                "params": {
-                    "loginId": Uuid::nil(),
-                    "success": true,
-                },
-            }),
-            serde_json::to_value(jsonrpc_notification)
-                .expect("ensure the strum macros serialize the method field correctly"),
-            "ensure the strum macros serialize the method field correctly"
-        );
-    }
-}

codex-rs/app-server/tests/all.rs

@@ -1,3 +0,0 @@
-// Single integration test binary that aggregates all test modules.
-// The submodules live in `tests/suite/`.
-mod suite;

codex-rs/app-server/tests/common/Cargo.toml

@@ -1,24 +0,0 @@
-[package]
-edition = "2024"
-name = "app_test_support"
-version = { workspace = true }
-
-[lib]
-path = "lib.rs"
-
-[dependencies]
-anyhow = { workspace = true }
-assert_cmd = { workspace = true }
-base64 = { workspace = true }
-chrono = { workspace = true }
-codex-app-server-protocol = { workspace = true }
-codex-core = { workspace = true }
-serde = { workspace = true }
-serde_json = { workspace = true }
-tokio = { workspace = true, features = [
-    "io-std",
-    "macros",
-    "process",
-    "rt-multi-thread",
-] }
-wiremock = { workspace = true }

codex-rs/app-server/tests/common/auth_fixtures.rs

@@ -1,131 +0,0 @@
-use std::path::Path;
-
-use anyhow::Context;
-use anyhow::Result;
-use base64::Engine;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
-use chrono::DateTime;
-use chrono::Utc;
-use codex_core::auth::AuthDotJson;
-use codex_core::auth::get_auth_file;
-use codex_core::auth::write_auth_json;
-use codex_core::token_data::TokenData;
-use codex_core::token_data::parse_id_token;
-use serde_json::json;
-
-/// Builder for writing a fake ChatGPT auth.json in tests.
-#[derive(Debug, Clone)]
-pub struct ChatGptAuthFixture {
-    access_token: String,
-    refresh_token: String,
-    account_id: Option<String>,
-    claims: ChatGptIdTokenClaims,
-    last_refresh: Option<Option<DateTime<Utc>>>,
-}
-
-impl ChatGptAuthFixture {
-    pub fn new(access_token: impl Into<String>) -> Self {
-        Self {
-            access_token: access_token.into(),
-            refresh_token: "refresh-token".to_string(),
-            account_id: None,
-            claims: ChatGptIdTokenClaims::default(),
-            last_refresh: None,
-        }
-    }
-
-    pub fn refresh_token(mut self, refresh_token: impl Into<String>) -> Self {
-        self.refresh_token = refresh_token.into();
-        self
-    }
-
-    pub fn account_id(mut self, account_id: impl Into<String>) -> Self {
-        self.account_id = Some(account_id.into());
-        self
-    }
-
-    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
-        self.claims.plan_type = Some(plan_type.into());
-        self
-    }
-
-    pub fn email(mut self, email: impl Into<String>) -> Self {
-        self.claims.email = Some(email.into());
-        self
-    }
-
-    pub fn last_refresh(mut self, last_refresh: Option<DateTime<Utc>>) -> Self {
-        self.last_refresh = Some(last_refresh);
-        self
-    }
-
-    pub fn claims(mut self, claims: ChatGptIdTokenClaims) -> Self {
-        self.claims = claims;
-        self
-    }
-}
-
-#[derive(Debug, Clone, Default)]
-pub struct ChatGptIdTokenClaims {
-    pub email: Option<String>,
-    pub plan_type: Option<String>,
-}
-
-impl ChatGptIdTokenClaims {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn email(mut self, email: impl Into<String>) -> Self {
-        self.email = Some(email.into());
-        self
-    }
-
-    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
-        self.plan_type = Some(plan_type.into());
-        self
-    }
-}
-
-pub fn encode_id_token(claims: &ChatGptIdTokenClaims) -> Result<String> {
-    let header = json!({ "alg": "none", "typ": "JWT" });
-    let mut payload = serde_json::Map::new();
-    if let Some(email) = &claims.email {
-        payload.insert("email".to_string(), json!(email));
-    }
-    if let Some(plan_type) = &claims.plan_type {
-        payload.insert(
-            "https://api.openai.com/auth".to_string(),
-            json!({ "chatgpt_plan_type": plan_type }),
-        );
-    }
-    let payload = serde_json::Value::Object(payload);
-
-    let header_b64 =
-        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&header).context("serialize jwt header")?);
-    let payload_b64 =
-        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&payload).context("serialize jwt payload")?);
-    let signature_b64 = URL_SAFE_NO_PAD.encode(b"signature");
-    Ok(format!("{header_b64}.{payload_b64}.{signature_b64}"))
-}
-
-pub fn write_chatgpt_auth(codex_home: &Path, fixture: ChatGptAuthFixture) -> Result<()> {
-    let id_token_raw = encode_id_token(&fixture.claims)?;
-    let id_token = parse_id_token(&id_token_raw).context("parse id token")?;
-    let tokens = TokenData {
-        id_token,
-        access_token: fixture.access_token,
-        refresh_token: fixture.refresh_token,
-        account_id: fixture.account_id,
-    };
-
-    let last_refresh = fixture.last_refresh.unwrap_or_else(|| Some(Utc::now()));
-
-    let auth = AuthDotJson {
-        openai_api_key: None,
-        tokens: Some(tokens),
-        last_refresh,
-    };
-
-    write_auth_json(&get_auth_file(codex_home), &auth).context("write auth.json")
-}

