fix: close non-stdio fds before exec

chore: verify boolean values can be parsed as config overrides (#6516 )
This is important to ensure that this: ``` codex --enable unified_exec ``` and this: ``` codex --config features.unified_exec=true ``` are equivalent. Also that when it is passed programmatically: 807e2c27f0/codex-rs/app-server-protocol/src/protocol/v1.rs (L55) then this should work for `config`: ```json {"features": {"shell_command_tool": true}} ``` though I believe also this: ```json {"features.shell_command_tool": true} ```
2026-02-04 07:53:43 +00:00 · 2025-11-12 11:46:14 -08:00 · 2025-11-12 08:19:16 -08:00 · 2025-11-12 08:18:57 -08:00 · 2025-11-12 11:13:37 +00:00 · 2025-11-11 21:30:01 -05:00
51 changed files with 1967 additions and 390 deletions
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -295,6 +295,15 @@ jobs:
          # ${{ matrix.target }}
          dest="dist/${{ matrix.target }}"

+          # We want to ship the raw Windows executables in the GitHub Release
+          # in addition to the compressed archives. Keep the originals for
+          # Windows targets; remove them elsewhere to limit the number of
+          # artifacts that end up in the GitHub Release.
+          keep_originals=false
+          if [[ "${{ matrix.runner }}" == windows* ]]; then
+            keep_originals=true
+          fi
+
          # For compatibility with environments that lack the `zstd` tool we
          # additionally create a `.tar.gz` for all platforms and `.zip` for
          # Windows alongside every single binary that we publish. The end result is:
@@ -324,7 +333,11 @@ jobs:

            # Also create .zst (existing behaviour) *and* remove the original
            # uncompressed binary to keep the directory small.
-            zstd -T0 -19 --rm "$dest/$base"
+            zstd_args=(-T0 -19)
+            if [[ "${keep_originals}" == false ]]; then
+              zstd_args+=(--rm)
+            fi
+            zstd "${zstd_args[@]}" "$dest/$base"
          done

      - name: Remove signing keychain
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -211,6 +211,7 @@ dependencies = [
 "parking_lot",
 "percent-encoding",
 "windows-sys 0.59.0",
+ "wl-clipboard-rs",
 "x11rb",
 ]

@@ -985,14 +986,17 @@ dependencies = [
 "codex-tui",
 "codex-windows-sandbox",
 "ctor 0.5.0",
+ "libc",
 "owo-colors",
 "predicates",
 "pretty_assertions",
+ "regex-lite",
 "serde_json",
 "supports-color",
 "tempfile",
 "tokio",
 "toml",
+ "tracing",
 ]

 [[package]]
@@ -1063,6 +1067,7 @@ dependencies = [
 "chrono",
 "codex-app-server-protocol",
 "codex-apply-patch",
+ "codex-arg0",
 "codex-async-utils",
 "codex-file-search",
 "codex-git",
@@ -1077,6 +1082,7 @@ dependencies = [
 "codex-windows-sandbox",
 "core-foundation 0.9.4",
 "core_test_support",
+ "ctor 0.5.0",
 "dirs",
 "dunce",
 "env-flags",
@@ -4287,6 +4293,16 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

+[[package]]
+name = "os_pipe"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db335f4760b14ead6290116f2427bf33a14d4f0617d49f78a246de10c1831224"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "owo-colors"
 version = "4.2.2"
@@ -4434,7 +4450,7 @@ checksum = "3af6b589e163c5a788fab00ce0c0366f6efbb9959c2f9874b224936af7fce7e1"
 dependencies = [
 "base64",
 "indexmap 2.12.0",
- "quick-xml",
+ "quick-xml 0.38.0",
 "serde",
 "time",
 ]
@@ -4663,6 +4679,15 @@ version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3"

+[[package]]
+name = "quick-xml"
+version = "0.37.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "331e97a1af0bf59823e6eadffe373d7b27f485be8748f71471c662c1f269b7fb"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "quick-xml"
 version = "0.38.0"
@@ -6700,6 +6725,18 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8"

+[[package]]
+name = "tree_magic_mini"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f943391d896cdfe8eec03a04d7110332d445be7df856db382dd96a730667562c"
+dependencies = [
+ "memchr",
+ "nom",
+ "once_cell",
+ "petgraph",
+]
+
 [[package]]
 name = "try-lock"
 version = "0.2.5"
@@ -7037,6 +7074,76 @@ dependencies = [
 "web-sys",
 ]

+[[package]]
+name = "wayland-backend"
+version = "0.3.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673a33c33048a5ade91a6b139580fa174e19fb0d23f396dca9fa15f2e1e49b35"
+dependencies = [
+ "cc",
+ "downcast-rs",
+ "rustix 1.0.8",
+ "smallvec",
+ "wayland-sys",
+]
+
+[[package]]
+name = "wayland-client"
+version = "0.31.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c66a47e840dc20793f2264eb4b3e4ecb4b75d91c0dd4af04b456128e0bdd449d"
+dependencies = [
+ "bitflags 2.10.0",
+ "rustix 1.0.8",
+ "wayland-backend",
+ "wayland-scanner",
+]
+
+[[package]]
+name = "wayland-protocols"
+version = "0.32.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "efa790ed75fbfd71283bd2521a1cfdc022aabcc28bdcff00851f9e4ae88d9901"
+dependencies = [
+ "bitflags 2.10.0",
+ "wayland-backend",
+ "wayland-client",
+ "wayland-scanner",
+]
+
+[[package]]
+name = "wayland-protocols-wlr"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "efd94963ed43cf9938a090ca4f7da58eb55325ec8200c3848963e98dc25b78ec"
+dependencies = [
+ "bitflags 2.10.0",
+ "wayland-backend",
+ "wayland-client",
+ "wayland-protocols",
+ "wayland-scanner",
+]
+
+[[package]]
+name = "wayland-scanner"
+version = "0.31.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "54cb1e9dc49da91950bdfd8b848c49330536d9d1fb03d4bfec8cae50caa50ae3"
+dependencies = [
+ "proc-macro2",
+ "quick-xml 0.37.5",
+ "quote",
+]
+
+[[package]]
+name = "wayland-sys"
+version = "0.31.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34949b42822155826b41db8e5d0c1be3a2bd296c747577a43a3e6daefc296142"
+dependencies = [
+ "pkg-config",
+]
+
 [[package]]
 name = "web-sys"
 version = "0.3.77"
@@ -7608,6 +7715,25 @@ dependencies = [
 "bitflags 2.10.0",
 ]

+[[package]]
+name = "wl-clipboard-rs"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e5ff8d0e60065f549fafd9d6cb626203ea64a798186c80d8e7df4f8af56baeb"
+dependencies = [
+ "libc",
+ "log",
+ "os_pipe",
+ "rustix 0.38.44",
+ "tempfile",
+ "thiserror 2.0.17",
+ "tree_magic_mini",
+ "wayland-backend",
+ "wayland-client",
+ "wayland-protocols",
+ "wayland-protocols-wlr",
+]
+
 [[package]]
 name = "writeable"
 version = "0.6.2"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -94,7 +94,7 @@ mcp_test_support = { path = "mcp-server/tests/common" }
 allocative = "0.3.3"
 ansi-to-tui = "7.0.0"
 anyhow = "1"
-arboard = "3"
+arboard = { version = "3", features = ["wayland-data-control"] }
 askama = "0.14"
 assert_cmd = "2"
 assert_matches = "1.5.0"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -58,7 +58,7 @@ To test to see what happens when a command is run under the sandbox provided by

 ```
 # macOS
-codex sandbox macos [--full-auto] [COMMAND]...
+codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...

 # Linux
 codex sandbox linux [--full-auto] [COMMAND]...
@@ -67,7 +67,7 @@ codex sandbox linux [--full-auto] [COMMAND]...
 codex sandbox windows [--full-auto] [COMMAND]...

 # Legacy aliases
-codex debug seatbelt [--full-auto] [COMMAND]...
+codex debug seatbelt [--full-auto] [--log-denials] [COMMAND]...
 codex debug landlock [--full-auto] [COMMAND]...
 ```

--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -92,6 +92,8 @@ pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
    {
        let status = Command::new(prettier_bin)
            .arg("--write")
+            .arg("--log-level")
+            .arg("warn")
            .args(ts_files.iter().map(|p| p.as_os_str()))
            .status()
            .with_context(|| format!("Failed to invoke Prettier at {}", prettier_bin.display()))?;
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -46,7 +46,7 @@ macro_rules! client_request_definitions {
    (
        $(
            $(#[$variant_meta:meta])*
-            $variant:ident {
+            $variant:ident $(=> $wire:literal)? {
                params: $(#[$params_meta:meta])* $params:ty,
                response: $response:ty,
            }
@@ -58,6 +58,7 @@ macro_rules! client_request_definitions {
        pub enum ClientRequest {
            $(
                $(#[$variant_meta])*
+                $(#[serde(rename = $wire)] #[ts(rename = $wire)])?
                $variant {
                    #[serde(rename = "id")]
                    request_id: RequestId,
@@ -101,105 +102,78 @@ macro_rules! client_request_definitions {
 }

 client_request_definitions! {
+    Initialize {
+        params: v1::InitializeParams,
+        response: v1::InitializeResponse,
+    },
+
    /// NEW APIs
    // Thread lifecycle
-    #[serde(rename = "thread/start")]
-    #[ts(rename = "thread/start")]
-    ThreadStart {
+    ThreadStart => "thread/start" {
        params: v2::ThreadStartParams,
        response: v2::ThreadStartResponse,
    },
-    #[serde(rename = "thread/resume")]
-    #[ts(rename = "thread/resume")]
-    ThreadResume {
+    ThreadResume => "thread/resume" {
        params: v2::ThreadResumeParams,
        response: v2::ThreadResumeResponse,
    },
-    #[serde(rename = "thread/archive")]
-    #[ts(rename = "thread/archive")]
-    ThreadArchive {
+    ThreadArchive => "thread/archive" {
        params: v2::ThreadArchiveParams,
        response: v2::ThreadArchiveResponse,
    },
-    #[serde(rename = "thread/list")]
-    #[ts(rename = "thread/list")]
-    ThreadList {
+    ThreadList => "thread/list" {
        params: v2::ThreadListParams,
        response: v2::ThreadListResponse,
    },
-    #[serde(rename = "thread/compact")]
-    #[ts(rename = "thread/compact")]
-    ThreadCompact {
+    ThreadCompact => "thread/compact" {
        params: v2::ThreadCompactParams,
        response: v2::ThreadCompactResponse,
    },
-    #[serde(rename = "turn/start")]
-    #[ts(rename = "turn/start")]
-    TurnStart {
+    TurnStart => "turn/start" {
        params: v2::TurnStartParams,
        response: v2::TurnStartResponse,
    },
-    #[serde(rename = "turn/interrupt")]
-    #[ts(rename = "turn/interrupt")]
-    TurnInterrupt {
+    TurnInterrupt => "turn/interrupt" {
        params: v2::TurnInterruptParams,
        response: v2::TurnInterruptResponse,
    },

-    #[serde(rename = "model/list")]
-    #[ts(rename = "model/list")]
-    ModelList {
+    ModelList => "model/list" {
        params: v2::ModelListParams,
        response: v2::ModelListResponse,
    },

-    #[serde(rename = "account/login/start")]
-    #[ts(rename = "account/login/start")]
-    LoginAccount {
+    LoginAccount => "account/login/start" {
        params: v2::LoginAccountParams,
        response: v2::LoginAccountResponse,
    },

-    #[serde(rename = "account/login/cancel")]
-    #[ts(rename = "account/login/cancel")]
-    CancelLoginAccount {
+    CancelLoginAccount => "account/login/cancel" {
        params: v2::CancelLoginAccountParams,
        response: v2::CancelLoginAccountResponse,
    },

-    #[serde(rename = "account/logout")]
-    #[ts(rename = "account/logout")]
-    LogoutAccount {
+    LogoutAccount => "account/logout" {
        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
        response: v2::LogoutAccountResponse,
    },

-    #[serde(rename = "account/rateLimits/read")]
-    #[ts(rename = "account/rateLimits/read")]
-    GetAccountRateLimits {
+    GetAccountRateLimits => "account/rateLimits/read" {
        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
        response: v2::GetAccountRateLimitsResponse,
    },

-    #[serde(rename = "feedback/upload")]
-    #[ts(rename = "feedback/upload")]
-    FeedbackUpload {
+    FeedbackUpload => "feedback/upload" {
        params: v2::FeedbackUploadParams,
        response: v2::FeedbackUploadResponse,
    },

-    #[serde(rename = "account/read")]
-    #[ts(rename = "account/read")]
-    GetAccount {
+    GetAccount => "account/read" {
        params: v2::GetAccountParams,
        response: v2::GetAccountResponse,
    },

    /// DEPRECATED APIs below
-    Initialize {
-        params: v1::InitializeParams,
-        response: v1::InitializeResponse,
-    },
    NewConversation {
        params: v1::NewConversationParams,
        response: v1::NewConversationResponse,
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -6,6 +6,8 @@ use codex_protocol::ConversationId;
 use codex_protocol::account::PlanType;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
+use codex_protocol::items::AgentMessageContent as CoreAgentMessageContent;
+use codex_protocol::items::TurnItem as CoreTurnItem;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
 use codex_protocol::user_input::UserInput as CoreUserInput;
@@ -457,6 +459,17 @@ impl UserInput {
    }
 }

+impl From<CoreUserInput> for UserInput {
+    fn from(value: CoreUserInput) -> Self {
+        match value {
+            CoreUserInput::Text { text } => UserInput::Text { text },
+            CoreUserInput::Image { image_url } => UserInput::Image { url: image_url },
+            CoreUserInput::LocalImage { path } => UserInput::LocalImage { path },
+            _ => unreachable!("unsupported user input variant"),
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(tag = "type", rename_all = "camelCase")]
 #[ts(tag = "type")]
@@ -514,6 +527,42 @@ pub enum ThreadItem {
    },
 }

+impl From<CoreTurnItem> for ThreadItem {
+    fn from(value: CoreTurnItem) -> Self {
+        match value {
+            CoreTurnItem::UserMessage(user) => ThreadItem::UserMessage {
+                id: user.id,
+                content: user.content.into_iter().map(UserInput::from).collect(),
+            },
+            CoreTurnItem::AgentMessage(agent) => {
+                let text = agent
+                    .content
+                    .into_iter()
+                    .map(|entry| match entry {
+                        CoreAgentMessageContent::Text { text } => text,
+                    })
+                    .collect::<String>();
+                ThreadItem::AgentMessage { id: agent.id, text }
+            }
+            CoreTurnItem::Reasoning(reasoning) => {
+                let text = if !reasoning.summary_text.is_empty() {
+                    reasoning.summary_text.join("\n")
+                } else {
+                    reasoning.raw_content.join("\n")
+                };
+                ThreadItem::Reasoning {
+                    id: reasoning.id,
+                    text,
+                }
+            }
+            CoreTurnItem::WebSearch(search) => ThreadItem::WebSearch {
+                id: search.id,
+                query: search.query,
+            },
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -708,3 +757,100 @@ pub struct AccountLoginCompletedNotification {
    pub success: bool,
    pub error: Option<String>,
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_protocol::items::AgentMessageContent;
+    use codex_protocol::items::AgentMessageItem;
+    use codex_protocol::items::ReasoningItem;
+    use codex_protocol::items::TurnItem;
+    use codex_protocol::items::UserMessageItem;
+    use codex_protocol::items::WebSearchItem;
+    use codex_protocol::user_input::UserInput as CoreUserInput;
+    use pretty_assertions::assert_eq;
+    use std::path::PathBuf;
+
+    #[test]
+    fn core_turn_item_into_thread_item_converts_supported_variants() {
+        let user_item = TurnItem::UserMessage(UserMessageItem {
+            id: "user-1".to_string(),
+            content: vec![
+                CoreUserInput::Text {
+                    text: "hello".to_string(),
+                },
+                CoreUserInput::Image {
+                    image_url: "https://example.com/image.png".to_string(),
+                },
+                CoreUserInput::LocalImage {
+                    path: PathBuf::from("local/image.png"),
+                },
+            ],
+        });
+
+        assert_eq!(
+            ThreadItem::from(user_item),
+            ThreadItem::UserMessage {
+                id: "user-1".to_string(),
+                content: vec![
+                    UserInput::Text {
+                        text: "hello".to_string(),
+                    },
+                    UserInput::Image {
+                        url: "https://example.com/image.png".to_string(),
+                    },
+                    UserInput::LocalImage {
+                        path: PathBuf::from("local/image.png"),
+                    },
+                ],
+            }
+        );
+
+        let agent_item = TurnItem::AgentMessage(AgentMessageItem {
+            id: "agent-1".to_string(),
+            content: vec![
+                AgentMessageContent::Text {
+                    text: "Hello ".to_string(),
+                },
+                AgentMessageContent::Text {
+                    text: "world".to_string(),
+                },
+            ],
+        });
+
+        assert_eq!(
+            ThreadItem::from(agent_item),
+            ThreadItem::AgentMessage {
+                id: "agent-1".to_string(),
+                text: "Hello world".to_string(),
+            }
+        );
+
+        let reasoning_item = TurnItem::Reasoning(ReasoningItem {
+            id: "reasoning-1".to_string(),
+            summary_text: vec!["line one".to_string(), "line two".to_string()],
+            raw_content: vec![],
+        });
+
+        assert_eq!(
+            ThreadItem::from(reasoning_item),
+            ThreadItem::Reasoning {
+                id: "reasoning-1".to_string(),
+                text: "line one\nline two".to_string(),
+            }
+        );
+
+        let search_item = TurnItem::WebSearch(WebSearchItem {
+            id: "search-1".to_string(),
+            query: "docs".to_string(),
+        });
+
+        assert_eq!(
+            ThreadItem::from(search_item),
+            ThreadItem::WebSearch {
+                id: "search-1".to_string(),
+                query: "docs".to_string(),
+            }
+        );
+    }
+}
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -46,6 +46,8 @@ use codex_app_server_protocol::GitDiffToRemoteResponse;
 use codex_app_server_protocol::InputItem as WireInputItem;
 use codex_app_server_protocol::InterruptConversationParams;
 use codex_app_server_protocol::InterruptConversationResponse;
+use codex_app_server_protocol::ItemCompletedNotification;
+use codex_app_server_protocol::ItemStartedNotification;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::ListConversationsParams;
 use codex_app_server_protocol::ListConversationsResponse;
@@ -198,6 +200,30 @@ enum ApiVersion {
 }

