Use realtime transcript for handoff context

## Summary
Alternative to #14061 - we need to use a child process on windows to
correctly validate Powershell behavior.

## Testing
- [x] These are tests

.devcontainer/Dockerfile

@@ -11,7 +11,7 @@ RUN apt-get update && \
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     build-essential curl git ca-certificates \
-    pkg-config clang musl-tools libssl-dev just && \
+    pkg-config libcap-dev clang musl-tools libssl-dev just && \
     rm -rf /var/lib/apt/lists/*
 
 # Ubuntu 24.04 ships with user 'ubuntu' already created with UID 1000.

BUILD.bazel

@@ -28,4 +28,8 @@ alias(
     actual = "@rbe_platform",
 )
 
-exports_files(["AGENTS.md"])
+exports_files([
+    "AGENTS.md",
+    "workspace_root_test_launcher.bat.tpl",
+    "workspace_root_test_launcher.sh.tpl",
+])

codex-rs/Cargo.lock

@@ -1436,6 +1436,7 @@ dependencies = [
  "codex-utils-cargo-bin",
  "codex-utils-cli",
  "codex-utils-json-to-toml",
+ "codex-utils-pty",
  "core_test_support",
  "futures",
  "owo-colors",
@@ -1457,6 +1458,24 @@ dependencies = [
  "wiremock",
 ]
 
+[[package]]
+name = "codex-app-server-client"
+version = "0.0.0"
+dependencies = [
+ "codex-app-server",
+ "codex-app-server-protocol",
+ "codex-arg0",
+ "codex-core",
+ "codex-feedback",
+ "codex-protocol",
+ "pretty_assertions",
+ "serde",
+ "serde_json",
+ "tokio",
+ "toml 0.9.11+spec-1.1.0",
+ "tracing",
+]
+
 [[package]]
 name = "codex-app-server-protocol"
 version = "0.0.0"
@@ -1647,6 +1666,8 @@ dependencies = [
  "tokio",
  "toml 0.9.11+spec-1.1.0",
  "tracing",
+ "tracing-appender",
+ "tracing-subscriber",
 ]
 
 [[package]]
@@ -1896,10 +1917,13 @@ dependencies = [
  "anyhow",
  "assert_cmd",
  "clap",
+ "codex-app-server-client",
+ "codex-app-server-protocol",
  "codex-apply-patch",
  "codex-arg0",
  "codex-cloud-requirements",
  "codex-core",
+ "codex-feedback",
  "codex-otel",
  "codex-protocol",
  "codex-utils-absolute-path",
@@ -2088,6 +2112,7 @@ dependencies = [
  "codex-app-server-protocol",
  "codex-core",
  "core_test_support",
+ "pretty_assertions",
  "rand 0.9.2",
  "reqwest",
  "serde",
@@ -2096,6 +2121,7 @@ dependencies = [
  "tempfile",
  "tiny_http",
  "tokio",
+ "tracing",
  "url",
  "urlencoding",
  "webbrowser",
@@ -2390,7 +2416,6 @@ dependencies = [
  "anyhow",
  "chrono",
  "clap",
- "codex-otel",
  "codex-protocol",
  "dirs",
  "log",

codex-rs/Cargo.toml

@@ -4,6 +4,7 @@ members = [
     "ansi-escape",
     "async-utils",
     "app-server",
+    "app-server-client",
     "app-server-protocol",
     "app-server-test-client",
     "debug-client",
@@ -86,6 +87,7 @@ codex-api = { path = "codex-api" }
 codex-artifacts = { path = "artifacts" }
 codex-package-manager = { path = "package-manager" }
 codex-app-server = { path = "app-server" }
+codex-app-server-client = { path = "app-server-client" }
 codex-app-server-protocol = { path = "app-server-protocol" }
 codex-app-server-test-client = { path = "app-server-test-client" }
 codex-apply-patch = { path = "apply-patch" }

codex-rs/app-server-client/BUILD.bazel

@@ -0,0 +1,6 @@
+load("//:defs.bzl", "codex_rust_crate")
+
+codex_rust_crate(
+    name = "app-server-client",
+    crate_name = "codex_app_server_client",
+)

codex-rs/app-server-client/Cargo.toml

@@ -0,0 +1,30 @@
+[package]
+name = "codex-app-server-client"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[lib]
+name = "codex_app_server_client"
+path = "src/lib.rs"
+
+[lints]
+workspace = true
+
+[dependencies]
+codex-app-server = { workspace = true }
+codex-app-server-protocol = { workspace = true }
+codex-arg0 = { workspace = true }
+codex-core = { workspace = true }
+codex-feedback = { workspace = true }
+codex-protocol = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+tokio = { workspace = true, features = ["sync", "time", "rt"] }
+toml = { workspace = true }
+tracing = { workspace = true }
+
+[dev-dependencies]
+pretty_assertions = { workspace = true }
+serde_json = { workspace = true }
+tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }

codex-rs/app-server-client/README.md

@@ -0,0 +1,67 @@
+# codex-app-server-client
+
+Shared in-process app-server client used by conversational CLI surfaces:
+
+- `codex-exec`
+- `codex-tui`
+
+## Purpose
+
+This crate centralizes startup and lifecycle management for an in-process
+`codex-app-server` runtime, so CLI clients do not need to duplicate:
+
+- app-server bootstrap and initialize handshake
+- in-memory request/event transport wiring
+- lifecycle orchestration around caller-provided startup identity
+- graceful shutdown behavior
+
+## Startup identity
+
+Callers pass both the app-server `SessionSource` and the initialize
+`client_info.name` explicitly when starting the facade.
+
+That keeps thread metadata (for example in `thread/list` and `thread/read`)
+aligned with the originating runtime without baking TUI/exec-specific policy
+into the shared client layer.
+
+## Transport model
+
+The in-process path uses typed channels:
+
+- client -> server: `ClientRequest` / `ClientNotification`
+- server -> client: `InProcessServerEvent`
+  - `ServerRequest`
+  - `ServerNotification`
+  - `LegacyNotification`
+
+JSON serialization is still used at external transport boundaries
+(stdio/websocket), but the in-process hot path is typed.
+
+Typed requests still receive app-server responses through the JSON-RPC
+result envelope internally. That is intentional: the in-process path is
+meant to preserve app-server semantics while removing the process
+boundary, not to introduce a second response contract.
+
+## Bootstrap behavior
+
+The client facade starts an already-initialized in-process runtime, but
+thread bootstrap still follows normal app-server flow:
+
+- caller sends `thread/start` or `thread/resume`
+- app-server returns the immediate typed response
+- richer session metadata may arrive later as a `SessionConfigured`
+  legacy event
+
+Surfaces such as TUI and exec may therefore need a short bootstrap
+phase where they reconcile startup response data with later events.
+
+## Backpressure and shutdown
+
+- Queues are bounded and use `DEFAULT_IN_PROCESS_CHANNEL_CAPACITY` by default.
+- Full queues return explicit overload behavior instead of unbounded growth.
+- `shutdown()` performs a bounded graceful shutdown and then aborts if timeout
+  is exceeded.
+
+If the client falls behind on event consumption, the worker emits
+`InProcessServerEvent::Lagged` and may reject pending server requests so
+approval flows do not hang indefinitely behind a saturated queue.

codex-rs/app-server-client/src/lib.rs

@@ -0,0 +1,801 @@
+//! Shared in-process app-server client facade for CLI surfaces.
+//!
+//! This crate wraps [`codex_app_server::in_process`] behind a single async API
+//! used by surfaces like TUI and exec. It centralizes:
+//!
+//! - Runtime startup and initialize-capabilities handshake.
+//! - Typed caller-provided startup identity (`SessionSource` + client name).
+//! - Typed and raw request/notification dispatch.
+//! - Server request resolution and rejection.
+//! - Event consumption with backpressure signaling ([`InProcessServerEvent::Lagged`]).
+//! - Bounded graceful shutdown with abort fallback.
+//!
+//! The facade interposes a worker task between the caller and the underlying
+//! [`InProcessClientHandle`](codex_app_server::in_process::InProcessClientHandle),
+//! bridging async `mpsc` channels on both sides. Queues are bounded so overload
+//! surfaces as channel-full errors rather than unbounded memory growth.
+
+use std::error::Error;
+use std::fmt;
+use std::io::Error as IoError;
+use std::io::ErrorKind;
+use std::io::Result as IoResult;
+use std::sync::Arc;
+use std::time::Duration;
+
+pub use codex_app_server::in_process::DEFAULT_IN_PROCESS_CHANNEL_CAPACITY;
+pub use codex_app_server::in_process::InProcessServerEvent;
+use codex_app_server::in_process::InProcessStartArgs;
+use codex_app_server_protocol::ClientInfo;
+use codex_app_server_protocol::ClientNotification;
+use codex_app_server_protocol::ClientRequest;
+use codex_app_server_protocol::ConfigWarningNotification;
+use codex_app_server_protocol::InitializeCapabilities;
+use codex_app_server_protocol::InitializeParams;
+use codex_app_server_protocol::JSONRPCErrorError;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::Result as JsonRpcResult;
+use codex_arg0::Arg0DispatchPaths;
+use codex_core::config::Config;
+use codex_core::config_loader::CloudRequirementsLoader;
+use codex_core::config_loader::LoaderOverrides;
+use codex_feedback::CodexFeedback;
+use codex_protocol::protocol::SessionSource;
+use serde::de::DeserializeOwned;
+use tokio::sync::mpsc;
+use tokio::sync::oneshot;
+use tokio::time::timeout;
+use toml::Value as TomlValue;
+use tracing::warn;
+
+const SHUTDOWN_TIMEOUT: Duration = Duration::from_secs(5);
+
+/// Raw app-server request result for typed in-process requests.
+///
+/// Even on the in-process path, successful responses still travel back through
+/// the same JSON-RPC result envelope used by socket/stdio transports because
+/// `MessageProcessor` continues to produce that shape internally.
+pub type RequestResult = std::result::Result<JsonRpcResult, JSONRPCErrorError>;
+
+fn event_requires_delivery(event: &InProcessServerEvent) -> bool {
+    // These terminal events drive surface shutdown/completion state. Dropping
+    // them under backpressure can leave exec/TUI waiting forever even though
+    // the underlying turn has already ended.
+    match event {
+        InProcessServerEvent::ServerNotification(
+            codex_app_server_protocol::ServerNotification::TurnCompleted(_),
+        ) => true,
+        InProcessServerEvent::LegacyNotification(notification) => matches!(
+            notification
+                .method
+                .strip_prefix("codex/event/")
+                .unwrap_or(&notification.method),
+            "task_complete" | "turn_aborted" | "shutdown_complete"
+        ),
+        _ => false,
+    }
+}
+
+/// Layered error for [`InProcessAppServerClient::request_typed`].
+///
+/// This keeps transport failures, server-side JSON-RPC failures, and response
+/// decode failures distinct so callers can decide whether to retry, surface a
+/// server error, or treat the response as an internal request/response mismatch.
+#[derive(Debug)]
+pub enum TypedRequestError {
+    Transport {
+        method: String,
+        source: IoError,
+    },
+    Server {
+        method: String,
+        source: JSONRPCErrorError,
+    },
+    Deserialize {
+        method: String,
+        source: serde_json::Error,
+    },
+}
+
+impl fmt::Display for TypedRequestError {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Self::Transport { method, source } => {
+                write!(f, "{method} transport error: {source}")
+            }
+            Self::Server { method, source } => {
+                write!(f, "{method} failed: {}", source.message)
+            }
+            Self::Deserialize { method, source } => {
+                write!(f, "{method} response decode error: {source}")
+            }
+        }
+    }
+}
+
+impl Error for TypedRequestError {
+    fn source(&self) -> Option<&(dyn Error + 'static)> {
+        match self {
+            Self::Transport { source, .. } => Some(source),
+            Self::Server { .. } => None,
+            Self::Deserialize { source, .. } => Some(source),
+        }
+    }
+}
+
+#[derive(Clone)]
+pub struct InProcessClientStartArgs {
+    /// Resolved argv0 dispatch paths used by command execution internals.
+    pub arg0_paths: Arg0DispatchPaths,
+    /// Shared config used to initialize app-server runtime.
+    pub config: Arc<Config>,
+    /// CLI config overrides that are already parsed into TOML values.
+    pub cli_overrides: Vec<(String, TomlValue)>,
+    /// Loader override knobs used by config API paths.
+    pub loader_overrides: LoaderOverrides,
+    /// Preloaded cloud requirements provider.
+    pub cloud_requirements: CloudRequirementsLoader,
+    /// Feedback sink used by app-server/core telemetry and logs.
+    pub feedback: CodexFeedback,
+    /// Startup warnings emitted after initialize succeeds.
+    pub config_warnings: Vec<ConfigWarningNotification>,
+    /// Session source recorded in app-server thread metadata.
+    pub session_source: SessionSource,
+    /// Whether auth loading should honor the `CODEX_API_KEY` environment variable.
+    pub enable_codex_api_key_env: bool,
+    /// Client name reported during initialize.
+    pub client_name: String,
+    /// Client version reported during initialize.
+    pub client_version: String,
+    /// Whether experimental APIs are requested at initialize time.
+    pub experimental_api: bool,
+    /// Notification methods this client opts out of receiving.
+    pub opt_out_notification_methods: Vec<String>,
+    /// Queue capacity for command/event channels (clamped to at least 1).
+    pub channel_capacity: usize,
+}
+
+impl InProcessClientStartArgs {
+    /// Builds initialize params from caller-provided metadata.
+    pub fn initialize_params(&self) -> InitializeParams {
+        let capabilities = InitializeCapabilities {
+            experimental_api: self.experimental_api,
+            opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
+                None
+            } else {
+                Some(self.opt_out_notification_methods.clone())
+            },
+        };
+
+        InitializeParams {
+            client_info: ClientInfo {
+                name: self.client_name.clone(),
+                title: None,
+                version: self.client_version.clone(),
+            },
+            capabilities: Some(capabilities),
+        }
+    }
+
+    fn into_runtime_start_args(self) -> InProcessStartArgs {
+        let initialize = self.initialize_params();
+        InProcessStartArgs {
+            arg0_paths: self.arg0_paths,
+            config: self.config,
+            cli_overrides: self.cli_overrides,
+            loader_overrides: self.loader_overrides,
+            cloud_requirements: self.cloud_requirements,
+            feedback: self.feedback,
+            config_warnings: self.config_warnings,
+            session_source: self.session_source,
+            enable_codex_api_key_env: self.enable_codex_api_key_env,
+            initialize,
+            channel_capacity: self.channel_capacity,
+        }
+    }
+}
+
+/// Internal command sent from public facade methods to the worker task.
+///
+/// Each variant carries a oneshot sender so the caller can `await` the
+/// result without holding a mutable reference to the client.
+enum ClientCommand {
+    Request {
+        request: Box<ClientRequest>,
+        response_tx: oneshot::Sender<IoResult<RequestResult>>,
+    },
+    Notify {
+        notification: ClientNotification,
+        response_tx: oneshot::Sender<IoResult<()>>,
+    },
+    ResolveServerRequest {
+        request_id: RequestId,
+        result: JsonRpcResult,
+        response_tx: oneshot::Sender<IoResult<()>>,
+    },
+    RejectServerRequest {
+        request_id: RequestId,
+        error: JSONRPCErrorError,
+        response_tx: oneshot::Sender<IoResult<()>>,
+    },
+    Shutdown {
+        response_tx: oneshot::Sender<IoResult<()>>,
+    },
+}
+
+/// Async facade over the in-process app-server runtime.
+///
+/// This type owns a worker task that bridges between:
+/// - caller-facing async `mpsc` channels used by TUI/exec
+/// - [`codex_app_server::in_process::InProcessClientHandle`], which speaks to
+///   the embedded `MessageProcessor`
+///
+/// The facade intentionally preserves the server's request/notification/event
+/// model instead of exposing direct core runtime handles. That keeps in-process
+/// callers aligned with app-server behavior while still avoiding a process
+/// boundary.
+pub struct InProcessAppServerClient {
+    command_tx: mpsc::Sender<ClientCommand>,
+    event_rx: mpsc::Receiver<InProcessServerEvent>,
+    worker_handle: tokio::task::JoinHandle<()>,
+}
+
+impl InProcessAppServerClient {
+    /// Starts the in-process runtime and facade worker task.
+    ///
+    /// The returned client is ready for requests and event consumption. If the
+    /// internal event queue is saturated later, server requests are rejected
+    /// with overload error instead of being silently dropped.
+    pub async fn start(args: InProcessClientStartArgs) -> IoResult<Self> {
+        let channel_capacity = args.channel_capacity.max(1);
+        let mut handle =
+            codex_app_server::in_process::start(args.into_runtime_start_args()).await?;
+        let request_sender = handle.sender();
+        let (command_tx, mut command_rx) = mpsc::channel::<ClientCommand>(channel_capacity);
+        let (event_tx, event_rx) = mpsc::channel::<InProcessServerEvent>(channel_capacity);
+
+        let worker_handle = tokio::spawn(async move {
+            let mut event_stream_enabled = true;
+            let mut skipped_events = 0usize;
+            loop {
+                tokio::select! {
+                    command = command_rx.recv() => {
+                        match command {
+                            Some(ClientCommand::Request { request, response_tx }) => {
+                                let request_sender = request_sender.clone();
+                                // Request waits happen on a detached task so
+                                // this loop can keep draining runtime events
+                                // while the request is blocked on client input.
+                                tokio::spawn(async move {
+                                    let result = request_sender.request(*request).await;
+                                    let _ = response_tx.send(result);
+                                });
+                            }
+                            Some(ClientCommand::Notify {
+                                notification,
+                                response_tx,
+                            }) => {
+                                let result = request_sender.notify(notification);
+                                let _ = response_tx.send(result);
+                            }
+                            Some(ClientCommand::ResolveServerRequest {
+                                request_id,
+                                result,
+                                response_tx,
+                            }) => {
+                                let send_result =
+                                    request_sender.respond_to_server_request(request_id, result);
+                                let _ = response_tx.send(send_result);
+                            }
+                            Some(ClientCommand::RejectServerRequest {
+                                request_id,
+                                error,
+                                response_tx,
+                            }) => {
+                                let send_result = request_sender.fail_server_request(request_id, error);
+                                let _ = response_tx.send(send_result);
+                            }
+                            Some(ClientCommand::Shutdown { response_tx }) => {
+                                let shutdown_result = handle.shutdown().await;
+                                let _ = response_tx.send(shutdown_result);
+                                break;
+                            }
+                            None => {
+                                let _ = handle.shutdown().await;
+                                break;
+                            }
+                        }
+                    }
+                    event = handle.next_event(), if event_stream_enabled => {
+                        let Some(event) = event else {
+                            break;
+                        };
+
+                        if skipped_events > 0 {
+                            if event_requires_delivery(&event) {
+                                // Surface lag before the terminal event, but
+                                // do not let the lag marker itself cause us to
+                                // drop the completion/abort notification that
+                                // the caller is blocked on.
+                                if event_tx
+                                    .send(InProcessServerEvent::Lagged {
+                                        skipped: skipped_events,
+                                    })
+                                    .await
+                                    .is_err()
+                                {
+                                    event_stream_enabled = false;
+                                    continue;
+                                }
+                                skipped_events = 0;
+                            } else {
+                                match event_tx.try_send(InProcessServerEvent::Lagged {
+                                    skipped: skipped_events,
+                                }) {
+                                    Ok(()) => {
+                                        skipped_events = 0;
+                                    }
+                                    Err(mpsc::error::TrySendError::Full(_)) => {
+                                        skipped_events = skipped_events.saturating_add(1);
+                                        warn!(
+                                            "dropping in-process app-server event because consumer queue is full"
+                                        );
+                                        if let InProcessServerEvent::ServerRequest(request) = event {
+                                            let _ = request_sender.fail_server_request(
+                                                request.id().clone(),
+                                                JSONRPCErrorError {
+                                                    code: -32001,
+                                                    message: "in-process app-server event queue is full".to_string(),
+                                                    data: None,
+                                                },
+                                            );
+                                        }
+                                        continue;
+                                    }
+                                    Err(mpsc::error::TrySendError::Closed(_)) => {
+                                        event_stream_enabled = false;
+                                        continue;
+                                    }
+                                }
+                            }
+                        }
+
+                        if event_requires_delivery(&event) {
+                            // Block until the consumer catches up for
+                            // terminal notifications; this preserves the
+                            // completion signal even when the queue is
+                            // otherwise saturated.
+                            if event_tx.send(event).await.is_err() {
+                                event_stream_enabled = false;
+                            }
+                            continue;
+                        }
+
+                        match event_tx.try_send(event) {
+                            Ok(()) => {}
+                            Err(mpsc::error::TrySendError::Full(event)) => {
+                                skipped_events = skipped_events.saturating_add(1);
+                                warn!("dropping in-process app-server event because consumer queue is full");
+                                if let InProcessServerEvent::ServerRequest(request) = event {
+                                    let _ = request_sender.fail_server_request(
+                                        request.id().clone(),
+                                        JSONRPCErrorError {
+                                            code: -32001,
+                                            message: "in-process app-server event queue is full".to_string(),
+                                            data: None,
+                                        },
+                                    );
+                                }
+                            }
+                            Err(mpsc::error::TrySendError::Closed(_)) => {
+                                event_stream_enabled = false;
+                            }
+                        }
+                    }
+                }
+            }
+        });
+
+        Ok(Self {
+            command_tx,
+            event_rx,
+            worker_handle,
+        })
+    }
+
+    /// Sends a typed client request and returns raw JSON-RPC result.
+    ///
+    /// Callers that expect a concrete response type should usually prefer
+    /// [`request_typed`](Self::request_typed).
+    pub async fn request(&self, request: ClientRequest) -> IoResult<RequestResult> {
+        let (response_tx, response_rx) = oneshot::channel();
+        self.command_tx
+            .send(ClientCommand::Request {
+                request: Box::new(request),
+                response_tx,
+            })
+            .await
+            .map_err(|_| {
+                IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "in-process app-server worker channel is closed",
+                )
+            })?;
+        response_rx.await.map_err(|_| {
+            IoError::new(
+                ErrorKind::BrokenPipe,
+                "in-process app-server request channel is closed",
+            )
+        })?
+    }
+
+    /// Sends a typed client request and decodes the successful response body.
+    ///
+    /// This still deserializes from a JSON value produced by app-server's
+    /// JSON-RPC result envelope. Because the caller chooses `T`, `Deserialize`
+    /// failures indicate an internal request/response mismatch at the call site
+    /// (or an in-process bug), not transport skew from an external client.
+    pub async fn request_typed<T>(&self, request: ClientRequest) -> Result<T, TypedRequestError>
+    where
+        T: DeserializeOwned,
+    {
+        let method = request_method_name(&request);
+        let response =
+            self.request(request)
+                .await
+                .map_err(|source| TypedRequestError::Transport {
+                    method: method.clone(),
+                    source,
+                })?;
+        let result = response.map_err(|source| TypedRequestError::Server {
+            method: method.clone(),
+            source,
+        })?;
+        serde_json::from_value(result)
+            .map_err(|source| TypedRequestError::Deserialize { method, source })
+    }
+
+    /// Sends a typed client notification.
+    pub async fn notify(&self, notification: ClientNotification) -> IoResult<()> {
+        let (response_tx, response_rx) = oneshot::channel();
+        self.command_tx
+            .send(ClientCommand::Notify {
+                notification,
+                response_tx,
+            })
+            .await
+            .map_err(|_| {
+                IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "in-process app-server worker channel is closed",
+                )
+            })?;
+        response_rx.await.map_err(|_| {
+            IoError::new(
+                ErrorKind::BrokenPipe,
+                "in-process app-server notify channel is closed",
+            )
+        })?
+    }
+
+    /// Resolves a pending server request.
+    ///
+    /// This should only be called with request IDs obtained from the current
+    /// client's event stream.
+    pub async fn resolve_server_request(
+        &self,
+        request_id: RequestId,
+        result: JsonRpcResult,
+    ) -> IoResult<()> {
+        let (response_tx, response_rx) = oneshot::channel();
+        self.command_tx
+            .send(ClientCommand::ResolveServerRequest {
+                request_id,
+                result,
+                response_tx,
+            })
+            .await
+            .map_err(|_| {
+                IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "in-process app-server worker channel is closed",
+                )
+            })?;
+        response_rx.await.map_err(|_| {
+            IoError::new(
+                ErrorKind::BrokenPipe,
+                "in-process app-server resolve channel is closed",
+            )
+        })?
+    }
+
+    /// Rejects a pending server request with JSON-RPC error payload.
+    pub async fn reject_server_request(
+        &self,
+        request_id: RequestId,
+        error: JSONRPCErrorError,
+    ) -> IoResult<()> {
+        let (response_tx, response_rx) = oneshot::channel();
+        self.command_tx
+            .send(ClientCommand::RejectServerRequest {
+                request_id,
+                error,
+                response_tx,
+            })
+            .await
+            .map_err(|_| {
+                IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "in-process app-server worker channel is closed",
+                )
+            })?;
+        response_rx.await.map_err(|_| {
+            IoError::new(
+                ErrorKind::BrokenPipe,
+                "in-process app-server reject channel is closed",
+            )
+        })?
+    }
+
+    /// Returns the next in-process event, or `None` when worker exits.
+    ///
+    /// Callers are expected to drain this stream promptly. If they fall behind,
+    /// the worker emits [`InProcessServerEvent::Lagged`] markers and may reject
+    /// pending server requests rather than letting approval flows hang.
+    pub async fn next_event(&mut self) -> Option<InProcessServerEvent> {
+        self.event_rx.recv().await
+    }
+
+    /// Shuts down worker and in-process runtime with bounded wait.
+    ///
+    /// If graceful shutdown exceeds timeout, the worker task is aborted to
+    /// avoid leaking background tasks in embedding callers.
+    pub async fn shutdown(self) -> IoResult<()> {
+        let Self {
+            command_tx,
+            event_rx,
+            worker_handle,
+        } = self;
+        let mut worker_handle = worker_handle;
+        // Drop the caller-facing receiver before asking the worker to shut
+        // down. That unblocks any pending must-deliver `event_tx.send(..)`
+        // so the worker can reach `handle.shutdown()` instead of timing out
+        // and getting aborted with the runtime still attached.
+        drop(event_rx);
+        let (response_tx, response_rx) = oneshot::channel();
+        if command_tx
+            .send(ClientCommand::Shutdown { response_tx })
+            .await
+            .is_ok()
+            && let Ok(command_result) = timeout(SHUTDOWN_TIMEOUT, response_rx).await
+        {
+            command_result.map_err(|_| {
+                IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "in-process app-server shutdown channel is closed",
+                )
+            })??;
+        }
+
+        if let Err(_elapsed) = timeout(SHUTDOWN_TIMEOUT, &mut worker_handle).await {
+            worker_handle.abort();
+            let _ = worker_handle.await;
+        }
+        Ok(())
+    }
+}
+
+/// Extracts the JSON-RPC method name for diagnostics without extending the
+/// protocol crate with in-process-only helpers.
+fn request_method_name(request: &ClientRequest) -> String {
+    serde_json::to_value(request)
+        .ok()
+        .and_then(|value| {
+            value
+                .get("method")
+                .and_then(serde_json::Value::as_str)
+                .map(ToOwned::to_owned)
+        })
+        .unwrap_or_else(|| "<unknown>".to_string())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_app_server_protocol::ConfigRequirementsReadResponse;
+    use codex_app_server_protocol::SessionSource as ApiSessionSource;
+    use codex_app_server_protocol::ThreadStartParams;
+    use codex_app_server_protocol::ThreadStartResponse;
+    use codex_core::config::ConfigBuilder;
+    use pretty_assertions::assert_eq;
+    use tokio::time::Duration;
+    use tokio::time::timeout;
+
+    async fn build_test_config() -> Config {
+        match ConfigBuilder::default().build().await {
+            Ok(config) => config,
+            Err(_) => Config::load_default_with_cli_overrides(Vec::new())
+                .expect("default config should load"),
+        }
+    }
+
+    async fn start_test_client_with_capacity(
+        session_source: SessionSource,
+        channel_capacity: usize,
+    ) -> InProcessAppServerClient {
+        InProcessAppServerClient::start(InProcessClientStartArgs {
+            arg0_paths: Arg0DispatchPaths::default(),
+            config: Arc::new(build_test_config().await),
+            cli_overrides: Vec::new(),
+            loader_overrides: LoaderOverrides::default(),
+            cloud_requirements: CloudRequirementsLoader::default(),
+            feedback: CodexFeedback::new(),
+            config_warnings: Vec::new(),
+            session_source,
+            enable_codex_api_key_env: false,
+            client_name: "codex-app-server-client-test".to_string(),
+            client_version: "0.0.0-test".to_string(),
+            experimental_api: true,
+            opt_out_notification_methods: Vec::new(),
+            channel_capacity,
+        })
+        .await
+        .expect("in-process app-server client should start")
+    }
+
+    async fn start_test_client(session_source: SessionSource) -> InProcessAppServerClient {
+        start_test_client_with_capacity(session_source, DEFAULT_IN_PROCESS_CHANNEL_CAPACITY).await
+    }
+
+    #[tokio::test]
+    async fn typed_request_roundtrip_works() {
+        let client = start_test_client(SessionSource::Exec).await;
+        let _response: ConfigRequirementsReadResponse = client
+            .request_typed(ClientRequest::ConfigRequirementsRead {
+                request_id: RequestId::Integer(1),
+                params: None,
+            })
+            .await
+            .expect("typed request should succeed");
+        client.shutdown().await.expect("shutdown should complete");
+    }
+
+    #[tokio::test]
+    async fn typed_request_reports_json_rpc_errors() {
+        let client = start_test_client(SessionSource::Exec).await;
+        let err = client
+            .request_typed::<ConfigRequirementsReadResponse>(ClientRequest::ThreadRead {
+                request_id: RequestId::Integer(99),
+                params: codex_app_server_protocol::ThreadReadParams {
+                    thread_id: "missing-thread".to_string(),
+                    include_turns: false,
+                },
+            })
+            .await
+            .expect_err("missing thread should return a JSON-RPC error");
+        assert!(
+            err.to_string().starts_with("thread/read failed:"),
+            "expected method-qualified JSON-RPC failure message"
+        );
+        client.shutdown().await.expect("shutdown should complete");
+    }
+
+    #[tokio::test]
+    async fn caller_provided_session_source_is_applied() {
+        for (session_source, expected_source) in [
+            (SessionSource::Exec, ApiSessionSource::Exec),
+            (SessionSource::Cli, ApiSessionSource::Cli),
+        ] {
+            let client = start_test_client(session_source).await;
+            let parsed: ThreadStartResponse = client
+                .request_typed(ClientRequest::ThreadStart {
+                    request_id: RequestId::Integer(2),
+                    params: ThreadStartParams {
+                        ephemeral: Some(true),
+                        ..ThreadStartParams::default()
+                    },
+                })
+                .await
+                .expect("thread/start should succeed");
+            assert_eq!(parsed.thread.source, expected_source);
+            client.shutdown().await.expect("shutdown should complete");
+        }
+    }
+
+    #[tokio::test]
+    async fn tiny_channel_capacity_still_supports_request_roundtrip() {
+        let client = start_test_client_with_capacity(SessionSource::Exec, 1).await;
+        let _response: ConfigRequirementsReadResponse = client
+            .request_typed(ClientRequest::ConfigRequirementsRead {
+                request_id: RequestId::Integer(1),
+                params: None,
+            })
+            .await
+            .expect("typed request should succeed");
+        client.shutdown().await.expect("shutdown should complete");
+    }
+
+    #[test]
+    fn typed_request_error_exposes_sources() {
+        let transport = TypedRequestError::Transport {
+            method: "config/read".to_string(),
+            source: IoError::new(ErrorKind::BrokenPipe, "closed"),
+        };
+        assert_eq!(std::error::Error::source(&transport).is_some(), true);
+
+        let server = TypedRequestError::Server {
+            method: "thread/read".to_string(),
+            source: JSONRPCErrorError {
+                code: -32603,
+                data: None,
+                message: "internal".to_string(),
+            },
+        };
+        assert_eq!(std::error::Error::source(&server).is_some(), false);
+
+        let deserialize = TypedRequestError::Deserialize {
+            method: "thread/start".to_string(),
+            source: serde_json::from_str::<u32>("\"nope\"")
+                .expect_err("invalid integer should return deserialize error"),
+        };
+        assert_eq!(std::error::Error::source(&deserialize).is_some(), true);
+    }
+
+    #[tokio::test]
+    async fn next_event_surfaces_lagged_markers() {
+        let (command_tx, _command_rx) = mpsc::channel(1);
+        let (event_tx, event_rx) = mpsc::channel(1);
+        let worker_handle = tokio::spawn(async {});
+        event_tx
+            .send(InProcessServerEvent::Lagged { skipped: 3 })
+            .await
+            .expect("lagged marker should enqueue");
+        drop(event_tx);
+
+        let mut client = InProcessAppServerClient {
+            command_tx,
+            event_rx,
+            worker_handle,
+        };
+
+        let event = timeout(Duration::from_secs(2), client.next_event())
+            .await
+            .expect("lagged marker should arrive before timeout");
+        assert!(matches!(
+            event,
+            Some(InProcessServerEvent::Lagged { skipped: 3 })
+        ));
+
+        client.shutdown().await.expect("shutdown should complete");
+    }
+
+    #[test]
+    fn event_requires_delivery_marks_terminal_events() {
+        assert!(event_requires_delivery(
+            &InProcessServerEvent::ServerNotification(
+                codex_app_server_protocol::ServerNotification::TurnCompleted(
+                    codex_app_server_protocol::TurnCompletedNotification {
+                        thread_id: "thread".to_string(),
+                        turn: codex_app_server_protocol::Turn {
+                            id: "turn".to_string(),
+                            items: Vec::new(),
+                            status: codex_app_server_protocol::TurnStatus::Completed,
+                            error: None,
+                        },
+                    }
+                )
+            )
+        ));
+        assert!(event_requires_delivery(
+            &InProcessServerEvent::LegacyNotification(
+                codex_app_server_protocol::JSONRPCNotification {
+                    method: "codex/event/turn_aborted".to_string(),
+                    params: None,
+                }
+            )
+        ));
+        assert!(!event_requires_delivery(&InProcessServerEvent::Lagged {
+            skipped: 1
+        }));
+    }
+}

