changing attribute to name + support command with arg

Sort list_dir entries before applying offset/limit so pagination matches
the displayed order, update pagination/truncation expectations, and add
coverage for sorted pagination. This ensures stable, predictable
directory pages when list_dir is enabled.

.bazelignore

@@ -1,4 +0,0 @@
-# Without this, Bazel will consider BUILD.bazel files in
-# .git/sl/origbackups (which can be populated by Sapling SCM).
-.git
-codex-rs/target

.bazelrc

@@ -1,155 +0,0 @@
-common --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
-common --repo_env=BAZEL_NO_APPLE_CPP_TOOLCHAIN=1
-# Dummy xcode config so we don't need to build xcode_locator in repo rule.
-common --xcode_version_config=//:disable_xcode
-
-common --disk_cache=~/.cache/bazel-disk-cache
-common --repo_contents_cache=~/.cache/bazel-repo-contents-cache
-common --repository_cache=~/.cache/bazel-repo-cache
-common --remote_cache_compression
-startup --experimental_remote_repo_contents_cache
-
-common --experimental_platform_in_output_dir
-
-# Runfiles strategy rationale: codex-rs/utils/cargo-bin/README.md
-common --noenable_runfiles
-
-common --enable_platform_specific_config
-common:linux --host_platform=//:local_linux
-common:windows --host_platform=//:local_windows
-common --@rules_cc//cc/toolchains/args/archiver_flags:use_libtool_on_macos=False
-common --@llvm//config:experimental_stub_libgcc_s
-
-# TODO(zbarsky): rules_rust doesn't implement this flag properly with remote exec...
-# common --@rules_rust//rust/settings:pipelined_compilation
-
-common --incompatible_strict_action_env
-# Not ideal, but We need to allow dotslash to be found
-common:linux --test_env=PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
-common:macos --test_env=PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
-
-# Pass through some env vars Windows needs to use powershell?
-common:windows --test_env=PATH
-common:windows --test_env=SYSTEMROOT
-common:windows --test_env=COMSPEC
-common:windows --test_env=WINDIR
-
-common --test_output=errors
-common --bes_results_url=https://app.buildbuddy.io/invocation/
-common --bes_backend=grpcs://remote.buildbuddy.io
-common --remote_cache=grpcs://remote.buildbuddy.io
-common --remote_download_toplevel
-common --nobuild_runfile_links
-common --remote_timeout=3600
-common --noexperimental_throttle_remote_action_building
-common --experimental_remote_execution_keepalive
-common --grpc_keepalive_time=30s
-
-# This limits both in-flight executions and concurrent downloads. Even with high number
-# of jobs execution will still be limited by CPU cores, so this just pays a bit of
-# memory in exchange for higher download concurrency.
-common --jobs=30
-
-common:remote --extra_execution_platforms=//:rbe
-common:remote --remote_executor=grpcs://remote.buildbuddy.io
-common:remote --jobs=800
-# TODO(team): Evaluate if this actually helps, zbarsky is not sure, everything seems bottlenecked on `core` either way.
-# Enable pipelined compilation since we are not bound by local CPU count.
-#common:remote --@rules_rust//rust/settings:pipelined_compilation
-
-# GitHub Actions CI configs.
-common:ci --remote_download_minimal
-common:ci --keep_going
-common:ci --verbose_failures
-common:ci --build_metadata=REPO_URL=https://github.com/openai/codex.git
-common:ci --build_metadata=ROLE=CI
-common:ci --build_metadata=VISIBILITY=PUBLIC
-
-# Disable disk cache in CI since we have a remote one and aren't using persistent workers.
-common:ci --disk_cache=
-
-# Shared config for the main Bazel CI workflow.
-common:ci-bazel --config=ci
-common:ci-bazel --build_metadata=TAG_workflow=bazel
-
-# Shared config for Bazel-backed Rust linting.
-build:clippy --aspects=@rules_rust//rust:defs.bzl%rust_clippy_aspect
-build:clippy --output_groups=+clippy_checks
-build:clippy --@rules_rust//rust/settings:clippy.toml=//codex-rs:clippy.toml
-# Keep this deny-list in sync with `codex-rs/Cargo.toml` `[workspace.lints.clippy]`.
-# Cargo applies those lint levels to member crates that opt into `[lints] workspace = true`
-# in their own `Cargo.toml`, but `rules_rust` Bazel clippy does not read Cargo lint levels.
-# `clippy.toml` can configure lint behavior, but it cannot set allow/warn/deny/forbid levels.
-build:clippy --@rules_rust//rust/settings:clippy_flag=-Dwarnings
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::expect_used
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::identity_op
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_clamp
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_filter
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_find
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_flatten
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_map
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_memcpy
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_non_exhaustive
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_ok_or
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_range_contains
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_retain
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_strip
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_try_fold
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_unwrap_or
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_borrow
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_borrowed_reference
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_collect
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_late_init
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_option_as_deref
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_question_mark
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::needless_update
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_clone
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_closure
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_closure_for_method_calls
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::redundant_static_lifetimes
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::trivially_copy_pass_by_ref
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::uninlined_format_args
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_filter_map
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_lazy_evaluations
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_sort_by
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unnecessary_to_owned
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::unwrap_used
-
-# Shared config for Bazel-backed argument-comment-lint.
-build:argument-comment-lint --aspects=//tools/argument-comment-lint:lint_aspect.bzl%rust_argument_comment_lint_aspect
-build:argument-comment-lint --output_groups=argument_comment_lint_checks
-build:argument-comment-lint --@rules_rust//rust/toolchain/channel=nightly
-
-# Rearrange caches on Windows so they're on the same volume as the checkout.
-common:ci-windows --config=ci-bazel
-common:ci-windows --build_metadata=TAG_os=windows
-common:ci-windows --repo_contents_cache=D:/a/.cache/bazel-repo-contents-cache
-common:ci-windows --repository_cache=D:/a/.cache/bazel-repo-cache
-
-# We prefer to run the build actions entirely remotely so we can dial up the concurrency.
-# We have platform-specific tests, so we want to execute the tests on all platforms using the strongest sandboxing available on each platform.
-
-# On linux, we can do a full remote build/test, by targeting the right (x86/arm) runners, so we have coverage of both.
-# Linux crossbuilds don't work until we untangle the libc constraint mess.
-common:ci-linux --config=ci-bazel
-common:ci-linux --build_metadata=TAG_os=linux
-common:ci-linux --config=remote
-common:ci-linux --strategy=remote
-common:ci-linux --platforms=//:rbe
-
-# On mac, we can run all the build actions remotely but test actions locally.
-common:ci-macos --config=ci-bazel
-common:ci-macos --build_metadata=TAG_os=macos
-common:ci-macos --config=remote
-common:ci-macos --strategy=remote
-common:ci-macos --strategy=TestRunner=darwin-sandbox,local
-
-# Linux-only V8 CI config.
-common:ci-v8 --config=ci
-common:ci-v8 --build_metadata=TAG_workflow=v8
-common:ci-v8 --build_metadata=TAG_os=linux
-common:ci-v8 --config=remote
-common:ci-v8 --strategy=remote
-
-# Optional per-user local overrides.
-try-import %workspace%/user.bazelrc

.bazelversion

@@ -1 +0,0 @@
-9.0.0

.codespellignore

@@ -1,5 +1,3 @@
 iTerm
 iTerm2
-psuedo
-te
-TE
+psuedo

.codespellrc

@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
-ignore-words-list = ratatui,ser,iTerm,iterm2,iterm,te,TE,PASE,SEH
+ignore-words-list = ratatui,ser,iTerm,iterm2,iterm

.codex/skills/babysit-pr/SKILL.md

@@ -1,187 +0,0 @@
----
-name: babysit-pr
-description: Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.
----
-
-# PR Babysitter
-
-## Objective
-Babysit a PR persistently until one of these terminal outcomes occurs:
-
-- The PR is merged or closed.
-- A situation requires user help (for example CI infrastructure issues, repeated flaky failures after retry budget is exhausted, permission problems, or ambiguity that cannot be resolved safely).
-- Optional handoff milestone: the PR is currently green + mergeable + review-clean. Treat this as a progress state, not a watcher stop, so late-arriving review comments are still surfaced promptly while the PR remains open.
-
-Do not stop merely because a single snapshot returns `idle` while checks are still pending.
-
-## Inputs
-Accept any of the following:
-
-- No PR argument: infer the PR from the current branch (`--pr auto`)
-- PR number
-- PR URL
-
-## Core Workflow
-
-1. When the user asks to "monitor"/"watch"/"babysit" a PR, start with the watcher's continuous mode (`--watch`) unless you are intentionally doing a one-shot diagnostic snapshot.
-2. Run the watcher script to snapshot PR/review/CI state (or consume each streamed snapshot from `--watch`).
-3. Inspect the `actions` list in the JSON response.
-4. If `diagnose_ci_failure` is present, inspect failed run logs and classify the failure.
-5. If the failure is likely caused by the current branch, patch code locally, commit, and push.
-6. If `process_review_comment` is present, inspect surfaced review items and decide whether to address them.
-7. If a review item is actionable and correct, patch code locally, commit, push, and then mark the associated review thread/comment as resolved once the fix is on GitHub.
-8. If a review item from another author is non-actionable, already addressed, or not valid, post one reply on the comment/thread explaining that decision (for example answering the question or explaining why no change is needed). If the watcher later surfaces your own reply, treat that self-authored item as already handled and do not reply again.
-9. If the failure is likely flaky/unrelated and `retry_failed_checks` is present, rerun failed jobs with `--retry-failed-now`.
-10. If both actionable review feedback and `retry_failed_checks` are present, prioritize review feedback first; a new commit will retrigger CI, so avoid rerunning flaky checks on the old SHA unless you intentionally defer the review change.
-11. On every loop, look for newly surfaced review feedback before acting on CI failures or mergeability state, then verify mergeability / merge-conflict status (for example via `gh pr view`) alongside CI.
-12. After any push or rerun action, immediately return to step 1 and continue polling on the updated SHA/state.
-13. If you had been using `--watch` before pausing to patch/commit/push, relaunch `--watch` yourself in the same turn immediately after the push (do not wait for the user to re-invoke the skill).
-14. Repeat polling until `stop_pr_closed` appears or a user-help-required blocker is reached. A green + review-clean + mergeable PR is a progress milestone, not a reason to stop the watcher while the PR is still open.
-15. Maintain terminal/session ownership: while babysitting is active, keep consuming watcher output in the same turn; do not leave a detached `--watch` process running and then end the turn as if monitoring were complete.
-
-## Commands
-
-### One-shot snapshot
-
-```bash
-python3 .codex/skills/babysit-pr/scripts/gh_pr_watch.py --pr auto --once
-```
-
-### Continuous watch (JSONL)
-
-```bash
-python3 .codex/skills/babysit-pr/scripts/gh_pr_watch.py --pr auto --watch
-```
-
-### Trigger flaky retry cycle (only when watcher indicates)
-
-```bash
-python3 .codex/skills/babysit-pr/scripts/gh_pr_watch.py --pr auto --retry-failed-now
-```
-
-### Explicit PR target
-
-```bash
-python3 .codex/skills/babysit-pr/scripts/gh_pr_watch.py --pr <number-or-url> --once
-```
-
-## CI Failure Classification
-Use `gh` commands to inspect failed runs before deciding to rerun.
-
-- `gh run view <run-id> --json jobs,name,workflowName,conclusion,status,url,headSha`
-- `gh run view <run-id> --log-failed`
-
-Prefer treating failures as branch-related when logs point to changed code (compile/test/lint/typecheck/snapshots/static analysis in touched areas).
-
-Prefer treating failures as flaky/unrelated when logs show transient infra/external issues (timeouts, runner provisioning failures, registry/network outages, GitHub Actions infra errors).
-
-If classification is ambiguous, perform one manual diagnosis attempt before choosing rerun.
-
-Read `.codex/skills/babysit-pr/references/heuristics.md` for a concise checklist.
-
-## Review Comment Handling
-The watcher surfaces review items from:
-
-- PR issue comments
-- Inline review comments
-- Review submissions (COMMENT / APPROVED / CHANGES_REQUESTED)
-
-It intentionally surfaces Codex reviewer bot feedback (for example comments/reviews from `chatgpt-codex-connector[bot]`) in addition to human reviewer feedback. Most unrelated bot noise should still be ignored.
-For safety, the watcher only auto-surfaces trusted human review authors (for example repo OWNER/MEMBER/COLLABORATOR, plus the authenticated operator) and approved review bots such as Codex.
-On a fresh watcher state file, existing pending review feedback may be surfaced immediately (not only comments that arrive after monitoring starts). This is intentional so already-open review comments are not missed.
-
-When you agree with a comment and it is actionable:
-
-1. Patch code locally.
-2. Commit with `codex: address PR review feedback (#<n>)`.
-3. Push to the PR head branch.
-4. After the push succeeds, mark the associated GitHub review thread/comment as resolved.
-5. Resume watching on the new SHA immediately (do not stop after reporting the push).
-6. If monitoring was running in `--watch` mode, restart `--watch` immediately after the push in the same turn; do not wait for the user to ask again.
-
-If you disagree or the comment is non-actionable/already addressed, reply once directly on the GitHub comment/thread so the reviewer gets an explicit answer, then continue the watcher loop. If the watcher later surfaces your own reply because the authenticated operator is treated as a trusted review author, treat that self-authored item as already handled and do not reply again.
-If a code review comment/thread is already marked as resolved in GitHub, treat it as non-actionable and safely ignore it unless new unresolved follow-up feedback appears.
-
-## Git Safety Rules
-
-- Work only on the PR head branch.
-- Avoid destructive git commands.
-- Do not switch branches unless necessary to recover context.
-- Before editing, check for unrelated uncommitted changes. If present, stop and ask the user.
-- After each successful fix, commit and `git push`, then re-run the watcher.
-- If you interrupted a live `--watch` session to make the fix, restart `--watch` immediately after the push in the same turn.
-- Do not run multiple concurrent `--watch` processes for the same PR/state file; keep one watcher session active and reuse it until it stops or you intentionally restart it.
-- A push is not a terminal outcome; continue the monitoring loop unless a strict stop condition is met.
-
-Commit message defaults:
-
-- `codex: fix CI failure on PR #<n>`
-- `codex: address PR review feedback (#<n>)`
-
-## Monitoring Loop Pattern
-Use this loop in a live Codex session:
-
-1. Run `--once`.
-2. Read `actions`.
-3. First check whether the PR is now merged or otherwise closed; if so, report that terminal state and stop polling immediately.
-4. Check CI summary, new review items, and mergeability/conflict status.
-5. Diagnose CI failures and classify branch-related vs flaky/unrelated.
-6. For each surfaced review item from another author, either reply once with an explanation if it is non-actionable or patch/commit/push and then resolve it if it is actionable. If a later snapshot surfaces your own reply, treat it as informational and continue without responding again.
-7. Process actionable review comments before flaky reruns when both are present; if a review fix requires a commit, push it and skip rerunning failed checks on the old SHA.
-8. Retry failed checks only when `retry_failed_checks` is present and you are not about to replace the current SHA with a review/CI fix commit.
-9. If you pushed a commit, resolved a review thread, replied to a review comment, or triggered a rerun, report the action briefly and continue polling (do not stop).
-10. After a review-fix push, proactively restart continuous monitoring (`--watch`) in the same turn unless a strict stop condition has already been reached.
-11. If everything is passing, mergeable, not blocked on required review approval, and there are no unaddressed review items, report that the PR is currently ready to merge but keep the watcher running so new review comments are surfaced quickly while the PR remains open.
-12. If blocked on a user-help-required issue (infra outage, exhausted flaky retries, unclear reviewer request, permissions), report the blocker and stop.
-13. Otherwise sleep according to the polling cadence below and repeat.
-
-When the user explicitly asks to monitor/watch/babysit a PR, prefer `--watch` so polling continues autonomously in one command. Use repeated `--once` snapshots only for debugging, local testing, or when the user explicitly asks for a one-shot check.
-Do not stop to ask the user whether to continue polling; continue autonomously until a strict stop condition is met or the user explicitly interrupts.
-Do not hand control back to the user after a review-fix push just because a new SHA was created; restarting the watcher and re-entering the poll loop is part of the same babysitting task.
-If a `--watch` process is still running and no strict stop condition has been reached, the babysitting task is still in progress; keep streaming/consuming watcher output instead of ending the turn.
-
-## Polling Cadence
-Keep review polling aggressive and continue monitoring even after CI turns green:
-
-- While CI is not green (pending/running/queued or failing): poll every 1 minute.
-- After CI turns green: keep polling at the base cadence while the PR remains open so newly posted review comments are surfaced promptly instead of waiting on a long green-state backoff.
-- Reset the cadence immediately whenever anything changes (new commit/SHA, check status changes, new review comments, mergeability changes, review decision changes).
-- If CI stops being green again (new commit, rerun, or regression): stay on the base polling cadence.
-- If any poll shows the PR is merged or otherwise closed: stop polling immediately and report the terminal state.
-
-## Stop Conditions (Strict)
-Stop only when one of the following is true:
-
-- PR merged or closed (stop as soon as a poll/snapshot confirms this).
-- User intervention is required and Codex cannot safely proceed alone.
-
-Keep polling when:
-
-- `actions` contains only `idle` but checks are still pending.
-- CI is still running/queued.
-- Review state is quiet but CI is not terminal.
-- CI is green but mergeability is unknown/pending.
-- CI is green and mergeable, but the PR is still open and you are waiting for possible new review comments or merge-conflict changes.
-- The PR is green but blocked on review approval (`REVIEW_REQUIRED` / similar); continue polling at the base cadence and surface any new review comments without asking for confirmation to keep watching.
-
-## Output Expectations
-Provide concise progress updates while monitoring and a final summary that includes:
-
-- During long unchanged monitoring periods, avoid emitting a full update on every poll; summarize only status changes plus occasional heartbeat updates.
-- Treat push confirmations, intermediate CI snapshots, ready-to-merge snapshots, and review-action updates as progress updates only; do not emit the final summary or end the babysitting session unless a strict stop condition is met.
-- A user request to "monitor" is not satisfied by a couple of sample polls; remain in the loop until a strict stop condition or an explicit user interruption.
-- A review-fix commit + push is not a completion event; immediately resume live monitoring (`--watch`) in the same turn and continue reporting progress updates.
-- When CI first transitions to all green for the current SHA, emit a one-time celebratory progress update (do not repeat it on every green poll). Preferred style: `🚀 CI is all green! 33/33 passed. Still on watch for review approval.`
-- Do not send the final summary while a watcher terminal is still running unless the watcher has emitted/confirmed a strict stop condition; otherwise continue with progress updates.
-
-- Final PR SHA
-- CI status summary
-- Mergeability / conflict status
-- Fixes pushed
-- Flaky retry cycles used
-- Remaining unresolved failures or review comments
-
-## References
-
-- Heuristics and decision tree: `.codex/skills/babysit-pr/references/heuristics.md`
-- GitHub CLI/API details used by the watcher: `.codex/skills/babysit-pr/references/github-api-notes.md`

.codex/skills/babysit-pr/agents/openai.yaml

@@ -1,4 +0,0 @@
-interface:
-  display_name: "PR Babysitter"
-  short_description: "Watch PR review comments, CI, and merge conflicts"
-  default_prompt: "Babysit the current PR: monitor reviewer comments, CI, and merge-conflict status (prefer the watcher’s --watch mode for live monitoring); surface new review feedback before acting on CI or mergeability work, fix valid issues, push updates, and rerun flaky failures up to 3 times. Keep exactly one watcher session active for the PR (do not leave duplicate --watch terminals running). If you pause monitoring to patch review/CI feedback, restart --watch yourself immediately after the push in the same turn. If a watcher is still running and no strict stop condition has been reached, the task is still in progress: keep consuming watcher output and sending progress updates instead of ending the turn. Do not treat a green + mergeable PR as a terminal stop while it is still open; continue polling autonomously after any push/rerun so newly posted review comments are surfaced until a strict terminal stop condition is reached or the user interrupts."

.codex/skills/babysit-pr/references/github-api-notes.md

@@ -1,72 +0,0 @@
-# GitHub CLI / API Notes For `babysit-pr`
-
-## Primary commands used
-
-### PR metadata
-
-- `gh pr view --json number,url,state,mergedAt,closedAt,headRefName,headRefOid,headRepository,headRepositoryOwner`
-
-Used to resolve PR number, URL, branch, head SHA, and closed/merged state.
-
-### PR checks summary
-
-- `gh pr checks --json name,state,bucket,link,workflow,event,startedAt,completedAt`
-
-Used to compute pending/failed/passed counts and whether the current CI round is terminal.
-
-### Workflow runs for head SHA
-
-- `gh api repos/{owner}/{repo}/actions/runs -X GET -f head_sha=<sha> -f per_page=100`
-
-Used to discover failed workflow runs and rerunnable run IDs.
-
-### Failed log inspection
-
-- `gh run view <run-id> --json jobs,name,workflowName,conclusion,status,url,headSha`
-- `gh run view <run-id> --log-failed`
-
-Used by Codex to classify branch-related vs flaky/unrelated failures.
-
-### Retry failed jobs only
-
-- `gh run rerun <run-id> --failed`
-
-Reruns only failed jobs (and dependencies) for a workflow run.
-
-## Review-related endpoints
-
-- Issue comments on PR:
-  - `gh api repos/{owner}/{repo}/issues/<pr_number>/comments?per_page=100`
-- Inline PR review comments:
-  - `gh api repos/{owner}/{repo}/pulls/<pr_number>/comments?per_page=100`
-- Review submissions:
-  - `gh api repos/{owner}/{repo}/pulls/<pr_number>/reviews?per_page=100`
-
-## JSON fields consumed by the watcher
-
-### `gh pr view`
-
-- `number`
-- `url`
-- `state`
-- `mergedAt`
-- `closedAt`
-- `headRefName`
-- `headRefOid`
-
-### `gh pr checks`
-
-- `bucket` (`pass`, `fail`, `pending`, `skipping`)
-- `state`
-- `name`
-- `workflow`
-- `link`
-
-### Actions runs API (`workflow_runs[]`)
-
-- `id`
-- `name`
-- `status`
-- `conclusion`
-- `html_url`
-- `head_sha`

.codex/skills/babysit-pr/references/heuristics.md

@@ -1,58 +0,0 @@
-# CI / Review Heuristics
-
-## CI classification checklist
-
-Treat as **branch-related** when logs clearly indicate a regression caused by the PR branch:
-
-- Compile/typecheck/lint failures in files or modules touched by the branch
-- Deterministic unit/integration test failures in changed areas
-- Snapshot output changes caused by UI/text changes in the branch
-- Static analysis violations introduced by the latest push
-- Build script/config changes in the PR causing a deterministic failure
-
-Treat as **likely flaky or unrelated** when evidence points to transient or external issues:
-
-- DNS/network/registry timeout errors while fetching dependencies
-- Runner image provisioning or startup failures
-- GitHub Actions infrastructure/service outages
-- Cloud/service rate limits or transient API outages
-- Non-deterministic failures in unrelated integration tests with known flake patterns
-
-If uncertain, inspect failed logs once before choosing rerun.
-
-## Decision tree (fix vs rerun vs stop)
-
-1. If PR is merged/closed: stop.
-2. If there are failed checks:
-   - Diagnose first.
-   - If branch-related: fix locally, commit, push.
-   - If likely flaky/unrelated and all checks for the current SHA are terminal: rerun failed jobs.
-   - If checks are still pending: wait.
-3. If flaky reruns for the same SHA reach the configured limit (default 3): stop and report persistent failure.
-4. Independently, process any new human review comments.
-
-## Review comment agreement criteria
-
-Address the comment when:
-
-- The comment is technically correct.
-- The change is actionable in the current branch.
-- The requested change does not conflict with the user’s intent or recent guidance.
-- The change can be made safely without unrelated refactors.
-
-Do not auto-fix when:
-
-- The comment is ambiguous and needs clarification.
-- The request conflicts with explicit user instructions.
-- The proposed change requires product/design decisions the user has not made.
-- The codebase is in a dirty/unrelated state that makes safe editing uncertain.
-
-## Stop-and-ask conditions
-
-Stop and ask the user instead of continuing automatically when:
-
-- The local worktree has unrelated uncommitted changes.
-- `gh` auth/permissions fail.
-- The PR branch cannot be pushed.
-- CI failures persist after the flaky retry budget.
-- Reviewer feedback requires a product decision or cross-team coordination.

.codex/skills/babysit-pr/scripts/gh_pr_watch.py

@@ -1,806 +0,0 @@
-#!/usr/bin/env python3
-"""Watch GitHub PR CI and review activity for Codex PR babysitting workflows."""
-
-import argparse
-import json
-import os
-import re
-import subprocess
-import sys
-import tempfile
-import time
-from pathlib import Path
-from urllib.parse import urlparse
-
-FAILED_RUN_CONCLUSIONS = {
-    "failure",
-    "timed_out",
-    "cancelled",
-    "action_required",
-    "startup_failure",
-    "stale",
-}
-PENDING_CHECK_STATES = {
-    "QUEUED",
-    "IN_PROGRESS",
-    "PENDING",
-    "WAITING",
-    "REQUESTED",
-}
-REVIEW_BOT_LOGIN_KEYWORDS = {
-    "codex",
-}
-TRUSTED_AUTHOR_ASSOCIATIONS = {
-    "OWNER",
-    "MEMBER",
-    "COLLABORATOR",
-}
-MERGE_BLOCKING_REVIEW_DECISIONS = {
-    "REVIEW_REQUIRED",
-    "CHANGES_REQUESTED",
-}
-MERGE_CONFLICT_OR_BLOCKING_STATES = {
-    "BLOCKED",
-    "DIRTY",
-    "DRAFT",
-    "UNKNOWN",
-}
-
-
-class GhCommandError(RuntimeError):
-    pass
-
-
-def parse_args():
-    parser = argparse.ArgumentParser(
-        description=(
-            "Normalize PR/CI/review state for Codex PR babysitting and optionally "
-            "trigger flaky reruns."
-        )
-    )
-    parser.add_argument("--pr", default="auto", help="auto, PR number, or PR URL")
-    parser.add_argument("--repo", help="Optional OWNER/REPO override")
-    parser.add_argument("--poll-seconds", type=int, default=30, help="Watch poll interval")
-    parser.add_argument(
-        "--max-flaky-retries",
-        type=int,
-        default=3,
-        help="Max rerun cycles per head SHA before stop recommendation",
-    )
-    parser.add_argument("--state-file", help="Path to state JSON file")
-    parser.add_argument("--once", action="store_true", help="Emit one snapshot and exit")
-    parser.add_argument("--watch", action="store_true", help="Continuously emit JSONL snapshots")
-    parser.add_argument(
-        "--retry-failed-now",
-        action="store_true",
-        help="Rerun failed jobs for current failed workflow runs when policy allows",
-    )
-    parser.add_argument(
-        "--json",
-        action="store_true",
-        help="Emit machine-readable output (default behavior for --once and --retry-failed-now)",
-    )
-    args = parser.parse_args()
-
-    if args.poll_seconds <= 0:
-        parser.error("--poll-seconds must be > 0")
-    if args.max_flaky_retries < 0:
-        parser.error("--max-flaky-retries must be >= 0")
-    if args.watch and args.retry_failed_now:
-        parser.error("--watch cannot be combined with --retry-failed-now")
-    if not args.once and not args.watch and not args.retry_failed_now:
-        args.once = True
-    return args
-
-
-def _format_gh_error(cmd, err):
-    stdout = (err.stdout or "").strip()
-    stderr = (err.stderr or "").strip()
-    parts = [f"GitHub CLI command failed: {' '.join(cmd)}"]
-    if stdout:
-        parts.append(f"stdout: {stdout}")
-    if stderr:
-        parts.append(f"stderr: {stderr}")
-    return "\n".join(parts)
-
-
-def gh_text(args, repo=None):
-    cmd = ["gh"]
-    # `gh api` does not accept `-R/--repo` on all gh versions. The watcher's
-    # API calls use explicit endpoints (e.g. repos/{owner}/{repo}/...), so the
-    # repo flag is unnecessary there.
-    if repo and (not args or args[0] != "api"):
-        cmd.extend(["-R", repo])
-    cmd.extend(args)
-    try:
-        proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
-    except FileNotFoundError as err:
-        raise GhCommandError("`gh` command not found") from err
-    except subprocess.CalledProcessError as err:
-        raise GhCommandError(_format_gh_error(cmd, err)) from err
-    return proc.stdout
-
-
-def gh_json(args, repo=None):
-    raw = gh_text(args, repo=repo).strip()
-    if not raw:
-        return None
-    try:
-        return json.loads(raw)
-    except json.JSONDecodeError as err:
-        raise GhCommandError(f"Failed to parse JSON from gh output for {' '.join(args)}") from err
-
-
-def parse_pr_spec(pr_spec):
-    if pr_spec == "auto":
-        return {"mode": "auto", "value": None}
-    if re.fullmatch(r"\d+", pr_spec):
-        return {"mode": "number", "value": pr_spec}
-    parsed = urlparse(pr_spec)
-    if parsed.scheme and parsed.netloc and "/pull/" in parsed.path:
-        return {"mode": "url", "value": pr_spec}
-    raise ValueError("--pr must be 'auto', a PR number, or a PR URL")
-
-
-def pr_view_fields():
-    return (
-        "number,url,state,mergedAt,closedAt,headRefName,headRefOid,"
-        "headRepository,headRepositoryOwner,mergeable,mergeStateStatus,reviewDecision"
-    )
-
-
-def checks_fields():
-    return "name,state,bucket,link,workflow,event,startedAt,completedAt"
-
-
-def resolve_pr(pr_spec, repo_override=None):
-    parsed = parse_pr_spec(pr_spec)
-    cmd = ["pr", "view"]
-    if parsed["value"] is not None:
-        cmd.append(parsed["value"])
-    cmd.extend(["--json", pr_view_fields()])
-    data = gh_json(cmd, repo=repo_override)
-    if not isinstance(data, dict):
-        raise GhCommandError("Unexpected PR payload from `gh pr view`")
-
-    pr_url = str(data.get("url") or "")
-    repo = (
-        repo_override
-        or extract_repo_from_pr_url(pr_url)
-        or extract_repo_from_pr_view(data)
-    )
-    if not repo:
-        raise GhCommandError("Unable to determine OWNER/REPO for the PR")
-
-    state = str(data.get("state") or "")
-    merged = bool(data.get("mergedAt"))
-    closed = bool(data.get("closedAt")) or state.upper() == "CLOSED"
-
-    return {
-        "number": int(data["number"]),
-        "url": pr_url,
-        "repo": repo,
-        "head_sha": str(data.get("headRefOid") or ""),
-        "head_branch": str(data.get("headRefName") or ""),
-        "state": state,
-        "merged": merged,
-        "closed": closed,
-        "mergeable": str(data.get("mergeable") or ""),
-        "merge_state_status": str(data.get("mergeStateStatus") or ""),
-        "review_decision": str(data.get("reviewDecision") or ""),
-    }
-
-
-def extract_repo_from_pr_view(data):
-    head_repo = data.get("headRepository")
-    head_owner = data.get("headRepositoryOwner")
-    owner = None
-    name = None
-    if isinstance(head_owner, dict):
-        owner = head_owner.get("login") or head_owner.get("name")
-    elif isinstance(head_owner, str):
-        owner = head_owner
-    if isinstance(head_repo, dict):
-        name = head_repo.get("name")
-        repo_owner = head_repo.get("owner")
-        if not owner and isinstance(repo_owner, dict):
-            owner = repo_owner.get("login") or repo_owner.get("name")
-    elif isinstance(head_repo, str):
-        name = head_repo
-    if owner and name:
-        return f"{owner}/{name}"
-    return None
-def extract_repo_from_pr_url(pr_url):
-    parsed = urlparse(pr_url)
-    parts = [p for p in parsed.path.split("/") if p]
-    if len(parts) >= 4 and parts[2] == "pull":
-        return f"{parts[0]}/{parts[1]}"
-    return None
-
-
-def load_state(path):
-    if path.exists():
-        try:
-            data = json.loads(path.read_text())
-        except json.JSONDecodeError as err:
-            raise RuntimeError(f"State file is not valid JSON: {path}") from err
-        if not isinstance(data, dict):
-            raise RuntimeError(f"State file must contain an object: {path}")
-        return data, False
-    return {
-        "pr": {},
-        "started_at": None,
-        "last_seen_head_sha": None,
-        "retries_by_sha": {},
-        "seen_issue_comment_ids": [],
-        "seen_review_comment_ids": [],
-        "seen_review_ids": [],
-        "last_snapshot_at": None,
-    }, True
-
-
-def save_state(path, state):
-    path.parent.mkdir(parents=True, exist_ok=True)
-    payload = json.dumps(state, indent=2, sort_keys=True) + "\n"
-    fd, tmp_name = tempfile.mkstemp(prefix=f"{path.name}.", suffix=".tmp", dir=path.parent)
-    tmp_path = Path(tmp_name)
-    try:
-        with os.fdopen(fd, "w", encoding="utf-8") as tmp_file:
-            tmp_file.write(payload)
-        os.replace(tmp_path, path)
-    except Exception:
-        try:
-            tmp_path.unlink(missing_ok=True)
-        except OSError:
-            pass
-        raise
-
-
-def default_state_file_for(pr):
-    repo_slug = pr["repo"].replace("/", "-")
-    return Path(f"/tmp/codex-babysit-pr-{repo_slug}-pr{pr['number']}.json")
-
-
-def get_pr_checks(pr_spec, repo):
-    parsed = parse_pr_spec(pr_spec)
-    cmd = ["pr", "checks"]
-    if parsed["value"] is not None:
-        cmd.append(parsed["value"])
-    cmd.extend(["--json", checks_fields()])
-    data = gh_json(cmd, repo=repo)
-    if data is None:
-        return []
-    if not isinstance(data, list):
-        raise GhCommandError("Unexpected payload from `gh pr checks`")
-    return data
-
-
-def is_pending_check(check):
-    bucket = str(check.get("bucket") or "").lower()
-    state = str(check.get("state") or "").upper()
-    return bucket == "pending" or state in PENDING_CHECK_STATES
-
-
-def summarize_checks(checks):
-    pending_count = 0
-    failed_count = 0
-    passed_count = 0
-    for check in checks:
-        bucket = str(check.get("bucket") or "").lower()
-        if is_pending_check(check):
-            pending_count += 1
-        if bucket == "fail":
-            failed_count += 1
-        if bucket == "pass":
-            passed_count += 1
-    return {
-        "pending_count": pending_count,
-        "failed_count": failed_count,
-        "passed_count": passed_count,
-        "all_terminal": pending_count == 0,
-    }
-
-
-def get_workflow_runs_for_sha(repo, head_sha):
-    endpoint = f"repos/{repo}/actions/runs"
-    data = gh_json(
-        ["api", endpoint, "-X", "GET", "-f", f"head_sha={head_sha}", "-f", "per_page=100"],
-        repo=repo,
-    )
-    if not isinstance(data, dict):
-        raise GhCommandError("Unexpected payload from actions runs API")
-    runs = data.get("workflow_runs") or []
-    if not isinstance(runs, list):
-        raise GhCommandError("Expected `workflow_runs` to be a list")
-    return runs
-
-
-def failed_runs_from_workflow_runs(runs, head_sha):
-    failed_runs = []
-    for run in runs:
-        if not isinstance(run, dict):
-            continue
-        if str(run.get("head_sha") or "") != head_sha:
-            continue
-        conclusion = str(run.get("conclusion") or "")
-        if conclusion not in FAILED_RUN_CONCLUSIONS:
-            continue
-        failed_runs.append(
-            {
-                "run_id": run.get("id"),
-                "workflow_name": run.get("name") or run.get("display_title") or "",
-                "status": str(run.get("status") or ""),
-                "conclusion": conclusion,
-                "html_url": str(run.get("html_url") or ""),
-            }
-        )
-    failed_runs.sort(key=lambda item: (str(item.get("workflow_name") or ""), str(item.get("run_id") or "")))
-    return failed_runs
-
-
-def get_authenticated_login():
-    data = gh_json(["api", "user"])
-    if not isinstance(data, dict) or not data.get("login"):
-        raise GhCommandError("Unable to determine authenticated GitHub login from `gh api user`")
-    return str(data["login"])
-
-
-def comment_endpoints(repo, pr_number):
-    return {
-        "issue_comment": f"repos/{repo}/issues/{pr_number}/comments",
-        "review_comment": f"repos/{repo}/pulls/{pr_number}/comments",
-        "review": f"repos/{repo}/pulls/{pr_number}/reviews",
-    }
-
-
-def gh_api_list_paginated(endpoint, repo=None, per_page=100):
-    items = []
-    page = 1
-    while True:
-        sep = "&" if "?" in endpoint else "?"
-        page_endpoint = f"{endpoint}{sep}per_page={per_page}&page={page}"
-        payload = gh_json(["api", page_endpoint], repo=repo)
-        if payload is None:
-            break
-        if not isinstance(payload, list):
-            raise GhCommandError(f"Unexpected paginated payload from gh api {endpoint}")
-        items.extend(payload)
-        if len(payload) < per_page:
-            break
-        page += 1
-    return items
-
-
-def normalize_issue_comments(items):
-    out = []
-    for item in items:
-        if not isinstance(item, dict):
-            continue
-        out.append(
-            {
-                "kind": "issue_comment",
-                "id": str(item.get("id") or ""),
-                "author": extract_login(item.get("user")),
-                "author_association": str(item.get("author_association") or ""),
-                "created_at": str(item.get("created_at") or ""),
-                "body": str(item.get("body") or ""),
-                "path": None,
-                "line": None,
-                "url": str(item.get("html_url") or ""),
-            }
-        )
-    return out
-
-
-def normalize_review_comments(items):
-    out = []
-    for item in items:
-        if not isinstance(item, dict):
-            continue
-        line = item.get("line")
-        if line is None:
-            line = item.get("original_line")
-        out.append(
-            {
-                "kind": "review_comment",
-                "id": str(item.get("id") or ""),
-                "author": extract_login(item.get("user")),
-                "author_association": str(item.get("author_association") or ""),
-                "created_at": str(item.get("created_at") or ""),
-                "body": str(item.get("body") or ""),
-                "path": item.get("path"),
-                "line": line,
-                "url": str(item.get("html_url") or ""),
-            }
-        )
-    return out
-
-
-def normalize_reviews(items):
-    out = []
-    for item in items:
-        if not isinstance(item, dict):
-            continue
-        out.append(
-            {
-                "kind": "review",
-                "id": str(item.get("id") or ""),
-                "author": extract_login(item.get("user")),
-                "author_association": str(item.get("author_association") or ""),
-                "created_at": str(item.get("submitted_at") or item.get("created_at") or ""),
-                "body": str(item.get("body") or ""),
-                "path": None,
-                "line": None,
-                "url": str(item.get("html_url") or ""),
-            }
-        )
-    return out
-
-
-def extract_login(user_obj):
-    if isinstance(user_obj, dict):
-        return str(user_obj.get("login") or "")
-    return ""
-
-
-def is_bot_login(login):
-    return bool(login) and login.endswith("[bot]")
-
-
-def is_actionable_review_bot_login(login):
-    if not is_bot_login(login):
-        return False
-    lower_login = login.lower()
-    return any(keyword in lower_login for keyword in REVIEW_BOT_LOGIN_KEYWORDS)
-
-
-def is_trusted_human_review_author(item, authenticated_login):
-    author = str(item.get("author") or "")
-    if not author:
-        return False
-    if authenticated_login and author == authenticated_login:
-        return True
-    association = str(item.get("author_association") or "").upper()
-    return association in TRUSTED_AUTHOR_ASSOCIATIONS
-
-
-def fetch_new_review_items(pr, state, fresh_state, authenticated_login=None):
-    repo = pr["repo"]
-    pr_number = pr["number"]
-    endpoints = comment_endpoints(repo, pr_number)
-
-    issue_payload = gh_api_list_paginated(endpoints["issue_comment"], repo=repo)
-    review_comment_payload = gh_api_list_paginated(endpoints["review_comment"], repo=repo)
-    review_payload = gh_api_list_paginated(endpoints["review"], repo=repo)
-
-    issue_items = normalize_issue_comments(issue_payload)
-    review_comment_items = normalize_review_comments(review_comment_payload)
-    review_items = normalize_reviews(review_payload)
-    all_items = issue_items + review_comment_items + review_items
-
-    seen_issue = {str(x) for x in state.get("seen_issue_comment_ids") or []}
-    seen_review_comment = {str(x) for x in state.get("seen_review_comment_ids") or []}
-    seen_review = {str(x) for x in state.get("seen_review_ids") or []}
-
-    # On a brand-new state file, surface existing review activity instead of
-    # silently treating it as seen. This avoids missing already-pending review
-    # feedback when monitoring starts after comments were posted.
-
-    new_items = []
-    for item in all_items:
-        item_id = item.get("id")
-        if not item_id:
-            continue
-        author = item.get("author") or ""
-        if not author:
-            continue
-        if is_bot_login(author):
-            if not is_actionable_review_bot_login(author):
-                continue
-        elif not is_trusted_human_review_author(item, authenticated_login):
-            continue
-
-        kind = item["kind"]
-        if kind == "issue_comment" and item_id in seen_issue:
-            continue
-        if kind == "review_comment" and item_id in seen_review_comment:
-            continue
-        if kind == "review" and item_id in seen_review:
-            continue
-
-        new_items.append(item)
-        if kind == "issue_comment":
-            seen_issue.add(item_id)
-        elif kind == "review_comment":
-            seen_review_comment.add(item_id)
-        elif kind == "review":
-            seen_review.add(item_id)
-
-    new_items.sort(key=lambda item: (item.get("created_at") or "", item.get("kind") or "", item.get("id") or ""))
-    state["seen_issue_comment_ids"] = sorted(seen_issue)
-    state["seen_review_comment_ids"] = sorted(seen_review_comment)
-    state["seen_review_ids"] = sorted(seen_review)
-    return new_items
-
-
-def current_retry_count(state, head_sha):
-    retries = state.get("retries_by_sha") or {}
-    value = retries.get(head_sha, 0)
-    try:
-        return int(value)
-    except (TypeError, ValueError):
-        return 0
-
-
-def set_retry_count(state, head_sha, count):
-    retries = state.get("retries_by_sha")
-    if not isinstance(retries, dict):
-        retries = {}
-    retries[head_sha] = int(count)
-    state["retries_by_sha"] = retries
-
-
-def unique_actions(actions):
-    out = []
-    seen = set()
-    for action in actions:
-        if action not in seen:
-            out.append(action)
-            seen.add(action)
-    return out
-
-
-def is_pr_ready_to_merge(pr, checks_summary, new_review_items):
-    if pr["closed"] or pr["merged"]:
-        return False
-    if not checks_summary["all_terminal"]:
-        return False
-    if checks_summary["failed_count"] > 0 or checks_summary["pending_count"] > 0:
-        return False
-    if new_review_items:
-        return False
-    if str(pr.get("mergeable") or "") != "MERGEABLE":
-        return False
-    if str(pr.get("merge_state_status") or "") in MERGE_CONFLICT_OR_BLOCKING_STATES:
-        return False
-    if str(pr.get("review_decision") or "") in MERGE_BLOCKING_REVIEW_DECISIONS:
-        return False
-    return True
-
-
-def recommend_actions(pr, checks_summary, failed_runs, new_review_items, retries_used, max_retries):
-    actions = []
-    if pr["closed"] or pr["merged"]:
-        if new_review_items:
-            actions.append("process_review_comment")
-        actions.append("stop_pr_closed")
-        return unique_actions(actions)
-
-    if is_pr_ready_to_merge(pr, checks_summary, new_review_items):
-        actions.append("ready_to_merge")
-        return unique_actions(actions)
-
-    if new_review_items:
-        actions.append("process_review_comment")
-
-    has_failed_pr_checks = checks_summary["failed_count"] > 0
-    if has_failed_pr_checks:
-        if checks_summary["all_terminal"] and retries_used >= max_retries:
-            actions.append("stop_exhausted_retries")
-        else:
-            actions.append("diagnose_ci_failure")
-            if checks_summary["all_terminal"] and failed_runs and retries_used < max_retries:
-                actions.append("retry_failed_checks")
-
-    if not actions:
-        actions.append("idle")
-    return unique_actions(actions)
-
-
-def collect_snapshot(args):
-    pr = resolve_pr(args.pr, repo_override=args.repo)
-    state_path = Path(args.state_file) if args.state_file else default_state_file_for(pr)
-    state, fresh_state = load_state(state_path)
-
-    if not state.get("started_at"):
-        state["started_at"] = int(time.time())
-
-    authenticated_login = get_authenticated_login()
-    new_review_items = fetch_new_review_items(
-        pr,
-        state,
-        fresh_state=fresh_state,
-        authenticated_login=authenticated_login,
-    )
-    # Surface review feedback before drilling into CI and mergeability details.
-    # That keeps the babysitter responsive to new comments even when other
-    # actions are also available.
-    # `gh pr checks -R <repo>` requires an explicit PR/branch/url argument.
-    # After resolving `--pr auto`, reuse the concrete PR number.
-    checks = get_pr_checks(str(pr["number"]), repo=pr["repo"])
-    checks_summary = summarize_checks(checks)
-    workflow_runs = get_workflow_runs_for_sha(pr["repo"], pr["head_sha"])
-    failed_runs = failed_runs_from_workflow_runs(workflow_runs, pr["head_sha"])
-
-    retries_used = current_retry_count(state, pr["head_sha"])
-    actions = recommend_actions(
-        pr,
-        checks_summary,
-        failed_runs,
-        new_review_items,
-        retries_used,
-        args.max_flaky_retries,
-    )
-
-    state["pr"] = {"repo": pr["repo"], "number": pr["number"]}
-    state["last_seen_head_sha"] = pr["head_sha"]
-    state["last_snapshot_at"] = int(time.time())
-    save_state(state_path, state)
-
-    snapshot = {
-        "pr": pr,
-        "checks": checks_summary,
-        "failed_runs": failed_runs,
-        "new_review_items": new_review_items,
-        "actions": actions,
-        "retry_state": {
-            "current_sha_retries_used": retries_used,
-            "max_flaky_retries": args.max_flaky_retries,
-        },
-    }
-    return snapshot, state_path
-
-
-def retry_failed_now(args):
-    snapshot, state_path = collect_snapshot(args)
-    pr = snapshot["pr"]
-    checks_summary = snapshot["checks"]
-    failed_runs = snapshot["failed_runs"]
-    retries_used = snapshot["retry_state"]["current_sha_retries_used"]
-    max_retries = snapshot["retry_state"]["max_flaky_retries"]
-
-    result = {
-        "snapshot": snapshot,
-        "state_file": str(state_path),
-        "rerun_attempted": False,
-        "rerun_count": 0,
-        "rerun_run_ids": [],
-        "reason": None,
-    }
-
-    if pr["closed"] or pr["merged"]:
-        result["reason"] = "pr_closed"
-        return result
-    if checks_summary["failed_count"] <= 0:
-        result["reason"] = "no_failed_pr_checks"
-        return result
-    if not failed_runs:
-        result["reason"] = "no_failed_runs"
-        return result
-    if not checks_summary["all_terminal"]:
-        result["reason"] = "checks_still_pending"
-        return result
-    if retries_used >= max_retries:
-        result["reason"] = "retry_budget_exhausted"
-        return result
-
-    for run in failed_runs:
-        run_id = run.get("run_id")
-        if run_id in (None, ""):
-            continue
-        gh_text(["run", "rerun", str(run_id), "--failed"], repo=pr["repo"])
-        result["rerun_run_ids"].append(run_id)
-
-    if result["rerun_run_ids"]:
-        state, _ = load_state(state_path)
-        new_count = current_retry_count(state, pr["head_sha"]) + 1
-        set_retry_count(state, pr["head_sha"], new_count)
-        state["last_snapshot_at"] = int(time.time())
-        save_state(state_path, state)
-        result["rerun_attempted"] = True
-        result["rerun_count"] = len(result["rerun_run_ids"])
-        result["reason"] = "rerun_triggered"
-    else:
-        result["reason"] = "failed_runs_missing_ids"
-
-    return result
-
-
-def print_json(obj):
-    sys.stdout.write(json.dumps(obj, sort_keys=True) + "\n")
-    sys.stdout.flush()
-
-
-def print_event(event, payload):
-    print_json({"event": event, "payload": payload})
-
-
-def is_ci_green(snapshot):
-    checks = snapshot.get("checks") or {}
-    return (
-        bool(checks.get("all_terminal"))
-        and int(checks.get("failed_count") or 0) == 0
-        and int(checks.get("pending_count") or 0) == 0
-    )
-
-
-def snapshot_change_key(snapshot):
-    pr = snapshot.get("pr") or {}
-    checks = snapshot.get("checks") or {}
-    review_items = snapshot.get("new_review_items") or []
-    return (
-        str(pr.get("head_sha") or ""),
-        str(pr.get("state") or ""),
-        str(pr.get("mergeable") or ""),
-        str(pr.get("merge_state_status") or ""),
-        str(pr.get("review_decision") or ""),
-        int(checks.get("passed_count") or 0),
-        int(checks.get("failed_count") or 0),
-        int(checks.get("pending_count") or 0),
-        tuple(
-            (str(item.get("kind") or ""), str(item.get("id") or ""))
-            for item in review_items
-            if isinstance(item, dict)
-        ),
-        tuple(snapshot.get("actions") or []),
-    )
-
-
-def run_watch(args):
-    poll_seconds = args.poll_seconds
-    last_change_key = None
-    while True:
-        snapshot, state_path = collect_snapshot(args)
-        print_event(
-            "snapshot",
-            {
-                "snapshot": snapshot,
-                "state_file": str(state_path),
-                "next_poll_seconds": poll_seconds,
-            },
-        )
-        actions = set(snapshot.get("actions") or [])
-        if (
-            "stop_pr_closed" in actions
-            or "stop_exhausted_retries" in actions
-        ):
-            print_event("stop", {"actions": snapshot.get("actions"), "pr": snapshot.get("pr")})
-            return 0
-
-        current_change_key = snapshot_change_key(snapshot)
-        changed = current_change_key != last_change_key
-        green = is_ci_green(snapshot)
-        pr = snapshot.get("pr") or {}
-        pr_open = not bool(pr.get("closed")) and not bool(pr.get("merged"))
-
-        if not green or pr_open:
-            poll_seconds = args.poll_seconds
-        elif changed or last_change_key is None:
-            poll_seconds = args.poll_seconds
-
-        last_change_key = current_change_key
-        time.sleep(poll_seconds)
-
-
-def main():
-    args = parse_args()
-    try:
-        if args.retry_failed_now:
-            print_json(retry_failed_now(args))
-            return 0
-        if args.watch:
-            return run_watch(args)
-        snapshot, state_path = collect_snapshot(args)
-        snapshot["state_file"] = str(state_path)
-        print_json(snapshot)
-        return 0
-    except (GhCommandError, RuntimeError, ValueError) as err:
-        sys.stderr.write(f"gh_pr_watch.py error: {err}\n")
-        return 1
-    except KeyboardInterrupt:
-        sys.stderr.write("gh_pr_watch.py interrupted\n")
-        return 130
-
-
-if __name__ == "__main__":
-    raise SystemExit(main())