 impl CodexMessageProcessor {
+    async fn conversation_from_thread_id(
+        &self,
+        thread_id: &str,
+    ) -> Result<(ConversationId, Arc<CodexConversation>), JSONRPCErrorError> {
+        // Resolve conversation id from v2 thread id string.
+        let conversation_id =
+            ConversationId::from_string(thread_id).map_err(|err| JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: format!("invalid thread id: {err}"),
+                data: None,
+            })?;
+
+        let conversation = self
+            .conversation_manager
+            .get_conversation(conversation_id)
+            .await
+            .map_err(|_| JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: format!("conversation not found: {conversation_id}"),
+                data: None,
+            })?;
+
+        Ok((conversation_id, conversation))
+    }
    pub fn new(
        auth_manager: Arc<AuthManager>,
        conversation_manager: Arc<ConversationManager>,
@@ -2145,34 +2171,14 @@ impl CodexMessageProcessor {
    }

    async fn turn_start(&self, request_id: RequestId, params: TurnStartParams) {
-        // Resolve conversation id from v2 thread id string.
-        let conversation_id = match ConversationId::from_string(&params.thread_id) {
-            Ok(id) => id,
-            Err(err) => {
-                let error = JSONRPCErrorError {
-                    code: INVALID_REQUEST_ERROR_CODE,
-                    message: format!("invalid thread id: {err}"),
-                    data: None,
-                };
+        let (_, conversation) = match self.conversation_from_thread_id(&params.thread_id).await {
+            Ok(v) => v,
+            Err(error) => {
                self.outgoing.send_error(request_id, error).await;
                return;
            }
        };

-        let Ok(conversation) = self
-            .conversation_manager
-            .get_conversation(conversation_id)
-            .await
-        else {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: format!("conversation not found: {conversation_id}"),
-                data: None,
-            };
-            self.outgoing.send_error(request_id, error).await;
-            return;
-        };
-
        // Keep a copy of v2 inputs for the notification payload.
        let v2_inputs_for_notif = params.input.clone();

@@ -2246,33 +2252,14 @@ impl CodexMessageProcessor {
    async fn turn_interrupt(&mut self, request_id: RequestId, params: TurnInterruptParams) {
        let TurnInterruptParams { thread_id, .. } = params;

-        // Resolve conversation id from v2 thread id string.
-        let conversation_id = match ConversationId::from_string(&thread_id) {
-            Ok(id) => id,
-            Err(err) => {
-                let error = JSONRPCErrorError {
-                    code: INVALID_REQUEST_ERROR_CODE,
-                    message: format!("invalid thread id: {err}"),
-                    data: None,
-                };
-                self.outgoing.send_error(request_id, error).await;
-                return;
-            }
-        };
-
-        let Ok(conversation) = self
-            .conversation_manager
-            .get_conversation(conversation_id)
-            .await
-        else {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: format!("conversation not found: {conversation_id}"),
-                data: None,
+        let (conversation_id, conversation) =
+            match self.conversation_from_thread_id(&thread_id).await {
+                Ok(v) => v,
+                Err(error) => {
+                    self.outgoing.send_error(request_id, error).await;
+                    return;
+                }
            };
-            self.outgoing.send_error(request_id, error).await;
-            return;
-        };

        // Record the pending interrupt so we can reply when TurnAborted arrives.
        {
@@ -2624,6 +2611,20 @@ async fn apply_bespoke_event_handling(
                    .await;
            }
        }
+        EventMsg::ItemStarted(item_started_event) => {
+            let item: ThreadItem = item_started_event.item.clone().into();
+            let notification = ItemStartedNotification { item };
+            outgoing
+                .send_server_notification(ServerNotification::ItemStarted(notification))
+                .await;
+        }
+        EventMsg::ItemCompleted(item_completed_event) => {
+            let item: ThreadItem = item_completed_event.item.clone().into();
+            let notification = ItemCompletedNotification { item };
+            outgoing
+                .send_server_notification(ServerNotification::ItemCompleted(notification))
+                .await;
+        }
        // If this is a TurnAborted, reply to any pending interrupt requests.
        EventMsg::TurnAborted(turn_aborted_event) => {
            let pending = {
--- a/codex-rs/arg0/src/lib.rs
+++ b/codex-rs/arg0/src/lib.rs
@@ -11,32 +11,7 @@ const LINUX_SANDBOX_ARG0: &str = "codex-linux-sandbox";
 const APPLY_PATCH_ARG0: &str = "apply_patch";
 const MISSPELLED_APPLY_PATCH_ARG0: &str = "applypatch";

-/// While we want to deploy the Codex CLI as a single executable for simplicity,
-/// we also want to expose some of its functionality as distinct CLIs, so we use
-/// the "arg0 trick" to determine which CLI to dispatch. This effectively allows
-/// us to simulate deploying multiple executables as a single binary on Mac and
-/// Linux (but not Windows).
-///
-/// When the current executable is invoked through the hard-link or alias named
-/// `codex-linux-sandbox` we *directly* execute
-/// [`codex_linux_sandbox::run_main`] (which never returns). Otherwise we:
-///
-/// 1.  Load `.env` values from `~/.codex/.env` before creating any threads.
-/// 2.  Construct a Tokio multi-thread runtime.
-/// 3.  Derive the path to the current executable (so children can re-invoke the
-///     sandbox) when running on Linux.
-/// 4.  Execute the provided async `main_fn` inside that runtime, forwarding any
-///     error. Note that `main_fn` receives `codex_linux_sandbox_exe:
-///     Option<PathBuf>`, as an argument, which is generally needed as part of
-///     constructing [`codex_core::config::Config`].
-///
-/// This function should be used to wrap any `main()` function in binary crates
-/// in this workspace that depends on these helper CLIs.
-pub fn arg0_dispatch_or_else<F, Fut>(main_fn: F) -> anyhow::Result<()>
-where
-    F: FnOnce(Option<PathBuf>) -> Fut,
-    Fut: Future<Output = anyhow::Result<()>>,
-{
+pub fn arg0_dispatch() -> Option<TempDir> {
    // Determine if we were invoked via the special alias.
    let mut args = std::env::args_os();
    let argv0 = args.next().unwrap_or_default();
@@ -76,10 +51,7 @@ where
    // before creating any threads/the Tokio runtime.
    load_dotenv();

-    // Retain the TempDir so it exists for the lifetime of the invocation of
-    // this executable. Admittedly, we could invoke `keep()` on it, but it
-    // would be nice to avoid leaving temporary directories behind, if possible.
-    let _path_entry = match prepend_path_entry_for_apply_patch() {
+    match prepend_path_entry_for_codex_aliases() {
        Ok(path_entry) => Some(path_entry),
        Err(err) => {
            // It is possible that Codex will proceed successfully even if
@@ -87,7 +59,39 @@ where
            eprintln!("WARNING: proceeding, even though we could not update PATH: {err}");
            None
        }
-    };
+    }
+}
+
+/// While we want to deploy the Codex CLI as a single executable for simplicity,
+/// we also want to expose some of its functionality as distinct CLIs, so we use
+/// the "arg0 trick" to determine which CLI to dispatch. This effectively allows
+/// us to simulate deploying multiple executables as a single binary on Mac and
+/// Linux (but not Windows).
+///
+/// When the current executable is invoked through the hard-link or alias named
+/// `codex-linux-sandbox` we *directly* execute
+/// [`codex_linux_sandbox::run_main`] (which never returns). Otherwise we:
+///
+/// 1.  Load `.env` values from `~/.codex/.env` before creating any threads.
+/// 2.  Construct a Tokio multi-thread runtime.
+/// 3.  Derive the path to the current executable (so children can re-invoke the
+///     sandbox) when running on Linux.
+/// 4.  Execute the provided async `main_fn` inside that runtime, forwarding any
+///     error. Note that `main_fn` receives `codex_linux_sandbox_exe:
+///     Option<PathBuf>`, as an argument, which is generally needed as part of
+///     constructing [`codex_core::config::Config`].
+///
+/// This function should be used to wrap any `main()` function in binary crates
+/// in this workspace that depends on these helper CLIs.
+pub fn arg0_dispatch_or_else<F, Fut>(main_fn: F) -> anyhow::Result<()>
+where
+    F: FnOnce(Option<PathBuf>) -> Fut,
+    Fut: Future<Output = anyhow::Result<()>>,
+{
+    // Retain the TempDir so it exists for the lifetime of the invocation of
+    // this executable. Admittedly, we could invoke `keep()` on it, but it
+    // would be nice to avoid leaving temporary directories behind, if possible.
+    let _path_entry = arg0_dispatch();

    // Regular invocation – create a Tokio runtime and execute the provided
    // async entry-point.
@@ -144,11 +148,16 @@ where
 ///
 /// IMPORTANT: This function modifies the PATH environment variable, so it MUST
 /// be called before multiple threads are spawned.
-fn prepend_path_entry_for_apply_patch() -> std::io::Result<TempDir> {
+pub fn prepend_path_entry_for_codex_aliases() -> std::io::Result<TempDir> {
    let temp_dir = TempDir::new()?;
    let path = temp_dir.path();

-    for filename in &[APPLY_PATCH_ARG0, MISSPELLED_APPLY_PATCH_ARG0] {
+    for filename in &[
+        APPLY_PATCH_ARG0,
+        MISSPELLED_APPLY_PATCH_ARG0,
+        #[cfg(target_os = "linux")]
+        LINUX_SANDBOX_ARG0,
+    ] {
        let exe = std::env::current_exe()?;

        #[cfg(unix)]
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -35,7 +35,9 @@ codex-rmcp-client = { workspace = true }
 codex-stdio-to-uds = { workspace = true }
 codex-tui = { workspace = true }
 ctor = { workspace = true }
+libc = { workspace = true }
 owo-colors = { workspace = true }
+regex-lite = { workspace = true}
 serde_json = { workspace = true }
 supports-color = { workspace = true }
 toml = { workspace = true }
@@ -46,6 +48,7 @@ tokio = { workspace = true, features = [
    "rt-multi-thread",
    "signal",
 ] }
+tracing = { workspace = true }

 [target.'cfg(target_os = "windows")'.dependencies]
 codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -1,3 +1,8 @@
+#[cfg(target_os = "macos")]
+mod pid_tracker;
+#[cfg(target_os = "macos")]
+mod seatbelt;
+
 use std::path::PathBuf;

 use codex_common::CliConfigOverrides;
@@ -15,6 +20,9 @@ use crate::SeatbeltCommand;
 use crate::WindowsCommand;
 use crate::exit_status::handle_exit_status;

+#[cfg(target_os = "macos")]
+use seatbelt::DenialLogger;
+
 #[cfg(target_os = "macos")]
 pub async fn run_command_under_seatbelt(
    command: SeatbeltCommand,
@@ -22,6 +30,7 @@ pub async fn run_command_under_seatbelt(
 ) -> anyhow::Result<()> {
    let SeatbeltCommand {
        full_auto,
+        log_denials,
        config_overrides,
        command,
    } = command;
@@ -31,6 +40,7 @@ pub async fn run_command_under_seatbelt(
        config_overrides,
        codex_linux_sandbox_exe,
        SandboxType::Seatbelt,
+        log_denials,
    )
    .await
 }
@@ -58,6 +68,7 @@ pub async fn run_command_under_landlock(
        config_overrides,
        codex_linux_sandbox_exe,
        SandboxType::Landlock,
+        false,
    )
    .await
 }
@@ -77,6 +88,7 @@ pub async fn run_command_under_windows(
        config_overrides,
        codex_linux_sandbox_exe,
        SandboxType::Windows,
+        false,
    )
    .await
 }
@@ -94,6 +106,7 @@ async fn run_command_under_sandbox(
    config_overrides: CliConfigOverrides,
    codex_linux_sandbox_exe: Option<PathBuf>,
    sandbox_type: SandboxType,
+    log_denials: bool,
 ) -> anyhow::Result<()> {
    let sandbox_mode = create_sandbox_mode(full_auto);
    let config = Config::load_with_cli_overrides(
@@ -180,6 +193,11 @@ async fn run_command_under_sandbox(
        }
    }

+    #[cfg(target_os = "macos")]
+    let mut denial_logger = log_denials.then(DenialLogger::new).flatten();
+    #[cfg(not(target_os = "macos"))]
+    let _ = log_denials;
+
    let mut child = match sandbox_type {
        #[cfg(target_os = "macos")]
        SandboxType::Seatbelt => {
@@ -213,8 +231,27 @@ async fn run_command_under_sandbox(
            unreachable!("Windows sandbox should have been handled above");
        }
    };
+
+    #[cfg(target_os = "macos")]
+    if let Some(denial_logger) = &mut denial_logger {
+        denial_logger.on_child_spawn(&child);
+    }
+
    let status = child.wait().await?;

+    #[cfg(target_os = "macos")]
+    if let Some(denial_logger) = denial_logger {
+        let denials = denial_logger.finish().await;
+        eprintln!("\n=== Sandbox denials ===");
+        if denials.is_empty() {
+            eprintln!("None found.");
+        } else {
+            for seatbelt::SandboxDenial { name, capability } in denials {
+                eprintln!("({name}) {capability}");
+            }
+        }
+    }
+
    handle_exit_status(status);
 }

