docs: refresh codex-cli readme

.github/workflows/rust-ci.yml

@@ -201,7 +201,7 @@ jobs:
         # Tests take too long for release builds to run them on every PR.
         if: ${{ matrix.profile != 'release' }}
         continue-on-error: true
-        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
+        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }}
         env:
           RUST_BACKTRACE: 1
 

.github/workflows/rust-release.yml

@@ -58,9 +58,9 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - runner: macos-15-xlarge
+          - runner: macos-14
             target: aarch64-apple-darwin
-          - runner: macos-15-xlarge
+          - runner: macos-14
             target: x86_64-apple-darwin
           - runner: ubuntu-24.04
             target: x86_64-unknown-linux-musl
@@ -100,7 +100,7 @@ jobs:
       - name: Cargo build
         run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
 
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-14' }}
         name: Configure Apple code signing
         shell: bash
         env:
@@ -185,7 +185,7 @@ jobs:
           echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
           echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
 
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-14' }}
         name: Sign macOS binaries
         shell: bash
         run: |
@@ -206,7 +206,7 @@ jobs:
             codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
           done
 
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-14' }}
         name: Notarize macOS binaries
         shell: bash
         env:
@@ -328,7 +328,7 @@ jobs:
           done
 
       - name: Remove signing keychain
-        if: ${{ always() && matrix.runner == 'macos-15-xlarge' }}
+        if: ${{ always() && matrix.runner == 'macos-14' }}
         shell: bash
         env:
           APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}

README.md

@@ -33,8 +33,6 @@ Then simply run `codex` to get started:
 codex
 ```
 
-If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-update-codex-isnt-upgrading-me).
-
 <details>
 <summary>You can also go to the <a href="https://github.com/openai/codex/releases/latest">latest GitHub Release</a> and download the appropriate binary for your platform.</summary>
 

codex-cli/README.md

@@ -3,8 +3,8 @@
 
 <p align="center"><code>npm i -g @openai/codex</code></p>
 
-> [!IMPORTANT]
-> This is the documentation for the _legacy_ TypeScript implementation of the Codex CLI. It has been superseded by the _Rust_ implementation. See the [README in the root of the Codex repository](https://github.com/openai/codex/blob/main/README.md) for details.
+> [!NOTE]
+> This README focuses on the native Rust CLI. For additional deep dives, see the [docs/](../docs) folder and the [root README](https://github.com/openai/codex/blob/main/README.md).
 
 ![Codex demo GIF using: codex "explain this codebase to me"](../.github/demo.gif)
 
@@ -94,37 +94,8 @@ export OPENAI_API_KEY="your-api-key-here"
 >
 > The CLI will automatically load variables from `.env` (via `dotenv/config`).
 
-<details>
-<summary><strong>Use <code>--provider</code> to use other models</strong></summary>
-
-> Codex also allows you to use other providers that support the OpenAI Chat Completions API. You can set the provider in the config file or use the `--provider` flag. The possible options for `--provider` are:
->
-> - openai (default)
-> - openrouter
-> - azure
-> - gemini
-> - ollama
-> - mistral
-> - deepseek
-> - xai
-> - groq
-> - arceeai
-> - any other provider that is compatible with the OpenAI API
->
-> If you use a provider other than OpenAI, you will need to set the API key for the provider in the config file or in the environment variable as:
->
-> ```shell
-> export <provider>_API_KEY="your-api-key-here"
-> ```
->
-> If you use a provider not listed above, you must also set the base URL for the provider:
->
-> ```shell
-> export <provider>_BASE_URL="https://your-provider-api-base-url"
-> ```
-
-</details>
-<br />
+> [!TIP]
+> The CLI ships with OpenAI and local OSS providers out of the box. To add additional providers, edit the `[model_providers]` table in `~/.codex/config.toml`. See [Configuration guide](#configuration-guide) for examples.
 
 Run interactively:
 
@@ -139,7 +110,7 @@ codex "explain this codebase to me"
 ```
 
 ```shell
-codex --approval-mode full-auto "create the fanciest todo-list app"
+codex --full-auto "create the fanciest todo-list app"
 ```
 
 That's it - Codex will scaffold a file, run it inside a sandbox, install any
@@ -165,67 +136,61 @@ And it's **fully open-source** so you can see and contribute to how it develops!
 
 ## Security model & permissions
 
-Codex lets you decide _how much autonomy_ the agent receives and auto-approval policy via the
-`--approval-mode` flag (or the interactive onboarding prompt):
+Codex lets you decide _how much autonomy_ the agent receives via the
+`--ask-for-approval` flag (or the interactive onboarding prompt). The default is `on-request`.
 
-| Mode                      | What the agent may do without asking                                                                | Still requires approval                                                                         |
-| ------------------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| **Suggest** <br>(default) | <li>Read any file in the repo                                                                       | <li>**All** file writes/patches<li> **Any** arbitrary shell commands (aside from reading files) |
-| **Auto Edit**             | <li>Read **and** apply-patch writes to files                                                        | <li>**All** shell commands                                                                      |
-| **Full Auto**             | <li>Read/write files <li> Execute shell commands (network disabled, writes limited to your workdir) | -                                                                                               |
+| Mode (`--ask-for-approval …`) | Auto-approves                                                                                                                                  | Escalates to you when…                                                                                 |
+| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
+| `untrusted`                  | Built-in "safe" commands that only read files (`ls`, `cat`, `sed`, etc.)                                                                        | The model proposes writing to disk or running any other command.                                       |
+| `on-failure`                 | All commands, executed inside the configured sandbox with network access disabled and writes limited to the allowed directories.               | A command fails in the sandbox and the model wants to retry it without sandboxing.                     |
+| `on-request` _(default)_     | Whatever the model deems safe; it typically asks you before launching riskier commands or writing files.                                       | The model decides it wants confirmation, or the sandbox refuses a command and the model asks to retry. |
+| `never`                      | Everything, with no escalation.                                                                                                                | Never; failures are returned straight to the model.                                                    |
 
-In **Full Auto** every command is run **network-disabled** and confined to the
-current working directory (plus temporary files) for defense-in-depth. Codex
-will also show a warning/confirmation if you start in **auto-edit** or
-**full-auto** while the directory is _not_ tracked by Git, so you always have a
-safety net.
-
-Coming soon: you'll be able to whitelist specific commands to auto-execute with
-the network enabled, once we're confident in additional safeguards.
+Use `codex --full-auto` as a shorthand for `--ask-for-approval on-failure --sandbox workspace-write`. For air-gapped or CI environments that provide their own isolation, `--dangerously-bypass-approvals-and-sandbox` disables both confirmation prompts and sandboxing—double-check before using it.
 
 ### Platform sandboxing details
 
 The hardening mechanism Codex uses depends on your OS:
 
 - **macOS 12+** - commands are wrapped with **Apple Seatbelt** (`sandbox-exec`).
-
   - Everything is placed in a read-only jail except for a small set of
     writable roots (`$PWD`, `$TMPDIR`, `~/.codex`, etc.).
-  - Outbound network is _fully blocked_ by default - even if a child process
+  - Outbound network is _fully blocked_ by default – even if a child process
     tries to `curl` somewhere it will fail.
 
-- **Linux** - there is no sandboxing by default.
-  We recommend using Docker for sandboxing, where Codex launches itself inside a **minimal
-  container image** and mounts your repo _read/write_ at the same path. A
-  custom `iptables`/`ipset` firewall script denies all egress except the
-  OpenAI API. This gives you deterministic, reproducible runs without needing
-  root on the host. You can use the [`run_in_container.sh`](../codex-cli/scripts/run_in_container.sh) script to set up the sandbox.
+- **Linux** - commands run through the bundled `codex-linux-sandbox` helper. It combines **Landlock** filesystem rules with a **seccomp** filter, mirroring the macOS policy: commands start network-disabled and only the working directory (plus a few temp paths) are writable. You still get escape hatches via the `--sandbox` flag:
+  - `--sandbox read-only` is ideal for review-only sessions.
+  - `--sandbox danger-full-access` turns the sandbox off. Pair it with `--ask-for-approval untrusted` if you still want Codex to double-check risky commands.
+
+Containers (Docker/Podman) can still be useful when you want completely reproducible toolchains, GPU access, or custom OS packages. In that case launch the CLI inside your container and keep the built-in sandbox on; it will happily sandbox _inside_ the container.
 
 ---
 
 ## System requirements
 
-| Requirement                 | Details                                                         |
-| --------------------------- | --------------------------------------------------------------- |
-| Operating systems           | macOS 12+, Ubuntu 20.04+/Debian 10+, or Windows 11 **via WSL2** |
-| Node.js                     | **16 or newer** (Node 20 LTS recommended)                       |
-| Git (optional, recommended) | 2.23+ for built-in PR helpers                                   |
-| RAM                         | 4-GB minimum (8-GB recommended)                                 |
+| Requirement                 | Details                                                                 |
+| --------------------------- | ----------------------------------------------------------------------- |
+| Operating systems           | macOS 12+, Ubuntu 22.04+/Debian 12+, or Windows 11 via WSL2             |
+| Runtime dependencies        | None for the packaged binaries (install via npm, Homebrew, or releases) |
+| Git (optional, recommended) | 2.39+ for built-in PR helpers                                           |
+| RAM                         | 4-GB minimum (8-GB recommended)                                         |
 
-> Never run `sudo npm install -g`; fix npm permissions instead.
+> Never run `sudo npm install -g`; fix npm or use another package manager instead.
 
 ---
 
 ## CLI reference
 
-| Command                              | Purpose                             | Example                              |
-| ------------------------------------ | ----------------------------------- | ------------------------------------ |
-| `codex`                              | Interactive REPL                    | `codex`                              |
-| `codex "..."`                        | Initial prompt for interactive REPL | `codex "fix lint errors"`            |
-| `codex -q "..."`                     | Non-interactive "quiet mode"        | `codex -q --json "explain utils.ts"` |
-| `codex completion <bash\|zsh\|fish>` | Print shell completion script       | `codex completion bash`              |
+| Command                              | Purpose                                             | Example                                              |
+| ------------------------------------ | --------------------------------------------------- | ---------------------------------------------------- |
+| `codex`                              | Launch the interactive TUI                         | `codex`                                              |
+| `codex "..."`                        | Seed the interactive session with an opening task  | `codex "fix lint errors"`                            |
+| `codex exec "..."`                   | Run a non-interactive turn in the current repo     | `codex exec "count the total number of TODO comments"` |
+| `codex exec --json "..."`            | Stream machine-readable events as JSON Lines       | `codex exec --json --full-auto "update CHANGELOG"`   |
+| `codex exec resume --last "..."`     | Resume the most recent non-interactive session     | `codex exec resume --last "ship the follow-up fix"`  |
+| `codex completion <bash\|zsh\|fish>` | Print shell completion script for your shell       | `codex completion bash`                              |
 
-Key flags: `--model/-m`, `--approval-mode/-a`, `--quiet/-q`, and `--notify`.
+Helpful flags: `--model/-m`, `--ask-for-approval/-a`, `--sandbox/-s`, `--oss`, `--full-auto`, `--config/-c key=value`, and `--web-search`.
 
 ---
 
@@ -237,8 +202,6 @@ You can give Codex extra instructions and guidance using `AGENTS.md` files. Code
 2. `AGENTS.md` at repo root - shared project notes
 3. `AGENTS.md` in the current working directory - sub-folder/feature specifics
 
-Disable loading of these files with `--no-project-doc` or the environment variable `CODEX_DISABLE_PROJECT_DOC=1`.
-
 ---
 
 ## Non-interactive / CI mode
@@ -250,19 +213,21 @@ Run Codex head-less in pipelines. Example GitHub Action step:
   run: |
     npm install -g @openai/codex
     export OPENAI_API_KEY="${{ secrets.OPENAI_KEY }}"
-    codex -a auto-edit --quiet "update CHANGELOG for next release"
+    codex exec --json --full-auto "update CHANGELOG for next release" > codex.log
 ```
 
-Set `CODEX_QUIET_MODE=1` to silence interactive UI noise.
+`codex exec` streams its progress to stderr and writes the final assistant reply to stdout. Use `--json` when you need structured output, or `-o path/to/result.json` to capture just the closing message.
 
 ## Tracing / verbose logging
 
-Setting the environment variable `DEBUG=true` prints full API request and response details:
+Set `RUST_LOG` to control structured logging. The default filter is `codex_core=info,codex_tui=info,codex_rmcp_client=info`. To turn on verbose logs for troubleshooting:
 
 ```shell
-DEBUG=true codex
+RUST_LOG=codex_core=debug,codex_tui=debug codex
 ```
 
+Logs are written to `~/.codex/logs/codex-tui.log` in addition to stderr. You can use standard `env_logger` syntax (e.g., `RUST_LOG=info,reqwest=trace`).
+
 ---
 
 ## Recipes
@@ -302,28 +267,21 @@ pnpm add -g @openai/codex
 <summary><strong>Build from source</strong></summary>
 
 ```bash
-# Clone the repository and navigate to the CLI package
+# Clone the repository and navigate to the workspace root
 git clone https://github.com/openai/codex.git
-cd codex/codex-cli
+cd codex
 
-# Enable corepack
-corepack enable
+# Ensure you have the latest stable Rust toolchain
+rustup default stable
 
-# Install dependencies and build
-pnpm install
-pnpm build
+# (Optional) install just for handy automation
+cargo install just
 
-# Linux-only: download prebuilt sandboxing binaries (requires gh and zstd).
-./scripts/install_native_deps.sh
+# Build the interactive CLI
+cargo build -p codex-tui
 
-# Get the usage and the options
-node ./dist/cli.js --help
-
-# Run the locally-built CLI directly
-node ./dist/cli.js
-
-# Or link the command globally for convenience
-pnpm link
+# Run it directly from source
+cargo run -p codex-tui -- --help
 ```
 
 </details>
@@ -332,153 +290,93 @@ pnpm link
 
 ## Configuration guide
 
-Codex configuration files can be placed in the `~/.codex/` directory, supporting both YAML and JSON formats.
+Codex reads configuration from `~/.codex/config.toml` (or `$CODEX_HOME/config.toml`). TOML is the only supported format. Command-line flags (`--model`, `--ask-for-approval`, `--config key=value`, etc.) override whatever is set in the file.
 
 ### Basic configuration parameters
 
-| Parameter           | Type    | Default    | Description                      | Available Options                                                                              |
-| ------------------- | ------- | ---------- | -------------------------------- | ---------------------------------------------------------------------------------------------- |
-| `model`             | string  | `o4-mini`  | AI model to use                  | Any model name supporting OpenAI API                                                           |
-| `approvalMode`      | string  | `suggest`  | AI assistant's permission mode   | `suggest` (suggestions only)<br>`auto-edit` (automatic edits)<br>`full-auto` (fully automatic) |
-| `fullAutoErrorMode` | string  | `ask-user` | Error handling in full-auto mode | `ask-user` (prompt for user input)<br>`ignore-and-continue` (ignore and proceed)               |
-| `notify`            | boolean | `true`     | Enable desktop notifications     | `true`/`false`                                                                                 |
+| Key                | Type     | Default                                      | Description                                                                                       |
+| ------------------ | -------- | -------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| `model`            | string   | `gpt-5-codex` (macOS/Linux) / `gpt-5` (WSL)  | Selects the default model.                                                                        |
+| `model_provider`   | string   | `openai`                                     | Picks an entry from the `[model_providers]` table.                                                |
+| `approval_policy`  | string   | `on-request`                                 | Matches the CLI `--ask-for-approval` flag (`untrusted`, `on-failure`, `on-request`, `never`).      |
+| `sandbox_mode`     | string   | `workspace-write` on trusted repos, otherwise read-only | Controls how shell commands are sandboxed (`read-only`, `workspace-write`, `danger-full-access`). |
+| `notify`           | array    | _unset_                                      | Optional notifier command: e.g. `notify = ["terminal-notifier", "-message", "Codex done"]`.       |
+| `tui_notifications`| table    | `{"approvals": true, "turns": true}`         | Controls OSC 9 terminal notifications.                                                            |
+| `history.persistence` | string | `save-all`                                   | `save-all`, `commands-only`, or `none`.                                                           |
+| `hide_agent_reasoning` | bool | `false`                                      | Suppress reasoning summaries in the UI.                                                           |
 
-### Custom AI provider configuration
+Use `codex --config key=value` to experiment without editing the file. For example, `codex --config approval_policy="untrusted"`.
 
-In the `providers` object, you can configure multiple AI service providers. Each provider requires the following parameters:
+### Managing model providers
 
-| Parameter | Type   | Description                             | Example                       |
-| --------- | ------ | --------------------------------------- | ----------------------------- |
-| `name`    | string | Display name of the provider            | `"OpenAI"`                    |
-| `baseURL` | string | API service URL                         | `"https://api.openai.com/v1"` |
-| `envKey`  | string | Environment variable name (for API key) | `"OPENAI_API_KEY"`            |
+The CLI bundles two providers: `openai` (Responses API) and `oss` (local models via Ollama). You can add more by extending the `model_providers` map. Entries do **not** replace the defaults; they are merged in.
 
-### History configuration
+```toml
+model = "gpt-4o"
+model_provider = "openai-chat"
 
-In the `history` object, you can configure conversation history settings:
+[model_providers.openai-chat]
+name = "OpenAI (Chat Completions)"
+base_url = "https://api.openai.com/v1"
+wire_api = "chat"
+env_key = "OPENAI_API_KEY"
 
-| Parameter           | Type    | Description                                            | Example Value |
-| ------------------- | ------- | ------------------------------------------------------ | ------------- |
-| `maxSize`           | number  | Maximum number of history entries to save              | `1000`        |
-| `saveHistory`       | boolean | Whether to save history                                | `true`        |
-| `sensitivePatterns` | array   | Patterns of sensitive information to filter in history | `[]`          |
-
-### Configuration examples
-
-1. YAML format (save as `~/.codex/config.yaml`):
-
-```yaml
-model: o4-mini
-approvalMode: suggest
-fullAutoErrorMode: ask-user
-notify: true
+[model_providers.ollama]
+name = "Ollama"
+base_url = "http://localhost:11434/v1"
 ```
 
-2. JSON format (save as `~/.codex/config.json`):
+Set API keys by exporting the environment variable referenced by each provider (`env_key`). If you need to override headers or query parameters, add `http_headers`, `env_http_headers`, or `query_params` within the provider block. See [`docs/config.md`](../docs/config.md#model_providers) for more examples, including Azure and custom retries.
 
-```json
-{
-  "model": "o4-mini",
-  "approvalMode": "suggest",
-  "fullAutoErrorMode": "ask-user",
-  "notify": true
-}
+### History, profiles, and overrides
+
+- History is controlled via the `[history]` table. Example:
+
+  ```toml
+  [history]
+  persistence = "commands-only"
+  redact_patterns = ["api_key=*"]
+  ```
+
+- Use profiles to store alternative defaults:
+
+  ```toml
+  [profiles.ops]
+  model = "gpt-5"
+  approval_policy = "untrusted"
+  sandbox_mode = "read-only"
+  ```
+
+  Launch with `codex --profile ops`.
+
+- Override individual keys for a single run: `codex --config history.persistence="none"`.
+
+### MCP servers and instructions
+
+Add MCP integrations with `[mcp_servers.<id>]` blocks (stdio or streamable HTTP). Refer to [`docs/config.md#mcps`](../docs/config.md#mcp-integration) for the schema.
+
+For persistent guidance, create `AGENTS.md` files in `~/.codex`, your repo root, or subdirectories. Codex merges them from root to current directory before each turn.
+
+### Example `config.toml`
+
+```toml
+model = "gpt-5-codex"
+model_provider = "openai"
+approval_policy = "untrusted"
+sandbox_mode = "workspace-write"
+
+[history]
+persistence = "save-all"
+
+[model_providers.azure]
+name = "Azure"
+base_url = "https://YOUR_RESOURCE_NAME.openai.azure.com/openai"
+env_key = "AZURE_OPENAI_API_KEY"
+wire_api = "responses"
+query_params = { api-version = "2025-04-01-preview" }
 ```
 
-### Full configuration example
-
-Below is a comprehensive example of `config.json` with multiple custom providers:
-
-```json
-{
-  "model": "o4-mini",
-  "provider": "openai",
-  "providers": {
-    "openai": {
-      "name": "OpenAI",
-      "baseURL": "https://api.openai.com/v1",
-      "envKey": "OPENAI_API_KEY"
-    },
-    "azure": {
-      "name": "AzureOpenAI",
-      "baseURL": "https://YOUR_PROJECT_NAME.openai.azure.com/openai",
-      "envKey": "AZURE_OPENAI_API_KEY"
-    },
-    "openrouter": {
-      "name": "OpenRouter",
-      "baseURL": "https://openrouter.ai/api/v1",
-      "envKey": "OPENROUTER_API_KEY"
-    },
-    "gemini": {
-      "name": "Gemini",
-      "baseURL": "https://generativelanguage.googleapis.com/v1beta/openai",
-      "envKey": "GEMINI_API_KEY"
-    },
-    "ollama": {
-      "name": "Ollama",
-      "baseURL": "http://localhost:11434/v1",
-      "envKey": "OLLAMA_API_KEY"
-    },
-    "mistral": {
-      "name": "Mistral",
-      "baseURL": "https://api.mistral.ai/v1",
-      "envKey": "MISTRAL_API_KEY"
-    },
-    "deepseek": {
-      "name": "DeepSeek",
-      "baseURL": "https://api.deepseek.com",
-      "envKey": "DEEPSEEK_API_KEY"
-    },
-    "xai": {
-      "name": "xAI",
-      "baseURL": "https://api.x.ai/v1",
-      "envKey": "XAI_API_KEY"
-    },
-    "groq": {
-      "name": "Groq",
-      "baseURL": "https://api.groq.com/openai/v1",
-      "envKey": "GROQ_API_KEY"
-    },
-    "arceeai": {
-      "name": "ArceeAI",
-      "baseURL": "https://conductor.arcee.ai/v1",
-      "envKey": "ARCEEAI_API_KEY"
-    }
-  },
-  "history": {
-    "maxSize": 1000,
-    "saveHistory": true,
-    "sensitivePatterns": []
-  }
-}
-```
-
-### Custom instructions
-
-You can create a `~/.codex/AGENTS.md` file to define custom guidance for the agent:
-
-```markdown
-- Always respond with emojis
-- Only use git commands when explicitly requested
-```
-
-### Environment variables setup
-
-For each AI provider, you need to set the corresponding API key in your environment variables. For example:
-
-```bash
-# OpenAI
-export OPENAI_API_KEY="your-api-key-here"
-
-# Azure OpenAI
-export AZURE_OPENAI_API_KEY="your-azure-api-key-here"
-export AZURE_OPENAI_API_VERSION="2025-04-01-preview" (Optional)
-
-# OpenRouter
-export OPENROUTER_API_KEY="your-openrouter-key-here"
-
-# Similarly for other providers
-```
+Restart Codex (or run the next command with `--config`) after editing the file to pick up changes.
 
 ---
 
@@ -494,7 +392,7 @@ In 2021, OpenAI released Codex, an AI system designed to generate code from natu
 <details>
 <summary>Which models are supported?</summary>
 
-Any model available with [Responses API](https://platform.openai.com/docs/api-reference/responses). The default is `o4-mini`, but pass `--model gpt-4.1` or set `model: gpt-4.1` in your config file to override.
+Any model available via the [Responses API](https://platform.openai.com/docs/api-reference/responses). The default is `gpt-5-codex` (or `gpt-5` on Windows/WSL), but pass `--model` or set `model = "gpt-4.1"` in `config.toml` to override.
 
 </details>
 <details>
@@ -507,13 +405,13 @@ It's possible that your [API account needs to be verified](https://help.openai.c
 <details>
 <summary>How do I stop Codex from editing my files?</summary>
 
-Codex runs model-generated commands in a sandbox. If a proposed command or file change doesn't look right, you can simply type **n** to deny the command or give the model feedback.
+Run with `codex --ask-for-approval untrusted` or `codex --sandbox read-only` to force Codex to ask before making changes. In interactive sessions, you can also deny a specific command or patch by answering **n** when prompted.
 
 </details>
 <details>
 <summary>Does it work on Windows?</summary>
 
-Not directly. It requires [Windows Subsystem for Linux (WSL2)](https://learn.microsoft.com/en-us/windows/wsl/install) - Codex is regularly tested on macOS and Linux with Node 20+, and also supports Node 16.
+Not natively. Use [Windows Subsystem for Linux (WSL2)](https://learn.microsoft.com/en-us/windows/wsl/install) and install the Linux build inside your WSL environment. We regularly test on macOS and Linux.
 
 </details>
 
@@ -544,59 +442,25 @@ We're excited to launch a **$1 million initiative** supporting open source proje
 
 ## Contributing
 
-This project is under active development and the code will likely change pretty significantly. We'll update this message once that's complete!
+This project is under active development and we currently prioritize external contributions that address bugs or security issues. If you are proposing a new feature or behavior change, please open an issue first and get confirmation from the team before investing significant effort.
 
-More broadly we welcome contributions - whether you are opening your very first pull request or you're a seasoned maintainer. At the same time we care about reliability and long-term maintainability, so the bar for merging code is intentionally **high**. The guidelines below spell out what "high-quality" means in practice and should make the whole process transparent and friendly.
+We care deeply about reliability and long-term maintainability, so the bar for merging code is intentionally **high**. Use this README together with the canonical [contributor guide](../docs/contributing.md).
 
 ### Development workflow
 
-- Create a _topic branch_ from `main` - e.g. `feat/interactive-prompt`.
-- Keep your changes focused. Multiple unrelated fixes should be opened as separate PRs.
-- Use `pnpm test:watch` during development for super-fast feedback.
-- We use **Vitest** for unit tests, **ESLint** + **Prettier** for style, and **TypeScript** for type-checking.
-- Before pushing, run the full test/type/lint suite:
-
-### Git hooks with Husky
-
-This project uses [Husky](https://typicode.github.io/husky/) to enforce code quality checks:
-
-- **Pre-commit hook**: Automatically runs lint-staged to format and lint files before committing
-- **Pre-push hook**: Runs tests and type checking before pushing to the remote
-
-These hooks help maintain code quality and prevent pushing code with failing tests. For more details, see [HUSKY.md](./HUSKY.md).
-
-```bash
-pnpm test && pnpm run lint && pnpm run typecheck
-```
-
-- If you have **not** yet signed the Contributor License Agreement (CLA), add a PR comment containing the exact text
-
-  ```text
-  I have read the CLA Document and I hereby sign the CLA
-  ```
-
-  The CLA-Assistant bot will turn the PR status green once all authors have signed.
-
-```bash
-# Watch mode (tests rerun on change)
-pnpm test:watch
-
-# Type-check without emitting files
-pnpm typecheck
-
-# Automatically fix lint + prettier issues
-pnpm lint:fix
-pnpm format:fix
-```
+- Create a topic branch from `main` (for example `feat/improve-sandbox`).
+- Keep changes focused; unrelated fixes should land as separate PRs.
+- Install Rust 1.80+ and `just`. Most commands run from the repo root:
+  - `just fmt` formats all Rust code.
+  - `just fix -p codex-tui` runs `cargo clippy --fix` and `cargo fmt` for the TUI crate (swap the crate name as appropriate).
+  - `cargo test -p codex-tui` or other crate-specific test commands keep feedback fast.
+- If you touch shared crates (for example `codex-core` or `codex-common`), prefer `cargo test --all-features` after the targeted suite passes.
 
 ### Debugging
 
-To debug the CLI with a visual debugger, do the following in the `codex-cli` folder:
-
-- Run `pnpm run build` to build the CLI, which will generate `cli.js.map` alongside `cli.js` in the `dist` folder.
-- Run the CLI with `node --inspect-brk ./dist/cli.js` The program then waits until a debugger is attached before proceeding. Options:
-  - In VS Code, choose **Debug: Attach to Node Process** from the command palette and choose the option in the dropdown with debug port `9229` (likely the first option)
-  - Go to <chrome://inspect> in Chrome and find **localhost:9229** and click **trace**
+- Run `cargo run -p codex-tui --` to launch the CLI under your debugger of choice. `cargo run -p codex-cli --bin codex-linux-sandbox -- --help` is helpful when iterating on the sandbox helper.
+- Set `RUST_LOG=codex_core=debug,codex_tui=debug` to capture verbose logs (see [Tracing](#tracing--verbose-logging)).
+- Use `cargo test -p <crate> -- --nocapture` to see println!/tracing output from tests while iterating on new features.
 
 ### Writing high-impact code changes
 
@@ -607,10 +471,10 @@ To debug the CLI with a visual debugger, do the following in the `codex-cli` fol
 
 ### Opening a pull request
 
-- Fill in the PR template (or include similar information) - **What? Why? How?**
-- Run **all** checks locally (`npm test && npm run lint && npm run typecheck`). CI failures that could have been caught locally slow down the process.
+- Fill in the PR template (or include similar information) – **What? Why? How?**
+- Run **all** checks locally (`cargo test`, `cargo clippy --tests`, `cargo fmt -- --check`, plus any `just fix -p <crate>` you relied on). CI failures that could have been caught locally slow down the process.
 - Make sure your branch is up-to-date with `main` and that you have resolved merge conflicts.
-- Mark the PR as **Ready for review** only when you believe it is in a merge-able state.
+- Mark the PR as **Ready for review** only when you believe it is in a mergeable state.
 
 ### Review process
 
@@ -655,29 +519,22 @@ The **DCO check** blocks merges until every commit in the PR carries the footer
 
 ### Releasing `codex`
 
-To publish a new version of the CLI you first need to stage the npm package. A
-helper script in `codex-cli/scripts/` does all the heavy lifting. Inside the
-`codex-cli` folder run:
+To stage npm artifacts for a release, run the helper from the repo root:
 
 ```bash
-# Classic, JS implementation that includes small, native binaries for Linux sandboxing.
-pnpm stage-release
-
-# Optionally specify the temp directory to reuse between runs.
-RELEASE_DIR=$(mktemp -d)
-pnpm stage-release --tmp "$RELEASE_DIR"
-
-# "Fat" package that additionally bundles the native Rust CLI binaries for
-# Linux. End-users can then opt-in at runtime by setting CODEX_RUST=1.
-pnpm stage-release --native
+./scripts/stage_npm_packages.py \
+  --release-version 0.6.0 \
+  --package codex
 ```
 
-Go to the folder where the release is staged and verify that it works as intended. If so, run the following from the temp folder:
+The script assembles native binaries, hydrates the `vendor/` tree, and writes tarballs to `dist/npm/`. Inspect the generated package contents (for example by extracting them or running `npm pack --dry-run`). When satisfied:
 
+```bash
+cd dist/npm
+npm publish codex-0.6.0.tgz
 ```
-cd "$RELEASE_DIR"
-npm publish
-```
+
+Add additional `--package` flags if you need to ship the responses proxy or SDK in the same release. See [`codex-cli/scripts/README.md`](./scripts/README.md) for details and troubleshooting tips.
 
 ### Alternative build options
 

codex-rs/Cargo.lock

@@ -182,10 +182,7 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "assert_cmd",
- "base64",
- "chrono",
  "codex-app-server-protocol",
- "codex-core",
  "serde",
  "serde_json",
  "tokio",
@@ -837,10 +834,8 @@ dependencies = [
  "app_test_support",
  "assert_cmd",
  "base64",
- "chrono",
  "codex-app-server-protocol",
  "codex-arg0",
- "codex-backend-client",
  "codex-common",
  "codex-core",
  "codex-file-search",
@@ -848,7 +843,6 @@ dependencies = [
  "codex-protocol",
  "codex-utils-json-to-toml",
  "core_test_support",
- "opentelemetry-appender-tracing",
  "os_info",
  "pretty_assertions",
  "serde",
@@ -923,8 +917,6 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "codex-backend-openapi-models",
- "codex-core",
- "codex-protocol",
  "pretty_assertions",
  "reqwest",
  "serde",
@@ -937,7 +929,6 @@ version = "0.0.0"
 dependencies = [
  "serde",
  "serde_json",
- "serde_with",
 ]
 
 [[package]]
@@ -1061,12 +1052,12 @@ dependencies = [
  "codex-apply-patch",
  "codex-async-utils",
  "codex-file-search",
+ "codex-mcp-client",
  "codex-otel",
  "codex-protocol",
  "codex-rmcp-client",
  "codex-utils-pty",
  "codex-utils-string",
- "codex-utils-tokenizer",
  "core-foundation 0.9.4",
  "core_test_support",
  "dirs",
@@ -1075,7 +1066,6 @@ dependencies = [
  "escargot",
  "eventsource-stream",
  "futures",
- "http",
  "indexmap 2.10.0",
  "landlock",
  "libc",
@@ -1250,6 +1240,19 @@ dependencies = [
  "wiremock",
 ]
 
+[[package]]
+name = "codex-mcp-client"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "mcp-types",
+ "serde",
+ "serde_json",
+ "tokio",
+ "tracing",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "codex-mcp-server"
 version = "0.0.0"
@@ -1443,12 +1446,12 @@ dependencies = [
  "libc",
  "mcp-types",
  "opentelemetry-appender-tracing",
+ "path-clean",
  "pathdiff",
  "pretty_assertions",
  "pulldown-cmark",
  "rand 0.9.2",
  "ratatui",
- "ratatui-macros",
  "regex-lite",
  "serde",
  "serde_json",
@@ -1505,16 +1508,6 @@ dependencies = [
 name = "codex-utils-string"
 version = "0.0.0"
 
-[[package]]
-name = "codex-utils-tokenizer"
-version = "0.0.0"
-dependencies = [
- "anyhow",
- "pretty_assertions",
- "thiserror 2.0.16",
- "tiktoken-rs",
-]
-
 [[package]]
 name = "color-eyre"
 version = "0.6.5"
@@ -1635,7 +1628,6 @@ dependencies = [
  "anyhow",
  "assert_cmd",
  "codex-core",
- "codex-protocol",
  "notify",
  "regex-lite",
  "serde_json",
@@ -2313,17 +2305,6 @@ dependencies = [
  "once_cell",
 ]
 
-[[package]]
-name = "fancy-regex"
-version = "0.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "531e46835a22af56d1e3b66f04844bed63158bc094a628bec1d321d9b4c44bf2"
-dependencies = [
- "bit-set",
- "regex-automata",
- "regex-syntax 0.8.5",
-]
-
 [[package]]
 name = "fastrand"
 version = "2.3.0"
@@ -4296,6 +4277,12 @@ dependencies = [
  "path-dedot",
 ]
 
+[[package]]
+name = "path-clean"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef"
+
 [[package]]
 name = "path-dedot"
 version = "3.1.1"
@@ -4641,7 +4628,7 @@ dependencies = [
  "pin-project-lite",
  "quinn-proto",
  "quinn-udp",
- "rustc-hash 2.1.1",
+ "rustc-hash",
  "rustls",
  "socket2 0.6.0",
  "thiserror 2.0.16",
@@ -4661,7 +4648,7 @@ dependencies = [
  "lru-slab",
  "rand 0.9.2",
  "ring",
- "rustc-hash 2.1.1",
+ "rustc-hash",
  "rustls",
  "rustls-pki-types",
  "slab",
@@ -4789,15 +4776,6 @@ dependencies = [
  "unicode-width 0.2.1",
 ]
 
-[[package]]
-name = "ratatui-macros"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fef540f80dbe8a0773266fa6077788ceb65ef624cdbf36e131aaf90b4a52df4"
-dependencies = [
- "ratatui",
-]
-
 [[package]]
 name = "redox_syscall"
 version = "0.5.15"
@@ -4955,9 +4933,9 @@ dependencies = [
 
 [[package]]
 name = "rmcp"
-version = "0.8.3"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fdad1258f7259fdc0f2dfc266939c82c3b5d1fd72bcde274d600cdc27e60243"
+checksum = "6f35acda8f89fca5fd8c96cae3c6d5b4c38ea0072df4c8030915f3b5ff469c1c"
 dependencies = [
  "base64",
  "bytes",
@@ -4989,9 +4967,9 @@ dependencies = [
 
 [[package]]
 name = "rmcp-macros"
-version = "0.8.3"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ede0589a208cc7ce81d1be68aa7e74b917fcd03c81528408bab0457e187dcd9b"
+checksum = "c9f1d5220aaa23b79c3d02e18f7a554403b3ccea544bbb6c69d6bcb3e854a274"
 dependencies = [
  "darling 0.21.3",
  "proc-macro2",
@@ -5006,12 +4984,6 @@ version = "0.1.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "989e6739f80c4ad5b13e0fd7fe89531180375b18520cc8c82080e4dc4035b84f"
 
-[[package]]
-name = "rustc-hash"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
-
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -6192,21 +6164,6 @@ dependencies = [
  "zune-jpeg",
 ]
 
-[[package]]
-name = "tiktoken-rs"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25563eeba904d770acf527e8b370fe9a5547bacd20ff84a0b6c3bc41288e5625"
-dependencies = [
- "anyhow",
- "base64",
- "bstr",
- "fancy-regex",
- "lazy_static",
- "regex",
- "rustc-hash 1.1.0",
-]
-
 [[package]]
 name = "time"
 version = "0.3.44"

codex-rs/Cargo.toml

@@ -20,6 +20,7 @@ members = [
     "git-tooling",
     "linux-sandbox",
     "login",
+    "mcp-client",
     "mcp-server",
     "mcp-types",
     "ollama",
@@ -36,7 +37,6 @@ members = [
     "utils/readiness",
     "utils/pty",
     "utils/string",
-    "utils/tokenizer",
 ]
 resolver = "2"
 
@@ -57,7 +57,6 @@ codex-app-server-protocol = { path = "app-server-protocol" }
 codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
-codex-backend-client = { path = "backend-client" }
 codex-chatgpt = { path = "chatgpt" }
 codex-common = { path = "common" }
 codex-core = { path = "core" }
@@ -67,6 +66,7 @@ codex-file-search = { path = "file-search" }
 codex-git-tooling = { path = "git-tooling" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-login = { path = "login" }
+codex-mcp-client = { path = "mcp-client" }
 codex-mcp-server = { path = "mcp-server" }
 codex-ollama = { path = "ollama" }
 codex-otel = { path = "otel" }
@@ -78,10 +78,9 @@ codex-rmcp-client = { path = "rmcp-client" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
-codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
+codex-utils-pty = { path = "utils/pty" }
 codex-utils-string = { path = "utils/string" }
-codex-utils-tokenizer = { path = "utils/tokenizer" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
@@ -116,7 +115,6 @@ env_logger = "0.11.5"
 escargot = "0.5"
 eventsource-stream = "0.2.3"
 futures = { version = "0.3", default-features = false }
-http = "1.3.1"
 icu_decimal = "2.0.0"
 icu_locale_core = "2.0.0"
 ignore = "0.4.23"
@@ -144,6 +142,7 @@ os_info = "3.12.0"
 owo-colors = "4.2.0"
 paste = "1.0.15"
 path-absolutize = "3.1.1"
+path-clean = "1.0.1"
 pathdiff = "0.2"
 portable-pty = "0.9.0"
 predicates = "3"
@@ -151,10 +150,9 @@ pretty_assertions = "1.4.1"
 pulldown-cmark = "0.10"
 rand = "0.9"
 ratatui = "0.29.0"
-ratatui-macros = "0.6.0"
 regex-lite = "0.1.7"
 reqwest = "0.12"
-rmcp = { version = "0.8.3", default-features = false }
+rmcp = { version = "0.8.0", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
 sentry = "0.34.0"
@@ -247,7 +245,7 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["openssl-sys", "codex-utils-readiness", "codex-utils-tokenizer"]
+ignored = ["openssl-sys", "codex-utils-readiness"]
 
 [profile.release]
 lto = "fat"
@@ -258,11 +256,6 @@ strip = "symbols"
 # See https://github.com/openai/codex/issues/1411 for details.
 codegen-units = 1
 
-[profile.ci-test]
-debug = 1         # Reduce debug symbol size
-inherits = "test"
-opt-level = 0
-
 [patch.crates-io]
 # Uncomment to debug local changes.
 # ratatui = { path = "../../ratatui" }

codex-rs/app-server-protocol/src/export.rs

@@ -23,7 +23,6 @@ use std::io::Write;
 use std::path::Path;
 use std::path::PathBuf;
 use std::process::Command;
-use ts_rs::ExportError;
 use ts_rs::TS;
 
 const HEADER: &str = "// GENERATED CODE! DO NOT MODIFY BY HAND!\n\n";
@@ -105,19 +104,6 @@ macro_rules! for_each_schema_type {
     };
 }
 
-fn export_ts_with_context<F>(label: &str, export: F) -> Result<()>
-where
-    F: FnOnce() -> std::result::Result<(), ExportError>,
-{
-    match export() {
-        Ok(()) => Ok(()),
-        Err(ExportError::CannotBeExported(ty)) => Err(anyhow!(
-            "failed to export {label}: dependency {ty} cannot be exported"
-        )),
-        Err(err) => Err(err.into()),
-    }
-}
-
 pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
     generate_ts(out_dir, prettier)?;
     generate_json(out_dir)?;
@@ -127,17 +113,13 @@ pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
 pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
     ensure_dir(out_dir)?;
 
-    export_ts_with_context("ClientRequest", || ClientRequest::export_all_to(out_dir))?;
-    export_ts_with_context("client responses", || export_client_responses(out_dir))?;
-    export_ts_with_context("ClientNotification", || {
-        ClientNotification::export_all_to(out_dir)
-    })?;
+    ClientRequest::export_all_to(out_dir)?;
+    export_client_responses(out_dir)?;
+    ClientNotification::export_all_to(out_dir)?;
 
-    export_ts_with_context("ServerRequest", || ServerRequest::export_all_to(out_dir))?;
-    export_ts_with_context("server responses", || export_server_responses(out_dir))?;
-    export_ts_with_context("ServerNotification", || {
-        ServerNotification::export_all_to(out_dir)
-    })?;
+    ServerRequest::export_all_to(out_dir)?;
+    export_server_responses(out_dir)?;
+    ServerNotification::export_all_to(out_dir)?;
 
     generate_index_ts(out_dir)?;
 

codex-rs/app-server-protocol/src/protocol.rs

@@ -5,7 +5,6 @@ use crate::JSONRPCNotification;
 use crate::JSONRPCRequest;
 use crate::RequestId;
 use codex_protocol::ConversationId;
-use codex_protocol::account::Account;
 use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
@@ -15,7 +14,6 @@ use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::FileChange;
-use codex_protocol::protocol::RateLimitSnapshot;
 use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnAbortReason;
@@ -94,43 +92,6 @@ macro_rules! client_request_definitions {
 }
 
 client_request_definitions! {
-    /// NEW APIs
-    #[serde(rename = "model/list")]
-    #[ts(rename = "model/list")]
-    ListModels {
-        params: ListModelsParams,
-        response: ListModelsResponse,
-    },
-
-    #[serde(rename = "account/login")]
-    #[ts(rename = "account/login")]
-    LoginAccount {
-        params: LoginAccountParams,
-        response: LoginAccountResponse,
-    },
-
-    #[serde(rename = "account/logout")]
-    #[ts(rename = "account/logout")]
-    LogoutAccount {
-        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
-        response: LogoutAccountResponse,
-    },
-
-    #[serde(rename = "account/rateLimits/read")]
-    #[ts(rename = "account/rateLimits/read")]
-    GetAccountRateLimits {
-        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
-        response: GetAccountRateLimitsResponse,
-    },
-
-    #[serde(rename = "account/read")]
-    #[ts(rename = "account/read")]
-    GetAccount {
-        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
-        response: GetAccountResponse,
-    },
-
-    /// DEPRECATED APIs below
     Initialize {
         params: InitializeParams,
         response: InitializeResponse,
@@ -279,6 +240,10 @@ pub struct NewConversationParams {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub base_instructions: Option<String>,
 
+    /// Whether to include the plan tool in the conversation.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub include_plan_tool: Option<bool>,
+
     /// Whether to include the apply patch tool in the conversation.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub include_apply_patch_tool: Option<bool>,
@@ -336,79 +301,6 @@ pub struct ListConversationsResponse {
     pub next_cursor: Option<String>,
 }
 
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct ListModelsParams {
-    /// Optional page size; defaults to a reasonable server-side value.
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub page_size: Option<usize>,
-    /// Opaque pagination cursor returned by a previous call.
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub cursor: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct Model {
-    pub id: String,
-    pub model: String,
-    pub display_name: String,
-    pub description: String,
-    pub supported_reasoning_efforts: Vec<ReasoningEffortOption>,
-    pub default_reasoning_effort: ReasoningEffort,
-    // Only one model should be marked as default.
-    pub is_default: bool,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct ReasoningEffortOption {
-    pub reasoning_effort: ReasoningEffort,
-    pub description: String,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct ListModelsResponse {
-    pub items: Vec<Model>,
-    /// Opaque cursor to pass to the next call to continue after the last item.
-    /// if None, there are no more items to return.
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub next_cursor: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(tag = "type")]
-#[ts(tag = "type")]
-pub enum LoginAccountParams {
-    #[serde(rename = "apiKey")]
-    #[ts(rename = "apiKey")]
-    ApiKey {
-        #[serde(rename = "apiKey")]
-        #[ts(rename = "apiKey")]
-        api_key: String,
-    },
-    #[serde(rename = "chatgpt")]
-    #[ts(rename = "chatgpt")]
-    ChatGpt,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct LoginAccountResponse {
-    /// Only set if the login method is ChatGPT.
-    #[schemars(with = "String")]
-    pub login_id: Option<Uuid>,
-
-    /// URL the client should open in a browser to initiate the OAuth flow.
-    /// Only set if the login method is ChatGPT.
-    pub auth_url: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct LogoutAccountResponse {}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ResumeConversationParams {
@@ -528,18 +420,6 @@ pub struct ExecOneOffCommandResponse {
     pub stderr: String,
 }
 
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct GetAccountRateLimitsResponse {
-    pub rate_limits: RateLimitSnapshot,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(transparent)]
-#[ts(export)]
-#[ts(type = "Account | null")]
-pub struct GetAccountResponse(#[ts(type = "Account | null")] pub Option<Account>);
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetAuthStatusResponse {
@@ -938,13 +818,6 @@ pub struct AuthStatusChangeNotification {
 #[serde(tag = "method", content = "params", rename_all = "camelCase")]
 #[strum(serialize_all = "camelCase")]
 pub enum ServerNotification {
-    /// NEW NOTIFICATIONS
-    #[serde(rename = "account/rateLimits/updated")]
-    #[ts(rename = "account/rateLimits/updated")]
-    #[strum(serialize = "account/rateLimits/updated")]
-    AccountRateLimitsUpdated(RateLimitSnapshot),
-
-    /// DEPRECATED NOTIFICATIONS below
     /// Authentication status changed
     AuthStatusChange(AuthStatusChangeNotification),
 
@@ -958,7 +831,6 @@ pub enum ServerNotification {
 impl ServerNotification {
     pub fn to_params(self) -> Result<serde_json::Value, serde_json::Error> {
         match self {
-            ServerNotification::AccountRateLimitsUpdated(params) => serde_json::to_value(params),
             ServerNotification::AuthStatusChange(params) => serde_json::to_value(params),
             ServerNotification::LoginChatGptComplete(params) => serde_json::to_value(params),
             ServerNotification::SessionConfigured(params) => serde_json::to_value(params),
@@ -1001,6 +873,7 @@ mod tests {
                 sandbox: None,
                 config: None,
                 base_instructions: None,
+                include_plan_tool: None,
                 include_apply_patch_tool: None,
             },
         };
@@ -1097,110 +970,4 @@ mod tests {
         assert_eq!(payload.request_with_id(RequestId::Integer(7)), request);
         Ok(())
     }
-
-    #[test]
-    fn serialize_get_account_rate_limits() -> Result<()> {
-        let request = ClientRequest::GetAccountRateLimits {
-            request_id: RequestId::Integer(1),
-            params: None,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/rateLimits/read",
-                "id": 1,
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_account_login_api_key() -> Result<()> {
-        let request = ClientRequest::LoginAccount {
-            request_id: RequestId::Integer(2),
-            params: LoginAccountParams::ApiKey {
-                api_key: "secret".to_string(),
-            },
-        };
-        assert_eq!(
-            json!({
-                "method": "account/login",
-                "id": 2,
-                "params": {
-                    "type": "apiKey",
-                    "apiKey": "secret"
-                }
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_account_login_chatgpt() -> Result<()> {
-        let request = ClientRequest::LoginAccount {
-            request_id: RequestId::Integer(3),
-            params: LoginAccountParams::ChatGpt,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/login",
-                "id": 3,
-                "params": {
-                    "type": "chatgpt"
-                }
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_account_logout() -> Result<()> {
-        let request = ClientRequest::LogoutAccount {
-            request_id: RequestId::Integer(4),
-            params: None,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/logout",
-                "id": 4,
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_get_account() -> Result<()> {
-        let request = ClientRequest::GetAccount {
-            request_id: RequestId::Integer(5),
-            params: None,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/read",
-                "id": 5,
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_list_models() -> Result<()> {
-        let request = ClientRequest::ListModels {
-            request_id: RequestId::Integer(6),
-            params: ListModelsParams::default(),
-        };
-        assert_eq!(
-            json!({
-                "method": "model/list",
-                "id": 6,
-                "params": {}
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
 }

codex-rs/app-server/Cargo.toml

@@ -19,13 +19,11 @@ anyhow = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
-codex-backend-client = { workspace = true }
 codex-file-search = { workspace = true }
 codex-login = { workspace = true }
 codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-utils-json-to-toml = { workspace = true }
-chrono = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [
@@ -37,7 +35,6 @@ tokio = { workspace = true, features = [
 ] }
 tracing = { workspace = true, features = ["log"] }
 tracing-subscriber = { workspace = true, features = ["env-filter", "fmt"] }
-opentelemetry-appender-tracing = { workspace = true }
 uuid = { workspace = true, features = ["serde", "v7"] }
 