codex-rs/app-server-protocol/schema/json/ApplyPatchApprovalResponse.json

@@ -33,31 +33,6 @@
           ],
           "type": "string"
         },
-        {
-          "additionalProperties": false,
-          "description": "User has approved this command, but wants the agent to execute a replacement command instead of the originally proposed one.",
-          "properties": {
-            "approved_with_command_override": {
-              "properties": {
-                "command": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "command"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "approved_with_command_override"
-          ],
-          "title": "ApprovedWithCommandOverrideReviewDecision",
-          "type": "object"
-        },
         {
           "additionalProperties": false,
           "description": "User has approved this command and wants to apply the proposed execpolicy amendment so future matching commands are permitted.",

codex-rs/app-server-protocol/schema/json/ClientRequest.json

@@ -148,14 +148,54 @@
       "type": "object"
     },
     "CommandExecParams": {
+      "description": "Run a standalone command (argv vector) in the server sandbox without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
       "properties": {
         "command": {
+          "description": "Command argv vector. Empty arrays are rejected.",
           "items": {
             "type": "string"
           },
           "type": "array"
         },
         "cwd": {
+          "description": "Optional working directory. Defaults to the server cwd.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "disableOutputCap": {
+          "description": "Disable stdout/stderr capture truncation for this request.\n\nCannot be combined with `outputBytesCap`.",
+          "type": "boolean"
+        },
+        "disableTimeout": {
+          "description": "Disable the timeout entirely for this request.\n\nCannot be combined with `timeoutMs`.",
+          "type": "boolean"
+        },
+        "env": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "description": "Optional environment overrides merged into the server-computed environment.\n\nMatching names override inherited values. Set a key to `null` to unset an inherited variable.",
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "outputBytesCap": {
+          "description": "Optional per-stream stdout/stderr capture cap in bytes.\n\nWhen omitted, the server default applies. Cannot be combined with `disableOutputCap`.",
+          "format": "uint",
+          "minimum": 0.0,
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "processId": {
+          "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
           "type": [
             "string",
             "null"
@@ -169,14 +209,39 @@
             {
               "type": "null"
             }
-          ]
+          ],
+          "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted."
+        },
+        "size": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/CommandExecTerminalSize"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Optional initial PTY size in character cells. Only valid when `tty` is true."
+        },
+        "streamStdin": {
+          "description": "Allow follow-up `command/exec/write` requests to write stdin bytes.\n\nRequires a client-supplied `processId`.",
+          "type": "boolean"
+        },
+        "streamStdoutStderr": {
+          "description": "Stream stdout/stderr via `command/exec/outputDelta` notifications.\n\nStreamed bytes are not duplicated into the final response and require a client-supplied `processId`.",
+          "type": "boolean"
         },
         "timeoutMs": {
+          "description": "Optional timeout in milliseconds.\n\nWhen omitted, the server default applies. Cannot be combined with `disableTimeout`.",
           "format": "int64",
           "type": [
             "integer",
             "null"
           ]
+        },
+        "tty": {
+          "description": "Enable PTY mode.\n\nThis implies `streamStdin` and `streamStdoutStderr`.",
+          "type": "boolean"
         }
       },
       "required": [
@@ -184,6 +249,87 @@
       ],
       "type": "object"
     },
+    "CommandExecResizeParams": {
+      "description": "Resize a running PTY-backed `command/exec` session.",
+      "properties": {
+        "processId": {
+          "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+          "type": "string"
+        },
+        "size": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/CommandExecTerminalSize"
+            }
+          ],
+          "description": "New PTY size in character cells."
+        }
+      },
+      "required": [
+        "processId",
+        "size"
+      ],
+      "type": "object"
+    },
+    "CommandExecTerminalSize": {
+      "description": "PTY size in character cells for `command/exec` PTY sessions.",
+      "properties": {
+        "cols": {
+          "description": "Terminal width in character cells.",
+          "format": "uint16",
+          "minimum": 0.0,
+          "type": "integer"
+        },
+        "rows": {
+          "description": "Terminal height in character cells.",
+          "format": "uint16",
+          "minimum": 0.0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "cols",
+        "rows"
+      ],
+      "type": "object"
+    },
+    "CommandExecTerminateParams": {
+      "description": "Terminate a running `command/exec` session.",
+      "properties": {
+        "processId": {
+          "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "processId"
+      ],
+      "type": "object"
+    },
+    "CommandExecWriteParams": {
+      "description": "Write stdin bytes to a running `command/exec` session, close stdin, or both.",
+      "properties": {
+        "closeStdin": {
+          "description": "Close stdin after writing `deltaBase64`, if present.",
+          "type": "boolean"
+        },
+        "deltaBase64": {
+          "description": "Optional base64-encoded stdin bytes to write.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "processId": {
+          "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "processId"
+      ],
+      "type": "object"
+    },
     "ConfigBatchWriteParams": {
       "properties": {
         "edits": {
@@ -204,6 +350,10 @@
             "string",
             "null"
           ]
+        },
+        "reloadUserConfig": {
+          "description": "When true, hot-reload the updated user config into all loaded threads after writing.",
+          "type": "boolean"
         }
       },
       "required": [
@@ -969,7 +1119,7 @@
     "PluginListParams": {
       "properties": {
         "cwds": {
-          "description": "Optional working directories used to discover repo marketplaces. When omitted, only home-scoped marketplaces are considered.",
+          "description": "Optional working directories used to discover repo marketplaces. When omitted, only home-scoped marketplaces and the official curated marketplace are considered.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -1412,7 +1562,7 @@
             "action": {
               "anyOf": [
                 {
-                  "$ref": "#/definitions/WebSearchAction"
+                  "$ref": "#/definitions/ResponsesApiWebSearchAction"
                 },
                 {
                   "type": "null"
@@ -1538,6 +1688,107 @@
         }
       ]
     },
+    "ResponsesApiWebSearchAction": {
+      "oneOf": [
+        {
+          "properties": {
+            "queries": {
+              "items": {
+                "type": "string"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "query": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "search"
+              ],
+              "title": "SearchResponsesApiWebSearchActionType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "SearchResponsesApiWebSearchAction",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "open_page"
+              ],
+              "title": "OpenPageResponsesApiWebSearchActionType",
+              "type": "string"
+            },
+            "url": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "OpenPageResponsesApiWebSearchAction",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "find_in_page"
+              ],
+              "title": "FindInPageResponsesApiWebSearchActionType",
+              "type": "string"
+            },
+            "url": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FindInPageResponsesApiWebSearchAction",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "other"
+              ],
+              "title": "OtherResponsesApiWebSearchActionType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "OtherResponsesApiWebSearchAction",
+          "type": "object"
+        }
+      ]
+    },
     "ReviewDelivery": {
       "enum": [
         "inline",
@@ -1790,34 +2041,6 @@
         }
       ]
     },
-    "SdkDelegationConfig": {
-      "properties": {
-        "bridgeUrl": {
-          "description": "Base URL for the host-managed Responses bridge reachable by the Codex runtime.",
-          "type": "string"
-        },
-        "modelProviderId": {
-          "description": "Optional model-provider id to register for this thread. Defaults to `codex-sdk-v2`.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "streamIdleTimeoutMs": {
-          "description": "Optional stream idle timeout override for the delegated provider.",
-          "format": "uint64",
-          "minimum": 0.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "bridgeUrl"
-      ],
-      "type": "object"
-    },
     "ServiceTier": {
       "enum": [
         "fast",
@@ -2812,107 +3035,6 @@
         }
       ]
     },
-    "WebSearchAction": {
-      "oneOf": [
-        {
-          "properties": {
-            "queries": {
-              "items": {
-                "type": "string"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
-            "query": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "search"
-              ],
-              "title": "SearchWebSearchActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "SearchWebSearchAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "open_page"
-              ],
-              "title": "OpenPageWebSearchActionType",
-              "type": "string"
-            },
-            "url": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "OpenPageWebSearchAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "find_in_page"
-              ],
-              "title": "FindInPageWebSearchActionType",
-              "type": "string"
-            },
-            "url": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "FindInPageWebSearchAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "other"
-              ],
-              "title": "OtherWebSearchActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "OtherWebSearchAction",
-          "type": "object"
-        }
-      ]
-    },
     "WindowsSandboxSetupMode": {
       "enum": [
         "elevated",
@@ -2923,9 +3045,13 @@
     "WindowsSandboxSetupStartParams": {
       "properties": {
         "cwd": {
-          "type": [
-            "string",
-            "null"
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            {
+              "type": "null"
+            }
           ]
         },
         "mode": {
@@ -3803,7 +3929,7 @@
       "type": "object"
     },
     {
-      "description": "Execute a command (argv vector) under the server's sandbox.",
+      "description": "Execute a standalone command (argv vector) under the server's sandbox.",
       "properties": {
         "id": {
           "$ref": "#/definitions/RequestId"
@@ -3827,6 +3953,81 @@
       "title": "Command/execRequest",
       "type": "object"
     },
+    {
+      "description": "Write stdin bytes to a running `command/exec` session or close stdin.",
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "command/exec/write"
+          ],
+          "title": "Command/exec/writeRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/CommandExecWriteParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Command/exec/writeRequest",
+      "type": "object"
+    },
+    {
+      "description": "Terminate a running `command/exec` session by client-supplied `processId`.",
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "command/exec/terminate"
+          ],
+          "title": "Command/exec/terminateRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/CommandExecTerminateParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Command/exec/terminateRequest",
+      "type": "object"
+    },
+    {
+      "description": "Resize a running PTY-backed `command/exec` session by client-supplied `processId`.",
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "command/exec/resize"
+          ],
+          "title": "Command/exec/resizeRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/CommandExecResizeParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Command/exec/resizeRequest",
+      "type": "object"
+    },
     {
       "properties": {
         "id": {

codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json

@@ -216,31 +216,6 @@
           ],
           "type": "string"
         },
-        {
-          "additionalProperties": false,
-          "description": "User approved execution, but wants to replace the command before it runs.",
-          "properties": {
-            "acceptWithCommandOverride": {
-              "properties": {
-                "command": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "command"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "acceptWithCommandOverride"
-          ],
-          "title": "AcceptWithCommandOverrideCommandExecutionApprovalDecision",
-          "type": "object"
-        },
         {
           "description": "User approved the command and future prompts in the same session-scoped approval cache should run without prompting.",
           "enum": [
@@ -311,6 +286,17 @@
         }
       ]
     },
+    "CommandExecutionRequestApprovalSkillMetadata": {
+      "properties": {
+        "pathToSkillsMd": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "pathToSkillsMd"
+      ],
+      "type": "object"
+    },
     "MacOsAutomationPermission": {
       "oneOf": [
         {

codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalResponse.json

@@ -10,31 +10,6 @@
           ],
           "type": "string"
         },
-        {
-          "additionalProperties": false,
-          "description": "User approved execution, but wants to replace the command before it runs.",
-          "properties": {
-            "acceptWithCommandOverride": {
-              "properties": {
-                "command": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "command"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "acceptWithCommandOverride"
-          ],
-          "title": "AcceptWithCommandOverrideCommandExecutionApprovalDecision",
-          "type": "object"
-        },
         {
           "description": "User approved the command and future prompts in the same session-scoped approval cache should run without prompting.",
           "enum": [

codex-rs/app-server-protocol/schema/json/EventMsg.json

@@ -1414,7 +1414,7 @@
         {
           "properties": {
             "action": {
-              "$ref": "#/definitions/WebSearchAction"
+              "$ref": "#/definitions/ResponsesApiWebSearchAction"
             },
             "call_id": {
               "type": "string"
@@ -1866,6 +1866,17 @@
                 "null"
               ]
             },
+            "skill_metadata": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/ExecApprovalRequestSkillMetadata"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Optional skill metadata when the approval was triggered by a skill script."
+            },
             "turn_id": {
               "default": "",
               "description": "Turn ID that this command belongs to. Uses `#[serde(default)]` for backwards compatibility.",
@@ -1889,6 +1900,42 @@
           "title": "ExecApprovalRequestEventMsg",
           "type": "object"
         },
+        {
+          "properties": {
+            "call_id": {
+              "description": "Responses API call id for the associated tool call, if available.",
+              "type": "string"
+            },
+            "permissions": {
+              "$ref": "#/definitions/PermissionProfile"
+            },
+            "reason": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "turn_id": {
+              "default": "",
+              "description": "Turn ID that this request belongs to. Uses `#[serde(default)]` for backwards compatibility.",
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "request_permissions"
+              ],
+              "title": "RequestPermissionsEventMsgType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "call_id",
+            "permissions",
+            "type"
+          ],
+          "title": "RequestPermissionsEventMsg",
+          "type": "object"
+        },
         {
           "properties": {
             "call_id": {
@@ -3442,6 +3489,17 @@
         }
       ]
     },
+    "ExecApprovalRequestSkillMetadata": {
+      "properties": {
+        "path_to_skills_md": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "path_to_skills_md"
+      ],
+      "type": "object"
+    },
     "ExecCommandSource": {
       "enum": [
         "agent",
@@ -4425,6 +4483,32 @@
           "title": "SessionUpdatedRealtimeEvent",
           "type": "object"
         },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "InputTranscriptDelta": {
+              "$ref": "#/definitions/RealtimeTranscriptDelta"
+            }
+          },
+          "required": [
+            "InputTranscriptDelta"
+          ],
+          "title": "InputTranscriptDeltaRealtimeEvent",
+          "type": "object"
+        },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "OutputTranscriptDelta": {
+              "$ref": "#/definitions/RealtimeTranscriptDelta"
+            }
+          },
+          "required": [
+            "OutputTranscriptDelta"
+          ],
+          "title": "OutputTranscriptDeltaRealtimeEvent",
+          "type": "object"
+        },
         {
           "additionalProperties": false,
           "properties": {
@@ -4498,7 +4582,44 @@
         }
       ]
     },
-    "RealtimeHandoffMessage": {
+    "RealtimeHandoffRequested": {
+      "properties": {
+        "active_transcript": {
+          "items": {
+            "$ref": "#/definitions/RealtimeTranscriptEntry"
+          },
+          "type": "array"
+        },
+        "handoff_id": {
+          "type": "string"
+        },
+        "input_transcript": {
+          "type": "string"
+        },
+        "item_id": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "active_transcript",
+        "handoff_id",
+        "input_transcript",
+        "item_id"
+      ],
+      "type": "object"
+    },
+    "RealtimeTranscriptDelta": {
+      "properties": {
+        "delta": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "delta"
+      ],
+      "type": "object"
+    },
+    "RealtimeTranscriptEntry": {
       "properties": {
         "role": {
           "type": "string"
@@ -4513,32 +4634,6 @@
       ],
       "type": "object"
     },
-    "RealtimeHandoffRequested": {
-      "properties": {
-        "handoff_id": {
-          "type": "string"
-        },
-        "input_transcript": {
-          "type": "string"
-        },
-        "item_id": {
-          "type": "string"
-        },
-        "messages": {
-          "items": {
-            "$ref": "#/definitions/RealtimeHandoffMessage"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "handoff_id",
-        "input_transcript",
-        "item_id",
-        "messages"
-      ],
-      "type": "object"
-    },
     "ReasoningEffort": {
       "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
       "enum": [
@@ -5072,7 +5167,7 @@
             "action": {
               "anyOf": [
                 {
-                  "$ref": "#/definitions/WebSearchAction"
+                  "$ref": "#/definitions/ResponsesApiWebSearchAction"
                 },
                 {
                   "type": "null"
@@ -5198,6 +5293,107 @@
         }
       ]
     },
+    "ResponsesApiWebSearchAction": {
+      "oneOf": [
+        {
+          "properties": {
+            "queries": {
+              "items": {
+                "type": "string"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "query": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "search"
+              ],
+              "title": "SearchResponsesApiWebSearchActionType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "SearchResponsesApiWebSearchAction",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "open_page"
+              ],
+              "title": "OpenPageResponsesApiWebSearchActionType",
+              "type": "string"
+            },
+            "url": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "OpenPageResponsesApiWebSearchAction",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "find_in_page"
+              ],
+              "title": "FindInPageResponsesApiWebSearchActionType",
+              "type": "string"
+            },
+            "url": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FindInPageResponsesApiWebSearchAction",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "other"
+              ],
+              "title": "OtherResponsesApiWebSearchActionType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "OtherResponsesApiWebSearchAction",
+          "type": "object"
+        }
+      ]
+    },
     "Result_of_CallToolResult_or_String": {
       "oneOf": [
         {
@@ -5252,31 +5448,6 @@
           ],
           "type": "string"
         },
-        {
-          "additionalProperties": false,
-          "description": "User has approved this command, but wants the agent to execute a replacement command instead of the originally proposed one.",
-          "properties": {
-            "approved_with_command_override": {
-              "properties": {
-                "command": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "command"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "approved_with_command_override"
-          ],
-          "title": "ApprovedWithCommandOverrideReviewDecision",
-          "type": "object"
-        },
         {
           "additionalProperties": false,
           "description": "User has approved this command and wants to apply the proposed execpolicy amendment so future matching commands are permitted.",
@@ -6120,7 +6291,7 @@
         {
           "properties": {
             "action": {
-              "$ref": "#/definitions/WebSearchAction"
+              "$ref": "#/definitions/ResponsesApiWebSearchAction"
             },
             "id": {
               "type": "string"
@@ -6331,107 +6502,6 @@
           "type": "object"
         }
       ]
-    },
-    "WebSearchAction": {
-      "oneOf": [
-        {
-          "properties": {
-            "queries": {
-              "items": {
-                "type": "string"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
-            "query": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "search"
-              ],
-              "title": "SearchWebSearchActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "SearchWebSearchAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "open_page"
-              ],
-              "title": "OpenPageWebSearchActionType",
-              "type": "string"
-            },
-            "url": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "OpenPageWebSearchAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "find_in_page"
-              ],
-              "title": "FindInPageWebSearchActionType",
-              "type": "string"
-            },
-            "url": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "FindInPageWebSearchAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "other"
-              ],
-              "title": "OtherWebSearchActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "OtherWebSearchAction",
-          "type": "object"
-        }
-      ]
     }
   },
   "description": "Response event from the agent NOTE: Make sure none of these values have optional types, as it will mess up the extension code-gen.",
@@ -7251,7 +7321,7 @@
     {
       "properties": {
         "action": {
-          "$ref": "#/definitions/WebSearchAction"
+          "$ref": "#/definitions/ResponsesApiWebSearchAction"
         },
         "call_id": {
           "type": "string"
@@ -7703,6 +7773,17 @@
             "null"
           ]
         },
+        "skill_metadata": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ExecApprovalRequestSkillMetadata"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Optional skill metadata when the approval was triggered by a skill script."
+        },
         "turn_id": {
           "default": "",
           "description": "Turn ID that this command belongs to. Uses `#[serde(default)]` for backwards compatibility.",
@@ -7726,6 +7807,42 @@
       "title": "ExecApprovalRequestEventMsg",
       "type": "object"
     },
+    {
+      "properties": {
+        "call_id": {
+          "description": "Responses API call id for the associated tool call, if available.",
+          "type": "string"
+        },
+        "permissions": {
+          "$ref": "#/definitions/PermissionProfile"
+        },
+        "reason": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "turn_id": {
+          "default": "",
+          "description": "Turn ID that this request belongs to. Uses `#[serde(default)]` for backwards compatibility.",
+          "type": "string"
+        },
+        "type": {
+          "enum": [
+            "request_permissions"
+          ],
+          "title": "RequestPermissionsEventMsgType",
+          "type": "string"
+        }
+      },
+      "required": [
+        "call_id",
+        "permissions",
+        "type"
+      ],
+      "title": "RequestPermissionsEventMsg",
+      "type": "object"
+    },
     {
       "properties": {
         "call_id": {

codex-rs/app-server-protocol/schema/json/ExecCommandApprovalResponse.json

@@ -33,31 +33,6 @@
           ],
           "type": "string"
         },
-        {
-          "additionalProperties": false,
-          "description": "User has approved this command, but wants the agent to execute a replacement command instead of the originally proposed one.",
-          "properties": {
-            "approved_with_command_override": {
-              "properties": {
-                "command": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "command"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "approved_with_command_override"
-          ],
-          "title": "ApprovedWithCommandOverrideReviewDecision",
-          "type": "object"
-        },
         {
           "additionalProperties": false,
           "description": "User has approved this command and wants to apply the proposed execpolicy amendment so future matching commands are permitted.",

codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json

@@ -0,0 +1,164 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
+    "AdditionalFileSystemPermissions": {
+      "properties": {
+        "read": {
+          "items": {
+            "$ref": "#/definitions/AbsolutePathBuf"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "write": {
+          "items": {
+            "$ref": "#/definitions/AbsolutePathBuf"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "AdditionalMacOsPermissions": {
+      "properties": {
+        "accessibility": {
+          "type": "boolean"
+        },
+        "automations": {
+          "$ref": "#/definitions/MacOsAutomationPermission"
+        },
+        "calendar": {
+          "type": "boolean"
+        },
+        "preferences": {
+          "$ref": "#/definitions/MacOsPreferencesPermission"
+        }
+      },
+      "required": [
+        "accessibility",
+        "automations",
+        "calendar",
+        "preferences"
+      ],
+      "type": "object"
+    },
+    "AdditionalNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "AdditionalPermissionProfile": {
+      "properties": {
+        "fileSystem": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AdditionalFileSystemPermissions"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "macos": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AdditionalMacOsPermissions"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "network": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AdditionalNetworkPermissions"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "MacOsAutomationPermission": {
+      "oneOf": [
+        {
+          "enum": [
+            "none",
+            "all"
+          ],
+          "type": "string"
+        },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "bundle_ids": {
+              "items": {
+                "type": "string"
+              },
+              "type": "array"
+            }
+          },
+          "required": [
+            "bundle_ids"
+          ],
+          "title": "BundleIdsMacOsAutomationPermission",
+          "type": "object"
+        }
+      ]
+    },
+    "MacOsPreferencesPermission": {
+      "enum": [
+        "none",
+        "read_only",
+        "read_write"
+      ],
+      "type": "string"
+    }
+  },
+  "properties": {
+    "itemId": {
+      "type": "string"
+    },
+    "permissions": {
+      "$ref": "#/definitions/AdditionalPermissionProfile"
+    },
+    "reason": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "threadId": {
+      "type": "string"
+    },
+    "turnId": {
+      "type": "string"
+    }
+  },
+  "required": [
+    "itemId",
+    "permissions",
+    "threadId",
+    "turnId"
+  ],
+  "title": "PermissionsRequestApprovalParams",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json

@@ -0,0 +1,160 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
+    "AdditionalFileSystemPermissions": {
+      "properties": {
+        "read": {
+          "items": {
+            "$ref": "#/definitions/AbsolutePathBuf"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "write": {
+          "items": {
+            "$ref": "#/definitions/AbsolutePathBuf"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "AdditionalNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "GrantedMacOsPermissions": {
+      "properties": {
+        "accessibility": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
+        "automations": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/MacOsAutomationPermission"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "calendar": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
+        "preferences": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/MacOsPreferencesPermission"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "GrantedPermissionProfile": {
+      "properties": {
+        "fileSystem": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AdditionalFileSystemPermissions"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "macos": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/GrantedMacOsPermissions"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "network": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AdditionalNetworkPermissions"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "MacOsAutomationPermission": {
+      "oneOf": [
+        {
+          "enum": [
+            "none",
+            "all"
+          ],
+          "type": "string"
+        },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "bundle_ids": {
+              "items": {
+                "type": "string"
+              },
+              "type": "array"
+            }
+          },
+          "required": [
+            "bundle_ids"
+          ],
+          "title": "BundleIdsMacOsAutomationPermission",
+          "type": "object"
+        }
+      ]
+    },
+    "MacOsPreferencesPermission": {
+      "enum": [
+        "none",
+        "read_only",
+        "read_write"
+      ],
+      "type": "string"
+    }
+  },
+  "properties": {
+    "permissions": {
+      "$ref": "#/definitions/GrantedPermissionProfile"
+    }
+  },
+  "required": [
+    "permissions"
+  ],
+  "title": "PermissionsRequestApprovalResponse",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/ServerNotification.json

@@ -670,6 +670,57 @@
         }
       ]
     },
+    "CommandExecOutputDeltaNotification": {
+      "description": "Base64-encoded output chunk emitted for a streaming `command/exec` request.\n\nThese notifications are connection-scoped. If the originating connection closes, the server terminates the process.",
+      "properties": {
+        "capReached": {
+          "description": "`true` on the final streamed chunk for a stream when `outputBytesCap` truncated later output on that stream.",
+          "type": "boolean"
+        },
+        "deltaBase64": {
+          "description": "Base64-encoded output bytes.",
+          "type": "string"
+        },
+        "processId": {
+          "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+          "type": "string"
+        },
+        "stream": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/CommandExecOutputStream"
+            }
+          ],
+          "description": "Output stream for this chunk."
+        }
+      },
+      "required": [
+        "capReached",
+        "deltaBase64",
+        "processId",
+        "stream"
+      ],
+      "type": "object"
+    },
+    "CommandExecOutputStream": {
+      "description": "Stream label for `command/exec/outputDelta` notifications.",
+      "oneOf": [
+        {
+          "description": "stdout stream. PTY mode multiplexes terminal output here.",
+          "enum": [
+            "stdout"
+          ],
+          "type": "string"
+        },
+        {
+          "description": "stderr stream.",
+          "enum": [
+            "stderr"
+          ],
+          "type": "string"
+        }
+      ]
+    },
     "CommandExecutionOutputDeltaNotification": {
       "properties": {
         "delta": {
@@ -1450,25 +1501,6 @@
         }
       ]
     },
-    "SdkDelegationConfiguredNotification": {
-      "properties": {
-        "bridgeUrl": {
-          "type": "string"
-        },
-        "modelProvider": {
-          "type": "string"
-        },
-        "threadId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "bridgeUrl",
-        "modelProvider",
-        "threadId"
-      ],
-      "type": "object"
-    },
     "ServerRequestResolvedNotification": {
       "properties": {
         "requestId": {
@@ -3487,6 +3519,27 @@
       "title": "Item/plan/deltaNotification",
       "type": "object"
     },
+    {
+      "description": "Stream base64-encoded stdout/stderr chunks for a running `command/exec` session.",
+      "properties": {
+        "method": {
+          "enum": [
+            "command/exec/outputDelta"
+          ],
+          "title": "Command/exec/outputDeltaNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/CommandExecOutputDeltaNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "Command/exec/outputDeltaNotification",
+      "type": "object"
+    },
     {
       "properties": {
         "method": {
@@ -3667,26 +3720,6 @@
       "title": "App/list/updatedNotification",
       "type": "object"
     },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "codexSdk/delegationConfigured"
-          ],
-          "title": "CodexSdk/delegationConfiguredNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/SdkDelegationConfiguredNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "CodexSdk/delegationConfiguredNotification",
-      "type": "object"
-    },
     {
       "properties": {
         "method": {

codex-rs/app-server-protocol/schema/json/ServerRequest.json

@@ -282,31 +282,6 @@
           ],
           "type": "string"
         },
-        {
-          "additionalProperties": false,
-          "description": "User approved execution, but wants to replace the command before it runs.",
-          "properties": {
-            "acceptWithCommandOverride": {
-              "properties": {
-                "command": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "command"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "acceptWithCommandOverride"
-          ],
-          "title": "AcceptWithCommandOverrideCommandExecutionApprovalDecision",
-          "type": "object"
-        },
         {
           "description": "User approved the command and future prompts in the same session-scoped approval cache should run without prompting.",
           "enum": [
@@ -465,6 +440,17 @@
       ],
       "type": "object"
     },
+    "CommandExecutionRequestApprovalSkillMetadata": {
+      "properties": {
+        "pathToSkillsMd": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "pathToSkillsMd"
+      ],
+      "type": "object"
+    },
     "DynamicToolCallParams": {
       "properties": {
         "arguments": true,
@@ -1437,6 +1423,35 @@
         }
       ]
     },
+    "PermissionsRequestApprovalParams": {
+      "properties": {
+        "itemId": {
+          "type": "string"
+        },
+        "permissions": {
+          "$ref": "#/definitions/AdditionalPermissionProfile"
+        },
+        "reason": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "threadId": {
+          "type": "string"
+        },
+        "turnId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "itemId",
+        "permissions",
+        "threadId",
+        "turnId"
+      ],
+      "type": "object"
+    },
     "RequestId": {
       "anyOf": [
         {
@@ -1634,6 +1649,31 @@
       "title": "McpServer/elicitation/requestRequest",
       "type": "object"
     },
+    {
+      "description": "Request approval for additional permissions from the user.",
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "item/permissions/requestApproval"
+          ],
+          "title": "Item/permissions/requestApprovalRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/PermissionsRequestApprovalParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Item/permissions/requestApprovalRequest",
+      "type": "object"
+    },
     {
       "description": "Execute a dynamic tool call on the client.",
       "properties": {

codex-rs/app-server-protocol/schema/json/v2/CommandExecOutputDeltaNotification.json

@@ -0,0 +1,55 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "CommandExecOutputStream": {
+      "description": "Stream label for `command/exec/outputDelta` notifications.",
+      "oneOf": [
+        {
+          "description": "stdout stream. PTY mode multiplexes terminal output here.",
+          "enum": [
+            "stdout"
+          ],
+          "type": "string"
+        },
+        {
+          "description": "stderr stream.",
+          "enum": [
+            "stderr"
+          ],
+          "type": "string"
+        }
+      ]
+    }
+  },
+  "description": "Base64-encoded output chunk emitted for a streaming `command/exec` request.\n\nThese notifications are connection-scoped. If the originating connection closes, the server terminates the process.",
+  "properties": {
+    "capReached": {
+      "description": "`true` on the final streamed chunk for a stream when `outputBytesCap` truncated later output on that stream.",
+      "type": "boolean"
+    },
+    "deltaBase64": {
+      "description": "Base64-encoded output bytes.",
+      "type": "string"
+    },
+    "processId": {
+      "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+      "type": "string"
+    },
+    "stream": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/CommandExecOutputStream"
+        }
+      ],
+      "description": "Output stream for this chunk."
+    }
+  },
+  "required": [
+    "capReached",
+    "deltaBase64",
+    "processId",
+    "stream"
+  ],
+  "title": "CommandExecOutputDeltaNotification",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json