--- a/codex-rs/cli/src/debug_sandbox/pid_tracker.rs
+++ b/codex-rs/cli/src/debug_sandbox/pid_tracker.rs
@@ -0,0 +1,372 @@
+use std::collections::HashSet;
+use tokio::task::JoinHandle;
+use tracing::warn;
+
+/// Tracks the (recursive) descendants of a process by using `kqueue` to watch for fork events, and
+/// `proc_listchildpids` to list the children of a process.
+pub(crate) struct PidTracker {
+    kq: libc::c_int,
+    handle: JoinHandle<HashSet<i32>>,
+}
+
+impl PidTracker {
+    pub(crate) fn new(root_pid: i32) -> Option<Self> {
+        if root_pid <= 0 {
+            return None;
+        }
+
+        let kq = unsafe { libc::kqueue() };
+        let handle = tokio::task::spawn_blocking(move || track_descendants(kq, root_pid));
+
+        Some(Self { kq, handle })
+    }
+
+    pub(crate) async fn stop(self) -> HashSet<i32> {
+        trigger_stop_event(self.kq);
+        self.handle.await.unwrap_or_default()
+    }
+}
+
+unsafe extern "C" {
+    fn proc_listchildpids(
+        ppid: libc::c_int,
+        buffer: *mut libc::c_void,
+        buffersize: libc::c_int,
+    ) -> libc::c_int;
+}
+
+/// Wrap proc_listchildpids.
+fn list_child_pids(parent: i32) -> Vec<i32> {
+    unsafe {
+        let mut capacity: usize = 16;
+        loop {
+            let mut buf: Vec<i32> = vec![0; capacity];
+            let count = proc_listchildpids(
+                parent as libc::c_int,
+                buf.as_mut_ptr() as *mut libc::c_void,
+                (buf.len() * std::mem::size_of::<i32>()) as libc::c_int,
+            );
+            if count <= 0 {
+                return Vec::new();
+            }
+            let returned = count as usize;
+            if returned < capacity {
+                buf.truncate(returned);
+                return buf;
+            }
+            capacity = capacity.saturating_mul(2).max(returned + 16);
+        }
+    }
+}
+
+fn pid_is_alive(pid: i32) -> bool {
+    if pid <= 0 {
+        return false;
+    }
+    let res = unsafe { libc::kill(pid as libc::pid_t, 0) };
+    if res == 0 {
+        true
+    } else {
+        matches!(
+            std::io::Error::last_os_error().raw_os_error(),
+            Some(libc::EPERM)
+        )
+    }
+}
+
+enum WatchPidError {
+    ProcessGone,
+    Other(std::io::Error),
+}
+
+/// Add `pid` to the watch list in `kq`.
+fn watch_pid(kq: libc::c_int, pid: i32) -> Result<(), WatchPidError> {
+    if pid <= 0 {
+        return Err(WatchPidError::ProcessGone);
+    }
+
+    let kev = libc::kevent {
+        ident: pid as libc::uintptr_t,
+        filter: libc::EVFILT_PROC,
+        flags: libc::EV_ADD | libc::EV_CLEAR,
+        fflags: libc::NOTE_FORK | libc::NOTE_EXEC | libc::NOTE_EXIT,
+        data: 0,
+        udata: std::ptr::null_mut(),
+    };
+
+    let res = unsafe { libc::kevent(kq, &kev, 1, std::ptr::null_mut(), 0, std::ptr::null()) };
+    if res < 0 {
+        let err = std::io::Error::last_os_error();
+        if err.raw_os_error() == Some(libc::ESRCH) {
+            Err(WatchPidError::ProcessGone)
+        } else {
+            Err(WatchPidError::Other(err))
+        }
+    } else {
+        Ok(())
+    }
+}
+
+fn watch_children(
+    kq: libc::c_int,
+    parent: i32,
+    seen: &mut HashSet<i32>,
+    active: &mut HashSet<i32>,
+) {
+    for child_pid in list_child_pids(parent) {
+        add_pid_watch(kq, child_pid, seen, active);
+    }
+}
+
+/// Watch `pid` and its children, updating `seen` and `active` sets.
+fn add_pid_watch(kq: libc::c_int, pid: i32, seen: &mut HashSet<i32>, active: &mut HashSet<i32>) {
+    if pid <= 0 {
+        return;
+    }
+
+    let newly_seen = seen.insert(pid);
+    let mut should_recurse = newly_seen;
+
+    if active.insert(pid) {
+        match watch_pid(kq, pid) {
+            Ok(()) => {
+                should_recurse = true;
+            }
+            Err(WatchPidError::ProcessGone) => {
+                active.remove(&pid);
+                return;
+            }
+            Err(WatchPidError::Other(err)) => {
+                warn!("failed to watch pid {pid}: {err}");
+                active.remove(&pid);
+                return;
+            }
+        }
+    }
+
+    if should_recurse {
+        watch_children(kq, pid, seen, active);
+    }
+}
+const STOP_IDENT: libc::uintptr_t = 1;
+
+fn register_stop_event(kq: libc::c_int) -> bool {
+    let kev = libc::kevent {
+        ident: STOP_IDENT,
+        filter: libc::EVFILT_USER,
+        flags: libc::EV_ADD | libc::EV_CLEAR,
+        fflags: 0,
+        data: 0,
+        udata: std::ptr::null_mut(),
+    };
+
+    let res = unsafe { libc::kevent(kq, &kev, 1, std::ptr::null_mut(), 0, std::ptr::null()) };
+    res >= 0
+}
+
+fn trigger_stop_event(kq: libc::c_int) {
+    if kq < 0 {
+        return;
+    }
+
+    let kev = libc::kevent {
+        ident: STOP_IDENT,
+        filter: libc::EVFILT_USER,
+        flags: 0,
+        fflags: libc::NOTE_TRIGGER,
+        data: 0,
+        udata: std::ptr::null_mut(),
+    };
+
+    let _ = unsafe { libc::kevent(kq, &kev, 1, std::ptr::null_mut(), 0, std::ptr::null()) };
+}
+
+/// Put all of the above together to track all the descendants of `root_pid`.
+fn track_descendants(kq: libc::c_int, root_pid: i32) -> HashSet<i32> {
+    if kq < 0 {
+        let mut seen = HashSet::new();
+        seen.insert(root_pid);
+        return seen;
+    }
+
+    if !register_stop_event(kq) {
+        let mut seen = HashSet::new();
+        seen.insert(root_pid);
+        let _ = unsafe { libc::close(kq) };
+        return seen;
+    }
+
+    let mut seen: HashSet<i32> = HashSet::new();
+    let mut active: HashSet<i32> = HashSet::new();
+
+    add_pid_watch(kq, root_pid, &mut seen, &mut active);
+
+    const EVENTS_CAP: usize = 32;
+    let mut events: [libc::kevent; EVENTS_CAP] =
+        unsafe { std::mem::MaybeUninit::zeroed().assume_init() };
+
+    let mut stop_requested = false;
+    loop {
+        if active.is_empty() {
+            if !pid_is_alive(root_pid) {
+                break;
+            }
+            add_pid_watch(kq, root_pid, &mut seen, &mut active);
+            if active.is_empty() {
+                continue;
+            }
+        }
+
+        let nev = unsafe {
+            libc::kevent(
+                kq,
+                std::ptr::null::<libc::kevent>(),
+                0,
+                events.as_mut_ptr(),
+                EVENTS_CAP as libc::c_int,
+                std::ptr::null(),
+            )
+        };
+
+        if nev < 0 {
+            let err = std::io::Error::last_os_error();
+            if err.kind() == std::io::ErrorKind::Interrupted {
+                continue;
+            }
+            break;
+        }
+
+        if nev == 0 {
+            continue;
+        }
+
+        for ev in events.iter().take(nev as usize) {
+            let pid = ev.ident as i32;
+
+            if ev.filter == libc::EVFILT_USER && ev.ident == STOP_IDENT {
+                stop_requested = true;
+                break;
+            }
+
+            if (ev.flags & libc::EV_ERROR) != 0 {
+                if ev.data == libc::ESRCH as isize {
+                    active.remove(&pid);
+                }
+                continue;
+            }
+
+            if (ev.fflags & libc::NOTE_FORK) != 0 {
+                watch_children(kq, pid, &mut seen, &mut active);
+            }
+
+            if (ev.fflags & libc::NOTE_EXIT) != 0 {
+                active.remove(&pid);
+            }
+        }
+
+        if stop_requested {
+            break;
+        }
+    }
+
+    let _ = unsafe { libc::close(kq) };
+
+    seen
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::process::Command;
+    use std::process::Stdio;
+    use std::time::Duration;
+
+    #[test]
+    fn pid_is_alive_detects_current_process() {
+        let pid = std::process::id() as i32;
+        assert!(pid_is_alive(pid));
+    }
+
+    #[cfg(target_os = "macos")]
+    #[test]
+    fn list_child_pids_includes_spawned_child() {
+        let mut child = Command::new("/bin/sleep")
+            .arg("5")
+            .stdin(Stdio::null())
+            .spawn()
+            .expect("failed to spawn child process");
+
+        let child_pid = child.id() as i32;
+        let parent_pid = std::process::id() as i32;
+
+        let mut found = false;
+        for _ in 0..100 {
+            if list_child_pids(parent_pid).contains(&child_pid) {
+                found = true;
+                break;
+            }
+            std::thread::sleep(Duration::from_millis(10));
+        }
+
+        let _ = child.kill();
+        let _ = child.wait();
+
+        assert!(found, "expected to find child pid {child_pid} in list");
+    }
+
+    #[cfg(target_os = "macos")]
+    #[tokio::test]
+    async fn pid_tracker_collects_spawned_children() {
+        let tracker = PidTracker::new(std::process::id() as i32).expect("failed to create tracker");
+
+        let mut child = Command::new("/bin/sleep")
+            .arg("0.1")
+            .stdin(Stdio::null())
+            .spawn()
+            .expect("failed to spawn child process");
+
+        let child_pid = child.id() as i32;
+        let parent_pid = std::process::id() as i32;
+
+        let _ = child.wait();
+
+        let seen = tracker.stop().await;
+
+        assert!(
+            seen.contains(&parent_pid),
+            "expected tracker to include parent pid {parent_pid}"
+        );
+        assert!(
+            seen.contains(&child_pid),
+            "expected tracker to include child pid {child_pid}"
+        );
+    }
+
+    #[cfg(target_os = "macos")]
+    #[tokio::test]
+    async fn pid_tracker_collects_bash_subshell_descendants() {
+        let tracker = PidTracker::new(std::process::id() as i32).expect("failed to create tracker");
+
+        let child = Command::new("/bin/bash")
+            .arg("-c")
+            .arg("(sleep 0.1 & echo $!; wait)")
+            .stdin(Stdio::null())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::null())
+            .spawn()
+            .expect("failed to spawn bash");
+
+        let output = child.wait_with_output().unwrap().stdout;
+        let subshell_pid = String::from_utf8_lossy(&output)
+            .trim()
+            .parse::<i32>()
+            .expect("failed to parse subshell pid");
+
+        let seen = tracker.stop().await;
+
+        assert!(
+            seen.contains(&subshell_pid),
+            "expected tracker to include subshell pid {subshell_pid}"
+        );
+    }
+}
--- a/codex-rs/cli/src/debug_sandbox/seatbelt.rs
+++ b/codex-rs/cli/src/debug_sandbox/seatbelt.rs
@@ -0,0 +1,114 @@
+use std::collections::HashSet;
+use tokio::io::AsyncBufReadExt;
+use tokio::process::Child;
+use tokio::task::JoinHandle;
+
+use super::pid_tracker::PidTracker;
+
+pub struct SandboxDenial {
+    pub name: String,
+    pub capability: String,
+}
+
+pub struct DenialLogger {
+    log_stream: Child,
+    pid_tracker: Option<PidTracker>,
+    log_reader: Option<JoinHandle<Vec<u8>>>,
+}
+
+impl DenialLogger {
+    pub(crate) fn new() -> Option<Self> {
+        let mut log_stream = start_log_stream()?;
+        let stdout = log_stream.stdout.take()?;
+        let log_reader = tokio::spawn(async move {
+            let mut reader = tokio::io::BufReader::new(stdout);
+            let mut logs = Vec::new();
+            let mut chunk = Vec::new();
+            loop {
+                match reader.read_until(b'\n', &mut chunk).await {
+                    Ok(0) | Err(_) => break,
+                    Ok(_) => {
+                        logs.extend_from_slice(&chunk);
+                        chunk.clear();
+                    }
+                }
+            }
+            logs
+        });
+
+        Some(Self {
+            log_stream,
+            pid_tracker: None,
+            log_reader: Some(log_reader),
+        })
+    }
+
+    pub(crate) fn on_child_spawn(&mut self, child: &Child) {
+        if let Some(root_pid) = child.id() {
+            self.pid_tracker = PidTracker::new(root_pid as i32);
+        }
+    }
+
+    pub(crate) async fn finish(mut self) -> Vec<SandboxDenial> {
+        let pid_set = match self.pid_tracker {
+            Some(tracker) => tracker.stop().await,
+            None => Default::default(),
+        };
+
+        if pid_set.is_empty() {
+            return Vec::new();
+        }
+
+        let _ = self.log_stream.kill().await;
+        let _ = self.log_stream.wait().await;
+
+        let logs_bytes = match self.log_reader.take() {
+            Some(handle) => handle.await.unwrap_or_default(),
+            None => Vec::new(),
+        };
+        let logs = String::from_utf8_lossy(&logs_bytes);
+
+        let mut seen: HashSet<(String, String)> = HashSet::new();
+        let mut denials: Vec<SandboxDenial> = Vec::new();
+        for line in logs.lines() {
+            if let Ok(json) = serde_json::from_str::<serde_json::Value>(line)
+                && let Some(msg) = json.get("eventMessage").and_then(|v| v.as_str())
+                && let Some((pid, name, capability)) = parse_message(msg)
+                && pid_set.contains(&pid)
+                && seen.insert((name.clone(), capability.clone()))
+            {
+                denials.push(SandboxDenial { name, capability });
+            }
+        }
+        denials
+    }
+}
+
+fn start_log_stream() -> Option<Child> {
+    use std::process::Stdio;
+
+    const PREDICATE: &str = r#"(((processID == 0) AND (senderImagePath CONTAINS "/Sandbox")) OR (subsystem == "com.apple.sandbox.reporting"))"#;
+
+    tokio::process::Command::new("log")
+        .args(["stream", "--style", "ndjson", "--predicate", PREDICATE])
+        .stdin(Stdio::null())
+        .stdout(Stdio::piped())
+        .stderr(Stdio::null())
+        .kill_on_drop(true)
+        .spawn()
+        .ok()
+}
+
+fn parse_message(msg: &str) -> Option<(i32, String, String)> {
+    // Example message:
+    // Sandbox: processname(1234) deny(1) capability-name args...
+    static RE: std::sync::OnceLock<regex_lite::Regex> = std::sync::OnceLock::new();
+    let re = RE.get_or_init(|| {
+        #[expect(clippy::unwrap_used)]
+        regex_lite::Regex::new(r"^Sandbox:\s*(.+?)\((\d+)\)\s+deny\(.*?\)\s*(.+)$").unwrap()
+    });
+
+    let (_, [name, pid_str, capability]) = re.captures(msg)?.extract();
+    let pid = pid_str.trim().parse::<i32>().ok()?;
+    Some((pid, name.to_string(), capability.to_string()))
+}
--- a/codex-rs/cli/src/lib.rs
+++ b/codex-rs/cli/src/lib.rs
@@ -11,6 +11,10 @@ pub struct SeatbeltCommand {
    #[arg(long = "full-auto", default_value_t = false)]
    pub full_auto: bool,

+    /// While the command runs, capture macOS sandbox denials via `log stream` and print them after exit
+    #[arg(long = "log-denials", default_value_t = false)]
+    pub log_denials: bool,
+
    #[clap(skip)]
    pub config_overrides: CliConfigOverrides,

--- a/codex-rs/common/src/config_override.rs
+++ b/codex-rs/common/src/config_override.rs
@@ -151,6 +151,15 @@ mod tests {
        assert_eq!(v.as_integer(), Some(42));
    }

+    #[test]
+    fn parses_bool() {
+        let true_literal = parse_toml_value("true").expect("parse");
+        assert_eq!(true_literal.as_bool(), Some(true));
+
+        let false_literal = parse_toml_value("false").expect("parse");
+        assert_eq!(false_literal.as_bool(), Some(false));
+    }
+
    #[test]
    fn fails_on_unquoted_string() {
        assert!(parse_toml_value("hello").is_err());
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -32,6 +32,7 @@ codex-utils-pty = { workspace = true }
 codex-utils-readiness = { workspace = true }
 codex-utils-string = { workspace = true }
 codex-utils-tokenizer = { workspace = true }
+codex-windows-sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
 dirs = { workspace = true }
 dunce = { workspace = true }
 env-flags = { workspace = true }
@@ -83,7 +84,6 @@ tree-sitter-bash = { workspace = true }
 uuid = { workspace = true, features = ["serde", "v4", "v5"] }
 which = { workspace = true }
 wildmatch = { workspace = true }
-codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }


 [target.'cfg(target_os = "linux")'.dependencies]
@@ -104,7 +104,9 @@ openssl-sys = { workspace = true, features = ["vendored"] }
 [dev-dependencies]
 assert_cmd = { workspace = true }
 assert_matches = { workspace = true }
+codex-arg0 = { workspace = true }
 core_test_support = { workspace = true }
+ctor = { workspace = true }
 escargot = { workspace = true }
 image = { workspace = true, features = ["jpeg", "png"] }
 maplit = { workspace = true }
--- a/codex-rs/core/gpt_5_codex_prompt.md
+++ b/codex-rs/core/gpt_5_codex_prompt.md
@@ -2,6 +2,8 @@ You are Codex, based on GPT-5. You are running as a coding agent in the Codex CL

 ## General

+- The arguments to `shell` will be passed to execvp(). Most terminal commands should be prefixed with ["bash", "-lc"].
+- Always set the `workdir` param when using the shell function. Do not use `cd` unless absolutely necessary.
 - When searching for text or files, prefer using `rg` or `rg --files` respectively because `rg` is much faster than alternatives like `grep`. (If the `rg` command is not found, then use alternatives.)