 [dev-dependencies]

codex-rs/app-server/src/codex_message_processor.rs

@@ -1,7 +1,6 @@
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
 use crate::fuzzy_file_search::run_fuzzy_file_search;
-use crate::models::supported_models;
 use crate::outgoing_message::OutgoingMessageSender;
 use crate::outgoing_message::OutgoingNotification;
 use codex_app_server_protocol::AddConversationListenerParams;
@@ -10,7 +9,6 @@ use codex_app_server_protocol::ApplyPatchApprovalParams;
 use codex_app_server_protocol::ApplyPatchApprovalResponse;
 use codex_app_server_protocol::ArchiveConversationParams;
 use codex_app_server_protocol::ArchiveConversationResponse;
-use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::AuthStatusChangeNotification;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ConversationSummary;
@@ -20,7 +18,6 @@ use codex_app_server_protocol::ExecOneOffCommandParams;
 use codex_app_server_protocol::ExecOneOffCommandResponse;
 use codex_app_server_protocol::FuzzyFileSearchParams;
 use codex_app_server_protocol::FuzzyFileSearchResponse;
-use codex_app_server_protocol::GetAccountRateLimitsResponse;
 use codex_app_server_protocol::GetUserAgentResponse;
 use codex_app_server_protocol::GetUserSavedConfigResponse;
 use codex_app_server_protocol::GitDiffToRemoteResponse;
@@ -30,8 +27,6 @@ use codex_app_server_protocol::InterruptConversationResponse;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::ListConversationsParams;
 use codex_app_server_protocol::ListConversationsResponse;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::ListModelsResponse;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::LoginApiKeyResponse;
 use codex_app_server_protocol::LoginChatGptCompleteNotification;
@@ -54,7 +49,6 @@ use codex_app_server_protocol::SetDefaultModelParams;
 use codex_app_server_protocol::SetDefaultModelResponse;
 use codex_app_server_protocol::UserInfoResponse;
 use codex_app_server_protocol::UserSavedConfig;
-use codex_backend_client::Client as BackendClient;
 use codex_core::AuthManager;
 use codex_core::CodexConversation;
 use codex_core::ConversationManager;
@@ -83,6 +77,7 @@ use codex_core::protocol::ApplyPatchApprovalRequestEvent;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::ExecApprovalRequestEvent;
+use codex_core::protocol::InputItem as CoreInputItem;
 use codex_core::protocol::Op;
 use codex_core::protocol::ReviewDecision;
 use codex_login::ServerOptions as LoginServerOptions;
@@ -90,11 +85,10 @@ use codex_login::ShutdownHandle;
 use codex_login::run_login_server;
 use codex_protocol::ConversationId;
 use codex_protocol::config_types::ForcedLoginMethod;
-use codex_protocol::items::TurnItem;
+use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::RateLimitSnapshot;
+use codex_protocol::protocol::InputMessageKind;
 use codex_protocol::protocol::USER_MESSAGE_BEGIN;
-use codex_protocol::user_input::UserInput as CoreInputItem;
 use codex_utils_json_to_toml::json_to_toml;
 use std::collections::HashMap;
 use std::ffi::OsStr;
@@ -113,6 +107,7 @@ use uuid::Uuid;
 
 // Duration before a ChatGPT login attempt is abandoned.
 const LOGIN_CHATGPT_TIMEOUT: Duration = Duration::from_secs(10 * 60);
+
 struct ActiveLogin {
     shutdown_handle: ShutdownHandle,
     login_id: Uuid,
@@ -173,30 +168,6 @@ impl CodexMessageProcessor {
             ClientRequest::ListConversations { request_id, params } => {
                 self.handle_list_conversations(request_id, params).await;
             }
-            ClientRequest::ListModels { request_id, params } => {
-                self.list_models(request_id, params).await;
-            }
-            ClientRequest::LoginAccount {
-                request_id,
-                params: _,
-            } => {
-                self.send_unimplemented_error(request_id, "account/login")
-                    .await;
-            }
-            ClientRequest::LogoutAccount {
-                request_id,
-                params: _,
-            } => {
-                self.send_unimplemented_error(request_id, "account/logout")
-                    .await;
-            }
-            ClientRequest::GetAccount {
-                request_id,
-                params: _,
-            } => {
-                self.send_unimplemented_error(request_id, "account/read")
-                    .await;
-            }
             ClientRequest::ResumeConversation { request_id, params } => {
                 self.handle_resume_conversation(request_id, params).await;
             }
@@ -269,24 +240,9 @@ impl CodexMessageProcessor {
             ClientRequest::ExecOneOffCommand { request_id, params } => {
                 self.exec_one_off_command(request_id, params).await;
             }
-            ClientRequest::GetAccountRateLimits {
-                request_id,
-                params: _,
-            } => {
-                self.get_account_rate_limits(request_id).await;
-            }
         }
     }
 
-    async fn send_unimplemented_error(&self, request_id: RequestId, method: &str) {
-        let error = JSONRPCErrorError {
-            code: INTERNAL_ERROR_CODE,
-            message: format!("{method} is not implemented yet"),
-            data: None,
-        };
-        self.outgoing.send_error(request_id, error).await;
-    }
-
     async fn login_api_key(&mut self, request_id: RequestId, params: LoginApiKeyParams) {
         if matches!(
             self.config.forced_login_method,
@@ -571,53 +527,6 @@ impl CodexMessageProcessor {
         self.outgoing.send_response(request_id, response).await;
     }
 
-    async fn get_account_rate_limits(&self, request_id: RequestId) {
-        match self.fetch_account_rate_limits().await {
-            Ok(rate_limits) => {
-                let response = GetAccountRateLimitsResponse { rate_limits };
-                self.outgoing.send_response(request_id, response).await;
-            }
-            Err(error) => {
-                self.outgoing.send_error(request_id, error).await;
-            }
-        }
-    }
-
-    async fn fetch_account_rate_limits(&self) -> Result<RateLimitSnapshot, JSONRPCErrorError> {
-        let Some(auth) = self.auth_manager.auth() else {
-            return Err(JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "codex account authentication required to read rate limits".to_string(),
-                data: None,
-            });
-        };
-
-        if auth.mode != AuthMode::ChatGPT {
-            return Err(JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "chatgpt authentication required to read rate limits".to_string(),
-                data: None,
-            });
-        }
-
-        let client = BackendClient::from_auth(self.config.chatgpt_base_url.clone(), &auth)
-            .await
-            .map_err(|err| JSONRPCErrorError {
-                code: INTERNAL_ERROR_CODE,
-                message: format!("failed to construct backend client: {err}"),
-                data: None,
-            })?;
-
-        client
-            .get_rate_limits()
-            .await
-            .map_err(|err| JSONRPCErrorError {
-                code: INTERNAL_ERROR_CODE,
-                message: format!("failed to fetch codex rate limits: {err}"),
-                data: None,
-            })
-    }
-
     async fn get_user_saved_config(&self, request_id: RequestId) {
         let toml_value = match load_config_as_toml(&self.config.codex_home).await {
             Ok(val) => val,
@@ -865,58 +774,6 @@ impl CodexMessageProcessor {
         self.outgoing.send_response(request_id, response).await;
     }
 
-    async fn list_models(&self, request_id: RequestId, params: ListModelsParams) {
-        let ListModelsParams { page_size, cursor } = params;
-        let models = supported_models();
-        let total = models.len();
-
-        if total == 0 {
-            let response = ListModelsResponse {
-                items: Vec::new(),
-                next_cursor: None,
-            };
-            self.outgoing.send_response(request_id, response).await;
-            return;
-        }
-
-        let effective_page_size = page_size.unwrap_or(total).max(1).min(total);
-        let start = match cursor {
-            Some(cursor) => match cursor.parse::<usize>() {
-                Ok(idx) => idx,
-                Err(_) => {
-                    let error = JSONRPCErrorError {
-                        code: INVALID_REQUEST_ERROR_CODE,
-                        message: format!("invalid cursor: {cursor}"),
-                        data: None,
-                    };
-                    self.outgoing.send_error(request_id, error).await;
-                    return;
-                }
-            },
-            None => 0,
-        };
-
-        if start > total {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: format!("cursor {start} exceeds total models {total}"),
-                data: None,
-            };
-            self.outgoing.send_error(request_id, error).await;
-            return;
-        }
-
-        let end = start.saturating_add(effective_page_size).min(total);
-        let items = models[start..end].to_vec();
-        let next_cursor = if end < total {
-            Some(end.to_string())
-        } else {
-            None
-        };
-        let response = ListModelsResponse { items, next_cursor };
-        self.outgoing.send_response(request_id, response).await;
-    }
-
     async fn handle_resume_conversation(
         &self,
         request_id: RequestId,
@@ -969,9 +826,18 @@ impl CodexMessageProcessor {
                         },
                     ))
                     .await;
-                let initial_messages = session_configured
-                    .initial_messages
-                    .map(|msgs| msgs.into_iter().collect());
+                let initial_messages = session_configured.initial_messages.map(|msgs| {
+                    msgs.into_iter()
+                        .filter(|event| {
+                            // Don't send non-plain user messages (like user instructions
+                            // or environment context) back so they don't get rendered.
+                            if let EventMsg::UserMessage(user_message) = event {
+                                return matches!(user_message.kind, Some(InputMessageKind::Plain));
+                            }
+                            true
+                        })
+                        .collect()
+                });
 
                 // Reply with conversation id + model and initial messages (when present)
                 let response = codex_app_server_protocol::ResumeConversationResponse {
@@ -1466,15 +1332,6 @@ async fn apply_bespoke_event_handling(
                 on_exec_approval_response(event_id, rx, conversation).await;
             });
         }
-        EventMsg::TokenCount(token_count_event) => {
-            if let Some(rate_limits) = token_count_event.rate_limits {
-                outgoing
-                    .send_server_notification(ServerNotification::AccountRateLimitsUpdated(
-                        rate_limits,
-                    ))
-                    .await;
-            }
-        }
         // If this is a TurnAborted, reply to any pending interrupt requests.
         EventMsg::TurnAborted(turn_aborted_event) => {
             let pending = {
@@ -1507,6 +1364,7 @@ async fn derive_config_from_params(
         sandbox: sandbox_mode,
         config: cli_overrides,
         base_instructions,
+        include_plan_tool,
         include_apply_patch_tool,
     } = params;
     let overrides = ConfigOverrides {
@@ -1519,6 +1377,7 @@ async fn derive_config_from_params(
         model_provider: None,
         codex_linux_sandbox_exe,
         base_instructions,
+        include_plan_tool,
         include_apply_patch_tool,
         include_view_image_tool: None,
         show_raw_agent_reasoning: None,
@@ -1625,8 +1484,18 @@ fn extract_conversation_summary(
     let preview = head
         .iter()
         .filter_map(|value| serde_json::from_value::<ResponseItem>(value.clone()).ok())
-        .find_map(|item| match codex_core::parse_turn_item(&item) {
-            Some(TurnItem::UserMessage(user)) => Some(user.message()),
+        .find_map(|item| match item {
+            ResponseItem::Message { content, .. } => {
+                content.into_iter().find_map(|content| match content {
+                    ContentItem::InputText { text } => {
+                        match InputMessageKind::from(("user", &text)) {
+                            InputMessageKind::Plain => Some(text),
+                            _ => None,
+                        }
+                    }
+                    _ => None,
+                })
+            }
             _ => None,
         })?;
 

codex-rs/app-server/src/fuzzy_file_search.rs

@@ -46,7 +46,6 @@ pub(crate) async fn run_fuzzy_file_search(
                 threads,
                 cancel_flag,
                 COMPUTE_INDICES,
-                true,
             ) {
                 Ok(res) => Ok((root, res)),
                 Err(err) => Err((root, err)),

codex-rs/app-server/src/lib.rs

@@ -1,16 +1,13 @@
 #![deny(clippy::print_stdout, clippy::print_stderr)]
 
-use codex_common::CliConfigOverrides;
-use codex_core::config::Config;
-use codex_core::config::ConfigOverrides;
-use opentelemetry_appender_tracing::layer::OpenTelemetryTracingBridge;
 use std::io::ErrorKind;
 use std::io::Result as IoResult;
 use std::path::PathBuf;
 
-use crate::message_processor::MessageProcessor;
-use crate::outgoing_message::OutgoingMessage;
-use crate::outgoing_message::OutgoingMessageSender;
+use codex_common::CliConfigOverrides;
+use codex_core::config::Config;
+use codex_core::config::ConfigOverrides;
+
 use codex_app_server_protocol::JSONRPCMessage;
 use tokio::io::AsyncBufReadExt;
 use tokio::io::AsyncWriteExt;
@@ -21,15 +18,15 @@ use tracing::debug;
 use tracing::error;
 use tracing::info;
 use tracing_subscriber::EnvFilter;
-use tracing_subscriber::Layer;
-use tracing_subscriber::layer::SubscriberExt;
-use tracing_subscriber::util::SubscriberInitExt;
+
+use crate::message_processor::MessageProcessor;
+use crate::outgoing_message::OutgoingMessage;
+use crate::outgoing_message::OutgoingMessageSender;
 
 mod codex_message_processor;
 mod error_code;
 mod fuzzy_file_search;
 mod message_processor;
-mod models;
 mod outgoing_message;
 
 /// Size of the bounded channels used to communicate between tasks. The value
@@ -41,6 +38,13 @@ pub async fn run_main(
     codex_linux_sandbox_exe: Option<PathBuf>,
     cli_config_overrides: CliConfigOverrides,
 ) -> IoResult<()> {
+    // Install a simple subscriber so `tracing` output is visible.  Users can
+    // control the log level with `RUST_LOG`.
+    tracing_subscriber::fmt()
+        .with_writer(std::io::stderr)
+        .with_env_filter(EnvFilter::from_default_env())
+        .init();
+
     // Set up channels.
     let (incoming_tx, mut incoming_rx) = mpsc::channel::<JSONRPCMessage>(CHANNEL_CAPACITY);
     let (outgoing_tx, mut outgoing_rx) = mpsc::unbounded_channel::<OutgoingMessage>();
@@ -82,29 +86,6 @@ pub async fn run_main(
             std::io::Error::new(ErrorKind::InvalidData, format!("error loading config: {e}"))
         })?;
 
-    let otel =
-        codex_core::otel_init::build_provider(&config, env!("CARGO_PKG_VERSION")).map_err(|e| {
-            std::io::Error::new(
-                ErrorKind::InvalidData,
-                format!("error loading otel config: {e}"),
-            )
-        })?;
-
-    // Install a simple subscriber so `tracing` output is visible.  Users can
-    // control the log level with `RUST_LOG`.
-    let stderr_fmt = tracing_subscriber::fmt::layer()
-        .with_writer(std::io::stderr)
-        .with_filter(EnvFilter::from_default_env());
-
-    let _ = tracing_subscriber::registry()
-        .with(stderr_fmt)
-        .with(otel.as_ref().map(|provider| {
-            OpenTelemetryTracingBridge::new(&provider.logger).with_filter(
-                tracing_subscriber::filter::filter_fn(codex_core::otel_init::codex_export_filter),
-            )
-        }))
-        .try_init();
-
     // Task: process incoming messages.
     let processor_handle = tokio::spawn({
         let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);

codex-rs/app-server/src/models.rs

@@ -1,38 +0,0 @@
-use codex_app_server_protocol::Model;
-use codex_app_server_protocol::ReasoningEffortOption;
-use codex_common::model_presets::ModelPreset;
-use codex_common::model_presets::ReasoningEffortPreset;
-use codex_common::model_presets::builtin_model_presets;
-
-pub fn supported_models() -> Vec<Model> {
-    builtin_model_presets(None)
-        .into_iter()
-        .map(model_from_preset)
-        .collect()
-}
-
-fn model_from_preset(preset: ModelPreset) -> Model {
-    Model {
-        id: preset.id.to_string(),
-        model: preset.model.to_string(),
-        display_name: preset.display_name.to_string(),
-        description: preset.description.to_string(),
-        supported_reasoning_efforts: reasoning_efforts_from_preset(
-            preset.supported_reasoning_efforts,
-        ),
-        default_reasoning_effort: preset.default_reasoning_effort,
-        is_default: preset.is_default,
-    }
-}
-
-fn reasoning_efforts_from_preset(
-    efforts: &'static [ReasoningEffortPreset],
-) -> Vec<ReasoningEffortOption> {
-    efforts
-        .iter()
-        .map(|preset| ReasoningEffortOption {
-            reasoning_effort: preset.effort,
-            description: preset.description.to_string(),
-        })
-        .collect()
-}

codex-rs/app-server/src/outgoing_message.rs

@@ -142,8 +142,6 @@ pub(crate) struct OutgoingError {
 #[cfg(test)]
 mod tests {
     use codex_app_server_protocol::LoginChatGptCompleteNotification;
-    use codex_protocol::protocol::RateLimitSnapshot;
-    use codex_protocol::protocol::RateLimitWindow;
     use pretty_assertions::assert_eq;
     use serde_json::json;
     use uuid::Uuid;
@@ -173,34 +171,4 @@ mod tests {
             "ensure the strum macros serialize the method field correctly"
         );
     }
-
-    #[test]
-    fn verify_account_rate_limits_notification_serialization() {
-        let notification = ServerNotification::AccountRateLimitsUpdated(RateLimitSnapshot {
-            primary: Some(RateLimitWindow {
-                used_percent: 25.0,
-                window_minutes: Some(15),
-                resets_at: Some(123),
-            }),
-            secondary: None,
-        });
-
-        let jsonrpc_notification = OutgoingMessage::AppServerNotification(notification);
-        assert_eq!(
-            json!({
-                "method": "account/rateLimits/updated",
-                "params": {
-                    "primary": {
-                        "used_percent": 25.0,
-                        "window_minutes": 15,
-                        "resets_at": 123,
-                    },
-                    "secondary": null,
-                },
-            }),
-            serde_json::to_value(jsonrpc_notification)
-                .expect("ensure the notification serializes correctly"),
-            "ensure the notification serializes correctly"
-        );
-    }
 }

codex-rs/app-server/tests/common/Cargo.toml

@@ -9,10 +9,7 @@ path = "lib.rs"
 [dependencies]
 anyhow = { workspace = true }
 assert_cmd = { workspace = true }
-base64 = { workspace = true }
-chrono = { workspace = true }
 codex-app-server-protocol = { workspace = true }
-codex-core = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [

codex-rs/app-server/tests/common/auth_fixtures.rs

@@ -1,131 +0,0 @@
-use std::path::Path;
-
-use anyhow::Context;
-use anyhow::Result;
-use base64::Engine;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
-use chrono::DateTime;
-use chrono::Utc;
-use codex_core::auth::AuthDotJson;
-use codex_core::auth::get_auth_file;
-use codex_core::auth::write_auth_json;
-use codex_core::token_data::TokenData;
-use codex_core::token_data::parse_id_token;
-use serde_json::json;
-
-/// Builder for writing a fake ChatGPT auth.json in tests.
-#[derive(Debug, Clone)]
-pub struct ChatGptAuthFixture {
-    access_token: String,
-    refresh_token: String,
-    account_id: Option<String>,
-    claims: ChatGptIdTokenClaims,
-    last_refresh: Option<Option<DateTime<Utc>>>,
-}
-
-impl ChatGptAuthFixture {
-    pub fn new(access_token: impl Into<String>) -> Self {
-        Self {
-            access_token: access_token.into(),
-            refresh_token: "refresh-token".to_string(),
-            account_id: None,
-            claims: ChatGptIdTokenClaims::default(),
-            last_refresh: None,
-        }
-    }
-
-    pub fn refresh_token(mut self, refresh_token: impl Into<String>) -> Self {
-        self.refresh_token = refresh_token.into();
-        self
-    }
-
-    pub fn account_id(mut self, account_id: impl Into<String>) -> Self {
-        self.account_id = Some(account_id.into());
-        self
-    }
-
-    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
-        self.claims.plan_type = Some(plan_type.into());
-        self
-    }
-
-    pub fn email(mut self, email: impl Into<String>) -> Self {
-        self.claims.email = Some(email.into());
-        self
-    }
-
-    pub fn last_refresh(mut self, last_refresh: Option<DateTime<Utc>>) -> Self {
-        self.last_refresh = Some(last_refresh);
-        self
-    }
-
-    pub fn claims(mut self, claims: ChatGptIdTokenClaims) -> Self {
-        self.claims = claims;
-        self
-    }
-}
-
-#[derive(Debug, Clone, Default)]
-pub struct ChatGptIdTokenClaims {
-    pub email: Option<String>,
-    pub plan_type: Option<String>,
-}
-
-impl ChatGptIdTokenClaims {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn email(mut self, email: impl Into<String>) -> Self {
-        self.email = Some(email.into());
-        self
-    }
-
-    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
-        self.plan_type = Some(plan_type.into());
-        self
-    }
-}
-
-pub fn encode_id_token(claims: &ChatGptIdTokenClaims) -> Result<String> {
-    let header = json!({ "alg": "none", "typ": "JWT" });
-    let mut payload = serde_json::Map::new();
-    if let Some(email) = &claims.email {
-        payload.insert("email".to_string(), json!(email));
-    }
-    if let Some(plan_type) = &claims.plan_type {
-        payload.insert(
-            "https://api.openai.com/auth".to_string(),
-            json!({ "chatgpt_plan_type": plan_type }),
-        );
-    }
-    let payload = serde_json::Value::Object(payload);
-
-    let header_b64 =
-        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&header).context("serialize jwt header")?);
-    let payload_b64 =
-        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&payload).context("serialize jwt payload")?);
-    let signature_b64 = URL_SAFE_NO_PAD.encode(b"signature");
-    Ok(format!("{header_b64}.{payload_b64}.{signature_b64}"))
-}
-
-pub fn write_chatgpt_auth(codex_home: &Path, fixture: ChatGptAuthFixture) -> Result<()> {
-    let id_token_raw = encode_id_token(&fixture.claims)?;
-    let id_token = parse_id_token(&id_token_raw).context("parse id token")?;
-    let tokens = TokenData {
-        id_token,
-        access_token: fixture.access_token,
-        refresh_token: fixture.refresh_token,
-        account_id: fixture.account_id,
-    };
-
-    let last_refresh = fixture.last_refresh.unwrap_or_else(|| Some(Utc::now()));
-
-    let auth = AuthDotJson {
-        openai_api_key: None,
-        tokens: Some(tokens),
-        last_refresh,
-    };
-
-    write_auth_json(&get_auth_file(codex_home), &auth).context("write auth.json")
-}

codex-rs/app-server/tests/common/lib.rs

@@ -1,12 +1,7 @@
-mod auth_fixtures;
 mod mcp_process;
 mod mock_model_server;
 mod responses;
 
-pub use auth_fixtures::ChatGptAuthFixture;
-pub use auth_fixtures::ChatGptIdTokenClaims;
-pub use auth_fixtures::encode_id_token;
-pub use auth_fixtures::write_chatgpt_auth;
 use codex_app_server_protocol::JSONRPCResponse;
 pub use mcp_process::McpProcess;
 pub use mock_model_server::create_mock_chat_completions_server;

codex-rs/app-server/tests/common/mcp_process.rs

@@ -21,7 +21,6 @@ use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::InterruptConversationParams;
 use codex_app_server_protocol::ListConversationsParams;
-use codex_app_server_protocol::ListModelsParams;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::NewConversationParams;
 use codex_app_server_protocol::RemoveConversationListenerParams;
@@ -237,11 +236,6 @@ impl McpProcess {
         self.send_request("getUserAgent", None).await
     }
 
-    /// Send an `account/rateLimits/read` JSON-RPC request.
-    pub async fn send_get_account_rate_limits_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("account/rateLimits/read", None).await
-    }
-
     /// Send a `userInfo` JSON-RPC request.
     pub async fn send_user_info_request(&mut self) -> anyhow::Result<i64> {
         self.send_request("userInfo", None).await
@@ -265,15 +259,6 @@ impl McpProcess {
         self.send_request("listConversations", params).await
     }
 
-    /// Send a `model/list` JSON-RPC request.
-    pub async fn send_list_models_request(
-        &mut self,
-        params: ListModelsParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("model/list", params).await
-    }
-
     /// Send a `resumeConversation` JSON-RPC request.
     pub async fn send_resume_conversation_request(
         &mut self,

codex-rs/app-server/tests/suite/codex_message_processor_flow.rs

@@ -30,6 +30,7 @@ use codex_protocol::config_types::SandboxMode;
 use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::Event;
 use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::InputMessageKind;
 use pretty_assertions::assert_eq;
 use std::env;
 use tempfile::TempDir;
@@ -527,6 +528,43 @@ async fn test_send_user_turn_updates_sandbox_and_cwd_between_turns() {
     .expect("sendUserTurn 2 timeout")
     .expect("sendUserTurn 2 resp");
 
+    let mut env_message: Option<String> = None;
+    let second_cwd_str = second_cwd.to_string_lossy().into_owned();
+    for _ in 0..10 {
+        let notification = timeout(
+            DEFAULT_READ_TIMEOUT,
+            mcp.read_stream_until_notification_message("codex/event/user_message"),
+        )
+        .await
+        .expect("user_message timeout")
+        .expect("user_message notification");
+        let params = notification
+            .params
+            .clone()
+            .expect("user_message should include params");
+        let event: Event = serde_json::from_value(params).expect("deserialize user_message event");
+        if let EventMsg::UserMessage(user) = event.msg
+            && matches!(user.kind, Some(InputMessageKind::EnvironmentContext))
+            && user.message.contains(&second_cwd_str)
+        {
+            env_message = Some(user.message);
+            break;
+        }
+    }
+    let env_message = env_message.expect("expected environment context update");
+    assert!(
+        env_message.contains("<sandbox_mode>danger-full-access</sandbox_mode>"),
+        "env context should reflect new sandbox mode: {env_message}"
+    );
+    assert!(
+        env_message.contains("<network_access>enabled</network_access>"),
+        "env context should enable network access for danger-full-access policy: {env_message}"
+    );
+    assert!(
+        env_message.contains(&second_cwd_str),
+        "env context should include updated cwd: {env_message}"
+    );
+
     let exec_begin_notification = timeout(
         DEFAULT_READ_TIMEOUT,
         mcp.read_stream_until_notification_message("codex/event/exec_command_begin"),

codex-rs/app-server/tests/suite/mod.rs

@@ -7,8 +7,6 @@ mod fuzzy_file_search;
 mod interrupt;
 mod list_resume;
 mod login;
-mod model_list;
-mod rate_limits;
 mod send_message;
 mod set_default_model;
 mod user_agent;

codex-rs/app-server/tests/suite/model_list.rs

@@ -1,183 +0,0 @@
-use std::time::Duration;
-
-use anyhow::Result;
-use anyhow::anyhow;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::ListModelsResponse;
-use codex_app_server_protocol::Model;
-use codex_app_server_protocol::ReasoningEffortOption;
-use codex_app_server_protocol::RequestId;
-use codex_protocol::config_types::ReasoningEffort;
-use pretty_assertions::assert_eq;
-use tempfile::TempDir;
-use tokio::time::timeout;
-
-const DEFAULT_TIMEOUT: Duration = Duration::from_secs(10);
-const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(100),
-            cursor: None,
-        })
-        .await?;
-
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-
-    let ListModelsResponse { items, next_cursor } = to_response::<ListModelsResponse>(response)?;
-
-    let expected_models = vec![
-        Model {
-            id: "gpt-5-codex".to_string(),
-            model: "gpt-5-codex".to_string(),
-            display_name: "gpt-5-codex".to_string(),
-            description: "Optimized for coding tasks with many tools.".to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Fastest responses with limited reasoning".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Dynamically adjusts reasoning based on the task".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex or ambiguous problems"
-                        .to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: true,
-        },
-        Model {
-            id: "gpt-5".to_string(),
-            model: "gpt-5".to_string(),
-            display_name: "gpt-5".to_string(),
-            description: "Broad world knowledge with strong general reasoning.".to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Minimal,
-                    description: "Fastest responses with little reasoning".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Balances speed with some reasoning; useful for straightforward \
-                                   queries and short explanations"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Provides a solid balance of reasoning depth and latency for \
-                         general-purpose tasks"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex or ambiguous problems"
-                        .to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: false,
-        },
-    ];
-
-    assert_eq!(items, expected_models);
-    assert!(next_cursor.is_none());
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_pagination_works() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let first_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
-            cursor: None,
-        })
-        .await?;
-
-    let first_response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(first_request)),
-    )
-    .await??;
-
-    let ListModelsResponse {
-        items: first_items,
-        next_cursor: first_cursor,
-    } = to_response::<ListModelsResponse>(first_response)?;
-
-    assert_eq!(first_items.len(), 1);
-    assert_eq!(first_items[0].id, "gpt-5-codex");
-    let next_cursor = first_cursor.ok_or_else(|| anyhow!("cursor for second page"))?;
-
-    let second_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
-            cursor: Some(next_cursor.clone()),
-        })
-        .await?;
-
-    let second_response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(second_request)),
-    )
-    .await??;
-
-    let ListModelsResponse {
-        items: second_items,
-        next_cursor: second_cursor,
-    } = to_response::<ListModelsResponse>(second_response)?;
-
-    assert_eq!(second_items.len(), 1);
-    assert_eq!(second_items[0].id, "gpt-5");
-    assert!(second_cursor.is_none());
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_rejects_invalid_cursor() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: None,
-            cursor: Some("invalid".to_string()),
-        })
-        .await?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(error.error.message, "invalid cursor: invalid");
-    Ok(())
-}

codex-rs/app-server/tests/suite/rate_limits.rs

@@ -1,215 +0,0 @@
-use anyhow::Context;
-use anyhow::Result;
-use app_test_support::ChatGptAuthFixture;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use app_test_support::write_chatgpt_auth;
-use codex_app_server_protocol::GetAccountRateLimitsResponse;
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::LoginApiKeyParams;
-use codex_app_server_protocol::RequestId;
-use codex_protocol::protocol::RateLimitSnapshot;
-use codex_protocol::protocol::RateLimitWindow;
-use pretty_assertions::assert_eq;
-use serde_json::json;
-use std::path::Path;
-use tempfile::TempDir;
-use tokio::time::timeout;
-use wiremock::Mock;
-use wiremock::MockServer;
-use wiremock::ResponseTemplate;
-use wiremock::matchers::header;
-use wiremock::matchers::method;
-use wiremock::matchers::path;
-
-const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
-const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_requires_auth() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-
-    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read error")?;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(
-        error.error.message,
-        "codex account authentication required to read rate limits"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_requires_chatgpt_auth() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-
-    let mut mcp = McpProcess::new(codex_home.path())
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    login_with_api_key(&mut mcp, "sk-test-key").await?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read error")?;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(
-        error.error.message,
-        "chatgpt authentication required to read rate limits"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-    write_chatgpt_auth(
-        codex_home.path(),
-        ChatGptAuthFixture::new("chatgpt-token")
-            .account_id("account-123")
-            .plan_type("pro"),
-    )
-    .context("write chatgpt auth")?;
-
-    let server = MockServer::start().await;
-    let server_url = server.uri();
-    write_chatgpt_base_url(codex_home.path(), &server_url).context("write chatgpt base url")?;
-
-    let primary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T00:02:00Z")
-        .expect("parse primary reset timestamp")
-        .timestamp();
-    let secondary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T01:00:00Z")
-        .expect("parse secondary reset timestamp")
-        .timestamp();
-    let response_body = json!({
-        "plan_type": "pro",
-        "rate_limit": {
-            "allowed": true,
-            "limit_reached": false,
-            "primary_window": {
-                "used_percent": 42,
-                "limit_window_seconds": 3600,
-                "reset_after_seconds": 120,
-                "reset_at": primary_reset_timestamp,
-            },
-            "secondary_window": {
-                "used_percent": 5,
-                "limit_window_seconds": 86400,
-                "reset_after_seconds": 43200,
-                "reset_at": secondary_reset_timestamp,
-            }
-        }
-    });
-
-    Mock::given(method("GET"))
-        .and(path("/api/codex/usage"))
-        .and(header("authorization", "Bearer chatgpt-token"))
-        .and(header("chatgpt-account-id", "account-123"))
-        .respond_with(ResponseTemplate::new(200).set_body_json(response_body))
-        .mount(&server)
-        .await;
-
-    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read response")?;
-
-    let received: GetAccountRateLimitsResponse =
-        to_response(response).context("deserialize rate limit response")?;
-
-    let expected = GetAccountRateLimitsResponse {
-        rate_limits: RateLimitSnapshot {
-            primary: Some(RateLimitWindow {
-                used_percent: 42.0,
-                window_minutes: Some(60),
-                resets_at: Some(primary_reset_timestamp),
-            }),
-            secondary: Some(RateLimitWindow {
-                used_percent: 5.0,
-                window_minutes: Some(1440),
-                resets_at: Some(secondary_reset_timestamp),
-            }),
-        },
-    };
-    assert_eq!(received, expected);
-
-    Ok(())
-}
-
-async fn login_with_api_key(mcp: &mut McpProcess, api_key: &str) -> Result<()> {
-    let request_id = mcp
-        .send_login_api_key_request(LoginApiKeyParams {
-            api_key: api_key.to_string(),
-        })
-        .await
-        .context("send loginApiKey")?;
-
-    timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("loginApiKey timeout")?
-    .context("loginApiKey response")?;
-
-    Ok(())
-}
-
-fn write_chatgpt_base_url(codex_home: &Path, base_url: &str) -> std::io::Result<()> {
-    let config_toml = codex_home.join("config.toml");
-    std::fs::write(config_toml, format!("chatgpt_base_url = \"{base_url}\"\n"))
-}

codex-rs/app-server/tests/suite/user_info.rs

@@ -1,13 +1,20 @@
 use std::time::Duration;
 
-use app_test_support::ChatGptAuthFixture;
+use anyhow::Context;
 use app_test_support::McpProcess;
 use app_test_support::to_response;
-use app_test_support::write_chatgpt_auth;
+use base64::Engine;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::UserInfoResponse;
+use codex_core::auth::AuthDotJson;
+use codex_core::auth::get_auth_file;
+use codex_core::auth::write_auth_json;
+use codex_core::token_data::IdTokenInfo;
+use codex_core::token_data::TokenData;
 use pretty_assertions::assert_eq;
+use serde_json::json;
 use tempfile::TempDir;
 use tokio::time::timeout;
 
@@ -17,13 +24,22 @@ const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(10);
 async fn user_info_returns_email_from_auth_json() {
     let codex_home = TempDir::new().expect("create tempdir");
 
-    write_chatgpt_auth(
-        codex_home.path(),
-        ChatGptAuthFixture::new("access")
-            .refresh_token("refresh")
-            .email("user@example.com"),
-    )
-    .expect("write chatgpt auth");
+    let auth_path = get_auth_file(codex_home.path());
+    let mut id_token = IdTokenInfo::default();
+    id_token.email = Some("user@example.com".to_string());
+    id_token.raw_jwt = encode_id_token_with_email("user@example.com").expect("encode id token");
+
+    let auth = AuthDotJson {
+        openai_api_key: None,
+        tokens: Some(TokenData {
+            id_token,
+            access_token: "access".to_string(),
+            refresh_token: "refresh".to_string(),
+            account_id: None,
+        }),
+        last_refresh: None,
+    };
+    write_auth_json(&auth_path, &auth).expect("write auth.json");
 
     let mut mcp = McpProcess::new(codex_home.path())
         .await
@@ -49,3 +65,14 @@ async fn user_info_returns_email_from_auth_json() {
 
     assert_eq!(received, expected);
 }
+
+fn encode_id_token_with_email(email: &str) -> anyhow::Result<String> {
+    let header_b64 = URL_SAFE_NO_PAD.encode(
+        serde_json::to_vec(&json!({ "alg": "none", "typ": "JWT" }))
+            .context("serialize jwt header")?,
+    );
+    let payload =
+        serde_json::to_vec(&json!({ "email": email })).context("serialize jwt payload")?;
+    let payload_b64 = URL_SAFE_NO_PAD.encode(payload);
+    Ok(format!("{header_b64}.{payload_b64}.signature"))
+}

codex-rs/apply-patch/tests/suite/mod.rs

@@ -1,3 +1 @@
 mod cli;
-#[cfg(not(target_os = "windows"))]
-mod tool;

codex-rs/apply-patch/tests/suite/tool.rs

@@ -1,257 +0,0 @@
-use assert_cmd::Command;
-use pretty_assertions::assert_eq;
-use std::fs;
-use std::path::Path;
-use tempfile::tempdir;
-
-fn run_apply_patch_in_dir(dir: &Path, patch: &str) -> anyhow::Result<assert_cmd::assert::Assert> {
-    let mut cmd = Command::cargo_bin("apply_patch")?;
-    cmd.current_dir(dir);
-    Ok(cmd.arg(patch).assert())
-}
-
-fn apply_patch_command(dir: &Path) -> anyhow::Result<Command> {
-    let mut cmd = Command::cargo_bin("apply_patch")?;
-    cmd.current_dir(dir);
-    Ok(cmd)
-}
-
-#[test]
-fn test_apply_patch_cli_applies_multiple_operations() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let modify_path = tmp.path().join("modify.txt");
-    let delete_path = tmp.path().join("delete.txt");
-
-    fs::write(&modify_path, "line1\nline2\n")?;
-    fs::write(&delete_path, "obsolete\n")?;
-
-    let patch = "*** Begin Patch\n*** Add File: nested/new.txt\n+created\n*** Delete File: delete.txt\n*** Update File: modify.txt\n@@\n-line2\n+changed\n*** End Patch";
-
-    run_apply_patch_in_dir(tmp.path(), patch)?.success().stdout(
-        "Success. Updated the following files:\nA nested/new.txt\nM modify.txt\nD delete.txt\n",
-    );
-
-    assert_eq!(
-        fs::read_to_string(tmp.path().join("nested/new.txt"))?,
-        "created\n"
-    );
-    assert_eq!(fs::read_to_string(&modify_path)?, "line1\nchanged\n");
-    assert!(!delete_path.exists());
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_applies_multiple_chunks() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let target_path = tmp.path().join("multi.txt");
-    fs::write(&target_path, "line1\nline2\nline3\nline4\n")?;
-
-    let patch = "*** Begin Patch\n*** Update File: multi.txt\n@@\n-line2\n+changed2\n@@\n-line4\n+changed4\n*** End Patch";
-
-    run_apply_patch_in_dir(tmp.path(), patch)?
-        .success()
-        .stdout("Success. Updated the following files:\nM multi.txt\n");
-
-    assert_eq!(
-        fs::read_to_string(&target_path)?,
-        "line1\nchanged2\nline3\nchanged4\n"
-    );
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_moves_file_to_new_directory() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let original_path = tmp.path().join("old/name.txt");
-    let new_path = tmp.path().join("renamed/dir/name.txt");
-    fs::create_dir_all(original_path.parent().expect("parent should exist"))?;
-    fs::write(&original_path, "old content\n")?;
-
-    let patch = "*** Begin Patch\n*** Update File: old/name.txt\n*** Move to: renamed/dir/name.txt\n@@\n-old content\n+new content\n*** End Patch";
-
-    run_apply_patch_in_dir(tmp.path(), patch)?
-        .success()
-        .stdout("Success. Updated the following files:\nM renamed/dir/name.txt\n");
-
-    assert!(!original_path.exists());
-    assert_eq!(fs::read_to_string(&new_path)?, "new content\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_empty_patch() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("No files were modified.\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_reports_missing_context() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let target_path = tmp.path().join("modify.txt");
-    fs::write(&target_path, "line1\nline2\n")?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Update File: modify.txt\n@@\n-missing\n+changed\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Failed to find expected lines in modify.txt:\nmissing\n");
-    assert_eq!(fs::read_to_string(&target_path)?, "line1\nline2\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_missing_file_delete() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Delete File: missing.txt\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Failed to delete file missing.txt\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_empty_update_hunk() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Update File: foo.txt\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Invalid patch hunk on line 2: Update file hunk for path 'foo.txt' is empty\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_requires_existing_file_for_update() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Update File: missing.txt\n@@\n-old\n+new\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr(
-            "Failed to read file to update missing.txt: No such file or directory (os error 2)\n",
-        );
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_move_overwrites_existing_destination() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let original_path = tmp.path().join("old/name.txt");
-    let destination = tmp.path().join("renamed/dir/name.txt");
-    fs::create_dir_all(original_path.parent().expect("parent should exist"))?;
-    fs::create_dir_all(destination.parent().expect("parent should exist"))?;
-    fs::write(&original_path, "from\n")?;
-    fs::write(&destination, "existing\n")?;
-
-    run_apply_patch_in_dir(
-        tmp.path(),
-        "*** Begin Patch\n*** Update File: old/name.txt\n*** Move to: renamed/dir/name.txt\n@@\n-from\n+new\n*** End Patch",
-    )?
-    .success()
-    .stdout("Success. Updated the following files:\nM renamed/dir/name.txt\n");
-
-    assert!(!original_path.exists());
-    assert_eq!(fs::read_to_string(&destination)?, "new\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_add_overwrites_existing_file() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let path = tmp.path().join("duplicate.txt");
-    fs::write(&path, "old content\n")?;
-
-    run_apply_patch_in_dir(
-        tmp.path(),
-        "*** Begin Patch\n*** Add File: duplicate.txt\n+new content\n*** End Patch",
-    )?
-    .success()
-    .stdout("Success. Updated the following files:\nA duplicate.txt\n");
-
-    assert_eq!(fs::read_to_string(&path)?, "new content\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_delete_directory_fails() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    fs::create_dir(tmp.path().join("dir"))?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Delete File: dir\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Failed to delete file dir\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_invalid_hunk_header() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Frobnicate File: foo\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Invalid patch hunk on line 2: '*** Frobnicate File: foo' is not a valid hunk header. Valid hunk headers: '*** Add File: {path}', '*** Delete File: {path}', '*** Update File: {path}'\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_updates_file_appends_trailing_newline() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let target_path = tmp.path().join("no_newline.txt");
-    fs::write(&target_path, "no newline at end")?;
-
-    run_apply_patch_in_dir(
-        tmp.path(),
-        "*** Begin Patch\n*** Update File: no_newline.txt\n@@\n-no newline at end\n+first line\n+second line\n*** End Patch",
-    )?
-    .success()
-    .stdout("Success. Updated the following files:\nM no_newline.txt\n");
-
-    let contents = fs::read_to_string(&target_path)?;
-    assert!(contents.ends_with('\n'));
-    assert_eq!(contents, "first line\nsecond line\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_failure_after_partial_success_leaves_changes() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let new_file = tmp.path().join("created.txt");
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Add File: created.txt\n+hello\n*** Update File: missing.txt\n@@\n-old\n+new\n*** End Patch")
-        .assert()
-        .failure()
-        .stdout("")
-        .stderr("Failed to read file to update missing.txt: No such file or directory (os error 2)\n");
-
-    assert_eq!(fs::read_to_string(&new_file)?, "hello\n");
-
-    Ok(())
-}

codex-rs/backend-client/Cargo.toml

@@ -13,8 +13,6 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 codex-backend-openapi-models = { path = "../codex-backend-openapi-models" }
-codex-protocol = { workspace = true }
-codex-core = { workspace = true }
 
 [dev-dependencies]
 pretty_assertions = "1"

codex-rs/backend-client/src/client.rs

@@ -1,13 +1,7 @@
 use crate::types::CodeTaskDetailsResponse;
 use crate::types::PaginatedListTaskListItem;
-use crate::types::RateLimitStatusPayload;
-use crate::types::RateLimitWindowSnapshot;
 use crate::types::TurnAttemptsSiblingTurnsResponse;
 use anyhow::Result;
-use codex_core::auth::CodexAuth;
-use codex_core::default_client::get_codex_user_agent;
-use codex_protocol::protocol::RateLimitSnapshot;
-use codex_protocol::protocol::RateLimitWindow;
 use reqwest::header::AUTHORIZATION;
 use reqwest::header::CONTENT_TYPE;
 use reqwest::header::HeaderMap;
@@ -70,17 +64,6 @@ impl Client {
         })
     }
 
-    pub async fn from_auth(base_url: impl Into<String>, auth: &CodexAuth) -> Result<Self> {
-        let token = auth.get_token().await.map_err(anyhow::Error::from)?;
-        let mut client = Self::new(base_url)?
-            .with_user_agent(get_codex_user_agent())
-            .with_bearer_token(token);
-        if let Some(account_id) = auth.get_account_id() {
-            client = client.with_chatgpt_account_id(account_id);
-        }
-        Ok(client)
-    }
-
     pub fn with_bearer_token(mut self, token: impl Into<String>) -> Self {
         self.bearer_token = Some(token.into());
         self
@@ -155,17 +138,6 @@ impl Client {
         }
     }
 
-    pub async fn get_rate_limits(&self) -> Result<RateLimitSnapshot> {
-        let url = match self.path_style {
-            PathStyle::CodexApi => format!("{}/api/codex/usage", self.base_url),
-            PathStyle::ChatGptApi => format!("{}/wham/usage", self.base_url),
-        };
-        let req = self.http.get(&url).headers(self.headers());
-        let (body, ct) = self.exec_request(req, "GET", &url).await?;
-        let payload: RateLimitStatusPayload = self.decode_json(&url, &ct, &body)?;
-        Ok(Self::rate_limit_snapshot_from_payload(payload))
-    }
-
     pub async fn list_tasks(
         &self,
         limit: Option<i32>,
@@ -269,49 +241,4 @@ impl Client {
             Err(e) => anyhow::bail!("Decode error for {url}: {e}; content-type={ct}; body={body}"),
         }
     }
-
-    // rate limit helpers
-    fn rate_limit_snapshot_from_payload(payload: RateLimitStatusPayload) -> RateLimitSnapshot {
-        let Some(details) = payload
-            .rate_limit
-            .and_then(|inner| inner.map(|boxed| *boxed))
-        else {
-            return RateLimitSnapshot {
-                primary: None,
-                secondary: None,
-            };
-        };
-
-        RateLimitSnapshot {
-            primary: Self::map_rate_limit_window(details.primary_window),
-            secondary: Self::map_rate_limit_window(details.secondary_window),
-        }
-    }
-
-    fn map_rate_limit_window(
-        window: Option<Option<Box<RateLimitWindowSnapshot>>>,
-    ) -> Option<RateLimitWindow> {
-        let snapshot = match window {
-            Some(Some(snapshot)) => *snapshot,
-            _ => return None,
-        };
-
-        let used_percent = f64::from(snapshot.used_percent);
-        let window_minutes = Self::window_minutes_from_seconds(snapshot.limit_window_seconds);
-        let resets_at = Some(i64::from(snapshot.reset_at));
-        Some(RateLimitWindow {
-            used_percent,
-            window_minutes,
-            resets_at,
-        })
-    }
-
-    fn window_minutes_from_seconds(seconds: i32) -> Option<i64> {
-        if seconds <= 0 {
-            return None;
-        }
-
-        let seconds_i64 = i64::from(seconds);
-        Some((seconds_i64 + 59) / 60)
-    }
 }

codex-rs/backend-client/src/types.rs

@@ -1,8 +1,4 @@
 pub use codex_backend_openapi_models::models::PaginatedListTaskListItem;
-pub use codex_backend_openapi_models::models::PlanType;
-pub use codex_backend_openapi_models::models::RateLimitStatusDetails;
-pub use codex_backend_openapi_models::models::RateLimitStatusPayload;
-pub use codex_backend_openapi_models::models::RateLimitWindowSnapshot;
 pub use codex_backend_openapi_models::models::TaskListItem;
 
 use serde::Deserialize;

codex-rs/cli/src/main.rs

@@ -19,7 +19,7 @@ use codex_exec::Cli as ExecCli;
 use codex_responses_api_proxy::Args as ResponsesApiProxyArgs;
 use codex_tui::AppExitInfo;
 use codex_tui::Cli as TuiCli;
-use codex_tui::updates::UpdateAction;
+use codex_tui::UpdateAction;
 use owo_colors::OwoColorize;
 use std::path::PathBuf;
 use supports_color::Stream;

codex-rs/cli/src/mcp_cmd.rs

@@ -150,10 +150,6 @@ pub struct RemoveArgs {
 pub struct LoginArgs {
     /// Name of the MCP server to authenticate with oauth.
     pub name: String,
-
-    /// Comma-separated list of OAuth scopes to request.
-    #[arg(long, value_delimiter = ',', value_name = "SCOPE,SCOPE")]
-    pub scopes: Vec<String>,
 }
 