.codex/skills/babysit-pr/scripts/test_gh_pr_watch.py

@@ -1,155 +0,0 @@
-import argparse
-import importlib.util
-from pathlib import Path
-
-import pytest
-
-
-MODULE_PATH = Path(__file__).with_name("gh_pr_watch.py")
-MODULE_SPEC = importlib.util.spec_from_file_location("gh_pr_watch", MODULE_PATH)
-gh_pr_watch = importlib.util.module_from_spec(MODULE_SPEC)
-assert MODULE_SPEC.loader is not None
-MODULE_SPEC.loader.exec_module(gh_pr_watch)
-
-
-def sample_pr():
-    return {
-        "number": 123,
-        "url": "https://github.com/openai/codex/pull/123",
-        "repo": "openai/codex",
-        "head_sha": "abc123",
-        "head_branch": "feature",
-        "state": "OPEN",
-        "merged": False,
-        "closed": False,
-        "mergeable": "MERGEABLE",
-        "merge_state_status": "CLEAN",
-        "review_decision": "",
-    }
-
-
-def sample_checks(**overrides):
-    checks = {
-        "pending_count": 0,
-        "failed_count": 0,
-        "passed_count": 12,
-        "all_terminal": True,
-    }
-    checks.update(overrides)
-    return checks
-
-
-def test_collect_snapshot_fetches_review_items_before_ci(monkeypatch, tmp_path):
-    call_order = []
-    pr = sample_pr()
-
-    monkeypatch.setattr(gh_pr_watch, "resolve_pr", lambda *args, **kwargs: pr)
-    monkeypatch.setattr(gh_pr_watch, "load_state", lambda path: ({}, True))
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "get_authenticated_login",
-        lambda: call_order.append("auth") or "octocat",
-    )
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "fetch_new_review_items",
-        lambda *args, **kwargs: call_order.append("review") or [],
-    )
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "get_pr_checks",
-        lambda *args, **kwargs: call_order.append("checks") or [],
-    )
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "summarize_checks",
-        lambda checks: call_order.append("summarize") or sample_checks(),
-    )
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "get_workflow_runs_for_sha",
-        lambda *args, **kwargs: call_order.append("workflow") or [],
-    )
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "failed_runs_from_workflow_runs",
-        lambda *args, **kwargs: call_order.append("failed_runs") or [],
-    )
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "recommend_actions",
-        lambda *args, **kwargs: call_order.append("recommend") or ["idle"],
-    )
-    monkeypatch.setattr(gh_pr_watch, "save_state", lambda *args, **kwargs: None)
-
-    args = argparse.Namespace(
-        pr="123",
-        repo=None,
-        state_file=str(tmp_path / "watcher-state.json"),
-        max_flaky_retries=3,
-    )
-
-    gh_pr_watch.collect_snapshot(args)
-
-    assert call_order.index("review") < call_order.index("checks")
-    assert call_order.index("review") < call_order.index("workflow")
-
-
-def test_recommend_actions_prioritizes_review_comments():
-    actions = gh_pr_watch.recommend_actions(
-        sample_pr(),
-        sample_checks(failed_count=1),
-        [{"run_id": 99}],
-        [{"kind": "review_comment", "id": "1"}],
-        0,
-        3,
-    )
-
-    assert actions == [
-        "process_review_comment",
-        "diagnose_ci_failure",
-        "retry_failed_checks",
-    ]
-
-
-def test_run_watch_keeps_polling_open_ready_to_merge_pr(monkeypatch):
-    sleeps = []
-    events = []
-    snapshot = {
-        "pr": sample_pr(),
-        "checks": sample_checks(),
-        "failed_runs": [],
-        "new_review_items": [],
-        "actions": ["ready_to_merge"],
-        "retry_state": {
-            "current_sha_retries_used": 0,
-            "max_flaky_retries": 3,
-        },
-    }
-
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "collect_snapshot",
-        lambda args: (snapshot, Path("/tmp/codex-babysit-pr-state.json")),
-    )
-    monkeypatch.setattr(
-        gh_pr_watch,
-        "print_event",
-        lambda event, payload: events.append((event, payload)),
-    )
-
-    class StopWatch(Exception):
-        pass
-
-    def fake_sleep(seconds):
-        sleeps.append(seconds)
-        if len(sleeps) >= 2:
-            raise StopWatch
-
-    monkeypatch.setattr(gh_pr_watch.time, "sleep", fake_sleep)
-
-    with pytest.raises(StopWatch):
-        gh_pr_watch.run_watch(argparse.Namespace(poll_seconds=30))
-
-    assert sleeps == [30, 30]
-    assert [event for event, _ in events] == ["snapshot", "snapshot"]

.codex/skills/remote-tests/SKILL.md

@@ -1,16 +0,0 @@
----
-name: remote-tests
-description: How to run tests using remote executor.
----
-
-Some codex integration tests support a running against a remote executor.
-This means that when CODEX_TEST_REMOTE_ENV environment variable is set they will attempt to start an executor process in a docker container CODEX_TEST_REMOTE_ENV points to and use it in tests.
-
-Docker container is built and initialized via ./scripts/test-remote-env.sh
-
-Currently running remote tests is only supported on Linux, so you need to use a devbox to run them
-
-You can list devboxes via `applied_devbox ls`, pick the one with `codex` in the name.
-Connect to devbox via `ssh <devbox_name>`.
-Reuse the same checkout of codex in `~/code/codex`. Reset files if needed. Multiple checkouts take longer to build and take up more space.
-Check whether the SHA and modified files are in sync between remote and local.

.codex/skills/test-tui/SKILL.md

@@ -1,14 +0,0 @@
----
-name: test-tui
-description: Guide for testing Codex TUI interactively
----
-
-You can start and use Codex TUI to verify changes. 
-
-Important notes:
-
-Start interactively.
-Always set RUST_LOG="trace" when starting the process.
-Pass `-c log_dir=<some_temp_dir>` argument to have logs written to a specific directory to help with debugging.
-When sending a test message programmatically, send text first, then send Enter in a separate write (do not send text + Enter in one burst).
-Use `just codex` target to run - `just codex -c ...`

.devcontainer/Dockerfile

@@ -11,7 +11,7 @@ RUN apt-get update && \
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     build-essential curl git ca-certificates \
-    pkg-config libcap-dev clang musl-tools libssl-dev just && \
+    pkg-config clang musl-tools libssl-dev just && \
     rm -rf /var/lib/apt/lists/*
 
 # Ubuntu 24.04 ships with user 'ubuntu' already created with UID 1000.

.github/ISSUE_TEMPLATE/1-codex-app.yml

@@ -1,54 +0,0 @@
-name: 🖥️ Codex App Bug
-description: Report an issue with the Codex App
-labels:
-  - app
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Before submitting a new issue, please search for existing issues to see if your issue has already been reported.
-        If it has, please add a 👍 reaction (no need to leave a comment) to the existing issue instead of creating a new one.
-
-  - type: input
-    id: version
-    attributes:
-      label: What version of the Codex App are you using (From “About Codex” dialog)?
-    validations:
-      required: true
-  - type: input
-    id: plan
-    attributes:
-      label: What subscription do you have?
-    validations:
-      required: true
-  - type: input
-    id: platform
-    attributes:
-      label: What platform is your computer?
-      description: |
-        For macOS and Linux: copy the output of `uname -mprs`
-        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
-  - type: textarea
-    id: actual
-    attributes:
-      label: What issue are you seeing?
-      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot.
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it. Please include session id, token limit usage, context window usage if applicable.
-    validations:
-      required: true
-  - type: textarea
-    id: expected
-    attributes:
-      label: What is the expected behavior?
-      description: If possible, please provide text instead of a screenshot.
-  - type: textarea
-    id: notes
-    attributes:
-      label: Additional information
-      description: Is there anything else you think we should know?

.github/ISSUE_TEMPLATE/2-bug-report.yml

@@ -0,0 +1,66 @@
+name: 🪲 Bug Report
+description: Report an issue that should be fixed
+labels:
+  - bug
+  - needs triage
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for submitting a bug report! It helps make Codex better for everyone.
+
+        If you need help or support using Codex, and are not reporting a bug, please post on [codex/discussions](https://github.com/openai/codex/discussions), where you can ask questions or engage with others on ideas for how to improve codex.
+
+        Make sure you are running the [latest](https://npmjs.com/package/@openai/codex) version of Codex CLI. The bug you are experiencing may already have been fixed.
+
+        Please try to include as much information as possible.
+
+  - type: input
+    id: version
+    attributes:
+      label: What version of Codex is running?
+      description: Copy the output of `codex --version`
+    validations:
+      required: true
+  - type: input
+    id: plan
+    attributes:
+      label: What subscription do you have?
+    validations:
+      required: true
+  - type: input
+    id: model
+    attributes:
+      label: Which model were you using?
+      description: Like `gpt-4.1`, `o4-mini`, `o3`, etc.
+  - type: input
+    id: platform
+    attributes:
+      label: What platform is your computer?
+      description: |
+        For MacOS and Linux: copy the output of `uname -mprs`
+        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
+  - type: textarea
+    id: actual
+    attributes:
+      label: What issue are you seeing?
+      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot. 
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: What steps can reproduce the bug?
+      description: Explain the bug and provide a code snippet that can reproduce it. Please include session id, token limit usage, context window usage if applicable.
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: What is the expected behavior?
+      description: If possible, please provide text instead of a screenshot.
+  - type: textarea
+    id: notes
+    attributes:
+      label: Additional information
+      description: Is there anything else you think we should know?

.github/ISSUE_TEMPLATE/2-extension.yml

@@ -1,61 +0,0 @@
-name: 🧑‍💻 IDE Extension Bug
-description: Report an issue with the IDE extension
-labels:
-  - extension
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Before submitting a new issue, please search for existing issues to see if your issue has already been reported.
-        If it has, please add a 👍 reaction (no need to leave a comment) to the existing issue instead of creating a new one.
-
-  - type: input
-    id: version
-    attributes:
-      label: What version of the IDE extension are you using?
-    validations:
-      required: true
-  - type: input
-    id: plan
-    attributes:
-      label: What subscription do you have?
-    validations:
-      required: true
-  - type: input
-    id: ide
-    attributes:
-      label: Which IDE are you using?
-      description: Like `VS Code`, `Cursor`, `Windsurf`, etc.
-    validations:
-      required: true
-  - type: input
-    id: platform
-    attributes:
-      label: What platform is your computer?
-      description: |
-        For macOS and Linux: copy the output of `uname -mprs`
-        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
-  - type: textarea
-    id: actual
-    attributes:
-      label: What issue are you seeing?
-      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot.
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it.
-    validations:
-      required: true
-  - type: textarea
-    id: expected
-    attributes:
-      label: What is the expected behavior?
-      description: If possible, please provide text instead of a screenshot.
-  - type: textarea
-    id: notes
-    attributes:
-      label: Additional information
-      description: Is there anything else you think we should know?

.github/ISSUE_TEMPLATE/3-cli.yml

@@ -1,70 +0,0 @@
-name: 💻 CLI Bug
-description: Report an issue in the Codex CLI
-labels:
-  - bug
-  - needs triage
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Before submitting a new issue, please search for existing issues to see if your issue has already been reported.
-        If it has, please add a 👍 reaction (no need to leave a comment) to the existing issue instead of creating a new one.
-
-        Make sure you are running the [latest](https://npmjs.com/package/@openai/codex) version of Codex CLI. The bug you are experiencing may already have been fixed.
-
-  - type: input
-    id: version
-    attributes:
-      label: What version of Codex CLI is running?
-      description: use `codex --version`
-    validations:
-      required: true
-  - type: input
-    id: plan
-    attributes:
-      label: What subscription do you have?
-    validations:
-      required: true
-  - type: input
-    id: model
-    attributes:
-      label: Which model were you using?
-      description: Like `gpt-5.2`, `gpt-5.2-codex`, etc.
-  - type: input
-    id: platform
-    attributes:
-      label: What platform is your computer?
-      description: |
-        For macOS and Linux: copy the output of `uname -mprs`
-        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
-  - type: input
-    id: terminal
-    attributes:
-      label: What terminal emulator and version are you using (if applicable)?
-      description: Also note any multiplexer in use (screen / tmux / zellij)
-      description: |
-        E.g, VSCode, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
-  - type: textarea
-    id: actual
-    attributes:
-      label: What issue are you seeing?
-      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot.
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it. Please include thread id if applicable.
-    validations:
-      required: true
-  - type: textarea
-    id: expected
-    attributes:
-      label: What is the expected behavior?
-      description: If possible, please provide text instead of a screenshot.
-  - type: textarea
-    id: notes
-    attributes:
-      label: Additional information
-      description: Is there anything else you think we should know?

.github/ISSUE_TEMPLATE/4-bug-report.yml

@@ -1,37 +0,0 @@
-name: 🪲 Other Bug
-description: Report an issue in Codex Web, integrations, or other Codex components
-labels:
-  - bug
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Before submitting a new issue, please search for existing issues to see if your issue has already been reported.
-        If it has, please add a 👍 reaction (no need to leave a comment) to the existing issue instead of creating a new one.
-
-        If you need help or support using Codex and are not reporting a bug, please post on [codex/discussions](https://github.com/openai/codex/discussions), where you can ask questions or engage with others on ideas for how to improve codex.
-
-  - type: textarea
-    id: actual
-    attributes:
-      label: What issue are you seeing?
-      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot.
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it.
-    validations:
-      required: true
-  - type: textarea
-    id: expected
-    attributes:
-      label: What is the expected behavior?
-      description: If possible, please provide text instead of a screenshot.
-  - type: textarea
-    id: notes
-    attributes:
-      label: Additional information
-      description: Is there anything else you think we should know?

.github/ISSUE_TEMPLATE/4-feature-request.yml

@@ -0,0 +1,25 @@
+name: 🎁 Feature Request
+description: Propose a new feature for Codex
+labels:
+  - enhancement
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Is Codex missing a feature that you'd like to see? Feel free to propose it here.
+
+        Before you submit a feature:
+        1. Search existing issues for similar features. If you find one, 👍 it rather than opening a new one.
+        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex#contributing) for more details.
+
+  - type: textarea
+    id: feature
+    attributes:
+      label: What feature would you like to see?
+    validations:
+      required: true
+  - type: textarea
+    id: notes
+    attributes:
+      label: Additional information
+      description: Is there anything else you think we should know?

.github/ISSUE_TEMPLATE/5-feature-request.yml

@@ -1,32 +0,0 @@
-name: 🎁 Feature Request
-description: Propose a new feature for Codex
-labels:
-  - enhancement
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Is Codex missing a feature that you'd like to see? Feel free to propose it here.
-
-        Before you submit a feature:
-        1. Search existing issues for similar features. If you find one, 👍 it rather than opening a new one.
-        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex#contributing) for more details.
-
-  - type: input
-    id: variant
-    attributes:
-      label: What variant of Codex are you using?
-      description: (e.g., App, IDE Extension, CLI, Web)
-    validations:
-      required: true
-  - type: textarea
-    id: feature
-    attributes:
-      label: What feature would you like to see?
-    validations:
-      required: true
-  - type: textarea
-    id: notes
-    attributes:
-      label: Additional information
-      description: Is there anything else you think we should know?

.github/ISSUE_TEMPLATE/5-vs-code-extension.yml

@@ -0,0 +1,62 @@
+name: 🧑‍💻 VS Code Extension
+description: Report an issue with the VS Code extension
+labels:
+  - extension
+  - needs triage
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Before submitting a new issue, please search for existing issues to see if your issue has already been reported.
+        If it has, please add a 👍 reaction (no need to leave a comment) to the existing issue instead of creating a new one.
+
+  - type: input
+    id: version
+    attributes:
+      label: What version of the VS Code extension are you using?
+    validations:
+      required: true
+  - type: input
+    id: plan
+    attributes:
+      label: What subscription do you have?
+    validations:
+      required: true
+  - type: input
+    id: ide
+    attributes:
+      label: Which IDE are you using?
+      description: Like `VS Code`, `Cursor`, `Windsurf`, etc.
+    validations:
+      required: true
+  - type: input
+    id: platform
+    attributes:
+      label: What platform is your computer?
+      description: |
+        For MacOS and Linux: copy the output of `uname -mprs`
+        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
+  - type: textarea
+    id: actual
+    attributes:
+      label: What issue are you seeing?
+      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot. 
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: What steps can reproduce the bug?
+      description: Explain the bug and provide a code snippet that can reproduce it. Please include session id, token limit usage, context window usage if applicable.
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: What is the expected behavior?
+      description: If possible, please provide text instead of a screenshot.
+  - type: textarea
+    id: notes
+    attributes:
+      label: Additional information
+      description: Is there anything else you think we should know?

.github/actions/linux-code-sign/action.yml

@@ -17,7 +17,6 @@ runs:
     - name: Cosign Linux artifacts
       shell: bash
       env:
-        ARTIFACTS_DIR: ${{ inputs.artifacts-dir }}
         COSIGN_EXPERIMENTAL: "1"
         COSIGN_YES: "true"
         COSIGN_OIDC_CLIENT_ID: "sigstore"
@@ -25,7 +24,7 @@ runs:
       run: |
         set -euo pipefail
 
-        dest="$ARTIFACTS_DIR"
+        dest="${{ inputs.artifacts-dir }}"
         if [[ ! -d "$dest" ]]; then
           echo "Destination $dest does not exist"
           exit 1

.github/actions/macos-code-sign/action.yml

@@ -117,8 +117,6 @@ runs:
     - name: Sign macOS binaries
       if: ${{ inputs.sign-binaries == 'true' }}
       shell: bash
-      env:
-        TARGET: ${{ inputs.target }}
       run: |
         set -euo pipefail
 
@@ -132,18 +130,15 @@ runs:
           keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
         fi
 
-        entitlements_path="$GITHUB_ACTION_PATH/codex.entitlements.plist"
-
         for binary in codex codex-responses-api-proxy; do
-          path="codex-rs/target/${TARGET}/release/${binary}"
-          codesign --force --options runtime --timestamp --entitlements "$entitlements_path" --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
+          path="codex-rs/target/${{ inputs.target }}/release/${binary}"
+          codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
         done
 
     - name: Notarize macOS binaries
       if: ${{ inputs.sign-binaries == 'true' }}
       shell: bash
       env:
-        TARGET: ${{ inputs.target }}
         APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
         APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
         APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -168,7 +163,7 @@ runs:
 
         notarize_binary() {
           local binary="$1"
-          local source_path="codex-rs/target/${TARGET}/release/${binary}"
+          local source_path="codex-rs/target/${{ inputs.target }}/release/${binary}"
           local archive_path="${RUNNER_TEMP}/${binary}.zip"
 
           if [[ ! -f "$source_path" ]]; then
@@ -189,7 +184,6 @@ runs:
       if: ${{ inputs.sign-dmg == 'true' }}
       shell: bash
       env:
-        TARGET: ${{ inputs.target }}
         APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
         APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
         APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -212,8 +206,7 @@ runs:
 
         source "$GITHUB_ACTION_PATH/notary_helpers.sh"
 
-        dmg_name="codex-${TARGET}.dmg"
-        dmg_path="codex-rs/target/${TARGET}/release/${dmg_name}"
+        dmg_path="codex-rs/target/${{ inputs.target }}/release/codex-${{ inputs.target }}.dmg"
 
         if [[ ! -f "$dmg_path" ]]; then
           echo "dmg $dmg_path not found"
@@ -226,7 +219,7 @@ runs:
         fi
 
         codesign --force --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$dmg_path"
-        notarize_submission "$dmg_name" "$dmg_path" "$notary_key_path"
+        notarize_submission "codex-${{ inputs.target }}.dmg" "$dmg_path" "$notary_key_path"
         xcrun stapler staple "$dmg_path"
 
     - name: Remove signing keychain

.github/actions/macos-code-sign/codex.entitlements.plist

@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>com.apple.security.cs.allow-jit</key>
-	<true/>
-</dict>
-</plist>

.github/actions/setup-bazel-ci/action.yml

@@ -1,133 +0,0 @@
-name: setup-bazel-ci
-description: Prepare a Bazel CI runner with shared caches and optional test prerequisites.
-inputs:
-  target:
-    description: Target triple used for cache namespacing.
-    required: true
-  install-test-prereqs:
-    description: Install Node.js and DotSlash for Bazel-backed test jobs.
-    required: false
-    default: "false"
-outputs:
-  cache-hit:
-    description: Whether the Bazel repository cache key was restored exactly.
-    value: ${{ steps.cache_bazel_repository_restore.outputs.cache-hit }}
-
-runs:
-  using: composite
-  steps:
-    - name: Set up Node.js for js_repl tests
-      if: inputs.install-test-prereqs == 'true'
-      uses: actions/setup-node@v6
-      with:
-        node-version-file: codex-rs/node-version.txt
-
-    # Some integration tests rely on DotSlash being installed.
-    # See https://github.com/openai/codex/pull/7617.
-    - name: Install DotSlash
-      if: inputs.install-test-prereqs == 'true'
-      uses: facebook/install-dotslash@v2
-
-    - name: Make DotSlash available in PATH (Unix)
-      if: inputs.install-test-prereqs == 'true' && runner.os != 'Windows'
-      shell: bash
-      run: cp "$(which dotslash)" /usr/local/bin
-
-    - name: Make DotSlash available in PATH (Windows)
-      if: inputs.install-test-prereqs == 'true' && runner.os == 'Windows'
-      shell: pwsh
-      run: Copy-Item (Get-Command dotslash).Source -Destination "$env:LOCALAPPDATA\Microsoft\WindowsApps\dotslash.exe"
-
-    - name: Set up Bazel
-      uses: bazelbuild/setup-bazelisk@v3
-
-    # Restore bazel repository cache so we don't have to redownload all the external dependencies
-    # on every CI run.
-    - name: Restore bazel repository cache
-      id: cache_bazel_repository_restore
-      uses: actions/cache/restore@v5
-      with:
-        path: |
-          ~/.cache/bazel-repo-cache
-        key: bazel-cache-${{ inputs.target }}-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}
-        restore-keys: |
-          bazel-cache-${{ inputs.target }}
-
-    - name: Configure Bazel output root (Windows)
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: |
-        # Use the shortest available drive to reduce argv/path length issues,
-        # but avoid the drive root because some Windows test launchers mis-handle
-        # MANIFEST paths there.
-        $hasDDrive = Test-Path 'D:\'
-        $bazelOutputUserRoot = if ($hasDDrive) { 'D:\b' } else { 'C:\b' }
-        $repoContentsCache = Join-Path $env:RUNNER_TEMP "bazel-repo-contents-cache-$env:GITHUB_RUN_ID-$env:GITHUB_JOB"
-        "BAZEL_OUTPUT_USER_ROOT=$bazelOutputUserRoot" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-        "BAZEL_REPO_CONTENTS_CACHE=$repoContentsCache" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-        if (-not $hasDDrive) {
-          $repositoryCache = Join-Path $env:USERPROFILE '.cache\bazel-repo-cache'
-          "BAZEL_REPOSITORY_CACHE=$repositoryCache" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-        }
-
-    - name: Expose MSVC SDK environment (Windows)
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: |
-        # Bazel exec-side Rust build scripts do not reliably inherit the MSVC developer
-        # shell on GitHub-hosted Windows runners, so discover the latest VS install and
-        # ask `VsDevCmd.bat` to materialize the x64/x64 compiler + SDK environment.
-        $vswhere = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
-        if (-not (Test-Path $vswhere)) {
-          throw "vswhere.exe not found"
-        }
-
-        $installPath = & $vswhere -latest -products * -requires Microsoft.VisualStudio.Component.VC.Tools.x86.x64 -property installationPath 2>$null
-        if (-not $installPath) {
-          throw "Could not locate a Visual Studio installation with VC tools"
-        }
-
-        $vsDevCmd = Join-Path $installPath 'Common7\Tools\VsDevCmd.bat'
-        if (-not (Test-Path $vsDevCmd)) {
-          throw "VsDevCmd.bat not found at $vsDevCmd"
-        }
-
-        # Keep the export surface explicit: these are the paths and SDK roots that the
-        # MSVC toolchain probes need later when Bazel runs Windows exec-platform build
-        # scripts such as `aws-lc-sys`.
-        $varsToExport = @(
-          'INCLUDE',
-          'LIB',
-          'LIBPATH',
-          'PATH',
-          'UCRTVersion',
-          'UniversalCRTSdkDir',
-          'VCINSTALLDIR',
-          'VCToolsInstallDir',
-          'WindowsLibPath',
-          'WindowsSdkBinPath',
-          'WindowsSdkDir',
-          'WindowsSDKLibVersion',
-          'WindowsSDKVersion'
-        )
-
-        # `VsDevCmd.bat` is a batch file, so invoke it under `cmd.exe`, suppress its
-        # banner, then dump the resulting environment with `set`. Re-export only the
-        # approved keys into `GITHUB_ENV` so later steps inherit the same MSVC context.
-        $envLines = & cmd.exe /c ('"{0}" -no_logo -arch=x64 -host_arch=x64 >nul && set' -f $vsDevCmd)
-        foreach ($line in $envLines) {
-          if ($line -notmatch '^(.*?)=(.*)$') {
-            continue
-          }
-
-          $name = $matches[1]
-          $value = $matches[2]
-          if ($varsToExport -contains $name) {
-            "$name=$value" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-          }
-        }
-
-    - name: Enable Git long paths (Windows)
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: git config --global core.longpaths true

.github/blob-size-allowlist.txt

@@ -1,9 +0,0 @@
-# Paths are matched exactly, relative to the repository root.
-# Keep this list short and limited to intentional large checked-in assets.
-
-.github/codex-cli-splash.png
-MODULE.bazel.lock
-codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
-codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
-codex-rs/tui/tests/fixtures/oss-story.jsonl
-codex-rs/tui_app_server/tests/fixtures/oss-story.jsonl

.github/codex/labels/codex-rust-review.md

@@ -15,10 +15,10 @@ Things to look out for when doing the review:
 
 ## Code Organization
 
-- Each crate in the Cargo workspace in `codex-rs` has a specific purpose: make a note if you believe new code is not introduced in the correct crate.
+- Each create in the Cargo workspace in `codex-rs` has a specific purpose: make a note if you believe new code is not introduced in the correct crate.
 - When possible, try to keep the `core` crate as small as possible. Non-core but shared logic is often a good candidate for `codex-rs/common`.
 - Be wary of large files and offer suggestions for how to break things into more reasonably-sized files.
-- Rust files should generally be organized such that the public parts of the API appear near the top of the file and helper functions go below. This is analogous to the "inverted pyramid" structure that is favored in journalism.
+- Rust files should generally be organized such that the public parts of the API appear near the top of the file and helper functions go below. This is analagous to the "inverted pyramid" structure that is favored in journalism.
 
 ## Assertions in Tests
 

.github/dotslash-argument-comment-lint-config.json

@@ -1,24 +0,0 @@
-{
-  "outputs": {
-    "argument-comment-lint": {
-      "platforms": {
-        "macos-aarch64": {
-          "regex": "^argument-comment-lint-aarch64-apple-darwin\\.tar\\.gz$",
-          "path": "argument-comment-lint/bin/argument-comment-lint"
-        },
-        "linux-x86_64": {
-          "regex": "^argument-comment-lint-x86_64-unknown-linux-gnu\\.tar\\.gz$",
-          "path": "argument-comment-lint/bin/argument-comment-lint"
-        },
-        "linux-aarch64": {
-          "regex": "^argument-comment-lint-aarch64-unknown-linux-gnu\\.tar\\.gz$",
-          "path": "argument-comment-lint/bin/argument-comment-lint"
-        },
-        "windows-x86_64": {
-          "regex": "^argument-comment-lint-x86_64-pc-windows-msvc\\.zip$",
-          "path": "argument-comment-lint/bin/argument-comment-lint.exe"
-        }
-      }
-    }
-  }
-}

.github/dotslash-zsh-config.json

@@ -1,23 +0,0 @@
-{
-  "outputs": {
-    "codex-zsh": {
-      "platforms": {
-        "macos-aarch64": {
-          "name": "codex-zsh-aarch64-apple-darwin.tar.gz",
-          "format": "tar.gz",
-          "path": "codex-zsh/bin/zsh"
-        },
-        "linux-x86_64": {
-          "name": "codex-zsh-x86_64-unknown-linux-musl.tar.gz",
-          "format": "tar.gz",
-          "path": "codex-zsh/bin/zsh"
-        },
-        "linux-aarch64": {
-          "name": "codex-zsh-aarch64-unknown-linux-musl.tar.gz",
-          "format": "tar.gz",
-          "path": "codex-zsh/bin/zsh"
-        }
-      }
-    }
-  }
-}

.github/prompts/issue-deduplicator.txt

@@ -0,0 +1,18 @@
+You are an assistant that triages new GitHub issues by identifying potential duplicates.
+
+You will receive the following JSON files located in the current working directory:
+- `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
+- `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
+
+Instructions:
+- Load both files as JSON and review their contents carefully. The codex-existing-issues.json file is large, ensure you explore all of it.
+- Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
+- Only consider an issue a potential duplicate if there is a clear overlap in symptoms, feature requests, reproduction steps, or error messages.
+- Prioritize newer issues when similarity is comparable.
+- Ignore pull requests and issues whose similarity is tenuous.
+- When unsure, prefer returning fewer matches.
+
+Output requirements:
+- Respond with a JSON array of issue numbers (integers), ordered from most likely duplicate to least.
+- Include at most five numbers.
+- If you find no plausible duplicates, respond with `[]`.

.github/prompts/issue-labeler.txt

@@ -0,0 +1,26 @@
+You are an assistant that reviews GitHub issues for the repository.
+
+Your job is to choose the most appropriate existing labels for the issue described later in this prompt.
+Follow these rules:
+- Only pick labels out of the list below.
+- Prefer a small set of precise labels over many broad ones.
+- If none of the labels fit, respond with an empty JSON array: []
+- Output must be a JSON array of label names (strings) with no additional commentary.
+
+Labels to apply:
+1. bug — Reproducible defects in Codex products (CLI, VS Code extension, web, auth).
+2. enhancement — Feature requests or usability improvements that ask for new capabilities, better ergonomics, or quality-of-life tweaks.
+3. extension — VS Code (or other IDE) extension-specific issues.
+4. windows-os — Bugs or friction specific to Windows environments (PowerShell behavior, path handling, copy/paste, OS-specific auth or tooling failures).
+5. mcp — Topics involving Model Context Protocol servers/clients.
+6. codex-web — Issues targeting the Codex web UI/Cloud experience.
+8. azure — Problems or requests tied to Azure OpenAI deployments.
+9. documentation — Updates or corrections needed in docs/README/config references (broken links, missing examples, outdated keys, clarification requests).
+10. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
+
+Issue information is available in environment variables:
+
+ISSUE_NUMBER
+ISSUE_TITLE
+ISSUE_BODY
+REPO_FULL_NAME

.github/scripts/build-zsh-release-artifact.sh

@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-if [[ "$#" -ne 1 ]]; then
-  echo "usage: $0 <archive-path>" >&2
-  exit 1
-fi
-
-archive_path="$1"
-workspace="${GITHUB_WORKSPACE:?missing GITHUB_WORKSPACE}"
-zsh_commit="${ZSH_COMMIT:?missing ZSH_COMMIT}"
-zsh_patch="${ZSH_PATCH:?missing ZSH_PATCH}"
-temp_root="${RUNNER_TEMP:-/tmp}"
-work_root="$(mktemp -d "${temp_root%/}/codex-zsh-release.XXXXXX")"
-trap 'rm -rf "$work_root"' EXIT
-
-source_root="${work_root}/zsh"
-package_root="${work_root}/codex-zsh"
-wrapper_path="${work_root}/exec-wrapper"
-stdout_path="${work_root}/stdout.txt"
-wrapper_log_path="${work_root}/wrapper.log"
-
-git clone https://git.code.sf.net/p/zsh/code "$source_root"
-cd "$source_root"
-git checkout "$zsh_commit"
-git apply "${workspace}/${zsh_patch}"
-./Util/preconfig
-./configure
-
-cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
-make -j"${cores}"
-
-cat > "$wrapper_path" <<'EOF'
-#!/usr/bin/env bash
-set -euo pipefail
-: "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
-printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
-file="$1"
-shift
-if [[ "$#" -eq 0 ]]; then
-  exec "$file"
-fi
-arg0="$1"
-shift
-exec -a "$arg0" "$file" "$@"
-EOF
-chmod +x "$wrapper_path"
-
-CODEX_WRAPPER_LOG="$wrapper_log_path" \
-EXEC_WRAPPER="$wrapper_path" \
-"${source_root}/Src/zsh" -fc '/bin/echo smoke-zsh' > "$stdout_path"
-
-grep -Fx "smoke-zsh" "$stdout_path"
-grep -Fx "/bin/echo" "$wrapper_log_path"
-
-mkdir -p "$package_root/bin" "$(dirname "${workspace}/${archive_path}")"
-cp "${source_root}/Src/zsh" "$package_root/bin/zsh"
-chmod +x "$package_root/bin/zsh"
-
-(cd "$work_root" && tar -czf "${workspace}/${archive_path}" codex-zsh)

.github/scripts/install-musl-build-tools.sh

@@ -1,279 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-: "${TARGET:?TARGET environment variable is required}"
-: "${GITHUB_ENV:?GITHUB_ENV environment variable is required}"
-
-apt_update_args=()
-if [[ -n "${APT_UPDATE_ARGS:-}" ]]; then
-  # shellcheck disable=SC2206
-  apt_update_args=(${APT_UPDATE_ARGS})
-fi
-
-apt_install_args=()
-if [[ -n "${APT_INSTALL_ARGS:-}" ]]; then
-  # shellcheck disable=SC2206
-  apt_install_args=(${APT_INSTALL_ARGS})
-fi
-
-sudo apt-get update "${apt_update_args[@]}"
-sudo apt-get install -y "${apt_install_args[@]}" ca-certificates curl musl-tools pkg-config libcap-dev g++ clang libc++-dev libc++abi-dev lld xz-utils
-
-case "${TARGET}" in
-  x86_64-unknown-linux-musl)
-    arch="x86_64"
-    ;;
-  aarch64-unknown-linux-musl)
-    arch="aarch64"
-    ;;
-  *)
-    echo "Unexpected musl target: ${TARGET}" >&2
-    exit 1
-    ;;
-esac
-
-libcap_version="2.75"
-libcap_sha256="de4e7e064c9ba451d5234dd46e897d7c71c96a9ebf9a0c445bc04f4742d83632"
-libcap_tarball_name="libcap-${libcap_version}.tar.xz"
-libcap_download_url="https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/${libcap_tarball_name}"
-
-# Use the musl toolchain as the Rust linker to avoid Zig injecting its own CRT.
-if command -v "${arch}-linux-musl-gcc" >/dev/null; then
-  musl_linker="$(command -v "${arch}-linux-musl-gcc")"
-elif command -v musl-gcc >/dev/null; then
-  musl_linker="$(command -v musl-gcc)"
-else
-  echo "musl gcc not found after install; arch=${arch}" >&2
-  exit 1
-fi
-
-zig_target="${TARGET/-unknown-linux-musl/-linux-musl}"
-runner_temp="${RUNNER_TEMP:-/tmp}"
-tool_root="${runner_temp}/codex-musl-tools-${TARGET}"
-mkdir -p "${tool_root}"
-
-libcap_root="${tool_root}/libcap-${libcap_version}"
-libcap_src_root="${libcap_root}/src"
-libcap_prefix="${libcap_root}/prefix"
-libcap_pkgconfig_dir="${libcap_prefix}/lib/pkgconfig"
-
-if [[ ! -f "${libcap_prefix}/lib/libcap.a" ]]; then
-  mkdir -p "${libcap_src_root}" "${libcap_prefix}/lib" "${libcap_prefix}/include/sys" "${libcap_prefix}/include/linux" "${libcap_pkgconfig_dir}"
-  libcap_tarball="${libcap_root}/${libcap_tarball_name}"
-
-  curl -fsSL "${libcap_download_url}" -o "${libcap_tarball}"
-  echo "${libcap_sha256}  ${libcap_tarball}" | sha256sum -c -
-
-  tar -xJf "${libcap_tarball}" -C "${libcap_src_root}"
-  libcap_source_dir="${libcap_src_root}/libcap-${libcap_version}"
-  make -C "${libcap_source_dir}/libcap" -j"$(nproc)" \
-    CC="${musl_linker}" \
-    AR=ar \
-    RANLIB=ranlib
-
-  cp "${libcap_source_dir}/libcap/libcap.a" "${libcap_prefix}/lib/libcap.a"
-  cp "${libcap_source_dir}/libcap/include/uapi/linux/capability.h" "${libcap_prefix}/include/linux/capability.h"
-  cp "${libcap_source_dir}/libcap/../libcap/include/sys/capability.h" "${libcap_prefix}/include/sys/capability.h"
-
-  cat > "${libcap_pkgconfig_dir}/libcap.pc" <<EOF
-prefix=${libcap_prefix}
-exec_prefix=\${prefix}
-libdir=\${prefix}/lib
-includedir=\${prefix}/include
-
-Name: libcap
-Description: Linux capabilities
-Version: ${libcap_version}
-Libs: -L\${libdir} -lcap
-Cflags: -I\${includedir}
-EOF
-fi
-
-sysroot=""
-if command -v zig >/dev/null; then
-  zig_bin="$(command -v zig)"
-  cc="${tool_root}/zigcc"
-  cxx="${tool_root}/zigcxx"
-
-  cat >"${cc}" <<EOF
-#!/usr/bin/env bash
-set -euo pipefail
-
-args=()
-skip_next=0
-pending_include=0
-for arg in "\$@"; do
-  if [[ "\${pending_include}" -eq 1 ]]; then
-    pending_include=0
-    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
-      # Keep host-only headers available, but after the target sysroot headers.
-      args+=("-idirafter" "\${arg}")
-    else
-      args+=("-I" "\${arg}")
-    fi
-    continue
-  fi
-
-  if [[ "\${skip_next}" -eq 1 ]]; then
-    skip_next=0
-    continue
-  fi
-  case "\${arg}" in
-    --target)
-      skip_next=1
-      continue
-      ;;
-    --target=*|-target=*|-target)
-      # Drop any explicit --target/-target flags. Zig expects -target and
-      # rejects Rust triples like *-unknown-linux-musl.
-      if [[ "\${arg}" == "-target" ]]; then
-        skip_next=1
-      fi
-      continue
-      ;;
-    -I)
-      pending_include=1
-      continue
-      ;;
-    -I/usr/include|-I/usr/include/*)
-      # Avoid making glibc headers win over musl headers.
-      args+=("-idirafter" "\${arg#-I}")
-      continue
-      ;;
-    -Wp,-U_FORTIFY_SOURCE)
-      # aws-lc-sys emits this GCC preprocessor forwarding form in debug
-      # builds, but zig cc expects the define flag directly.
-      args+=("-U_FORTIFY_SOURCE")
-      continue
-      ;;
-  esac
-  args+=("\${arg}")
-done
-
-exec "${zig_bin}" cc -target "${zig_target}" "\${args[@]}"
-EOF
-  cat >"${cxx}" <<EOF
-#!/usr/bin/env bash
-set -euo pipefail
-
-args=()
-skip_next=0
-pending_include=0
-for arg in "\$@"; do
-  if [[ "\${pending_include}" -eq 1 ]]; then
-    pending_include=0
-    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
-      # Keep host-only headers available, but after the target sysroot headers.
-      args+=("-idirafter" "\${arg}")
-    else
-      args+=("-I" "\${arg}")
-    fi
-    continue
-  fi
-
-  if [[ "\${skip_next}" -eq 1 ]]; then
-    skip_next=0
-    continue
-  fi
-  case "\${arg}" in
-    --target)
-      # Drop explicit --target and its value: we always pass zig's -target below.
-      skip_next=1
-      continue
-      ;;
-    --target=*|-target=*|-target)
-      # Zig expects -target and rejects Rust triples like *-unknown-linux-musl.
-      if [[ "\${arg}" == "-target" ]]; then
-        skip_next=1
-      fi
-      continue
-      ;;
-    -I)
-      pending_include=1
-      continue
-      ;;
-    -I/usr/include|-I/usr/include/*)
-      # Avoid making glibc headers win over musl headers.
-      args+=("-idirafter" "\${arg#-I}")
-      continue
-      ;;
-    -Wp,-U_FORTIFY_SOURCE)
-      # aws-lc-sys emits this GCC forwarding form in debug builds; zig c++
-      # expects the define flag directly.
-      args+=("-U_FORTIFY_SOURCE")
-      continue
-      ;;
-  esac
-  args+=("\${arg}")
-done
-
-exec "${zig_bin}" c++ -target "${zig_target}" "\${args[@]}"
-EOF
-  chmod +x "${cc}" "${cxx}"
-
-  sysroot="$("${zig_bin}" cc -target "${zig_target}" -print-sysroot 2>/dev/null || true)"
-else
-  cc="${musl_linker}"
-
-  if command -v "${arch}-linux-musl-g++" >/dev/null; then
-    cxx="$(command -v "${arch}-linux-musl-g++")"
-  elif command -v musl-g++ >/dev/null; then
-    cxx="$(command -v musl-g++)"
-  else
-    cxx="${cc}"
-  fi
-fi
-
-if [[ -n "${sysroot}" && "${sysroot}" != "/" ]]; then
-  echo "BORING_BSSL_SYSROOT=${sysroot}" >> "$GITHUB_ENV"
-  boring_sysroot_var="BORING_BSSL_SYSROOT_${TARGET}"
-  boring_sysroot_var="${boring_sysroot_var//-/_}"
-  echo "${boring_sysroot_var}=${sysroot}" >> "$GITHUB_ENV"
-fi
-
-cflags="-pthread"
-cxxflags="-pthread"
-if [[ "${TARGET}" == "aarch64-unknown-linux-musl" ]]; then
-  # BoringSSL enables -Wframe-larger-than=25344 under clang and treats warnings as errors.
-  cflags="${cflags} -Wno-error=frame-larger-than"
-  cxxflags="${cxxflags} -Wno-error=frame-larger-than"
-fi
-
-echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
-echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
-echo "CC=${cc}" >> "$GITHUB_ENV"
-echo "TARGET_CC=${cc}" >> "$GITHUB_ENV"
-target_cc_var="CC_${TARGET}"
-target_cc_var="${target_cc_var//-/_}"
-echo "${target_cc_var}=${cc}" >> "$GITHUB_ENV"
-echo "CXX=${cxx}" >> "$GITHUB_ENV"
-echo "TARGET_CXX=${cxx}" >> "$GITHUB_ENV"
-target_cxx_var="CXX_${TARGET}"
-target_cxx_var="${target_cxx_var//-/_}"
-echo "${target_cxx_var}=${cxx}" >> "$GITHUB_ENV"
-
-cargo_linker_var="CARGO_TARGET_${TARGET^^}_LINKER"
-cargo_linker_var="${cargo_linker_var//-/_}"
-echo "${cargo_linker_var}=${musl_linker}" >> "$GITHUB_ENV"
-
-echo "CMAKE_C_COMPILER=${cc}" >> "$GITHUB_ENV"
-echo "CMAKE_CXX_COMPILER=${cxx}" >> "$GITHUB_ENV"
-echo "CMAKE_ARGS=-DCMAKE_HAVE_THREADS_LIBRARY=1 -DCMAKE_USE_PTHREADS_INIT=1 -DCMAKE_THREAD_LIBS_INIT=-pthread -DTHREADS_PREFER_PTHREAD_FLAG=ON" >> "$GITHUB_ENV"
-
-# Allow pkg-config resolution during cross-compilation.
-echo "PKG_CONFIG_ALLOW_CROSS=1" >> "$GITHUB_ENV"
-pkg_config_path="${libcap_pkgconfig_dir}"
-if [[ -n "${PKG_CONFIG_PATH:-}" ]]; then
-  pkg_config_path="${pkg_config_path}:${PKG_CONFIG_PATH}"
-fi
-echo "PKG_CONFIG_PATH=${pkg_config_path}" >> "$GITHUB_ENV"
-pkg_config_path_var="PKG_CONFIG_PATH_${TARGET}"
-pkg_config_path_var="${pkg_config_path_var//-/_}"
-echo "${pkg_config_path_var}=${libcap_pkgconfig_dir}" >> "$GITHUB_ENV"
-
-if [[ -n "${sysroot}" && "${sysroot}" != "/" ]]; then
-  echo "PKG_CONFIG_SYSROOT_DIR=${sysroot}" >> "$GITHUB_ENV"
-  pkg_config_sysroot_var="PKG_CONFIG_SYSROOT_DIR_${TARGET}"
-  pkg_config_sysroot_var="${pkg_config_sysroot_var//-/_}"
-  echo "${pkg_config_sysroot_var}=${sysroot}" >> "$GITHUB_ENV"
-fi