codex-rs/app-server/tests/common/lib.rs

@@ -1,22 +0,0 @@
-mod auth_fixtures;
-mod mcp_process;
-mod mock_model_server;
-mod responses;
-
-pub use auth_fixtures::ChatGptAuthFixture;
-pub use auth_fixtures::ChatGptIdTokenClaims;
-pub use auth_fixtures::encode_id_token;
-pub use auth_fixtures::write_chatgpt_auth;
-use codex_app_server_protocol::JSONRPCResponse;
-pub use mcp_process::McpProcess;
-pub use mock_model_server::create_mock_chat_completions_server;
-pub use responses::create_apply_patch_sse_response;
-pub use responses::create_final_assistant_message_sse_response;
-pub use responses::create_shell_sse_response;
-use serde::de::DeserializeOwned;
-
-pub fn to_response<T: DeserializeOwned>(response: JSONRPCResponse) -> anyhow::Result<T> {
-    let value = serde_json::to_value(response.result)?;
-    let codex_response = serde_json::from_value(value)?;
-    Ok(codex_response)
-}

codex-rs/app-server/tests/common/mcp_process.rs

@@ -1,517 +0,0 @@
-use std::collections::VecDeque;
-use std::path::Path;
-use std::process::Stdio;
-use std::sync::atomic::AtomicI64;
-use std::sync::atomic::Ordering;
-use tokio::io::AsyncBufReadExt;
-use tokio::io::AsyncWriteExt;
-use tokio::io::BufReader;
-use tokio::process::Child;
-use tokio::process::ChildStdin;
-use tokio::process::ChildStdout;
-
-use anyhow::Context;
-use assert_cmd::prelude::*;
-use codex_app_server_protocol::AddConversationListenerParams;
-use codex_app_server_protocol::ArchiveConversationParams;
-use codex_app_server_protocol::CancelLoginChatGptParams;
-use codex_app_server_protocol::ClientInfo;
-use codex_app_server_protocol::ClientNotification;
-use codex_app_server_protocol::GetAuthStatusParams;
-use codex_app_server_protocol::InitializeParams;
-use codex_app_server_protocol::InterruptConversationParams;
-use codex_app_server_protocol::ListConversationsParams;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::LoginApiKeyParams;
-use codex_app_server_protocol::NewConversationParams;
-use codex_app_server_protocol::RemoveConversationListenerParams;
-use codex_app_server_protocol::ResumeConversationParams;
-use codex_app_server_protocol::SendUserMessageParams;
-use codex_app_server_protocol::SendUserTurnParams;
-use codex_app_server_protocol::ServerRequest;
-use codex_app_server_protocol::SetDefaultModelParams;
-
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCMessage;
-use codex_app_server_protocol::JSONRPCNotification;
-use codex_app_server_protocol::JSONRPCRequest;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::RequestId;
-use std::process::Command as StdCommand;
-use tokio::process::Command;
-
-pub struct McpProcess {
-    next_request_id: AtomicI64,
-    /// Retain this child process until the client is dropped. The Tokio runtime
-    /// will make a "best effort" to reap the process after it exits, but it is
-    /// not a guarantee. See the `kill_on_drop` documentation for details.
-    #[allow(dead_code)]
-    process: Child,
-    stdin: ChildStdin,
-    stdout: BufReader<ChildStdout>,
-    pending_user_messages: VecDeque<JSONRPCNotification>,
-}
-
-impl McpProcess {
-    pub async fn new(codex_home: &Path) -> anyhow::Result<Self> {
-        Self::new_with_env(codex_home, &[]).await
-    }
-
-    /// Creates a new MCP process, allowing tests to override or remove
-    /// specific environment variables for the child process only.
-    ///
-    /// Pass a tuple of (key, Some(value)) to set/override, or (key, None) to
-    /// remove a variable from the child's environment.
-    pub async fn new_with_env(
-        codex_home: &Path,
-        env_overrides: &[(&str, Option<&str>)],
-    ) -> anyhow::Result<Self> {
-        // Use assert_cmd to locate the binary path and then switch to tokio::process::Command
-        let std_cmd = StdCommand::cargo_bin("codex-app-server")
-            .context("should find binary for codex-mcp-server")?;
-
-        let program = std_cmd.get_program().to_owned();
-
-        let mut cmd = Command::new(program);
-
-        cmd.stdin(Stdio::piped());
-        cmd.stdout(Stdio::piped());
-        cmd.stderr(Stdio::piped());
-        cmd.env("CODEX_HOME", codex_home);
-        cmd.env("RUST_LOG", "debug");
-
-        for (k, v) in env_overrides {
-            match v {
-                Some(val) => {
-                    cmd.env(k, val);
-                }
-                None => {
-                    cmd.env_remove(k);
-                }
-            }
-        }
-
-        let mut process = cmd
-            .kill_on_drop(true)
-            .spawn()
-            .context("codex-mcp-server proc should start")?;
-        let stdin = process
-            .stdin
-            .take()
-            .ok_or_else(|| anyhow::format_err!("mcp should have stdin fd"))?;
-        let stdout = process
-            .stdout
-            .take()
-            .ok_or_else(|| anyhow::format_err!("mcp should have stdout fd"))?;
-        let stdout = BufReader::new(stdout);
-
-        // Forward child's stderr to our stderr so failures are visible even
-        // when stdout/stderr are captured by the test harness.
-        if let Some(stderr) = process.stderr.take() {
-            let mut stderr_reader = BufReader::new(stderr).lines();
-            tokio::spawn(async move {
-                while let Ok(Some(line)) = stderr_reader.next_line().await {
-                    eprintln!("[mcp stderr] {line}");
-                }
-            });
-        }
-        Ok(Self {
-            next_request_id: AtomicI64::new(0),
-            process,
-            stdin,
-            stdout,
-            pending_user_messages: VecDeque::new(),
-        })
-    }
-
-    /// Performs the initialization handshake with the MCP server.
-    pub async fn initialize(&mut self) -> anyhow::Result<()> {
-        let params = Some(serde_json::to_value(InitializeParams {
-            client_info: ClientInfo {
-                name: "codex-app-server-tests".to_string(),
-                title: None,
-                version: "0.1.0".to_string(),
-            },
-        })?);
-        let req_id = self.send_request("initialize", params).await?;
-        let initialized = self.read_jsonrpc_message().await?;
-        let JSONRPCMessage::Response(response) = initialized else {
-            unreachable!("expected JSONRPCMessage::Response for initialize, got {initialized:?}");
-        };
-        if response.id != RequestId::Integer(req_id) {