 #[derive(Debug, clap::Parser)]
@@ -257,8 +253,6 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
         enabled: true,
         startup_timeout_sec: None,
         tool_timeout_sec: None,
-        enabled_tools: None,
-        disabled_tools: None,
     };
 
     servers.insert(name.clone(), new_entry);
@@ -283,7 +277,6 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
             config.mcp_oauth_credentials_store_mode,
             http_headers.clone(),
             env_http_headers.clone(),
-            &Vec::new(),
         )
         .await?;
         println!("Successfully logged in.");
@@ -332,7 +325,7 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
         );
     }
 
-    let LoginArgs { name, scopes } = login_args;
+    let LoginArgs { name } = login_args;
 
     let Some(server) = config.mcp_servers.get(&name) else {
         bail!("No MCP server named '{name}' found.");
@@ -354,7 +347,6 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
         config.mcp_oauth_credentials_store_mode,
         http_headers,
         env_http_headers,
-        &scopes,
     )
     .await?;
     println!("Successfully logged in to MCP server '{name}'.");
@@ -408,7 +400,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
             .map(|(name, cfg)| {
                 let auth_status = auth_statuses
                     .get(name.as_str())
-                    .map(|entry| entry.auth_status)
+                    .copied()
                     .unwrap_or(McpAuthStatus::Unsupported);
                 let transport = match &cfg.transport {
                     McpServerTransportConfig::Stdio {
@@ -495,7 +487,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
                 };
                 let auth_status = auth_statuses
                     .get(name.as_str())
-                    .map(|entry| entry.auth_status)
+                    .copied()
                     .unwrap_or(McpAuthStatus::Unsupported)
                     .to_string();
                 stdio_rows.push([
@@ -520,7 +512,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
                 };
                 let auth_status = auth_statuses
                     .get(name.as_str())
-                    .map(|entry| entry.auth_status)
+                    .copied()
                     .unwrap_or(McpAuthStatus::Unsupported)
                     .to_string();
                 http_rows.push([
@@ -684,8 +676,6 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
             "name": get_args.name,
             "enabled": server.enabled,
             "transport": transport,
-            "enabled_tools": server.enabled_tools.clone(),
-            "disabled_tools": server.disabled_tools.clone(),
             "startup_timeout_sec": server
                 .startup_timeout_sec
                 .map(|timeout| timeout.as_secs_f64()),
@@ -697,28 +687,8 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
         return Ok(());
     }
 
-    if !server.enabled {
-        println!("{} (disabled)", get_args.name);
-        return Ok(());
-    }
-
     println!("{}", get_args.name);
     println!("  enabled: {}", server.enabled);
-    let format_tool_list = |tools: &Option<Vec<String>>| -> String {
-        match tools {
-            Some(list) if list.is_empty() => "[]".to_string(),
-            Some(list) => list.join(", "),
-            None => "-".to_string(),
-        }
-    };
-    if server.enabled_tools.is_some() {
-        let enabled_tools_display = format_tool_list(&server.enabled_tools);
-        println!("  enabled_tools: {enabled_tools_display}");
-    }
-    if server.disabled_tools.is_some() {
-        let disabled_tools_display = format_tool_list(&server.disabled_tools);
-        println!("  disabled_tools: {disabled_tools_display}");
-    }
     match &server.transport {
         McpServerTransportConfig::Stdio {
             command,

codex-rs/cli/tests/mcp_list.rs

@@ -134,28 +134,3 @@ async fn list_and_get_render_expected_output() -> Result<()> {
 
     Ok(())
 }
-
-#[tokio::test]
-async fn get_disabled_server_shows_single_line() -> Result<()> {
-    let codex_home = TempDir::new()?;
-
-    let mut add = codex_command(codex_home.path())?;
-    add.args(["mcp", "add", "docs", "--", "docs-server"])
-        .assert()
-        .success();
-
-    let mut servers = load_global_mcp_servers(codex_home.path()).await?;
-    let docs = servers
-        .get_mut("docs")
-        .expect("docs server should exist after add");
-    docs.enabled = false;
-    write_global_mcp_servers(codex_home.path(), &servers)?;
-
-    let mut get_cmd = codex_command(codex_home.path())?;
-    let get_output = get_cmd.args(["mcp", "get", "docs"]).output()?;
-    assert!(get_output.status.success());
-    let stdout = String::from_utf8(get_output.stdout)?;
-    assert_eq!(stdout.trim_end(), "docs (disabled)");
-
-    Ok(())
-}

codex-rs/codex-backend-openapi-models/Cargo.toml

@@ -15,4 +15,3 @@ path = "src/lib.rs"
 [dependencies]
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-serde_with = "3"

codex-rs/codex-backend-openapi-models/src/models/mod.rs

@@ -3,7 +3,6 @@
 // Currently export only the types referenced by the workspace
 // The process for this will change
 
-// Cloud Tasks
 pub mod code_task_details_response;
 pub use self::code_task_details_response::CodeTaskDetailsResponse;
 
@@ -21,14 +20,3 @@ pub use self::task_list_item::TaskListItem;
 
 pub mod paginated_list_task_list_item_;
 pub use self::paginated_list_task_list_item_::PaginatedListTaskListItem;
-
-// Rate Limits
-pub mod rate_limit_status_payload;
-pub use self::rate_limit_status_payload::PlanType;
-pub use self::rate_limit_status_payload::RateLimitStatusPayload;
-
-pub mod rate_limit_status_details;
-pub use self::rate_limit_status_details::RateLimitStatusDetails;
-
-pub mod rate_limit_window_snapshot;
-pub use self::rate_limit_window_snapshot::RateLimitWindowSnapshot;

codex-rs/codex-backend-openapi-models/src/models/rate_limit_status_details.rs

@@ -1,46 +0,0 @@
-/*
- * codex-backend
- *
- * codex-backend
- *
- * The version of the OpenAPI document: 0.0.1
- *
- * Generated by: https://openapi-generator.tech
- */
-
-use crate::models;
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
-pub struct RateLimitStatusDetails {
-    #[serde(rename = "allowed")]
-    pub allowed: bool,
-    #[serde(rename = "limit_reached")]
-    pub limit_reached: bool,
-    #[serde(
-        rename = "primary_window",
-        default,
-        with = "::serde_with::rust::double_option",
-        skip_serializing_if = "Option::is_none"
-    )]
-    pub primary_window: Option<Option<Box<models::RateLimitWindowSnapshot>>>,
-    #[serde(
-        rename = "secondary_window",
-        default,
-        with = "::serde_with::rust::double_option",
-        skip_serializing_if = "Option::is_none"
-    )]
-    pub secondary_window: Option<Option<Box<models::RateLimitWindowSnapshot>>>,
-}
-
-impl RateLimitStatusDetails {
-    pub fn new(allowed: bool, limit_reached: bool) -> RateLimitStatusDetails {
-        RateLimitStatusDetails {
-            allowed,
-            limit_reached,
-            primary_window: None,
-            secondary_window: None,
-        }
-    }
-}

codex-rs/codex-backend-openapi-models/src/models/rate_limit_status_payload.rs

@@ -1,65 +0,0 @@
-/*
- * codex-backend
- *
- * codex-backend
- *
- * The version of the OpenAPI document: 0.0.1
- *
- * Generated by: https://openapi-generator.tech
- */
-
-use crate::models;
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
-pub struct RateLimitStatusPayload {
-    #[serde(rename = "plan_type")]
-    pub plan_type: PlanType,
-    #[serde(
-        rename = "rate_limit",
-        default,
-        with = "::serde_with::rust::double_option",
-        skip_serializing_if = "Option::is_none"
-    )]
-    pub rate_limit: Option<Option<Box<models::RateLimitStatusDetails>>>,
-}
-
-impl RateLimitStatusPayload {
-    pub fn new(plan_type: PlanType) -> RateLimitStatusPayload {
-        RateLimitStatusPayload {
-            plan_type,
-            rate_limit: None,
-        }
-    }
-}
-
-#[derive(Clone, Copy, Debug, Eq, PartialEq, Ord, PartialOrd, Hash, Serialize, Deserialize)]
-pub enum PlanType {
-    #[serde(rename = "free")]
-    Free,
-    #[serde(rename = "go")]
-    Go,
-    #[serde(rename = "plus")]
-    Plus,
-    #[serde(rename = "pro")]
-    Pro,
-    #[serde(rename = "team")]
-    Team,
-    #[serde(rename = "business")]
-    Business,
-    #[serde(rename = "education")]
-    Education,
-    #[serde(rename = "quorum")]
-    Quorum,
-    #[serde(rename = "enterprise")]
-    Enterprise,
-    #[serde(rename = "edu")]
-    Edu,
-}
-
-impl Default for PlanType {
-    fn default() -> PlanType {
-        Self::Free
-    }
-}

codex-rs/codex-backend-openapi-models/src/models/rate_limit_window_snapshot.rs

@@ -1,40 +0,0 @@
-/*
- * codex-backend
- *
- * codex-backend
- *
- * The version of the OpenAPI document: 0.0.1
- *
- * Generated by: https://openapi-generator.tech
- */
-
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
-pub struct RateLimitWindowSnapshot {
-    #[serde(rename = "used_percent")]
-    pub used_percent: i32,
-    #[serde(rename = "limit_window_seconds")]
-    pub limit_window_seconds: i32,
-    #[serde(rename = "reset_after_seconds")]
-    pub reset_after_seconds: i32,
-    #[serde(rename = "reset_at")]
-    pub reset_at: i32,
-}
-
-impl RateLimitWindowSnapshot {
-    pub fn new(
-        used_percent: i32,
-        limit_window_seconds: i32,
-        reset_after_seconds: i32,
-        reset_at: i32,
-    ) -> RateLimitWindowSnapshot {
-        RateLimitWindowSnapshot {
-            used_percent,
-            limit_window_seconds,
-            reset_after_seconds,
-            reset_at,
-        }
-    }
-}

codex-rs/common/src/model_presets.rs

@@ -1,96 +1,73 @@
 use codex_app_server_protocol::AuthMode;
 use codex_core::protocol_config_types::ReasoningEffort;
 
-/// A reasoning effort option that can be surfaced for a model.
-#[derive(Debug, Clone, Copy)]
-pub struct ReasoningEffortPreset {
-    /// Effort level that the model supports.
-    pub effort: ReasoningEffort,
-    /// Short human description shown next to the effort in UIs.
-    pub description: &'static str,
-}
-
-/// Metadata describing a Codex-supported model.
+/// A simple preset pairing a model slug with a reasoning effort.
 #[derive(Debug, Clone, Copy)]
 pub struct ModelPreset {
     /// Stable identifier for the preset.
     pub id: &'static str,
+    /// Display label shown in UIs.
+    pub label: &'static str,
+    /// Short human description shown next to the label in UIs.
+    pub description: &'static str,
     /// Model slug (e.g., "gpt-5").
     pub model: &'static str,
-    /// Display name shown in UIs.
-    pub display_name: &'static str,
-    /// Short human description shown in UIs.
-    pub description: &'static str,
-    /// Reasoning effort applied when none is explicitly chosen.
-    pub default_reasoning_effort: ReasoningEffort,
-    /// Supported reasoning effort options.
-    pub supported_reasoning_efforts: &'static [ReasoningEffortPreset],
-    /// Whether this is the default model for new users.
-    pub is_default: bool,
+    /// Reasoning effort to apply for this preset.
+    pub effort: Option<ReasoningEffort>,
 }
 
 const PRESETS: &[ModelPreset] = &[
     ModelPreset {
-        id: "gpt-5-codex",
+        id: "gpt-5-codex-low",
+        label: "gpt-5-codex low",
+        description: "Fastest responses with limited reasoning",
         model: "gpt-5-codex",
-        display_name: "gpt-5-codex",
-        description: "Optimized for coding tasks with many tools.",
-        default_reasoning_effort: ReasoningEffort::Medium,
-        supported_reasoning_efforts: &[
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Low,
-                description: "Fastest responses with limited reasoning",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Medium,
-                description: "Dynamically adjusts reasoning based on the task",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::High,
-                description: "Maximizes reasoning depth for complex or ambiguous problems",
-            },
-        ],
-        is_default: true,
+        effort: Some(ReasoningEffort::Low),
     },
     ModelPreset {
-        id: "gpt-5",
+        id: "gpt-5-codex-medium",
+        label: "gpt-5-codex medium",
+        description: "Dynamically adjusts reasoning based on the task",
+        model: "gpt-5-codex",
+        effort: Some(ReasoningEffort::Medium),
+    },
+    ModelPreset {
+        id: "gpt-5-codex-high",
+        label: "gpt-5-codex high",
+        description: "Maximizes reasoning depth for complex or ambiguous problems",
+        model: "gpt-5-codex",
+        effort: Some(ReasoningEffort::High),
+    },
+    ModelPreset {
+        id: "gpt-5-minimal",
+        label: "gpt-5 minimal",
+        description: "Fastest responses with little reasoning",
         model: "gpt-5",
-        display_name: "gpt-5",
-        description: "Broad world knowledge with strong general reasoning.",
-        default_reasoning_effort: ReasoningEffort::Medium,
-        supported_reasoning_efforts: &[
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Minimal,
-                description: "Fastest responses with little reasoning",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Low,
-                description: "Balances speed with some reasoning; useful for straightforward queries and short explanations",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Medium,
-                description: "Provides a solid balance of reasoning depth and latency for general-purpose tasks",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::High,
-                description: "Maximizes reasoning depth for complex or ambiguous problems",
-            },
-        ],
-        is_default: false,
+        effort: Some(ReasoningEffort::Minimal),
+    },
+    ModelPreset {
+        id: "gpt-5-low",
+        label: "gpt-5 low",
+        description: "Balances speed with some reasoning; useful for straightforward queries and short explanations",
+        model: "gpt-5",
+        effort: Some(ReasoningEffort::Low),
+    },
+    ModelPreset {
+        id: "gpt-5-medium",
+        label: "gpt-5 medium",
+        description: "Provides a solid balance of reasoning depth and latency for general-purpose tasks",
+        model: "gpt-5",
+        effort: Some(ReasoningEffort::Medium),
+    },
+    ModelPreset {
+        id: "gpt-5-high",
+        label: "gpt-5 high",
+        description: "Maximizes reasoning depth for complex or ambiguous problems",
+        model: "gpt-5",
+        effort: Some(ReasoningEffort::High),
     },
 ];
 
 pub fn builtin_model_presets(_auth_mode: Option<AuthMode>) -> Vec<ModelPreset> {
     PRESETS.to_vec()
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn only_one_default_model_is_configured() {
-        let default_models = PRESETS.iter().filter(|preset| preset.is_default).count();
-        assert!(default_models == 1);
-    }
-}

codex-rs/core/Cargo.toml

@@ -22,19 +22,18 @@ chrono = { workspace = true, features = ["serde"] }
 codex-app-server-protocol = { workspace = true }
 codex-apply-patch = { workspace = true }
 codex-file-search = { workspace = true }
+codex-mcp-client = { workspace = true }
 codex-otel = { workspace = true, features = ["otel"] }
 codex-protocol = { workspace = true }
 codex-rmcp-client = { workspace = true }
 codex-async-utils = { workspace = true }
 codex-utils-string = { workspace = true }
 codex-utils-pty = { workspace = true }
-codex-utils-tokenizer = { workspace = true }
 dirs = { workspace = true }
 dunce = { workspace = true }
 env-flags = { workspace = true }
 eventsource-stream = { workspace = true }
 futures = { workspace = true }
-http = { workspace = true }
 indexmap = { workspace = true }
 libc = { workspace = true }
 mcp-types = { workspace = true }

codex-rs/core/src/apply_patch.rs

@@ -36,6 +36,7 @@ pub(crate) struct ApplyPatchExec {
 pub(crate) async fn apply_patch(
     sess: &Session,
     turn_context: &TurnContext,
+    sub_id: &str,
     call_id: &str,
     action: ApplyPatchAction,
 ) -> InternalApplyPatchInvocation {
@@ -61,7 +62,7 @@ pub(crate) async fn apply_patch(
             // that similar patches can be auto-approved in the future during
             // this session.
             let rx_approve = sess
-                .request_patch_approval(turn_context, call_id.to_owned(), &action, None, None)
+                .request_patch_approval(sub_id.to_owned(), call_id.to_owned(), &action, None, None)
                 .await;
             match rx_approve.await.unwrap_or_default() {
                 ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {

codex-rs/core/src/auth.rs

@@ -21,7 +21,6 @@ use codex_app_server_protocol::AuthMode;
 use codex_protocol::config_types::ForcedLoginMethod;
 
 use crate::config::Config;
-use crate::default_client::CodexHttpClient;
 use crate::token_data::PlanType;
 use crate::token_data::TokenData;
 use crate::token_data::parse_id_token;
@@ -33,7 +32,7 @@ pub struct CodexAuth {
     pub(crate) api_key: Option<String>,
     pub(crate) auth_dot_json: Arc<Mutex<Option<AuthDotJson>>>,
     pub(crate) auth_file: PathBuf,
-    pub(crate) client: CodexHttpClient,
+    pub(crate) client: reqwest::Client,
 }
 
 impl PartialEq for CodexAuth {
@@ -44,8 +43,6 @@ impl PartialEq for CodexAuth {
 
 impl CodexAuth {
     pub async fn refresh_token(&self) -> Result<String, std::io::Error> {
-        tracing::info!("Refreshing token");
-
         let token_data = self
             .get_current_token_data()
             .ok_or(std::io::Error::other("Token data is not available."))?;
@@ -183,7 +180,7 @@ impl CodexAuth {
         }
     }
 
-    fn from_api_key_with_client(api_key: &str, client: CodexHttpClient) -> Self {
+    fn from_api_key_with_client(api_key: &str, client: reqwest::Client) -> Self {
         Self {
             api_key: Some(api_key.to_owned()),
             mode: AuthMode::ApiKey,
@@ -403,7 +400,7 @@ async fn update_tokens(
 
 async fn try_refresh_token(
     refresh_token: String,
-    client: &CodexHttpClient,
+    client: &reqwest::Client,
 ) -> std::io::Result<RefreshResponse> {
     let refresh_request = RefreshRequest {
         client_id: CLIENT_ID,
@@ -545,7 +542,6 @@ mod tests {
     }
 
     #[tokio::test]
-    #[serial(codex_api_key)]
     async fn pro_account_with_no_api_key_uses_chatgpt_auth() {
         let codex_home = tempdir().unwrap();
         let fake_jwt = write_auth_file(
@@ -595,7 +591,6 @@ mod tests {
     }
 
     #[tokio::test]
-    #[serial(codex_api_key)]
     async fn loads_api_key_from_auth_json() {
         let dir = tempdir().unwrap();
         let auth_file = dir.path().join("auth.json");
@@ -747,7 +742,6 @@ mod tests {
     }
 
     #[tokio::test]
-    #[serial(codex_api_key)]
     async fn enforce_login_restrictions_logs_out_for_workspace_mismatch() {
         let codex_home = tempdir().unwrap();
         let _jwt = write_auth_file(
@@ -773,7 +767,6 @@ mod tests {
     }
 
     #[tokio::test]
-    #[serial(codex_api_key)]
     async fn enforce_login_restrictions_allows_matching_workspace() {
         let codex_home = tempdir().unwrap();
         let _jwt = write_auth_file(
@@ -919,10 +912,7 @@ impl AuthManager {
                 self.reload();
                 Ok(Some(token))
             }
-            Err(e) => {
-                tracing::error!("Failed to refresh token: {}", e);
-                Err(e)
-            }
+            Err(e) => Err(e),
         }
     }
 

codex-rs/core/src/bash.rs

@@ -5,13 +5,13 @@ use tree_sitter_bash::LANGUAGE as BASH;
 
 /// Parse the provided bash source using tree-sitter-bash, returning a Tree on
 /// success or None if parsing failed.
-pub fn try_parse_shell(shell_lc_arg: &str) -> Option<Tree> {
+pub fn try_parse_bash(bash_lc_arg: &str) -> Option<Tree> {
     let lang = BASH.into();
     let mut parser = Parser::new();
     #[expect(clippy::expect_used)]
     parser.set_language(&lang).expect("load bash grammar");
     let old_tree: Option<&Tree> = None;
-    parser.parse(shell_lc_arg, old_tree)
+    parser.parse(bash_lc_arg, old_tree)
 }
 
 /// Parse a script which may contain multiple simple commands joined only by
@@ -88,19 +88,18 @@ pub fn try_parse_word_only_commands_sequence(tree: &Tree, src: &str) -> Option<V
     Some(commands)
 }
 
-/// Returns the sequence of plain commands within a `bash -lc "..."` or
-/// `zsh -lc "..."` invocation when the script only contains word-only commands
-/// joined by safe operators.
-pub fn parse_shell_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
-    let [shell, flag, script] = command else {
+/// Returns the sequence of plain commands within a `bash -lc "..."` invocation
+/// when the script only contains word-only commands joined by safe operators.
+pub fn parse_bash_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
+    let [bash, flag, script] = command else {
         return None;
     };
 
-    if flag != "-lc" || !(shell == "bash" || shell == "zsh") {
+    if bash != "bash" || flag != "-lc" {
         return None;
     }
 
-    let tree = try_parse_shell(script)?;
+    let tree = try_parse_bash(script)?;
     try_parse_word_only_commands_sequence(&tree, script)
 }
 
@@ -155,7 +154,7 @@ mod tests {
     use super::*;
 
     fn parse_seq(src: &str) -> Option<Vec<Vec<String>>> {
-        let tree = try_parse_shell(src)?;
+        let tree = try_parse_bash(src)?;
         try_parse_word_only_commands_sequence(&tree, src)
     }
 
@@ -235,11 +234,4 @@ mod tests {
     fn rejects_trailing_operator_parse_error() {
         assert!(parse_seq("ls &&").is_none());
     }
-
-    #[test]
-    fn parse_zsh_lc_plain_commands() {
-        let command = vec!["zsh".to_string(), "-lc".to_string(), "ls".to_string()];
-        let parsed = parse_shell_lc_plain_commands(&command).unwrap();
-        assert_eq!(parsed, vec![vec!["ls".to_string()]]);
-    }
 }

codex-rs/core/src/chat_completions.rs

@@ -4,7 +4,6 @@ use crate::ModelProviderInfo;
 use crate::client_common::Prompt;
 use crate::client_common::ResponseEvent;
 use crate::client_common::ResponseStream;
-use crate::default_client::CodexHttpClient;
 use crate::error::CodexErr;
 use crate::error::ConnectionFailedError;
 use crate::error::ResponseStreamFailed;
@@ -37,7 +36,7 @@ use tracing::trace;
 pub(crate) async fn stream_chat_completions(
     prompt: &Prompt,
     model_family: &ModelFamily,
-    client: &CodexHttpClient,
+    client: &reqwest::Client,
     provider: &ModelProviderInfo,
     otel_event_manager: &OtelEventManager,
 ) -> Result<ResponseStream> {
@@ -105,10 +104,10 @@ pub(crate) async fn stream_chat_completions(
             } = item
             {
                 let mut text = String::new();
-                for entry in items {
-                    match entry {
-                        ReasoningItemContent::ReasoningText { text: segment }
-                        | ReasoningItemContent::Text { text: segment } => text.push_str(segment),
+                for c in items {
+                    match c {
+                        ReasoningItemContent::ReasoningText { text: t }
+                        | ReasoningItemContent::Text { text: t } => text.push_str(t),
                     }
                 }
                 if text.trim().is_empty() {

codex-rs/core/src/client.rs

@@ -1,18 +1,17 @@
 use std::io::BufRead;
 use std::path::Path;
-use std::sync::Arc;
 use std::sync::OnceLock;
 use std::time::Duration;
 
+use crate::AuthManager;
+use crate::auth::CodexAuth;
+use crate::error::ConnectionFailedError;
+use crate::error::ResponseStreamFailed;
+use crate::error::RetryLimitReachedError;
+use crate::error::UnexpectedResponseError;
 use bytes::Bytes;
-use chrono::DateTime;
-use chrono::Utc;
 use codex_app_server_protocol::AuthMode;
-use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::ConversationId;
-use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
-use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
-use codex_protocol::models::ResponseItem;
 use eventsource_stream::Eventsource;
 use futures::prelude::*;
 use regex_lite::Regex;
@@ -28,8 +27,6 @@ use tracing::debug;
 use tracing::trace;
 use tracing::warn;
 
-use crate::AuthManager;
-use crate::auth::CodexAuth;
 use crate::chat_completions::AggregateStreamExt;
 use crate::chat_completions::stream_chat_completions;
 use crate::client_common::Prompt;
@@ -39,14 +36,9 @@ use crate::client_common::ResponsesApiRequest;
 use crate::client_common::create_reasoning_param_for_request;
 use crate::client_common::create_text_param_for_request;
 use crate::config::Config;
-use crate::default_client::CodexHttpClient;
 use crate::default_client::create_client;
 use crate::error::CodexErr;
-use crate::error::ConnectionFailedError;
-use crate::error::ResponseStreamFailed;
 use crate::error::Result;
-use crate::error::RetryLimitReachedError;
-use crate::error::UnexpectedResponseError;
 use crate::error::UsageLimitReachedError;
 use crate::flags::CODEX_RS_SSE_FIXTURE;
 use crate::model_family::ModelFamily;
@@ -60,6 +52,13 @@ use crate::state::TaskKind;
 use crate::token_data::PlanType;
 use crate::tools::spec::create_tools_json_for_responses_api;
 use crate::util::backoff;
+use chrono::DateTime;
+use chrono::Utc;
+use codex_otel::otel_event_manager::OtelEventManager;
+use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
+use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
+use codex_protocol::models::ResponseItem;
+use std::sync::Arc;
 
 #[derive(Debug, Deserialize)]
 struct ErrorResponse {
@@ -82,7 +81,7 @@ pub struct ModelClient {
     config: Arc<Config>,
     auth_manager: Option<Arc<AuthManager>>,
     otel_event_manager: OtelEventManager,
-    client: CodexHttpClient,
+    client: reqwest::Client,
     provider: ModelProviderInfo,
     conversation_id: ConversationId,
     effort: Option<ReasoningEffortConfig>,
@@ -301,7 +300,6 @@ impl ModelClient {
             "POST to {}: {:?}",
             self.provider.get_full_url(&auth),
             serde_json::to_string(payload_json)
-                .unwrap_or("<unable to serialize payload>".to_string())
         );
 
         let mut req_builder = self
@@ -337,6 +335,12 @@ impl ModelClient {
                 .headers()
                 .get("cf-ray")
                 .map(|v| v.to_str().unwrap_or_default().to_string());
+
+            trace!(
+                "Response status: {}, cf-ray: {:?}",
+                resp.status(),
+                request_id
+            );
         }
 
         match res {
@@ -624,13 +628,13 @@ fn parse_rate_limit_window(
     headers: &HeaderMap,
     used_percent_header: &str,
     window_minutes_header: &str,
-    resets_at_header: &str,
+    resets_header: &str,
 ) -> Option<RateLimitWindow> {
     let used_percent: Option<f64> = parse_header_f64(headers, used_percent_header);
 
     used_percent.and_then(|used_percent| {
         let window_minutes = parse_header_i64(headers, window_minutes_header);
-        let resets_at = parse_header_i64(headers, resets_at_header);
+        let resets_at = parse_header_i64(headers, resets_header);
 
         let has_data = used_percent != 0.0
             || window_minutes.is_some_and(|minutes| minutes != 0)
@@ -1089,7 +1093,6 @@ mod tests {
             base_url: Some("https://test.com".to_string()),
             env_key: Some("TEST_API_KEY".to_string()),
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Responses,
             query_params: None,
             http_headers: None,
@@ -1153,7 +1156,6 @@ mod tests {
             base_url: Some("https://test.com".to_string()),
             env_key: Some("TEST_API_KEY".to_string()),
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Responses,
             query_params: None,
             http_headers: None,
@@ -1190,7 +1192,6 @@ mod tests {
             base_url: Some("https://test.com".to_string()),
             env_key: Some("TEST_API_KEY".to_string()),
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Responses,
             query_params: None,
             http_headers: None,
@@ -1229,7 +1230,6 @@ mod tests {
             base_url: Some("https://test.com".to_string()),
             env_key: Some("TEST_API_KEY".to_string()),
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Responses,
             query_params: None,
             http_headers: None,
@@ -1264,7 +1264,6 @@ mod tests {
             base_url: Some("https://test.com".to_string()),
             env_key: Some("TEST_API_KEY".to_string()),
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Responses,
             query_params: None,
             http_headers: None,
@@ -1368,7 +1367,6 @@ mod tests {
                 base_url: Some("https://test.com".to_string()),
                 env_key: Some("TEST_API_KEY".to_string()),
                 env_key_instructions: None,
-                experimental_bearer_token: None,
                 wire_api: WireApi::Responses,
                 query_params: None,
                 http_headers: None,

codex-rs/core/src/codex/compact.rs

@@ -10,21 +10,21 @@ use crate::error::Result as CodexResult;
 use crate::protocol::AgentMessageEvent;
 use crate::protocol::CompactedItem;
 use crate::protocol::ErrorEvent;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use crate::protocol::InputItem;
+use crate::protocol::InputMessageKind;
 use crate::protocol::TaskStartedEvent;
 use crate::protocol::TurnContextItem;
 use crate::state::TaskKind;
 use crate::truncate::truncate_middle;
 use crate::util::backoff;
 use askama::Template;
-use codex_protocol::items::TurnItem;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseInputItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::user_input::UserInput;
 use futures::prelude::*;
-use tracing::error;
 
 pub const SUMMARIZATION_PROMPT: &str = include_str!("../../templates/compact/prompt.md");
 const COMPACT_USER_MESSAGE_MAX_TOKENS: usize = 20_000;
@@ -40,35 +40,40 @@ pub(crate) async fn run_inline_auto_compact_task(
     sess: Arc<Session>,
     turn_context: Arc<TurnContext>,
 ) {
-    let input = vec![UserInput::Text {
+    let sub_id = sess.next_internal_sub_id();
+    let input = vec![InputItem::Text {
         text: SUMMARIZATION_PROMPT.to_string(),
     }];
-    run_compact_task_inner(sess, turn_context, input).await;
+    run_compact_task_inner(sess, turn_context, sub_id, input).await;
 }
 
 pub(crate) async fn run_compact_task(
     sess: Arc<Session>,
     turn_context: Arc<TurnContext>,
-    input: Vec<UserInput>,
+    sub_id: String,
+    input: Vec<InputItem>,
 ) -> Option<String> {
-    let start_event = EventMsg::TaskStarted(TaskStartedEvent {
-        model_context_window: turn_context.client.get_model_context_window(),
-    });
-    sess.send_event(&turn_context, start_event).await;
-    run_compact_task_inner(sess.clone(), turn_context, input).await;
+    let start_event = Event {
+        id: sub_id.clone(),
+        msg: EventMsg::TaskStarted(TaskStartedEvent {
+            model_context_window: turn_context.client.get_model_context_window(),
+        }),
+    };
+    sess.send_event(start_event).await;
+    run_compact_task_inner(sess.clone(), turn_context, sub_id.clone(), input).await;
     None
 }
 
 async fn run_compact_task_inner(
     sess: Arc<Session>,
     turn_context: Arc<TurnContext>,
-    input: Vec<UserInput>,
+    sub_id: String,
+    input: Vec<InputItem>,
 ) {
     let initial_input_for_turn: ResponseInputItem = ResponseInputItem::from(input);
-
-    let mut history = sess.clone_history().await;
-    history.record_items(&[initial_input_for_turn.into()]);
-
+    let mut turn_input = sess
+        .turn_input_with_history(vec![initial_input_for_turn.clone().into()])
+        .await;
     let mut truncated_count = 0usize;
 
     let max_retries = turn_context.client.get_provider().stream_max_retries();
@@ -85,18 +90,18 @@ async fn run_compact_task_inner(
     sess.persist_rollout_items(&[rollout_item]).await;
 
     loop {
-        let turn_input = history.get_history();
         let prompt = Prompt {
             input: turn_input.clone(),
             ..Default::default()
         };
-        let attempt_result = drain_to_completed(&sess, turn_context.as_ref(), &prompt).await;
+        let attempt_result =
+            drain_to_completed(&sess, turn_context.as_ref(), &sub_id, &prompt).await;
 
         match attempt_result {
             Ok(()) => {
                 if truncated_count > 0 {
                     sess.notify_background_event(
-                        turn_context.as_ref(),
+                        &sub_id,
                         format!(
                             "Trimmed {truncated_count} older conversation item(s) before compacting so the prompt fits the model context window."
                         ),
@@ -110,20 +115,20 @@ async fn run_compact_task_inner(
             }
             Err(e @ CodexErr::ContextWindowExceeded) => {
                 if turn_input.len() > 1 {
-                    // Trim from the beginning to preserve cache (prefix-based) and keep recent messages intact.
-                    error!(
-                        "Context window exceeded while compacting; removing oldest history item. Error: {e}"
-                    );
-                    history.remove_first_item();
+                    turn_input.remove(0);
                     truncated_count += 1;
                     retries = 0;
                     continue;
                 }
-                sess.set_total_tokens_full(turn_context.as_ref()).await;
-                let event = EventMsg::Error(ErrorEvent {
-                    message: e.to_string(),
-                });
-                sess.send_event(&turn_context, event).await;
+                sess.set_total_tokens_full(&sub_id, turn_context.as_ref())
+                    .await;
+                let event = Event {
+                    id: sub_id.clone(),
+                    msg: EventMsg::Error(ErrorEvent {
+                        message: e.to_string(),
+                    }),
+                };
+                sess.send_event(event).await;
                 return;
             }
             Err(e) => {
@@ -131,17 +136,20 @@ async fn run_compact_task_inner(
                     retries += 1;
                     let delay = backoff(retries);
                     sess.notify_stream_error(
-                        turn_context.as_ref(),
+                        &sub_id,
                         format!("Re-connecting... {retries}/{max_retries}"),
                     )
                     .await;
                     tokio::time::sleep(delay).await;
                     continue;
                 } else {
-                    let event = EventMsg::Error(ErrorEvent {
-                        message: e.to_string(),
-                    });
-                    sess.send_event(&turn_context, event).await;
+                    let event = Event {
+                        id: sub_id.clone(),
+                        msg: EventMsg::Error(ErrorEvent {
+                            message: e.to_string(),
+                        }),
+                    };
+                    sess.send_event(event).await;
                     return;
                 }
             }
@@ -160,10 +168,13 @@ async fn run_compact_task_inner(
     });
     sess.persist_rollout_items(&[rollout_item]).await;
 
-    let event = EventMsg::AgentMessage(AgentMessageEvent {
-        message: "Compact task completed".to_string(),
-    });
-    sess.send_event(&turn_context, event).await;
+    let event = Event {
+        id: sub_id.clone(),
+        msg: EventMsg::AgentMessage(AgentMessageEvent {
+            message: "Compact task completed".to_string(),
+        }),
+    };
+    sess.send_event(event).await;
 }
 
 pub fn content_items_to_text(content: &[ContentItem]) -> Option<String> {
@@ -188,13 +199,23 @@ pub fn content_items_to_text(content: &[ContentItem]) -> Option<String> {
 pub(crate) fn collect_user_messages(items: &[ResponseItem]) -> Vec<String> {
     items
         .iter()
-        .filter_map(|item| match crate::event_mapping::parse_turn_item(item) {
-            Some(TurnItem::UserMessage(user)) => Some(user.message()),
+        .filter_map(|item| match item {
+            ResponseItem::Message { role, content, .. } if role == "user" => {
+                content_items_to_text(content)
+            }
             _ => None,
         })
+        .filter(|text| !is_session_prefix_message(text))
         .collect()
 }
 
+pub fn is_session_prefix_message(text: &str) -> bool {
+    matches!(
+        InputMessageKind::from(("user", text)),
+        InputMessageKind::UserInstructions | InputMessageKind::EnvironmentContext
+    )
+}
+
 pub(crate) fn build_compacted_history(
     initial_context: Vec<ResponseItem>,
     user_messages: &[String],
@@ -235,6 +256,7 @@ pub(crate) fn build_compacted_history(
 async fn drain_to_completed(
     sess: &Session,
     turn_context: &TurnContext,
+    sub_id: &str,
     prompt: &Prompt,
 ) -> CodexResult<()> {
     let mut stream = turn_context
@@ -255,10 +277,10 @@ async fn drain_to_completed(
                 sess.record_into_history(std::slice::from_ref(&item)).await;
             }
             Ok(ResponseEvent::RateLimits(snapshot)) => {
-                sess.update_rate_limits(turn_context, snapshot).await;
+                sess.update_rate_limits(sub_id, snapshot).await;
             }
             Ok(ResponseEvent::Completed { token_usage, .. }) => {
-                sess.update_token_usage_info(turn_context, token_usage.as_ref())
+                sess.update_token_usage_info(sub_id, turn_context, token_usage.as_ref())
                     .await;
                 return Ok(());
             }
@@ -316,16 +338,21 @@ mod tests {
             ResponseItem::Message {
                 id: Some("user".to_string()),
                 role: "user".to_string(),
-                content: vec![ContentItem::InputText {
-                    text: "first".to_string(),
-                }],
+                content: vec![
+                    ContentItem::InputText {
+                        text: "first".to_string(),
+                    },
+                    ContentItem::OutputText {
+                        text: "second".to_string(),
+                    },
+                ],
             },
             ResponseItem::Other,
         ];
 
         let collected = collect_user_messages(&items);
 
-        assert_eq!(vec!["first".to_string()], collected);
+        assert_eq!(vec!["first\nsecond".to_string()], collected);
     }
 
     #[test]

codex-rs/core/src/command_safety/is_dangerous_command.rs

@@ -1,4 +1,4 @@
-use crate::bash::parse_shell_lc_plain_commands;
+use crate::bash::parse_bash_lc_plain_commands;
 
 pub fn command_might_be_dangerous(command: &[String]) -> bool {
     if is_dangerous_to_call_with_exec(command) {
@@ -6,7 +6,7 @@ pub fn command_might_be_dangerous(command: &[String]) -> bool {
     }
 
     // Support `bash -lc "<script>"` where the any part of the script might contain a dangerous command.
-    if let Some(all_commands) = parse_shell_lc_plain_commands(command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(command)
         && all_commands
             .iter()
             .any(|cmd| is_dangerous_to_call_with_exec(cmd))
@@ -57,15 +57,6 @@ mod tests {
         ])));
     }
 
-    #[test]
-    fn zsh_git_reset_is_dangerous() {
-        assert!(command_might_be_dangerous(&vec_str(&[
-            "zsh",
-            "-lc",
-            "git reset --hard"
-        ])));
-    }
-
     #[test]
     fn git_status_is_not_dangerous() {
         assert!(!command_might_be_dangerous(&vec_str(&["git", "status"])));

codex-rs/core/src/command_safety/is_safe_command.rs

@@ -1,4 +1,4 @@
-use crate::bash::parse_shell_lc_plain_commands;
+use crate::bash::parse_bash_lc_plain_commands;
 
 pub fn is_known_safe_command(command: &[String]) -> bool {
     let command: Vec<String> = command
@@ -29,7 +29,7 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
     // introduce side effects ( "&&", "||", ";", and "|" ). If every
     // individual command in the script is itself a known‑safe command, then
     // the composite expression is considered safe.
-    if let Some(all_commands) = parse_shell_lc_plain_commands(&command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(&command)
         && !all_commands.is_empty()
         && all_commands
             .iter()
@@ -201,11 +201,6 @@ mod tests {
         ])));
     }
 
-    #[test]
-    fn zsh_lc_safe_command_sequence() {
-        assert!(is_known_safe_command(&vec_str(&["zsh", "-lc", "ls"])));
-    }
-
     #[test]
     fn unknown_or_partial() {
         assert!(!is_safe_to_call_with_exec(&vec_str(&["foo"])));

codex-rs/core/src/config.rs

@@ -216,6 +216,9 @@ pub struct Config {
     /// When set, restricts the login mechanism users may use.
     pub forced_login_method: Option<ForcedLoginMethod>,
 
+    /// Include an experimental plan tool that the model can use to update its current plan and status of each step.
+    pub include_plan_tool: bool,
+
     /// Include the `apply_patch` tool for models that benefit from invoking
     /// file edits as a structured tool call. When unset, this falls back to the
     /// model family's default preference.
@@ -481,16 +484,6 @@ pub fn write_global_mcp_servers(
                 entry["tool_timeout_sec"] = toml_edit::value(timeout.as_secs_f64());
             }
 
-            if let Some(enabled_tools) = &config.enabled_tools {
-                entry["enabled_tools"] =
-                    TomlItem::Value(enabled_tools.iter().collect::<TomlArray>().into());
-            }
-
-            if let Some(disabled_tools) = &config.disabled_tools {
-                entry["disabled_tools"] =
-                    TomlItem::Value(disabled_tools.iter().collect::<TomlArray>().into());
-            }
-
             doc["mcp_servers"][name.as_str()] = TomlItem::Table(entry);
         }
     }
@@ -1114,6 +1107,7 @@ pub struct ConfigOverrides {
     pub config_profile: Option<String>,
     pub codex_linux_sandbox_exe: Option<PathBuf>,
     pub base_instructions: Option<String>,
+    pub include_plan_tool: Option<bool>,
     pub include_apply_patch_tool: Option<bool>,
     pub include_view_image_tool: Option<bool>,
     pub show_raw_agent_reasoning: Option<bool>,
@@ -1143,6 +1137,7 @@ impl Config {
             config_profile: config_profile_key,
             codex_linux_sandbox_exe,
             base_instructions,
+            include_plan_tool: include_plan_tool_override,
             include_apply_patch_tool: include_apply_patch_tool_override,
             include_view_image_tool: include_view_image_tool_override,
             show_raw_agent_reasoning,
@@ -1169,6 +1164,7 @@ impl Config {
         };
 
         let feature_overrides = FeatureOverrides {
+            include_plan_tool: include_plan_tool_override,
             include_apply_patch_tool: include_apply_patch_tool_override,
             include_view_image_tool: include_view_image_tool_override,
             web_search_request: override_tools_web_search_request,
@@ -1220,7 +1216,7 @@ impl Config {
                 }
             }
         }
-        let approval_policy = approval_policy_override
+        let mut approval_policy = approval_policy_override
             .or(config_profile.approval_policy)
             .or(cfg.approval_policy)
             .unwrap_or_else(|| {
@@ -1263,6 +1259,7 @@ impl Config {
 
         let history = cfg.history.unwrap_or_default();
 
+        let include_plan_tool_flag = features.enabled(Feature::PlanTool);
         let include_apply_patch_tool_flag = features.enabled(Feature::ApplyPatchFreeform);
         let include_view_image_tool_flag = features.enabled(Feature::ViewImageTool);
         let tools_web_search_request = features.enabled(Feature::WebSearchRequest);
@@ -1328,6 +1325,10 @@ impl Config {
             .or(cfg.review_model)
             .unwrap_or_else(default_review_model);
 
+        if features.enabled(Feature::ApproveAll) {
+            approval_policy = AskForApproval::OnRequest;
+        }
+
         let config = Self {
             model,
             review_model,
@@ -1388,6 +1389,7 @@ impl Config {
                 .unwrap_or("https://chatgpt.com/backend-api/".to_string()),
             forced_chatgpt_workspace_id,
             forced_login_method,
+            include_plan_tool: include_plan_tool_flag,
             include_apply_patch_tool: include_apply_patch_tool_flag,
             tools_web_search_request,
             use_experimental_streamable_shell_tool,
@@ -1707,6 +1709,26 @@ trust_level = "trusted"
         Ok(())
     }
 
+    #[test]
+    fn approve_all_feature_forces_on_request_policy() -> std::io::Result<()> {
+        let cfg = r#"
+[features]
+approve_all = true
+"#;
+        let parsed = toml::from_str::<ConfigToml>(cfg)
+            .expect("TOML deserialization should succeed for approve_all feature");
+        let temp_dir = TempDir::new()?;
+        let config = Config::load_from_base_config_with_overrides(
+            parsed,
+            ConfigOverrides::default(),
+            temp_dir.path().to_path_buf(),
+        )?;
+
+        assert!(config.features.enabled(Feature::ApproveAll));
+        assert_eq!(config.approval_policy, AskForApproval::OnRequest);
+        Ok(())
+    }
+
     #[test]
     fn config_defaults_to_auto_oauth_store_mode() -> std::io::Result<()> {
         let codex_home = TempDir::new()?;
@@ -1733,6 +1755,7 @@ trust_level = "trusted"
         profiles.insert(
             "work".to_string(),
             ConfigProfile {
+                include_plan_tool: Some(true),
                 include_view_image_tool: Some(false),
                 ..Default::default()
             },
@@ -1749,7 +1772,9 @@ trust_level = "trusted"
             codex_home.path().to_path_buf(),
         )?;
 
+        assert!(config.features.enabled(Feature::PlanTool));
         assert!(!config.features.enabled(Feature::ViewImageTool));
+        assert!(config.include_plan_tool);
         assert!(!config.include_view_image_tool);
 
         Ok(())
@@ -1759,6 +1784,7 @@ trust_level = "trusted"
     fn feature_table_overrides_legacy_flags() -> std::io::Result<()> {
         let codex_home = TempDir::new()?;
         let mut entries = BTreeMap::new();
+        entries.insert("plan_tool".to_string(), false);
         entries.insert("apply_patch_freeform".to_string(), false);
         let cfg = ConfigToml {
             features: Some(crate::features::FeaturesToml { entries }),
@@ -1771,7 +1797,9 @@ trust_level = "trusted"
             codex_home.path().to_path_buf(),
         )?;
 
+        assert!(!config.features.enabled(Feature::PlanTool));
         assert!(!config.features.enabled(Feature::ApplyPatchFreeform));
+        assert!(!config.include_plan_tool);
         assert!(!config.include_apply_patch_tool);
 
         Ok(())
@@ -1895,8 +1923,6 @@ trust_level = "trusted"
                 enabled: true,
                 startup_timeout_sec: Some(Duration::from_secs(3)),
                 tool_timeout_sec: Some(Duration::from_secs(5)),
-                enabled_tools: None,
-                disabled_tools: None,
             },
         );
 
@@ -2033,8 +2059,6 @@ bearer_token = "secret"
                 enabled: true,
                 startup_timeout_sec: None,
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         )]);
 
@@ -2097,8 +2121,6 @@ ZIG_VAR = "3"
                 enabled: true,
                 startup_timeout_sec: None,
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         )]);
 
@@ -2141,8 +2163,6 @@ ZIG_VAR = "3"
                 enabled: true,
                 startup_timeout_sec: None,
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         )]);
 
@@ -2184,8 +2204,6 @@ ZIG_VAR = "3"
                 enabled: true,
                 startup_timeout_sec: Some(Duration::from_secs(2)),
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         )]);
 
@@ -2243,8 +2261,6 @@ startup_timeout_sec = 2.0
                 enabled: true,
                 startup_timeout_sec: Some(Duration::from_secs(2)),
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         )]);
         write_global_mcp_servers(codex_home.path(), &servers)?;
@@ -2314,8 +2330,6 @@ X-Auth = "DOCS_AUTH"
                 enabled: true,
                 startup_timeout_sec: Some(Duration::from_secs(2)),
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         )]);
 
@@ -2337,8 +2351,6 @@ X-Auth = "DOCS_AUTH"
                 enabled: true,
                 startup_timeout_sec: None,
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         );
         write_global_mcp_servers(codex_home.path(), &servers)?;
@@ -2398,8 +2410,6 @@ url = "https://example.com/mcp"
                     enabled: true,
                     startup_timeout_sec: Some(Duration::from_secs(2)),
                     tool_timeout_sec: None,
-                    enabled_tools: None,
-                    disabled_tools: None,
                 },
             ),
             (
@@ -2415,8 +2425,6 @@ url = "https://example.com/mcp"
                     enabled: true,
                     startup_timeout_sec: None,
                     tool_timeout_sec: None,
-                    enabled_tools: None,
-                    disabled_tools: None,
                 },
             ),
         ]);
@@ -2491,8 +2499,6 @@ url = "https://example.com/mcp"
                 enabled: false,
                 startup_timeout_sec: None,
                 tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
             },
         )]);
 