.github/scripts/run-argument-comment-lint-bazel.sh

@@ -1,115 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-ci_config=ci-linux
-case "${RUNNER_OS:-}" in
-  macOS)
-    ci_config=ci-macos
-    ;;
-  Windows)
-    ci_config=ci-windows
-    ;;
-esac
-
-bazel_lint_args=("$@")
-if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-  has_host_platform_override=0
-  for arg in "${bazel_lint_args[@]}"; do
-    if [[ "$arg" == --host_platform=* ]]; then
-      has_host_platform_override=1
-      break
-    fi
-  done
-
-  if [[ $has_host_platform_override -eq 0 ]]; then
-    # The nightly Windows lint toolchain is registered with an MSVC exec
-    # platform even though the lint target platform stays on `windows-gnullvm`.
-    # Override the host platform here so the exec-side helper binaries actually
-    # match the registered toolchain set.
-    bazel_lint_args+=("--host_platform=//:local_windows_msvc")
-  fi
-
-  # Native Windows lint runs need exec-side Rust helper binaries and proc-macros
-  # to use rust-lld instead of the C++ linker path. The default `none`
-  # preference resolves to `cc` when a cc_toolchain is present, which currently
-  # routes these exec actions through clang++ with an argument shape it cannot
-  # consume.
-  bazel_lint_args+=("--@rules_rust//rust/settings:toolchain_linker_preference=rust")
-
-  # Some Rust top-level targets are still intentionally incompatible with the
-  # local Windows MSVC exec platform. Skip those explicit targets so the native
-  # lint aspect can run across the compatible crate graph instead of failing the
-  # whole build after analysis.
-  bazel_lint_args+=("--skip_incompatible_explicit_targets")
-fi
-
-bazel_startup_args=()
-if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
-  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
-fi
-
-run_bazel() {
-  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
-    return
-  fi
-
-  bazel "$@"
-}
-
-run_bazel_with_startup_args() {
-  if [[ ${#bazel_startup_args[@]} -gt 0 ]]; then
-    run_bazel "${bazel_startup_args[@]}" "$@"
-    return
-  fi
-
-  run_bazel "$@"
-}
-
-read_query_labels() {
-  local query="$1"
-  local query_stdout
-  local query_stderr
-  query_stdout="$(mktemp)"
-  query_stderr="$(mktemp)"
-
-  if ! run_bazel_with_startup_args \
-    --noexperimental_remote_repo_contents_cache \
-    query \
-    --keep_going \
-    --output=label \
-    "$query" >"$query_stdout" 2>"$query_stderr"; then
-    cat "$query_stderr" >&2
-    rm -f "$query_stdout" "$query_stderr"
-    exit 1
-  fi
-
-  cat "$query_stdout"
-  rm -f "$query_stdout" "$query_stderr"
-}
-
-final_build_targets=(//codex-rs/...)
-if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-  # Bazel's local Windows platform currently lacks a default test toolchain for
-  # `rust_test`, so target the concrete Rust crate rules directly. The lint
-  # aspect still walks their crate graph, which preserves incremental reuse for
-  # non-test code while avoiding non-Rust wrapper targets such as platform_data.
-  final_build_targets=()
-  while IFS= read -r label; do
-    [[ -n "$label" ]] || continue
-    final_build_targets+=("$label")
-  done < <(read_query_labels 'kind("rust_(library|binary|proc_macro) rule", //codex-rs/...)')
-
-  if [[ ${#final_build_targets[@]} -eq 0 ]]; then
-    echo "Failed to discover Windows Bazel lint targets." >&2
-    exit 1
-  fi
-fi
-
-./.github/scripts/run-bazel-ci.sh \
-  -- \
-  build \
-  "${bazel_lint_args[@]}" \
-  -- \
-  "${final_build_targets[@]}"

.github/scripts/run-bazel-ci.sh

@@ -1,252 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-print_failed_bazel_test_logs=0
-use_node_test_env=0
-remote_download_toplevel=0
-
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --print-failed-test-logs)
-      print_failed_bazel_test_logs=1
-      shift
-      ;;
-    --use-node-test-env)
-      use_node_test_env=1
-      shift
-      ;;
-    --remote-download-toplevel)
-      remote_download_toplevel=1
-      shift
-      ;;
-    --)
-      shift
-      break
-      ;;
-    *)
-      echo "Unknown option: $1" >&2
-      exit 1
-      ;;
-  esac
-done
-
-if [[ $# -eq 0 ]]; then
-  echo "Usage: $0 [--print-failed-test-logs] [--use-node-test-env] [--remote-download-toplevel] -- <bazel args> -- <targets>" >&2
-  exit 1
-fi
-
-bazel_startup_args=()
-if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
-  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
-fi
-
-run_bazel() {
-  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
-    return
-  fi
-
-  bazel "$@"
-}
-
-ci_config=ci-linux
-case "${RUNNER_OS:-}" in
-  macOS)
-    ci_config=ci-macos
-    ;;
-  Windows)
-    ci_config=ci-windows
-    ;;
-esac
-
-print_bazel_test_log_tails() {
-  local console_log="$1"
-  local testlogs_dir
-  local -a bazel_info_cmd=(bazel)
-
-  if (( ${#bazel_startup_args[@]} > 0 )); then
-    bazel_info_cmd+=("${bazel_startup_args[@]}")
-  fi
-
-  testlogs_dir="$(run_bazel "${bazel_info_cmd[@]:1}" info bazel-testlogs 2>/dev/null || echo bazel-testlogs)"
-
-  local failed_targets=()
-  while IFS= read -r target; do
-    failed_targets+=("$target")
-  done < <(
-    grep -E '^FAIL: //' "$console_log" \
-      | sed -E 's#^FAIL: (//[^ ]+).*#\1#' \
-      | sort -u
-  )
-
-  if [[ ${#failed_targets[@]} -eq 0 ]]; then
-    echo "No failed Bazel test targets were found in console output."
-    return
-  fi
-
-  for target in "${failed_targets[@]}"; do
-    local rel_path="${target#//}"
-    rel_path="${rel_path/:/\/}"
-    local test_log="${testlogs_dir}/${rel_path}/test.log"
-
-    echo "::group::Bazel test log tail for ${target}"
-    if [[ -f "$test_log" ]]; then
-      tail -n 200 "$test_log"
-    else
-      echo "Missing test log: $test_log"
-    fi
-    echo "::endgroup::"
-  done
-}
-
-bazel_args=()
-bazel_targets=()
-found_target_separator=0
-for arg in "$@"; do
-  if [[ "$arg" == "--" && $found_target_separator -eq 0 ]]; then
-    found_target_separator=1
-    continue
-  fi
-
-  if [[ $found_target_separator -eq 0 ]]; then
-    bazel_args+=("$arg")
-  else
-    bazel_targets+=("$arg")
-  fi
-done
-
-if [[ ${#bazel_args[@]} -eq 0 || ${#bazel_targets[@]} -eq 0 ]]; then
-  echo "Expected Bazel args and targets separated by --" >&2
-  exit 1
-fi
-
-if [[ $use_node_test_env -eq 1 && "${RUNNER_OS:-}" != "Windows" ]]; then
-  # Bazel test sandboxes on macOS may resolve an older Homebrew `node`
-  # before the `actions/setup-node` runtime on PATH.
-  node_bin="$(which node)"
-  bazel_args+=("--test_env=CODEX_JS_REPL_NODE_PATH=${node_bin}")
-fi
-
-post_config_bazel_args=()
-if [[ $remote_download_toplevel -eq 1 ]]; then
-  # Override the CI config's remote_download_minimal setting when callers need
-  # the built artifact to exist on disk after the command completes.
-  post_config_bazel_args+=(--remote_download_toplevel)
-fi
-
-if [[ -n "${BAZEL_REPO_CONTENTS_CACHE:-}" ]]; then
-  # Windows self-hosted runners can run multiple Bazel jobs concurrently. Give
-  # each job its own repo contents cache so they do not fight over the shared
-  # path configured in `ci-windows`.
-  post_config_bazel_args+=("--repo_contents_cache=${BAZEL_REPO_CONTENTS_CACHE}")
-fi
-
-if [[ -n "${BAZEL_REPOSITORY_CACHE:-}" ]]; then
-  post_config_bazel_args+=("--repository_cache=${BAZEL_REPOSITORY_CACHE}")
-fi
-
-if [[ -n "${CODEX_BAZEL_EXECUTION_LOG_COMPACT_DIR:-}" ]]; then
-  post_config_bazel_args+=(
-    "--execution_log_compact_file=${CODEX_BAZEL_EXECUTION_LOG_COMPACT_DIR}/execution-log-${bazel_args[0]}-${GITHUB_JOB:-local}-$$.zst"
-  )
-fi
-
-if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-  windows_action_env_vars=(
-    INCLUDE
-    LIB
-    LIBPATH
-    PATH
-    UCRTVersion
-    UniversalCRTSdkDir
-    VCINSTALLDIR
-    VCToolsInstallDir
-    WindowsLibPath
-    WindowsSdkBinPath
-    WindowsSdkDir
-    WindowsSDKLibVersion
-    WindowsSDKVersion
-  )
-
-  for env_var in "${windows_action_env_vars[@]}"; do
-    if [[ -n "${!env_var:-}" ]]; then
-      post_config_bazel_args+=("--action_env=${env_var}" "--host_action_env=${env_var}")
-    fi
-  done
-fi
-
-bazel_console_log="$(mktemp)"
-trap 'rm -f "$bazel_console_log"' EXIT
-
-bazel_cmd=(bazel)
-if (( ${#bazel_startup_args[@]} > 0 )); then
-  bazel_cmd+=("${bazel_startup_args[@]}")
-fi
-
-if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
-  echo "BuildBuddy API key is available; using remote Bazel configuration."
-  # Work around Bazel 9 remote repo contents cache / overlay materialization failures
-  # seen in CI (for example "is not a symlink" or permission errors while
-  # materializing external repos such as rules_perl). We still use BuildBuddy for
-  # remote execution/cache; this only disables the startup-level repo contents cache.
-  bazel_run_args=(
-    "${bazel_args[@]}"
-    "--config=${ci_config}"
-    "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
-  )
-  if (( ${#post_config_bazel_args[@]} > 0 )); then
-    bazel_run_args+=("${post_config_bazel_args[@]}")
-  fi
-  set +e
-  run_bazel "${bazel_cmd[@]:1}" \
-    --noexperimental_remote_repo_contents_cache \
-    "${bazel_run_args[@]}" \
-    -- \
-    "${bazel_targets[@]}" \
-    2>&1 | tee "$bazel_console_log"
-  bazel_status=${PIPESTATUS[0]}
-  set -e
-else
-  echo "BuildBuddy API key is not available; using local Bazel configuration."
-  # Keep fork/community PRs on Bazel but disable remote services that are
-  # configured in .bazelrc and require auth.
-  #
-  # Flag docs:
-  # - Command-line reference: https://bazel.build/reference/command-line-reference
-  # - Remote caching overview: https://bazel.build/remote/caching
-  # - Remote execution overview: https://bazel.build/remote/rbe
-  # - Build Event Protocol overview: https://bazel.build/remote/bep
-  #
-  # --noexperimental_remote_repo_contents_cache:
-  #   disable remote repo contents cache enabled in .bazelrc startup options.
-  #   https://bazel.build/reference/command-line-reference#startup_options-flag--experimental_remote_repo_contents_cache
-  # --remote_cache= and --remote_executor=:
-  #   clear remote cache/execution endpoints configured in .bazelrc.
-  #   https://bazel.build/reference/command-line-reference#common_options-flag--remote_cache
-  #   https://bazel.build/reference/command-line-reference#common_options-flag--remote_executor
-  bazel_run_args=(
-    "${bazel_args[@]}"
-    --remote_cache=
-    --remote_executor=
-  )
-  if (( ${#post_config_bazel_args[@]} > 0 )); then
-    bazel_run_args+=("${post_config_bazel_args[@]}")
-  fi
-  set +e
-  run_bazel "${bazel_cmd[@]:1}" \
-    --noexperimental_remote_repo_contents_cache \
-    "${bazel_run_args[@]}" \
-    -- \
-    "${bazel_targets[@]}" \
-    2>&1 | tee "$bazel_console_log"
-  bazel_status=${PIPESTATUS[0]}
-  set -e
-fi
-
-if [[ ${bazel_status:-0} -ne 0 ]]; then
-  if [[ $print_failed_bazel_test_logs -eq 1 ]]; then
-    print_bazel_test_log_tails "$bazel_console_log"
-  fi
-  exit "$bazel_status"
-fi

.github/scripts/rusty_v8_bazel.py

@@ -1,287 +0,0 @@
-#!/usr/bin/env python3
-
-from __future__ import annotations
-
-import argparse
-import gzip
-import re
-import shutil
-import subprocess
-import sys
-import tempfile
-import tomllib
-from pathlib import Path
-
-
-ROOT = Path(__file__).resolve().parents[2]
-MUSL_RUNTIME_ARCHIVE_LABELS = [
-    "@llvm//runtimes/libcxx:libcxx.static",
-    "@llvm//runtimes/libcxx:libcxxabi.static",
-]
-LLVM_AR_LABEL = "@llvm//tools:llvm-ar"
-LLVM_RANLIB_LABEL = "@llvm//tools:llvm-ranlib"
-
-
-def bazel_execroot() -> Path:
-    result = subprocess.run(
-        ["bazel", "info", "execution_root"],
-        cwd=ROOT,
-        check=True,
-        capture_output=True,
-        text=True,
-    )
-    return Path(result.stdout.strip())
-
-
-def bazel_output_base() -> Path:
-    result = subprocess.run(
-        ["bazel", "info", "output_base"],
-        cwd=ROOT,
-        check=True,
-        capture_output=True,
-        text=True,
-    )
-    return Path(result.stdout.strip())
-
-
-def bazel_output_path(path: str) -> Path:
-    if path.startswith("external/"):
-        return bazel_output_base() / path
-    return bazel_execroot() / path
-
-
-def bazel_output_files(
-    platform: str,
-    labels: list[str],
-    compilation_mode: str = "fastbuild",
-) -> list[Path]:
-    expression = "set(" + " ".join(labels) + ")"
-    result = subprocess.run(
-        [
-            "bazel",
-            "cquery",
-            "-c",
-            compilation_mode,
-            f"--platforms=@llvm//platforms:{platform}",
-            "--output=files",
-            expression,
-        ],
-        cwd=ROOT,
-        check=True,
-        capture_output=True,
-        text=True,
-    )
-    return [bazel_output_path(line.strip()) for line in result.stdout.splitlines() if line.strip()]
-
-
-def bazel_build(
-    platform: str,
-    labels: list[str],
-    compilation_mode: str = "fastbuild",
-) -> None:
-    subprocess.run(
-        [
-            "bazel",
-            "build",
-            "-c",
-            compilation_mode,
-            f"--platforms=@llvm//platforms:{platform}",
-            *labels,
-        ],
-        cwd=ROOT,
-        check=True,
-    )
-
-
-def ensure_bazel_output_files(
-    platform: str,
-    labels: list[str],
-    compilation_mode: str = "fastbuild",
-) -> list[Path]:
-    outputs = bazel_output_files(platform, labels, compilation_mode)
-    if all(path.exists() for path in outputs):
-        return outputs
-
-    bazel_build(platform, labels, compilation_mode)
-    outputs = bazel_output_files(platform, labels, compilation_mode)
-    missing = [str(path) for path in outputs if not path.exists()]
-    if missing:
-        raise SystemExit(f"missing built outputs for {labels}: {missing}")
-    return outputs
-
-
-def release_pair_label(target: str) -> str:
-    target_suffix = target.replace("-", "_")
-    return f"//third_party/v8:rusty_v8_release_pair_{target_suffix}"
-
-
-def resolved_v8_crate_version() -> str:
-    cargo_lock = tomllib.loads((ROOT / "codex-rs" / "Cargo.lock").read_text())
-    versions = sorted(
-        {
-            package["version"]
-            for package in cargo_lock["package"]
-            if package["name"] == "v8"
-        }
-    )
-    if len(versions) == 1:
-        return versions[0]
-    if len(versions) > 1:
-        raise SystemExit(f"expected exactly one resolved v8 version, found: {versions}")
-
-    module_bazel = (ROOT / "MODULE.bazel").read_text()
-    matches = sorted(
-        set(
-            re.findall(
-                r'https://static\.crates\.io/crates/v8/v8-([0-9]+\.[0-9]+\.[0-9]+)\.crate',
-                module_bazel,
-            )
-        )
-    )
-    if len(matches) != 1:
-        raise SystemExit(
-            "expected exactly one pinned v8 crate version in MODULE.bazel, "
-            f"found: {matches}"
-        )
-    return matches[0]
-
-
-def staged_archive_name(target: str, source_path: Path) -> str:
-    if source_path.suffix == ".lib":
-        return f"rusty_v8_release_{target}.lib.gz"
-    return f"librusty_v8_release_{target}.a.gz"
-
-
-def is_musl_archive_target(target: str, source_path: Path) -> bool:
-    return target.endswith("-unknown-linux-musl") and source_path.suffix == ".a"
-
-
-def single_bazel_output_file(
-    platform: str,
-    label: str,
-    compilation_mode: str = "fastbuild",
-) -> Path:
-    outputs = ensure_bazel_output_files(platform, [label], compilation_mode)
-    if len(outputs) != 1:
-        raise SystemExit(f"expected exactly one output for {label}, found {outputs}")
-    return outputs[0]
-
-
-def merged_musl_archive(
-    platform: str,
-    lib_path: Path,
-    compilation_mode: str = "fastbuild",
-) -> Path:
-    llvm_ar = single_bazel_output_file(platform, LLVM_AR_LABEL, compilation_mode)
-    llvm_ranlib = single_bazel_output_file(platform, LLVM_RANLIB_LABEL, compilation_mode)
-    runtime_archives = [
-        single_bazel_output_file(platform, label, compilation_mode)
-        for label in MUSL_RUNTIME_ARCHIVE_LABELS
-    ]
-
-    temp_dir = Path(tempfile.mkdtemp(prefix="rusty-v8-musl-stage-"))
-    merged_archive = temp_dir / lib_path.name
-    merge_commands = "\n".join(
-        [
-            f"create {merged_archive}",
-            f"addlib {lib_path}",
-            *[f"addlib {archive}" for archive in runtime_archives],
-            "save",
-            "end",
-        ]
-    )
-    subprocess.run(
-        [str(llvm_ar), "-M"],
-        cwd=ROOT,
-        check=True,
-        input=merge_commands,
-        text=True,
-    )
-    subprocess.run([str(llvm_ranlib), str(merged_archive)], cwd=ROOT, check=True)
-    return merged_archive
-
-
-def stage_release_pair(
-    platform: str,
-    target: str,
-    output_dir: Path,
-    compilation_mode: str = "fastbuild",
-) -> None:
-    outputs = ensure_bazel_output_files(
-        platform,
-        [release_pair_label(target)],
-        compilation_mode,
-    )
-
-    try:
-        lib_path = next(path for path in outputs if path.suffix in {".a", ".lib"})
-    except StopIteration as exc:
-        raise SystemExit(f"missing static library output for {target}") from exc
-
-    try:
-        binding_path = next(path for path in outputs if path.suffix == ".rs")
-    except StopIteration as exc:
-        raise SystemExit(f"missing Rust binding output for {target}") from exc
-
-    output_dir.mkdir(parents=True, exist_ok=True)
-    staged_library = output_dir / staged_archive_name(target, lib_path)
-    staged_binding = output_dir / f"src_binding_release_{target}.rs"
-    source_archive = (
-        merged_musl_archive(platform, lib_path, compilation_mode)
-        if is_musl_archive_target(target, lib_path)
-        else lib_path
-    )
-
-    with source_archive.open("rb") as src, staged_library.open("wb") as dst:
-        with gzip.GzipFile(
-            filename="",
-            mode="wb",
-            fileobj=dst,
-            compresslevel=6,
-            mtime=0,
-        ) as gz:
-            shutil.copyfileobj(src, gz)
-
-    shutil.copyfile(binding_path, staged_binding)
-
-    print(staged_library)
-    print(staged_binding)
-
-
-def parse_args() -> argparse.Namespace:
-    parser = argparse.ArgumentParser()
-    subparsers = parser.add_subparsers(dest="command", required=True)
-
-    stage_release_pair_parser = subparsers.add_parser("stage-release-pair")
-    stage_release_pair_parser.add_argument("--platform", required=True)
-    stage_release_pair_parser.add_argument("--target", required=True)
-    stage_release_pair_parser.add_argument("--output-dir", required=True)
-    stage_release_pair_parser.add_argument(
-        "--compilation-mode",
-        default="fastbuild",
-        choices=["fastbuild", "opt", "dbg"],
-    )
-
-    subparsers.add_parser("resolved-v8-crate-version")
-
-    return parser.parse_args()
-
-
-def main() -> int:
-    args = parse_args()
-    if args.command == "stage-release-pair":
-        stage_release_pair(
-            platform=args.platform,
-            target=args.target,
-            output_dir=Path(args.output_dir),
-            compilation_mode=args.compilation_mode,
-        )
-        return 0
-    if args.command == "resolved-v8-crate-version":
-        print(resolved_v8_crate_version())
-        return 0
-    raise SystemExit(f"unsupported command: {args.command}")
-
-
-if __name__ == "__main__":
-    sys.exit(main())

.github/scripts/verify_bazel_clippy_lints.py

@@ -1,234 +0,0 @@
-#!/usr/bin/env python3
-
-from __future__ import annotations
-
-import argparse
-import re
-import sys
-import tomllib
-from pathlib import Path
-
-
-ROOT = Path(__file__).resolve().parents[2]
-DEFAULT_CARGO_TOML = ROOT / "codex-rs" / "Cargo.toml"
-DEFAULT_BAZELRC = ROOT / ".bazelrc"
-BAZEL_CLIPPY_FLAG_PREFIX = "build:clippy --@rules_rust//rust/settings:clippy_flag="
-BAZEL_SPECIAL_FLAGS = {"-Dwarnings"}
-VALID_LEVELS = {"allow", "warn", "deny", "forbid"}
-LONG_FLAG_RE = re.compile(
-    r"^--(?P<level>allow|warn|deny|forbid)=clippy::(?P<lint>[a-z0-9_]+)$"
-)
-SHORT_FLAG_RE = re.compile(r"^-(?P<level>[AWDF])clippy::(?P<lint>[a-z0-9_]+)$")
-SHORT_LEVEL_NAMES = {
-    "A": "allow",
-    "W": "warn",
-    "D": "deny",
-    "F": "forbid",
-}
-
-
-def main() -> int:
-    parser = argparse.ArgumentParser(
-        description=(
-            "Verify that Bazel clippy flags in .bazelrc stay in sync with "
-            "codex-rs/Cargo.toml [workspace.lints.clippy]."
-        )
-    )
-    parser.add_argument(
-        "--cargo-toml",
-        type=Path,
-        default=DEFAULT_CARGO_TOML,
-        help="Path to the workspace Cargo.toml to inspect.",
-    )
-    parser.add_argument(
-        "--bazelrc",
-        type=Path,
-        default=DEFAULT_BAZELRC,
-        help="Path to the .bazelrc file to inspect.",
-    )
-    args = parser.parse_args()
-
-    cargo_toml = args.cargo_toml.resolve()
-    bazelrc = args.bazelrc.resolve()
-
-    cargo_lints = load_workspace_clippy_lints(cargo_toml)
-    bazel_lints = load_bazel_clippy_lints(bazelrc)
-
-    missing = sorted(cargo_lints.keys() - bazel_lints.keys())
-    extra = sorted(bazel_lints.keys() - cargo_lints.keys())
-    mismatched = sorted(
-        lint
-        for lint in cargo_lints.keys() & bazel_lints.keys()
-        if cargo_lints[lint] != bazel_lints[lint]
-    )
-
-    if missing or extra or mismatched:
-        print_sync_error(
-            cargo_toml=cargo_toml,
-            bazelrc=bazelrc,
-            cargo_lints=cargo_lints,
-            bazel_lints=bazel_lints,
-            missing=missing,
-            extra=extra,
-            mismatched=mismatched,
-        )
-        return 1
-
-    print(
-        "Bazel clippy flags in "
-        f"{display_path(bazelrc)} match "
-        f"{display_path(cargo_toml)} [workspace.lints.clippy]."
-    )
-    return 0
-
-
-def load_workspace_clippy_lints(cargo_toml: Path) -> dict[str, str]:
-    workspace = tomllib.loads(cargo_toml.read_text())["workspace"]
-    clippy_lints = workspace["lints"]["clippy"]
-    parsed: dict[str, str] = {}
-    for lint, level in clippy_lints.items():
-        if not isinstance(level, str):
-            raise SystemExit(
-                f"expected string lint level for clippy::{lint} in {cargo_toml}, got {level!r}"
-            )
-        normalized = level.strip().lower()
-        if normalized not in VALID_LEVELS:
-            raise SystemExit(
-                f"unsupported lint level {level!r} for clippy::{lint} in {cargo_toml}"
-            )
-        parsed[lint] = normalized
-    return parsed
-
-
-def load_bazel_clippy_lints(bazelrc: Path) -> dict[str, str]:
-    parsed: dict[str, str] = {}
-    line_numbers: dict[str, int] = {}
-
-    for lineno, line in enumerate(bazelrc.read_text().splitlines(), start=1):
-        if not line.startswith(BAZEL_CLIPPY_FLAG_PREFIX):
-            continue
-
-        flag = line.removeprefix(BAZEL_CLIPPY_FLAG_PREFIX).strip()
-        if flag in BAZEL_SPECIAL_FLAGS:
-            continue
-
-        parsed_flag = parse_bazel_lint_flag(flag)
-        if parsed_flag is None:
-            continue
-
-        lint, level = parsed_flag
-        if lint in parsed:
-            raise SystemExit(
-                f"duplicate Bazel clippy entry for clippy::{lint} at "
-                f"{bazelrc}:{line_numbers[lint]} and {bazelrc}:{lineno}"
-            )
-        parsed[lint] = level
-        line_numbers[lint] = lineno
-
-    return parsed
-
-
-def parse_bazel_lint_flag(flag: str) -> tuple[str, str] | None:
-    long_match = LONG_FLAG_RE.match(flag)
-    if long_match:
-        return long_match["lint"], long_match["level"]
-
-    short_match = SHORT_FLAG_RE.match(flag)
-    if short_match:
-        return short_match["lint"], SHORT_LEVEL_NAMES[short_match["level"]]
-
-    return None
-
-
-def print_sync_error(
-    *,
-    cargo_toml: Path,
-    bazelrc: Path,
-    cargo_lints: dict[str, str],
-    bazel_lints: dict[str, str],
-    missing: list[str],
-    extra: list[str],
-    mismatched: list[str],
-) -> None:
-    cargo_toml_display = display_path(cargo_toml)
-    bazelrc_display = display_path(bazelrc)
-    example_manifest = find_workspace_lints_example_manifest()
-
-    print(
-        "ERROR: Bazel clippy flags are out of sync with Cargo workspace clippy lints.",
-        file=sys.stderr,
-    )
-    print(file=sys.stderr)
-    print(
-        f"Cargo defines the source of truth in {cargo_toml_display} "
-        "[workspace.lints.clippy].",
-        file=sys.stderr,
-    )
-    if example_manifest is not None:
-        print(
-            "Cargo applies those lint levels to member crates that opt into "
-            f"`[lints] workspace = true`, for example {example_manifest}.",
-            file=sys.stderr,
-        )
-    print(
-        "Bazel clippy does not ingest Cargo lint levels automatically, and "
-        "`clippy.toml` can configure lint behavior but cannot set allow/warn/deny/forbid.",
-        file=sys.stderr,
-    )
-    print(
-        f"Update {bazelrc_display} so its `build:clippy` "
-        "`clippy_flag` entries match Cargo.",
-        file=sys.stderr,
-    )
-
-    if missing:
-        print(file=sys.stderr)
-        print("Missing Bazel entries:", file=sys.stderr)
-        for lint in missing:
-            print(f"  {render_bazelrc_line(lint, cargo_lints[lint])}", file=sys.stderr)
-
-    if mismatched:
-        print(file=sys.stderr)
-        print("Mismatched lint levels:", file=sys.stderr)
-        for lint in mismatched:
-            cargo_level = cargo_lints[lint]
-            bazel_level = bazel_lints[lint]
-            print(
-                f"  clippy::{lint}: Cargo has {cargo_level}, Bazel has {bazel_level}",
-                file=sys.stderr,
-            )
-            print(
-                f"    expected: {render_bazelrc_line(lint, cargo_level)}",
-                file=sys.stderr,
-            )
-
-    if extra:
-        print(file=sys.stderr)
-        print("Extra Bazel entries with no Cargo counterpart:", file=sys.stderr)
-        for lint in extra:
-            print(f"  {render_bazelrc_line(lint, bazel_lints[lint])}", file=sys.stderr)
-
-
-def render_bazelrc_line(lint: str, level: str) -> str:
-    return f"{BAZEL_CLIPPY_FLAG_PREFIX}--{level}=clippy::{lint}"
-
-
-def display_path(path: Path) -> str:
-    try:
-        return str(path.relative_to(ROOT))
-    except ValueError:
-        return str(path)
-
-
-def find_workspace_lints_example_manifest() -> str | None:
-    for cargo_toml in sorted((ROOT / "codex-rs").glob("**/Cargo.toml")):
-        if cargo_toml == DEFAULT_CARGO_TOML:
-            continue
-        data = tomllib.loads(cargo_toml.read_text())
-        if data.get("lints", {}).get("workspace") is True:
-            return str(cargo_toml.relative_to(ROOT))
-    return None
-
-
-if __name__ == "__main__":
-    sys.exit(main())

.github/scripts/verify_cargo_workspace_manifests.py

@@ -1,388 +0,0 @@
-#!/usr/bin/env python3
-
-"""Verify that codex-rs Cargo manifests follow workspace manifest policy.
-
-Checks:
-- Crates inherit `[workspace.package]` metadata.
-- Crates opt into `[lints] workspace = true`.
-- Crate names follow the codex-rs directory naming conventions.
-- Workspace manifests do not introduce workspace crate feature toggles.
-"""
-
-from __future__ import annotations
-
-import sys
-import tomllib
-from pathlib import Path
-
-
-ROOT = Path(__file__).resolve().parents[2]
-CARGO_RS_ROOT = ROOT / "codex-rs"
-WORKSPACE_PACKAGE_FIELDS = ("version", "edition", "license")
-TOP_LEVEL_NAME_EXCEPTIONS = {
-    "windows-sandbox-rs": "codex-windows-sandbox",
-}
-UTILITY_NAME_EXCEPTIONS = {
-    "path-utils": "codex-utils-path",
-}
-MANIFEST_FEATURE_EXCEPTIONS = {}
-OPTIONAL_DEPENDENCY_EXCEPTIONS = set()
-INTERNAL_DEPENDENCY_FEATURE_EXCEPTIONS = {}
-
-
-def main() -> int:
-    internal_package_names = workspace_package_names()
-    used_manifest_feature_exceptions: set[str] = set()
-    used_optional_dependency_exceptions: set[tuple[str, str, str]] = set()
-    used_internal_dependency_feature_exceptions: set[tuple[str, str, str]] = set()
-    failures_by_path: dict[str, list[str]] = {}
-
-    for path in manifests_to_verify():
-        if errors := manifest_errors(
-            path,
-            internal_package_names,
-            used_manifest_feature_exceptions,
-            used_optional_dependency_exceptions,
-            used_internal_dependency_feature_exceptions,
-        ):
-            failures_by_path[manifest_key(path)] = errors
-
-    add_unused_exception_errors(
-        failures_by_path,
-        used_manifest_feature_exceptions,
-        used_optional_dependency_exceptions,
-        used_internal_dependency_feature_exceptions,
-    )
-
-    if not failures_by_path:
-        return 0
-
-    print(
-        "Cargo manifests under codex-rs must inherit workspace package metadata, "
-        "opt into workspace lints, and avoid introducing new workspace crate "
-        "features."
-    )
-    print(
-        "Workspace crate features are disallowed because our Bazel build setup "
-        "does not honor them today, which can let issues hidden behind feature "
-        "gates go unnoticed, and because they add extra crate build "
-        "permutations we want to avoid."
-    )
-    print(
-        "Cargo only applies `codex-rs/Cargo.toml` `[workspace.lints.clippy]` "
-        "entries to a crate when that crate declares:"
-    )
-    print()
-    print("[lints]")
-    print("workspace = true")
-    print()
-    print(
-        "Without that opt-in, `cargo clippy` can miss violations that Bazel clippy "
-        "catches."
-    )
-    print()
-    print(
-        "Package-name checks apply to `codex-rs/<crate>/Cargo.toml` and "
-        "`codex-rs/utils/<crate>/Cargo.toml`."
-    )
-    print(
-        "Workspace crate features are forbidden; add a targeted exception here "
-        "only if there is a deliberate temporary migration in flight."
-    )
-    print()
-    for path in sorted(failures_by_path):
-        errors = failures_by_path[path]
-        print(f"{path}:")
-        for error in errors:
-            print(f"  - {error}")
-
-    return 1
-
-
-def manifest_errors(
-    path: Path,
-    internal_package_names: set[str],
-    used_manifest_feature_exceptions: set[str],
-    used_optional_dependency_exceptions: set[tuple[str, str, str]],
-    used_internal_dependency_feature_exceptions: set[tuple[str, str, str]],
-) -> list[str]:
-    manifest = load_manifest(path)
-    package = manifest.get("package")
-    if not isinstance(package, dict) and path != CARGO_RS_ROOT / "Cargo.toml":
-        return []
-
-    errors = []
-    if isinstance(package, dict):
-        for field in WORKSPACE_PACKAGE_FIELDS:
-            if not is_workspace_reference(package.get(field)):
-                errors.append(f"set `{field}.workspace = true` in `[package]`")
-
-        lints = manifest.get("lints")
-        if not (isinstance(lints, dict) and lints.get("workspace") is True):
-            errors.append("add `[lints]` with `workspace = true`")
-
-        expected_name = expected_package_name(path)
-        if expected_name is not None:
-            actual_name = package.get("name")
-            if actual_name != expected_name:
-                errors.append(
-                    f"set `[package].name` to `{expected_name}` (found `{actual_name}`)"
-                )
-
-    path_key = manifest_key(path)
-    features = manifest.get("features")
-    if features is not None:
-        normalized_features = normalize_feature_mapping(features)
-        expected_features = MANIFEST_FEATURE_EXCEPTIONS.get(path_key)
-        if expected_features is None:
-            errors.append(
-                "remove `[features]`; new workspace crate features are not allowed"
-            )
-        else:
-            used_manifest_feature_exceptions.add(path_key)
-            if normalized_features != expected_features:
-                errors.append(
-                    "limit `[features]` to the existing exception list while "
-                    "workspace crate features are being removed "
-                    f"(expected {render_feature_mapping(expected_features)})"
-                )
-
-    for section_name, dependencies in dependency_sections(manifest):
-        for dependency_name, dependency in dependencies.items():
-            if not isinstance(dependency, dict):
-                continue
-
-            if dependency.get("optional") is True:
-                exception_key = (path_key, section_name, dependency_name)
-                if exception_key in OPTIONAL_DEPENDENCY_EXCEPTIONS:
-                    used_optional_dependency_exceptions.add(exception_key)
-                else:
-                    errors.append(
-                        "remove `optional = true` from "
-                        f"`{dependency_entry_label(section_name, dependency_name)}`; "
-                        "new optional dependencies are not allowed because they "
-                        "create crate features"
-                    )
-
-            if not is_internal_dependency(path, dependency_name, dependency, internal_package_names):
-                continue
-
-            dependency_features = dependency.get("features")
-            if dependency_features is not None:
-                normalized_dependency_features = normalize_string_list(
-                    dependency_features
-                )
-                exception_key = (path_key, section_name, dependency_name)
-                expected_dependency_features = (
-                    INTERNAL_DEPENDENCY_FEATURE_EXCEPTIONS.get(exception_key)
-                )
-                if expected_dependency_features is None:
-                    errors.append(
-                        "remove `features = [...]` from workspace dependency "
-                        f"`{dependency_entry_label(section_name, dependency_name)}`; "
-                        "new workspace crate feature activations are not allowed"
-                    )
-                else:
-                    used_internal_dependency_feature_exceptions.add(exception_key)
-                    if normalized_dependency_features != expected_dependency_features:
-                        errors.append(
-                            "limit workspace dependency features on "
-                            f"`{dependency_entry_label(section_name, dependency_name)}` "
-                            "to the existing exception list while workspace crate "
-                            "features are being removed "
-                            f"(expected {render_string_list(expected_dependency_features)})"
-                        )
-
-            if dependency.get("default-features") is False:
-                errors.append(
-                    "remove `default-features = false` from workspace dependency "
-                    f"`{dependency_entry_label(section_name, dependency_name)}`; "
-                    "new workspace crate feature toggles are not allowed"
-                )
-
-    return errors
-
-
-def expected_package_name(path: Path) -> str | None:
-    parts = path.relative_to(CARGO_RS_ROOT).parts
-    if len(parts) == 2 and parts[1] == "Cargo.toml":
-        directory = parts[0]
-        return TOP_LEVEL_NAME_EXCEPTIONS.get(
-            directory,
-            directory if directory.startswith("codex-") else f"codex-{directory}",
-        )
-    if len(parts) == 3 and parts[0] == "utils" and parts[2] == "Cargo.toml":
-        directory = parts[1]
-        return UTILITY_NAME_EXCEPTIONS.get(directory, f"codex-utils-{directory}")
-    return None
-
-
-def is_workspace_reference(value: object) -> bool:
-    return isinstance(value, dict) and value.get("workspace") is True
-
-
-def manifest_key(path: Path) -> str:
-    return str(path.relative_to(ROOT))
-
-
-def normalize_feature_mapping(value: object) -> dict[str, tuple[str, ...]] | None:
-    if not isinstance(value, dict):
-        return None
-
-    normalized = {}
-    for key, features in value.items():
-        if not isinstance(key, str):
-            return None
-        normalized_features = normalize_string_list(features)
-        if normalized_features is None:
-            return None
-        normalized[key] = normalized_features
-    return normalized
-
-
-def normalize_string_list(value: object) -> tuple[str, ...] | None:
-    if not isinstance(value, list) or not all(isinstance(item, str) for item in value):
-        return None
-    return tuple(value)
-
-
-def render_feature_mapping(features: dict[str, tuple[str, ...]]) -> str:
-    entries = [
-        f"{name} = {render_string_list(items)}" for name, items in features.items()
-    ]
-    return ", ".join(entries)
-
-
-def render_string_list(items: tuple[str, ...]) -> str:
-    return "[" + ", ".join(f'"{item}"' for item in items) + "]"
-
-
-def dependency_sections(manifest: dict) -> list[tuple[str, dict]]:
-    sections = []
-    for section_name in ("dependencies", "dev-dependencies", "build-dependencies"):
-        dependencies = manifest.get(section_name)
-        if isinstance(dependencies, dict):
-            sections.append((section_name, dependencies))
-
-    workspace = manifest.get("workspace")
-    if isinstance(workspace, dict):
-        workspace_dependencies = workspace.get("dependencies")
-        if isinstance(workspace_dependencies, dict):
-            sections.append(("workspace.dependencies", workspace_dependencies))
-
-    target = manifest.get("target")
-    if not isinstance(target, dict):
-        return sections
-
-    for target_name, tables in target.items():
-        if not isinstance(tables, dict):
-            continue
-        for section_name in ("dependencies", "dev-dependencies", "build-dependencies"):
-            dependencies = tables.get(section_name)
-            if isinstance(dependencies, dict):
-                sections.append((f"target.{target_name}.{section_name}", dependencies))
-
-    return sections
-
-
-def dependency_entry_label(section_name: str, dependency_name: str) -> str:
-    return f"[{section_name}].{dependency_name}"
-
-
-def is_internal_dependency(
-    manifest_path: Path,
-    dependency_name: str,
-    dependency: dict,
-    internal_package_names: set[str],
-) -> bool:
-    package_name = dependency.get("package", dependency_name)
-    if isinstance(package_name, str) and package_name in internal_package_names:
-        return True
-
-    dependency_path = dependency.get("path")
-    if not isinstance(dependency_path, str):
-        return False
-
-    resolved_dependency_path = (manifest_path.parent / dependency_path).resolve()
-    try:
-        resolved_dependency_path.relative_to(CARGO_RS_ROOT)
-    except ValueError:
-        return False
-    return True
-
-
-def add_unused_exception_errors(
-    failures_by_path: dict[str, list[str]],
-    used_manifest_feature_exceptions: set[str],
-    used_optional_dependency_exceptions: set[tuple[str, str, str]],
-    used_internal_dependency_feature_exceptions: set[tuple[str, str, str]],
-) -> None:
-    for path_key in sorted(
-        set(MANIFEST_FEATURE_EXCEPTIONS) - used_manifest_feature_exceptions
-    ):
-        add_failure(
-            failures_by_path,
-            path_key,
-            "remove the stale `[features]` exception from "
-            "`MANIFEST_FEATURE_EXCEPTIONS`",
-        )
-
-    for path_key, section_name, dependency_name in sorted(
-        OPTIONAL_DEPENDENCY_EXCEPTIONS - used_optional_dependency_exceptions
-    ):
-        add_failure(
-            failures_by_path,
-            path_key,
-            "remove the stale optional-dependency exception for "
-            f"`{dependency_entry_label(section_name, dependency_name)}` from "
-            "`OPTIONAL_DEPENDENCY_EXCEPTIONS`",
-        )
-
-    for path_key, section_name, dependency_name in sorted(
-        set(INTERNAL_DEPENDENCY_FEATURE_EXCEPTIONS)
-        - used_internal_dependency_feature_exceptions
-    ):
-        add_failure(
-            failures_by_path,
-            path_key,
-            "remove the stale internal dependency feature exception for "
-            f"`{dependency_entry_label(section_name, dependency_name)}` from "
-            "`INTERNAL_DEPENDENCY_FEATURE_EXCEPTIONS`",
-        )
-
-
-def add_failure(failures_by_path: dict[str, list[str]], path_key: str, error: str) -> None:
-    failures_by_path.setdefault(path_key, []).append(error)
-
-
-def workspace_package_names() -> set[str]:
-    package_names = set()
-    for path in cargo_manifests():
-        manifest = load_manifest(path)
-        package = manifest.get("package")
-        if not isinstance(package, dict):
-            continue
-        package_name = package.get("name")
-        if isinstance(package_name, str):
-            package_names.add(package_name)
-    return package_names
-
-
-def load_manifest(path: Path) -> dict:
-    return tomllib.loads(path.read_text())
-
-
-def cargo_manifests() -> list[Path]:
-    return sorted(
-        path
-        for path in CARGO_RS_ROOT.rglob("Cargo.toml")
-        if path != CARGO_RS_ROOT / "Cargo.toml"
-    )
-
-
-def manifests_to_verify() -> list[Path]:
-    return [CARGO_RS_ROOT / "Cargo.toml", *cargo_manifests()]
-
-
-if __name__ == "__main__":
-    sys.exit(main())

.github/workflows/Dockerfile.bazel

@@ -1,36 +0,0 @@
-FROM ubuntu:24.04
-
-# TODO(mbolin): Published to docker.io/mbolin491/codex-bazel:latest for
-# initial debugging, but we should publish to a more proper location.
-#
-# docker buildx create --use
-# docker buildx build --platform linux/amd64,linux/arm64 -f .github/workflows/Dockerfile.bazel -t mbolin491/codex-bazel:latest --push .
-
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-    curl git python3 ca-certificates xz-utils && \
-    rm -rf /var/lib/apt/lists/*
-
-COPY codex-rs/node-version.txt /tmp/node-version.txt
-
-RUN set -eux; \
-    node_arch="$(dpkg --print-architecture)"; \
-    case "${node_arch}" in \
-      amd64) node_dist_arch="x64" ;; \
-      arm64) node_dist_arch="arm64" ;; \
-      *) echo "unsupported architecture: ${node_arch}"; exit 1 ;; \
-    esac; \
-    node_version="$(tr -d '[:space:]' </tmp/node-version.txt)"; \
-    curl -fsSLO "https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-${node_dist_arch}.tar.xz"; \
-    tar -xJf "node-v${node_version}-linux-${node_dist_arch}.tar.xz" -C /usr/local --strip-components=1; \
-    rm "node-v${node_version}-linux-${node_dist_arch}.tar.xz" /tmp/node-version.txt; \
-    node --version; \
-    npm --version
-
-# Install dotslash.
-RUN curl -LSfs "https://github.com/facebook/dotslash/releases/download/v0.5.8/dotslash-ubuntu-22.04.$(uname -m).tar.gz" | tar fxz - -C /usr/local/bin
-
-# Ubuntu 24.04 ships with user 'ubuntu' already created with UID 1000.
-USER ubuntu
-
-WORKDIR /workspace

.github/workflows/README.md

@@ -1,33 +0,0 @@
-# Workflow Strategy
-
-The workflows in this directory are split so that pull requests get fast, review-friendly signal while `main` still gets the full cross-platform verification pass.
-
-## Pull Requests
-
-- `bazel.yml` is the main pre-merge verification path for Rust code.
-  It runs Bazel `test` and Bazel `clippy` on the supported Bazel targets.
-- `rust-ci.yml` keeps the Cargo-native PR checks intentionally small:
-  - `cargo fmt --check`
-  - `cargo shear`
-  - `argument-comment-lint` on Linux, macOS, and Windows
-  - `tools/argument-comment-lint` package tests when the lint or its workflow wiring changes
-
-The PR workflow still keeps the Linux lint lane on the default-targets-only invocation for now, but the released linter runs on Linux, macOS, and Windows before merge.
-
-## Post-Merge On `main`
-
-- `bazel.yml` also runs on pushes to `main`.
-  This re-verifies the merged Bazel path and helps keep the BuildBuddy caches warm.
-- `rust-ci-full.yml` is the full Cargo-native verification workflow.
-  It keeps the heavier checks off the PR path while still validating them after merge:
-  - the full Cargo `clippy` matrix
-  - the full Cargo `nextest` matrix
-  - release-profile Cargo builds
-  - cross-platform `argument-comment-lint`
-  - Linux remote-env tests
-
-## Rule Of Thumb
-
-- If a build/test/clippy check can be expressed in Bazel, prefer putting the PR-time version in `bazel.yml`.
-- Keep `rust-ci.yml` fast enough that it usually does not dominate PR latency.
-- Reserve `rust-ci-full.yml` for heavyweight Cargo-native coverage that Bazel does not replace yet.