@@ -5,6 +5,28 @@
       "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
       "type": "string"
     },
+    "CommandExecTerminalSize": {
+      "description": "PTY size in character cells for `command/exec` PTY sessions.",
+      "properties": {
+        "cols": {
+          "description": "Terminal width in character cells.",
+          "format": "uint16",
+          "minimum": 0.0,
+          "type": "integer"
+        },
+        "rows": {
+          "description": "Terminal height in character cells.",
+          "format": "uint16",
+          "minimum": 0.0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "cols",
+        "rows"
+      ],
+      "type": "object"
+    },
     "NetworkAccess": {
       "enum": [
         "restricted",
@@ -179,14 +201,54 @@
       ]
     }
   },
+  "description": "Run a standalone command (argv vector) in the server sandbox without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
   "properties": {
     "command": {
+      "description": "Command argv vector. Empty arrays are rejected.",
       "items": {
         "type": "string"
       },
       "type": "array"
     },
     "cwd": {
+      "description": "Optional working directory. Defaults to the server cwd.",
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "disableOutputCap": {
+      "description": "Disable stdout/stderr capture truncation for this request.\n\nCannot be combined with `outputBytesCap`.",
+      "type": "boolean"
+    },
+    "disableTimeout": {
+      "description": "Disable the timeout entirely for this request.\n\nCannot be combined with `timeoutMs`.",
+      "type": "boolean"
+    },
+    "env": {
+      "additionalProperties": {
+        "type": [
+          "string",
+          "null"
+        ]
+      },
+      "description": "Optional environment overrides merged into the server-computed environment.\n\nMatching names override inherited values. Set a key to `null` to unset an inherited variable.",
+      "type": [
+        "object",
+        "null"
+      ]
+    },
+    "outputBytesCap": {
+      "description": "Optional per-stream stdout/stderr capture cap in bytes.\n\nWhen omitted, the server default applies. Cannot be combined with `disableOutputCap`.",
+      "format": "uint",
+      "minimum": 0.0,
+      "type": [
+        "integer",
+        "null"
+      ]
+    },
+    "processId": {
+      "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
       "type": [
         "string",
         "null"
@@ -200,14 +262,39 @@
         {
           "type": "null"
         }
-      ]
+      ],
+      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted."
+    },
+    "size": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/CommandExecTerminalSize"
+        },
+        {
+          "type": "null"
+        }
+      ],
+      "description": "Optional initial PTY size in character cells. Only valid when `tty` is true."
+    },
+    "streamStdin": {
+      "description": "Allow follow-up `command/exec/write` requests to write stdin bytes.\n\nRequires a client-supplied `processId`.",
+      "type": "boolean"
+    },
+    "streamStdoutStderr": {
+      "description": "Stream stdout/stderr via `command/exec/outputDelta` notifications.\n\nStreamed bytes are not duplicated into the final response and require a client-supplied `processId`.",
+      "type": "boolean"
     },
     "timeoutMs": {
+      "description": "Optional timeout in milliseconds.\n\nWhen omitted, the server default applies. Cannot be combined with `disableTimeout`.",
       "format": "int64",
       "type": [
         "integer",
         "null"
       ]
+    },
+    "tty": {
+      "description": "Enable PTY mode.\n\nThis implies `streamStdin` and `streamStdoutStderr`.",
+      "type": "boolean"
     }
   },
   "required": [

codex-rs/app-server-protocol/schema/json/v2/CommandExecResizeParams.json

@@ -0,0 +1,48 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "CommandExecTerminalSize": {
+      "description": "PTY size in character cells for `command/exec` PTY sessions.",
+      "properties": {
+        "cols": {
+          "description": "Terminal width in character cells.",
+          "format": "uint16",
+          "minimum": 0.0,
+          "type": "integer"
+        },
+        "rows": {
+          "description": "Terminal height in character cells.",
+          "format": "uint16",
+          "minimum": 0.0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "cols",
+        "rows"
+      ],
+      "type": "object"
+    }
+  },
+  "description": "Resize a running PTY-backed `command/exec` session.",
+  "properties": {
+    "processId": {
+      "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+      "type": "string"
+    },
+    "size": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/CommandExecTerminalSize"
+        }
+      ],
+      "description": "New PTY size in character cells."
+    }
+  },
+  "required": [
+    "processId",
+    "size"
+  ],
+  "title": "CommandExecResizeParams",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/CommandExecResizeResponse.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Empty success response for `command/exec/resize`.",
+  "title": "CommandExecResizeResponse",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/CommandExecResponse.json

@@ -1,14 +1,18 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Final buffered result for `command/exec`.",
   "properties": {
     "exitCode": {
+      "description": "Process exit code.",
       "format": "int32",
       "type": "integer"
     },
     "stderr": {
+      "description": "Buffered stderr capture.\n\nEmpty when stderr was streamed via `command/exec/outputDelta`.",
       "type": "string"
     },
     "stdout": {
+      "description": "Buffered stdout capture.\n\nEmpty when stdout was streamed via `command/exec/outputDelta`.",
       "type": "string"
     }
   },

codex-rs/app-server-protocol/schema/json/v2/CommandExecTerminateParams.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Terminate a running `command/exec` session.",
+  "properties": {
+    "processId": {
+      "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+      "type": "string"
+    }
+  },
+  "required": [
+    "processId"
+  ],
+  "title": "CommandExecTerminateParams",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/CommandExecTerminateResponse.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Empty success response for `command/exec/terminate`.",
+  "title": "CommandExecTerminateResponse",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/CommandExecWriteParams.json

@@ -0,0 +1,26 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Write stdin bytes to a running `command/exec` session, close stdin, or both.",
+  "properties": {
+    "closeStdin": {
+      "description": "Close stdin after writing `deltaBase64`, if present.",
+      "type": "boolean"
+    },
+    "deltaBase64": {
+      "description": "Optional base64-encoded stdin bytes to write.",
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "processId": {
+      "description": "Client-supplied, connection-scoped `processId` from the original `command/exec` request.",
+      "type": "string"
+    }
+  },
+  "required": [
+    "processId"
+  ],
+  "title": "CommandExecWriteParams",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/CommandExecWriteResponse.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Empty success response for `command/exec/write`.",
+  "title": "CommandExecWriteResponse",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/ConfigBatchWriteParams.json

@@ -45,6 +45,10 @@
         "string",
         "null"
       ]
+    },
+    "reloadUserConfig": {
+      "description": "When true, hot-reload the updated user config into all loaded threads after writing.",
+      "type": "boolean"
     }
   },
   "required": [

codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json

@@ -628,6 +628,16 @@
             }
           ]
         },
+        "tools": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ToolsV2"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
         "web_search": {
           "anyOf": [
             {
@@ -721,9 +731,13 @@
           ]
         },
         "web_search": {
-          "type": [
-            "boolean",
-            "null"
+          "anyOf": [
+            {
+              "$ref": "#/definitions/WebSearchToolConfig"
+            },
+            {
+              "type": "null"
+            }
           ]
         }
       },
@@ -738,6 +752,44 @@
       ],
       "type": "string"
     },
+    "WebSearchContextSize": {
+      "enum": [
+        "low",
+        "medium",
+        "high"
+      ],
+      "type": "string"
+    },
+    "WebSearchLocation": {
+      "additionalProperties": false,
+      "properties": {
+        "city": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "country": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "region": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "timezone": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
     "WebSearchMode": {
       "enum": [
         "disabled",
@@ -745,6 +797,41 @@
         "live"
       ],
       "type": "string"
+    },
+    "WebSearchToolConfig": {
+      "additionalProperties": false,
+      "properties": {
+        "allowed_domains": {
+          "items": {
+            "type": "string"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "context_size": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/WebSearchContextSize"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "location": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/WebSearchLocation"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        }
+      },
+      "type": "object"
     }
   },
   "properties": {

codex-rs/app-server-protocol/schema/json/v2/PluginListParams.json

@@ -8,7 +8,7 @@
   },
   "properties": {
     "cwds": {
-      "description": "Optional working directories used to discover repo marketplaces. When omitted, only home-scoped marketplaces are considered.",
+      "description": "Optional working directories used to discover repo marketplaces. When omitted, only home-scoped marketplaces and the official curated marketplace are considered.",
       "items": {
         "$ref": "#/definitions/AbsolutePathBuf"
       },

codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json

@@ -1,13 +1,118 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
+    "PluginInterface": {
+      "properties": {
+        "brandColor": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "capabilities": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "category": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "composerIcon": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "defaultPrompt": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "developerName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "displayName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "logo": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "longDescription": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "privacyPolicyUrl": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "screenshots": {
+          "items": {
+            "$ref": "#/definitions/AbsolutePathBuf"
+          },
+          "type": "array"
+        },
+        "shortDescription": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "termsOfServiceUrl": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "websiteUrl": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "capabilities",
+        "screenshots"
+      ],
+      "type": "object"
+    },
     "PluginMarketplaceEntry": {
       "properties": {
         "name": {
           "type": "string"
         },
         "path": {
-          "type": "string"
+          "$ref": "#/definitions/AbsolutePathBuf"
         },
         "plugins": {
           "items": {
@@ -28,7 +133,7 @@
         {
           "properties": {
             "path": {
-              "type": "string"
+              "$ref": "#/definitions/AbsolutePathBuf"
             },
             "type": {
               "enum": [
@@ -52,6 +157,22 @@
         "enabled": {
           "type": "boolean"
         },
+        "id": {
+          "type": "string"
+        },
+        "installed": {
+          "type": "boolean"
+        },
+        "interface": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/PluginInterface"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
         "name": {
           "type": "string"
         },
@@ -61,6 +182,8 @@
       },
       "required": [
         "enabled",
+        "id",
+        "installed",
         "name",
         "source"
       ],

codex-rs/app-server-protocol/schema/json/v2/RawResponseItemCompletedNotification.json

@@ -607,7 +607,7 @@
             "action": {
               "anyOf": [
                 {
-                  "$ref": "#/definitions/WebSearchAction"
+                  "$ref": "#/definitions/ResponsesApiWebSearchAction"
                 },
                 {
                   "type": "null"
@@ -733,7 +733,7 @@
         }
       ]
     },
-    "WebSearchAction": {
+    "ResponsesApiWebSearchAction": {
       "oneOf": [
         {
           "properties": {
@@ -756,14 +756,14 @@
               "enum": [
                 "search"
               ],
-              "title": "SearchWebSearchActionType",
+              "title": "SearchResponsesApiWebSearchActionType",
               "type": "string"
             }
           },
           "required": [
             "type"
           ],
-          "title": "SearchWebSearchAction",
+          "title": "SearchResponsesApiWebSearchAction",
           "type": "object"
         },
         {
@@ -772,7 +772,7 @@
               "enum": [
                 "open_page"
               ],
-              "title": "OpenPageWebSearchActionType",
+              "title": "OpenPageResponsesApiWebSearchActionType",
               "type": "string"
             },
             "url": {
@@ -785,7 +785,7 @@
           "required": [
             "type"
           ],
-          "title": "OpenPageWebSearchAction",
+          "title": "OpenPageResponsesApiWebSearchAction",
           "type": "object"
         },
         {
@@ -800,7 +800,7 @@
               "enum": [
                 "find_in_page"
               ],
-              "title": "FindInPageWebSearchActionType",
+              "title": "FindInPageResponsesApiWebSearchActionType",
               "type": "string"
             },
             "url": {
@@ -813,7 +813,7 @@
           "required": [
             "type"
           ],
-          "title": "FindInPageWebSearchAction",
+          "title": "FindInPageResponsesApiWebSearchAction",
           "type": "object"
         },
         {
@@ -822,14 +822,14 @@
               "enum": [
                 "other"
               ],
-              "title": "OtherWebSearchActionType",
+              "title": "OtherResponsesApiWebSearchActionType",
               "type": "string"
             }
           },
           "required": [
             "type"
           ],
-          "title": "OtherWebSearchAction",
+          "title": "OtherResponsesApiWebSearchAction",
           "type": "object"
         }
       ]

codex-rs/app-server-protocol/schema/json/v2/SdkDelegationConfiguredNotification.json

@@ -1,21 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "bridgeUrl": {
-      "type": "string"
-    },
-    "modelProvider": {
-      "type": "string"
-    },
-    "threadId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "bridgeUrl",
-    "modelProvider",
-    "threadId"
-  ],
-  "title": "SdkDelegationConfiguredNotification",
-  "type": "object"
-}

codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json

@@ -657,7 +657,7 @@
             "action": {
               "anyOf": [
                 {
-                  "$ref": "#/definitions/WebSearchAction"
+                  "$ref": "#/definitions/ResponsesApiWebSearchAction"
                 },
                 {
                   "type": "null"
@@ -783,22 +783,7 @@
         }
       ]
     },
-    "SandboxMode": {
-      "enum": [
-        "read-only",
-        "workspace-write",
-        "danger-full-access"
-      ],
-      "type": "string"
-    },
-    "ServiceTier": {
-      "enum": [
-        "fast",
-        "flex"
-      ],
-      "type": "string"
-    },
-    "WebSearchAction": {
+    "ResponsesApiWebSearchAction": {
       "oneOf": [
         {
           "properties": {
@@ -821,14 +806,14 @@
               "enum": [
                 "search"
               ],
-              "title": "SearchWebSearchActionType",
+              "title": "SearchResponsesApiWebSearchActionType",
               "type": "string"
             }
           },
           "required": [
             "type"
           ],
-          "title": "SearchWebSearchAction",
+          "title": "SearchResponsesApiWebSearchAction",
           "type": "object"
         },
         {
@@ -837,7 +822,7 @@
               "enum": [
                 "open_page"
               ],
-              "title": "OpenPageWebSearchActionType",
+              "title": "OpenPageResponsesApiWebSearchActionType",
               "type": "string"
             },
             "url": {
@@ -850,7 +835,7 @@
           "required": [
             "type"
           ],
-          "title": "OpenPageWebSearchAction",
+          "title": "OpenPageResponsesApiWebSearchAction",
           "type": "object"
         },
         {
@@ -865,7 +850,7 @@
               "enum": [
                 "find_in_page"
               ],
-              "title": "FindInPageWebSearchActionType",
+              "title": "FindInPageResponsesApiWebSearchActionType",
               "type": "string"
             },
             "url": {
@@ -878,7 +863,7 @@
           "required": [
             "type"
           ],
-          "title": "FindInPageWebSearchAction",
+          "title": "FindInPageResponsesApiWebSearchAction",
           "type": "object"
         },
         {
@@ -887,17 +872,32 @@
               "enum": [
                 "other"
               ],
-              "title": "OtherWebSearchActionType",
+              "title": "OtherResponsesApiWebSearchActionType",
               "type": "string"
             }
           },
           "required": [
             "type"
           ],
-          "title": "OtherWebSearchAction",
+          "title": "OtherResponsesApiWebSearchAction",
           "type": "object"
         }
       ]
+    },
+    "SandboxMode": {
+      "enum": [
+        "read-only",
+        "workspace-write",
+        "danger-full-access"
+      ],
+      "type": "string"
+    },
+    "ServiceTier": {
+      "enum": [
+        "fast",
+        "flex"
+      ],
+      "type": "string"
     }
   },
   "description": "There are three ways to resume a thread: 1. By thread_id: load the thread from disk by thread_id and resume it. 2. By history: instantiate the thread from memory and resume it. 3. By path: load the thread from disk by path and resume it.\n\nThe precedence is: history > path > thread_id. If using history or path, the thread_id param will be ignored.\n\nPrefer using thread_id whenever possible.",

codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json

@@ -76,34 +76,6 @@
       ],
       "type": "string"
     },
-    "SdkDelegationConfig": {
-      "properties": {
-        "bridgeUrl": {
-          "description": "Base URL for the host-managed Responses bridge reachable by the Codex runtime.",
-          "type": "string"
-        },
-        "modelProviderId": {
-          "description": "Optional model-provider id to register for this thread. Defaults to `codex-sdk-v2`.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "streamIdleTimeoutMs": {
-          "description": "Optional stream idle timeout override for the delegated provider.",
-          "format": "uint64",
-          "minimum": 0.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "bridgeUrl"
-      ],
-      "type": "object"
-    },
     "ServiceTier": {
       "enum": [
         "fast",

codex-rs/app-server-protocol/schema/json/v2/WindowsSandboxSetupStartParams.json

@@ -1,6 +1,10 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
     "WindowsSandboxSetupMode": {
       "enum": [
         "elevated",
@@ -11,9 +15,13 @@
   },
   "properties": {
     "cwd": {
-      "type": [
-        "string",
-        "null"
+      "anyOf": [
+        {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        },
+        {
+          "type": "null"
+        }
       ]
     },
     "mode": {

codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts

@@ -10,6 +10,9 @@ import type { RequestId } from "./RequestId";
 import type { AppsListParams } from "./v2/AppsListParams";
 import type { CancelLoginAccountParams } from "./v2/CancelLoginAccountParams";
 import type { CommandExecParams } from "./v2/CommandExecParams";
+import type { CommandExecResizeParams } from "./v2/CommandExecResizeParams";
+import type { CommandExecTerminateParams } from "./v2/CommandExecTerminateParams";
+import type { CommandExecWriteParams } from "./v2/CommandExecWriteParams";
 import type { ConfigBatchWriteParams } from "./v2/ConfigBatchWriteParams";
 import type { ConfigReadParams } from "./v2/ConfigReadParams";
 import type { ConfigValueWriteParams } from "./v2/ConfigValueWriteParams";
@@ -50,4 +53,4 @@ import type { WindowsSandboxSetupStartParams } from "./v2/WindowsSandboxSetupSta
 /**
  * Request from the client to the server.
  */
-export type ClientRequest ={ "method": "initialize", id: RequestId, params: InitializeParams, } | { "method": "thread/start", id: RequestId, params: ThreadStartParams, } | { "method": "thread/resume", id: RequestId, params: ThreadResumeParams, } | { "method": "thread/fork", id: RequestId, params: ThreadForkParams, } | { "method": "thread/archive", id: RequestId, params: ThreadArchiveParams, } | { "method": "thread/unsubscribe", id: RequestId, params: ThreadUnsubscribeParams, } | { "method": "thread/name/set", id: RequestId, params: ThreadSetNameParams, } | { "method": "thread/metadata/update", id: RequestId, params: ThreadMetadataUpdateParams, } | { "method": "thread/unarchive", id: RequestId, params: ThreadUnarchiveParams, } | { "method": "thread/compact/start", id: RequestId, params: ThreadCompactStartParams, } | { "method": "thread/rollback", id: RequestId, params: ThreadRollbackParams, } | { "method": "thread/list", id: RequestId, params: ThreadListParams, } | { "method": "thread/loaded/list", id: RequestId, params: ThreadLoadedListParams, } | { "method": "thread/read", id: RequestId, params: ThreadReadParams, } | { "method": "skills/list", id: RequestId, params: SkillsListParams, } | { "method": "plugin/list", id: RequestId, params: PluginListParams, } | { "method": "skills/remote/list", id: RequestId, params: SkillsRemoteReadParams, } | { "method": "skills/remote/export", id: RequestId, params: SkillsRemoteWriteParams, } | { "method": "app/list", id: RequestId, params: AppsListParams, } | { "method": "skills/config/write", id: RequestId, params: SkillsConfigWriteParams, } | { "method": "plugin/install", id: RequestId, params: PluginInstallParams, } | { "method": "turn/start", id: RequestId, params: TurnStartParams, } | { "method": "turn/steer", id: RequestId, params: TurnSteerParams, } | { "method": "turn/interrupt", id: RequestId, params: TurnInterruptParams, } | { "method": "review/start", id: RequestId, params: ReviewStartParams, } | { "method": "model/list", id: RequestId, params: ModelListParams, } | { "method": "experimentalFeature/list", id: RequestId, params: ExperimentalFeatureListParams, } | { "method": "mcpServer/oauth/login", id: RequestId, params: McpServerOauthLoginParams, } | { "method": "config/mcpServer/reload", id: RequestId, params: undefined, } | { "method": "mcpServerStatus/list", id: RequestId, params: ListMcpServerStatusParams, } | { "method": "windowsSandbox/setupStart", id: RequestId, params: WindowsSandboxSetupStartParams, } | { "method": "account/login/start", id: RequestId, params: LoginAccountParams, } | { "method": "account/login/cancel", id: RequestId, params: CancelLoginAccountParams, } | { "method": "account/logout", id: RequestId, params: undefined, } | { "method": "account/rateLimits/read", id: RequestId, params: undefined, } | { "method": "feedback/upload", id: RequestId, params: FeedbackUploadParams, } | { "method": "command/exec", id: RequestId, params: CommandExecParams, } | { "method": "config/read", id: RequestId, params: ConfigReadParams, } | { "method": "externalAgentConfig/detect", id: RequestId, params: ExternalAgentConfigDetectParams, } | { "method": "externalAgentConfig/import", id: RequestId, params: ExternalAgentConfigImportParams, } | { "method": "config/value/write", id: RequestId, params: ConfigValueWriteParams, } | { "method": "config/batchWrite", id: RequestId, params: ConfigBatchWriteParams, } | { "method": "configRequirements/read", id: RequestId, params: undefined, } | { "method": "account/read", id: RequestId, params: GetAccountParams, } | { "method": "getConversationSummary", id: RequestId, params: GetConversationSummaryParams, } | { "method": "gitDiffToRemote", id: RequestId, params: GitDiffToRemoteParams, } | { "method": "getAuthStatus", id: RequestId, params: GetAuthStatusParams, } | { "method": "fuzzyFileSearch", id: RequestId, params: FuzzyFileSearchParams, };
+export type ClientRequest ={ "method": "initialize", id: RequestId, params: InitializeParams, } | { "method": "thread/start", id: RequestId, params: ThreadStartParams, } | { "method": "thread/resume", id: RequestId, params: ThreadResumeParams, } | { "method": "thread/fork", id: RequestId, params: ThreadForkParams, } | { "method": "thread/archive", id: RequestId, params: ThreadArchiveParams, } | { "method": "thread/unsubscribe", id: RequestId, params: ThreadUnsubscribeParams, } | { "method": "thread/name/set", id: RequestId, params: ThreadSetNameParams, } | { "method": "thread/metadata/update", id: RequestId, params: ThreadMetadataUpdateParams, } | { "method": "thread/unarchive", id: RequestId, params: ThreadUnarchiveParams, } | { "method": "thread/compact/start", id: RequestId, params: ThreadCompactStartParams, } | { "method": "thread/rollback", id: RequestId, params: ThreadRollbackParams, } | { "method": "thread/list", id: RequestId, params: ThreadListParams, } | { "method": "thread/loaded/list", id: RequestId, params: ThreadLoadedListParams, } | { "method": "thread/read", id: RequestId, params: ThreadReadParams, } | { "method": "skills/list", id: RequestId, params: SkillsListParams, } | { "method": "plugin/list", id: RequestId, params: PluginListParams, } | { "method": "skills/remote/list", id: RequestId, params: SkillsRemoteReadParams, } | { "method": "skills/remote/export", id: RequestId, params: SkillsRemoteWriteParams, } | { "method": "app/list", id: RequestId, params: AppsListParams, } | { "method": "skills/config/write", id: RequestId, params: SkillsConfigWriteParams, } | { "method": "plugin/install", id: RequestId, params: PluginInstallParams, } | { "method": "turn/start", id: RequestId, params: TurnStartParams, } | { "method": "turn/steer", id: RequestId, params: TurnSteerParams, } | { "method": "turn/interrupt", id: RequestId, params: TurnInterruptParams, } | { "method": "review/start", id: RequestId, params: ReviewStartParams, } | { "method": "model/list", id: RequestId, params: ModelListParams, } | { "method": "experimentalFeature/list", id: RequestId, params: ExperimentalFeatureListParams, } | { "method": "mcpServer/oauth/login", id: RequestId, params: McpServerOauthLoginParams, } | { "method": "config/mcpServer/reload", id: RequestId, params: undefined, } | { "method": "mcpServerStatus/list", id: RequestId, params: ListMcpServerStatusParams, } | { "method": "windowsSandbox/setupStart", id: RequestId, params: WindowsSandboxSetupStartParams, } | { "method": "account/login/start", id: RequestId, params: LoginAccountParams, } | { "method": "account/login/cancel", id: RequestId, params: CancelLoginAccountParams, } | { "method": "account/logout", id: RequestId, params: undefined, } | { "method": "account/rateLimits/read", id: RequestId, params: undefined, } | { "method": "feedback/upload", id: RequestId, params: FeedbackUploadParams, } | { "method": "command/exec", id: RequestId, params: CommandExecParams, } | { "method": "command/exec/write", id: RequestId, params: CommandExecWriteParams, } | { "method": "command/exec/terminate", id: RequestId, params: CommandExecTerminateParams, } | { "method": "command/exec/resize", id: RequestId, params: CommandExecResizeParams, } | { "method": "config/read", id: RequestId, params: ConfigReadParams, } | { "method": "externalAgentConfig/detect", id: RequestId, params: ExternalAgentConfigDetectParams, } | { "method": "externalAgentConfig/import", id: RequestId, params: ExternalAgentConfigImportParams, } | { "method": "config/value/write", id: RequestId, params: ConfigValueWriteParams, } | { "method": "config/batchWrite", id: RequestId, params: ConfigBatchWriteParams, } | { "method": "configRequirements/read", id: RequestId, params: undefined, } | { "method": "account/read", id: RequestId, params: GetAccountParams, } | { "method": "getConversationSummary", id: RequestId, params: GetConversationSummaryParams, } | { "method": "gitDiffToRemote", id: RequestId, params: GitDiffToRemoteParams, } | { "method": "getAuthStatus", id: RequestId, params: GetAuthStatusParams, } | { "method": "fuzzyFileSearch", id: RequestId, params: FuzzyFileSearchParams, };