-            anyhow::bail!(
-                "initialize response id mismatch: expected {}, got {:?}",
-                req_id,
-                response.id
-            );
-        }
-
-        // Send notifications/initialized to ack the response.
-        self.send_notification(ClientNotification::Initialized)
-            .await?;
-
-        Ok(())
-    }
-
-    /// Send a `newConversation` JSON-RPC request.
-    pub async fn send_new_conversation_request(
-        &mut self,
-        params: NewConversationParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("newConversation", params).await
-    }
-
-    /// Send an `archiveConversation` JSON-RPC request.
-    pub async fn send_archive_conversation_request(
-        &mut self,
-        params: ArchiveConversationParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("archiveConversation", params).await
-    }
-
-    /// Send an `addConversationListener` JSON-RPC request.
-    pub async fn send_add_conversation_listener_request(
-        &mut self,
-        params: AddConversationListenerParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("addConversationListener", params).await
-    }
-
-    /// Send a `sendUserMessage` JSON-RPC request with a single text item.
-    pub async fn send_send_user_message_request(
-        &mut self,
-        params: SendUserMessageParams,
-    ) -> anyhow::Result<i64> {
-        // Wire format expects variants in camelCase; text item uses external tagging.
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("sendUserMessage", params).await
-    }
-
-    /// Send a `removeConversationListener` JSON-RPC request.
-    pub async fn send_remove_conversation_listener_request(
-        &mut self,
-        params: RemoveConversationListenerParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("removeConversationListener", params)
-            .await
-    }
-
-    /// Send a `sendUserTurn` JSON-RPC request.
-    pub async fn send_send_user_turn_request(
-        &mut self,
-        params: SendUserTurnParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("sendUserTurn", params).await
-    }
-
-    /// Send a `interruptConversation` JSON-RPC request.
-    pub async fn send_interrupt_conversation_request(
-        &mut self,
-        params: InterruptConversationParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("interruptConversation", params).await
-    }
-
-    /// Send a `getAuthStatus` JSON-RPC request.
-    pub async fn send_get_auth_status_request(
-        &mut self,
-        params: GetAuthStatusParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("getAuthStatus", params).await
-    }
-
-    /// Send a `getUserSavedConfig` JSON-RPC request.
-    pub async fn send_get_user_saved_config_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("getUserSavedConfig", None).await
-    }
-
-    /// Send a `getUserAgent` JSON-RPC request.
-    pub async fn send_get_user_agent_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("getUserAgent", None).await
-    }
-
-    /// Send an `account/rateLimits/read` JSON-RPC request.
-    pub async fn send_get_account_rate_limits_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("account/rateLimits/read", None).await
-    }
-
-    /// Send a `userInfo` JSON-RPC request.
-    pub async fn send_user_info_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("userInfo", None).await
-    }
-
-    /// Send a `setDefaultModel` JSON-RPC request.
-    pub async fn send_set_default_model_request(
-        &mut self,
-        params: SetDefaultModelParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("setDefaultModel", params).await
-    }
-
-    /// Send a `listConversations` JSON-RPC request.
-    pub async fn send_list_conversations_request(
-        &mut self,
-        params: ListConversationsParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("listConversations", params).await
-    }
-
-    /// Send a `model/list` JSON-RPC request.
-    pub async fn send_list_models_request(
-        &mut self,
-        params: ListModelsParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("model/list", params).await
-    }
-
-    /// Send a `resumeConversation` JSON-RPC request.
-    pub async fn send_resume_conversation_request(
-        &mut self,
-        params: ResumeConversationParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("resumeConversation", params).await
-    }
-
-    /// Send a `loginApiKey` JSON-RPC request.
-    pub async fn send_login_api_key_request(
-        &mut self,
-        params: LoginApiKeyParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("loginApiKey", params).await
-    }
-
-    /// Send a `loginChatGpt` JSON-RPC request.
-    pub async fn send_login_chat_gpt_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("loginChatGpt", None).await
-    }
-
-    /// Send a `cancelLoginChatGpt` JSON-RPC request.
-    pub async fn send_cancel_login_chat_gpt_request(
-        &mut self,
-        params: CancelLoginChatGptParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("cancelLoginChatGpt", params).await
-    }
-
-    /// Send a `logoutChatGpt` JSON-RPC request.
-    pub async fn send_logout_chat_gpt_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("logoutChatGpt", None).await
-    }
-
-    /// Send a `fuzzyFileSearch` JSON-RPC request.
-    pub async fn send_fuzzy_file_search_request(
-        &mut self,
-        query: &str,
-        roots: Vec<String>,
-        cancellation_token: Option<String>,
-    ) -> anyhow::Result<i64> {
-        let mut params = serde_json::json!({
-            "query": query,
-            "roots": roots,
-        });
-        if let Some(token) = cancellation_token {
-            params["cancellationToken"] = serde_json::json!(token);
-        }
-        self.send_request("fuzzyFileSearch", Some(params)).await
-    }
-
-    async fn send_request(
-        &mut self,
-        method: &str,
-        params: Option<serde_json::Value>,
-    ) -> anyhow::Result<i64> {
-        let request_id = self.next_request_id.fetch_add(1, Ordering::Relaxed);
-
-        let message = JSONRPCMessage::Request(JSONRPCRequest {
-            id: RequestId::Integer(request_id),
-            method: method.to_string(),
-            params,
-        });
-        self.send_jsonrpc_message(message).await?;
-        Ok(request_id)
-    }
-
-    pub async fn send_response(
-        &mut self,