 ## Editing constraints
--- a/codex-rs/core/src/bash.rs
+++ b/codex-rs/core/src/bash.rs
@@ -88,17 +88,33 @@ pub fn try_parse_word_only_commands_sequence(tree: &Tree, src: &str) -> Option<V
    Some(commands)
 }

+pub fn is_well_known_sh_shell(shell: &str) -> bool {
+    if shell == "bash" || shell == "zsh" {
+        return true;
+    }
+
+    let shell_name = std::path::Path::new(shell)
+        .file_name()
+        .and_then(|s| s.to_str())
+        .unwrap_or(shell);
+    matches!(shell_name, "bash" | "zsh")
+}
+
+pub fn extract_bash_command(command: &[String]) -> Option<(&str, &str)> {
+    let [shell, flag, script] = command else {
+        return None;
+    };
+    if !matches!(flag.as_str(), "-lc" | "-c") || !is_well_known_sh_shell(shell) {
+        return None;
+    }
+    Some((shell, script))
+}
+
 /// Returns the sequence of plain commands within a `bash -lc "..."` or
 /// `zsh -lc "..."` invocation when the script only contains word-only commands
 /// joined by safe operators.
 pub fn parse_shell_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
-    let [shell, flag, script] = command else {
-        return None;
-    };
-
-    if flag != "-lc" || !(shell == "bash" || shell == "zsh") {
-        return None;
-    }
+    let (_, script) = extract_bash_command(command)?;

    let tree = try_parse_shell(script)?;
    try_parse_word_only_commands_sequence(&tree, script)
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -97,6 +97,7 @@ use crate::protocol::Submission;
 use crate::protocol::TokenCountEvent;
 use crate::protocol::TokenUsage;
 use crate::protocol::TurnDiffEvent;
+use crate::protocol::WarningEvent;
 use crate::rollout::RolloutRecorder;
 use crate::rollout::RolloutRecorderParams;
 use crate::shell;
@@ -674,6 +675,34 @@ impl Session {
                let rollout_items = conversation_history.get_rollout_items();
                let persist = matches!(conversation_history, InitialHistory::Forked(_));

+                // If resuming, warn when the last recorded model differs from the current one.
+                if let InitialHistory::Resumed(_) = conversation_history
+                    && let Some(prev) = rollout_items.iter().rev().find_map(|it| {
+                        if let RolloutItem::TurnContext(ctx) = it {
+                            Some(ctx.model.as_str())
+                        } else {
+                            None
+                        }
+                    })
+                {
+                    let curr = turn_context.client.get_model();
+                    if prev != curr {
+                        warn!(
+                            "resuming session with different model: previous={prev}, current={curr}"
+                        );
+                        self.send_event(
+                                &turn_context,
+                                EventMsg::Warning(WarningEvent {
+                                    message: format!(
+                                        "This session was recorded with model `{prev}` but is resuming with `{curr}`. \
+                         Consider switching back to `{prev}` as it may affect Codex performance."
+                                    ),
+                                }),
+                            )
+                                .await;
+                    }
+                }
+
                // Always add response items to conversation history
                let reconstructed_history =
                    self.reconstruct_history_from_rollout(&turn_context, &rollout_items);
@@ -2323,6 +2352,7 @@ mod tests {
    use crate::tools::context::ToolOutput;
    use crate::tools::context::ToolPayload;
    use crate::tools::handlers::ShellHandler;
+    use crate::tools::handlers::UnifiedExecHandler;
    use crate::tools::registry::ToolHandler;
    use crate::turn_diff_tracker::TurnDiffTracker;
    use codex_app_server_protocol::AuthMode;
@@ -3062,6 +3092,48 @@ mod tests {
        assert!(exec_output.output.contains("hi"));
    }

+    #[tokio::test]
+    async fn unified_exec_rejects_escalated_permissions_when_policy_not_on_request() {
+        use crate::protocol::AskForApproval;
+        use crate::turn_diff_tracker::TurnDiffTracker;
+
+        let (session, mut turn_context_raw) = make_session_and_context();
+        turn_context_raw.approval_policy = AskForApproval::OnFailure;
+        let session = Arc::new(session);
+        let turn_context = Arc::new(turn_context_raw);
+        let tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::new()));
+
+        let handler = UnifiedExecHandler;
+        let resp = handler
+            .handle(ToolInvocation {
+                session: Arc::clone(&session),
+                turn: Arc::clone(&turn_context),
+                tracker: Arc::clone(&tracker),
+                call_id: "exec-call".to_string(),
+                tool_name: "exec_command".to_string(),
+                payload: ToolPayload::Function {
+                    arguments: serde_json::json!({
+                        "cmd": "echo hi",
+                        "with_escalated_permissions": true,
+                        "justification": "need unsandboxed execution",
+                    })
+                    .to_string(),
+                },
+            })
+            .await;
+
+        let Err(FunctionCallError::RespondToModel(output)) = resp else {
+            panic!("expected error result");
+        };
+
+        let expected = format!(
+            "approval policy is {policy:?}; reject command — you cannot ask for escalated permissions if the approval policy is {policy:?}",
+            policy = turn_context.approval_policy
+        );
+
+        pretty_assertions::assert_eq!(output, expected);
+    }
+
    #[test]
    fn mcp_init_error_display_prompts_for_github_pat() {
        let server_name = "github";
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -29,6 +29,9 @@ pub enum Stage {
 pub enum Feature {
    /// Use the single unified PTY-backed exec tool.
    UnifiedExec,
+    /// Use the shell command tool that takes `command` as a single string of
+    /// shell instead of an array of args passed to `execvp(3)`.
+    ShellCommandTool,
    /// Enable experimental RMCP features such as OAuth login.
    RmcpClient,
    /// Include the freeform apply_patch tool.
@@ -250,6 +253,12 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Experimental,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::ShellCommandTool,
+        key: "shell_command_tool",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
    FeatureSpec {
        id: Feature::RmcpClient,
        key: "rmcp_client",
@@ -284,7 +293,7 @@ pub const FEATURES: &[FeatureSpec] = &[
        id: Feature::GhostCommit,
        key: "ghost_commit",
        stage: Stage::Experimental,
-        default_enabled: false,
+        default_enabled: true,
    },
    FeatureSpec {
        id: Feature::WindowsSandbox,
--- a/codex-rs/core/src/parse_command.rs
+++ b/codex-rs/core/src/parse_command.rs
@@ -1,3 +1,4 @@
+use crate::bash::extract_bash_command;
 use crate::bash::try_parse_shell;
 use crate::bash::try_parse_word_only_commands_sequence;
 use codex_protocol::parse_command::ParsedCommand;
@@ -853,6 +854,29 @@ mod tests {
            }],
        );
    }
+
+    #[test]
+    fn bin_bash_lc_sed() {
+        assert_parsed(
+            &shlex_split_safe("/bin/bash -lc 'sed -n '1,10p' Cargo.toml'"),
+            vec![ParsedCommand::Read {
+                cmd: "sed -n '1,10p' Cargo.toml".to_string(),
+                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
+            }],
+        );
+    }
+    #[test]
+    fn bin_zsh_lc_sed() {
+        assert_parsed(
+            &shlex_split_safe("/bin/zsh -lc 'sed -n '1,10p' Cargo.toml'"),
+            vec![ParsedCommand::Read {
+                cmd: "sed -n '1,10p' Cargo.toml".to_string(),
+                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
+            }],
+        );
+    }
 }

 pub fn parse_command_impl(command: &[String]) -> Vec<ParsedCommand> {
@@ -1166,18 +1190,13 @@ fn parse_find_query_and_path(tail: &[String]) -> (Option<String>, Option<String>
 }

 fn parse_shell_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
-    let [shell, flag, script] = original else {
-        return None;
-    };
-    if flag != "-lc" || !(shell == "bash" || shell == "zsh") {
-        return None;
-    }
+    let (_, script) = extract_bash_command(original)?;
+
    if let Some(tree) = try_parse_shell(script)
        && let Some(all_commands) = try_parse_word_only_commands_sequence(&tree, script)
        && !all_commands.is_empty()
    {
-        let script_tokens = shlex_split(script)
-            .unwrap_or_else(|| vec![shell.clone(), flag.clone(), script.clone()]);
+        let script_tokens = shlex_split(script).unwrap_or_else(|| vec![script.to_string()]);
        // Strip small formatting helpers (e.g., head/tail/awk/wc/etc) so we
        // bias toward the primary command when pipelines are present.
        // First, drop obvious small formatting helpers (e.g., wc/awk/etc).
@@ -1186,7 +1205,7 @@ fn parse_shell_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
        let filtered_commands = drop_small_formatting_commands(all_commands);
        if filtered_commands.is_empty() {
            return Some(vec![ParsedCommand::Unknown {
-                cmd: script.clone(),
+                cmd: script.to_string(),
            }]);
        }
        // Build parsed commands, tracking `cd` segments to compute effective file paths.
@@ -1250,7 +1269,7 @@ fn parse_shell_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
                            });
                            if has_pipe && has_sed_n {
                                ParsedCommand::Read {
-                                    cmd: script.clone(),
+                                    cmd: script.to_string(),
                                    name,
                                    path,
                                }
@@ -1295,7 +1314,7 @@ fn parse_shell_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
        return Some(commands);
    }
    Some(vec![ParsedCommand::Unknown {
-        cmd: script.clone(),
+        cmd: script.to_string(),
    }])
 }

--- a/codex-rs/core/src/shell.rs
+++ b/codex-rs/core/src/shell.rs
@@ -31,16 +31,37 @@ pub enum Shell {
 impl Shell {
    pub fn name(&self) -> Option<String> {
        match self {
-            Shell::Zsh(zsh) => std::path::Path::new(&zsh.shell_path)
-                .file_name()
-                .map(|s| s.to_string_lossy().to_string()),
-            Shell::Bash(bash) => std::path::Path::new(&bash.shell_path)
-                .file_name()
-                .map(|s| s.to_string_lossy().to_string()),
+            Shell::Zsh(ZshShell { shell_path, .. }) | Shell::Bash(BashShell { shell_path, .. }) => {
+                std::path::Path::new(shell_path)
+                    .file_name()
+                    .map(|s| s.to_string_lossy().to_string())
+            }
            Shell::PowerShell(ps) => Some(ps.exe.clone()),
            Shell::Unknown => None,
        }
    }
+
+    /// Takes a string of shell and returns the full list of command args to
+    /// use with `exec()` to run the shell command.
+    pub fn derive_exec_args(&self, command: &str, use_login_shell: bool) -> Vec<String> {
+        match self {
+            Shell::Zsh(ZshShell { shell_path, .. }) | Shell::Bash(BashShell { shell_path, .. }) => {
+                let arg = if use_login_shell { "-lc" } else { "-c" };
+                vec![shell_path.clone(), arg.to_string(), command.to_string()]
+            }
+            Shell::PowerShell(ps) => {
+                let mut args = vec![ps.exe.clone(), "-NoLogo".to_string()];
+                if !use_login_shell {
+                    args.push("-NoProfile".to_string());
+                }
+
+                args.push("-Command".to_string());
+                args.push(command.to_string());
+                args
+            }
+            Shell::Unknown => shlex::split(command).unwrap_or_else(|| vec![command.to_string()]),
+        }
+    }
 }

 #[cfg(unix)]
--- a/codex-rs/core/src/spawn.rs
+++ b/codex-rs/core/src/spawn.rs
@@ -73,6 +73,44 @@ pub(crate) async fn spawn_child_async(
                return Err(std::io::Error::last_os_error());
            }

+            #[cfg(target_os = "macos")]
+            {
+                // macOS network stack (via reqwest/hyper) opens PF_SYSTEM control sockets
+                // such as com.apple.netsrc without setting FD_CLOEXEC. Those descriptors
+                // get inherited by shell tool children, which is surprising and lets the
+                // child talk to that kernel control socket. Close everything above stdio
+                // to keep those sockets (and any similar long-lived fds) out of subshells.
+                // We bound the sweep by min(RLIMIT_NOFILE, 128) because netsrc fds are
+                // low and this avoids a pathological case where another thread lowers
+                // the rlimit between opening the socket and spawning the child. If we ever
+                // move the reqwest traffic into a helper process, leaking these fds would
+                // be less concerning.
+                let mut max_fd = 128_i64;
+                let mut limit = libc::rlimit {
+                    rlim_cur: 0,
+                    rlim_max: 0,
+                };
+                if libc::getrlimit(libc::RLIMIT_NOFILE, &mut limit) == 0
+                    && limit.rlim_cur != libc::RLIM_INFINITY
+                {
+                    let soft_limit = limit.rlim_cur.min(i64::MAX as libc::rlim_t) as i64;
+                    max_fd = max_fd.min(soft_limit);
+                }
+
+                let bound = max_fd.max(3);
+                let mut fd = 3;
+                while (fd as i64) < bound {
+                    let flags = libc::fcntl(fd, libc::F_GETFD);
+                    // We leave CLOEXEC fds alone (for example, the stdlib
+                    // error-reporting pipe used when exec fails) and only close
+                    // descriptors that would have been inherited.
+                    if flags != -1 && (flags & libc::FD_CLOEXEC) == 0 {
+                        libc::close(fd);
+                    }
+                    fd += 1;
+                }
+            }
+
            // This relies on prctl(2), so it only works on Linux.
            #[cfg(target_os = "linux")]
            {
--- a/codex-rs/core/src/tasks/user_shell.rs
+++ b/codex-rs/core/src/tasks/user_shell.rs
@@ -63,27 +63,10 @@ impl SessionTask for UserShellCommandTask {
        // Execute the user's script under their default shell when known; this
        // allows commands that use shell features (pipes, &&, redirects, etc.).
        // We do not source rc files or otherwise reformat the script.
-        let shell_invocation = match session.user_shell() {
-            crate::shell::Shell::Zsh(zsh) => vec![
-                zsh.shell_path.clone(),
-                "-lc".to_string(),
-                self.command.clone(),
-            ],
-            crate::shell::Shell::Bash(bash) => vec![
-                bash.shell_path.clone(),
-                "-lc".to_string(),
-                self.command.clone(),
-            ],
-            crate::shell::Shell::PowerShell(ps) => vec![
-                ps.exe.clone(),
-                "-NoProfile".to_string(),
-                "-Command".to_string(),
-                self.command.clone(),
-            ],
-            crate::shell::Shell::Unknown => {
-                shlex::split(&self.command).unwrap_or_else(|| vec![self.command.clone()])
-            }
-        };
+        let use_login_shell = true;
+        let shell_invocation = session
+            .user_shell()
+            .derive_exec_args(&self.command, use_login_shell);

        let call_id = Uuid::new_v4().to_string();
        let raw_command = self.command.clone();
--- a/codex-rs/core/src/tools/handlers/mod.rs
+++ b/codex-rs/core/src/tools/handlers/mod.rs
@@ -19,6 +19,7 @@ pub use mcp::McpHandler;
 pub use mcp_resource::McpResourceHandler;
 pub use plan::PlanHandler;
 pub use read_file::ReadFileHandler;
+pub use shell::ShellCommandHandler;
 pub use shell::ShellHandler;
 pub use test_sync::TestSyncHandler;
 pub use unified_exec::UnifiedExecHandler;
--- a/codex-rs/core/src/tools/handlers/shell.rs
+++ b/codex-rs/core/src/tools/handlers/shell.rs
@@ -1,4 +1,5 @@
 use async_trait::async_trait;
+use codex_protocol::models::ShellCommandToolCallParams;
 use codex_protocol::models::ShellToolCallParams;
 use std::sync::Arc;

@@ -25,6 +26,8 @@ use crate::tools::sandboxing::ToolCtx;

 pub struct ShellHandler;

+pub struct ShellCommandHandler;
+
 impl ShellHandler {
    fn to_exec_params(params: ShellToolCallParams, turn_context: &TurnContext) -> ExecParams {
        ExecParams {
@@ -39,6 +42,28 @@ impl ShellHandler {
    }
 }

+impl ShellCommandHandler {
+    fn to_exec_params(
+        params: ShellCommandToolCallParams,
+        session: &crate::codex::Session,
+        turn_context: &TurnContext,
+    ) -> ExecParams {
+        let shell = session.user_shell();
+        let use_login_shell = true;
+        let command = shell.derive_exec_args(&params.command, use_login_shell);
+
+        ExecParams {
+            command,
+            cwd: turn_context.resolve_path(params.workdir.clone()),
+            timeout_ms: params.timeout_ms,
+            env: create_env(&turn_context.shell_environment_policy),
+            with_escalated_permissions: params.with_escalated_permissions,
+            justification: params.justification,
+            arg0: None,
+        }
+    }
+}
+
 #[async_trait]
 impl ToolHandler for ShellHandler {
    fn kind(&self) -> ToolKind {
@@ -102,6 +127,49 @@ impl ToolHandler for ShellHandler {
    }
 }

+#[async_trait]
+impl ToolHandler for ShellCommandHandler {
+    fn kind(&self) -> ToolKind {
+        ToolKind::Function
+    }
+
+    fn matches_kind(&self, payload: &ToolPayload) -> bool {
+        matches!(payload, ToolPayload::Function { .. })
+    }
+
+    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
+        let ToolInvocation {
+            session,
+            turn,
+            tracker,
+            call_id,
+            tool_name,
+            payload,
+        } = invocation;
+
+        let ToolPayload::Function { arguments } = payload else {
+            return Err(FunctionCallError::RespondToModel(format!(
+                "unsupported payload for shell_command handler: {tool_name}"
+            )));
+        };
+
+        let params: ShellCommandToolCallParams = serde_json::from_str(&arguments).map_err(|e| {
+            FunctionCallError::RespondToModel(format!("failed to parse function arguments: {e:?}"))
+        })?;
+        let exec_params = Self::to_exec_params(params, session.as_ref(), turn.as_ref());
+        ShellHandler::run_exec_like(
+            tool_name.as_str(),
+            exec_params,
+            session,
+            turn,
+            tracker,
+            call_id,
+            false,
+        )
+        .await
+    }
+}
+
 impl ShellHandler {
    async fn run_exec_like(
        tool_name: &str,
@@ -240,3 +308,49 @@ impl ShellHandler {
        })
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::is_safe_command::is_known_safe_command;
+    use crate::shell::BashShell;
+    use crate::shell::Shell;
+    use crate::shell::ZshShell;
+
+    /// The logic for is_known_safe_command() has heuristics for known shells,
+    /// so we must ensure the commands generated by [ShellCommandHandler] can be
+    /// recognized as safe if the `command` is safe.
+    #[test]
+    fn commands_generated_by_shell_command_handler_can_be_matched_by_is_known_safe_command() {
+        let bash_shell = Shell::Bash(BashShell {
+            shell_path: "/bin/bash".to_string(),
+            bashrc_path: "/home/user/.bashrc".to_string(),
+        });
+        assert_safe(&bash_shell, "ls -la");
+
+        let zsh_shell = Shell::Zsh(ZshShell {
+            shell_path: "/bin/zsh".to_string(),
+            zshrc_path: "/home/user/.zshrc".to_string(),
+        });
+        assert_safe(&zsh_shell, "ls -la");
+
+        #[cfg(target_os = "windows")]
+        {
+            use crate::shell::PowerShellConfig;
+
+            let powershell = Shell::PowerShell(PowerShellConfig {
+                exe: "pwsh.exe".to_string(),
+                bash_exe_fallback: None,
+            });
+            assert_safe(&powershell, "ls -Name");
+        }
+    }
+
+    fn assert_safe(shell: &Shell, command: &str) {
+        assert!(is_known_safe_command(
+            &shell.derive_exec_args(command, /* use_login_shell */ true)
+        ));
+        assert!(is_known_safe_command(
+            &shell.derive_exec_args(command, /* use_login_shell */ false)
+        ));
+    }
+}
--- a/codex-rs/core/src/tools/handlers/unified_exec.rs
+++ b/codex-rs/core/src/tools/handlers/unified_exec.rs
@@ -36,6 +36,10 @@ struct ExecCommandArgs {
    yield_time_ms: Option<u64>,
    #[serde(default)]
    max_output_tokens: Option<usize>,
+    #[serde(default)]
+    with_escalated_permissions: Option<bool>,
+    #[serde(default)]
+    justification: Option<String>,
 }