codex-rs/app-server-protocol/schema/typescript/EventMsg.ts

@@ -56,6 +56,7 @@ import type { RealtimeConversationStartedEvent } from "./RealtimeConversationSta
 import type { ReasoningContentDeltaEvent } from "./ReasoningContentDeltaEvent";
 import type { ReasoningRawContentDeltaEvent } from "./ReasoningRawContentDeltaEvent";
 import type { RemoteSkillDownloadedEvent } from "./RemoteSkillDownloadedEvent";
+import type { RequestPermissionsEvent } from "./RequestPermissionsEvent";
 import type { RequestUserInputEvent } from "./RequestUserInputEvent";
 import type { ReviewRequest } from "./ReviewRequest";
 import type { SessionConfiguredEvent } from "./SessionConfiguredEvent";
@@ -81,4 +82,4 @@ import type { WebSearchEndEvent } from "./WebSearchEndEvent";
  * Response event from the agent
  * NOTE: Make sure none of these values have optional types, as it will mess up the extension code-gen.
  */
-export type EventMsg = { "type": "error" } & ErrorEvent | { "type": "warning" } & WarningEvent | { "type": "realtime_conversation_started" } & RealtimeConversationStartedEvent | { "type": "realtime_conversation_realtime" } & RealtimeConversationRealtimeEvent | { "type": "realtime_conversation_closed" } & RealtimeConversationClosedEvent | { "type": "model_reroute" } & ModelRerouteEvent | { "type": "context_compacted" } & ContextCompactedEvent | { "type": "thread_rolled_back" } & ThreadRolledBackEvent | { "type": "task_started" } & TurnStartedEvent | { "type": "task_complete" } & TurnCompleteEvent | { "type": "token_count" } & TokenCountEvent | { "type": "agent_message" } & AgentMessageEvent | { "type": "user_message" } & UserMessageEvent | { "type": "agent_message_delta" } & AgentMessageDeltaEvent | { "type": "agent_reasoning" } & AgentReasoningEvent | { "type": "agent_reasoning_delta" } & AgentReasoningDeltaEvent | { "type": "agent_reasoning_raw_content" } & AgentReasoningRawContentEvent | { "type": "agent_reasoning_raw_content_delta" } & AgentReasoningRawContentDeltaEvent | { "type": "agent_reasoning_section_break" } & AgentReasoningSectionBreakEvent | { "type": "session_configured" } & SessionConfiguredEvent | { "type": "thread_name_updated" } & ThreadNameUpdatedEvent | { "type": "mcp_startup_update" } & McpStartupUpdateEvent | { "type": "mcp_startup_complete" } & McpStartupCompleteEvent | { "type": "mcp_tool_call_begin" } & McpToolCallBeginEvent | { "type": "mcp_tool_call_end" } & McpToolCallEndEvent | { "type": "web_search_begin" } & WebSearchBeginEvent | { "type": "web_search_end" } & WebSearchEndEvent | { "type": "image_generation_begin" } & ImageGenerationBeginEvent | { "type": "image_generation_end" } & ImageGenerationEndEvent | { "type": "exec_command_begin" } & ExecCommandBeginEvent | { "type": "exec_command_output_delta" } & ExecCommandOutputDeltaEvent | { "type": "terminal_interaction" } & TerminalInteractionEvent | { "type": "exec_command_end" } & ExecCommandEndEvent | { "type": "view_image_tool_call" } & ViewImageToolCallEvent | { "type": "exec_approval_request" } & ExecApprovalRequestEvent | { "type": "request_user_input" } & RequestUserInputEvent | { "type": "dynamic_tool_call_request" } & DynamicToolCallRequest | { "type": "dynamic_tool_call_response" } & DynamicToolCallResponseEvent | { "type": "elicitation_request" } & ElicitationRequestEvent | { "type": "apply_patch_approval_request" } & ApplyPatchApprovalRequestEvent | { "type": "deprecation_notice" } & DeprecationNoticeEvent | { "type": "background_event" } & BackgroundEventEvent | { "type": "undo_started" } & UndoStartedEvent | { "type": "undo_completed" } & UndoCompletedEvent | { "type": "stream_error" } & StreamErrorEvent | { "type": "patch_apply_begin" } & PatchApplyBeginEvent | { "type": "patch_apply_end" } & PatchApplyEndEvent | { "type": "turn_diff" } & TurnDiffEvent | { "type": "get_history_entry_response" } & GetHistoryEntryResponseEvent | { "type": "mcp_list_tools_response" } & McpListToolsResponseEvent | { "type": "list_custom_prompts_response" } & ListCustomPromptsResponseEvent | { "type": "list_skills_response" } & ListSkillsResponseEvent | { "type": "list_remote_skills_response" } & ListRemoteSkillsResponseEvent | { "type": "remote_skill_downloaded" } & RemoteSkillDownloadedEvent | { "type": "skills_update_available" } | { "type": "plan_update" } & UpdatePlanArgs | { "type": "turn_aborted" } & TurnAbortedEvent | { "type": "shutdown_complete" } | { "type": "entered_review_mode" } & ReviewRequest | { "type": "exited_review_mode" } & ExitedReviewModeEvent | { "type": "raw_response_item" } & RawResponseItemEvent | { "type": "item_started" } & ItemStartedEvent | { "type": "item_completed" } & ItemCompletedEvent | { "type": "agent_message_content_delta" } & AgentMessageContentDeltaEvent | { "type": "plan_delta" } & PlanDeltaEvent | { "type": "reasoning_content_delta" } & ReasoningContentDeltaEvent | { "type": "reasoning_raw_content_delta" } & ReasoningRawContentDeltaEvent | { "type": "collab_agent_spawn_begin" } & CollabAgentSpawnBeginEvent | { "type": "collab_agent_spawn_end" } & CollabAgentSpawnEndEvent | { "type": "collab_agent_interaction_begin" } & CollabAgentInteractionBeginEvent | { "type": "collab_agent_interaction_end" } & CollabAgentInteractionEndEvent | { "type": "collab_waiting_begin" } & CollabWaitingBeginEvent | { "type": "collab_waiting_end" } & CollabWaitingEndEvent | { "type": "collab_close_begin" } & CollabCloseBeginEvent | { "type": "collab_close_end" } & CollabCloseEndEvent | { "type": "collab_resume_begin" } & CollabResumeBeginEvent | { "type": "collab_resume_end" } & CollabResumeEndEvent;
+export type EventMsg = { "type": "error" } & ErrorEvent | { "type": "warning" } & WarningEvent | { "type": "realtime_conversation_started" } & RealtimeConversationStartedEvent | { "type": "realtime_conversation_realtime" } & RealtimeConversationRealtimeEvent | { "type": "realtime_conversation_closed" } & RealtimeConversationClosedEvent | { "type": "model_reroute" } & ModelRerouteEvent | { "type": "context_compacted" } & ContextCompactedEvent | { "type": "thread_rolled_back" } & ThreadRolledBackEvent | { "type": "task_started" } & TurnStartedEvent | { "type": "task_complete" } & TurnCompleteEvent | { "type": "token_count" } & TokenCountEvent | { "type": "agent_message" } & AgentMessageEvent | { "type": "user_message" } & UserMessageEvent | { "type": "agent_message_delta" } & AgentMessageDeltaEvent | { "type": "agent_reasoning" } & AgentReasoningEvent | { "type": "agent_reasoning_delta" } & AgentReasoningDeltaEvent | { "type": "agent_reasoning_raw_content" } & AgentReasoningRawContentEvent | { "type": "agent_reasoning_raw_content_delta" } & AgentReasoningRawContentDeltaEvent | { "type": "agent_reasoning_section_break" } & AgentReasoningSectionBreakEvent | { "type": "session_configured" } & SessionConfiguredEvent | { "type": "thread_name_updated" } & ThreadNameUpdatedEvent | { "type": "mcp_startup_update" } & McpStartupUpdateEvent | { "type": "mcp_startup_complete" } & McpStartupCompleteEvent | { "type": "mcp_tool_call_begin" } & McpToolCallBeginEvent | { "type": "mcp_tool_call_end" } & McpToolCallEndEvent | { "type": "web_search_begin" } & WebSearchBeginEvent | { "type": "web_search_end" } & WebSearchEndEvent | { "type": "image_generation_begin" } & ImageGenerationBeginEvent | { "type": "image_generation_end" } & ImageGenerationEndEvent | { "type": "exec_command_begin" } & ExecCommandBeginEvent | { "type": "exec_command_output_delta" } & ExecCommandOutputDeltaEvent | { "type": "terminal_interaction" } & TerminalInteractionEvent | { "type": "exec_command_end" } & ExecCommandEndEvent | { "type": "view_image_tool_call" } & ViewImageToolCallEvent | { "type": "exec_approval_request" } & ExecApprovalRequestEvent | { "type": "request_permissions" } & RequestPermissionsEvent | { "type": "request_user_input" } & RequestUserInputEvent | { "type": "dynamic_tool_call_request" } & DynamicToolCallRequest | { "type": "dynamic_tool_call_response" } & DynamicToolCallResponseEvent | { "type": "elicitation_request" } & ElicitationRequestEvent | { "type": "apply_patch_approval_request" } & ApplyPatchApprovalRequestEvent | { "type": "deprecation_notice" } & DeprecationNoticeEvent | { "type": "background_event" } & BackgroundEventEvent | { "type": "undo_started" } & UndoStartedEvent | { "type": "undo_completed" } & UndoCompletedEvent | { "type": "stream_error" } & StreamErrorEvent | { "type": "patch_apply_begin" } & PatchApplyBeginEvent | { "type": "patch_apply_end" } & PatchApplyEndEvent | { "type": "turn_diff" } & TurnDiffEvent | { "type": "get_history_entry_response" } & GetHistoryEntryResponseEvent | { "type": "mcp_list_tools_response" } & McpListToolsResponseEvent | { "type": "list_custom_prompts_response" } & ListCustomPromptsResponseEvent | { "type": "list_skills_response" } & ListSkillsResponseEvent | { "type": "list_remote_skills_response" } & ListRemoteSkillsResponseEvent | { "type": "remote_skill_downloaded" } & RemoteSkillDownloadedEvent | { "type": "skills_update_available" } | { "type": "plan_update" } & UpdatePlanArgs | { "type": "turn_aborted" } & TurnAbortedEvent | { "type": "shutdown_complete" } | { "type": "entered_review_mode" } & ReviewRequest | { "type": "exited_review_mode" } & ExitedReviewModeEvent | { "type": "raw_response_item" } & RawResponseItemEvent | { "type": "item_started" } & ItemStartedEvent | { "type": "item_completed" } & ItemCompletedEvent | { "type": "agent_message_content_delta" } & AgentMessageContentDeltaEvent | { "type": "plan_delta" } & PlanDeltaEvent | { "type": "reasoning_content_delta" } & ReasoningContentDeltaEvent | { "type": "reasoning_raw_content_delta" } & ReasoningRawContentDeltaEvent | { "type": "collab_agent_spawn_begin" } & CollabAgentSpawnBeginEvent | { "type": "collab_agent_spawn_end" } & CollabAgentSpawnEndEvent | { "type": "collab_agent_interaction_begin" } & CollabAgentInteractionBeginEvent | { "type": "collab_agent_interaction_end" } & CollabAgentInteractionEndEvent | { "type": "collab_waiting_begin" } & CollabWaitingBeginEvent | { "type": "collab_waiting_end" } & CollabWaitingEndEvent | { "type": "collab_close_begin" } & CollabCloseBeginEvent | { "type": "collab_close_end" } & CollabCloseEndEvent | { "type": "collab_resume_begin" } & CollabResumeBeginEvent | { "type": "collab_resume_end" } & CollabResumeEndEvent;

codex-rs/app-server-protocol/schema/typescript/ExecApprovalRequestEvent.ts

@@ -1,6 +1,7 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { ExecApprovalRequestSkillMetadata } from "./ExecApprovalRequestSkillMetadata";
 import type { ExecPolicyAmendment } from "./ExecPolicyAmendment";
 import type { NetworkApprovalContext } from "./NetworkApprovalContext";
 import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";
@@ -53,6 +54,10 @@ proposed_network_policy_amendments?: Array<NetworkPolicyAmendment>,
  * Optional additional filesystem permissions requested for this command.
  */
 additional_permissions?: PermissionProfile, 
+/**
+ * Optional skill metadata when the approval was triggered by a skill script.
+ */
+skill_metadata?: ExecApprovalRequestSkillMetadata, 
 /**
  * Ordered list of decisions the client may present for this prompt.
  *

codex-rs/app-server-protocol/schema/typescript/ExecApprovalRequestSkillMetadata.ts

@@ -2,4 +2,4 @@
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 
-export type SdkDelegationConfiguredNotification = { threadId: string, modelProvider: string, bridgeUrl: string, };
+export type ExecApprovalRequestSkillMetadata = { path_to_skills_md: string, };

codex-rs/app-server-protocol/schema/typescript/RealtimeEvent.ts

@@ -3,6 +3,7 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { RealtimeAudioFrame } from "./RealtimeAudioFrame";
 import type { RealtimeHandoffRequested } from "./RealtimeHandoffRequested";
+import type { RealtimeTranscriptDelta } from "./RealtimeTranscriptDelta";
 import type { JsonValue } from "./serde_json/JsonValue";
 
-export type RealtimeEvent = { "SessionUpdated": { session_id: string, instructions: string | null, } } | { "AudioOut": RealtimeAudioFrame } | { "ConversationItemAdded": JsonValue } | { "ConversationItemDone": { item_id: string, } } | { "HandoffRequested": RealtimeHandoffRequested } | { "Error": string };
+export type RealtimeEvent = { "SessionUpdated": { session_id: string, instructions: string | null, } } | { "InputTranscriptDelta": RealtimeTranscriptDelta } | { "OutputTranscriptDelta": RealtimeTranscriptDelta } | { "AudioOut": RealtimeAudioFrame } | { "ConversationItemAdded": JsonValue } | { "ConversationItemDone": { item_id: string, } } | { "HandoffRequested": RealtimeHandoffRequested } | { "Error": string };

codex-rs/app-server-protocol/schema/typescript/RealtimeHandoffRequested.ts

@@ -1,6 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { RealtimeHandoffMessage } from "./RealtimeHandoffMessage";
+import type { RealtimeTranscriptEntry } from "./RealtimeTranscriptEntry";
 
-export type RealtimeHandoffRequested = { handoff_id: string, item_id: string, input_transcript: string, messages: Array<RealtimeHandoffMessage>, };
+export type RealtimeHandoffRequested = { handoff_id: string, item_id: string, input_transcript: string, active_transcript: Array<RealtimeTranscriptEntry>, };

codex-rs/app-server-protocol/schema/typescript/RealtimeTranscriptDelta.ts

@@ -2,4 +2,4 @@
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 
-export type RealtimeHandoffMessage = { role: string, text: string, };
+export type RealtimeTranscriptDelta = { delta: string, };

codex-rs/app-server-protocol/schema/typescript/RealtimeTranscriptEntry.ts

@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type RealtimeTranscriptEntry = { role: string, text: string, };

codex-rs/app-server-protocol/schema/typescript/RequestPermissionsEvent.ts

@@ -0,0 +1,15 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { PermissionProfile } from "./PermissionProfile";
+
+export type RequestPermissionsEvent = { 
+/**
+ * Responses API call id for the associated tool call, if available.
+ */
+call_id: string, 
+/**
+ * Turn ID that this request belongs to.
+ * Uses `#[serde(default)]` for backwards compatibility.
+ */
+turn_id: string, reason: string | null, permissions: PermissionProfile, };

codex-rs/app-server-protocol/schema/typescript/ReviewDecision.ts

@@ -7,4 +7,4 @@ import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";
 /**
  * User's decision in response to an ExecApprovalRequest.
  */
-export type ReviewDecision = "approved" | { "approved_with_command_override": { command: Array<string>, } } | { "approved_execpolicy_amendment": { proposed_execpolicy_amendment: ExecPolicyAmendment, } } | "approved_for_session" | { "network_policy_amendment": { network_policy_amendment: NetworkPolicyAmendment, } } | "denied" | "abort";
+export type ReviewDecision = "approved" | { "approved_execpolicy_amendment": { proposed_execpolicy_amendment: ExecPolicyAmendment, } } | "approved_for_session" | { "network_policy_amendment": { network_policy_amendment: NetworkPolicyAmendment, } } | "denied" | "abort";

codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts

@@ -8,6 +8,7 @@ import type { AccountRateLimitsUpdatedNotification } from "./v2/AccountRateLimit
 import type { AccountUpdatedNotification } from "./v2/AccountUpdatedNotification";
 import type { AgentMessageDeltaNotification } from "./v2/AgentMessageDeltaNotification";
 import type { AppListUpdatedNotification } from "./v2/AppListUpdatedNotification";
+import type { CommandExecOutputDeltaNotification } from "./v2/CommandExecOutputDeltaNotification";
 import type { CommandExecutionOutputDeltaNotification } from "./v2/CommandExecutionOutputDeltaNotification";
 import type { ConfigWarningNotification } from "./v2/ConfigWarningNotification";
 import type { ContextCompactedNotification } from "./v2/ContextCompactedNotification";
@@ -24,7 +25,6 @@ import type { RawResponseItemCompletedNotification } from "./v2/RawResponseItemC
 import type { ReasoningSummaryPartAddedNotification } from "./v2/ReasoningSummaryPartAddedNotification";
 import type { ReasoningSummaryTextDeltaNotification } from "./v2/ReasoningSummaryTextDeltaNotification";
 import type { ReasoningTextDeltaNotification } from "./v2/ReasoningTextDeltaNotification";
-import type { SdkDelegationConfiguredNotification } from "./v2/SdkDelegationConfiguredNotification";
 import type { ServerRequestResolvedNotification } from "./v2/ServerRequestResolvedNotification";
 import type { SkillsChangedNotification } from "./v2/SkillsChangedNotification";
 import type { TerminalInteractionNotification } from "./v2/TerminalInteractionNotification";
@@ -50,4 +50,4 @@ import type { WindowsWorldWritableWarningNotification } from "./v2/WindowsWorldW
 /**
  * Notification sent from the server to the client.
  */
-export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/status/changed", "params": ThreadStatusChangedNotification } | { "method": "thread/archived", "params": ThreadArchivedNotification } | { "method": "thread/unarchived", "params": ThreadUnarchivedNotification } | { "method": "thread/closed", "params": ThreadClosedNotification } | { "method": "skills/changed", "params": SkillsChangedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "serverRequest/resolved", "params": ServerRequestResolvedNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "codexSdk/delegationConfigured", "params": SdkDelegationConfiguredNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "model/rerouted", "params": ModelReroutedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "fuzzyFileSearch/sessionUpdated", "params": FuzzyFileSearchSessionUpdatedNotification } | { "method": "fuzzyFileSearch/sessionCompleted", "params": FuzzyFileSearchSessionCompletedNotification } | { "method": "thread/realtime/started", "params": ThreadRealtimeStartedNotification } | { "method": "thread/realtime/itemAdded", "params": ThreadRealtimeItemAddedNotification } | { "method": "thread/realtime/outputAudio/delta", "params": ThreadRealtimeOutputAudioDeltaNotification } | { "method": "thread/realtime/error", "params": ThreadRealtimeErrorNotification } | { "method": "thread/realtime/closed", "params": ThreadRealtimeClosedNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "windowsSandbox/setupCompleted", "params": WindowsSandboxSetupCompletedNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification };
+export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/status/changed", "params": ThreadStatusChangedNotification } | { "method": "thread/archived", "params": ThreadArchivedNotification } | { "method": "thread/unarchived", "params": ThreadUnarchivedNotification } | { "method": "thread/closed", "params": ThreadClosedNotification } | { "method": "skills/changed", "params": SkillsChangedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "command/exec/outputDelta", "params": CommandExecOutputDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "serverRequest/resolved", "params": ServerRequestResolvedNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "model/rerouted", "params": ModelReroutedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "fuzzyFileSearch/sessionUpdated", "params": FuzzyFileSearchSessionUpdatedNotification } | { "method": "fuzzyFileSearch/sessionCompleted", "params": FuzzyFileSearchSessionCompletedNotification } | { "method": "thread/realtime/started", "params": ThreadRealtimeStartedNotification } | { "method": "thread/realtime/itemAdded", "params": ThreadRealtimeItemAddedNotification } | { "method": "thread/realtime/outputAudio/delta", "params": ThreadRealtimeOutputAudioDeltaNotification } | { "method": "thread/realtime/error", "params": ThreadRealtimeErrorNotification } | { "method": "thread/realtime/closed", "params": ThreadRealtimeClosedNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "windowsSandbox/setupCompleted", "params": WindowsSandboxSetupCompletedNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification };

codex-rs/app-server-protocol/schema/typescript/ServerRequest.ts

@@ -9,9 +9,10 @@ import type { CommandExecutionRequestApprovalParams } from "./v2/CommandExecutio
 import type { DynamicToolCallParams } from "./v2/DynamicToolCallParams";
 import type { FileChangeRequestApprovalParams } from "./v2/FileChangeRequestApprovalParams";
 import type { McpServerElicitationRequestParams } from "./v2/McpServerElicitationRequestParams";
+import type { PermissionsRequestApprovalParams } from "./v2/PermissionsRequestApprovalParams";
 import type { ToolRequestUserInputParams } from "./v2/ToolRequestUserInputParams";
 
 /**
  * Request initiated from the server and sent to the client.
  */
-export type ServerRequest = { "method": "item/commandExecution/requestApproval", id: RequestId, params: CommandExecutionRequestApprovalParams, } | { "method": "item/fileChange/requestApproval", id: RequestId, params: FileChangeRequestApprovalParams, } | { "method": "item/tool/requestUserInput", id: RequestId, params: ToolRequestUserInputParams, } | { "method": "mcpServer/elicitation/request", id: RequestId, params: McpServerElicitationRequestParams, } | { "method": "item/tool/call", id: RequestId, params: DynamicToolCallParams, } | { "method": "account/chatgptAuthTokens/refresh", id: RequestId, params: ChatgptAuthTokensRefreshParams, } | { "method": "applyPatchApproval", id: RequestId, params: ApplyPatchApprovalParams, } | { "method": "execCommandApproval", id: RequestId, params: ExecCommandApprovalParams, };
+export type ServerRequest = { "method": "item/commandExecution/requestApproval", id: RequestId, params: CommandExecutionRequestApprovalParams, } | { "method": "item/fileChange/requestApproval", id: RequestId, params: FileChangeRequestApprovalParams, } | { "method": "item/tool/requestUserInput", id: RequestId, params: ToolRequestUserInputParams, } | { "method": "mcpServer/elicitation/request", id: RequestId, params: McpServerElicitationRequestParams, } | { "method": "item/permissions/requestApproval", id: RequestId, params: PermissionsRequestApprovalParams, } | { "method": "item/tool/call", id: RequestId, params: DynamicToolCallParams, } | { "method": "account/chatgptAuthTokens/refresh", id: RequestId, params: ChatgptAuthTokensRefreshParams, } | { "method": "applyPatchApproval", id: RequestId, params: ApplyPatchApprovalParams, } | { "method": "execCommandApproval", id: RequestId, params: ExecCommandApprovalParams, };

codex-rs/app-server-protocol/schema/typescript/WebSearchContextSize.ts

@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type WebSearchContextSize = "low" | "medium" | "high";

codex-rs/app-server-protocol/schema/typescript/WebSearchLocation.ts

@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type WebSearchLocation = { country: string | null, region: string | null, city: string | null, timezone: string | null, };

codex-rs/app-server-protocol/schema/typescript/WebSearchToolConfig.ts

@@ -0,0 +1,7 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { WebSearchContextSize } from "./WebSearchContextSize";
+import type { WebSearchLocation } from "./WebSearchLocation";
+
+export type WebSearchToolConfig = { context_size: WebSearchContextSize | null, allowed_domains: Array<string> | null, location: WebSearchLocation | null, };

codex-rs/app-server-protocol/schema/typescript/index.ts

@@ -53,6 +53,7 @@ export type { ElicitationRequestEvent } from "./ElicitationRequestEvent";
 export type { ErrorEvent } from "./ErrorEvent";
 export type { EventMsg } from "./EventMsg";
 export type { ExecApprovalRequestEvent } from "./ExecApprovalRequestEvent";
+export type { ExecApprovalRequestSkillMetadata } from "./ExecApprovalRequestSkillMetadata";
 export type { ExecCommandApprovalParams } from "./ExecCommandApprovalParams";
 export type { ExecCommandApprovalResponse } from "./ExecCommandApprovalResponse";
 export type { ExecCommandBeginEvent } from "./ExecCommandBeginEvent";
@@ -141,8 +142,9 @@ export type { RealtimeConversationClosedEvent } from "./RealtimeConversationClos
 export type { RealtimeConversationRealtimeEvent } from "./RealtimeConversationRealtimeEvent";
 export type { RealtimeConversationStartedEvent } from "./RealtimeConversationStartedEvent";
 export type { RealtimeEvent } from "./RealtimeEvent";
-export type { RealtimeHandoffMessage } from "./RealtimeHandoffMessage";
 export type { RealtimeHandoffRequested } from "./RealtimeHandoffRequested";
+export type { RealtimeTranscriptDelta } from "./RealtimeTranscriptDelta";
+export type { RealtimeTranscriptEntry } from "./RealtimeTranscriptEntry";
 export type { ReasoningContentDeltaEvent } from "./ReasoningContentDeltaEvent";
 export type { ReasoningEffort } from "./ReasoningEffort";
 export type { ReasoningItem } from "./ReasoningItem";
@@ -154,6 +156,7 @@ export type { RejectConfig } from "./RejectConfig";
 export type { RemoteSkillDownloadedEvent } from "./RemoteSkillDownloadedEvent";
 export type { RemoteSkillSummary } from "./RemoteSkillSummary";
 export type { RequestId } from "./RequestId";
+export type { RequestPermissionsEvent } from "./RequestPermissionsEvent";
 export type { RequestUserInputEvent } from "./RequestUserInputEvent";
 export type { RequestUserInputQuestion } from "./RequestUserInputQuestion";
 export type { RequestUserInputQuestionOption } from "./RequestUserInputQuestionOption";
@@ -211,7 +214,10 @@ export type { ViewImageToolCallEvent } from "./ViewImageToolCallEvent";
 export type { WarningEvent } from "./WarningEvent";
 export type { WebSearchAction } from "./WebSearchAction";
 export type { WebSearchBeginEvent } from "./WebSearchBeginEvent";
+export type { WebSearchContextSize } from "./WebSearchContextSize";
 export type { WebSearchEndEvent } from "./WebSearchEndEvent";
 export type { WebSearchItem } from "./WebSearchItem";
+export type { WebSearchLocation } from "./WebSearchLocation";
 export type { WebSearchMode } from "./WebSearchMode";
+export type { WebSearchToolConfig } from "./WebSearchToolConfig";
 export * as v2 from "./v2";

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecOutputDeltaNotification.ts

@@ -0,0 +1,30 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { CommandExecOutputStream } from "./CommandExecOutputStream";
+
+/**
+ * Base64-encoded output chunk emitted for a streaming `command/exec` request.
+ *
+ * These notifications are connection-scoped. If the originating connection
+ * closes, the server terminates the process.
+ */
+export type CommandExecOutputDeltaNotification = { 
+/**
+ * Client-supplied, connection-scoped `processId` from the original
+ * `command/exec` request.
+ */
+processId: string, 
+/**
+ * Output stream for this chunk.
+ */
+stream: CommandExecOutputStream, 
+/**
+ * Base64-encoded output bytes.
+ */
+deltaBase64: string, 
+/**
+ * `true` on the final streamed chunk for a stream when `outputBytesCap`
+ * truncated later output on that stream.
+ */
+capReached: boolean, };

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecOutputStream.ts

@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Stream label for `command/exec/outputDelta` notifications.
+ */
+export type CommandExecOutputStream = "stdout" | "stderr";

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecParams.ts

@@ -1,6 +1,97 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { CommandExecTerminalSize } from "./CommandExecTerminalSize";
 import type { SandboxPolicy } from "./SandboxPolicy";
 
-export type CommandExecParams = { command: Array<string>, timeoutMs?: number | null, cwd?: string | null, sandboxPolicy?: SandboxPolicy | null, };
+/**
+ * Run a standalone command (argv vector) in the server sandbox without
+ * creating a thread or turn.
+ *
+ * The final `command/exec` response is deferred until the process exits and is
+ * sent only after all `command/exec/outputDelta` notifications for that
+ * connection have been emitted.
+ */
+export type CommandExecParams = { 
+/**
+ * Command argv vector. Empty arrays are rejected.
+ */
+command: Array<string>, 
+/**
+ * Optional client-supplied, connection-scoped process id.
+ *
+ * Required for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up
+ * `command/exec/write`, `command/exec/resize`, and
+ * `command/exec/terminate` calls. When omitted, buffered execution gets an
+ * internal id that is not exposed to the client.
+ */
+processId?: string | null, 
+/**
+ * Enable PTY mode.
+ *
+ * This implies `streamStdin` and `streamStdoutStderr`.
+ */
+tty?: boolean, 
+/**
+ * Allow follow-up `command/exec/write` requests to write stdin bytes.
+ *
+ * Requires a client-supplied `processId`.
+ */
+streamStdin?: boolean, 
+/**
+ * Stream stdout/stderr via `command/exec/outputDelta` notifications.
+ *
+ * Streamed bytes are not duplicated into the final response and require a
+ * client-supplied `processId`.
+ */
+streamStdoutStderr?: boolean, 
+/**
+ * Optional per-stream stdout/stderr capture cap in bytes.
+ *
+ * When omitted, the server default applies. Cannot be combined with
+ * `disableOutputCap`.
+ */
+outputBytesCap?: number | null, 
+/**
+ * Disable stdout/stderr capture truncation for this request.
+ *
+ * Cannot be combined with `outputBytesCap`.
+ */
+disableOutputCap?: boolean, 
+/**
+ * Disable the timeout entirely for this request.
+ *
+ * Cannot be combined with `timeoutMs`.
+ */
+disableTimeout?: boolean, 
+/**
+ * Optional timeout in milliseconds.
+ *
+ * When omitted, the server default applies. Cannot be combined with
+ * `disableTimeout`.
+ */
+timeoutMs?: number | null, 
+/**
+ * Optional working directory. Defaults to the server cwd.
+ */
+cwd?: string | null, 
+/**
+ * Optional environment overrides merged into the server-computed
+ * environment.
+ *
+ * Matching names override inherited values. Set a key to `null` to unset
+ * an inherited variable.
+ */
+env?: { [key in string]?: string | null } | null, 
+/**
+ * Optional initial PTY size in character cells. Only valid when `tty` is
+ * true.
+ */
+size?: CommandExecTerminalSize | null, 
+/**
+ * Optional sandbox policy for this command.
+ *
+ * Uses the same shape as thread/turn execution sandbox configuration and
+ * defaults to the user's configured policy when omitted.
+ */
+sandboxPolicy?: SandboxPolicy | null, };

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecResizeParams.ts

@@ -0,0 +1,18 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { CommandExecTerminalSize } from "./CommandExecTerminalSize";
+
+/**
+ * Resize a running PTY-backed `command/exec` session.
+ */
+export type CommandExecResizeParams = { 
+/**
+ * Client-supplied, connection-scoped `processId` from the original
+ * `command/exec` request.
+ */
+processId: string, 
+/**
+ * New PTY size in character cells.
+ */
+size: CommandExecTerminalSize, };

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecResizeResponse.ts

@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Empty success response for `command/exec/resize`.
+ */
+export type CommandExecResizeResponse = Record<string, never>;

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecResponse.ts

@@ -2,4 +2,23 @@
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 
-export type CommandExecResponse = { exitCode: number, stdout: string, stderr: string, };
+/**
+ * Final buffered result for `command/exec`.
+ */
+export type CommandExecResponse = { 
+/**
+ * Process exit code.
+ */
+exitCode: number, 
+/**
+ * Buffered stdout capture.
+ *
+ * Empty when stdout was streamed via `command/exec/outputDelta`.
+ */
+stdout: string, 
+/**
+ * Buffered stderr capture.
+ *
+ * Empty when stderr was streamed via `command/exec/outputDelta`.
+ */
+stderr: string, };

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecTerminalSize.ts

@@ -0,0 +1,16 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * PTY size in character cells for `command/exec` PTY sessions.
+ */
+export type CommandExecTerminalSize = { 
+/**
+ * Terminal height in character cells.
+ */
+rows: number, 
+/**
+ * Terminal width in character cells.
+ */
+cols: number, };

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecTerminateParams.ts

@@ -0,0 +1,13 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Terminate a running `command/exec` session.
+ */
+export type CommandExecTerminateParams = { 
+/**
+ * Client-supplied, connection-scoped `processId` from the original
+ * `command/exec` request.
+ */
+processId: string, };

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecTerminateResponse.ts

@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Empty success response for `command/exec/terminate`.
+ */
+export type CommandExecTerminateResponse = Record<string, never>;

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecWriteParams.ts

@@ -0,0 +1,22 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Write stdin bytes to a running `command/exec` session, close stdin, or
+ * both.
+ */
+export type CommandExecWriteParams = { 
+/**
+ * Client-supplied, connection-scoped `processId` from the original
+ * `command/exec` request.
+ */
+processId: string, 
+/**
+ * Optional base64-encoded stdin bytes to write.
+ */
+deltaBase64?: string | null, 
+/**
+ * Close stdin after writing `deltaBase64`, if present.
+ */
+closeStdin?: boolean, };

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecWriteResponse.ts

@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Empty success response for `command/exec/write`.
+ */
+export type CommandExecWriteResponse = Record<string, never>;

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionApprovalDecision.ts

@@ -4,4 +4,4 @@
 import type { ExecPolicyAmendment } from "./ExecPolicyAmendment";
 import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";
 
-export type CommandExecutionApprovalDecision = "accept" | { "acceptWithCommandOverride": { command: Array<string>, } } | "acceptForSession" | { "acceptWithExecpolicyAmendment": { execpolicy_amendment: ExecPolicyAmendment, } } | { "applyNetworkPolicyAmendment": { network_policy_amendment: NetworkPolicyAmendment, } } | "decline" | "cancel";
+export type CommandExecutionApprovalDecision = "accept" | "acceptForSession" | { "acceptWithExecpolicyAmendment": { execpolicy_amendment: ExecPolicyAmendment, } } | { "applyNetworkPolicyAmendment": { network_policy_amendment: NetworkPolicyAmendment, } } | "decline" | "cancel";

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalParams.ts

@@ -4,6 +4,7 @@
 import type { AdditionalPermissionProfile } from "./AdditionalPermissionProfile";
 import type { CommandAction } from "./CommandAction";
 import type { CommandExecutionApprovalDecision } from "./CommandExecutionApprovalDecision";
+import type { CommandExecutionRequestApprovalSkillMetadata } from "./CommandExecutionRequestApprovalSkillMetadata";
 import type { ExecPolicyAmendment } from "./ExecPolicyAmendment";
 import type { NetworkApprovalContext } from "./NetworkApprovalContext";
 import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";
@@ -43,6 +44,10 @@ commandActions?: Array<CommandAction> | null,
  * Optional additional permissions requested for this command.
  */
 additionalPermissions?: AdditionalPermissionProfile | null, 
+/**
+ * Optional skill metadata when the approval was triggered by a skill script.
+ */
+skillMetadata?: CommandExecutionRequestApprovalSkillMetadata | null, 
 /**
  * Optional proposed execpolicy amendment to allow similar commands without prompting.
  */

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalSkillMetadata.ts

@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type CommandExecutionRequestApprovalSkillMetadata = { pathToSkillsMd: string, };

codex-rs/app-server-protocol/schema/typescript/v2/ConfigBatchWriteParams.ts

@@ -7,4 +7,8 @@ export type ConfigBatchWriteParams = { edits: Array<ConfigEdit>,
 /**
  * Path to the config file to write; defaults to the user's `config.toml` when omitted.
  */
-filePath?: string | null, expectedVersion?: string | null, };
+filePath?: string | null, expectedVersion?: string | null, 
+/**
+ * When true, hot-reload the updated user config into all loaded threads after writing.
+ */
+reloadUserConfig?: boolean, };

codex-rs/app-server-protocol/schema/typescript/v2/GrantedMacOsPermissions.ts

@@ -0,0 +1,7 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { MacOsAutomationPermission } from "../MacOsAutomationPermission";
+import type { MacOsPreferencesPermission } from "../MacOsPreferencesPermission";
+
+export type GrantedMacOsPermissions = { preferences?: MacOsPreferencesPermission, automations?: MacOsAutomationPermission, accessibility?: boolean, calendar?: boolean, };

codex-rs/app-server-protocol/schema/typescript/v2/GrantedPermissionProfile.ts

@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AdditionalFileSystemPermissions } from "./AdditionalFileSystemPermissions";
+import type { AdditionalNetworkPermissions } from "./AdditionalNetworkPermissions";
+import type { GrantedMacOsPermissions } from "./GrantedMacOsPermissions";
+
+export type GrantedPermissionProfile = { network?: AdditionalNetworkPermissions, fileSystem?: AdditionalFileSystemPermissions, macos?: GrantedMacOsPermissions, };

codex-rs/app-server-protocol/schema/typescript/v2/PermissionsRequestApprovalParams.ts

@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AdditionalPermissionProfile } from "./AdditionalPermissionProfile";
+
+export type PermissionsRequestApprovalParams = { threadId: string, turnId: string, itemId: string, reason: string | null, permissions: AdditionalPermissionProfile, };

codex-rs/app-server-protocol/schema/typescript/v2/PermissionsRequestApprovalResponse.ts