@@ -2512,49 +2518,6 @@ url = "https://example.com/mcp"
         Ok(())
     }
 
-    #[tokio::test]
-    async fn write_global_mcp_servers_serializes_tool_filters() -> anyhow::Result<()> {
-        let codex_home = TempDir::new()?;
-
-        let servers = BTreeMap::from([(
-            "docs".to_string(),
-            McpServerConfig {
-                transport: McpServerTransportConfig::Stdio {
-                    command: "docs-server".to_string(),
-                    args: Vec::new(),
-                    env: None,
-                    env_vars: Vec::new(),
-                    cwd: None,
-                },
-                enabled: true,
-                startup_timeout_sec: None,
-                tool_timeout_sec: None,
-                enabled_tools: Some(vec!["allowed".to_string()]),
-                disabled_tools: Some(vec!["blocked".to_string()]),
-            },
-        )]);
-
-        write_global_mcp_servers(codex_home.path(), &servers)?;
-
-        let config_path = codex_home.path().join(CONFIG_TOML_FILE);
-        let serialized = std::fs::read_to_string(&config_path)?;
-        assert!(serialized.contains(r#"enabled_tools = ["allowed"]"#));
-        assert!(serialized.contains(r#"disabled_tools = ["blocked"]"#));
-
-        let loaded = load_global_mcp_servers(codex_home.path()).await?;
-        let docs = loaded.get("docs").expect("docs entry");
-        assert_eq!(
-            docs.enabled_tools.as_ref(),
-            Some(&vec!["allowed".to_string()])
-        );
-        assert_eq!(
-            docs.disabled_tools.as_ref(),
-            Some(&vec!["blocked".to_string()])
-        );
-
-        Ok(())
-    }
-
     #[tokio::test]
     async fn persist_model_selection_updates_defaults() -> anyhow::Result<()> {
         let codex_home = TempDir::new()?;
@@ -2777,7 +2740,6 @@ model_verbosity = "high"
             env_key: Some("OPENAI_API_KEY".to_string()),
             wire_api: crate::WireApi::Chat,
             env_key_instructions: None,
-            experimental_bearer_token: None,
             query_params: None,
             http_headers: None,
             env_http_headers: None,
@@ -2871,6 +2833,7 @@ model_verbosity = "high"
                 base_instructions: None,
                 forced_chatgpt_workspace_id: None,
                 forced_login_method: None,
+                include_plan_tool: false,
                 include_apply_patch_tool: false,
                 tools_web_search_request: false,
                 use_experimental_streamable_shell_tool: false,
@@ -2939,6 +2902,7 @@ model_verbosity = "high"
             base_instructions: None,
             forced_chatgpt_workspace_id: None,
             forced_login_method: None,
+            include_plan_tool: false,
             include_apply_patch_tool: false,
             tools_web_search_request: false,
             use_experimental_streamable_shell_tool: false,
@@ -3022,6 +2986,7 @@ model_verbosity = "high"
             base_instructions: None,
             forced_chatgpt_workspace_id: None,
             forced_login_method: None,
+            include_plan_tool: false,
             include_apply_patch_tool: false,
             tools_web_search_request: false,
             use_experimental_streamable_shell_tool: false,
@@ -3091,6 +3056,7 @@ model_verbosity = "high"
             base_instructions: None,
             forced_chatgpt_workspace_id: None,
             forced_login_method: None,
+            include_plan_tool: false,
             include_apply_patch_tool: false,
             tools_web_search_request: false,
             use_experimental_streamable_shell_tool: false,

codex-rs/core/src/config_profile.rs

@@ -20,6 +20,7 @@ pub struct ConfigProfile {
     pub model_verbosity: Option<Verbosity>,
     pub chatgpt_base_url: Option<String>,
     pub experimental_instructions_file: Option<PathBuf>,
+    pub include_plan_tool: Option<bool>,
     pub include_apply_patch_tool: Option<bool>,
     pub include_view_image_tool: Option<bool>,
     pub experimental_use_unified_exec_tool: Option<bool>,

codex-rs/core/src/config_types.rs

@@ -35,14 +35,6 @@ pub struct McpServerConfig {
     /// Default timeout for MCP tool calls initiated via this server.
     #[serde(default, with = "option_duration_secs")]
     pub tool_timeout_sec: Option<Duration>,
-
-    /// Explicit allow-list of tools exposed from this server. When set, only these tools will be registered.
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub enabled_tools: Option<Vec<String>>,
-
-    /// Explicit deny-list of tools. These tools will be removed after applying `enabled_tools`.
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub disabled_tools: Option<Vec<String>>,
 }
 
 impl<'de> Deserialize<'de> for McpServerConfig {
@@ -50,7 +42,7 @@ impl<'de> Deserialize<'de> for McpServerConfig {
     where
         D: Deserializer<'de>,
     {
-        #[derive(Deserialize, Clone)]
+        #[derive(Deserialize)]
         struct RawMcpServerConfig {
             // stdio
             command: Option<String>,
@@ -80,13 +72,9 @@ impl<'de> Deserialize<'de> for McpServerConfig {
             tool_timeout_sec: Option<Duration>,
             #[serde(default)]
             enabled: Option<bool>,
-            #[serde(default)]
-            enabled_tools: Option<Vec<String>>,
-            #[serde(default)]
-            disabled_tools: Option<Vec<String>>,
         }
 
-        let mut raw = RawMcpServerConfig::deserialize(deserializer)?;
+        let raw = RawMcpServerConfig::deserialize(deserializer)?;
 
         let startup_timeout_sec = match (raw.startup_timeout_sec, raw.startup_timeout_ms) {
             (Some(sec), _) => {
@@ -96,10 +84,6 @@ impl<'de> Deserialize<'de> for McpServerConfig {
             (None, Some(ms)) => Some(Duration::from_millis(ms)),
             (None, None) => None,
         };
-        let tool_timeout_sec = raw.tool_timeout_sec;
-        let enabled = raw.enabled.unwrap_or_else(default_enabled);
-        let enabled_tools = raw.enabled_tools.clone();
-        let disabled_tools = raw.disabled_tools.clone();
 
         fn throw_if_set<E, T>(transport: &str, field: &str, value: Option<&T>) -> Result<(), E>
         where
@@ -113,46 +97,72 @@ impl<'de> Deserialize<'de> for McpServerConfig {
             )))
         }
 
-        let transport = if let Some(command) = raw.command.clone() {
-            throw_if_set("stdio", "url", raw.url.as_ref())?;
-            throw_if_set(
-                "stdio",
-                "bearer_token_env_var",
-                raw.bearer_token_env_var.as_ref(),
-            )?;
-            throw_if_set("stdio", "bearer_token", raw.bearer_token.as_ref())?;
-            throw_if_set("stdio", "http_headers", raw.http_headers.as_ref())?;
-            throw_if_set("stdio", "env_http_headers", raw.env_http_headers.as_ref())?;
-            McpServerTransportConfig::Stdio {
-                command,
-                args: raw.args.clone().unwrap_or_default(),
-                env: raw.env.clone(),
-                env_vars: raw.env_vars.clone().unwrap_or_default(),
-                cwd: raw.cwd.take(),
-            }
-        } else if let Some(url) = raw.url.clone() {
-            throw_if_set("streamable_http", "args", raw.args.as_ref())?;
-            throw_if_set("streamable_http", "env", raw.env.as_ref())?;
-            throw_if_set("streamable_http", "env_vars", raw.env_vars.as_ref())?;
-            throw_if_set("streamable_http", "cwd", raw.cwd.as_ref())?;
-            throw_if_set("streamable_http", "bearer_token", raw.bearer_token.as_ref())?;
-            McpServerTransportConfig::StreamableHttp {
+        let transport = match raw {
+            RawMcpServerConfig {
+                command: Some(command),
+                args,
+                env,
+                env_vars,
+                cwd,
                 url,
-                bearer_token_env_var: raw.bearer_token_env_var.clone(),
-                http_headers: raw.http_headers.clone(),
-                env_http_headers: raw.env_http_headers.take(),
+                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
+                ..
+            } => {
+                throw_if_set("stdio", "url", url.as_ref())?;
+                throw_if_set(
+                    "stdio",
+                    "bearer_token_env_var",
+                    bearer_token_env_var.as_ref(),
+                )?;
+                throw_if_set("stdio", "http_headers", http_headers.as_ref())?;
+                throw_if_set("stdio", "env_http_headers", env_http_headers.as_ref())?;
+                McpServerTransportConfig::Stdio {
+                    command,
+                    args: args.unwrap_or_default(),
+                    env,
+                    env_vars: env_vars.unwrap_or_default(),
+                    cwd,
+                }
             }
-        } else {
-            return Err(SerdeError::custom("invalid transport"));
+            RawMcpServerConfig {
+                url: Some(url),
+                bearer_token,
+                bearer_token_env_var,
+                command,
+                args,
+                env,
+                env_vars,
+                cwd,
+                http_headers,
+                env_http_headers,
+                startup_timeout_sec: _,
+                tool_timeout_sec: _,
+                startup_timeout_ms: _,
+                enabled: _,
+            } => {
+                throw_if_set("streamable_http", "command", command.as_ref())?;
+                throw_if_set("streamable_http", "args", args.as_ref())?;
+                throw_if_set("streamable_http", "env", env.as_ref())?;
+                throw_if_set("streamable_http", "env_vars", env_vars.as_ref())?;
+                throw_if_set("streamable_http", "cwd", cwd.as_ref())?;
+                throw_if_set("streamable_http", "bearer_token", bearer_token.as_ref())?;
+                McpServerTransportConfig::StreamableHttp {
+                    url,
+                    bearer_token_env_var,
+                    http_headers,
+                    env_http_headers,
+                }
+            }
+            _ => return Err(SerdeError::custom("invalid transport")),
         };
 
         Ok(Self {
             transport,
             startup_timeout_sec,
-            tool_timeout_sec,
-            enabled,
-            enabled_tools,
-            disabled_tools,
+            tool_timeout_sec: raw.tool_timeout_sec,
+            enabled: raw.enabled.unwrap_or_else(default_enabled),
         })
     }
 }
@@ -517,8 +527,6 @@ mod tests {
             }
         );
         assert!(cfg.enabled);
-        assert!(cfg.enabled_tools.is_none());
-        assert!(cfg.disabled_tools.is_none());
     }
 
     #[test]
@@ -693,21 +701,6 @@ mod tests {
         );
     }
 
-    #[test]
-    fn deserialize_server_config_with_tool_filters() {
-        let cfg: McpServerConfig = toml::from_str(
-            r#"
-            command = "echo"
-            enabled_tools = ["allowed"]
-            disabled_tools = ["blocked"]
-        "#,
-        )
-        .expect("should deserialize tool filters");
-
-        assert_eq!(cfg.enabled_tools, Some(vec!["allowed".to_string()]));
-        assert_eq!(cfg.disabled_tools, Some(vec!["blocked".to_string()]));
-    }
-
     #[test]
     fn deserialize_rejects_command_and_url() {
         toml::from_str::<McpServerConfig>(

codex-rs/core/src/context_manager/manager.rs

@@ -1,970 +0,0 @@
-use crate::context_manager::truncation::truncate_context_output;
-use codex_protocol::models::FunctionCallOutputPayload;
-use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::TokenUsage;
-use codex_protocol::protocol::TokenUsageInfo;
-use tracing::error;
-
-/// Transcript of conversation history
-#[derive(Debug, Clone, Default)]
-pub(crate) struct ContextManager {
-    /// The oldest items are at the beginning of the vector.
-    items: Vec<ResponseItem>,
-    token_info: Option<TokenUsageInfo>,
-}
-
-impl ContextManager {
-    pub(crate) fn new() -> Self {
-        Self {
-            items: Vec::new(),
-            token_info: TokenUsageInfo::new_or_append(&None, &None, None),
-        }
-    }
-
-    pub(crate) fn token_info(&self) -> Option<TokenUsageInfo> {
-        self.token_info.clone()
-    }
-
-    pub(crate) fn set_token_usage_full(&mut self, context_window: i64) {
-        match &mut self.token_info {
-            Some(info) => info.fill_to_context_window(context_window),
-            None => {
-                self.token_info = Some(TokenUsageInfo::full_context_window(context_window));
-            }
-        }
-    }
-
-    /// `items` is ordered from oldest to newest.
-    pub(crate) fn record_items<I>(&mut self, items: I)
-    where
-        I: IntoIterator,
-        I::Item: std::ops::Deref<Target = ResponseItem>,
-    {
-        for item in items {
-            if !is_api_message(&item) {
-                continue;
-            }
-
-            let processed = Self::process_item(&item);
-            self.items.push(processed);
-        }
-    }
-
-    pub(crate) fn get_history(&mut self) -> Vec<ResponseItem> {
-        self.normalize_history();
-        self.contents()
-    }
-
-    pub(crate) fn remove_first_item(&mut self) {
-        if !self.items.is_empty() {
-            // Remove the oldest item (front of the list). Items are ordered from
-            // oldest → newest, so index 0 is the first entry recorded.
-            let removed = self.items.remove(0);
-            // If the removed item participates in a call/output pair, also remove
-            // its corresponding counterpart to keep the invariants intact without
-            // running a full normalization pass.
-            self.remove_corresponding_for(&removed);
-        }
-    }
-
-    /// This function enforces a couple of invariants on the in-memory history:
-    /// 1. every call (function/custom) has a corresponding output entry
-    /// 2. every output has a corresponding call entry
-    fn normalize_history(&mut self) {
-        // all function/tool calls must have a corresponding output
-        self.ensure_call_outputs_present();
-
-        // all outputs must have a corresponding function/tool call
-        self.remove_orphan_outputs();
-    }
-
-    fn process_item(item: &ResponseItem) -> ResponseItem {
-        match item {
-            ResponseItem::FunctionCallOutput { call_id, output } => {
-                let truncated_content = truncate_context_output(output.content.as_str());
-                ResponseItem::FunctionCallOutput {
-                    call_id: call_id.clone(),
-                    output: FunctionCallOutputPayload {
-                        content: truncated_content,
-                        success: output.success,
-                    },
-                }
-            }
-            ResponseItem::CustomToolCallOutput { call_id, output } => {
-                let truncated = truncate_context_output(output);
-                ResponseItem::CustomToolCallOutput {
-                    call_id: call_id.clone(),
-                    output: truncated,
-                }
-            }
-            _ => item.clone(),
-        }
-    }
-
-    /// Returns a clone of the contents in the transcript.
-    fn contents(&self) -> Vec<ResponseItem> {
-        self.items.clone()
-    }
-
-    fn ensure_call_outputs_present(&mut self) {
-        // Collect synthetic outputs to insert immediately after their calls.
-        // Store the insertion position (index of call) alongside the item so
-        // we can insert in reverse order and avoid index shifting.
-        let mut missing_outputs_to_insert: Vec<(usize, ResponseItem)> = Vec::new();
-
-        for (idx, item) in self.items.iter().enumerate() {
-            match item {
-                ResponseItem::FunctionCall { call_id, .. } => {
-                    let has_output = self.items.iter().any(|i| match i {
-                        ResponseItem::FunctionCallOutput {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_output {
-                        error_or_panic(format!(
-                            "Function call output is missing for call id: {call_id}"
-                        ));
-                        missing_outputs_to_insert.push((
-                            idx,
-                            ResponseItem::FunctionCallOutput {
-                                call_id: call_id.clone(),
-                                output: FunctionCallOutputPayload {
-                                    content: truncate_context_output("aborted"),
-                                    success: None,
-                                },
-                            },
-                        ));
-                    }
-                }
-                ResponseItem::CustomToolCall { call_id, .. } => {
-                    let has_output = self.items.iter().any(|i| match i {
-                        ResponseItem::CustomToolCallOutput {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_output {
-                        error_or_panic(format!(
-                            "Custom tool call output is missing for call id: {call_id}"
-                        ));
-                        missing_outputs_to_insert.push((
-                            idx,
-                            ResponseItem::CustomToolCallOutput {
-                                call_id: call_id.clone(),
-                                output: truncate_context_output("aborted"),
-                            },
-                        ));
-                    }
-                }
-                // LocalShellCall is represented in upstream streams by a FunctionCallOutput
-                ResponseItem::LocalShellCall { call_id, .. } => {
-                    if let Some(call_id) = call_id.as_ref() {
-                        let has_output = self.items.iter().any(|i| match i {
-                            ResponseItem::FunctionCallOutput {
-                                call_id: existing, ..
-                            } => existing == call_id,
-                            _ => false,
-                        });
-
-                        if !has_output {
-                            error_or_panic(format!(
-                                "Local shell call output is missing for call id: {call_id}"
-                            ));
-                            missing_outputs_to_insert.push((
-                                idx,
-                                ResponseItem::FunctionCallOutput {
-                                    call_id: call_id.clone(),
-                                    output: FunctionCallOutputPayload {
-                                        content: truncate_context_output("aborted"),
-                                        success: None,
-                                    },
-                                },
-                            ));
-                        }
-                    }
-                }
-                ResponseItem::Reasoning { .. }
-                | ResponseItem::WebSearchCall { .. }
-                | ResponseItem::FunctionCallOutput { .. }
-                | ResponseItem::CustomToolCallOutput { .. }
-                | ResponseItem::Other
-                | ResponseItem::Message { .. } => {
-                    // nothing to do for these variants
-                }
-            }
-        }
-
-        if !missing_outputs_to_insert.is_empty() {
-            // Insert from the end to avoid shifting subsequent indices.
-            missing_outputs_to_insert.sort_by_key(|(i, _)| *i);
-            for (idx, item) in missing_outputs_to_insert.into_iter().rev() {
-                let insert_pos = idx + 1; // place immediately after the call
-                if insert_pos <= self.items.len() {
-                    self.items.insert(insert_pos, item);
-                } else {
-                    self.items.push(item);
-                }
-            }
-        }
-    }
-
-    fn remove_orphan_outputs(&mut self) {
-        // Work on a snapshot to avoid borrowing `self.items` while mutating it.
-        let snapshot = self.items.clone();
-        let mut orphan_output_call_ids: std::collections::HashSet<String> =
-            std::collections::HashSet::new();
-
-        for item in &snapshot {
-            match item {
-                ResponseItem::FunctionCallOutput { call_id, .. } => {
-                    let has_call = snapshot.iter().any(|i| match i {
-                        ResponseItem::FunctionCall {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        ResponseItem::LocalShellCall {
-                            call_id: Some(existing),
-                            ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_call {
-                        error_or_panic(format!("Function call is missing for call id: {call_id}"));
-                        orphan_output_call_ids.insert(call_id.clone());
-                    }
-                }
-                ResponseItem::CustomToolCallOutput { call_id, .. } => {
-                    let has_call = snapshot.iter().any(|i| match i {
-                        ResponseItem::CustomToolCall {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_call {
-                        error_or_panic(format!(
-                            "Custom tool call is missing for call id: {call_id}"
-                        ));
-                        orphan_output_call_ids.insert(call_id.clone());
-                    }
-                }
-                ResponseItem::FunctionCall { .. }
-                | ResponseItem::CustomToolCall { .. }
-                | ResponseItem::LocalShellCall { .. }
-                | ResponseItem::Reasoning { .. }
-                | ResponseItem::WebSearchCall { .. }
-                | ResponseItem::Other
-                | ResponseItem::Message { .. } => {
-                    // nothing to do for these variants
-                }
-            }
-        }
-
-        if !orphan_output_call_ids.is_empty() {
-            let ids = orphan_output_call_ids;
-            self.items.retain(|i| match i {
-                ResponseItem::FunctionCallOutput { call_id, .. }
-                | ResponseItem::CustomToolCallOutput { call_id, .. } => !ids.contains(call_id),
-                _ => true,
-            });
-        }
-    }
-
-    pub(crate) fn replace(&mut self, items: Vec<ResponseItem>) {
-        self.items = items
-            .into_iter()
-            .map(|item| Self::process_item(&item))
-            .collect();
-    }
-
-    /// Removes the corresponding paired item for the provided `item`, if any.
-    ///
-    /// Pairs:
-    /// - FunctionCall <-> FunctionCallOutput
-    /// - CustomToolCall <-> CustomToolCallOutput
-    /// - LocalShellCall(call_id: Some) <-> FunctionCallOutput
-    fn remove_corresponding_for(&mut self, item: &ResponseItem) {
-        match item {
-            ResponseItem::FunctionCall { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::FunctionCallOutput {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::CustomToolCall { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::CustomToolCallOutput {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::LocalShellCall {
-                call_id: Some(call_id),
-                ..
-            } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::FunctionCallOutput {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::FunctionCallOutput { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::FunctionCall {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    ResponseItem::LocalShellCall {
-                        call_id: Some(existing),
-                        ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::CustomToolCallOutput { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::CustomToolCall {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            _ => {}
-        }
-    }
-
-    /// Remove the first item matching the predicate.
-    fn remove_first_matching<F>(&mut self, predicate: F)
-    where
-        F: FnMut(&ResponseItem) -> bool,
-    {
-        if let Some(pos) = self.items.iter().position(predicate) {
-            self.items.remove(pos);
-        }
-    }
-
-    pub(crate) fn update_token_info(
-        &mut self,
-        usage: &TokenUsage,
-        model_context_window: Option<i64>,
-    ) {
-        self.token_info = TokenUsageInfo::new_or_append(
-            &self.token_info,
-            &Some(usage.clone()),
-            model_context_window,
-        );
-    }
-}
-
-#[inline]
-fn error_or_panic(message: String) {
-    if cfg!(debug_assertions) || env!("CARGO_PKG_VERSION").contains("alpha") {
-        panic!("{message}");
-    } else {
-        error!("{message}");
-    }
-}
-
-/// Anything that is not a system message or "reasoning" message is considered
-/// an API message.
-fn is_api_message(message: &ResponseItem) -> bool {
-    match message {
-        ResponseItem::Message { role, .. } => role.as_str() != "system",
-        ResponseItem::FunctionCallOutput { .. }
-        | ResponseItem::FunctionCall { .. }
-        | ResponseItem::CustomToolCall { .. }
-        | ResponseItem::CustomToolCallOutput { .. }
-        | ResponseItem::LocalShellCall { .. }
-        | ResponseItem::Reasoning { .. }
-        | ResponseItem::WebSearchCall { .. } => true,
-        ResponseItem::Other => false,
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::context_manager::truncation::TELEMETRY_PREVIEW_MAX_BYTES;
-    use crate::context_manager::truncation::TELEMETRY_PREVIEW_TRUNCATION_NOTICE;
-    use codex_protocol::models::ContentItem;
-    use codex_protocol::models::FunctionCallOutputPayload;
-    use codex_protocol::models::LocalShellAction;
-    use codex_protocol::models::LocalShellExecAction;
-    use codex_protocol::models::LocalShellStatus;
-    use pretty_assertions::assert_eq;
-
-    fn assistant_msg(text: &str) -> ResponseItem {
-        ResponseItem::Message {
-            id: None,
-            role: "assistant".to_string(),
-            content: vec![ContentItem::OutputText {
-                text: text.to_string(),
-            }],
-        }
-    }
-
-    fn create_history_with_items(items: Vec<ResponseItem>) -> ContextManager {
-        let mut h = ContextManager::new();
-        h.record_items(items.iter());
-        h
-    }
-
-    fn user_msg(text: &str) -> ResponseItem {
-        ResponseItem::Message {
-            id: None,
-            role: "user".to_string(),
-            content: vec![ContentItem::OutputText {
-                text: text.to_string(),
-            }],
-        }
-    }
-
-    #[test]
-    fn filters_non_api_messages() {
-        let mut h = ContextManager::default();
-        // System message is not an API message; Other is ignored.
-        let system = ResponseItem::Message {
-            id: None,
-            role: "system".to_string(),
-            content: vec![ContentItem::OutputText {
-                text: "ignored".to_string(),
-            }],
-        };
-        h.record_items([&system, &ResponseItem::Other]);
-
-        // User and assistant should be retained.
-        let u = user_msg("hi");
-        let a = assistant_msg("hello");
-        h.record_items([&u, &a]);
-
-        let items = h.contents();
-        assert_eq!(
-            items,
-            vec![
-                ResponseItem::Message {
-                    id: None,
-                    role: "user".to_string(),
-                    content: vec![ContentItem::OutputText {
-                        text: "hi".to_string()
-                    }]
-                },
-                ResponseItem::Message {
-                    id: None,
-                    role: "assistant".to_string(),
-                    content: vec![ContentItem::OutputText {
-                        text: "hello".to_string()
-                    }]
-                }
-            ]
-        );
-    }
-
-    #[test]
-    fn record_items_truncates_function_call_output() {
-        let mut h = ContextManager::new();
-        let long_content = "a".repeat(TELEMETRY_PREVIEW_MAX_BYTES + 32);
-        let item = ResponseItem::FunctionCallOutput {
-            call_id: "call-long".to_string(),
-            output: FunctionCallOutputPayload {
-                content: long_content.clone(),
-                success: Some(true),
-            },
-        };
-
-        h.record_items([&item]);
-
-        let stored = h.contents();
-        let ResponseItem::FunctionCallOutput { output, .. } = &stored[0] else {
-            panic!("expected FunctionCallOutput variant");
-        };
-        assert!(
-            output
-                .content
-                .ends_with(TELEMETRY_PREVIEW_TRUNCATION_NOTICE),
-            "truncated content should end with notice"
-        );
-        assert!(
-            output.content.len() < long_content.len(),
-            "content should shrink after truncation"
-        );
-    }
-
-    #[test]
-    fn record_items_truncates_custom_tool_output() {
-        let mut h = ContextManager::new();
-        let long_content = "b".repeat(TELEMETRY_PREVIEW_MAX_BYTES + 64);
-        let item = ResponseItem::CustomToolCallOutput {
-            call_id: "custom-long".to_string(),
-            output: long_content.clone(),
-        };
-
-        h.record_items([&item]);
-
-        let stored = h.contents();
-        let ResponseItem::CustomToolCallOutput { output, .. } = &stored[0] else {
-            panic!("expected CustomToolCallOutput variant");
-        };
-        assert!(
-            output.ends_with(TELEMETRY_PREVIEW_TRUNCATION_NOTICE),
-            "truncated output should end with notice"
-        );
-        assert!(
-            output.len() < long_content.len(),
-            "output should shrink after truncation"
-        );
-    }
-
-    #[test]
-    fn remove_first_item_removes_matching_output_for_function_call() {
-        let items = vec![
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "do_it".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "call-1".to_string(),
-            },
-            ResponseItem::FunctionCallOutput {
-                call_id: "call-1".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[test]
-    fn remove_first_item_removes_matching_call_for_output() {
-        let items = vec![
-            ResponseItem::FunctionCallOutput {
-                call_id: "call-2".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "do_it".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "call-2".to_string(),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[test]
-    fn remove_first_item_handles_local_shell_pair() {
-        let items = vec![
-            ResponseItem::LocalShellCall {
-                id: None,
-                call_id: Some("call-3".to_string()),
-                status: LocalShellStatus::Completed,
-                action: LocalShellAction::Exec(LocalShellExecAction {
-                    command: vec!["echo".to_string(), "hi".to_string()],
-                    timeout_ms: None,
-                    working_directory: None,
-                    env: None,
-                    user: None,
-                }),
-            },
-            ResponseItem::FunctionCallOutput {
-                call_id: "call-3".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[test]
-    fn remove_first_item_handles_custom_tool_pair() {
-        let items = vec![
-            ResponseItem::CustomToolCall {
-                id: None,
-                status: None,
-                call_id: "tool-1".to_string(),
-                name: "my_tool".to_string(),
-                input: "{}".to_string(),
-            },
-            ResponseItem::CustomToolCallOutput {
-                call_id: "tool-1".to_string(),
-                output: "ok".to_string(),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    //TODO(aibrahim): run CI in release mode.
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_adds_missing_output_for_function_call() {
-        let items = vec![ResponseItem::FunctionCall {
-            id: None,
-            name: "do_it".to_string(),
-            arguments: "{}".to_string(),
-            call_id: "call-x".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::FunctionCall {
-                    id: None,
-                    name: "do_it".to_string(),
-                    arguments: "{}".to_string(),
-                    call_id: "call-x".to_string(),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "call-x".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-            ]
-        );
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_adds_missing_output_for_custom_tool_call() {
-        let items = vec![ResponseItem::CustomToolCall {
-            id: None,
-            status: None,
-            call_id: "tool-x".to_string(),
-            name: "custom".to_string(),
-            input: "{}".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::CustomToolCall {
-                    id: None,
-                    status: None,
-                    call_id: "tool-x".to_string(),
-                    name: "custom".to_string(),
-                    input: "{}".to_string(),
-                },
-                ResponseItem::CustomToolCallOutput {
-                    call_id: "tool-x".to_string(),
-                    output: "aborted".to_string(),
-                },
-            ]
-        );
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_adds_missing_output_for_local_shell_call_with_id() {
-        let items = vec![ResponseItem::LocalShellCall {
-            id: None,
-            call_id: Some("shell-1".to_string()),
-            status: LocalShellStatus::Completed,
-            action: LocalShellAction::Exec(LocalShellExecAction {
-                command: vec!["echo".to_string(), "hi".to_string()],
-                timeout_ms: None,
-                working_directory: None,
-                env: None,
-                user: None,
-            }),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::LocalShellCall {
-                    id: None,
-                    call_id: Some("shell-1".to_string()),
-                    status: LocalShellStatus::Completed,
-                    action: LocalShellAction::Exec(LocalShellExecAction {
-                        command: vec!["echo".to_string(), "hi".to_string()],
-                        timeout_ms: None,
-                        working_directory: None,
-                        env: None,
-                        user: None,
-                    }),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "shell-1".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-            ]
-        );
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_removes_orphan_function_call_output() {
-        let items = vec![ResponseItem::FunctionCallOutput {
-            call_id: "orphan-1".to_string(),
-            output: FunctionCallOutputPayload {
-                content: "ok".to_string(),
-                success: None,
-            },
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_removes_orphan_custom_tool_call_output() {
-        let items = vec![ResponseItem::CustomToolCallOutput {
-            call_id: "orphan-2".to_string(),
-            output: "ok".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_mixed_inserts_and_removals() {
-        let items = vec![
-            // Will get an inserted output
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "f1".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "c1".to_string(),
-            },
-            // Orphan output that should be removed
-            ResponseItem::FunctionCallOutput {
-                call_id: "c2".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-            // Will get an inserted custom tool output
-            ResponseItem::CustomToolCall {
-                id: None,
-                status: None,
-                call_id: "t1".to_string(),
-                name: "tool".to_string(),
-                input: "{}".to_string(),
-            },
-            // Local shell call also gets an inserted function call output
-            ResponseItem::LocalShellCall {
-                id: None,
-                call_id: Some("s1".to_string()),
-                status: LocalShellStatus::Completed,
-                action: LocalShellAction::Exec(LocalShellExecAction {
-                    command: vec!["echo".to_string()],
-                    timeout_ms: None,
-                    working_directory: None,
-                    env: None,
-                    user: None,
-                }),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::FunctionCall {
-                    id: None,
-                    name: "f1".to_string(),
-                    arguments: "{}".to_string(),
-                    call_id: "c1".to_string(),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "c1".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-                ResponseItem::CustomToolCall {
-                    id: None,
-                    status: None,
-                    call_id: "t1".to_string(),
-                    name: "tool".to_string(),
-                    input: "{}".to_string(),
-                },
-                ResponseItem::CustomToolCallOutput {
-                    call_id: "t1".to_string(),
-                    output: "aborted".to_string(),
-                },
-                ResponseItem::LocalShellCall {
-                    id: None,
-                    call_id: Some("s1".to_string()),
-                    status: LocalShellStatus::Completed,
-                    action: LocalShellAction::Exec(LocalShellExecAction {
-                        command: vec!["echo".to_string()],
-                        timeout_ms: None,
-                        working_directory: None,
-                        env: None,
-                        user: None,
-                    }),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "s1".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-            ]
-        );
-    }
-
-    // In debug builds we panic on normalization errors instead of silently fixing them.
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_adds_missing_output_for_function_call_panics_in_debug() {
-        let items = vec![ResponseItem::FunctionCall {
-            id: None,
-            name: "do_it".to_string(),
-            arguments: "{}".to_string(),
-            call_id: "call-x".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_adds_missing_output_for_custom_tool_call_panics_in_debug() {
-        let items = vec![ResponseItem::CustomToolCall {
-            id: None,
-            status: None,
-            call_id: "tool-x".to_string(),
-            name: "custom".to_string(),
-            input: "{}".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_adds_missing_output_for_local_shell_call_with_id_panics_in_debug() {
-        let items = vec![ResponseItem::LocalShellCall {
-            id: None,
-            call_id: Some("shell-1".to_string()),
-            status: LocalShellStatus::Completed,
-            action: LocalShellAction::Exec(LocalShellExecAction {
-                command: vec!["echo".to_string(), "hi".to_string()],
-                timeout_ms: None,
-                working_directory: None,
-                env: None,
-                user: None,
-            }),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_removes_orphan_function_call_output_panics_in_debug() {
-        let items = vec![ResponseItem::FunctionCallOutput {
-            call_id: "orphan-1".to_string(),
-            output: FunctionCallOutputPayload {
-                content: "ok".to_string(),
-                success: None,
-            },
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_removes_orphan_custom_tool_call_output_panics_in_debug() {
-        let items = vec![ResponseItem::CustomToolCallOutput {
-            call_id: "orphan-2".to_string(),
-            output: "ok".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_mixed_inserts_and_removals_panics_in_debug() {
-        let items = vec![
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "f1".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "c1".to_string(),
-            },
-            ResponseItem::FunctionCallOutput {
-                call_id: "c2".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-            ResponseItem::CustomToolCall {
-                id: None,
-                status: None,
-                call_id: "t1".to_string(),
-                name: "tool".to_string(),
-                input: "{}".to_string(),
-            },
-            ResponseItem::LocalShellCall {
-                id: None,
-                call_id: Some("s1".to_string()),
-                status: LocalShellStatus::Completed,
-                action: LocalShellAction::Exec(LocalShellExecAction {
-                    command: vec!["echo".to_string()],
-                    timeout_ms: None,
-                    working_directory: None,
-                    env: None,
-                    user: None,
-                }),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-}

codex-rs/core/src/context_manager/mod.rs

@@ -1,3 +0,0 @@
-mod manager;
-pub(crate) use manager::ContextManager;
-pub mod truncation;

codex-rs/core/src/context_manager/truncation.rs

@@ -1,159 +0,0 @@
-use codex_utils_string::take_bytes_at_char_boundary;
-
-#[derive(Clone, Copy)]
-pub(crate) struct TruncationConfig {
-    pub max_bytes: usize,
-    pub max_lines: usize,
-    pub truncation_notice: &'static str,
-}
-
-// Telemetry preview limits: keep log events smaller than model budgets.
-pub(crate) const TELEMETRY_PREVIEW_MAX_BYTES: usize = 2 * 1024; // 2 KiB
-pub(crate) const TELEMETRY_PREVIEW_MAX_LINES: usize = 64; // lines
-pub(crate) const TELEMETRY_PREVIEW_TRUNCATION_NOTICE: &str =
-    "[... telemetry preview truncated ...]";
-
-pub(crate) const CONTEXT_OUTPUT_TRUNCATION: TruncationConfig = TruncationConfig {
-    max_bytes: TELEMETRY_PREVIEW_MAX_BYTES,
-    max_lines: TELEMETRY_PREVIEW_MAX_LINES,
-    truncation_notice: TELEMETRY_PREVIEW_TRUNCATION_NOTICE,
-};
-
-pub(crate) fn truncate_with_config(content: &str, config: TruncationConfig) -> String {
-    let TruncationConfig {
-        max_bytes,
-        max_lines,
-        truncation_notice,
-    } = config;
-
-    let truncated_slice = take_bytes_at_char_boundary(content, max_bytes);
-    let truncated_by_bytes = truncated_slice.len() < content.len();
-
-    let mut preview = String::new();
-    let mut lines_iter = truncated_slice.lines();
-    for idx in 0..max_lines {
-        match lines_iter.next() {
-            Some(line) => {
-                if idx > 0 {
-                    preview.push('\n');
-                }
-                preview.push_str(line);
-            }
-            None => break,
-        }
-    }
-    let truncated_by_lines = lines_iter.next().is_some();
-
-    if !truncated_by_bytes && !truncated_by_lines {
-        return content.to_string();
-    }
-
-    if preview.len() < truncated_slice.len()
-        && truncated_slice
-            .as_bytes()
-            .get(preview.len())
-            .is_some_and(|byte| *byte == b'\n')
-    {
-        preview.push('\n');
-    }
-
-    if !preview.is_empty() && !preview.ends_with('\n') {
-        preview.push('\n');
-    }
-
-    preview.push_str(truncation_notice);
-    preview
-}
-
-pub(crate) fn truncate_context_output(content: &str) -> String {
-    truncate_with_config(content, CONTEXT_OUTPUT_TRUNCATION)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use pretty_assertions::assert_eq;
-
-    #[test]
-    fn truncate_with_config_returns_original_within_limits() {
-        let content = "short output";
-        let config = TruncationConfig {
-            max_bytes: 64,
-            max_lines: 5,
-            truncation_notice: "[notice]",
-        };
-        assert_eq!(truncate_with_config(content, config), content);
-    }
-
-    #[test]
-    fn truncate_with_config_truncates_by_bytes() {
-        let config = TruncationConfig {
-            max_bytes: 16,
-            max_lines: 10,
-            truncation_notice: "[notice]",
-        };
-        let content = "abcdefghijklmnopqrstuvwxyz";
-        let truncated = truncate_with_config(content, config);
-        assert!(truncated.contains("[notice]"));
-    }
-
-    #[test]
-    fn truncate_with_config_truncates_by_lines() {
-        let config = TruncationConfig {
-            max_bytes: 1024,
-            max_lines: 2,
-            truncation_notice: "[notice]",
-        };
-        let content = "l1\nl2\nl3\nl4";
-        let truncated = truncate_with_config(content, config);
-        assert!(truncated.lines().count() <= 3);
-        assert!(truncated.contains("[notice]"));
-    }
-
-    #[test]
-    fn telemetry_preview_returns_original_within_limits() {
-        let content = "short output";
-        let config = TruncationConfig {
-            max_bytes: TELEMETRY_PREVIEW_MAX_BYTES,
-            max_lines: TELEMETRY_PREVIEW_MAX_LINES,
-            truncation_notice: TELEMETRY_PREVIEW_TRUNCATION_NOTICE,
-        };
-        assert_eq!(truncate_with_config(content, config), content);
-    }
-
-    #[test]
-    fn telemetry_preview_truncates_by_bytes() {
-        let config = TruncationConfig {
-            max_bytes: TELEMETRY_PREVIEW_MAX_BYTES,
-            max_lines: TELEMETRY_PREVIEW_MAX_LINES,
-            truncation_notice: TELEMETRY_PREVIEW_TRUNCATION_NOTICE,
-        };
-        let content = "x".repeat(TELEMETRY_PREVIEW_MAX_BYTES + 8);
-        let preview = truncate_with_config(&content, config);
-
-        assert!(preview.contains(TELEMETRY_PREVIEW_TRUNCATION_NOTICE));
-        assert!(
-            preview.len()
-                <= TELEMETRY_PREVIEW_MAX_BYTES + TELEMETRY_PREVIEW_TRUNCATION_NOTICE.len() + 1
-        );
-    }
-
-    #[test]
-    fn telemetry_preview_truncates_by_lines() {
-        let config = TruncationConfig {
-            max_bytes: TELEMETRY_PREVIEW_MAX_BYTES,
-            max_lines: TELEMETRY_PREVIEW_MAX_LINES,
-            truncation_notice: TELEMETRY_PREVIEW_TRUNCATION_NOTICE,
-        };
-        let content = (0..(TELEMETRY_PREVIEW_MAX_LINES + 5))
-            .map(|idx| format!("line {idx}"))
-            .collect::<Vec<_>>()
-            .join("\n");
-
-        let preview = truncate_with_config(&content, config);
-        let lines: Vec<&str> = preview.lines().collect();
-
-        assert!(lines.len() <= TELEMETRY_PREVIEW_MAX_LINES + 1);
-        assert_eq!(lines.last(), Some(&TELEMETRY_PREVIEW_TRUNCATION_NOTICE));
-    }
-}

codex-rs/core/src/conversation_history.rs

@@ -0,0 +1,120 @@
+use codex_protocol::models::ResponseItem;
+
+/// Transcript of conversation history
+#[derive(Debug, Clone, Default)]
+pub(crate) struct ConversationHistory {
+    /// The oldest items are at the beginning of the vector.
+    items: Vec<ResponseItem>,
+}
+
+impl ConversationHistory {
+    pub(crate) fn new() -> Self {
+        Self { items: Vec::new() }
+    }
+
+    /// Returns a clone of the contents in the transcript.
+    pub(crate) fn contents(&self) -> Vec<ResponseItem> {
+        self.items.clone()
+    }
+
+    /// `items` is ordered from oldest to newest.
+    pub(crate) fn record_items<I>(&mut self, items: I)
+    where
+        I: IntoIterator,
+        I::Item: std::ops::Deref<Target = ResponseItem>,
+    {
+        for item in items {
+            if !is_api_message(&item) {
+                continue;
+            }
+
+            self.items.push(item.clone());
+        }
+    }
+
+    pub(crate) fn replace(&mut self, items: Vec<ResponseItem>) {
+        self.items = items;
+    }
+}
+
+/// Anything that is not a system message or "reasoning" message is considered
+/// an API message.
+fn is_api_message(message: &ResponseItem) -> bool {
+    match message {
+        ResponseItem::Message { role, .. } => role.as_str() != "system",
+        ResponseItem::FunctionCallOutput { .. }
+        | ResponseItem::FunctionCall { .. }
+        | ResponseItem::CustomToolCall { .. }
+        | ResponseItem::CustomToolCallOutput { .. }
+        | ResponseItem::LocalShellCall { .. }
+        | ResponseItem::Reasoning { .. }
+        | ResponseItem::WebSearchCall { .. } => true,
+        ResponseItem::Other => false,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_protocol::models::ContentItem;
+
+    fn assistant_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "assistant".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+
+    fn user_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "user".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+
+    #[test]
+    fn filters_non_api_messages() {
+        let mut h = ConversationHistory::default();
+        // System message is not an API message; Other is ignored.
+        let system = ResponseItem::Message {
+            id: None,
+            role: "system".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: "ignored".to_string(),
+            }],
+        };
+        h.record_items([&system, &ResponseItem::Other]);
+
+        // User and assistant should be retained.
+        let u = user_msg("hi");
+        let a = assistant_msg("hello");
+        h.record_items([&u, &a]);
+
+        let items = h.contents();
+        assert_eq!(
+            items,
+            vec![
+                ResponseItem::Message {
+                    id: None,
+                    role: "user".to_string(),
+                    content: vec![ContentItem::OutputText {
+                        text: "hi".to_string()
+                    }]
+                },
+                ResponseItem::Message {
+                    id: None,
+                    role: "assistant".to_string(),
+                    content: vec![ContentItem::OutputText {
+                        text: "hello".to_string()
+                    }]
+                }
+            ]
+        );
+    }
+}

codex-rs/core/src/conversation_manager.rs

@@ -3,6 +3,8 @@ use crate::CodexAuth;
 use crate::codex::Codex;
 use crate::codex::CodexSpawnOk;
 use crate::codex::INITIAL_SUBMIT_ID;
+use crate::codex::compact::content_items_to_text;
+use crate::codex::compact::is_session_prefix_message;
 use crate::codex_conversation::CodexConversation;
 use crate::config::Config;
 use crate::error::CodexErr;
@@ -12,7 +14,6 @@ use crate::protocol::EventMsg;
 use crate::protocol::SessionConfiguredEvent;
 use crate::rollout::RolloutRecorder;
 use codex_protocol::ConversationId;
-use codex_protocol::items::TurnItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::protocol::RolloutItem;
@@ -181,11 +182,9 @@ fn truncate_before_nth_user_message(history: InitialHistory, n: usize) -> Initia
     // Find indices of user message inputs in rollout order.
     let mut user_positions: Vec<usize> = Vec::new();
     for (idx, item) in items.iter().enumerate() {
-        if let RolloutItem::ResponseItem(item @ ResponseItem::Message { .. }) = item
-            && matches!(
-                crate::event_mapping::parse_turn_item(item),
-                Some(TurnItem::UserMessage(_))
-            )
+        if let RolloutItem::ResponseItem(ResponseItem::Message { role, content, .. }) = item
+            && role == "user"
+            && content_items_to_text(content).is_some_and(|text| !is_session_prefix_message(&text))
         {
             user_positions.push(idx);
         }

codex-rs/core/src/default_client.rs

@@ -1,13 +1,5 @@
 use crate::spawn::CODEX_SANDBOX_ENV_VAR;
-use http::Error as HttpError;
-use reqwest::IntoUrl;
-use reqwest::Method;
-use reqwest::Response;
-use reqwest::header::HeaderName;
 use reqwest::header::HeaderValue;
-use serde::Serialize;
-use std::collections::HashMap;
-use std::fmt::Display;
 use std::sync::LazyLock;
 use std::sync::Mutex;
 use std::sync::OnceLock;
@@ -30,130 +22,6 @@ use std::sync::OnceLock;
 pub static USER_AGENT_SUFFIX: LazyLock<Mutex<Option<String>>> = LazyLock::new(|| Mutex::new(None));
 pub const DEFAULT_ORIGINATOR: &str = "codex_cli_rs";
 pub const CODEX_INTERNAL_ORIGINATOR_OVERRIDE_ENV_VAR: &str = "CODEX_INTERNAL_ORIGINATOR_OVERRIDE";
-
-#[derive(Clone, Debug)]
-pub struct CodexHttpClient {
-    inner: reqwest::Client,
-}
-
-impl CodexHttpClient {
-    fn new(inner: reqwest::Client) -> Self {
-        Self { inner }
-    }
-
-    pub fn get<U>(&self, url: U) -> CodexRequestBuilder
-    where
-        U: IntoUrl,
-    {
-        self.request(Method::GET, url)
-    }
-
-    pub fn post<U>(&self, url: U) -> CodexRequestBuilder
-    where
-        U: IntoUrl,
-    {
-        self.request(Method::POST, url)
-    }
-
-    pub fn request<U>(&self, method: Method, url: U) -> CodexRequestBuilder
-    where
-        U: IntoUrl,
-    {
-        let url_str = url.as_str().to_string();
-        CodexRequestBuilder::new(self.inner.request(method.clone(), url), method, url_str)
-    }
-}
-
-#[must_use = "requests are not sent unless `send` is awaited"]
-#[derive(Debug)]
-pub struct CodexRequestBuilder {
-    builder: reqwest::RequestBuilder,
-    method: Method,
-    url: String,
-}
-
-impl CodexRequestBuilder {
-    fn new(builder: reqwest::RequestBuilder, method: Method, url: String) -> Self {
-        Self {
-            builder,
-            method,
-            url,
-        }
-    }
-
-    fn map(self, f: impl FnOnce(reqwest::RequestBuilder) -> reqwest::RequestBuilder) -> Self {
-        Self {
-            builder: f(self.builder),
-            method: self.method,
-            url: self.url,
-        }
-    }
-
-    pub fn header<K, V>(self, key: K, value: V) -> Self
-    where
-        HeaderName: TryFrom<K>,
-        <HeaderName as TryFrom<K>>::Error: Into<HttpError>,
-        HeaderValue: TryFrom<V>,
-        <HeaderValue as TryFrom<V>>::Error: Into<HttpError>,
-    {
-        self.map(|builder| builder.header(key, value))
-    }
-
-    pub fn bearer_auth<T>(self, token: T) -> Self
-    where
-        T: Display,
-    {
-        self.map(|builder| builder.bearer_auth(token))
-    }
-
-    pub fn json<T>(self, value: &T) -> Self
-    where
-        T: ?Sized + Serialize,
-    {
-        self.map(|builder| builder.json(value))
-    }
-
-    pub async fn send(self) -> Result<Response, reqwest::Error> {
-        match self.builder.send().await {
-            Ok(response) => {
-                let request_ids = Self::extract_request_ids(&response);
-                tracing::debug!(
-                    method = %self.method,
-                    url = %self.url,
-                    status = %response.status(),
-                    request_ids = ?request_ids,
-                    version = ?response.version(),
-                    "Request completed"
-                );
-
-                Ok(response)
-            }
-            Err(error) => {
-                let status = error.status();
-                tracing::debug!(
-                    method = %self.method,
-                    url = %self.url,
-                    status = status.map(|s| s.as_u16()),
-                    error = %error,
-                    "Request failed"
-                );
-                Err(error)
-            }
-        }
-    }
-
-    fn extract_request_ids(response: &Response) -> HashMap<String, String> {
-        ["cf-ray", "x-request-id", "x-oai-request-id"]
-            .iter()
-            .filter_map(|&name| {
-                let header_name = HeaderName::from_static(name);
-                let value = response.headers().get(header_name)?;
-                let value = value.to_str().ok()?.to_owned();
-                Some((name.to_owned(), value))
-            })
-            .collect()
-    }
-}
 #[derive(Debug, Clone)]
 pub struct Originator {
     pub value: String,
@@ -256,8 +124,8 @@ fn sanitize_user_agent(candidate: String, fallback: &str) -> String {
     }
 }
 