 #[derive(Debug, Deserialize)]
@@ -100,8 +104,30 @@ impl ToolHandler for UnifiedExecHandler {
                        "failed to parse exec_command arguments: {err:?}"
                    ))
                })?;
-                let workdir = args
-                    .workdir
+                let ExecCommandArgs {
+                    cmd,
+                    workdir,
+                    shell,
+                    login,
+                    yield_time_ms,
+                    max_output_tokens,
+                    with_escalated_permissions,
+                    justification,
+                } = args;
+
+                if with_escalated_permissions.unwrap_or(false)
+                    && !matches!(
+                        context.turn.approval_policy,
+                        codex_protocol::protocol::AskForApproval::OnRequest
+                    )
+                {
+                    return Err(FunctionCallError::RespondToModel(format!(
+                        "approval policy is {policy:?}; reject command — you cannot ask for escalated permissions if the approval policy is {policy:?}",
+                        policy = context.turn.approval_policy
+                    )));
+                }
+
+                let workdir = workdir
                    .as_deref()
                    .filter(|value| !value.is_empty())
                    .map(PathBuf::from);
@@ -113,18 +139,20 @@ impl ToolHandler for UnifiedExecHandler {
                    &context.call_id,
                    None,
                );
-                let emitter = ToolEmitter::unified_exec(args.cmd.clone(), cwd.clone(), true);
+                let emitter = ToolEmitter::unified_exec(cmd.clone(), cwd.clone(), true);
                emitter.emit(event_ctx, ToolEventStage::Begin).await;

                manager
                    .exec_command(
                        ExecCommandRequest {
-                            command: &args.cmd,
-                            shell: &args.shell,
-                            login: args.login,
-                            yield_time_ms: args.yield_time_ms,
-                            max_output_tokens: args.max_output_tokens,
+                            command: &cmd,
+                            shell: &shell,
+                            login,
+                            yield_time_ms,
+                            max_output_tokens,
                            workdir,
+                            with_escalated_permissions,
+                            justification,
                        },
                        &context,
                    )
--- a/codex-rs/core/src/tools/parallel.rs
+++ b/codex-rs/core/src/tools/parallel.rs
@@ -65,9 +65,9 @@ impl ToolCallRuntime {
                        Ok(Self::aborted_response(&call, secs))
                    },
                    res = async {
-                        tracing::info!("waiting for tool gate");
+                        tracing::trace!("waiting for tool gate");
                        readiness.wait_ready().await;
-                        tracing::info!("tool gate released");
+                        tracing::trace!("tool gate released");
                        let _guard = if supports_parallel {
                            Either::Left(lock.read().await)
                        } else {
--- a/codex-rs/core/src/tools/runtimes/unified_exec.rs
+++ b/codex-rs/core/src/tools/runtimes/unified_exec.rs
@@ -34,6 +34,8 @@ pub struct UnifiedExecRequest {
    pub command: Vec<String>,
    pub cwd: PathBuf,
    pub env: HashMap<String, String>,
+    pub with_escalated_permissions: Option<bool>,
+    pub justification: Option<String>,
 }

 impl ProvidesSandboxRetryData for UnifiedExecRequest {
@@ -49,6 +51,7 @@ impl ProvidesSandboxRetryData for UnifiedExecRequest {
 pub struct UnifiedExecApprovalKey {
    pub command: Vec<String>,
    pub cwd: PathBuf,
+    pub escalated: bool,
 }

 pub struct UnifiedExecRuntime<'a> {
@@ -56,8 +59,20 @@ pub struct UnifiedExecRuntime<'a> {
 }

 impl UnifiedExecRequest {
-    pub fn new(command: Vec<String>, cwd: PathBuf, env: HashMap<String, String>) -> Self {
-        Self { command, cwd, env }
+    pub fn new(
+        command: Vec<String>,
+        cwd: PathBuf,
+        env: HashMap<String, String>,
+        with_escalated_permissions: Option<bool>,
+        justification: Option<String>,
+    ) -> Self {
+        Self {
+            command,
+            cwd,
+            env,
+            with_escalated_permissions,
+            justification,
+        }
    }
 }

@@ -84,6 +99,7 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
        UnifiedExecApprovalKey {
            command: req.command.clone(),
            cwd: req.cwd.clone(),
+            escalated: req.with_escalated_permissions.unwrap_or(false),
        }
    }

@@ -98,7 +114,10 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
        let call_id = ctx.call_id.to_string();
        let command = req.command.clone();
        let cwd = req.cwd.clone();
-        let reason = ctx.retry_reason.clone();
+        let reason = ctx
+            .retry_reason
+            .clone()
+            .or_else(|| req.justification.clone());
        let risk = ctx.risk.clone();
        Box::pin(async move {
            with_cached_approval(&session.services, key, || async move {
@@ -116,7 +135,16 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
        policy: AskForApproval,
        sandbox_policy: &SandboxPolicy,
    ) -> bool {
-        requires_initial_appoval(policy, sandbox_policy, &req.command, false)
+        requires_initial_appoval(
+            policy,
+            sandbox_policy,
+            &req.command,
+            req.with_escalated_permissions.unwrap_or(false),
+        )
+    }
+
+    fn wants_escalated_first_attempt(&self, req: &UnifiedExecRequest) -> bool {
+        req.with_escalated_permissions.unwrap_or(false)
    }
 }

@@ -127,8 +155,15 @@ impl<'a> ToolRuntime<UnifiedExecRequest, UnifiedExecSession> for UnifiedExecRunt
        attempt: &SandboxAttempt<'_>,
        _ctx: &ToolCtx<'_>,
    ) -> Result<UnifiedExecSession, ToolError> {
-        let spec = build_command_spec(&req.command, &req.cwd, &req.env, None, None, None)
-            .map_err(|_| ToolError::Rejected("missing command line for PTY".to_string()))?;
+        let spec = build_command_spec(
+            &req.command,
+            &req.cwd,
+            &req.env,
+            None,
+            req.with_escalated_permissions,
+            req.justification.clone(),
+        )
+        .map_err(|_| ToolError::Rejected("missing command line for PTY".to_string()))?;
        let exec_env = attempt
            .env_for(&spec)
            .map_err(|err| ToolError::Codex(err.into()))?;
--- a/codex-rs/core/src/tools/spec.rs
+++ b/codex-rs/core/src/tools/spec.rs
@@ -20,6 +20,8 @@ pub enum ConfigShellToolType {
    Default,
    Local,
    UnifiedExec,
+    /// Takes a command as a single string to be run in the user's default shell.
+    ShellCommand,
 }

 #[derive(Debug, Clone)]
@@ -48,6 +50,8 @@ impl ToolsConfig {

        let shell_type = if features.enabled(Feature::UnifiedExec) {
            ConfigShellToolType::UnifiedExec
+        } else if features.enabled(Feature::ShellCommandTool) {
+            ConfigShellToolType::ShellCommand
        } else {
            model_family.shell_type.clone()
        };
@@ -177,15 +181,30 @@ fn create_exec_command_tool() -> ToolSpec {
            ),
        },
    );
+    properties.insert(
+        "with_escalated_permissions".to_string(),
+        JsonSchema::Boolean {
+            description: Some(
+                "Whether to request escalated permissions. Set to true if command needs to be run without sandbox restrictions"
+                    .to_string(),
+            ),
+        },
+    );
+    properties.insert(
+        "justification".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "Only set if with_escalated_permissions is true. 1-sentence explanation of why we want to run this command."
+                    .to_string(),
+            ),
+        },
+    );

    ToolSpec::Function(ResponsesApiTool {
        name: "exec_command".to_string(),
        description:
-            concat!(
-              "Runs a command in a PTY, returning output or a session ID for ongoing interaction.\n",
-              "- Always set the `workdir` param when using the shell function. Do not use `cd` unless absolutely necessary."
-            )
-            .to_string(),
+            "Runs a command in a PTY, returning output or a session ID for ongoing interaction."
+                .to_string(),
        strict: false,
        parameters: JsonSchema::Object {
            properties,
@@ -277,12 +296,54 @@ fn create_shell_tool() -> ToolSpec {

    ToolSpec::Function(ResponsesApiTool {
        name: "shell".to_string(),
-        description: concat!(
-            "Runs a shell command and returns its output.\n",
-            "- The value of `command` will be passed to execvp(). Most terminal commands should be prefixed with [`bash`, `-lc`].\n",
-            "- Always set the `workdir` param when using the shell function. Do not use `cd` unless absolutely necessary.",
-        )
-        .to_string(),
+        description: "Runs a shell command and returns its output.".to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: Some(vec!["command".to_string()]),
+            additional_properties: Some(false.into()),
+        },
+    })
+}
+
+fn create_shell_command_tool() -> ToolSpec {
+    let mut properties = BTreeMap::new();
+    properties.insert(
+        "command".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "The shell script to execute in the user's default shell".to_string(),
+            ),
+        },
+    );
+    properties.insert(
+        "workdir".to_string(),
+        JsonSchema::String {
+            description: Some("The working directory to execute the command in".to_string()),
+        },
+    );
+    properties.insert(
+        "timeout_ms".to_string(),
+        JsonSchema::Number {
+            description: Some("The timeout for the command in milliseconds".to_string()),
+        },
+    );
+    properties.insert(
+        "with_escalated_permissions".to_string(),
+        JsonSchema::Boolean {
+            description: Some("Whether to request escalated permissions. Set to true if command needs to be run without sandbox restrictions".to_string()),
+        },
+    );
+    properties.insert(
+        "justification".to_string(),
+        JsonSchema::String {
+            description: Some("Only set if with_escalated_permissions is true. 1-sentence explanation of why we want to run this command.".to_string()),
+        },
+    );
+
+    ToolSpec::Function(ResponsesApiTool {
+        name: "shell_command".to_string(),
+        description: "Runs a shell command string and returns its output.".to_string(),
        strict: false,
        parameters: JsonSchema::Object {
            properties,
@@ -881,6 +942,7 @@ pub(crate) fn build_specs(
    use crate::tools::handlers::McpResourceHandler;
    use crate::tools::handlers::PlanHandler;
    use crate::tools::handlers::ReadFileHandler;
+    use crate::tools::handlers::ShellCommandHandler;
    use crate::tools::handlers::ShellHandler;
    use crate::tools::handlers::TestSyncHandler;
    use crate::tools::handlers::UnifiedExecHandler;
@@ -896,6 +958,7 @@ pub(crate) fn build_specs(
    let view_image_handler = Arc::new(ViewImageHandler);
    let mcp_handler = Arc::new(McpHandler);
    let mcp_resource_handler = Arc::new(McpResourceHandler);
+    let shell_command_handler = Arc::new(ShellCommandHandler);

    match &config.shell_type {
        ConfigShellToolType::Default => {
@@ -910,12 +973,16 @@ pub(crate) fn build_specs(
            builder.register_handler("exec_command", unified_exec_handler.clone());
            builder.register_handler("write_stdin", unified_exec_handler);
        }
+        ConfigShellToolType::ShellCommand => {
+            builder.push_spec(create_shell_command_tool());
+        }
    }

    // Always register shell aliases so older prompts remain compatible.
    builder.register_handler("shell", shell_handler.clone());
    builder.register_handler("container.exec", shell_handler.clone());
    builder.register_handler("local_shell", shell_handler);
+    builder.register_handler("shell_command", shell_command_handler);

    builder.push_spec_with_parallel_support(create_list_mcp_resources_tool(), true);
    builder.push_spec_with_parallel_support(create_list_mcp_resource_templates_tool(), true);
@@ -1051,6 +1118,7 @@ mod tests {
            ConfigShellToolType::Default => Some("shell"),
            ConfigShellToolType::Local => Some("local_shell"),
            ConfigShellToolType::UnifiedExec => None,
+            ConfigShellToolType::ShellCommand => Some("shell_command"),
        }
    }

@@ -1283,6 +1351,22 @@ mod tests {
        assert_contains_tool_names(&tools, &subset);
    }

+    #[test]
+    fn test_build_specs_shell_command_present() {
+        assert_model_tools(
+            "codex-mini-latest",
+            Features::with_defaults().enable(Feature::ShellCommandTool),
+            &[
+                "shell_command",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "view_image",
+            ],
+        );
+    }
+
    #[test]
    #[ignore]
    fn test_parallel_support_flags() {
@@ -1734,7 +1818,22 @@ mod tests {
        };
        assert_eq!(name, "shell");

-        let expected = "Runs a shell command and returns its output.\n- The value of `command` will be passed to execvp(). Most terminal commands should be prefixed with [`bash`, `-lc`].\n- Always set the `workdir` param when using the shell function. Do not use `cd` unless absolutely necessary.";
+        let expected = "Runs a shell command and returns its output.";
+        assert_eq!(description, expected);
+    }
+
+    #[test]
+    fn test_shell_command_tool() {
+        let tool = super::create_shell_command_tool();
+        let ToolSpec::Function(ResponsesApiTool {
+            description, name, ..
+        }) = &tool
+        else {
+            panic!("expected function tool");
+        };
+        assert_eq!(name, "shell_command");
+
+        let expected = "Runs a shell command string and returns its output.";
        assert_eq!(description, expected);
    }

--- a/codex-rs/core/src/unified_exec/mod.rs
+++ b/codex-rs/core/src/unified_exec/mod.rs
@@ -71,6 +71,8 @@ pub(crate) struct ExecCommandRequest<'a> {
    pub yield_time_ms: Option<u64>,
    pub max_output_tokens: Option<usize>,
    pub workdir: Option<PathBuf>,
+    pub with_escalated_permissions: Option<bool>,
+    pub justification: Option<String>,
 }

 #[derive(Debug)]
@@ -201,6 +203,8 @@ mod tests {
                    yield_time_ms,
                    max_output_tokens: None,
                    workdir: None,
+                    with_escalated_permissions: None,
+                    justification: None,
                },
                &context,
            )
--- a/codex-rs/core/src/unified_exec/session_manager.rs
+++ b/codex-rs/core/src/unified_exec/session_manager.rs
@@ -51,7 +51,13 @@ impl UnifiedExecSessionManager {
        ];

        let session = self
-            .open_session_with_sandbox(command, cwd.clone(), context)
+            .open_session_with_sandbox(
+                command,
+                cwd.clone(),
+                request.with_escalated_permissions,
+                request.justification,
+                context,
+            )
            .await?;

        let max_tokens = resolve_max_tokens(request.max_output_tokens);
@@ -300,10 +306,16 @@ impl UnifiedExecSessionManager {
            .command
            .split_first()
            .ok_or(UnifiedExecError::MissingCommandLine)?;
-        let spawned =
-            codex_utils_pty::spawn_pty_process(program, args, env.cwd.as_path(), &env.env)
-                .await
-                .map_err(|err| UnifiedExecError::create_session(err.to_string()))?;
+
+        let spawned = codex_utils_pty::spawn_pty_process(
+            program,
+            args,
+            env.cwd.as_path(),
+            &env.env,
+            &env.arg0,
+        )
+        .await
+        .map_err(|err| UnifiedExecError::create_session(err.to_string()))?;
        UnifiedExecSession::from_spawned(spawned, env.sandbox).await
    }

@@ -311,6 +323,8 @@ impl UnifiedExecSessionManager {
        &self,
        command: Vec<String>,
        cwd: PathBuf,
+        with_escalated_permissions: Option<bool>,
+        justification: Option<String>,
        context: &UnifiedExecContext,
    ) -> Result<UnifiedExecSession, UnifiedExecError> {
        let mut orchestrator = ToolOrchestrator::new();
@@ -319,6 +333,8 @@ impl UnifiedExecSessionManager {
            command,
            cwd,
            create_env(&context.turn.shell_environment_policy),
+            with_escalated_permissions,
+            justification,
        );
        let tool_ctx = ToolCtx {
            session: context.session.as_ref(),
--- a/codex-rs/core/tests/suite/approvals.rs
+++ b/codex-rs/core/tests/suite/approvals.rs
@@ -75,6 +75,7 @@ enum ActionKind {
    },
    RunUnifiedExecCommand {
        command: &'static str,
+        justification: Option<&'static str>,
    },
    ApplyPatchFunction {
        target: TargetPath,
@@ -86,6 +87,9 @@ enum ActionKind {
    },
 }

+const DEFAULT_UNIFIED_EXEC_JUSTIFICATION: &str =
+    "Requires escalated permissions to bypass the sandbox in tests.";
+
 impl ActionKind {
    async fn prepare(
        &self,
@@ -139,8 +143,17 @@ impl ActionKind {
                let event = shell_event(call_id, &command, 1_000, with_escalated_permissions)?;
                Ok((event, Some(command)))
            }
-            ActionKind::RunUnifiedExecCommand { command } => {
-                let event = exec_command_event(call_id, command, Some(1000))?;
+            ActionKind::RunUnifiedExecCommand {
+                command,
+                justification,
+            } => {
+                let event = exec_command_event(
+                    call_id,
+                    command,
+                    Some(1000),
+                    with_escalated_permissions,
+                    *justification,
+                )?;
                Ok((
                    event,
                    Some(vec![
@@ -199,13 +212,24 @@ fn shell_event(
    Ok(ev_function_call(call_id, "shell", &args_str))
 }