@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { GrantedPermissionProfile } from "./GrantedPermissionProfile";
+
+export type PermissionsRequestApprovalResponse = { permissions: GrantedPermissionProfile, };

codex-rs/app-server-protocol/schema/typescript/v2/PluginInterface.ts

@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+export type PluginInterface = { displayName: string | null, shortDescription: string | null, longDescription: string | null, developerName: string | null, category: string | null, capabilities: Array<string>, websiteUrl: string | null, privacyPolicyUrl: string | null, termsOfServiceUrl: string | null, defaultPrompt: string | null, brandColor: string | null, composerIcon: AbsolutePathBuf | null, logo: AbsolutePathBuf | null, screenshots: Array<AbsolutePathBuf>, };

codex-rs/app-server-protocol/schema/typescript/v2/PluginListParams.ts

@@ -6,6 +6,6 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 export type PluginListParams = { 
 /**
  * Optional working directories used to discover repo marketplaces. When omitted,
- * only home-scoped marketplaces are considered.
+ * only home-scoped marketplaces and the official curated marketplace are considered.
  */
 cwds?: Array<AbsolutePathBuf> | null, };

codex-rs/app-server-protocol/schema/typescript/v2/PluginMarketplaceEntry.ts

@@ -1,6 +1,7 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { PluginSummary } from "./PluginSummary";
 
-export type PluginMarketplaceEntry = { name: string, path: string, plugins: Array<PluginSummary>, };
+export type PluginMarketplaceEntry = { name: string, path: AbsolutePathBuf, plugins: Array<PluginSummary>, };

codex-rs/app-server-protocol/schema/typescript/v2/PluginSource.ts

@@ -1,5 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 
-export type PluginSource = { "type": "local", path: string, };
+export type PluginSource = { "type": "local", path: AbsolutePathBuf, };

codex-rs/app-server-protocol/schema/typescript/v2/PluginSummary.ts

@@ -1,6 +1,7 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { PluginInterface } from "./PluginInterface";
 import type { PluginSource } from "./PluginSource";
 
-export type PluginSummary = { name: string, source: PluginSource, enabled: boolean, };
+export type PluginSummary = { id: string, name: string, source: PluginSource, installed: boolean, enabled: boolean, interface: PluginInterface | null, };

codex-rs/app-server-protocol/schema/typescript/v2/ProfileV2.ts

@@ -8,5 +8,6 @@ import type { Verbosity } from "../Verbosity";
 import type { WebSearchMode } from "../WebSearchMode";
 import type { JsonValue } from "../serde_json/JsonValue";
 import type { AskForApproval } from "./AskForApproval";
+import type { ToolsV2 } from "./ToolsV2";
 
-export type ProfileV2 = { model: string | null, model_provider: string | null, approval_policy: AskForApproval | null, service_tier: ServiceTier | null, model_reasoning_effort: ReasoningEffort | null, model_reasoning_summary: ReasoningSummary | null, model_verbosity: Verbosity | null, web_search: WebSearchMode | null, chatgpt_base_url: string | null, } & ({ [key in string]?: number | string | boolean | Array<JsonValue> | { [key in string]?: JsonValue } | null });
+export type ProfileV2 = { model: string | null, model_provider: string | null, approval_policy: AskForApproval | null, service_tier: ServiceTier | null, model_reasoning_effort: ReasoningEffort | null, model_reasoning_summary: ReasoningSummary | null, model_verbosity: Verbosity | null, web_search: WebSearchMode | null, tools: ToolsV2 | null, chatgpt_base_url: string | null, } & ({ [key in string]?: number | string | boolean | Array<JsonValue> | { [key in string]?: JsonValue } | null });

codex-rs/app-server-protocol/schema/typescript/v2/SdkDelegationConfig.ts

@@ -1,18 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type SdkDelegationConfig = { 
-/**
- * Base URL for the host-managed Responses bridge reachable by the Codex runtime.
- */
-bridgeUrl: string, 
-/**
- * Optional model-provider id to register for this thread.
- * Defaults to `codex-sdk-v2`.
- */
-modelProviderId: string | null, 
-/**
- * Optional stream idle timeout override for the delegated provider.
- */
-streamIdleTimeoutMs: bigint | null, };

codex-rs/app-server-protocol/schema/typescript/v2/ThreadStartParams.ts

@@ -8,9 +8,6 @@ import type { AskForApproval } from "./AskForApproval";
 import type { SandboxMode } from "./SandboxMode";
 
 export type ThreadStartParams = {model?: string | null, modelProvider?: string | null, serviceTier?: ServiceTier | null | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, serviceName?: string | null, baseInstructions?: string | null, developerInstructions?: string | null, personality?: Personality | null, ephemeral?: boolean | null, /**
- * If true, require host-visible approval before executing built-in tools.
- */
-manualToolExecution?: boolean, /**
  * If true, opt into emitting raw Responses API items on the event stream.
  * This is for internal use only (e.g. Codex Cloud).
  */

codex-rs/app-server-protocol/schema/typescript/v2/ToolsV2.ts

@@ -1,5 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { WebSearchToolConfig } from "../WebSearchToolConfig";
 
-export type ToolsV2 = { web_search: boolean | null, view_image: boolean | null, };
+export type ToolsV2 = { web_search: WebSearchToolConfig | null, view_image: boolean | null, };

codex-rs/app-server-protocol/schema/typescript/v2/TurnStartParams.ts

@@ -36,7 +36,8 @@ summary?: ReasoningSummary | null, /**
  * Override the personality for this turn and subsequent turns.
  */
 personality?: Personality | null, /**
- * Optional JSON Schema used to constrain the final assistant message for this turn.
+ * Optional JSON Schema used to constrain the final assistant message for
+ * this turn.
  */
 outputSchema?: JsonValue | null, /**
  * EXPERIMENTAL - Set a pre-set collaboration mode.

codex-rs/app-server-protocol/schema/typescript/v2/WindowsSandboxSetupStartParams.ts

@@ -1,6 +1,7 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { WindowsSandboxSetupMode } from "./WindowsSandboxSetupMode";
 
-export type WindowsSandboxSetupStartParams = { mode: WindowsSandboxSetupMode, cwd?: string | null, };
+export type WindowsSandboxSetupStartParams = { mode: WindowsSandboxSetupMode, cwd?: AbsolutePathBuf | null, };

codex-rs/app-server-protocol/schema/typescript/v2/index.ts

@@ -38,12 +38,22 @@ export type { CollabAgentTool } from "./CollabAgentTool";
 export type { CollabAgentToolCallStatus } from "./CollabAgentToolCallStatus";
 export type { CollaborationModeMask } from "./CollaborationModeMask";
 export type { CommandAction } from "./CommandAction";
+export type { CommandExecOutputDeltaNotification } from "./CommandExecOutputDeltaNotification";
+export type { CommandExecOutputStream } from "./CommandExecOutputStream";
 export type { CommandExecParams } from "./CommandExecParams";
+export type { CommandExecResizeParams } from "./CommandExecResizeParams";
+export type { CommandExecResizeResponse } from "./CommandExecResizeResponse";
 export type { CommandExecResponse } from "./CommandExecResponse";
+export type { CommandExecTerminalSize } from "./CommandExecTerminalSize";
+export type { CommandExecTerminateParams } from "./CommandExecTerminateParams";
+export type { CommandExecTerminateResponse } from "./CommandExecTerminateResponse";
+export type { CommandExecWriteParams } from "./CommandExecWriteParams";
+export type { CommandExecWriteResponse } from "./CommandExecWriteResponse";
 export type { CommandExecutionApprovalDecision } from "./CommandExecutionApprovalDecision";
 export type { CommandExecutionOutputDeltaNotification } from "./CommandExecutionOutputDeltaNotification";
 export type { CommandExecutionRequestApprovalParams } from "./CommandExecutionRequestApprovalParams";
 export type { CommandExecutionRequestApprovalResponse } from "./CommandExecutionRequestApprovalResponse";
+export type { CommandExecutionRequestApprovalSkillMetadata } from "./CommandExecutionRequestApprovalSkillMetadata";
 export type { CommandExecutionStatus } from "./CommandExecutionStatus";
 export type { Config } from "./Config";
 export type { ConfigBatchWriteParams } from "./ConfigBatchWriteParams";
@@ -89,6 +99,8 @@ export type { GetAccountParams } from "./GetAccountParams";
 export type { GetAccountRateLimitsResponse } from "./GetAccountRateLimitsResponse";
 export type { GetAccountResponse } from "./GetAccountResponse";
 export type { GitInfo } from "./GitInfo";
+export type { GrantedMacOsPermissions } from "./GrantedMacOsPermissions";
+export type { GrantedPermissionProfile } from "./GrantedPermissionProfile";
 export type { HazelnutScope } from "./HazelnutScope";
 export type { ItemCompletedNotification } from "./ItemCompletedNotification";
 export type { ItemStartedNotification } from "./ItemStartedNotification";
@@ -149,9 +161,12 @@ export type { NetworkRequirements } from "./NetworkRequirements";
 export type { OverriddenMetadata } from "./OverriddenMetadata";
 export type { PatchApplyStatus } from "./PatchApplyStatus";
 export type { PatchChangeKind } from "./PatchChangeKind";
+export type { PermissionsRequestApprovalParams } from "./PermissionsRequestApprovalParams";
+export type { PermissionsRequestApprovalResponse } from "./PermissionsRequestApprovalResponse";
 export type { PlanDeltaNotification } from "./PlanDeltaNotification";
 export type { PluginInstallParams } from "./PluginInstallParams";
 export type { PluginInstallResponse } from "./PluginInstallResponse";
+export type { PluginInterface } from "./PluginInterface";
 export type { PluginListParams } from "./PluginListParams";
 export type { PluginListResponse } from "./PluginListResponse";
 export type { PluginMarketplaceEntry } from "./PluginMarketplaceEntry";
@@ -176,8 +191,6 @@ export type { ReviewTarget } from "./ReviewTarget";
 export type { SandboxMode } from "./SandboxMode";
 export type { SandboxPolicy } from "./SandboxPolicy";
 export type { SandboxWorkspaceWrite } from "./SandboxWorkspaceWrite";
-export type { SdkDelegationConfig } from "./SdkDelegationConfig";
-export type { SdkDelegationConfiguredNotification } from "./SdkDelegationConfiguredNotification";
 export type { ServerRequestResolvedNotification } from "./ServerRequestResolvedNotification";
 export type { SessionSource } from "./SessionSource";
 export type { SkillDependencies } from "./SkillDependencies";

codex-rs/app-server-protocol/src/export.rs

@@ -1154,13 +1154,40 @@ fn insert_into_namespace(
         .or_insert_with(|| Value::Object(Map::new()));
     match entry {
         Value::Object(map) => {
-            map.insert(name, schema);
-            Ok(())
+            insert_definition(map, name, schema, &format!("namespace `{namespace}`"))
         }
         _ => Err(anyhow!("expected namespace {namespace} to be an object")),
     }
 }
 
+fn insert_definition(
+    definitions: &mut Map<String, Value>,
+    name: String,
+    schema: Value,
+    location: &str,
+) -> Result<()> {
+    if let Some(existing) = definitions.get(&name) {
+        if existing == &schema {
+            return Ok(());
+        }
+
+        let existing_title = existing
+            .get("title")
+            .and_then(Value::as_str)
+            .unwrap_or("<untitled>");
+        let new_title = schema
+            .get("title")
+            .and_then(Value::as_str)
+            .unwrap_or("<untitled>");
+        return Err(anyhow!(
+            "schema definition collision in {location}: {name} (existing title: {existing_title}, new title: {new_title}); use #[schemars(rename = \"...\")] to rename one of the conflicting schema definitions"
+        ));
+    }
+
+    definitions.insert(name, schema);
+    Ok(())
+}
+
 fn write_json_schema_with_return<T>(out_dir: &Path, name: &str) -> Result<GeneratedSchema>
 where
     T: JsonSchema,
@@ -2179,6 +2206,10 @@ mod tests {
             command_execution_request_approval_ts.contains("additionalPermissions"),
             true
         );
+        assert_eq!(
+            command_execution_request_approval_ts.contains("skillMetadata"),
+            true
+        );
 
         Ok(())
     }
@@ -2291,6 +2322,48 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn build_schema_bundle_rejects_conflicting_duplicate_definitions() {
+        let err = build_schema_bundle(vec![
+            GeneratedSchema {
+                namespace: Some("v2".to_string()),
+                logical_name: "First".to_string(),
+                in_v1_dir: false,
+                value: serde_json::json!({
+                    "title": "First",
+                    "type": "object",
+                    "definitions": {
+                        "Shared": {
+                            "title": "SharedString",
+                            "type": "string"
+                        }
+                    }
+                }),
+            },
+            GeneratedSchema {
+                namespace: Some("v2".to_string()),
+                logical_name: "Second".to_string(),
+                in_v1_dir: false,
+                value: serde_json::json!({
+                    "title": "Second",
+                    "type": "object",
+                    "definitions": {
+                        "Shared": {
+                            "title": "SharedInteger",
+                            "type": "integer"
+                        }
+                    }
+                }),
+            },
+        ])
+        .expect_err("conflicting schema definitions should be rejected");
+
+        assert_eq!(
+            err.to_string(),
+            "schema definition collision in namespace `v2`: Shared (existing title: SharedString, new title: SharedInteger); use #[schemars(rename = \"...\")] to rename one of the conflicting schema definitions"
+        );
+    }
+
     #[test]
     fn build_flat_v2_schema_keeps_shared_root_schemas_and_dependencies() -> Result<()> {
         let bundle = serde_json::json!({
@@ -2599,6 +2672,10 @@ export type Config = { stableField: Keep, unstableField: string | null } & ({ [k
             command_execution_request_approval_json.contains("additionalPermissions"),
             false
         );
+        assert_eq!(
+            command_execution_request_approval_json.contains("skillMetadata"),
+            false
+        );
 
         let client_request_json = fs::read_to_string(output_dir.join("ClientRequest.json"))?;
         assert_eq!(
@@ -2610,6 +2687,7 @@ export type Config = { stableField: Keep, unstableField: string | null } & ({ [k
             fs::read_to_string(output_dir.join("codex_app_server_protocol.schemas.json"))?;
         assert_eq!(bundle_json.contains("mockExperimentalField"), false);
         assert_eq!(bundle_json.contains("additionalPermissions"), false);
+        assert_eq!(bundle_json.contains("skillMetadata"), false);
         assert_eq!(bundle_json.contains("MockExperimentalMethodParams"), false);
         assert_eq!(
             bundle_json.contains("MockExperimentalMethodResponse"),
@@ -2619,6 +2697,7 @@ export type Config = { stableField: Keep, unstableField: string | null } & ({ [k
             fs::read_to_string(output_dir.join("codex_app_server_protocol.v2.schemas.json"))?;
         assert_eq!(flat_v2_bundle_json.contains("mockExperimentalField"), false);
         assert_eq!(flat_v2_bundle_json.contains("additionalPermissions"), false);
+        assert_eq!(flat_v2_bundle_json.contains("skillMetadata"), false);
         assert_eq!(
             flat_v2_bundle_json.contains("MockExperimentalMethodParams"),
             false

codex-rs/app-server-protocol/src/protocol/common.rs

@@ -110,6 +110,26 @@ macro_rules! client_request_definitions {
             )*
         }
 
+        impl ClientRequest {
+            pub fn id(&self) -> &RequestId {
+                match self {
+                    $(Self::$variant { request_id, .. } => request_id,)*
+                }
+            }
+
+            pub fn method(&self) -> String {
+                serde_json::to_value(self)
+                    .ok()
+                    .and_then(|value| {
+                        value
+                            .get("method")
+                            .and_then(serde_json::Value::as_str)
+                            .map(str::to_owned)
+                    })
+                    .unwrap_or_else(|| "<unknown>".to_string())
+            }
+        }
+
         impl crate::experimental_api::ExperimentalApi for ClientRequest {
             fn experimental_reason(&self) -> Option<&'static str> {
                 match self {
@@ -377,11 +397,26 @@ client_request_definitions! {
         response: v2::FeedbackUploadResponse,
     },
 
-    /// Execute a command (argv vector) under the server's sandbox.
+    /// Execute a standalone command (argv vector) under the server's sandbox.
     OneOffCommandExec => "command/exec" {
         params: v2::CommandExecParams,
         response: v2::CommandExecResponse,
     },
+    /// Write stdin bytes to a running `command/exec` session or close stdin.
+    CommandExecWrite => "command/exec/write" {
+        params: v2::CommandExecWriteParams,
+        response: v2::CommandExecWriteResponse,
+    },
+    /// Terminate a running `command/exec` session by client-supplied `processId`.
+    CommandExecTerminate => "command/exec/terminate" {
+        params: v2::CommandExecTerminateParams,
+        response: v2::CommandExecTerminateResponse,
+    },
+    /// Resize a running PTY-backed `command/exec` session by client-supplied `processId`.
+    CommandExecResize => "command/exec/resize" {
+        params: v2::CommandExecResizeParams,
+        response: v2::CommandExecResizeResponse,
+    },
 
     ConfigRead => "config/read" {
         params: v2::ConfigReadParams,
@@ -660,6 +695,12 @@ server_request_definitions! {
         response: v2::McpServerElicitationRequestResponse,
     },
 
+    /// Request approval for additional permissions from the user.
+    PermissionsRequestApproval => "item/permissions/requestApproval" {
+        params: v2::PermissionsRequestApprovalParams,
+        response: v2::PermissionsRequestApprovalResponse,
+    },
+
     /// Execute a dynamic tool call on the client.
     DynamicToolCall => "item/tool/call" {
         params: v2::DynamicToolCallParams,
@@ -781,6 +822,8 @@ server_notification_definitions! {
     AgentMessageDelta => "item/agentMessage/delta" (v2::AgentMessageDeltaNotification),
     /// EXPERIMENTAL - proposed plan streaming deltas for plan items.
     PlanDelta => "item/plan/delta" (v2::PlanDeltaNotification),
+    /// Stream base64-encoded stdout/stderr chunks for a running `command/exec` session.
+    CommandExecOutputDelta => "command/exec/outputDelta" (v2::CommandExecOutputDeltaNotification),
     CommandExecutionOutputDelta => "item/commandExecution/outputDelta" (v2::CommandExecutionOutputDeltaNotification),
     TerminalInteraction => "item/commandExecution/terminalInteraction" (v2::TerminalInteractionNotification),
     FileChangeOutputDelta => "item/fileChange/outputDelta" (v2::FileChangeOutputDeltaNotification),
@@ -790,8 +833,6 @@ server_notification_definitions! {
     AccountUpdated => "account/updated" (v2::AccountUpdatedNotification),
     AccountRateLimitsUpdated => "account/rateLimits/updated" (v2::AccountRateLimitsUpdatedNotification),
     AppListUpdated => "app/list/updated" (v2::AppListUpdatedNotification),
-    #[experimental("thread/start.sdkDelegation")]
-    SdkDelegationConfigured => "codexSdk/delegationConfigured" (v2::SdkDelegationConfiguredNotification),
     ReasoningSummaryTextDelta => "item/reasoning/summaryTextDelta" (v2::ReasoningSummaryTextDeltaNotification),
     ReasoningSummaryPartAdded => "item/reasoning/summaryPartAdded" (v2::ReasoningSummaryPartAddedNotification),
     ReasoningTextDelta => "item/reasoning/textDelta" (v2::ReasoningTextDeltaNotification),
@@ -1121,6 +1162,8 @@ mod tests {
             request_id: RequestId::Integer(1),
             params: None,
         };
+        assert_eq!(request.id(), &RequestId::Integer(1));
+        assert_eq!(request.method(), "account/rateLimits/read");
         assert_eq!(
             json!({
                 "method": "account/rateLimits/read",
@@ -1525,6 +1568,7 @@ mod tests {
                 }),
                 macos: None,
             }),
+            skill_metadata: None,
             proposed_execpolicy_amendment: None,
             proposed_network_policy_amendments: None,
             available_decisions: None,
@@ -1535,4 +1579,31 @@ mod tests {
             Some("item/commandExecution/requestApproval.additionalPermissions")
         );
     }
+
+    #[test]
+    fn command_execution_request_approval_skill_metadata_is_marked_experimental() {
+        let params = v2::CommandExecutionRequestApprovalParams {
+            thread_id: "thr_123".to_string(),
+            turn_id: "turn_123".to_string(),
+            item_id: "call_123".to_string(),
+            approval_id: None,
+            reason: None,
+            network_approval_context: None,
+            command: Some("cat file".to_string()),
+            cwd: None,
+            command_actions: None,
+            additional_permissions: None,
+            skill_metadata: Some(v2::CommandExecutionRequestApprovalSkillMetadata {
+                path_to_skills_md: PathBuf::from("/tmp/SKILLS.md"),
+            }),
+            proposed_execpolicy_amendment: None,
+            proposed_network_policy_amendments: None,
+            available_decisions: None,
+        };
+        let reason = crate::experimental_api::ExperimentalApi::experimental_reason(&params);
+        assert_eq!(
+            reason,
+            Some("item/commandExecution/requestApproval.skillMetadata")
+        );
+    }
 }

codex-rs/app-server-protocol/src/protocol/mappers.rs

@@ -1,14 +1,22 @@
 use crate::protocol::v1;
 use crate::protocol::v2;
-
 impl From<v1::ExecOneOffCommandParams> for v2::CommandExecParams {
     fn from(value: v1::ExecOneOffCommandParams) -> Self {
         Self {
             command: value.command,
+            process_id: None,
+            tty: false,
+            stream_stdin: false,
+            stream_stdout_stderr: false,
+            output_bytes_cap: None,
+            disable_output_cap: false,
+            disable_timeout: false,
             timeout_ms: value
                 .timeout_ms
                 .map(|timeout| i64::try_from(timeout).unwrap_or(60_000)),
             cwd: value.cwd,
+            env: None,
+            size: None,
             sandbox_policy: value.sandbox_policy.map(std::convert::Into::into),
         }
     }

codex-rs/app-server-protocol/src/protocol/v1.rs

@@ -429,7 +429,8 @@ pub struct SendUserTurnParams {
     pub service_tier: Option<Option<ServiceTier>>,
     pub effort: Option<ReasoningEffort>,
     pub summary: ReasoningSummary,
-    /// Optional JSON Schema used to constrain the final assistant message for this turn.
+    /// Optional JSON Schema used to constrain the final assistant message for
+    /// this turn.
     pub output_schema: Option<serde_json::Value>,
 }
 

codex-rs/app-server-test-client/src/lib.rs

@@ -96,6 +96,7 @@ const NOTIFICATIONS_TO_OPT_OUT: &[&str] = &[
     "codex/event/item_started",
     "codex/event/item_completed",
     // v2 item deltas.
+    "command/exec/outputDelta",
     "item/agentMessage/delta",
     "item/plan/delta",
     "item/commandExecution/outputDelta",
@@ -1506,6 +1507,7 @@ impl CodexClient {
             cwd,
             command_actions,
             additional_permissions,
+            skill_metadata,
             proposed_execpolicy_amendment,
             proposed_network_policy_amendments,
             available_decisions,
@@ -1540,6 +1542,9 @@ impl CodexClient {
         if let Some(additional_permissions) = additional_permissions.as_ref() {
             println!("< additional permissions: {additional_permissions:?}");
         }
+        if let Some(skill_metadata) = skill_metadata.as_ref() {
+            println!("< skill metadata: {skill_metadata:?}");
+        }
         if let Some(execpolicy_amendment) = proposed_execpolicy_amendment.as_ref() {
             println!("< proposed execpolicy amendment: {execpolicy_amendment:?}");
         }

codex-rs/app-server/Cargo.toml

@@ -18,12 +18,14 @@ workspace = true
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
+base64 = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-cloud-requirements = { workspace = true }
 codex-core = { workspace = true }
 codex-otel = { workspace = true }
 codex-shell-command = { workspace = true }
 codex-utils-cli = { workspace = true }
+codex-utils-pty = { workspace = true }
 codex-backend-client = { workspace = true }
 codex-file-search = { workspace = true }
 codex-chatgpt = { workspace = true }
@@ -64,7 +66,6 @@ axum = { workspace = true, default-features = false, features = [
     "json",
     "tokio",
 ] }
-base64 = { workspace = true }
 core_test_support = { workspace = true }
 codex-utils-cargo-bin = { workspace = true }
 pretty_assertions = { workspace = true }

codex-rs/app-server/README.md

@@ -120,7 +120,7 @@ Example with notification opt-out:
 
 ## API Overview
 
-- `thread/start` — create a new thread; emits `thread/started` (including the current `thread.status`) and auto-subscribes you to turn/item events for that thread. Experimental: `thread/start.sdkDelegation` lets a host integration register a per-thread delegated Responses provider that points Codex at a host-managed bridge. In the current prototype shape, Codex sends the raw Responses request body to that bridge and the host bridge injects upstream authorization before forwarding the request. Experimental: `thread/start.builtinTools` lets a client provide an exact allowlist of built-in Codex tool names for that thread. Experimental: `thread/start.manualToolExecution` forces built-in tool executions to pause for host approval before Codex invokes them.
+- `thread/start` — create a new thread; emits `thread/started` (including the current `thread.status`) and auto-subscribes you to turn/item events for that thread.
 - `thread/resume` — reopen an existing thread by id so subsequent `turn/start` calls append to it.
 - `thread/fork` — fork an existing thread into a new thread id by copying the stored history; emits `thread/started` (including the current `thread.status`) and auto-subscribes you to turn/item events for the new thread.
 - `thread/list` — page through stored rollouts; supports cursor-based pagination and optional `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Each returned `thread` includes `status` (`ThreadStatus`), defaulting to `notLoaded` when the thread is not currently loaded.
@@ -128,7 +128,6 @@ Example with notification opt-out:
 - `thread/read` — read a stored thread by id without resuming it; optionally include turns via `includeTurns`. The returned `thread` includes `status` (`ThreadStatus`), defaulting to `notLoaded` when the thread is not currently loaded.
 - `thread/metadata/update` — patch stored thread metadata in sqlite; currently supports updating persisted `gitInfo` fields and returns the refreshed `thread`.
 - `thread/status/changed` — notification emitted when a loaded thread’s status changes (`threadId` + new `status`).
-- `codexSdk/delegationConfigured` — experimental notification emitted after `thread/start` when `sdkDelegation` is active for that thread.
 - `thread/archive` — move a thread’s rollout file into the archived directory; returns `{}` on success and emits `thread/archived`.
 - `thread/unsubscribe` — unsubscribe this connection from thread turn/item events. If this was the last subscriber, the server shuts down and unloads the thread, then emits `thread/closed`.
 - `thread/name/set` — set or update a thread’s user-facing name for either a loaded thread or a persisted rollout; returns `{}` on success and emits `thread/name/updated` to initialized, opted-in clients. Thread names are not required to be unique; name lookups resolve to the most recently updated thread.
@@ -145,29 +144,32 @@ Example with notification opt-out:
 - `thread/realtime/stop` — stop the active realtime session for the thread (experimental); returns `{}`.
 - `review/start` — kick off Codex’s automated reviewer for a thread; responds like `turn/start` and emits `item/started`/`item/completed` notifications with `enteredReviewMode` and `exitedReviewMode` items, plus a final assistant `agentMessage` containing the review.
 - `command/exec` — run a single command under the server sandbox without starting a thread/turn (handy for utilities and validation).
+- `command/exec/write` — write base64-decoded stdin bytes to a running `command/exec` session or close stdin; returns `{}`.
+- `command/exec/resize` — resize a running PTY-backed `command/exec` session by `processId`; returns `{}`.
+- `command/exec/terminate` — terminate a running `command/exec` session by `processId`; returns `{}`.
+- `command/exec/outputDelta` — notification emitted for base64-encoded stdout/stderr chunks from a streaming `command/exec` session.
 - `model/list` — list available models (set `includeHidden: true` to include entries with `hidden: true`), with reasoning effort options, optional legacy `upgrade` model ids, optional `upgradeInfo` metadata (`model`, `upgradeCopy`, `modelLink`, `migrationMarkdown`), and optional `availabilityNux` metadata.
 - `experimentalFeature/list` — list feature flags with stage metadata (`beta`, `underDevelopment`, `stable`, etc.), enabled/default-enabled state, and cursor pagination. For non-beta flags, `displayName`/`description`/`announcement` are `null`.
 - `collaborationMode/list` — list available collaboration mode presets (experimental, no pagination). This response omits built-in developer instructions; clients should either pass `settings.developer_instructions: null` when setting a mode to use Codex's built-in instructions, or provide their own instructions explicitly.
 - `skills/list` — list skills for one or more `cwd` values (optional `forceReload`).
-- `plugin/list` — list discovered marketplaces reachable from optional `cwds` (unioned into a single list). When `cwds` is omitted, only home-scoped marketplaces are considered. Includes each plugin's current `enabled` state from config (**under development; do not call from production clients yet**).
+- `plugin/list` — list discovered plugin marketplaces, including plugin id, installed/enabled state, and optional interface metadata (**under development; do not call from production clients yet**).
 - `skills/changed` — notification emitted when watched local skill files change.
 - `skills/remote/list` — list public remote skills (**under development; do not call from production clients yet**).
 - `skills/remote/export` — download a remote skill by `hazelnutId` into `skills` under `codex_home` (**under development; do not call from production clients yet**).
 - `app/list` — list available apps.
 - `skills/config/write` — write user-level skill config by path.
-- `plugin/install` — install a plugin from a discovered marketplace entry by `pluginName` and `marketplacePath`; on success it returns `appsNeedingAuth` for any plugin-declared apps that still are not accessible in the current ChatGPT auth context (**under development; do not call from production clients yet**).
+- `plugin/install` — install a plugin from a discovered marketplace entry and return any apps that still need auth (**under development; do not call from production clients yet**).
 - `mcpServer/oauth/login` — start an OAuth login for a configured MCP server; returns an `authorization_url` and later emits `mcpServer/oauthLogin/completed` once the browser flow finishes.
 - `tool/requestUserInput` — prompt the user with 1–3 short questions for a tool call and return their answers (experimental).
 - `config/mcpServer/reload` — reload MCP server config from disk and queue a refresh for loaded threads (applied on each thread's next active turn); returns `{}`. Use this after editing `config.toml` without restarting the server.
 - `mcpServerStatus/list` — enumerate configured MCP servers with their tools, resources, resource templates, and auth status; supports cursor+limit pagination.
-- `windowsSandbox/setupStart` — start Windows sandbox setup for the selected mode (`elevated` or `unelevated`); accepts an optional `cwd` to target setup for a specific workspace, returns `{ started: true }` immediately, and later emits `windowsSandbox/setupCompleted`.
+- `windowsSandbox/setupStart` — start Windows sandbox setup for the selected mode (`elevated` or `unelevated`); accepts an optional absolute `cwd` to target setup for a specific workspace, returns `{ started: true }` immediately, and later emits `windowsSandbox/setupCompleted`.
 - `feedback/upload` — submit a feedback report (classification + optional reason/logs, conversation_id, and optional `extraLogFiles` attachments array); returns the tracking thread id.
-- `command/exec` — run a single command under the server sandbox without starting a thread/turn (handy for utilities and validation).
 - `config/read` — fetch the effective config on disk after resolving config layering.
 - `externalAgentConfig/detect` — detect migratable external-agent artifacts with `includeHome` and optional `cwds`; each detected item includes `cwd` (`null` for home).
 - `externalAgentConfig/import` — apply selected external-agent migration items by passing explicit `migrationItems` with `cwd` (`null` for home).
 - `config/value/write` — write a single config key/value to the user's config.toml on disk.
-- `config/batchWrite` — apply multiple config edits atomically to the user's config.toml on disk.
+- `config/batchWrite` — apply multiple config edits atomically to the user's config.toml on disk, with optional `reloadUserConfig: true` to hot-reload loaded threads.
 - `configRequirements/read` — fetch loaded requirements constraints from `requirements.toml` and/or MDM (or `null` if none are configured), including allow-lists (`allowedApprovalPolicies`, `allowedSandboxModes`, `allowedWebSearchModes`), pinned feature values (`featureRequirements`), `enforceResidency`, and `network` constraints.
 