-/// Create an HTTP client with default `originator` and `User-Agent` headers set.
-pub fn create_client() -> CodexHttpClient {
+/// Create a reqwest client with default `originator` and `User-Agent` headers set.
+pub fn create_client() -> reqwest::Client {
     use reqwest::header::HeaderMap;
 
     let mut headers = HeaderMap::new();
@@ -272,8 +140,7 @@ pub fn create_client() -> CodexHttpClient {
         builder = builder.no_proxy();
     }
 
-    let inner = builder.build().unwrap_or_else(|_| reqwest::Client::new());
-    CodexHttpClient::new(inner)
+    builder.build().unwrap_or_else(|_| reqwest::Client::new())
 }
 
 fn is_sandboxed() -> bool {

codex-rs/core/src/error.rs

@@ -1,4 +1,3 @@
-use crate::codex::ProcessedResponseItem;
 use crate::exec::ExecToolCallOutput;
 use crate::token_data::KnownPlan;
 use crate::token_data::PlanType;
@@ -54,11 +53,8 @@ pub enum SandboxErr {
 
 #[derive(Error, Debug)]
 pub enum CodexErr {
-    // todo(aibrahim): git rid of this error carrying the dangling artifacts
     #[error("turn aborted")]
-    TurnAborted {
-        dangling_artifacts: Vec<ProcessedResponseItem>,
-    },
+    TurnAborted,
 
     /// Returned by ResponsesClient when the SSE stream disconnects or errors out **after** the HTTP
     /// handshake has succeeded but **before** it finished emitting `response.completed`.
@@ -162,9 +158,7 @@ pub enum CodexErr {
 
 impl From<CancelErr> for CodexErr {
     fn from(_: CancelErr) -> Self {
-        CodexErr::TurnAborted {
-            dangling_artifacts: Vec::new(),
-        }
+        CodexErr::TurnAborted
     }
 }
 

codex-rs/core/src/event_mapping.rs

@@ -1,131 +1,139 @@
-use codex_protocol::items::AgentMessageContent;
-use codex_protocol::items::AgentMessageItem;
-use codex_protocol::items::ReasoningItem;
-use codex_protocol::items::TurnItem;
-use codex_protocol::items::UserMessageItem;
-use codex_protocol::items::WebSearchItem;
+use crate::protocol::AgentMessageEvent;
+use crate::protocol::AgentReasoningEvent;
+use crate::protocol::AgentReasoningRawContentEvent;
+use crate::protocol::EventMsg;
+use crate::protocol::InputMessageKind;
+use crate::protocol::UserMessageEvent;
+use crate::protocol::WebSearchEndEvent;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ReasoningItemContent;
 use codex_protocol::models::ReasoningItemReasoningSummary;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::models::WebSearchAction;
-use codex_protocol::user_input::UserInput;
-use tracing::warn;
 
-fn is_session_prefix(text: &str) -> bool {
-    let trimmed = text.trim_start();
-    let lowered = trimmed.to_ascii_lowercase();
-    lowered.starts_with("<environment_context>") || lowered.starts_with("<user_instructions>")
-}
-
-fn parse_user_message(message: &[ContentItem]) -> Option<UserMessageItem> {
-    let mut content: Vec<UserInput> = Vec::new();
-
-    for content_item in message.iter() {
-        match content_item {
-            ContentItem::InputText { text } => {
-                if is_session_prefix(text) {
-                    return None;
-                }
-                content.push(UserInput::Text { text: text.clone() });
-            }
-            ContentItem::InputImage { image_url } => {
-                content.push(UserInput::Image {
-                    image_url: image_url.clone(),
-                });
-            }
-            ContentItem::OutputText { text } => {
-                if is_session_prefix(text) {
-                    return None;
-                }
-                warn!("Output text in user message: {}", text);
-            }
-        }
-    }
-
-    Some(UserMessageItem::new(&content))
-}
-
-fn parse_agent_message(message: &[ContentItem]) -> AgentMessageItem {
-    let mut content: Vec<AgentMessageContent> = Vec::new();
-    for content_item in message.iter() {
-        match content_item {
-            ContentItem::OutputText { text } => {
-                content.push(AgentMessageContent::Text { text: text.clone() });
-            }
-            _ => {
-                warn!(
-                    "Unexpected content item in agent message: {:?}",
-                    content_item
-                );
-            }
-        }
-    }
-    AgentMessageItem::new(&content)
-}
-
-pub fn parse_turn_item(item: &ResponseItem) -> Option<TurnItem> {
+/// Convert a `ResponseItem` into zero or more `EventMsg` values that the UI can render.
+///
+/// When `show_raw_agent_reasoning` is false, raw reasoning content events are omitted.
+pub(crate) fn map_response_item_to_event_messages(
+    item: &ResponseItem,
+    show_raw_agent_reasoning: bool,
+) -> Vec<EventMsg> {
     match item {
-        ResponseItem::Message { role, content, .. } => match role.as_str() {
-            "user" => parse_user_message(content).map(TurnItem::UserMessage),
-            "assistant" => Some(TurnItem::AgentMessage(parse_agent_message(content))),
-            "system" => None,
-            _ => None,
-        },
-        ResponseItem::Reasoning {
-            id,
-            summary,
-            content,
-            ..
-        } => {
-            let summary_text = summary
-                .iter()
-                .map(|entry| match entry {
-                    ReasoningItemReasoningSummary::SummaryText { text } => text.clone(),
-                })
-                .collect();
-            let raw_content = content
-                .clone()
-                .unwrap_or_default()
-                .into_iter()
-                .map(|entry| match entry {
-                    ReasoningItemContent::ReasoningText { text }
-                    | ReasoningItemContent::Text { text } => text,
-                })
-                .collect();
-            Some(TurnItem::Reasoning(ReasoningItem {
-                id: id.clone(),
-                summary_text,
-                raw_content,
-            }))
+        ResponseItem::Message { role, content, .. } => {
+            // Do not surface system messages as user events.
+            if role == "system" {
+                return Vec::new();
+            }
+
+            let mut events: Vec<EventMsg> = Vec::new();
+            let mut message_parts: Vec<String> = Vec::new();
+            let mut images: Vec<String> = Vec::new();
+            let mut kind: Option<InputMessageKind> = None;
+
+            for content_item in content.iter() {
+                match content_item {
+                    ContentItem::InputText { text } => {
+                        if kind.is_none() {
+                            let trimmed = text.trim_start();
+                            kind = if trimmed.starts_with("<environment_context>") {
+                                Some(InputMessageKind::EnvironmentContext)
+                            } else if trimmed.starts_with("<user_instructions>") {
+                                Some(InputMessageKind::UserInstructions)
+                            } else {
+                                Some(InputMessageKind::Plain)
+                            };
+                        }
+                        message_parts.push(text.clone());
+                    }
+                    ContentItem::InputImage { image_url } => {
+                        images.push(image_url.clone());
+                    }
+                    ContentItem::OutputText { text } => {
+                        events.push(EventMsg::AgentMessage(AgentMessageEvent {
+                            message: text.clone(),
+                        }));
+                    }
+                }
+            }
+
+            if !message_parts.is_empty() || !images.is_empty() {
+                let message = if message_parts.is_empty() {
+                    String::new()
+                } else {
+                    message_parts.join("")
+                };
+                let images = if images.is_empty() {
+                    None
+                } else {
+                    Some(images)
+                };
+
+                events.push(EventMsg::UserMessage(UserMessageEvent {
+                    message,
+                    kind,
+                    images,
+                }));
+            }
+
+            events
         }
-        ResponseItem::WebSearchCall {
-            id,
-            action: WebSearchAction::Search { query },
-            ..
-        } => Some(TurnItem::WebSearch(WebSearchItem {
-            id: id.clone().unwrap_or_default(),
-            query: query.clone(),
-        })),
-        _ => None,
+
+        ResponseItem::Reasoning {
+            summary, content, ..
+        } => {
+            let mut events = Vec::new();
+            for ReasoningItemReasoningSummary::SummaryText { text } in summary {
+                events.push(EventMsg::AgentReasoning(AgentReasoningEvent {
+                    text: text.clone(),
+                }));
+            }
+            if let Some(items) = content.as_ref().filter(|_| show_raw_agent_reasoning) {
+                for c in items {
+                    let text = match c {
+                        ReasoningItemContent::ReasoningText { text }
+                        | ReasoningItemContent::Text { text } => text,
+                    };
+                    events.push(EventMsg::AgentReasoningRawContent(
+                        AgentReasoningRawContentEvent { text: text.clone() },
+                    ));
+                }
+            }
+            events
+        }
+
+        ResponseItem::WebSearchCall { id, action, .. } => match action {
+            WebSearchAction::Search { query } => {
+                let call_id = id.clone().unwrap_or_else(|| "".to_string());
+                vec![EventMsg::WebSearchEnd(WebSearchEndEvent {
+                    call_id,
+                    query: query.clone(),
+                })]
+            }
+            WebSearchAction::Other => Vec::new(),
+        },
+
+        // Variants that require side effects are handled by higher layers and do not emit events here.
+        ResponseItem::FunctionCall { .. }
+        | ResponseItem::FunctionCallOutput { .. }
+        | ResponseItem::LocalShellCall { .. }
+        | ResponseItem::CustomToolCall { .. }
+        | ResponseItem::CustomToolCallOutput { .. }
+        | ResponseItem::Other => Vec::new(),
     }
 }
 
 #[cfg(test)]
 mod tests {
-    use super::parse_turn_item;
-    use codex_protocol::items::AgentMessageContent;
-    use codex_protocol::items::TurnItem;
+    use super::map_response_item_to_event_messages;
+    use crate::protocol::EventMsg;
+    use crate::protocol::InputMessageKind;
+    use assert_matches::assert_matches;
     use codex_protocol::models::ContentItem;
-    use codex_protocol::models::ReasoningItemContent;
-    use codex_protocol::models::ReasoningItemReasoningSummary;
     use codex_protocol::models::ResponseItem;
-    use codex_protocol::models::WebSearchAction;
-    use codex_protocol::user_input::UserInput;
     use pretty_assertions::assert_eq;
 
     #[test]
-    fn parses_user_message_with_text_and_two_images() {
+    fn maps_user_message_with_text_and_two_images() {
         let img1 = "https://example.com/one.png".to_string();
         let img2 = "https://example.com/two.jpg".to_string();
 
@@ -145,128 +153,16 @@ mod tests {
             ],
         };
 
-        let turn_item = parse_turn_item(&item).expect("expected user message turn item");
+        let events = map_response_item_to_event_messages(&item, false);
+        assert_eq!(events.len(), 1, "expected a single user message event");
 
-        match turn_item {
-            TurnItem::UserMessage(user) => {
-                let expected_content = vec![
-                    UserInput::Text {
-                        text: "Hello world".to_string(),
-                    },
-                    UserInput::Image { image_url: img1 },
-                    UserInput::Image { image_url: img2 },
-                ];
-                assert_eq!(user.content, expected_content);
+        match &events[0] {
+            EventMsg::UserMessage(user) => {
+                assert_eq!(user.message, "Hello world");
+                assert_matches!(user.kind, Some(InputMessageKind::Plain));
+                assert_eq!(user.images, Some(vec![img1, img2]));
             }
-            other => panic!("expected TurnItem::UserMessage, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_agent_message() {
-        let item = ResponseItem::Message {
-            id: Some("msg-1".to_string()),
-            role: "assistant".to_string(),
-            content: vec![ContentItem::OutputText {
-                text: "Hello from Codex".to_string(),
-            }],
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected agent message turn item");
-
-        match turn_item {
-            TurnItem::AgentMessage(message) => {
-                let Some(AgentMessageContent::Text { text }) = message.content.first() else {
-                    panic!("expected agent message text content");
-                };
-                assert_eq!(text, "Hello from Codex");
-            }
-            other => panic!("expected TurnItem::AgentMessage, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_reasoning_summary_and_raw_content() {
-        let item = ResponseItem::Reasoning {
-            id: "reasoning_1".to_string(),
-            summary: vec![
-                ReasoningItemReasoningSummary::SummaryText {
-                    text: "Step 1".to_string(),
-                },
-                ReasoningItemReasoningSummary::SummaryText {
-                    text: "Step 2".to_string(),
-                },
-            ],
-            content: Some(vec![ReasoningItemContent::ReasoningText {
-                text: "raw details".to_string(),
-            }]),
-            encrypted_content: None,
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected reasoning turn item");
-
-        match turn_item {
-            TurnItem::Reasoning(reasoning) => {
-                assert_eq!(
-                    reasoning.summary_text,
-                    vec!["Step 1".to_string(), "Step 2".to_string()]
-                );
-                assert_eq!(reasoning.raw_content, vec!["raw details".to_string()]);
-            }
-            other => panic!("expected TurnItem::Reasoning, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_reasoning_including_raw_content() {
-        let item = ResponseItem::Reasoning {
-            id: "reasoning_2".to_string(),
-            summary: vec![ReasoningItemReasoningSummary::SummaryText {
-                text: "Summarized step".to_string(),
-            }],
-            content: Some(vec![
-                ReasoningItemContent::ReasoningText {
-                    text: "raw step".to_string(),
-                },
-                ReasoningItemContent::Text {
-                    text: "final thought".to_string(),
-                },
-            ]),
-            encrypted_content: None,
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected reasoning turn item");
-
-        match turn_item {
-            TurnItem::Reasoning(reasoning) => {
-                assert_eq!(reasoning.summary_text, vec!["Summarized step".to_string()]);
-                assert_eq!(
-                    reasoning.raw_content,
-                    vec!["raw step".to_string(), "final thought".to_string()]
-                );
-            }
-            other => panic!("expected TurnItem::Reasoning, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_web_search_call() {
-        let item = ResponseItem::WebSearchCall {
-            id: Some("ws_1".to_string()),
-            status: Some("completed".to_string()),
-            action: WebSearchAction::Search {
-                query: "weather".to_string(),
-            },
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected web search turn item");
-
-        match turn_item {
-            TurnItem::WebSearch(search) => {
-                assert_eq!(search.id, "ws_1");
-                assert_eq!(search.query, "weather");
-            }
-            other => panic!("expected TurnItem::WebSearch, got {other:?}"),
+            other => panic!("expected UserMessage, got {other:?}"),
         }
     }
 }

codex-rs/core/src/features.rs

@@ -31,14 +31,18 @@ pub enum Feature {
     UnifiedExec,
     /// Use the streamable exec-command/write-stdin tool pair.
     StreamableShell,
-    /// Enable experimental RMCP features such as OAuth login.
+    /// Use the official Rust MCP client (rmcp).
     RmcpClient,
+    /// Include the plan tool.
+    PlanTool,
     /// Include the freeform apply_patch tool.
     ApplyPatchFreeform,
     /// Include the view_image tool.
     ViewImageTool,
     /// Allow the model to request web searches.
     WebSearchRequest,
+    /// Automatically approve all approval requests from the harness.
+    ApproveAll,
 }
 
 impl Feature {
@@ -70,6 +74,7 @@ pub struct Features {
 
 #[derive(Debug, Clone, Default)]
 pub struct FeatureOverrides {
+    pub include_plan_tool: Option<bool>,
     pub include_apply_patch_tool: Option<bool>,
     pub include_view_image_tool: Option<bool>,
     pub web_search_request: Option<bool>,
@@ -78,6 +83,7 @@ pub struct FeatureOverrides {
 impl FeatureOverrides {
     fn apply(self, features: &mut Features) {
         LegacyFeatureToggles {
+            include_plan_tool: self.include_plan_tool,
             include_apply_patch_tool: self.include_apply_patch_tool,
             include_view_image_tool: self.include_view_image_tool,
             tools_web_search: self.web_search_request,
@@ -152,6 +158,7 @@ impl Features {
         }
 
         let profile_legacy = LegacyFeatureToggles {
+            include_plan_tool: config_profile.include_plan_tool,
             include_apply_patch_tool: config_profile.include_apply_patch_tool,
             include_view_image_tool: config_profile.include_view_image_tool,
             experimental_use_freeform_apply_patch: config_profile
@@ -218,6 +225,12 @@ pub const FEATURES: &[FeatureSpec] = &[
         stage: Stage::Experimental,
         default_enabled: false,
     },
+    FeatureSpec {
+        id: Feature::PlanTool,
+        key: "plan_tool",
+        stage: Stage::Stable,
+        default_enabled: false,
+    },
     FeatureSpec {
         id: Feature::ApplyPatchFreeform,
         key: "apply_patch_freeform",
@@ -236,4 +249,10 @@ pub const FEATURES: &[FeatureSpec] = &[
         stage: Stage::Stable,
         default_enabled: false,
     },
+    FeatureSpec {
+        id: Feature::ApproveAll,
+        key: "approve_all",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
 ];

codex-rs/core/src/features/legacy.rs

@@ -29,6 +29,10 @@ const ALIASES: &[Alias] = &[
         legacy_key: "include_apply_patch_tool",
         feature: Feature::ApplyPatchFreeform,
     },
+    Alias {
+        legacy_key: "include_plan_tool",
+        feature: Feature::PlanTool,
+    },
     Alias {
         legacy_key: "include_view_image_tool",
         feature: Feature::ViewImageTool,
@@ -51,6 +55,7 @@ pub(crate) fn feature_for_key(key: &str) -> Option<Feature> {
 
 #[derive(Debug, Default)]
 pub struct LegacyFeatureToggles {
+    pub include_plan_tool: Option<bool>,
     pub include_apply_patch_tool: Option<bool>,
     pub include_view_image_tool: Option<bool>,
     pub experimental_use_freeform_apply_patch: Option<bool>,
@@ -63,6 +68,12 @@ pub struct LegacyFeatureToggles {
 
 impl LegacyFeatureToggles {
     pub fn apply(self, features: &mut Features) {
+        set_if_some(
+            features,
+            Feature::PlanTool,
+            self.include_plan_tool,
+            "include_plan_tool",
+        );
         set_if_some(
             features,
             Feature::ApplyPatchFreeform,

codex-rs/core/src/lib.rs

@@ -20,7 +20,7 @@ pub mod config_edit;
 pub mod config_loader;
 pub mod config_profile;
 pub mod config_types;
-mod context_manager;
+mod conversation_history;
 pub mod custom_prompts;
 mod environment_context;
 pub mod error;
@@ -36,7 +36,6 @@ mod mcp_tool_call;
 mod message_history;
 mod model_provider_info;
 pub mod parse_command;
-mod response_processing;
 pub mod sandboxing;
 pub mod token_data;
 mod truncate;
@@ -99,10 +98,11 @@ pub use client_common::REVIEW_PROMPT;
 pub use client_common::ResponseEvent;
 pub use client_common::ResponseStream;
 pub use codex::compact::content_items_to_text;
+pub use codex::compact::is_session_prefix_message;
 pub use codex_protocol::models::ContentItem;
 pub use codex_protocol::models::LocalShellAction;
 pub use codex_protocol::models::LocalShellExecAction;
 pub use codex_protocol::models::LocalShellStatus;
+pub use codex_protocol::models::ReasoningItemContent;
 pub use codex_protocol::models::ResponseItem;
-pub use event_mapping::parse_turn_item;
 pub mod otel_init;

codex-rs/core/src/mcp/auth.rs

@@ -10,16 +10,10 @@ use tracing::warn;
 use crate::config_types::McpServerConfig;
 use crate::config_types::McpServerTransportConfig;
 
-#[derive(Debug, Clone)]
-pub struct McpAuthStatusEntry {
-    pub config: McpServerConfig,
-    pub auth_status: McpAuthStatus,
-}
-
 pub async fn compute_auth_statuses<'a, I>(
     servers: I,
     store_mode: OAuthCredentialsStoreMode,
-) -> HashMap<String, McpAuthStatusEntry>
+) -> HashMap<String, McpAuthStatus>
 where
     I: IntoIterator<Item = (&'a String, &'a McpServerConfig)>,
 {
@@ -27,18 +21,14 @@ where
         let name = name.clone();
         let config = config.clone();
         async move {
-            let auth_status = match compute_auth_status(&name, &config, store_mode).await {
+            let status = match compute_auth_status(&name, &config, store_mode).await {
                 Ok(status) => status,
                 Err(error) => {
                     warn!("failed to determine auth status for MCP server `{name}`: {error:?}");
                     McpAuthStatus::Unsupported
                 }
             };
-            let entry = McpAuthStatusEntry {
-                config,
-                auth_status,
-            };
-            (name, entry)
+            (name, status)
         }
     });
 

codex-rs/core/src/mcp_connection_manager.rs

@@ -1,6 +1,6 @@
 //! Connection manager for Model Context Protocol (MCP) servers.
 //!
-//! The [`McpConnectionManager`] owns one [`codex_rmcp_client::RmcpClient`] per
+//! The [`McpConnectionManager`] owns one [`codex_mcp_client::McpClient`] per
 //! configured server (keyed by the *server name*). It offers convenience
 //! helpers to query the available tools across *all* servers and returns them
 //! in a single aggregated map using the fully-qualified tool name
@@ -10,12 +10,14 @@ use std::collections::HashMap;
 use std::collections::HashSet;
 use std::env;
 use std::ffi::OsString;
+use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;
 
 use anyhow::Context;
 use anyhow::Result;
 use anyhow::anyhow;
+use codex_mcp_client::McpClient;
 use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_rmcp_client::RmcpClient;
 use mcp_types::ClientCapabilities;
@@ -49,7 +51,7 @@ const MCP_TOOL_NAME_DELIMITER: &str = "__";
 const MAX_TOOL_NAME_LENGTH: usize = 64;
 
 /// Default timeout for initializing MCP server & initially listing tools.
-pub const DEFAULT_STARTUP_TIMEOUT: Duration = Duration::from_secs(10);
+const DEFAULT_STARTUP_TIMEOUT: Duration = Duration::from_secs(10);
 
 /// Default timeout for individual tool calls.
 const DEFAULT_TOOL_TIMEOUT: Duration = Duration::from_secs(60);
@@ -97,12 +99,134 @@ struct ToolInfo {
 }
 
 struct ManagedClient {
-    client: Arc<RmcpClient>,
+    client: McpClientAdapter,
     startup_timeout: Duration,
     tool_timeout: Option<Duration>,
 }
 
-/// A thin wrapper around a set of running [`RmcpClient`] instances.
+#[derive(Clone)]
+enum McpClientAdapter {
+    Legacy(Arc<McpClient>),
+    Rmcp(Arc<RmcpClient>),
+}
+
+impl McpClientAdapter {
+    #[allow(clippy::too_many_arguments)]
+    async fn new_stdio_client(
+        use_rmcp_client: bool,
+        program: OsString,
+        args: Vec<OsString>,
+        env: Option<HashMap<String, String>>,
+        env_vars: Vec<String>,
+        cwd: Option<PathBuf>,
+        params: mcp_types::InitializeRequestParams,
+        startup_timeout: Duration,
+    ) -> Result<Self> {
+        if use_rmcp_client {
+            let client =
+                Arc::new(RmcpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
+            client.initialize(params, Some(startup_timeout)).await?;
+            Ok(McpClientAdapter::Rmcp(client))
+        } else {
+            let client =
+                Arc::new(McpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
+            client.initialize(params, Some(startup_timeout)).await?;
+            Ok(McpClientAdapter::Legacy(client))
+        }
+    }
+
+    #[allow(clippy::too_many_arguments)]
+    async fn new_streamable_http_client(
+        server_name: String,
+        url: String,
+        bearer_token: Option<String>,
+        http_headers: Option<HashMap<String, String>>,
+        env_http_headers: Option<HashMap<String, String>>,
+        params: mcp_types::InitializeRequestParams,
+        startup_timeout: Duration,
+        store_mode: OAuthCredentialsStoreMode,
+    ) -> Result<Self> {
+        let client = Arc::new(
+            RmcpClient::new_streamable_http_client(
+                &server_name,
+                &url,
+                bearer_token,
+                http_headers,
+                env_http_headers,
+                store_mode,
+            )
+            .await?,
+        );
+        client.initialize(params, Some(startup_timeout)).await?;
+        Ok(McpClientAdapter::Rmcp(client))
+    }
+
+    async fn list_tools(
+        &self,
+        params: Option<mcp_types::ListToolsRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListToolsResult> {
+        match self {
+            McpClientAdapter::Legacy(client) => client.list_tools(params, timeout).await,
+            McpClientAdapter::Rmcp(client) => client.list_tools(params, timeout).await,
+        }
+    }
+
+    async fn list_resources(
+        &self,
+        params: Option<mcp_types::ListResourcesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourcesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourcesResult {
+                next_cursor: None,
+                resources: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resources(params, timeout).await,
+        }
+    }
+
+    async fn read_resource(
+        &self,
+        params: mcp_types::ReadResourceRequestParams,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ReadResourceResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Err(anyhow!(
+                "resources/read is not supported by legacy MCP clients"
+            )),
+            McpClientAdapter::Rmcp(client) => client.read_resource(params, timeout).await,
+        }
+    }
+
+    async fn list_resource_templates(
+        &self,
+        params: Option<mcp_types::ListResourceTemplatesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourceTemplatesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourceTemplatesResult {
+                next_cursor: None,
+                resource_templates: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resource_templates(params, timeout).await,
+        }
+    }
+
+    async fn call_tool(
+        &self,
+        name: String,
+        arguments: Option<serde_json::Value>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::CallToolResult> {
+        match self {
+            McpClientAdapter::Legacy(client) => client.call_tool(name, arguments, timeout).await,
+            McpClientAdapter::Rmcp(client) => client.call_tool(name, arguments, timeout).await,
+        }
+    }
+}
+
+/// A thin wrapper around a set of running [`McpClient`] instances.
 #[derive(Default)]
 pub(crate) struct McpConnectionManager {
     /// Server-name -> client instance.
@@ -113,13 +237,10 @@ pub(crate) struct McpConnectionManager {
 
     /// Fully qualified tool name -> tool instance.
     tools: HashMap<String, ToolInfo>,
-
-    /// Server-name -> configured tool filters.
-    tool_filters: HashMap<String, ToolFilter>,
 }
 
 impl McpConnectionManager {
-    /// Spawn a [`RmcpClient`] for each configured server.
+    /// Spawn a [`McpClient`] for each configured server.
     ///
     /// * `mcp_servers` – Map loaded from the user configuration where *keys*
     ///   are human-readable server identifiers and *values* are the spawn
@@ -129,6 +250,7 @@ impl McpConnectionManager {
     /// user should be informed about these errors.
     pub async fn new(
         mcp_servers: HashMap<String, McpServerConfig>,
+        use_rmcp_client: bool,
         store_mode: OAuthCredentialsStoreMode,
     ) -> Result<(Self, ClientStartErrors)> {
         // Early exit if no servers are configured.
@@ -139,7 +261,6 @@ impl McpConnectionManager {
         // Launch all configured servers concurrently.
         let mut join_set = JoinSet::new();
         let mut errors = ClientStartErrors::new();
-        let mut tool_filters: HashMap<String, ToolFilter> = HashMap::new();
 
         for (server_name, cfg) in mcp_servers {
             // Validate server name before spawning
@@ -152,13 +273,11 @@ impl McpConnectionManager {
             }
 
             if !cfg.enabled {
-                tool_filters.insert(server_name, ToolFilter::from_config(&cfg));
                 continue;
             }
 
             let startup_timeout = cfg.startup_timeout_sec.unwrap_or(DEFAULT_STARTUP_TIMEOUT);
             let tool_timeout = cfg.tool_timeout_sec.unwrap_or(DEFAULT_TOOL_TIMEOUT);
-            tool_filters.insert(server_name.clone(), ToolFilter::from_config(&cfg));
 
             let resolved_bearer_token = match &cfg.transport {
                 McpServerTransportConfig::StreamableHttp {
@@ -191,8 +310,7 @@ impl McpConnectionManager {
                     protocol_version: mcp_types::MCP_SCHEMA_VERSION.to_owned(),
                 };
 
-                let resolved_bearer_token = resolved_bearer_token.unwrap_or_default();
-                let client_result = match transport {
+                let client = match transport {
                     McpServerTransportConfig::Stdio {
                         command,
                         args,
@@ -202,18 +320,17 @@ impl McpConnectionManager {
                     } => {
                         let command_os: OsString = command.into();
                         let args_os: Vec<OsString> = args.into_iter().map(Into::into).collect();
-                        match RmcpClient::new_stdio_client(command_os, args_os, env, &env_vars, cwd)
-                            .await
-                        {
-                            Ok(client) => {
-                                let client = Arc::new(client);
-                                client
-                                    .initialize(params.clone(), Some(startup_timeout))
-                                    .await
-                                    .map(|_| client)
-                            }
-                            Err(err) => Err(err.into()),
-                        }
+                        McpClientAdapter::new_stdio_client(
+                            use_rmcp_client,
+                            command_os,
+                            args_os,
+                            env,
+                            env_vars,
+                            cwd,
+                            params,
+                            startup_timeout,
+                        )
+                        .await
                     }
                     McpServerTransportConfig::StreamableHttp {
                         url,
@@ -221,32 +338,22 @@ impl McpConnectionManager {
                         env_http_headers,
                         ..
                     } => {
-                        match RmcpClient::new_streamable_http_client(
-                            &server_name,
-                            &url,
-                            resolved_bearer_token.clone(),
+                        McpClientAdapter::new_streamable_http_client(
+                            server_name.clone(),
+                            url,
+                            resolved_bearer_token.unwrap_or_default(),
                             http_headers,
                             env_http_headers,
+                            params,
+                            startup_timeout,
                             store_mode,
                         )
                         .await
-                        {
-                            Ok(client) => {
-                                let client = Arc::new(client);
-                                client
-                                    .initialize(params.clone(), Some(startup_timeout))
-                                    .await
-                                    .map(|_| client)
-                            }
-                            Err(err) => Err(err),
-                        }
                     }
-                };
+                }
+                .map(|c| (c, startup_timeout));
 
-                (
-                    (server_name, tool_timeout),
-                    client_result.map(|client| (client, startup_timeout)),
-                )
+                ((server_name, tool_timeout), client)
             });
         }
 
@@ -286,17 +393,9 @@ impl McpConnectionManager {
             }
         };
 
-        let filtered_tools = filter_tools(all_tools, &tool_filters);
-        let tools = qualify_tools(filtered_tools);
+        let tools = qualify_tools(all_tools);
 
-        Ok((
-            Self {
-                clients,
-                tools,
-                tool_filters,
-            },
-            errors,
-        ))
+        Ok((Self { clients, tools }, errors))
     }
 
     /// Returns a single map that contains all tools. Each key is the
@@ -442,13 +541,6 @@ impl McpConnectionManager {
         tool: &str,
         arguments: Option<serde_json::Value>,
     ) -> Result<mcp_types::CallToolResult> {
-        if let Some(filter) = self.tool_filters.get(server)
-            && !filter.allows(tool)
-        {
-            return Err(anyhow!(
-                "tool '{tool}' is disabled for MCP server '{server}'"
-            ));
-        }
         let managed = self
             .clients
             .get(server)
@@ -527,52 +619,6 @@ impl McpConnectionManager {
     }
 }
 
-/// A tool is allowed to be used if both are true:
-/// 1. enabled is None (no allowlist is set) or the tool is explicitly enabled.
-/// 2. The tool is not explicitly disabled.
-#[derive(Default, Clone)]
-struct ToolFilter {
-    enabled: Option<HashSet<String>>,
-    disabled: HashSet<String>,
-}
-
-impl ToolFilter {
-    fn from_config(cfg: &McpServerConfig) -> Self {
-        let enabled = cfg
-            .enabled_tools
-            .as_ref()
-            .map(|tools| tools.iter().cloned().collect::<HashSet<_>>());
-        let disabled = cfg
-            .disabled_tools
-            .as_ref()
-            .map(|tools| tools.iter().cloned().collect::<HashSet<_>>())
-            .unwrap_or_default();
-
-        Self { enabled, disabled }
-    }
-
-    fn allows(&self, tool_name: &str) -> bool {
-        if let Some(enabled) = &self.enabled
-            && !enabled.contains(tool_name)
-        {
-            return false;
-        }
-
-        !self.disabled.contains(tool_name)
-    }
-}
-
-fn filter_tools(tools: Vec<ToolInfo>, filters: &HashMap<String, ToolFilter>) -> Vec<ToolInfo> {
-    tools
-        .into_iter()
-        .filter(|tool| {
-            filters
-                .get(&tool.server_name)
-                .is_none_or(|filter| filter.allows(&tool.tool_name))
-        })
-        .collect()
-}
-
 fn resolve_bearer_token(
     server_name: &str,
     bearer_token_env_var: Option<&str>,
@@ -665,7 +711,6 @@ fn is_valid_mcp_server_name(server_name: &str) -> bool {
 mod tests {
     use super::*;
     use mcp_types::ToolInputSchema;
-    use std::collections::HashSet;
 
     fn create_test_tool(server_name: &str, tool_name: &str) -> ToolInfo {
         ToolInfo {
@@ -748,75 +793,4 @@ mod tests {
             "mcp__my_server__yet_anot419a82a89325c1b477274a41f8c65ea5f3a7f341"
         );
     }
-
-    #[test]
-    fn tool_filter_allows_by_default() {
-        let filter = ToolFilter::default();
-
-        assert!(filter.allows("any"));
-    }
-
-    #[test]
-    fn tool_filter_applies_enabled_list() {
-        let filter = ToolFilter {
-            enabled: Some(HashSet::from(["allowed".to_string()])),
-            disabled: HashSet::new(),
-        };
-
-        assert!(filter.allows("allowed"));
-        assert!(!filter.allows("denied"));
-    }
-
-    #[test]
-    fn tool_filter_applies_disabled_list() {
-        let filter = ToolFilter {
-            enabled: None,
-            disabled: HashSet::from(["blocked".to_string()]),
-        };
-
-        assert!(!filter.allows("blocked"));
-        assert!(filter.allows("open"));
-    }
-
-    #[test]
-    fn tool_filter_applies_enabled_then_disabled() {
-        let filter = ToolFilter {
-            enabled: Some(HashSet::from(["keep".to_string(), "remove".to_string()])),
-            disabled: HashSet::from(["remove".to_string()]),
-        };
-
-        assert!(filter.allows("keep"));
-        assert!(!filter.allows("remove"));
-        assert!(!filter.allows("unknown"));
-    }
-
-    #[test]
-    fn filter_tools_applies_per_server_filters() {
-        let tools = vec![
-            create_test_tool("server1", "tool_a"),
-            create_test_tool("server1", "tool_b"),
-            create_test_tool("server2", "tool_a"),
-        ];
-        let mut filters = HashMap::new();
-        filters.insert(
-            "server1".to_string(),
-            ToolFilter {
-                enabled: Some(HashSet::from(["tool_a".to_string(), "tool_b".to_string()])),
-                disabled: HashSet::from(["tool_b".to_string()]),
-            },
-        );
-        filters.insert(
-            "server2".to_string(),
-            ToolFilter {
-                enabled: None,
-                disabled: HashSet::from(["tool_a".to_string()]),
-            },
-        );
-
-        let filtered = filter_tools(tools, &filters);
-
-        assert_eq!(filtered.len(), 1);
-        assert_eq!(filtered[0].server_name, "server1");
-        assert_eq!(filtered[0].tool_name, "tool_a");
-    }
 }

codex-rs/core/src/mcp_tool_call.rs

@@ -3,7 +3,7 @@ use std::time::Instant;
 use tracing::error;
 
 use crate::codex::Session;
-use crate::codex::TurnContext;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
@@ -15,7 +15,7 @@ use codex_protocol::models::ResponseInputItem;
 /// `McpToolCallBegin` and `McpToolCallEnd` events to the `Session`.
 pub(crate) async fn handle_mcp_tool_call(
     sess: &Session,
-    turn_context: &TurnContext,
+    sub_id: &str,
     call_id: String,
     server: String,
     tool_name: String,
@@ -51,7 +51,7 @@ pub(crate) async fn handle_mcp_tool_call(
         call_id: call_id.clone(),
         invocation: invocation.clone(),
     });
-    notify_mcp_tool_call_event(sess, turn_context, tool_call_begin_event).await;
+    notify_mcp_tool_call_event(sess, sub_id, tool_call_begin_event).await;
 
     let start = Instant::now();
     // Perform the tool call.
@@ -69,11 +69,15 @@ pub(crate) async fn handle_mcp_tool_call(
         result: result.clone(),
     });
 
-    notify_mcp_tool_call_event(sess, turn_context, tool_call_end_event.clone()).await;
+    notify_mcp_tool_call_event(sess, sub_id, tool_call_end_event.clone()).await;
 
     ResponseInputItem::McpToolCallOutput { call_id, result }
 }
 
-async fn notify_mcp_tool_call_event(sess: &Session, turn_context: &TurnContext, event: EventMsg) {
-    sess.send_event(turn_context, event).await;
+async fn notify_mcp_tool_call_event(sess: &Session, sub_id: &str, event: EventMsg) {
+    sess.send_event(Event {
+        id: sub_id.to_string(),
+        msg: event,
+    })
+    .await;
 }

codex-rs/core/src/model_family.rs

@@ -84,7 +84,11 @@ macro_rules! model_family {
 
 /// Returns a `ModelFamily` for the given model slug, or `None` if the slug
 /// does not match any known model family.
-pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
+pub fn find_family_for_model(mut slug: &str) -> Option<ModelFamily> {
+    // TODO(jif) clean once we have proper feature flags
+    if matches!(std::env::var("CODEX_EXPERIMENTAL").as_deref(), Ok("1")) {
+        slug = "codex-experimental";
+    }
     if slug.starts_with("o3") {
         model_family!(
             slug, "o3",

codex-rs/core/src/model_provider_info.rs

@@ -6,8 +6,6 @@
 //!      key. These override or extend the defaults at runtime.
 
 use crate::CodexAuth;
-use crate::default_client::CodexHttpClient;
-use crate::default_client::CodexRequestBuilder;
 use codex_app_server_protocol::AuthMode;
 use serde::Deserialize;
 use serde::Serialize;
@@ -55,11 +53,6 @@ pub struct ModelProviderInfo {
     /// variable and set it.
     pub env_key_instructions: Option<String>,
 
-    /// Value to use with `Authorization: Bearer <token>` header. Use of this
-    /// config is discouraged in favor of `env_key` for security reasons, but
-    /// this may be necessary when using this programmatically.
-    pub experimental_bearer_token: Option<String>,
-
     /// Which wire protocol this provider expects.
     #[serde(default)]
     pub wire_api: WireApi,
@@ -97,7 +90,7 @@ pub struct ModelProviderInfo {
 
 impl ModelProviderInfo {
     /// Construct a `POST` RequestBuilder for the given URL using the provided
-    /// [`CodexHttpClient`] applying:
+    /// reqwest Client applying:
     ///   • provider-specific headers (static + env based)
     ///   • Bearer auth header when an API key is available.
     ///   • Auth token for OAuth.
@@ -106,21 +99,17 @@ impl ModelProviderInfo {
     /// one produced by [`ModelProviderInfo::api_key`].
     pub async fn create_request_builder<'a>(
         &'a self,
-        client: &'a CodexHttpClient,
+        client: &'a reqwest::Client,
         auth: &Option<CodexAuth>,
-    ) -> crate::error::Result<CodexRequestBuilder> {
-        let effective_auth = if let Some(secret_key) = &self.experimental_bearer_token {
-            Some(CodexAuth::from_api_key(secret_key))
-        } else {
-            match self.api_key() {
-                Ok(Some(key)) => Some(CodexAuth::from_api_key(&key)),
-                Ok(None) => auth.clone(),
-                Err(err) => {
-                    if auth.is_some() {
-                        auth.clone()
-                    } else {
-                        return Err(err);
-                    }
+    ) -> crate::error::Result<reqwest::RequestBuilder> {
+        let effective_auth = match self.api_key() {
+            Ok(Some(key)) => Some(CodexAuth::from_api_key(&key)),
+            Ok(None) => auth.clone(),
+            Err(err) => {
+                if auth.is_some() {
+                    auth.clone()
+                } else {
+                    return Err(err);
                 }
             }
         };
@@ -189,9 +178,9 @@ impl ModelProviderInfo {
     }
 
     /// Apply provider-specific HTTP headers (both static and environment-based)
-    /// onto an existing [`CodexRequestBuilder`] and return the updated
+    /// onto an existing `reqwest::RequestBuilder` and return the updated
     /// builder.
-    fn apply_http_headers(&self, mut builder: CodexRequestBuilder) -> CodexRequestBuilder {
+    fn apply_http_headers(&self, mut builder: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
         if let Some(extra) = &self.http_headers {
             for (k, v) in extra {
                 builder = builder.header(k, v);
@@ -285,7 +274,6 @@ pub fn built_in_model_providers() -> HashMap<String, ModelProviderInfo> {
                     .filter(|v| !v.trim().is_empty()),
                 env_key: None,
                 env_key_instructions: None,
-                experimental_bearer_token: None,
                 wire_api: WireApi::Responses,
                 query_params: None,
                 http_headers: Some(
@@ -345,7 +333,6 @@ pub fn create_oss_provider_with_base_url(base_url: &str) -> ModelProviderInfo {
         base_url: Some(base_url.into()),
         env_key: None,
         env_key_instructions: None,
-        experimental_bearer_token: None,
         wire_api: WireApi::Chat,
         query_params: None,
         http_headers: None,
@@ -385,7 +372,6 @@ base_url = "http://localhost:11434/v1"
             base_url: Some("http://localhost:11434/v1".into()),
             env_key: None,
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Chat,
             query_params: None,
             http_headers: None,
@@ -413,7 +399,6 @@ query_params = { api-version = "2025-04-01-preview" }
             base_url: Some("https://xxxxx.openai.azure.com/openai".into()),
             env_key: Some("AZURE_OPENAI_API_KEY".into()),
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Chat,
             query_params: Some(maplit::hashmap! {
                 "api-version".to_string() => "2025-04-01-preview".to_string(),
@@ -444,7 +429,6 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
             base_url: Some("https://example.com".into()),
             env_key: Some("API_KEY".into()),
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Chat,
             query_params: None,
             http_headers: Some(maplit::hashmap! {
@@ -471,7 +455,6 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
                 base_url: Some(base_url.into()),
                 env_key: None,
                 env_key_instructions: None,
-                experimental_bearer_token: None,
                 wire_api: WireApi::Responses,
                 query_params: None,
                 http_headers: None,
@@ -504,7 +487,6 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
             base_url: Some("https://example.com".into()),
             env_key: None,
             env_key_instructions: None,
-            experimental_bearer_token: None,
             wire_api: WireApi::Responses,
             query_params: None,
             http_headers: None,

codex-rs/core/src/parse_command.rs

@@ -1,4 +1,4 @@
-use crate::bash::try_parse_shell;
+use crate::bash::try_parse_bash;
 use crate::bash::try_parse_word_only_commands_sequence;
 use codex_protocol::parse_command::ParsedCommand;
 use shlex::split as shlex_split;
@@ -193,19 +193,6 @@ mod tests {
         );
     }
 
-    #[test]
-    fn zsh_lc_supports_cat() {
-        let inner = "cat README.md";
-        assert_parsed(
-            &vec_str(&["zsh", "-lc", inner]),
-            vec![ParsedCommand::Read {
-                cmd: inner.to_string(),
-                name: "README.md".to_string(),
-                path: PathBuf::from("README.md"),
-            }],
-        );
-    }
-
     #[test]
     fn cd_then_cat_is_single_read() {
         assert_parsed(
@@ -856,7 +843,7 @@ mod tests {
 }
 
 pub fn parse_command_impl(command: &[String]) -> Vec<ParsedCommand> {
-    if let Some(commands) = parse_shell_lc_commands(command) {
+    if let Some(commands) = parse_bash_lc_commands(command) {
         return commands;
     }
 
@@ -994,7 +981,7 @@ fn is_valid_sed_n_arg(arg: Option<&str>) -> bool {
 }
 
 /// Normalize a command by:
-/// - Removing `yes`/`no`/`bash -c`/`bash -lc`/`zsh -c`/`zsh -lc` prefixes.
+/// - Removing `yes`/`no`/`bash -c`/`bash -lc` prefixes.
 /// - Splitting on `|` and `&&`/`||`/`;
 fn normalize_tokens(cmd: &[String]) -> Vec<String> {
     match cmd {
@@ -1006,10 +993,9 @@ fn normalize_tokens(cmd: &[String]) -> Vec<String> {
             // Do not re-shlex already-tokenized input; just drop the prefix.
             rest.to_vec()
         }
-        [shell, flag, script]
-            if (shell == "bash" || shell == "zsh") && (flag == "-c" || flag == "-lc") =>
-        {
-            shlex_split(script).unwrap_or_else(|| vec![shell.clone(), flag.clone(), script.clone()])
+        [bash, flag, script] if bash == "bash" && (flag == "-c" || flag == "-lc") => {
+            shlex_split(script)
+                .unwrap_or_else(|| vec!["bash".to_string(), flag.clone(), script.clone()])
         }
         _ => cmd.to_vec(),
     }
@@ -1165,19 +1151,19 @@ fn parse_find_query_and_path(tail: &[String]) -> (Option<String>, Option<String>
     (query, path)
 }
 
-fn parse_shell_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
-    let [shell, flag, script] = original else {
+fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
+    let [bash, flag, script] = original else {
         return None;
     };
-    if flag != "-lc" || !(shell == "bash" || shell == "zsh") {
+    if bash != "bash" || flag != "-lc" {
         return None;
     }
-    if let Some(tree) = try_parse_shell(script)
+    if let Some(tree) = try_parse_bash(script)
         && let Some(all_commands) = try_parse_word_only_commands_sequence(&tree, script)
         && !all_commands.is_empty()
     {
         let script_tokens = shlex_split(script)
-            .unwrap_or_else(|| vec![shell.clone(), flag.clone(), script.clone()]);
+            .unwrap_or_else(|| vec!["bash".to_string(), flag.clone(), script.clone()]);
         // Strip small formatting helpers (e.g., head/tail/awk/wc/etc) so we
         // bias toward the primary command when pipelines are present.
         // First, drop obvious small formatting helpers (e.g., wc/awk/etc).