-        id: RequestId,
-        result: serde_json::Value,
-    ) -> anyhow::Result<()> {
-        self.send_jsonrpc_message(JSONRPCMessage::Response(JSONRPCResponse { id, result }))
-            .await
-    }
-
-    pub async fn send_notification(
-        &mut self,
-        notification: ClientNotification,
-    ) -> anyhow::Result<()> {
-        let value = serde_json::to_value(notification)?;
-        self.send_jsonrpc_message(JSONRPCMessage::Notification(JSONRPCNotification {
-            method: value
-                .get("method")
-                .and_then(|m| m.as_str())
-                .ok_or_else(|| anyhow::format_err!("notification missing method field"))?
-                .to_string(),
-            params: value.get("params").cloned(),
-        }))
-        .await
-    }
-
-    async fn send_jsonrpc_message(&mut self, message: JSONRPCMessage) -> anyhow::Result<()> {
-        eprintln!("writing message to stdin: {message:?}");
-        let payload = serde_json::to_string(&message)?;
-        self.stdin.write_all(payload.as_bytes()).await?;
-        self.stdin.write_all(b"\n").await?;
-        self.stdin.flush().await?;
-        Ok(())
-    }
-
-    async fn read_jsonrpc_message(&mut self) -> anyhow::Result<JSONRPCMessage> {
-        let mut line = String::new();
-        self.stdout.read_line(&mut line).await?;
-        let message = serde_json::from_str::<JSONRPCMessage>(&line)?;
-        eprintln!("read message from stdout: {message:?}");
-        Ok(message)
-    }
-
-    pub async fn read_stream_until_request_message(&mut self) -> anyhow::Result<ServerRequest> {
-        eprintln!("in read_stream_until_request_message()");
-
-        loop {
-            let message = self.read_jsonrpc_message().await?;
-
-            match message {
-                JSONRPCMessage::Notification(notification) => {
-                    eprintln!("notification: {notification:?}");
-                    self.enqueue_user_message(notification);
-                }
-                JSONRPCMessage::Request(jsonrpc_request) => {
-                    return jsonrpc_request.try_into().with_context(
-                        || "failed to deserialize ServerRequest from JSONRPCRequest",
-                    );
-                }
-                JSONRPCMessage::Error(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Error: {message:?}");
-                }
-                JSONRPCMessage::Response(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Response: {message:?}");
-                }
-            }
-        }
-    }
-
-    pub async fn read_stream_until_response_message(
-        &mut self,
-        request_id: RequestId,
-    ) -> anyhow::Result<JSONRPCResponse> {
-        eprintln!("in read_stream_until_response_message({request_id:?})");
-
-        loop {
-            let message = self.read_jsonrpc_message().await?;
-            match message {
-                JSONRPCMessage::Notification(notification) => {
-                    eprintln!("notification: {notification:?}");
-                    self.enqueue_user_message(notification);
-                }
-                JSONRPCMessage::Request(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Request: {message:?}");
-                }
-                JSONRPCMessage::Error(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Error: {message:?}");
-                }
-                JSONRPCMessage::Response(jsonrpc_response) => {
-                    if jsonrpc_response.id == request_id {
-                        return Ok(jsonrpc_response);
-                    }
-                }
-            }
-        }
-    }
-
-    pub async fn read_stream_until_error_message(
-        &mut self,
-        request_id: RequestId,
-    ) -> anyhow::Result<JSONRPCError> {
-        loop {
-            let message = self.read_jsonrpc_message().await?;
-            match message {
-                JSONRPCMessage::Notification(notification) => {
-                    eprintln!("notification: {notification:?}");
-                    self.enqueue_user_message(notification);
-                }
-                JSONRPCMessage::Request(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Request: {message:?}");
-                }
-                JSONRPCMessage::Response(_) => {
-                    // Keep scanning; we're waiting for an error with matching id.
-                }
-                JSONRPCMessage::Error(err) => {
-                    if err.id == request_id {
-                        return Ok(err);
-                    }
-                }
-            }
-        }
-    }
-
-    pub async fn read_stream_until_notification_message(
-        &mut self,
-        method: &str,
-    ) -> anyhow::Result<JSONRPCNotification> {
-        eprintln!("in read_stream_until_notification_message({method})");
-
-        if let Some(notification) = self.take_pending_notification_by_method(method) {
-            return Ok(notification);
-        }
-
-        loop {
-            let message = self.read_jsonrpc_message().await?;
-            match message {
-                JSONRPCMessage::Notification(notification) => {
-                    if notification.method == method {
-                        return Ok(notification);
-                    }
-                    self.enqueue_user_message(notification);
-                }
-                JSONRPCMessage::Request(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Request: {message:?}");
-                }
-                JSONRPCMessage::Error(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Error: {message:?}");
-                }
-                JSONRPCMessage::Response(_) => {
-                    anyhow::bail!("unexpected JSONRPCMessage::Response: {message:?}");
-                }
-            }
-        }
-    }
-
-    fn take_pending_notification_by_method(&mut self, method: &str) -> Option<JSONRPCNotification> {
-        if let Some(pos) = self
-            .pending_user_messages
-            .iter()
-            .position(|notification| notification.method == method)
-        {
-            return self.pending_user_messages.remove(pos);
-        }
-        None
-    }
-
-    fn enqueue_user_message(&mut self, notification: JSONRPCNotification) {
-        if notification.method == "codex/event/user_message" {
-            self.pending_user_messages.push_back(notification);
-        }
-    }
-}