 ### Example: Start or resume a thread
@@ -198,13 +200,6 @@ Start a fresh thread when you need a new Codex conversation.
             }
         }
     ],
-    "builtinTools": [
-        "exec_command",
-        "write_stdin",
-        "apply_patch",
-        "view_image"
-    ],
-    "manualToolExecution": true
 } }
 { "id": 10, "result": {
     "thread": {
@@ -621,11 +616,21 @@ Run a standalone command (argv vector) in the server’s sandbox without creatin
 ```json
 { "method": "command/exec", "id": 32, "params": {
     "command": ["ls", "-la"],
+    "processId": "ls-1",                           // optional string; required for streaming and ability to terminate the process
     "cwd": "/Users/me/project",                    // optional; defaults to server cwd
+    "env": { "FOO": "override" },                  // optional; merges into the server env and overrides matching names
+    "size": { "rows": 40, "cols": 120 },           // optional; PTY size in character cells, only valid with tty=true
     "sandboxPolicy": { "type": "workspaceWrite" }, // optional; defaults to user config
-    "timeoutMs": 10000                             // optional; ms timeout; defaults to server timeout
+    "outputBytesCap": 1048576,                     // optional; per-stream capture cap
+    "disableOutputCap": false,                     // optional; cannot be combined with outputBytesCap
+    "timeoutMs": 10000,                            // optional; ms timeout; defaults to server timeout
+    "disableTimeout": false                        // optional; cannot be combined with timeoutMs
+} }
+{ "id": 32, "result": {
+    "exitCode": 0,
+    "stdout": "...",
+    "stderr": ""
 } }
-{ "id": 32, "result": { "exitCode": 0, "stdout": "...", "stderr": "" } }
 ```
 
 - For clients that are already sandboxed externally, set `sandboxPolicy` to `{"type":"externalSandbox","networkAccess":"enabled"}` (or omit `networkAccess` to keep it restricted). Codex will not enforce its own sandbox in this mode; it tells the model it has full file-system access and passes the `networkAccess` state through `environment_context`.
@@ -634,7 +639,70 @@ Notes:
 
 - Empty `command` arrays are rejected.
 - `sandboxPolicy` accepts the same shape used by `turn/start` (e.g., `dangerFullAccess`, `readOnly`, `workspaceWrite` with flags, `externalSandbox` with `networkAccess` `restricted|enabled`).
+- `env` merges into the environment produced by the server's shell environment policy. Matching names are overridden; unspecified variables are left intact.
 - When omitted, `timeoutMs` falls back to the server default.
+- When omitted, `outputBytesCap` falls back to the server default of 1 MiB per stream.
+- `disableOutputCap: true` disables stdout/stderr capture truncation for that `command/exec` request. It cannot be combined with `outputBytesCap`.
+- `disableTimeout: true` disables the timeout entirely for that `command/exec` request. It cannot be combined with `timeoutMs`.
+- `processId` is optional for buffered execution. When omitted, Codex generates an internal id for lifecycle tracking, but `tty`, `streamStdin`, and `streamStdoutStderr` must stay disabled and follow-up `command/exec/write` / `command/exec/terminate` calls are not available for that command.
+- `size` is only valid when `tty: true`. It sets the initial PTY size in character cells.
+- Buffered Windows sandbox execution accepts `processId` for correlation, but `command/exec/write` and `command/exec/terminate` are still unsupported for those requests.
+- Buffered Windows sandbox execution also requires the default output cap; custom `outputBytesCap` and `disableOutputCap` are unsupported there.
+- `tty`, `streamStdin`, and `streamStdoutStderr` are optional booleans. Legacy requests that omit them continue to use buffered execution.
+- `tty: true` implies PTY mode plus `streamStdin: true` and `streamStdoutStderr: true`.
+- `tty` and `streamStdin` do not disable the timeout on their own; omit `timeoutMs` to use the server default timeout, or set `disableTimeout: true` to keep the process alive until exit or explicit termination.
+- `outputBytesCap` applies independently to `stdout` and `stderr`, and streamed bytes are not duplicated into the final response.
+- The `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.
+- `command/exec/outputDelta` notifications are connection-scoped. If the originating connection closes, the server terminates the process.
+
+Streaming stdin/stdout uses base64 so PTY sessions can carry arbitrary bytes:
+
+```json
+{ "method": "command/exec", "id": 33, "params": {
+    "command": ["bash", "-i"],
+    "processId": "bash-1",
+    "tty": true,
+    "outputBytesCap": 32768
+} }
+{ "method": "command/exec/outputDelta", "params": {
+    "processId": "bash-1",
+    "stream": "stdout",
+    "deltaBase64": "YmFzaC00LjQkIA==",
+    "capReached": false
+} }
+{ "method": "command/exec/write", "id": 34, "params": {
+    "processId": "bash-1",
+    "deltaBase64": "cHdkCg=="
+} }
+{ "id": 34, "result": {} }
+{ "method": "command/exec/write", "id": 35, "params": {
+    "processId": "bash-1",
+    "closeStdin": true
+} }
+{ "id": 35, "result": {} }
+{ "method": "command/exec/resize", "id": 36, "params": {
+    "processId": "bash-1",
+    "size": { "rows": 48, "cols": 160 }
+} }
+{ "id": 36, "result": {} }
+{ "method": "command/exec/terminate", "id": 37, "params": {
+    "processId": "bash-1"
+} }
+{ "id": 37, "result": {} }
+{ "id": 33, "result": {
+    "exitCode": 137,
+    "stdout": "",
+    "stderr": ""
+} }
+```
+
+- `command/exec/write` accepts either `deltaBase64`, `closeStdin`, or both.
+- Clients may supply a connection-scoped string `processId` in `command/exec`; `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` only accept those client-supplied string ids.
+- `command/exec/outputDelta.processId` is always the client-supplied string id from the original `command/exec` request.
+- `command/exec/outputDelta.stream` is `stdout` or `stderr`. PTY mode multiplexes terminal output through `stdout`.
+- `command/exec/outputDelta.capReached` is `true` on the final streamed chunk for a stream when `outputBytesCap` truncates that stream; later output on that stream is dropped.
+- `command/exec.params.env` overrides the server-computed environment per key; set a key to `null` to unset an inherited variable.
+- `command/exec/resize` is only supported for PTY-backed `command/exec` sessions.
 
 ## Events
 
@@ -772,7 +840,7 @@ Certain actions (shell commands or modifying files) may require explicit user ap
 Order of messages:
 
 1. `item/started` — shows the pending `commandExecution` item with `command`, `cwd`, and other fields so you can render the proposed action.
-2. `item/commandExecution/requestApproval` (request) — carries the same `itemId`, `threadId`, `turnId`, optionally `approvalId` (for subcommand callbacks), and `reason`. For normal command approvals, it also includes `command`, `cwd`, and `commandActions` for friendly display. When `initialize.params.capabilities.experimentalApi = true`, it may also include experimental `additionalPermissions` describing requested per-command sandbox access; any filesystem paths in that payload are absolute on the wire, and network access is represented as `additionalPermissions.network.enabled`. For network-only approvals, those command fields may be omitted and `networkApprovalContext` is provided instead. Optional persistence hints may also be included via `proposedExecpolicyAmendment` and `proposedNetworkPolicyAmendments`. Experimental clients may also answer with `acceptWithCommandOverride` to replace the proposed built-in command before execution. Clients can prefer `availableDecisions` when present to render the exact set of choices the server wants to expose, while still falling back to the older heuristics if it is omitted.
+2. `item/commandExecution/requestApproval` (request) — carries the same `itemId`, `threadId`, `turnId`, optionally `approvalId` (for subcommand callbacks), and `reason`. For normal command approvals, it also includes `command`, `cwd`, and `commandActions` for friendly display. When `initialize.params.capabilities.experimentalApi = true`, it may also include experimental `additionalPermissions` describing requested per-command sandbox access; any filesystem paths in that payload are absolute on the wire, and network access is represented as `additionalPermissions.network.enabled`. For network-only approvals, those command fields may be omitted and `networkApprovalContext` is provided instead. Optional persistence hints may also be included via `proposedExecpolicyAmendment` and `proposedNetworkPolicyAmendments`. Clients can prefer `availableDecisions` when present to render the exact set of choices the server wants to expose, while still falling back to the older heuristics if it is omitted.
 3. Client response — for example `{ "decision": "accept" }`, `{ "decision": "acceptForSession" }`, `{ "decision": { "acceptWithExecpolicyAmendment": { "execpolicy_amendment": [...] } } }`, `{ "decision": { "applyNetworkPolicyAmendment": { "network_policy_amendment": { "host": "example.com", "action": "allow" } } } }`, `{ "decision": "decline" }`, or `{ "decision": "cancel" }`.
 4. `serverRequest/resolved` — `{ threadId, requestId }` confirms the pending request has been resolved or cleared, including lifecycle cleanup on turn start/complete/interrupt.
 5. `item/completed` — final `commandExecution` item with `status: "completed" | "failed" | "declined"` and execution output. Render this as the authoritative result.
@@ -782,8 +850,8 @@ Order of messages:
 Order of messages:
 
 1. `item/started` — emits a `fileChange` item with `changes` (diff chunk summaries) and `status: "inProgress"`. Show the proposed edits and paths to the user.
-2. `item/fileChange/requestApproval` (request) — includes `itemId`, `threadId`, `turnId`, and an optional `reason`.
-3. Client response — `{ "decision": "accept" }` or `{ "decision": "decline" }`.
+2. `item/fileChange/requestApproval` (request) — includes `itemId`, `threadId`, `turnId`, an optional `reason`, and may include unstable `grantRoot` when the agent is asking for session-scoped write access under a specific root.
+3. Client response — `{ "decision": "accept" }`, `{ "decision": "acceptForSession" }`, `{ "decision": "decline" }`, or `{ "decision": "cancel" }`.
 4. `serverRequest/resolved` — `{ threadId, requestId }` confirms the pending request has been resolved or cleared, including lifecycle cleanup on turn start/complete/interrupt.
 5. `item/completed` — returns the same `fileChange` item with `status` updated to `completed`, `failed`, or `declined` after the patch attempt. Rely on this to show success/failure and finalize the diff state in your UI.
 
@@ -807,6 +875,52 @@ Order of messages:
 
 `turnId` is best-effort. When the elicitation is correlated with an active turn, the request includes that turn id; otherwise it is `null`.
 
+### Permission requests
+
+The built-in `request_permissions` tool sends an `item/permissions/requestApproval` JSON-RPC request to the client with the requested permission profile. Today that commonly means additional filesystem access, but the payload is intentionally general so future requests can include non-filesystem permissions too. This request is part of the v2 protocol surface.
+
+```json
+{
+  "method": "item/permissions/requestApproval",
+  "id": 61,
+  "params": {
+    "threadId": "thr_123",
+    "turnId": "turn_123",
+    "itemId": "call_123",
+    "reason": "Select a workspace root",
+    "permissions": {
+      "fileSystem": {
+        "write": [
+          "/Users/me/project",
+          "/Users/me/shared"
+        ]
+      }
+    }
+  }
+}
+```
+
+The client responds with `result.permissions`, which should be the granted subset of the requested permission profile:
+
+```json
+{
+  "id": 61,
+  "result": {
+    "permissions": {
+      "fileSystem": {
+        "write": [
+          "/Users/me/project"
+        ]
+      }
+    }
+  }
+}
+```
+
+Only the granted subset matters on the wire. Any permissions omitted from `result.permissions` are treated as denied, including omitted nested keys inside `result.permissions.macos`, so a sparse response like `{ "permissions": { "macos": { "accessibility": true } } }` grants only accessibility. Any permissions not present in the original request are ignored by the server.
+
+Within the same turn, granted permissions are sticky: later shell-like tool calls can automatically reuse the granted subset without reissuing a separate permission request.
+
 ### Dynamic tool calls (experimental)
 
 `dynamicTools` on `thread/start` and the corresponding `item/tool/call` request/response flow are experimental APIs. To enable them, set `initialize.params.capabilities.experimentalApi = true`.

codex-rs/app-server/src/app_server_tracing.rs

@@ -1,6 +1,16 @@
+//! Tracing helpers shared by socket and in-process app-server entry points.
+//!
+//! The in-process path intentionally reuses the same span shape as JSON-RPC
+//! transports so request telemetry stays comparable across stdio, websocket,
+//! and embedded callers. [`typed_request_span`] is the in-process counterpart
+//! of [`request_span`] and stamps `rpc.transport` as `"in-process"` while
+//! deriving client identity from the typed [`ClientRequest`] rather than
+//! from a parsed JSON envelope.
+
 use crate::message_processor::ConnectionSessionState;
 use crate::outgoing_message::ConnectionId;
 use crate::transport::AppServerTransport;
+use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::JSONRPCRequest;
 use codex_otel::set_parent_from_context;
@@ -65,6 +75,51 @@ pub(crate) fn request_span(
     span
 }
 
+/// Builds tracing span metadata for typed in-process requests.
+///
+/// This mirrors `request_span` semantics while stamping transport as
+/// `in-process` and deriving client info either from initialize params or
+/// from existing connection session state.
+pub(crate) fn typed_request_span(
+    request: &ClientRequest,
+    connection_id: ConnectionId,
+    session: &ConnectionSessionState,
+) -> Span {
+    let method = request.method();
+    let span = info_span!(
+        "app_server.request",
+        otel.kind = "server",
+        otel.name = method,
+        rpc.system = "jsonrpc",
+        rpc.method = method,
+        rpc.transport = "in-process",
+        rpc.request_id = ?request.id(),
+        app_server.connection_id = ?connection_id,
+        app_server.api_version = "v2",
+        app_server.client_name = field::Empty,
+        app_server.client_version = field::Empty,
+    );
+
+    if let Some((client_name, client_version)) = initialize_client_info_from_typed_request(request)
+    {
+        span.record("app_server.client_name", client_name);
+        span.record("app_server.client_version", client_version);
+    } else {
+        if let Some(client_name) = session.app_server_client_name.as_deref() {
+            span.record("app_server.client_name", client_name);
+        }
+        if let Some(client_version) = session.client_version.as_deref() {
+            span.record("app_server.client_version", client_version);
+        }
+    }
+
+    if let Some(context) = traceparent_context_from_env() {
+        set_parent_from_context(&span, context);
+    }
+
+    span
+}
+
 fn transport_name(transport: AppServerTransport) -> &'static str {
     match transport {
         AppServerTransport::Stdio => "stdio",
@@ -99,3 +154,13 @@ fn initialize_client_info(request: &JSONRPCRequest) -> Option<InitializeParams>
     let params = request.params.clone()?;
     serde_json::from_value(params).ok()
 }
+
+fn initialize_client_info_from_typed_request(request: &ClientRequest) -> Option<(&str, &str)> {
+    match request {
+        ClientRequest::Initialize { params, .. } => Some((
+            params.client_info.name.as_str(),
+            params.client_info.version.as_str(),
+        )),
+        _ => None,
+    }
+}

codex-rs/app-server/src/bespoke_event_handling.rs

@@ -26,6 +26,7 @@ use codex_app_server_protocol::CommandExecutionApprovalDecision;
 use codex_app_server_protocol::CommandExecutionOutputDeltaNotification;
 use codex_app_server_protocol::CommandExecutionRequestApprovalParams;
 use codex_app_server_protocol::CommandExecutionRequestApprovalResponse;
+use codex_app_server_protocol::CommandExecutionRequestApprovalSkillMetadata;
 use codex_app_server_protocol::CommandExecutionStatus;
 use codex_app_server_protocol::ContextCompactedNotification;
 use codex_app_server_protocol::DeprecationNoticeNotification;
@@ -41,6 +42,7 @@ use codex_app_server_protocol::FileChangeOutputDeltaNotification;
 use codex_app_server_protocol::FileChangeRequestApprovalParams;
 use codex_app_server_protocol::FileChangeRequestApprovalResponse;
 use codex_app_server_protocol::FileUpdateChange;
+use codex_app_server_protocol::GrantedPermissionProfile as V2GrantedPermissionProfile;
 use codex_app_server_protocol::InterruptConversationResponse;
 use codex_app_server_protocol::ItemCompletedNotification;
 use codex_app_server_protocol::ItemStartedNotification;
@@ -56,6 +58,8 @@ use codex_app_server_protocol::NetworkApprovalContext as V2NetworkApprovalContex
 use codex_app_server_protocol::NetworkPolicyAmendment as V2NetworkPolicyAmendment;
 use codex_app_server_protocol::NetworkPolicyRuleAction as V2NetworkPolicyRuleAction;
 use codex_app_server_protocol::PatchApplyStatus;
+use codex_app_server_protocol::PermissionsRequestApprovalParams;
+use codex_app_server_protocol::PermissionsRequestApprovalResponse;
 use codex_app_server_protocol::PlanDeltaNotification;
 use codex_app_server_protocol::RawResponseItemCompletedNotification;
 use codex_app_server_protocol::ReasoningSummaryPartAddedNotification;
@@ -96,9 +100,11 @@ use codex_core::ThreadManager;
 use codex_core::find_thread_name_by_id;
 use codex_core::review_format::format_review_findings_block;
 use codex_core::review_prompts;
+use codex_core::sandboxing::intersect_permission_profiles;
 use codex_protocol::ThreadId;
 use codex_protocol::dynamic_tools::DynamicToolCallOutputContentItem as CoreDynamicToolCallOutputContentItem;
 use codex_protocol::dynamic_tools::DynamicToolResponse as CoreDynamicToolResponse;
+use codex_protocol::models::PermissionProfile as CorePermissionProfile;
 use codex_protocol::plan_tool::UpdatePlanArgs;
 use codex_protocol::protocol::ApplyPatchApprovalRequestEvent;
 use codex_protocol::protocol::CodexErrorInfo as CoreCodexErrorInfo;
@@ -114,6 +120,7 @@ use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::ReviewOutputEvent;
 use codex_protocol::protocol::TokenCountEvent;
 use codex_protocol::protocol::TurnDiffEvent;
+use codex_protocol::request_permissions::RequestPermissionsResponse as CoreRequestPermissionsResponse;
 use codex_protocol::request_user_input::RequestUserInputAnswer as CoreRequestUserInputAnswer;
 use codex_protocol::request_user_input::RequestUserInputResponse as CoreRequestUserInputResponse;
 use codex_shell_command::parse_command::shlex_join;
@@ -265,6 +272,8 @@ pub(crate) async fn apply_bespoke_event_handling(
             if let ApiVersion::V2 = api_version {
                 match event.payload {
                     RealtimeEvent::SessionUpdated { .. } => {}
+                    RealtimeEvent::InputTranscriptDelta(_) => {}
+                    RealtimeEvent::OutputTranscriptDelta(_) => {}
                     RealtimeEvent::AudioOut(audio) => {
                         let notification = ThreadRealtimeOutputAudioDeltaNotification {
                             thread_id: conversation_id.to_string(),
@@ -296,7 +305,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                                 "handoff_id": handoff.handoff_id,
                                 "item_id": handoff.item_id,
                                 "input_transcript": handoff.input_transcript,
-                                "messages": handoff.messages,
+                                "active_transcript": handoff.active_transcript,
                             }),
                         };
                         outgoing
@@ -437,6 +446,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                 proposed_execpolicy_amendment,
                 proposed_network_policy_amendments,
                 additional_permissions,
+                skill_metadata,
                 parsed_cmd,
                 ..
             } = ev;
@@ -508,6 +518,8 @@ pub(crate) async fn apply_bespoke_event_handling(
                         });
                     let additional_permissions =
                         additional_permissions.map(V2AdditionalPermissionProfile::from);
+                    let skill_metadata =
+                        skill_metadata.map(CommandExecutionRequestApprovalSkillMetadata::from);
 
                     let params = CommandExecutionRequestApprovalParams {
                         thread_id: conversation_id.to_string(),
@@ -520,6 +532,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                         cwd,
                         command_actions,
                         additional_permissions,
+                        skill_metadata,
                         proposed_execpolicy_amendment: proposed_execpolicy_amendment_v2,
                         proposed_network_policy_amendments: proposed_network_policy_amendments_v2,
                         available_decisions: Some(available_decisions),
@@ -672,6 +685,53 @@ pub(crate) async fn apply_bespoke_event_handling(
                 });
             }
         }
+        EventMsg::RequestPermissions(request) => {
+            if matches!(api_version, ApiVersion::V2) {
+                let permission_guard = thread_watch_manager
+                    .note_permission_requested(&conversation_id.to_string())
+                    .await;
+                let requested_permissions = request.permissions.clone();
+                let params = PermissionsRequestApprovalParams {
+                    thread_id: conversation_id.to_string(),
+                    turn_id: request.turn_id.clone(),
+                    item_id: request.call_id.clone(),
+                    reason: request.reason,
+                    permissions: request.permissions.into(),
+                };
+                let (pending_request_id, rx) = outgoing
+                    .send_request(ServerRequestPayload::PermissionsRequestApproval(params))
+                    .await;
+                tokio::spawn(async move {
+                    on_request_permissions_response(
+                        request.call_id,
+                        requested_permissions,
+                        pending_request_id,
+                        rx,
+                        conversation,
+                        thread_state,
+                        permission_guard,
+                    )
+                    .await;
+                });
+            } else {
+                error!(
+                    "request_permissions is only supported on api v2 (call_id: {})",
+                    request.call_id
+                );
+                let empty = CoreRequestPermissionsResponse {
+                    permissions: Default::default(),
+                };
+                if let Err(err) = conversation
+                    .submit(Op::RequestPermissionsResponse {
+                        id: request.call_id,
+                        response: empty,
+                    })
+                    .await
+                {
+                    error!("failed to submit RequestPermissionsResponse: {err}");
+                }
+            }
+        }
         EventMsg::DynamicToolCallRequest(request) => {
             if matches!(api_version, ApiVersion::V2) {
                 let call_id = request.call_id;
@@ -2121,6 +2181,71 @@ fn mcp_server_elicitation_response_from_client_result(
     }
 }
 
+async fn on_request_permissions_response(
+    call_id: String,
+    requested_permissions: CorePermissionProfile,
+    pending_request_id: RequestId,
+    receiver: oneshot::Receiver<ClientRequestResult>,
+    conversation: Arc<CodexThread>,
+    thread_state: Arc<Mutex<ThreadState>>,
+    request_permissions_guard: ThreadWatchActiveGuard,
+) {
+    let response = receiver.await;
+    resolve_server_request_on_thread_listener(&thread_state, pending_request_id).await;
+    drop(request_permissions_guard);
+    let Some(response) =
+        request_permissions_response_from_client_result(requested_permissions, response)
+    else {
+        return;
+    };
+
+    if let Err(err) = conversation
+        .submit(Op::RequestPermissionsResponse {
+            id: call_id,
+            response,
+        })
+        .await
+    {
+        error!("failed to submit RequestPermissionsResponse: {err}");
+    }
+}
+
+fn request_permissions_response_from_client_result(
+    requested_permissions: CorePermissionProfile,
+    response: std::result::Result<ClientRequestResult, oneshot::error::RecvError>,
+) -> Option<CoreRequestPermissionsResponse> {
+    let value = match response {
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) if is_turn_transition_server_request_error(&err) => return None,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            return Some(CoreRequestPermissionsResponse {
+                permissions: Default::default(),
+            });
+        }
+        Err(err) => {
+            error!("request failed: {err:?}");
+            return Some(CoreRequestPermissionsResponse {
+                permissions: Default::default(),
+            });
+        }
+    };
+
+    let response = serde_json::from_value::<PermissionsRequestApprovalResponse>(value)
+        .unwrap_or_else(|err| {
+            error!("failed to deserialize PermissionsRequestApprovalResponse: {err}");
+            PermissionsRequestApprovalResponse {
+                permissions: V2GrantedPermissionProfile::default(),
+            }
+        });
+    Some(CoreRequestPermissionsResponse {
+        permissions: intersect_permission_profiles(
+            requested_permissions,
+            response.permissions.into(),
+        ),
+    })
+}
+
 const REVIEW_FALLBACK_MESSAGE: &str = "Reviewer failed to output a response.";
 
 fn render_review_output_text(output: &ReviewOutputEvent) -> String {
@@ -2256,10 +2381,6 @@ async fn on_command_execution_request_approval_response(
 
             let (decision, completion_status) = match decision {
                 CommandExecutionApprovalDecision::Accept => (ReviewDecision::Approved, None),
-                CommandExecutionApprovalDecision::AcceptWithCommandOverride { command } => (
-                    ReviewDecision::ApprovedWithCommandOverride { command },
-                    None,
-                ),
                 CommandExecutionApprovalDecision::AcceptForSession => {
                     (ReviewDecision::ApprovedForSession, None)
                 }
@@ -2473,6 +2594,9 @@ mod tests {
     use codex_app_server_protocol::JSONRPCErrorError;
     use codex_app_server_protocol::TurnPlanStepStatus;
     use codex_protocol::mcp::CallToolResult;
+    use codex_protocol::models::MacOsAutomationPermission;
+    use codex_protocol::models::MacOsPreferencesPermission;
+    use codex_protocol::models::MacOsSeatbeltProfileExtensions;
     use codex_protocol::plan_tool::PlanItemArg;
     use codex_protocol::plan_tool::StepStatus;
     use codex_protocol::protocol::CollabResumeBeginEvent;
@@ -2535,6 +2659,120 @@ mod tests {
         );
     }
 
+    #[test]
+    fn request_permissions_turn_transition_error_is_ignored() {
+        let error = JSONRPCErrorError {
+            code: -1,
+            message: "client request resolved because the turn state was changed".to_string(),
+            data: Some(serde_json::json!({ "reason": "turnTransition" })),
+        };
+
+        let response = request_permissions_response_from_client_result(
+            CorePermissionProfile::default(),
+            Ok(Err(error)),
+        );
+
+        assert_eq!(response, None);
+    }
+
+    #[test]
+    fn request_permissions_response_accepts_partial_macos_grants() {
+        let requested_permissions = CorePermissionProfile {
+            macos: Some(MacOsSeatbeltProfileExtensions {
+                macos_preferences: MacOsPreferencesPermission::ReadWrite,
+                macos_automation: MacOsAutomationPermission::BundleIds(vec![
+                    "com.apple.Notes".to_string(),
+                    "com.apple.Reminders".to_string(),
+                ]),
+                macos_accessibility: true,
+                macos_calendar: true,
+            }),
+            ..Default::default()
+        };
+        let cases = vec![
+            (serde_json::json!({}), CorePermissionProfile::default()),
+            (
+                serde_json::json!({
+                    "preferences": "read_only",
+                }),
+                CorePermissionProfile {
+                    macos: Some(MacOsSeatbeltProfileExtensions {
+                        macos_preferences: MacOsPreferencesPermission::ReadOnly,
+                        macos_automation: MacOsAutomationPermission::None,
+                        macos_accessibility: false,
+                        macos_calendar: false,
+                    }),
+                    ..Default::default()
+                },
+            ),
+            (
+                serde_json::json!({
+                    "automations": {
+                        "bundle_ids": ["com.apple.Notes"],
+                    },
+                }),
+                CorePermissionProfile {
+                    macos: Some(MacOsSeatbeltProfileExtensions {
+                        macos_preferences: MacOsPreferencesPermission::None,
+                        macos_automation: MacOsAutomationPermission::BundleIds(vec![
+                            "com.apple.Notes".to_string(),
+                        ]),
+                        macos_accessibility: false,
+                        macos_calendar: false,
+                    }),
+                    ..Default::default()
+                },
+            ),
+            (
+                serde_json::json!({
+                    "accessibility": true,
+                }),
+                CorePermissionProfile {
+                    macos: Some(MacOsSeatbeltProfileExtensions {
+                        macos_preferences: MacOsPreferencesPermission::None,
+                        macos_automation: MacOsAutomationPermission::None,
+                        macos_accessibility: true,
+                        macos_calendar: false,
+                    }),
+                    ..Default::default()
+                },
+            ),
+            (
+                serde_json::json!({
+                    "calendar": true,
+                }),
+                CorePermissionProfile {
+                    macos: Some(MacOsSeatbeltProfileExtensions {
+                        macos_preferences: MacOsPreferencesPermission::None,
+                        macos_automation: MacOsAutomationPermission::None,
+                        macos_accessibility: false,
+                        macos_calendar: true,
+                    }),
+                    ..Default::default()
+                },
+            ),
+        ];
+
+        for (granted_macos, expected_permissions) in cases {
+            let response = request_permissions_response_from_client_result(
+                requested_permissions.clone(),
+                Ok(Ok(serde_json::json!({
+                    "permissions": {
+                        "macos": granted_macos,
+                    },
+                }))),
+            )
+            .expect("response should be accepted");
+
+            assert_eq!(
+                response,
+                CoreRequestPermissionsResponse {
+                    permissions: expected_permissions,
+                }
+            );
+        }
+    }
+
     #[test]
     fn collab_resume_begin_maps_to_item_started_resume_agent() {
         let event = CollabResumeBeginEvent {

codex-rs/app-server/src/bin/test_notify_capture.rs

@@ -0,0 +1,23 @@
+use anyhow::Result;
+use anyhow::anyhow;
+use std::env;
+use std::path::PathBuf;
+
+fn main() -> Result<()> {
+    let mut args = env::args_os().skip(1);
+    let output_path = PathBuf::from(
+        args.next()
+            .ok_or_else(|| anyhow!("missing output path argument"))?,
+    );
+    let payload = args
+        .next()
+        .ok_or_else(|| anyhow!("missing payload argument"))?
+        .into_string()
+        .map_err(|_| anyhow!("payload must be valid UTF-8"))?;
+
+    let temp_path = output_path.with_extension("json.tmp");
+    std::fs::write(&temp_path, payload)?;
+    std::fs::rename(&temp_path, &output_path)?;
+
+    Ok(())
+}

codex-rs/app-server/src/codex_message_processor.rs

@@ -1,4 +1,6 @@
 use crate::bespoke_event_handling::apply_bespoke_event_handling;
+use crate::command_exec::CommandExecManager;
+use crate::command_exec::StartCommandExecParams;
 use crate::error_code::INPUT_TOO_LARGE_ERROR_CODE;
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_PARAMS_ERROR_CODE;
@@ -34,10 +36,12 @@ use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::CollaborationModeListParams;
 use codex_app_server_protocol::CollaborationModeListResponse;
 use codex_app_server_protocol::CommandExecParams;
+use codex_app_server_protocol::CommandExecResizeParams;
+use codex_app_server_protocol::CommandExecTerminateParams;
+use codex_app_server_protocol::CommandExecWriteParams;
 use codex_app_server_protocol::ConversationGitInfo;
 use codex_app_server_protocol::ConversationSummary;
 use codex_app_server_protocol::DynamicToolSpec as ApiDynamicToolSpec;
-use codex_app_server_protocol::ExecOneOffCommandResponse;
 use codex_app_server_protocol::ExperimentalFeature as ApiExperimentalFeature;
 use codex_app_server_protocol::ExperimentalFeatureListParams;
 use codex_app_server_protocol::ExperimentalFeatureListResponse;
@@ -80,6 +84,7 @@ use codex_app_server_protocol::ModelListParams;
 use codex_app_server_protocol::ModelListResponse;
 use codex_app_server_protocol::PluginInstallParams;
 use codex_app_server_protocol::PluginInstallResponse;
+use codex_app_server_protocol::PluginInterface;
 use codex_app_server_protocol::PluginListParams;
 use codex_app_server_protocol::PluginListResponse;
 use codex_app_server_protocol::PluginMarketplaceEntry;
@@ -92,8 +97,6 @@ use codex_app_server_protocol::ReviewStartParams;
 use codex_app_server_protocol::ReviewStartResponse;
 use codex_app_server_protocol::ReviewTarget as ApiReviewTarget;
 use codex_app_server_protocol::SandboxMode;
-use codex_app_server_protocol::SdkDelegationConfig;
-use codex_app_server_protocol::SdkDelegationConfiguredNotification;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequestResolvedNotification;
 use codex_app_server_protocol::SkillsConfigWriteParams;
@@ -194,6 +197,7 @@ use codex_core::connectors::filter_disallowed_connectors;
 use codex_core::connectors::merge_plugin_apps;
 use codex_core::default_client::set_default_client_residency_requirement;
 use codex_core::error::CodexErr;
+use codex_core::exec::ExecExpiration;
 use codex_core::exec::ExecParams;
 use codex_core::exec_env::create_env;
 use codex_core::features::FEATURES;
@@ -265,6 +269,7 @@ use codex_state::StateRuntime;
 use codex_state::ThreadMetadataBuilder;
 use codex_state::log_db::LogDbLayer;
 use codex_utils_json_to_toml::json_to_toml;
+use codex_utils_pty::DEFAULT_OUTPUT_BYTES_CAP;
 use std::collections::HashMap;
 use std::collections::HashSet;
 use std::ffi::OsStr;
@@ -283,6 +288,7 @@ use tokio::sync::Mutex;
 use tokio::sync::broadcast;
 use tokio::sync::oneshot;
 use tokio::sync::watch;
+use tokio_util::sync::CancellationToken;
 use toml::Value as TomlValue;
 use tracing::error;
 use tracing::info;
@@ -370,6 +376,7 @@ pub(crate) struct CodexMessageProcessor {
     pending_thread_unloads: Arc<Mutex<HashSet<ThreadId>>>,
     thread_state_manager: ThreadStateManager,
     thread_watch_manager: ThreadWatchManager,
+    command_exec_manager: CommandExecManager,
     pending_fuzzy_searches: Arc<Mutex<HashMap<String, Arc<AtomicBool>>>>,
     fuzzy_search_sessions: Arc<Mutex<HashMap<String, FuzzyFileSearchSession>>>,
     feedback: CodexFeedback,
@@ -413,6 +420,21 @@ pub(crate) struct CodexMessageProcessorArgs {
 }
 
 impl CodexMessageProcessor {
+    pub(crate) fn clear_plugin_related_caches(&self) {
+        self.thread_manager.plugins_manager().clear_cache();
+        self.thread_manager.skills_manager().clear_cache();
+    }
+
+    pub(crate) async fn maybe_start_curated_repo_sync_for_latest_config(&self) {
+        match self.load_latest_config(None).await {
+            Ok(config) => self
+                .thread_manager
+                .plugins_manager()
+                .maybe_start_curated_repo_sync_for_config(&config),
+            Err(err) => warn!("failed to load latest config for curated plugin sync: {err:?}"),
+        }
+    }
+
     fn current_account_updated_notification(&self) -> AccountUpdatedNotification {
         let auth = self.auth_manager.auth_cached();
         AccountUpdatedNotification {
@@ -468,6 +490,7 @@ impl CodexMessageProcessor {
             pending_thread_unloads: Arc::new(Mutex::new(HashSet::new())),
             thread_state_manager: ThreadStateManager::new(),
             thread_watch_manager: ThreadWatchManager::new_with_outgoing(outgoing),
+            command_exec_manager: CommandExecManager::default(),
             pending_fuzzy_searches: Arc::new(Mutex::new(HashMap::new())),
             fuzzy_search_sessions: Arc::new(Mutex::new(HashMap::new())),
             feedback,
@@ -817,6 +840,18 @@ impl CodexMessageProcessor {
                 self.exec_one_off_command(to_connection_request_id(request_id), params)
                     .await;
             }
+            ClientRequest::CommandExecWrite { request_id, params } => {
+                self.command_exec_write(to_connection_request_id(request_id), params)
+                    .await;
+            }
+            ClientRequest::CommandExecResize { request_id, params } => {
+                self.command_exec_resize(to_connection_request_id(request_id), params)
+                    .await;
+            }
+            ClientRequest::CommandExecTerminate { request_id, params } => {
+                self.command_exec_terminate(to_connection_request_id(request_id), params)
+                    .await;
+            }
             ClientRequest::ConfigRead { .. }
             | ClientRequest::ConfigValueWrite { .. }
             | ClientRequest::ConfigBatchWrite { .. } => {
@@ -1489,11 +1524,84 @@ impl CodexMessageProcessor {
             return;
         }
 