codex-rs/core/src/response_processing.rs

@@ -1,112 +0,0 @@
-use crate::codex::Session;
-use crate::context_manager::ContextManager;
-use codex_protocol::models::FunctionCallOutputPayload;
-use codex_protocol::models::ResponseInputItem;
-use codex_protocol::models::ResponseItem;
-use tracing::warn;
-
-/// Process streamed `ResponseItem`s from the model into the pair of:
-/// - items we should record in conversation history; and
-/// - `ResponseInputItem`s to send back to the model on the next turn.
-pub(crate) async fn process_items(
-    processed_items: Vec<crate::codex::ProcessedResponseItem>,
-    is_review_mode: bool,
-    review_thread_history: &mut ContextManager,
-    sess: &Session,
-) -> (Vec<ResponseInputItem>, Vec<ResponseItem>) {
-    let mut items_to_record_in_conversation_history = Vec::<ResponseItem>::new();
-    let mut responses = Vec::<ResponseInputItem>::new();
-    for processed_response_item in processed_items {
-        let crate::codex::ProcessedResponseItem { item, response } = processed_response_item;
-        match (&item, &response) {
-            (ResponseItem::Message { role, .. }, None) if role == "assistant" => {
-                // If the model returned a message, we need to record it.
-                items_to_record_in_conversation_history.push(item);
-            }
-            (
-                ResponseItem::LocalShellCall { .. },
-                Some(ResponseInputItem::FunctionCallOutput { call_id, output }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                items_to_record_in_conversation_history.push(ResponseItem::FunctionCallOutput {
-                    call_id: call_id.clone(),
-                    output: output.clone(),
-                });
-            }
-            (
-                ResponseItem::FunctionCall { .. },
-                Some(ResponseInputItem::FunctionCallOutput { call_id, output }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                items_to_record_in_conversation_history.push(ResponseItem::FunctionCallOutput {
-                    call_id: call_id.clone(),
-                    output: output.clone(),
-                });
-            }
-            (
-                ResponseItem::CustomToolCall { .. },
-                Some(ResponseInputItem::CustomToolCallOutput { call_id, output }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                items_to_record_in_conversation_history.push(ResponseItem::CustomToolCallOutput {
-                    call_id: call_id.clone(),
-                    output: output.clone(),
-                });
-            }
-            (
-                ResponseItem::FunctionCall { .. },
-                Some(ResponseInputItem::McpToolCallOutput { call_id, result }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                let output = match result {
-                    Ok(call_tool_result) => {
-                        crate::codex::convert_call_tool_result_to_function_call_output_payload(
-                            call_tool_result,
-                        )
-                    }
-                    Err(err) => FunctionCallOutputPayload {
-                        content: err.clone(),
-                        success: Some(false),
-                    },
-                };
-                items_to_record_in_conversation_history.push(ResponseItem::FunctionCallOutput {
-                    call_id: call_id.clone(),
-                    output,
-                });
-            }
-            (
-                ResponseItem::Reasoning {
-                    id,
-                    summary,
-                    content,
-                    encrypted_content,
-                },
-                None,
-            ) => {
-                items_to_record_in_conversation_history.push(ResponseItem::Reasoning {
-                    id: id.clone(),
-                    summary: summary.clone(),
-                    content: content.clone(),
-                    encrypted_content: encrypted_content.clone(),
-                });
-            }
-            _ => {
-                warn!("Unexpected response item: {item:?} with response: {response:?}");
-            }
-        };
-        if let Some(response) = response {
-            responses.push(response);
-        }
-    }
-
-    // Only attempt to take the lock if there is something to record.
-    if !items_to_record_in_conversation_history.is_empty() {
-        if is_review_mode {
-            review_thread_history.record_items(items_to_record_in_conversation_history.iter());
-        } else {
-            sess.record_conversation_items(&items_to_record_in_conversation_history)
-                .await;
-        }
-    }
-    (responses, items_to_record_in_conversation_history)
-}

codex-rs/core/src/rollout/list.rs

@@ -1,11 +1,12 @@
 use std::cmp::Reverse;
 use std::io::{self};
-use std::num::NonZero;
 use std::path::Path;
 use std::path::PathBuf;
+
+use codex_file_search as file_search;
+use std::num::NonZero;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
-
 use time::OffsetDateTime;
 use time::PrimitiveDateTime;
 use time::format_description::FormatItem;
@@ -14,7 +15,6 @@ use uuid::Uuid;
 
 use super::SESSIONS_SUBDIR;
 use crate::protocol::EventMsg;
-use codex_file_search as file_search;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::RolloutLine;
 use codex_protocol::protocol::SessionSource;
@@ -515,7 +515,6 @@ pub async fn find_conversation_path_by_id_str(
         threads,
         cancel,
         compute_indices,
-        false,
     )
     .map_err(|e| io::Error::other(format!("file search failed: {e}")))?;
 

codex-rs/core/src/rollout/policy.rs

@@ -71,8 +71,6 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
         | EventMsg::PlanUpdate(_)
         | EventMsg::ShutdownComplete
         | EventMsg::ViewImageToolCall(_)
-        | EventMsg::ConversationPath(_)
-        | EventMsg::ItemStarted(_)
-        | EventMsg::ItemCompleted(_) => false,
+        | EventMsg::ConversationPath(_) => false,
     }
 }

codex-rs/core/src/rollout/tests.rs

@@ -24,6 +24,7 @@ use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::CompactedItem;
 use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::InputMessageKind;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::RolloutLine;
 use codex_protocol::protocol::SessionMeta;
@@ -542,6 +543,7 @@ async fn test_tail_includes_last_response_items() -> Result<()> {
         timestamp: ts.to_string(),
         item: RolloutItem::EventMsg(EventMsg::UserMessage(UserMessageEvent {
             message: "hello".into(),
+            kind: Some(InputMessageKind::Plain),
             images: None,
         })),
     };
@@ -625,6 +627,7 @@ async fn test_tail_handles_short_sessions() -> Result<()> {
         timestamp: ts.to_string(),
         item: RolloutItem::EventMsg(EventMsg::UserMessage(UserMessageEvent {
             message: "hi".into(),
+            kind: Some(InputMessageKind::Plain),
             images: None,
         })),
     };
@@ -709,6 +712,7 @@ async fn test_tail_skips_trailing_non_responses() -> Result<()> {
         timestamp: ts.to_string(),
         item: RolloutItem::EventMsg(EventMsg::UserMessage(UserMessageEvent {
             message: "hello".into(),
+            kind: Some(InputMessageKind::Plain),
             images: None,
         })),
     };

codex-rs/core/src/state/session.rs

@@ -3,7 +3,7 @@
 use codex_protocol::models::ResponseItem;
 
 use crate::codex::SessionConfiguration;
-use crate::context_manager::ContextManager;
+use crate::conversation_history::ConversationHistory;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::TokenUsage;
 use crate::protocol::TokenUsageInfo;
@@ -11,7 +11,8 @@ use crate::protocol::TokenUsageInfo;
 /// Persistent, session-scoped state previously stored directly on `Session`.
 pub(crate) struct SessionState {
     pub(crate) session_configuration: SessionConfiguration,
-    pub(crate) history: ContextManager,
+    pub(crate) history: ConversationHistory,
+    pub(crate) token_info: Option<TokenUsageInfo>,
     pub(crate) latest_rate_limits: Option<RateLimitSnapshot>,
 }
 
@@ -20,7 +21,8 @@ impl SessionState {
     pub(crate) fn new(session_configuration: SessionConfiguration) -> Self {
         Self {
             session_configuration,
-            history: ContextManager::new(),
+            history: ConversationHistory::new(),
+            token_info: None,
             latest_rate_limits: None,
         }
     }
@@ -34,12 +36,8 @@ impl SessionState {
         self.history.record_items(items)
     }
 
-    pub(crate) fn history_snapshot(&mut self) -> Vec<ResponseItem> {
-        self.history.get_history()
-    }
-
-    pub(crate) fn clone_history(&self) -> ContextManager {
-        self.history.clone()
+    pub(crate) fn history_snapshot(&self) -> Vec<ResponseItem> {
+        self.history.contents()
     }
 
     pub(crate) fn replace_history(&mut self, items: Vec<ResponseItem>) {
@@ -52,11 +50,11 @@ impl SessionState {
         usage: &TokenUsage,
         model_context_window: Option<i64>,
     ) {
-        self.history.update_token_info(usage, model_context_window);
-    }
-
-    pub(crate) fn token_info(&self) -> Option<TokenUsageInfo> {
-        self.history.token_info()
+        self.token_info = TokenUsageInfo::new_or_append(
+            &self.token_info,
+            &Some(usage.clone()),
+            model_context_window,
+        );
     }
 
     pub(crate) fn set_rate_limits(&mut self, snapshot: RateLimitSnapshot) {
@@ -66,10 +64,17 @@ impl SessionState {
     pub(crate) fn token_info_and_rate_limits(
         &self,
     ) -> (Option<TokenUsageInfo>, Option<RateLimitSnapshot>) {
-        (self.token_info(), self.latest_rate_limits.clone())
+        (self.token_info.clone(), self.latest_rate_limits.clone())
     }
 
     pub(crate) fn set_token_usage_full(&mut self, context_window: i64) {
-        self.history.set_token_usage_full(context_window);
+        match &mut self.token_info {
+            Some(info) => info.fill_to_context_window(context_window),
+            None => {
+                self.token_info = Some(TokenUsageInfo::full_context_window(context_window));
+            }
+        }
     }
+
+    // Pending input/approval moved to TurnState.
 }

codex-rs/core/src/state/turn.rs

@@ -11,7 +11,6 @@ use tokio_util::task::AbortOnDropHandle;
 use codex_protocol::models::ResponseInputItem;
 use tokio::sync::oneshot;
 
-use crate::codex::TurnContext;
 use crate::protocol::ReviewDecision;
 use crate::tasks::SessionTask;
 
@@ -54,12 +53,10 @@ pub(crate) struct RunningTask {
     pub(crate) task: Arc<dyn SessionTask>,
     pub(crate) cancellation_token: CancellationToken,
     pub(crate) handle: Arc<AbortOnDropHandle<()>>,
-    pub(crate) turn_context: Arc<TurnContext>,
 }
 
 impl ActiveTurn {
-    pub(crate) fn add_task(&mut self, task: RunningTask) {
-        let sub_id = task.turn_context.sub_id.clone();
+    pub(crate) fn add_task(&mut self, sub_id: String, task: RunningTask) {
         self.tasks.insert(sub_id, task);
     }
 
@@ -68,8 +65,8 @@ impl ActiveTurn {
         self.tasks.is_empty()
     }
 
-    pub(crate) fn drain_tasks(&mut self) -> Vec<RunningTask> {
-        self.tasks.drain(..).map(|(_, task)| task).collect()
+    pub(crate) fn drain_tasks(&mut self) -> IndexMap<String, RunningTask> {
+        std::mem::take(&mut self.tasks)
     }
 }
 

codex-rs/core/src/tasks/compact.rs

@@ -5,8 +5,8 @@ use tokio_util::sync::CancellationToken;
 
 use crate::codex::TurnContext;
 use crate::codex::compact;
+use crate::protocol::InputItem;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;
 
 use super::SessionTask;
 use super::SessionTaskContext;
@@ -24,9 +24,10 @@ impl SessionTask for CompactTask {
         self: Arc<Self>,
         session: Arc<SessionTaskContext>,
         ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
         _cancellation_token: CancellationToken,
     ) -> Option<String> {
-        compact::run_compact_task(session.clone_session(), ctx, input).await
+        compact::run_compact_task(session.clone_session(), ctx, sub_id, input).await
     }
 }

codex-rs/core/src/tasks/mod.rs

@@ -15,14 +15,15 @@ use tracing::warn;
 
 use crate::codex::Session;
 use crate::codex::TurnContext;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use crate::protocol::InputItem;
 use crate::protocol::TaskCompleteEvent;
 use crate::protocol::TurnAbortReason;
 use crate::protocol::TurnAbortedEvent;
 use crate::state::ActiveTurn;
 use crate::state::RunningTask;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;
 
 pub(crate) use compact::CompactTask;
 pub(crate) use regular::RegularTask;
@@ -54,12 +55,13 @@ pub(crate) trait SessionTask: Send + Sync + 'static {
         self: Arc<Self>,
         session: Arc<SessionTaskContext>,
         ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
         cancellation_token: CancellationToken,
     ) -> Option<String>;
 
-    async fn abort(&self, session: Arc<SessionTaskContext>, ctx: Arc<TurnContext>) {
-        let _ = (session, ctx);
+    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
+        let _ = (session, sub_id);
     }
 }
 
@@ -67,7 +69,8 @@ impl Session {
     pub async fn spawn_task<T: SessionTask>(
         self: &Arc<Self>,
         turn_context: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
         task: T,
     ) {
         self.abort_all_tasks(TurnAbortReason::Replaced).await;
@@ -83,13 +86,14 @@ impl Session {
             let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
             let ctx = Arc::clone(&turn_context);
             let task_for_run = Arc::clone(&task);
+            let sub_clone = sub_id.clone();
             let task_cancellation_token = cancellation_token.child_token();
             tokio::spawn(async move {
-                let ctx_for_finish = Arc::clone(&ctx);
                 let last_agent_message = task_for_run
                     .run(
                         Arc::clone(&session_ctx),
                         ctx,
+                        sub_clone.clone(),
                         input,
                         task_cancellation_token.child_token(),
                     )
@@ -98,8 +102,7 @@ impl Session {
                 if !task_cancellation_token.is_cancelled() {
                     // Emit completion uniformly from spawn site so all tasks share the same lifecycle.
                     let sess = session_ctx.clone_session();
-                    sess.on_task_finished(ctx_for_finish, last_agent_message)
-                        .await;
+                    sess.on_task_finished(sub_clone, last_agent_message).await;
                 }
                 done_clone.notify_waiters();
             })
@@ -111,54 +114,60 @@ impl Session {
             kind: task_kind,
             task,
             cancellation_token,
-            turn_context: Arc::clone(&turn_context),
         };
-        self.register_new_active_task(running_task).await;
+        self.register_new_active_task(sub_id, running_task).await;
     }
 
     pub async fn abort_all_tasks(self: &Arc<Self>, reason: TurnAbortReason) {
-        for task in self.take_all_running_tasks().await {
-            self.handle_task_abort(task, reason.clone()).await;
+        for (sub_id, task) in self.take_all_running_tasks().await {
+            self.handle_task_abort(sub_id, task, reason.clone()).await;
         }
     }
 
     pub async fn on_task_finished(
         self: &Arc<Self>,
-        turn_context: Arc<TurnContext>,
+        sub_id: String,
         last_agent_message: Option<String>,
     ) {
         let mut active = self.active_turn.lock().await;
         if let Some(at) = active.as_mut()
-            && at.remove_task(&turn_context.sub_id)
+            && at.remove_task(&sub_id)
         {
             *active = None;
         }
         drop(active);
-        let event = EventMsg::TaskComplete(TaskCompleteEvent { last_agent_message });
-        self.send_event(turn_context.as_ref(), event).await;
+        let event = Event {
+            id: sub_id,
+            msg: EventMsg::TaskComplete(TaskCompleteEvent { last_agent_message }),
+        };
+        self.send_event(event).await;
     }
 
-    async fn register_new_active_task(&self, task: RunningTask) {
+    async fn register_new_active_task(&self, sub_id: String, task: RunningTask) {
         let mut active = self.active_turn.lock().await;
         let mut turn = ActiveTurn::default();
-        turn.add_task(task);
+        turn.add_task(sub_id, task);
         *active = Some(turn);
     }
 
-    async fn take_all_running_tasks(&self) -> Vec<RunningTask> {
+    async fn take_all_running_tasks(&self) -> Vec<(String, RunningTask)> {
         let mut active = self.active_turn.lock().await;
         match active.take() {
             Some(mut at) => {
                 at.clear_pending().await;
-
-                at.drain_tasks()
+                let tasks = at.drain_tasks();
+                tasks.into_iter().collect()
             }
             None => Vec::new(),
         }
     }
 
-    async fn handle_task_abort(self: &Arc<Self>, task: RunningTask, reason: TurnAbortReason) {
-        let sub_id = task.turn_context.sub_id.clone();
+    async fn handle_task_abort(
+        self: &Arc<Self>,
+        sub_id: String,
+        task: RunningTask,
+        reason: TurnAbortReason,
+    ) {
         if task.cancellation_token.is_cancelled() {
             return;
         }
@@ -178,12 +187,13 @@ impl Session {
         task.handle.abort();
 
         let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
-        session_task
-            .abort(session_ctx, Arc::clone(&task.turn_context))
-            .await;
+        session_task.abort(session_ctx, &sub_id).await;
 
-        let event = EventMsg::TurnAborted(TurnAbortedEvent { reason });
-        self.send_event(task.turn_context.as_ref(), event).await;
+        let event = Event {
+            id: sub_id.clone(),
+            msg: EventMsg::TurnAborted(TurnAbortedEvent { reason }),
+        };
+        self.send_event(event).await;
     }
 }
 

codex-rs/core/src/tasks/regular.rs

@@ -5,8 +5,8 @@ use tokio_util::sync::CancellationToken;
 
 use crate::codex::TurnContext;
 use crate::codex::run_task;
+use crate::protocol::InputItem;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;
 
 use super::SessionTask;
 use super::SessionTaskContext;
@@ -24,10 +24,19 @@ impl SessionTask for RegularTask {
         self: Arc<Self>,
         session: Arc<SessionTaskContext>,
         ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
         cancellation_token: CancellationToken,
     ) -> Option<String> {
         let sess = session.clone_session();
-        run_task(sess, ctx, input, TaskKind::Regular, cancellation_token).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Regular,
+            cancellation_token,
+        )
+        .await
     }
 }

codex-rs/core/src/tasks/review.rs

@@ -6,8 +6,8 @@ use tokio_util::sync::CancellationToken;
 use crate::codex::TurnContext;
 use crate::codex::exit_review_mode;
 use crate::codex::run_task;
+use crate::protocol::InputItem;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;
 
 use super::SessionTask;
 use super::SessionTaskContext;
@@ -25,14 +25,23 @@ impl SessionTask for ReviewTask {
         self: Arc<Self>,
         session: Arc<SessionTaskContext>,
         ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
         cancellation_token: CancellationToken,
     ) -> Option<String> {
         let sess = session.clone_session();
-        run_task(sess, ctx, input, TaskKind::Review, cancellation_token).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Review,
+            cancellation_token,
+        )
+        .await
     }
 
-    async fn abort(&self, session: Arc<SessionTaskContext>, ctx: Arc<TurnContext>) {
-        exit_review_mode(session.clone_session(), ctx, None).await;
+    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
+        exit_review_mode(session.clone_session(), sub_id.to_string(), None).await;
     }
 }

codex-rs/core/src/tools/context.rs

@@ -1,11 +1,15 @@
 use crate::codex::Session;
 use crate::codex::TurnContext;
+use crate::tools::TELEMETRY_PREVIEW_MAX_BYTES;
+use crate::tools::TELEMETRY_PREVIEW_MAX_LINES;
+use crate::tools::TELEMETRY_PREVIEW_TRUNCATION_NOTICE;
 use crate::turn_diff_tracker::TurnDiffTracker;
 use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseInputItem;
 use codex_protocol::models::ShellToolCallParams;
 use codex_protocol::protocol::FileChange;
+use codex_utils_string::take_bytes_at_char_boundary;
 use mcp_types::CallToolResult;
 use std::borrow::Cow;
 use std::collections::HashMap;
@@ -20,6 +24,7 @@ pub struct ToolInvocation {
     pub session: Arc<Session>,
     pub turn: Arc<TurnContext>,
     pub tracker: SharedTurnDiffTracker,
+    pub sub_id: String,
     pub call_id: String,
     pub tool_name: String,
     pub payload: ToolPayload,
@@ -72,7 +77,7 @@ pub enum ToolOutput {
 impl ToolOutput {
     pub fn log_preview(&self) -> String {
         match self {
-            ToolOutput::Function { content, .. } => content.clone(),
+            ToolOutput::Function { content, .. } => telemetry_preview(content),
             ToolOutput::Mcp { result } => format!("{result:?}"),
         }
     }
@@ -107,6 +112,46 @@ impl ToolOutput {
     }
 }
 
+fn telemetry_preview(content: &str) -> String {
+    let truncated_slice = take_bytes_at_char_boundary(content, TELEMETRY_PREVIEW_MAX_BYTES);
+    let truncated_by_bytes = truncated_slice.len() < content.len();
+
+    let mut preview = String::new();
+    let mut lines_iter = truncated_slice.lines();
+    for idx in 0..TELEMETRY_PREVIEW_MAX_LINES {
+        match lines_iter.next() {
+            Some(line) => {
+                if idx > 0 {
+                    preview.push('\n');
+                }
+                preview.push_str(line);
+            }
+            None => break,
+        }
+    }
+    let truncated_by_lines = lines_iter.next().is_some();
+
+    if !truncated_by_bytes && !truncated_by_lines {
+        return content.to_string();
+    }
+
+    if preview.len() < truncated_slice.len()
+        && truncated_slice
+            .as_bytes()
+            .get(preview.len())
+            .is_some_and(|byte| *byte == b'\n')
+    {
+        preview.push('\n');
+    }
+
+    if !preview.is_empty() && !preview.ends_with('\n') {
+        preview.push('\n');
+    }
+    preview.push_str(TELEMETRY_PREVIEW_TRUNCATION_NOTICE);
+
+    preview
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -152,12 +197,44 @@ mod tests {
             other => panic!("expected FunctionCallOutput, got {other:?}"),
         }
     }
+
+    #[test]
+    fn telemetry_preview_returns_original_within_limits() {
+        let content = "short output";
+        assert_eq!(telemetry_preview(content), content);
+    }
+
+    #[test]
+    fn telemetry_preview_truncates_by_bytes() {
+        let content = "x".repeat(TELEMETRY_PREVIEW_MAX_BYTES + 8);
+        let preview = telemetry_preview(&content);
+
+        assert!(preview.contains(TELEMETRY_PREVIEW_TRUNCATION_NOTICE));
+        assert!(
+            preview.len()
+                <= TELEMETRY_PREVIEW_MAX_BYTES + TELEMETRY_PREVIEW_TRUNCATION_NOTICE.len() + 1
+        );
+    }
+
+    #[test]
+    fn telemetry_preview_truncates_by_lines() {
+        let content = (0..(TELEMETRY_PREVIEW_MAX_LINES + 5))
+            .map(|idx| format!("line {idx}"))
+            .collect::<Vec<_>>()
+            .join("\n");
+
+        let preview = telemetry_preview(&content);
+        let lines: Vec<&str> = preview.lines().collect();
+
+        assert!(lines.len() <= TELEMETRY_PREVIEW_MAX_LINES + 1);
+        assert_eq!(lines.last(), Some(&TELEMETRY_PREVIEW_TRUNCATION_NOTICE));
+    }
 }
 
 #[derive(Clone, Debug)]
 #[allow(dead_code)]
 pub(crate) struct ExecCommandContext {
-    pub(crate) turn: Arc<TurnContext>,
+    pub(crate) sub_id: String,
     pub(crate) call_id: String,
     pub(crate) command_for_display: Vec<String>,
     pub(crate) cwd: PathBuf,

codex-rs/core/src/tools/events.rs

@@ -1,10 +1,7 @@
 use crate::codex::Session;
-use crate::codex::TurnContext;
-use crate::error::CodexErr;
-use crate::error::SandboxErr;
 use crate::exec::ExecToolCallOutput;
-use crate::function_tool::FunctionCallError;
 use crate::parse_command::parse_command;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecCommandBeginEvent;
 use crate::protocol::ExecCommandEndEvent;
@@ -13,9 +10,7 @@ use crate::protocol::PatchApplyBeginEvent;
 use crate::protocol::PatchApplyEndEvent;
 use crate::protocol::TurnDiffEvent;
 use crate::tools::context::SharedTurnDiffTracker;
-use crate::tools::sandboxing::ToolError;
 use std::collections::HashMap;
-use std::path::Path;
 use std::path::PathBuf;
 use std::time::Duration;
 
@@ -25,7 +20,7 @@ use super::format_exec_output_str;
 #[derive(Clone, Copy)]
 pub(crate) struct ToolEventCtx<'a> {
     pub session: &'a Session,
-    pub turn: &'a TurnContext,
+    pub sub_id: &'a str,
     pub call_id: &'a str,
     pub turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
 }
@@ -33,13 +28,13 @@ pub(crate) struct ToolEventCtx<'a> {
 impl<'a> ToolEventCtx<'a> {
     pub fn new(
         session: &'a Session,
-        turn: &'a TurnContext,
+        sub_id: &'a str,
         call_id: &'a str,
         turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
     ) -> Self {
         Self {
             session,
-            turn,
+            sub_id,
             call_id,
             turn_diff_tracker,
         }
@@ -56,20 +51,6 @@ pub(crate) enum ToolEventFailure {
     Output(ExecToolCallOutput),
     Message(String),
 }
-
-pub(crate) async fn emit_exec_command_begin(ctx: ToolEventCtx<'_>, command: &[String], cwd: &Path) {
-    ctx.session
-        .send_event(
-            ctx.turn,
-            EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
-                call_id: ctx.call_id.to_string(),
-                command: command.to_vec(),
-                cwd: cwd.to_path_buf(),
-                parsed_cmd: parse_command(command),
-            }),
-        )
-        .await;
-}
 // Concrete, allocation-free emitter: avoid trait objects and boxed futures.
 pub(crate) enum ToolEmitter {
     Shell {
@@ -80,13 +61,6 @@ pub(crate) enum ToolEmitter {
         changes: HashMap<PathBuf, FileChange>,
         auto_approved: bool,
     },
-    UnifiedExec {
-        command: String,
-        cwd: PathBuf,
-        // True for `exec_command` and false for `write_stdin`.
-        #[allow(dead_code)]
-        is_startup_command: bool,
-    },
 }
 
 impl ToolEmitter {
@@ -101,18 +75,20 @@ impl ToolEmitter {
         }
     }
 
-    pub fn unified_exec(command: String, cwd: PathBuf, is_startup_command: bool) -> Self {
-        Self::UnifiedExec {
-            command,
-            cwd,
-            is_startup_command,
-        }
-    }
-
     pub async fn emit(&self, ctx: ToolEventCtx<'_>, stage: ToolEventStage) {
         match (self, stage) {
             (Self::Shell { command, cwd }, ToolEventStage::Begin) => {
-                emit_exec_command_begin(ctx, command, cwd.as_path()).await;
+                ctx.session
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
+                            call_id: ctx.call_id.to_string(),
+                            command: command.clone(),
+                            cwd: cwd.clone(),
+                            parsed_cmd: parse_command(command),
+                        }),
+                    })
+                    .await;
             }
             (Self::Shell { .. }, ToolEventStage::Success(output)) => {
                 emit_exec_end(
@@ -163,14 +139,14 @@ impl ToolEmitter {
                     guard.on_patch_begin(changes);
                 }
                 ctx.session
-                    .send_event(
-                        ctx.turn,
-                        EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
                             call_id: ctx.call_id.to_string(),
                             auto_approved: *auto_approved,
                             changes: changes.clone(),
                         }),
-                    )
+                    })
                     .await;
             }
             (Self::ApplyPatch { .. }, ToolEventStage::Success(output)) => {
@@ -200,103 +176,8 @@ impl ToolEmitter {
             ) => {
                 emit_patch_end(ctx, String::new(), (*message).to_string(), false).await;
             }
-            (Self::UnifiedExec { command, cwd, .. }, ToolEventStage::Begin) => {
-                emit_exec_command_begin(ctx, &[command.to_string()], cwd.as_path()).await;
-            }
-            (Self::UnifiedExec { .. }, ToolEventStage::Success(output)) => {
-                emit_exec_end(
-                    ctx,
-                    output.stdout.text.clone(),
-                    output.stderr.text.clone(),
-                    output.aggregated_output.text.clone(),
-                    output.exit_code,
-                    output.duration,
-                    format_exec_output_str(&output),
-                )
-                .await;
-            }
-            (
-                Self::UnifiedExec { .. },
-                ToolEventStage::Failure(ToolEventFailure::Output(output)),
-            ) => {
-                emit_exec_end(
-                    ctx,
-                    output.stdout.text.clone(),
-                    output.stderr.text.clone(),
-                    output.aggregated_output.text.clone(),
-                    output.exit_code,
-                    output.duration,
-                    format_exec_output_str(&output),
-                )
-                .await;
-            }
-            (
-                Self::UnifiedExec { .. },
-                ToolEventStage::Failure(ToolEventFailure::Message(message)),
-            ) => {
-                emit_exec_end(
-                    ctx,
-                    String::new(),
-                    (*message).to_string(),
-                    (*message).to_string(),
-                    -1,
-                    Duration::ZERO,
-                    format_exec_output(&message),
-                )
-                .await;
-            }
         }
     }
-
-    pub async fn begin(&self, ctx: ToolEventCtx<'_>) {
-        self.emit(ctx, ToolEventStage::Begin).await;
-    }
-
-    pub async fn finish(
-        &self,
-        ctx: ToolEventCtx<'_>,
-        out: Result<ExecToolCallOutput, ToolError>,
-    ) -> Result<String, FunctionCallError> {
-        let event;
-        let result = match out {
-            Ok(output) => {
-                let content = super::format_exec_output_for_model(&output);
-                let exit_code = output.exit_code;
-                event = ToolEventStage::Success(output);
-                if exit_code == 0 {
-                    Ok(content)
-                } else {
-                    Err(FunctionCallError::RespondToModel(content))
-                }
-            }
-            Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output })))
-            | Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
-                let response = super::format_exec_output_for_model(&output);
-                event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
-                Err(FunctionCallError::RespondToModel(response))
-            }
-            Err(ToolError::Codex(err)) => {
-                let message = format!("execution error: {err:?}");
-                let response = super::format_exec_output(&message);
-                event = ToolEventStage::Failure(ToolEventFailure::Message(message));
-                Err(FunctionCallError::RespondToModel(response))
-            }
-            Err(ToolError::Rejected(msg)) | Err(ToolError::SandboxDenied(msg)) => {
-                // Normalize common rejection messages for exec tools so tests and
-                // users see a clear, consistent phrase.
-                let normalized = if msg == "rejected by user" {
-                    "exec command rejected by user".to_string()
-                } else {
-                    msg
-                };
-                let response = super::format_exec_output(&normalized);
-                event = ToolEventStage::Failure(ToolEventFailure::Message(normalized));
-                Err(FunctionCallError::RespondToModel(response))
-            }
-        };
-        self.emit(ctx, event).await;
-        result
-    }
 }
 
 async fn emit_exec_end(
@@ -309,9 +190,9 @@ async fn emit_exec_end(
     formatted_output: String,
 ) {
     ctx.session
-        .send_event(
-            ctx.turn,
-            EventMsg::ExecCommandEnd(ExecCommandEndEvent {
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::ExecCommandEnd(ExecCommandEndEvent {
                 call_id: ctx.call_id.to_string(),
                 stdout,
                 stderr,
@@ -320,21 +201,21 @@ async fn emit_exec_end(
                 duration,
                 formatted_output,
             }),
-        )
+        })
         .await;
 }
 
 async fn emit_patch_end(ctx: ToolEventCtx<'_>, stdout: String, stderr: String, success: bool) {
     ctx.session
-        .send_event(
-            ctx.turn,
-            EventMsg::PatchApplyEnd(PatchApplyEndEvent {
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::PatchApplyEnd(PatchApplyEndEvent {
                 call_id: ctx.call_id.to_string(),
                 stdout,
                 stderr,
                 success,
             }),
-        )
+        })
         .await;
 
     if let Some(tracker) = ctx.turn_diff_tracker {
@@ -344,7 +225,10 @@ async fn emit_patch_end(ctx: ToolEventCtx<'_>, stdout: String, stderr: String, s
         };
         if let Ok(Some(unified_diff)) = unified_diff {
             ctx.session
-                .send_event(ctx.turn, EventMsg::TurnDiff(TurnDiffEvent { unified_diff }))
+                .send_event(Event {
+                    id: ctx.sub_id.to_string(),
+                    msg: EventMsg::TurnDiff(TurnDiffEvent { unified_diff }),
+                })
                 .await;
         }
     }

codex-rs/core/src/tools/handlers/apply_patch.rs

@@ -1,24 +1,19 @@
 use std::collections::BTreeMap;
+use std::collections::HashMap;
+use std::sync::Arc;
 
-use crate::apply_patch;
-use crate::apply_patch::InternalApplyPatchInvocation;
-use crate::apply_patch::convert_apply_patch_to_protocol;
 use crate::client_common::tools::FreeformTool;
 use crate::client_common::tools::FreeformToolFormat;
 use crate::client_common::tools::ResponsesApiTool;
 use crate::client_common::tools::ToolSpec;
+use crate::exec::ExecParams;
 use crate::function_tool::FunctionCallError;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
-use crate::tools::events::ToolEmitter;
-use crate::tools::events::ToolEventCtx;
-use crate::tools::orchestrator::ToolOrchestrator;
+use crate::tools::handle_container_exec_with_params;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use crate::tools::runtimes::apply_patch::ApplyPatchRequest;
-use crate::tools::runtimes::apply_patch::ApplyPatchRuntime;
-use crate::tools::sandboxing::ToolCtx;
 use crate::tools::spec::ApplyPatchToolArgs;
 use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
@@ -47,6 +42,7 @@ impl ToolHandler for ApplyPatchHandler {
             session,
             turn,
             tracker,
+            sub_id,
             call_id,
             tool_name,
             payload,
@@ -69,85 +65,31 @@ impl ToolHandler for ApplyPatchHandler {
             }
         };
 
-        // Re-parse and verify the patch so we can compute changes and approval.
-        // Avoid building temporary ExecParams/command vectors; derive directly from inputs.
-        let cwd = turn.cwd.clone();
-        let command = vec!["apply_patch".to_string(), patch_input.clone()];
-        match codex_apply_patch::maybe_parse_apply_patch_verified(&command, &cwd) {
-            codex_apply_patch::MaybeApplyPatchVerified::Body(changes) => {
-                match apply_patch::apply_patch(session.as_ref(), turn.as_ref(), &call_id, changes)
-                    .await
-                {
-                    InternalApplyPatchInvocation::Output(item) => {
-                        let content = item?;
-                        Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        })
-                    }
-                    InternalApplyPatchInvocation::DelegateToExec(apply) => {
-                        let emitter = ToolEmitter::apply_patch(
-                            convert_apply_patch_to_protocol(&apply.action),
-                            !apply.user_explicitly_approved_this_action,
-                        );
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        emitter.begin(event_ctx).await;
+        let exec_params = ExecParams {
+            command: vec!["apply_patch".to_string(), patch_input.clone()],
+            cwd: turn.cwd.clone(),
+            timeout_ms: None,
+            env: HashMap::new(),
+            with_escalated_permissions: None,
+            justification: None,
+            arg0: None,
+        };
 
-                        let req = ApplyPatchRequest {
-                            patch: apply.action.patch.clone(),
-                            cwd: apply.action.cwd.clone(),
-                            timeout_ms: None,
-                            user_explicitly_approved: apply.user_explicitly_approved_this_action,
-                            codex_exe: turn.codex_linux_sandbox_exe.clone(),
-                        };
+        let content = handle_container_exec_with_params(
+            tool_name.as_str(),
+            exec_params,
+            Arc::clone(&session),
+            Arc::clone(&turn),
+            Arc::clone(&tracker),
+            sub_id.clone(),
+            call_id.clone(),
+        )
+        .await?;
 
-                        let mut orchestrator = ToolOrchestrator::new();
-                        let mut runtime = ApplyPatchRuntime::new();
-                        let tool_ctx = ToolCtx {
-                            session: session.as_ref(),
-                            turn: turn.as_ref(),
-                            call_id: call_id.clone(),
-                            tool_name: tool_name.to_string(),
-                        };
-                        let out = orchestrator
-                            .run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
-                            .await;
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        let content = emitter.finish(event_ctx, out).await?;
-                        Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        })
-                    }
-                }
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::CorrectnessError(parse_error) => {
-                Err(FunctionCallError::RespondToModel(format!(
-                    "apply_patch verification failed: {parse_error}"
-                )))
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::ShellParseError(error) => {
-                tracing::trace!("Failed to parse apply_patch input, {error:?}");
-                Err(FunctionCallError::RespondToModel(
-                    "apply_patch handler received invalid patch input".to_string(),
-                ))
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::NotApplyPatch => {
-                Err(FunctionCallError::RespondToModel(
-                    "apply_patch handler received non-apply_patch input".to_string(),
-                ))
-            }
-        }
+        Ok(ToolOutput::Function {
+            content,
+            success: Some(true),
+        })
     }
 }
 

codex-rs/core/src/tools/handlers/mcp.rs

@@ -19,7 +19,7 @@ impl ToolHandler for McpHandler {
     async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
         let ToolInvocation {
             session,
-            turn,
+            sub_id,
             call_id,
             payload,
             ..
@@ -43,7 +43,7 @@ impl ToolHandler for McpHandler {
 
         let response = handle_mcp_tool_call(
             session.as_ref(),
-            turn.as_ref(),
+            &sub_id,
             call_id.clone(),
             server,
             tool,

codex-rs/core/src/tools/handlers/mcp_resource.rs

@@ -21,8 +21,8 @@ use serde::de::DeserializeOwned;
 use serde_json::Value;
 
 use crate::codex::Session;
-use crate::codex::TurnContext;
 use crate::function_tool::FunctionCallError;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
@@ -189,7 +189,7 @@ impl ToolHandler for McpResourceHandler {
     async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
         let ToolInvocation {
             session,
-            turn,
+            sub_id,
             call_id,
             tool_name,
             payload,
@@ -211,7 +211,7 @@ impl ToolHandler for McpResourceHandler {
             "list_mcp_resources" => {
                 handle_list_resources(
                     Arc::clone(&session),
-                    Arc::clone(&turn),
+                    sub_id.clone(),
                     call_id.clone(),
                     arguments_value.clone(),
                 )
@@ -220,20 +220,14 @@ impl ToolHandler for McpResourceHandler {
             "list_mcp_resource_templates" => {
                 handle_list_resource_templates(
                     Arc::clone(&session),
-                    Arc::clone(&turn),
+                    sub_id.clone(),
                     call_id.clone(),
                     arguments_value.clone(),
                 )
                 .await
             }
             "read_mcp_resource" => {
-                handle_read_resource(
-                    Arc::clone(&session),
-                    Arc::clone(&turn),
-                    call_id,
-                    arguments_value,
-                )
-                .await
+                handle_read_resource(Arc::clone(&session), sub_id, call_id, arguments_value).await
             }
             other => Err(FunctionCallError::RespondToModel(format!(
                 "unsupported MCP resource tool: {other}"
@@ -244,7 +238,7 @@ impl ToolHandler for McpResourceHandler {
 
 async fn handle_list_resources(
     session: Arc<Session>,
-    turn: Arc<TurnContext>,
+    sub_id: String,
     call_id: String,
     arguments: Option<Value>,
 ) -> Result<ToolOutput, FunctionCallError> {
@@ -259,7 +253,7 @@ async fn handle_list_resources(
         arguments: arguments.clone(),
     };
 
-    emit_tool_call_begin(&session, turn.as_ref(), &call_id, invocation.clone()).await;
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
     let start = Instant::now();
 
     let payload_result: Result<ListResourcesPayload, FunctionCallError> = async {
@@ -303,7 +297,7 @@ async fn handle_list_resources(
                 let duration = start.elapsed();
                 emit_tool_call_end(
                     &session,
-                    turn.as_ref(),
+                    &sub_id,
                     &call_id,
                     invocation,
                     duration,
@@ -317,7 +311,7 @@ async fn handle_list_resources(
                 let message = err.to_string();
                 emit_tool_call_end(
                     &session,
-                    turn.as_ref(),
+                    &sub_id,
                     &call_id,
                     invocation,
                     duration,
@@ -332,7 +326,7 @@ async fn handle_list_resources(
             let message = err.to_string();
             emit_tool_call_end(
                 &session,
-                turn.as_ref(),
+                &sub_id,
                 &call_id,
                 invocation,
                 duration,
@@ -346,7 +340,7 @@ async fn handle_list_resources(
 
 async fn handle_list_resource_templates(
     session: Arc<Session>,
-    turn: Arc<TurnContext>,
+    sub_id: String,
     call_id: String,
     arguments: Option<Value>,
 ) -> Result<ToolOutput, FunctionCallError> {
@@ -361,7 +355,7 @@ async fn handle_list_resource_templates(
         arguments: arguments.clone(),
     };
 
-    emit_tool_call_begin(&session, turn.as_ref(), &call_id, invocation.clone()).await;
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
     let start = Instant::now();
 
     let payload_result: Result<ListResourceTemplatesPayload, FunctionCallError> = async {
@@ -409,7 +403,7 @@ async fn handle_list_resource_templates(
                 let duration = start.elapsed();
                 emit_tool_call_end(
                     &session,
-                    turn.as_ref(),
+                    &sub_id,
                     &call_id,
                     invocation,
                     duration,
@@ -423,7 +417,7 @@ async fn handle_list_resource_templates(
                 let message = err.to_string();
                 emit_tool_call_end(
                     &session,
-                    turn.as_ref(),
+                    &sub_id,
                     &call_id,
                     invocation,
                     duration,
@@ -438,7 +432,7 @@ async fn handle_list_resource_templates(
             let message = err.to_string();
             emit_tool_call_end(
                 &session,
-                turn.as_ref(),
+                &sub_id,
                 &call_id,
                 invocation,
                 duration,
@@ -452,7 +446,7 @@ async fn handle_list_resource_templates(
 
 async fn handle_read_resource(
     session: Arc<Session>,
-    turn: Arc<TurnContext>,
+    sub_id: String,
     call_id: String,
     arguments: Option<Value>,
 ) -> Result<ToolOutput, FunctionCallError> {
@@ -467,7 +461,7 @@ async fn handle_read_resource(
         arguments: arguments.clone(),
     };
 
-    emit_tool_call_begin(&session, turn.as_ref(), &call_id, invocation.clone()).await;
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
     let start = Instant::now();
 
     let payload_result: Result<ReadResourcePayload, FunctionCallError> = async {
@@ -495,7 +489,7 @@ async fn handle_read_resource(
                 let duration = start.elapsed();
                 emit_tool_call_end(
                     &session,
-                    turn.as_ref(),
+                    &sub_id,
                     &call_id,
                     invocation,
                     duration,
@@ -509,7 +503,7 @@ async fn handle_read_resource(
                 let message = err.to_string();
                 emit_tool_call_end(
                     &session,
-                    turn.as_ref(),
+                    &sub_id,
                     &call_id,
                     invocation,
                     duration,
@@ -524,7 +518,7 @@ async fn handle_read_resource(
             let message = err.to_string();
             emit_tool_call_end(
                 &session,
-                turn.as_ref(),
+                &sub_id,
                 &call_id,
                 invocation,
                 duration,
@@ -550,39 +544,39 @@ fn call_tool_result_from_content(content: &str, success: Option<bool>) -> CallTo
 
 async fn emit_tool_call_begin(
     session: &Arc<Session>,
-    turn: &TurnContext,
+    sub_id: &str,
     call_id: &str,
     invocation: McpInvocation,
 ) {
     session
-        .send_event(
-            turn,
-            EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
                 call_id: call_id.to_string(),
                 invocation,
             }),
-        )
+        })
         .await;
 }
 
 async fn emit_tool_call_end(
     session: &Arc<Session>,
-    turn: &TurnContext,
+    sub_id: &str,
     call_id: &str,
     invocation: McpInvocation,
     duration: Duration,
     result: Result<CallToolResult, String>,
 ) {
     session
-        .send_event(
-            turn,
-            EventMsg::McpToolCallEnd(McpToolCallEndEvent {
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallEnd(McpToolCallEndEvent {
                 call_id: call_id.to_string(),
                 invocation,
                 duration,
                 result,
             }),
-        )
+        })
         .await;
 }
 

codex-rs/core/src/tools/handlers/plan.rs

@@ -1,7 +1,6 @@
 use crate::client_common::tools::ResponsesApiTool;
 use crate::client_common::tools::ToolSpec;
 use crate::codex::Session;
-use crate::codex::TurnContext;
 use crate::function_tool::FunctionCallError;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
@@ -11,6 +10,7 @@ use crate::tools::registry::ToolKind;
 use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
 use codex_protocol::plan_tool::UpdatePlanArgs;
+use codex_protocol::protocol::Event;
 use codex_protocol::protocol::EventMsg;
 use std::collections::BTreeMap;
 use std::sync::LazyLock;
@@ -68,7 +68,7 @@ impl ToolHandler for PlanHandler {
     async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
         let ToolInvocation {
             session,
-            turn,
+            sub_id,
             call_id,
             payload,
             ..
@@ -84,7 +84,7 @@ impl ToolHandler for PlanHandler {
         };
 
         let content =
-            handle_update_plan(session.as_ref(), turn.as_ref(), arguments, call_id).await?;
+            handle_update_plan(session.as_ref(), arguments, sub_id.clone(), call_id).await?;
 
         Ok(ToolOutput::Function {
             content,
@@ -98,13 +98,16 @@ impl ToolHandler for PlanHandler {
 /// than forcing it to come up and document a plan (TBD how that affects performance).
 pub(crate) async fn handle_update_plan(
     session: &Session,
-    turn_context: &TurnContext,
     arguments: String,
+    sub_id: String,
     _call_id: String,
 ) -> Result<String, FunctionCallError> {
     let args = parse_update_plan_arguments(&arguments)?;
     session
-        .send_event(turn_context, EventMsg::PlanUpdate(args))
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::PlanUpdate(args),
+        })
         .await;
     Ok("Plan updated".to_string())
 }

codex-rs/core/src/tools/handlers/shell.rs

@@ -2,9 +2,6 @@ use async_trait::async_trait;
 use codex_protocol::models::ShellToolCallParams;
 use std::sync::Arc;
 
-use crate::apply_patch;
-use crate::apply_patch::InternalApplyPatchInvocation;
-use crate::apply_patch::convert_apply_patch_to_protocol;
 use crate::codex::TurnContext;
 use crate::exec::ExecParams;
 use crate::exec_env::create_env;
@@ -12,16 +9,9 @@ use crate::function_tool::FunctionCallError;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
-use crate::tools::events::ToolEmitter;
-use crate::tools::events::ToolEventCtx;
-use crate::tools::orchestrator::ToolOrchestrator;
+use crate::tools::handle_container_exec_with_params;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use crate::tools::runtimes::apply_patch::ApplyPatchRequest;
-use crate::tools::runtimes::apply_patch::ApplyPatchRuntime;
-use crate::tools::runtimes::shell::ShellRequest;
-use crate::tools::runtimes::shell::ShellRuntime;
-use crate::tools::sandboxing::ToolCtx;
 
 pub struct ShellHandler;
 
@@ -57,6 +47,7 @@ impl ToolHandler for ShellHandler {
             session,
             turn,
             tracker,
+            sub_id,
             call_id,
             tool_name,
             payload,
@@ -71,27 +62,37 @@ impl ToolHandler for ShellHandler {
                         ))
                     })?;
                 let exec_params = Self::to_exec_params(params, turn.as_ref());
-                Self::run_exec_like(
+                let content = handle_container_exec_with_params(
                     tool_name.as_str(),
                     exec_params,
-                    session,
-                    turn,
-                    tracker,
-                    call_id,
+                    Arc::clone(&session),
+                    Arc::clone(&turn),
+                    Arc::clone(&tracker),
+                    sub_id.clone(),
+                    call_id.clone(),
                 )
-                .await
+                .await?;
+                Ok(ToolOutput::Function {
+                    content,
+                    success: Some(true),
+                })
             }
             ToolPayload::LocalShell { params } => {
                 let exec_params = Self::to_exec_params(params, turn.as_ref());
-                Self::run_exec_like(
+                let content = handle_container_exec_with_params(
                     tool_name.as_str(),
                     exec_params,
-                    session,
-                    turn,
-                    tracker,
-                    call_id,
+                    Arc::clone(&session),
+                    Arc::clone(&turn),
+                    Arc::clone(&tracker),
+                    sub_id.clone(),
+                    call_id.clone(),
                 )
-                .await
+                .await?;
+                Ok(ToolOutput::Function {
+                    content,
+                    success: Some(true),
+                })
             }
             _ => Err(FunctionCallError::RespondToModel(format!(
                 "unsupported payload for shell handler: {tool_name}"
@@ -99,134 +100,3 @@ impl ToolHandler for ShellHandler {
         }
     }
 }
-
-impl ShellHandler {
-    async fn run_exec_like(
-        tool_name: &str,
-        exec_params: ExecParams,
-        session: Arc<crate::codex::Session>,
-        turn: Arc<TurnContext>,
-        tracker: crate::tools::context::SharedTurnDiffTracker,
-        call_id: String,
-    ) -> Result<ToolOutput, FunctionCallError> {
-        // Approval policy guard for explicit escalation in non-OnRequest modes.
-        if exec_params.with_escalated_permissions.unwrap_or(false)
-            && !matches!(
-                turn.approval_policy,
-                codex_protocol::protocol::AskForApproval::OnRequest
-            )
-        {
-            return Err(FunctionCallError::RespondToModel(format!(
-                "approval policy is {policy:?}; reject command — you should not ask for escalated permissions if the approval policy is {policy:?}",
-                policy = turn.approval_policy
-            )));
-        }
-
-        // Intercept apply_patch if present.
-        match codex_apply_patch::maybe_parse_apply_patch_verified(
-            &exec_params.command,
-            &exec_params.cwd,
-        ) {
-            codex_apply_patch::MaybeApplyPatchVerified::Body(changes) => {
-                match apply_patch::apply_patch(session.as_ref(), turn.as_ref(), &call_id, changes)
-                    .await
-                {
-                    InternalApplyPatchInvocation::Output(item) => {
-                        // Programmatic apply_patch path; return its result.
-                        let content = item?;
-                        return Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        });
-                    }
-                    InternalApplyPatchInvocation::DelegateToExec(apply) => {
-                        let emitter = ToolEmitter::apply_patch(
-                            convert_apply_patch_to_protocol(&apply.action),
-                            !apply.user_explicitly_approved_this_action,
-                        );
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        emitter.begin(event_ctx).await;
-
-                        let req = ApplyPatchRequest {
-                            patch: apply.action.patch.clone(),
-                            cwd: apply.action.cwd.clone(),
-                            timeout_ms: exec_params.timeout_ms,
-                            user_explicitly_approved: apply.user_explicitly_approved_this_action,
-                            codex_exe: turn.codex_linux_sandbox_exe.clone(),
-                        };
-                        let mut orchestrator = ToolOrchestrator::new();
-                        let mut runtime = ApplyPatchRuntime::new();
-                        let tool_ctx = ToolCtx {
-                            session: session.as_ref(),
-                            turn: turn.as_ref(),
-                            call_id: call_id.clone(),
-                            tool_name: tool_name.to_string(),
-                        };
-                        let out = orchestrator
-                            .run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
-                            .await;
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        let content = emitter.finish(event_ctx, out).await?;
-                        return Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        });
-                    }
-                }
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::CorrectnessError(parse_error) => {
-                return Err(FunctionCallError::RespondToModel(format!(
-                    "apply_patch verification failed: {parse_error}"
-                )));
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::ShellParseError(error) => {
-                tracing::trace!("Failed to parse shell command, {error:?}");
-                // Fall through to regular shell execution.
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::NotApplyPatch => {
-                // Fall through to regular shell execution.
-            }
-        }
-
-        // Regular shell execution path.
-        let emitter = ToolEmitter::shell(exec_params.command.clone(), exec_params.cwd.clone());
-        let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
-        emitter.begin(event_ctx).await;
-
-        let req = ShellRequest {
-            command: exec_params.command.clone(),
-            cwd: exec_params.cwd.clone(),
-            timeout_ms: exec_params.timeout_ms,
-            env: exec_params.env.clone(),
-            with_escalated_permissions: exec_params.with_escalated_permissions,
-            justification: exec_params.justification.clone(),
-        };
-        let mut orchestrator = ToolOrchestrator::new();
-        let mut runtime = ShellRuntime::new();
-        let tool_ctx = ToolCtx {
-            session: session.as_ref(),
-            turn: turn.as_ref(),
-            call_id: call_id.clone(),
-            tool_name: tool_name.to_string(),
-        };
-        let out = orchestrator
-            .run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
-            .await;
-        let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
-        let content = emitter.finish(event_ctx, out).await?;
-        Ok(ToolOutput::Function {
-            content,
-            success: Some(true),
-        })
-    }
-}

codex-rs/core/src/tools/handlers/unified_exec.rs

@@ -1,71 +1,35 @@
-use std::time::Duration;
-
 use async_trait::async_trait;
 use serde::Deserialize;
-use serde::Serialize;
 
 use crate::function_tool::FunctionCallError;
-use crate::protocol::EventMsg;
-use crate::protocol::ExecCommandOutputDeltaEvent;
-use crate::protocol::ExecOutputStream;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
-use crate::tools::events::ToolEmitter;
-use crate::tools::events::ToolEventCtx;
-use crate::tools::events::ToolEventStage;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use crate::unified_exec::ExecCommandRequest;
-use crate::unified_exec::UnifiedExecContext;
-use crate::unified_exec::UnifiedExecResponse;
-use crate::unified_exec::UnifiedExecSessionManager;
-use crate::unified_exec::WriteStdinRequest;
+use crate::unified_exec::UnifiedExecRequest;
 
 pub struct UnifiedExecHandler;
 