codex-rs/app-server/tests/common/mock_model_server.rs

@@ -1,47 +0,0 @@
-use std::sync::atomic::AtomicUsize;
-use std::sync::atomic::Ordering;
-
-use wiremock::Mock;
-use wiremock::MockServer;
-use wiremock::Respond;
-use wiremock::ResponseTemplate;
-use wiremock::matchers::method;
-use wiremock::matchers::path;
-
-/// Create a mock server that will provide the responses, in order, for
-/// requests to the `/v1/chat/completions` endpoint.
-pub async fn create_mock_chat_completions_server(responses: Vec<String>) -> MockServer {
-    let server = MockServer::start().await;
-
-    let num_calls = responses.len();
-    let seq_responder = SeqResponder {
-        num_calls: AtomicUsize::new(0),
-        responses,
-    };
-
-    Mock::given(method("POST"))
-        .and(path("/v1/chat/completions"))
-        .respond_with(seq_responder)
-        .expect(num_calls as u64)
-        .mount(&server)
-        .await;
-
-    server
-}
-
-struct SeqResponder {
-    num_calls: AtomicUsize,
-    responses: Vec<String>,
-}
-
-impl Respond for SeqResponder {
-    fn respond(&self, _: &wiremock::Request) -> ResponseTemplate {
-        let call_num = self.num_calls.fetch_add(1, Ordering::SeqCst);
-        match self.responses.get(call_num) {
-            Some(response) => ResponseTemplate::new(200)
-                .insert_header("content-type", "text/event-stream")
-                .set_body_raw(response.clone(), "text/event-stream"),
-            None => panic!("no response for {call_num}"),
-        }
-    }
-}

codex-rs/app-server/tests/common/responses.rs

@@ -1,95 +0,0 @@
-use serde_json::json;
-use std::path::Path;
-
-pub fn create_shell_sse_response(
-    command: Vec<String>,
-    workdir: Option<&Path>,
-    timeout_ms: Option<u64>,
-    call_id: &str,
-) -> anyhow::Result<String> {
-    // The `arguments`` for the `shell` tool is a serialized JSON object.
-    let tool_call_arguments = serde_json::to_string(&json!({
-        "command": command,
-        "workdir": workdir.map(|w| w.to_string_lossy()),
-        "timeout": timeout_ms
-    }))?;
-    let tool_call = json!({
-        "choices": [
-            {
-                "delta": {
-                    "tool_calls": [
-                        {
-                            "id": call_id,
-                            "function": {
-                                "name": "shell",
-                                "arguments": tool_call_arguments
-                            }
-                        }
-                    ]
-                },
-                "finish_reason": "tool_calls"
-            }
-        ]
-    });
-
-    let sse = format!(
-        "data: {}\n\ndata: DONE\n\n",
-        serde_json::to_string(&tool_call)?
-    );
-    Ok(sse)
-}
-
-pub fn create_final_assistant_message_sse_response(message: &str) -> anyhow::Result<String> {
-    let assistant_message = json!({
-        "choices": [
-            {
-                "delta": {
-                    "content": message
-                },
-                "finish_reason": "stop"
-            }
-        ]
-    });
-
-    let sse = format!(
-        "data: {}\n\ndata: DONE\n\n",
-        serde_json::to_string(&assistant_message)?
-    );
-    Ok(sse)
-}
-
-pub fn create_apply_patch_sse_response(
-    patch_content: &str,
-    call_id: &str,
-) -> anyhow::Result<String> {
-    // Use shell command to call apply_patch with heredoc format
-    let shell_command = format!("apply_patch <<'EOF'\n{patch_content}\nEOF");
-    let tool_call_arguments = serde_json::to_string(&json!({
-        "command": ["bash", "-lc", shell_command]
-    }))?;
-
-    let tool_call = json!({
-        "choices": [
-            {
-                "delta": {
-                    "tool_calls": [
-                        {
-                            "id": call_id,
-                            "function": {
-                                "name": "shell",
-                                "arguments": tool_call_arguments
-                            }
-                        }
-                    ]
-                },
-                "finish_reason": "tool_calls"
-            }
-        ]
-    });
-
-    let sse = format!(
-        "data: {}\n\ndata: DONE\n\n",
-        serde_json::to_string(&tool_call)?
-    );
-    Ok(sse)
-}