-        let cwd = params.cwd.unwrap_or_else(|| self.config.cwd.clone());
-        let env = create_env(&self.config.permissions.shell_environment_policy, None);
-        let timeout_ms = params
-            .timeout_ms
-            .and_then(|timeout_ms| u64::try_from(timeout_ms).ok());
+        let CommandExecParams {
+            command,
+            process_id,
+            tty,
+            stream_stdin,
+            stream_stdout_stderr,
+            output_bytes_cap,
+            disable_output_cap,
+            disable_timeout,
+            timeout_ms,
+            cwd,
+            env: env_overrides,
+            size,
+            sandbox_policy,
+        } = params;
+
+        if size.is_some() && !tty {
+            let error = JSONRPCErrorError {
+                code: INVALID_PARAMS_ERROR_CODE,
+                message: "command/exec size requires tty: true".to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request, error).await;
+            return;
+        }
+
+        if disable_output_cap && output_bytes_cap.is_some() {
+            let error = JSONRPCErrorError {
+                code: INVALID_PARAMS_ERROR_CODE,
+                message: "command/exec cannot set both outputBytesCap and disableOutputCap"
+                    .to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request, error).await;
+            return;
+        }
+
+        if disable_timeout && timeout_ms.is_some() {
+            let error = JSONRPCErrorError {
+                code: INVALID_PARAMS_ERROR_CODE,
+                message: "command/exec cannot set both timeoutMs and disableTimeout".to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request, error).await;
+            return;
+        }
+
+        let cwd = cwd.unwrap_or_else(|| self.config.cwd.clone());
+        let mut env = create_env(&self.config.permissions.shell_environment_policy, None);
+        if let Some(env_overrides) = env_overrides {
+            for (key, value) in env_overrides {
+                match value {
+                    Some(value) => {
+                        env.insert(key, value);
+                    }
+                    None => {
+                        env.remove(&key);
+                    }
+                }
+            }
+        }
+        let timeout_ms = match timeout_ms {
+            Some(timeout_ms) => match u64::try_from(timeout_ms) {
+                Ok(timeout_ms) => Some(timeout_ms),
+                Err(_) => {
+                    let error = JSONRPCErrorError {
+                        code: INVALID_PARAMS_ERROR_CODE,
+                        message: format!(
+                            "command/exec timeoutMs must be non-negative, got {timeout_ms}"
+                        ),
+                        data: None,
+                    };
+                    self.outgoing.send_error(request, error).await;
+                    return;
+                }
+            },
+            None => None,
+        };
         let managed_network_requirements_enabled =
             self.config.managed_network_requirements_enabled();
         let started_network_proxy = match self.config.permissions.network.as_ref() {
@@ -1521,10 +1629,23 @@ impl CodexMessageProcessor {
             None => None,
         };
         let windows_sandbox_level = WindowsSandboxLevel::from_config(&self.config);
+        let output_bytes_cap = if disable_output_cap {
+            None
+        } else {
+            Some(output_bytes_cap.unwrap_or(DEFAULT_OUTPUT_BYTES_CAP))
+        };
+        let expiration = if disable_timeout {
+            ExecExpiration::Cancellation(CancellationToken::new())
+        } else {
+            match timeout_ms {
+                Some(timeout_ms) => timeout_ms.into(),
+                None => ExecExpiration::DefaultTimeout,
+            }
+        };
         let exec_params = ExecParams {
-            command: params.command,
+            command,
             cwd,
-            expiration: timeout_ms.into(),
+            expiration,
             env,
             network: started_network_proxy
                 .as_ref()
@@ -1535,10 +1656,20 @@ impl CodexMessageProcessor {
             arg0: None,
         };
 
-        let requested_policy = params.sandbox_policy.map(|policy| policy.to_core());
-        let effective_policy = match requested_policy {
+        let requested_policy = sandbox_policy.map(|policy| policy.to_core());
+        let (
+            effective_policy,
+            effective_file_system_sandbox_policy,
+            effective_network_sandbox_policy,
+        ) = match requested_policy {
             Some(policy) => match self.config.permissions.sandbox_policy.can_set(&policy) {
-                Ok(()) => policy,
+                Ok(()) => {
+                    let file_system_sandbox_policy =
+                        codex_protocol::permissions::FileSystemSandboxPolicy::from(&policy);
+                    let network_sandbox_policy =
+                        codex_protocol::permissions::NetworkSandboxPolicy::from(&policy);
+                    (policy, file_system_sandbox_policy, network_sandbox_policy)
+                }
                 Err(err) => {
                     let error = JSONRPCErrorError {
                         code: INVALID_REQUEST_ERROR_CODE,
@@ -1549,46 +1680,111 @@ impl CodexMessageProcessor {
                     return;
                 }
             },
-            None => self.config.permissions.sandbox_policy.get().clone(),
+            None => (
+                self.config.permissions.sandbox_policy.get().clone(),
+                self.config.permissions.file_system_sandbox_policy.clone(),
+                self.config.permissions.network_sandbox_policy,
+            ),
         };
 
         let codex_linux_sandbox_exe = self.arg0_paths.codex_linux_sandbox_exe.clone();
         let outgoing = self.outgoing.clone();
-        let request_for_task = request;
+        let request_for_task = request.clone();
         let sandbox_cwd = self.config.cwd.clone();
         let started_network_proxy_for_task = started_network_proxy;
         let use_linux_sandbox_bwrap = self.config.features.enabled(Feature::UseLinuxSandboxBwrap);
+        let size = match size.map(crate::command_exec::terminal_size_from_protocol) {
+            Some(Ok(size)) => Some(size),
+            Some(Err(error)) => {
+                self.outgoing.send_error(request, error).await;
+                return;
+            }
+            None => None,
+        };
 
-        tokio::spawn(async move {
-            let _started_network_proxy = started_network_proxy_for_task;
-            match codex_core::exec::process_exec_tool_call(
-                exec_params,
-                &effective_policy,
-                sandbox_cwd.as_path(),
-                &codex_linux_sandbox_exe,
-                use_linux_sandbox_bwrap,
-                None,
-            )
-            .await
-            {
-                Ok(output) => {
-                    let response = ExecOneOffCommandResponse {
-                        exit_code: output.exit_code,
-                        stdout: output.stdout.text,
-                        stderr: output.stderr.text,
-                    };
-                    outgoing.send_response(request_for_task, response).await;
-                }
-                Err(err) => {
-                    let error = JSONRPCErrorError {
-                        code: INTERNAL_ERROR_CODE,
-                        message: format!("exec failed: {err}"),
-                        data: None,
-                    };
-                    outgoing.send_error(request_for_task, error).await;
+        match codex_core::exec::build_exec_request(
+            exec_params,
+            &effective_policy,
+            &effective_file_system_sandbox_policy,
+            effective_network_sandbox_policy,
+            sandbox_cwd.as_path(),
+            &codex_linux_sandbox_exe,
+            use_linux_sandbox_bwrap,
+        ) {
+            Ok(exec_request) => {
+                if let Err(error) = self
+                    .command_exec_manager
+                    .start(StartCommandExecParams {
+                        outgoing,
+                        request_id: request_for_task,
+                        process_id,
+                        exec_request,
+                        started_network_proxy: started_network_proxy_for_task,
+                        tty,
+                        stream_stdin,
+                        stream_stdout_stderr,
+                        output_bytes_cap,
+                        size,
+                    })
+                    .await
+                {
+                    self.outgoing.send_error(request, error).await;
                 }
             }
-        });
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INTERNAL_ERROR_CODE,
+                    message: format!("exec failed: {err}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request, error).await;
+            }
+        }
+    }
+
+    async fn command_exec_write(
+        &self,
+        request_id: ConnectionRequestId,
+        params: CommandExecWriteParams,
+    ) {
+        match self
+            .command_exec_manager
+            .write(request_id.clone(), params)
+            .await
+        {
+            Ok(response) => self.outgoing.send_response(request_id, response).await,
+            Err(error) => self.outgoing.send_error(request_id, error).await,
+        }
+    }
+
+    async fn command_exec_resize(
+        &self,
+        request_id: ConnectionRequestId,
+        params: CommandExecResizeParams,
+    ) {
+        match self
+            .command_exec_manager
+            .resize(request_id.clone(), params)
+            .await
+        {
+            Ok(response) => self.outgoing.send_response(request_id, response).await,
+            Err(error) => self.outgoing.send_error(request_id, error).await,
+        }
+    }
+
+    async fn command_exec_terminate(
+        &self,
+        request_id: ConnectionRequestId,
+        params: CommandExecTerminateParams,
+    ) {
+        match self
+            .command_exec_manager
+            .terminate(request_id.clone(), params)
+            .await
+        {
+            Ok(response) => self.outgoing.send_response(request_id, response).await,
+            Err(error) => self.outgoing.send_error(request_id, error).await,
+        }
     }
 
     async fn thread_start(&self, request_id: ConnectionRequestId, params: ThreadStartParams) {
@@ -1604,14 +1800,11 @@ impl CodexMessageProcessor {
             base_instructions,
             developer_instructions,
             dynamic_tools,
-            builtin_tools,
-            manual_tool_execution,
             mock_experimental_field: _mock_experimental_field,
             experimental_raw_events,
             personality,
             ephemeral,
             persist_extended_history,
-            sdk_delegation,
         } = params;
         let mut typesafe_overrides = self.build_thread_config_overrides(
             model,
@@ -1625,11 +1818,6 @@ impl CodexMessageProcessor {
             personality,
         );
         typesafe_overrides.ephemeral = ephemeral;
-        let mut config = config.unwrap_or_default();
-        let sdk_delegation = sdk_delegation.inspect(|delegation| {
-            apply_sdk_delegation_overrides(&mut config, &mut typesafe_overrides, delegation);
-        });
-        let config = (!config.is_empty()).then_some(config);
         let cli_overrides = self.cli_overrides.clone();
         let cloud_requirements = self.current_cloud_requirements();
         let listener_task_context = ListenerTaskContext {
@@ -1650,12 +1838,9 @@ impl CodexMessageProcessor {
                 config,
                 typesafe_overrides,
                 dynamic_tools,
-                builtin_tools,
-                manual_tool_execution,
                 persist_extended_history,
                 service_name,
                 experimental_raw_events,
-                sdk_delegation,
             )
             .await;
         });
@@ -1670,12 +1855,9 @@ impl CodexMessageProcessor {
         config_overrides: Option<HashMap<String, serde_json::Value>>,
         typesafe_overrides: ConfigOverrides,
         dynamic_tools: Option<Vec<ApiDynamicToolSpec>>,
-        builtin_tools: Option<Vec<String>>,
-        manual_tool_execution: bool,
         persist_extended_history: bool,
         service_name: Option<String>,
         experimental_raw_events: bool,
-        sdk_delegation: Option<SdkDelegationConfig>,
     ) {
         let config = match derive_config_from_params(
             &cli_overrides,
@@ -1701,20 +1883,6 @@ impl CodexMessageProcessor {
         };
 
         let dynamic_tools = dynamic_tools.unwrap_or_default();
-        if let Some(builtin_tools) = builtin_tools.as_ref()
-            && let Err(message) = validate_builtin_tools(builtin_tools)
-        {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message,
-                data: None,
-            };
-            listener_task_context
-                .outgoing
-                .send_error(request_id, error)
-                .await;
-            return;
-        }
         let core_dynamic_tools = if dynamic_tools.is_empty() {
             Vec::new()
         } else {
@@ -1745,8 +1913,6 @@ impl CodexMessageProcessor {
             .start_thread_with_tools_and_service_name(
                 config,
                 core_dynamic_tools,
-                builtin_tools,
-                manual_tool_execution,
                 persist_extended_history,
                 service_name,
             )
@@ -1804,36 +1970,17 @@ impl CodexMessageProcessor {
                     sandbox: config_snapshot.sandbox_policy.into(),
                     reasoning_effort: config_snapshot.reasoning_effort,
                 };
-                let response_thread_id = response.thread.id.clone();
-                let response_model_provider = response.model_provider.clone();
 
                 listener_task_context
                     .outgoing
                     .send_response(request_id, response)
                     .await;
-                info!("thread/start created thread {response_thread_id}");
 
                 let notif = ThreadStartedNotification { thread };
                 listener_task_context
                     .outgoing
                     .send_server_notification(ServerNotification::ThreadStarted(notif))
                     .await;
-                info!("thread/start sent thread/started for {response_thread_id}");
-
-                if let Some(sdk_delegation) = sdk_delegation {
-                    let notification = SdkDelegationConfiguredNotification {
-                        thread_id: response_thread_id,
-                        model_provider: response_model_provider,
-                        bridge_url: sdk_delegation.bridge_url,
-                    };
-                    listener_task_context
-                        .outgoing
-                        .send_server_notification(ServerNotification::SdkDelegationConfigured(
-                            notification,
-                        ))
-                        .await;
-                    info!("thread/start sent codexSdk/delegationConfigured");
-                }
             }
             Err(err) => {
                 let error = JSONRPCErrorError {
@@ -2058,7 +2205,7 @@ impl CodexMessageProcessor {
         let loaded_thread = self.thread_manager.get_thread(thread_uuid).await.ok();
         let mut state_db_ctx = loaded_thread.as_ref().and_then(|thread| thread.state_db());
         if state_db_ctx.is_none() {
-            state_db_ctx = get_state_db(&self.config, None).await;
+            state_db_ctx = get_state_db(&self.config).await;
         }
         let Some(state_db_ctx) = state_db_ctx else {
             self.send_internal_error(
@@ -2359,7 +2506,7 @@ impl CodexMessageProcessor {
 
         let rollout_path_display = archived_path.display().to_string();
         let fallback_provider = self.config.model_provider_id.clone();
-        let state_db_ctx = get_state_db(&self.config, None).await;
+        let state_db_ctx = get_state_db(&self.config).await;
         let archived_folder = self
             .config
             .codex_home
@@ -2907,6 +3054,9 @@ impl CodexMessageProcessor {
     }
 
     pub(crate) async fn connection_closed(&mut self, connection_id: ConnectionId) {
+        self.command_exec_manager
+            .connection_closed(connection_id)
+            .await;
         self.thread_state_manager
             .remove_connection(connection_id)
             .await;
@@ -3791,7 +3941,7 @@ impl CodexMessageProcessor {
         let fallback_provider = self.config.model_provider_id.clone();
         let (allowed_sources_vec, source_kind_filter) = compute_source_filters(source_kinds);
         let allowed_sources = allowed_sources_vec.as_slice();
-        let state_db_ctx = get_state_db(&self.config, None).await;
+        let state_db_ctx = get_state_db(&self.config).await;
 
         while remaining > 0 {
             let page_size = remaining.min(THREAD_LIST_MAX_LIMIT);
@@ -4647,7 +4797,7 @@ impl CodexMessageProcessor {
         self.finalize_thread_teardown(thread_id).await;
 
         if state_db_ctx.is_none() {
-            state_db_ctx = get_state_db(&self.config, None).await;
+            state_db_ctx = get_state_db(&self.config).await;
         }
 
         // Move the rollout file to archived.
@@ -5073,6 +5223,8 @@ impl CodexMessageProcessor {
                             .plugins
                             .into_iter()
                             .map(|plugin| PluginSummary {
+                                id: plugin.id,
+                                installed: plugin.installed,
                                 enabled: plugin.enabled,
                                 name: plugin.name,
                                 source: match plugin.source {
@@ -5080,6 +5232,22 @@ impl CodexMessageProcessor {
                                         PluginSource::Local { path }
                                     }
                                 },
+                                interface: plugin.interface.map(|interface| PluginInterface {
+                                    display_name: interface.display_name,
+                                    short_description: interface.short_description,
+                                    long_description: interface.long_description,
+                                    developer_name: interface.developer_name,
+                                    category: interface.category,
+                                    capabilities: interface.capabilities,
+                                    website_url: interface.website_url,
+                                    privacy_policy_url: interface.privacy_policy_url,
+                                    terms_of_service_url: interface.terms_of_service_url,
+                                    default_prompt: interface.default_prompt,
+                                    brand_color: interface.brand_color,
+                                    composer_icon: interface.composer_icon,
+                                    logo: interface.logo,
+                                    screenshots: interface.screenshots,
+                                }),
                             })
                             .collect(),
                     })
@@ -5241,7 +5409,7 @@ impl CodexMessageProcessor {
                         self.config.as_ref().clone()
                     }
                 };
-                let plugin_apps = load_plugin_apps(&result.installed_path);
+                let plugin_apps = load_plugin_apps(result.installed_path.as_path());
                 let apps_needing_auth = if plugin_apps.is_empty()
                     || !config.features.enabled(Feature::Apps)
                 {
@@ -5305,8 +5473,7 @@ impl CodexMessageProcessor {
                     )
                 };
 
-                plugins_manager.clear_cache();
-                self.thread_manager.skills_manager().clear_cache();
+                self.clear_plugin_related_caches();
                 self.outgoing
                     .send_response(request_id, PluginInstallResponse { apps_needing_auth })
                     .await;
@@ -6390,7 +6557,7 @@ impl CodexMessageProcessor {
             if let Some(log_db) = self.log_db.as_ref() {
                 log_db.flush().await;
             }
-            let state_db_ctx = get_state_db(&self.config, None).await;
+            let state_db_ctx = get_state_db(&self.config).await;
             match (state_db_ctx.as_ref(), conversation_id) {
                 (Some(state_db_ctx), Some(conversation_id)) => {
                     let thread_id_text = conversation_id.to_string();
@@ -6486,7 +6653,10 @@ impl CodexMessageProcessor {
         let config = Arc::clone(&self.config);
         let cli_overrides = self.cli_overrides.clone();
         let cloud_requirements = self.current_cloud_requirements();
-        let command_cwd = params.cwd.unwrap_or_else(|| config.cwd.clone());
+        let command_cwd = params
+            .cwd
+            .map(PathBuf::from)
+            .unwrap_or_else(|| config.cwd.clone());
         let outgoing = Arc::clone(&self.outgoing);
         let connection_id = request_id.connection_id;
 
@@ -6928,25 +7098,6 @@ fn validate_dynamic_tools(tools: &[ApiDynamicToolSpec]) -> Result<(), String> {
     Ok(())
 }
 
-fn validate_builtin_tools(tools: &[String]) -> Result<(), String> {
-    let mut seen = HashSet::new();
-    for tool in tools {
-        let name = tool.trim();
-        if name.is_empty() {
-            return Err("builtin tool name must not be empty".to_string());
-        }
-        if name != tool {
-            return Err(format!(
-                "builtin tool name has leading/trailing whitespace: {tool}"
-            ));
-        }
-        if !seen.insert(name.to_string()) {
-            return Err(format!("duplicate builtin tool name: {name}"));
-        }
-    }
-    Ok(())
-}
-
 fn replace_cloud_requirements_loader(
     cloud_requirements: &RwLock<CloudRequirementsLoader>,
     auth_manager: Arc<AuthManager>,
@@ -7018,47 +7169,6 @@ async fn derive_config_from_params(
         .await
 }
 
-fn apply_sdk_delegation_overrides(
-    request_overrides: &mut HashMap<String, serde_json::Value>,
-    typesafe_overrides: &mut ConfigOverrides,
-    sdk_delegation: &SdkDelegationConfig,
-) {
-    let provider_id = sdk_delegation
-        .model_provider_id
-        .clone()
-        .unwrap_or_else(|| "codex-sdk-v2".to_string());
-    typesafe_overrides.model_provider = Some(provider_id.clone());
-
-    let provider_prefix = format!("model_providers.{provider_id}");
-    request_overrides.insert(
-        format!("{provider_prefix}.name"),
-        serde_json::Value::String("Codex SDK v2 Delegated Provider".to_string()),
-    );
-    request_overrides.insert(
-        format!("{provider_prefix}.base_url"),
-        serde_json::Value::String(sdk_delegation.bridge_url.clone()),
-    );
-    request_overrides.insert(
-        format!("{provider_prefix}.wire_api"),
-        serde_json::Value::String("responses".to_string()),
-    );
-    request_overrides.insert(
-        format!("{provider_prefix}.supports_websockets"),
-        serde_json::Value::Bool(false),
-    );
-    request_overrides.insert(
-        format!("{provider_prefix}.requires_openai_auth"),
-        serde_json::Value::Bool(false),
-    );
-
-    if let Some(stream_idle_timeout_ms) = sdk_delegation.stream_idle_timeout_ms {
-        request_overrides.insert(
-            format!("{provider_prefix}.stream_idle_timeout_ms"),
-            serde_json::Value::Number(stream_idle_timeout_ms.into()),
-        );
-    }
-}
-
 async fn derive_config_for_cwd(
     cli_overrides: &[(String, TomlValue)],
     request_overrides: Option<HashMap<String, serde_json::Value>>,
@@ -7091,7 +7201,7 @@ async fn read_history_cwd_from_state_db(
     thread_id: Option<ThreadId>,
     rollout_path: &Path,
 ) -> Option<PathBuf> {
-    if let Some(state_db_ctx) = get_state_db(config, None).await
+    if let Some(state_db_ctx) = get_state_db(config).await
         && let Some(thread_id) = thread_id
         && let Ok(Some(metadata)) = state_db_ctx.get_thread(thread_id).await
     {
@@ -7112,7 +7222,7 @@ async fn read_summary_from_state_db_by_thread_id(
     config: &Config,
     thread_id: ThreadId,
 ) -> Option<ConversationSummary> {
-    let state_db_ctx = get_state_db(config, None).await;
+    let state_db_ctx = get_state_db(config).await;
     read_summary_from_state_db_context_by_thread_id(state_db_ctx.as_ref(), thread_id).await
 }
 

codex-rs/app-server/src/config_api.rs

@@ -1,5 +1,6 @@
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
+use async_trait::async_trait;
 use codex_app_server_protocol::ConfigBatchWriteParams;
 use codex_app_server_protocol::ConfigReadParams;
 use codex_app_server_protocol::ConfigReadResponse;
@@ -11,6 +12,7 @@ use codex_app_server_protocol::ConfigWriteResponse;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::NetworkRequirements;
 use codex_app_server_protocol::SandboxMode;
+use codex_core::ThreadManager;
 use codex_core::config::ConfigService;
 use codex_core::config::ConfigServiceError;
 use codex_core::config_loader::CloudRequirementsLoader;
@@ -19,11 +21,33 @@ use codex_core::config_loader::LoaderOverrides;
 use codex_core::config_loader::ResidencyRequirement as CoreResidencyRequirement;
 use codex_core::config_loader::SandboxModeRequirement as CoreSandboxModeRequirement;
 use codex_protocol::config_types::WebSearchMode;
+use codex_protocol::protocol::Op;
 use serde_json::json;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::RwLock;
 use toml::Value as TomlValue;
+use tracing::warn;
+
+#[async_trait]
+pub(crate) trait UserConfigReloader: Send + Sync {
+    async fn reload_user_config(&self);
+}
+
+#[async_trait]
+impl UserConfigReloader for ThreadManager {
+    async fn reload_user_config(&self) {
+        let thread_ids = self.list_thread_ids().await;
+        for thread_id in thread_ids {
+            let Ok(thread) = self.get_thread(thread_id).await else {
+                continue;
+            };
+            if let Err(err) = thread.submit(Op::ReloadUserConfig).await {
+                warn!("failed to request user config reload: {err}");
+            }
+        }
+    }
+}
 
 #[derive(Clone)]
 pub(crate) struct ConfigApi {
@@ -31,6 +55,7 @@ pub(crate) struct ConfigApi {
     cli_overrides: Vec<(String, TomlValue)>,
     loader_overrides: LoaderOverrides,
     cloud_requirements: Arc<RwLock<CloudRequirementsLoader>>,
+    user_config_reloader: Arc<dyn UserConfigReloader>,
 }
 
 impl ConfigApi {
@@ -39,12 +64,14 @@ impl ConfigApi {
         cli_overrides: Vec<(String, TomlValue)>,
         loader_overrides: LoaderOverrides,
         cloud_requirements: Arc<RwLock<CloudRequirementsLoader>>,
+        user_config_reloader: Arc<dyn UserConfigReloader>,
     ) -> Self {
         Self {
             codex_home,
             cli_overrides,
             loader_overrides,
             cloud_requirements,
+            user_config_reloader,
         }
     }
 
@@ -96,10 +123,16 @@ impl ConfigApi {
         &self,
         params: ConfigBatchWriteParams,
     ) -> Result<ConfigWriteResponse, JSONRPCErrorError> {
-        self.config_service()
+        let reload_user_config = params.reload_user_config;
+        let response = self
+            .config_service()
             .batch_write(params)
             .await
-            .map_err(map_error)
+            .map_err(map_error)?;
+        if reload_user_config {
+            self.user_config_reloader.reload_user_config().await;
+        }
+        Ok(response)
     }
 }
 
@@ -199,6 +232,22 @@ mod tests {
     use codex_core::config_loader::NetworkRequirementsToml as CoreNetworkRequirementsToml;
     use codex_protocol::protocol::AskForApproval as CoreAskForApproval;
     use pretty_assertions::assert_eq;
+    use serde_json::json;
+    use std::sync::atomic::AtomicUsize;
+    use std::sync::atomic::Ordering;
+    use tempfile::TempDir;
+
+    #[derive(Default)]
+    struct RecordingUserConfigReloader {
+        call_count: AtomicUsize,
+    }
+
+    #[async_trait]
+    impl UserConfigReloader for RecordingUserConfigReloader {
+        async fn reload_user_config(&self) {
+            self.call_count.fetch_add(1, Ordering::Relaxed);
+        }
+    }
 