-fn exec_command_event(call_id: &str, cmd: &str, yield_time_ms: Option<u64>) -> Result<Value> {
+fn exec_command_event(
+    call_id: &str,
+    cmd: &str,
+    yield_time_ms: Option<u64>,
+    with_escalated_permissions: bool,
+    justification: Option<&str>,
+) -> Result<Value> {
    let mut args = json!({
        "cmd": cmd.to_string(),
    });
    if let Some(yield_time_ms) = yield_time_ms {
        args["yield_time_ms"] = json!(yield_time_ms);
    }
+    if with_escalated_permissions {
+        args["with_escalated_permissions"] = json!(true);
+        let reason = justification.unwrap_or(DEFAULT_UNIFIED_EXEC_JUSTIFICATION);
+        args["justification"] = json!(reason);
+    }
    let args_str = serde_json::to_string(&args)?;
    Ok(ev_function_call(call_id, "exec_command", &args_str))
 }
@@ -1109,6 +1133,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
            sandbox_policy: SandboxPolicy::DangerFullAccess,
            action: ActionKind::RunUnifiedExecCommand {
                command: "echo \"hello unified exec\"",
+                justification: None,
            },
            with_escalated_permissions: false,
            features: vec![Feature::UnifiedExec],
@@ -1118,12 +1143,34 @@ fn scenarios() -> Vec<ScenarioSpec> {
                stdout_contains: "hello unified exec",
            },
        },
+        #[cfg(not(all(target_os = "linux", target_arch = "aarch64")))]
+        // Linux sandbox arg0 test workaround doesn't work on ARM
+        ScenarioSpec {
+            name: "unified exec on request escalated requires approval",
+            approval_policy: OnRequest,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            action: ActionKind::RunUnifiedExecCommand {
+                command: "python3 -c 'print('\"'\"'escalated unified exec'\"'\"')'",
+                justification: Some(DEFAULT_UNIFIED_EXEC_JUSTIFICATION),
+            },
+            with_escalated_permissions: true,
+            features: vec![Feature::UnifiedExec],
+            model_override: None,
+            outcome: Outcome::ExecApproval {
+                decision: ReviewDecision::Approved,
+                expected_reason: Some(DEFAULT_UNIFIED_EXEC_JUSTIFICATION),
+            },
+            expectation: Expectation::CommandSuccess {
+                stdout_contains: "escalated unified exec",
+            },
+        },
        ScenarioSpec {
            name: "unified exec on request requires approval unless trusted",
            approval_policy: AskForApproval::UnlessTrusted,
            sandbox_policy: SandboxPolicy::DangerFullAccess,
            action: ActionKind::RunUnifiedExecCommand {
                command: "git reset --hard",
+                justification: None,
            },
            with_escalated_permissions: false,
            features: vec![Feature::UnifiedExec],
--- a/codex-rs/core/tests/suite/mod.rs
+++ b/codex-rs/core/tests/suite/mod.rs
@@ -1,4 +1,17 @@
 // Aggregates all former standalone integration tests as modules.
+use codex_arg0::arg0_dispatch;
+use ctor::ctor;
+use tempfile::TempDir;
+
+// This code runs before any other tests are run.
+// It allows the test binary to behave like codex and dispatch to apply_patch and codex-linux-sandbox
+// based on the arg0.
+// NOTE: this doesn't work on ARM
+#[ctor]
+pub static CODEX_ALIASES_TEMP_DIR: TempDir = unsafe {
+    #[allow(clippy::unwrap_used)]
+    arg0_dispatch().unwrap()
+};

 #[cfg(not(target_os = "windows"))]
 mod abort_tasks;
--- a/codex-rs/core/tests/suite/otel.rs
+++ b/codex-rs/core/tests/suite/otel.rs
@@ -1,3 +1,4 @@
+use codex_core::features::Feature;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::Op;
@@ -101,6 +102,7 @@ async fn process_sse_emits_failed_event_on_parse_error() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -141,6 +143,7 @@ async fn process_sse_records_failed_event_when_stream_closes_without_completed()

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -193,6 +196,7 @@ async fn process_sse_failed_event_records_response_error_message() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -243,6 +247,7 @@ async fn process_sse_failed_event_logs_parse_error() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -288,6 +293,7 @@ async fn process_sse_failed_event_logs_missing_error() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -333,6 +339,7 @@ async fn process_sse_failed_event_logs_response_completed_parse_error() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -438,6 +445,7 @@ async fn handle_response_item_records_tool_result_for_custom_tool_call() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -497,6 +505,7 @@ async fn handle_response_item_records_tool_result_for_function_call() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -566,6 +575,7 @@ async fn handle_response_item_records_tool_result_for_local_shell_missing_ids()

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
@@ -619,6 +629,7 @@ async fn handle_response_item_records_tool_result_for_local_shell_call() {

    let TestCodex { codex, .. } = test_codex()
        .with_config(move |config| {
+            config.features.disable(Feature::GhostCommit);
            config.model_provider.request_max_retries = Some(0);
            config.model_provider.stream_max_retries = Some(0);
        })
--- a/codex-rs/core/tests/suite/resume_warning.rs
+++ b/codex-rs/core/tests/suite/resume_warning.rs
@@ -0,0 +1,70 @@
+#![allow(clippy::unwrap_used, clippy::expect_used)]
+
+use codex_core::AuthManager;
+use codex_core::CodexAuth;
+use codex_core::ConversationManager;
+use codex_core::NewConversation;
+use codex_core::protocol::EventMsg;
+use codex_core::protocol::InitialHistory;
+use codex_core::protocol::ResumedHistory;
+use codex_core::protocol::RolloutItem;
+use codex_core::protocol::TurnContextItem;
+use codex_core::protocol::WarningEvent;
+use codex_protocol::ConversationId;
+use core::time::Duration;
+use core_test_support::load_default_config_for_test;
+use core_test_support::wait_for_event;
+use tempfile::TempDir;
+
+fn resume_history(config: &codex_core::config::Config, previous_model: &str, rollout_path: &std::path::Path) -> InitialHistory {
+    let turn_ctx = TurnContextItem {
+        cwd: config.cwd.clone(),
+        approval_policy: config.approval_policy,
+        sandbox_policy: config.sandbox_policy.clone(),
+        model: previous_model.to_string(),
+        effort: config.model_reasoning_effort,
+        summary: config.model_reasoning_summary,
+    };
+
+    InitialHistory::Resumed(ResumedHistory {
+        conversation_id: ConversationId::default(),
+        history: vec![RolloutItem::TurnContext(turn_ctx)],
+        rollout_path: rollout_path.to_path_buf(),
+    })
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn emits_warning_when_resumed_model_differs() {
+    // Arrange a config with a current model and a prior rollout recorded under a different model.
+    let home = TempDir::new().expect("tempdir");
+    let mut config = load_default_config_for_test(&home);
+    config.model = "current-model".to_string();
+    // Ensure cwd is absolute (the helper sets it to the temp dir already).
+    assert!(config.cwd.is_absolute());
+
+    let rollout_path = home.path().join("rollout.jsonl");
+    std::fs::write(&rollout_path, "").expect("create rollout placeholder");
+
+    let initial_history = resume_history(&config, "previous-model", &rollout_path);
+
+    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("test"));
+    let auth_manager = AuthManager::from_auth_for_testing(CodexAuth::from_api_key("test"));
+
+    // Act: resume the conversation.
+    let NewConversation { conversation, .. } = conversation_manager
+        .resume_conversation_with_history(config, initial_history, auth_manager)
+        .await
+        .expect("resume conversation");
+
+    // Assert: a Warning event is emitted describing the model mismatch.
+    let warning = wait_for_event(&conversation, |ev| matches!(ev, EventMsg::Warning(_))).await;
+    let EventMsg::Warning(WarningEvent { message }) = warning else {
+        panic!("expected warning event");
+    };
+    assert!(message.contains("previous-model"));
+    assert!(message.contains("current-model"));
+
+    // Drain the TaskComplete/Shutdown window to avoid leaking tasks between tests.
+    // The warning is emitted during initialization, so a short sleep is sufficient.
+    tokio::time::sleep(Duration::from_millis(50)).await;
+}
--- a/codex-rs/core/tests/suite/unified_exec.rs
+++ b/codex-rs/core/tests/suite/unified_exec.rs
@@ -66,7 +66,7 @@ fn parse_unified_exec_output(raw: &str) -> Result<ParsedUnifiedExecOutput> {
    let cleaned = raw.trim_matches('\r');
    let captures = regex
        .captures(cleaned)
-        .ok_or_else(|| anyhow::anyhow!("missing Output section in unified exec output"))?;
+        .ok_or_else(|| anyhow::anyhow!("missing Output section in unified exec output {raw}"))?;

    let chunk_id = captures
        .name("chunk_id")
@@ -1368,6 +1368,8 @@ async fn unified_exec_timeout_and_followup_poll() -> Result<()> {
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+// Skipped on arm because the ctor logic to handle arg0 doesn't work on ARM
+#[cfg(not(target_arch = "arm"))]
 async fn unified_exec_formats_large_output_summary() -> Result<()> {
    skip_if_no_network!(Ok(()));
    skip_if_sandbox!(Ok(()));
@@ -1451,3 +1453,75 @@ PY

    Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn unified_exec_runs_under_sandbox() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+    skip_if_sandbox!(Ok(()));
+
+    let server = start_mock_server().await;
+
+    let mut builder = test_codex().with_config(|config| {
+        config.features.enable(Feature::UnifiedExec);
+    });
+    let TestCodex {
+        codex,
+        cwd,
+        session_configured,
+        ..
+    } = builder.build(&server).await?;
+
+    let call_id = "uexec";
+    let args = serde_json::json!({
+        "cmd": "echo 'hello'",
+        "yield_time_ms": 500,
+    });
+
+    let responses = vec![
+        sse(vec![
+            ev_response_created("resp-1"),
+            ev_function_call(call_id, "exec_command", &serde_json::to_string(&args)?),
+            ev_completed("resp-1"),
+        ]),
+        sse(vec![
+            ev_assistant_message("msg-1", "done"),
+            ev_completed("resp-2"),
+        ]),
+    ];
+    mount_sse_sequence(&server, responses).await;
+
+    let session_model = session_configured.model.clone();
+
+    codex
+        .submit(Op::UserTurn {
+            items: vec![UserInput::Text {
+                text: "summarize large output".into(),
+            }],
+            final_output_json_schema: None,
+            cwd: cwd.path().to_path_buf(),
+            approval_policy: AskForApproval::Never,
+            // Important!
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            model: session_model,
+            effort: None,
+            summary: ReasoningSummary::Auto,
+        })
+        .await?;
+
+    wait_for_event(&codex, |event| matches!(event, EventMsg::TaskComplete(_))).await;
+
+    let requests = server.received_requests().await.expect("recorded requests");
+    assert!(!requests.is_empty(), "expected at least one POST request");
+
+    let bodies = requests
+        .iter()
+        .map(|req| req.body_json::<Value>().expect("request json"))
+        .collect::<Vec<_>>();
+
+    let outputs = collect_tool_outputs(&bodies)?;
+    let output = outputs.get(call_id).expect("missing output");
+
+    assert_regex_match("hello[\r\n]+", &output.output);
+
+    Ok(())
+}
--- a/codex-rs/exec/src/cli.rs
+++ b/codex-rs/exec/src/cli.rs
@@ -30,7 +30,7 @@ pub struct Cli {
    #[arg(long = "profile", short = 'p')]
    pub config_profile: Option<String>,

-    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, --sandbox workspace-write).
+    /// Convenience alias for low-friction sandboxed automatic execution (-a on-request, --sandbox workspace-write).
    #[arg(long = "full-auto", default_value_t = false)]
    pub full_auto: bool,

--- a/codex-rs/protocol/src/models.rs
+++ b/codex-rs/protocol/src/models.rs
@@ -292,7 +292,7 @@ impl From<Vec<UserInput>> for ResponseInputItem {
 }

 /// If the `name` of a `ResponseItem::FunctionCall` is either `container.exec`
-/// or shell`, the `arguments` field should deserialize to this struct.
+/// or `shell`, the `arguments` field should deserialize to this struct.
 #[derive(Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct ShellToolCallParams {
    pub command: Vec<String>,
@@ -307,6 +307,22 @@ pub struct ShellToolCallParams {
    pub justification: Option<String>,
 }

+/// If the `name` of a `ResponseItem::FunctionCall` is `shell_command`, the
+/// `arguments` field should deserialize to this struct.
+#[derive(Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct ShellCommandToolCallParams {
+    pub command: String,
+    pub workdir: Option<String>,
+
+    /// This is the maximum time in milliseconds that the command is allowed to run.
+    #[serde(alias = "timeout")]
+    pub timeout_ms: Option<u64>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub with_escalated_permissions: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub justification: Option<String>,
+}
+
 /// Responses API compatible content items that can be returned by a tool call.
 /// This is a subset of ContentItem with the types we support as function call outputs.
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, JsonSchema, TS)]
--- a/codex-rs/tui/src/chatwidget.rs
+++ b/codex-rs/tui/src/chatwidget.rs
@@ -1143,8 +1143,21 @@ impl ChatWidget {
                kind: KeyEventKind::Press,
                ..
            } if modifiers.contains(KeyModifiers::CONTROL) && c.eq_ignore_ascii_case(&'v') => {
-                if let Ok((path, info)) = paste_image_to_temp_png() {
-                    self.attach_image(path, info.width, info.height, info.encoded_format.label());
+                match paste_image_to_temp_png() {
+                    Ok((path, info)) => {
+                        self.attach_image(
+                            path,
+                            info.width,
+                            info.height,
+                            info.encoded_format.label(),
+                        );
+                    }
+                    Err(err) => {
+                        tracing::warn!("failed to paste image: {err}");
+                        self.add_to_history(history_cell::new_error_event(format!(
+                            "Failed to paste image: {err}",
+                        )));
+                    }
                }
                return;
            }
--- a/codex-rs/tui/src/cli.rs
+++ b/codex-rs/tui/src/cli.rs
@@ -51,7 +51,7 @@ pub struct Cli {
    #[arg(long = "ask-for-approval", short = 'a')]
    pub approval_policy: Option<ApprovalModeCliArg>,

-    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, --sandbox workspace-write).
+    /// Convenience alias for low-friction sandboxed automatic execution (-a on-request, --sandbox workspace-write).
    #[arg(long = "full-auto", default_value_t = false)]
    pub full_auto: bool,

--- a/codex-rs/tui/src/exec_command.rs
+++ b/codex-rs/tui/src/exec_command.rs
@@ -1,6 +1,7 @@
 use std::path::Path;
 use std::path::PathBuf;

+use codex_core::bash::extract_bash_command;
 use dirs::home_dir;
 use shlex::try_join;

@@ -8,19 +9,11 @@ pub(crate) fn escape_command(command: &[String]) -> String {
    try_join(command.iter().map(String::as_str)).unwrap_or_else(|_| command.join(" "))
 }

-fn is_login_shell_with_lc(shell: &str) -> bool {
-    let shell_name = std::path::Path::new(shell)
-        .file_name()
-        .and_then(|s| s.to_str())
-        .unwrap_or(shell);
-    matches!(shell_name, "bash" | "zsh")
-}
-
 pub(crate) fn strip_bash_lc_and_escape(command: &[String]) -> String {
-    match command {
-        [first, second, third] if is_login_shell_with_lc(first) && second == "-lc" => third.clone(),
-        _ => escape_command(command),
+    if let Some((_, script)) = extract_bash_command(command) {
+        return script.to_string();
    }
+    escape_command(command)
 }

 /// If `path` is absolute and inside $HOME, return the part *after* the home
--- a/codex-rs/tui/src/status/card.rs
+++ b/codex-rs/tui/src/status/card.rs
@@ -211,10 +211,11 @@ impl StatusHistoryCell {
        let mut lines = Vec::with_capacity(rows.len().saturating_mul(2));

        for row in rows {
+            let percent_remaining = (100.0 - row.percent_used).clamp(0.0, 100.0);
            let value_spans = vec![
-                Span::from(render_status_limit_progress_bar(row.percent_used)),
+                Span::from(render_status_limit_progress_bar(percent_remaining)),
                Span::from(" "),
-                Span::from(format_status_limit_summary(row.percent_used)),
+                Span::from(format_status_limit_summary(percent_remaining)),
            ];
            let base_spans = formatter.full_spans(row.label.as_str(), value_spans);
            let base_line = Line::from(base_spans.clone());
--- a/codex-rs/tui/src/status/rate_limits.rs
+++ b/codex-rs/tui/src/status/rate_limits.rs
@@ -124,8 +124,8 @@ pub(crate) fn compose_rate_limit_data(
    }
 }

-pub(crate) fn render_status_limit_progress_bar(percent_used: f64) -> String {
-    let ratio = (percent_used / 100.0).clamp(0.0, 1.0);
+pub(crate) fn render_status_limit_progress_bar(percent_remaining: f64) -> String {
+    let ratio = (percent_remaining / 100.0).clamp(0.0, 1.0);
    let filled = (ratio * STATUS_LIMIT_BAR_SEGMENTS as f64).round() as usize;
    let filled = filled.min(STATUS_LIMIT_BAR_SEGMENTS);
    let empty = STATUS_LIMIT_BAR_SEGMENTS.saturating_sub(filled);
@@ -136,8 +136,8 @@ pub(crate) fn render_status_limit_progress_bar(percent_used: f64) -> String {
    )
 }