.github/workflows/bazel.yml

@@ -1,185 +0,0 @@
-name: Bazel
-
-# Note this workflow was originally derived from:
-# https://github.com/cerisier/toolchains_llvm_bootstrapped/blob/main/.github/workflows/ci.yaml
-
-on:
-  pull_request: {}
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-concurrency:
-  # Cancel previous actions from the same PR or branch except 'main' branch.
-  # See https://docs.github.com/en/actions/using-jobs/using-concurrency and https://docs.github.com/en/actions/learn-github-actions/contexts for more info.
-  group: concurrency-group::${{ github.workflow }}::${{ github.event.pull_request.number > 0 && format('pr-{0}', github.event.pull_request.number) || github.ref_name }}${{ github.ref_name == 'main' && format('::{0}', github.run_id) || ''}}
-  cancel-in-progress: ${{ github.ref_name != 'main' }}
-jobs:
-  test:
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # macOS
-          - os: macos-15-xlarge
-            target: aarch64-apple-darwin
-          - os: macos-15-xlarge
-            target: x86_64-apple-darwin
-
-          # Linux
-          - os: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-          - os: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-          # 2026-02-27 Bazel tests have been flaky on arm in CI.
-          # Disable until we can investigate and stabilize them.
-          # - os: ubuntu-24.04-arm
-          #   target: aarch64-unknown-linux-musl
-          # - os: ubuntu-24.04-arm
-          #   target: aarch64-unknown-linux-gnu
-
-          # Windows
-          - os: windows-latest
-            target: x86_64-pc-windows-gnullvm
-    runs-on: ${{ matrix.os }}
-
-    # Configure a human readable name for each job
-    name: Local Bazel build on ${{ matrix.os }} for ${{ matrix.target }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Bazel CI
-        id: setup_bazel
-        uses: ./.github/actions/setup-bazel-ci
-        with:
-          target: ${{ matrix.target }}
-          install-test-prereqs: "true"
-
-      - name: Check MODULE.bazel.lock is up to date
-        if: matrix.os == 'ubuntu-24.04' && matrix.target == 'x86_64-unknown-linux-gnu'
-        shell: bash
-        run: ./scripts/check-module-bazel-lock.sh
-
-      - name: Set up Bazel execution logs
-        shell: bash
-        run: |
-          mkdir -p "${RUNNER_TEMP}/bazel-execution-logs"
-          echo "CODEX_BAZEL_EXECUTION_LOG_COMPACT_DIR=${RUNNER_TEMP}/bazel-execution-logs" >> "${GITHUB_ENV}"
-
-      - name: bazel test //...
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          bazel_targets=(
-            //...
-            # Keep standalone V8 library targets out of the ordinary Bazel CI
-            # path. V8 consumers under `//codex-rs/...` still participate
-            # transitively through `//...`.
-            -//third_party/v8:all
-          )
-
-          ./.github/scripts/run-bazel-ci.sh \
-            --print-failed-test-logs \
-            --use-node-test-env \
-            -- \
-            test \
-            --test_tag_filters=-argument-comment-lint \
-            --test_verbose_timeout_warnings \
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
-            -- \
-            "${bazel_targets[@]}"
-
-      - name: Upload Bazel execution logs
-        if: always() && !cancelled()
-        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: bazel-execution-logs-test-${{ matrix.target }}
-          path: ${{ runner.temp }}/bazel-execution-logs
-          if-no-files-found: ignore
-
-      # Save bazel repository cache explicitly; make non-fatal so cache uploading
-      # never fails the overall job. Only save when key wasn't hit.
-      - name: Save bazel repository cache
-        if: always() && !cancelled() && steps.setup_bazel.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cache/bazel-repo-cache
-          key: bazel-cache-${{ matrix.target }}-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}
-
-  clippy:
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # Keep Linux lint coverage on x64 and add the arm64 macOS path that
-          # the Bazel test job already exercises. Add Windows gnullvm as well
-          # so PRs get Bazel-native lint signal on the same Windows toolchain
-          # that the Bazel test job uses.
-          - os: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-          - os: macos-15-xlarge
-            target: aarch64-apple-darwin
-          - os: windows-latest
-            target: x86_64-pc-windows-gnullvm
-    runs-on: ${{ matrix.os }}
-    name: Bazel clippy on ${{ matrix.os }} for ${{ matrix.target }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Bazel CI
-        id: setup_bazel
-        uses: ./.github/actions/setup-bazel-ci
-        with:
-          target: ${{ matrix.target }}
-
-      - name: Set up Bazel execution logs
-        shell: bash
-        run: |
-          mkdir -p "${RUNNER_TEMP}/bazel-execution-logs"
-          echo "CODEX_BAZEL_EXECUTION_LOG_COMPACT_DIR=${RUNNER_TEMP}/bazel-execution-logs" >> "${GITHUB_ENV}"
-
-      - name: bazel build --config=clippy //codex-rs/...
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          # Keep the initial Bazel clippy scope on codex-rs and out of the
-          # V8 proof-of-concept target for now.
-          ./.github/scripts/run-bazel-ci.sh \
-            -- \
-            build \
-            --config=clippy \
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
-            --build_metadata=TAG_job=clippy \
-            -- \
-            //codex-rs/... \
-            -//codex-rs/v8-poc:all
-
-      - name: Upload Bazel execution logs
-        if: always() && !cancelled()
-        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: bazel-execution-logs-clippy-${{ matrix.target }}
-          path: ${{ runner.temp }}/bazel-execution-logs
-          if-no-files-found: ignore
-
-      # Save bazel repository cache explicitly; make non-fatal so cache uploading
-      # never fails the overall job. Only save when key wasn't hit.
-      - name: Save bazel repository cache
-        if: always() && !cancelled() && steps.setup_bazel.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cache/bazel-repo-cache
-          key: bazel-cache-${{ matrix.target }}-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}

.github/workflows/blob-size-policy.yml

@@ -1,32 +0,0 @@
-name: blob-size-policy
-
-on:
-  pull_request: {}
-
-jobs:
-  check:
-    name: Blob size policy
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Determine PR comparison range
-        id: range
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "base=$(git rev-parse HEAD^1)" >> "$GITHUB_OUTPUT"
-          echo "head=$(git rev-parse HEAD^2)" >> "$GITHUB_OUTPUT"
-
-      - name: Check changed blob sizes
-        env:
-          BASE_SHA: ${{ steps.range.outputs.base }}
-          HEAD_SHA: ${{ steps.range.outputs.head }}
-        run: |
-          python3 scripts/check_blob_size.py \
-            --base "$BASE_SHA" \
-            --head "$HEAD_SHA" \
-            --max-bytes 512000 \
-            --allowlist .github/blob-size-allowlist.txt

.github/workflows/cargo-deny.yml

@@ -14,13 +14,13 @@ jobs:
         working-directory: ./codex-rs
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+        uses: dtolnay/rust-toolchain@stable
 
       - name: Run cargo-deny
-        uses: EmbarkStudios/cargo-deny-action@82eb9f621fbc699dd0918f3ea06864c14cc84246 # v2
+        uses: EmbarkStudios/cargo-deny-action@v2
         with:
           rust-version: stable
           manifest-path: ./codex-rs/Cargo.toml

.github/workflows/ci.yml

@@ -12,21 +12,15 @@ jobs:
       NODE_OPTIONS: --max-old-space-size=4096
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Verify codex-rs Cargo manifests inherit workspace settings
-        run: python3 .github/scripts/verify_cargo_workspace_manifests.py
-
-      - name: Verify Bazel clippy flags match Cargo workspace lints
-        run: python3 .github/scripts/verify_bazel_clippy_lints.py
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
+        uses: pnpm/action-setup@v4
         with:
           run_install: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@v6
         with:
           node-version: 22
 
@@ -34,7 +28,7 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       # stage_npm_packages.py requires DotSlash when staging releases.
-      - uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
+      - uses: facebook/install-dotslash@v2
 
       - name: Stage npm package
         id: stage_npm_package
@@ -43,7 +37,7 @@ jobs:
         run: |
           set -euo pipefail
           # Use a rust-release version that includes all native binaries.
-          CODEX_VERSION=0.115.0
+          CODEX_VERSION=0.74.0
           OUTPUT_DIR="${RUNNER_TEMP}"
           python3 ./scripts/stage_npm_packages.py \
             --release-version "$CODEX_VERSION" \
@@ -53,7 +47,7 @@ jobs:
           echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"
 
       - name: Upload staged npm package artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@v6
         with:
           name: codex-npm-staging
           path: ${{ steps.stage_npm_package.outputs.pack_output }}

.github/workflows/cla.yml

@@ -18,7 +18,7 @@ jobs:
     if: ${{ github.repository_owner == 'openai' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
+      - uses: contributor-assistant/github-action@v2.6.1
         # Run on close only if the PR was merged. This will lock the PR to preserve
         # the CLA agreement. We don't want to lock PRs that have been closed without
         # merging because the contributor may want to respond with additional comments.

.github/workflows/close-stale-contributor-prs.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Close inactive PRs from contributors
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/codespell.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
       - name: Annotate locations with typos
         uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1
       - name: Codespell

.github/workflows/issue-deduplicator.yml

@@ -7,61 +7,43 @@ on:
       - labeled
 
 jobs:
-  gather-duplicates-all:
-    name: Identify potential duplicates (all issues)
+  gather-duplicates:
+    name: Identify potential duplicates
     # Prevent runs on forks (requires OpenAI API key, wastes Actions minutes)
     if: github.repository == 'openai/codex' && (github.event.action == 'opened' || (github.event.action == 'labeled' && github.event.label.name == 'codex-deduplicate'))
     runs-on: ubuntu-latest
     permissions:
       contents: read
     outputs:
-      issues_json: ${{ steps.normalize-all.outputs.issues_json }}
-      reason: ${{ steps.normalize-all.outputs.reason }}
-      has_matches: ${{ steps.normalize-all.outputs.has_matches }}
+      codex_output: ${{ steps.codex.outputs.final-message }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v6
 
       - name: Prepare Codex inputs
         env:
           GH_TOKEN: ${{ github.token }}
-          REPO: ${{ github.repository }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
         run: |
           set -eo pipefail
 
           CURRENT_ISSUE_FILE=codex-current-issue.json
-          EXISTING_ALL_FILE=codex-existing-issues-all.json
+          EXISTING_ISSUES_FILE=codex-existing-issues.json
 
-          gh issue list --repo "$REPO" \
-            --json number,title,body,createdAt,updatedAt,state,labels \
+          gh issue list --repo "${{ github.repository }}" \
+            --json number,title,body,createdAt \
             --limit 1000 \
             --state all \
             --search "sort:created-desc" \
-            | jq '[.[] | {
-                number,
-                title,
-                body: ((.body // "")[0:4000]),
-                createdAt,
-                updatedAt,
-                state,
-                labels: ((.labels // []) | map(.name))
-              }]' \
-            > "$EXISTING_ALL_FILE"
+            | jq '.' \
+            > "$EXISTING_ISSUES_FILE"
 
-          gh issue view "$ISSUE_NUMBER" \
-            --repo "$REPO" \
+          gh issue view "${{ github.event.issue.number }}" \
+            --repo "${{ github.repository }}" \
             --json number,title,body \
-            | jq '{number, title, body: ((.body // "")[0:4000])}' \
+            | jq '.' \
             > "$CURRENT_ISSUE_FILE"
 
-          echo "Prepared duplicate detection input files."
-          echo "all_issue_count=$(jq 'length' "$EXISTING_ALL_FILE")"
-
-      # Prompt instructions are intentionally inline in this workflow. The old
-      # .github/prompts/issue-deduplicator.txt file is obsolete and removed.
-      - id: codex-all
-        name: Find duplicates (pass 1, all issues)
-        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
+      - id: codex
+        uses: openai/codex-action@main
         with:
           openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
           allow-users: "*"
@@ -70,17 +52,14 @@ jobs:
 
             You will receive the following JSON files located in the current working directory:
             - `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
-            - `codex-existing-issues-all.json`: JSON array of recent issues with states, timestamps, and labels.
+            - `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
 
             Instructions:
             - Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
-            - Prioritize concrete overlap in symptoms, reproduction details, error signatures, and user intent.
-            - Prefer active unresolved issues when confidence is similar.
-            - Closed issues can still be valid duplicates if they clearly match.
-            - Return fewer matches rather than speculative ones.
-            - If confidence is low, return an empty list.
-            - Include at most five issue numbers.
-            - After analysis, provide a short reason for your decision.
+            - Focus on the underlying intent and context of each issue—such as reported symptoms, feature requests, reproduction steps, or error messages—rather than relying solely on string similarity or synthetic metrics.
+            - After your analysis, validate your results in 1-2 lines explaining your decision to return the selected matches.
+            - When unsure, prefer returning fewer matches.
+            - Include at most five numbers.
 
           output-schema: |
             {
@@ -98,253 +77,19 @@ jobs:
               "additionalProperties": false
             }
 
-      - id: normalize-all
-        name: Normalize pass 1 output
-        env:
-          CODEX_OUTPUT: ${{ steps.codex-all.outputs.final-message }}
-          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          set -eo pipefail
-
-          raw=${CODEX_OUTPUT//$'\r'/}
-          parsed=false
-          issues='[]'
-          reason=''
-
-          if [ -n "$raw" ] && printf '%s' "$raw" | jq -e 'type == "object" and (.issues | type == "array")' >/dev/null 2>&1; then
-            parsed=true
-            issues=$(printf '%s' "$raw" | jq -c '[.issues[] | tostring]')
-            reason=$(printf '%s' "$raw" | jq -r '.reason // ""')
-          else
-            reason='Pass 1 output was empty or invalid JSON.'
-          fi
-
-          filtered=$(jq -cn --argjson issues "$issues" --arg current "$CURRENT_ISSUE_NUMBER" '[
-            $issues[]
-            | tostring
-            | select(. != $current)
-          ] | reduce .[] as $issue ([]; if index($issue) then . else . + [$issue] end) | .[:5]')
-
-          has_matches=false
-          if [ "$(jq 'length' <<< "$filtered")" -gt 0 ]; then
-            has_matches=true
-          fi
-
-          echo "Pass 1 parsed: $parsed"
-          echo "Pass 1 matches after filtering: $(jq 'length' <<< "$filtered")"
-          echo "Pass 1 reason: $reason"
-
-          {
-            echo "issues_json=$filtered"
-            echo "reason<<EOF"
-            echo "$reason"
-            echo "EOF"
-            echo "has_matches=$has_matches"
-          } >> "$GITHUB_OUTPUT"
-
-  gather-duplicates-open:
-    name: Identify potential duplicates (open issues fallback)
-    # Pass 1 may drop sudo on the runner, so run the fallback in a fresh job.
-    needs: gather-duplicates-all
-    if: ${{ needs.gather-duplicates-all.result == 'success' && needs.gather-duplicates-all.outputs.has_matches != 'true' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      issues_json: ${{ steps.normalize-open.outputs.issues_json }}
-      reason: ${{ steps.normalize-open.outputs.reason }}
-      has_matches: ${{ steps.normalize-open.outputs.has_matches }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Prepare Codex inputs
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPO: ${{ github.repository }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          set -eo pipefail
-
-          CURRENT_ISSUE_FILE=codex-current-issue.json
-          EXISTING_OPEN_FILE=codex-existing-issues-open.json
-
-          gh issue list --repo "$REPO" \
-            --json number,title,body,createdAt,updatedAt,state,labels \
-            --limit 1000 \
-            --state open \
-            --search "sort:created-desc" \
-            | jq '[.[] | {
-                number,
-                title,
-                body: ((.body // "")[0:4000]),
-                createdAt,
-                updatedAt,
-                state,
-                labels: ((.labels // []) | map(.name))
-              }]' \
-            > "$EXISTING_OPEN_FILE"
-
-          gh issue view "$ISSUE_NUMBER" \
-            --repo "$REPO" \
-            --json number,title,body \
-            | jq '{number, title, body: ((.body // "")[0:4000])}' \
-            > "$CURRENT_ISSUE_FILE"
-
-          echo "Prepared fallback duplicate detection input files."
-          echo "open_issue_count=$(jq 'length' "$EXISTING_OPEN_FILE")"
-
-      - id: codex-open
-        name: Find duplicates (pass 2, open issues)
-        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
-        with:
-          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
-          allow-users: "*"
-          prompt: |
-            You are an assistant that triages new GitHub issues by identifying potential duplicates.
-
-            This is a fallback pass because a broad search did not find convincing matches.
-
-            You will receive the following JSON files located in the current working directory:
-            - `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
-            - `codex-existing-issues-open.json`: JSON array of open issues only.
-
-            Instructions:
-            - Search only these active unresolved issues for duplicates of the current issue.
-            - Prioritize concrete overlap in symptoms, reproduction details, error signatures, and user intent.
-            - Prefer fewer, higher-confidence matches.
-            - If confidence is low, return an empty list.
-            - Include at most five issue numbers.
-            - After analysis, provide a short reason for your decision.
-
-          output-schema: |
-            {
-              "type": "object",
-              "properties": {
-                "issues": {
-                  "type": "array",
-                  "items": {
-                    "type": "string"
-                  }
-                },
-                "reason": { "type": "string" }
-              },
-              "required": ["issues", "reason"],
-              "additionalProperties": false
-            }
-
-      - id: normalize-open
-        name: Normalize pass 2 output
-        env:
-          CODEX_OUTPUT: ${{ steps.codex-open.outputs.final-message }}
-          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: |
-          set -eo pipefail
-
-          raw=${CODEX_OUTPUT//$'\r'/}
-          parsed=false
-          issues='[]'
-          reason=''
-
-          if [ -n "$raw" ] && printf '%s' "$raw" | jq -e 'type == "object" and (.issues | type == "array")' >/dev/null 2>&1; then
-            parsed=true
-            issues=$(printf '%s' "$raw" | jq -c '[.issues[] | tostring]')
-            reason=$(printf '%s' "$raw" | jq -r '.reason // ""')
-          else
-            reason='Pass 2 output was empty or invalid JSON.'
-          fi
-
-          filtered=$(jq -cn --argjson issues "$issues" --arg current "$CURRENT_ISSUE_NUMBER" '[
-            $issues[]
-            | tostring
-            | select(. != $current)
-          ] | reduce .[] as $issue ([]; if index($issue) then . else . + [$issue] end) | .[:5]')
-
-          has_matches=false
-          if [ "$(jq 'length' <<< "$filtered")" -gt 0 ]; then
-            has_matches=true
-          fi
-
-          echo "Pass 2 parsed: $parsed"
-          echo "Pass 2 matches after filtering: $(jq 'length' <<< "$filtered")"
-          echo "Pass 2 reason: $reason"
-
-          {
-            echo "issues_json=$filtered"
-            echo "reason<<EOF"
-            echo "$reason"
-            echo "EOF"
-            echo "has_matches=$has_matches"
-          } >> "$GITHUB_OUTPUT"
-
-  select-final:
-    name: Select final duplicate set
-    needs:
-      - gather-duplicates-all
-      - gather-duplicates-open
-    if: ${{ always() && needs.gather-duplicates-all.result == 'success' && (needs.gather-duplicates-open.result == 'success' || needs.gather-duplicates-open.result == 'skipped') }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      codex_output: ${{ steps.select-final.outputs.codex_output }}
-    steps:
-      - id: select-final
-        name: Select final duplicate set
-        env:
-          PASS1_ISSUES: ${{ needs.gather-duplicates-all.outputs.issues_json }}
-          PASS1_REASON: ${{ needs.gather-duplicates-all.outputs.reason }}
-          PASS2_ISSUES: ${{ needs.gather-duplicates-open.outputs.issues_json }}
-          PASS2_REASON: ${{ needs.gather-duplicates-open.outputs.reason }}
-          PASS1_HAS_MATCHES: ${{ needs.gather-duplicates-all.outputs.has_matches }}
-          PASS2_HAS_MATCHES: ${{ needs.gather-duplicates-open.outputs.has_matches }}
-        run: |
-          set -eo pipefail
-
-          selected_issues='[]'
-          selected_reason='No plausible duplicates found.'
-          selected_pass='none'
-
-          if [ "$PASS1_HAS_MATCHES" = "true" ]; then
-            selected_issues=${PASS1_ISSUES:-'[]'}
-            selected_reason=${PASS1_REASON:-'Pass 1 found duplicates.'}
-            selected_pass='all'
-          fi
-
-          if [ "$PASS2_HAS_MATCHES" = "true" ]; then
-            selected_issues=${PASS2_ISSUES:-'[]'}
-            selected_reason=${PASS2_REASON:-'Pass 2 found duplicates.'}
-            selected_pass='open-fallback'
-          fi
-
-          final_json=$(jq -cn \
-            --argjson issues "$selected_issues" \
-            --arg reason "$selected_reason" \
-            --arg pass "$selected_pass" \
-            '{issues: $issues, reason: $reason, pass: $pass}')
-
-          echo "Final pass used: $selected_pass"
-          echo "Final duplicate count: $(jq '.issues | length' <<< "$final_json")"
-          echo "Final reason: $(jq -r '.reason' <<< "$final_json")"
-
-          {
-            echo "codex_output<<EOF"
-            echo "$final_json"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
   comment-on-issue:
     name: Comment with potential duplicates
-    needs: select-final
-    if: ${{ always() && needs.select-final.result == 'success' }}
+    needs: gather-duplicates
+    if: ${{ needs.gather-duplicates.result != 'skipped' }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
       issues: write
     steps:
       - name: Comment on issue
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@v8
         env:
-          CODEX_OUTPUT: ${{ needs.select-final.outputs.codex_output }}
+          CODEX_OUTPUT: ${{ needs.gather-duplicates.outputs.codex_output }}
         with:
           github-token: ${{ github.token }}
           script: |
@@ -360,17 +105,11 @@ jobs:
 
             const issues = Array.isArray(parsed?.issues) ? parsed.issues : [];
             const currentIssueNumber = String(context.payload.issue.number);
-            const passUsed = typeof parsed?.pass === 'string' ? parsed.pass : 'unknown';
-            const reason = typeof parsed?.reason === 'string' ? parsed.reason : '';
 
             console.log(`Current issue number: ${currentIssueNumber}`);
-            console.log(`Pass used: ${passUsed}`);
-            if (reason) {
-              console.log(`Reason: ${reason}`);
-            }
             console.log(issues);
 
-            const filteredIssues = [...new Set(issues.map((value) => String(value)))].filter((value) => value !== currentIssueNumber).slice(0, 5);
+            const filteredIssues = issues.filter((value) => String(value) !== currentIssueNumber);
 
             if (filteredIssues.length === 0) {
               core.info('Codex reported no potential duplicates.');
@@ -396,7 +135,6 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           GH_REPO: ${{ github.repository }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
         run: |
-          gh issue edit "$ISSUE_NUMBER" --remove-label codex-deduplicate || true
+          gh issue edit "${{ github.event.issue.number }}" --remove-label codex-deduplicate || true
           echo "Attempted to remove label: codex-deduplicate"

.github/workflows/issue-labeler.yml

@@ -17,10 +17,10 @@ jobs:
     outputs:
       codex_output: ${{ steps.codex.outputs.final-message }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v6
 
       - id: codex
-        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
+        uses: openai/codex-action@main
         with:
           openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
           allow-users: "*"
@@ -38,10 +38,9 @@ jobs:
             - If applicable, add one of the following labels to specify which sub-product or product surface the issue relates to.
             1. CLI — the Codex command line interface.
             2. extension — VS Code (or other IDE) extension-specific issues.
-            3. app - Issues related to the Codex desktop application.
-            4. codex-web — Issues targeting the Codex web UI/Cloud experience.
-            5. github-action — Issues with the Codex GitHub action.
-            6. iOS — Issues with the Codex iOS app.
+            3. codex-web — Issues targeting the Codex web UI/Cloud experience.
+            4. github-action — Issues with the Codex GitHub action.
+            5. iOS — Issues with the Codex iOS app.
 
             - Additionally add zero or more of the following labels that are relevant to the issue content. Prefer a small set of precise labels over many broad ones.
             1. windows-os — Bugs or friction specific to Windows environments (always when PowerShell is mentioned, path handling, copy/paste, OS-specific auth or tooling failures).
@@ -50,17 +49,14 @@ jobs:
             4. azure — Problems or requests tied to Azure OpenAI deployments.
             5. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
             6. code-review — Issues related to the code review feature or functionality.
-            7. safety-check - Issues related to cyber risk detection or trusted access verification.
-            8. auth - Problems related to authentication, login, or access tokens.
-            9. exec - Problems related to the "codex exec" command or functionality.
-            10. hooks - Problems related to event hooks
-            11. context - Problems related to compaction, context windows, or available context reporting.
-            12. skills - Problems related to skills or plugins
-            13. custom-model - Problems that involve using custom model providers, local models, or OSS models.
-            14. rate-limits - Problems related to token limits, rate limits, or token usage reporting.
-            15. sandbox - Issues related to local sandbox environments or tool call approvals to override sandbox restrictions.
-            16. tool-calls - Problems related to specific tool call invocations including unexpected errors, failures, or hangs.
-            17. TUI - Problems with the terminal user interface (TUI) including keyboard shortcuts, copy & pasting, menus, or screen update issues.
+            7. auth - Problems related to authentication, login, or access tokens.
+            8. codex-exec - Problems related to the "codex exec" command or functionality.
+            9. context-management - Problems related to compaction, context windows, or available context reporting.
+            10. custom-model - Problems that involve using custom model providers, local models, or OSS models.
+            11. rate-limits - Problems related to token limits, rate limits, or token usage reporting.
+            12. sandbox - Issues related to local sandbox environments or tool call approvals to override sandbox restrictions.
+            13. tool-calls - Problems related to specific tool call invocations including unexpected errors, failures, or hangs.
+            14. TUI - Problems with the terminal user interface (TUI) including keyboard shortcuts, copy & pasting, menus, or screen update issues.
 
             Issue number: ${{ github.event.issue.number }}
 

.github/workflows/rust-ci-full.yml

@@ -1,775 +0,0 @@
-name: rust-ci-full
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-# CI builds in debug (dev) for faster signal.
-
-jobs:
-  # --- CI that doesn't need specific targets ---------------------------------
-  general:
-    name: Format / etc
-    runs-on: ubuntu-24.04
-    defaults:
-      run:
-        working-directory: codex-rs
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          components: rustfmt
-      - name: cargo fmt
-        run: cargo fmt -- --config imports_granularity=Item --check
-
-  cargo_shear:
-    name: cargo shear
-    runs-on: ubuntu-24.04
-    defaults:
-      run:
-        working-directory: codex-rs
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
-        with:
-          tool: cargo-shear
-          version: 1.5.1
-      - name: cargo shear
-        run: cargo shear
-
-  argument_comment_lint_package:
-    name: Argument comment lint package
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          toolchain: nightly-2025-09-18
-          components: llvm-tools-preview, rustc-dev, rust-src
-      - name: Cache cargo-dylint tooling
-        id: cargo_dylint_cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cargo/bin/cargo-dylint
-            ~/.cargo/bin/dylint-link
-            ~/.cargo/registry/index
-            ~/.cargo/registry/cache
-            ~/.cargo/git/db
-          key: argument-comment-lint-${{ runner.os }}-${{ hashFiles('tools/argument-comment-lint/Cargo.lock', 'tools/argument-comment-lint/rust-toolchain', '.github/workflows/rust-ci.yml', '.github/workflows/rust-ci-full.yml') }}
-      - name: Install cargo-dylint tooling
-        if: ${{ steps.cargo_dylint_cache.outputs.cache-hit != 'true' }}
-        run: cargo install --locked cargo-dylint dylint-link
-      - name: Check Python wrapper syntax
-        run: python3 -m py_compile tools/argument-comment-lint/wrapper_common.py tools/argument-comment-lint/run.py tools/argument-comment-lint/run-prebuilt-linter.py tools/argument-comment-lint/test_wrapper_common.py
-      - name: Test Python wrapper helpers
-        run: python3 -m unittest discover -s tools/argument-comment-lint -p 'test_*.py'
-      - name: Test argument comment lint package
-        working-directory: tools/argument-comment-lint
-        run: cargo test
-
-  argument_comment_lint_prebuilt:
-    name: Argument comment lint - ${{ matrix.name }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - name: Linux
-            runner: ubuntu-24.04
-          - name: macOS
-            runner: macos-15-xlarge
-          - name: Windows
-            runner: windows-x64
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: ./.github/actions/setup-bazel-ci
-        with:
-          target: ${{ runner.os }}
-          install-test-prereqs: true
-      - name: Install Linux sandbox build dependencies
-        if: ${{ runner.os == 'Linux' }}
-        shell: bash
-        run: |
-          sudo DEBIAN_FRONTEND=noninteractive apt-get update
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
-      - name: Run argument comment lint on codex-rs via Bazel
-        if: ${{ runner.os != 'Windows' }}
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          bazel_targets="$(./tools/argument-comment-lint/list-bazel-targets.sh)"
-          ./.github/scripts/run-bazel-ci.sh \
-            -- \
-            build \
-            --config=argument-comment-lint \
-            --keep_going \
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
-            -- \
-            ${bazel_targets}
-      - name: Run argument comment lint on codex-rs via Bazel
-        if: ${{ runner.os == 'Windows' }}
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          ./.github/scripts/run-argument-comment-lint-bazel.sh \
-            --config=argument-comment-lint \
-            --platforms=//:local_windows \
-            --keep_going \
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
-
-  # --- CI to validate on different os/targets --------------------------------
-  lint_build:
-    name: Lint/Build — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.profile == 'release' && ' (release)' || '' }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    timeout-minutes: 30
-    defaults:
-      run:
-        working-directory: codex-rs
-    env:
-      # Speed up repeated builds across CI runs by caching compiled objects, except on
-      # arm64 macOS runners cross-targeting x86_64 where ring/cc-rs can produce
-      # mixed-architecture archives under sccache.
-      USE_SCCACHE: ${{ (startsWith(matrix.runner, 'windows') || (matrix.runner == 'macos-15-xlarge' && matrix.target == 'x86_64-apple-darwin')) && 'false' || 'true' }}
-      CARGO_INCREMENTAL: "0"
-      SCCACHE_CACHE_SIZE: 10G
-      # In rust-ci, representative release-profile checks use thin LTO for faster feedback.
-      CARGO_PROFILE_RELEASE_LTO: ${{ matrix.profile == 'release' && 'thin' || 'fat' }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            profile: dev
-          - runner: macos-15-xlarge
-            target: x86_64-apple-darwin
-            profile: dev
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-
-          # Also run representative release builds on Mac and Linux because
-          # there could be release-only build errors we want to catch.
-          # Hopefully this also pre-populates the build cache to speed up
-          # releases.
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            profile: release
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            profile: release
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            profile: release
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            profile: release
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            profile: release
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - name: Install Linux build dependencies
-        if: ${{ runner.os == 'Linux' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            sudo apt-get update -y
-            packages=(pkg-config libcap-dev)
-            if [[ "${{ matrix.target }}" == 'x86_64-unknown-linux-musl' || "${{ matrix.target }}" == 'aarch64-unknown-linux-musl' ]]; then
-              packages+=(libubsan1)
-            fi
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "${packages[@]}"
-          fi
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          targets: ${{ matrix.target }}
-          components: clippy
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Use hermetic Cargo home (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          cargo_home="${GITHUB_WORKSPACE}/.cargo-home"
-          mkdir -p "${cargo_home}/bin"
-          echo "CARGO_HOME=${cargo_home}" >> "$GITHUB_ENV"
-          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
-          : > "${cargo_home}/config.toml"
-
-      - name: Compute lockfile hash
-        id: lockhash
-        working-directory: codex-rs
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-
-      # Explicit cache restore: split cargo home vs target, so we can
-      # avoid caching the large target dir on the gnu-dev job.
-      - name: Restore cargo home cache
-        id: cache_cargo_home_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
-          restore-keys: |
-            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
-
-      # Install and restore sccache cache
-      - name: Install sccache
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
-        with:
-          tool: sccache
-          version: 0.7.5
-
-      - name: Configure sccache backend
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if [[ -n "${ACTIONS_CACHE_URL:-}" && -n "${ACTIONS_RUNTIME_TOKEN:-}" ]]; then
-            echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
-            echo "Using sccache GitHub backend"
-          else
-            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
-            echo "Using sccache local disk + actions/cache fallback"
-          fi
-
-      - name: Enable sccache wrapper
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
-
-      - name: Restore sccache cache (fallback)
-        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
-        id: cache_sccache_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
-          restore-keys: |
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Disable sccache wrapper (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "RUSTC_WRAPPER=" >> "$GITHUB_ENV"
-          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Prepare APT cache directories (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          sudo mkdir -p /var/cache/apt/archives /var/lib/apt/lists
-          sudo chown -R "$USER:$USER" /var/cache/apt /var/lib/apt/lists
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Restore APT cache (musl)
-        id: cache_apt_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            /var/cache/apt
-          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Install Zig
-        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
-        with:
-          version: 0.14.0
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Install musl build tools
-        env:
-          DEBIAN_FRONTEND: noninteractive
-          TARGET: ${{ matrix.target }}
-          APT_UPDATE_ARGS: -o Acquire::Retries=3
-          APT_INSTALL_ARGS: --no-install-recommends
-        shell: bash
-        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Configure rustc UBSan wrapper (musl host)
-        shell: bash
-        run: |
-          set -euo pipefail
-          ubsan=""
-          if command -v ldconfig >/dev/null 2>&1; then
-            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
-          fi
-          wrapper_root="${RUNNER_TEMP:-/tmp}"
-          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
-          cat > "${wrapper}" <<EOF
-          #!/usr/bin/env bash
-          set -euo pipefail
-          if [[ -n "${ubsan}" ]]; then
-            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
-          fi
-          exec "\$1" "\${@:2}"
-          EOF
-          chmod +x "${wrapper}"
-          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
-          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Clear sanitizer flags (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
-          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
-          # Override any runner-level Cargo config rustflags as well.
-          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-
-          sanitize_flags() {
-            local input="$1"
-            input="${input//-fsanitize=undefined/}"
-            input="${input//-fno-sanitize-recover=undefined/}"
-            input="${input//-fno-sanitize-trap=undefined/}"
-            echo "$input"
-          }
-
-          cflags="$(sanitize_flags "${CFLAGS-}")"
-          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
-          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
-          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
-        name: Configure musl rusty_v8 artifact overrides
-        env:
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          version="$(python3 "${GITHUB_WORKSPACE}/.github/scripts/rusty_v8_bazel.py" resolved-v8-crate-version)"
-          release_tag="rusty-v8-v${version}"
-          base_url="https://github.com/openai/codex/releases/download/${release_tag}"
-          archive="https://github.com/openai/codex/releases/download/rusty-v8-v${version}/librusty_v8_release_${TARGET}.a.gz"
-          binding_dir="${RUNNER_TEMP}/rusty_v8"
-          binding_path="${binding_dir}/src_binding_release_${TARGET}.rs"
-          mkdir -p "${binding_dir}"
-          curl -fsSL "${base_url}/src_binding_release_${TARGET}.rs" -o "${binding_path}"
-          echo "RUSTY_V8_ARCHIVE=${archive}" >> "$GITHUB_ENV"
-          echo "RUSTY_V8_SRC_BINDING_PATH=${binding_path}" >> "$GITHUB_ENV"
-
-      - name: Install cargo-chef
-        if: ${{ matrix.profile == 'release' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
-        with:
-          tool: cargo-chef
-          version: 0.1.71
-
-      - name: Pre-warm dependency cache (cargo-chef)
-        if: ${{ matrix.profile == 'release' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          RECIPE="${RUNNER_TEMP}/chef-recipe.json"
-          cargo chef prepare --recipe-path "$RECIPE"
-          cargo chef cook --recipe-path "$RECIPE" --target ${{ matrix.target }} --release
-
-      - name: cargo clippy
-        run: cargo clippy --target ${{ matrix.target }} --tests --profile ${{ matrix.profile }} --timings -- -D warnings
-
-      - name: Upload Cargo timings (clippy)
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: cargo-timings-rust-ci-clippy-${{ matrix.target }}-${{ matrix.profile }}
-          path: codex-rs/target/**/cargo-timings/cargo-timing.html
-          if-no-files-found: warn
-
-      # Save caches explicitly; make non-fatal so cache packaging
-      # never fails the overall job. Only save when key wasn't hit.
-      - name: Save cargo home cache
-        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
-
-      - name: Save sccache cache (fallback)
-        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
-
-      - name: sccache stats
-        if: always() && env.USE_SCCACHE == 'true'
-        continue-on-error: true
-        run: sccache --show-stats || true
-
-      - name: sccache summary
-        if: always() && env.USE_SCCACHE == 'true'
-        shell: bash
-        run: |
-          {
-            echo "### sccache stats — ${{ matrix.target }} (${{ matrix.profile }})";
-            echo;
-            echo '```';
-            sccache --show-stats || true;
-            echo '```';
-          } >> "$GITHUB_STEP_SUMMARY"
-
-      - name: Save APT cache (musl)
-        if: always() && !cancelled() && (matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl') && steps.cache_apt_restore.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            /var/cache/apt
-          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1
-
-  tests:
-    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.remote_env == 'true' && ' (remote)' || '' }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    # Perhaps we can bring this back down to 30m once we finish the cutover
-    # from tui_app_server/ to tui/. Incidentally, windows-arm64 was the main
-    # offender for exceeding the timeout.
-    timeout-minutes: 45
-    defaults:
-      run:
-        working-directory: codex-rs
-    env:
-      # Speed up repeated builds across CI runs by caching compiled objects, except on
-      # arm64 macOS runners cross-targeting x86_64 where ring/cc-rs can produce
-      # mixed-architecture archives under sccache.
-      USE_SCCACHE: ${{ (startsWith(matrix.runner, 'windows') || (matrix.runner == 'macos-15-xlarge' && matrix.target == 'x86_64-apple-darwin')) && 'false' || 'true' }}
-      CARGO_INCREMENTAL: "0"
-      SCCACHE_CACHE_SIZE: 10G
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            profile: dev
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-            profile: dev
-            remote_env: "true"
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - name: Set up Node.js for js_repl tests
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-        with:
-          node-version-file: codex-rs/node-version.txt
-      - name: Install Linux build dependencies
-        if: ${{ runner.os == 'Linux' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
-          fi
-
-      # Some integration tests rely on DotSlash being installed.
-      # See https://github.com/openai/codex/pull/7617.
-      - name: Install DotSlash
-        uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
-
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          targets: ${{ matrix.target }}
-
-      - name: Compute lockfile hash
-        id: lockhash
-        working-directory: codex-rs
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-
-      - name: Restore cargo home cache
-        id: cache_cargo_home_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
-          restore-keys: |
-            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
-
-      - name: Install sccache
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
-        with:
-          tool: sccache
-          version: 0.7.5
-
-      - name: Configure sccache backend
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if [[ -n "${ACTIONS_CACHE_URL:-}" && -n "${ACTIONS_RUNTIME_TOKEN:-}" ]]; then
-            echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
-            echo "Using sccache GitHub backend"
-          else
-            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
-            echo "Using sccache local disk + actions/cache fallback"
-          fi
-
-      - name: Enable sccache wrapper
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
-
-      - name: Restore sccache cache (fallback)
-        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
-        id: cache_sccache_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
-          restore-keys: |
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
-
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
-        with:
-          tool: nextest
-          version: 0.9.103
-
-      - name: Enable unprivileged user namespaces (Linux)
-        if: runner.os == 'Linux'
-        run: |
-          # Required for bubblewrap to work on Linux CI runners.
-          sudo sysctl -w kernel.unprivileged_userns_clone=1
-          # Ubuntu 24.04+ can additionally gate unprivileged user namespaces
-          # behind AppArmor.
-          if sudo sysctl -a 2>/dev/null | grep -q '^kernel.apparmor_restrict_unprivileged_userns'; then
-            sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-          fi
-
-      - name: Set up remote test env (Docker)
-        if: ${{ runner.os == 'Linux' && matrix.remote_env == 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          export CODEX_TEST_REMOTE_ENV_CONTAINER_NAME=codex-remote-test-env
-          source "${GITHUB_WORKSPACE}/scripts/test-remote-env.sh"
-          echo "CODEX_TEST_REMOTE_ENV=${CODEX_TEST_REMOTE_ENV}" >> "$GITHUB_ENV"
-
-      - name: tests
-        id: test
-        run: cargo nextest run --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
-        env:
-          RUST_BACKTRACE: 1
-          NEXTEST_STATUS_LEVEL: leak
-
-      - name: Upload Cargo timings (nextest)
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}
-          path: codex-rs/target/**/cargo-timings/cargo-timing.html
-          if-no-files-found: warn
-
-      - name: Save cargo home cache
-        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
-
-      - name: Save sccache cache (fallback)
-        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
-
-      - name: sccache stats
-        if: always() && env.USE_SCCACHE == 'true'
-        continue-on-error: true
-        run: sccache --show-stats || true
-
-      - name: sccache summary
-        if: always() && env.USE_SCCACHE == 'true'
-        shell: bash
-        run: |
-          {
-            echo "### sccache stats — ${{ matrix.target }} (tests)";
-            echo;
-            echo '```';
-            sccache --show-stats || true;
-            echo '```';
-          } >> "$GITHUB_STEP_SUMMARY"
-
-      - name: Tear down remote test env
-        if: ${{ always() && runner.os == 'Linux' && matrix.remote_env == 'true' }}
-        shell: bash
-        run: |
-          set +e
-          if [[ "${{ steps.test.outcome }}" != "success" ]]; then
-            docker logs codex-remote-test-env || true
-          fi
-          docker rm -f codex-remote-test-env >/dev/null 2>&1 || true
-
-      - name: verify tests passed
-        if: steps.test.outcome == 'failure'
-        run: |
-          echo "Tests failed. See logs for details."
-          exit 1
-
-  # --- Gatherer job for the full post-merge workflow --------------------------
-  results:
-    name: Full CI results
-    needs:
-      [
-        general,
-        cargo_shear,
-        argument_comment_lint_package,
-        argument_comment_lint_prebuilt,
-        lint_build,
-        tests,
-      ]
-    if: always()
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Summarize
-        shell: bash
-        run: |
-          echo "argpkg : ${{ needs.argument_comment_lint_package.result }}"
-          echo "arglint: ${{ needs.argument_comment_lint_prebuilt.result }}"
-          echo "general: ${{ needs.general.result }}"
-          echo "shear  : ${{ needs.cargo_shear.result }}"
-          echo "lint   : ${{ needs.lint_build.result }}"
-          echo "tests  : ${{ needs.tests.result }}"
-          [[ '${{ needs.argument_comment_lint_package.result }}' == 'success' ]] || { echo 'argument_comment_lint_package failed'; exit 1; }
-          [[ '${{ needs.argument_comment_lint_prebuilt.result }}' == 'success' ]] || { echo 'argument_comment_lint_prebuilt failed'; exit 1; }
-          [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
-          [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
-          [[ '${{ needs.lint_build.result }}' == 'success' ]] || { echo 'lint_build failed'; exit 1; }
-          [[ '${{ needs.tests.result }}' == 'success' ]] || { echo 'tests failed'; exit 1; }
-
-      - name: sccache summary note
-        if: always()
-        run: |
-          echo "Per-job sccache stats are attached to each matrix job's Step Summary."

.github/workflows/rust-ci.yml

@@ -1,20 +1,23 @@
 name: rust-ci
 on:
   pull_request: {}
+  push:
+    branches:
+      - main
   workflow_dispatch:
 
+# CI builds in debug (dev) for faster signal.
+
 jobs:
-  # --- Detect what changed so the fast PR workflow only runs relevant jobs ----
+  # --- Detect what changed to detect which tests to run (always runs) -------------------------------------
   changed:
     name: Detect changed areas
     runs-on: ubuntu-24.04
     outputs:
-      argument_comment_lint: ${{ steps.detect.outputs.argument_comment_lint }}
-      argument_comment_lint_package: ${{ steps.detect.outputs.argument_comment_lint_package }}
       codex: ${{ steps.detect.outputs.codex }}
       workflows: ${{ steps.detect.outputs.workflows }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Detect changed paths (no external action)
@@ -28,56 +31,53 @@ jobs:
             HEAD_SHA='${{ github.event.pull_request.head.sha }}'
             echo "Base SHA: $BASE_SHA"
             echo "Head SHA: $HEAD_SHA"
+            # List files changed between base and PR head
             mapfile -t files < <(git diff --name-only --no-renames "$BASE_SHA" "$HEAD_SHA")
           else
-            # On manual runs, default to the full fast-PR bundle.
-            files=("codex-rs/force" "tools/argument-comment-lint/force" ".github/force")
+            # On push / manual runs, default to running everything
+            files=("codex-rs/force" ".github/force")
           fi
 
           codex=false
-          argument_comment_lint=false
-          argument_comment_lint_package=false
           workflows=false
           for f in "${files[@]}"; do
             [[ $f == codex-rs/* ]] && codex=true
-            [[ $f == codex-rs/* || $f == tools/argument-comment-lint/* || $f == justfile ]] && argument_comment_lint=true
-            [[ $f == tools/argument-comment-lint/* || $f == .github/workflows/rust-ci.yml || $f == .github/workflows/rust-ci-full.yml ]] && argument_comment_lint_package=true
             [[ $f == .github/* ]] && workflows=true
           done
 
-          echo "argument_comment_lint=$argument_comment_lint" >> "$GITHUB_OUTPUT"
-          echo "argument_comment_lint_package=$argument_comment_lint_package" >> "$GITHUB_OUTPUT"
           echo "codex=$codex" >> "$GITHUB_OUTPUT"
           echo "workflows=$workflows" >> "$GITHUB_OUTPUT"
 
-  # --- Fast Cargo-native PR checks -------------------------------------------
+  # --- CI that doesn't need specific targets ---------------------------------
   general:
     name: Format / etc
     runs-on: ubuntu-24.04
     needs: changed
-    if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' }}
+    if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' || github.event_name == 'push' }}
     defaults:
       run:
         working-directory: codex-rs
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@1.90
         with:
           components: rustfmt
       - name: cargo fmt
         run: cargo fmt -- --config imports_granularity=Item --check
+      - name: Verify codegen for mcp-types
+        run: ./mcp-types/check_lib_rs.py
 
   cargo_shear:
     name: cargo shear
     runs-on: ubuntu-24.04
     needs: changed
-    if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' }}
+    if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' || github.event_name == 'push' }}
     defaults:
       run:
         working-directory: codex-rs
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@1.90
       - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
         with:
           tool: cargo-shear
@@ -85,145 +85,460 @@ jobs:
       - name: cargo shear
         run: cargo shear
 
-  argument_comment_lint_package:
-    name: Argument comment lint package
-    runs-on: ubuntu-24.04
+  # --- CI to validate on different os/targets --------------------------------
+  lint_build:
+    name: Lint/Build — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.profile == 'release' && ' (release)' || '' }}
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
     needs: changed
-    if: ${{ needs.changed.outputs.argument_comment_lint_package == 'true' }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-      - name: Install nightly argument-comment-lint toolchain
-        shell: bash
-        run: |
-          rustup toolchain install nightly-2025-09-18 \
-            --profile minimal \
-            --component llvm-tools-preview \
-            --component rustc-dev \
-            --component rust-src \
-            --no-self-update
-          rustup default nightly-2025-09-18
-      - name: Cache cargo-dylint tooling
-        id: cargo_dylint_cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cargo/bin/cargo-dylint
-            ~/.cargo/bin/dylint-link
-            ~/.cargo/registry/index
-            ~/.cargo/registry/cache
-            ~/.cargo/git/db
-          key: argument-comment-lint-${{ runner.os }}-${{ hashFiles('tools/argument-comment-lint/Cargo.lock', 'tools/argument-comment-lint/rust-toolchain', '.github/workflows/rust-ci.yml', '.github/workflows/rust-ci-full.yml') }}
-      - name: Install cargo-dylint tooling
-        if: ${{ steps.cargo_dylint_cache.outputs.cache-hit != 'true' }}
-        run: cargo install --locked cargo-dylint dylint-link
-      - name: Check Python wrapper syntax
-        run: python3 -m py_compile tools/argument-comment-lint/wrapper_common.py tools/argument-comment-lint/run.py tools/argument-comment-lint/run-prebuilt-linter.py tools/argument-comment-lint/test_wrapper_common.py
-      - name: Test Python wrapper helpers
-        run: python3 -m unittest discover -s tools/argument-comment-lint -p 'test_*.py'
-      - name: Test argument comment lint package
-        working-directory: tools/argument-comment-lint
-        run: cargo test
+    # Keep job-level if to avoid spinning up runners when not needed
+    if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' || github.event_name == 'push' }}
+    defaults:
+      run:
+        working-directory: codex-rs
+    env:
+      # Speed up repeated builds across CI runs by caching compiled objects (non-Windows).
+      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
+      CARGO_INCREMENTAL: "0"
+      SCCACHE_CACHE_SIZE: 10G
 