-#[derive(Debug, Deserialize)]
-struct ExecCommandArgs {
-    cmd: String,
-    #[serde(default = "default_shell")]
-    shell: String,
-    #[serde(default = "default_login")]
-    login: bool,
+#[derive(Deserialize)]
+struct UnifiedExecArgs {
+    input: Vec<String>,
     #[serde(default)]
-    yield_time_ms: Option<u64>,
+    session_id: Option<String>,
     #[serde(default)]
-    max_output_tokens: Option<usize>,
-}
-
-#[derive(Debug, Deserialize)]
-struct WriteStdinArgs {
-    session_id: i32,
-    #[serde(default)]
-    chars: String,
-    #[serde(default)]
-    yield_time_ms: Option<u64>,
-    #[serde(default)]
-    max_output_tokens: Option<usize>,
-}
-
-fn default_shell() -> String {
-    "/bin/bash".to_string()
-}
-
-fn default_login() -> bool {
-    true
+    timeout_ms: Option<u64>,
 }
 
 #[async_trait]
 impl ToolHandler for UnifiedExecHandler {
     fn kind(&self) -> ToolKind {
-        ToolKind::Function
+        ToolKind::UnifiedExec
     }
 
     fn matches_kind(&self, payload: &ToolPayload) -> bool {
         matches!(
             payload,
-            ToolPayload::Function { .. } | ToolPayload::UnifiedExec { .. }
+            ToolPayload::UnifiedExec { .. } | ToolPayload::Function { .. }
         )
     }
 
@@ -73,15 +37,21 @@ impl ToolHandler for UnifiedExecHandler {
         let ToolInvocation {
             session,
             turn,
+            sub_id,
             call_id,
-            tool_name,
+            tool_name: _tool_name,
             payload,
             ..
         } = invocation;
 
-        let arguments = match payload {
-            ToolPayload::Function { arguments } => arguments,
-            ToolPayload::UnifiedExec { arguments } => arguments,
+        let args = match payload {
+            ToolPayload::UnifiedExec { arguments } | ToolPayload::Function { arguments } => {
+                serde_json::from_str::<UnifiedExecArgs>(&arguments).map_err(|err| {
+                    FunctionCallError::RespondToModel(format!(
+                        "failed to parse function arguments: {err:?}"
+                    ))
+                })?
+            }
             _ => {
                 return Err(FunctionCallError::RespondToModel(
                     "unified_exec handler received unsupported payload".to_string(),
@@ -89,81 +59,59 @@ impl ToolHandler for UnifiedExecHandler {
             }
         };
 
-        let manager: &UnifiedExecSessionManager = &session.services.unified_exec_manager;
-        let context = UnifiedExecContext::new(session.clone(), turn.clone(), call_id.clone());
+        let UnifiedExecArgs {
+            input,
+            session_id,
+            timeout_ms,
+        } = args;
 
-        let response = match tool_name.as_str() {
-            "exec_command" => {
-                let args: ExecCommandArgs = serde_json::from_str(&arguments).map_err(|err| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse exec_command arguments: {err:?}"
-                    ))
-                })?;
-
-                let event_ctx = ToolEventCtx::new(
-                    context.session.as_ref(),
-                    context.turn.as_ref(),
-                    &context.call_id,
-                    None,
-                );
-                let emitter =
-                    ToolEmitter::unified_exec(args.cmd.clone(), context.turn.cwd.clone(), true);
-                emitter.emit(event_ctx, ToolEventStage::Begin).await;
-
-                manager
-                    .exec_command(
-                        ExecCommandRequest {
-                            command: &args.cmd,
-                            shell: &args.shell,
-                            login: args.login,
-                            yield_time_ms: args.yield_time_ms,
-                            max_output_tokens: args.max_output_tokens,
-                        },
-                        &context,
-                    )
-                    .await
-                    .map_err(|err| {
-                        FunctionCallError::RespondToModel(format!("exec_command failed: {err:?}"))
-                    })?
-            }
-            "write_stdin" => {
-                let args: WriteStdinArgs = serde_json::from_str(&arguments).map_err(|err| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse write_stdin arguments: {err:?}"
-                    ))
-                })?;
-                manager
-                    .write_stdin(WriteStdinRequest {
-                        session_id: args.session_id,
-                        input: &args.chars,
-                        yield_time_ms: args.yield_time_ms,
-                        max_output_tokens: args.max_output_tokens,
-                    })
-                    .await
-                    .map_err(|err| {
-                        FunctionCallError::RespondToModel(format!("write_stdin failed: {err:?}"))
-                    })?
-            }
-            other => {
-                return Err(FunctionCallError::RespondToModel(format!(
-                    "unsupported unified exec function {other}"
-                )));
+        let parsed_session_id = if let Some(session_id) = session_id {
+            match session_id.parse::<i32>() {
+                Ok(parsed) => Some(parsed),
+                Err(output) => {
+                    return Err(FunctionCallError::RespondToModel(format!(
+                        "invalid session_id: {session_id} due to error {output:?}"
+                    )));
+                }
             }
+        } else {
+            None
         };
 
-        // Emit a delta event with the chunk of output we just produced, if any.
-        if !response.output.is_empty() {
-            let delta = ExecCommandOutputDeltaEvent {
-                call_id: response.event_call_id.clone(),
-                stream: ExecOutputStream::Stdout,
-                chunk: response.output.as_bytes().to_vec(),
-            };
-            session
-                .send_event(turn.as_ref(), EventMsg::ExecCommandOutputDelta(delta))
-                .await;
+        let request = UnifiedExecRequest {
+            input_chunks: &input,
+            timeout_ms,
+        };
+
+        let value = session
+            .services
+            .unified_exec_manager
+            .handle_request(
+                request,
+                crate::unified_exec::UnifiedExecContext {
+                    session: &session,
+                    turn: turn.as_ref(),
+                    sub_id: &sub_id,
+                    call_id: &call_id,
+                    session_id: parsed_session_id,
+                },
+            )
+            .await
+            .map_err(|err| {
+                FunctionCallError::RespondToModel(format!("unified exec failed: {err:?}"))
+            })?;
+
+        #[derive(serde::Serialize)]
+        struct SerializedUnifiedExecResult {
+            session_id: Option<String>,
+            output: String,
         }
 
-        let content = serialize_response(&response).map_err(|err| {
+        let content = serde_json::to_string(&SerializedUnifiedExecResult {
+            session_id: value.session_id.map(|id| id.to_string()),
+            output: value.output,
+        })
+        .map_err(|err| {
             FunctionCallError::RespondToModel(format!(
                 "failed to serialize unified exec output: {err:?}"
             ))
@@ -175,33 +123,3 @@ impl ToolHandler for UnifiedExecHandler {
         })
     }
 }
-
-#[derive(Serialize)]
-struct SerializedUnifiedExecResponse<'a> {
-    chunk_id: &'a str,
-    wall_time_seconds: f64,
-    output: &'a str,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    session_id: Option<i32>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    exit_code: Option<i32>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    original_token_count: Option<usize>,
-}
-
-fn serialize_response(response: &UnifiedExecResponse) -> Result<String, serde_json::Error> {
-    let payload = SerializedUnifiedExecResponse {
-        chunk_id: &response.chunk_id,
-        wall_time_seconds: duration_to_seconds(response.wall_time),
-        output: &response.output,
-        session_id: response.session_id,
-        exit_code: response.exit_code,
-        original_token_count: response.original_token_count,
-    };
-
-    serde_json::to_string(&payload)
-}
-
-fn duration_to_seconds(duration: Duration) -> f64 {
-    duration.as_secs_f64()
-}

codex-rs/core/src/tools/handlers/view_image.rs

@@ -3,14 +3,15 @@ use serde::Deserialize;
 use tokio::fs;
 
 use crate::function_tool::FunctionCallError;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use crate::protocol::InputItem;
 use crate::protocol::ViewImageToolCallEvent;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use codex_protocol::user_input::UserInput;
 
 pub struct ViewImageHandler;
 
@@ -30,6 +31,7 @@ impl ToolHandler for ViewImageHandler {
             session,
             turn,
             payload,
+            sub_id,
             call_id,
             ..
         } = invocation;
@@ -65,7 +67,7 @@ impl ToolHandler for ViewImageHandler {
         let event_path = abs_path.clone();
 
         session
-            .inject_input(vec![UserInput::LocalImage { path: abs_path }])
+            .inject_input(vec![InputItem::LocalImage { path: abs_path }])
             .await
             .map_err(|_| {
                 FunctionCallError::RespondToModel(
@@ -74,13 +76,13 @@ impl ToolHandler for ViewImageHandler {
             })?;
 
         session
-            .send_event(
-                turn.as_ref(),
-                EventMsg::ViewImageToolCall(ViewImageToolCallEvent {
+            .send_event(Event {
+                id: sub_id.to_string(),
+                msg: EventMsg::ViewImageToolCall(ViewImageToolCallEvent {
                     call_id,
                     path: event_path,
                 }),
-            )
+            })
             .await;
 
         Ok(ToolOutput::Function {

codex-rs/core/src/tools/mod.rs

@@ -9,11 +9,37 @@ pub mod runtimes;
 pub mod sandboxing;
 pub mod spec;
 
+use crate::apply_patch;
+use crate::apply_patch::InternalApplyPatchInvocation;
+use crate::apply_patch::convert_apply_patch_to_protocol;
+use crate::codex::Session;
+use crate::codex::TurnContext;
+use crate::error::CodexErr;
+use crate::error::SandboxErr;
+use crate::exec::ExecParams;
 use crate::exec::ExecToolCallOutput;
+use crate::function_tool::FunctionCallError;
+use crate::tools::context::SharedTurnDiffTracker;
+use crate::tools::events::ToolEmitter;
+use crate::tools::events::ToolEventCtx;
+use crate::tools::events::ToolEventFailure;
+use crate::tools::events::ToolEventStage;
+use crate::tools::orchestrator::ToolOrchestrator;
+use crate::tools::runtimes::apply_patch::ApplyPatchRequest;
+use crate::tools::runtimes::apply_patch::ApplyPatchRuntime;
+use crate::tools::runtimes::shell::ShellRequest;
+use crate::tools::runtimes::shell::ShellRuntime;
+use crate::tools::sandboxing::ToolCtx;
+use crate::tools::sandboxing::ToolError;
+use codex_apply_patch::MaybeApplyPatchVerified;
+use codex_apply_patch::maybe_parse_apply_patch_verified;
+use codex_protocol::protocol::AskForApproval;
 use codex_utils_string::take_bytes_at_char_boundary;
 use codex_utils_string::take_last_bytes_at_char_boundary;
 pub use router::ToolRouter;
 use serde::Serialize;
+use std::sync::Arc;
+use tracing::trace;
 
 // Model-formatting limits: clients get full streams; only content sent to the model is truncated.
 pub(crate) const MODEL_FORMAT_MAX_BYTES: usize = 10 * 1024; // 10 KiB
@@ -22,6 +48,199 @@ pub(crate) const MODEL_FORMAT_HEAD_LINES: usize = MODEL_FORMAT_MAX_LINES / 2;
 pub(crate) const MODEL_FORMAT_TAIL_LINES: usize = MODEL_FORMAT_MAX_LINES - MODEL_FORMAT_HEAD_LINES; // 128
 pub(crate) const MODEL_FORMAT_HEAD_BYTES: usize = MODEL_FORMAT_MAX_BYTES / 2;
 
+// Telemetry preview limits: keep log events smaller than model budgets.
+pub(crate) const TELEMETRY_PREVIEW_MAX_BYTES: usize = 2 * 1024; // 2 KiB
+pub(crate) const TELEMETRY_PREVIEW_MAX_LINES: usize = 64; // lines
+pub(crate) const TELEMETRY_PREVIEW_TRUNCATION_NOTICE: &str =
+    "[... telemetry preview truncated ...]";
+
+// TODO(jif) break this down
+pub(crate) async fn handle_container_exec_with_params(
+    tool_name: &str,
+    params: ExecParams,
+    sess: Arc<Session>,
+    turn_context: Arc<TurnContext>,
+    turn_diff_tracker: SharedTurnDiffTracker,
+    sub_id: String,
+    call_id: String,
+) -> Result<String, FunctionCallError> {
+    let _otel_event_manager = turn_context.client.get_otel_event_manager();
+
+    if params.with_escalated_permissions.unwrap_or(false)
+        && !matches!(turn_context.approval_policy, AskForApproval::OnRequest)
+    {
+        return Err(FunctionCallError::RespondToModel(format!(
+            "approval policy is {policy:?}; reject command — you should not ask for escalated permissions if the approval policy is {policy:?}",
+            policy = turn_context.approval_policy
+        )));
+    }
+
+    // check if this was a patch, and apply it if so
+    let apply_patch_exec = match maybe_parse_apply_patch_verified(&params.command, &params.cwd) {
+        MaybeApplyPatchVerified::Body(changes) => {
+            match apply_patch::apply_patch(
+                sess.as_ref(),
+                turn_context.as_ref(),
+                &sub_id,
+                &call_id,
+                changes,
+            )
+            .await
+            {
+                InternalApplyPatchInvocation::Output(item) => return item,
+                InternalApplyPatchInvocation::DelegateToExec(apply_patch_exec) => {
+                    Some(apply_patch_exec)
+                }
+            }
+        }
+        MaybeApplyPatchVerified::CorrectnessError(parse_error) => {
+            // It looks like an invocation of `apply_patch`, but we
+            // could not resolve it into a patch that would apply
+            // cleanly. Return to model for resample.
+            return Err(FunctionCallError::RespondToModel(format!(
+                "apply_patch verification failed: {parse_error}"
+            )));
+        }
+        MaybeApplyPatchVerified::ShellParseError(error) => {
+            trace!("Failed to parse shell command, {error:?}");
+            None
+        }
+        MaybeApplyPatchVerified::NotApplyPatch => None,
+    };
+
+    let (event_emitter, diff_opt) = match apply_patch_exec.as_ref() {
+        Some(exec) => (
+            ToolEmitter::apply_patch(
+                convert_apply_patch_to_protocol(&exec.action),
+                !exec.user_explicitly_approved_this_action,
+            ),
+            Some(&turn_diff_tracker),
+        ),
+        None => (
+            ToolEmitter::shell(params.command.clone(), params.cwd.clone()),
+            None,
+        ),
+    };
+
+    let event_ctx = ToolEventCtx::new(sess.as_ref(), &sub_id, &call_id, diff_opt);
+    event_emitter.emit(event_ctx, ToolEventStage::Begin).await;
+
+    // Build runtime contexts only when needed (shell/apply_patch below).
+
+    if let Some(exec) = apply_patch_exec {
+        // Route apply_patch execution through the new orchestrator/runtime.
+        let req = ApplyPatchRequest {
+            patch: exec.action.patch.clone(),
+            cwd: params.cwd.clone(),
+            timeout_ms: params.timeout_ms,
+            user_explicitly_approved: exec.user_explicitly_approved_this_action,
+            codex_exe: turn_context.codex_linux_sandbox_exe.clone(),
+        };
+
+        let mut orchestrator = ToolOrchestrator::new();
+        let mut runtime = ApplyPatchRuntime::new();
+        let tool_ctx = ToolCtx {
+            session: sess.as_ref(),
+            sub_id: sub_id.clone(),
+            call_id: call_id.clone(),
+            tool_name: tool_name.to_string(),
+        };
+
+        let out = orchestrator
+            .run(
+                &mut runtime,
+                &req,
+                &tool_ctx,
+                &turn_context,
+                turn_context.approval_policy,
+            )
+            .await;
+
+        handle_exec_outcome(&event_emitter, event_ctx, out).await
+    } else {
+        // Route shell execution through the new orchestrator/runtime.
+        let req = ShellRequest {
+            command: params.command.clone(),
+            cwd: params.cwd.clone(),
+            timeout_ms: params.timeout_ms,
+            env: params.env.clone(),
+            with_escalated_permissions: params.with_escalated_permissions,
+            justification: params.justification.clone(),
+        };
+
+        let mut orchestrator = ToolOrchestrator::new();
+        let mut runtime = ShellRuntime::new();
+        let tool_ctx = ToolCtx {
+            session: sess.as_ref(),
+            sub_id: sub_id.clone(),
+            call_id: call_id.clone(),
+            tool_name: tool_name.to_string(),
+        };
+
+        let out = orchestrator
+            .run(
+                &mut runtime,
+                &req,
+                &tool_ctx,
+                &turn_context,
+                turn_context.approval_policy,
+            )
+            .await;
+
+        handle_exec_outcome(&event_emitter, event_ctx, out).await
+    }
+}
+
+async fn handle_exec_outcome(
+    event_emitter: &ToolEmitter,
+    event_ctx: ToolEventCtx<'_>,
+    out: Result<ExecToolCallOutput, ToolError>,
+) -> Result<String, FunctionCallError> {
+    let event;
+    let result = match out {
+        Ok(output) => {
+            let content = format_exec_output_for_model(&output);
+            let exit_code = output.exit_code;
+            event = ToolEventStage::Success(output);
+            if exit_code == 0 {
+                Ok(content)
+            } else {
+                Err(FunctionCallError::RespondToModel(content))
+            }
+        }
+        Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output })))
+        | Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
+            let response = format_exec_output_for_model(&output);
+            event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
+            Err(FunctionCallError::RespondToModel(response))
+        }
+        Err(ToolError::Codex(err)) => {
+            let message = format!("execution error: {err:?}");
+            let response = format_exec_output(&message);
+            event = ToolEventStage::Failure(ToolEventFailure::Message(message));
+            Err(FunctionCallError::RespondToModel(format_exec_output(
+                &response,
+            )))
+        }
+        Err(ToolError::Rejected(msg)) | Err(ToolError::SandboxDenied(msg)) => {
+            // Normalize common rejection messages for exec tools so tests and
+            // users see a clear, consistent phrase.
+            let normalized = if msg == "rejected by user" {
+                "exec command rejected by user".to_string()
+            } else {
+                msg
+            };
+            let response = format_exec_output(&normalized);
+            event = ToolEventStage::Failure(ToolEventFailure::Message(normalized));
+            Err(FunctionCallError::RespondToModel(format_exec_output(
+                &response,
+            )))
+        }
+    };
+    event_emitter.emit(event_ctx, event).await;
+    result
+}
+
 /// Format the combined exec output for sending back to the model.
 /// Includes exit code and duration metadata; truncates large bodies safely.
 pub fn format_exec_output_for_model(exec_output: &ExecToolCallOutput) -> String {
@@ -111,37 +330,33 @@ fn truncate_formatted_exec_output(content: &str, total_lines: usize) -> String {
                 .map(|segment| segment.len())
                 .sum::<usize>()
     };
-    let head_slice = &content[..head_slice_end];
-    let tail_slice = &content[tail_slice_start..];
-    let truncated_by_bytes = content.len() > MODEL_FORMAT_MAX_BYTES;
-    let marker = if omitted > 0 {
-        Some(format!(
-            "\n[... omitted {omitted} of {total_lines} lines ...]\n\n"
-        ))
-    } else if truncated_by_bytes {
-        Some(format!(
-            "\n[... output truncated to fit {MODEL_FORMAT_MAX_BYTES} bytes ...]\n\n"
-        ))
-    } else {
-        None
-    };
+    let marker = format!("\n[... omitted {omitted} of {total_lines} lines ...]\n\n");
 
-    let marker_len = marker.as_ref().map_or(0, String::len);
-    let base_head_budget = MODEL_FORMAT_HEAD_BYTES.min(MODEL_FORMAT_MAX_BYTES);
-    let head_budget = base_head_budget.min(MODEL_FORMAT_MAX_BYTES.saturating_sub(marker_len));
+    // Byte budgets for head/tail around the marker
+    let mut head_budget = MODEL_FORMAT_HEAD_BYTES.min(MODEL_FORMAT_MAX_BYTES);
+    let tail_budget = MODEL_FORMAT_MAX_BYTES.saturating_sub(head_budget + marker.len());
+    if tail_budget == 0 && marker.len() >= MODEL_FORMAT_MAX_BYTES {
+        // Degenerate case: marker alone exceeds budget; return a clipped marker
+        return take_bytes_at_char_boundary(&marker, MODEL_FORMAT_MAX_BYTES).to_string();
+    }
+    if tail_budget == 0 {
+        // Make room for the marker by shrinking head
+        head_budget = MODEL_FORMAT_MAX_BYTES.saturating_sub(marker.len());
+    }
+
+    let head_slice = &content[..head_slice_end];
     let head_part = take_bytes_at_char_boundary(head_slice, head_budget);
     let mut result = String::with_capacity(MODEL_FORMAT_MAX_BYTES.min(content.len()));
 
     result.push_str(head_part);
-    if let Some(marker_text) = marker.as_ref() {
-        result.push_str(marker_text);
-    }
+    result.push_str(&marker);
 
     let remaining = MODEL_FORMAT_MAX_BYTES.saturating_sub(result.len());
     if remaining == 0 {
         return result;
     }
 
+    let tail_slice = &content[tail_slice_start..];
     let tail_part = take_last_bytes_at_char_boundary(tail_slice, remaining);
     result.push_str(tail_part);
 
@@ -151,7 +366,6 @@ fn truncate_formatted_exec_output(content: &str, total_lines: usize) -> String {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::function_tool::FunctionCallError;
     use regex_lite::Regex;
 
     fn truncate_function_error(err: FunctionCallError) -> FunctionCallError {
@@ -189,11 +403,6 @@ mod tests {
         let tail_take = MODEL_FORMAT_TAIL_LINES.min(total_lines.saturating_sub(head_take));
         let omitted = total_lines.saturating_sub(head_take + tail_take);
         let escaped_line = regex_lite::escape(line);
-        if omitted == 0 {
-            return format!(
-                r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} output truncated to fit {MODEL_FORMAT_MAX_BYTES} bytes \.{{3}}]\n\n.*)$",
-            );
-        }
         format!(
             r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} omitted {omitted} of {total_lines} lines \.{{3}}]\n\n.*)$",
         )
@@ -240,76 +449,4 @@ mod tests {
             other => panic!("unexpected error variant: {other:?}"),
         }
     }
-
-    #[test]
-    fn truncate_formatted_exec_output_marks_byte_truncation_without_omitted_lines() {
-        let long_line = "a".repeat(MODEL_FORMAT_MAX_BYTES + 50);
-        let truncated = format_exec_output(&long_line);
-
-        assert_ne!(truncated, long_line);
-        let marker_line =
-            format!("[... output truncated to fit {MODEL_FORMAT_MAX_BYTES} bytes ...]");
-        assert!(
-            truncated.contains(&marker_line),
-            "missing byte truncation marker: {truncated}"
-        );
-        assert!(
-            !truncated.contains("omitted"),
-            "line omission marker should not appear when no lines were dropped: {truncated}"
-        );
-    }
-
-    #[test]
-    fn truncate_formatted_exec_output_returns_original_when_within_limits() {
-        let content = "example output\n".repeat(10);
-
-        assert_eq!(format_exec_output(&content), content);
-    }
-
-    #[test]
-    fn truncate_formatted_exec_output_reports_omitted_lines_and_keeps_head_and_tail() {
-        let total_lines = MODEL_FORMAT_MAX_LINES + 100;
-        let content: String = (0..total_lines)
-            .map(|idx| format!("line-{idx}\n"))
-            .collect();
-
-        let truncated = format_exec_output(&content);
-        let omitted = total_lines - MODEL_FORMAT_MAX_LINES;
-        let expected_marker = format!("[... omitted {omitted} of {total_lines} lines ...]");
-
-        assert!(
-            truncated.contains(&expected_marker),
-            "missing omitted marker: {truncated}"
-        );
-        assert!(
-            truncated.contains("line-0\n"),
-            "expected head line to remain: {truncated}"
-        );
-
-        let last_line = format!("line-{}\n", total_lines - 1);
-        assert!(
-            truncated.contains(&last_line),
-            "expected tail line to remain: {truncated}"
-        );
-    }
-
-    #[test]
-    fn truncate_formatted_exec_output_prefers_line_marker_when_both_limits_exceeded() {
-        let total_lines = MODEL_FORMAT_MAX_LINES + 42;
-        let long_line = "x".repeat(256);
-        let content: String = (0..total_lines)
-            .map(|idx| format!("line-{idx}-{long_line}\n"))
-            .collect();
-
-        let truncated = format_exec_output(&content);
-
-        assert!(
-            truncated.contains("[... omitted 42 of 298 lines ...]"),
-            "expected omitted marker when line count exceeds limit: {truncated}"
-        );
-        assert!(
-            !truncated.contains("output truncated to fit"),
-            "line omission marker should take precedence over byte marker: {truncated}"
-        );
-    }
 }

codex-rs/core/src/tools/orchestrator.rs

@@ -53,7 +53,7 @@ impl ToolOrchestrator {
         if needs_initial_approval {
             let approval_ctx = ApprovalCtx {
                 session: tool_ctx.session,
-                turn: turn_ctx,
+                sub_id: &tool_ctx.sub_id,
                 call_id: &tool_ctx.call_id,
                 retry_reason: None,
             };
@@ -98,9 +98,9 @@ impl ToolOrchestrator {
                         "sandbox denied and no retry".to_string(),
                     ));
                 }
-                // Under `Never` or `OnRequest`, do not retry without sandbox; surface a concise message
+                // Under `Never`, do not retry without sandbox; surface a concise message
                 // derived from the actual output (platform-agnostic).
-                if !tool.wants_no_sandbox_approval(approval_policy) {
+                if matches!(approval_policy, AskForApproval::Never) {
                     let msg = build_never_denied_message_from_output(output.as_ref());
                     return Err(ToolError::SandboxDenied(msg));
                 }
@@ -110,7 +110,7 @@ impl ToolOrchestrator {
                     let reason_msg = build_denial_reason_from_output(output.as_ref());
                     let approval_ctx = ApprovalCtx {
                         session: tool_ctx.session,
-                        turn: turn_ctx,
+                        sub_id: &tool_ctx.sub_id,
                         call_id: &tool_ctx.call_id,
                         retry_reason: Some(reason_msg),
                     };

codex-rs/core/src/tools/parallel.rs

@@ -2,7 +2,6 @@ use std::sync::Arc;
 
 use tokio::sync::RwLock;
 use tokio_util::either::Either;
-use tokio_util::sync::CancellationToken;
 use tokio_util::task::AbortOnDropHandle;
 
 use crate::codex::Session;
@@ -10,10 +9,8 @@ use crate::codex::TurnContext;
 use crate::error::CodexErr;
 use crate::function_tool::FunctionCallError;
 use crate::tools::context::SharedTurnDiffTracker;
-use crate::tools::context::ToolPayload;
 use crate::tools::router::ToolCall;
 use crate::tools::router::ToolRouter;
-use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseInputItem;
 
 pub(crate) struct ToolCallRuntime {
@@ -21,6 +18,7 @@ pub(crate) struct ToolCallRuntime {
     session: Arc<Session>,
     turn_context: Arc<TurnContext>,
     tracker: SharedTurnDiffTracker,
+    sub_id: String,
     parallel_execution: Arc<RwLock<()>>,
 }
 
@@ -30,12 +28,14 @@ impl ToolCallRuntime {
         session: Arc<Session>,
         turn_context: Arc<TurnContext>,
         tracker: SharedTurnDiffTracker,
+        sub_id: String,
     ) -> Self {
         Self {
             router,
             session,
             turn_context,
             tracker,
+            sub_id,
             parallel_execution: Arc::new(RwLock::new(())),
         }
     }
@@ -43,7 +43,6 @@ impl ToolCallRuntime {
     pub(crate) fn handle_tool_call(
         &self,
         call: ToolCall,
-        cancellation_token: CancellationToken,
     ) -> impl std::future::Future<Output = Result<ResponseInputItem, CodexErr>> {
         let supports_parallel = self.router.tool_supports_parallel(&call.tool_name);
 
@@ -51,25 +50,20 @@ impl ToolCallRuntime {
         let session = Arc::clone(&self.session);
         let turn = Arc::clone(&self.turn_context);
         let tracker = Arc::clone(&self.tracker);
+        let sub_id = self.sub_id.clone();
         let lock = Arc::clone(&self.parallel_execution);
-        let aborted_response = Self::aborted_response(&call);
 
         let handle: AbortOnDropHandle<Result<ResponseInputItem, FunctionCallError>> =
             AbortOnDropHandle::new(tokio::spawn(async move {
-                tokio::select! {
-                    _ = cancellation_token.cancelled() => Ok(aborted_response),
-                    res = async {
-                        let _guard = if supports_parallel {
-                            Either::Left(lock.read().await)
-                        } else {
-                            Either::Right(lock.write().await)
-                        };
+                let _guard = if supports_parallel {
+                    Either::Left(lock.read().await)
+                } else {
+                    Either::Right(lock.write().await)
+                };
 
-                        router
-                            .dispatch_tool_call(session, turn, tracker, call)
-                            .await
-                    } => res,
-                }
+                router
+                    .dispatch_tool_call(session, turn, tracker, sub_id, call)
+                    .await
             }));
 
         async move {
@@ -84,25 +78,3 @@ impl ToolCallRuntime {
         }
     }
 }
-
-impl ToolCallRuntime {
-    fn aborted_response(call: &ToolCall) -> ResponseInputItem {
-        match &call.payload {
-            ToolPayload::Custom { .. } => ResponseInputItem::CustomToolCallOutput {
-                call_id: call.call_id.clone(),
-                output: "aborted".to_string(),
-            },
-            ToolPayload::Mcp { .. } => ResponseInputItem::McpToolCallOutput {
-                call_id: call.call_id.clone(),
-                result: Err("aborted".to_string()),
-            },
-            _ => ResponseInputItem::FunctionCallOutput {
-                call_id: call.call_id.clone(),
-                output: FunctionCallOutputPayload {
-                    content: "aborted".to_string(),
-                    success: None,
-                },
-            },
-        }
-    }
-}

codex-rs/core/src/tools/registry.rs

@@ -15,6 +15,7 @@ use crate::tools::context::ToolPayload;
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
 pub enum ToolKind {
     Function,
+    UnifiedExec,
     Mcp,
 }
 
@@ -26,6 +27,7 @@ pub trait ToolHandler: Send + Sync {
         matches!(
             (self.kind(), payload),
             (ToolKind::Function, ToolPayload::Function { .. })
+                | (ToolKind::UnifiedExec, ToolPayload::UnifiedExec { .. })
                 | (ToolKind::Mcp, ToolPayload::Mcp { .. })
         )
     }

codex-rs/core/src/tools/router.rs

@@ -134,6 +134,7 @@ impl ToolRouter {
         session: Arc<Session>,
         turn: Arc<TurnContext>,
         tracker: SharedTurnDiffTracker,
+        sub_id: String,
         call: ToolCall,
     ) -> Result<ResponseInputItem, FunctionCallError> {
         let ToolCall {
@@ -148,6 +149,7 @@ impl ToolRouter {
             session,
             turn,
             tracker,
+            sub_id,
             call_id,
             tool_name,
             payload,

codex-rs/core/src/tools/runtimes/apply_patch.rs

@@ -17,7 +17,6 @@ use crate::tools::sandboxing::ToolCtx;
 use crate::tools::sandboxing::ToolError;
 use crate::tools::sandboxing::ToolRuntime;
 use crate::tools::sandboxing::with_cached_approval;
-use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::ReviewDecision;
 use futures::future::BoxFuture;
 use std::collections::HashMap;
@@ -69,7 +68,7 @@ impl ApplyPatchRuntime {
 
     fn stdout_stream(ctx: &ToolCtx<'_>) -> Option<crate::exec::StdoutStream> {
         Some(crate::exec::StdoutStream {
-            sub_id: ctx.turn.sub_id.clone(),
+            sub_id: ctx.sub_id.clone(),
             call_id: ctx.call_id.clone(),
             tx_event: ctx.session.get_tx_event(),
         })
@@ -102,7 +101,7 @@ impl Approvable<ApplyPatchRequest> for ApplyPatchRuntime {
     ) -> BoxFuture<'a, ReviewDecision> {
         let key = self.approval_key(req);
         let session = ctx.session;
-        let turn = ctx.turn;
+        let sub_id = ctx.sub_id.to_string();
         let call_id = ctx.call_id.to_string();
         let cwd = req.cwd.clone();
         let retry_reason = ctx.retry_reason.clone();
@@ -112,7 +111,7 @@ impl Approvable<ApplyPatchRequest> for ApplyPatchRuntime {
                 if let Some(reason) = retry_reason {
                     session
                         .request_command_approval(
-                            turn,
+                            sub_id,
                             call_id,
                             vec!["apply_patch".to_string()],
                             cwd,
@@ -128,10 +127,6 @@ impl Approvable<ApplyPatchRequest> for ApplyPatchRuntime {
             .await
         })
     }
-
-    fn wants_no_sandbox_approval(&self, policy: AskForApproval) -> bool {
-        !matches!(policy, AskForApproval::Never)
-    }
 }
 
 impl ToolRuntime<ApplyPatchRequest, ExecToolCallOutput> for ApplyPatchRuntime {

codex-rs/core/src/tools/runtimes/shell.rs

@@ -51,7 +51,7 @@ impl ShellRuntime {
 
     fn stdout_stream(ctx: &ToolCtx<'_>) -> Option<crate::exec::StdoutStream> {
         Some(crate::exec::StdoutStream {
-            sub_id: ctx.turn.sub_id.clone(),
+            sub_id: ctx.sub_id.clone(),
             call_id: ctx.call_id.clone(),
             tx_event: ctx.session.get_tx_event(),
         })
@@ -91,12 +91,12 @@ impl Approvable<ShellRequest> for ShellRuntime {
             .clone()
             .or_else(|| req.justification.clone());
         let session = ctx.session;
-        let turn = ctx.turn;
+        let sub_id = ctx.sub_id.to_string();
         let call_id = ctx.call_id.to_string();
         Box::pin(async move {
             with_cached_approval(&session.services, key, || async move {
                 session
-                    .request_command_approval(turn, call_id, command, cwd, reason)
+                    .request_command_approval(sub_id, call_id, command, cwd, reason)
                     .await
             })
             .await

codex-rs/core/src/tools/runtimes/unified_exec.rs

@@ -80,7 +80,7 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
     ) -> BoxFuture<'b, ReviewDecision> {
         let key = self.approval_key(req);
         let session = ctx.session;
-        let turn = ctx.turn;
+        let sub_id = ctx.sub_id.to_string();
         let call_id = ctx.call_id.to_string();
         let command = req.command.clone();
         let cwd = req.cwd.clone();
@@ -88,7 +88,7 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
         Box::pin(async move {
             with_cached_approval(&session.services, key, || async move {
                 session
-                    .request_command_approval(turn, call_id, command, cwd, reason)
+                    .request_command_approval(sub_id, call_id, command, cwd, reason)
                     .await
             })
             .await

codex-rs/core/src/tools/sandboxing.rs

@@ -5,7 +5,6 @@
 //! and helpers (`Sandboxable`, `ToolRuntime`, `SandboxAttempt`, etc.).
 
 use crate::codex::Session;
-use crate::codex::TurnContext;
 use crate::error::CodexErr;
 use crate::protocol::SandboxPolicy;
 use crate::sandboxing::CommandSpec;
@@ -78,7 +77,7 @@ where
 #[derive(Clone)]
 pub(crate) struct ApprovalCtx<'a> {
     pub session: &'a Session,
-    pub turn: &'a TurnContext,
+    pub sub_id: &'a str,
     pub call_id: &'a str,
     pub retry_reason: Option<String>,
 }
@@ -121,11 +120,6 @@ pub(crate) trait Approvable<Req> {
         }
     }
 
-    /// Decide we can request an approval for no-sandbox execution.
-    fn wants_no_sandbox_approval(&self, policy: AskForApproval) -> bool {
-        !matches!(policy, AskForApproval::Never | AskForApproval::OnRequest)
-    }
-
     fn start_approval_async<'a>(
         &'a mut self,
         req: &'a Req,
@@ -151,7 +145,7 @@ pub(crate) trait Sandboxable {
 
 pub(crate) struct ToolCtx<'a> {
     pub session: &'a Session,
-    pub turn: &'a TurnContext,
+    pub sub_id: String,
     pub call_id: String,
     pub tool_name: String,
 }

codex-rs/core/src/tools/spec.rs

@@ -25,6 +25,7 @@ pub enum ConfigShellToolType {
 #[derive(Debug, Clone)]
 pub(crate) struct ToolsConfig {
     pub shell_type: ConfigShellToolType,
+    pub plan_tool: bool,
     pub apply_patch_tool_type: Option<ApplyPatchToolType>,
     pub web_search_request: bool,
     pub include_view_image_tool: bool,
@@ -45,6 +46,7 @@ impl ToolsConfig {
         } = params;
         let use_streamable_shell_tool = features.enabled(Feature::StreamableShell);
         let experimental_unified_exec_tool = features.enabled(Feature::UnifiedExec);
+        let include_plan_tool = features.enabled(Feature::PlanTool);
         let include_apply_patch_tool = features.enabled(Feature::ApplyPatchFreeform);
         let include_web_search_request = features.enabled(Feature::WebSearchRequest);
         let include_view_image_tool = features.enabled(Feature::ViewImageTool);
@@ -71,6 +73,7 @@ impl ToolsConfig {
 
         Self {
             shell_type,
+            plan_tool: include_plan_tool,
             apply_patch_tool_type,
             web_search_request: include_web_search_request,
             include_view_image_tool,
@@ -136,99 +139,48 @@ impl From<JsonSchema> for AdditionalProperties {
     }
 }
 
-fn create_exec_command_tool() -> ToolSpec {
+fn create_unified_exec_tool() -> ToolSpec {
     let mut properties = BTreeMap::new();
     properties.insert(
-        "cmd".to_string(),
-        JsonSchema::String {
-            description: Some("Shell command to execute.".to_string()),
-        },
-    );
-    properties.insert(
-        "shell".to_string(),
-        JsonSchema::String {
-            description: Some("Shell binary to launch. Defaults to /bin/bash.".to_string()),
-        },
-    );
-    properties.insert(
-        "login".to_string(),
-        JsonSchema::Boolean {
+        "input".to_string(),
+        JsonSchema::Array {
+            items: Box::new(JsonSchema::String { description: None }),
             description: Some(
-                "Whether to run the shell with -l/-i semantics. Defaults to true.".to_string(),
+                "When no session_id is provided, treat the array as the command and arguments \
+                 to launch. When session_id is set, concatenate the strings (in order) and write \
+                 them to the session's stdin."
+                    .to_string(),
             ),
         },
     );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
-            description: Some(
-                "How long to wait (in milliseconds) for output before yielding.".to_string(),
-            ),
-        },
-    );
-    properties.insert(
-        "max_output_tokens".to_string(),
-        JsonSchema::Number {
-            description: Some(
-                "Maximum number of tokens to return. Excess output will be truncated.".to_string(),
-            ),
-        },
-    );
-
-    ToolSpec::Function(ResponsesApiTool {
-        name: "exec_command".to_string(),
-        description:
-            "Runs a command in a PTY, returning output or a session ID for ongoing interaction."
-                .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["cmd".to_string()]),
-            additional_properties: Some(false.into()),
-        },
-    })
-}
-
-fn create_write_stdin_tool() -> ToolSpec {
-    let mut properties = BTreeMap::new();
     properties.insert(
         "session_id".to_string(),
-        JsonSchema::Number {
-            description: Some("Identifier of the running unified exec session.".to_string()),
-        },
-    );
-    properties.insert(
-        "chars".to_string(),
         JsonSchema::String {
-            description: Some("Bytes to write to stdin (may be empty to poll).".to_string()),
-        },
-    );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
             description: Some(
-                "How long to wait (in milliseconds) for output before yielding.".to_string(),
+                "Identifier for an existing interactive session. If omitted, a new command \
+                 is spawned."
+                    .to_string(),
             ),
         },
     );
     properties.insert(
-        "max_output_tokens".to_string(),
+        "timeout_ms".to_string(),
         JsonSchema::Number {
             description: Some(
-                "Maximum number of tokens to return. Excess output will be truncated.".to_string(),
+                "Maximum time in milliseconds to wait for output after writing the input."
+                    .to_string(),
             ),
         },
     );
 
     ToolSpec::Function(ResponsesApiTool {
-        name: "write_stdin".to_string(),
+        name: "unified_exec".to_string(),
         description:
-            "Writes characters to an existing unified exec session and returns recent output."
-                .to_string(),
+            "Runs a command in a PTY. Provide a session_id to reuse an existing interactive session.".to_string(),
         strict: false,
         parameters: JsonSchema::Object {
             properties,
-            required: Some(vec!["session_id".to_string()]),
+            required: Some(vec!["input".to_string()]),
             additional_properties: Some(false.into()),
         },
     })
@@ -890,20 +842,19 @@ pub(crate) fn build_specs(
         || matches!(config.shell_type, ConfigShellToolType::Streamable);
 
     if use_unified_exec {
-        builder.push_spec(create_exec_command_tool());
-        builder.push_spec(create_write_stdin_tool());
-        builder.register_handler("exec_command", unified_exec_handler.clone());
-        builder.register_handler("write_stdin", unified_exec_handler);
-    }
-    match &config.shell_type {
-        ConfigShellToolType::Default => {
-            builder.push_spec(create_shell_tool());
-        }
-        ConfigShellToolType::Local => {
-            builder.push_spec(ToolSpec::LocalShell {});
-        }
-        ConfigShellToolType::Streamable => {
-            // Already handled by use_unified_exec.
+        builder.push_spec(create_unified_exec_tool());
+        builder.register_handler("unified_exec", unified_exec_handler);
+    } else {
+        match &config.shell_type {
+            ConfigShellToolType::Default => {
+                builder.push_spec(create_shell_tool());
+            }
+            ConfigShellToolType::Local => {
+                builder.push_spec(ToolSpec::LocalShell {});
+            }
+            ConfigShellToolType::Streamable => {
+                // Already handled by use_unified_exec.
+            }
         }
     }
 
@@ -919,8 +870,10 @@ pub(crate) fn build_specs(
     builder.register_handler("list_mcp_resource_templates", mcp_resource_handler.clone());
     builder.register_handler("read_mcp_resource", mcp_resource_handler);
 
-    builder.push_spec(PLAN_TOOL.clone());
-    builder.register_handler("update_plan", plan_handler);
+    if config.plan_tool {
+        builder.push_spec(PLAN_TOOL.clone());
+        builder.register_handler("update_plan", plan_handler);
+    }
 
     if let Some(apply_patch_tool_type) = &config.apply_patch_tool_type {
         match apply_patch_tool_type {
@@ -1019,33 +972,22 @@ mod tests {
         }
     }
 
-    // Avoid order-based assertions; compare via set containment instead.
-    fn assert_contains_tool_names(tools: &[ConfiguredToolSpec], expected_subset: &[&str]) {
-        use std::collections::HashSet;
-        let mut names = HashSet::new();
-        let mut duplicates = Vec::new();
-        for name in tools.iter().map(|t| tool_name(&t.spec)) {
-            if !names.insert(name) {
-                duplicates.push(name);
-            }
-        }
-        assert!(
-            duplicates.is_empty(),
-            "duplicate tool entries detected: {duplicates:?}"
-        );
-        for expected in expected_subset {
-            assert!(
-                names.contains(expected),
-                "expected tool {expected} to be present; had: {names:?}"
-            );
-        }
-    }
+    fn assert_eq_tool_names(tools: &[ConfiguredToolSpec], expected_names: &[&str]) {
+        let tool_names = tools
+            .iter()
+            .map(|tool| tool_name(&tool.spec))
+            .collect::<Vec<_>>();
 
-    fn shell_tool_name(config: &ToolsConfig) -> Option<&'static str> {
-        match config.shell_type {
-            ConfigShellToolType::Default => Some("shell"),
-            ConfigShellToolType::Local => Some("local_shell"),
-            ConfigShellToolType::Streamable => None,
+        assert_eq!(
+            tool_names.len(),
+            expected_names.len(),
+            "tool_name mismatch, {tool_names:?}, {expected_names:?}",
+        );
+        for (name, expected_name) in tool_names.iter().zip(expected_names.iter()) {
+            assert_eq!(
+                name, expected_name,
+                "tool_name mismatch, {name:?}, {expected_name:?}"
+            );
         }
     }
 
@@ -1059,108 +1001,12 @@ mod tests {
             .unwrap_or_else(|| panic!("expected tool {expected_name}"))
     }
 
-    fn strip_descriptions_schema(schema: &mut JsonSchema) {
-        match schema {
-            JsonSchema::Boolean { description }
-            | JsonSchema::String { description }
-            | JsonSchema::Number { description } => {
-                *description = None;
-            }
-            JsonSchema::Array { items, description } => {
-                strip_descriptions_schema(items);
-                *description = None;
-            }
-            JsonSchema::Object {
-                properties,
-                required: _,
-                additional_properties,
-            } => {
-                for v in properties.values_mut() {
-                    strip_descriptions_schema(v);
-                }
-                if let Some(AdditionalProperties::Schema(s)) = additional_properties {
-                    strip_descriptions_schema(s);
-                }
-            }
-        }
-    }
-
-    fn strip_descriptions_tool(spec: &mut ToolSpec) {
-        match spec {
-            ToolSpec::Function(ResponsesApiTool { parameters, .. }) => {
-                strip_descriptions_schema(parameters);
-            }
-            ToolSpec::Freeform(_) | ToolSpec::LocalShell {} | ToolSpec::WebSearch {} => {}
-        }
-    }
-
     #[test]
-    fn test_full_toolset_specs_for_gpt5_codex() {
-        let model_family = find_family_for_model("gpt-5-codex")
-            .expect("gpt-5-codex should be a valid model family");
-        let mut features = Features::with_defaults();
-        features.enable(Feature::UnifiedExec);
-        features.enable(Feature::WebSearchRequest);
-        features.enable(Feature::ViewImageTool);
-        let config = ToolsConfig::new(&ToolsConfigParams {
-            model_family: &model_family,
-            features: &features,
-        });
-        let (tools, _) = build_specs(&config, None).build();
-
-        // Build actual map name -> spec
-        use std::collections::BTreeMap;
-        use std::collections::HashSet;
-        let mut actual: BTreeMap<String, ToolSpec> = BTreeMap::new();
-        let mut duplicate_names = Vec::new();
-        for t in &tools {
-            let name = tool_name(&t.spec).to_string();
-            if actual.insert(name.clone(), t.spec.clone()).is_some() {
-                duplicate_names.push(name);
-            }
-        }
-        assert!(
-            duplicate_names.is_empty(),
-            "duplicate tool entries detected: {duplicate_names:?}"
-        );
-
-        // Build expected from the same helpers used by the builder.
-        let mut expected: BTreeMap<String, ToolSpec> = BTreeMap::new();
-        for spec in [
-            create_exec_command_tool(),
-            create_write_stdin_tool(),
-            create_shell_tool(),
-            create_list_mcp_resources_tool(),
-            create_list_mcp_resource_templates_tool(),
-            create_read_mcp_resource_tool(),
-            PLAN_TOOL.clone(),
-            create_apply_patch_freeform_tool(),
-            ToolSpec::WebSearch {},
-            create_view_image_tool(),
-        ] {
-            expected.insert(tool_name(&spec).to_string(), spec);
-        }
-
-        // Exact name set match — this is the only test allowed to fail when tools change.
-        let actual_names: HashSet<_> = actual.keys().cloned().collect();
-        let expected_names: HashSet<_> = expected.keys().cloned().collect();
-        assert_eq!(actual_names, expected_names, "tool name set mismatch");
-
-        // Compare specs ignoring human-readable descriptions.
-        for name in expected.keys() {
-            let mut a = actual.get(name).expect("present").clone();
-            let mut e = expected.get(name).expect("present").clone();
-            strip_descriptions_tool(&mut a);
-            strip_descriptions_tool(&mut e);
-            assert_eq!(a, e, "spec mismatch for {name}");
-        }
-    }
-
-    #[test]
-    fn test_build_specs_contains_expected_basics() {
+    fn test_build_specs() {
         let model_family = find_family_for_model("codex-mini-latest")
             .expect("codex-mini-latest should be a valid model family");
         let mut features = Features::with_defaults();
+        features.enable(Feature::PlanTool);
         features.enable(Feature::WebSearchRequest);
         features.enable(Feature::UnifiedExec);
         let config = ToolsConfig::new(&ToolsConfigParams {
@@ -1168,27 +1014,26 @@ mod tests {
             features: &features,
         });
         let (tools, _) = build_specs(&config, Some(HashMap::new())).build();
-        let tool_names = tools.iter().map(|t| t.spec.name()).collect::<Vec<_>>();
-        assert_eq!(
-            &tool_names,
+
+        assert_eq_tool_names(
+            &tools,
             &[
-                "exec_command",
-                "write_stdin",
-                "local_shell",
+                "unified_exec",
                 "list_mcp_resources",
                 "list_mcp_resource_templates",
                 "read_mcp_resource",
                 "update_plan",
                 "web_search",
                 "view_image",
-            ]
+            ],
         );
     }
 
     #[test]
-    fn test_build_specs_default_shell_present() {
+    fn test_build_specs_default_shell() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
         let mut features = Features::with_defaults();
+        features.enable(Feature::PlanTool);
         features.enable(Feature::WebSearchRequest);
         features.enable(Feature::UnifiedExec);
         let config = ToolsConfig::new(&ToolsConfigParams {
@@ -1197,12 +1042,18 @@ mod tests {
         });
         let (tools, _) = build_specs(&config, Some(HashMap::new())).build();
 
-        // Only check the shell variant and a couple of core tools.
-        let mut subset = vec!["exec_command", "write_stdin", "update_plan"];
-        if let Some(shell_tool) = shell_tool_name(&config) {
-            subset.push(shell_tool);
-        }
-        assert_contains_tool_names(&tools, &subset);
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "web_search",
+                "view_image",
+            ],
+        );
     }
 
     #[test]
@@ -1219,8 +1070,7 @@ mod tests {
         });
         let (tools, _) = build_specs(&config, None).build();
 
-        assert!(!find_tool(&tools, "exec_command").supports_parallel_tool_calls);
-        assert!(!find_tool(&tools, "write_stdin").supports_parallel_tool_calls);
+        assert!(!find_tool(&tools, "unified_exec").supports_parallel_tool_calls);
         assert!(find_tool(&tools, "grep_files").supports_parallel_tool_calls);
         assert!(find_tool(&tools, "list_dir").supports_parallel_tool_calls);
         assert!(find_tool(&tools, "read_file").supports_parallel_tool_calls);
@@ -1257,7 +1107,7 @@ mod tests {
     }
 
     #[test]
-    fn test_build_specs_mcp_tools_converted() {
+    fn test_build_specs_mcp_tools() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
         let mut features = Features::with_defaults();
         features.enable(Feature::UnifiedExec);
@@ -1305,6 +1155,19 @@ mod tests {
         )
         .build();
 
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "web_search",
+                "view_image",
+                "test_server/do_something_cool",
+            ],
+        );
+
         let tool = find_tool(&tools, "test_server/do_something_cool");
         assert_eq!(
             &tool.spec,
@@ -1410,19 +1273,20 @@ mod tests {
         ]);
 
         let (tools, _) = build_specs(&config, Some(tools_map)).build();
-
-        // Only assert that the MCP tools themselves are sorted by fully-qualified name.
-        let mcp_names: Vec<_> = tools
-            .iter()
-            .map(|t| tool_name(&t.spec).to_string())
-            .filter(|n| n.starts_with("test_server/"))
-            .collect();
-        let expected = vec![
-            "test_server/cool".to_string(),
-            "test_server/do".to_string(),
-            "test_server/something".to_string(),
-        ];
-        assert_eq!(mcp_names, expected);
+        // Expect unified_exec first, followed by MCP tools sorted by fully-qualified name.
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "view_image",
+                "test_server/cool",
+                "test_server/do",
+                "test_server/something",
+            ],
+        );
     }
 
     #[test]
@@ -1461,9 +1325,22 @@ mod tests {
         )
         .build();
 
-        let tool = find_tool(&tools, "dash/search");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/search",
+            ],
+        );
+
         assert_eq!(
-            tool.spec,
+            tools[7].spec,
             ToolSpec::Function(ResponsesApiTool {
                 name: "dash/search".to_string(),
                 parameters: JsonSchema::Object {
@@ -1516,9 +1393,21 @@ mod tests {
         )
         .build();
 
-        let tool = find_tool(&tools, "dash/paginate");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/paginate",
+            ],
+        );
         assert_eq!(
-            tool.spec,
+            tools[7].spec,
             ToolSpec::Function(ResponsesApiTool {
                 name: "dash/paginate".to_string(),
                 parameters: JsonSchema::Object {
@@ -1570,9 +1459,21 @@ mod tests {
         )
         .build();
 
-        let tool = find_tool(&tools, "dash/tags");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/tags",
+            ],
+        );
         assert_eq!(
-            tool.spec,
+            tools[7].spec,
             ToolSpec::Function(ResponsesApiTool {
                 name: "dash/tags".to_string(),
                 parameters: JsonSchema::Object {
@@ -1626,9 +1527,21 @@ mod tests {
         )
         .build();
 
-        let tool = find_tool(&tools, "dash/value");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/value",
+            ],
+        );
         assert_eq!(
-            tool.spec,
+            tools[7].spec,
             ToolSpec::Function(ResponsesApiTool {
                 name: "dash/value".to_string(),
                 parameters: JsonSchema::Object {
@@ -1719,9 +1632,22 @@ mod tests {
         )
         .build();
 
-        let tool = find_tool(&tools, "test_server/do_something_cool");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "test_server/do_something_cool",
+            ],
+        );
+
         assert_eq!(
-            tool.spec,
+            tools[7].spec,
             ToolSpec::Function(ResponsesApiTool {
                 name: "test_server/do_something_cool".to_string(),
                 parameters: JsonSchema::Object {

codex-rs/core/src/truncate.rs

@@ -1,35 +1,18 @@
 //! Utilities for truncating large chunks of output while preserving a prefix
 //! and suffix on UTF-8 boundaries.
 
-use codex_utils_tokenizer::Tokenizer;
-
 /// Truncate the middle of a UTF-8 string to at most `max_bytes` bytes,
 /// preserving the beginning and the end. Returns the possibly truncated
-/// string and `Some(original_token_count)` (counted with the local tokenizer;
-/// falls back to a 4-bytes-per-token estimate if the tokenizer cannot load)
+/// string and `Some(original_token_count)` (estimated at 4 bytes/token)
 /// if truncation occurred; otherwise returns the original string and `None`.
 pub(crate) fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>) {
     if s.len() <= max_bytes {
         return (s.to_string(), None);
     }
 
-    // Build a tokenizer for counting (default to o200k_base; fall back to cl100k_base).
-    // If both fail, fall back to a 4-bytes-per-token estimate.
-    let tok = Tokenizer::try_default().ok();
-    let token_count = |text: &str| -> u64 {
-        if let Some(ref t) = tok {
-            t.count(text) as u64
-        } else {
-            (text.len() as u64).div_ceil(4)
-        }
-    };
-
-    let total_tokens = token_count(s);
+    let est_tokens = (s.len() as u64).div_ceil(4);
     if max_bytes == 0 {
-        return (
-            format!("…{total_tokens} tokens truncated…"),
-            Some(total_tokens),
-        );
+        return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
     }
 
     fn truncate_on_boundary(input: &str, max_len: usize) -> &str {
@@ -67,17 +50,13 @@ pub(crate) fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>
         idx
     }
 
-    // Iterate to stabilize marker length → keep budget → boundaries.
-    let mut guess_tokens: u64 = 1;
+    let mut guess_tokens = est_tokens;
     for _ in 0..4 {
         let marker = format!("…{guess_tokens} tokens truncated…");
         let marker_len = marker.len();
         let keep_budget = max_bytes.saturating_sub(marker_len);
         if keep_budget == 0 {
-            return (
-                format!("…{total_tokens} tokens truncated…"),
-                Some(total_tokens),
-            );
+            return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
         }
 
         let left_budget = keep_budget / 2;
@@ -88,72 +67,59 @@ pub(crate) fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>
             suffix_start = prefix_end;
         }
 
-        // Tokens actually removed (middle slice) using the real tokenizer.
-        let removed_tokens = token_count(&s[prefix_end..suffix_start]);
+        let kept_content_bytes = prefix_end + (s.len() - suffix_start);
+        let truncated_content_bytes = s.len().saturating_sub(kept_content_bytes);
+        let new_tokens = (truncated_content_bytes as u64).div_ceil(4);
 
-        // If the number of digits in the token count does not change the marker length,
-        // we can finalize output.
-        let final_marker = format!("…{removed_tokens} tokens truncated…");
-        if final_marker.len() == marker_len {
-            let kept_content_bytes = prefix_end + (s.len() - suffix_start);
-            let mut out = String::with_capacity(final_marker.len() + kept_content_bytes + 1);
+        if new_tokens == guess_tokens {
+            let mut out = String::with_capacity(marker_len + kept_content_bytes + 1);
             out.push_str(&s[..prefix_end]);
-            out.push_str(&final_marker);
+            out.push_str(&marker);
             out.push('\n');
             out.push_str(&s[suffix_start..]);
-            return (out, Some(total_tokens));
+            return (out, Some(est_tokens));
         }
 
-        guess_tokens = removed_tokens;
+        guess_tokens = new_tokens;
     }
 
-    // Fallback build after iterations: compute with the last guess.
     let marker = format!("…{guess_tokens} tokens truncated…");
     let marker_len = marker.len();
     let keep_budget = max_bytes.saturating_sub(marker_len);
     if keep_budget == 0 {
-        return (
-            format!("…{total_tokens} tokens truncated…"),
-            Some(total_tokens),
-        );
+        return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
     }
 
     let left_budget = keep_budget / 2;
     let right_budget = keep_budget - left_budget;
     let prefix_end = pick_prefix_end(s, left_budget);
-    let mut suffix_start = pick_suffix_start(s, right_budget);
-    if suffix_start < prefix_end {
-        suffix_start = prefix_end;
-    }
+    let suffix_start = pick_suffix_start(s, right_budget);
 
     let mut out = String::with_capacity(marker_len + prefix_end + (s.len() - suffix_start) + 1);
     out.push_str(&s[..prefix_end]);
     out.push_str(&marker);
     out.push('\n');
     out.push_str(&s[suffix_start..]);
-    (out, Some(total_tokens))
+    (out, Some(est_tokens))
 }
 
 #[cfg(test)]
 mod tests {
     use super::truncate_middle;
-    use codex_utils_tokenizer::Tokenizer;
 
     #[test]
     fn truncate_middle_no_newlines_fallback() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
         let s = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ*";
         let max_bytes = 32;
         let (out, original) = truncate_middle(s, max_bytes);
         assert!(out.starts_with("abc"));
         assert!(out.contains("tokens truncated"));
         assert!(out.ends_with("XYZ*"));
-        assert_eq!(original, Some(tok.count(s) as u64));
+        assert_eq!(original, Some((s.len() as u64).div_ceil(4)));
     }
 
     #[test]
     fn truncate_middle_prefers_newline_boundaries() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
         let mut s = String::new();
         for i in 1..=20 {
             s.push_str(&format!("{i:03}\n"));
@@ -165,36 +131,50 @@ mod tests {
         assert!(out.starts_with("001\n002\n003\n004\n"));
         assert!(out.contains("tokens truncated"));
         assert!(out.ends_with("017\n018\n019\n020\n"));
-        assert_eq!(tokens, Some(tok.count(&s) as u64));
+        assert_eq!(tokens, Some(20));
     }
 
     #[test]
     fn truncate_middle_handles_utf8_content() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
         let s = "😀😀😀😀😀😀😀😀😀😀\nsecond line with ascii text\n";
         let max_bytes = 32;
         let (out, tokens) = truncate_middle(s, max_bytes);
 
         assert!(out.contains("tokens truncated"));
         assert!(!out.contains('\u{fffd}'));
-        assert_eq!(tokens, Some(tok.count(s) as u64));
+        assert_eq!(tokens, Some((s.len() as u64).div_ceil(4)));
     }
 
     #[test]
     fn truncate_middle_prefers_newline_boundaries_2() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
         // Build a multi-line string of 20 numbered lines (each "NNN\n").
         let mut s = String::new();
         for i in 1..=20 {
             s.push_str(&format!("{i:03}\n"));
         }
+        // Total length: 20 lines * 4 bytes per line = 80 bytes.
         assert_eq!(s.len(), 80);
 
+        // Choose a cap that forces truncation while leaving room for
+        // a few lines on each side after accounting for the marker.
         let max_bytes = 64;
-        let (out, total) = truncate_middle(&s, max_bytes);
-        assert!(out.starts_with("001\n002\n003\n004\n"));
-        assert!(out.contains("tokens truncated"));
-        assert!(out.ends_with("017\n018\n019\n020\n"));
-        assert_eq!(total, Some(tok.count(&s) as u64));
+        // Expect exact output: first 4 lines, marker, last 4 lines, and correct token estimate (80/4 = 20).
+        assert_eq!(
+            truncate_middle(&s, max_bytes),
+            (
+                r#"001
+002
+003
+004
+…12 tokens truncated…
+017
+018
+019
+020
+"#
+                .to_string(),
+                Some(20)
+            )
+        );
     }
 }

codex-rs/core/src/unified_exec/mod.rs

@@ -22,13 +22,8 @@
 //! - `session_manager.rs`: orchestration (approvals, sandboxing, reuse) and request handling.
 
 use std::collections::HashMap;
-use std::path::PathBuf;
-use std::sync::Arc;
 use std::sync::atomic::AtomicI32;
-use std::time::Duration;
 
-use rand::Rng;
-use rand::rng;
 use tokio::sync::Mutex;
 
 use crate::codex::Session;
@@ -41,132 +36,46 @@ mod session_manager;
 pub(crate) use errors::UnifiedExecError;
 pub(crate) use session::UnifiedExecSession;
 
-pub(crate) const DEFAULT_YIELD_TIME_MS: u64 = 10_000;
-pub(crate) const MIN_YIELD_TIME_MS: u64 = 250;
-pub(crate) const MAX_YIELD_TIME_MS: u64 = 30_000;
-pub(crate) const DEFAULT_MAX_OUTPUT_TOKENS: usize = 10_000;
-pub(crate) const UNIFIED_EXEC_OUTPUT_MAX_BYTES: usize = 1024 * 1024; // 1 MiB
+const DEFAULT_TIMEOUT_MS: u64 = 1_000;
+const MAX_TIMEOUT_MS: u64 = 60_000;
+const UNIFIED_EXEC_OUTPUT_MAX_BYTES: usize = 128 * 1024; // 128 KiB
 
-pub(crate) struct UnifiedExecContext {
-    pub session: Arc<Session>,
-    pub turn: Arc<TurnContext>,
-    pub call_id: String,
-}
-
-impl UnifiedExecContext {
-    pub fn new(session: Arc<Session>, turn: Arc<TurnContext>, call_id: String) -> Self {
-        Self {
-            session,
-            turn,
-            call_id,
-        }
-    }
+pub(crate) struct UnifiedExecContext<'a> {
+    pub session: &'a Session,
+    pub turn: &'a TurnContext,
+    pub sub_id: &'a str,
+    pub call_id: &'a str,
+    pub session_id: Option<i32>,
 }
 
 #[derive(Debug)]
-pub(crate) struct ExecCommandRequest<'a> {
-    pub command: &'a str,
-    pub shell: &'a str,
-    pub login: bool,
-    pub yield_time_ms: Option<u64>,
-    pub max_output_tokens: Option<usize>,
-}
-
-#[derive(Debug)]
-pub(crate) struct WriteStdinRequest<'a> {
-    pub session_id: i32,
-    pub input: &'a str,
-    pub yield_time_ms: Option<u64>,
-    pub max_output_tokens: Option<usize>,
+pub(crate) struct UnifiedExecRequest<'a> {
+    pub input_chunks: &'a [String],
+    pub timeout_ms: Option<u64>,
 }
 
 #[derive(Debug, Clone, PartialEq)]
-pub(crate) struct UnifiedExecResponse {
-    pub event_call_id: String,
-    pub chunk_id: String,
-    pub wall_time: Duration,
-    pub output: String,
+pub(crate) struct UnifiedExecResult {
     pub session_id: Option<i32>,
-    pub exit_code: Option<i32>,
-    pub original_token_count: Option<usize>,
+    pub output: String,
 }
 
-#[derive(Default)]
+#[derive(Debug, Default)]
 pub(crate) struct UnifiedExecSessionManager {
     next_session_id: AtomicI32,
-    sessions: Mutex<HashMap<i32, SessionEntry>>,
-}
-
-struct SessionEntry {
-    session: session::UnifiedExecSession,
-    session_ref: Arc<Session>,
-    turn_ref: Arc<TurnContext>,
-    call_id: String,
-    command: String,
-    cwd: PathBuf,
-    started_at: tokio::time::Instant,
-}
-
-pub(crate) fn clamp_yield_time(yield_time_ms: Option<u64>) -> u64 {
-    match yield_time_ms {
-        Some(value) => value.clamp(MIN_YIELD_TIME_MS, MAX_YIELD_TIME_MS),
-        None => DEFAULT_YIELD_TIME_MS,
-    }
-}
-
-pub(crate) fn resolve_max_tokens(max_tokens: Option<usize>) -> usize {
-    max_tokens.unwrap_or(DEFAULT_MAX_OUTPUT_TOKENS)
-}
-
-pub(crate) fn generate_chunk_id() -> String {
-    let mut rng = rng();
-    (0..6)
-        .map(|_| format!("{:x}", rng.random_range(0..16)))
-        .collect()
-}
-
-pub(crate) fn truncate_output_to_tokens(
-    output: &str,
-    max_tokens: usize,
-) -> (String, Option<usize>) {
-    if max_tokens == 0 {
-        let total_tokens = output.chars().count();
-        let message = format!("…{total_tokens} tokens truncated…");
-        return (message, Some(total_tokens));
-    }
-
-    let tokens: Vec<char> = output.chars().collect();
-    let total_tokens = tokens.len();
-    if total_tokens <= max_tokens {
-        return (output.to_string(), None);
-    }
-
-    let half = max_tokens / 2;
-    if half == 0 {
-        let truncated = total_tokens.saturating_sub(max_tokens);
-        let message = format!("…{truncated} tokens truncated…");
-        return (message, Some(total_tokens));
-    }
-
-    let truncated = total_tokens.saturating_sub(half * 2);
-    let mut truncated_output = String::new();
-    truncated_output.extend(&tokens[..half]);
-    truncated_output.push_str(&format!("…{truncated} tokens truncated…"));
-    truncated_output.extend(&tokens[total_tokens - half..]);
-    (truncated_output, Some(total_tokens))
+    sessions: Mutex<HashMap<i32, session::UnifiedExecSession>>,
 }
 
 #[cfg(test)]
 #[cfg(unix)]
 mod tests {
     use super::*;
+
     use crate::codex::Session;
     use crate::codex::TurnContext;
     use crate::codex::make_session_and_context;
     use crate::protocol::AskForApproval;
     use crate::protocol::SandboxPolicy;
-    use crate::unified_exec::ExecCommandRequest;
-    use crate::unified_exec::WriteStdinRequest;
     use core_test_support::skip_if_sandbox;
     use std::sync::Arc;
     use tokio::time::Duration;
@@ -180,49 +89,35 @@ mod tests {
         (Arc::new(session), Arc::new(turn))
     }
 
-    async fn exec_command(
+    async fn run_unified_exec_request(
         session: &Arc<Session>,
         turn: &Arc<TurnContext>,
-        cmd: &str,
-        yield_time_ms: Option<u64>,
-    ) -> Result<UnifiedExecResponse, UnifiedExecError> {
-        let context =
-            UnifiedExecContext::new(Arc::clone(session), Arc::clone(turn), "call".to_string());
+        session_id: Option<i32>,
+        input: Vec<String>,
+        timeout_ms: Option<u64>,
+    ) -> Result<UnifiedExecResult, UnifiedExecError> {
+        let request_input = input;
+        let request = UnifiedExecRequest {
+            input_chunks: &request_input,
+            timeout_ms,
+        };
 
         session
             .services
             .unified_exec_manager
-            .exec_command(
-                ExecCommandRequest {
-                    command: cmd,
-                    shell: "/bin/bash",
-                    login: true,
-                    yield_time_ms,
-                    max_output_tokens: None,
+            .handle_request(
+                request,
+                UnifiedExecContext {
+                    session,
+                    turn: turn.as_ref(),
+                    sub_id: "sub",
+                    call_id: "call",
+                    session_id,
                 },
-                &context,
             )
             .await
     }
 
-    async fn write_stdin(
-        session: &Arc<Session>,
-        session_id: i32,
-        input: &str,
-        yield_time_ms: Option<u64>,
-    ) -> Result<UnifiedExecResponse, UnifiedExecError> {
-        session
-            .services
-            .unified_exec_manager
-            .write_stdin(WriteStdinRequest {
-                session_id,
-                input,
-                yield_time_ms,
-                max_output_tokens: None,
-            })
-            .await
-    }
-
     #[test]
     fn push_chunk_trims_only_excess_bytes() {
         let mut buffer = OutputBufferState::default();
@@ -247,28 +142,37 @@ mod tests {
 
         let (session, turn) = test_session_and_turn();
 
-        let open_shell = exec_command(&session, &turn, "bash -i", Some(2_500)).await?;
+        let open_shell = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["bash".to_string(), "-i".to_string()],
+            Some(2_500),
+        )
+        .await?;
         let session_id = open_shell.session_id.expect("expected session_id");
 
-        write_stdin(
+        run_unified_exec_request(
             &session,
-            session_id,
-            "export CODEX_INTERACTIVE_SHELL_VAR=codex\n",
+            &turn,
+            Some(session_id),
+            vec![
+                "export".to_string(),
+                "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
+            ],
             Some(2_500),
         )
         .await?;
 
-        let out_2 = write_stdin(
+        let out_2 = run_unified_exec_request(
             &session,
-            session_id,
-            "echo $CODEX_INTERACTIVE_SHELL_VAR\n",
+            &turn,
+            Some(session_id),
+            vec!["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
             Some(2_500),
         )
         .await?;
-        assert!(
-            out_2.output.contains("codex"),
-            "expected environment variable output"
-        );
+        assert!(out_2.output.contains("codex"));
 
         Ok(())
     }
@@ -279,44 +183,47 @@ mod tests {
 
         let (session, turn) = test_session_and_turn();
 
-        let shell_a = exec_command(&session, &turn, "bash -i", Some(2_500)).await?;
-        let session_a = shell_a.session_id.expect("expected session id");
-
-        write_stdin(
-            &session,
-            session_a,
-            "export CODEX_INTERACTIVE_SHELL_VAR=codex\n",
-            Some(2_500),
-        )
-        .await?;
-
-        let out_2 = exec_command(
+        let shell_a = run_unified_exec_request(
             &session,
             &turn,
-            "echo $CODEX_INTERACTIVE_SHELL_VAR",
+            None,
+            vec!["/bin/bash".to_string(), "-i".to_string()],
             Some(2_500),
         )
         .await?;
-        assert!(
-            out_2.session_id.is_none(),
-            "short command should not retain a session"
-        );
-        assert!(
-            !out_2.output.contains("codex"),
-            "short command should run in a fresh shell"
-        );
+        let session_a = shell_a.session_id.expect("expected session id");
 
-        let out_3 = write_stdin(
+        run_unified_exec_request(
             &session,
-            session_a,
-            "echo $CODEX_INTERACTIVE_SHELL_VAR\n",
+            &turn,
+            Some(session_a),
+            vec!["export CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string()],
             Some(2_500),
         )
         .await?;
-        assert!(
-            out_3.output.contains("codex"),
-            "session should preserve state"
-        );
+
+        let out_2 = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec![
+                "echo".to_string(),
+                "$CODEX_INTERACTIVE_SHELL_VAR\n".to_string(),
+            ],
+            Some(2_500),
+        )
+        .await?;
+        assert!(!out_2.output.contains("codex"));
+
+        let out_3 = run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_a),
+            vec!["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
+            Some(2_500),
+        )
+        .await?;
+        assert!(out_3.output.contains("codex"));
 
         Ok(())
     }
@@ -327,37 +234,45 @@ mod tests {
 
         let (session, turn) = test_session_and_turn();
 
-        let open_shell = exec_command(&session, &turn, "bash -i", Some(2_500)).await?;
+        let open_shell = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["bash".to_string(), "-i".to_string()],
+            Some(2_500),
+        )
+        .await?;
         let session_id = open_shell.session_id.expect("expected session id");
 
-        write_stdin(
+        run_unified_exec_request(
             &session,
-            session_id,
-            "export CODEX_INTERACTIVE_SHELL_VAR=codex\n",
+            &turn,
+            Some(session_id),
+            vec![
+                "export".to_string(),
+                "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
+            ],
             Some(2_500),
         )
         .await?;
 
-        let out_2 = write_stdin(
+        let out_2 = run_unified_exec_request(
             &session,
-            session_id,
-            "sleep 5 && echo $CODEX_INTERACTIVE_SHELL_VAR\n",
+            &turn,
+            Some(session_id),
+            vec!["sleep 5 && echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
             Some(10),
         )
         .await?;
-        assert!(
-            !out_2.output.contains("codex"),
-            "timeout too short should yield incomplete output"
-        );
+        assert!(!out_2.output.contains("codex"));
 
         tokio::time::sleep(Duration::from_secs(7)).await;
 
-        let out_3 = write_stdin(&session, session_id, "", Some(100)).await?;
+        let out_3 =
+            run_unified_exec_request(&session, &turn, Some(session_id), Vec::new(), Some(100))
+                .await?;
 
-        assert!(
-            out_3.output.contains("codex"),
-            "subsequent poll should retrieve output"
-        );
+        assert!(out_3.output.contains("codex"));
 
         Ok(())
     }
@@ -367,9 +282,18 @@ mod tests {
     async fn requests_with_large_timeout_are_capped() -> anyhow::Result<()> {
         let (session, turn) = test_session_and_turn();
 
-        let result = exec_command(&session, &turn, "echo codex", Some(120_000)).await?;
+        let result = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["echo".to_string(), "codex".to_string()],
+            Some(120_000),
+        )
+        .await?;
 
-        assert!(result.session_id.is_none());
+        assert!(result.output.starts_with(
+            "Warning: requested timeout 120000ms exceeds maximum of 60000ms; clamping to 60000ms.\n"
+        ));
         assert!(result.output.contains("codex"));
 
         Ok(())
@@ -379,12 +303,16 @@ mod tests {
     #[ignore] // Ignored while we have a better way to test this.
     async fn completed_commands_do_not_persist_sessions() -> anyhow::Result<()> {
         let (session, turn) = test_session_and_turn();
-        let result = exec_command(&session, &turn, "echo codex", Some(2_500)).await?;
+        let result = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["/bin/echo".to_string(), "codex".to_string()],
+            Some(2_500),
+        )
+        .await?;
 
-        assert!(
-            result.session_id.is_none(),
-            "completed command should not retain session"
-        );
+        assert!(result.session_id.is_none());
         assert!(result.output.contains("codex"));
 
         assert!(
@@ -406,16 +334,31 @@ mod tests {
 
         let (session, turn) = test_session_and_turn();
 
-        let open_shell = exec_command(&session, &turn, "bash -i", Some(2_500)).await?;
+        let open_shell = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["/bin/bash".to_string(), "-i".to_string()],
+            Some(2_500),
+        )
+        .await?;
         let session_id = open_shell.session_id.expect("expected session id");
 
-        write_stdin(&session, session_id, "exit\n", Some(2_500)).await?;
+        run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_id),
+            vec!["exit\n".to_string()],
+            Some(2_500),
+        )
+        .await?;
 
         tokio::time::sleep(Duration::from_millis(200)).await;
 
-        let err = write_stdin(&session, session_id, "", Some(100))
-            .await
-            .expect_err("expected unknown session error");
+        let err =
+            run_unified_exec_request(&session, &turn, Some(session_id), Vec::new(), Some(100))
+                .await
+                .expect_err("expected unknown session error");
 
         match err {
             UnifiedExecError::UnknownSessionId { session_id: err_id } => {

codex-rs/core/src/unified_exec/session_manager.rs

@@ -5,283 +5,85 @@ use tokio::sync::mpsc;
 use tokio::time::Duration;
 use tokio::time::Instant;
 
-use crate::exec::ExecToolCallOutput;
-use crate::exec::StreamOutput;
 use crate::exec_env::create_env;
 use crate::sandboxing::ExecEnv;
-use crate::tools::events::ToolEmitter;
-use crate::tools::events::ToolEventCtx;
-use crate::tools::events::ToolEventStage;
 use crate::tools::orchestrator::ToolOrchestrator;
 use crate::tools::runtimes::unified_exec::UnifiedExecRequest as UnifiedExecToolRequest;
 use crate::tools::runtimes::unified_exec::UnifiedExecRuntime;
 use crate::tools::sandboxing::ToolCtx;
+use crate::truncate::truncate_middle;
 
-use super::ExecCommandRequest;
-use super::MIN_YIELD_TIME_MS;
-use super::SessionEntry;
+use super::DEFAULT_TIMEOUT_MS;
+use super::MAX_TIMEOUT_MS;
+use super::UNIFIED_EXEC_OUTPUT_MAX_BYTES;
 use super::UnifiedExecContext;
 use super::UnifiedExecError;
-use super::UnifiedExecResponse;
+use super::UnifiedExecRequest;
+use super::UnifiedExecResult;
 use super::UnifiedExecSessionManager;
-use super::WriteStdinRequest;
-use super::clamp_yield_time;
-use super::generate_chunk_id;
-use super::resolve_max_tokens;
 use super::session::OutputBuffer;
 use super::session::UnifiedExecSession;
-use super::truncate_output_to_tokens;
+
+pub(super) struct SessionAcquisition {
+    pub(super) session_id: i32,
+    pub(super) writer_tx: mpsc::Sender<Vec<u8>>,
+    pub(super) output_buffer: OutputBuffer,
+    pub(super) output_notify: Arc<Notify>,
+    pub(super) new_session: Option<UnifiedExecSession>,
+    pub(super) reuse_requested: bool,
+}
 
 impl UnifiedExecSessionManager {
-    pub(crate) async fn exec_command(
+    pub(super) async fn acquire_session(
         &self,
-        request: ExecCommandRequest<'_>,
-        context: &UnifiedExecContext,
-    ) -> Result<UnifiedExecResponse, UnifiedExecError> {
-        let shell_flag = if request.login { "-lc" } else { "-c" };
-        let command = vec![
-            request.shell.to_string(),
-            shell_flag.to_string(),
-            request.command.to_string(),
-        ];
-
-        let session = self.open_session_with_sandbox(command, context).await?;
-
-        let max_tokens = resolve_max_tokens(request.max_output_tokens);
-        let yield_time_ms =
-            clamp_yield_time(Some(request.yield_time_ms.unwrap_or(MIN_YIELD_TIME_MS)));
-
-        let start = Instant::now();
-        let (output_buffer, output_notify) = session.output_handles();
-        let deadline = start + Duration::from_millis(yield_time_ms);
-        let collected =
-            Self::collect_output_until_deadline(&output_buffer, &output_notify, deadline).await;
-        let wall_time = Instant::now().saturating_duration_since(start);
-
-        let text = String::from_utf8_lossy(&collected).to_string();
-        let (output, original_token_count) = truncate_output_to_tokens(&text, max_tokens);
-        let chunk_id = generate_chunk_id();
-        let exit_code = session.exit_code();
-        let session_id = if session.has_exited() {
-            None
-        } else {
-            Some(
-                self.store_session(session, context, request.command, start)
-                    .await,
-            )
-        };
-
-        let response = UnifiedExecResponse {
-            event_call_id: context.call_id.clone(),
-            chunk_id,
-            wall_time,
-            output,
-            session_id,
-            exit_code,
-            original_token_count,
-        };
-
-        // If the command completed during this call, emit an ExecCommandEnd via the emitter.
-        if response.session_id.is_none() {
-            let exit = response.exit_code.unwrap_or(-1);
-            Self::emit_exec_end_from_context(
-                context,
-                request.command.to_string(),
-                response.output.clone(),
-                exit,
-                response.wall_time,
-            )
-            .await;
-        }
-
-        Ok(response)
-    }
-
-    pub(crate) async fn write_stdin(
-        &self,
-        request: WriteStdinRequest<'_>,
-    ) -> Result<UnifiedExecResponse, UnifiedExecError> {
-        let session_id = request.session_id;
-
-        let (writer_tx, output_buffer, output_notify) =
-            self.prepare_session_handles(session_id).await?;
-
-        if !request.input.is_empty() {
-            Self::send_input(&writer_tx, request.input.as_bytes()).await?;
-            tokio::time::sleep(Duration::from_millis(100)).await;
-        }
-
-        let max_tokens = resolve_max_tokens(request.max_output_tokens);
-        let yield_time_ms = clamp_yield_time(request.yield_time_ms);
-        let start = Instant::now();
-        let deadline = start + Duration::from_millis(yield_time_ms);
-        let collected =
-            Self::collect_output_until_deadline(&output_buffer, &output_notify, deadline).await;
-        let wall_time = Instant::now().saturating_duration_since(start);
-
-        let text = String::from_utf8_lossy(&collected).to_string();
-        let (output, original_token_count) = truncate_output_to_tokens(&text, max_tokens);
-        let chunk_id = generate_chunk_id();
-
-        let status = self.refresh_session_state(session_id).await;
-        let (session_id, exit_code, completion_entry, event_call_id) = match status {
-            SessionStatus::Alive { exit_code, call_id } => {
-                (Some(session_id), exit_code, None, call_id)
-            }
-            SessionStatus::Exited { exit_code, entry } => {
-                let call_id = entry.call_id.clone();
-                (None, exit_code, Some(*entry), call_id)
-            }
-            SessionStatus::Unknown => {
-                return Err(UnifiedExecError::UnknownSessionId { session_id });
-            }
-        };
-
-        let response = UnifiedExecResponse {
-            event_call_id,
-            chunk_id,
-            wall_time,
-            output,
-            session_id,
-            exit_code,
-            original_token_count,
-        };
-
-        if let (Some(exit), Some(entry)) = (response.exit_code, completion_entry) {
-            let total_duration = Instant::now().saturating_duration_since(entry.started_at);
-            Self::emit_exec_end_from_entry(entry, response.output.clone(), exit, total_duration)
-                .await;
-        }
-
-        Ok(response)
-    }
-
-    async fn refresh_session_state(&self, session_id: i32) -> SessionStatus {
-        let mut sessions = self.sessions.lock().await;
-        let Some(entry) = sessions.get(&session_id) else {
-            return SessionStatus::Unknown;
-        };
-
-        let exit_code = entry.session.exit_code();
-
-        if entry.session.has_exited() {
-            let Some(entry) = sessions.remove(&session_id) else {
-                return SessionStatus::Unknown;
-            };
-            SessionStatus::Exited {
-                exit_code,
-                entry: Box::new(entry),
+        request: &UnifiedExecRequest<'_>,
+        context: &UnifiedExecContext<'_>,
+    ) -> Result<SessionAcquisition, UnifiedExecError> {
+        if let Some(existing_id) = context.session_id {
+            let mut sessions = self.sessions.lock().await;
+            match sessions.get(&existing_id) {
+                Some(session) => {
+                    if session.has_exited() {
+                        sessions.remove(&existing_id);
+                        return Err(UnifiedExecError::UnknownSessionId {
+                            session_id: existing_id,
+                        });
+                    }
+                    let (buffer, notify) = session.output_handles();
+                    let writer_tx = session.writer_sender();
+                    Ok(SessionAcquisition {
+                        session_id: existing_id,
+                        writer_tx,
+                        output_buffer: buffer,
+                        output_notify: notify,
+                        new_session: None,
+                        reuse_requested: true,
+                    })
+                }
+                None => Err(UnifiedExecError::UnknownSessionId {
+                    session_id: existing_id,
+                }),
             }
         } else {
-            SessionStatus::Alive {
-                exit_code,
-                call_id: entry.call_id.clone(),
-            }
+            let new_id = self
+                .next_session_id
+                .fetch_add(1, std::sync::atomic::Ordering::SeqCst);
+            let managed_session = self
+                .open_session_with_sandbox(request.input_chunks.to_vec(), context)
+                .await?;
+            let (buffer, notify) = managed_session.output_handles();
+            let writer_tx = managed_session.writer_sender();
+            Ok(SessionAcquisition {
+                session_id: new_id,
+                writer_tx,
+                output_buffer: buffer,
+                output_notify: notify,
+                new_session: Some(managed_session),
+                reuse_requested: false,
+            })
         }
     }
 
-    async fn prepare_session_handles(
-        &self,
-        session_id: i32,
-    ) -> Result<(mpsc::Sender<Vec<u8>>, OutputBuffer, Arc<Notify>), UnifiedExecError> {
-        let sessions = self.sessions.lock().await;
-        let (output_buffer, output_notify, writer_tx) =
-            if let Some(entry) = sessions.get(&session_id) {
-                let (buffer, notify) = entry.session.output_handles();
-                (buffer, notify, entry.session.writer_sender())
-            } else {
-                return Err(UnifiedExecError::UnknownSessionId { session_id });
-            };
-
-        Ok((writer_tx, output_buffer, output_notify))
-    }
-
-    async fn send_input(
-        writer_tx: &mpsc::Sender<Vec<u8>>,
-        data: &[u8],
-    ) -> Result<(), UnifiedExecError> {
-        writer_tx
-            .send(data.to_vec())
-            .await
-            .map_err(|_| UnifiedExecError::WriteToStdin)
-    }
-
-    async fn store_session(
-        &self,
-        session: UnifiedExecSession,
-        context: &UnifiedExecContext,
-        command: &str,
-        started_at: Instant,
-    ) -> i32 {
-        let session_id = self
-            .next_session_id
-            .fetch_add(1, std::sync::atomic::Ordering::SeqCst);
-        let entry = SessionEntry {
-            session,
-            session_ref: Arc::clone(&context.session),
-            turn_ref: Arc::clone(&context.turn),
-            call_id: context.call_id.clone(),
-            command: command.to_string(),
-            cwd: context.turn.cwd.clone(),
-            started_at,
-        };
-        self.sessions.lock().await.insert(session_id, entry);
-        session_id
-    }
-
-    async fn emit_exec_end_from_entry(
-        entry: SessionEntry,
-        aggregated_output: String,
-        exit_code: i32,
-        duration: Duration,
-    ) {
-        let output = ExecToolCallOutput {
-            exit_code,
-            stdout: StreamOutput::new(aggregated_output.clone()),
-            stderr: StreamOutput::new(String::new()),
-            aggregated_output: StreamOutput::new(aggregated_output),
-            duration,
-            timed_out: false,
-        };
-        let event_ctx = ToolEventCtx::new(
-            entry.session_ref.as_ref(),
-            entry.turn_ref.as_ref(),
-            &entry.call_id,
-            None,
-        );
-        let emitter = ToolEmitter::unified_exec(entry.command, entry.cwd, true);
-        emitter
-            .emit(event_ctx, ToolEventStage::Success(output))
-            .await;
-    }
-
-    async fn emit_exec_end_from_context(
-        context: &UnifiedExecContext,
-        command: String,
-        aggregated_output: String,
-        exit_code: i32,
-        duration: Duration,
-    ) {
-        let output = ExecToolCallOutput {
-            exit_code,
-            stdout: StreamOutput::new(aggregated_output.clone()),
-            stderr: StreamOutput::new(String::new()),
-            aggregated_output: StreamOutput::new(aggregated_output),
-            duration,
-            timed_out: false,
-        };
-        let event_ctx = ToolEventCtx::new(
-            context.session.as_ref(),
-            context.turn.as_ref(),
-            &context.call_id,
-            None,
-        );
-        let emitter = ToolEmitter::unified_exec(command, context.turn.cwd.clone(), true);
-        emitter
-            .emit(event_ctx, ToolEventStage::Success(output))
-            .await;
-    }
-
     pub(crate) async fn open_session_with_exec_env(
         &self,
         env: &ExecEnv,
@@ -300,7 +102,7 @@ impl UnifiedExecSessionManager {
     pub(super) async fn open_session_with_sandbox(
         &self,
         command: Vec<String>,
-        context: &UnifiedExecContext,
+        context: &UnifiedExecContext<'_>,
     ) -> Result<UnifiedExecSession, UnifiedExecError> {
         let mut orchestrator = ToolOrchestrator::new();
         let mut runtime = UnifiedExecRuntime::new(self);
@@ -310,17 +112,17 @@ impl UnifiedExecSessionManager {
             create_env(&context.turn.shell_environment_policy),
         );
         let tool_ctx = ToolCtx {
-            session: context.session.as_ref(),
-            turn: context.turn.as_ref(),
-            call_id: context.call_id.clone(),
-            tool_name: "exec_command".to_string(),
+            session: context.session,
+            sub_id: context.sub_id.to_string(),
+            call_id: context.call_id.to_string(),
+            tool_name: "unified_exec".to_string(),
         };
         orchestrator
             .run(
                 &mut runtime,
                 &req,
                 &tool_ctx,
-                context.turn.as_ref(),
+                context.turn,
                 context.turn.approval_policy,
             )
             .await
@@ -370,16 +172,117 @@ impl UnifiedExecSessionManager {
 
         collected
     }
-}
 
-enum SessionStatus {
-    Alive {
-        exit_code: Option<i32>,
-        call_id: String,
-    },
-    Exited {
-        exit_code: Option<i32>,
-        entry: Box<SessionEntry>,
-    },
-    Unknown,
+    pub(super) async fn should_store_session(&self, acquisition: &SessionAcquisition) -> bool {
+        if let Some(session) = acquisition.new_session.as_ref() {
+            !session.has_exited()
+        } else if acquisition.reuse_requested {
+            let mut sessions = self.sessions.lock().await;
+            if let Some(existing) = sessions.get(&acquisition.session_id) {
+                if existing.has_exited() {
+                    sessions.remove(&acquisition.session_id);
+                    false
+                } else {
+                    true
+                }
+            } else {
+                false
+            }
+        } else {
+            true
+        }
+    }
+
+    pub(super) async fn send_input_chunks(
+        writer_tx: &mpsc::Sender<Vec<u8>>,
+        chunks: &[String],
+    ) -> Result<(), UnifiedExecError> {
+        let mut trailing_whitespace = true;
+        for chunk in chunks {
+            if chunk.is_empty() {
+                continue;
+            }
+
+            let leading_whitespace = chunk
+                .chars()
+                .next()
+                .map(char::is_whitespace)
+                .unwrap_or(true);
+
+            if !trailing_whitespace
+                && !leading_whitespace
+                && writer_tx.send(vec![b' ']).await.is_err()
+            {
+                return Err(UnifiedExecError::WriteToStdin);
+            }
+
+            if writer_tx.send(chunk.as_bytes().to_vec()).await.is_err() {
+                return Err(UnifiedExecError::WriteToStdin);
+            }
+
+            trailing_whitespace = chunk
+                .chars()
+                .next_back()
+                .map(char::is_whitespace)
+                .unwrap_or(trailing_whitespace);
+        }
+
+        Ok(())
+    }
+
+    pub async fn handle_request(
+        &self,
+        request: UnifiedExecRequest<'_>,
+        context: UnifiedExecContext<'_>,
+    ) -> Result<UnifiedExecResult, UnifiedExecError> {
+        let (timeout_ms, timeout_warning) = match request.timeout_ms {
+            Some(requested) if requested > MAX_TIMEOUT_MS => (
+                MAX_TIMEOUT_MS,
+                Some(format!(
+                    "Warning: requested timeout {requested}ms exceeds maximum of {MAX_TIMEOUT_MS}ms; clamping to {MAX_TIMEOUT_MS}ms.\n"
+                )),
+            ),
+            Some(requested) => (requested, None),
+            None => (DEFAULT_TIMEOUT_MS, None),
+        };
+
+        let mut acquisition = self.acquire_session(&request, &context).await?;
+
+        if acquisition.reuse_requested {
+            Self::send_input_chunks(&acquisition.writer_tx, request.input_chunks).await?;
+        }
+
+        let deadline = Instant::now() + Duration::from_millis(timeout_ms);
+        let collected = Self::collect_output_until_deadline(
+            &acquisition.output_buffer,
+            &acquisition.output_notify,
+            deadline,
+        )
+        .await;
+
+        let (output, _maybe_tokens) = truncate_middle(
+            &String::from_utf8_lossy(&collected),
+            UNIFIED_EXEC_OUTPUT_MAX_BYTES,
+        );
+        let output = if let Some(warning) = timeout_warning {
+            format!("{warning}{output}")
+        } else {
+            output
+        };
+
+        let should_store_session = self.should_store_session(&acquisition).await;
+        let session_id = if should_store_session {
+            if let Some(session) = acquisition.new_session.take() {
+                self.sessions
+                    .lock()
+                    .await
+                    .insert(acquisition.session_id, session);
+            }
+            Some(acquisition.session_id)
+        } else {
+            None
+        };
+
+        Ok(UnifiedExecResult { session_id, output })
+    }
 }

codex-rs/core/src/user_notification.rs

@@ -51,7 +51,6 @@ pub(crate) enum UserNotification {
     AgentTurnComplete {
         thread_id: String,
         turn_id: String,
-        cwd: String,
 
         /// Messages that the user sent to the agent to initiate the turn.
         input_messages: Vec<String>,
@@ -71,7 +70,6 @@ mod tests {
         let notification = UserNotification::AgentTurnComplete {
             thread_id: "b5f6c1c2-1111-2222-3333-444455556666".to_string(),
             turn_id: "12345".to_string(),
-            cwd: "/Users/example/project".to_string(),
             input_messages: vec!["Rename `foo` to `bar` and update the callsites.".to_string()],
             last_assistant_message: Some(
                 "Rename complete and verified `cargo build` succeeds.".to_string(),
@@ -80,7 +78,7 @@ mod tests {
         let serialized = serde_json::to_string(&notification)?;
         assert_eq!(
             serialized,
-            r#"{"type":"agent-turn-complete","thread-id":"b5f6c1c2-1111-2222-3333-444455556666","turn-id":"12345","cwd":"/Users/example/project","input-messages":["Rename `foo` to `bar` and update the callsites."],"last-assistant-message":"Rename complete and verified `cargo build` succeeds."}"#
+            r#"{"type":"agent-turn-complete","thread-id":"b5f6c1c2-1111-2222-3333-444455556666","turn-id":"12345","input-messages":["Rename `foo` to `bar` and update the callsites."],"last-assistant-message":"Rename complete and verified `cargo build` succeeds."}"#
         );
         Ok(())
     }