-pub(crate) fn format_status_limit_summary(percent_used: f64) -> String {
-    format!("{percent_used:.0}% used")
+pub(crate) fn format_status_limit_summary(percent_remaining: f64) -> String {
+    format!("{percent_remaining:.0}% left")
 }

 fn capitalize_first(label: &str) -> String {
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_monthly_limit.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_monthly_limit.snap
@@ -18,5 +18,5 @@ expression: sanitized
 │                                                                            │
 │  Token usage:      1.2K total  (800 input + 400 output)                    │
 │  Context window:   100% left (1.2K used / 272K)                            │
-│  Monthly limit:    [██░░░░░░░░░░░░░░░░░░] 12% used (resets 07:08 on 7 May) │
+│  Monthly limit:    [██████████████████░░] 88% left (resets 07:08 on 7 May) │
 ╰────────────────────────────────────────────────────────────────────────────╯
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_reasoning_details.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_reasoning_details.snap
@@ -18,6 +18,6 @@ expression: sanitized
 │                                                                     │
 │  Token usage:      1.9K total  (1K input + 900 output)              │
 │  Context window:   100% left (2.25K used / 272K)                    │
-│  5h limit:         [███████████████░░░░░] 72% used (resets 03:14)   │
-│  Weekly limit:     [█████████░░░░░░░░░░░] 45% used (resets 03:24)   │
+│  5h limit:         [██████░░░░░░░░░░░░░░] 28% left (resets 03:14)   │
+│  Weekly limit:     [███████████░░░░░░░░░] 55% left (resets 03:24)   │
 ╰─────────────────────────────────────────────────────────────────────╯
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_stale_limits_message.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_stale_limits_message.snap
@@ -18,7 +18,7 @@ expression: sanitized
 │                                                                     │
 │  Token usage:      1.9K total  (1K input + 900 output)              │
 │  Context window:   100% left (2.25K used / 272K)                    │
-│  5h limit:         [███████████████░░░░░] 72% used (resets 03:14)   │
-│  Weekly limit:     [████████░░░░░░░░░░░░] 40% used (resets 03:34)   │
+│  5h limit:         [██████░░░░░░░░░░░░░░] 28% left (resets 03:14)   │
+│  Weekly limit:     [████████████░░░░░░░░] 60% left (resets 03:34)   │
 │  Warning:          limits may be stale - start new turn to refresh. │
 ╰─────────────────────────────────────────────────────────────────────╯
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_truncates_in_narrow_terminal.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_truncates_in_narrow_terminal.snap
@@ -1,6 +1,5 @@
 ---
 source: tui/src/status/tests.rs
-assertion_line: 257
 expression: sanitized
 ---
 /status
@@ -20,6 +19,6 @@ expression: sanitized
 │                                            │
 │  Token usage:      1.9K total  (1K input + │
 │  Context window:   100% left (2.25K used / │
-│  5h limit:         [███████████████░░░░░]  │
+│  5h limit:         [██████░░░░░░░░░░░░░░]  │
 │                    (resets 03:14)          │
 ╰────────────────────────────────────────────╯
--- a/codex-rs/tui/src/tui.rs
+++ b/codex-rs/tui/src/tui.rs
@@ -1,29 +1,23 @@
+use std::fmt;
 use std::io::IsTerminal;
 use std::io::Result;
 use std::io::Stdout;
 use std::io::stdout;
+use std::panic;
 use std::pin::Pin;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
-#[cfg(unix)]
-use std::sync::atomic::AtomicU8;
-#[cfg(unix)]
-use std::sync::atomic::AtomicU16;
 use std::sync::atomic::Ordering;
 use std::time::Duration;
 use std::time::Instant;

 use crossterm::Command;
 use crossterm::SynchronizedUpdate;
-#[cfg(unix)]
-use crossterm::cursor::MoveTo;
 use crossterm::event::DisableBracketedPaste;
 use crossterm::event::DisableFocusChange;
 use crossterm::event::EnableBracketedPaste;
 use crossterm::event::EnableFocusChange;
 use crossterm::event::Event;
-#[cfg(unix)]
-use crossterm::event::KeyCode;
 use crossterm::event::KeyEvent;
 use crossterm::event::KeyboardEnhancementFlags;
 use crossterm::event::PopKeyboardEnhancementFlags;
@@ -38,20 +32,22 @@ use ratatui::crossterm::terminal::disable_raw_mode;
 use ratatui::crossterm::terminal::enable_raw_mode;
 use ratatui::layout::Offset;
 use ratatui::text::Line;
+use tokio::select;
+use tokio_stream::Stream;

 use crate::custom_terminal;
 use crate::custom_terminal::Terminal as CustomTerminal;
 #[cfg(unix)]
-use crate::key_hint;
-use tokio::select;
-use tokio_stream::Stream;
+use crate::tui::job_control::SUSPEND_KEY;
+#[cfg(unix)]
+use crate::tui::job_control::SuspendContext;
+
+#[cfg(unix)]
+mod job_control;

 /// A type alias for the terminal type used in this application
 pub type Terminal = CustomTerminal<CrosstermBackend<Stdout>>;

-#[cfg(unix)]
-const SUSPEND_KEY: key_hint::KeyBinding = key_hint::ctrl(KeyCode::Char('z'));
-
 pub fn set_modes() -> Result<()> {
    execute!(stdout(), EnableBracketedPaste)?;

@@ -79,12 +75,12 @@ pub fn set_modes() -> Result<()> {
 struct EnableAlternateScroll;

 impl Command for EnableAlternateScroll {
-    fn write_ansi(&self, f: &mut impl std::fmt::Write) -> std::fmt::Result {
+    fn write_ansi(&self, f: &mut impl fmt::Write) -> fmt::Result {
        write!(f, "\x1b[?1007h")
    }

    #[cfg(windows)]
-    fn execute_winapi(&self) -> std::io::Result<()> {
+    fn execute_winapi(&self) -> Result<()> {
        Err(std::io::Error::other(
            "tried to execute EnableAlternateScroll using WinAPI; use ANSI instead",
        ))
@@ -100,12 +96,12 @@ impl Command for EnableAlternateScroll {
 struct DisableAlternateScroll;

 impl Command for DisableAlternateScroll {
-    fn write_ansi(&self, f: &mut impl std::fmt::Write) -> std::fmt::Result {
+    fn write_ansi(&self, f: &mut impl fmt::Write) -> fmt::Result {
        write!(f, "\x1b[?1007l")
    }

    #[cfg(windows)]
-    fn execute_winapi(&self) -> std::io::Result<()> {
+    fn execute_winapi(&self) -> Result<()> {
        Err(std::io::Error::other(
            "tried to execute DisableAlternateScroll using WinAPI; use ANSI instead",
        ))
@@ -144,8 +140,8 @@ pub fn init() -> Result<Terminal> {
 }

 fn set_panic_hook() {
-    let hook = std::panic::take_hook();
-    std::panic::set_hook(Box::new(move |panic_info| {
+    let hook = panic::take_hook();
+    panic::set_hook(Box::new(move |panic_info| {
        let _ = restore(); // ignore any errors as we are already failing
        hook(panic_info);
    }));
@@ -165,9 +161,7 @@ pub struct Tui {
    pending_history_lines: Vec<Line<'static>>,
    alt_saved_viewport: Option<ratatui::layout::Rect>,
    #[cfg(unix)]
-    resume_pending: Arc<AtomicU8>, // Stores a ResumeAction
-    #[cfg(unix)]
-    suspend_cursor_y: Arc<AtomicU16>, // Bottom line of inline viewport
+    suspend_context: SuspendContext,
    // True when overlay alt-screen UI is active
    alt_screen_active: Arc<AtomicBool>,
    // True when terminal/tab is focused; updated internally from crossterm events
@@ -175,30 +169,6 @@ pub struct Tui {
    enhanced_keys_supported: bool,
 }

-#[cfg(unix)]
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
-#[repr(u8)]
-enum ResumeAction {
-    None = 0,
-    RealignInline = 1,
-    RestoreAlt = 2,
-}
-
-#[cfg(unix)]
-enum PreparedResumeAction {
-    RestoreAltScreen,
-    RealignViewport(ratatui::layout::Rect),
-}
-
-#[cfg(unix)]
-fn take_resume_action(pending: &AtomicU8) -> ResumeAction {
-    match pending.swap(ResumeAction::None as u8, Ordering::Relaxed) {
-        1 => ResumeAction::RealignInline,
-        2 => ResumeAction::RestoreAlt,
-        _ => ResumeAction::None,
-    }
-}
-
 #[derive(Clone, Debug)]
 pub struct FrameRequester {
    frame_schedule_tx: tokio::sync::mpsc::UnboundedSender<Instant>,
@@ -244,9 +214,7 @@ impl Tui {
            pending_history_lines: vec![],
            alt_saved_viewport: None,
            #[cfg(unix)]
-            resume_pending: Arc::new(AtomicU8::new(0)),
-            #[cfg(unix)]
-            suspend_cursor_y: Arc::new(AtomicU16::new(0)),
+            suspend_context: SuspendContext::new(),
            alt_screen_active: Arc::new(AtomicBool::new(false)),
            terminal_focused: Arc::new(AtomicBool::new(true)),
            enhanced_keys_supported,
@@ -282,26 +250,9 @@ impl Tui {

        // State for tracking how we should resume from ^Z suspend.
        #[cfg(unix)]
-        let resume_pending = self.resume_pending.clone();
+        let suspend_context = self.suspend_context.clone();
        #[cfg(unix)]
        let alt_screen_active = self.alt_screen_active.clone();
-        #[cfg(unix)]
-        let suspend_cursor_y = self.suspend_cursor_y.clone();
-
-        #[cfg(unix)]
-        let suspend = move || {
-            if alt_screen_active.load(Ordering::Relaxed) {
-                // Disable alternate scroll when suspending from alt-screen
-                let _ = execute!(stdout(), DisableAlternateScroll);
-                let _ = execute!(stdout(), LeaveAlternateScreen);
-                resume_pending.store(ResumeAction::RestoreAlt as u8, Ordering::Relaxed);
-            } else {
-                resume_pending.store(ResumeAction::RealignInline as u8, Ordering::Relaxed);
-            }
-            let y = suspend_cursor_y.load(Ordering::Relaxed);
-            let _ = execute!(stdout(), MoveTo(0, y), crossterm::cursor::Show);
-            let _ = Tui::suspend();
-        };

        let terminal_focused = self.terminal_focused.clone();
        let event_stream = async_stream::stream! {
@@ -309,10 +260,10 @@ impl Tui {
                select! {
                    Some(Ok(event)) = crossterm_events.next() => {
                        match event {
-                            crossterm::event::Event::Key(key_event) => {
+                            Event::Key(key_event) => {
                                #[cfg(unix)]
                                if SUSPEND_KEY.is_press(key_event) {
-                                    suspend();
+                                    let _ = suspend_context.suspend(&alt_screen_active);
                                    // We continue here after resume.
                                    yield TuiEvent::Draw;
                                    continue;
@@ -356,67 +307,6 @@ impl Tui {
        Box::pin(event_stream)
    }

-    #[cfg(unix)]
-    fn suspend() -> Result<()> {
-        restore()?;
-        unsafe { libc::kill(0, libc::SIGTSTP) };
-        set_modes()?;
-        Ok(())
-    }
-
-    /// When resuming from ^Z suspend, we want to put things back the way they were before suspend.
-    /// We capture the action in an object so we can pass it into the event stream, since the relevant
-    #[cfg(unix)]
-    fn prepare_resume_action(
-        &mut self,
-        action: ResumeAction,
-    ) -> Result<Option<PreparedResumeAction>> {
-        match action {
-            ResumeAction::RealignInline => {
-                let cursor_pos = self
-                    .terminal
-                    .get_cursor_position()
-                    .unwrap_or(self.terminal.last_known_cursor_pos);
-                Ok(Some(PreparedResumeAction::RealignViewport(
-                    ratatui::layout::Rect::new(0, cursor_pos.y, 0, 0),
-                )))
-            }
-            ResumeAction::RestoreAlt => {
-                if let Ok(ratatui::layout::Position { y, .. }) = self.terminal.get_cursor_position()
-                    && let Some(saved) = self.alt_saved_viewport.as_mut()
-                {
-                    saved.y = y;
-                }
-                Ok(Some(PreparedResumeAction::RestoreAltScreen))
-            }
-            ResumeAction::None => Ok(None),
-        }
-    }
-
-    #[cfg(unix)]
-    fn apply_prepared_resume_action(&mut self, prepared: PreparedResumeAction) -> Result<()> {
-        match prepared {
-            PreparedResumeAction::RealignViewport(area) => {
-                self.terminal.set_viewport_area(area);
-            }
-            PreparedResumeAction::RestoreAltScreen => {
-                execute!(self.terminal.backend_mut(), EnterAlternateScreen)?;
-                // Enable "alternate scroll" so terminals may translate wheel to arrows
-                execute!(self.terminal.backend_mut(), EnableAlternateScroll)?;
-                if let Ok(size) = self.terminal.size() {
-                    self.terminal.set_viewport_area(ratatui::layout::Rect::new(
-                        0,
-                        0,
-                        size.width,
-                        size.height,
-                    ));
-                    self.terminal.clear()?;
-                }
-            }
-        }
-        Ok(())
-    }
-
    /// Enter alternate screen and expand the viewport to full terminal size, saving the current
    /// inline viewport for restoration when leaving.
    pub fn enter_alt_screen(&mut self) -> Result<()> {
@@ -462,8 +352,9 @@ impl Tui {
        // If we are resuming from ^Z, we need to prepare the resume action now so we can apply it
        // in the synchronized update.
        #[cfg(unix)]
-        let mut prepared_resume =
-            self.prepare_resume_action(take_resume_action(&self.resume_pending))?;
+        let mut prepared_resume = self
+            .suspend_context
+            .prepare_resume_action(&mut self.terminal, &mut self.alt_saved_viewport);

        // Precompute any viewport updates that need a cursor-position query before entering
        // the synchronized update, to avoid racing with the event reader.
@@ -490,12 +381,10 @@ impl Tui {
            }
        }

-        std::io::stdout().sync_update(|_| {
+        stdout().sync_update(|_| {
            #[cfg(unix)]
-            {
-                if let Some(prepared) = prepared_resume.take() {
-                    self.apply_prepared_resume_action(prepared)?;
-                }
+            if let Some(prepared) = prepared_resume.take() {
+                prepared.apply(&mut self.terminal)?;
            }
            let terminal = &mut self.terminal;
            if let Some(new_area) = pending_viewport_area.take() {
@@ -539,8 +428,7 @@ impl Tui {
                } else {
                    area.bottom().saturating_sub(1)
                };
-                self.suspend_cursor_y
-                    .store(inline_area_bottom, Ordering::Relaxed);
+                self.suspend_context.set_cursor_y(inline_area_bottom);
            }

            terminal.draw(|frame| {
@@ -600,12 +488,12 @@ fn spawn_frame_scheduler(
 pub struct PostNotification(pub String);

 impl Command for PostNotification {
-    fn write_ansi(&self, f: &mut impl std::fmt::Write) -> std::fmt::Result {
+    fn write_ansi(&self, f: &mut impl fmt::Write) -> fmt::Result {
        write!(f, "\x1b]9;{}\x07", self.0)
    }