codex-rs/app-server/tests/suite/fuzzy_file_search.rs

@@ -1,146 +0,0 @@
-use anyhow::Context;
-use anyhow::Result;
-use app_test_support::McpProcess;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::RequestId;
-use pretty_assertions::assert_eq;
-use serde_json::json;
-use tempfile::TempDir;
-use tokio::time::timeout;
-
-const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_fuzzy_file_search_sorts_and_includes_indices() -> Result<()> {
-    // Prepare a temporary Codex home and a separate root with test files.
-    let codex_home = TempDir::new().context("create temp codex home")?;
-    let root = TempDir::new().context("create temp search root")?;
-
-    // Create files designed to have deterministic ordering for query "abe".
-    std::fs::write(root.path().join("abc"), "x").context("write file abc")?;
-    std::fs::write(root.path().join("abcde"), "x").context("write file abcde")?;
-    std::fs::write(root.path().join("abexy"), "x").context("write file abexy")?;
-    std::fs::write(root.path().join("zzz.txt"), "x").context("write file zzz")?;
-    let sub_dir = root.path().join("sub");
-    std::fs::create_dir_all(&sub_dir).context("create sub dir")?;
-    let sub_abce_path = sub_dir.join("abce");
-    std::fs::write(&sub_abce_path, "x").context("write file sub/abce")?;
-    let sub_abce_rel = sub_abce_path
-        .strip_prefix(root.path())
-        .context("strip root prefix from sub/abce")?
-        .to_string_lossy()
-        .to_string();
-
-    // Start MCP server and initialize.
-    let mut mcp = McpProcess::new(codex_home.path())
-        .await
-        .context("spawn mcp")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("init timeout")?
-        .context("init failed")?;
-
-    let root_path = root.path().to_string_lossy().to_string();
-    // Send fuzzyFileSearch request.
-    let request_id = mcp
-        .send_fuzzy_file_search_request("abe", vec![root_path.clone()], None)
-        .await
-        .context("send fuzzyFileSearch")?;
-
-    // Read response and verify shape and ordering.
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("fuzzyFileSearch timeout")?
-    .context("fuzzyFileSearch resp")?;
-
-    let value = resp.result;
-    // The path separator on Windows affects the score.
-    let expected_score = if cfg!(windows) { 69 } else { 72 };
-
-    assert_eq!(
-        value,
-        json!({
-            "files": [
-                {
-                    "root": root_path.clone(),
-                    "path": "abexy",
-                    "file_name": "abexy",
-                    "score": 88,
-                    "indices": [0, 1, 2],
-                },
-                {
-                    "root": root_path.clone(),
-                    "path": "abcde",
-                    "file_name": "abcde",
-                    "score": 74,
-                    "indices": [0, 1, 4],
-                },
-                {
-                    "root": root_path.clone(),
-                    "path": sub_abce_rel,
-                    "file_name": "abce",
-                    "score": expected_score,
-                    "indices": [4, 5, 7],
-                },
-            ]
-        })
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_fuzzy_file_search_accepts_cancellation_token() -> Result<()> {
-    let codex_home = TempDir::new().context("create temp codex home")?;
-    let root = TempDir::new().context("create temp search root")?;
-
-    std::fs::write(root.path().join("alpha.txt"), "contents").context("write alpha")?;
-
-    let mut mcp = McpProcess::new(codex_home.path())
-        .await
-        .context("spawn mcp")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("init timeout")?
-        .context("init failed")?;
-
-    let root_path = root.path().to_string_lossy().to_string();
-    let request_id = mcp
-        .send_fuzzy_file_search_request("alp", vec![root_path.clone()], None)
-        .await
-        .context("send fuzzyFileSearch")?;
-
-    let request_id_2 = mcp
-        .send_fuzzy_file_search_request(
-            "alp",
-            vec![root_path.clone()],
-            Some(request_id.to_string()),
-        )
-        .await
-        .context("send fuzzyFileSearch")?;
-
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id_2)),
-    )
-    .await
-    .context("fuzzyFileSearch timeout")?
-    .context("fuzzyFileSearch resp")?;
-
-    let files = resp
-        .result
-        .get("files")
-        .context("files key missing")?
-        .as_array()
-        .context("files not array")?
-        .clone();
-
-    assert_eq!(files.len(), 1);
-    assert_eq!(files[0]["root"], root_path);
-    assert_eq!(files[0]["path"], "alpha.txt");
-
-    Ok(())
-}

codex-rs/app-server/tests/suite/mod.rs

@@ -1,15 +0,0 @@
-mod archive_conversation;
-mod auth;
-mod codex_message_processor_flow;
-mod config;
-mod create_conversation;
-mod fuzzy_file_search;
-mod interrupt;
-mod list_resume;
-mod login;
-mod model_list;
-mod rate_limits;
-mod send_message;
-mod set_default_model;
-mod user_agent;
-mod user_info;