-  argument_comment_lint_prebuilt:
-    name: Argument comment lint - ${{ matrix.name }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    timeout-minutes: ${{ matrix.timeout_minutes }}
-    needs: changed
-    if: ${{ needs.changed.outputs.argument_comment_lint == 'true' || needs.changed.outputs.workflows == 'true' }}
     strategy:
       fail-fast: false
       matrix:
         include:
-          - name: Linux
-            runner: ubuntu-24.04
-            timeout_minutes: 30
-          - name: macOS
-            runner: macos-15-xlarge
-            timeout_minutes: 30
-          - name: Windows
-            runner: windows-x64
-            timeout_minutes: 30
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            profile: dev
+          - runner: macos-14
+            target: x86_64-apple-darwin
+            profile: dev
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            profile: dev
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-gnu
+            profile: dev
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            profile: dev
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-gnu
+            profile: dev
+          - runner: windows-latest
+            target: x86_64-pc-windows-msvc
+            profile: dev
+          - runner: windows-11-arm
+            target: aarch64-pc-windows-msvc
+            profile: dev
+
+          # Also run representative release builds on Mac and Linux because
+          # there could be release-only build errors we want to catch.
+          # Hopefully this also pre-populates the build cache to speed up
+          # releases.
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            profile: release
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            profile: release
+          - runner: windows-latest
+            target: x86_64-pc-windows-msvc
+            profile: release
+          - runner: windows-11-arm
+            target: aarch64-pc-windows-msvc
+            profile: release
+
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: ./.github/actions/setup-bazel-ci
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@1.90
         with:
-          target: ${{ runner.os }}
-          install-test-prereqs: true
-      - name: Install Linux sandbox build dependencies
-        if: ${{ runner.os == 'Linux' }}
+          targets: ${{ matrix.target }}
+          components: clippy
+
+      - name: Compute lockfile hash
+        id: lockhash
+        working-directory: codex-rs
         shell: bash
         run: |
-          sudo DEBIAN_FRONTEND=noninteractive apt-get update
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
-      - name: Run argument comment lint on codex-rs via Bazel
-        if: ${{ runner.os != 'Windows' }}
+          set -euo pipefail
+          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
+          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
+
+      # Explicit cache restore: split cargo home vs target, so we can
+      # avoid caching the large target dir on the gnu-dev job.
+      - name: Restore cargo home cache
+        id: cache_cargo_home_restore
+        uses: actions/cache/restore@v5
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+          restore-keys: |
+            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
+
+      # Install and restore sccache cache
+      - name: Install sccache
+        if: ${{ env.USE_SCCACHE == 'true' }}
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        with:
+          tool: sccache
+          version: 0.7.5
+
+      - name: Configure sccache backend
+        if: ${{ env.USE_SCCACHE == 'true' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ -n "${ACTIONS_CACHE_URL:-}" && -n "${ACTIONS_RUNTIME_TOKEN:-}" ]]; then
+            echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
+            echo "Using sccache GitHub backend"
+          else
+            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
+            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
+            echo "Using sccache local disk + actions/cache fallback"
+          fi
+
+      - name: Enable sccache wrapper
+        if: ${{ env.USE_SCCACHE == 'true' }}
+        shell: bash
+        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+
+      - name: Restore sccache cache (fallback)
+        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
+        id: cache_sccache_restore
+        uses: actions/cache/restore@v5
+        with:
+          path: ${{ github.workspace }}/.sccache/
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          restore-keys: |
+            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
+            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
+
+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Prepare APT cache directories (musl)
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo mkdir -p /var/cache/apt/archives /var/lib/apt/lists
+          sudo chown -R "$USER:$USER" /var/cache/apt /var/lib/apt/lists
+
+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Restore APT cache (musl)
+        id: cache_apt_restore
+        uses: actions/cache/restore@v5
+        with:
+          path: |
+            /var/cache/apt
+          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1
+
+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Install musl build tools
         env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+          DEBIAN_FRONTEND: noninteractive
         shell: bash
         run: |
-          bazel_targets="$(./tools/argument-comment-lint/list-bazel-targets.sh)"
-          ./.github/scripts/run-bazel-ci.sh \
-            -- \
-            build \
-            --config=argument-comment-lint \
-            --keep_going \
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
-            -- \
-            ${bazel_targets}
-      - name: Run argument comment lint on codex-rs via Bazel
-        if: ${{ runner.os == 'Windows' }}
+          set -euo pipefail
+          sudo apt-get -y update -o Acquire::Retries=3
+          sudo apt-get -y install --no-install-recommends musl-tools pkg-config
+
+      - name: Install cargo-chef
+        if: ${{ matrix.profile == 'release' }}
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        with:
+          tool: cargo-chef
+          version: 0.1.71
+
+      - name: Pre-warm dependency cache (cargo-chef)
+        if: ${{ matrix.profile == 'release' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          RECIPE="${RUNNER_TEMP}/chef-recipe.json"
+          cargo chef prepare --recipe-path "$RECIPE"
+          cargo chef cook --recipe-path "$RECIPE" --target ${{ matrix.target }} --release --all-features
+
+      - name: cargo clippy
+        id: clippy
+        run: cargo clippy --target ${{ matrix.target }} --all-features --tests --profile ${{ matrix.profile }} -- -D warnings
+
+      # Running `cargo build` from the workspace root builds the workspace using
+      # the union of all features from third-party crates. This can mask errors
+      # where individual crates have underspecified features. To avoid this, we
+      # run `cargo check` for each crate individually, though because this is
+      # slower, we only do this for the x86_64-unknown-linux-gnu target.
+      - name: cargo check individual crates
+        id: cargo_check_all_crates
+        if: ${{ matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release' }}
+        continue-on-error: true
+        run: |
+          find . -name Cargo.toml -mindepth 2 -maxdepth 2 -print0 \
+            | xargs -0 -n1 -I{} bash -c 'cd "$(dirname "{}")" && cargo check --profile ${{ matrix.profile }}'
+
+      # Save caches explicitly; make non-fatal so cache packaging
+      # never fails the overall job. Only save when key wasn't hit.
+      - name: Save cargo home cache
+        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
+        continue-on-error: true
+        uses: actions/cache/save@v5
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+
+      - name: Save sccache cache (fallback)
+        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
+        continue-on-error: true
+        uses: actions/cache/save@v5
+        with:
+          path: ${{ github.workspace }}/.sccache/
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+
+      - name: sccache stats
+        if: always() && env.USE_SCCACHE == 'true'
+        continue-on-error: true
+        run: sccache --show-stats || true
+
+      - name: sccache summary
+        if: always() && env.USE_SCCACHE == 'true'
+        shell: bash
+        run: |
+          {
+            echo "### sccache stats — ${{ matrix.target }} (${{ matrix.profile }})";
+            echo;
+            echo '```';
+            sccache --show-stats || true;
+            echo '```';
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Save APT cache (musl)
+        if: always() && !cancelled() && (matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl') && steps.cache_apt_restore.outputs.cache-hit != 'true'
+        continue-on-error: true
+        uses: actions/cache/save@v5
+        with:
+          path: |
+            /var/cache/apt
+          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1
+
+      # Fail the job if any of the previous steps failed.
+      - name: verify all steps passed
+        if: |
+          steps.clippy.outcome == 'failure' ||
+          steps.cargo_check_all_crates.outcome == 'failure'
+        run: |
+          echo "One or more checks failed (clippy or cargo_check_all_crates). See logs for details."
+          exit 1
+
+  tests:
+    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    needs: changed
+    if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' || github.event_name == 'push' }}
+    defaults:
+      run:
+        working-directory: codex-rs
+    env:
+      # Speed up repeated builds across CI runs by caching compiled objects (non-Windows).
+      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
+      CARGO_INCREMENTAL: "0"
+      SCCACHE_CACHE_SIZE: 10G
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            profile: dev
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-gnu
+            profile: dev
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-gnu
+            profile: dev
+          - runner: windows-latest
+            target: x86_64-pc-windows-msvc
+            profile: dev
+          - runner: windows-11-arm
+            target: aarch64-pc-windows-msvc
+            profile: dev
+
+    steps:
+      - uses: actions/checkout@v6
+
+      # We have been running out of space when running this job on Linux for
+      # x86_64-unknown-linux-gnu, so remove some unnecessary dependencies.
+      - name: Remove unnecessary dependencies to save space
+        if: ${{ startsWith(matrix.runner, 'ubuntu') }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo rm -rf \
+            /usr/local/lib/android \
+            /usr/share/dotnet \
+            /usr/local/share/boost \
+            /usr/local/lib/node_modules \
+            /opt/ghc
+          sudo apt-get remove -y docker.io docker-compose podman buildah
+
+      # Some integration tests rely on DotSlash being installed.
+      # See https://github.com/openai/codex/pull/7617.
+      - name: Install DotSlash
+        uses: facebook/install-dotslash@v2
+
+      - uses: dtolnay/rust-toolchain@1.90
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Compute lockfile hash
+        id: lockhash
+        working-directory: codex-rs
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
+          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
+
+      - name: Restore cargo home cache
+        id: cache_cargo_home_restore
+        uses: actions/cache/restore@v5
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+          restore-keys: |
+            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
+
+      - name: Install sccache
+        if: ${{ env.USE_SCCACHE == 'true' }}
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        with:
+          tool: sccache
+          version: 0.7.5
+
+      - name: Configure sccache backend
+        if: ${{ env.USE_SCCACHE == 'true' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ -n "${ACTIONS_CACHE_URL:-}" && -n "${ACTIONS_RUNTIME_TOKEN:-}" ]]; then
+            echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
+            echo "Using sccache GitHub backend"
+          else
+            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
+            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
+            echo "Using sccache local disk + actions/cache fallback"
+          fi
+
+      - name: Enable sccache wrapper
+        if: ${{ env.USE_SCCACHE == 'true' }}
+        shell: bash
+        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+
+      - name: Restore sccache cache (fallback)
+        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
+        id: cache_sccache_restore
+        uses: actions/cache/restore@v5
+        with:
+          path: ${{ github.workspace }}/.sccache/
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          restore-keys: |
+            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
+            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
+
+      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        with:
+          tool: nextest
+          version: 0.9.103
+
+      - name: tests
+        id: test
+        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
         env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+          RUST_BACKTRACE: 1
+          NEXTEST_STATUS_LEVEL: leak
+
+      - name: Save cargo home cache
+        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
+        continue-on-error: true
+        uses: actions/cache/save@v5
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+
+      - name: Save sccache cache (fallback)
+        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
+        continue-on-error: true
+        uses: actions/cache/save@v5
+        with:
+          path: ${{ github.workspace }}/.sccache/
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+
+      - name: sccache stats
+        if: always() && env.USE_SCCACHE == 'true'
+        continue-on-error: true
+        run: sccache --show-stats || true
+
+      - name: sccache summary
+        if: always() && env.USE_SCCACHE == 'true'
         shell: bash
         run: |
-          ./.github/scripts/run-argument-comment-lint-bazel.sh \
-            --config=argument-comment-lint \
-            --platforms=//:local_windows \
-            --keep_going \
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
+          {
+            echo "### sccache stats — ${{ matrix.target }} (tests)";
+            echo;
+            echo '```';
+            sccache --show-stats || true;
+            echo '```';
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: verify tests passed
+        if: steps.test.outcome == 'failure'
+        run: |
+          echo "Tests failed. See logs for details."
+          exit 1
 
   # --- Gatherer job that you mark as the ONLY required status -----------------
   results:
     name: CI results (required)
-    needs:
-      [
-        changed,
-        general,
-        cargo_shear,
-        argument_comment_lint_package,
-        argument_comment_lint_prebuilt,
-      ]
+    needs: [changed, general, cargo_shear, lint_build, tests]
     if: always()
     runs-on: ubuntu-24.04
     steps:
       - name: Summarize
         shell: bash
         run: |
-          echo "argpkg : ${{ needs.argument_comment_lint_package.result }}"
-          echo "arglint: ${{ needs.argument_comment_lint_prebuilt.result }}"
           echo "general: ${{ needs.general.result }}"
           echo "shear  : ${{ needs.cargo_shear.result }}"
+          echo "lint   : ${{ needs.lint_build.result }}"
+          echo "tests  : ${{ needs.tests.result }}"
 
           # If nothing relevant changed (PR touching only root README, etc.),
           # declare success regardless of other jobs.
-          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' != 'true' && '${{ needs.changed.outputs.codex }}' != 'true' && '${{ needs.changed.outputs.workflows }}' != 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.codex }}' != 'true' && '${{ needs.changed.outputs.workflows }}' != 'true' && '${{ github.event_name }}' != 'push' ]]; then
             echo 'No relevant changes -> CI not required.'
             exit 0
           fi
 
-          if [[ '${{ needs.changed.outputs.argument_comment_lint_package }}' == 'true' ]]; then
-            [[ '${{ needs.argument_comment_lint_package.result }}' == 'success' ]] || { echo 'argument_comment_lint_package failed'; exit 1; }
-          fi
+          # Otherwise require the jobs to have succeeded
+          [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
+          [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
+          [[ '${{ needs.lint_build.result }}' == 'success' ]] || { echo 'lint_build failed'; exit 1; }
+          [[ '${{ needs.tests.result }}' == 'success' ]] || { echo 'tests failed'; exit 1; }
 
-          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
-            [[ '${{ needs.argument_comment_lint_prebuilt.result }}' == 'success' ]] || { echo 'argument_comment_lint_prebuilt failed'; exit 1; }
-          fi
-
-          if [[ '${{ needs.changed.outputs.codex }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
-            [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
-            [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
-          fi
+      - name: sccache summary note
+        if: always()
+        run: |
+          echo "Per-job sccache stats are attached to each matrix job's Step Summary."

.github/workflows/rust-release-argument-comment-lint.yml

@@ -1,103 +0,0 @@
-name: rust-release-argument-comment-lint
-
-on:
-  workflow_call:
-    inputs:
-      publish:
-        required: true
-        type: boolean
-
-jobs:
-  skip:
-    if: ${{ !inputs.publish }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo "Skipping argument-comment-lint release assets for prerelease tag"
-
-  build:
-    if: ${{ inputs.publish }}
-    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    timeout-minutes: 60
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            archive_name: argument-comment-lint-aarch64-apple-darwin.tar.gz
-            lib_name: libargument_comment_lint@nightly-2025-09-18-aarch64-apple-darwin.dylib
-            runner_binary: argument-comment-lint
-            cargo_dylint_binary: cargo-dylint
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-            archive_name: argument-comment-lint-x86_64-unknown-linux-gnu.tar.gz
-            lib_name: libargument_comment_lint@nightly-2025-09-18-x86_64-unknown-linux-gnu.so
-            runner_binary: argument-comment-lint
-            cargo_dylint_binary: cargo-dylint
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-            archive_name: argument-comment-lint-aarch64-unknown-linux-gnu.tar.gz
-            lib_name: libargument_comment_lint@nightly-2025-09-18-aarch64-unknown-linux-gnu.so
-            runner_binary: argument-comment-lint
-            cargo_dylint_binary: cargo-dylint
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            archive_name: argument-comment-lint-x86_64-pc-windows-msvc.zip
-            lib_name: argument_comment_lint@nightly-2025-09-18-x86_64-pc-windows-msvc.dll
-            runner_binary: argument-comment-lint.exe
-            cargo_dylint_binary: cargo-dylint.exe
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          toolchain: nightly-2025-09-18
-          targets: ${{ matrix.target }}
-          components: llvm-tools-preview, rustc-dev, rust-src
-
-      - name: Install tooling
-        shell: bash
-        run: |
-          install_root="${RUNNER_TEMP}/argument-comment-lint-tools"
-          cargo install --locked cargo-dylint --root "$install_root"
-          cargo install --locked dylint-link
-          echo "INSTALL_ROOT=$install_root" >> "$GITHUB_ENV"
-
-      - name: Cargo build
-        working-directory: tools/argument-comment-lint
-        shell: bash
-        run: cargo build --release --target ${{ matrix.target }}
-
-      - name: Stage artifact
-        shell: bash
-        run: |
-          dest="dist/argument-comment-lint/${{ matrix.target }}"
-          mkdir -p "$dest"
-          package_root="${RUNNER_TEMP}/argument-comment-lint"
-          rm -rf "$package_root"
-          mkdir -p "$package_root/bin" "$package_root/lib"
-
-          cp "tools/argument-comment-lint/target/${{ matrix.target }}/release/${{ matrix.runner_binary }}" \
-            "$package_root/bin/${{ matrix.runner_binary }}"
-          cp "${INSTALL_ROOT}/bin/${{ matrix.cargo_dylint_binary }}" \
-            "$package_root/bin/${{ matrix.cargo_dylint_binary }}"
-          cp "tools/argument-comment-lint/target/${{ matrix.target }}/release/${{ matrix.lib_name }}" \
-            "$package_root/lib/${{ matrix.lib_name }}"
-
-          archive_path="$dest/${{ matrix.archive_name }}"
-          if [[ "${{ runner.os }}" == "Windows" ]]; then
-            (cd "${RUNNER_TEMP}" && 7z a "$GITHUB_WORKSPACE/$archive_path" argument-comment-lint >/dev/null)
-          else
-            (cd "${RUNNER_TEMP}" && tar -czf "$GITHUB_WORKSPACE/$archive_path" argument-comment-lint)
-          fi
-
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: argument-comment-lint-${{ matrix.target }}
-          path: dist/argument-comment-lint/${{ matrix.target }}/*

.github/workflows/rust-release-prepare.yml

@@ -18,7 +18,7 @@ jobs:
     if: github.repository == 'openai/codex'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v6
         with:
           ref: main
           fetch-depth: 0
@@ -43,7 +43,7 @@ jobs:
           curl --http1.1 --fail --show-error --location "${headers[@]}" "${url}" | jq '.' > codex-rs/core/models.json
 
       - name: Open pull request (if changed)
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
+        uses: peter-evans/create-pull-request@v8
         with:
           commit-message: "Update models.json"
           title: "Update models.json"

.github/workflows/rust-release-windows.yml

@@ -1,264 +0,0 @@
-name: rust-release-windows
-
-on:
-  workflow_call:
-    inputs:
-      release-lto:
-        required: true
-        type: string
-    secrets:
-      AZURE_TRUSTED_SIGNING_CLIENT_ID:
-        required: true
-      AZURE_TRUSTED_SIGNING_TENANT_ID:
-        required: true
-      AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID:
-        required: true
-      AZURE_TRUSTED_SIGNING_ENDPOINT:
-        required: true
-      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME:
-        required: true
-      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME:
-        required: true
-
-jobs:
-  build-windows-binaries:
-    name: Build Windows binaries - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
-    runs-on: ${{ matrix.runs_on }}
-    timeout-minutes: 60
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: codex-rs
-    env:
-      CARGO_PROFILE_RELEASE_LTO: ${{ inputs.release-lto }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            bundle: primary
-            build_args: --bin codex --bin codex-responses-api-proxy
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            bundle: primary
-            build_args: --bin codex --bin codex-responses-api-proxy
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            bundle: helpers
-            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            bundle: helpers
-            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - name: Print runner specs (Windows)
-        shell: powershell
-        run: |
-          $computer = Get-CimInstance Win32_ComputerSystem
-          $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
-          $ramGiB = [math]::Round($computer.TotalPhysicalMemory / 1GB, 1)
-          Write-Host "Runner: $env:RUNNER_NAME"
-          Write-Host "OS: $([System.Environment]::OSVersion.VersionString)"
-          Write-Host "CPU: $($cpu.Name)"
-          Write-Host "Logical CPUs: $($computer.NumberOfLogicalProcessors)"
-          Write-Host "Physical CPUs: $($computer.NumberOfProcessors)"
-          Write-Host "Total RAM: $ramGiB GiB"
-          Write-Host "Disk usage:"
-          Get-PSDrive -PSProvider FileSystem | Format-Table -AutoSize Name, @{Name='Size(GB)';Expression={[math]::Round(($_.Used + $_.Free) / 1GB, 1)}}, @{Name='Free(GB)';Expression={[math]::Round($_.Free / 1GB, 1)}}
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          targets: ${{ matrix.target }}
-
-      - name: Cargo build (Windows binaries)
-        shell: bash
-        run: |
-          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}
-
-      - name: Upload Cargo timings
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: cargo-timings-rust-release-windows-${{ matrix.target }}-${{ matrix.bundle }}
-          path: codex-rs/target/**/cargo-timings/cargo-timing.html
-          if-no-files-found: warn
-
-      - name: Stage Windows binaries
-        shell: bash
-        run: |
-          output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
-          mkdir -p "$output_dir"
-          if [[ "${{ matrix.bundle }}" == "primary" ]]; then
-            cp target/${{ matrix.target }}/release/codex.exe "$output_dir/codex.exe"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$output_dir/codex-responses-api-proxy.exe"
-          else
-            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$output_dir/codex-windows-sandbox-setup.exe"
-            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$output_dir/codex-command-runner.exe"
-          fi
-
-      - name: Upload Windows binaries
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: windows-binaries-${{ matrix.target }}-${{ matrix.bundle }}
-          path: |
-            codex-rs/target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}/*
-
-  build-windows:
-    needs:
-      - build-windows-binaries
-    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runs_on }}
-    timeout-minutes: 60
-    permissions:
-      contents: read
-      id-token: write
-    defaults:
-      run:
-        working-directory: codex-rs
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Download prebuilt Windows primary binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          name: windows-binaries-${{ matrix.target }}-primary
-          path: codex-rs/target/${{ matrix.target }}/release
-
-      - name: Download prebuilt Windows helper binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          name: windows-binaries-${{ matrix.target }}-helpers
-          path: codex-rs/target/${{ matrix.target }}/release
-
-      - name: Verify binaries
-        shell: bash
-        run: |
-          set -euo pipefail
-          ls -lh target/${{ matrix.target }}/release/codex.exe
-          ls -lh target/${{ matrix.target }}/release/codex-responses-api-proxy.exe
-          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
-          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe
-
-      - name: Sign Windows binaries with Azure Trusted Signing
-        uses: ./.github/actions/windows-code-sign
-        with:
-          target: ${{ matrix.target }}
-          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
-          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
-          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
-          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
-
-      - name: Stage artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          mkdir -p "$dest"
-
-          cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
-          cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
-          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
-
-      - name: Install DotSlash
-        uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
-
-      - name: Compress artifacts
-        shell: bash
-        run: |
-          # Path that contains the uncompressed binaries for the current
-          # ${{ matrix.target }}
-          dest="dist/${{ matrix.target }}"
-          repo_root=$PWD
-
-          # For compatibility with environments that lack the `zstd` tool we
-          # additionally create a `.tar.gz` and `.zip` for every Windows binary.
-          # The end result is:
-          #   codex-<target>.zst
-          #   codex-<target>.tar.gz
-          #   codex-<target>.zip
-          for f in "$dest"/*; do
-            base="$(basename "$f")"
-            # Skip files that are already archives (shouldn't happen, but be
-            # safe).
-            if [[ "$base" == *.tar.gz || "$base" == *.zip || "$base" == *.dmg ]]; then
-              continue
-            fi
-
-            # Don't try to compress signature bundles.
-            if [[ "$base" == *.sigstore ]]; then
-              continue
-            fi
-
-            # Create per-binary tar.gz
-            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
-
-            # Create zip archive for Windows binaries.
-            # Must run from inside the dest dir so 7z won't embed the
-            # directory path inside the zip.
-            if [[ "$base" == "codex-${{ matrix.target }}.exe" ]]; then
-              # Bundle the sandbox helper binaries into the main codex zip so
-              # WinGet installs include the required helpers next to codex.exe.
-              # Fall back to the single-binary zip if the helpers are missing
-              # to avoid breaking releases.
-              bundle_dir="$(mktemp -d)"
-              runner_src="$dest/codex-command-runner-${{ matrix.target }}.exe"
-              setup_src="$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-              if [[ -f "$runner_src" && -f "$setup_src" ]]; then
-                cp "$dest/$base" "$bundle_dir/$base"
-                cp "$runner_src" "$bundle_dir/codex-command-runner.exe"
-                cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
-                # Use an absolute path so bundle zips land in the real dist
-                # dir even when 7z runs from a temp directory.
-                (cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
-              else
-                echo "warning: missing sandbox binaries; falling back to single-binary zip"
-                echo "warning: expected $runner_src and $setup_src"
-                (cd "$dest" && 7z a "${base}.zip" "$base")
-              fi
-              rm -rf "$bundle_dir"
-            else
-              (cd "$dest" && 7z a "${base}.zip" "$base")
-            fi
-
-            # Keep raw executables and produce .zst alongside them.
-            "${GITHUB_WORKSPACE}/.github/workflows/zstd" -T0 -19 "$dest/$base"
-          done
-
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: ${{ matrix.target }}
-          path: |
-            codex-rs/dist/${{ matrix.target }}/*

.github/workflows/rust-release-zsh.yml

@@ -1,95 +0,0 @@
-name: rust-release-zsh
-
-on:
-  workflow_call:
-
-env:
-  ZSH_COMMIT: 77045ef899e53b9598bebc5a41db93a548a40ca6
-  ZSH_PATCH: codex-rs/shell-escalation/patches/zsh-exec-wrapper.patch
-
-jobs:
-  linux:
-    name: Build zsh (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    container:
-      image: ${{ matrix.image }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: ubuntu:24.04
-            archive_name: codex-zsh-x86_64-unknown-linux-musl.tar.gz
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: arm64v8/ubuntu:24.04
-            archive_name: codex-zsh-aarch64-unknown-linux-musl.tar.gz
-
-    steps:
-      - name: Install build prerequisites
-        shell: bash
-        run: |
-          set -euo pipefail
-          apt-get update
-          DEBIAN_FRONTEND=noninteractive apt-get install -y \
-            autoconf \
-            bison \
-            build-essential \
-            ca-certificates \
-            gettext \
-            git \
-            libncursesw5-dev
-
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Build, smoke-test, and stage zsh artifact
-        shell: bash
-        run: |
-          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
-            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"
-
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: codex-zsh-${{ matrix.target }}
-          path: dist/zsh/${{ matrix.target }}/*
-
-  darwin:
-    name: Build zsh (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            variant: macos-15
-            archive_name: codex-zsh-aarch64-apple-darwin.tar.gz
-
-    steps:
-      - name: Install build prerequisites
-        shell: bash
-        run: |
-          set -euo pipefail
-          if ! command -v autoconf >/dev/null 2>&1; then
-            brew install autoconf
-          fi
-
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Build, smoke-test, and stage zsh artifact
-        shell: bash
-        run: |
-          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
-            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"
-
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: codex-zsh-${{ matrix.target }}
-          path: dist/zsh/${{ matrix.target }}/*

.github/workflows/rust-release.yml

@@ -19,8 +19,8 @@ jobs:
   tag-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@c2b55edffaf41a251c410bb32bed22afefa800f1 # 1.92
+      - uses: actions/checkout@v6
+
       - name: Validate tag matches Cargo.toml version
         shell: bash
         run: |
@@ -48,18 +48,14 @@ jobs:
   build:
     needs: tag-check
     name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    timeout-minutes: 60
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
     permissions:
       contents: read
       id-token: write
     defaults:
       run:
         working-directory: codex-rs
-    env:
-      # 2026-03-04: temporarily change releases to use thin LTO because
-      # Ubuntu ARM is timing out at 60 minutes.
-      CARGO_PROFILE_RELEASE_LTO: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'thin' }}
 
     strategy:
       fail-fast: false
@@ -77,169 +73,41 @@ jobs:
             target: aarch64-unknown-linux-musl
           - runner: ubuntu-24.04-arm
             target: aarch64-unknown-linux-gnu
+          - runner: windows-latest
+            target: x86_64-pc-windows-msvc
+          - runner: windows-11-arm
+            target: aarch64-pc-windows-msvc
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - name: Print runner specs (Linux)
-        if: ${{ runner.os == 'Linux' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          cpu_model="$(lscpu | awk -F: '/Model name/ {gsub(/^[ \t]+/, "", $2); print $2; exit}')"
-          total_ram="$(awk '/MemTotal/ {printf "%.1f GiB\n", $2 / 1024 / 1024}' /proc/meminfo)"
-          echo "Runner: ${RUNNER_NAME:-unknown}"
-          echo "OS: $(uname -a)"
-          echo "CPU model: ${cpu_model}"
-          echo "Logical CPUs: $(nproc)"
-          echo "Total RAM: ${total_ram}"
-          echo "Disk usage:"
-          df -h .
-      - name: Print runner specs (macOS)
-        if: ${{ runner.os == 'macOS' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          total_ram="$(sysctl -n hw.memsize | awk '{printf "%.1f GiB\n", $1 / 1024 / 1024 / 1024}')"
-          echo "Runner: ${RUNNER_NAME:-unknown}"
-          echo "OS: $(sw_vers -productName) $(sw_vers -productVersion)"
-          echo "Hardware model: $(sysctl -n hw.model)"
-          echo "CPU architecture: $(uname -m)"
-          echo "Logical CPUs: $(sysctl -n hw.logicalcpu)"
-          echo "Physical CPUs: $(sysctl -n hw.physicalcpu)"
-          echo "Total RAM: ${total_ram}"
-          echo "Disk usage:"
-          df -h .
-      - name: Install Linux bwrap build dependencies
-        if: ${{ runner.os == 'Linux' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          sudo apt-get update -y
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
-      - name: Install UBSan runtime (musl)
-        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
-          fi
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@1.90
         with:
           targets: ${{ matrix.target }}
 
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Use hermetic Cargo home (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          cargo_home="${GITHUB_WORKSPACE}/.cargo-home"
-          mkdir -p "${cargo_home}/bin"
-          echo "CARGO_HOME=${cargo_home}" >> "$GITHUB_ENV"
-          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
-          : > "${cargo_home}/config.toml"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Install Zig
-        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
+      - uses: actions/cache@v5
         with:
-          version: 0.14.0
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            ${{ github.workspace }}/codex-rs/target/
+          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-release-${{ hashFiles('**/Cargo.lock') }}
 
       - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
         name: Install musl build tools
-        env:
-          TARGET: ${{ matrix.target }}
-        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Configure rustc UBSan wrapper (musl host)
-        shell: bash
         run: |
-          set -euo pipefail
-          ubsan=""
-          if command -v ldconfig >/dev/null 2>&1; then
-            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
-          fi
-          wrapper_root="${RUNNER_TEMP:-/tmp}"
-          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
-          cat > "${wrapper}" <<EOF
-          #!/usr/bin/env bash
-          set -euo pipefail
-          if [[ -n "${ubsan}" ]]; then
-            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
-          fi
-          exec "\$1" "\${@:2}"
-          EOF
-          chmod +x "${wrapper}"
-          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
-          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Clear sanitizer flags (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Avoid problematic aws-lc jitter entropy code path on musl builders.
-          echo "AWS_LC_SYS_NO_JITTER_ENTROPY=1" >> "$GITHUB_ENV"
-          target_no_jitter="AWS_LC_SYS_NO_JITTER_ENTROPY_${{ matrix.target }}"
-          target_no_jitter="${target_no_jitter//-/_}"
-          echo "${target_no_jitter}=1" >> "$GITHUB_ENV"
-
-          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
-          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
-          # Override any runner-level Cargo config rustflags as well.
-          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-
-          sanitize_flags() {
-            local input="$1"
-            input="${input//-fsanitize=undefined/}"
-            input="${input//-fno-sanitize-recover=undefined/}"
-            input="${input//-fno-sanitize-trap=undefined/}"
-            echo "$input"
-          }
-
-          cflags="$(sanitize_flags "${CFLAGS-}")"
-          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
-          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
-          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
-        name: Configure musl rusty_v8 artifact overrides
-        env:
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          version="$(python3 "${GITHUB_WORKSPACE}/.github/scripts/rusty_v8_bazel.py" resolved-v8-crate-version)"
-          release_tag="rusty-v8-v${version}"
-          base_url="https://github.com/openai/codex/releases/download/${release_tag}"
-          archive="https://github.com/openai/codex/releases/download/rusty-v8-v${version}/librusty_v8_release_${TARGET}.a.gz"
-          binding_dir="${RUNNER_TEMP}/rusty_v8"
-          binding_path="${binding_dir}/src_binding_release_${TARGET}.rs"
-          mkdir -p "${binding_dir}"
-          curl -fsSL "${base_url}/src_binding_release_${TARGET}.rs" -o "${binding_path}"
-          echo "RUSTY_V8_ARCHIVE=${archive}" >> "$GITHUB_ENV"
-          echo "RUSTY_V8_SRC_BINDING_PATH=${binding_path}" >> "$GITHUB_ENV"
+          sudo apt-get update
+          sudo apt-get install -y musl-tools pkg-config
 
       - name: Cargo build
         shell: bash
         run: |
-          echo "CARGO_PROFILE_RELEASE_LTO: ${CARGO_PROFILE_RELEASE_LTO}"
-          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy
-
-      - name: Upload Cargo timings
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: cargo-timings-rust-release-${{ matrix.target }}
-          path: codex-rs/target/**/cargo-timings/cargo-timing.html
-          if-no-files-found: warn
+          if [[ "${{ contains(matrix.target, 'windows') }}" == 'true' ]]; then
+            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy --bin codex-windows-sandbox-setup --bin codex-command-runner
+          else
+            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
+          fi
 
       - if: ${{ contains(matrix.target, 'linux') }}
         name: Cosign Linux artifacts
@@ -248,6 +116,18 @@ jobs:
           target: ${{ matrix.target }}
           artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
 
+      - if: ${{ contains(matrix.target, 'windows') }}
+        name: Sign Windows binaries with Azure Trusted Signing
+        uses: ./.github/actions/windows-code-sign
+        with:
+          target: ${{ matrix.target }}
+          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
+          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+
       - if: ${{ runner.os == 'macOS' }}
         name: MacOS code signing (binaries)
         uses: ./.github/actions/macos-code-sign
@@ -326,8 +206,15 @@ jobs:
           dest="dist/${{ matrix.target }}"
           mkdir -p "$dest"
 
-          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
+          if [[ "${{ matrix.runner }}" == windows* ]]; then
+            cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
+            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
+          else
+            cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
+          fi
 
           if [[ "${{ matrix.target }}" == *linux* ]]; then
             cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
@@ -338,6 +225,11 @@ jobs:
             cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
           fi
 
+      - if: ${{ matrix.runner == 'windows-11-arm' }}
+        name: Install zstd
+        shell: powershell
+        run: choco install -y zstandard
+
       - name: Compress artifacts
         shell: bash
         run: |
@@ -345,11 +237,21 @@ jobs:
           # ${{ matrix.target }}
           dest="dist/${{ matrix.target }}"
 
+          # We want to ship the raw Windows executables in the GitHub Release
+          # in addition to the compressed archives. Keep the originals for
+          # Windows targets; remove them elsewhere to limit the number of
+          # artifacts that end up in the GitHub Release.
+          keep_originals=false
+          if [[ "${{ matrix.runner }}" == windows* ]]; then
+            keep_originals=true
+          fi
+
           # For compatibility with environments that lack the `zstd` tool we
-          # additionally create a `.tar.gz` alongside every binary we publish.
-          # The end result is:
+          # additionally create a `.tar.gz` for all platforms and `.zip` for
+          # Windows alongside every single binary that we publish. The end result is:
           #   codex-<target>.zst          (existing)
           #   codex-<target>.tar.gz       (new)
+          #   codex-<target>.zip          (only for Windows)
 
           # 1. Produce a .tar.gz for every file in the directory *before* we
           #    run `zstd --rm`, because that flag deletes the original files.
@@ -369,12 +271,23 @@ jobs:
             # Create per-binary tar.gz
             tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
 
-            # Also create .zst and remove the uncompressed binaries to keep
-            # non-Windows artifact directories small.
-            zstd -T0 -19 --rm "$dest/$base"
+            # Create zip archive for Windows binaries
+            # Must run from inside the dest dir so 7z won't
+            # embed the directory path inside the zip.
+            if [[ "${{ matrix.runner }}" == windows* ]]; then
+              (cd "$dest" && 7z a "${base}.zip" "$base")
+            fi
+
+            # Also create .zst (existing behaviour) *and* remove the original
+            # uncompressed binary to keep the directory small.
+            zstd_args=(-T0 -19)
+            if [[ "${keep_originals}" == false ]]; then
+              zstd_args+=(--rm)
+            fi
+            zstd "${zstd_args[@]}" "$dest/$base"
           done
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@v6
         with:
           name: ${{ matrix.target }}
           # Upload the per-binary .zst files as well as the new .tar.gz
@@ -382,31 +295,19 @@ jobs:
           path: |
             codex-rs/dist/${{ matrix.target }}/*
 
-  build-windows:
+  shell-tool-mcp:
+    name: shell-tool-mcp
     needs: tag-check
-    uses: ./.github/workflows/rust-release-windows.yml
-    with:
-      release-lto: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}
-    secrets: inherit
-
-  argument-comment-lint-release-assets:
-    name: argument-comment-lint release assets
-    needs: tag-check
-    uses: ./.github/workflows/rust-release-argument-comment-lint.yml
+    uses: ./.github/workflows/shell-tool-mcp.yml
     with:
+      release-tag: ${{ github.ref_name }}
       publish: true
-
-  zsh-release-assets:
-    name: zsh release assets
-    needs: tag-check
-    uses: ./.github/workflows/rust-release-zsh.yml
+    secrets: inherit
 
   release:
     needs:
       - build
-      - build-windows
-      - argument-comment-lint-release-assets
-      - zsh-release-assets
+      - shell-tool-mcp
     name: release
     runs-on: ubuntu-latest
     permissions:
@@ -420,7 +321,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
 
       - name: Generate release notes from tag commit message
         id: release_notes
@@ -442,28 +343,21 @@ jobs:
 
           echo "path=${notes_path}" >> "${GITHUB_OUTPUT}"
 
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@v7
         with:
           path: dist
 
       - name: List
         run: ls -R dist/
 
+      # This is a temporary fix: we should modify shell-tool-mcp.yml so these
+      # files do not end up in dist/ in the first place.
       - name: Delete entries from dist/ that should not go in the release
         run: |
-          rm -rf dist/windows-binaries*
-          # cargo-timing.html appears under multiple target-specific directories.
-          # If included in files: dist/**, release upload races on duplicate
-          # asset names and can fail with 404s.
-          find dist -type f -name 'cargo-timing.html' -delete
-          find dist -type d -empty -delete
+          rm -rf dist/shell-tool-mcp*
 
           ls -R dist/
 
-      - name: Add config schema release asset
-        run: |
-          cp codex-rs/core/config.schema.json dist/config-schema.json
-
       - name: Define release name
         id: release_name
         run: |
@@ -492,12 +386,12 @@ jobs:
           fi
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
+        uses: pnpm/action-setup@v4
         with:
           run_install: false
 
       - name: Setup Node.js for npm packaging
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@v6
         with:
           node-version: 22
 
@@ -505,25 +399,19 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       # stage_npm_packages.py requires DotSlash when staging releases.
-      - uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
+      - uses: facebook/install-dotslash@v2
       - name: Stage npm packages
         env:
           GH_TOKEN: ${{ github.token }}
-          RELEASE_VERSION: ${{ steps.release_name.outputs.name }}
         run: |
           ./scripts/stage_npm_packages.py \
-            --release-version "$RELEASE_VERSION" \
+            --release-version "${{ steps.release_name.outputs.name }}" \
             --package codex \
             --package codex-responses-api-proxy \
             --package codex-sdk
 
-      - name: Stage installer scripts
-        run: |
-          cp scripts/install/install.sh dist/install.sh
-          cp scripts/install/install.ps1 dist/install.ps1
-
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
+        uses: softprops/action-gh-release@v2
         with:
           name: ${{ steps.release_name.outputs.name }}
           tag_name: ${{ github.ref_name }}
@@ -533,40 +421,13 @@ jobs:
           # (e.g. -alpha, -beta). Otherwise publish a normal release.
           prerelease: ${{ contains(steps.release_name.outputs.name, '-') }}
 
-      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
+      - uses: facebook/dotslash-publish-release@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag: ${{ github.ref_name }}
           config: .github/dotslash-config.json
 
-      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag: ${{ github.ref_name }}
-          config: .github/dotslash-zsh-config.json
-
-      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag: ${{ github.ref_name }}
-          config: .github/dotslash-argument-comment-lint-config.json
-
-      - name: Trigger developers.openai.com deploy
-        # Only trigger the deploy if the release is not a pre-release.
-        # The deploy is used to update the developers.openai.com website with the new config schema json file.
-        if: ${{ !contains(steps.release_name.outputs.name, '-') }}
-        continue-on-error: true
-        env:
-          DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL: ${{ secrets.DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL }}
-        run: |
-          if ! curl -sS -f -o /dev/null -X POST "$DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL"; then
-            echo "::warning title=developers.openai.com deploy hook failed::Vercel deploy hook POST failed for ${GITHUB_REF_NAME}"
-            exit 1
-          fi
-
   # Publish to npm using OIDC authentication.
   # July 31, 2025: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
   # npm docs: https://docs.npmjs.com/trusted-publishers
@@ -582,7 +443,7 @@ jobs:
 
     steps:
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           registry-url: "https://registry.npmjs.org"
@@ -595,27 +456,23 @@ jobs:
       - name: Download npm tarballs from release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          RELEASE_TAG: ${{ needs.release.outputs.tag }}
-          RELEASE_VERSION: ${{ needs.release.outputs.version }}
         run: |
           set -euo pipefail
-          version="$RELEASE_VERSION"
-          tag="$RELEASE_TAG"
+          version="${{ needs.release.outputs.version }}"
+          tag="${{ needs.release.outputs.tag }}"
           mkdir -p dist/npm
-          patterns=(
-            "codex-npm-${version}.tgz"
-            "codex-npm-linux-*-${version}.tgz"
-            "codex-npm-darwin-*-${version}.tgz"
-            "codex-npm-win32-*-${version}.tgz"
-            "codex-responses-api-proxy-npm-${version}.tgz"
-            "codex-sdk-npm-${version}.tgz"
-          )
-          for pattern in "${patterns[@]}"; do
-            gh release download "$tag" \
-              --repo "${GITHUB_REPOSITORY}" \
-              --pattern "$pattern" \
-              --dir dist/npm
-          done
+          gh release download "$tag" \
+            --repo "${GITHUB_REPOSITORY}" \
+            --pattern "codex-npm-${version}.tgz" \
+            --dir dist/npm
+          gh release download "$tag" \
+            --repo "${GITHUB_REPOSITORY}" \
+            --pattern "codex-responses-api-proxy-npm-${version}.tgz" \
+            --dir dist/npm
+          gh release download "$tag" \
+            --repo "${GITHUB_REPOSITORY}" \
+            --pattern "codex-sdk-npm-${version}.tgz" \
+            --dir dist/npm
 
       # No NODE_AUTH_TOKEN needed because we use OIDC.
       - name: Publish to npm
@@ -624,84 +481,21 @@ jobs:
           NPM_TAG: ${{ needs.release.outputs.npm_tag }}
         run: |
           set -euo pipefail
-          prefix=""
+          tag_args=()
           if [[ -n "${NPM_TAG}" ]]; then
-            prefix="${NPM_TAG}-"
+            tag_args+=(--tag "${NPM_TAG}")
           fi
 
-          shopt -s nullglob
-          tarballs=(dist/npm/*-"${VERSION}".tgz)
-          if [[ ${#tarballs[@]} -eq 0 ]]; then
-            echo "No npm tarballs found in dist/npm for version ${VERSION}"
-            exit 1
-          fi
+          tarballs=(
+            "codex-npm-${VERSION}.tgz"
+            "codex-responses-api-proxy-npm-${VERSION}.tgz"
+            "codex-sdk-npm-${VERSION}.tgz"
+          )
 
           for tarball in "${tarballs[@]}"; do
-            filename="$(basename "${tarball}")"
-            tag=""
-
-            case "${filename}" in
-              codex-npm-linux-*-"${VERSION}".tgz|codex-npm-darwin-*-"${VERSION}".tgz|codex-npm-win32-*-"${VERSION}".tgz)
-                platform="${filename#codex-npm-}"
-                platform="${platform%-${VERSION}.tgz}"
-                tag="${prefix}${platform}"
-                ;;
-              codex-npm-"${VERSION}".tgz|codex-responses-api-proxy-npm-"${VERSION}".tgz|codex-sdk-npm-"${VERSION}".tgz)
-                tag="${NPM_TAG}"
-                ;;
-              *)
-                echo "Unexpected npm tarball: ${filename}"
-                exit 1
-                ;;
-            esac
-
-            publish_cmd=(npm publish "${GITHUB_WORKSPACE}/${tarball}")
-            if [[ -n "${tag}" ]]; then
-              publish_cmd+=(--tag "${tag}")
-            fi
-
-            echo "+ ${publish_cmd[*]}"
-            set +e
-            publish_output="$("${publish_cmd[@]}" 2>&1)"
-            publish_status=$?
-            set -e
-
-            echo "${publish_output}"
-            if [[ ${publish_status} -eq 0 ]]; then
-              continue
-            fi
-
-            if grep -qiE "previously published|cannot publish over|version already exists" <<< "${publish_output}"; then
-              echo "Skipping already-published package version for ${filename}"
-              continue
-            fi
-
-            exit "${publish_status}"
+            npm publish "${GITHUB_WORKSPACE}/dist/npm/${tarball}" "${tag_args[@]}"
           done
 
-  winget:
-    name: winget
-    needs: release
-    # Only publish stable/mainline releases to WinGet; pre-releases include a
-    # '-' in the semver string (e.g., 1.2.3-alpha.1).
-    if: ${{ !contains(needs.release.outputs.version, '-') }}
-    # This job only invokes a GitHub Action to open/update the winget-pkgs PR;
-    # it does not execute Windows-only tooling, so Linux is sufficient.
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Publish to WinGet
-        uses: vedantmgoyal9/winget-releaser@7bd472be23763def6e16bd06cc8b1cdfab0e2fd5
-        with:
-          identifier: OpenAI.Codex
-          version: ${{ needs.release.outputs.version }}
-          release-tag: ${{ needs.release.outputs.tag }}
-          fork-user: openai-oss-forks
-          installers-regex: '^codex-(?:x86_64|aarch64)-pc-windows-msvc\.exe\.zip$'
-          token: ${{ secrets.WINGET_PUBLISH_PAT }}
-
   update-branch:
     name: Update latest-alpha-cli branch
     permissions:

.github/workflows/rusty-v8-release.yml

@@ -1,188 +0,0 @@
-name: rusty-v8-release
-
-on:
-  workflow_dispatch:
-    inputs:
-      release_tag:
-        description: Optional release tag. Defaults to rusty-v8-v<resolved_v8_version>.
-        required: false
-        type: string
-      publish:
-        description: Publish the staged musl artifacts to a GitHub release.
-        required: false
-        default: true
-        type: boolean
-
-concurrency:
-  group: ${{ github.workflow }}::${{ inputs.release_tag || github.run_id }}
-  cancel-in-progress: false
-
-jobs:
-  metadata:
-    runs-on: ubuntu-latest
-    outputs:
-      release_tag: ${{ steps.release_tag.outputs.release_tag }}
-      v8_version: ${{ steps.v8_version.outputs.version }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-        with:
-          python-version: "3.12"
-
-      - name: Resolve exact v8 crate version
-        id: v8_version
-        shell: bash
-        run: |
-          set -euo pipefail
-          version="$(python3 .github/scripts/rusty_v8_bazel.py resolved-v8-crate-version)"
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-
-      - name: Resolve release tag
-        id: release_tag
-        env:
-          RELEASE_TAG_INPUT: ${{ inputs.release_tag }}
-          V8_VERSION: ${{ steps.v8_version.outputs.version }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          release_tag="${RELEASE_TAG_INPUT}"
-          if [[ -z "${release_tag}" ]]; then
-            release_tag="rusty-v8-v${V8_VERSION}"
-          fi
-
-          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
-
-  build:
-    name: Build ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-      actions: read
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            platform: linux_amd64_musl
-            target: x86_64-unknown-linux-musl
-          - runner: ubuntu-24.04-arm
-            platform: linux_arm64_musl
-            target: aarch64-unknown-linux-musl
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Bazel
-        uses: bazelbuild/setup-bazelisk@6ecf4fd8b7d1f9721785f1dd656a689acf9add47 # v3
-
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-        with:
-          python-version: "3.12"
-
-      - name: Build Bazel V8 release pair
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-          PLATFORM: ${{ matrix.platform }}
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          target_suffix="${TARGET//-/_}"
-          pair_target="//third_party/v8:rusty_v8_release_pair_${target_suffix}"
-          extra_targets=()
-          if [[ "${TARGET}" == *-unknown-linux-musl ]]; then
-            extra_targets=(
-              "@llvm//runtimes/libcxx:libcxx.static"
-              "@llvm//runtimes/libcxx:libcxxabi.static"
-            )
-          fi
-
-          bazel_args=(
-            build
-            -c
-            opt
-            "--platforms=@llvm//platforms:${PLATFORM}"
-            "${pair_target}"
-            "${extra_targets[@]}"
-            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
-          )
-
-          bazel \
-            --noexperimental_remote_repo_contents_cache \
-            "${bazel_args[@]}" \
-            --config=ci-v8 \
-            "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
-
-      - name: Stage release pair
-        env:
-          PLATFORM: ${{ matrix.platform }}
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          python3 .github/scripts/rusty_v8_bazel.py stage-release-pair \
-            --platform "${PLATFORM}" \
-            --target "${TARGET}" \
-            --compilation-mode opt \
-            --output-dir "dist/${TARGET}"
-
-      - name: Upload staged musl artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: rusty-v8-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
-          path: dist/${{ matrix.target }}/*
-
-  publish-release:
-    if: ${{ inputs.publish }}
-    needs:
-      - metadata
-      - build
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      actions: read
-
-    steps:
-      - name: Ensure publishing from default branch
-        if: ${{ github.ref_name != github.event.repository.default_branch }}
-        env:
-          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "Publishing is only allowed from ${DEFAULT_BRANCH}; current ref is ${GITHUB_REF_NAME}." >&2
-          exit 1
-
-      - name: Ensure release tag is new
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_TAG: ${{ needs.metadata.outputs.release_tag }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          if gh release view "${RELEASE_TAG}" --repo "${GITHUB_REPOSITORY}" > /dev/null 2>&1; then
-            echo "Release tag ${RELEASE_TAG} already exists; musl artifact tags are immutable." >&2
-            exit 1
-          fi
-
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          path: dist
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
-        with:
-          tag_name: ${{ needs.metadata.outputs.release_tag }}
-          name: ${{ needs.metadata.outputs.release_tag }}
-          files: dist/**
-          # Keep V8 artifact releases out of Codex's normal "latest release" channel.
-          prerelease: true

.github/workflows/sdk.yml

@@ -7,98 +7,28 @@ on:
 
 jobs:
   sdks:
-    runs-on:
-      group: codex-runners
-      labels: codex-linux-x64
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Install Linux bwrap build dependencies
-        shell: bash
-        run: |
-          set -euo pipefail
-          sudo apt-get update -y
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
+        uses: pnpm/action-setup@v4
         with:
           run_install: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: pnpm
 
-      - name: Set up Bazel CI
-        id: setup_bazel
-        uses: ./.github/actions/setup-bazel-ci
-        with:
-          target: x86_64-unknown-linux-gnu
+      - uses: dtolnay/rust-toolchain@1.90
 