     #[test]
     fn map_requirements_toml_to_api_converts_core_enums() {
@@ -231,6 +280,7 @@ mod tests {
                 dangerously_allow_non_loopback_proxy: Some(false),
                 dangerously_allow_all_unix_sockets: Some(true),
                 allowed_domains: Some(vec!["api.openai.com".to_string()]),
+                managed_allowed_domains_only: Some(false),
                 denied_domains: Some(vec!["example.com".to_string()]),
                 allow_unix_sockets: Some(vec!["/tmp/proxy.sock".to_string()]),
                 allow_local_binding: Some(true),
@@ -302,4 +352,51 @@ mod tests {
             Some(vec![WebSearchMode::Disabled])
         );
     }
+
+    #[tokio::test]
+    async fn batch_write_reloads_user_config_when_requested() {
+        let codex_home = TempDir::new().expect("create temp dir");
+        let user_config_path = codex_home.path().join("config.toml");
+        std::fs::write(&user_config_path, "").expect("write config");
+        let reloader = Arc::new(RecordingUserConfigReloader::default());
+        let config_api = ConfigApi::new(
+            codex_home.path().to_path_buf(),
+            Vec::new(),
+            LoaderOverrides::default(),
+            Arc::new(RwLock::new(CloudRequirementsLoader::default())),
+            reloader.clone(),
+        );
+
+        let response = config_api
+            .batch_write(ConfigBatchWriteParams {
+                edits: vec![codex_app_server_protocol::ConfigEdit {
+                    key_path: "model".to_string(),
+                    value: json!("gpt-5"),
+                    merge_strategy: codex_app_server_protocol::MergeStrategy::Replace,
+                }],
+                file_path: Some(user_config_path.display().to_string()),
+                expected_version: None,
+                reload_user_config: true,
+            })
+            .await
+            .expect("batch write should succeed");
+
+        assert_eq!(
+            response,
+            ConfigWriteResponse {
+                status: codex_app_server_protocol::WriteStatus::Ok,
+                version: response.version.clone(),
+                file_path: codex_utils_absolute_path::AbsolutePathBuf::try_from(
+                    user_config_path.clone()
+                )
+                .expect("absolute config path"),
+                overridden_metadata: None,
+            }
+        );
+        assert_eq!(
+            std::fs::read_to_string(user_config_path).unwrap(),
+            "model = \"gpt-5\"\n"
+        );
+        assert_eq!(reloader.call_count.load(Ordering::Relaxed), 1);
+    }
 }

codex-rs/app-server/src/in_process.rs

@@ -0,0 +1,884 @@
+//! In-process app-server runtime host for local embedders.
+//!
+//! This module runs the existing [`MessageProcessor`] and outbound routing logic
+//! on Tokio tasks, but replaces socket/stdio transports with bounded in-memory
+//! channels. The intent is to preserve app-server semantics while avoiding a
+//! process boundary for CLI surfaces that run in the same process.
+//!
+//! # Lifecycle
+//!
+//! 1. Construct runtime state with [`InProcessStartArgs`].
+//! 2. Call [`start`], which performs the `initialize` / `initialized` handshake
+//!    internally and returns a ready-to-use [`InProcessClientHandle`].
+//! 3. Send requests via [`InProcessClientHandle::request`], notifications via
+//!    [`InProcessClientHandle::notify`], and consume events via
+//!    [`InProcessClientHandle::next_event`].
+//! 4. Terminate with [`InProcessClientHandle::shutdown`].
+//!
+//! # Transport model
+//!
+//! The runtime is transport-local but not protocol-free. Incoming requests are
+//! typed [`ClientRequest`] values, yet responses still come back through the
+//! same JSON-RPC result envelope that `MessageProcessor` uses for stdio and
+//! websocket transports. This keeps in-process behavior aligned with
+//! app-server rather than creating a second execution contract.
+//!
+//! # Backpressure
+//!
+//! Command submission uses `try_send` and can return `WouldBlock`, while event
+//! fanout may drop notifications under saturation. Server requests are never
+//! silently abandoned: if they cannot be queued they are failed back into
+//! `MessageProcessor` with overload or internal errors so approval flows do
+//! not hang indefinitely.
+//!
+//! # Relationship to `codex-app-server-client`
+//!
+//! This module provides the low-level runtime handle ([`InProcessClientHandle`]).
+//! Higher-level callers (TUI, exec) should go through `codex-app-server-client`,
+//! which wraps this module behind a worker task with async request/response
+//! helpers, surface-specific startup policy, and bounded shutdown.
+
+use std::collections::HashMap;
+use std::collections::HashSet;
+use std::collections::hash_map::Entry;
+use std::io::Error as IoError;
+use std::io::ErrorKind;
+use std::io::Result as IoResult;
+use std::sync::Arc;
+use std::sync::RwLock;
+use std::sync::atomic::AtomicBool;
+use std::sync::atomic::Ordering;
+use std::time::Duration;
+
+use crate::error_code::INTERNAL_ERROR_CODE;
+use crate::error_code::INVALID_REQUEST_ERROR_CODE;
+use crate::error_code::OVERLOADED_ERROR_CODE;
+use crate::message_processor::ConnectionSessionState;
+use crate::message_processor::MessageProcessor;
+use crate::message_processor::MessageProcessorArgs;
+use crate::outgoing_message::ConnectionId;
+use crate::outgoing_message::OutgoingEnvelope;
+use crate::outgoing_message::OutgoingMessage;
+use crate::outgoing_message::OutgoingMessageSender;
+use crate::transport::CHANNEL_CAPACITY;
+use crate::transport::OutboundConnectionState;
+use crate::transport::route_outgoing_envelope;
+use codex_app_server_protocol::ClientNotification;
+use codex_app_server_protocol::ClientRequest;
+use codex_app_server_protocol::ConfigWarningNotification;
+use codex_app_server_protocol::InitializeParams;
+use codex_app_server_protocol::JSONRPCErrorError;
+use codex_app_server_protocol::JSONRPCNotification;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::Result;
+use codex_app_server_protocol::ServerNotification;
+use codex_app_server_protocol::ServerRequest;
+use codex_arg0::Arg0DispatchPaths;
+use codex_core::config::Config;
+use codex_core::config_loader::CloudRequirementsLoader;
+use codex_core::config_loader::LoaderOverrides;
+use codex_feedback::CodexFeedback;
+use codex_protocol::protocol::SessionSource;
+use tokio::sync::mpsc;
+use tokio::sync::oneshot;
+use tokio::time::timeout;
+use toml::Value as TomlValue;
+use tracing::warn;
+
+const IN_PROCESS_CONNECTION_ID: ConnectionId = ConnectionId(0);
+const SHUTDOWN_TIMEOUT: Duration = Duration::from_secs(5);
+/// Default bounded channel capacity for in-process runtime queues.
+pub const DEFAULT_IN_PROCESS_CHANNEL_CAPACITY: usize = CHANNEL_CAPACITY;
+
+type PendingClientRequestResponse = std::result::Result<Result, JSONRPCErrorError>;
+
+fn server_notification_requires_delivery(notification: &ServerNotification) -> bool {
+    matches!(notification, ServerNotification::TurnCompleted(_))
+}
+
+fn legacy_notification_requires_delivery(notification: &JSONRPCNotification) -> bool {
+    matches!(
+        notification
+            .method
+            .strip_prefix("codex/event/")
+            .unwrap_or(&notification.method),
+        "task_complete" | "turn_aborted" | "shutdown_complete"
+    )
+}
+
+/// Input needed to start an in-process app-server runtime.
+///
+/// These fields mirror the pieces of ambient process state that stdio and
+/// websocket transports normally assemble before `MessageProcessor` starts.
+#[derive(Clone)]
+pub struct InProcessStartArgs {
+    /// Resolved argv0 dispatch paths used by command execution internals.
+    pub arg0_paths: Arg0DispatchPaths,
+    /// Shared base config used to initialize core components.
+    pub config: Arc<Config>,
+    /// CLI config overrides that are already parsed into TOML values.
+    pub cli_overrides: Vec<(String, TomlValue)>,
+    /// Loader override knobs used by config API paths.
+    pub loader_overrides: LoaderOverrides,
+    /// Preloaded cloud requirements provider.
+    pub cloud_requirements: CloudRequirementsLoader,
+    /// Feedback sink used by app-server/core telemetry and logs.
+    pub feedback: CodexFeedback,
+    /// Startup warnings emitted after initialize succeeds.
+    pub config_warnings: Vec<ConfigWarningNotification>,
+    /// Session source stamped into thread/session metadata.
+    pub session_source: SessionSource,
+    /// Whether auth loading should honor the `CODEX_API_KEY` environment variable.
+    pub enable_codex_api_key_env: bool,
+    /// Initialize params used for initial handshake.
+    pub initialize: InitializeParams,
+    /// Capacity used for all runtime queues (clamped to at least 1).
+    pub channel_capacity: usize,
+}
+
+/// Event emitted from the app-server to the in-process client.
+///
+/// The stream carries three event families because CLI surfaces are mid-migration
+/// from the legacy `codex_protocol::Event` model to the typed app-server
+/// notification model. Once all surfaces consume only [`ServerNotification`],
+/// [`LegacyNotification`](Self::LegacyNotification) can be removed.
+///
+/// [`Lagged`](Self::Lagged) is a transport health marker, not an application
+/// event — it signals that the consumer fell behind and some events were dropped.
+#[derive(Debug, Clone)]
+pub enum InProcessServerEvent {
+    /// Server request that requires client response/rejection.
+    ServerRequest(ServerRequest),
+    /// App-server notification directed to the embedded client.
+    ServerNotification(ServerNotification),
+    /// Legacy JSON-RPC notification from core event bridge.
+    LegacyNotification(JSONRPCNotification),
+    /// Indicates one or more events were dropped due to backpressure.
+    Lagged { skipped: usize },
+}
+
+/// Internal message sent from [`InProcessClientHandle`] methods to the runtime task.
+///
+/// Requests carry a oneshot sender for the response; notifications and server-request
+/// replies are fire-and-forget from the caller's perspective (transport errors are
+/// caught by `try_send` on the outer channel).
+enum InProcessClientMessage {
+    Request {
+        request: Box<ClientRequest>,
+        response_tx: oneshot::Sender<PendingClientRequestResponse>,
+    },
+    Notification {
+        notification: ClientNotification,
+    },
+    ServerRequestResponse {
+        request_id: RequestId,
+        result: Result,
+    },
+    ServerRequestError {
+        request_id: RequestId,
+        error: JSONRPCErrorError,
+    },
+    Shutdown {
+        done_tx: oneshot::Sender<()>,
+    },
+}
+
+enum ProcessorCommand {
+    Request(Box<ClientRequest>),
+    Notification(ClientNotification),
+}
+
+#[derive(Clone)]
+pub struct InProcessClientSender {
+    client_tx: mpsc::Sender<InProcessClientMessage>,
+}
+
+impl InProcessClientSender {
+    pub async fn request(&self, request: ClientRequest) -> IoResult<PendingClientRequestResponse> {
+        let (response_tx, response_rx) = oneshot::channel();
+        self.try_send_client_message(InProcessClientMessage::Request {
+            request: Box::new(request),
+            response_tx,
+        })?;
+        response_rx.await.map_err(|err| {
+            IoError::new(
+                ErrorKind::BrokenPipe,
+                format!("in-process request response channel closed: {err}"),
+            )
+        })
+    }
+
+    pub fn notify(&self, notification: ClientNotification) -> IoResult<()> {
+        self.try_send_client_message(InProcessClientMessage::Notification { notification })
+    }
+
+    pub fn respond_to_server_request(&self, request_id: RequestId, result: Result) -> IoResult<()> {
+        self.try_send_client_message(InProcessClientMessage::ServerRequestResponse {
+            request_id,
+            result,
+        })
+    }
+
+    pub fn fail_server_request(
+        &self,
+        request_id: RequestId,
+        error: JSONRPCErrorError,
+    ) -> IoResult<()> {
+        self.try_send_client_message(InProcessClientMessage::ServerRequestError {
+            request_id,
+            error,
+        })
+    }
+
+    fn try_send_client_message(&self, message: InProcessClientMessage) -> IoResult<()> {
+        match self.client_tx.try_send(message) {
+            Ok(()) => Ok(()),
+            Err(mpsc::error::TrySendError::Full(_)) => Err(IoError::new(
+                ErrorKind::WouldBlock,
+                "in-process app-server client queue is full",
+            )),
+            Err(mpsc::error::TrySendError::Closed(_)) => Err(IoError::new(
+                ErrorKind::BrokenPipe,
+                "in-process app-server runtime is closed",
+            )),
+        }
+    }
+}
+
+/// Handle used by an in-process client to call app-server and consume events.
+///
+/// This is the low-level runtime handle. Higher-level callers should usually go
+/// through `codex-app-server-client`, which adds worker-task buffering,
+/// request/response helpers, and surface-specific startup policy.
+pub struct InProcessClientHandle {
+    client: InProcessClientSender,
+    event_rx: mpsc::Receiver<InProcessServerEvent>,
+    runtime_handle: tokio::task::JoinHandle<()>,
+}
+
+impl InProcessClientHandle {
+    /// Sends a typed client request into the in-process runtime.
+    ///
+    /// The returned value is a transport-level `IoResult` containing either a
+    /// JSON-RPC success payload or JSON-RPC error payload. Callers must keep
+    /// request IDs unique among concurrent requests; reusing an in-flight ID
+    /// produces an `INVALID_REQUEST` response and can make request routing
+    /// ambiguous in the caller.
+    pub async fn request(&self, request: ClientRequest) -> IoResult<PendingClientRequestResponse> {
+        self.client.request(request).await
+    }
+
+    /// Sends a typed client notification into the in-process runtime.
+    ///
+    /// Notifications do not have an application-level response. Transport
+    /// errors indicate queue saturation or closed runtime.
+    pub fn notify(&self, notification: ClientNotification) -> IoResult<()> {
+        self.client.notify(notification)
+    }
+
+    /// Resolves a pending [`ServerRequest`](InProcessServerEvent::ServerRequest).
+    ///
+    /// This should be used only with request IDs received from the current
+    /// runtime event stream; sending arbitrary IDs has no effect on app-server
+    /// state and can mask a stuck approval flow in the caller.
+    pub fn respond_to_server_request(&self, request_id: RequestId, result: Result) -> IoResult<()> {
+        self.client.respond_to_server_request(request_id, result)
+    }
+
+    /// Rejects a pending [`ServerRequest`](InProcessServerEvent::ServerRequest).
+    ///
+    /// Use this when the embedder cannot satisfy a server request; leaving
+    /// requests unanswered can stall turn progress.
+    pub fn fail_server_request(
+        &self,
+        request_id: RequestId,
+        error: JSONRPCErrorError,
+    ) -> IoResult<()> {
+        self.client.fail_server_request(request_id, error)
+    }
+
+    /// Receives the next server event from the in-process runtime.
+    ///
+    /// Returns `None` when the runtime task exits and no more events are
+    /// available.
+    pub async fn next_event(&mut self) -> Option<InProcessServerEvent> {
+        self.event_rx.recv().await
+    }
+
+    /// Requests runtime shutdown and waits for worker termination.
+    ///
+    /// Shutdown is bounded by internal timeouts and may abort background tasks
+    /// if graceful drain does not complete in time.
+    pub async fn shutdown(self) -> IoResult<()> {
+        let mut runtime_handle = self.runtime_handle;
+        let (done_tx, done_rx) = oneshot::channel();
+
+        if self
+            .client
+            .client_tx
+            .send(InProcessClientMessage::Shutdown { done_tx })
+            .await
+            .is_ok()
+        {
+            let _ = timeout(SHUTDOWN_TIMEOUT, done_rx).await;
+        }
+
+        if let Err(_elapsed) = timeout(SHUTDOWN_TIMEOUT, &mut runtime_handle).await {
+            runtime_handle.abort();
+            let _ = runtime_handle.await;
+        }
+        Ok(())
+    }
+
+    pub fn sender(&self) -> InProcessClientSender {
+        self.client.clone()
+    }
+}
+
+/// Starts an in-process app-server runtime and performs initialize handshake.
+///
+/// This function sends `initialize` followed by `initialized` before returning
+/// the handle, so callers receive a ready-to-use runtime. If initialize fails,
+/// the runtime is shut down and an `InvalidData` error is returned.
+pub async fn start(args: InProcessStartArgs) -> IoResult<InProcessClientHandle> {
+    let initialize = args.initialize.clone();
+    let client = start_uninitialized(args);
+
+    let initialize_response = client
+        .request(ClientRequest::Initialize {
+            request_id: RequestId::Integer(0),
+            params: initialize,
+        })
+        .await?;
+    if let Err(error) = initialize_response {
+        let _ = client.shutdown().await;
+        return Err(IoError::new(
+            ErrorKind::InvalidData,
+            format!("in-process initialize failed: {}", error.message),
+        ));
+    }
+    client.notify(ClientNotification::Initialized)?;
+
+    Ok(client)
+}
+
+fn start_uninitialized(args: InProcessStartArgs) -> InProcessClientHandle {
+    let channel_capacity = args.channel_capacity.max(1);
+    let (client_tx, mut client_rx) = mpsc::channel::<InProcessClientMessage>(channel_capacity);
+    let (event_tx, event_rx) = mpsc::channel::<InProcessServerEvent>(channel_capacity);
+
+    let runtime_handle = tokio::spawn(async move {
+        let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingEnvelope>(channel_capacity);
+        let outgoing_message_sender = Arc::new(OutgoingMessageSender::new(outgoing_tx));
+
+        let (writer_tx, mut writer_rx) = mpsc::channel::<OutgoingMessage>(channel_capacity);
+        let outbound_initialized = Arc::new(AtomicBool::new(false));
+        let outbound_experimental_api_enabled = Arc::new(AtomicBool::new(false));
+        let outbound_opted_out_notification_methods = Arc::new(RwLock::new(HashSet::new()));
+
+        let mut outbound_connections = HashMap::<ConnectionId, OutboundConnectionState>::new();
+        outbound_connections.insert(
+            IN_PROCESS_CONNECTION_ID,
+            OutboundConnectionState::new(
+                writer_tx,
+                Arc::clone(&outbound_initialized),
+                Arc::clone(&outbound_experimental_api_enabled),
+                Arc::clone(&outbound_opted_out_notification_methods),
+                None,
+            ),
+        );
+        let mut outbound_handle = tokio::spawn(async move {
+            while let Some(envelope) = outgoing_rx.recv().await {
+                route_outgoing_envelope(&mut outbound_connections, envelope).await;
+            }
+        });
+
+        let processor_outgoing = Arc::clone(&outgoing_message_sender);
+        let (processor_tx, mut processor_rx) = mpsc::channel::<ProcessorCommand>(channel_capacity);
+        let mut processor_handle = tokio::spawn(async move {
+            let mut processor = MessageProcessor::new(MessageProcessorArgs {
+                outgoing: Arc::clone(&processor_outgoing),
+                arg0_paths: args.arg0_paths,
+                config: args.config,
+                cli_overrides: args.cli_overrides,
+                loader_overrides: args.loader_overrides,
+                cloud_requirements: args.cloud_requirements,
+                feedback: args.feedback,
+                log_db: None,
+                config_warnings: args.config_warnings,
+                session_source: args.session_source,
+                enable_codex_api_key_env: args.enable_codex_api_key_env,
+            });
+            let mut thread_created_rx = processor.thread_created_receiver();
+            let mut session = ConnectionSessionState::default();
+            let mut listen_for_threads = true;
+
+            loop {
+                tokio::select! {
+                    command = processor_rx.recv() => {
+                        match command {
+                            Some(ProcessorCommand::Request(request)) => {
+                                let was_initialized = session.initialized;
+                                processor
+                                    .process_client_request(
+                                        IN_PROCESS_CONNECTION_ID,
+                                        *request,
+                                        &mut session,
+                                        &outbound_initialized,
+                                    )
+                                    .await;
+                                if let Ok(mut opted_out_notification_methods) =
+                                    outbound_opted_out_notification_methods.write()
+                                {
+                                    *opted_out_notification_methods =
+                                        session.opted_out_notification_methods.clone();
+                                } else {
+                                    warn!("failed to update outbound opted-out notifications");
+                                }
+                                outbound_experimental_api_enabled.store(
+                                    session.experimental_api_enabled,
+                                    Ordering::Release,
+                                );
+                                if !was_initialized && session.initialized {
+                                    processor.send_initialize_notifications().await;
+                                }
+                            }
+                            Some(ProcessorCommand::Notification(notification)) => {
+                                processor.process_client_notification(notification).await;
+                            }
+                            None => {
+                                break;
+                            }
+                        }
+                    }
+                    created = thread_created_rx.recv(), if listen_for_threads => {
+                        match created {
+                            Ok(thread_id) => {
+                                let connection_ids = if session.initialized {
+                                    vec![IN_PROCESS_CONNECTION_ID]
+                                } else {
+                                    Vec::<ConnectionId>::new()
+                                };
+                                processor
+                                    .try_attach_thread_listener(thread_id, connection_ids)
+                                    .await;
+                            }
+                            Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => {
+                                warn!("thread_created receiver lagged; skipping resync");
+                            }
+                            Err(tokio::sync::broadcast::error::RecvError::Closed) => {
+                                listen_for_threads = false;
+                            }
+                        }
+                    }
+                }
+            }
+
+            processor.connection_closed(IN_PROCESS_CONNECTION_ID).await;
+        });
+        let mut pending_request_responses =
+            HashMap::<RequestId, oneshot::Sender<PendingClientRequestResponse>>::new();
+        let mut shutdown_ack = None;
+
+        loop {
+            tokio::select! {
+                message = client_rx.recv() => {
+                    match message {
+                        Some(InProcessClientMessage::Request { request, response_tx }) => {
+                            let request = *request;
+                            let request_id = request.id().clone();
+                            match pending_request_responses.entry(request_id.clone()) {
+                                Entry::Vacant(entry) => {
+                                    entry.insert(response_tx);
+                                }
+                                Entry::Occupied(_) => {
+                                    let _ = response_tx.send(Err(JSONRPCErrorError {
+                                        code: INVALID_REQUEST_ERROR_CODE,
+                                        message: format!("duplicate request id: {request_id:?}"),
+                                        data: None,
+                                    }));
+                                    continue;
+                                }
+                            }
+
+                            match processor_tx.try_send(ProcessorCommand::Request(Box::new(request))) {
+                                Ok(()) => {}
+                                Err(mpsc::error::TrySendError::Full(_)) => {
+                                    if let Some(response_tx) =
+                                        pending_request_responses.remove(&request_id)
+                                    {
+                                        let _ = response_tx.send(Err(JSONRPCErrorError {
+                                            code: OVERLOADED_ERROR_CODE,
+                                            message: "in-process app-server request queue is full"
+                                                .to_string(),
+                                            data: None,
+                                        }));
+                                    }
+                                }
+                                Err(mpsc::error::TrySendError::Closed(_)) => {
+                                    if let Some(response_tx) =
+                                        pending_request_responses.remove(&request_id)
+                                    {
+                                        let _ = response_tx.send(Err(JSONRPCErrorError {
+                                            code: INTERNAL_ERROR_CODE,
+                                            message:
+                                                "in-process app-server request processor is closed"
+                                                    .to_string(),
+                                            data: None,
+                                        }));
+                                    }
+                                    break;
+                                }
+                            }
+                        }
+                        Some(InProcessClientMessage::Notification { notification }) => {
+                            match processor_tx.try_send(ProcessorCommand::Notification(notification)) {
+                                Ok(()) => {}
+                                Err(mpsc::error::TrySendError::Full(_)) => {
+                                    warn!("dropping in-process client notification (queue full)");
+                                }
+                                Err(mpsc::error::TrySendError::Closed(_)) => {
+                                    break;
+                                }
+                            }
+                        }
+                        Some(InProcessClientMessage::ServerRequestResponse { request_id, result }) => {
+                            outgoing_message_sender
+                                .notify_client_response(request_id, result)
+                                .await;
+                        }
+                        Some(InProcessClientMessage::ServerRequestError { request_id, error }) => {
+                            outgoing_message_sender
+                                .notify_client_error(request_id, error)
+                                .await;
+                        }
+                        Some(InProcessClientMessage::Shutdown { done_tx }) => {
+                            shutdown_ack = Some(done_tx);
+                            break;
+                        }
+                        None => {
+                            break;
+                        }
+                    }
+                }
+                outgoing_message = writer_rx.recv() => {
+                    let Some(outgoing_message) = outgoing_message else {
+                        break;
+                    };
+                    match outgoing_message {
+                        OutgoingMessage::Response(response) => {
+                            if let Some(response_tx) = pending_request_responses.remove(&response.id) {
+                                let _ = response_tx.send(Ok(response.result));
+                            } else {
+                                warn!(
+                                    request_id = ?response.id,
+                                    "dropping unmatched in-process response"
+                                );
+                            }
+                        }
+                        OutgoingMessage::Error(error) => {
+                            if let Some(response_tx) = pending_request_responses.remove(&error.id) {
+                                let _ = response_tx.send(Err(error.error));
+                            } else {
+                                warn!(
+                                    request_id = ?error.id,
+                                    "dropping unmatched in-process error response"
+                                );
+                            }
+                        }
+                        OutgoingMessage::Request(request) => {
+                            // Send directly to avoid cloning; on failure the
+                            // original value is returned inside the error.
+                            if let Err(send_error) = event_tx
+                                .try_send(InProcessServerEvent::ServerRequest(request))
+                            {
+                                let (code, message, inner) = match send_error {
+                                    mpsc::error::TrySendError::Full(inner) => (
+                                        OVERLOADED_ERROR_CODE,
+                                        "in-process server request queue is full",
+                                        inner,
+                                    ),
+                                    mpsc::error::TrySendError::Closed(inner) => (
+                                        INTERNAL_ERROR_CODE,
+                                        "in-process server request consumer is closed",
+                                        inner,
+                                    ),
+                                };
+                                let request_id = match inner {
+                                    InProcessServerEvent::ServerRequest(req) => req.id().clone(),
+                                    _ => unreachable!("we just sent a ServerRequest variant"),
+                                };
+                                outgoing_message_sender
+                                    .notify_client_error(
+                                        request_id,
+                                        JSONRPCErrorError {
+                                            code,
+                                            message: message.to_string(),
+                                            data: None,
+                                        },
+                                    )
+                                    .await;
+                            }
+                        }
+                        OutgoingMessage::AppServerNotification(notification) => {
+                            if server_notification_requires_delivery(&notification) {
+                                if event_tx
+                                    .send(InProcessServerEvent::ServerNotification(notification))
+                                    .await
+                                    .is_err()
+                                {
+                                    break;
+                                }
+                            } else if let Err(send_error) =
+                                event_tx.try_send(InProcessServerEvent::ServerNotification(notification))
+                            {
+                                match send_error {
+                                    mpsc::error::TrySendError::Full(_) => {
+                                        warn!("dropping in-process server notification (queue full)");
+                                    }
+                                    mpsc::error::TrySendError::Closed(_) => {
+                                        break;
+                                    }
+                                }
+                            }
+                        }
+                        OutgoingMessage::Notification(notification) => {
+                            let notification = JSONRPCNotification {
+                                method: notification.method,
+                                params: notification.params,
+                            };
+                            if legacy_notification_requires_delivery(&notification) {
+                                if event_tx
+                                    .send(InProcessServerEvent::LegacyNotification(notification))
+                                    .await
+                                    .is_err()
+                                {
+                                    break;
+                                }
+                            } else if let Err(send_error) =
+                                event_tx.try_send(InProcessServerEvent::LegacyNotification(notification))
+                            {
+                                match send_error {
+                                    mpsc::error::TrySendError::Full(_) => {
+                                        warn!("dropping in-process legacy notification (queue full)");
+                                    }
+                                    mpsc::error::TrySendError::Closed(_) => {
+                                        break;
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        drop(writer_rx);
+        drop(processor_tx);
+        outgoing_message_sender
+            .cancel_all_requests(Some(JSONRPCErrorError {
+                code: INTERNAL_ERROR_CODE,
+                message: "in-process app-server runtime is shutting down".to_string(),
+                data: None,
+            }))
+            .await;
+        // Drop the runtime's last sender before awaiting the router task so
+        // `outgoing_rx.recv()` can observe channel closure and exit cleanly.
+        drop(outgoing_message_sender);
+        for (_, response_tx) in pending_request_responses {
+            let _ = response_tx.send(Err(JSONRPCErrorError {
+                code: INTERNAL_ERROR_CODE,
+                message: "in-process app-server runtime is shutting down".to_string(),
+                data: None,
+            }));
+        }
+
+        if let Err(_elapsed) = timeout(SHUTDOWN_TIMEOUT, &mut processor_handle).await {
+            processor_handle.abort();
+            let _ = processor_handle.await;
+        }
+        if let Err(_elapsed) = timeout(SHUTDOWN_TIMEOUT, &mut outbound_handle).await {
+            outbound_handle.abort();
+            let _ = outbound_handle.await;
+        }
+
+        if let Some(done_tx) = shutdown_ack {
+            let _ = done_tx.send(());
+        }
+    });
+
+    InProcessClientHandle {
+        client: InProcessClientSender { client_tx },
+        event_rx,
+        runtime_handle,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_app_server_protocol::ClientInfo;
+    use codex_app_server_protocol::ConfigRequirementsReadResponse;
+    use codex_app_server_protocol::SessionSource as ApiSessionSource;
+    use codex_app_server_protocol::ThreadStartParams;
+    use codex_app_server_protocol::ThreadStartResponse;
+    use codex_app_server_protocol::Turn;
+    use codex_app_server_protocol::TurnCompletedNotification;
+    use codex_app_server_protocol::TurnStatus;
+    use codex_core::config::ConfigBuilder;
+    use pretty_assertions::assert_eq;
+
+    async fn build_test_config() -> Config {
+        match ConfigBuilder::default().build().await {
+            Ok(config) => config,
+            Err(_) => Config::load_default_with_cli_overrides(Vec::new())
+                .expect("default config should load"),
+        }
+    }
+
+    async fn start_test_client_with_capacity(
+        session_source: SessionSource,
+        channel_capacity: usize,
+    ) -> InProcessClientHandle {
+        let args = InProcessStartArgs {
+            arg0_paths: Arg0DispatchPaths::default(),
+            config: Arc::new(build_test_config().await),
+            cli_overrides: Vec::new(),
+            loader_overrides: LoaderOverrides::default(),
+            cloud_requirements: CloudRequirementsLoader::default(),
+            feedback: CodexFeedback::new(),
+            config_warnings: Vec::new(),
+            session_source,
+            enable_codex_api_key_env: false,
+            initialize: InitializeParams {
+                client_info: ClientInfo {
+                    name: "codex-in-process-test".to_string(),
+                    title: None,
+                    version: "0.0.0".to_string(),
+                },
+                capabilities: None,
+            },
+            channel_capacity,
+        };
+        start(args).await.expect("in-process runtime should start")
+    }
+
+    async fn start_test_client(session_source: SessionSource) -> InProcessClientHandle {
+        start_test_client_with_capacity(session_source, DEFAULT_IN_PROCESS_CHANNEL_CAPACITY).await
+    }
+
+    #[tokio::test]
+    async fn in_process_start_initializes_and_handles_typed_v2_request() {
+        let client = start_test_client(SessionSource::Cli).await;
+        let response = client
+            .request(ClientRequest::ConfigRequirementsRead {
+                request_id: RequestId::Integer(1),
+                params: None,
+            })
+            .await
+            .expect("request transport should work")
+            .expect("request should succeed");
+        assert!(response.is_object());
+
+        let _parsed: ConfigRequirementsReadResponse =
+            serde_json::from_value(response).expect("response should match v2 schema");
+        client
+            .shutdown()
+            .await
+            .expect("in-process runtime should shutdown cleanly");
+    }
+
+    #[tokio::test]
+    async fn in_process_start_uses_requested_session_source_for_thread_start() {
+        for (requested_source, expected_source) in [
+            (SessionSource::Cli, ApiSessionSource::Cli),
+            (SessionSource::Exec, ApiSessionSource::Exec),
+        ] {
+            let client = start_test_client(requested_source).await;
+            let response = client
+                .request(ClientRequest::ThreadStart {
+                    request_id: RequestId::Integer(2),
+                    params: ThreadStartParams {
+                        ephemeral: Some(true),
+                        ..ThreadStartParams::default()
+                    },
+                })
+                .await
+                .expect("request transport should work")
+                .expect("thread/start should succeed");
+            let parsed: ThreadStartResponse =
+                serde_json::from_value(response).expect("thread/start response should parse");
+            assert_eq!(parsed.thread.source, expected_source);
+            client
+                .shutdown()
+                .await
+                .expect("in-process runtime should shutdown cleanly");
+        }
+    }
+
+    #[tokio::test]
+    async fn in_process_start_clamps_zero_channel_capacity() {
+        let client = start_test_client_with_capacity(SessionSource::Cli, 0).await;
+        let response = loop {
+            match client
+                .request(ClientRequest::ConfigRequirementsRead {
+                    request_id: RequestId::Integer(4),
+                    params: None,
+                })
+                .await
+            {
+                Ok(response) => break response.expect("request should succeed"),
+                Err(err) if err.kind() == std::io::ErrorKind::WouldBlock => {
+                    tokio::task::yield_now().await;
+                }
+                Err(err) => panic!("request transport should work: {err}"),
+            }
+        };
+        let _parsed: ConfigRequirementsReadResponse =
+            serde_json::from_value(response).expect("response should match v2 schema");
+        client
+            .shutdown()
+            .await
+            .expect("in-process runtime should shutdown cleanly");
+    }
+
+    #[test]
+    fn guaranteed_delivery_helpers_cover_terminal_notifications() {
+        assert!(server_notification_requires_delivery(
+            &ServerNotification::TurnCompleted(TurnCompletedNotification {
+                thread_id: "thread-1".to_string(),
+                turn: Turn {
+                    id: "turn-1".to_string(),
+                    items: Vec::new(),
+                    status: TurnStatus::Completed,
+                    error: None,
+                },
+            })
+        ));
+
+        assert!(legacy_notification_requires_delivery(
+            &JSONRPCNotification {
+                method: "codex/event/task_complete".to_string(),
+                params: None,
+            }
+        ));
+        assert!(legacy_notification_requires_delivery(
+            &JSONRPCNotification {
+                method: "codex/event/turn_aborted".to_string(),
+                params: None,
+            }
+        ));
+        assert!(legacy_notification_requires_delivery(
+            &JSONRPCNotification {
+                method: "codex/event/shutdown_complete".to_string(),
+                params: None,
+            }
+        ));
+        assert!(!legacy_notification_requires_delivery(
+            &JSONRPCNotification {
+                method: "codex/event/item_started".to_string(),
+                params: None,
+            }
+        ));
+    }
+}