codex-rs/app-server/tests/suite/model_list.rs

@@ -1,183 +0,0 @@
-use std::time::Duration;
-
-use anyhow::Result;
-use anyhow::anyhow;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::ListModelsResponse;
-use codex_app_server_protocol::Model;
-use codex_app_server_protocol::ReasoningEffortOption;
-use codex_app_server_protocol::RequestId;
-use codex_protocol::config_types::ReasoningEffort;
-use pretty_assertions::assert_eq;
-use tempfile::TempDir;
-use tokio::time::timeout;
-
-const DEFAULT_TIMEOUT: Duration = Duration::from_secs(10);
-const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(100),
-            cursor: None,
-        })
-        .await?;
-
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-
-    let ListModelsResponse { items, next_cursor } = to_response::<ListModelsResponse>(response)?;
-
-    let expected_models = vec![
-        Model {
-            id: "gpt-5-codex".to_string(),
-            model: "gpt-5-codex".to_string(),
-            display_name: "gpt-5-codex".to_string(),
-            description: "Optimized for coding tasks with many tools.".to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Fastest responses with limited reasoning".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Dynamically adjusts reasoning based on the task".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex or ambiguous problems"
-                        .to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: true,
-        },
-        Model {
-            id: "gpt-5".to_string(),
-            model: "gpt-5".to_string(),
-            display_name: "gpt-5".to_string(),
-            description: "Broad world knowledge with strong general reasoning.".to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Minimal,
-                    description: "Fastest responses with little reasoning".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Balances speed with some reasoning; useful for straightforward \
-                                   queries and short explanations"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Provides a solid balance of reasoning depth and latency for \
-                         general-purpose tasks"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex or ambiguous problems"
-                        .to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: false,
-        },
-    ];
-
-    assert_eq!(items, expected_models);
-    assert!(next_cursor.is_none());
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_pagination_works() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let first_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
-            cursor: None,
-        })
-        .await?;
-
-    let first_response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(first_request)),
-    )
-    .await??;
-
-    let ListModelsResponse {
-        items: first_items,
-        next_cursor: first_cursor,
-    } = to_response::<ListModelsResponse>(first_response)?;
-
-    assert_eq!(first_items.len(), 1);
-    assert_eq!(first_items[0].id, "gpt-5-codex");
-    let next_cursor = first_cursor.ok_or_else(|| anyhow!("cursor for second page"))?;
-
-    let second_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
-            cursor: Some(next_cursor.clone()),
-        })
-        .await?;
-
-    let second_response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(second_request)),
-    )
-    .await??;
-
-    let ListModelsResponse {
-        items: second_items,
-        next_cursor: second_cursor,
-    } = to_response::<ListModelsResponse>(second_response)?;
-
-    assert_eq!(second_items.len(), 1);
-    assert_eq!(second_items[0].id, "gpt-5");
-    assert!(second_cursor.is_none());
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_rejects_invalid_cursor() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: None,
-            cursor: Some("invalid".to_string()),
-        })
-        .await?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(error.error.message, "invalid cursor: invalid");
-    Ok(())
-}

codex-rs/app-server/tests/suite/rate_limits.rs

@@ -1,215 +0,0 @@
-use anyhow::Context;
-use anyhow::Result;
-use app_test_support::ChatGptAuthFixture;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use app_test_support::write_chatgpt_auth;
-use codex_app_server_protocol::GetAccountRateLimitsResponse;
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::LoginApiKeyParams;
-use codex_app_server_protocol::RequestId;
-use codex_protocol::protocol::RateLimitSnapshot;
-use codex_protocol::protocol::RateLimitWindow;
-use pretty_assertions::assert_eq;
-use serde_json::json;
-use std::path::Path;
-use tempfile::TempDir;
-use tokio::time::timeout;
-use wiremock::Mock;
-use wiremock::MockServer;
-use wiremock::ResponseTemplate;
-use wiremock::matchers::header;
-use wiremock::matchers::method;
-use wiremock::matchers::path;
-
-const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
-const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_requires_auth() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-
-    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read error")?;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(
-        error.error.message,
-        "codex account authentication required to read rate limits"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_requires_chatgpt_auth() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-
-    let mut mcp = McpProcess::new(codex_home.path())
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    login_with_api_key(&mut mcp, "sk-test-key").await?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read error")?;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(
-        error.error.message,
-        "chatgpt authentication required to read rate limits"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-    write_chatgpt_auth(
-        codex_home.path(),
-        ChatGptAuthFixture::new("chatgpt-token")
-            .account_id("account-123")
-            .plan_type("pro"),
-    )
-    .context("write chatgpt auth")?;
-
-    let server = MockServer::start().await;
-    let server_url = server.uri();
-    write_chatgpt_base_url(codex_home.path(), &server_url).context("write chatgpt base url")?;
-
-    let primary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T00:02:00Z")
-        .expect("parse primary reset timestamp")
-        .timestamp();
-    let secondary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T01:00:00Z")
-        .expect("parse secondary reset timestamp")
-        .timestamp();
-    let response_body = json!({
-        "plan_type": "pro",
-        "rate_limit": {
-            "allowed": true,
-            "limit_reached": false,
-            "primary_window": {
-                "used_percent": 42,
-                "limit_window_seconds": 3600,
-                "reset_after_seconds": 120,
-                "reset_at": primary_reset_timestamp,
-            },
-            "secondary_window": {
-                "used_percent": 5,
-                "limit_window_seconds": 86400,
-                "reset_after_seconds": 43200,
-                "reset_at": secondary_reset_timestamp,
-            }
-        }
-    });
-
-    Mock::given(method("GET"))
-        .and(path("/api/codex/usage"))
-        .and(header("authorization", "Bearer chatgpt-token"))
-        .and(header("chatgpt-account-id", "account-123"))
-        .respond_with(ResponseTemplate::new(200).set_body_json(response_body))
-        .mount(&server)
-        .await;
-
-    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read response")?;
-
-    let received: GetAccountRateLimitsResponse =
-        to_response(response).context("deserialize rate limit response")?;
-
-    let expected = GetAccountRateLimitsResponse {
-        rate_limits: RateLimitSnapshot {
-            primary: Some(RateLimitWindow {
-                used_percent: 42.0,
-                window_minutes: Some(60),
-                resets_at: Some(primary_reset_timestamp),
-            }),
-            secondary: Some(RateLimitWindow {
-                used_percent: 5.0,
-                window_minutes: Some(1440),
-                resets_at: Some(secondary_reset_timestamp),
-            }),
-        },
-    };
-    assert_eq!(received, expected);
-
-    Ok(())
-}
-
-async fn login_with_api_key(mcp: &mut McpProcess, api_key: &str) -> Result<()> {
-    let request_id = mcp
-        .send_login_api_key_request(LoginApiKeyParams {
-            api_key: api_key.to_string(),
-        })
-        .await
-        .context("send loginApiKey")?;
-
-    timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("loginApiKey timeout")?
-    .context("loginApiKey response")?;
-
-    Ok(())
-}
-
-fn write_chatgpt_base_url(codex_home: &Path, base_url: &str) -> std::io::Result<()> {
-    let config_toml = codex_home.join("config.toml");
-    std::fs::write(config_toml, format!("chatgpt_base_url = \"{base_url}\"\n"))
-}

codex-rs/app-server/tests/suite/user_info.rs

@@ -1,51 +0,0 @@
-use std::time::Duration;
-
-use app_test_support::ChatGptAuthFixture;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use app_test_support::write_chatgpt_auth;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::UserInfoResponse;
-use pretty_assertions::assert_eq;
-use tempfile::TempDir;
-use tokio::time::timeout;
-
-const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(10);
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn user_info_returns_email_from_auth_json() {
-    let codex_home = TempDir::new().expect("create tempdir");
-
-    write_chatgpt_auth(
-        codex_home.path(),
-        ChatGptAuthFixture::new("access")
-            .refresh_token("refresh")
-            .email("user@example.com"),
-    )
-    .expect("write chatgpt auth");
-
-    let mut mcp = McpProcess::new(codex_home.path())
-        .await
-        .expect("spawn mcp process");
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .expect("initialize timeout")
-        .expect("initialize request");
-
-    let request_id = mcp.send_user_info_request().await.expect("send userInfo");
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .expect("userInfo timeout")
-    .expect("userInfo response");
-
-    let received: UserInfoResponse = to_response(response).expect("deserialize userInfo response");
-    let expected = UserInfoResponse {
-        alleged_user_email: Some("user@example.com".to_string()),
-    };
-
-    assert_eq!(received, expected);
-}

codex-rs/apply-patch/Cargo.toml

@@ -23,6 +23,5 @@ tree-sitter-bash = { workspace = true }
 
 [dev-dependencies]
 assert_cmd = { workspace = true }
-assert_matches = { workspace = true }
 pretty_assertions = { workspace = true }
 tempfile = { workspace = true }

codex-rs/apply-patch/src/lib.rs

@@ -843,7 +843,6 @@ pub fn print_summary(
 #[cfg(test)]
 mod tests {
     use super::*;
-    use assert_matches::assert_matches;
     use pretty_assertions::assert_eq;
     use std::fs;
     use std::string::ToString;
@@ -895,10 +894,10 @@ mod tests {
 
     fn assert_not_match(script: &str) {
         let args = args_bash(script);
-        assert_matches!(
+        assert!(matches!(
             maybe_parse_apply_patch(&args),
             MaybeApplyPatch::NotApplyPatch
-        );
+        ));
     }
 
     #[test]
@@ -906,10 +905,10 @@ mod tests {
         let patch = "*** Begin Patch\n*** Add File: foo\n+hi\n*** End Patch".to_string();
         let args = vec![patch];
         let dir = tempdir().unwrap();
-        assert_matches!(
+        assert!(matches!(
             maybe_parse_apply_patch_verified(&args, dir.path()),
             MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation)
-        );
+        ));
     }
 
     #[test]
@@ -917,10 +916,10 @@ mod tests {
         let script = "*** Begin Patch\n*** Add File: foo\n+hi\n*** End Patch";
         let args = args_bash(script);
         let dir = tempdir().unwrap();
-        assert_matches!(
+        assert!(matches!(
             maybe_parse_apply_patch_verified(&args, dir.path()),
             MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation)
-        );
+        ));
     }
 
     #[test]

codex-rs/async-utils/Cargo.toml

@@ -1,15 +0,0 @@
-[package]
-edition.workspace = true
-name = "codex-async-utils"
-version.workspace = true
-
-[lints]
-workspace = true
-
-[dependencies]
-async-trait.workspace = true
-tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread", "time"] }
-tokio-util.workspace = true
-
-[dev-dependencies]
-pretty_assertions.workspace = true