-      - name: Build codex with Bazel
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Use the shared CI wrapper so fork PRs fall back cleanly when
-          # BuildBuddy credentials are unavailable. This workflow needs the
-          # built `codex` binary on disk afterwards, so ask the wrapper to
-          # override CI's default remote_download_minimal behavior.
-          ./.github/scripts/run-bazel-ci.sh \
-            --remote-download-toplevel \
-            -- \
-            build \
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
-            --build_metadata=TAG_job=sdk \
-            -- \
-            //codex-rs/cli:codex
-
-          # Resolve the exact output file using the same wrapper/config path as
-          # the build instead of guessing which Bazel convenience symlink is
-          # available on the runner.
-          cquery_output="$(
-            ./.github/scripts/run-bazel-ci.sh \
-              -- \
-              cquery \
-              --output=files \
-              -- \
-              //codex-rs/cli:codex \
-              | grep -E '^(/|bazel-out/)' \
-              | tail -n 1
-          )"
-          if [[ "${cquery_output}" = /* ]]; then
-            codex_bazel_output_path="${cquery_output}"
-          else
-            codex_bazel_output_path="${GITHUB_WORKSPACE}/${cquery_output}"
-          fi
-          if [[ -z "${codex_bazel_output_path}" ]]; then
-            echo "Bazel did not report an output path for //codex-rs/cli:codex." >&2
-            exit 1
-          fi
-          if [[ ! -e "${codex_bazel_output_path}" ]]; then
-            echo "Unable to locate the Bazel-built codex binary at ${codex_bazel_output_path}." >&2
-            exit 1
-          fi
-
-          # Stage the binary into the workspace and point the SDK tests at that
-          # stable path. The tests spawn `codex` directly many times, so using a
-          # normal executable path is more reliable than invoking Bazel for each
-          # test process.
-          install_dir="${GITHUB_WORKSPACE}/.tmp/sdk-ci"
-          mkdir -p "${install_dir}"
-          install -m 755 "${codex_bazel_output_path}" "${install_dir}/codex"
-          echo "CODEX_EXEC_PATH=${install_dir}/codex" >> "$GITHUB_ENV"
-
-      - name: Warm up Bazel-built codex
-        shell: bash
-        run: |
-          set -euo pipefail
-          "${CODEX_EXEC_PATH}" --version
+      - name: build codex
+        run: cargo build --bin codex
+        working-directory: codex-rs
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -111,12 +41,3 @@ jobs:
 
       - name: Test SDK packages
         run: pnpm -r --filter ./sdk/typescript run test
-
-      - name: Save bazel repository cache
-        if: always() && !cancelled() && steps.setup_bazel.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cache/bazel-repo-cache
-          key: bazel-cache-x86_64-unknown-linux-gnu-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}

.github/workflows/shell-tool-mcp-ci.yml

@@ -0,0 +1,48 @@
+name: shell-tool-mcp CI
+
+on:
+  push:
+    paths:
+      - "shell-tool-mcp/**"
+      - ".github/workflows/shell-tool-mcp-ci.yml"
+      - "pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+  pull_request:
+    paths:
+      - "shell-tool-mcp/**"
+      - ".github/workflows/shell-tool-mcp-ci.yml"
+      - "pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+
+env:
+  NODE_VERSION: 22
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Format check
+        run: pnpm --filter @openai/codex-shell-tool-mcp run format
+
+      - name: Run tests
+        run: pnpm --filter @openai/codex-shell-tool-mcp test
+
+      - name: Build
+        run: pnpm --filter @openai/codex-shell-tool-mcp run build

.github/workflows/shell-tool-mcp.yml

@@ -0,0 +1,405 @@
+name: shell-tool-mcp
+
+on:
+  workflow_call:
+    inputs:
+      release-version:
+        description: Version to publish (x.y.z or x.y.z-alpha.N). Defaults to GITHUB_REF_NAME when it starts with rust-v.
+        required: false
+        type: string
+      release-tag:
+        description: Tag name to use when downloading release artifacts (defaults to rust-v<version>).
+        required: false
+        type: string
+      publish:
+        description: Whether to publish to npm when the version is releasable.
+        required: false
+        default: true
+        type: boolean
+
+env:
+  NODE_VERSION: 22
+
+jobs:
+  metadata:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.compute.outputs.version }}
+      release_tag: ${{ steps.compute.outputs.release_tag }}
+      should_publish: ${{ steps.compute.outputs.should_publish }}
+      npm_tag: ${{ steps.compute.outputs.npm_tag }}
+    steps:
+      - name: Compute version and tags
+        id: compute
+        run: |
+          set -euo pipefail
+
+          version="${{ inputs.release-version }}"
+          release_tag="${{ inputs.release-tag }}"
+
+          if [[ -z "$version" ]]; then
+            if [[ -n "$release_tag" && "$release_tag" =~ ^rust-v.+ ]]; then
+              version="${release_tag#rust-v}"
+            elif [[ "${GITHUB_REF_NAME:-}" =~ ^rust-v.+ ]]; then
+              version="${GITHUB_REF_NAME#rust-v}"
+              release_tag="${GITHUB_REF_NAME}"
+            else
+              echo "release-version is required when GITHUB_REF_NAME is not a rust-v tag."
+              exit 1
+            fi
+          fi
+
+          if [[ -z "$release_tag" ]]; then
+            release_tag="rust-v${version}"
+          fi
+
+          npm_tag=""
+          should_publish="false"
+          if [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            should_publish="true"
+          elif [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
+            should_publish="true"
+            npm_tag="alpha"
+          fi
+
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
+          echo "npm_tag=${npm_tag}" >> "$GITHUB_OUTPUT"
+          echo "should_publish=${should_publish}" >> "$GITHUB_OUTPUT"
+
+  rust-binaries:
+    name: Build Rust - ${{ matrix.target }}
+    needs: metadata
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    defaults:
+      run:
+        working-directory: codex-rs
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-15-xlarge
+            target: aarch64-apple-darwin
+          - runner: macos-15-xlarge
+            target: x86_64-apple-darwin
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            install_musl: true
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            install_musl: true
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - uses: dtolnay/rust-toolchain@1.90
+        with:
+          targets: ${{ matrix.target }}
+
+      - if: ${{ matrix.install_musl }}
+        name: Install musl build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y musl-tools pkg-config
+
+      - name: Build exec server binaries
+        run: cargo build --release --target ${{ matrix.target }} --bin codex-exec-mcp-server --bin codex-execve-wrapper
+
+      - name: Stage exec server binaries
+        run: |
+          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}"
+          mkdir -p "$dest"
+          cp "target/${{ matrix.target }}/release/codex-exec-mcp-server" "$dest/"
+          cp "target/${{ matrix.target }}/release/codex-execve-wrapper" "$dest/"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: shell-tool-mcp-rust-${{ matrix.target }}
+          path: artifacts/**
+          if-no-files-found: error
+
+  bash-linux:
+    name: Build Bash (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
+    needs: metadata
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    container:
+      image: ${{ matrix.image }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: ubuntu:24.04
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: ubuntu-22.04
+            image: ubuntu:22.04
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: debian-12
+            image: debian:12
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: debian-11
+            image: debian:11
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: centos-9
+            image: quay.io/centos/centos:stream9
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: arm64v8/ubuntu:24.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-22.04
+            image: arm64v8/ubuntu:22.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-20.04
+            image: arm64v8/ubuntu:20.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: debian-12
+            image: arm64v8/debian:12
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: debian-11
+            image: arm64v8/debian:11
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: centos-9
+            image: quay.io/centos/centos:stream9
+    steps:
+      - name: Install build prerequisites
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            apt-get update
+            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext
+          elif command -v dnf >/dev/null 2>&1; then
+            dnf install -y git gcc gcc-c++ make bison autoconf gettext
+          elif command -v yum >/dev/null 2>&1; then
+            yum install -y git gcc gcc-c++ make bison autoconf gettext
+          else
+            echo "Unsupported package manager in container"
+            exit 1
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build patched Bash
+        shell: bash
+        run: |
+          set -euo pipefail
+          git clone --depth 1 https://github.com/bminor/bash /tmp/bash
+          cd /tmp/bash
+          git fetch --depth 1 origin a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
+          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
+          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
+          ./configure --without-bash-malloc
+          cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
+          make -j"${cores}"
+
+          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
+          mkdir -p "$dest"
+          cp bash "$dest/bash"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
+          path: artifacts/**
+          if-no-files-found: error
+
+  bash-darwin:
+    name: Build Bash (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
+    needs: metadata
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-15-xlarge
+            target: aarch64-apple-darwin
+            variant: macos-15
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            variant: macos-14
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build patched Bash
+        shell: bash
+        run: |
+          set -euo pipefail
+          git clone --depth 1 https://github.com/bminor/bash /tmp/bash
+          cd /tmp/bash
+          git fetch --depth 1 origin a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
+          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
+          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
+          ./configure --without-bash-malloc
+          cores="$(getconf _NPROCESSORS_ONLN)"
+          make -j"${cores}"
+
+          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
+          mkdir -p "$dest"
+          cp bash "$dest/bash"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
+          path: artifacts/**
+          if-no-files-found: error
+
+  package:
+    name: Package npm module
+    needs:
+      - metadata
+      - rust-binaries
+      - bash-linux
+      - bash-darwin
+    runs-on: ubuntu-latest
+    env:
+      PACKAGE_VERSION: ${{ needs.metadata.outputs.version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.8.1
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Install JavaScript dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build (shell-tool-mcp)
+        run: pnpm --filter @openai/codex-shell-tool-mcp run build
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v7
+        with:
+          path: artifacts
+
+      - name: Assemble staging directory
+        id: staging
+        shell: bash
+        run: |
+          set -euo pipefail
+          staging="${STAGING_DIR}"
+          mkdir -p "$staging" "$staging/vendor"
+          cp shell-tool-mcp/README.md "$staging/"
+          cp shell-tool-mcp/package.json "$staging/"
+          cp -R shell-tool-mcp/bin "$staging/"
+
+          found_vendor="false"
+          shopt -s nullglob
+          for vendor_dir in artifacts/*/vendor; do
+            rsync -av "$vendor_dir/" "$staging/vendor/"
+            found_vendor="true"
+          done
+          if [[ "$found_vendor" == "false" ]]; then
+            echo "No vendor payloads were downloaded."
+            exit 1
+          fi
+
+          node - <<'NODE'
+            import fs from "node:fs";
+            import path from "node:path";
+
+            const stagingDir = process.env.STAGING_DIR;
+            const version = process.env.PACKAGE_VERSION;
+            const pkgPath = path.join(stagingDir, "package.json");
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+            pkg.version = version;
+            fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n");
+          NODE
+
+          echo "dir=$staging" >> "$GITHUB_OUTPUT"
+        env:
+          STAGING_DIR: ${{ runner.temp }}/shell-tool-mcp
+
+      - name: Ensure binaries are executable
+        run: |
+          set -euo pipefail
+          staging="${{ steps.staging.outputs.dir }}"
+          chmod +x \
+            "$staging"/vendor/*/codex-exec-mcp-server \
+            "$staging"/vendor/*/codex-execve-wrapper \
+            "$staging"/vendor/*/bash/*/bash
+
+      - name: Create npm tarball
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p dist/npm
+          staging="${{ steps.staging.outputs.dir }}"
+          pack_info=$(cd "$staging" && npm pack --ignore-scripts --json --pack-destination "${GITHUB_WORKSPACE}/dist/npm")
+          filename=$(PACK_INFO="$pack_info" node -e 'const data = JSON.parse(process.env.PACK_INFO); console.log(data[0].filename);')
+          mv "dist/npm/${filename}" "dist/npm/codex-shell-tool-mcp-npm-${PACKAGE_VERSION}.tgz"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: codex-shell-tool-mcp-npm
+          path: dist/npm/codex-shell-tool-mcp-npm-${{ env.PACKAGE_VERSION }}.tgz
+          if-no-files-found: error
+
+  publish:
+    name: Publish npm package
+    needs:
+      - metadata
+      - package
+    if: ${{ inputs.publish && needs.metadata.outputs.should_publish == 'true' }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.8.1
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          registry-url: https://registry.npmjs.org
+          scope: "@openai"
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
+      - name: Download npm tarball
+        uses: actions/download-artifact@v7
+        with:
+          name: codex-shell-tool-mcp-npm
+          path: dist/npm
+
+      - name: Publish to npm
+        env:
+          NPM_TAG: ${{ needs.metadata.outputs.npm_tag }}
+          VERSION: ${{ needs.metadata.outputs.version }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          tag_args=()
+          if [[ -n "${NPM_TAG}" ]]; then
+            tag_args+=(--tag "${NPM_TAG}")
+          fi
+          npm publish "dist/npm/codex-shell-tool-mcp-npm-${VERSION}.tgz" "${tag_args[@]}"

.github/workflows/v8-canary.yml

@@ -1,132 +0,0 @@
-name: v8-canary
-
-on:
-  pull_request:
-    paths:
-      - ".github/scripts/rusty_v8_bazel.py"
-      - ".github/workflows/rusty-v8-release.yml"
-      - ".github/workflows/v8-canary.yml"
-      - "MODULE.bazel"
-      - "MODULE.bazel.lock"
-      - "codex-rs/Cargo.toml"
-      - "patches/BUILD.bazel"
-      - "patches/v8_*.patch"
-      - "third_party/v8/**"
-  push:
-    branches:
-      - main
-    paths:
-      - ".github/scripts/rusty_v8_bazel.py"
-      - ".github/workflows/rusty-v8-release.yml"
-      - ".github/workflows/v8-canary.yml"
-      - "MODULE.bazel"
-      - "MODULE.bazel.lock"
-      - "codex-rs/Cargo.toml"
-      - "patches/BUILD.bazel"
-      - "patches/v8_*.patch"
-      - "third_party/v8/**"
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}::${{ github.event.pull_request.number > 0 && format('pr-{0}', github.event.pull_request.number) || github.ref_name }}
-  cancel-in-progress: ${{ github.ref_name != 'main' }}
-
-jobs:
-  metadata:
-    runs-on: ubuntu-latest
-    outputs:
-      v8_version: ${{ steps.v8_version.outputs.version }}
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-        with:
-          python-version: "3.12"
-
-      - name: Resolve exact v8 crate version
-        id: v8_version
-        shell: bash
-        run: |
-          set -euo pipefail
-          version="$(python3 .github/scripts/rusty_v8_bazel.py resolved-v8-crate-version)"
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-
-  build:
-    name: Build ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-      actions: read
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            platform: linux_amd64_musl
-            target: x86_64-unknown-linux-musl
-          - runner: ubuntu-24.04-arm
-            platform: linux_arm64_musl
-            target: aarch64-unknown-linux-musl
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Bazel
-        uses: bazelbuild/setup-bazelisk@6ecf4fd8b7d1f9721785f1dd656a689acf9add47 # v3
-
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-        with:
-          python-version: "3.12"
-
-      - name: Build Bazel V8 release pair
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-          PLATFORM: ${{ matrix.platform }}
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          target_suffix="${TARGET//-/_}"
-          pair_target="//third_party/v8:rusty_v8_release_pair_${target_suffix}"
-          extra_targets=(
-            "@llvm//runtimes/libcxx:libcxx.static"
-            "@llvm//runtimes/libcxx:libcxxabi.static"
-          )
-
-          bazel_args=(
-            build
-            "--platforms=@llvm//platforms:${PLATFORM}"
-            "${pair_target}"
-            "${extra_targets[@]}"
-            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
-          )
-
-          bazel \
-            --noexperimental_remote_repo_contents_cache \
-            "${bazel_args[@]}" \
-            --config=ci-v8 \
-            "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
-
-      - name: Stage release pair
-        env:
-          PLATFORM: ${{ matrix.platform }}
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          python3 .github/scripts/rusty_v8_bazel.py stage-release-pair \
-            --platform "${PLATFORM}" \
-            --target "${TARGET}" \
-            --output-dir "dist/${TARGET}"
-
-      - name: Upload staged musl artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: v8-canary-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
-          path: dist/${{ matrix.target }}/*

.github/workflows/zstd

@@ -1,46 +0,0 @@
-#!/usr/bin/env dotslash
-
-// This DotSlash file wraps zstd for Windows runners.
-// The upstream release provides win32/win64 binaries; for windows-aarch64 we
-// use the win64 artifact via Windows x64 emulation.
-{
-  "name": "zstd",
-  "platforms": {
-    "windows-x86_64": {
-      "size": 1747181,
-      "hash": "sha256",
-      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
-      "format": "zip",
-      "path": "zstd-v1.5.7-win64/zstd.exe",
-      "providers": [
-        {
-          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
-        },
-        {
-          "type": "github-release",
-          "repo": "facebook/zstd",
-          "tag": "v1.5.7",
-          "name": "zstd-v1.5.7-win64.zip"
-        }
-      ]
-    },
-    "windows-aarch64": {
-      "size": 1747181,
-      "hash": "sha256",
-      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
-      "format": "zip",
-      "path": "zstd-v1.5.7-win64/zstd.exe",
-      "providers": [
-        {
-          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
-        },
-        {
-          "type": "github-release",
-          "repo": "facebook/zstd",
-          "tag": "v1.5.7",
-          "name": "zstd-v1.5.7-win64.zip"
-        }
-      ]
-    }
-  }
-}

.gitignore

@@ -9,8 +9,6 @@ node_modules
 
 # build
 dist/
-bazel-*
-user.bazelrc
 build/
 out/
 storybook-static/

.markdownlint-cli2.yaml

@@ -1,6 +0,0 @@
-config:
-  MD013:
-    line_length: 100
-
-globs:
-  - "docs/tui-chat-composer.md"

.vscode/settings.json

@@ -1,7 +1,7 @@
 {
     "rust-analyzer.checkOnSave": true,
     "rust-analyzer.check.command": "clippy",
-    "rust-analyzer.check.extraArgs": ["--tests"],
+    "rust-analyzer.check.extraArgs": ["--all-features", "--tests"],
     "rust-analyzer.rustfmt.extraArgs": ["--config", "imports_granularity=Item"],
     "rust-analyzer.cargo.targetDir": "${workspaceFolder}/codex-rs/target/rust-analyzer",
     "[rust]": {

AGENTS.md

@@ -11,58 +11,14 @@ In the codex-rs folder where the rust code lives:
 - Always collapse if statements per https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
 - Always inline format! args when possible per https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
 - Use method references over closures when possible per https://rust-lang.github.io/rust-clippy/master/index.html#redundant_closure_for_method_calls
-- Avoid bool or ambiguous `Option` parameters that force callers to write hard-to-read code such as `foo(false)` or `bar(None)`. Prefer enums, named methods, newtypes, or other idiomatic Rust API shapes when they keep the callsite self-documenting.
-- When you cannot make that API change and still need a small positional-literal callsite in Rust, follow the `argument_comment_lint` convention:
-  - Use an exact `/*param_name*/` comment before opaque literal arguments such as `None`, booleans, and numeric literals when passing them by position.
-  - Do not add these comments for string or char literals unless the comment adds real clarity; those literals are intentionally exempt from the lint.
-  - The parameter name in the comment must exactly match the callee signature.
-  - You can run `just argument-comment-lint` to run the lint check locally. This is powered by Bazel, so running it the first time can be slow if Bazel is not warmed up, though incremental invocations should take <15s. Most of the time, it is best to update the PR and let CI take responsibility for checking this (or run it asynchronously in the background after submitting the PR). Note CI checks all three platforms, which the local run does not.
-- When possible, make `match` statements exhaustive and avoid wildcard arms.
-- Newly added traits should include doc comments that explain their role and how implementations are expected to use them.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
 - When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
-- If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
-- If you change Rust dependencies (`Cargo.toml` or `Cargo.lock`), run `just bazel-lock-update` from the
-  repo root to refresh `MODULE.bazel.lock`, and include that lockfile update in the same change.
-- After dependency changes, run `just bazel-lock-check` from the repo root so lockfile drift is caught
-  locally before CI.
-- Bazel does not automatically make source-tree files available to compile-time Rust file access. If
-  you add `include_str!`, `include_bytes!`, `sqlx::migrate!`, or similar build-time file or
-  directory reads, update the crate's `BUILD.bazel` (`compile_data`, `build_script_data`, or test
-  data) or Bazel may fail even when Cargo passes.
-- Do not create small helper methods that are referenced only once.
-- Avoid large modules:
-  - Prefer adding new modules instead of growing existing ones.
-  - Target Rust modules under 500 LoC, excluding tests.
-  - If a file exceeds roughly 800 LoC, add new functionality in a new module instead of extending
-    the existing file unless there is a strong documented reason not to.
-  - This rule applies especially to high-touch files that already attract unrelated changes, such
-    as `codex-rs/tui/src/app.rs`, `codex-rs/tui/src/bottom_pane/chat_composer.rs`,
-    `codex-rs/tui/src/bottom_pane/footer.rs`, `codex-rs/tui/src/chatwidget.rs`,
-    `codex-rs/tui/src/bottom_pane/mod.rs`, and similarly central orchestration modules.
-  - When extracting code from a large module, move the related tests and module/type docs toward
-    the new implementation so the invariants stay close to the code that owns them.
-- When running Rust commands (e.g. `just fix` or `cargo test`) be patient with the command and never try to kill them using the PID. Rust lock can make the execution slow, this is expected.
 
-Run `just fmt` (in `codex-rs` directory) automatically after you have finished making Rust code changes; do not ask for approval to run it. Additionally, run the tests:
+Run `just fmt` (in `codex-rs` directory) automatically after making Rust code changes; do not ask for approval to run it. Before finalizing a change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates. Additionally, run the tests:
 
 1. Run the test for the specific project that was changed. For example, if changes were made in `codex-rs/tui`, run `cargo test -p codex-tui`.
-2. Once those pass, if any changes were made in common, core, or protocol, run the complete test suite with `cargo test` (or `just test` if `cargo-nextest` is installed). Avoid `--all-features` for routine local runs because it expands the build matrix and can significantly increase `target/` disk usage; use it only when you specifically need full feature coverage. project-specific or individual tests can be run without asking the user, but do ask the user before running the complete test suite.
-
-Before finalizing a large change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates. Do not re-run tests after running `fix` or `fmt`.
-
-## The `codex-core` crate
-
-Over time, the `codex-core` crate (defined in `codex-rs/core/`) has become bloated because it is the largest crate, so it is often easier to add something new to `codex-core` rather than refactor out the library code you need so your new code neither takes a dependency on, nor contributes to the size of, `codex-core`.
-
-To that end: **resist adding code to codex-core**!
-
-Particularly when introducing a new concept/feature/API, before adding to `codex-core`, consider whether:
-
-- There is an existing crate other than `codex-core` that is an appropriate place for your new code to live.
-- It is time to introduce a new crate to the Cargo workspace for your new functionality. Refactor existing code as necessary to make this happen.
-
-Likewise, when reviewing code, do not hesitate to push back on PRs that would unnecessarily add code to `codex-core`.
+2. Once those pass, if any changes were made in common, core, or protocol, run the complete test suite with `cargo test --all-features`.
+   When running interactively, ask the user before running `just fix` to finalize. `just fmt` does not require approval. project-specific or individual tests can be run without asking the user, but do ask the user before running the complete test suite.
 
 ## TUI style conventions
 
@@ -100,14 +56,7 @@ See `codex-rs/tui/styles.md`.
 
 ### Snapshot tests
 
-This repo uses snapshot tests (via `insta`), especially in `codex-rs/tui`, to validate rendered output.
-
-**Requirement:** any change that affects user-visible UI (including adding new UI) must include
-corresponding `insta` snapshot coverage (add a new snapshot test if one doesn't exist yet, or
-update the existing snapshot). Review and accept snapshot updates as part of the PR so UI impact
-is easy to review and future diffs stay visual.
-
-When UI or text output changes intentionally, update the snapshots as follows:
+This repo uses snapshot tests (via `insta`), especially in `codex-rs/tui`, to validate rendered output. When UI or text output changes intentionally, update the snapshots as follows:
 