    #[cfg(windows)]
-    fn execute_winapi(&self) -> std::io::Result<()> {
+    fn execute_winapi(&self) -> Result<()> {
        Err(std::io::Error::other(
            "tried to execute PostNotification using WinAPI; use ANSI instead",
        ))
--- a/codex-rs/tui/src/tui/job_control.rs
+++ b/codex-rs/tui/src/tui/job_control.rs
@@ -0,0 +1,182 @@
+use std::io::Result;
+use std::io::stdout;
+use std::sync::Arc;
+use std::sync::Mutex;
+use std::sync::PoisonError;
+use std::sync::atomic::AtomicBool;
+use std::sync::atomic::AtomicU16;
+use std::sync::atomic::Ordering;
+
+use crossterm::cursor::MoveTo;
+use crossterm::cursor::Show;
+use crossterm::event::KeyCode;
+use crossterm::terminal::EnterAlternateScreen;
+use crossterm::terminal::LeaveAlternateScreen;
+use ratatui::crossterm::execute;
+use ratatui::layout::Position;
+use ratatui::layout::Rect;
+
+use crate::key_hint;
+
+use super::DisableAlternateScroll;
+use super::EnableAlternateScroll;
+use super::Terminal;
+
+pub const SUSPEND_KEY: key_hint::KeyBinding = key_hint::ctrl(KeyCode::Char('z'));
+
+/// Coordinates suspend/resume handling so the TUI can restore terminal context after SIGTSTP.
+///
+/// On suspend, it records which resume path to take (realign inline viewport vs. restore alt
+/// screen) and caches the inline cursor row so the cursor can be placed meaningfully before
+/// yielding.
+///
+/// After resume, `prepare_resume_action` consumes the pending intent and returns a
+/// `PreparedResumeAction` describing any viewport adjustments to apply inside the synchronized
+/// draw.
+///
+/// Callers keep `suspend_cursor_y` up to date during normal drawing so the suspend step always
+/// has the latest cursor position.
+///
+/// The type is `Clone`, using Arc/atomic internals so bookkeeping can be shared across tasks
+/// and moved into the boxed `'static` event stream without borrowing `self`.
+#[derive(Clone)]
+pub struct SuspendContext {
+    /// Resume intent captured at suspend time; cleared once applied after resume.
+    resume_pending: Arc<Mutex<Option<ResumeAction>>>,
+    /// Inline viewport cursor row used to place the cursor before yielding during suspend.
+    suspend_cursor_y: Arc<AtomicU16>,
+}
+
+impl SuspendContext {
+    pub(crate) fn new() -> Self {
+        Self {
+            resume_pending: Arc::new(Mutex::new(None)),
+            suspend_cursor_y: Arc::new(AtomicU16::new(0)),
+        }
+    }
+
+    /// Capture how to resume, stash cursor position, and temporarily yield during SIGTSTP.
+    ///
+    /// - If the alt screen is active, exit alt-scroll/alt-screen and record `RestoreAlt`;
+    ///   otherwise record `RealignInline`.
+    /// - Update the cached inline cursor row so suspend can place the cursor meaningfully.
+    /// - Trigger SIGTSTP so the process can be resumed and continue drawing with the saved state.
+    pub(crate) fn suspend(&self, alt_screen_active: &Arc<AtomicBool>) -> Result<()> {
+        if alt_screen_active.load(Ordering::Relaxed) {
+            // Leave alt-screen so the terminal returns to the normal buffer while suspended; also turn off alt-scroll.
+            let _ = execute!(stdout(), DisableAlternateScroll);
+            let _ = execute!(stdout(), LeaveAlternateScreen);
+            self.set_resume_action(ResumeAction::RestoreAlt);
+        } else {
+            self.set_resume_action(ResumeAction::RealignInline);
+        }
+        let y = self.suspend_cursor_y.load(Ordering::Relaxed);
+        let _ = execute!(stdout(), MoveTo(0, y), Show);
+        suspend_process()
+    }
+
+    /// Consume the pending resume intent and precompute any viewport changes needed post-resume.
+    ///
+    /// Returns a `PreparedResumeAction` describing how to realign the viewport once drawing
+    /// resumes; returns `None` when there was no pending suspend intent.
+    pub(crate) fn prepare_resume_action(
+        &self,
+        terminal: &mut Terminal,
+        alt_saved_viewport: &mut Option<Rect>,
+    ) -> Option<PreparedResumeAction> {
+        let action = self.take_resume_action()?;
+        match action {
+            ResumeAction::RealignInline => {
+                let cursor_pos = terminal
+                    .get_cursor_position()
+                    .unwrap_or(terminal.last_known_cursor_pos);
+                let viewport = Rect::new(0, cursor_pos.y, 0, 0);
+                Some(PreparedResumeAction::RealignViewport(viewport))
+            }
+            ResumeAction::RestoreAlt => {
+                if let Ok(Position { y, .. }) = terminal.get_cursor_position()
+                    && let Some(saved) = alt_saved_viewport.as_mut()
+                {
+                    saved.y = y;
+                }
+                Some(PreparedResumeAction::RestoreAltScreen)
+            }
+        }
+    }
+
+    /// Set the cached inline cursor row so suspend can place the cursor meaningfully.
+    ///
+    /// Call during normal drawing when the inline viewport moves so suspend has a fresh cursor
+    /// position to restore before yielding.
+    pub(crate) fn set_cursor_y(&self, value: u16) {
+        self.suspend_cursor_y.store(value, Ordering::Relaxed);
+    }
+
+    /// Record a pending resume action to apply after SIGTSTP returns control.
+    fn set_resume_action(&self, value: ResumeAction) {
+        *self
+            .resume_pending
+            .lock()
+            .unwrap_or_else(PoisonError::into_inner) = Some(value);
+    }
+
+    /// Take and clear any pending resume action captured at suspend time.
+    fn take_resume_action(&self) -> Option<ResumeAction> {
+        self.resume_pending
+            .lock()
+            .unwrap_or_else(PoisonError::into_inner)
+            .take()
+    }
+}
+
+/// Captures what should happen when returning from suspend.
+///
+/// Either realign the inline viewport to keep the cursor position, or re-enter the alt screen
+/// to restore the overlay UI.
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub(crate) enum ResumeAction {
+    /// Shift the inline viewport to keep the cursor anchored after resume.
+    RealignInline,
+    /// Re-enter the alt screen and restore the overlay UI.
+    RestoreAlt,
+}
+
+/// Describes the viewport change to apply when resuming from suspend during the synchronized draw.
+///
+/// Either restore the alt screen (with viewport reset) or realign the inline viewport.
+#[derive(Clone, Debug)]
+pub(crate) enum PreparedResumeAction {
+    /// Re-enter the alt screen and reset the viewport to the terminal dimensions.
+    RestoreAltScreen,
+    /// Apply a viewport shift to keep the inline cursor position stable.
+    RealignViewport(Rect),
+}
+
+impl PreparedResumeAction {
+    pub(crate) fn apply(self, terminal: &mut Terminal) -> Result<()> {
+        match self {
+            PreparedResumeAction::RealignViewport(area) => {
+                terminal.set_viewport_area(area);
+            }
+            PreparedResumeAction::RestoreAltScreen => {
+                execute!(terminal.backend_mut(), EnterAlternateScreen)?;
+                // Enable "alternate scroll" so terminals may translate wheel to arrows
+                execute!(terminal.backend_mut(), EnableAlternateScroll)?;
+                if let Ok(size) = terminal.size() {
+                    terminal.set_viewport_area(Rect::new(0, 0, size.width, size.height));
+                    terminal.clear()?;
+                }
+            }
+        }
+        Ok(())
+    }
+}
+
+/// Deliver SIGTSTP after restoring terminal state, then re-applies terminal modes once resumed.
+fn suspend_process() -> Result<()> {
+    super::restore()?;
+    unsafe { libc::kill(0, libc::SIGTSTP) };
+    // After the process resumes, reapply terminal modes so drawing can continue.
+    super::set_modes()?;
+    Ok(())
+}
--- a/codex-rs/utils/pty/src/lib.rs
+++ b/codex-rs/utils/pty/src/lib.rs
@@ -111,6 +111,7 @@ pub async fn spawn_pty_process(
    args: &[String],
    cwd: &Path,
    env: &HashMap<String, String>,
+    arg0: &Option<String>,
 ) -> Result<SpawnedPty> {
    if program.is_empty() {
        anyhow::bail!("missing program for PTY spawn");
@@ -124,7 +125,7 @@ pub async fn spawn_pty_process(
        pixel_height: 0,
    })?;

-    let mut command_builder = CommandBuilder::new(program);
+    let mut command_builder = CommandBuilder::new(arg0.as_ref().unwrap_or(&program.to_string()));
    command_builder.cwd(cwd);
    command_builder.env_clear();
    for arg in args {
Author	SHA1	Message	Date
Michael Bolin	e1f91433bc	fix: close non-stdio fds before exec	2025-11-12 11:46:14 -08:00
Michael Bolin	c3a710ee14	chore: verify boolean values can be parsed as config overrides (#6516 ) This is important to ensure that this: ``` codex --enable unified_exec ``` and this: ``` codex --config features.unified_exec=true ``` are equivalent. Also that when it is passed programmatically: `807e2c27f0/codex-rs/app-server-protocol/src/protocol/v1.rs (L55)` then this should work for `config`: ```json {"features": {"shell_command_tool": true}} ``` though I believe also this: ```json {"features.shell_command_tool": true} ```	2025-11-12 08:19:16 -08:00
Michael Bolin	29364f3a9b	feat: shell_command tool (#6510 ) This adds support for a new variant of the shell tool behind a flag. To test, run `codex` with `--enable shell_command_tool`, which will register the tool with Codex under the name `shell_command` that accepts the following shape: ```python { command: str workdir: str \| None, timeout_ms: int \| None, with_escalated_permissions: bool \| None, justification: str \| None, } ``` This is comparable to the existing tool registered under `shell`/`container.exec`. The primary difference is that it accepts `command` as a `str` instead of a `str[]`. The `shell_command` tool executes by running `execvp(["bash", "-lc", command])`, though the exact arguments to `execvp(3)` depend on the user's default shell. The hypothesis is that this will simplify things for the model. For example, on Windows, instead of generating: ```json {"command": ["pwsh.exe", "-NoLogo", "-Command", "ls -Name"]} ``` The model could simply generate: ```json {"command": "ls -Name"} ``` As part of this change, I extracted some logic out of `user_shell.rs` as `Shell::derive_exec_args()` so that it can be reused in `codex-rs/core/src/tools/handlers/shell.rs`. Note the original code generated exec arg lists like: ```javascript ["bash", "-lc", command] ["zsh", "-lc", command] ["pwsh.exe", "-NoProfile", "-Command", command] ``` Using `-l` for Bash and Zsh, but then specifying `-NoProfile` for PowerShell seemed inconsistent to me, so I changed this in the new implementation while also adding a `use_login_shell: bool` option to make this explicit. If we decide to add a `login: bool` to `ShellCommandToolCallParams` like we have for unified exec: `807e2c27f0/codex-rs/core/src/tools/handlers/unified_exec.rs (L33-L34)` Then this should make it straightforward to support.	2025-11-12 08:18:57 -08:00
jif-oai	530db0ad73	feat: warning switch model on resume (#6507 ) <img width="1259" height="40" alt="Screenshot 2025-11-11 at 14 01 41" src="https://github.com/user-attachments/assets/48ead3d2-d89c-4d8a-a578-82d9663dbd88" />	2025-11-12 11:13:37 +00:00
Gabriel Peal	424bfecd0b	Re-add prettier log-level=warn to generate-ts (#6528 ) I added it in https://github.com/openai/codex/pull/6342 but it was removed in https://github.com/openai/codex/pull/5063/files#diff-e2aa6dad1e886b7765158a27aefd1be5de99baa71b44f6bc5ce3fe462b9ae5d3R135 as a result of a bad diamond merge	2025-11-11 21:30:01 -05:00
Lionel Cheng	eb1c651c00	Update full-auto description with on-request (#6523 ) This PR fixes #6522 by correcting the comment for `full-auto` in both `codex-rs/exec/src/cli.rs` and `codex-rs/tui/src/cli.rs` from `-a on-failure` to `-a on-request` to make it coherent with `codex-rs/tui/src/lib.rs:97-105`: ```rust pub async fn run_main( mut cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>, ) -> std::io::Result<AppExitInfo> { let (sandbox_mode, approval_policy) = if cli.full_auto { ( Some(SandboxMode::WorkspaceWrite), Some(AskForApproval::OnRequest), ) ``` Running `just codex --help` or `just codex exec --help` should now yield the correct description of `full-auto` CLI argument. Signed-off-by: lionelchg <lionel.cheng@hotmail.fr>	2025-11-11 15:59:20 -08:00
Celia Chen	e357fc723d	[app-server] add item started/completed events for turn items (#6517 ) This one should be quite straightforward, as it's just a translation of TurnItem events we already emit to ThreadItem that app-server exposes to customers. To test, cp my change to owen/app_server_test_client and do the following: ``` cargo build -p codex-cli RUST_LOG=codex_app_server=info CODEX_BIN=target/debug/codex cargo run -p codex-app-server-test-client -- send-message-v2 "hello" ``` example event before (still kept there for backward compatibility): ``` { < "method": "codex/event/item_completed", < "params": { < "conversationId": "019a74cc-fad9-7ab3-83a3-f42827b7b074", < "id": "0", < "msg": { < "item": { < "Reasoning": { < "id": "rs_03d183492e07e20a016913a936eb8c81a1a7671a103fee8afc", < "raw_content": [], < "summary_text": [ < "Hey! What would you like to work on? I can explore the repo, run specific tests, or implement a change. Let's keep it short and straightforward. There's no need for a lengthy introduction or elaborate planning, just a friendly greeting and an open offer to help. I want to make sure the user feels welcomed and understood right from the start. It's all about keeping the tone friendly and concise!" < ] < } < }, < "thread_id": "019a74cc-fad9-7ab3-83a3-f42827b7b074", < "turn_id": "0", < "type": "item_completed" < } < } < } ``` after (v2): ``` < { < "method": "item/completed", < "params": { < "item": { < "id": "rs_03d183492e07e20a016913a936eb8c81a1a7671a103fee8afc", < "text": "Hey! What would you like to work on? I can explore the repo, run specific tests, or implement a change. Let's keep it short and straightforward. There's no need for a lengthy introduction or elaborate planning, just a friendly greeting and an open offer to help. I want to make sure the user feels welcomed and understood right from the start. It's all about keeping the tone friendly and concise!", < "type": "reasoning" < } < } < } ```	2025-11-11 22:43:24 +00:00
pakrym-oai	807e2c27f0	Add unified exec escalation handling and tests (#6492 ) Similar implementation to the shell tool	2025-11-11 08:19:35 -08:00
jif-oai	ad279eacdc	nit: logs to trace (#6503 )	2025-11-11 13:37:06 +00:00
jif-oai	052b052832	Enable ghost_commit feature by default (#6041 ) ## Summary - enable the ghost_commit feature flag by default ## Testing - just fmt ------ https://chatgpt.com/codex/tasks/task_i_6904ce2d0370832dbb3c2c09a90fb188	2025-11-11 09:20:46 +00:00
Celia Chen	6951872776	[hygiene][app-server] have a helper function for duplicate code in turn APIs (#6488 ) turn_start and turn_interrupt have some logic that can be shared. have a helper function for it.	2025-11-11 02:44:47 +00:00
pakrym-oai	bb7b0213a8	Colocate more of bash parsing (#6489 ) Move a few callsites that were detecting `bash -lc` into a shared helper.	2025-11-11 02:38:36 +00:00
pakrym-oai	6c36318bd8	Use codex-linux-sandbox in unified exec (#6480 ) Unified exec isn't working on Linux because we don't provide the correct arg0. The library we use for pty management doesn't allow setting arg0 separately from executable. Use the same aliasing strategy we use for `apply_patch` for `codex-linux-sandbox`. Use `#[ctor]` hack to dispatch codex-linux-sandbox calls. Addresses https://github.com/openai/codex/issues/6450	2025-11-10 17:17:09 -08:00
zhao-oai	930f81a17b	flip rate limit status bar (#6482 ) flipping rate limit status bar to match chat.com/codex/settings/usage <img width="848" height="420" alt="Screenshot 2025-11-10 at 4 53 41 PM" src="https://github.com/user-attachments/assets/e326db3f-4405-412d-9e62-337282ec9a35" />	2025-11-11 01:13:10 +00:00
iceweasel-oai	9aff64e017	upload Windows .exe file artifacts for CLI releases (#6478 ) This PR is to unlock future WinGet installation. WinGet struggles to create command aliases when installing from nested ZIPs on some clients, so adding raw Windows x64/Arm64 executables lets the manifest use InstallerType: portable with direct EXEs, which reliably registers the codex alias. This makes “winget install → codex” work out of the box without PATH changes. --------- Co-authored-by: Michael Bolin <mbolin@openai.com>	2025-11-10 23:31:06 +00:00
Owen Lin	3838d6739c	[app-server] update macro to make renaming methods less boilerplate-y (#6470 ) We already do this for notification definitions and it's really nice. Verified there are no changes to actual exported files by diff'ing before and after this change.	2025-11-10 15:15:08 -08:00
Josh McKinney	60deb6773a	refactor(tui): job-control for Ctrl-Z handling (#6477 ) - Moved the unix-only suspend/resume logic into a dedicated job_control module housing SuspendContext, replacing scattered cfg-gated fields and helpers in tui.rs. - Tui now holds a single suspend_context (Arc-backed) instead of multiple atomics, and the event stream uses it directly for Ctrl-Z handling. - Added detailed docs around the suspend/resume flow, cursor tracking, and the Arc/atomic ownership model for the 'static event stream. - Renamed the process-level SIGTSTP helper to suspend_process and the cursor tracker to set_cursor_y to better reflect their roles.	2025-11-10 23:13:43 +00:00
Jeremy Rose	0271c20d8f	add codex debug seatbelt --log-denials (#4098 ) This adds a debugging tool for analyzing why certain commands fail to execute under the sandbox. Example output: ``` $ codex debug seatbelt --log-denials bash -lc "(echo foo > ~/foo.txt)" bash: /Users/nornagon/foo.txt: Operation not permitted === Sandbox denials === (bash) file-write-data /dev/tty (bash) file-write-data /dev/ttys001 (bash) sysctl-read kern.ngroups (bash) file-write-create /Users/nornagon/foo.txt ``` It operates by: 1. spawning `log stream` to watch system logs, and 2. tracking all descendant PIDs using kqueue + proc_listchildpids. this is a "best-effort" technique, as `log stream` may drop logs(?), and kqueue + proc_listchildpids isn't atomic and can end up missing very short-lived processes. But it works well enough in my testing to be useful :)	2025-11-10 22:48:14 +00:00
George Nesterenok	52e97b9b6b	Fix wayland image paste error (#4824 ) ## Summary - log and surface clipboard failures instead of silently ignoring them when `Ctrl+V` pastes an image (`paste_image_to_temp_png()` now feeds an error history cell) - enable `arboard`’s `wayland-data-control` feature so native Wayland sessions can deliver image data without XWayland - keep the success path unchanged: valid images still attach and show the `[image …]` placeholder as before Fixes #4818 --------- Co-authored-by: Eric Traut <etraut@openai.com> Co-authored-by: Jeremy Rose <172423086+nornagon-openai@users.noreply.github.com>	2025-11-10 14:35:30 -08:00
Owen Lin	2ac49fea58	[app-server] chore: move initialize out of deprecated API section (#6468 ) Self-explanatory - `initialize` is not a deprecated API and works equally well with the v2 APIs.	2025-11-10 20:24:36 +00:00