 - Run tests to generate any updated snapshots:
   - `cargo test -p codex-tui`
@@ -160,50 +109,3 @@ If you don’t have the tool:
   let request = mock.single_request();
   // assert using request.function_call_output(call_id) or request.json_body() or other helpers.
   ```
-
-## App-server API Development Best Practices
-
-These guidelines apply to app-server protocol work in `codex-rs`, especially:
-
-- `app-server-protocol/src/protocol/common.rs`
-- `app-server-protocol/src/protocol/v2.rs`
-- `app-server/README.md`
-
-### Core Rules
-
-- All active API development should happen in app-server v2. Do not add new API surface area to v1.
-- Follow payload naming consistently:
-  `*Params` for request payloads, `*Response` for responses, and `*Notification` for notifications.
-- Expose RPC methods as `<resource>/<method>` and keep `<resource>` singular (for example, `thread/read`, `app/list`).
-- Always expose fields as camelCase on the wire with `#[serde(rename_all = "camelCase")]` unless a tagged union or explicit compatibility requirement needs a targeted rename.
-- Exception: config RPC payloads are expected to use snake_case to mirror config.toml keys (see the config read/write/list APIs in `app-server-protocol/src/protocol/v2.rs`).
-- Always set `#[ts(export_to = "v2/")]` on v2 request/response/notification types so generated TypeScript lands in the correct namespace.
-- Never use `#[serde(skip_serializing_if = "Option::is_none")]` for v2 API payload fields.
-  Exception: client->server requests that intentionally have no params may use:
-  `params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>`.
-- Keep Rust and TS wire renames aligned. If a field or variant uses `#[serde(rename = "...")]`, add matching `#[ts(rename = "...")]`.
-- For discriminated unions, use explicit tagging in both serializers:
-  `#[serde(tag = "type", ...)]` and `#[ts(tag = "type", ...)]`.
-- Prefer plain `String` IDs at the API boundary (do UUID parsing/conversion internally if needed).
-- Timestamps should be integer Unix seconds (`i64`) and named `*_at` (for example, `created_at`, `updated_at`, `resets_at`).
-- For experimental API surface area:
-  use `#[experimental("method/or/field")]`, derive `ExperimentalApi` when field-level gating is needed, and use `inspect_params: true` in `common.rs` when only some fields of a method are experimental.
-
-### Client->server request payloads (`*Params`)
-
-- Every optional field must be annotated with `#[ts(optional = nullable)]`. Do not use `#[ts(optional = nullable)]` outside client->server request payloads (`*Params`).
-- Optional collection fields (for example `Vec`, `HashMap`) must use `Option<...>` + `#[ts(optional = nullable)]`. Do not use `#[serde(default)]` to model optional collections, and do not use `skip_serializing_if` on v2 payload fields.
-- When you want omission to mean `false` for boolean fields, use `#[serde(default, skip_serializing_if = "std::ops::Not::not")] pub field: bool` over `Option<bool>`.
-- For new list methods, implement cursor pagination by default:
-  request fields `pub cursor: Option<String>` and `pub limit: Option<u32>`,
-  response fields `pub data: Vec<...>` and `pub next_cursor: Option<String>`.
-
-### Development Workflow
-
-- Update docs/examples when API behavior changes (at minimum `app-server/README.md`).
-- Regenerate schema fixtures when API shapes change:
-  `just write-app-server-schema`
-  (and `just write-app-server-schema --experimental` when experimental API fixtures are affected).
-- Validate with `cargo test -p codex-app-server-protocol`.
-- Avoid boilerplate tests that only assert experimental field markers for individual
-  request fields in `common.rs`; rely on schema generation/tests and behavioral coverage instead.

BUILD.bazel

@@ -1,42 +0,0 @@
-load("@apple_support//xcode:xcode_config.bzl", "xcode_config")
-
-xcode_config(name = "disable_xcode")
-
-# We mark the local platform as glibc-compatible so that rust can grab a toolchain for us.
-# TODO(zbarsky): Upstream a better libc constraint into rules_rust.
-# We only enable this on linux though for sanity, and because it breaks remote execution.
-platform(
-    name = "local_linux",
-    constraint_values = [
-        # We mark the local platform as glibc-compatible because musl-built rust cannot dlopen proc macros.
-        "@llvm//constraints/libc:gnu.2.28",
-    ],
-    parents = ["@platforms//host"],
-)
-
-platform(
-    name = "local_windows",
-    constraint_values = [
-        "@rules_rs//rs/experimental/platforms/constraints:windows_gnullvm",
-    ],
-    parents = ["@platforms//host"],
-)
-
-platform(
-    name = "local_windows_msvc",
-    constraint_values = [
-        "@rules_rs//rs/experimental/platforms/constraints:windows_msvc",
-    ],
-    parents = ["@platforms//host"],
-)
-
-alias(
-    name = "rbe",
-    actual = "@rbe_platform",
-)
-
-exports_files([
-    "AGENTS.md",
-    "workspace_root_test_launcher.bat.tpl",
-    "workspace_root_test_launcher.sh.tpl",
-])

MODULE.bazel

@@ -1,452 +0,0 @@
-module(name = "codex")
-
-bazel_dep(name = "bazel_skylib", version = "1.8.2")
-bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "llvm", version = "0.6.8")
-# The upstream LLVM archive contains a few unix-only symlink entries and is
-# missing a couple of MinGW compatibility archives that windows-gnullvm needs
-# during extraction and linking, so patch it until upstream grows native support.
-single_version_override(
-    module_name = "llvm",
-    patch_strip = 1,
-    patches = [
-        "//patches:llvm_windows_symlink_extract.patch",
-    ],
-)
-# Abseil picks a MinGW pthread TLS path that does not match our hermetic
-# windows-gnullvm toolchain; force it onto the portable C++11 thread-local path.
-single_version_override(
-    module_name = "abseil-cpp",
-    patch_strip = 1,
-    patches = [
-        "//patches:abseil_windows_gnullvm_thread_identity.patch",
-    ],
-)
-
-register_toolchains("@llvm//toolchain:all")
-
-osx = use_extension("@llvm//extensions:osx.bzl", "osx")
-osx.from_archive(
-    sha256 = "1bde70c0b1c2ab89ff454acbebf6741390d7b7eb149ca2a3ca24cc9203a408b7",
-    strip_prefix = "Payload/Library/Developer/CommandLineTools/SDKs/MacOSX26.4.sdk",
-    type = "pkg",
-    urls = [
-        "https://swcdn.apple.com/content/downloads/32/53/047-96692-A_OAHIHT53YB/ybtshxmrcju8m2qvw3w5elr4rajtg1x3y3/CLTools_macOSNMOS_SDK.pkg",
-    ],
-)
-osx.frameworks(names = [
-    "ApplicationServices",
-    "AppKit",
-    "ColorSync",
-    "CoreFoundation",
-    "CoreGraphics",
-    "CoreServices",
-    "CoreText",
-    "AudioToolbox",
-    "CFNetwork",
-    "FontServices",
-    "AudioUnit",
-    "CoreAudio",
-    "CoreAudioTypes",
-    "Foundation",
-    "ImageIO",
-    "IOKit",
-    "Kernel",
-    "OSLog",
-    "Security",
-    "SystemConfiguration",
-])
-use_repo(osx, "macos_sdk")
-
-# Needed to disable xcode...
-bazel_dep(name = "apple_support", version = "2.1.0")
-bazel_dep(name = "rules_cc", version = "0.2.16")
-bazel_dep(name = "rules_platform", version = "0.1.0")
-bazel_dep(name = "rules_rs", version = "0.0.43")
-# `rules_rs` 0.0.43 does not model `windows-gnullvm` as a distinct Windows exec
-# platform, so patch it until upstream grows that support for both x86_64 and
-# aarch64.
-single_version_override(
-    module_name = "rules_rs",
-    patch_strip = 1,
-    patches = [
-        "//patches:rules_rs_windows_gnullvm_exec.patch",
-        "//patches:rules_rs_delete_git_worktree_pointer.patch",
-    ],
-    version = "0.0.43",
-)
-
-rules_rust = use_extension("@rules_rs//rs/experimental:rules_rust.bzl", "rules_rust")
-# Build-script probe binaries inherit CFLAGS/CXXFLAGS from Bazel's C++
-# toolchain. On `windows-gnullvm`, llvm-mingw does not ship
-# `libssp_nonshared`, so strip the forwarded stack-protector flags there.
-rules_rust.patch(
-    patches = [
-        "//patches:rules_rust_windows_gnullvm_build_script.patch",
-        "//patches:rules_rust_windows_exec_msvc_build_script_env.patch",
-        "//patches:rules_rust_windows_bootstrap_process_wrapper_linker.patch",
-        "//patches:rules_rust_windows_msvc_direct_link_args.patch",
-        "//patches:rules_rust_windows_exec_bin_target.patch",
-        "//patches:rules_rust_windows_exec_std.patch",
-        "//patches:rules_rust_windows_exec_rustc_dev_rlib.patch",
-        "//patches:rules_rust_repository_set_exec_constraints.patch",
-    ],
-    strip = 1,
-)
-use_repo(rules_rust, "rules_rust")
-
-nightly_rust = use_extension(
-    "@rules_rs//rs/experimental:rules_rust_reexported_extensions.bzl",
-    "rust",
-)
-nightly_rust.toolchain(
-    versions = ["nightly/2025-09-18"],
-    dev_components = True,
-    edition = "2024",
-)
-# Keep Windows exec tools on MSVC so Bazel helper binaries link correctly, but
-# lint crate targets as `windows-gnullvm` to preserve the repo's actual cfgs.
-nightly_rust.repository_set(
-    name = "rust_windows_x86_64",
-    dev_components = True,
-    edition = "2024",
-    exec_triple = "x86_64-pc-windows-msvc",
-    exec_compatible_with = [
-        "@platforms//cpu:x86_64",
-        "@platforms//os:windows",
-        "@rules_rs//rs/experimental/platforms/constraints:windows_msvc",
-    ],
-    target_compatible_with = [
-        "@platforms//cpu:x86_64",
-        "@platforms//os:windows",
-        "@rules_rs//rs/experimental/platforms/constraints:windows_msvc",
-    ],
-    target_triple = "x86_64-pc-windows-msvc",
-    versions = ["nightly/2025-09-18"],
-)
-nightly_rust.repository_set(
-    name = "rust_windows_x86_64",
-    target_compatible_with = [
-        "@platforms//cpu:x86_64",
-        "@platforms//os:windows",
-        "@rules_rs//rs/experimental/platforms/constraints:windows_gnullvm",
-    ],
-    target_triple = "x86_64-pc-windows-gnullvm",
-)
-use_repo(nightly_rust, "rust_toolchains")
-
-toolchains = use_extension("@rules_rs//rs/experimental/toolchains:module_extension.bzl", "toolchains")
-toolchains.toolchain(
-    edition = "2024",
-    version = "1.93.0",
-)
-use_repo(toolchains, "default_rust_toolchains")
-
-register_toolchains("@default_rust_toolchains//:all")
-register_toolchains("@rust_toolchains//:all")
-
-crate = use_extension("@rules_rs//rs:extensions.bzl", "crate")
-crate.from_cargo(
-    cargo_lock = "//codex-rs:Cargo.lock",
-    cargo_toml = "//codex-rs:Cargo.toml",
-    platform_triples = [
-        "aarch64-unknown-linux-gnu",
-        "aarch64-unknown-linux-musl",
-        "aarch64-apple-darwin",
-        # Keep both Windows ABIs in the generated Cargo metadata: the V8
-        # experiment still consumes release assets that only exist under the
-        # MSVC names while targeting the GNU toolchain.
-        "aarch64-pc-windows-msvc",
-        "aarch64-pc-windows-gnullvm",
-        "x86_64-unknown-linux-gnu",
-        "x86_64-unknown-linux-musl",
-        "x86_64-apple-darwin",
-        "x86_64-pc-windows-msvc",
-        "x86_64-pc-windows-gnullvm",
-    ],
-    use_experimental_platforms = True,
-)
-crate.from_cargo(
-    name = "argument_comment_lint_crates",
-    cargo_lock = "//tools/argument-comment-lint:Cargo.lock",
-    cargo_toml = "//tools/argument-comment-lint:Cargo.toml",
-    platform_triples = [
-        "aarch64-unknown-linux-gnu",
-        "aarch64-unknown-linux-musl",
-        "aarch64-apple-darwin",
-        "aarch64-pc-windows-msvc",
-        "aarch64-pc-windows-gnullvm",
-        "x86_64-unknown-linux-gnu",
-        "x86_64-unknown-linux-musl",
-        "x86_64-apple-darwin",
-        "x86_64-pc-windows-msvc",
-        "x86_64-pc-windows-gnullvm",
-    ],
-    use_experimental_platforms = True,
-)
-
-bazel_dep(name = "zstd", version = "1.5.7")
-
-crate.annotation(
-    crate = "zstd-sys",
-    gen_build_script = "off",
-    deps = ["@zstd"],
-)
-crate.annotation(
-    build_script_env = {
-        "AWS_LC_SYS_NO_JITTER_ENTROPY": "1",
-    },
-    crate = "aws-lc-sys",
-    patch_args = ["-p1"],
-    patches = [
-        "//patches:aws-lc-sys_memcmp_check.patch",
-        "//patches:aws-lc-sys_windows_msvc_prebuilt_nasm.patch",
-        "//patches:aws-lc-sys_windows_msvc_memcmp_probe.patch",
-    ],
-)
-
-crate.annotation(
-    # The build script only validates embedded source/version metadata.
-    crate = "rustc_apfloat",
-    gen_build_script = "off",
-)
-
-inject_repo(crate, "zstd")
-use_repo(crate, "argument_comment_lint_crates")
-
-bazel_dep(name = "bzip2", version = "1.0.8.bcr.3")
-
-crate.annotation(
-    crate = "bzip2-sys",
-    gen_build_script = "off",
-    deps = ["@bzip2//:bz2"],
-)
-
-inject_repo(crate, "bzip2")
-
-bazel_dep(name = "zlib", version = "1.3.1.bcr.8")
-
-crate.annotation(
-    crate = "libz-sys",
-    gen_build_script = "off",
-    deps = ["@zlib"],
-)
-
-inject_repo(crate, "zlib")
-
-bazel_dep(name = "xz", version = "5.4.5.bcr.8")
-
-crate.annotation(
-    crate = "lzma-sys",
-    gen_build_script = "off",
-    deps = ["@xz//:lzma"],
-)
-
-bazel_dep(name = "openssl", version = "3.5.4.bcr.0")
-
-inject_repo(crate, "xz")
-
-crate.annotation(
-    build_script_data = [
-        "@openssl//:gen_dir",
-    ],
-    build_script_env = {
-        "OPENSSL_DIR": "$(execpath @openssl//:gen_dir)",
-        "OPENSSL_NO_VENDOR": "1",
-        "OPENSSL_STATIC": "1",
-    },
-    crate = "openssl-sys",
-    data = ["@openssl//:gen_dir"],
-    gen_build_script = "on",
-)
-
-inject_repo(crate, "openssl")
-
-crate.annotation(
-    crate = "runfiles",
-    workspace_cargo_toml = "rust/runfiles/Cargo.toml",
-)
-
-http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-http_file = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")
-new_local_repository = use_repo_rule("@bazel_tools//tools/build_defs/repo:local.bzl", "new_local_repository")
-
-new_local_repository(
-    name = "v8_targets",
-    build_file = "//third_party/v8:BUILD.bazel",
-    path = "third_party/v8",
-)
-
-crate.annotation(
-    build_script_data = [
-        "@v8_targets//:rusty_v8_archive_for_target",
-        "@v8_targets//:rusty_v8_binding_for_target",
-    ],
-    build_script_env = {
-        "RUSTY_V8_ARCHIVE": "$(execpath @v8_targets//:rusty_v8_archive_for_target)",
-        "RUSTY_V8_SRC_BINDING_PATH": "$(execpath @v8_targets//:rusty_v8_binding_for_target)",
-    },
-    crate = "v8",
-    gen_build_script = "on",
-    patch_args = ["-p1"],
-    patches = [
-        "//patches:rusty_v8_prebuilt_out_dir.patch",
-    ],
-)
-
-inject_repo(crate, "v8_targets")
-
-llvm = use_extension("@llvm//extensions:llvm.bzl", "llvm")
-use_repo(llvm, "llvm-project")
-
-crate.annotation(
-    # Provide the hermetic SDK path so the build script doesn't try to invoke an unhermetic `xcrun --show-sdk-path`.
-    build_script_data = [
-        "@macos_sdk//sysroot",
-    ],
-    build_script_env = {
-        "BINDGEN_EXTRA_CLANG_ARGS": "-Xclang -internal-isystem -Xclang $(location @llvm//:builtin_resource_dir)/include",
-        "COREAUDIO_SDK_PATH": "$(location @macos_sdk//sysroot)",
-        "LIBCLANG_PATH": "$(location @llvm-project//clang:libclang_interface_output)",
-    },
-    build_script_tools = [
-        "@llvm-project//clang:libclang_interface_output",
-        "@llvm//:builtin_resource_dir",
-    ],
-    crate = "coreaudio-sys",
-    gen_build_script = "on",
-)
-
-inject_repo(crate, "llvm", "llvm-project", "macos_sdk")
-
-# Fix readme inclusions
-crate.annotation(
-    crate = "windows-link",
-    patch_args = ["-p1"],
-    patches = [
-        "//patches:windows-link.patch",
-    ],
-)
-
-bazel_dep(name = "alsa_lib", version = "1.2.9.bcr.4")
-
-crate.annotation(
-    crate = "alsa-sys",
-    gen_build_script = "off",
-    deps = ["@alsa_lib"],
-)
-
-inject_repo(crate, "alsa_lib")
-
-bazel_dep(name = "v8", version = "14.6.202.9")
-archive_override(
-    module_name = "v8",
-    integrity = "sha256-JphDwLAzsd9KvgRZ7eQvNtPU6qGd3XjFt/a/1QITAJU=",
-    patch_strip = 3,
-    patches = [
-        "//patches:v8_module_deps.patch",
-        "//patches:v8_bazel_rules.patch",
-        "//patches:v8_source_portability.patch",
-    ],
-    strip_prefix = "v8-14.6.202.9",
-    urls = ["https://github.com/v8/v8/archive/refs/tags/14.6.202.9.tar.gz"],
-)
-
-http_archive(
-    name = "v8_crate_146_4_0",
-    build_file = "//third_party/v8:v8_crate.BUILD.bazel",
-    sha256 = "d97bcac5cdc5a195a4813f1855a6bc658f240452aac36caa12fd6c6f16026ab1",
-    strip_prefix = "v8-146.4.0",
-    type = "tar.gz",
-    urls = ["https://static.crates.io/crates/v8/v8-146.4.0.crate"],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_aarch64_apple_darwin_archive",
-    downloaded_file_path = "librusty_v8_release_aarch64-apple-darwin.a.gz",
-    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_aarch64-apple-darwin.a.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_aarch64_unknown_linux_gnu_archive",
-    downloaded_file_path = "librusty_v8_release_aarch64-unknown-linux-gnu.a.gz",
-    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_aarch64-unknown-linux-gnu.a.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_aarch64_pc_windows_msvc_archive",
-    downloaded_file_path = "rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
-    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_x86_64_apple_darwin_archive",
-    downloaded_file_path = "librusty_v8_release_x86_64-apple-darwin.a.gz",
-    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_x86_64-apple-darwin.a.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_x86_64_unknown_linux_gnu_archive",
-    downloaded_file_path = "librusty_v8_release_x86_64-unknown-linux-gnu.a.gz",
-    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_x86_64-unknown-linux-gnu.a.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_x86_64_pc_windows_msvc_archive",
-    downloaded_file_path = "rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
-    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_aarch64_unknown_linux_musl_archive",
-    downloaded_file_path = "librusty_v8_release_aarch64-unknown-linux-musl.a.gz",
-    urls = [
-        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/librusty_v8_release_aarch64-unknown-linux-musl.a.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_aarch64_unknown_linux_musl_binding",
-    downloaded_file_path = "src_binding_release_aarch64-unknown-linux-musl.rs",
-    urls = [
-        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/src_binding_release_aarch64-unknown-linux-musl.rs",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_x86_64_unknown_linux_musl_archive",
-    downloaded_file_path = "librusty_v8_release_x86_64-unknown-linux-musl.a.gz",
-    urls = [
-        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/librusty_v8_release_x86_64-unknown-linux-musl.a.gz",
-    ],
-)
-
-http_file(
-    name = "rusty_v8_146_4_0_x86_64_unknown_linux_musl_binding",
-    downloaded_file_path = "src_binding_release_x86_64-unknown-linux-musl.rs",
-    urls = [
-        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/src_binding_release_x86_64-unknown-linux-musl.rs",
-    ],
-)
-
-use_repo(crate, "crates")
-
-bazel_dep(name = "libcap", version = "2.27.bcr.1")
-
-rbe_platform_repository = use_repo_rule("//:rbe.bzl", "rbe_platform_repository")
-
-rbe_platform_repository(
-    name = "rbe_platform",
-)

NOTICE

@@ -4,6 +4,3 @@ Copyright 2025 OpenAI
 This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
 Copyright (c) 2016-2022 Florian Dehau
 Copyright (c) 2023-2025 The Ratatui Developers
-
-This project includes Meriyah parser assets from [meriyah](https://github.com/meriyah/meriyah), licensed under the ISC license.
-Copyright (c) 2019 and later, KFlash and others.

PNPM.md

@@ -0,0 +1,70 @@
+# Migration to pnpm
+
+This project has been migrated from npm to pnpm to improve dependency management and developer experience.
+
+## Why pnpm?
+
+- **Faster installation**: pnpm is significantly faster than npm and yarn
+- **Disk space savings**: pnpm uses a content-addressable store to avoid duplication
+- **Phantom dependency prevention**: pnpm creates a strict node_modules structure
+- **Native workspaces support**: simplified monorepo management
+
+## How to use pnpm
+
+### Installation
+
+```bash
+# Global installation of pnpm
+npm install -g pnpm@10.8.1
+
+# Or with corepack (available with Node.js 22+)
+corepack enable
+corepack prepare pnpm@10.8.1 --activate
+```
+
+### Common commands
+
+| npm command     | pnpm equivalent  |
+| --------------- | ---------------- |
+| `npm install`   | `pnpm install`   |
+| `npm run build` | `pnpm run build` |
+| `npm test`      | `pnpm test`      |
+| `npm run lint`  | `pnpm run lint`  |
+
+### Workspace-specific commands
+
+| Action                                     | Command                                  |
+| ------------------------------------------ | ---------------------------------------- |
+| Run a command in a specific package        | `pnpm --filter @openai/codex run build`  |
+| Install a dependency in a specific package | `pnpm --filter @openai/codex add lodash` |
+| Run a command in all packages              | `pnpm -r run test`                       |
+
+## Monorepo structure
+
+```
+codex/
+├── pnpm-workspace.yaml    # Workspace configuration
+├── .npmrc                 # pnpm configuration
+├── package.json           # Root dependencies and scripts
+├── codex-cli/             # Main package
+│   └── package.json       # codex-cli specific dependencies
+└── docs/                  # Documentation (future package)
+```
+
+## Configuration files
+
+- **pnpm-workspace.yaml**: Defines the packages included in the monorepo
+- **.npmrc**: Configures pnpm behavior
+- **Root package.json**: Contains shared scripts and dependencies
+
+## CI/CD
+
+CI/CD workflows have been updated to use pnpm instead of npm. Make sure your CI environments use pnpm 10.8.1 or higher.
+
+## Known issues
+
+If you encounter issues with pnpm, try the following solutions:
+
+1. Remove the `node_modules` folder and `pnpm-lock.yaml` file, then run `pnpm install`
+2. Make sure you're using pnpm 10.8.1 or higher
+3. Verify that Node.js 22 or higher is installed

README.md

@@ -1,11 +1,10 @@
 <p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install --cask codex</code></p>
 <p align="center"><strong>Codex CLI</strong> is a coding agent from OpenAI that runs locally on your computer.
 <p align="center">
-  <img src="https://github.com/openai/codex/blob/main/.github/codex-cli-splash.png" alt="Codex CLI splash" width="80%" />
+  <img src="./.github/codex-cli-splash.png" alt="Codex CLI splash" width="80%" />
 </p>
 </br>
 If you want Codex in your code editor (VS Code, Cursor, Windsurf), <a href="https://developers.openai.com/codex/ide">install in your IDE.</a>
-</br>If you want the desktop app experience, run <code>codex app</code> or visit <a href="https://chatgpt.com/codex?app-landing-page=true">the Codex App page</a>.
 </br>If you are looking for the <em>cloud-based agent</em> from OpenAI, <strong>Codex Web</strong>, go to <a href="https://chatgpt.com/codex">chatgpt.com/codex</a>.</p>
 
 ---

SECURITY.md

@@ -1,13 +0,0 @@
-# Security Policy
-
-Thank you for helping us keep Codex secure!
-
-## Reporting Security Issues
-
-The security is essential to OpenAI's mission. We appreciate the work of security researchers acting in good faith to identify and responsibly report potential vulnerabilities, helping us maintain strong privacy and security standards for our users and technology.
-
-Our security program is managed through Bugcrowd, and we ask that any validated vulnerabilities be reported via the [Bugcrowd program](https://bugcrowd.com/engagements/openai).
-
-## Vulnerability Disclosure Program
-
-Our Vulnerability Program Guidelines are defined on our [Bugcrowd program page](https://bugcrowd.com/engagements/openai).

announcement_tip.toml

@@ -10,14 +10,7 @@ from_date = "2024-10-01"
 to_date = "2024-10-15"
 target_app = "cli"
 
-# Test announcement only for local build version until 2026-01-10 excluded (past)
 [[announcements]]
 content = "This is a test announcement"
 version_regex = "^0\\.0\\.0$"
-to_date = "2026-05-10"
-
-[[announcements]]
-content = "**BREAKING NEWS**: `gpt-5.3-codex` is out! Upgrade to `0.98.0` for a faster, smarter, more steerable agent."
-from_date = "2026-02-01"
-to_date = "2026-02-16"
-version_regex = "^0\\.(?:[0-9]|[1-8][0-9]|9[0-7])\\."
+to_date = "2026-01-10"

codex-cli/bin/codex.js

@@ -3,23 +3,12 @@
 
 import { spawn } from "node:child_process";
 import { existsSync } from "fs";
-import { createRequire } from "node:module";
 import path from "path";
 import { fileURLToPath } from "url";
 
 // __dirname equivalent in ESM
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-const require = createRequire(import.meta.url);
-
-const PLATFORM_PACKAGE_BY_TARGET = {
-  "x86_64-unknown-linux-musl": "@openai/codex-linux-x64",
-  "aarch64-unknown-linux-musl": "@openai/codex-linux-arm64",
-  "x86_64-apple-darwin": "@openai/codex-darwin-x64",
-  "aarch64-apple-darwin": "@openai/codex-darwin-arm64",
-  "x86_64-pc-windows-msvc": "@openai/codex-win32-x64",
-  "aarch64-pc-windows-msvc": "@openai/codex-win32-arm64",
-};
 
 const { platform, arch } = process;
 
@@ -70,51 +59,9 @@ if (!targetTriple) {
   throw new Error(`Unsupported platform: ${platform} (${arch})`);
 }
 
-const platformPackage = PLATFORM_PACKAGE_BY_TARGET[targetTriple];
-if (!platformPackage) {
-  throw new Error(`Unsupported target triple: ${targetTriple}`);
-}
-
-const codexBinaryName = process.platform === "win32" ? "codex.exe" : "codex";
-const localVendorRoot = path.join(__dirname, "..", "vendor");
-const localBinaryPath = path.join(
-  localVendorRoot,
-  targetTriple,
-  "codex",
-  codexBinaryName,
-);
-
-let vendorRoot;
-try {
-  const packageJsonPath = require.resolve(`${platformPackage}/package.json`);
-  vendorRoot = path.join(path.dirname(packageJsonPath), "vendor");
-} catch {
-  if (existsSync(localBinaryPath)) {
-    vendorRoot = localVendorRoot;
-  } else {
-    const packageManager = detectPackageManager();
-    const updateCommand =
-      packageManager === "bun"
-        ? "bun install -g @openai/codex@latest"
-        : "npm install -g @openai/codex@latest";
-    throw new Error(
-      `Missing optional dependency ${platformPackage}. Reinstall Codex: ${updateCommand}`,
-    );
-  }
-}
-
-if (!vendorRoot) {
-  const packageManager = detectPackageManager();
-  const updateCommand =
-    packageManager === "bun"
-      ? "bun install -g @openai/codex@latest"
-      : "npm install -g @openai/codex@latest";
-  throw new Error(
-    `Missing optional dependency ${platformPackage}. Reinstall Codex: ${updateCommand}`,
-  );
-}
-
+const vendorRoot = path.join(__dirname, "..", "vendor");
 const archRoot = path.join(vendorRoot, targetTriple);
+const codexBinaryName = process.platform === "win32" ? "codex.exe" : "codex";
 const binaryPath = path.join(archRoot, "codex", codexBinaryName);
 
 // Use an asynchronous spawn instead of spawnSync so that Node is able to
@@ -148,6 +95,7 @@ function detectPackageManager() {
     return "bun";
   }
 
+
   if (
     __dirname.includes(".bun/install/global") ||
     __dirname.includes(".bun\\install\\global")

codex-cli/bin/rg

@@ -4,74 +4,74 @@
   "name": "rg",
   "platforms": {
     "macos-aarch64": {
-      "size": 1777930,
-      "hash": "sha256",
-      "digest": "378e973289176ca0c6054054ee7f631a065874a352bf43f0fa60ef079b6ba715",
+      "size": 1787248,
+      "hash": "blake3",
+      "digest": "8d9942032585ea8ee805937634238d9aee7b210069f4703c88fbe568e26fb78a",
       "format": "tar.gz",
-      "path": "ripgrep-15.1.0-aarch64-apple-darwin/rg",
+      "path": "ripgrep-14.1.1-aarch64-apple-darwin/rg",
       "providers": [
         {
-          "url": "https://github.com/BurntSushi/ripgrep/releases/download/15.1.0/ripgrep-15.1.0-aarch64-apple-darwin.tar.gz"
+          "url": "https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep-14.1.1-aarch64-apple-darwin.tar.gz"
         }
       ]
     },
     "linux-aarch64": {
-      "size": 1869959,
-      "hash": "sha256",
-      "digest": "2b661c6ef508e902f388e9098d9c4c5aca72c87b55922d94abdba830b4dc885e",
+      "size": 2047405,
+      "hash": "blake3",
+      "digest": "0b670b8fa0a3df2762af2fc82cc4932f684ca4c02dbd1260d4f3133fd4b2a515",
       "format": "tar.gz",
-      "path": "ripgrep-15.1.0-aarch64-unknown-linux-gnu/rg",
+      "path": "ripgrep-14.1.1-aarch64-unknown-linux-gnu/rg",
       "providers": [
         {
-          "url": "https://github.com/BurntSushi/ripgrep/releases/download/15.1.0/ripgrep-15.1.0-aarch64-unknown-linux-gnu.tar.gz"
+          "url": "https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep-14.1.1-aarch64-unknown-linux-gnu.tar.gz"
         }
       ]
     },
     "macos-x86_64": {
-      "size": 1894127,
-      "hash": "sha256",
-      "digest": "64811cb24e77cac3057d6c40b63ac9becf9082eedd54ca411b475b755d334882",
+      "size": 2082672,
+      "hash": "blake3",
+      "digest": "e9b862fc8da3127f92791f0ff6a799504154ca9d36c98bf3e60a81c6b1f7289e",
       "format": "tar.gz",
-      "path": "ripgrep-15.1.0-x86_64-apple-darwin/rg",
+      "path": "ripgrep-14.1.1-x86_64-apple-darwin/rg",
       "providers": [
         {
-          "url": "https://github.com/BurntSushi/ripgrep/releases/download/15.1.0/ripgrep-15.1.0-x86_64-apple-darwin.tar.gz"
+          "url": "https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep-14.1.1-x86_64-apple-darwin.tar.gz"
         }
       ]
     },
     "linux-x86_64": {
-      "size": 2263077,
-      "hash": "sha256",
-      "digest": "1c9297be4a084eea7ecaedf93eb03d058d6faae29bbc57ecdaf5063921491599",
+      "size": 2566310,
+      "hash": "blake3",
+      "digest": "f73cca4e54d78c31f832c7f6e2c0b4db8b04fa3eaa747915727d570893dbee76",
       "format": "tar.gz",
-      "path": "ripgrep-15.1.0-x86_64-unknown-linux-musl/rg",
+      "path": "ripgrep-14.1.1-x86_64-unknown-linux-musl/rg",
       "providers": [
         {
-          "url": "https://github.com/BurntSushi/ripgrep/releases/download/15.1.0/ripgrep-15.1.0-x86_64-unknown-linux-musl.tar.gz"
+          "url": "https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep-14.1.1-x86_64-unknown-linux-musl.tar.gz"
         }
       ]
     },
     "windows-x86_64": {
-      "size": 1810687,
-      "hash": "sha256",
-      "digest": "124510b94b6baa3380d051fdf4650eaa80a302c876d611e9dba0b2e18d87493a",
+      "size": 2058893,
+      "hash": "blake3",
+      "digest": "a8ce1a6fed4f8093ee997e57f33254e94b2cd18e26358b09db599c89882eadbd",
       "format": "zip",
-      "path": "ripgrep-15.1.0-x86_64-pc-windows-msvc/rg.exe",
+      "path": "ripgrep-14.1.1-x86_64-pc-windows-msvc/rg.exe",
       "providers": [
         {
-          "url": "https://github.com/BurntSushi/ripgrep/releases/download/15.1.0/ripgrep-15.1.0-x86_64-pc-windows-msvc.zip"
+          "url": "https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep-14.1.1-x86_64-pc-windows-msvc.zip"
         }
       ]
     },
     "windows-aarch64": {
-      "size": 1675460,
-      "hash": "sha256",
-      "digest": "00d931fb5237c9696ca49308818edb76d8eb6fc132761cb2a1bd616b2df02f8e",
+      "size": 1667740,
+      "hash": "blake3",
+      "digest": "47b971a8c4fca1d23a4e7c19bd4d88465ebc395598458133139406d3bf85f3fa",
       "format": "zip",
-      "path": "ripgrep-15.1.0-aarch64-pc-windows-msvc/rg.exe",
+      "path": "rg.exe",
       "providers": [
         {
-          "url": "https://github.com/BurntSushi/ripgrep/releases/download/15.1.0/ripgrep-15.1.0-aarch64-pc-windows-msvc.zip"
+          "url": "https://github.com/microsoft/ripgrep-prebuilt/releases/download/v13.0.0-13/ripgrep-v13.0.0-13-aarch64-pc-windows-msvc.zip"
         }
       ]
     }

codex-cli/package-lock.json

@@ -0,0 +1,18 @@
+{
+  "name": "@openai/codex",
+  "version": "0.0.0-dev",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {
+      "name": "@openai/codex",
+      "version": "0.0.0-dev",
+      "license": "Apache-2.0",
+      "bin": {
+        "codex": "bin/codex.js"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    }
+  }
+}

codex-cli/package.json

@@ -17,6 +17,5 @@
     "type": "git",
     "url": "git+https://github.com/openai/codex.git",
     "directory": "codex-cli"
-  },
-  "packageManager": "pnpm@10.29.3+sha512.498e1fb4cca5aa06c1dcf2611e6fafc50972ffe7189998c409e90de74566444298ffe43e6cd2acdc775ba1aa7cc5e092a8b7054c811ba8c5770f84693d33d2dc"
+  }
 }

codex-cli/scripts/README.md

@@ -14,10 +14,6 @@ example, to stage the CLI, responses proxy, and SDK packages for version `0.6.0`
 This downloads the native artifacts once, hydrates `vendor/` for each package, and writes
 tarballs to `dist/npm/`.
 
-When `--package codex` is provided, the staging helper builds the lightweight
-`@openai/codex` meta package plus all platform-native `@openai/codex` variants
-that are later published under platform-specific dist-tags.
-
 If you need to invoke `build_npm_package.py` directly, run
 `codex-cli/scripts/install_native_deps.py` first and pass `--vendor-src` pointing to the
 directory that contains the populated `vendor/` tree.

codex-cli/scripts/build_npm_package.py

@@ -14,78 +14,15 @@ CODEX_CLI_ROOT = SCRIPT_DIR.parent
 REPO_ROOT = CODEX_CLI_ROOT.parent
 RESPONSES_API_PROXY_NPM_ROOT = REPO_ROOT / "codex-rs" / "responses-api-proxy" / "npm"
 CODEX_SDK_ROOT = REPO_ROOT / "sdk" / "typescript"
-CODEX_NPM_NAME = "@openai/codex"
-
-# `npm_name` is the local optional-dependency alias consumed by `bin/codex.js`.
-# The underlying package published to npm is always `@openai/codex`.
-CODEX_PLATFORM_PACKAGES: dict[str, dict[str, str]] = {
-    "codex-linux-x64": {
-        "npm_name": "@openai/codex-linux-x64",
-        "npm_tag": "linux-x64",
-        "target_triple": "x86_64-unknown-linux-musl",
-        "os": "linux",
-        "cpu": "x64",
-    },
-    "codex-linux-arm64": {
-        "npm_name": "@openai/codex-linux-arm64",
-        "npm_tag": "linux-arm64",
-        "target_triple": "aarch64-unknown-linux-musl",
-        "os": "linux",
-        "cpu": "arm64",
-    },
-    "codex-darwin-x64": {
-        "npm_name": "@openai/codex-darwin-x64",
-        "npm_tag": "darwin-x64",
-        "target_triple": "x86_64-apple-darwin",
-        "os": "darwin",
-        "cpu": "x64",
-    },
-    "codex-darwin-arm64": {
-        "npm_name": "@openai/codex-darwin-arm64",
-        "npm_tag": "darwin-arm64",
-        "target_triple": "aarch64-apple-darwin",
-        "os": "darwin",
-        "cpu": "arm64",
-    },
-    "codex-win32-x64": {
-        "npm_name": "@openai/codex-win32-x64",
-        "npm_tag": "win32-x64",
-        "target_triple": "x86_64-pc-windows-msvc",
-        "os": "win32",
-        "cpu": "x64",
-    },
-    "codex-win32-arm64": {
-        "npm_name": "@openai/codex-win32-arm64",
-        "npm_tag": "win32-arm64",
-        "target_triple": "aarch64-pc-windows-msvc",
-        "os": "win32",
-        "cpu": "arm64",
-    },
-}
-
-PACKAGE_EXPANSIONS: dict[str, list[str]] = {
-    "codex": ["codex", *CODEX_PLATFORM_PACKAGES],
-}
 
 PACKAGE_NATIVE_COMPONENTS: dict[str, list[str]] = {
-    "codex": [],
-    "codex-linux-x64": ["codex", "rg"],
-    "codex-linux-arm64": ["codex", "rg"],
-    "codex-darwin-x64": ["codex", "rg"],
-    "codex-darwin-arm64": ["codex", "rg"],
-    "codex-win32-x64": ["codex", "rg", "codex-windows-sandbox-setup", "codex-command-runner"],
-    "codex-win32-arm64": ["codex", "rg", "codex-windows-sandbox-setup", "codex-command-runner"],
+    "codex": ["codex", "rg"],
     "codex-responses-api-proxy": ["codex-responses-api-proxy"],
-    "codex-sdk": [],
+    "codex-sdk": ["codex"],
 }
-
-PACKAGE_TARGET_FILTERS: dict[str, str] = {
-    package_name: package_config["target_triple"]
-    for package_name, package_config in CODEX_PLATFORM_PACKAGES.items()
+WINDOWS_ONLY_COMPONENTS: dict[str, list[str]] = {
+    "codex": ["codex-windows-sandbox-setup", "codex-command-runner"],
 }
-
-PACKAGE_CHOICES = tuple(PACKAGE_NATIVE_COMPONENTS)
-
 COMPONENT_DEST_DIR: dict[str, str] = {
     "codex": "codex",
     "codex-responses-api-proxy": "codex-responses-api-proxy",
@@ -99,7 +36,7 @@ def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(description="Build or stage the Codex CLI npm package.")
     parser.add_argument(
         "--package",
-        choices=PACKAGE_CHOICES,
+        choices=("codex", "codex-responses-api-proxy", "codex-sdk"),
         default="codex",
         help="Which npm package to stage (default: codex).",
     )
@@ -161,7 +98,6 @@ def main() -> int:
 
         vendor_src = args.vendor_src.resolve() if args.vendor_src else None
         native_components = PACKAGE_NATIVE_COMPONENTS.get(package, [])
-        target_filter = PACKAGE_TARGET_FILTERS.get(package)
 
         if native_components:
             if vendor_src is None:
@@ -172,12 +108,7 @@ def main() -> int:
                     "pointing to a directory containing pre-installed binaries."
                 )
 
-            copy_native_binaries(
-                vendor_src,
-                staging_dir,
-                native_components,
-                target_filter={target_filter} if target_filter else None,
-            )
+            copy_native_binaries(vendor_src, staging_dir, package, native_components)
 
         if release_version:
             staging_dir_str = str(staging_dir)
@@ -194,17 +125,12 @@ def main() -> int:
                     "Verify the responses API proxy:\n"
                     f"    node {staging_dir_str}/bin/codex-responses-api-proxy.js --help\n\n"
                 )
-            elif package in CODEX_PLATFORM_PACKAGES:
-                print(
-                    f"Staged version {version} for release in {staging_dir_str}\n\n"
-                    "Verify native payload contents:\n"
-                    f"    ls {staging_dir_str}/vendor\n\n"
-                )
             else:
                 print(
                     f"Staged version {version} for release in {staging_dir_str}\n\n"
                     "Verify the SDK contents:\n"
                     f"    ls {staging_dir_str}/dist\n"
+                    f"    ls {staging_dir_str}/vendor\n"
                     "    node -e \"import('./dist/index.js').then(() => console.log('ok'))\"\n\n"
                 )
         else:
@@ -234,9 +160,6 @@ def prepare_staging_dir(staging_dir: Path | None) -> tuple[Path, bool]:
 
 
 def stage_sources(staging_dir: Path, version: str, package: str) -> None:
-    package_json: dict
-    package_json_path: Path | None = None
-
     if package == "codex":
         bin_dir = staging_dir / "bin"
         bin_dir.mkdir(parents=True, exist_ok=True)
@@ -250,35 +173,6 @@ def stage_sources(staging_dir: Path, version: str, package: str) -> None:
             shutil.copy2(readme_src, staging_dir / "README.md")
 
         package_json_path = CODEX_CLI_ROOT / "package.json"
-    elif package in CODEX_PLATFORM_PACKAGES:
-        platform_package = CODEX_PLATFORM_PACKAGES[package]
-        platform_npm_tag = platform_package["npm_tag"]
-        platform_version = compute_platform_package_version(version, platform_npm_tag)
-
-        readme_src = REPO_ROOT / "README.md"
-        if readme_src.exists():
-            shutil.copy2(readme_src, staging_dir / "README.md")
-
-        with open(CODEX_CLI_ROOT / "package.json", "r", encoding="utf-8") as fh:
-            codex_package_json = json.load(fh)
-
-        package_json = {
-            "name": CODEX_NPM_NAME,
-            "version": platform_version,
-            "license": codex_package_json.get("license", "Apache-2.0"),
-            "os": [platform_package["os"]],
-            "cpu": [platform_package["cpu"]],
-            "files": ["vendor"],
-            "repository": codex_package_json.get("repository"),
-        }
-
-        engines = codex_package_json.get("engines")
-        if isinstance(engines, dict):
-            package_json["engines"] = engines
-
-        package_manager = codex_package_json.get("packageManager")
-        if isinstance(package_manager, str):
-            package_json["packageManager"] = package_manager
     elif package == "codex-responses-api-proxy":
         bin_dir = staging_dir / "bin"
         bin_dir.mkdir(parents=True, exist_ok=True)
@@ -296,44 +190,27 @@ def stage_sources(staging_dir: Path, version: str, package: str) -> None:
     else:
         raise RuntimeError(f"Unknown package '{package}'.")
 
-    if package_json_path is not None:
-        with open(package_json_path, "r", encoding="utf-8") as fh:
-            package_json = json.load(fh)
-        package_json["version"] = version
+    with open(package_json_path, "r", encoding="utf-8") as fh:
+        package_json = json.load(fh)
+    package_json["version"] = version
 
-    if package == "codex":
-        package_json["files"] = ["bin"]
-        package_json["optionalDependencies"] = {
-            CODEX_PLATFORM_PACKAGES[platform_package]["npm_name"]: (
-                f"npm:{CODEX_NPM_NAME}@"
-                f"{compute_platform_package_version(version, CODEX_PLATFORM_PACKAGES[platform_package]['npm_tag'])}"
-            )
-            for platform_package in PACKAGE_EXPANSIONS["codex"]
-            if platform_package != "codex"
-        }
-
-    elif package == "codex-sdk":
+    if package == "codex-sdk":
         scripts = package_json.get("scripts")
         if isinstance(scripts, dict):
             scripts.pop("prepare", None)
 
-        dependencies = package_json.get("dependencies")
-        if not isinstance(dependencies, dict):
-            dependencies = {}
-        dependencies[CODEX_NPM_NAME] = version
-        package_json["dependencies"] = dependencies
+        files = package_json.get("files")
+        if isinstance(files, list):
+            if "vendor" not in files:
+                files.append("vendor")
+        else:
+            package_json["files"] = ["dist", "vendor"]
 
     with open(staging_dir / "package.json", "w", encoding="utf-8") as out:
         json.dump(package_json, out, indent=2)
         out.write("\n")
 
 
-def compute_platform_package_version(version: str, platform_tag: str) -> str:
-    # npm forbids republishing the same package name/version, so each
-    # platform-specific tarball needs a unique version string.
-    return f"{version}-{platform_tag}"
-
-
 def run_command(cmd: list[str], cwd: Path | None = None) -> None:
     print("+", " ".join(cmd))
     subprocess.run(cmd, cwd=cwd, check=True)
@@ -363,8 +240,8 @@ def stage_codex_sdk_sources(staging_dir: Path) -> None:
 def copy_native_binaries(
     vendor_src: Path,
     staging_dir: Path,
+    package: str,
     components: list[str],
-    target_filter: set[str] | None = None,
 ) -> None:
     vendor_src = vendor_src.resolve()
     if not vendor_src.exists():
@@ -379,18 +256,15 @@ def copy_native_binaries(
         shutil.rmtree(vendor_dest)
     vendor_dest.mkdir(parents=True, exist_ok=True)
 
-    copied_targets: set[str] = set()
-
     for target_dir in vendor_src.iterdir():
         if not target_dir.is_dir():
             continue
 
-        if target_filter is not None and target_dir.name not in target_filter:
-            continue
+        if "windows" in target_dir.name:
+            components_set.update(WINDOWS_ONLY_COMPONENTS.get(package, []))
 
         dest_target_dir = vendor_dest / target_dir.name
         dest_target_dir.mkdir(parents=True, exist_ok=True)
-        copied_targets.add(target_dir.name)
 
         for component in components_set:
             dest_dir_name = COMPONENT_DEST_DIR.get(component)
@@ -408,12 +282,6 @@ def copy_native_binaries(
                 shutil.rmtree(dest_component_dir)
             shutil.copytree(src_component_dir, dest_component_dir)
 
-    if target_filter is not None:
-        missing_targets = sorted(target_filter - copied_targets)
-        if missing_targets:
-            missing_list = ", ".join(missing_targets)
-            raise RuntimeError(f"Missing target directories in vendor source: {missing_list}")
-
 
 def run_npm_pack(staging_dir: Path, output_path: Path) -> Path:
     output_path = output_path.resolve()

codex-rs/.cargo/config.toml

@@ -1,11 +1,5 @@
 [target.'cfg(all(windows, target_env = "msvc"))']
 rustflags = ["-C", "link-arg=/STACK:8388608"]
 
-# MSVC emits a warning about code that may trip "Cortex-A53 MPCore processor bug #843419" (see
-# https://developer.arm.com/documentation/epm048406/latest) which is sometimes emitted by LLVM.
-# Since Arm64 Windows 10+ isn't supported on that processor, it's safe to disable the warning.
-[target.aarch64-pc-windows-msvc]
-rustflags = ["-C", "link-arg=/STACK:8388608", "-C", "link-arg=/arm64hazardfree"]
-
 [target.'cfg(all(windows, target_env = "gnu"))']
 rustflags = ["-C", "link-arg=-Wl,--stack,8388608"]

codex-rs/.config/nextest.toml

@@ -2,12 +2,6 @@
 # Do not increase, fix your test instead
 slow-timeout = { period = "15s", terminate-after = 2 }
 
-[test-groups.app_server_protocol_codegen]
-max-threads = 1
-
-[test-groups.app_server_integration]
-max-threads = 1
-
 
 [[profile.default.overrides]]
 # Do not add new tests here
@@ -17,13 +11,3 @@ slow-timeout = { period = "1m", terminate-after = 4 }
 [[profile.default.overrides]]
 filter = 'test(approval_matrix_covers_all_modes)'
 slow-timeout = { period = "30s", terminate-after = 2 }
-
-[[profile.default.overrides]]
-filter = 'package(codex-app-server-protocol) & (test(typescript_schema_fixtures_match_generated) | test(json_schema_fixtures_match_generated) | test(generate_ts_with_experimental_api_retains_experimental_entries) | test(generated_ts_optional_nullable_fields_only_in_params) | test(generate_json_filters_experimental_fields_and_methods))'
-test-group = 'app_server_protocol_codegen'
-
-[[profile.default.overrides]]
-# These integration tests spawn a fresh app-server subprocess per case.
-# Keep the library unit tests parallel.
-filter = 'package(codex-app-server) & kind(test)'
-test-group = 'app_server_integration'

codex-rs/BUILD.bazel

@@ -1,18 +0,0 @@
-exports_files([
-    "clippy.toml",
-    "node-version.txt",
-])
-
-filegroup(
-    name = "workspace-files",
-    srcs = glob(
-        [
-            "*",
-            ".cargo/**",
-        ],
-        exclude = [
-            "BUILD.bazel",
-        ],
-    ),
-    visibility = ["//visibility:public"],
-)

codex-rs/Cargo.toml

@@ -1,36 +1,20 @@
 [workspace]
 members = [
-    "analytics",
     "backend-client",
     "ansi-escape",
     "async-utils",
     "app-server",
-    "app-server-client",
     "app-server-protocol",
     "app-server-test-client",
-    "debug-client",
     "apply-patch",
     "arg0",
     "feedback",
-    "features",
     "codex-backend-openapi-models",
-    "code-mode",
-    "cloud-requirements",
     "cloud-tasks",
     "cloud-tasks-client",
-    "cloud-tasks-mock-client",
     "cli",
-    "connectors",
-    "config",
-    "shell-command",
-    "shell-escalation",
-    "shell",
-    "skills",
+    "common",
     "core",
-    "core-skills",
-    "hooks",
-    "instructions",
-    "secrets",
     "exec",
     "exec-server",
     "execpolicy",
@@ -40,50 +24,28 @@ members = [
     "linux-sandbox",
     "lmstudio",
     "login",
-    "codex-mcp",
     "mcp-server",
-    "network-proxy",
+    "mcp-types",
     "ollama",
     "process-hardening",
     "protocol",
-    "rollout",
     "rmcp-client",
     "responses-api-proxy",
-    "sandboxing",
     "stdio-to-uds",
     "otel",
     "tui",
-    "tools",
-    "v8-poc",
+    "tui2",
     "utils/absolute-path",
     "utils/cargo-bin",
-    "git-utils",
+    "utils/git",
     "utils/cache",
     "utils/image",
     "utils/json-to-toml",
-    "utils/home-dir",
     "utils/pty",
     "utils/readiness",
-    "utils/rustls-provider",
     "utils/string",
-    "utils/cli",
-    "utils/elapsed",
-    "utils/sandbox-summary",
-    "utils/sleep-inhibitor",
-    "utils/approval-presets",
-    "utils/oss",
-    "utils/output-truncation",
-    "utils/path-utils",
-    "utils/plugins",
-    "utils/fuzzy-match",
-    "utils/stream-parser",
-    "utils/template",
     "codex-client",
     "codex-api",
-    "state",
-    "terminal-detection",
-    "codex-experimental-api-macros",
-    "plugin",
 ]
 resolver = "2"
 
@@ -99,98 +61,56 @@ license = "Apache-2.0"
 [workspace.dependencies]
 # Internal
 app_test_support = { path = "app-server/tests/common" }
-codex-analytics = { path = "analytics" }
 codex-ansi-escape = { path = "ansi-escape" }
 codex-api = { path = "codex-api" }
 codex-app-server = { path = "app-server" }
-codex-app-server-client = { path = "app-server-client" }
 codex-app-server-protocol = { path = "app-server-protocol" }
-codex-app-server-test-client = { path = "app-server-test-client" }
 codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
 codex-backend-client = { path = "backend-client" }
 codex-chatgpt = { path = "chatgpt" }
-codex-cli = { path = "cli" }
 codex-client = { path = "codex-client" }
-codex-cloud-requirements = { path = "cloud-requirements" }
-codex-cloud-tasks-client = { path = "cloud-tasks-client" }
-codex-cloud-tasks-mock-client = { path = "cloud-tasks-mock-client" }
-codex-code-mode = { path = "code-mode" }
-codex-config = { path = "config" }
-codex-connectors = { path = "connectors" }
+codex-common = { path = "common" }
 codex-core = { path = "core" }
-codex-core-skills = { path = "core-skills" }
 codex-exec = { path = "exec" }
-codex-exec-server = { path = "exec-server" }
 codex-execpolicy = { path = "execpolicy" }
-codex-experimental-api-macros = { path = "codex-experimental-api-macros" }
-codex-features = { path = "features" }
 codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
-codex-git-utils = { path = "git-utils" }
-codex-hooks = { path = "hooks" }
-codex-instructions = { path = "instructions" }
+codex-git = { path = "utils/git" }
 codex-keyring-store = { path = "keyring-store" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
 codex-login = { path = "login" }
-codex-mcp = { path = "codex-mcp" }
 codex-mcp-server = { path = "mcp-server" }
-codex-network-proxy = { path = "network-proxy" }
 codex-ollama = { path = "ollama" }
 codex-otel = { path = "otel" }
-codex-plugin = { path = "plugin" }
 codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
-codex-rollout = { path = "rollout" }
-codex-sandboxing = { path = "sandboxing" }
-codex-secrets = { path = "secrets" }
-codex-shell-command = { path = "shell-command" }
-codex-shell-escalation = { path = "shell-escalation" }
-codex-shell = { path = "shell" }
-codex-skills = { path = "skills" }
-codex-state = { path = "state" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
-codex-terminal-detection = { path = "terminal-detection" }
-codex-tools = { path = "tools" }
 codex-tui = { path = "tui" }
+codex-tui2 = { path = "tui2" }
 codex-utils-absolute-path = { path = "utils/absolute-path" }
-codex-utils-approval-presets = { path = "utils/approval-presets" }
 codex-utils-cache = { path = "utils/cache" }
 codex-utils-cargo-bin = { path = "utils/cargo-bin" }
-codex-utils-cli = { path = "utils/cli" }
-codex-utils-elapsed = { path = "utils/elapsed" }
-codex-utils-fuzzy-match = { path = "utils/fuzzy-match" }
-codex-utils-home-dir = { path = "utils/home-dir" }
 codex-utils-image = { path = "utils/image" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
-codex-utils-oss = { path = "utils/oss" }
-codex-utils-output-truncation = { path = "utils/output-truncation" }
-codex-utils-path = { path = "utils/path-utils" }
-codex-utils-plugins = { path = "utils/plugins" }
 codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
-codex-utils-rustls-provider = { path = "utils/rustls-provider" }
-codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
-codex-utils-sleep-inhibitor = { path = "utils/sleep-inhibitor" }
-codex-utils-stream-parser = { path = "utils/stream-parser" }
 codex-utils-string = { path = "utils/string" }
-codex-utils-template = { path = "utils/template" }
-codex-v8-poc = { path = "v8-poc" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
+exec_server_test_support = { path = "exec-server/tests/common" }
+mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
 
 # External
-age = "0.11.1"
 allocative = "0.3.3"
 ansi-to-tui = "7.0.0"
 anyhow = "1"
 arboard = { version = "3", features = ["wayland-data-control"] }
-arc-swap = "1.9.0"
 assert_cmd = "2"
 assert_matches = "1.5.0"
 async-channel = "2.3.1"
@@ -198,18 +118,14 @@ async-stream = "0.3.6"
 async-trait = "0.1.89"
 axum = { version = "0.8", default-features = false }
 base64 = "0.22.1"
-bm25 = "2.3.2"
 bytes = "1.10.1"
 chardetng = "0.1.17"
-chrono = "0.4.43"
+chrono = "0.4.42"
 clap = "4"
 clap_complete = "4"
 color-eyre = "0.6.3"
-constant_time_eq = "0.3.1"
-crossbeam-channel = "0.5.15"
 crossterm = "0.28.1"
-csv = "1.3.1"
-ctor = "0.6.3"
+ctor = "0.5.0"
 derive_more = "2"
 diffy = "0.4.2"
 dirs = "6"
@@ -217,14 +133,11 @@ dotenvy = "0.15.7"
 dunce = "1.0.4"
 encoding_rs = "0.8.35"
 env-flags = "0.1.1"
-env_logger = "0.11.9"
+env_logger = "0.11.5"
+escargot = "0.5"
 eventsource-stream = "0.2.3"
 futures = { version = "0.3", default-features = false }
-gethostname = "1.1.0"
-globset = "0.4"
-hmac = "0.12.1"
 http = "1.3.1"
-iana-time-zone = "0.1.64"
 icu_decimal = "2.1"
 icu_locale_core = "2.1"
 icu_provider = { version = "2.1", features = ["sync"] }
@@ -232,21 +145,19 @@ ignore = "0.4.23"
 image = { version = "^0.25.9", default-features = false }
 include_dir = "0.7.4"
 indexmap = "2.12.0"
-insta = "1.46.3"
-inventory = "0.3.19"
+insta = "1.46.0"
 itertools = "0.14.0"
-jsonwebtoken = "9.3.1"
 keyring = { version = "3.6", default-features = false }
 landlock = "0.4.4"
 lazy_static = "1"
-libc = "0.2.182"
+libc = "0.2.177"
 log = "0.4"
 lru = "0.16.3"
 maplit = "1.0.2"
 mime_guess = "2.0.5"
 multimap = "0.10.0"
 notify = "8.2.0"
-nucleo = { git = "https://github.com/helix-editor/nucleo.git", rev = "4253de9faabb4e5c6d81d946a5e35a90f87347ee" }
+nucleo-matcher = "0.3.1"
 once_cell = "1.20.2"
 openssl-sys = "*"
 opentelemetry = "0.31.0"
@@ -254,37 +165,29 @@ opentelemetry-appender-tracing = "0.31.0"
 opentelemetry-otlp = "0.31.0"
 opentelemetry-semantic-conventions = "0.31.0"
 opentelemetry_sdk = "0.31.0"
+tracing-opentelemetry = "0.32.0"
 os_info = "3.12.0"
-owo-colors = "4.3.0"
+owo-colors = "4.2.0"
 path-absolutize = "3.1.1"
 pathdiff = "0.2"
 portable-pty = "0.9.0"
 predicates = "3"
 pretty_assertions = "1.4.1"
 pulldown-cmark = "0.10"
-quick-xml = "0.38.4"
 rand = "0.9"
 ratatui = "0.29.0"
+ratatui-core = "0.1.0"
 ratatui-macros = "0.6.0"
-regex = "1.12.3"
+regex = "1.12.2"
 regex-lite = "0.1.8"
 reqwest = "0.12"
-rmcp = { version = "0.15.0", default-features = false }
-runfiles = { git = "https://github.com/dzbarsky/rules_rust", rev = "b56cbaa8465e74127f1ea216f813cd377295ad81" }
-rustls = { version = "0.23", default-features = false, features = [
-    "ring",
-    "std",
-] }
-rustls-native-certs = "0.8.3"
-rustls-pki-types = "1.14.0"
+rmcp = { version = "0.12.0", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
-semver = "1.0"
 sentry = "0.46.0"
 serde = "1"
 serde_json = "1"
-serde_path_to_error = "0.1.20"
-serde_with = "3.17"
+serde_with = "3.16"
 serde_yaml = "0.9"
 serial_test = "3.2.0"
 sha1 = "0.10.6"
@@ -292,61 +195,44 @@ sha2 = "0.10"
 shlex = "1.3.0"
 similar = "2.7.0"
 socket2 = "0.6.1"
-sqlx = { version = "0.8.6", default-features = false, features = [
-    "chrono",
-    "json",
-    "macros",
-    "migrate",
-    "runtime-tokio-rustls",
-    "sqlite",
-    "time",
-    "uuid",
-] }
 starlark = "0.13.0"
 strum = "0.27.2"
-strum_macros = "0.28.0"
+strum_macros = "0.27.2"
 supports-color = "3.0.2"
-syntect = "5"
 sys-locale = "0.3.2"
 tempfile = "3.23.0"
 test-log = "0.2.19"
 textwrap = "0.16.2"
 thiserror = "2.0.17"
-time = "0.3.47"
+time = "0.3"
 tiny_http = "0.12"
 tokio = "1"
 tokio-stream = "0.1.18"
 tokio-test = "0.4"
-tokio-tungstenite = { version = "0.28.0", features = [
-    "proxy",
-    "rustls-tls-native-roots",
-] }
-tokio-util = "0.7.18"
+tokio-util = "0.7.16"
 toml = "0.9.5"
 toml_edit = "0.24.0"
-tracing = "0.1.44"
+tracing = "0.1.43"
 tracing-appender = "0.2.3"
-tracing-opentelemetry = "0.32.0"
 tracing-subscriber = "0.3.22"
 tracing-test = "0.2.5"
 tree-sitter = "0.25.10"
 tree-sitter-bash = "0.25"
+zstd = "0.13"
+tree-sitter-highlight = "0.25.10"
 ts-rs = "11"
-tungstenite = { version = "0.27.0", features = ["deflate", "proxy"] }
+tui-scrollbar = "0.2.1"
 uds_windows = "1.1.0"
 unicode-segmentation = "1.12.0"
 unicode-width = "0.2"
 url = "2"
 urlencoding = "2.1"
 uuid = "1"
-v8 = "=146.4.0"
 vt100 = "0.16.2"
 walkdir = "2.5.0"
 webbrowser = "1.0"
-which = "8"
+which = "6"
 wildmatch = "2.6.1"
-zip = "2.4.2"
-zstd = "0.13"
 
 wiremock = "0.6"
 zeroize = "1.8.2"
@@ -392,17 +278,10 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = [
-    "icu_provider",
-    "openssl-sys",
-    "codex-utils-readiness",
-    "codex-utils-template",
-    "codex-v8-poc",
-]
+ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness"]
 
 [profile.release]
 lto = "fat"
-split-debuginfo = "off"
 # Because we bundle some of these executables with the TypeScript CLI, we
 # remove everything to make the binary as small as possible.
 strip = "symbols"
@@ -420,11 +299,6 @@ opt-level = 0
 # ratatui = { path = "../../ratatui" }
 crossterm = { git = "https://github.com/nornagon/crossterm", branch = "nornagon/color-query" }
 ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
-tokio-tungstenite = { git = "https://github.com/openai-oss-forks/tokio-tungstenite", rev = "132f5b39c862e3a970f731d709608b3e6276d5f6" }
-tungstenite = { git = "https://github.com/openai-oss-forks/tungstenite-rs", rev = "9200079d3b54a1ff51072e24d81fd354f085156f" }
 
 # Uncomment to debug local changes.
 # rmcp = { path = "../../rust-sdk/crates/rmcp" }
-
-[patch."ssh://git@github.com/openai-oss-forks/tungstenite-rs.git"]
-tungstenite = { git = "https://github.com/openai-oss-forks/tungstenite-rs", rev = "9200079d3b54a1ff51072e24d81fd354f085156f" }

codex-rs/README.md

@@ -50,8 +50,7 @@ You can enable notifications by configuring a script that is run whenever the ag
 
 ### `codex exec` to run Codex programmatically/non-interactively
 
-To run Codex non-interactively, run `codex exec PROMPT` (you can also pass the prompt via `stdin`) and Codex will work on your task until it decides that it is done and exits. If you provide both a prompt argument and piped stdin, Codex appends stdin as a `<stdin>` block after the prompt so patterns like `echo "my output" | codex exec "Summarize this concisely"` work naturally. Output is printed to the terminal directly. You can set the `RUST_LOG` environment variable to see more about what's going on.
-Use `codex exec --ephemeral ...` to run without persisting session rollout files to disk.
+To run Codex non-interactively, run `codex exec PROMPT` (you can also pass the prompt via `stdin`) and Codex will work on your task until it decides that it is done and exits. Output is printed to the terminal directly. You can set the `RUST_LOG` environment variable to see more about what's going on.
 
 ### Experimenting with the Codex Sandbox
 
@@ -88,7 +87,6 @@ codex --sandbox danger-full-access
 ```
 
 The same setting can be persisted in `~/.codex/config.toml` via the top-level `sandbox_mode = "MODE"` key, e.g. `sandbox_mode = "workspace-write"`.
-In `workspace-write`, Codex also includes `~/.codex/memories` in its writable roots so memory maintenance does not require an extra approval.
 
 ## Code Organization
 
@@ -98,5 +96,3 @@ This folder is the root of a Cargo workspace. It contains quite a bit of experim
 - [`exec/`](./exec) "headless" CLI for use in automation.
 - [`tui/`](./tui) CLI that launches a fullscreen TUI built with [Ratatui](https://ratatui.rs/).
 - [`cli/`](./cli) CLI multitool that provides the aforementioned CLIs via subcommands.
-
-If you want to contribute or inspect behavior in detail, start by reading the module-level `README.md` files under each crate and run the project workspace from the top-level `codex-rs` directory so shared config, features, and build scripts stay aligned.

codex-rs/analytics/BUILD.bazel

@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "analytics",
-    crate_name = "codex_analytics",
-)

codex-rs/analytics/Cargo.toml

@@ -1,32 +0,0 @@
-[package]
-edition.workspace = true
-license.workspace = true
-name = "codex-analytics"
-version.workspace = true
-
-[lib]
-doctest = false
-name = "codex_analytics"
-path = "src/lib.rs"
-
-[lints]
-workspace = true
-
-[dependencies]
-codex-app-server-protocol = { workspace = true }
-codex-git-utils = { workspace = true }
-codex-login = { workspace = true }
-codex-plugin = { workspace = true }
-codex-protocol = { workspace = true }
-os_info = { workspace = true }
-serde = { workspace = true, features = ["derive"] }
-sha1 = { workspace = true }
-tokio = { workspace = true, features = [
-    "macros",
-    "rt-multi-thread",
-] }
-tracing = { workspace = true, features = ["log"] }
-
-[dev-dependencies]
-pretty_assertions = { workspace = true }
-serde_json = { workspace = true }

codex-rs/analytics/src/analytics_client_tests.rs

@@ -1,689 +0,0 @@
-use crate::client::AnalyticsEventsQueue;
-use crate::events::AppServerRpcTransport;
-use crate::events::CodexAppMentionedEventRequest;
-use crate::events::CodexAppServerClientMetadata;
-use crate::events::CodexAppUsedEventRequest;
-use crate::events::CodexPluginEventRequest;
-use crate::events::CodexPluginUsedEventRequest;
-use crate::events::CodexRuntimeMetadata;
-use crate::events::ThreadInitializationMode;
-use crate::events::ThreadInitializedEvent;
-use crate::events::ThreadInitializedEventParams;
-use crate::events::TrackEventRequest;
-use crate::events::codex_app_metadata;
-use crate::events::codex_plugin_metadata;
-use crate::events::codex_plugin_used_metadata;
-use crate::facts::AnalyticsFact;
-use crate::facts::AppInvocation;
-use crate::facts::AppMentionedInput;
-use crate::facts::AppUsedInput;
-use crate::facts::CustomAnalyticsFact;
-use crate::facts::InvocationType;
-use crate::facts::PluginState;
-use crate::facts::PluginStateChangedInput;
-use crate::facts::PluginUsedInput;
-use crate::facts::SkillInvocation;
-use crate::facts::SkillInvokedInput;
-use crate::facts::TrackEventsContext;
-use crate::reducer::AnalyticsReducer;
-use crate::reducer::normalize_path_for_skill_id;
-use crate::reducer::skill_id_for_local_skill;
-use codex_app_server_protocol::ApprovalsReviewer as AppServerApprovalsReviewer;
-use codex_app_server_protocol::AskForApproval as AppServerAskForApproval;
-use codex_app_server_protocol::ClientInfo;
-use codex_app_server_protocol::ClientResponse;
-use codex_app_server_protocol::InitializeCapabilities;
-use codex_app_server_protocol::InitializeParams;
-use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::SandboxPolicy as AppServerSandboxPolicy;
-use codex_app_server_protocol::SessionSource as AppServerSessionSource;
-use codex_app_server_protocol::Thread;
-use codex_app_server_protocol::ThreadResumeResponse;
-use codex_app_server_protocol::ThreadStartResponse;
-use codex_app_server_protocol::ThreadStatus as AppServerThreadStatus;
-use codex_login::default_client::DEFAULT_ORIGINATOR;
-use codex_login::default_client::originator;
-use codex_plugin::AppConnectorId;
-use codex_plugin::PluginCapabilitySummary;
-use codex_plugin::PluginId;
-use codex_plugin::PluginTelemetryMetadata;
-use pretty_assertions::assert_eq;
-use serde_json::json;
-use std::collections::HashSet;
-use std::path::PathBuf;
-use std::sync::Arc;
-use std::sync::Mutex;
-use tokio::sync::mpsc;
-
-fn sample_thread(thread_id: &str, ephemeral: bool) -> Thread {
-    Thread {
-        id: thread_id.to_string(),
-        forked_from_id: None,
-        preview: "first prompt".to_string(),
-        ephemeral,
-        model_provider: "openai".to_string(),
-        created_at: 1,
-        updated_at: 2,
-        status: AppServerThreadStatus::Idle,
-        path: None,
-        cwd: PathBuf::from("/tmp"),
-        cli_version: "0.0.0".to_string(),
-        source: AppServerSessionSource::Exec,
-        agent_nickname: None,
-        agent_role: None,
-        git_info: None,
-        name: None,
-        turns: Vec::new(),
-    }
-}
-
-fn sample_thread_start_response(thread_id: &str, ephemeral: bool, model: &str) -> ClientResponse {
-    ClientResponse::ThreadStart {
-        request_id: RequestId::Integer(1),
-        response: ThreadStartResponse {
-            thread: sample_thread(thread_id, ephemeral),
-            model: model.to_string(),
-            model_provider: "openai".to_string(),
-            service_tier: None,
-            cwd: PathBuf::from("/tmp"),
-            approval_policy: AppServerAskForApproval::OnFailure,
-            approvals_reviewer: AppServerApprovalsReviewer::User,
-            sandbox: AppServerSandboxPolicy::DangerFullAccess,
-            reasoning_effort: None,
-        },
-    }
-}
-
-fn sample_thread_resume_response(thread_id: &str, ephemeral: bool, model: &str) -> ClientResponse {
-    ClientResponse::ThreadResume {
-        request_id: RequestId::Integer(2),
-        response: ThreadResumeResponse {
-            thread: sample_thread(thread_id, ephemeral),
-            model: model.to_string(),
-            model_provider: "openai".to_string(),
-            service_tier: None,
-            cwd: PathBuf::from("/tmp"),
-            approval_policy: AppServerAskForApproval::OnFailure,
-            approvals_reviewer: AppServerApprovalsReviewer::User,
-            sandbox: AppServerSandboxPolicy::DangerFullAccess,
-            reasoning_effort: None,
-        },
-    }
-}
-
-fn expected_absolute_path(path: &PathBuf) -> String {
-    std::fs::canonicalize(path)
-        .unwrap_or_else(|_| path.to_path_buf())
-        .to_string_lossy()
-        .replace('\\', "/")
-}
-
-#[test]
-fn normalize_path_for_skill_id_repo_scoped_uses_relative_path() {
-    let repo_root = PathBuf::from("/repo/root");
-    let skill_path = PathBuf::from("/repo/root/.codex/skills/doc/SKILL.md");
-
-    let path = normalize_path_for_skill_id(
-        Some("https://example.com/repo.git"),
-        Some(repo_root.as_path()),
-        skill_path.as_path(),
-    );
-
-    assert_eq!(path, ".codex/skills/doc/SKILL.md");
-}
-
-#[test]
-fn normalize_path_for_skill_id_user_scoped_uses_absolute_path() {
-    let skill_path = PathBuf::from("/Users/abc/.codex/skills/doc/SKILL.md");
-
-    let path = normalize_path_for_skill_id(
-        /*repo_url*/ None,
-        /*repo_root*/ None,
-        skill_path.as_path(),
-    );
-    let expected = expected_absolute_path(&skill_path);
-
-    assert_eq!(path, expected);
-}
-
-#[test]
-fn normalize_path_for_skill_id_admin_scoped_uses_absolute_path() {
-    let skill_path = PathBuf::from("/etc/codex/skills/doc/SKILL.md");
-
-    let path = normalize_path_for_skill_id(
-        /*repo_url*/ None,
-        /*repo_root*/ None,
-        skill_path.as_path(),
-    );
-    let expected = expected_absolute_path(&skill_path);
-
-    assert_eq!(path, expected);
-}
-
-#[test]
-fn normalize_path_for_skill_id_repo_root_not_in_skill_path_uses_absolute_path() {
-    let repo_root = PathBuf::from("/repo/root");
-    let skill_path = PathBuf::from("/other/path/.codex/skills/doc/SKILL.md");
-
-    let path = normalize_path_for_skill_id(
-        Some("https://example.com/repo.git"),
-        Some(repo_root.as_path()),
-        skill_path.as_path(),
-    );
-    let expected = expected_absolute_path(&skill_path);
-
-    assert_eq!(path, expected);
-}
-
-#[test]
-fn app_mentioned_event_serializes_expected_shape() {
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-1".to_string(),
-    };
-    let event = TrackEventRequest::AppMentioned(CodexAppMentionedEventRequest {
-        event_type: "codex_app_mentioned",
-        event_params: codex_app_metadata(
-            &tracking,
-            AppInvocation {
-                connector_id: Some("calendar".to_string()),
-                app_name: Some("Calendar".to_string()),
-                invocation_type: Some(InvocationType::Explicit),
-            },
-        ),
-    });
-
-    let payload = serde_json::to_value(&event).expect("serialize app mentioned event");
-
-    assert_eq!(
-        payload,
-        json!({
-            "event_type": "codex_app_mentioned",
-            "event_params": {
-                "connector_id": "calendar",
-                "thread_id": "thread-1",
-                "turn_id": "turn-1",
-                "app_name": "Calendar",
-                "product_client_id": originator().value,
-                "invoke_type": "explicit",
-                "model_slug": "gpt-5"
-            }
-        })
-    );
-}
-
-#[test]
-fn app_used_event_serializes_expected_shape() {
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-2".to_string(),
-        turn_id: "turn-2".to_string(),
-    };
-    let event = TrackEventRequest::AppUsed(CodexAppUsedEventRequest {
-        event_type: "codex_app_used",
-        event_params: codex_app_metadata(
-            &tracking,
-            AppInvocation {
-                connector_id: Some("drive".to_string()),
-                app_name: Some("Google Drive".to_string()),
-                invocation_type: Some(InvocationType::Implicit),
-            },
-        ),
-    });
-
-    let payload = serde_json::to_value(&event).expect("serialize app used event");
-
-    assert_eq!(
-        payload,
-        json!({
-            "event_type": "codex_app_used",
-            "event_params": {
-                "connector_id": "drive",
-                "thread_id": "thread-2",
-                "turn_id": "turn-2",
-                "app_name": "Google Drive",
-                "product_client_id": originator().value,
-                "invoke_type": "implicit",
-                "model_slug": "gpt-5"
-            }
-        })
-    );
-}
-
-#[test]
-fn app_used_dedupe_is_keyed_by_turn_and_connector() {
-    let (sender, _receiver) = mpsc::channel(1);
-    let queue = AnalyticsEventsQueue {
-        sender,
-        app_used_emitted_keys: Arc::new(Mutex::new(HashSet::new())),
-        plugin_used_emitted_keys: Arc::new(Mutex::new(HashSet::new())),
-    };
-    let app = AppInvocation {
-        connector_id: Some("calendar".to_string()),
-        app_name: Some("Calendar".to_string()),
-        invocation_type: Some(InvocationType::Implicit),
-    };
-
-    let turn_1 = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-1".to_string(),
-    };
-    let turn_2 = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-2".to_string(),
-    };
-
-    assert_eq!(queue.should_enqueue_app_used(&turn_1, &app), true);
-    assert_eq!(queue.should_enqueue_app_used(&turn_1, &app), false);
-    assert_eq!(queue.should_enqueue_app_used(&turn_2, &app), true);
-}
-
-#[test]
-fn thread_initialized_event_serializes_expected_shape() {
-    let event = TrackEventRequest::ThreadInitialized(ThreadInitializedEvent {
-        event_type: "codex_thread_initialized",
-        event_params: ThreadInitializedEventParams {
-            thread_id: "thread-0".to_string(),
-            app_server_client: CodexAppServerClientMetadata {
-                product_client_id: DEFAULT_ORIGINATOR.to_string(),
-                client_name: Some("codex-tui".to_string()),
-                client_version: Some("1.0.0".to_string()),
-                rpc_transport: AppServerRpcTransport::Stdio,
-                experimental_api_enabled: Some(true),
-            },
-            runtime: CodexRuntimeMetadata {
-                codex_rs_version: "0.1.0".to_string(),
-                runtime_os: "macos".to_string(),
-                runtime_os_version: "15.3.1".to_string(),
-                runtime_arch: "aarch64".to_string(),
-            },
-            model: "gpt-5".to_string(),
-            ephemeral: true,
-            thread_source: Some("user"),
-            initialization_mode: ThreadInitializationMode::New,
-            subagent_source: None,
-            parent_thread_id: None,
-            created_at: 1,
-        },
-    });
-
-    let payload = serde_json::to_value(&event).expect("serialize thread initialized event");
-
-    assert_eq!(
-        payload,
-        json!({
-            "event_type": "codex_thread_initialized",
-            "event_params": {
-                "thread_id": "thread-0",
-                "app_server_client": {
-                    "product_client_id": DEFAULT_ORIGINATOR,
-                    "client_name": "codex-tui",
-                    "client_version": "1.0.0",
-                    "rpc_transport": "stdio",
-                    "experimental_api_enabled": true
-                },
-                "runtime": {
-                    "codex_rs_version": "0.1.0",
-                    "runtime_os": "macos",
-                    "runtime_os_version": "15.3.1",
-                    "runtime_arch": "aarch64"
-                },
-                "model": "gpt-5",
-                "ephemeral": true,
-                "thread_source": "user",
-                "initialization_mode": "new",
-                "subagent_source": null,
-                "parent_thread_id": null,
-                "created_at": 1
-            }
-        })
-    );
-}
-
-#[tokio::test]
-async fn initialize_caches_client_and_thread_lifecycle_publishes_once_initialized() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-
-    reducer
-        .ingest(
-            AnalyticsFact::Response {
-                connection_id: 7,
-                response: Box::new(sample_thread_start_response(
-                    "thread-no-client",
-                    /*ephemeral*/ false,
-                    "gpt-5",
-                )),
-            },
-            &mut events,
-        )
-        .await;
-    assert!(events.is_empty(), "thread events should require initialize");
-
-    reducer
-        .ingest(
-            AnalyticsFact::Initialize {
-                connection_id: 7,
-                params: InitializeParams {
-                    client_info: ClientInfo {
-                        name: "codex-tui".to_string(),
-                        title: None,
-                        version: "1.0.0".to_string(),
-                    },
-                    capabilities: Some(InitializeCapabilities {
-                        experimental_api: false,
-                        opt_out_notification_methods: None,
-                    }),
-                },
-                product_client_id: DEFAULT_ORIGINATOR.to_string(),
-                runtime: CodexRuntimeMetadata {
-                    codex_rs_version: "0.99.0".to_string(),
-                    runtime_os: "linux".to_string(),
-                    runtime_os_version: "24.04".to_string(),
-                    runtime_arch: "x86_64".to_string(),
-                },
-                rpc_transport: AppServerRpcTransport::Websocket,
-            },
-            &mut events,
-        )
-        .await;
-    assert!(events.is_empty(), "initialize should not publish by itself");
-
-    reducer
-        .ingest(
-            AnalyticsFact::Response {
-                connection_id: 7,
-                response: Box::new(sample_thread_resume_response(
-                    "thread-1", /*ephemeral*/ true, "gpt-5",
-                )),
-            },
-            &mut events,
-        )
-        .await;
-
-    let payload = serde_json::to_value(&events).expect("serialize events");
-    assert_eq!(payload.as_array().expect("events array").len(), 1);
-    assert_eq!(payload[0]["event_type"], "codex_thread_initialized");
-    assert_eq!(
-        payload[0]["event_params"]["app_server_client"]["product_client_id"],
-        DEFAULT_ORIGINATOR
-    );
-    assert_eq!(
-        payload[0]["event_params"]["app_server_client"]["client_name"],
-        "codex-tui"
-    );
-    assert_eq!(
-        payload[0]["event_params"]["app_server_client"]["client_version"],
-        "1.0.0"
-    );
-    assert_eq!(
-        payload[0]["event_params"]["app_server_client"]["rpc_transport"],
-        "websocket"
-    );
-    assert_eq!(
-        payload[0]["event_params"]["app_server_client"]["experimental_api_enabled"],
-        false
-    );
-    assert_eq!(
-        payload[0]["event_params"]["runtime"]["codex_rs_version"],
-        "0.99.0"
-    );
-    assert_eq!(payload[0]["event_params"]["runtime"]["runtime_os"], "linux");
-    assert_eq!(
-        payload[0]["event_params"]["runtime"]["runtime_os_version"],
-        "24.04"
-    );
-    assert_eq!(
-        payload[0]["event_params"]["runtime"]["runtime_arch"],
-        "x86_64"
-    );
-    assert_eq!(payload[0]["event_params"]["initialization_mode"], "resumed");
-    assert_eq!(payload[0]["event_params"]["thread_source"], "user");
-    assert_eq!(payload[0]["event_params"]["subagent_source"], json!(null));
-    assert_eq!(payload[0]["event_params"]["parent_thread_id"], json!(null));
-}
-
-#[test]
-fn plugin_used_event_serializes_expected_shape() {
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-3".to_string(),
-        turn_id: "turn-3".to_string(),
-    };
-    let event = TrackEventRequest::PluginUsed(CodexPluginUsedEventRequest {
-        event_type: "codex_plugin_used",
-        event_params: codex_plugin_used_metadata(&tracking, sample_plugin_metadata()),
-    });
-
-    let payload = serde_json::to_value(&event).expect("serialize plugin used event");
-
-    assert_eq!(
-        payload,
-        json!({
-            "event_type": "codex_plugin_used",
-            "event_params": {
-                "plugin_id": "sample@test",
-                "plugin_name": "sample",
-                "marketplace_name": "test",
-                "has_skills": true,
-                "mcp_server_count": 2,
-                "connector_ids": ["calendar", "drive"],
-                "product_client_id": originator().value,
-                "thread_id": "thread-3",
-                "turn_id": "turn-3",
-                "model_slug": "gpt-5"
-            }
-        })
-    );
-}
-
-#[test]
-fn plugin_management_event_serializes_expected_shape() {
-    let event = TrackEventRequest::PluginInstalled(CodexPluginEventRequest {
-        event_type: "codex_plugin_installed",
-        event_params: codex_plugin_metadata(sample_plugin_metadata()),
-    });
-
-    let payload = serde_json::to_value(&event).expect("serialize plugin installed event");
-
-    assert_eq!(
-        payload,
-        json!({
-            "event_type": "codex_plugin_installed",
-            "event_params": {
-                "plugin_id": "sample@test",
-                "plugin_name": "sample",
-                "marketplace_name": "test",
-                "has_skills": true,
-                "mcp_server_count": 2,
-                "connector_ids": ["calendar", "drive"],
-                "product_client_id": originator().value
-            }
-        })
-    );
-}
-
-#[test]
-fn plugin_used_dedupe_is_keyed_by_turn_and_plugin() {
-    let (sender, _receiver) = mpsc::channel(1);
-    let queue = AnalyticsEventsQueue {
-        sender,
-        app_used_emitted_keys: Arc::new(Mutex::new(HashSet::new())),
-        plugin_used_emitted_keys: Arc::new(Mutex::new(HashSet::new())),
-    };
-    let plugin = sample_plugin_metadata();
-
-    let turn_1 = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-1".to_string(),
-    };
-    let turn_2 = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-2".to_string(),
-    };
-
-    assert_eq!(queue.should_enqueue_plugin_used(&turn_1, &plugin), true);
-    assert_eq!(queue.should_enqueue_plugin_used(&turn_1, &plugin), false);
-    assert_eq!(queue.should_enqueue_plugin_used(&turn_2, &plugin), true);
-}
-
-#[tokio::test]
-async fn reducer_ingests_skill_invoked_fact() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-1".to_string(),
-    };
-    let skill_path = PathBuf::from("/Users/abc/.codex/skills/doc/SKILL.md");
-    let expected_skill_id = skill_id_for_local_skill(
-        /*repo_url*/ None,
-        /*repo_root*/ None,
-        skill_path.as_path(),
-        "doc",
-    );
-
-    reducer
-        .ingest(
-            AnalyticsFact::Custom(CustomAnalyticsFact::SkillInvoked(SkillInvokedInput {
-                tracking,
-                invocations: vec![SkillInvocation {
-                    skill_name: "doc".to_string(),
-                    skill_scope: codex_protocol::protocol::SkillScope::User,
-                    skill_path,
-                    invocation_type: InvocationType::Explicit,
-                }],
-            })),
-            &mut events,
-        )
-        .await;
-
-    let payload = serde_json::to_value(&events).expect("serialize events");
-    assert_eq!(
-        payload,
-        json!([{
-            "event_type": "skill_invocation",
-            "skill_id": expected_skill_id,
-            "skill_name": "doc",
-            "event_params": {
-                "product_client_id": originator().value,
-                "skill_scope": "user",
-                "repo_url": null,
-                "thread_id": "thread-1",
-                "invoke_type": "explicit",
-                "model_slug": "gpt-5"
-            }
-        }])
-    );
-}
-
-#[tokio::test]
-async fn reducer_ingests_app_and_plugin_facts() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-1".to_string(),
-    };
-
-    reducer
-        .ingest(
-            AnalyticsFact::Custom(CustomAnalyticsFact::AppMentioned(AppMentionedInput {
-                tracking: tracking.clone(),
-                mentions: vec![AppInvocation {
-                    connector_id: Some("calendar".to_string()),
-                    app_name: Some("Calendar".to_string()),
-                    invocation_type: Some(InvocationType::Explicit),
-                }],
-            })),
-            &mut events,
-        )
-        .await;
-    reducer
-        .ingest(
-            AnalyticsFact::Custom(CustomAnalyticsFact::AppUsed(AppUsedInput {
-                tracking: tracking.clone(),
-                app: AppInvocation {
-                    connector_id: Some("drive".to_string()),
-                    app_name: Some("Drive".to_string()),
-                    invocation_type: Some(InvocationType::Implicit),
-                },
-            })),
-            &mut events,
-        )
-        .await;
-    reducer
-        .ingest(
-            AnalyticsFact::Custom(CustomAnalyticsFact::PluginUsed(PluginUsedInput {
-                tracking,
-                plugin: sample_plugin_metadata(),
-            })),
-            &mut events,
-        )
-        .await;
-
-    let payload = serde_json::to_value(&events).expect("serialize events");
-    assert_eq!(payload.as_array().expect("events array").len(), 3);
-    assert_eq!(payload[0]["event_type"], "codex_app_mentioned");
-    assert_eq!(payload[1]["event_type"], "codex_app_used");
-    assert_eq!(payload[2]["event_type"], "codex_plugin_used");
-}
-
-#[tokio::test]
-async fn reducer_ingests_plugin_state_changed_fact() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-
-    reducer
-        .ingest(
-            AnalyticsFact::Custom(CustomAnalyticsFact::PluginStateChanged(
-                PluginStateChangedInput {
-                    plugin: sample_plugin_metadata(),
-                    state: PluginState::Disabled,
-                },
-            )),
-            &mut events,
-        )
-        .await;
-
-    let payload = serde_json::to_value(&events).expect("serialize events");
-    assert_eq!(
-        payload,
-        json!([{
-            "event_type": "codex_plugin_disabled",
-            "event_params": {
-                "plugin_id": "sample@test",
-                "plugin_name": "sample",
-                "marketplace_name": "test",
-                "has_skills": true,
-                "mcp_server_count": 2,
-                "connector_ids": ["calendar", "drive"],
-                "product_client_id": originator().value
-            }
-        }])
-    );
-}
-
-fn sample_plugin_metadata() -> PluginTelemetryMetadata {
-    PluginTelemetryMetadata {
-        plugin_id: PluginId::parse("sample@test").expect("valid plugin id"),
-        capability_summary: Some(PluginCapabilitySummary {
-            config_name: "sample@test".to_string(),
-            display_name: "sample".to_string(),
-            description: None,
-            has_skills: true,
-            mcp_server_names: vec!["mcp-1".to_string(), "mcp-2".to_string()],
-            app_connector_ids: vec![
-                AppConnectorId("calendar".to_string()),
-                AppConnectorId("drive".to_string()),
-            ],
-        }),
-    }
-}

codex-rs/analytics/src/client.rs

@@ -1,272 +0,0 @@
-use crate::events::AppServerRpcTransport;
-use crate::events::TrackEventRequest;
-use crate::events::TrackEventsRequest;
-use crate::events::current_runtime_metadata;
-use crate::facts::AnalyticsFact;
-use crate::facts::AppInvocation;
-use crate::facts::AppMentionedInput;
-use crate::facts::AppUsedInput;
-use crate::facts::CustomAnalyticsFact;
-use crate::facts::PluginState;
-use crate::facts::PluginStateChangedInput;
-use crate::facts::SkillInvocation;
-use crate::facts::SkillInvokedInput;
-use crate::facts::TrackEventsContext;
-use crate::reducer::AnalyticsReducer;
-use codex_app_server_protocol::ClientResponse;
-use codex_app_server_protocol::InitializeParams;
-use codex_login::AuthManager;
-use codex_login::default_client::create_client;
-use codex_plugin::PluginTelemetryMetadata;
-use std::collections::HashSet;
-use std::sync::Arc;
-use std::sync::Mutex;
-use std::time::Duration;
-use tokio::sync::mpsc;
-
-const ANALYTICS_EVENTS_QUEUE_SIZE: usize = 256;
-const ANALYTICS_EVENTS_TIMEOUT: Duration = Duration::from_secs(10);
-const ANALYTICS_EVENT_DEDUPE_MAX_KEYS: usize = 4096;
-
-#[derive(Clone)]
-pub(crate) struct AnalyticsEventsQueue {
-    pub(crate) sender: mpsc::Sender<AnalyticsFact>,
-    pub(crate) app_used_emitted_keys: Arc<Mutex<HashSet<(String, String)>>>,
-    pub(crate) plugin_used_emitted_keys: Arc<Mutex<HashSet<(String, String)>>>,
-}
-
-#[derive(Clone)]
-pub struct AnalyticsEventsClient {
-    queue: AnalyticsEventsQueue,
-    analytics_enabled: Option<bool>,
-}
-
-impl AnalyticsEventsQueue {
-    pub(crate) fn new(auth_manager: Arc<AuthManager>, base_url: String) -> Self {
-        let (sender, mut receiver) = mpsc::channel(ANALYTICS_EVENTS_QUEUE_SIZE);
-        tokio::spawn(async move {
-            let mut reducer = AnalyticsReducer::default();
-            while let Some(input) = receiver.recv().await {
-                let mut events = Vec::new();
-                reducer.ingest(input, &mut events).await;
-                send_track_events(&auth_manager, &base_url, events).await;
-            }
-        });
-        Self {
-            sender,
-            app_used_emitted_keys: Arc::new(Mutex::new(HashSet::new())),
-            plugin_used_emitted_keys: Arc::new(Mutex::new(HashSet::new())),
-        }
-    }
-
-    fn try_send(&self, input: AnalyticsFact) {
-        if self.sender.try_send(input).is_err() {
-            //TODO: add a metric for this
-            tracing::warn!("dropping analytics events: queue is full");
-        }
-    }
-
-    pub(crate) fn should_enqueue_app_used(
-        &self,
-        tracking: &TrackEventsContext,
-        app: &AppInvocation,
-    ) -> bool {
-        let Some(connector_id) = app.connector_id.as_ref() else {
-            return true;
-        };
-        let mut emitted = self
-            .app_used_emitted_keys
-            .lock()
-            .unwrap_or_else(std::sync::PoisonError::into_inner);
-        if emitted.len() >= ANALYTICS_EVENT_DEDUPE_MAX_KEYS {
-            emitted.clear();
-        }
-        emitted.insert((tracking.turn_id.clone(), connector_id.clone()))
-    }
-
-    pub(crate) fn should_enqueue_plugin_used(
-        &self,
-        tracking: &TrackEventsContext,
-        plugin: &PluginTelemetryMetadata,
-    ) -> bool {
-        let mut emitted = self
-            .plugin_used_emitted_keys
-            .lock()
-            .unwrap_or_else(std::sync::PoisonError::into_inner);
-        if emitted.len() >= ANALYTICS_EVENT_DEDUPE_MAX_KEYS {
-            emitted.clear();
-        }
-        emitted.insert((tracking.turn_id.clone(), plugin.plugin_id.as_key()))
-    }
-}
-
-impl AnalyticsEventsClient {
-    pub fn new(
-        auth_manager: Arc<AuthManager>,
-        base_url: String,
-        analytics_enabled: Option<bool>,
-    ) -> Self {
-        Self {
-            queue: AnalyticsEventsQueue::new(Arc::clone(&auth_manager), base_url),
-            analytics_enabled,
-        }
-    }
-
-    pub fn track_skill_invocations(
-        &self,
-        tracking: TrackEventsContext,
-        invocations: Vec<SkillInvocation>,
-    ) {
-        if invocations.is_empty() {
-            return;
-        }
-        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::SkillInvoked(
-            SkillInvokedInput {
-                tracking,
-                invocations,
-            },
-        )));
-    }
-
-    pub fn track_initialize(
-        &self,
-        connection_id: u64,
-        params: InitializeParams,
-        product_client_id: String,
-        rpc_transport: AppServerRpcTransport,
-    ) {
-        self.record_fact(AnalyticsFact::Initialize {
-            connection_id,
-            params,
-            product_client_id,
-            runtime: current_runtime_metadata(),
-            rpc_transport,
-        });
-    }
-
-    pub fn track_app_mentioned(&self, tracking: TrackEventsContext, mentions: Vec<AppInvocation>) {
-        if mentions.is_empty() {
-            return;
-        }
-        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::AppMentioned(
-            AppMentionedInput { tracking, mentions },
-        )));
-    }
-
-    pub fn track_app_used(&self, tracking: TrackEventsContext, app: AppInvocation) {
-        if !self.queue.should_enqueue_app_used(&tracking, &app) {
-            return;
-        }
-        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::AppUsed(
-            AppUsedInput { tracking, app },
-        )));
-    }
-
-    pub fn track_plugin_used(&self, tracking: TrackEventsContext, plugin: PluginTelemetryMetadata) {
-        if !self.queue.should_enqueue_plugin_used(&tracking, &plugin) {
-            return;
-        }
-        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::PluginUsed(
-            crate::facts::PluginUsedInput { tracking, plugin },
-        )));
-    }
-
-    pub fn track_plugin_installed(&self, plugin: PluginTelemetryMetadata) {
-        self.record_fact(AnalyticsFact::Custom(
-            CustomAnalyticsFact::PluginStateChanged(PluginStateChangedInput {
-                plugin,
-                state: PluginState::Installed,
-            }),
-        ));
-    }
-
-    pub fn track_plugin_uninstalled(&self, plugin: PluginTelemetryMetadata) {
-        self.record_fact(AnalyticsFact::Custom(
-            CustomAnalyticsFact::PluginStateChanged(PluginStateChangedInput {
-                plugin,
-                state: PluginState::Uninstalled,
-            }),
-        ));
-    }
-
-    pub fn track_plugin_enabled(&self, plugin: PluginTelemetryMetadata) {
-        self.record_fact(AnalyticsFact::Custom(
-            CustomAnalyticsFact::PluginStateChanged(PluginStateChangedInput {
-                plugin,
-                state: PluginState::Enabled,
-            }),
-        ));
-    }
-
-    pub fn track_plugin_disabled(&self, plugin: PluginTelemetryMetadata) {
-        self.record_fact(AnalyticsFact::Custom(
-            CustomAnalyticsFact::PluginStateChanged(PluginStateChangedInput {
-                plugin,
-                state: PluginState::Disabled,
-            }),
-        ));
-    }
-
-    pub(crate) fn record_fact(&self, input: AnalyticsFact) {
-        if self.analytics_enabled == Some(false) {
-            return;
-        }
-        self.queue.try_send(input);
-    }
-
-    pub fn track_response(&self, connection_id: u64, response: ClientResponse) {
-        self.record_fact(AnalyticsFact::Response {
-            connection_id,
-            response: Box::new(response),
-        });
-    }
-}
-
-async fn send_track_events(
-    auth_manager: &AuthManager,
-    base_url: &str,
-    events: Vec<TrackEventRequest>,
-) {
-    if events.is_empty() {
-        return;
-    }
-    let Some(auth) = auth_manager.auth().await else {
-        return;
-    };
-    if !auth.is_chatgpt_auth() {
-        return;
-    }
-    let access_token = match auth.get_token() {
-        Ok(token) => token,
-        Err(_) => return,
-    };
-    let Some(account_id) = auth.get_account_id() else {
-        return;
-    };
-
-    let base_url = base_url.trim_end_matches('/');
-    let url = format!("{base_url}/codex/analytics-events/events");
-    let payload = TrackEventsRequest { events };
-
-    let response = create_client()
-        .post(&url)
-        .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .bearer_auth(&access_token)
-        .header("chatgpt-account-id", &account_id)
-        .header("Content-Type", "application/json")
-        .json(&payload)
-        .send()
-        .await;
-
-    match response {
-        Ok(response) if response.status().is_success() => {}
-        Ok(response) => {
-            let status = response.status();
-            let body = response.text().await.unwrap_or_default();
-            tracing::warn!("events failed with status {status}: {body}");
-        }
-        Err(err) => {
-            tracing::warn!("failed to send events request: {err}");
-        }
-    }
-}

codex-rs/analytics/src/events.rs

@@ -1,230 +0,0 @@
-use crate::facts::AppInvocation;
-use crate::facts::InvocationType;
-use crate::facts::PluginState;
-use crate::facts::TrackEventsContext;
-use codex_login::default_client::originator;
-use codex_plugin::PluginTelemetryMetadata;
-use codex_protocol::protocol::SessionSource;
-use serde::Serialize;
-
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub enum AppServerRpcTransport {
-    Stdio,
-    Websocket,
-    InProcess,
-}
-
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub(crate) enum ThreadInitializationMode {
-    New,
-    Forked,
-    Resumed,
-}
-
-#[derive(Serialize)]
-pub(crate) struct TrackEventsRequest {
-    pub(crate) events: Vec<TrackEventRequest>,
-}
-
-#[derive(Serialize)]
-#[serde(untagged)]
-pub(crate) enum TrackEventRequest {
-    SkillInvocation(SkillInvocationEventRequest),
-    ThreadInitialized(ThreadInitializedEvent),
-    AppMentioned(CodexAppMentionedEventRequest),
-    AppUsed(CodexAppUsedEventRequest),
-    PluginUsed(CodexPluginUsedEventRequest),
-    PluginInstalled(CodexPluginEventRequest),
-    PluginUninstalled(CodexPluginEventRequest),
-    PluginEnabled(CodexPluginEventRequest),
-    PluginDisabled(CodexPluginEventRequest),
-}
-
-#[derive(Serialize)]
-pub(crate) struct SkillInvocationEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) skill_id: String,
-    pub(crate) skill_name: String,
-    pub(crate) event_params: SkillInvocationEventParams,
-}
-
-#[derive(Serialize)]
-pub(crate) struct SkillInvocationEventParams {
-    pub(crate) product_client_id: Option<String>,
-    pub(crate) skill_scope: Option<String>,
-    pub(crate) repo_url: Option<String>,
-    pub(crate) thread_id: Option<String>,
-    pub(crate) invoke_type: Option<InvocationType>,
-    pub(crate) model_slug: Option<String>,
-}
-
-#[derive(Clone, Serialize)]
-pub(crate) struct CodexAppServerClientMetadata {
-    pub(crate) product_client_id: String,
-    pub(crate) client_name: Option<String>,
-    pub(crate) client_version: Option<String>,
-    pub(crate) rpc_transport: AppServerRpcTransport,
-    pub(crate) experimental_api_enabled: Option<bool>,
-}
-
-#[derive(Clone, Serialize)]
-pub(crate) struct CodexRuntimeMetadata {
-    pub(crate) codex_rs_version: String,
-    pub(crate) runtime_os: String,
-    pub(crate) runtime_os_version: String,
-    pub(crate) runtime_arch: String,
-}
-
-#[derive(Serialize)]
-pub(crate) struct ThreadInitializedEventParams {
-    pub(crate) thread_id: String,
-    pub(crate) app_server_client: CodexAppServerClientMetadata,
-    pub(crate) runtime: CodexRuntimeMetadata,
-    pub(crate) model: String,
-    pub(crate) ephemeral: bool,
-    pub(crate) thread_source: Option<&'static str>,
-    pub(crate) initialization_mode: ThreadInitializationMode,
-    pub(crate) subagent_source: Option<String>,
-    pub(crate) parent_thread_id: Option<String>,
-    pub(crate) created_at: u64,
-}
-
-#[derive(Serialize)]
-pub(crate) struct ThreadInitializedEvent {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: ThreadInitializedEventParams,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexAppMetadata {
-    pub(crate) connector_id: Option<String>,
-    pub(crate) thread_id: Option<String>,
-    pub(crate) turn_id: Option<String>,
-    pub(crate) app_name: Option<String>,
-    pub(crate) product_client_id: Option<String>,
-    pub(crate) invoke_type: Option<InvocationType>,
-    pub(crate) model_slug: Option<String>,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexAppMentionedEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexAppMetadata,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexAppUsedEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexAppMetadata,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexPluginMetadata {
-    pub(crate) plugin_id: Option<String>,
-    pub(crate) plugin_name: Option<String>,
-    pub(crate) marketplace_name: Option<String>,
-    pub(crate) has_skills: Option<bool>,
-    pub(crate) mcp_server_count: Option<usize>,
-    pub(crate) connector_ids: Option<Vec<String>>,
-    pub(crate) product_client_id: Option<String>,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexPluginUsedMetadata {
-    #[serde(flatten)]
-    pub(crate) plugin: CodexPluginMetadata,
-    pub(crate) thread_id: Option<String>,
-    pub(crate) turn_id: Option<String>,
-    pub(crate) model_slug: Option<String>,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexPluginEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexPluginMetadata,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexPluginUsedEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexPluginUsedMetadata,
-}
-
-pub(crate) fn plugin_state_event_type(state: PluginState) -> &'static str {
-    match state {
-        PluginState::Installed => "codex_plugin_installed",
-        PluginState::Uninstalled => "codex_plugin_uninstalled",
-        PluginState::Enabled => "codex_plugin_enabled",
-        PluginState::Disabled => "codex_plugin_disabled",
-    }
-}
-
-pub(crate) fn codex_app_metadata(
-    tracking: &TrackEventsContext,
-    app: AppInvocation,
-) -> CodexAppMetadata {
-    CodexAppMetadata {
-        connector_id: app.connector_id,
-        thread_id: Some(tracking.thread_id.clone()),
-        turn_id: Some(tracking.turn_id.clone()),
-        app_name: app.app_name,
-        product_client_id: Some(originator().value),
-        invoke_type: app.invocation_type,
-        model_slug: Some(tracking.model_slug.clone()),
-    }
-}
-
-pub(crate) fn codex_plugin_metadata(plugin: PluginTelemetryMetadata) -> CodexPluginMetadata {
-    let capability_summary = plugin.capability_summary;
-    CodexPluginMetadata {
-        plugin_id: Some(plugin.plugin_id.as_key()),
-        plugin_name: Some(plugin.plugin_id.plugin_name),
-        marketplace_name: Some(plugin.plugin_id.marketplace_name),
-        has_skills: capability_summary
-            .as_ref()
-            .map(|summary| summary.has_skills),
-        mcp_server_count: capability_summary
-            .as_ref()
-            .map(|summary| summary.mcp_server_names.len()),
-        connector_ids: capability_summary.map(|summary| {
-            summary
-                .app_connector_ids
-                .into_iter()
-                .map(|connector_id| connector_id.0)
-                .collect()
-        }),
-        product_client_id: Some(originator().value),
-    }
-}
-
-pub(crate) fn codex_plugin_used_metadata(
-    tracking: &TrackEventsContext,
-    plugin: PluginTelemetryMetadata,
-) -> CodexPluginUsedMetadata {
-    CodexPluginUsedMetadata {
-        plugin: codex_plugin_metadata(plugin),
-        thread_id: Some(tracking.thread_id.clone()),
-        turn_id: Some(tracking.turn_id.clone()),
-        model_slug: Some(tracking.model_slug.clone()),
-    }
-}
-
-pub(crate) fn thread_source_name(thread_source: &SessionSource) -> Option<&'static str> {
-    match thread_source {
-        SessionSource::Cli | SessionSource::VSCode | SessionSource::Exec => Some("user"),
-        SessionSource::SubAgent(_) => Some("subagent"),
-        SessionSource::Mcp | SessionSource::Custom(_) | SessionSource::Unknown => None,
-    }
-}
-
-pub(crate) fn current_runtime_metadata() -> CodexRuntimeMetadata {
-    let os_info = os_info::get();
-    CodexRuntimeMetadata {
-        codex_rs_version: env!("CARGO_PKG_VERSION").to_string(),
-        runtime_os: std::env::consts::OS.to_string(),
-        runtime_os_version: os_info.version().to_string(),
-        runtime_arch: std::env::consts::ARCH.to_string(),
-    }
-}

codex-rs/analytics/src/facts.rs

@@ -1,116 +0,0 @@
-use crate::events::AppServerRpcTransport;
-use crate::events::CodexRuntimeMetadata;
-use codex_app_server_protocol::ClientRequest;
-use codex_app_server_protocol::ClientResponse;
-use codex_app_server_protocol::InitializeParams;
-use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::ServerNotification;
-use codex_plugin::PluginTelemetryMetadata;
-use codex_protocol::protocol::SkillScope;
-use serde::Serialize;
-use std::path::PathBuf;
-
-#[derive(Clone)]
-pub struct TrackEventsContext {
-    pub model_slug: String,
-    pub thread_id: String,
-    pub turn_id: String,
-}
-
-pub fn build_track_events_context(
-    model_slug: String,
-    thread_id: String,
-    turn_id: String,
-) -> TrackEventsContext {
-    TrackEventsContext {
-        model_slug,
-        thread_id,
-        turn_id,
-    }
-}
-
-#[derive(Clone, Debug)]
-pub struct SkillInvocation {
-    pub skill_name: String,
-    pub skill_scope: SkillScope,
-    pub skill_path: PathBuf,
-    pub invocation_type: InvocationType,
-}
-
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "lowercase")]
-pub enum InvocationType {
-    Explicit,
-    Implicit,
-}
-
-pub struct AppInvocation {
-    pub connector_id: Option<String>,
-    pub app_name: Option<String>,
-    pub invocation_type: Option<InvocationType>,
-}
-
-#[allow(dead_code)]
-pub(crate) enum AnalyticsFact {
-    Initialize {
-        connection_id: u64,
-        params: InitializeParams,
-        product_client_id: String,
-        runtime: CodexRuntimeMetadata,
-        rpc_transport: AppServerRpcTransport,
-    },
-    Request {
-        connection_id: u64,
-        request_id: RequestId,
-        request: Box<ClientRequest>,
-    },
-    Response {
-        connection_id: u64,
-        response: Box<ClientResponse>,
-    },
-    Notification(Box<ServerNotification>),
-    // Facts that do not naturally exist on the app-server protocol surface, or
-    // would require non-trivial protocol reshaping on this branch.
-    Custom(CustomAnalyticsFact),
-}
-
-pub(crate) enum CustomAnalyticsFact {
-    SkillInvoked(SkillInvokedInput),
-    AppMentioned(AppMentionedInput),
-    AppUsed(AppUsedInput),
-    PluginUsed(PluginUsedInput),
-    PluginStateChanged(PluginStateChangedInput),
-}
-
-pub(crate) struct SkillInvokedInput {
-    pub tracking: TrackEventsContext,
-    pub invocations: Vec<SkillInvocation>,
-}
-
-pub(crate) struct AppMentionedInput {
-    pub tracking: TrackEventsContext,
-    pub mentions: Vec<AppInvocation>,
-}
-
-pub(crate) struct AppUsedInput {
-    pub tracking: TrackEventsContext,
-    pub app: AppInvocation,
-}
-
-pub(crate) struct PluginUsedInput {
-    pub tracking: TrackEventsContext,
-    pub plugin: PluginTelemetryMetadata,
-}
-
-pub(crate) struct PluginStateChangedInput {
-    pub plugin: PluginTelemetryMetadata,
-    pub state: PluginState,
-}
-
-#[derive(Clone, Copy)]
-pub(crate) enum PluginState {
-    Installed,
-    Uninstalled,
-    Enabled,
-    Disabled,
-}

codex-rs/analytics/src/lib.rs

@@ -1,15 +0,0 @@
-mod client;
-mod events;
-mod facts;
-mod reducer;
-
-pub use client::AnalyticsEventsClient;
-pub use events::AppServerRpcTransport;
-pub use facts::AppInvocation;
-pub use facts::InvocationType;
-pub use facts::SkillInvocation;
-pub use facts::TrackEventsContext;
-pub use facts::build_track_events_context;
-
-#[cfg(test)]
-mod analytics_client_tests;

codex-rs/analytics/src/reducer.rs

@@ -1,305 +0,0 @@
-use crate::events::AppServerRpcTransport;
-use crate::events::CodexAppMentionedEventRequest;
-use crate::events::CodexAppServerClientMetadata;
-use crate::events::CodexAppUsedEventRequest;
-use crate::events::CodexPluginEventRequest;
-use crate::events::CodexPluginUsedEventRequest;
-use crate::events::CodexRuntimeMetadata;
-use crate::events::SkillInvocationEventParams;
-use crate::events::SkillInvocationEventRequest;
-use crate::events::ThreadInitializationMode;
-use crate::events::ThreadInitializedEvent;
-use crate::events::ThreadInitializedEventParams;
-use crate::events::TrackEventRequest;
-use crate::events::codex_app_metadata;
-use crate::events::codex_plugin_metadata;
-use crate::events::codex_plugin_used_metadata;
-use crate::events::plugin_state_event_type;
-use crate::events::thread_source_name;
-use crate::facts::AnalyticsFact;
-use crate::facts::AppMentionedInput;
-use crate::facts::AppUsedInput;
-use crate::facts::CustomAnalyticsFact;
-use crate::facts::PluginState;
-use crate::facts::PluginStateChangedInput;
-use crate::facts::PluginUsedInput;
-use crate::facts::SkillInvokedInput;
-use codex_app_server_protocol::ClientResponse;
-use codex_app_server_protocol::InitializeParams;
-use codex_git_utils::collect_git_info;
-use codex_git_utils::get_git_repo_root;
-use codex_login::default_client::originator;
-use codex_protocol::protocol::SessionSource;
-use codex_protocol::protocol::SkillScope;
-use sha1::Digest;
-use std::collections::HashMap;
-use std::path::Path;
-
-#[derive(Default)]
-pub(crate) struct AnalyticsReducer {
-    connections: HashMap<u64, ConnectionState>,
-}
-
-struct ConnectionState {
-    app_server_client: CodexAppServerClientMetadata,
-    runtime: CodexRuntimeMetadata,
-}
-
-impl AnalyticsReducer {
-    pub(crate) async fn ingest(&mut self, input: AnalyticsFact, out: &mut Vec<TrackEventRequest>) {
-        match input {
-            AnalyticsFact::Initialize {
-                connection_id,
-                params,
-                product_client_id,
-                runtime,
-                rpc_transport,
-            } => {
-                self.ingest_initialize(
-                    connection_id,
-                    params,
-                    product_client_id,
-                    runtime,
-                    rpc_transport,
-                );
-            }
-            AnalyticsFact::Request {
-                connection_id: _connection_id,
-                request_id: _request_id,
-                request: _request,
-            } => {}
-            AnalyticsFact::Response {
-                connection_id,
-                response,
-            } => {
-                self.ingest_response(connection_id, *response, out);
-            }
-            AnalyticsFact::Notification(_notification) => {}
-            AnalyticsFact::Custom(input) => match input {
-                CustomAnalyticsFact::SkillInvoked(input) => {
-                    self.ingest_skill_invoked(input, out).await;
-                }
-                CustomAnalyticsFact::AppMentioned(input) => {
-                    self.ingest_app_mentioned(input, out);
-                }
-                CustomAnalyticsFact::AppUsed(input) => {
-                    self.ingest_app_used(input, out);
-                }
-                CustomAnalyticsFact::PluginUsed(input) => {
-                    self.ingest_plugin_used(input, out);
-                }
-                CustomAnalyticsFact::PluginStateChanged(input) => {
-                    self.ingest_plugin_state_changed(input, out);
-                }
-            },
-        }
-    }
-
-    fn ingest_initialize(
-        &mut self,
-        connection_id: u64,
-        params: InitializeParams,
-        product_client_id: String,
-        runtime: CodexRuntimeMetadata,
-        rpc_transport: AppServerRpcTransport,
-    ) {
-        self.connections.insert(
-            connection_id,
-            ConnectionState {
-                app_server_client: CodexAppServerClientMetadata {
-                    product_client_id,
-                    client_name: Some(params.client_info.name),
-                    client_version: Some(params.client_info.version),
-                    rpc_transport,
-                    experimental_api_enabled: params
-                        .capabilities
-                        .map(|capabilities| capabilities.experimental_api),
-                },
-                runtime,
-            },
-        );
-    }
-
-    async fn ingest_skill_invoked(
-        &mut self,
-        input: SkillInvokedInput,
-        out: &mut Vec<TrackEventRequest>,
-    ) {
-        let SkillInvokedInput {
-            tracking,
-            invocations,
-        } = input;
-        for invocation in invocations {
-            let skill_scope = match invocation.skill_scope {
-                SkillScope::User => "user",
-                SkillScope::Repo => "repo",
-                SkillScope::System => "system",
-                SkillScope::Admin => "admin",
-            };
-            let repo_root = get_git_repo_root(invocation.skill_path.as_path());
-            let repo_url = if let Some(root) = repo_root.as_ref() {
-                collect_git_info(root)
-                    .await
-                    .and_then(|info| info.repository_url)
-            } else {
-                None
-            };
-            let skill_id = skill_id_for_local_skill(
-                repo_url.as_deref(),
-                repo_root.as_deref(),
-                invocation.skill_path.as_path(),
-                invocation.skill_name.as_str(),
-            );
-            out.push(TrackEventRequest::SkillInvocation(
-                SkillInvocationEventRequest {
-                    event_type: "skill_invocation",
-                    skill_id,
-                    skill_name: invocation.skill_name.clone(),
-                    event_params: SkillInvocationEventParams {
-                        thread_id: Some(tracking.thread_id.clone()),
-                        invoke_type: Some(invocation.invocation_type),
-                        model_slug: Some(tracking.model_slug.clone()),
-                        product_client_id: Some(originator().value),
-                        repo_url,
-                        skill_scope: Some(skill_scope.to_string()),
-                    },
-                },
-            ));
-        }
-    }
-
-    fn ingest_app_mentioned(&mut self, input: AppMentionedInput, out: &mut Vec<TrackEventRequest>) {
-        let AppMentionedInput { tracking, mentions } = input;
-        out.extend(mentions.into_iter().map(|mention| {
-            let event_params = codex_app_metadata(&tracking, mention);
-            TrackEventRequest::AppMentioned(CodexAppMentionedEventRequest {
-                event_type: "codex_app_mentioned",
-                event_params,
-            })
-        }));
-    }
-
-    fn ingest_app_used(&mut self, input: AppUsedInput, out: &mut Vec<TrackEventRequest>) {
-        let AppUsedInput { tracking, app } = input;
-        let event_params = codex_app_metadata(&tracking, app);
-        out.push(TrackEventRequest::AppUsed(CodexAppUsedEventRequest {
-            event_type: "codex_app_used",
-            event_params,
-        }));
-    }
-
-    fn ingest_plugin_used(&mut self, input: PluginUsedInput, out: &mut Vec<TrackEventRequest>) {
-        let PluginUsedInput { tracking, plugin } = input;
-        out.push(TrackEventRequest::PluginUsed(CodexPluginUsedEventRequest {
-            event_type: "codex_plugin_used",
-            event_params: codex_plugin_used_metadata(&tracking, plugin),
-        }));
-    }
-
-    fn ingest_plugin_state_changed(
-        &mut self,
-        input: PluginStateChangedInput,
-        out: &mut Vec<TrackEventRequest>,
-    ) {
-        let PluginStateChangedInput { plugin, state } = input;
-        let event = CodexPluginEventRequest {
-            event_type: plugin_state_event_type(state),
-            event_params: codex_plugin_metadata(plugin),
-        };
-        out.push(match state {
-            PluginState::Installed => TrackEventRequest::PluginInstalled(event),
-            PluginState::Uninstalled => TrackEventRequest::PluginUninstalled(event),
-            PluginState::Enabled => TrackEventRequest::PluginEnabled(event),
-            PluginState::Disabled => TrackEventRequest::PluginDisabled(event),
-        });
-    }
-
-    fn ingest_response(
-        &mut self,
-        connection_id: u64,
-        response: ClientResponse,
-        out: &mut Vec<TrackEventRequest>,
-    ) {
-        let (thread, model, initialization_mode) = match response {
-            ClientResponse::ThreadStart { response, .. } => (
-                response.thread,
-                response.model,
-                ThreadInitializationMode::New,
-            ),
-            ClientResponse::ThreadResume { response, .. } => (
-                response.thread,
-                response.model,
-                ThreadInitializationMode::Resumed,
-            ),
-            ClientResponse::ThreadFork { response, .. } => (
-                response.thread,
-                response.model,
-                ThreadInitializationMode::Forked,
-            ),
-            _ => return,
-        };
-        let thread_source: SessionSource = thread.source.into();
-        let Some(connection_state) = self.connections.get(&connection_id) else {
-            return;
-        };
-        out.push(TrackEventRequest::ThreadInitialized(
-            ThreadInitializedEvent {
-                event_type: "codex_thread_initialized",
-                event_params: ThreadInitializedEventParams {
-                    thread_id: thread.id,
-                    app_server_client: connection_state.app_server_client.clone(),
-                    runtime: connection_state.runtime.clone(),
-                    model,
-                    ephemeral: thread.ephemeral,
-                    thread_source: thread_source_name(&thread_source),
-                    initialization_mode,
-                    subagent_source: None,
-                    parent_thread_id: None,
-                    created_at: u64::try_from(thread.created_at).unwrap_or_default(),
-                },
-            },
-        ));
-    }
-}
-
-pub(crate) fn skill_id_for_local_skill(
-    repo_url: Option<&str>,
-    repo_root: Option<&Path>,
-    skill_path: &Path,
-    skill_name: &str,
-) -> String {
-    let path = normalize_path_for_skill_id(repo_url, repo_root, skill_path);
-    let prefix = if let Some(url) = repo_url {
-        format!("repo_{url}")
-    } else {
-        "personal".to_string()
-    };
-    let raw_id = format!("{prefix}_{path}_{skill_name}");
-    let mut hasher = sha1::Sha1::new();
-    sha1::Digest::update(&mut hasher, raw_id.as_bytes());
-    format!("{:x}", sha1::Digest::finalize(hasher))
-}
-
-/// Returns a normalized path for skill ID construction.
-///
-/// - Repo-scoped skills use a path relative to the repo root.
-/// - User/admin/system skills use an absolute path.
-pub(crate) fn normalize_path_for_skill_id(
-    repo_url: Option<&str>,
-    repo_root: Option<&Path>,
-    skill_path: &Path,
-) -> String {
-    let resolved_path =
-        std::fs::canonicalize(skill_path).unwrap_or_else(|_| skill_path.to_path_buf());
-    match (repo_url, repo_root) {
-        (Some(_), Some(root)) => {
-            let resolved_root = std::fs::canonicalize(root).unwrap_or_else(|_| root.to_path_buf());
-            resolved_path
-                .strip_prefix(&resolved_root)
-                .unwrap_or(resolved_path.as_path())
-                .to_string_lossy()
-                .replace('\\', "/")
-        }
-        _ => resolved_path.to_string_lossy().replace('\\', "/"),
-    }
-}

codex-rs/ansi-escape/BUILD.bazel

@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "ansi-escape",
-    crate_name = "codex_ansi_escape",
-)

codex-rs/ansi-escape/Cargo.toml

@@ -8,9 +8,6 @@ license.workspace = true
 name = "codex_ansi_escape"
 path = "src/lib.rs"
 
-[lints]
-workspace = true
-
 [dependencies]
 ansi-to-tui = { workspace = true }
 ratatui = { workspace = true, features = [

codex-rs/app-server-client/BUILD.bazel

@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "app-server-client",
-    crate_name = "codex_app_server_client",
-)

codex-rs/app-server-client/Cargo.toml

@@ -1,33 +0,0 @@
-[package]
-name = "codex-app-server-client"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-
-[lib]
-name = "codex_app_server_client"
-path = "src/lib.rs"
-
-[lints]
-workspace = true
-
-[dependencies]
-codex-app-server = { workspace = true }
-codex-app-server-protocol = { workspace = true }
-codex-arg0 = { workspace = true }
-codex-core = { workspace = true }
-codex-feedback = { workspace = true }
-codex-protocol = { workspace = true }
-futures = { workspace = true }
-serde = { workspace = true }
-serde_json = { workspace = true }
-tokio = { workspace = true, features = ["sync", "time", "rt"] }
-tokio-tungstenite = { workspace = true }
-toml = { workspace = true }
-tracing = { workspace = true }
-url = { workspace = true }
-
-[dev-dependencies]
-pretty_assertions = { workspace = true }
-serde_json = { workspace = true }
-tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }