fix: grant delete-capable ACLs in Windows sandbox

2026-06-04 12:22:15 +00:00 · 2026-05-11 09:12:43 -07:00
1397 changed files with 46063 additions and 108104 deletions
--- a/.codex/skills/codex-issue-digest/SKILL.md
+++ b/.codex/skills/codex-issue-digest/SKILL.md
@@ -53,7 +53,7 @@ Use `--window "past week"` or `--window-hours 168` when the user asks for a non-
 ## Summary
 No major issues reported by users.

-Source: collector v5, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
+Source: collector v4, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
 Want details? I can expand this into the issue table.
 ```

@@ -65,7 +65,7 @@ Two issues are being surfaced by users:
 🔥🔥 Terminal launch hangs on startup [1](https://github.com/openai/codex/issues/123)
 🔥 Resume switches model providers unexpectedly [2](https://github.com/openai/codex/issues/456)

-Source: collector v5, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
+Source: collector v4, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
 Want details? I can expand this into the issue table.
 ```
 5. In `## Details`, when details are requested, include a compact table only when useful:
@@ -76,7 +76,7 @@ Want details? I can expand this into the issue table.
   - A clear quiet/no-concern sentence when there is no meaningful signal.
 6. Use the JSON `attention_marker` exactly. It is empty for normal rows, `🔥` for elevated rows, and `🔥🔥` for very high-attention rows. The actual cutoffs are in `attention_thresholds`.
 7. Use inline numbered references where a row or bullet points to issues, for example `Compaction bugs [1](https://github.com/openai/codex/issues/123), [2](https://github.com/openai/codex/issues/456)`. Do not add a separate footnotes section.
-8. Label `interactions` as `Interactions`; it counts unique human GitHub users who created a new issue, added a new comment, or reacted during the requested window. Multiple posts/reactions from the same user on the same issue count once.
+8. Label `interactions` as `Interactions`; it counts posts/comments/reactions during the requested window, not unique people.
 9. Mention the collector `script_version`, repo checkout `git_head`, and time window in one compact source line. In default mode, put this before the details prompt so the final line still asks whether the user wants details. In details-upfront mode, it can be the footer.

 ## Reaction Handling
@@ -89,7 +89,7 @@ GitHub issue search is still seeded by issue `updated_at`, so a purely reaction-

 ## Attention Markers

-The collector scales attention markers by the requested time window. The baseline is 5 unique human users for `🔥` and 10 unique human users for `🔥🔥` over 24 hours; longer or shorter windows scale those cutoffs linearly and round up. For example, a one-week report uses 35 and 70 interactions. Unique human users are users who authored a new issue, authored a new comment, or reacted during the window, including upvotes. Multiple actions from the same user on the same issue count once. Bot posts and bot reactions are excluded. In prose, explain this as high user interaction rather than naming the emoji.
+The collector scales attention markers by the requested time window. The baseline is 5 human user interactions for `🔥` and 10 for `🔥🔥` over 24 hours; longer or shorter windows scale those cutoffs linearly and round up. For example, a one-week report uses 35 and 70 interactions. Human user interactions are human-authored new issue posts, human-authored new comments, and human reactions created during the window, including upvotes. Bot posts and bot reactions are excluded. In prose, explain this as high user interaction rather than naming the emoji.

 ## Freshness

--- a/.codex/skills/codex-issue-digest/scripts/collect_issue_digest.py
+++ b/.codex/skills/codex-issue-digest/scripts/collect_issue_digest.py
@@ -11,7 +11,7 @@ from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from urllib.parse import quote

-SCRIPT_VERSION = 5
+SCRIPT_VERSION = 4
 QUALIFYING_KIND_LABELS = ("bug", "enhancement")
 REACTION_KEYS = ("+1", "-1", "laugh", "hooray", "confused", "heart", "rocket", "eyes")
 BASE_ATTENTION_WINDOW_HOURS = 24.0
@@ -393,15 +393,9 @@ def is_bot_login(login):
    return bool(login) and login.lower().endswith("[bot]")


-def human_login_key(user_obj):
-    login = extract_login(user_obj)
-    if not login or is_bot_login(login):
-        return ""
-    return login.casefold()
-
-
 def is_human_user(user_obj):
-    return bool(human_login_key(user_obj))
+    login = extract_login(user_obj)
+    return bool(login) and not is_bot_login(login)


 def label_names(issue):
@@ -473,26 +467,22 @@ def reaction_summary(item):
 def reaction_event_summary(reactions, since, until):
    counts = {}
    total = 0
-    users = set()
    for reaction in reactions or []:
        if not isinstance(reaction, dict):
            continue
        if not is_in_window(str(reaction.get("created_at") or ""), since, until):
            continue
-        user_key = human_login_key(reaction.get("user"))
-        if not user_key:
+        if not is_human_user(reaction.get("user")):
            continue
        content = str(reaction.get("content") or "")
        if not content:
            continue
        counts[content] = counts.get(content, 0) + 1
        total += 1
-        users.add(user_key)
    return {
        "total": total,
        "counts": counts,
        "upvotes": counts.get("+1", 0),
-        "users": sorted(users, key=str.casefold),
    }


@@ -628,21 +618,13 @@ def summarize_issue(
    new_comment_reaction_total = sum(
        comment["reaction_total"] for comment in new_comments
    )
-    new_issue_user_key = human_login_key(issue.get("user")) if new_issue else ""
-    new_issue_user_interaction = bool(new_issue_user_key)
+    new_issue_user_interaction = new_issue and is_human_user(issue.get("user"))
    new_comment_user_interactions = sum(
        1 for comment in new_comments if comment["human_user_interaction"]
    )
-    interaction_user_keys = set(issue_reaction_events_summary["users"])
-    interaction_user_keys.update(comment_reaction_events_summary["users"])
-    if new_issue_user_key:
-        interaction_user_keys.add(new_issue_user_key)
-    interaction_user_keys.update(
-        comment["author"].casefold()
-        for comment in new_comments
-        if comment["human_user_interaction"]
+    user_interactions = (
+        int(new_issue_user_interaction) + new_comment_user_interactions + new_reactions
    )
-    user_interactions = len(interaction_user_keys)
    attention_level = attention_level_for(user_interactions, attention_thresholds)
    attention_marker = attention_marker_for(user_interactions, attention_thresholds)
    updated_without_visible_new_post = (
@@ -975,7 +957,6 @@ def collect_digest(args):
            "New issue comments are filtered by comment creation time within the window from the fetched comment set.",
            "Reaction events are counted by GitHub reaction created_at timestamps for hydrated issues and fetched comments.",
            "Current reaction totals are standing engagement signals; new_reactions and new_upvotes are windowed activity.",
-            "user_interactions counts unique human users per issue across new issues, new comments, and new reactions; repeated actions by the same user count once.",
            "The collector does not assign semantic clusters; use summary_inputs as model-ready evidence for report-time clustering.",
            "Pure reaction-only issues may be missed if GitHub issue search does not surface them via updated_at.",
            "Issues updated during the window without a new issue body or new comment are retained because label/status edits can still be useful owner signals.",
--- a/.codex/skills/codex-issue-digest/scripts/test_collect_issue_digest.py
+++ b/.codex/skills/codex-issue-digest/scripts/test_collect_issue_digest.py
@@ -494,70 +494,6 @@ def test_reactions_count_toward_attention_markers():
    assert summary["new_comments"][0]["new_upvotes"] == 0


-def test_user_interactions_are_deduped_by_human_login():
-    since = collect_issue_digest.parse_timestamp("2026-04-25T00:00:00Z", "--since")
-    until = collect_issue_digest.parse_timestamp("2026-04-26T00:00:00Z", "--until")
-
-    def comment(comment_id, login):
-        return {
-            "id": comment_id,
-            "created_at": f"2026-04-25T0{comment_id + 1}:00:00Z",
-            "updated_at": f"2026-04-25T0{comment_id + 1}:00:00Z",
-            "user": {"login": login},
-            "body": "same issue",
-        }
-
-    def reaction(content, login, created_at="2026-04-25T10:00:00Z"):
-        return {
-            "content": content,
-            "created_at": created_at,
-            "user": {"login": login},
-        }
-
-    issue = {
-        "number": 790,
-        "title": "Repeated pings should not boost attention",
-        "html_url": "https://github.com/openai/codex/issues/790",
-        "state": "open",
-        "created_at": "2026-04-25T01:00:00Z",
-        "updated_at": "2026-04-25T12:00:00Z",
-        "user": {"login": "Alice"},
-        "labels": [{"name": "bug"}, {"name": "tui"}],
-    }
-    comments = [comment(1, "alice"), comment(2, "ALICE"), comment(3, "bob")]
-    comments.append(comment(4, "github-actions[bot]"))
-    issue_reactions = [
-        reaction("+1", "alice"),
-        reaction("rocket", "Alice"),
-        reaction("+1", "bob"),
-        reaction("+1", "github-actions[bot]"),
-        reaction("+1", "carol", created_at="2026-04-24T23:00:00Z"),
-    ]
-    comment_reactions_by_id = {
-        1: [reaction("heart", "alice")],
-        2: [reaction("+1", "bob")],
-        3: [reaction("eyes", "carol")],
-    }
-
-    summary = collect_issue_digest.summarize_issue(
-        issue,
-        comments,
-        ["tui"],
-        since,
-        until,
-        body_chars=100,
-        comment_chars=100,
-        issue_reaction_events=issue_reactions,
-        comment_reactions_by_id=comment_reactions_by_id,
-    )
-
-    assert summary["activity"]["new_human_comments"] == 3
-    assert summary["new_reactions"] == 6
-    assert summary["user_interactions"] == 3
-    assert summary["attention"] is False
-    assert summary["attention_marker"] == ""
-
-
 def test_digest_rows_are_table_ready_with_concise_descriptions():
    rows = collect_issue_digest.digest_rows(
        [
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,6 +1,5 @@
 # Core crate ownership.
 /codex-rs/core/ @openai/codex-core-agent-team
-/codex-rs/ext/extension-api/ @openai/codex-core-agent-team

 # Keep ownership changes reviewed by the same team.
 /.github/CODEOWNERS @openai/codex-core-agent-team
--- a/.github/ISSUE_TEMPLATE/3-cli.yml
+++ b/.github/ISSUE_TEMPLATE/3-cli.yml
@@ -2,6 +2,7 @@ name: 💻 CLI Bug
 description: Report an issue in the Codex CLI
 labels:
  - bug
+  - needs triage
 body:
  - type: markdown
    attributes:
@@ -11,8 +12,6 @@ body:

        Make sure you are running the [latest](https://npmjs.com/package/@openai/codex) version of Codex CLI. The bug you are experiencing may already have been fixed.

-        If your version supports it, please run `codex doctor --json` and paste the output in the "Codex doctor report" field below. This helps us diagnose install, config, auth, terminal, MCP, network, and local state issues.
-
  - type: input
    id: version
    attributes:
@@ -42,19 +41,9 @@ body:
    id: terminal
    attributes:
      label: What terminal emulator and version are you using (if applicable)?
+      description: Also note any multiplexer in use (screen / tmux / zellij)
      description: |
-        Also note any multiplexer in use (screen / tmux / zellij).
-        E.g., VS Code, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
-  - type: textarea
-    id: doctor
-    attributes:
-      label: Codex doctor report
-      description: |
-        If available, run `codex doctor --json` and paste the full output here.
-
-        The report is designed to redact secrets, but please review it before submitting.
-        If your Codex version does not support `doctor`, write `not available`.
-      render: json
+        E.g, VSCode, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
  - type: textarea
    id: actual
    attributes:
--- a/.github/ISSUE_TEMPLATE/5-feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/5-feature-request.yml
@@ -10,7 +10,7 @@ body:

        Before you submit a feature:
        1. Search existing issues for similar features. If you find one, 👍 it rather than opening a new one.
-        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex/blob/main/docs/contributing.md) for more details.
+        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex#contributing) for more details.

  - type: input
    id: variant
--- a/.github/ISSUE_TEMPLATE/6-docs-issue.yml
+++ b/.github/ISSUE_TEMPLATE/6-docs-issue.yml
@@ -1,6 +1,6 @@
 name: 📗 Documentation Issue
 description: Tell us if there is missing or incorrect documentation
-labels: [documentation]
+labels: [docs]
 body:
  - type: markdown
    attributes:
@@ -24,4 +24,4 @@ body:
  - type: textarea
    attributes:
      label: Where did you find it?
-      description: If possible, please provide the URL(s) where you found this issue.
+      description: If possible, please provide the URL(s) where you found this issue.
--- a/.github/actions/prepare-bazel-ci/action.yml
+++ b/.github/actions/prepare-bazel-ci/action.yml
@@ -50,7 +50,7 @@ runs:
    - name: Restore bazel repository cache
      id: cache_bazel_repository_restore
      continue-on-error: true
-      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
      with:
        path: ${{ steps.setup_bazel.outputs.repository-cache-path }}
        key: ${{ steps.cache_bazel_repository_key.outputs.repository-cache-key }}
--- a/.github/actions/windows-code-sign/action.yml
+++ b/.github/actions/windows-code-sign/action.yml
@@ -30,7 +30,7 @@ runs:
  using: composite
  steps:
    - name: Azure login for Trusted Signing (OIDC)
-      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
      with:
        client-id: ${{ inputs.client-id }}
        tenant-id: ${{ inputs.tenant-id }}
@@ -54,7 +54,7 @@ runs:
        } >> "$GITHUB_OUTPUT"

    - name: Sign Windows binaries with Azure Trusted Signing
-      uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0.5.11
+      uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0
      with:
        endpoint: ${{ inputs.endpoint }}
        trusted-signing-account-name: ${{ inputs.account-name }}
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -6,37 +6,25 @@ updates:
    directory: .github/actions/codex
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: cargo
    directories:
      - codex-rs
      - codex-rs/*
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: devcontainers
    directory: /
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: docker
    directory: codex-cli
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: rust-toolchain
    directory: codex-rs
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -17,10 +17,10 @@ concurrency:
  cancel-in-progress: ${{ github.ref_name != 'main' }}
 jobs:
  test:
-    # PRs use the sharded Windows cross-compiled test jobs below. Post-merge
-    # pushes to main also run the native Windows test job for broader Windows
-    # signal without putting PR latency back on the critical path. Cargo CI
-    # owns V8/code-mode test coverage for now.
+    # PRs use a fast Windows cross-compiled test leg for pre-merge signal.
+    # Post-merge pushes to main also run the native Windows test job below for
+    # broader Windows signal without putting PR latency back on the critical
+    # path. Cargo CI owns V8/code-mode test coverage for now.
    timeout-minutes: 30
    strategy:
      fail-fast: false
@@ -44,16 +44,19 @@ jobs:
          # - os: ubuntu-24.04-arm
          #   target: aarch64-unknown-linux-gnu

+          # Windows fast path: build the windows-gnullvm binaries with Linux
+          # RBE, then run the resulting Windows tests on the Windows runner.
+          # Cargo CI preserves V8/code-mode coverage while Bazel CI keeps broad
+          # non-code-mode signal.
+          - os: windows-latest
+            target: x86_64-pc-windows-gnullvm
    runs-on: ${{ matrix.os }}

    # Configure a human readable name for each job
    name: Bazel test on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Check rusty_v8 MODULE.bazel checksums
        if: matrix.os == 'ubuntu-24.04' && matrix.target == 'x86_64-unknown-linux-gnu'
@@ -102,6 +105,13 @@ jobs:
            --test_verbose_timeout_warnings
            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
          )
+          if [[ "${RUNNER_OS}" == "Windows" ]]; then
+            bazel_wrapper_args+=(
+              --windows-cross-compile
+              --remote-download-toplevel
+            )
+          fi
+
          ./.github/scripts/run-bazel-ci.sh \
            "${bazel_wrapper_args[@]}" \
            -- \
@@ -112,7 +122,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: bazel-execution-logs-test-${{ matrix.target }}
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -123,123 +133,11 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}

-  test-windows-shard:
-    # Split the Windows Bazel test leg across separate Windows
-    # hosts. Each shard still uses Linux RBE for build actions, but the test
-    # execution itself happens on its own Windows runner.
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        shard:
-          - 1
-          - 2
-          - 3
-          - 4
-    runs-on: windows-latest
-    name: Bazel test on windows-latest for x86_64-pc-windows-gnullvm shard ${{ matrix.shard }}/4
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
-
-      - name: Prepare Bazel CI
-        id: prepare_bazel
-        uses: ./.github/actions/prepare-bazel-ci
-        with:
-          target: x86_64-pc-windows-gnullvm
-          # Reuse the former monolithic Windows test cache for restores. Do
-          # not save it from every shard below; duplicate uploads would sit on
-          # the PR-blocking critical path after the useful test work is done.
-          cache-scope: bazel-test
-          install-test-prereqs: "true"
-
-      - name: bazel test shard
-        env:
-          BAZEL_TEST_SHARD: ${{ matrix.shard }}
-          BAZEL_TEST_SHARD_COUNT: 4
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          bazel_test_query='tests(//...) except tests(//third_party/v8:all) except //codex-rs/code-mode:code-mode-unit-tests except //codex-rs/v8-poc:v8-poc-unit-tests except attr(tags, "manual", tests(//...))'
-          mapfile -t bazel_targets < <(
-            MSYS2_ARG_CONV_EXCL='*' bazel query --output=label "${bazel_test_query}" \
-              | LC_ALL=C sort
-          )
-
-          selected_targets=()
-          for bazel_target in "${bazel_targets[@]}"; do
-            target_bucket="$(
-              printf '%s\n' "${bazel_target}" \
-                | cksum \
-                | awk -v shard_count="${BAZEL_TEST_SHARD_COUNT}" '{ print ($1 % shard_count) + 1 }'
-            )"
-            if [[ "${target_bucket}" == "${BAZEL_TEST_SHARD}" ]]; then
-              selected_targets+=("${bazel_target}")
-            fi
-          done
-
-          if [[ ${#selected_targets[@]} -eq 0 ]]; then
-            echo "No Bazel test targets selected for Windows shard ${BAZEL_TEST_SHARD}/${BAZEL_TEST_SHARD_COUNT}." >&2
-            exit 1
-          fi
-
-          echo "Selected ${#selected_targets[@]} of ${#bazel_targets[@]} Bazel test targets for Windows shard ${BAZEL_TEST_SHARD}/${BAZEL_TEST_SHARD_COUNT}."
-
-          bazel_test_args=(
-            test
-            --skip_incompatible_explicit_targets
-            --test_tag_filters=-argument-comment-lint
-            --test_verbose_timeout_warnings
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
-            --build_metadata=TAG_windows_test_shard=${BAZEL_TEST_SHARD}
-          )
-
-          ./.github/scripts/run-bazel-ci.sh \
-            --print-failed-action-summary \
-            --print-failed-test-logs \
-            --windows-cross-compile \
-            --remote-download-toplevel \
-            -- \
-            "${bazel_test_args[@]}" \
-            -- \
-            "${selected_targets[@]}"
-
-      - name: Upload Bazel execution logs
-        if: always() && !cancelled()
-        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: bazel-execution-logs-test-x86_64-pc-windows-gnullvm-shard-${{ matrix.shard }}
-          path: ${{ runner.temp }}/bazel-execution-logs
-          if-no-files-found: ignore
-
-  test-windows:
-    # Preserve the existing required-check surface while the real work happens
-    # in the sharded Windows jobs above.
-    if: always()
-    needs: test-windows-shard
-    runs-on: ubuntu-24.04
-    name: Bazel test on windows-latest for x86_64-pc-windows-gnullvm
-
-    steps:
-      - name: Confirm Windows Bazel test shards passed
-        shell: bash
-        run: |
-          if [[ "${{ needs.test-windows-shard.result }}" != "success" ]]; then
-            echo "Windows Bazel test shards finished with result: ${{ needs.test-windows-shard.result }}" >&2
-            exit 1
-          fi
-
  test-windows-native-main:
    # Native Windows Bazel tests are slower and frequently approach the
    # 30-minute PR budget. Run this only for post-merge commits to main and give
@@ -250,10 +148,7 @@ jobs:
    name: Bazel test on windows-latest for x86_64-pc-windows-gnullvm (native main)

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -300,7 +195,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: bazel-execution-logs-test-windows-native-x86_64-pc-windows-gnullvm
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -311,7 +206,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
@@ -336,10 +231,7 @@ jobs:
    name: Bazel clippy on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -394,7 +286,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: bazel-execution-logs-clippy-${{ matrix.target }}
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -405,7 +297,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
@@ -426,10 +318,7 @@ jobs:
    name: Verify release build on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -501,7 +390,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: bazel-execution-logs-verify-release-build-${{ matrix.target }}
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -512,7 +401,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
--- a/.github/workflows/blob-size-policy.yml
+++ b/.github/workflows/blob-size-policy.yml
@@ -8,19 +8,17 @@ jobs:
    name: Blob size policy
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
-          persist-credentials: false

      - name: Determine PR comparison range
        id: range
        shell: bash
        run: |
          set -euo pipefail
-          echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          echo "head=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
+          echo "base=$(git rev-parse HEAD^1)" >> "$GITHUB_OUTPUT"
+          echo "head=$(git rev-parse HEAD^2)" >> "$GITHUB_OUTPUT"

      - name: Check changed blob sizes
        env:
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -14,10 +14,7 @@ jobs:
        working-directory: ./codex-rs
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,10 +12,7 @@ jobs:
      NODE_OPTIONS: --max-old-space-size=4096
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Verify codex-rs Cargo manifests inherit workspace settings
        run: python3 .github/scripts/verify_cargo_workspace_manifests.py
@@ -32,7 +29,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: 22

@@ -66,7 +63,7 @@ jobs:
          echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"

      - name: Upload staged npm package artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: codex-npm-staging
          path: ${{ steps.stage_npm_package.outputs.pack_output }}
--- a/.github/workflows/close-stale-contributor-prs.yml
+++ b/.github/workflows/close-stale-contributor-prs.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Close inactive PRs from contributors
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -18,12 +18,9 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Annotate locations with typos
-        uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1.1.0
+        uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1
      - name: Codespell
        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
        with:
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -15,8 +15,12 @@ jobs:
    permissions:
      contents: read
    outputs:
-      codex_output: ${{ steps.codex-all.outputs.final-message }}
+      issues_json: ${{ steps.normalize-all.outputs.issues_json }}
+      reason: ${{ steps.normalize-all.outputs.reason }}
+      has_matches: ${{ steps.normalize-all.outputs.has_matches }}
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
      - name: Prepare Codex inputs
        env:
          GH_TOKEN: ${{ github.token }}
@@ -61,8 +65,6 @@ jobs:
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
-          safety-strategy: drop-sudo
-          sandbox: read-only
          prompt: |
            You are an assistant that triages new GitHub issues by identifying potential duplicates.

@@ -96,21 +98,10 @@ jobs:
              "additionalProperties": false
            }

-  normalize-duplicates-all:
-    name: Normalize pass 1 output
-    needs: gather-duplicates-all
-    if: ${{ needs.gather-duplicates-all.result == 'success' }}
-    runs-on: ubuntu-latest
-    permissions: {}
-    outputs:
-      issues_json: ${{ steps.normalize-all.outputs.issues_json }}
-      reason: ${{ steps.normalize-all.outputs.reason }}
-      has_matches: ${{ steps.normalize-all.outputs.has_matches }}
-    steps:
      - id: normalize-all
        name: Normalize pass 1 output
        env:
-          CODEX_OUTPUT: ${{ needs.gather-duplicates-all.outputs.codex_output }}
+          CODEX_OUTPUT: ${{ steps.codex-all.outputs.final-message }}
          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail
@@ -153,15 +144,19 @@ jobs:

  gather-duplicates-open:
    name: Identify potential duplicates (open issues fallback)
-    # Pass 1 Codex execution drops sudo on its runner, so run the fallback in a fresh job.
-    needs: normalize-duplicates-all
-    if: ${{ needs.normalize-duplicates-all.result == 'success' && needs.normalize-duplicates-all.outputs.has_matches != 'true' }}
+    # Pass 1 may drop sudo on the runner, so run the fallback in a fresh job.
+    needs: gather-duplicates-all
+    if: ${{ needs.gather-duplicates-all.result == 'success' && needs.gather-duplicates-all.outputs.has_matches != 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
-      codex_output: ${{ steps.codex-open.outputs.final-message }}
+      issues_json: ${{ steps.normalize-open.outputs.issues_json }}
+      reason: ${{ steps.normalize-open.outputs.reason }}
+      has_matches: ${{ steps.normalize-open.outputs.has_matches }}
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
      - name: Prepare Codex inputs
        env:
          GH_TOKEN: ${{ github.token }}
@@ -204,8 +199,6 @@ jobs:
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
-          safety-strategy: drop-sudo
-          sandbox: read-only
          prompt: |
            You are an assistant that triages new GitHub issues by identifying potential duplicates.

@@ -239,21 +232,10 @@ jobs:
              "additionalProperties": false
            }

-  normalize-duplicates-open:
-    name: Normalize pass 2 output
-    needs: gather-duplicates-open
-    if: ${{ needs.gather-duplicates-open.result == 'success' }}
-    runs-on: ubuntu-latest
-    permissions: {}
-    outputs:
-      issues_json: ${{ steps.normalize-open.outputs.issues_json }}
-      reason: ${{ steps.normalize-open.outputs.reason }}
-      has_matches: ${{ steps.normalize-open.outputs.has_matches }}
-    steps:
      - id: normalize-open
        name: Normalize pass 2 output
        env:
-          CODEX_OUTPUT: ${{ needs.gather-duplicates-open.outputs.codex_output }}
+          CODEX_OUTPUT: ${{ steps.codex-open.outputs.final-message }}
          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail
@@ -297,9 +279,9 @@ jobs:
  select-final:
    name: Select final duplicate set
    needs:
-      - normalize-duplicates-all
-      - normalize-duplicates-open
-    if: ${{ always() && needs.normalize-duplicates-all.result == 'success' && (needs.normalize-duplicates-open.result == 'success' || needs.normalize-duplicates-open.result == 'skipped') }}
+      - gather-duplicates-all
+      - gather-duplicates-open
+    if: ${{ always() && needs.gather-duplicates-all.result == 'success' && (needs.gather-duplicates-open.result == 'success' || needs.gather-duplicates-open.result == 'skipped') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -309,12 +291,12 @@ jobs:
      - id: select-final
        name: Select final duplicate set
        env:
-          PASS1_ISSUES: ${{ needs.normalize-duplicates-all.outputs.issues_json }}
-          PASS1_REASON: ${{ needs.normalize-duplicates-all.outputs.reason }}
-          PASS2_ISSUES: ${{ needs.normalize-duplicates-open.outputs.issues_json }}
-          PASS2_REASON: ${{ needs.normalize-duplicates-open.outputs.reason }}
-          PASS1_HAS_MATCHES: ${{ needs.normalize-duplicates-all.outputs.has_matches }}
-          PASS2_HAS_MATCHES: ${{ needs.normalize-duplicates-open.outputs.has_matches }}
+          PASS1_ISSUES: ${{ needs.gather-duplicates-all.outputs.issues_json }}
+          PASS1_REASON: ${{ needs.gather-duplicates-all.outputs.reason }}
+          PASS2_ISSUES: ${{ needs.gather-duplicates-open.outputs.issues_json }}
+          PASS2_REASON: ${{ needs.gather-duplicates-open.outputs.reason }}
+          PASS1_HAS_MATCHES: ${{ needs.gather-duplicates-all.outputs.has_matches }}
+          PASS2_HAS_MATCHES: ${{ needs.gather-duplicates-open.outputs.has_matches }}
        run: |
          set -eo pipefail

@@ -360,7 +342,7 @@ jobs:
      issues: write
    steps:
      - name: Comment on issue
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          CODEX_OUTPUT: ${{ needs.select-final.outputs.codex_output }}
        with:
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -17,13 +17,13 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
      - id: codex
        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
-          safety-strategy: drop-sudo
-          sandbox: read-only
          prompt: |
            You are an assistant that reviews GitHub issues for the repository.

--- a/.github/workflows/rust-ci-full.yml
+++ b/.github/workflows/rust-ci-full.yml
@@ -7,11 +7,6 @@ on:
  workflow_dispatch:

 # CI builds in debug (dev) for faster signal.
-env:
-  # Cargo's libgit2 transport has been flaky on macOS when fetching git
-  # dependencies with nested submodules. Use the system git CLI, which has
-  # better network/proxy behavior and matches Cargo's own suggested fallback.
-  CARGO_NET_GIT_FETCH_WITH_CLI: "true"

 jobs:
  # --- CI that doesn't need specific targets ---------------------------------
@@ -22,9 +17,7 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          components: rustfmt
@@ -38,15 +31,14 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
-          tool: cargo-shear@1.11.2
+          tool: cargo-shear
+          version: 1.5.1
      - name: cargo shear
-        run: cargo shear --deny-warnings
+        run: cargo shear

  argument_comment_lint_package:
    name: Argument comment lint package
@@ -55,16 +47,14 @@ jobs:
      CARGO_DYLINT_VERSION: 5.0.0
      DYLINT_LINK_VERSION: 5.0.0
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          toolchain: nightly-2025-09-18
          components: llvm-tools-preview, rustc-dev, rust-src
      - name: Cache cargo-dylint tooling
        id: cargo_dylint_cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cargo/bin/cargo-dylint
@@ -107,9 +97,7 @@ jobs:
              group: codex-runners
              labels: codex-windows-x64
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: ./.github/actions/setup-bazel-ci
        with:
          target: ${{ runner.os }}
@@ -245,9 +233,7 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -290,7 +276,7 @@ jobs:
      # avoid caching the large target dir on the gnu-dev job.
      - name: Restore cargo home cache
        id: cache_cargo_home_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cargo/bin/
@@ -308,7 +294,7 @@ jobs:
      # Install and restore sccache cache
      - name: Install sccache
        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
          tool: sccache
          version: 0.7.5
@@ -335,7 +321,7 @@ jobs:
      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -362,7 +348,7 @@ jobs:
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Restore APT cache (musl)
        id: cache_apt_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            /var/cache/apt
@@ -370,7 +356,7 @@ jobs:

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install Zig
-        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
        with:
          version: 0.14.0

@@ -444,7 +430,7 @@ jobs:

      - name: Install cargo-chef
        if: ${{ matrix.profile == 'release' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
          tool: cargo-chef
          version: 0.1.71
@@ -463,7 +449,7 @@ jobs:

      - name: Upload Cargo timings (clippy)
        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: cargo-timings-rust-ci-clippy-${{ matrix.target }}-${{ matrix.profile }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
@@ -474,7 +460,7 @@ jobs:
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cargo/bin/
@@ -490,7 +476,7 @@ jobs:
      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -515,7 +501,7 @@ jobs:
      - name: Save APT cache (musl)
        if: always() && !cancelled() && (matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl') && steps.cache_apt_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            /var/cache/apt
@@ -573,9 +559,7 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -583,7 +567,7 @@ jobs:
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev bubblewrap
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
          fi

      # Some integration tests rely on DotSlash being installed.
@@ -606,7 +590,7 @@ jobs:

      - name: Restore cargo home cache
        id: cache_cargo_home_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cargo/bin/
@@ -619,7 +603,7 @@ jobs:

      - name: Install sccache
        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
          tool: sccache
          version: 0.7.5
@@ -646,7 +630,7 @@ jobs:
      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -654,7 +638,7 @@ jobs:
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
          tool: nextest
          version: 0.9.103
@@ -690,7 +674,7 @@ jobs:

      - name: Upload Cargo timings (nextest)
        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
@@ -699,7 +683,7 @@ jobs:
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cargo/bin/
@@ -711,7 +695,7 @@ jobs:
      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -738,12 +722,10 @@ jobs:
        shell: bash
        run: |
          set +e
-          if [[ "${STEPS_TEST_OUTCOME}" != "success" ]]; then
+          if [[ "${{ steps.test.outcome }}" != "success" ]]; then
            docker logs codex-remote-test-env || true
          fi
          docker rm -f codex-remote-test-env >/dev/null 2>&1 || true
-        env:
-          STEPS_TEST_OUTCOME: ${{ steps.test.outcome }}

      - name: verify tests passed
        if: steps.test.outcome == 'failure'
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -14,11 +14,9 @@ jobs:
      codex: ${{ steps.detect.outputs.codex }}
      workflows: ${{ steps.detect.outputs.workflows }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
-          persist-credentials: false
      - name: Detect changed paths (no external action)
        id: detect
        shell: bash
@@ -63,10 +61,7 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          components: rustfmt
@@ -82,16 +77,14 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
-          tool: cargo-shear@1.11.2
+          tool: cargo-shear
+          version: 1.5.1
      - name: cargo shear
-        run: cargo shear --deny-warnings
+        run: cargo shear

  argument_comment_lint_package:
    name: Argument comment lint package
@@ -102,10 +95,7 @@ jobs:
      CARGO_DYLINT_VERSION: 5.0.0
      DYLINT_LINK_VERSION: 5.0.0
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - name: Install nightly argument-comment-lint toolchain
        shell: bash
@@ -119,7 +109,7 @@ jobs:
          rustup default nightly-2025-09-18
      - name: Cache cargo-dylint tooling
        id: cargo_dylint_cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cargo/bin/cargo-dylint
@@ -180,11 +170,8 @@ jobs:

          echo "No argument-comment-lint relevant changes."
          echo "run=false" >> "$GITHUB_OUTPUT"
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
      - name: Run argument comment lint on codex-rs via Bazel
        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
        uses: ./.github/actions/run-argument-comment-lint
@@ -216,25 +203,20 @@ jobs:

          # If nothing relevant changed (PR touching only root README, etc.),
          # declare success regardless of other jobs.
-          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT}" != 'true' && "${NEEDS_CHANGED_OUTPUTS_CODEX}" != 'true' && "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" != 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' != 'true' && '${{ needs.changed.outputs.codex }}' != 'true' && '${{ needs.changed.outputs.workflows }}' != 'true' ]]; then
            echo 'No relevant changes -> CI not required.'
            exit 0
          fi

-          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT_PACKAGE}" == 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.argument_comment_lint_package }}' == 'true' ]]; then
            [[ '${{ needs.argument_comment_lint_package.result }}' == 'success' ]] || { echo 'argument_comment_lint_package failed'; exit 1; }
          fi

-          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT}" == 'true' || "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" == 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
            [[ '${{ needs.argument_comment_lint_prebuilt.result }}' == 'success' ]] || { echo 'argument_comment_lint_prebuilt failed'; exit 1; }
          fi

-          if [[ "${NEEDS_CHANGED_OUTPUTS_CODEX}" == 'true' || "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" == 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.codex }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
            [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
            [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
          fi
-        env:
-          NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT: ${{ needs.changed.outputs.argument_comment_lint }}
-          NEEDS_CHANGED_OUTPUTS_CODEX: ${{ needs.changed.outputs.codex }}
-          NEEDS_CHANGED_OUTPUTS_WORKFLOWS: ${{ needs.changed.outputs.workflows }}
-          NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT_PACKAGE: ${{ needs.changed.outputs.argument_comment_lint_package }}
--- a/.github/workflows/rust-release-argument-comment-lint.yml
+++ b/.github/workflows/rust-release-argument-comment-lint.yml
@@ -56,9 +56,7 @@ jobs:
              labels: codex-windows-x64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
@@ -102,7 +100,7 @@ jobs:
            (cd "${RUNNER_TEMP}" && tar -czf "$GITHUB_WORKSPACE/$archive_path" argument-comment-lint)
          fi

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: argument-comment-lint-${{ matrix.target }}
          path: dist/argument-comment-lint/${{ matrix.target }}/*
--- a/.github/workflows/rust-release-prepare.yml
+++ b/.github/workflows/rust-release-prepare.yml
@@ -16,16 +16,12 @@ jobs:
  prepare:
    # Prevent scheduled runs on forks (no secrets, wastes Actions minutes)
    if: github.repository == 'openai/codex'
-    environment:
-      name: rust-release-prepare
-      deployment: false
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: main
          fetch-depth: 0
-          persist-credentials: false

      - name: Update models.json
        env:
@@ -47,7 +43,7 @@ jobs:
          curl --http1.1 --fail --show-error --location "${headers[@]}" "${url}" | jq '.' > codex-rs/models-manager/models.json

      - name: Open pull request (if changed)
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
        with:
          commit-message: "Update models.json"
          title: "Update models.json"
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -83,9 +83,7 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Print runner specs (Windows)
        shell: powershell
        run: |
@@ -114,7 +112,7 @@ jobs:
          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"

      - name: Upload Cargo timings
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: cargo-timings-rust-release-windows-${{ matrix.target }}-${{ matrix.bundle }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
@@ -130,7 +128,7 @@ jobs:
          done

      - name: Upload Windows binaries
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: windows-binaries-${{ matrix.target }}-${{ matrix.bundle }}
          path: |
@@ -167,24 +165,22 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Download prebuilt Windows primary binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: windows-binaries-${{ matrix.target }}-primary
          path: codex-rs/target/${{ matrix.target }}/release

      - name: Download prebuilt Windows helper binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: windows-binaries-${{ matrix.target }}-helpers
          path: codex-rs/target/${{ matrix.target }}/release

      - name: Download prebuilt Windows app-server binary
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: windows-binaries-${{ matrix.target }}-app-server
          path: codex-rs/target/${{ matrix.target }}/release
@@ -220,48 +216,6 @@ jobs:
              "$dest/${binary}-${{ matrix.target }}.exe"
          done

-      - name: Build Python runtime wheel
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          case "${{ matrix.target }}" in
-            aarch64-pc-windows-msvc)
-              platform_tag="win_arm64"
-              ;;
-            x86_64-pc-windows-msvc)
-              platform_tag="win_amd64"
-              ;;
-            *)
-              echo "No Python runtime wheel platform tag for ${{ matrix.target }}"
-              exit 1
-              ;;
-          esac
-
-          python -m venv "${RUNNER_TEMP}/python-runtime-build-venv"
-          "${RUNNER_TEMP}/python-runtime-build-venv/Scripts/python.exe" -m pip install build
-
-          stage_dir="${RUNNER_TEMP}/openai-codex-cli-bin-${{ matrix.target }}"
-          wheel_dir="${GITHUB_WORKSPACE}/python-runtime-dist/${{ matrix.target }}"
-          # Keep the helpers next to codex.exe in the runtime wheel so Windows
-          # sandbox/elevation lookup matches the standalone release zip.
-          python "${GITHUB_WORKSPACE}/sdk/python/scripts/update_sdk_artifacts.py" \
-            stage-runtime \
-            "$stage_dir" \
-            "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex.exe" \
-            --codex-version "${GITHUB_REF_NAME}" \
-            --platform-tag "$platform_tag" \
-            --resource-binary "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex-command-runner.exe" \
-            --resource-binary "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe"
-          "${RUNNER_TEMP}/python-runtime-build-venv/Scripts/python.exe" -m build --wheel --outdir "$wheel_dir" "$stage_dir"
-
-      - name: Upload Python runtime wheel
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: python-runtime-wheel-${{ matrix.target }}
-          path: python-runtime-dist/${{ matrix.target }}/*.whl
-          if-no-files-found: error
-
      - name: Install DotSlash
        uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2

@@ -327,7 +281,7 @@ jobs:
            "${GITHUB_WORKSPACE}/.github/workflows/zstd" -T0 -19 "$dest/$base"
          done

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: ${{ matrix.target }}
          path: |
--- a/.github/workflows/rust-release-zsh.yml
+++ b/.github/workflows/rust-release-zsh.yml
@@ -45,9 +45,7 @@ jobs:
            git \
            libncursesw5-dev

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Build, smoke-test, and stage zsh artifact
        shell: bash
@@ -55,7 +53,7 @@ jobs:
          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: codex-zsh-${{ matrix.target }}
          path: dist/zsh/${{ matrix.target }}/*
@@ -83,9 +81,7 @@ jobs:
            brew install autoconf
          fi

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Build, smoke-test, and stage zsh artifact
        shell: bash
@@ -93,7 +89,7 @@ jobs:
          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: codex-zsh-${{ matrix.target }}
          path: dist/zsh/${{ matrix.target }}/*
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -4,46 +4,12 @@
 # git tag -a rust-v0.1.0 -m "Release 0.1.0"
 # git push origin rust-v0.1.0
 # ```
-#
-# To use external macOS signing, manually dispatch `release_mode=build_unsigned`,
-# sign the unsigned macOS artifacts in a secure enclave, upload the signed handoff
-# archive as a GitHub Release asset, then manually dispatch
-# `release_mode=promote_signed` with `unsigned_run_id` and `signed_macos_asset`.
-# The signed handoff archive should contain target or artifact directories such
-# as `aarch64-apple-darwin/` with signed binaries.

 name: rust-release
 on:
  push:
    tags:
      - "rust-v*.*.*"
-  workflow_dispatch:
-    inputs:
-      release_mode:
-        description: "build_unsigned creates unsigned macOS handoff artifacts; promote_signed finishes a release from signed macOS handoff artifacts."
-        required: false
-        type: choice
-        default: build_unsigned
-        options:
-          - build_unsigned
-          - promote_signed
-      sign_macos:
-        description: "Deprecated compatibility input; use release_mode instead."
-        required: false
-        type: boolean
-        default: false
-      unsigned_run_id:
-        description: "For promote_signed: workflow run id from the build_unsigned run."
-        required: false
-        type: string
-      signed_macos_asset:
-        description: "For promote_signed: exact GitHub Release asset name containing signed macOS handoff artifacts."
-        required: false
-        type: string
-      signed_macos_sha256:
-        description: "For promote_signed: optional SHA-256 of signed_macos_asset."
-        required: false
-        type: string

 concurrency:
  group: ${{ github.workflow }}
@@ -53,66 +19,14 @@ jobs:
  tag-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - name: Validate tag matches Cargo.toml version
        shell: bash
-        env:
-          RELEASE_MODE: ${{ github.event_name == 'workflow_dispatch' && inputs.release_mode || 'signed' }}
-          REQUESTED_SIGN_MACOS: ${{ inputs.sign_macos }}
-          SIGNED_MACOS_ASSET: ${{ inputs.signed_macos_asset }}
-          UNSIGNED_RUN_ID: ${{ inputs.unsigned_run_id }}
        run: |
          set -euo pipefail
          echo "::group::Tag validation"

-          case "${RELEASE_MODE}" in
-            signed)
-              if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
-                echo "❌  Manual rust-release runs must use release_mode=build_unsigned or release_mode=promote_signed"
-                exit 1
-              fi
-              ;;
-            build_unsigned)
-              if [[ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then
-                echo "❌  release_mode=build_unsigned is only valid for manual runs"
-                exit 1
-              fi
-              ;;
-            promote_signed)
-              if [[ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then
-                echo "❌  release_mode=promote_signed is only valid for manual runs"
-                exit 1
-              fi
-              if [[ ! "${UNSIGNED_RUN_ID}" =~ ^[0-9]+$ ]]; then
-                echo "❌  release_mode=promote_signed requires unsigned_run_id to be a workflow run id"
-                exit 1
-              fi
-              if [[ -z "${SIGNED_MACOS_ASSET}" ]]; then
-                echo "❌  release_mode=promote_signed requires signed_macos_asset"
-                exit 1
-              fi
-              if [[ "${SIGNED_MACOS_ASSET}" == */* || "${SIGNED_MACOS_ASSET}" == *"*"* || "${SIGNED_MACOS_ASSET}" == *"?"* || "${SIGNED_MACOS_ASSET}" == *"["* ]]; then
-                echo "❌  signed_macos_asset must be an exact release asset name, not a path or glob"
-                exit 1
-              fi
-              if [[ "${UNSIGNED_RUN_ID}" == "${GITHUB_RUN_ID}" ]]; then
-                echo "❌  unsigned_run_id must refer to the earlier build_unsigned run, not this run"
-                exit 1
-              fi
-              ;;
-            *)
-              echo "❌  Unknown release_mode '${RELEASE_MODE}'"
-              exit 1
-              ;;
-          esac
-
-          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && "${REQUESTED_SIGN_MACOS}" == "true" ]]; then
-            echo "::warning title=Deprecated sign_macos input ignored::Use release_mode=build_unsigned or release_mode=promote_signed instead."
-          fi
-
          # 1. Must be a tag and match the regex
          [[ "${GITHUB_REF_TYPE}" == "tag" ]] \
            || { echo "❌  Not a tag push"; exit 1; }
@@ -132,7 +46,6 @@ jobs:
          echo "::endgroup::"

  build:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    needs: tag-check
    name: Build - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
@@ -149,7 +62,6 @@ jobs:
      # 2026-03-04: temporarily change releases to use thin LTO because
      # Ubuntu ARM is timing out at 60 minutes.
      CARGO_PROFILE_RELEASE_LTO: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'thin' }}
-      SIGN_MACOS: ${{ github.event_name != 'workflow_dispatch' }}

    strategy:
      fail-fast: false
@@ -206,9 +118,7 @@ jobs:
            build_dmg: "false"

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Print runner specs (Linux)
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -271,10 +181,9 @@ jobs:

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install Zig
-        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
        with:
          version: 0.14.0
-          use-cache: false

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install musl build tools
@@ -375,45 +284,12 @@ jobs:
          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"

      - name: Upload Cargo timings
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: cargo-timings-rust-release-${{ matrix.target }}-${{ matrix.bundle }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
          if-no-files-found: warn

-      - if: ${{ runner.os == 'macOS' && env.SIGN_MACOS != 'true' }}
-        name: Stage unsigned macOS artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          target="${{ matrix.target }}"
-          release_dir="target/${target}/release"
-          dest="unsigned-dist/${target}"
-          mkdir -p "$dest"
-
-          for binary in ${{ matrix.binaries }}; do
-            binary_path="${release_dir}/${binary}"
-            unsigned_name="${binary}-${target}-unsigned"
-            unsigned_path="${dest}/${unsigned_name}"
-            if [[ ! -f "${binary_path}" ]]; then
-              echo "Binary ${binary_path} not found"
-              exit 1
-            fi
-
-            cp "${binary_path}" "${unsigned_path}"
-            tar -C "$dest" -czf "${unsigned_path}.tar.gz" "${unsigned_name}"
-            zstd -T0 -19 --rm "${unsigned_path}"
-          done
-
-      - if: ${{ runner.os == 'macOS' && env.SIGN_MACOS != 'true' }}
-        name: Upload unsigned macOS artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: ${{ matrix.artifact_name }}-unsigned
-          path: codex-rs/unsigned-dist/${{ matrix.target }}/*
-          if-no-files-found: error
-
      - if: ${{ contains(matrix.target, 'linux') }}
        name: Cosign Linux artifacts
        uses: ./.github/actions/linux-code-sign
@@ -422,7 +298,7 @@ jobs:
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
          binaries: ${{ matrix.binaries }}

-      - if: ${{ runner.os == 'macOS' && env.SIGN_MACOS == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
        uses: ./.github/actions/macos-code-sign
        with:
@@ -436,7 +312,7 @@ jobs:
          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' && env.SIGN_MACOS == 'true' }}
+      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
        name: Build macOS dmg
        shell: bash
        run: |
@@ -476,7 +352,7 @@ jobs:
            exit 1
          fi

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' && env.SIGN_MACOS == 'true' }}
+      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
        name: MacOS code signing (dmg)
        uses: ./.github/actions/macos-code-sign
        with:
@@ -490,7 +366,6 @@ jobs:
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

      - name: Stage artifacts
-        if: ${{ runner.os != 'macOS' || env.SIGN_MACOS == 'true' }}
        shell: bash
        run: |
          dest="dist/${{ matrix.target }}"
@@ -519,67 +394,7 @@ jobs:
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi

-      - name: Build Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' && (runner.os != 'macOS' || env.SIGN_MACOS == 'true') }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          case "${{ matrix.target }}" in
-            aarch64-apple-darwin)
-              platform_tag="macosx_11_0_arm64"
-              ;;
-            x86_64-apple-darwin)
-              platform_tag="macosx_10_9_x86_64"
-              ;;
-            aarch64-unknown-linux-musl)
-              platform_tag="musllinux_1_1_aarch64"
-              ;;
-            x86_64-unknown-linux-musl)
-              platform_tag="musllinux_1_1_x86_64"
-              ;;
-            *)
-              echo "No Python runtime wheel platform tag for ${{ matrix.target }}"
-              exit 1
-              ;;
-          esac
-
-          python3 -m venv "${RUNNER_TEMP}/python-runtime-build-venv"
-          # Do not install into the runner's system Python; macOS runners mark
-          # the Homebrew Python as externally managed under PEP 668.
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m pip install build
-
-          stage_dir="${RUNNER_TEMP}/openai-codex-cli-bin-${{ matrix.target }}"
-          wheel_dir="${GITHUB_WORKSPACE}/python-runtime-dist/${{ matrix.target }}"
-          stage_runtime_args=(
-            "${GITHUB_WORKSPACE}/sdk/python/scripts/update_sdk_artifacts.py"
-            stage-runtime
-            "$stage_dir"
-            "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex"
-            --codex-version "${GITHUB_REF_NAME}"
-            --platform-tag "$platform_tag"
-          )
-          if [[ "${{ matrix.target }}" == *linux* ]]; then
-            # Keep bwrap in the runtime wheel so Linux sandbox fallback behavior
-            # matches the standalone release bundle on hosts without system bwrap.
-            stage_runtime_args+=(
-              --resource-binary
-              "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/bwrap"
-            )
-          fi
-          python3 "${stage_runtime_args[@]}"
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m build --wheel --outdir "$wheel_dir" "$stage_dir"
-
-      - name: Upload Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' && (runner.os != 'macOS' || env.SIGN_MACOS == 'true') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: python-runtime-wheel-${{ matrix.target }}
-          path: python-runtime-dist/${{ matrix.target }}/*.whl
-          if-no-files-found: error
-
      - name: Compress artifacts
-        if: ${{ runner.os != 'macOS' || env.SIGN_MACOS == 'true' }}
        shell: bash
        run: |
          # Path that contains the uncompressed binaries for the current
@@ -615,8 +430,7 @@ jobs:
            zstd -T0 -19 --rm "$dest/$base"
          done

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        if: ${{ runner.os != 'macOS' || env.SIGN_MACOS == 'true' }}
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: ${{ matrix.artifact_name }}
          # Upload the per-binary .zst files, .tar.gz equivalents, and any
@@ -624,233 +438,7 @@ jobs:
          path: |
            codex-rs/dist/${{ matrix.target }}/*

-  stage-signed-macos:
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.release_mode == 'promote_signed' }}
-    needs: tag-check
-    name: Stage signed macOS handoff - ${{ matrix.target }} - ${{ matrix.bundle }}
-    runs-on: macos-15-xlarge
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: codex-rs
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - target: aarch64-apple-darwin
-            bundle: primary
-            artifact_name: aarch64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
-          - target: aarch64-apple-darwin
-            bundle: app-server
-            artifact_name: aarch64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
-          - target: x86_64-apple-darwin
-            bundle: primary
-            artifact_name: x86_64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
-          - target: x86_64-apple-darwin
-            bundle: app-server
-            artifact_name: x86_64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Download signed macOS handoff
-        shell: bash
-        env:
-          GH_TOKEN: ${{ github.token }}
-          SIGNED_MACOS_ASSET: ${{ inputs.signed_macos_asset }}
-          SIGNED_MACOS_SHA256: ${{ inputs.signed_macos_sha256 }}
-        run: |
-          set -euo pipefail
-
-          download_dir="${RUNNER_TEMP}/signed-macos-download"
-          handoff_dir="${RUNNER_TEMP}/signed-macos-handoff"
-          rm -rf "$download_dir" "$handoff_dir"
-          mkdir -p "$download_dir" "$handoff_dir"
-
-          gh release download "$GITHUB_REF_NAME" \
-            --repo "$GITHUB_REPOSITORY" \
-            --pattern "$SIGNED_MACOS_ASSET" \
-            --dir "$download_dir"
-
-          asset_count="$(find "$download_dir" -maxdepth 1 -type f | wc -l | tr -d '[:space:]')"
-          if [[ "$asset_count" != "1" ]]; then
-            echo "Expected exactly one signed macOS handoff asset named ${SIGNED_MACOS_ASSET}; found ${asset_count}"
-            find "$download_dir" -maxdepth 1 -type f -print
-            exit 1
-          fi
-
-          asset_path="$(find "$download_dir" -maxdepth 1 -type f -print -quit)"
-          if [[ -n "${SIGNED_MACOS_SHA256}" ]]; then
-            expected_sha="$(printf '%s' "$SIGNED_MACOS_SHA256" | tr '[:upper:]' '[:lower:]')"
-            actual_sha="$(shasum -a 256 "$asset_path" | awk '{print $1}')"
-            if [[ "$actual_sha" != "$expected_sha" ]]; then
-              echo "signed_macos_sha256 mismatch for ${SIGNED_MACOS_ASSET}"
-              echo "expected: ${expected_sha}"
-              echo "actual:   ${actual_sha}"
-              exit 1
-            fi
-          fi
-
-          asset_name="$(basename "$asset_path")"
-          case "$asset_name" in
-            *.tar.zst)
-              zstd -dc "$asset_path" | tar -C "$handoff_dir" -xf -
-              ;;
-            *.tar.gz|*.tgz)
-              tar -C "$handoff_dir" -xzf "$asset_path"
-              ;;
-            *.zip)
-              ditto -x -k "$asset_path" "$handoff_dir"
-              ;;
-            *)
-              echo "Unsupported signed macOS handoff archive format: ${asset_name}"
-              exit 1
-              ;;
-          esac
-
-          echo "SIGNED_MACOS_HANDOFF_DIR=$handoff_dir" >> "$GITHUB_ENV"
-
-      - name: Stage signed macOS artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          target="${{ matrix.target }}"
-          artifact_name="${{ matrix.artifact_name }}"
-          source_dir="${SIGNED_MACOS_HANDOFF_DIR}/${artifact_name}"
-          if [[ ! -d "$source_dir" && -d "${SIGNED_MACOS_HANDOFF_DIR}/dist/${artifact_name}" ]]; then
-            source_dir="${SIGNED_MACOS_HANDOFF_DIR}/dist/${artifact_name}"
-          fi
-          if [[ ! -d "$source_dir" && -d "${SIGNED_MACOS_HANDOFF_DIR}/${target}" ]]; then
-            source_dir="${SIGNED_MACOS_HANDOFF_DIR}/${target}"
-          fi
-          if [[ ! -d "$source_dir" && -d "${SIGNED_MACOS_HANDOFF_DIR}/dist/${target}" ]]; then
-            source_dir="${SIGNED_MACOS_HANDOFF_DIR}/dist/${target}"
-          fi
-          if [[ ! -d "$source_dir" ]]; then
-            echo "Signed macOS handoff is missing ${artifact_name}/"
-            echo "Expected either:"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/${artifact_name}"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/dist/${artifact_name}"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/${target}"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/dist/${target}"
-            find "$SIGNED_MACOS_HANDOFF_DIR" -maxdepth 3 -type f -print
-            exit 1
-          fi
-
-          dest="dist/${target}"
-          mkdir -p "$dest"
-
-          for binary in ${{ matrix.binaries }}; do
-            source_path="${source_dir}/${binary}"
-            if [[ ! -f "$source_path" ]]; then
-              source_path="${source_dir}/${binary}-${target}"
-            fi
-            if [[ ! -f "$source_path" ]]; then
-              echo "Signed macOS handoff is missing ${binary} for ${artifact_name}"
-              exit 1
-            fi
-
-            release_path="${dest}/${binary}-${target}"
-            ditto "$source_path" "$release_path"
-            chmod 0755 "$release_path"
-            codesign --verify --strict --verbose=2 "$release_path"
-          done
-
-          # DMG staging is disabled for signed promotion because we no longer
-          # distribute DMGs from this release path. Keep the branch here so the
-          # handoff can opt back in by flipping matrix.build_dmg if needed.
-          if [[ "${{ matrix.build_dmg }}" == "true" ]]; then
-            dmg_name="codex-${target}.dmg"
-            dmg_source="${source_dir}/${dmg_name}"
-            if [[ ! -f "$dmg_source" ]]; then
-              echo "Signed macOS handoff is missing ${dmg_name} for ${artifact_name}"
-              exit 1
-            fi
-
-            codesign --verify --strict --verbose=2 "$dmg_source"
-            xcrun stapler validate "$dmg_source"
-            cp "$dmg_source" "$dest/$dmg_name"
-          fi
-
-      - name: Build Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          case "${{ matrix.target }}" in
-            aarch64-apple-darwin)
-              platform_tag="macosx_11_0_arm64"
-              ;;
-            x86_64-apple-darwin)
-              platform_tag="macosx_10_9_x86_64"
-              ;;
-            *)
-              echo "No Python runtime wheel platform tag for ${{ matrix.target }}"
-              exit 1
-              ;;
-          esac
-
-          python3 -m venv "${RUNNER_TEMP}/python-runtime-build-venv"
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m pip install build
-
-          stage_dir="${RUNNER_TEMP}/openai-codex-cli-bin-${{ matrix.target }}"
-          wheel_dir="${GITHUB_WORKSPACE}/python-runtime-dist/${{ matrix.target }}"
-          python3 \
-            "${GITHUB_WORKSPACE}/sdk/python/scripts/update_sdk_artifacts.py" \
-            stage-runtime \
-            "$stage_dir" \
-            "${GITHUB_WORKSPACE}/codex-rs/dist/${{ matrix.target }}/codex-${{ matrix.target }}" \
-            --codex-version "${GITHUB_REF_NAME}" \
-            --platform-tag "$platform_tag"
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m build --wheel --outdir "$wheel_dir" "$stage_dir"
-
-      - name: Upload Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: python-runtime-wheel-${{ matrix.target }}
-          path: python-runtime-dist/${{ matrix.target }}/*.whl
-          if-no-files-found: error
-
-      - name: Compress artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          dest="dist/${{ matrix.target }}"
-          for f in "$dest"/*; do
-            base="$(basename "$f")"
-            if [[ "$base" == *.tar.gz || "$base" == *.tar.zst || "$base" == *.zip || "$base" == *.dmg ]]; then
-              continue
-            fi
-
-            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
-            zstd -T0 -19 --rm "$dest/$base"
-          done
-
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: ${{ matrix.artifact_name }}
-          path: |
-            codex-rs/dist/${{ matrix.target }}/*
-
  build-windows:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    needs: tag-check
    uses: ./.github/workflows/rust-release-windows.yml
    with:
@@ -858,7 +446,6 @@ jobs:
    secrets: inherit

  argument-comment-lint-release-assets:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    name: argument-comment-lint release assets
    needs: tag-check
    uses: ./.github/workflows/rust-release-argument-comment-lint.yml
@@ -866,72 +453,30 @@ jobs:
      publish: true

  zsh-release-assets:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    name: zsh release assets
    needs: tag-check
    uses: ./.github/workflows/rust-release-zsh.yml

  release:
    needs:
-      - tag-check
      - build
-      - stage-signed-macos
      - build-windows
      - argument-comment-lint-release-assets
      - zsh-release-assets
-    if: >-
-      ${{
-        always() &&
-        needs.tag-check.result == 'success' &&
-        (
-          (
-            github.event_name == 'workflow_dispatch' &&
-            inputs.release_mode == 'promote_signed' &&
-            needs.stage-signed-macos.result == 'success' &&
-            needs.build.result == 'skipped' &&
-            needs.build-windows.result == 'skipped' &&
-            needs.argument-comment-lint-release-assets.result == 'skipped' &&
-            needs.zsh-release-assets.result == 'skipped'
-          ) ||
-          (
-            (github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed') &&
-            needs.build.result == 'success' &&
-            needs.stage-signed-macos.result == 'skipped' &&
-            needs.build-windows.result == 'success' &&
-            needs.argument-comment-lint-release-assets.result == 'success' &&
-            needs.zsh-release-assets.result == 'success'
-          )
-        )
-      }}
    name: release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      actions: read
-    env:
-      RELEASE_MODE: ${{ github.event_name == 'workflow_dispatch' && inputs.release_mode || 'signed' }}
-      SIGN_MACOS: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode == 'promote_signed' }}
-      SIGNED_MACOS_ASSET: ${{ inputs.signed_macos_asset }}
-      UNSIGNED_RUN_ID: ${{ inputs.unsigned_run_id }}
    outputs:
      version: ${{ steps.release_name.outputs.name }}
      tag: ${{ github.ref_name }}
-      sign_macos: ${{ steps.release_mode.outputs.sign_macos }}
      should_publish_npm: ${{ steps.npm_publish_settings.outputs.should_publish }}
      npm_tag: ${{ steps.npm_publish_settings.outputs.npm_tag }}
-      should_publish_python_runtime: ${{ steps.python_runtime_publish_settings.outputs.should_publish }}

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Define release mode
-        id: release_mode
-        run: |
-          echo "release_mode=${RELEASE_MODE}" >> "$GITHUB_OUTPUT"
-          echo "sign_macos=${SIGN_MACOS}" >> "$GITHUB_OUTPUT"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Generate release notes from tag commit message
        id: release_notes
@@ -953,125 +498,13 @@ jobs:

          echo "path=${notes_path}" >> "${GITHUB_OUTPUT}"

-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          path: dist

-      - name: Validate unsigned build run
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          run_summary="$(gh run view "$UNSIGNED_RUN_ID" \
-            --repo "$GITHUB_REPOSITORY" \
-            --json conclusion,event,headBranch,headSha,status,workflowName,url \
-            --jq '[.workflowName, .event, .headBranch, .headSha, .status, .conclusion, .url] | @tsv')"
-          IFS=$'\t' read -r workflow_name event head_branch head_sha status conclusion run_url <<< "$run_summary"
-          expected_head_sha="$(git rev-parse "${GITHUB_SHA}^{commit}")"
-
-          if [[ "$workflow_name" != "$GITHUB_WORKFLOW" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} is for workflow '${workflow_name}', expected '${GITHUB_WORKFLOW}'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$event" != "workflow_dispatch" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} was triggered by '${event}', expected 'workflow_dispatch'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$head_branch" != "$GITHUB_REF_NAME" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} used ref '${head_branch}', expected '${GITHUB_REF_NAME}'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$head_sha" != "$expected_head_sha" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} used head SHA '${head_sha}', expected '${expected_head_sha}'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$status" != "completed" || "$conclusion" != "success" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} is ${status}/${conclusion}, expected completed/success"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-      - name: Download artifacts from unsigned build run
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-          gh run download "$UNSIGNED_RUN_ID" \
-            --repo "$GITHUB_REPOSITORY" \
-            --dir dist
-
-      - name: Remove unsigned macOS staging artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        run: |
-          set -euo pipefail
-          find dist -mindepth 1 -maxdepth 1 -type d \
-            -name '*-apple-darwin*-unsigned' \
-            -exec rm -rf {} +
-
-      - name: Re-upload promoted Linux x64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: x86_64-unknown-linux-musl
-          path: dist/x86_64-unknown-linux-musl/*
-          if-no-files-found: error
-
-      - name: Re-upload promoted Linux arm64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: aarch64-unknown-linux-musl
-          path: dist/aarch64-unknown-linux-musl/*
-          if-no-files-found: error
-
-      - name: Re-upload promoted Windows x64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: x86_64-pc-windows-msvc
-          path: dist/x86_64-pc-windows-msvc/*
-          if-no-files-found: error
-
-      - name: Re-upload promoted Windows arm64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: aarch64-pc-windows-msvc
-          path: dist/aarch64-pc-windows-msvc/*
-          if-no-files-found: error
-
      - name: List
        run: ls -R dist/

-      - name: Prune artifacts excluded from unsigned macOS release
-        if: ${{ env.SIGN_MACOS == 'false' }}
-        run: |
-          find dist -mindepth 1 -maxdepth 1 -type d \
-            ! -name '*-apple-darwin*-unsigned' \
-            ! -name 'aarch64-unknown-linux-musl' \
-            ! -name 'aarch64-unknown-linux-musl-app-server' \
-            ! -name 'x86_64-unknown-linux-musl' \
-            ! -name 'x86_64-unknown-linux-musl-app-server' \
-            ! -name 'aarch64-pc-windows-msvc' \
-            ! -name 'x86_64-pc-windows-msvc' \
-            -exec rm -rf {} +
-
-          if ! find dist -type f -name '*-apple-darwin*-unsigned*' | grep -q .; then
-            echo "No unsigned macOS artifacts found in downloaded workflow artifacts."
-            exit 1
-          fi
-
      - name: Delete entries from dist/ that should not go in the release
        run: |
          rm -rf dist/windows-binaries*
@@ -1103,12 +536,6 @@ jobs:
          set -euo pipefail
          version="${VERSION}"

-          if [[ "${SIGN_MACOS}" != "true" ]]; then
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            echo "npm_tag=" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
          if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "should_publish=true" >> "$GITHUB_OUTPUT"
            echo "npm_tag=" >> "$GITHUB_OUTPUT"
@@ -1120,122 +547,63 @@ jobs:
            echo "npm_tag=" >> "$GITHUB_OUTPUT"
          fi

-      - name: Determine Python runtime publish settings
-        id: python_runtime_publish_settings
-        env:
-          VERSION: ${{ steps.release_name.outputs.name }}
-        run: |
-          set -euo pipefail
-          version="${VERSION}"
-
-          if [[ "${SIGN_MACOS}" != "true" ]]; then
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "should_publish=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
-            echo "should_publish=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-          fi
-
      - name: Setup pnpm
-        if: ${{ env.SIGN_MACOS == 'true' }}
        uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
        with:
          run_install: false

      - name: Setup Node.js for npm packaging
-        if: ${{ env.SIGN_MACOS == 'true' }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: 22

      - name: Install dependencies
-        if: ${{ env.SIGN_MACOS == 'true' }}
        run: pnpm install --frozen-lockfile

      # stage_npm_packages.py requires DotSlash when staging releases.
      - uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
      - name: Stage npm packages
-        if: ${{ env.SIGN_MACOS == 'true' }}
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_VERSION: ${{ steps.release_name.outputs.name }}
        run: |
-          workflow_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
          ./scripts/stage_npm_packages.py \
            --release-version "$RELEASE_VERSION" \
-            --workflow-url "$workflow_url" \
            --package codex \
            --package codex-responses-api-proxy \
            --package codex-sdk

      - name: Stage installer scripts
-        if: ${{ env.SIGN_MACOS == 'true' }}
        run: |
          cp scripts/install/install.sh dist/install.sh
          cp scripts/install/install.ps1 dist/install.ps1

      - name: Create GitHub Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        with:
          name: ${{ steps.release_name.outputs.name }}
          tag_name: ${{ github.ref_name }}
          body_path: ${{ steps.release_notes.outputs.path }}
          files: dist/**
-          overwrite_files: true
-          make_latest: ${{ env.SIGN_MACOS == 'true' && !contains(steps.release_name.outputs.name, '-') }}
          # Mark as prerelease only when the version has a suffix after x.y.z
          # (e.g. -alpha, -beta). Otherwise publish a normal release.
          prerelease: ${{ contains(steps.release_name.outputs.name, '-') }}

-      - name: Clean up signed promotion handoff assets
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          release_id="$(gh api "repos/${GITHUB_REPOSITORY}/releases/tags/${GITHUB_REF_NAME}" --jq '.id')"
-          gh api --paginate "repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets" \
-            --jq '.[] | [.id, .name] | @tsv' |
-            while IFS=$'\t' read -r asset_id asset_name; do
-              if [[ -z "$asset_id" || -z "$asset_name" ]]; then
-                continue
-              fi
-
-              delete_asset=false
-              if [[ "$asset_name" == *unsigned* || "$asset_name" == "$SIGNED_MACOS_ASSET" ]]; then
-                delete_asset=true
-              fi
-
-              if [[ "$delete_asset" == "true" ]]; then
-                echo "Deleting release asset ${asset_name}"
-                gh api -X DELETE "repos/${GITHUB_REPOSITORY}/releases/assets/${asset_id}"
-              fi
-            done
-
-      - if: ${{ env.SIGN_MACOS == 'true' }}
-        uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
+      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag: ${{ github.ref_name }}
          config: .github/dotslash-config.json

-      - if: ${{ env.SIGN_MACOS == 'true' }}
-        uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
+      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag: ${{ github.ref_name }}
          config: .github/dotslash-zsh-config.json

-      - if: ${{ env.SIGN_MACOS == 'true' }}
-        uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
+      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -1245,7 +613,7 @@ jobs:
      - name: Trigger developers.openai.com deploy
        # Only trigger the deploy if the release is not a pre-release.
        # The deploy is used to update the developers.openai.com website with the new config schema json file.
-        if: ${{ env.SIGN_MACOS == 'true' && !contains(steps.release_name.outputs.name, '-') }}
+        if: ${{ !contains(steps.release_name.outputs.name, '-') }}
        continue-on-error: true
        env:
          DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL: ${{ secrets.DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL }}
@@ -1260,15 +628,7 @@ jobs:
  # npm docs: https://docs.npmjs.com/trusted-publishers
  publish-npm:
    # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
-    # promote_signed intentionally skips build jobs that are ancestors of release;
-    # include the !cancelled() status function so Actions does not apply its implicit
-    # success() check to the whole dependency chain before evaluating release outputs.
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.should_publish_npm == 'true'
-      }}
+    if: ${{ needs.release.outputs.should_publish_npm == 'true' }}
    name: publish-npm
    needs: release
    runs-on: ubuntu-latest
@@ -1278,7 +638,7 @@ jobs:

    steps:
      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          # Node 24 bundles npm >= 11.5.1, which trusted publishing requires.
          node-version: 24
@@ -1420,65 +780,12 @@ jobs:
            exit "${publish_status}"
          done

-  # Publish the platform-specific Python runtime wheels using PyPI trusted publishing.
-  # PyPI project configuration must trust this workflow and job. Keep this
-  # non-blocking while the Python runtime publishing path is new; failures still
-  # need release follow-up, but should not invalidate the Rust release itself.
-  publish-python-runtime:
-    # Publish to PyPI for stable releases and alpha pre-releases with numeric suffixes.
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.should_publish_python_runtime == 'true'
-      }}
-    name: publish-python-runtime
-    needs: release
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    environment: pypi
-    permissions:
-      id-token: write # Required for PyPI trusted publishing.
-      contents: read
-
-    steps:
-      - name: Download Python runtime wheels from release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          RELEASE_TAG: ${{ needs.release.outputs.tag }}
-          RELEASE_VERSION: ${{ needs.release.outputs.version }}
-        run: |
-          set -euo pipefail
-          python_version="$RELEASE_VERSION"
-          python_version="${python_version/-alpha./a}"
-          python_version="${python_version/-beta./b}"
-          python_version="${python_version/-rc./rc}"
-
-          mkdir -p dist/python-runtime
-          gh release download "$RELEASE_TAG" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "openai_codex_cli_bin-${python_version}-*.whl" \
-            --dir dist/python-runtime
-          ls -lh dist/python-runtime
-
-      - name: Publish Python runtime wheels to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          packages-dir: dist/python-runtime
-          skip-existing: true
-
  winget:
    name: winget
    needs: release
    # Only publish stable/mainline releases to WinGet; pre-releases include a
    # '-' in the semver string (e.g., 1.2.3-alpha.1).
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.sign_macos == 'true' &&
-        !contains(needs.release.outputs.version, '-')
-      }}
+    if: ${{ !contains(needs.release.outputs.version, '-') }}
    # This job only invokes a GitHub Action to open/update the winget-pkgs PR;
    # it does not execute Windows-only tooling, so Linux is sufficient.
    runs-on: ubuntu-latest
@@ -1498,12 +805,6 @@ jobs:

  update-branch:
    name: Update latest-alpha-cli branch
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.sign_macos == 'true'
-      }}
    permissions:
      contents: write
    needs: release
--- a/.github/workflows/rusty-v8-release.yml
+++ b/.github/workflows/rusty-v8-release.yml
@@ -17,12 +17,10 @@ jobs:
      v8_version: ${{ steps.v8_version.outputs.version }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"

@@ -71,9 +69,7 @@ jobs:
            target: aarch64-unknown-linux-musl

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Bazel
        uses: ./.github/actions/setup-bazel-ci
@@ -81,7 +77,7 @@ jobs:
          target: ${{ matrix.target }}

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"

@@ -137,7 +133,7 @@ jobs:
            --output-dir "dist/${TARGET}"

      - name: Upload staged musl artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: rusty-v8-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
          path: dist/${{ matrix.target }}/*
@@ -165,12 +161,12 @@ jobs:
            exit 1
          fi

-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          path: dist

      - name: Create GitHub Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        with:
          tag_name: ${{ needs.metadata.outputs.release_tag }}
          name: ${{ needs.metadata.outputs.release_tag }}
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -6,41 +6,6 @@ on:
  pull_request: {}

 jobs:
-  python-sdk:
-    runs-on:
-      group: codex-runners
-      labels: codex-linux-x64
-    timeout-minutes: 10
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
-
-      - name: Test Python SDK
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          # Run inside Alpine so dependency resolution exercises the pinned
-          # runtime wheel on the same Linux wheel family that CI installs.
-          docker run --rm \
-            --user "$(id -u):$(id -g)" \
-            -e HOME=/tmp/codex-python-sdk-home \
-            -e UV_LINK_MODE=copy \
-            -v "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \
-            -w "${GITHUB_WORKSPACE}/sdk/python" \
-            python:3.12-alpine \
-            sh -euxc '
-              python -m venv /tmp/uv
-              /tmp/uv/bin/python -m pip install uv==0.11.3
-              /tmp/uv/bin/uv sync --extra dev --frozen
-              /tmp/uv/bin/uv run --extra dev ruff check --output-format=github .
-              /tmp/uv/bin/uv run --extra dev ruff format --check .
-              /tmp/uv/bin/uv run --extra dev pytest
-            '
-
  sdks:
    runs-on:
      group: codex-runners
@@ -48,10 +13,7 @@ jobs:
    timeout-minutes: 10
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Linux bwrap build dependencies
        shell: bash
@@ -66,7 +28,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: 22
          cache: pnpm
@@ -153,7 +115,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.setup_bazel.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cache/bazel-repo-cache
--- a/.github/workflows/v8-canary.yml
+++ b/.github/workflows/v8-canary.yml
@@ -40,13 +40,10 @@ jobs:
      v8_version: ${{ steps.v8_version.outputs.version }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"

@@ -77,10 +74,7 @@ jobs:
            target: aarch64-unknown-linux-musl

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Bazel
        uses: ./.github/actions/setup-bazel-ci
@@ -88,7 +82,7 @@ jobs:
          target: ${{ matrix.target }}

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"

@@ -138,7 +132,7 @@ jobs:
            --output-dir "dist/${TARGET}"

      - name: Upload staged musl artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: v8-canary-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
          path: dist/${{ matrix.target }}/*
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,7 +1,6 @@
 {
    "recommendations": [
        "rust-lang.rust-analyzer",
-        "charliermarsh.ruff",
        "tamasfe.even-better-toml",
        "vadimcn.vscode-lldb",

--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -12,14 +12,6 @@
        "editor.defaultFormatter": "tamasfe.even-better-toml",
        "editor.formatOnSave": true,
    },
-    "[python]": {
-        "editor.defaultFormatter": "charliermarsh.ruff",
-        "editor.formatOnSave": true,
-        "editor.codeActionsOnSave": {
-            "source.fixAll.ruff": "explicit",
-            "source.organizeImports.ruff": "explicit",
-        },
-    },
    // Array order for options in ~/.codex/config.toml such as `notify` and the
    // `args` for an MCP server is significant, so we disable reordering.
    "evenBetterToml.formatter.reorderArrays": false,
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -26,7 +26,7 @@ In the codex-rs folder where the rust code lives:
  - Implementations may still use `async fn foo(&self, ...) -> T` when they satisfy that contract.
  - Do not use `#[allow(async_fn_in_trait)]` as a shortcut around spelling the future contract explicitly.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
- Do not add general product or user-facing documentation to the `docs/` folder. The official Codex documentation lives elsewhere. The exception is app-server API documentation, which is covered by the app-server guidance below.
+- When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
 - Prefer private modules and explicitly exported public crate API.
 - If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
 - When working with MCP tool calls, prefer using `codex-rs/codex-mcp/src/mcp_connection_manager.rs` to handle mutation of tools and tool calls. Aim to minimize the footprint of changes and leverage existing abstractions rather than plumbing code through multiple levels of function calls.
@@ -130,7 +130,7 @@ When UI or text output changes intentionally, update the snapshots as follows:

 If you don’t have the tool:

- `cargo install --locked cargo-insta`
+- `cargo install cargo-insta`

 ### Test assertions

@@ -210,7 +210,7 @@ These guidelines apply to app-server protocol work in `codex-rs`, especially:

 ### Development Workflow

- Update app-server docs/examples when API behavior changes (at minimum `app-server/README.md`).
+- Update docs/examples when API behavior changes (at minimum `app-server/README.md`).
 - Regenerate schema fixtures when API shapes change:
  `just write-app-server-schema`
  (and `just write-app-server-schema --experimental` when experimental API fixtures are affected).
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -665,7 +665,6 @@
      "aws-lc-rs_1.16.2": "{\"dependencies\":[{\"name\":\"aws-lc-fips-sys\",\"optional\":true,\"req\":\"^0.13.1\"},{\"default_features\":false,\"name\":\"aws-lc-sys\",\"optional\":true,\"req\":\"^0.39.0\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"clap\",\"req\":\"^4.4\"},{\"kind\":\"dev\",\"name\":\"hex\",\"req\":\"^0.4.3\"},{\"kind\":\"dev\",\"name\":\"lazy_static\",\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"paste\",\"req\":\"^1.0.15\"},{\"kind\":\"dev\",\"name\":\"regex\",\"req\":\"^1.11.1\"},{\"name\":\"untrusted\",\"optional\":true,\"req\":\"^0.7.1\"},{\"name\":\"zeroize\",\"req\":\"^1.8.1\"}],\"features\":{\"alloc\":[],\"asan\":[\"aws-lc-sys?/asan\",\"aws-lc-fips-sys?/asan\"],\"bindgen\":[\"aws-lc-sys?/bindgen\",\"aws-lc-fips-sys?/bindgen\"],\"default\":[\"aws-lc-sys\",\"alloc\",\"ring-io\",\"ring-sig-verify\"],\"dev-tests-only\":[],\"fips\":[\"dep:aws-lc-fips-sys\"],\"non-fips\":[\"aws-lc-sys\"],\"prebuilt-nasm\":[\"aws-lc-sys?/prebuilt-nasm\"],\"ring-io\":[\"dep:untrusted\"],\"ring-sig-verify\":[\"dep:untrusted\"],\"test_logging\":[],\"unstable\":[]}}",
      "aws-lc-sys_0.39.0": "{\"dependencies\":[{\"kind\":\"build\",\"name\":\"bindgen\",\"optional\":true,\"req\":\"^0.72.0\"},{\"features\":[\"parallel\"],\"kind\":\"build\",\"name\":\"cc\",\"req\":\"^1.2.26\"},{\"kind\":\"build\",\"name\":\"cmake\",\"req\":\"^0.1.54\"},{\"kind\":\"build\",\"name\":\"dunce\",\"req\":\"^1.0.5\"},{\"kind\":\"build\",\"name\":\"fs_extra\",\"req\":\"^1.3.0\"}],\"features\":{\"all-bindings\":[],\"asan\":[],\"bindgen\":[\"dep:bindgen\"],\"default\":[\"all-bindings\"],\"disable-prebuilt-nasm\":[],\"fips\":[\"dep:bindgen\"],\"prebuilt-nasm\":[],\"ssl\":[\"bindgen\",\"all-bindings\"]}}",
      "aws-runtime_1.5.17": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"arbitrary\",\"req\":\"^1.3\"},{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"http0-compat\"],\"name\":\"aws-sigv4\",\"req\":\"^1.3.7\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-eventstream\",\"optional\":true,\"req\":\"^0.60.14\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"kind\":\"dev\",\"name\":\"aws-smithy-protocol-test\",\"req\":\"^0.63.7\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.10.0\"},{\"kind\":\"dev\",\"name\":\"bytes-utils\",\"req\":\"^0.1.2\"},{\"kind\":\"dev\",\"name\":\"convert_case\",\"req\":\"^0.6.0\"},{\"name\":\"fastrand\",\"req\":\"^2.3.0\"},{\"default_features\":false,\"kind\":\"dev\",\"name\":\"futures-util\",\"req\":\"^0.3.29\"},{\"name\":\"http-02x\",\"package\":\"http\",\"req\":\"^0.2.9\"},{\"name\":\"http-1x\",\"optional\":true,\"package\":\"http\",\"req\":\"^1.1.0\"},{\"name\":\"http-body-04x\",\"package\":\"http-body\",\"req\":\"^0.4.5\"},{\"name\":\"http-body-1x\",\"optional\":true,\"package\":\"http-body\",\"req\":\"^1.0.0\"},{\"name\":\"percent-encoding\",\"req\":\"^2.3.1\"},{\"name\":\"pin-project-lite\",\"req\":\"^0.2.14\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1.2\"},{\"name\":\"regex-lite\",\"optional\":true,\"req\":\"^0.1.5\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1\"},{\"features\":[\"macros\",\"rt\",\"time\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1.40\"},{\"features\":[\"env-filter\"],\"kind\":\"dev\",\"name\":\"tracing-subscriber\",\"req\":\"^0.3.17\"},{\"kind\":\"dev\",\"name\":\"tracing-test\",\"req\":\"^0.2.4\"},{\"name\":\"uuid\",\"req\":\"^1\"}],\"features\":{\"event-stream\":[\"dep:aws-smithy-eventstream\",\"aws-sigv4/sign-eventstream\"],\"http-02x\":[],\"http-1x\":[\"dep:http-1x\",\"dep:http-body-1x\"],\"sigv4a\":[\"aws-sigv4/sigv4a\"],\"test-util\":[\"dep:regex-lite\"]}}",
-      "aws-sdk-signin_1.2.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-sso_1.91.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-ssooidc_1.93.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-sts_1.95.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"features\":[\"test-util\",\"wire-mock\"],\"kind\":\"dev\",\"name\":\"aws-smithy-http-client\",\"req\":\"^1.1.5\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"kind\":\"dev\",\"name\":\"aws-smithy-protocol-test\",\"req\":\"^0.63.7\"},{\"name\":\"aws-smithy-query\",\"req\":\"^0.60.9\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-smithy-xml\",\"req\":\"^0.60.13\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"default_features\":false,\"features\":[\"alloc\"],\"kind\":\"dev\",\"name\":\"futures-util\",\"req\":\"^0.3.25\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"http-1x\",\"package\":\"http\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1.0.0\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"},{\"features\":[\"env-filter\",\"json\"],\"kind\":\"dev\",\"name\":\"tracing-subscriber\",\"req\":\"^0.3.16\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
@@ -887,6 +886,7 @@
      "enum-as-inner_0.6.1": "{\"dependencies\":[{\"name\":\"heck\",\"req\":\"^0.5\"},{\"name\":\"proc-macro2\",\"req\":\"^1.0\"},{\"name\":\"quote\",\"req\":\"^1.0\"},{\"name\":\"syn\",\"req\":\"^2.0\"}],\"features\":{}}",
      "enumflags2_0.7.12": "{\"dependencies\":[{\"name\":\"enumflags2_derive\",\"req\":\"=0.7.12\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0.0\"}],\"features\":{\"std\":[]}}",
      "enumflags2_derive_0.7.12": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0\"},{\"name\":\"quote\",\"req\":\"^1.0\"},{\"default_features\":false,\"features\":[\"parsing\",\"printing\",\"derive\",\"proc-macro\"],\"name\":\"syn\",\"req\":\"^2.0\"}],\"features\":{}}",
+      "env-flags_0.1.1": "{\"dependencies\":[],\"features\":{}}",
      "env_filter_1.0.0": "{\"dependencies\":[{\"features\":[\"std\"],\"name\":\"log\",\"req\":\"^0.4.8\"},{\"default_features\":false,\"features\":[\"std\",\"perf\"],\"name\":\"regex\",\"optional\":true,\"req\":\"^1.0.3\"},{\"kind\":\"dev\",\"name\":\"snapbox\",\"req\":\"^0.6\"}],\"features\":{\"default\":[\"regex\"],\"regex\":[\"dep:regex\"]}}",
      "env_filter_1.0.1": "{\"dependencies\":[{\"features\":[\"std\"],\"name\":\"log\",\"req\":\"^0.4.29\"},{\"default_features\":false,\"features\":[\"std\",\"perf\"],\"name\":\"regex\",\"optional\":true,\"req\":\"^1.12.3\"},{\"kind\":\"dev\",\"name\":\"snapbox\",\"req\":\"^1.0\"}],\"features\":{\"default\":[\"regex\"],\"regex\":[\"dep:regex\"]}}",
      "env_home_0.1.0": "{\"dependencies\":[],\"features\":{}}",
@@ -1482,7 +1482,6 @@
      "serde_derive_1.0.228": "{\"dependencies\":[{\"default_features\":false,\"features\":[\"proc-macro\"],\"name\":\"proc-macro2\",\"req\":\"^1.0.74\"},{\"default_features\":false,\"features\":[\"proc-macro\"],\"name\":\"quote\",\"req\":\"^1.0.35\"},{\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1\"},{\"default_features\":false,\"features\":[\"clone-impls\",\"derive\",\"parsing\",\"printing\",\"proc-macro\"],\"name\":\"syn\",\"req\":\"^2.0.81\"}],\"features\":{\"default\":[],\"deserialize_in_place\":[]}}",
      "serde_derive_internals_0.29.1": "{\"dependencies\":[{\"default_features\":false,\"name\":\"proc-macro2\",\"req\":\"^1.0.74\"},{\"default_features\":false,\"name\":\"quote\",\"req\":\"^1.0.35\"},{\"default_features\":false,\"features\":[\"clone-impls\",\"derive\",\"parsing\",\"printing\"],\"name\":\"syn\",\"req\":\"^2.0.46\"}],\"features\":{}}",
      "serde_html_form_0.3.2": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"assert_matches2\",\"req\":\"^0.1.0\"},{\"kind\":\"dev\",\"name\":\"divan\",\"req\":\"^0.1.11\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"form_urlencoded\",\"req\":\"^1.0.1\"},{\"default_features\":false,\"name\":\"indexmap\",\"req\":\"^2.0.0\"},{\"kind\":\"dev\",\"name\":\"insta\",\"req\":\"^1.45.0\"},{\"name\":\"itoa\",\"req\":\"^1.0.1\"},{\"name\":\"ryu\",\"optional\":true,\"req\":\"^1.0.9\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1.0.221\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"serde_core\",\"req\":\"^1.0.221\"},{\"kind\":\"dev\",\"name\":\"serde_urlencoded\",\"req\":\"^0.7.1\"}],\"features\":{\"default\":[\"ryu\",\"std\"],\"std\":[]}}",
-      "serde_ignored_0.1.14": "{\"dependencies\":[{\"default_features\":false,\"name\":\"serde\",\"req\":\"^1.0.220\",\"target\":\"cfg(any())\"},{\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1.0.220\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"serde_core\",\"req\":\"^1.0.220\"},{\"kind\":\"dev\",\"name\":\"serde_derive\",\"req\":\"^1.0.220\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1.0.110\"}],\"features\":{}}",
      "serde_json_1.0.149": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"automod\",\"req\":\"^1.0.11\"},{\"name\":\"indexmap\",\"optional\":true,\"req\":\"^2.2.3\"},{\"kind\":\"dev\",\"name\":\"indoc\",\"req\":\"^2.0.2\"},{\"name\":\"itoa\",\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"memchr\",\"req\":\"^2\"},{\"kind\":\"dev\",\"name\":\"ref-cast\",\"req\":\"^1.0.18\"},{\"kind\":\"dev\",\"name\":\"rustversion\",\"req\":\"^1.0.13\"},{\"default_features\":false,\"name\":\"serde\",\"req\":\"^1.0.220\",\"target\":\"cfg(any())\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1.0.194\"},{\"kind\":\"dev\",\"name\":\"serde_bytes\",\"req\":\"^0.11.10\"},{\"default_features\":false,\"name\":\"serde_core\",\"req\":\"^1.0.220\"},{\"kind\":\"dev\",\"name\":\"serde_derive\",\"req\":\"^1.0.166\"},{\"kind\":\"dev\",\"name\":\"serde_stacker\",\"req\":\"^0.1.8\"},{\"features\":[\"diff\"],\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0.108\"},{\"name\":\"zmij\",\"req\":\"^1.0\"}],\"features\":{\"alloc\":[\"serde_core/alloc\"],\"arbitrary_precision\":[],\"default\":[\"std\"],\"float_roundtrip\":[],\"preserve_order\":[\"indexmap\",\"std\"],\"raw_value\":[],\"std\":[\"memchr/std\",\"serde_core/std\"],\"unbounded_depth\":[]}}",
      "serde_path_to_error_0.1.20": "{\"dependencies\":[{\"name\":\"itoa\",\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"serde\",\"req\":\"^1.0.220\",\"target\":\"cfg(any())\"},{\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1.0.220\"},{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"serde_core\",\"req\":\"^1.0.220\"},{\"kind\":\"dev\",\"name\":\"serde_derive\",\"req\":\"^1.0.220\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1.0.100\"}],\"features\":{}}",
      "serde_repr_0.1.20": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0.74\"},{\"name\":\"quote\",\"req\":\"^1.0.35\"},{\"kind\":\"dev\",\"name\":\"rustversion\",\"req\":\"^1.0.13\"},{\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1.0.166\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1.0.100\"},{\"name\":\"syn\",\"req\":\"^2.0.46\"},{\"features\":[\"diff\"],\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0.81\"}],\"features\":{}}",
--- a/codex-cli/bin/codex.js
+++ b/codex-cli/bin/codex.js
@@ -2,7 +2,7 @@
 // Unified entry point for the Codex CLI.

 import { spawn } from "node:child_process";
-import { existsSync, realpathSync } from "fs";
+import { existsSync } from "fs";
 import { createRequire } from "node:module";
 import path from "path";
 import { fileURLToPath } from "url";
@@ -171,7 +171,6 @@ const packageManagerEnvVar =
    ? "CODEX_MANAGED_BY_BUN"
    : "CODEX_MANAGED_BY_NPM";
 env[packageManagerEnvVar] = "1";
-env.CODEX_MANAGED_PACKAGE_ROOT = realpathSync(path.join(__dirname, ".."));

 const child = spawn(binaryPath, process.argv.slice(2), {
  stdio: "inherit",
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -757,7 +757,6 @@ checksum = "96571e6996817bf3d58f6b569e4b9fd2e9d2fcf9f7424eed07b2ce9bb87535e5"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
- "aws-sdk-signin",
 "aws-sdk-sso",
 "aws-sdk-ssooidc",
 "aws-sdk-sts",
@@ -768,20 +767,15 @@ dependencies = [
 "aws-smithy-runtime-api",
 "aws-smithy-types",
 "aws-types",
- "base64-simd",
 "bytes",
 "fastrand",
 "hex",
 "http 1.4.0",
- "p256",
- "rand 0.8.5",
 "ring",
- "sha2",
 "time",
 "tokio",
 "tracing",
 "url",
- "uuid",
 "zeroize",
 ]

@@ -844,28 +838,6 @@ dependencies = [
 "uuid",
 ]

-[[package]]
-name = "aws-sdk-signin"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c084bd63941916e1348cb8d9e05ac2e49bdd40a380e9167702683184c6c6be53"
-dependencies = [
- "aws-credential-types",
- "aws-runtime",
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-json",
- "aws-smithy-runtime",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "aws-types",
- "bytes",
- "fastrand",
- "http 0.2.12",
- "regex-lite",
- "tracing",
-]
-
 [[package]]
 name = "aws-sdk-sso"
 version = "1.91.0"
@@ -1895,19 +1867,15 @@ dependencies = [
 "codex-core",
 "codex-core-plugins",
 "codex-exec-server",
- "codex-extension-api",
 "codex-external-agent-migration",
 "codex-external-agent-sessions",
 "codex-features",
 "codex-feedback",
 "codex-file-search",
- "codex-file-watcher",
 "codex-git-utils",
- "codex-guardian",
 "codex-hooks",
 "codex-login",
 "codex-mcp",
- "codex-memories-extension",
 "codex-memories-write",
 "codex-model-provider",
 "codex-model-provider-info",
@@ -1970,8 +1938,6 @@ dependencies = [
 "codex-exec-server",
 "codex-feedback",
 "codex-protocol",
- "codex-uds",
- "codex-utils-absolute-path",
 "codex-utils-rustls-provider",
 "futures",
 "pretty_assertions",
@@ -1985,27 +1951,6 @@ dependencies = [
 "url",
 ]

-[[package]]
-name = "codex-app-server-daemon"
-version = "0.0.0"
-dependencies = [
- "anyhow",
- "codex-app-server-protocol",
- "codex-app-server-transport",
- "codex-uds",
- "codex-utils-home-dir",
- "futures",
- "libc",
- "pretty_assertions",
- "reqwest",
- "serde",
- "serde_json",
- "sha2",
- "tempfile",
- "tokio",
- "tokio-tungstenite",
-]
-
 [[package]]
 name = "codex-app-server-protocol"
 version = "0.0.0"
@@ -2180,6 +2125,17 @@ dependencies = [
 "serde_with",
 ]

+[[package]]
+name = "codex-builtin-mcps"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "codex-memories-mcp",
+ "codex-utils-absolute-path",
+ "pretty_assertions",
+ "tokio",
+]
+
 [[package]]
 name = "codex-bwrap"
 version = "0.0.0"
@@ -2221,9 +2177,7 @@ dependencies = [
 "assert_matches",
 "clap",
 "clap_complete",
- "codex-api",
 "codex-app-server",
- "codex-app-server-daemon",
 "codex-app-server-protocol",
 "codex-app-server-test-client",
 "codex-arg0",
@@ -2236,14 +2190,11 @@ dependencies = [
 "codex-exec-server",
 "codex-execpolicy",
 "codex-features",
- "codex-install-context",
 "codex-login",
 "codex-mcp",
 "codex-mcp-server",
 "codex-memories-write",
- "codex-model-provider",
 "codex-models-manager",
- "codex-plugin",
 "codex-protocol",
 "codex-responses-api-proxy",
 "codex-rmcp-client",
@@ -2258,14 +2209,11 @@ dependencies = [
 "codex-utils-cli",
 "codex-utils-path",
 "codex-windows-sandbox",
- "crossterm",
- "http 1.4.0",
 "libc",
 "owo-colors",
 "predicates",
 "pretty_assertions",
 "regex-lite",
- "serde",
 "serde_json",
 "sqlx",
 "supports-color 3.0.2",
@@ -2439,7 +2387,6 @@ dependencies = [
 "prost 0.14.3",
 "schemars 0.8.22",
 "serde",
- "serde_ignored",
 "serde_json",
 "serde_path_to_error",
 "sha2",
@@ -2466,11 +2413,7 @@ dependencies = [
 "codex-app-server-protocol",
 "pretty_assertions",
 "serde",
- "serde_json",
- "sha1",
- "tempfile",
 "tokio",
- "tracing",
 "urlencoding",
 ]

@@ -2500,7 +2443,6 @@ dependencies = [
 "codex-core-skills",
 "codex-exec-server",
 "codex-execpolicy",
- "codex-extension-api",
 "codex-features",
 "codex-feedback",
 "codex-git-utils",
@@ -2536,6 +2478,7 @@ dependencies = [
 "codex-utils-path",
 "codex-utils-plugins",
 "codex-utils-pty",
+ "codex-utils-readiness",
 "codex-utils-stream-parser",
 "codex-utils-string",
 "codex-utils-template",
@@ -2545,6 +2488,7 @@ dependencies = [
 "ctor 0.6.3",
 "dirs",
 "dunce",
+ "env-flags",
 "eventsource-stream",
 "futures",
 "http 1.4.0",
@@ -2554,6 +2498,7 @@ dependencies = [
 "insta",
 "libc",
 "maplit",
+ "notify",
 "once_cell",
 "openssl-sys",
 "opentelemetry",
@@ -2602,7 +2547,6 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-exec-server",
- "codex-extension-api",
 "codex-features",
 "codex-login",
 "codex-model-provider-info",
@@ -2716,7 +2660,6 @@ dependencies = [
 "codex-utils-cargo-bin",
 "codex-utils-cli",
 "codex-utils-oss",
- "codex-utils-sandbox-summary",
 "core_test_support",
 "libc",
 "opentelemetry",
@@ -2745,7 +2688,6 @@ dependencies = [
 "anyhow",
 "arc-swap",
 "async-trait",
- "axum",
 "base64 0.22.1",
 "bytes",
 "codex-app-server-protocol",
@@ -2756,22 +2698,20 @@ dependencies = [
 "codex-test-binary-support",
 "codex-utils-absolute-path",
 "codex-utils-pty",
- "codex-utils-rustls-provider",
 "ctor 0.6.3",
 "futures",
 "pretty_assertions",
- "prost 0.14.3",
 "reqwest",
 "serde",
 "serde_json",
 "serial_test",
+ "sha2",
 "tempfile",
 "test-case",
 "thiserror 2.0.18",
 "tokio",
 "tokio-tungstenite",
 "tokio-util",
- "toml 0.9.11+spec-1.1.0",
 "tracing",
 "uuid",
 "wiremock",
@@ -2823,14 +2763,6 @@ dependencies = [
 "syn 2.0.114",
 ]

-[[package]]
-name = "codex-extension-api"
-version = "0.0.0"
-dependencies = [
- "codex-protocol",
- "codex-tools",
-]
-
 [[package]]
 name = "codex-external-agent-migration"
 version = "0.0.0"
@@ -2909,17 +2841,6 @@ dependencies = [
 "serde",
 ]

-[[package]]
-name = "codex-file-watcher"
-version = "0.0.0"
-dependencies = [
- "notify",
- "pretty_assertions",
- "tempfile",
- "tokio",
- "tracing",
-]
-
 [[package]]
 name = "codex-git-utils"
 version = "0.0.0"
@@ -2944,15 +2865,6 @@ dependencies = [
 "walkdir",
 ]

-[[package]]
-name = "codex-guardian"
-version = "0.0.0"
-dependencies = [
- "codex-core",
- "codex-extension-api",
- "codex-protocol",
-]
-
 [[package]]
 name = "codex-hooks"
 version = "0.0.0"
@@ -3080,6 +2992,7 @@ dependencies = [
 "async-channel",
 "codex-api",
 "codex-async-utils",
+ "codex-builtin-mcps",
 "codex-config",
 "codex-exec-server",
 "codex-login",
@@ -3113,7 +3026,6 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-exec-server",
- "codex-extension-api",
 "codex-login",
 "codex-protocol",
 "codex-shell-command",
@@ -3136,27 +3048,6 @@ dependencies = [
 "wiremock",
 ]

-[[package]]
-name = "codex-memories-extension"
-version = "0.0.0"
-dependencies = [
- "async-trait",
- "codex-core",
- "codex-extension-api",
- "codex-features",
- "codex-memories-read",
- "codex-tools",
- "codex-utils-absolute-path",
- "codex-utils-output-truncation",
- "pretty_assertions",
- "schemars 0.8.22",
- "serde",
- "serde_json",
- "tempfile",
- "thiserror 2.0.18",
- "tokio",
-]
-
 [[package]]
 name = "codex-memories-mcp"
 version = "0.0.0"
@@ -3411,6 +3302,7 @@ dependencies = [
 "codex-utils-absolute-path",
 "codex-utils-image",
 "codex-utils-string",
+ "codex-utils-template",
 "encoding_rs",
 "globset",
 "http 1.4.0",
@@ -3481,7 +3373,6 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "axum",
- "base64 0.22.1",
 "bytes",
 "codex-api",
 "codex-client",
@@ -3545,7 +3436,6 @@ dependencies = [
 "anyhow",
 "codex-code-mode",
 "codex-protocol",
- "http 1.4.0",
 "pretty_assertions",
 "serde",
 "serde_json",
@@ -3718,13 +3608,17 @@ dependencies = [
 "codex-protocol",
 "codex-rollout",
 "codex-state",
- "codex-utils-path",
 "pretty_assertions",
+ "prost 0.14.3",
 "serde",
 "serde_json",
 "tempfile",
 "thiserror 2.0.18",
 "tokio",
+ "tokio-stream",
+ "tonic",
+ "tonic-prost",
+ "tonic-prost-build",
 "tracing",
 "uuid",
 ]
@@ -3733,19 +3627,16 @@ dependencies = [
 name = "codex-tools"
 version = "0.0.0"
 dependencies = [
- "async-trait",
 "codex-app-server-protocol",
 "codex-code-mode",
 "codex-features",
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-pty",
- "codex-utils-string",
 "pretty_assertions",
 "rmcp",
 "serde",
 "serde_json",
- "thiserror 2.0.18",
 "tracing",
 ]

@@ -3787,7 +3678,6 @@ dependencies = [
 "codex-protocol",
 "codex-realtime-webrtc",
 "codex-rollout",
- "codex-sandboxing",
 "codex-shell-command",
 "codex-state",
 "codex-terminal-detection",
@@ -3797,16 +3687,15 @@ dependencies = [
 "codex-utils-cli",
 "codex-utils-elapsed",
 "codex-utils-fuzzy-match",
- "codex-utils-home-dir",
 "codex-utils-oss",
 "codex-utils-path",
 "codex-utils-plugins",
+ "codex-utils-pty",
 "codex-utils-sandbox-summary",
 "codex-utils-sleep-inhibitor",
 "codex-utils-string",
 "codex-windows-sandbox",
 "color-eyre",
- "core_test_support",
 "cpal",
 "crossterm",
 "derive_more 2.1.1",
@@ -3830,7 +3719,6 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
- "sha2",
 "shlex",
 "strum 0.27.2",
 "strum_macros 0.28.0",
@@ -3857,7 +3745,6 @@ dependencies = [
 "which 8.0.0",
 "windows-sys 0.52.0",
 "winsplit",
- "wiremock",
 ]

 [[package]]
@@ -3917,7 +3804,6 @@ version = "0.0.0"
 dependencies = [
 "clap",
 "codex-protocol",
- "codex-shell-command",
 "pretty_assertions",
 "serde",
 "toml 0.9.11+spec-1.1.0",
@@ -4353,7 +4239,6 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-exec-server",
- "codex-extension-api",
 "codex-features",
 "codex-hooks",
 "codex-login",
@@ -5407,6 +5292,12 @@ dependencies = [
 "syn 2.0.114",
 ]

+[[package]]
+name = "env-flags"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbfd0e7fc632dec5e6c9396a27bc9f9975b4e039720e1fd3e34021d3ce28c415"
+
 [[package]]
 name = "env_filter"
 version = "1.0.0"
@@ -5458,7 +5349,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -9006,7 +8897,7 @@ version = "5.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d"
 dependencies = [
- "base64 0.22.1",
+ "base64 0.21.7",
 "chrono",
 "getrandom 0.2.17",
 "http 1.4.0",
@@ -9474,7 +9365,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
 "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.45.0",
 ]

 [[package]]
@@ -11645,16 +11536,6 @@ dependencies = [
 "serde_core",
 ]

-[[package]]
-name = "serde_ignored"
-version = "0.1.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "115dffd5f3853e06e746965a20dcbae6ee747ae30b543d91b0e089668bb07798"
-dependencies = [
- "serde",
- "serde_core",
-]
-
 [[package]]
 name = "serde_json"
 version = "1.0.149"
@@ -14128,7 +14009,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.48.0",
 ]

 [[package]]
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -5,12 +5,12 @@ members = [
    "agent-graph-store",
    "agent-identity",
    "backend-client",
+    "builtin-mcps",
    "bwrap",
    "ansi-escape",
    "async-utils",
    "app-server",
    "app-server-transport",
-    "app-server-daemon",
    "app-server-client",
    "app-server-protocol",
    "app-server-test-client",
@@ -44,14 +44,10 @@ members = [
    "exec-server",
    "execpolicy",
    "execpolicy-legacy",
-    "ext/extension-api",
-    "ext/guardian",
-    "ext/memories",
    "external-agent-migration",
    "external-agent-sessions",
    "keyring-store",
    "file-search",
-    "file-watcher",
    "linux-sandbox",
    "lmstudio",
    "login",
@@ -135,7 +131,6 @@ codex-api = { path = "codex-api" }
 codex-aws-auth = { path = "aws-auth" }
 codex-app-server = { path = "app-server" }
 codex-app-server-transport = { path = "app-server-transport" }
-codex-app-server-daemon = { path = "app-server-daemon" }
 codex-app-server-client = { path = "app-server-client" }
 codex-app-server-protocol = { path = "app-server-protocol" }
 codex-app-server-test-client = { path = "app-server-test-client" }
@@ -143,6 +138,7 @@ codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
 codex-backend-client = { path = "backend-client" }
+codex-builtin-mcps = { path = "builtin-mcps" }
 codex-chatgpt = { path = "chatgpt" }
 codex-cli = { path = "cli" }
 codex-client = { path = "codex-client" }
@@ -161,8 +157,6 @@ codex-exec = { path = "exec" }
 codex-file-system = { path = "file-system" }
 codex-exec-server = { path = "exec-server" }
 codex-execpolicy = { path = "execpolicy" }
-codex-extension-api = { path = "ext/extension-api" }
-codex-guardian = { path = "ext/guardian" }
 codex-external-agent-migration = { path = "external-agent-migration" }
 codex-external-agent-sessions = { path = "external-agent-sessions" }
 codex-experimental-api-macros = { path = "codex-experimental-api-macros" }
@@ -170,7 +164,6 @@ codex-features = { path = "features" }
 codex-feedback = { path = "feedback" }
 codex-install-context = { path = "install-context" }
 codex-file-search = { path = "file-search" }
-codex-file-watcher = { path = "file-watcher" }
 codex-git-utils = { path = "git-utils" }
 codex-hooks = { path = "hooks" }
 codex-keyring-store = { path = "keyring-store" }
@@ -178,7 +171,7 @@ codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
 codex-login = { path = "login" }
 codex-message-history = { path = "message-history" }
-codex-memories-extension = { path = "ext/memories" }
+codex-memories-mcp = { path = "memories/mcp" }
 codex-memories-read = { path = "memories/read" }
 codex-memories-write = { path = "memories/write" }
 codex-mcp = { path = "codex-mcp" }
@@ -226,6 +219,7 @@ codex-utils-output-truncation = { path = "utils/output-truncation" }
 codex-utils-path = { path = "utils/path-utils" }
 codex-utils-plugins = { path = "utils/plugins" }
 codex-utils-pty = { path = "utils/pty" }
+codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-rustls-provider = { path = "utils/rustls-provider" }
 codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
 codex-utils-sleep-inhibitor = { path = "utils/sleep-inhibitor" }
@@ -278,6 +272,7 @@ dotenvy = "0.15.7"
 dunce = "1.0.4"
 ed25519-dalek = { version = "2.2.0", features = ["pkcs8"] }
 encoding_rs = "0.8.35"
+env-flags = "0.1.1"
 env_logger = "0.11.9"
 eventsource-stream = "0.2.3"
 flate2 = "1.1.8"
@@ -350,7 +345,6 @@ seccompiler = "0.5.0"
 semver = "1.0"
 sentry = "0.46.0"
 serde = "1"
-serde_ignored = "0.1.14"
 serde_json = "1"
 serde_path_to_error = "0.1.20"
 serde_with = "3.17"
@@ -470,21 +464,24 @@ unwrap_used = "deny"
 [workspace.metadata.cargo-shear]
 ignored = [
    "codex-agent-graph-store",
+    "codex-memories-mcp",
    "icu_provider",
    "openssl-sys",
+    "codex-utils-readiness",
+    "codex-utils-template",
    "codex-v8-poc",
 ]

 [profile.dev]
 # Keep line tables/backtraces while avoiding expensive full variable debug info
 # across local dev builds.
-debug = "limited"
+debug = 1

 [profile.dev-small]
 inherits = "dev"
 opt-level = 0
-debug = "none"
-strip = "symbols"
+debug = 0
+strip = true

 [profile.release]
 lto = "fat"
@@ -496,15 +493,8 @@ strip = "symbols"
 # See https://github.com/openai/codex/issues/1411 for details.
 codegen-units = 1

-[profile.profiling]
-inherits = "release"
-debug = "full"
-lto = false
-strip = false
-
 [profile.ci-test]
-# Reduce binary size to reduce disk pressure.
-debug = "limited"
+debug = 1         # Reduce debug symbol size
 inherits = "test"
 opt-level = 0

--- a/codex-rs/agent-graph-store/Cargo.toml
+++ b/codex-rs/agent-graph-store/Cargo.toml
@@ -7,7 +7,6 @@ version.workspace = true
 [lib]
 name = "codex_agent_graph_store"
 path = "src/lib.rs"
-doctest = false

 [lints]
 workspace = true
--- a/codex-rs/analytics/src/accepted_lines.rs
+++ b/codex-rs/analytics/src/accepted_lines.rs
@@ -1,256 +0,0 @@
-use crate::events::CodexAcceptedLineFingerprintsEventParams;
-use crate::events::CodexAcceptedLineFingerprintsEventRequest;
-use crate::events::TrackEventRequest;
-use crate::facts::AcceptedLineFingerprint;
-use codex_git_utils::canonicalize_git_remote_url;
-use codex_git_utils::get_git_remote_urls_assume_git_repo;
-use sha1::Digest;
-use std::path::Path;
-
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub struct AcceptedLineFingerprintSummary {
-    pub accepted_added_lines: u64,
-    pub accepted_deleted_lines: u64,
-    pub line_fingerprints: Vec<AcceptedLineFingerprint>,
-}
-
-pub(crate) struct AcceptedLineFingerprintEventInput {
-    pub(crate) event_type: &'static str,
-    pub(crate) turn_id: String,
-    pub(crate) thread_id: String,
-    pub(crate) product_surface: Option<String>,
-    pub(crate) model_slug: Option<String>,
-    pub(crate) completed_at: u64,
-    pub(crate) repo_hash: Option<String>,
-    pub(crate) accepted_added_lines: u64,
-    pub(crate) accepted_deleted_lines: u64,
-    pub(crate) line_fingerprints: Vec<AcceptedLineFingerprint>,
-}
-
-pub fn accepted_line_fingerprints_from_unified_diff(
-    unified_diff: &str,
-) -> AcceptedLineFingerprintSummary {
-    let mut current_path: Option<String> = None;
-    let mut in_hunk = false;
-    let mut accepted_added_lines = 0;
-    let mut accepted_deleted_lines = 0;
-    let mut line_fingerprints = Vec::new();
-
-    for line in unified_diff.lines() {
-        if line.starts_with("diff --git ") {
-            current_path = None;
-            in_hunk = false;
-            continue;
-        }
-
-        if line.starts_with("@@ ") {
-            in_hunk = true;
-            continue;
-        }
-
-        if !in_hunk && let Some(path) = line.strip_prefix("+++ ") {
-            current_path = normalize_diff_path(path);
-            continue;
-        }
-
-        if !in_hunk && line.starts_with("--- ") {
-            continue;
-        }
-
-        if let Some(added_line) = line.strip_prefix('+') {
-            accepted_added_lines += 1;
-            if let Some(path) = current_path.as_deref()
-                && let Some(normalized_line) = normalize_effective_line(added_line)
-            {
-                line_fingerprints.push(AcceptedLineFingerprint {
-                    path_hash: fingerprint_hash("path", path),
-                    line_hash: fingerprint_hash("line", &normalized_line),
-                });
-            }
-            continue;
-        }
-
-        if line.starts_with('-') {
-            accepted_deleted_lines += 1;
-        }
-    }
-
-    AcceptedLineFingerprintSummary {
-        accepted_added_lines,
-        accepted_deleted_lines,
-        line_fingerprints,
-    }
-}
-
-pub fn fingerprint_hash(domain: &str, value: &str) -> String {
-    let mut hasher = sha1::Sha1::new();
-    hasher.update(b"file-line-v1\0");
-    hasher.update(domain.as_bytes());
-    hasher.update(b"\0");
-    hasher.update(value.as_bytes());
-    format!("{:x}", hasher.finalize())
-}
-
-pub(crate) fn accepted_line_fingerprint_event_requests(
-    input: AcceptedLineFingerprintEventInput,
-) -> Vec<TrackEventRequest> {
-    let AcceptedLineFingerprintEventInput {
-        event_type,
-        turn_id,
-        thread_id,
-        product_surface,
-        model_slug,
-        completed_at,
-        repo_hash,
-        accepted_added_lines,
-        accepted_deleted_lines,
-        line_fingerprints: _line_fingerprints,
-    } = input;
-
-    vec![TrackEventRequest::AcceptedLineFingerprints(Box::new(
-        CodexAcceptedLineFingerprintsEventRequest {
-            event_type: "codex_accepted_line_fingerprints",
-            event_params: CodexAcceptedLineFingerprintsEventParams {
-                event_type,
-                turn_id,
-                thread_id,
-                product_surface,
-                model_slug,
-                completed_at,
-                repo_hash,
-                accepted_added_lines,
-                accepted_deleted_lines,
-                // Keep computing local fingerprints for parsing tests and future attribution,
-                // but do not upload path/line hashes in the analytics event payload.
-                line_fingerprints: Vec::new(),
-            },
-        },
-    ))]
-}
-
-pub async fn accepted_line_repo_hash_for_cwd(cwd: &Path) -> Option<String> {
-    let remotes = get_git_remote_urls_assume_git_repo(cwd).await?;
-    remotes
-        .get("origin")
-        .or_else(|| remotes.values().next())
-        .map(|remote_url| {
-            let canonical_remote_url =
-                canonicalize_git_remote_url(remote_url).unwrap_or_else(|| remote_url.to_string());
-            fingerprint_hash("repo", &canonical_remote_url)
-        })
-}
-
-fn normalize_diff_path(path: &str) -> Option<String> {
-    let path = path.trim();
-    if path == "/dev/null" {
-        return None;
-    }
-
-    Some(
-        path.strip_prefix("b/")
-            .or_else(|| path.strip_prefix("a/"))
-            .unwrap_or(path)
-            .to_string(),
-    )
-}
-
-fn normalize_effective_line(line: &str) -> Option<String> {
-    let normalized = line.split_whitespace().collect::<Vec<_>>().join(" ");
-    if normalized.len() <= 3 {
-        return None;
-    }
-    if !normalized
-        .chars()
-        .any(|ch| ch.is_alphanumeric() || ch == '_')
-    {
-        return None;
-    }
-    Some(normalized)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn parses_counts_and_effective_added_fingerprints() {
-        let diff = "\
-diff --git a/src/lib.rs b/src/lib.rs
-index 1111111..2222222
--- a/src/lib.rs
-+++ b/src/lib.rs
-@@ -1,3 +1,5 @@
-old line
-+fn useful() {
-+}
-+    return user.id;
- context
-";
-
-        let summary = accepted_line_fingerprints_from_unified_diff(diff);
-
-        assert_eq!(
-            summary,
-            AcceptedLineFingerprintSummary {
-                accepted_added_lines: 3,
-                accepted_deleted_lines: 1,
-                line_fingerprints: vec![
-                    AcceptedLineFingerprint {
-                        path_hash: fingerprint_hash("path", "src/lib.rs"),
-                        line_hash: fingerprint_hash("line", "fn useful() {"),
-                    },
-                    AcceptedLineFingerprint {
-                        path_hash: fingerprint_hash("path", "src/lib.rs"),
-                        line_hash: fingerprint_hash("line", "return user.id;"),
-                    },
-                ],
-            }
-        );
-    }
-
-    #[test]
-    fn skips_added_file_metadata_headers() {
-        let diff = "\
-diff --git a/new.py b/new.py
-new file mode 100644
-index 0000000..1111111
--- /dev/null
-+++ b/new.py
-@@ -0,0 +1 @@
-+print('hello')
-";
-
-        let summary = accepted_line_fingerprints_from_unified_diff(diff);
-
-        assert_eq!(summary.accepted_added_lines, 1);
-        assert_eq!(summary.accepted_deleted_lines, 0);
-        assert_eq!(summary.line_fingerprints.len(), 1);
-    }
-
-    #[test]
-    fn parses_hunk_lines_that_look_like_file_headers() {
-        let diff = "\
-diff --git a/src/lib.rs b/src/lib.rs
-index 1111111..2222222
--- a/src/lib.rs
-+++ b/src/lib.rs
-@@ -1,2 +1,2 @@
--- old value
-+++ new value
-";
-
-        let summary = accepted_line_fingerprints_from_unified_diff(diff);
-
-        assert_eq!(
-            summary,
-            AcceptedLineFingerprintSummary {
-                accepted_added_lines: 1,
-                accepted_deleted_lines: 1,
-                line_fingerprints: vec![AcceptedLineFingerprint {
-                    path_hash: fingerprint_hash("path", "src/lib.rs"),
-                    line_hash: fingerprint_hash("line", "++ new value"),
-                }],
-            }
-        );
-    }
-}
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -30,10 +30,8 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_app_server_protocol::ServerResponse;
 use codex_login::AuthManager;
-use codex_login::CodexAuth;
 use codex_login::default_client::create_client;
 use codex_plugin::PluginTelemetryMetadata;
-use codex_protocol::request_permissions::RequestPermissionsResponse;
 use std::collections::HashSet;
 use std::sync::Arc;
 use std::sync::Mutex;
@@ -173,10 +171,9 @@ impl AnalyticsEventsClient {
        &self,
        tracking: &GuardianReviewTrackContext,
        result: GuardianReviewAnalyticsResult,
-        completed_at_ms: u64,
    ) {
        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::GuardianReview(
-            Box::new(tracking.event_params(result, completed_at_ms)),
+            Box::new(tracking.event_params(result)),
        )));
    }

@@ -343,39 +340,17 @@ impl AnalyticsEventsClient {
        });
    }

-    pub fn track_server_response(&self, completed_at_ms: u64, response: ServerResponse) {
+    pub fn track_server_response(&self, response: ServerResponse) {
        self.record_fact(AnalyticsFact::ServerResponse {
-            completed_at_ms,
            response: Box::new(response),
        });
    }

-    pub fn track_effective_permissions_approval_response(
-        &self,
-        completed_at_ms: u64,
-        request_id: RequestId,
-        response: RequestPermissionsResponse,
-    ) {
-        self.record_fact(AnalyticsFact::EffectivePermissionsApprovalResponse {
-            completed_at_ms,
-            request_id,
-            response: Box::new(response),
-        });
-    }
-
-    pub fn track_server_request_aborted(&self, completed_at_ms: u64, request_id: RequestId) {
-        self.record_fact(AnalyticsFact::ServerRequestAborted {
-            completed_at_ms,
-            request_id,
-        });
-    }
-
    pub fn track_notification(&self, notification: ServerNotification) {
        if !matches!(
            notification,
            ServerNotification::TurnStarted(_)
                | ServerNotification::TurnCompleted(_)
-                | ServerNotification::TurnDiffUpdated(_)
                | ServerNotification::ItemStarted(_)
                | ServerNotification::ItemCompleted(_)
                | ServerNotification::ItemGuardianApprovalReviewStarted(_)
@@ -395,7 +370,6 @@ async fn send_track_events(
    if events.is_empty() {
        return;
    }
-
    let Some(auth) = auth_manager.auth().await else {
        return;
    };
@@ -405,45 +379,12 @@ async fn send_track_events(

    let base_url = base_url.trim_end_matches('/');
    let url = format!("{base_url}/codex/analytics-events/events");
-    for events in track_event_request_batches(events) {
-        send_track_events_request(&auth, &url, events).await;
-    }
-}
-
-fn track_event_request_batches(events: Vec<TrackEventRequest>) -> Vec<Vec<TrackEventRequest>> {
-    let mut batches = Vec::new();
-    let mut current_batch = Vec::new();
-
-    for event in events {
-        if event.should_send_in_isolated_request() {
-            if !current_batch.is_empty() {
-                batches.push(current_batch);
-                current_batch = Vec::new();
-            }
-            batches.push(vec![event]);
-        } else {
-            current_batch.push(event);
-        }
-    }
-
-    if !current_batch.is_empty() {
-        batches.push(current_batch);
-    }
-
-    batches
-}
-
-async fn send_track_events_request(auth: &CodexAuth, url: &str, events: Vec<TrackEventRequest>) {
-    if events.is_empty() {
-        return;
-    }
-
    let payload = TrackEventsRequest { events };

    let response = create_client()
-        .post(url)
+        .post(&url)
        .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .headers(codex_model_provider::auth_provider_from_auth(auth).to_auth_headers())
+        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
        .header("Content-Type", "application/json")
        .json(&payload)
        .send()
--- a/codex-rs/analytics/src/client_tests.rs
+++ b/codex-rs/analytics/src/client_tests.rs
@@ -1,17 +1,11 @@
 use super::AnalyticsEventsClient;
 use super::AnalyticsEventsQueue;
-use super::track_event_request_batches;
-use crate::events::CodexAcceptedLineFingerprintsEventParams;
-use crate::events::CodexAcceptedLineFingerprintsEventRequest;
-use crate::events::SkillInvocationEventParams;
-use crate::events::SkillInvocationEventRequest;
-use crate::events::TrackEventRequest;
 use crate::facts::AnalyticsFact;
-use crate::facts::InvocationType;
 use codex_app_server_protocol::ApprovalsReviewer as AppServerApprovalsReviewer;
 use codex_app_server_protocol::AskForApproval as AppServerAskForApproval;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ClientResponsePayload;
+use codex_app_server_protocol::PermissionProfile as AppServerPermissionProfile;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SandboxPolicy as AppServerSandboxPolicy;
 use codex_app_server_protocol::SessionSource as AppServerSessionSource;
@@ -28,6 +22,7 @@ use codex_app_server_protocol::TurnStartResponse;
 use codex_app_server_protocol::TurnStatus as AppServerTurnStatus;
 use codex_app_server_protocol::TurnSteerParams;
 use codex_app_server_protocol::TurnSteerResponse;
+use codex_protocol::models::PermissionProfile as CorePermissionProfile;
 use codex_utils_absolute_path::test_support::PathBufExt;
 use codex_utils_absolute_path::test_support::test_path_buf;
 use std::collections::HashSet;
@@ -36,44 +31,6 @@ use std::sync::Mutex;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::error::TryRecvError;

-fn sample_accepted_line_fingerprint_event(thread_id: &str) -> TrackEventRequest {
-    TrackEventRequest::AcceptedLineFingerprints(Box::new(
-        CodexAcceptedLineFingerprintsEventRequest {
-            event_type: "codex_accepted_line_fingerprints",
-            event_params: CodexAcceptedLineFingerprintsEventParams {
-                event_type: "codex.accepted_line_fingerprints",
-                turn_id: "turn-1".to_string(),
-                thread_id: thread_id.to_string(),
-                product_surface: Some("codex".to_string()),
-                model_slug: Some("gpt-5.1-codex".to_string()),
-                completed_at: 1,
-                repo_hash: None,
-                accepted_added_lines: 1,
-                accepted_deleted_lines: 0,
-                line_fingerprints: Vec::new(),
-            },
-        },
-    ))
-}
-
-fn sample_regular_track_event(thread_id: &str) -> TrackEventRequest {
-    TrackEventRequest::SkillInvocation(SkillInvocationEventRequest {
-        event_type: "skill_invocation",
-        skill_id: format!("skill-{thread_id}"),
-        skill_name: "doc".to_string(),
-        event_params: SkillInvocationEventParams {
-            product_client_id: None,
-            skill_scope: None,
-            plugin_id: None,
-            repo_url: None,
-            thread_id: Some(thread_id.to_string()),
-            turn_id: Some("turn-1".to_string()),
-            invoke_type: Some(InvocationType::Explicit),
-            model_slug: Some("gpt-5.1-codex".to_string()),
-        },
-    })
-}
-
 fn client_with_receiver() -> (AnalyticsEventsClient, mpsc::Receiver<AnalyticsFact>) {
    let (sender, receiver) = mpsc::channel(8);
    let queue = AnalyticsEventsQueue {
@@ -140,6 +97,10 @@ fn sample_thread(thread_id: &str) -> Thread {
    }
 }

+fn sample_permission_profile() -> AppServerPermissionProfile {
+    CorePermissionProfile::Disabled.into()
+}
+
 fn sample_thread_start_response() -> ClientResponsePayload {
    ClientResponsePayload::ThreadStart(ThreadStartResponse {
        thread: sample_thread("thread-1"),
@@ -147,11 +108,11 @@ fn sample_thread_start_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
-        runtime_workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
        sandbox: AppServerSandboxPolicy::DangerFullAccess,
+        permission_profile: Some(sample_permission_profile()),
        active_permission_profile: None,
        reasoning_effort: None,
    })
@@ -164,11 +125,11 @@ fn sample_thread_resume_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
-        runtime_workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
        sandbox: AppServerSandboxPolicy::DangerFullAccess,
+        permission_profile: Some(sample_permission_profile()),
        active_permission_profile: None,
        reasoning_effort: None,
    })
@@ -181,11 +142,11 @@ fn sample_thread_fork_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
-        runtime_workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
        sandbox: AppServerSandboxPolicy::DangerFullAccess,
+        permission_profile: Some(sample_permission_profile()),
        active_permission_profile: None,
        reasoning_effort: None,
    })
@@ -261,23 +222,3 @@ fn track_response_only_enqueues_analytics_relevant_responses() {
    );
    assert!(matches!(receiver.try_recv(), Err(TryRecvError::Empty)));
 }
-
-#[test]
-fn track_event_request_batches_only_isolates_accepted_line_fingerprint_events() {
-    let batches = track_event_request_batches(vec![
-        sample_regular_track_event("thread-1"),
-        sample_regular_track_event("thread-2"),
-        sample_accepted_line_fingerprint_event("thread-3"),
-        sample_accepted_line_fingerprint_event("thread-4"),
-        sample_regular_track_event("thread-5"),
-        sample_regular_track_event("thread-6"),
-    ]);
-
-    assert_eq!(batches.len(), 4);
-    assert_eq!(batches[0].len(), 2);
-    assert_eq!(batches[1].len(), 1);
-    assert_eq!(batches[2].len(), 1);
-    assert_eq!(batches[3].len(), 2);
-    assert!(batches[1][0].should_send_in_isolated_request());
-    assert!(batches[2][0].should_send_in_isolated_request());
-}
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -1,6 +1,5 @@
 use std::time::Instant;

-use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AppInvocation;
 use crate::facts::CodexCompactionEvent;
 use crate::facts::CompactionImplementation;
@@ -19,7 +18,7 @@ use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRejectionReason;
 use crate::facts::TurnSteerResult;
 use crate::facts::TurnSubmissionType;
-use crate::now_unix_millis;
+use crate::now_unix_seconds;
 use codex_app_server_protocol::CodexErrorInfo;
 use codex_app_server_protocol::CommandExecutionSource;
 use codex_login::default_client::originator;
@@ -71,9 +70,6 @@ pub(crate) enum TrackEventRequest {
    CollabAgentToolCall(CodexCollabAgentToolCallEventRequest),
    WebSearch(CodexWebSearchEventRequest),
    ImageGeneration(CodexImageGenerationEventRequest),
-    AcceptedLineFingerprints(Box<CodexAcceptedLineFingerprintsEventRequest>),
-    #[allow(dead_code)]
-    ReviewEvent(CodexReviewEventRequest),
    PluginUsed(CodexPluginUsedEventRequest),
    PluginInstalled(CodexPluginEventRequest),
    PluginUninstalled(CodexPluginEventRequest),
@@ -81,32 +77,6 @@ pub(crate) enum TrackEventRequest {
    PluginDisabled(CodexPluginEventRequest),
 }

-impl TrackEventRequest {
-    pub(crate) fn should_send_in_isolated_request(&self) -> bool {
-        matches!(self, Self::AcceptedLineFingerprints(_))
-    }
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexAcceptedLineFingerprintsEventParams {
-    pub(crate) event_type: &'static str,
-    pub(crate) turn_id: String,
-    pub(crate) thread_id: String,
-    pub(crate) product_surface: Option<String>,
-    pub(crate) model_slug: Option<String>,
-    pub(crate) completed_at: u64,
-    pub(crate) repo_hash: Option<String>,
-    pub(crate) accepted_added_lines: u64,
-    pub(crate) accepted_deleted_lines: u64,
-    pub(crate) line_fingerprints: Vec<AcceptedLineFingerprint>,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexAcceptedLineFingerprintsEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexAcceptedLineFingerprintsEventParams,
-}
-
 #[derive(Serialize)]
 pub(crate) struct SkillInvocationEventRequest {
    pub(crate) event_type: &'static str,
@@ -289,7 +259,7 @@ pub struct GuardianReviewTrackContext {
    approval_request_source: GuardianApprovalRequestSource,
    reviewed_action: GuardianReviewedAction,
    review_timeout_ms: u64,
-    pub started_at_ms: u64,
+    started_at: u64,
    started_instant: Instant,
 }

@@ -311,7 +281,7 @@ impl GuardianReviewTrackContext {
            approval_request_source,
            reviewed_action,
            review_timeout_ms,
-            started_at_ms: now_unix_millis(),
+            started_at: now_unix_seconds(),
            started_instant: Instant::now(),
        }
    }
@@ -319,7 +289,6 @@ impl GuardianReviewTrackContext {
    pub(crate) fn event_params(
        &self,
        result: GuardianReviewAnalyticsResult,
-        completed_at_ms: u64,
    ) -> GuardianReviewEventParams {
        GuardianReviewEventParams {
            thread_id: self.thread_id.clone(),
@@ -345,8 +314,8 @@ impl GuardianReviewTrackContext {
            tool_call_count: None,
            time_to_first_token_ms: result.time_to_first_token_ms,
            completion_latency_ms: Some(self.started_instant.elapsed().as_millis() as u64),
-            started_at: self.started_at_ms / 1_000,
-            completed_at: Some(completed_at_ms / 1_000),
+            started_at: self.started_at,
+            completed_at: Some(now_unix_seconds()),
            input_tokens: result.token_usage.as_ref().map(|usage| usage.input_tokens),
            cached_input_tokens: result
                .token_usage
@@ -429,7 +398,7 @@ pub(crate) struct GuardianReviewEventPayload {
 #[allow(dead_code)]
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "snake_case")]
-pub(crate) enum FinalApprovalOutcome {
+pub(crate) enum ToolItemFinalApprovalOutcome {
    Unknown,
    NotNeeded,
    ConfigAllowed,
@@ -473,7 +442,7 @@ pub(crate) struct CodexToolItemEventBase {
    pub(crate) item_id: String,
    pub(crate) app_server_client: CodexAppServerClientMetadata,
    pub(crate) runtime: CodexRuntimeMetadata,
-    pub(crate) thread_source: Option<ThreadSource>,
+    pub(crate) thread_source: Option<&'static str>,
    pub(crate) subagent_source: Option<String>,
    pub(crate) parent_thread_id: Option<String>,
    pub(crate) tool_name: String,
@@ -486,90 +455,13 @@ pub(crate) struct CodexToolItemEventBase {
    pub(crate) review_count: u64,
    pub(crate) guardian_review_count: u64,
    pub(crate) user_review_count: u64,
-    pub(crate) final_approval_outcome: FinalApprovalOutcome,
+    pub(crate) final_approval_outcome: ToolItemFinalApprovalOutcome,
    pub(crate) terminal_status: ToolItemTerminalStatus,
    pub(crate) failure_kind: Option<ToolItemFailureKind>,
    pub(crate) requested_additional_permissions: bool,
    pub(crate) requested_network_access: bool,
 }

-#[allow(dead_code)]
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub(crate) enum ReviewSubjectKind {
-    CommandExecution,
-    FileChange,
-    McpToolCall,
-    Permissions,
-    NetworkAccess,
-}
-
-#[allow(dead_code)]
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub(crate) enum Reviewer {
-    Guardian,
-    User,
-}
-
-#[allow(dead_code)]
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub(crate) enum ReviewTrigger {
-    Initial,
-    SandboxDenial,
-    NetworkPolicyDenial,
-    ExecveIntercept,
-}
-
-#[allow(dead_code)]
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub(crate) enum ReviewStatus {
-    Approved,
-    Denied,
-    Aborted,
-    TimedOut,
-}
-
-#[allow(dead_code)]
-#[derive(Clone, Copy, Debug, Serialize)]
-#[serde(rename_all = "snake_case")]
-pub(crate) enum ReviewResolution {
-    None,
-    SessionApproval,
-    ExecPolicyAmendment,
-    NetworkPolicyAmendment,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexReviewEventParams {
-    pub(crate) thread_id: String,
-    pub(crate) turn_id: String,
-    pub(crate) item_id: Option<String>,
-    pub(crate) review_id: String,
-    pub(crate) app_server_client: CodexAppServerClientMetadata,
-    pub(crate) runtime: CodexRuntimeMetadata,
-    pub(crate) thread_source: Option<ThreadSource>,
-    pub(crate) subagent_source: Option<String>,
-    pub(crate) parent_thread_id: Option<String>,
-    pub(crate) subject_kind: ReviewSubjectKind,
-    pub(crate) subject_name: String,
-    pub(crate) reviewer: Reviewer,
-    pub(crate) trigger: ReviewTrigger,
-    pub(crate) status: ReviewStatus,
-    pub(crate) resolution: ReviewResolution,
-    pub(crate) started_at_ms: u64,
-    pub(crate) completed_at_ms: u64,
-    pub(crate) duration_ms: Option<u64>,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexReviewEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexReviewEventParams,
-}
-#[allow(dead_code)]
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "snake_case")]
 pub(crate) enum WebSearchActionKind {
@@ -794,6 +686,8 @@ pub(crate) struct CodexTurnEventParams {
    pub(crate) status: Option<TurnStatus>,
    pub(crate) turn_error: Option<CodexErrorInfo>,
    pub(crate) steer_count: Option<usize>,
+    // TODO(rhan-oai): Populate these once tool-call accounting is emitted from
+    // core; the schema is reserved but these fields are currently always None.
    pub(crate) total_tool_call_count: Option<usize>,
    pub(crate) shell_command_count: Option<usize>,
    pub(crate) file_change_count: Option<usize>,
--- a/codex-rs/analytics/src/facts.rs
+++ b/codex-rs/analytics/src/facts.rs
@@ -25,16 +25,9 @@ use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SkillScope;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
-use codex_protocol::request_permissions::RequestPermissionsResponse;
 use serde::Serialize;
 use std::path::PathBuf;

-#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
-pub struct AcceptedLineFingerprint {
-    pub path_hash: String,
-    pub line_hash: String,
-}
-
 #[derive(Clone)]
 pub struct TrackEventsContext {
    pub model_slug: String,
@@ -303,18 +296,8 @@ pub(crate) enum AnalyticsFact {
        request: Box<ServerRequest>,
    },
    ServerResponse {
-        completed_at_ms: u64,
        response: Box<ServerResponse>,
    },
-    EffectivePermissionsApprovalResponse {
-        completed_at_ms: u64,
-        request_id: RequestId,
-        response: Box<RequestPermissionsResponse>,
-    },
-    ServerRequestAborted {
-        completed_at_ms: u64,
-        request_id: RequestId,
-    },
    Notification(Box<ServerNotification>),
    // Facts that do not naturally exist on the app-server protocol surface, or
    // would require non-trivial protocol reshaping on this branch.
--- a/codex-rs/analytics/src/lib.rs
+++ b/codex-rs/analytics/src/lib.rs
@@ -1,4 +1,3 @@
-mod accepted_lines;
 mod client;
 mod events;
 mod facts;
@@ -7,8 +6,6 @@ mod reducer;
 use std::time::SystemTime;
 use std::time::UNIX_EPOCH;

-pub use accepted_lines::accepted_line_fingerprints_from_unified_diff;
-pub use accepted_lines::fingerprint_hash;
 pub use client::AnalyticsEventsClient;
 pub use events::AppServerRpcTransport;
 pub use events::GuardianApprovalRequestSource;
@@ -20,7 +17,6 @@ pub use events::GuardianReviewSessionKind;
 pub use events::GuardianReviewTerminalStatus;
 pub use events::GuardianReviewTrackContext;
 pub use events::GuardianReviewedAction;
-pub use facts::AcceptedLineFingerprint;
 pub use facts::AnalyticsJsonRpcError;
 pub use facts::AppInvocation;
 pub use facts::CodexCompactionEvent;
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
--- a/codex-rs/ansi-escape/Cargo.toml
+++ b/codex-rs/ansi-escape/Cargo.toml
@@ -7,8 +7,6 @@ license.workspace = true
 [lib]
 name = "codex_ansi_escape"
 path = "src/lib.rs"
-test = false
-doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-client/Cargo.toml
+++ b/codex-rs/app-server-client/Cargo.toml
@@ -7,7 +7,6 @@ license.workspace = true
 [lib]
 name = "codex_app_server_client"
 path = "src/lib.rs"
-doctest = false

 [lints]
 workspace = true
@@ -21,8 +20,6 @@ codex-core = { workspace = true }
 codex-exec-server = { workspace = true }
 codex-feedback = { workspace = true }
 codex-protocol = { workspace = true }
-codex-uds = { workspace = true }
-codex-utils-absolute-path = { workspace = true }
 codex-utils-rustls-provider = { workspace = true }
 futures = { workspace = true }
 serde = { workspace = true }
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -25,7 +25,6 @@ use std::io::Result as IoResult;
 use std::sync::Arc;
 use std::time::Duration;

-pub use codex_app_server::app_server_control_socket_path;
 pub use codex_app_server::in_process::DEFAULT_IN_PROCESS_CHANNEL_CAPACITY;
 pub use codex_app_server::in_process::InProcessServerEvent;
 use codex_app_server::in_process::InProcessStartArgs;
@@ -50,6 +49,7 @@ use codex_config::RemoteThreadConfigLoader;
 use codex_config::ThreadConfigLoader;
 use codex_core::config::Config;
 pub use codex_exec_server::EnvironmentManager;
+pub use codex_exec_server::EnvironmentManagerArgs;
 pub use codex_exec_server::ExecServerRuntimePaths;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
@@ -62,7 +62,6 @@ use tracing::warn;

 pub use crate::remote::RemoteAppServerClient;
 pub use crate::remote::RemoteAppServerConnectArgs;
-pub use crate::remote::RemoteAppServerEndpoint;

 /// Transitional access to core-only embedded app-server types.
 ///
@@ -336,8 +335,6 @@ pub struct InProcessClientStartArgs {
    pub cli_overrides: Vec<(String, TomlValue)>,
    /// Loader override knobs used by config API paths.
    pub loader_overrides: LoaderOverrides,
-    /// Whether config API paths should reject unknown config fields.
-    pub strict_config: bool,
    /// Preloaded cloud requirements provider.
    pub cloud_requirements: CloudRequirementsLoader,
    /// Feedback sink used by app-server/core telemetry and logs.
@@ -378,7 +375,6 @@ impl InProcessClientStartArgs {
    pub fn initialize_params(&self) -> InitializeParams {
        let capabilities = InitializeCapabilities {
            experimental_api: self.experimental_api,
-            request_attestation: false,
            opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                None
            } else {
@@ -404,7 +400,6 @@ impl InProcessClientStartArgs {
            config: self.config,
            cli_overrides: self.cli_overrides,
            loader_overrides: self.loader_overrides,
-            strict_config: self.strict_config,
            cloud_requirements: self.cloud_requirements,
            thread_config_loader,
            feedback: self.feedback,
@@ -957,8 +952,6 @@ mod tests {
    use codex_app_server_protocol::ToolRequestUserInputQuestion;
    use codex_core::config::ConfigBuilder;
    use codex_core::init_state_db;
-    use codex_uds::UnixListener;
-    use codex_utils_absolute_path::AbsolutePathBuf;
    use futures::SinkExt;
    use futures::StreamExt;
    use pretty_assertions::assert_eq;
@@ -968,7 +961,6 @@ mod tests {
    use tokio::net::TcpListener;
    use tokio::time::Duration;
    use tokio::time::timeout;
-    use tokio_tungstenite::accept_async;
    use tokio_tungstenite::accept_hdr_async;
    use tokio_tungstenite::tungstenite::Message;
    use tokio_tungstenite::tungstenite::handshake::server::Request as WebSocketRequest;
@@ -1033,7 +1025,6 @@ mod tests {
            config,
            cli_overrides: Vec::new(),
            loader_overrides: LoaderOverrides::default(),
-            strict_config: false,
            cloud_requirements: CloudRequirementsLoader::default(),
            feedback: CodexFeedback::new(),
            log_db: None,
@@ -1109,10 +1100,9 @@ mod tests {
        format!("ws://{addr}")
    }

-    async fn expect_remote_initialize<S>(websocket: &mut tokio_tungstenite::WebSocketStream<S>)
-    where
-        S: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin,
-    {
+    async fn expect_remote_initialize(
+        websocket: &mut tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>,
+    ) {
        let JSONRPCMessage::Request(request) = read_websocket_message(websocket).await else {
            panic!("expected initialize request");
        };
@@ -1133,12 +1123,9 @@ mod tests {
        assert_eq!(notification.method, "initialized");
    }

-    async fn read_websocket_message<S>(
-        websocket: &mut tokio_tungstenite::WebSocketStream<S>,
-    ) -> JSONRPCMessage
-    where
-        S: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin,
-    {
+    async fn read_websocket_message(
+        websocket: &mut tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>,
+    ) -> JSONRPCMessage {
        loop {
            let frame = websocket
                .next()
@@ -1158,12 +1145,10 @@ mod tests {
        }
    }

-    async fn write_websocket_message<S>(
-        websocket: &mut tokio_tungstenite::WebSocketStream<S>,
+    async fn write_websocket_message(
+        websocket: &mut tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>,
        message: JSONRPCMessage,
-    ) where
-        S: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin,
-    {
+    ) {
        websocket
            .send(Message::Text(
                serde_json::to_string(&message)
@@ -1228,10 +1213,8 @@ mod tests {

    fn test_remote_connect_args(websocket_url: String) -> RemoteAppServerConnectArgs {
        RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::WebSocket {
-                websocket_url,
-                auth_token: None,
-            },
+            websocket_url,
+            auth_token: None,
            client_name: "codex-app-server-client-test".to_string(),
            client_version: "0.0.0-test".to_string(),
            experimental_api: true,
@@ -1470,64 +1453,6 @@ mod tests {
        client.shutdown().await.expect("shutdown should complete");
    }

-    #[tokio::test]
-    async fn remote_unix_socket_typed_request_roundtrip_works() {
-        let socket_dir = TempDir::new().expect("socket dir");
-        let socket_path = AbsolutePathBuf::from_absolute_path(socket_dir.path().join("codex.sock"))
-            .expect("socket path should resolve");
-        let mut listener = UnixListener::bind(socket_path.as_path())
-            .await
-            .expect("listener should bind");
-        tokio::spawn(async move {
-            let stream = listener.accept().await.expect("accept should succeed");
-            let mut websocket = accept_async(stream)
-                .await
-                .expect("websocket upgrade should succeed");
-            expect_remote_initialize(&mut websocket).await;
-            let JSONRPCMessage::Request(request) = read_websocket_message(&mut websocket).await
-            else {
-                panic!("expected account/read request");
-            };
-            assert_eq!(request.method, "account/read");
-            write_websocket_message(
-                &mut websocket,
-                JSONRPCMessage::Response(JSONRPCResponse {
-                    id: request.id,
-                    result: serde_json::to_value(GetAccountResponse {
-                        account: None,
-                        requires_openai_auth: false,
-                    })
-                    .expect("response should serialize"),
-                }),
-            )
-            .await;
-            websocket.close(None).await.expect("close should succeed");
-        });
-        let client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::UnixSocket { socket_path },
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: 8,
-        })
-        .await
-        .expect("remote client should connect");
-
-        let response: GetAccountResponse = client
-            .request_typed(ClientRequest::GetAccount {
-                request_id: RequestId::Integer(1),
-                params: codex_app_server_protocol::GetAccountParams {
-                    refresh_token: false,
-                },
-            })
-            .await
-            .expect("typed request should succeed");
-        assert_eq!(response.account, None);
-
-        client.shutdown().await.expect("shutdown should complete");
-    }
-
    #[tokio::test]
    async fn remote_typed_request_accepts_large_single_frame_response() {
        let padding = "x".repeat((17 << 20) + 1024);
@@ -1589,15 +1514,8 @@ mod tests {
        )
        .await;
        let client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::WebSocket {
-                websocket_url,
-                auth_token: Some(auth_token),
-            },
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: 8,
+            auth_token: Some(auth_token),
+            ..test_remote_connect_args(websocket_url)
        })
        .await
        .expect("remote client should connect");
@@ -1608,15 +1526,9 @@ mod tests {
    #[tokio::test]
    async fn remote_connect_rejects_non_loopback_ws_when_auth_configured() {
        let result = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::WebSocket {
-                websocket_url: "ws://example.com:4500".to_string(),
-                auth_token: Some("remote-bearer-token".to_string()),
-            },
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: 8,
+            websocket_url: "ws://example.com:4500".to_string(),
+            auth_token: Some("remote-bearer-token".to_string()),
+            ..test_remote_connect_args("ws://127.0.0.1:1".to_string())
        })
        .await;
        let err = match result {
@@ -1794,8 +1706,13 @@ mod tests {
        })
        .await;
        let mut client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
+            websocket_url,
+            auth_token: None,
+            client_name: "codex-app-server-client-test".to_string(),
+            client_version: "0.0.0-test".to_string(),
+            experimental_api: true,
+            opt_out_notification_methods: Vec::new(),
            channel_capacity: 1,
-            ..test_remote_connect_args(websocket_url)
        })
        .await
        .expect("remote client should connect");
@@ -2192,7 +2109,6 @@ mod tests {
            config: config.clone(),
            cli_overrides: Vec::new(),
            loader_overrides: LoaderOverrides::default(),
-            strict_config: false,
            cloud_requirements: CloudRequirementsLoader::default(),
            feedback: CodexFeedback::new(),
            log_db: None,
@@ -2233,7 +2149,6 @@ mod tests {
            config: Arc::new(config),
            cli_overrides: Vec::new(),
            loader_overrides: LoaderOverrides::default(),
-            strict_config: false,
            cloud_requirements: CloudRequirementsLoader::default(),
            feedback: CodexFeedback::new(),
            log_db: None,
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -1,13 +1,11 @@
 /*
-This module implements the remote app-server client transport.
+This module implements the websocket-backed app-server client transport.

 It owns the remote connection lifecycle, including the initialize/initialized
 handshake, JSON-RPC request/response routing, server-request resolution, and
-notification streaming. Remote connections always carry WebSocket frames, over
-either TCP WebSocket URLs or local Unix sockets. The rest of the crate uses the
-same `AppServerEvent` surface for both in-process and remote transports, so
-callers such as the TUI can switch between them without changing their
-higher-level session logic.
+notification streaming. The rest of the crate uses the same `AppServerEvent`
+surface for both in-process and remote transports, so callers such as the TUI
+can switch between them without changing their higher-level session logic.
 */

 use std::collections::HashMap;
@@ -37,23 +35,17 @@ use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::Result as JsonRpcResult;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
-use codex_uds::UnixStream;
-use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_rustls_provider::ensure_rustls_crypto_provider;
 use futures::SinkExt;
 use futures::StreamExt;
 use serde::de::DeserializeOwned;
-use tokio::io::AsyncRead;
-use tokio::io::AsyncWrite;
 use tokio::net::TcpStream;
 use tokio::sync::mpsc;
 use tokio::sync::oneshot;
 use tokio::time::timeout;
 use tokio_tungstenite::MaybeTlsStream;
 use tokio_tungstenite::WebSocketStream;
-use tokio_tungstenite::client_async_with_config;
 use tokio_tungstenite::connect_async_with_config;
-use tokio_tungstenite::tungstenite::Error as TungsteniteError;
 use tokio_tungstenite::tungstenite::Message;
 use tokio_tungstenite::tungstenite::client::IntoClientRequest;
 use tokio_tungstenite::tungstenite::http::HeaderValue;
@@ -65,35 +57,22 @@ use url::Url;
 const CONNECT_TIMEOUT: Duration = Duration::from_secs(10);
 const INITIALIZE_TIMEOUT: Duration = Duration::from_secs(10);
 const REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE: usize = 128 << 20;
-// Tungstenite still needs an HTTP request URI for the WebSocket handshake;
-// the bytes travel over the Unix socket, not TCP.
-const UDS_WEBSOCKET_HANDSHAKE_URL: &str = "ws://localhost/rpc";
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub enum RemoteAppServerEndpoint {
-    WebSocket {
-        websocket_url: String,
-        auth_token: Option<String>,
-    },
-    UnixSocket {
-        socket_path: AbsolutePathBuf,
-    },
-}

 #[derive(Debug, Clone)]
 pub struct RemoteAppServerConnectArgs {
-    pub endpoint: RemoteAppServerEndpoint,
+    pub websocket_url: String,
+    pub auth_token: Option<String>,
    pub client_name: String,
    pub client_version: String,
    pub experimental_api: bool,
    pub opt_out_notification_methods: Vec<String>,
    pub channel_capacity: usize,
 }
+
 impl RemoteAppServerConnectArgs {
    fn initialize_params(&self) -> InitializeParams {
        let capabilities = InitializeCapabilities {
            experimental_api: self.experimental_api,
-            request_attestation: false,
            opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                None
            } else {
@@ -161,39 +140,69 @@ pub struct RemoteAppServerRequestHandle {
 impl RemoteAppServerClient {
    pub async fn connect(args: RemoteAppServerConnectArgs) -> IoResult<Self> {
        let channel_capacity = args.channel_capacity.max(1);
-        let initialize_params = args.initialize_params();
-        match args.endpoint {
-            RemoteAppServerEndpoint::WebSocket {
-                websocket_url,
-                auth_token,
-            } => {
-                let (endpoint, stream) =
-                    connect_websocket_endpoint(websocket_url, auth_token).await?;
-                Self::connect_with_stream(channel_capacity, endpoint, stream, initialize_params)
-                    .await
-            }
-            RemoteAppServerEndpoint::UnixSocket { socket_path } => {
-                let (endpoint, stream) = connect_unix_socket_endpoint(socket_path).await?;
-                Self::connect_with_stream(channel_capacity, endpoint, stream, initialize_params)
-                    .await
-            }
+        let websocket_url = args.websocket_url.clone();
+        let url = Url::parse(&websocket_url).map_err(|err| {
+            IoError::new(
+                ErrorKind::InvalidInput,
+                format!("invalid websocket URL `{websocket_url}`: {err}"),
+            )
+        })?;
+        if args.auth_token.is_some() && !websocket_url_supports_auth_token(&url) {
+            return Err(IoError::new(
+                ErrorKind::InvalidInput,
+                format!(
+                    "remote auth tokens require `wss://` or loopback `ws://` URLs; got `{websocket_url}`"
+                ),
+            ));
        }
-    }
-
-    async fn connect_with_stream<S>(
-        channel_capacity: usize,
-        endpoint: String,
-        stream: WebSocketStream<S>,
-        initialize_params: InitializeParams,
-    ) -> IoResult<Self>
-    where
-        S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
-    {
+        let mut request = url.as_str().into_client_request().map_err(|err| {
+            IoError::new(
+                ErrorKind::InvalidInput,
+                format!("invalid websocket URL `{websocket_url}`: {err}"),
+            )
+        })?;
+        if let Some(auth_token) = args.auth_token.as_deref() {
+            let header_value =
+                HeaderValue::from_str(&format!("Bearer {auth_token}")).map_err(|err| {
+                    IoError::new(
+                        ErrorKind::InvalidInput,
+                        format!("invalid remote authorization header value: {err}"),
+                    )
+                })?;
+            request.headers_mut().insert(AUTHORIZATION, header_value);
+        }
+        ensure_rustls_crypto_provider();
+        // Remote resume responses can legitimately carry large thread histories.
+        // Keep a bounded cap, but raise it above tungstenite's 16 MiB frame default.
+        let websocket_config = WebSocketConfig::default()
+            .max_frame_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE))
+            .max_message_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE));
+        let stream = timeout(
+            CONNECT_TIMEOUT,
+            connect_async_with_config(
+                request,
+                Some(websocket_config),
+                /*disable_nagle*/ false,
+            ),
+        )
+        .await
+        .map_err(|_| {
+            IoError::new(
+                ErrorKind::TimedOut,
+                format!("timed out connecting to remote app server at `{websocket_url}`"),
+            )
+        })?
+        .map(|(stream, _response)| stream)
+        .map_err(|err| {
+            IoError::other(format!(
+                "failed to connect to remote app server at `{websocket_url}`: {err}"
+            ))
+        })?;
        let mut stream = stream;
        let pending_events = initialize_remote_connection(
            &mut stream,
-            &endpoint,
-            initialize_params,
+            &websocket_url,
+            args.initialize_params(),
            INITIALIZE_TIMEOUT,
        )
        .await?;
@@ -225,13 +234,13 @@ impl RemoteAppServerClient {
                                if let Err(err) = write_jsonrpc_message(
                                    &mut stream,
                                    JSONRPCMessage::Request(jsonrpc_request_from_client_request(*request)),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await
                                {
                                    let err_message = err.to_string();
                                    let message = format!(
-                                        "remote app server at `{endpoint}` write failed: {err_message}"
+                                        "remote app server at `{websocket_url}` write failed: {err_message}"
                                    );
                                    if let Some(response_tx) = pending_requests.remove(&request_id) {
                                        let _ = response_tx.send(Err(err));
@@ -252,7 +261,7 @@ impl RemoteAppServerClient {
                                    JSONRPCMessage::Notification(
                                        jsonrpc_notification_from_client_notification(notification),
                                    ),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await;
                                let _ = response_tx.send(result);
@@ -268,7 +277,7 @@ impl RemoteAppServerClient {
                                        id: request_id,
                                        result,
                                    }),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await;
                                let _ = response_tx.send(result);
@@ -284,20 +293,16 @@ impl RemoteAppServerClient {
                                        error,
                                        id: request_id,
                                    }),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await;
                                let _ = response_tx.send(result);
                            }
                            RemoteClientCommand::Shutdown { response_tx } => {
-                                let close_result = stream.close(None).await.or_else(|err| {
-                                    if websocket_close_error_is_already_closed(&err) {
-                                        Ok(())
-                                    } else {
-                                        Err(IoError::other(format!(
-                                            "failed to close websocket app server `{endpoint}`: {err}"
-                                        )))
-                                    }
+                                let close_result = stream.close(None).await.map_err(|err| {
+                                    IoError::other(format!(
+                                        "failed to close websocket app server `{websocket_url}`: {err}"
+                                    ))
                                });
                                let _ = response_tx.send(close_result);
                                break;
@@ -358,13 +363,13 @@ impl RemoteAppServerClient {
                                                        },
                                                        id: request_id,
                                                    }),
-                                                    &endpoint,
+                                                    &websocket_url,
                                                )
                                                .await
                                                {
                                                    let err_message = reject_err.to_string();
                                                    let message = format!(
-                                                        "remote app server at `{endpoint}` write failed: {err_message}"
+                                                        "remote app server at `{websocket_url}` write failed: {err_message}"
                                                    );
                                                    let _ = deliver_event(
                                                        &event_tx,
@@ -381,7 +386,7 @@ impl RemoteAppServerClient {
                                    }
                                    Err(err) => {
                                        let message = format!(
-                                            "remote app server at `{endpoint}` sent invalid JSON-RPC: {err}"
+                                            "remote app server at `{websocket_url}` sent invalid JSON-RPC: {err}"
                                        );
                                        let _ = deliver_event(
                                            &event_tx,
@@ -402,7 +407,7 @@ impl RemoteAppServerClient {
                                    .filter(|reason| !reason.is_empty())
                                    .unwrap_or_else(|| "connection closed".to_string());
                                let message = format!(
-                                    "remote app server at `{endpoint}` disconnected: {reason}"
+                                    "remote app server at `{websocket_url}` disconnected: {reason}"
                                );
                                let _ = deliver_event(
                                    &event_tx,
@@ -422,7 +427,7 @@ impl RemoteAppServerClient {
                            | Some(Ok(Message::Frame(_))) => {}
                            Some(Err(err)) => {
                                let message = format!(
-                                    "remote app server at `{endpoint}` transport failed: {err}"
+                                    "remote app server at `{websocket_url}` transport failed: {err}"
                                );
                                let _ = deliver_event(
                                    &event_tx,
@@ -435,7 +440,7 @@ impl RemoteAppServerClient {
                            }
                            None => {
                                let message = format!(
-                                    "remote app server at `{endpoint}` closed the connection"
+                                    "remote app server at `{websocket_url}` closed the connection"
                                );
                                let _ = deliver_event(
                                    &event_tx,
@@ -672,131 +677,12 @@ impl RemoteAppServerRequestHandle {
    }
 }

-async fn connect_websocket_endpoint(
-    websocket_url: String,
-    auth_token: Option<String>,
-) -> IoResult<(String, WebSocketStream<MaybeTlsStream<TcpStream>>)> {
-    let url = Url::parse(&websocket_url).map_err(|err| {
-        IoError::new(
-            ErrorKind::InvalidInput,
-            format!("invalid websocket URL `{websocket_url}`: {err}"),
-        )
-    })?;
-    if auth_token.is_some() && !websocket_url_supports_auth_token(&url) {
-        return Err(IoError::new(
-            ErrorKind::InvalidInput,
-            format!(
-                "remote auth tokens require `wss://` or loopback `ws://` URLs; got `{websocket_url}`"
-            ),
-        ));
-    }
-
-    let mut request = url.as_str().into_client_request().map_err(|err| {
-        IoError::new(
-            ErrorKind::InvalidInput,
-            format!("invalid websocket URL `{websocket_url}`: {err}"),
-        )
-    })?;
-    if let Some(auth_token) = auth_token.as_deref() {
-        let header_value =
-            HeaderValue::from_str(&format!("Bearer {auth_token}")).map_err(|err| {
-                IoError::new(
-                    ErrorKind::InvalidInput,
-                    format!("invalid remote authorization header value: {err}"),
-                )
-            })?;
-        request.headers_mut().insert(AUTHORIZATION, header_value);
-    }
-
-    ensure_rustls_crypto_provider();
-    let websocket_config = remote_websocket_config();
-    let stream = timeout(
-        CONNECT_TIMEOUT,
-        connect_async_with_config(
-            request,
-            Some(websocket_config),
-            /*disable_nagle*/ false,
-        ),
-    )
-    .await
-    .map_err(|_| {
-        IoError::new(
-            ErrorKind::TimedOut,
-            format!("timed out connecting to remote app server at `{websocket_url}`"),
-        )
-    })?
-    .map(|(stream, _response)| stream)
-    .map_err(|err| {
-        IoError::other(format!(
-            "failed to connect to remote app server at `{websocket_url}`: {err}"
-        ))
-    })?;
-
-    Ok((websocket_url, stream))
-}
-
-async fn connect_unix_socket_endpoint(
-    socket_path: AbsolutePathBuf,
-) -> IoResult<(String, WebSocketStream<UnixStream>)> {
-    let endpoint = format!("unix://{}", socket_path.display());
-    let request = UDS_WEBSOCKET_HANDSHAKE_URL
-        .into_client_request()
-        .map_err(|err| {
-            IoError::new(
-                ErrorKind::InvalidInput,
-                format!("invalid UDS websocket handshake URL: {err}"),
-            )
-        })?;
-    let stream = timeout(CONNECT_TIMEOUT, UnixStream::connect(socket_path.as_path()))
-        .await
-        .map_err(|_| {
-            IoError::new(
-                ErrorKind::TimedOut,
-                format!("timed out connecting to remote app server at `{endpoint}`"),
-            )
-        })?
-        .map_err(|err| {
-            IoError::other(format!(
-                "failed to connect to remote app server at `{endpoint}`: {err}"
-            ))
-        })?;
-    let websocket_config = remote_websocket_config();
-    let stream = timeout(
-        CONNECT_TIMEOUT,
-        client_async_with_config(request, stream, Some(websocket_config)),
-    )
-    .await
-    .map_err(|_| {
-        IoError::new(
-            ErrorKind::TimedOut,
-            format!("timed out upgrading remote app server at `{endpoint}`"),
-        )
-    })?
-    .map(|(stream, _response)| stream)
-    .map_err(|err| {
-        IoError::other(format!(
-            "failed to upgrade remote app server at `{endpoint}`: {err}"
-        ))
-    })?;
-
-    Ok((endpoint, stream))
-}
-
-fn remote_websocket_config() -> WebSocketConfig {
-    WebSocketConfig::default()
-        .max_frame_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE))
-        .max_message_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE))
-}
-
-async fn initialize_remote_connection<S>(
-    stream: &mut WebSocketStream<S>,
-    endpoint: &str,
+async fn initialize_remote_connection(
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
+    websocket_url: &str,
    params: InitializeParams,
    initialize_timeout: Duration,
-) -> IoResult<Vec<AppServerEvent>>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
+) -> IoResult<Vec<AppServerEvent>> {
    let initialize_request_id = RequestId::String("initialize".to_string());
    let mut pending_events = Vec::new();
    write_jsonrpc_message(
@@ -807,7 +693,7 @@ where
                params,
            },
        )),
-        endpoint,
+        websocket_url,
    )
    .await?;

@@ -817,7 +703,7 @@ where
                Some(Ok(Message::Text(text))) => {
                    let message = serde_json::from_str::<JSONRPCMessage>(&text).map_err(|err| {
                        IoError::other(format!(
-                            "remote app server at `{endpoint}` sent invalid initialize response: {err}"
+                            "remote app server at `{websocket_url}` sent invalid initialize response: {err}"
                        ))
                    })?;
                    match message {
@@ -826,7 +712,7 @@ where
                        }
                        JSONRPCMessage::Error(error) if error.id == initialize_request_id => {
                            break Err(IoError::other(format!(
-                                "remote app server at `{endpoint}` rejected initialize: {}",
+                                "remote app server at `{websocket_url}` rejected initialize: {}",
                                error.error.message
                            )));
                        }
@@ -856,7 +742,7 @@ where
                                            },
                                            id: request_id,
                                        }),
-                                        endpoint,
+                                        websocket_url,
                                    )
                                    .await?;
                                }
@@ -878,19 +764,19 @@ where
                    break Err(IoError::new(
                        ErrorKind::ConnectionAborted,
                        format!(
-                            "remote app server at `{endpoint}` closed during initialize: {reason}"
+                            "remote app server at `{websocket_url}` closed during initialize: {reason}"
                        ),
                    ));
                }
                Some(Err(err)) => {
                    break Err(IoError::other(format!(
-                        "remote app server at `{endpoint}` transport failed during initialize: {err}"
+                        "remote app server at `{websocket_url}` transport failed during initialize: {err}"
                    )));
                }
                None => {
                    break Err(IoError::new(
                        ErrorKind::UnexpectedEof,
-                        format!("remote app server at `{endpoint}` closed during initialize"),
+                        format!("remote app server at `{websocket_url}` closed during initialize"),
                    ));
                }
            }
@@ -900,7 +786,7 @@ where
    .map_err(|_| {
        IoError::new(
            ErrorKind::TimedOut,
-            format!("timed out waiting for initialize response from `{endpoint}`"),
+            format!("timed out waiting for initialize response from `{websocket_url}`"),
        )
    })??;

@@ -909,7 +795,7 @@ where
        JSONRPCMessage::Notification(jsonrpc_notification_from_client_notification(
            ClientNotification::Initialized,
        )),
-        endpoint,
+        websocket_url,
    )
    .await?;

@@ -963,35 +849,21 @@ fn jsonrpc_notification_from_client_notification(
    }
 }

-async fn write_jsonrpc_message<S>(
-    stream: &mut WebSocketStream<S>,
+async fn write_jsonrpc_message(
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
    message: JSONRPCMessage,
-    endpoint: &str,
-) -> IoResult<()>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
+    websocket_url: &str,
+) -> IoResult<()> {
    let payload = serde_json::to_string(&message).map_err(IoError::other)?;
    stream
        .send(Message::Text(payload.into()))
        .await
        .map_err(|err| {
            IoError::other(format!(
-                "failed to write websocket message to `{endpoint}`: {err}"
+                "failed to write websocket message to `{websocket_url}`: {err}"
            ))
        })
 }
-
-fn websocket_close_error_is_already_closed(err: &TungsteniteError) -> bool {
-    match err {
-        TungsteniteError::ConnectionClosed | TungsteniteError::AlreadyClosed => true,
-        TungsteniteError::Io(err) => matches!(
-            err.kind(),
-            ErrorKind::BrokenPipe | ErrorKind::ConnectionReset | ErrorKind::NotConnected
-        ),
-        _ => false,
-    }
-}
 #[cfg(test)]
 mod tests {
    use super::*;
--- a/codex-rs/app-server-daemon/BUILD.bazel
+++ b/codex-rs/app-server-daemon/BUILD.bazel
@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "app-server-daemon",
-    crate_name = "codex_app_server_daemon",
-)
--- a/codex-rs/app-server-daemon/Cargo.toml
+++ b/codex-rs/app-server-daemon/Cargo.toml
@@ -1,40 +0,0 @@
-[package]
-name = "codex-app-server-daemon"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-
-[lib]
-name = "codex_app_server_daemon"
-path = "src/lib.rs"
-doctest = false
-
-[lints]
-workspace = true
-
-[dependencies]
-anyhow = { workspace = true }
-codex-app-server-protocol = { workspace = true }
-codex-app-server-transport = { workspace = true }
-codex-utils-home-dir = { workspace = true }
-codex-uds = { workspace = true }
-futures = { workspace = true }
-libc = { workspace = true }
-reqwest = { workspace = true, features = ["rustls-tls"] }
-serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
-sha2 = { workspace = true }
-tokio = { workspace = true, features = [
-    "fs",
-    "io-util",
-    "macros",
-    "process",
-    "rt-multi-thread",
-    "signal",
-    "time",
-] }
-tokio-tungstenite = { workspace = true }
-
-[dev-dependencies]
-pretty_assertions = { workspace = true }
-tempfile = { workspace = true }
--- a/codex-rs/app-server-daemon/README.md
+++ b/codex-rs/app-server-daemon/README.md
@@ -1,113 +0,0 @@
-# codex-app-server-daemon
-
-> `codex-app-server-daemon` is experimental and its lifecycle contract may
-> change while the remote-management flow is still being developed.
-
-`codex-app-server-daemon` backs the machine-readable `codex app-server`
-lifecycle commands used by remote clients such as the desktop and mobile apps.
-It is intended for Codex instances launched over SSH, including fresh developer
-machines that should expose app-server with `remote_control` enabled.
-
-## Platform support
-
-The current daemon implementation is Unix-only. It uses pidfile-backed
-daemonization plus Unix process and file-locking primitives, and does not yet
-support Windows lifecycle management.
-
-## Commands
-
-```sh
-codex app-server daemon start
-codex app-server daemon restart
-codex app-server daemon enable-remote-control
-codex app-server daemon disable-remote-control
-codex app-server daemon stop
-codex app-server daemon version
-codex app-server daemon bootstrap --remote-control
-```
-
-On success, every command writes exactly one JSON object to stdout. Consumers
-should parse that JSON rather than relying on human-readable text. Lifecycle
-responses report the resolved backend, socket path, local CLI version, and
-running app-server version when applicable.
-
-## Bootstrap flow
-
-For a new remote machine:
-
-```sh
-curl -fsSL https://chatgpt.com/codex/install.sh | sh
-$HOME/.codex/packages/standalone/current/codex app-server daemon bootstrap --remote-control
-```
-
-`bootstrap` requires the standalone managed install. It records the daemon
-settings under `CODEX_HOME/app-server-daemon/`, starts app-server as a
-pidfile-backed detached process, and launches a detached updater loop.
-
-## Installation and update cases
-
-The daemon assumes Codex is installed through `install.sh` and always launches
-the standalone managed binary under `CODEX_HOME`.
-
-| Situation | What starts | Does this daemon fetch new binaries? | Does a running app-server eventually move to a newer binary on its own? |
-| --- | --- | --- | --- |
-| `install.sh` has run, but only `start` is used | `start` uses `CODEX_HOME/packages/standalone/current/codex` | No | No. The managed path is used when starting or restarting, but no updater is installed. |
-| `install.sh` has run, then `bootstrap` is used | The pidfile backend uses `CODEX_HOME/packages/standalone/current/codex` | Yes. Bootstrap launches a detached updater loop that runs `install.sh` hourly. | Yes, while that updater process is alive and app-server is already running. After a successful fetch, the updater restarts app-server with the refreshed binary and only then replaces its own process image. |
-| Some other tool updates the managed binary path | The next fresh start or restart uses the updated file at that path | Only if `bootstrap` is active, because the updater still runs `install.sh` on its normal cadence. | Without `bootstrap`, no. With `bootstrap`, the next successful updater pass compares the managed binary contents after `install.sh` runs; if app-server is running and they differ from the updater's current image, it refreshes app-server first and then itself. |
-
-### Standalone installs
-
-For installs created by `install.sh`:
-
- lifecycle commands always use the standalone managed binary path
- `bootstrap` is supported
- `bootstrap` starts a detached pid-backed updater loop that fetches via
-  `install.sh`
- after a successful refresh, if app-server is running and the managed binary
-  contents changed, the updater restarts app-server with that binary first and
-  only then replaces its own process image
- the updater loop is not reboot-persistent; it must be started again by
-  rerunning `bootstrap` after a reboot
-
-### Out-of-band updates
-
-This daemon does not watch arbitrary executable files for replacement. If some
-other tool updates the managed binary path:
-
- without `bootstrap`, a currently running app-server remains on the old
-  executable image until an explicit `restart`
- with `bootstrap`, the detached updater loop notices the changed managed
-  binary on its next successful scheduled pass after running `install.sh`; if
-  app-server is running, it refreshes app-server first and then refreshes itself
-  once that replacement starts successfully
-
-## Lifecycle semantics
-
-`start` is idempotent and returns after app-server is ready to answer the normal
-JSON-RPC initialize handshake on the Unix control socket.
-
-`restart` stops any managed daemon and starts it again.
-
-`enable-remote-control` and `disable-remote-control` persist the launch setting
-for future starts. If a managed app-server is already running, they restart it
-so the new setting takes effect immediately.
-
-Top-level `codex remote-control` bootstraps with `--remote-control` when the
-updater loop is not running. Otherwise it enables remote control and starts the
-daemon normally.
-
-`stop` sends a graceful termination request first, then sends a second
-termination signal after the grace window if the process is still alive.
-
-All mutating lifecycle commands are serialized per `CODEX_HOME`, so a concurrent
-`start`, `restart`, `enable-remote-control`, `disable-remote-control`, `stop`,
-or `bootstrap` does not race another in-flight lifecycle operation.
-
-## State
-
-The daemon stores its local state under `CODEX_HOME/app-server-daemon/`:
-
- `settings.json` for persisted launch settings
- `app-server.pid` for the app-server process record
- `app-server-updater.pid` for the pid-backed standalone updater loop
- `daemon.lock` for daemon-wide lifecycle serialization
--- a/codex-rs/app-server-daemon/src/backend/mod.rs
+++ b/codex-rs/app-server-daemon/src/backend/mod.rs
@@ -1,33 +0,0 @@
-mod pid;
-
-use std::path::PathBuf;
-
-use serde::Serialize;
-
-pub(crate) use pid::PidBackend;
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum BackendKind {
-    Pid,
-}
-
-#[derive(Debug, Clone)]
-pub(crate) struct BackendPaths {
-    pub(crate) codex_bin: PathBuf,
-    pub(crate) pid_file: PathBuf,
-    pub(crate) update_pid_file: PathBuf,
-    pub(crate) remote_control_enabled: bool,
-}
-
-pub(crate) fn pid_backend(paths: BackendPaths) -> PidBackend {
-    PidBackend::new(
-        paths.codex_bin,
-        paths.pid_file,
-        paths.remote_control_enabled,
-    )
-}
-
-pub(crate) fn pid_update_loop_backend(paths: BackendPaths) -> PidBackend {
-    PidBackend::new_update_loop(paths.codex_bin, paths.update_pid_file)
-}
--- a/codex-rs/app-server-daemon/src/backend/pid.rs
+++ b/codex-rs/app-server-daemon/src/backend/pid.rs
@@ -1,594 +0,0 @@
-use std::path::Path;
-use std::path::PathBuf;
-#[cfg(unix)]
-use std::process::Stdio;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::bail;
-use serde::Deserialize;
-use serde::Serialize;
-use tokio::fs;
-#[cfg(unix)]
-use tokio::process::Command;
-use tokio::time::sleep;
-
-const STOP_POLL_INTERVAL: Duration = Duration::from_millis(50);
-const STOP_GRACE_PERIOD: Duration = Duration::from_secs(60);
-const STOP_TIMEOUT: Duration = Duration::from_secs(70);
-const START_TIMEOUT: Duration = Duration::from_secs(10);
-
-#[derive(Debug)]
-#[cfg_attr(not(unix), allow(dead_code))]
-pub(crate) struct PidBackend {
-    codex_bin: PathBuf,
-    pid_file: PathBuf,
-    lock_file: PathBuf,
-    command_kind: PidCommandKind,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-struct PidRecord {
-    pid: u32,
-    process_start_time: String,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-enum PidFileState {
-    Missing,
-    Starting,
-    Running(PidRecord),
-}
-
-#[derive(Debug, Clone, Copy)]
-#[cfg_attr(not(unix), allow(dead_code))]
-enum PidCommandKind {
-    AppServer { remote_control_enabled: bool },
-    UpdateLoop,
-}
-
-impl PidBackend {
-    pub(crate) fn new(codex_bin: PathBuf, pid_file: PathBuf, remote_control_enabled: bool) -> Self {
-        let lock_file = pid_file.with_extension("pid.lock");
-        Self {
-            codex_bin,
-            pid_file,
-            lock_file,
-            command_kind: PidCommandKind::AppServer {
-                remote_control_enabled,
-            },
-        }
-    }
-
-    pub(crate) fn new_update_loop(codex_bin: PathBuf, pid_file: PathBuf) -> Self {
-        let lock_file = pid_file.with_extension("pid.lock");
-        Self {
-            codex_bin,
-            pid_file,
-            lock_file,
-            command_kind: PidCommandKind::UpdateLoop,
-        }
-    }
-
-    pub(crate) async fn is_starting_or_running(&self) -> Result<bool> {
-        loop {
-            match self.read_pid_file_state().await? {
-                PidFileState::Missing => return Ok(false),
-                PidFileState::Starting => return Ok(true),
-                PidFileState::Running(record) => {
-                    if self.record_is_active(&record).await? {
-                        return Ok(true);
-                    }
-                    match self.refresh_after_stale_record(&record).await? {
-                        PidFileState::Missing => return Ok(false),
-                        PidFileState::Starting | PidFileState::Running(_) => continue,
-                    }
-                }
-            }
-        }
-    }
-
-    #[cfg(unix)]
-    pub(crate) async fn start(&self) -> Result<Option<u32>> {
-        if let Some(parent) = self.pid_file.parent() {
-            fs::create_dir_all(parent)
-                .await
-                .with_context(|| format!("failed to create pid directory {}", parent.display()))?;
-        }
-        let reservation_lock = self.acquire_reservation_lock().await?;
-        let _pid_file = loop {
-            match fs::OpenOptions::new()
-                .create_new(true)
-                .write(true)
-                .open(&self.pid_file)
-                .await
-            {
-                Ok(pid_file) => break pid_file,
-                Err(err) if err.kind() == std::io::ErrorKind::AlreadyExists => {
-                    match self.read_pid_file_state_with_lock_held().await? {
-                        PidFileState::Missing => continue,
-                        PidFileState::Running(record) => {
-                            if self.record_is_active(&record).await? {
-                                return Ok(None);
-                            }
-                            let _ = fs::remove_file(&self.pid_file).await;
-                            continue;
-                        }
-                        PidFileState::Starting => {
-                            unreachable!("lock holder cannot observe starting")
-                        }
-                    }
-                }
-                Err(err) => {
-                    return Err(err).with_context(|| {
-                        format!("failed to reserve pid file {}", self.pid_file.display())
-                    });
-                }
-            }
-        };
-        let mut command = Command::new(&self.codex_bin);
-        command
-            .args(self.command_args())
-            .stdin(Stdio::null())
-            .stdout(Stdio::null())
-            .stderr(Stdio::null());
-
-        #[cfg(unix)]
-        {
-            unsafe {
-                command.pre_exec(|| {
-                    if libc::setsid() == -1 {
-                        return Err(std::io::Error::last_os_error());
-                    }
-                    Ok(())
-                });
-            }
-        }
-
-        let child = match command.spawn() {
-            Ok(child) => child,
-            Err(err) => {
-                let _ = fs::remove_file(&self.pid_file).await;
-                return Err(err).with_context(|| {
-                    format!(
-                        "failed to spawn detached app-server process using {}",
-                        self.codex_bin.display()
-                    )
-                });
-            }
-        };
-        let pid = child
-            .id()
-            .context("spawned app-server process has no pid")?;
-        let record = match read_process_start_time(pid).await {
-            Ok(process_start_time) => PidRecord {
-                pid,
-                process_start_time,
-            },
-            Err(err) => {
-                let _ = self.terminate_process(pid);
-                let _ = fs::remove_file(&self.pid_file).await;
-                return Err(err);
-            }
-        };
-        let contents = serde_json::to_vec(&record).context("failed to serialize pid record")?;
-        let temp_pid_file = self.pid_file.with_extension("pid.tmp");
-        if let Err(err) = fs::write(&temp_pid_file, &contents).await {
-            let _ = self.terminate_process(pid);
-            let _ = fs::remove_file(&self.pid_file).await;
-            return Err(err).with_context(|| {
-                format!("failed to write pid temp file {}", temp_pid_file.display())
-            });
-        }
-        if let Err(err) = fs::rename(&temp_pid_file, &self.pid_file).await {
-            let _ = self.terminate_process(pid);
-            let _ = fs::remove_file(&temp_pid_file).await;
-            let _ = fs::remove_file(&self.pid_file).await;
-            return Err(err).with_context(|| {
-                format!("failed to publish pid file {}", self.pid_file.display())
-            });
-        }
-        drop(reservation_lock);
-        Ok(Some(pid))
-    }
-
-    #[cfg(not(unix))]
-    pub(crate) async fn start(&self) -> Result<Option<u32>> {
-        bail!("pid-managed app-server startup is unsupported on this platform")
-    }
-
-    pub(crate) async fn stop(&self) -> Result<()> {
-        loop {
-            let Some(record) = self.wait_for_pid_start().await? else {
-                return Ok(());
-            };
-            if !self.record_is_active(&record).await? {
-                match self.refresh_after_stale_record(&record).await? {
-                    PidFileState::Missing => return Ok(()),
-                    PidFileState::Starting | PidFileState::Running(_) => continue,
-                }
-            }
-
-            let pid = record.pid;
-            self.terminate_process(pid)?;
-            let started_at = tokio::time::Instant::now();
-            let deadline = tokio::time::Instant::now() + STOP_TIMEOUT;
-            let mut forced = false;
-            while tokio::time::Instant::now() < deadline {
-                if !self.record_is_active(&record).await? {
-                    match self.refresh_after_stale_record(&record).await? {
-                        PidFileState::Missing => return Ok(()),
-                        PidFileState::Starting | PidFileState::Running(_) => break,
-                    }
-                }
-                if !forced && started_at.elapsed() >= STOP_GRACE_PERIOD {
-                    self.force_terminate_process(pid)?;
-                    forced = true;
-                }
-                sleep(STOP_POLL_INTERVAL).await;
-            }
-
-            if self.record_is_active(&record).await? {
-                bail!("timed out waiting for pid-managed app server {pid} to stop");
-            }
-        }
-    }
-
-    async fn wait_for_pid_start(&self) -> Result<Option<PidRecord>> {
-        let deadline = tokio::time::Instant::now() + START_TIMEOUT;
-        loop {
-            match self.read_pid_file_state().await? {
-                PidFileState::Missing => return Ok(None),
-                PidFileState::Running(record) => return Ok(Some(record)),
-                PidFileState::Starting if tokio::time::Instant::now() < deadline => {
-                    sleep(STOP_POLL_INTERVAL).await;
-                }
-                PidFileState::Starting => {
-                    bail!(
-                        "timed out waiting for pid reservation in {} to finish initializing",
-                        self.pid_file.display()
-                    );
-                }
-            }
-        }
-    }
-
-    async fn read_pid_file_state(&self) -> Result<PidFileState> {
-        let contents = match fs::read_to_string(&self.pid_file).await {
-            Ok(contents) => contents,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-                return if reservation_lock_is_active(&self.lock_file).await? {
-                    Ok(PidFileState::Starting)
-                } else {
-                    Ok(PidFileState::Missing)
-                };
-            }
-            Err(err) => {
-                return Err(err).with_context(|| {
-                    format!("failed to read pid file {}", self.pid_file.display())
-                });
-            }
-        };
-        if contents.trim().is_empty() {
-            match inspect_empty_pid_reservation(&self.pid_file, &self.lock_file).await? {
-                EmptyPidReservation::Active => {
-                    return Ok(PidFileState::Starting);
-                }
-                EmptyPidReservation::Stale => {
-                    return Ok(PidFileState::Missing);
-                }
-                EmptyPidReservation::Record(record) => return Ok(PidFileState::Running(record)),
-            }
-        }
-        let record = serde_json::from_str(&contents)
-            .with_context(|| format!("invalid pid file contents in {}", self.pid_file.display()))?;
-        Ok(PidFileState::Running(record))
-    }
-
-    async fn read_pid_file_state_with_lock_held(&self) -> Result<PidFileState> {
-        let contents = match fs::read_to_string(&self.pid_file).await {
-            Ok(contents) => contents,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-                return Ok(PidFileState::Missing);
-            }
-            Err(err) => {
-                return Err(err).with_context(|| {
-                    format!("failed to read pid file {}", self.pid_file.display())
-                });
-            }
-        };
-        if contents.trim().is_empty() {
-            let _ = fs::remove_file(&self.pid_file).await;
-            return Ok(PidFileState::Missing);
-        }
-        let record = serde_json::from_str(&contents)
-            .with_context(|| format!("invalid pid file contents in {}", self.pid_file.display()))?;
-        Ok(PidFileState::Running(record))
-    }
-
-    async fn refresh_after_stale_record(&self, expected: &PidRecord) -> Result<PidFileState> {
-        let reservation_lock = self.acquire_reservation_lock().await?;
-        let state = match self.read_pid_file_state_with_lock_held().await? {
-            PidFileState::Running(record) if record == *expected => {
-                let _ = fs::remove_file(&self.pid_file).await;
-                PidFileState::Missing
-            }
-            state => state,
-        };
-        drop(reservation_lock);
-        Ok(state)
-    }
-
-    async fn acquire_reservation_lock(&self) -> Result<fs::File> {
-        let reservation_lock = fs::OpenOptions::new()
-            .create(true)
-            .truncate(false)
-            .write(true)
-            .open(&self.lock_file)
-            .await
-            .with_context(|| {
-                format!("failed to open pid lock file {}", self.lock_file.display())
-            })?;
-        let lock_deadline = tokio::time::Instant::now() + START_TIMEOUT;
-        while !try_lock_file(&reservation_lock)? {
-            if tokio::time::Instant::now() >= lock_deadline {
-                bail!(
-                    "timed out waiting for pid lock {}",
-                    self.lock_file.display()
-                );
-            }
-            sleep(STOP_POLL_INTERVAL).await;
-        }
-        Ok(reservation_lock)
-    }
-
-    #[cfg(unix)]
-    fn command_args(&self) -> Vec<&'static str> {
-        match self.command_kind {
-            PidCommandKind::AppServer {
-                remote_control_enabled: true,
-            } => vec!["app-server", "--remote-control", "--listen", "unix://"],
-            PidCommandKind::AppServer {
-                remote_control_enabled: false,
-            } => vec!["app-server", "--listen", "unix://"],
-            PidCommandKind::UpdateLoop => vec!["app-server", "daemon", "pid-update-loop"],
-        }
-    }
-
-    fn terminate_process(&self, pid: u32) -> Result<()> {
-        match self.command_kind {
-            PidCommandKind::AppServer { .. } => terminate_process(pid),
-            PidCommandKind::UpdateLoop => terminate_process(pid),
-        }
-    }
-
-    fn force_terminate_process(&self, pid: u32) -> Result<()> {
-        match self.command_kind {
-            PidCommandKind::AppServer { .. } => force_terminate_process(pid),
-            PidCommandKind::UpdateLoop => force_terminate_process_group(pid),
-        }
-    }
-
-    async fn record_is_active(&self, record: &PidRecord) -> Result<bool> {
-        process_matches_record(record).await
-    }
-}
-
-#[cfg(unix)]
-fn process_exists(pid: u32) -> bool {
-    let Ok(pid) = libc::pid_t::try_from(pid) else {
-        return false;
-    };
-    let result = unsafe { libc::kill(pid, 0) };
-    result == 0 || std::io::Error::last_os_error().raw_os_error() == Some(libc::EPERM)
-}
-
-#[cfg(unix)]
-fn terminate_process(pid: u32) -> Result<()> {
-    let raw_pid = libc::pid_t::try_from(pid)
-        .with_context(|| format!("pid-managed app server pid {pid} is out of range"))?;
-    let result = unsafe { libc::kill(raw_pid, libc::SIGTERM) };
-    if result == 0 {
-        return Ok(());
-    }
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::ESRCH) {
-        return Ok(());
-    }
-    Err(err).with_context(|| format!("failed to terminate pid-managed app server {pid}"))
-}
-
-#[cfg(unix)]
-fn force_terminate_process(pid: u32) -> Result<()> {
-    let raw_pid = libc::pid_t::try_from(pid)
-        .with_context(|| format!("pid-managed app server pid {pid} is out of range"))?;
-    let result = unsafe { libc::kill(raw_pid, libc::SIGKILL) };
-    if result == 0 {
-        return Ok(());
-    }
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::ESRCH) {
-        return Ok(());
-    }
-    Err(err).with_context(|| format!("failed to force terminate pid-managed app server {pid}"))
-}
-
-#[cfg(unix)]
-fn force_terminate_process_group(pid: u32) -> Result<()> {
-    let raw_pid = libc::pid_t::try_from(pid)
-        .with_context(|| format!("pid-managed updater pid {pid} is out of range"))?;
-    let result = unsafe { libc::kill(-raw_pid, libc::SIGKILL) };
-    if result == 0 {
-        return Ok(());
-    }
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::ESRCH) {
-        return Ok(());
-    }
-    Err(err).with_context(|| format!("failed to force terminate pid-managed updater group {pid}"))
-}
-
-#[cfg(not(unix))]
-fn terminate_process(_pid: u32) -> Result<()> {
-    bail!("pid-managed app-server shutdown is unsupported on this platform")
-}
-
-#[cfg(not(unix))]
-fn force_terminate_process(_pid: u32) -> Result<()> {
-    bail!("pid-managed app-server shutdown is unsupported on this platform")
-}
-
-#[cfg(not(unix))]
-fn force_terminate_process_group(_pid: u32) -> Result<()> {
-    bail!("pid-managed updater shutdown is unsupported on this platform")
-}
-
-#[cfg(unix)]
-async fn process_matches_record(record: &PidRecord) -> Result<bool> {
-    if !process_exists(record.pid) {
-        return Ok(false);
-    }
-
-    match read_process_start_time(record.pid).await {
-        Ok(start_time) => Ok(start_time == record.process_start_time),
-        Err(_err) if !process_exists(record.pid) => Ok(false),
-        Err(err) => Err(err),
-    }
-}
-
-#[cfg(not(unix))]
-async fn process_matches_record(_record: &PidRecord) -> Result<bool> {
-    Ok(false)
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-#[cfg_attr(not(unix), allow(dead_code))]
-enum EmptyPidReservation {
-    Active,
-    Stale,
-    Record(PidRecord),
-}
-
-#[cfg(unix)]
-fn try_lock_file(file: &fs::File) -> Result<bool> {
-    use std::os::fd::AsRawFd;
-
-    let result = unsafe { libc::flock(file.as_raw_fd(), libc::LOCK_EX | libc::LOCK_NB) };
-    if result == 0 {
-        return Ok(true);
-    }
-
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::EWOULDBLOCK) {
-        return Ok(false);
-    }
-    Err(err).context("failed to lock pid reservation")
-}
-
-#[cfg(not(unix))]
-fn try_lock_file(_file: &fs::File) -> Result<bool> {
-    bail!("pid-managed app-server startup is unsupported on this platform")
-}
-
-#[cfg(unix)]
-async fn reservation_lock_is_active(path: &Path) -> Result<bool> {
-    let file = match fs::OpenOptions::new()
-        .write(true)
-        .create(true)
-        .truncate(false)
-        .open(path)
-        .await
-    {
-        Ok(file) => file,
-        Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-            return Ok(false);
-        }
-        Err(err) => {
-            return Err(err)
-                .with_context(|| format!("failed to inspect pid lock file {}", path.display()));
-        }
-    };
-    Ok(!try_lock_file(&file)?)
-}
-
-#[cfg(not(unix))]
-async fn reservation_lock_is_active(_path: &Path) -> Result<bool> {
-    Ok(false)
-}
-
-#[cfg(unix)]
-async fn inspect_empty_pid_reservation(
-    pid_path: &Path,
-    lock_path: &Path,
-) -> Result<EmptyPidReservation> {
-    let file = match fs::OpenOptions::new()
-        .write(true)
-        .create(true)
-        .truncate(false)
-        .open(lock_path)
-        .await
-    {
-        Ok(file) => file,
-        Err(err) => {
-            return Err(err).with_context(|| {
-                format!("failed to inspect pid lock file {}", lock_path.display())
-            });
-        }
-    };
-    if !try_lock_file(&file)? {
-        return Ok(EmptyPidReservation::Active);
-    }
-
-    let contents = match fs::read_to_string(pid_path).await {
-        Ok(contents) => contents,
-        Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-            return Ok(EmptyPidReservation::Stale);
-        }
-        Err(err) => {
-            return Err(err)
-                .with_context(|| format!("failed to reread pid file {}", pid_path.display()));
-        }
-    };
-    if contents.trim().is_empty() {
-        let _ = fs::remove_file(pid_path).await;
-        return Ok(EmptyPidReservation::Stale);
-    }
-
-    let record = serde_json::from_str(&contents)
-        .with_context(|| format!("invalid pid file contents in {}", pid_path.display()))?;
-    Ok(EmptyPidReservation::Record(record))
-}
-
-#[cfg(not(unix))]
-async fn inspect_empty_pid_reservation(
-    _pid_path: &Path,
-    _lock_path: &Path,
-) -> Result<EmptyPidReservation> {
-    Ok(EmptyPidReservation::Stale)
-}
-
-#[cfg(unix)]
-async fn read_process_start_time(pid: u32) -> Result<String> {
-    let output = Command::new("ps")
-        .args(["-p", &pid.to_string(), "-o", "lstart="])
-        .output()
-        .await
-        .context("failed to invoke ps for pid-managed app server")?;
-    if !output.status.success() {
-        bail!("failed to read start time for pid-managed app server {pid}");
-    }
-
-    let start_time = String::from_utf8(output.stdout)
-        .context("pid-managed app server start time was not utf-8")?;
-    let start_time = start_time.trim();
-    if start_time.is_empty() {
-        bail!("pid-managed app server {pid} has no recorded start time");
-    }
-    Ok(start_time.to_string())
-}
-
-#[cfg(all(test, unix))]
-#[path = "pid_tests.rs"]
-mod tests;
--- a/codex-rs/app-server-daemon/src/backend/pid_tests.rs
+++ b/codex-rs/app-server-daemon/src/backend/pid_tests.rs
@@ -1,172 +0,0 @@
-use std::time::Duration;
-
-use pretty_assertions::assert_eq;
-use tempfile::TempDir;
-
-use super::PidBackend;
-use super::PidCommandKind;
-use super::PidFileState;
-use super::PidRecord;
-use super::try_lock_file;
-
-#[tokio::test]
-async fn locked_empty_pid_file_is_treated_as_active_reservation() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-    let reservation = tokio::fs::OpenOptions::new()
-        .create(true)
-        .truncate(false)
-        .write(true)
-        .open(&backend.lock_file)
-        .await
-        .expect("open pid lock file");
-    assert!(try_lock_file(&reservation).expect("lock reservation"));
-
-    assert_eq!(
-        backend.read_pid_file_state().await.expect("read pid"),
-        PidFileState::Starting
-    );
-    assert!(pid_file.exists());
-}
-
-#[tokio::test]
-async fn unlocked_empty_pid_file_is_treated_as_stale_reservation() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-
-    assert_eq!(
-        backend.read_pid_file_state().await.expect("read pid"),
-        PidFileState::Missing
-    );
-    assert!(!pid_file.exists());
-}
-
-#[tokio::test]
-async fn stop_waits_for_live_reservation_to_resolve() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-    let reservation = tokio::fs::OpenOptions::new()
-        .create(true)
-        .truncate(false)
-        .write(true)
-        .open(&backend.lock_file)
-        .await
-        .expect("open pid lock file");
-    assert!(try_lock_file(&reservation).expect("lock reservation"));
-    let cleanup = tokio::spawn(async move {
-        tokio::time::sleep(Duration::from_millis(50)).await;
-        drop(reservation);
-        tokio::fs::remove_file(pid_file)
-            .await
-            .expect("remove pid file");
-    });
-
-    backend.stop().await.expect("stop");
-    cleanup.await.expect("cleanup task");
-}
-
-#[tokio::test]
-async fn start_retries_stale_empty_pid_file_under_its_own_lock() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("missing-codex"),
-        pid_file,
-        /*remote_control_enabled*/ false,
-    );
-
-    let err = backend.start().await.expect_err("start");
-    assert!(
-        err.to_string()
-            .starts_with("failed to spawn detached app-server process using ")
-    );
-}
-
-#[tokio::test]
-async fn stale_record_cleanup_preserves_replacement_record() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-    let stale = PidRecord {
-        pid: 1,
-        process_start_time: "old".to_string(),
-    };
-    let replacement = PidRecord {
-        pid: 2,
-        process_start_time: "new".to_string(),
-    };
-    tokio::fs::write(
-        &pid_file,
-        serde_json::to_vec(&replacement).expect("serialize replacement"),
-    )
-    .await
-    .expect("write replacement pid file");
-
-    assert_eq!(
-        backend
-            .refresh_after_stale_record(&stale)
-            .await
-            .expect("cleanup"),
-        PidFileState::Running(replacement)
-    );
-}
-
-#[test]
-fn update_loop_uses_hidden_app_server_subcommand() {
-    let backend = PidBackend {
-        codex_bin: "codex".into(),
-        pid_file: "updater.pid".into(),
-        lock_file: "updater.pid.lock".into(),
-        command_kind: PidCommandKind::UpdateLoop,
-    };
-
-    assert_eq!(
-        backend.command_args(),
-        vec!["app-server", "daemon", "pid-update-loop"]
-    );
-}
-
-#[test]
-fn app_server_remote_control_uses_runtime_flag() {
-    let backend = PidBackend::new(
-        "codex".into(),
-        "app-server.pid".into(),
-        /*remote_control_enabled*/ true,
-    );
-
-    assert_eq!(
-        backend.command_args(),
-        vec!["app-server", "--remote-control", "--listen", "unix://"]
-    );
-}
--- a/codex-rs/app-server-daemon/src/client.rs
+++ b/codex-rs/app-server-daemon/src/client.rs
@@ -1,131 +0,0 @@
-use std::path::Path;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::anyhow;
-use codex_app_server_protocol::ClientInfo;
-use codex_app_server_protocol::InitializeParams;
-use codex_app_server_protocol::InitializeResponse;
-use codex_app_server_protocol::JSONRPCMessage;
-use codex_app_server_protocol::JSONRPCNotification;
-use codex_app_server_protocol::JSONRPCRequest;
-use codex_app_server_protocol::RequestId;
-use codex_uds::UnixStream;
-use futures::SinkExt;
-use futures::StreamExt;
-use tokio::time::timeout;
-use tokio_tungstenite::client_async;
-use tokio_tungstenite::tungstenite::Message;
-
-const PROBE_TIMEOUT: Duration = Duration::from_secs(2);
-const CLIENT_NAME: &str = "codex_app_server_daemon";
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub(crate) struct ProbeInfo {
-    pub(crate) app_server_version: String,
-}
-
-pub(crate) async fn probe(socket_path: &Path) -> Result<ProbeInfo> {
-    timeout(PROBE_TIMEOUT, probe_inner(socket_path))
-        .await
-        .with_context(|| {
-            format!(
-                "timed out probing app-server control socket {}",
-                socket_path.display()
-            )
-        })?
-}
-
-async fn probe_inner(socket_path: &Path) -> Result<ProbeInfo> {
-    let stream = UnixStream::connect(socket_path)
-        .await
-        .with_context(|| format!("failed to connect to {}", socket_path.display()))?;
-    let (mut websocket, _response) = client_async("ws://localhost/", stream)
-        .await
-        .with_context(|| format!("failed to upgrade {}", socket_path.display()))?;
-
-    let initialize = JSONRPCMessage::Request(JSONRPCRequest {
-        id: RequestId::Integer(1),
-        method: "initialize".to_string(),
-        params: Some(serde_json::to_value(InitializeParams {
-            client_info: ClientInfo {
-                name: CLIENT_NAME.to_string(),
-                title: Some("Codex App Server Daemon".to_string()),
-                version: env!("CARGO_PKG_VERSION").to_string(),
-            },
-            capabilities: None,
-        })?),
-        trace: None,
-    });
-    websocket
-        .send(Message::Text(serde_json::to_string(&initialize)?.into()))
-        .await
-        .context("failed to send initialize request")?;
-
-    let response = loop {
-        let frame = websocket
-            .next()
-            .await
-            .ok_or_else(|| anyhow!("app-server closed before initialize response"))??;
-        let Message::Text(payload) = frame else {
-            continue;
-        };
-        let message = serde_json::from_str::<JSONRPCMessage>(&payload)?;
-        if let JSONRPCMessage::Response(response) = message
-            && response.id == RequestId::Integer(1)
-        {
-            break response;
-        }
-    };
-    let initialize_response = serde_json::from_value::<InitializeResponse>(response.result)?;
-
-    let initialized = JSONRPCMessage::Notification(JSONRPCNotification {
-        method: "initialized".to_string(),
-        params: None,
-    });
-    websocket
-        .send(Message::Text(serde_json::to_string(&initialized)?.into()))
-        .await
-        .context("failed to send initialized notification")?;
-    websocket.close(None).await.ok();
-
-    Ok(ProbeInfo {
-        app_server_version: parse_version_from_user_agent(&initialize_response.user_agent)?,
-    })
-}
-
-fn parse_version_from_user_agent(user_agent: &str) -> Result<String> {
-    let (_originator, rest) = user_agent
-        .split_once('/')
-        .ok_or_else(|| anyhow!("app-server user-agent omitted version separator"))?;
-    let version = rest
-        .split_whitespace()
-        .next()
-        .filter(|version| !version.is_empty())
-        .ok_or_else(|| anyhow!("app-server user-agent omitted version"))?;
-    Ok(version.to_string())
-}
-
-#[cfg(all(test, unix))]
-mod tests {
-    use pretty_assertions::assert_eq;
-
-    use super::parse_version_from_user_agent;
-
-    #[test]
-    fn parses_version_from_codex_user_agent() {
-        assert_eq!(
-            parse_version_from_user_agent(
-                "codex_app_server_daemon/1.2.3 (Linux 6.8.0; x86_64) codex_cli_rs/1.2.3",
-            )
-            .expect("version"),
-            "1.2.3"
-        );
-    }
-
-    #[test]
-    fn rejects_user_agent_without_version() {
-        assert!(parse_version_from_user_agent("codex_app_server_daemon").is_err());
-    }
-}
--- a/codex-rs/app-server-daemon/src/lib.rs
+++ b/codex-rs/app-server-daemon/src/lib.rs
@@ -1,878 +0,0 @@
-mod backend;
-mod client;
-mod managed_install;
-mod settings;
-mod update_loop;
-
-use std::path::Path;
-use std::path::PathBuf;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::anyhow;
-pub use backend::BackendKind;
-use backend::BackendPaths;
-use codex_app_server_transport::app_server_control_socket_path;
-use codex_utils_home_dir::find_codex_home;
-use managed_install::managed_codex_bin;
-#[cfg(unix)]
-use managed_install::managed_codex_version;
-use serde::Serialize;
-use settings::DaemonSettings;
-use tokio::time::sleep;
-
-const START_POLL_INTERVAL: Duration = Duration::from_millis(50);
-const START_TIMEOUT: Duration = Duration::from_secs(10);
-const OPERATION_LOCK_TIMEOUT: Duration = Duration::from_secs(75);
-const PID_FILE_NAME: &str = "app-server.pid";
-const UPDATE_PID_FILE_NAME: &str = "app-server-updater.pid";
-const OPERATION_LOCK_FILE_NAME: &str = "daemon.lock";
-const SETTINGS_FILE_NAME: &str = "settings.json";
-const STATE_DIR_NAME: &str = "app-server-daemon";
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum LifecycleCommand {
-    Start,
-    Restart,
-    Stop,
-    Version,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum LifecycleStatus {
-    AlreadyRunning,
-    Started,
-    Restarted,
-    Stopped,
-    NotRunning,
-    Running,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub struct LifecycleOutput {
-    pub status: LifecycleStatus,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub backend: Option<BackendKind>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub pid: Option<u32>,
-    pub socket_path: PathBuf,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub cli_version: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub app_server_version: Option<String>,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub struct BootstrapOptions {
-    pub remote_control_enabled: bool,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum BootstrapStatus {
-    Bootstrapped,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub struct BootstrapOutput {
-    pub status: BootstrapStatus,
-    pub backend: BackendKind,
-    pub auto_update_enabled: bool,
-    pub remote_control_enabled: bool,
-    pub managed_codex_path: PathBuf,
-    pub socket_path: PathBuf,
-    pub cli_version: String,
-    pub app_server_version: String,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(untagged)]
-pub enum RemoteControlStartOutput {
-    Bootstrap(BootstrapOutput),
-    Start(LifecycleOutput),
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum RemoteControlMode {
-    Enabled,
-    Disabled,
-}
-
-impl RemoteControlMode {
-    fn is_enabled(self) -> bool {
-        matches!(self, Self::Enabled)
-    }
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum RemoteControlStatus {
-    Enabled,
-    Disabled,
-    AlreadyEnabled,
-    AlreadyDisabled,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub struct RemoteControlOutput {
-    pub status: RemoteControlStatus,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub backend: Option<BackendKind>,
-    pub remote_control_enabled: bool,
-    pub socket_path: PathBuf,
-    pub cli_version: String,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub app_server_version: Option<String>,
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub(crate) enum RestartIfRunningOutcome {
-    Busy,
-    NotRunning,
-    NotReady,
-    AlreadyCurrent,
-    Restarted,
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub(crate) enum RestartMode {
-    IfVersionChanged,
-    Always,
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub(crate) enum UpdaterRefreshMode {
-    None,
-    ReexecIfManagedBinaryChanged,
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-enum RestartDecision {
-    NotReady,
-    AlreadyCurrent,
-    Restart,
-}
-
-pub async fn run(command: LifecycleCommand) -> Result<LifecycleOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?.run(command).await
-}
-
-pub async fn bootstrap(options: BootstrapOptions) -> Result<BootstrapOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?.bootstrap(options).await
-}
-
-pub async fn ensure_remote_control_started() -> Result<RemoteControlStartOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?
-        .ensure_remote_control_started()
-        .await
-}
-
-pub async fn set_remote_control(mode: RemoteControlMode) -> Result<RemoteControlOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?.set_remote_control(mode).await
-}
-
-pub async fn run_pid_update_loop() -> Result<()> {
-    ensure_supported_platform()?;
-    update_loop::run().await
-}
-
-#[cfg(unix)]
-fn ensure_supported_platform() -> Result<()> {
-    Ok(())
-}
-
-#[cfg(not(unix))]
-fn ensure_supported_platform() -> Result<()> {
-    Err(anyhow!(
-        "codex app-server daemon lifecycle is only supported on Unix platforms"
-    ))
-}
-
-struct Daemon {
-    socket_path: PathBuf,
-    pid_file: PathBuf,
-    update_pid_file: PathBuf,
-    operation_lock_file: PathBuf,
-    settings_file: PathBuf,
-    managed_codex_bin: PathBuf,
-}
-
-impl Daemon {
-    fn from_environment() -> Result<Self> {
-        let codex_home = find_codex_home().context("failed to resolve CODEX_HOME")?;
-        let socket_path = app_server_control_socket_path(codex_home.as_path())?
-            .as_path()
-            .to_path_buf();
-        let state_dir = codex_home.as_path().join(STATE_DIR_NAME);
-        Ok(Self {
-            socket_path,
-            pid_file: state_dir.join(PID_FILE_NAME),
-            update_pid_file: state_dir.join(UPDATE_PID_FILE_NAME),
-            operation_lock_file: state_dir.join(OPERATION_LOCK_FILE_NAME),
-            settings_file: state_dir.join(SETTINGS_FILE_NAME),
-            managed_codex_bin: managed_codex_bin(codex_home.as_path()),
-        })
-    }
-
-    async fn run(&self, command: LifecycleCommand) -> Result<LifecycleOutput> {
-        match command {
-            LifecycleCommand::Start => {
-                let _operation_lock = self.acquire_operation_lock().await?;
-                self.start().await
-            }
-            LifecycleCommand::Restart => {
-                let _operation_lock = self.acquire_operation_lock().await?;
-                self.restart().await
-            }
-            LifecycleCommand::Stop => {
-                let _operation_lock = self.acquire_operation_lock().await?;
-                self.stop().await
-            }
-            LifecycleCommand::Version => self.version().await,
-        }
-    }
-
-    async fn start(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        if let Ok(info) = client::probe(&self.socket_path).await {
-            return Ok(self.output(
-                LifecycleStatus::AlreadyRunning,
-                self.running_backend(&settings).await?,
-                /*pid*/ None,
-                Some(info.app_server_version),
-            ));
-        }
-
-        if self.running_backend_instance(&settings).await?.is_some() {
-            let info = self.wait_until_ready().await?;
-            return Ok(self.output(
-                LifecycleStatus::AlreadyRunning,
-                Some(BackendKind::Pid),
-                /*pid*/ None,
-                Some(info.app_server_version),
-            ));
-        }
-
-        self.ensure_managed_codex_bin()?;
-        let pid = self.start_managed_backend(&settings).await?;
-        let info = self.wait_until_ready().await?;
-        Ok(self.output(
-            LifecycleStatus::Started,
-            Some(BackendKind::Pid),
-            pid,
-            Some(info.app_server_version),
-        ))
-    }
-
-    async fn restart(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        if client::probe(&self.socket_path).await.is_ok()
-            && self.running_backend(&settings).await?.is_none()
-        {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-
-        self.ensure_managed_codex_bin()?;
-        if let Some(backend) = self.running_backend_instance(&settings).await? {
-            backend.stop().await?;
-        }
-
-        let pid = self.start_managed_backend(&settings).await?;
-        let info = self.wait_until_ready().await?;
-        Ok(self.output(
-            LifecycleStatus::Restarted,
-            Some(BackendKind::Pid),
-            pid,
-            Some(info.app_server_version),
-        ))
-    }
-
-    #[cfg(unix)]
-    pub(crate) async fn try_restart_if_running(
-        &self,
-        mode: RestartMode,
-        updater_refresh_mode: UpdaterRefreshMode,
-        managed_codex_bin: &Path,
-    ) -> Result<RestartIfRunningOutcome> {
-        let operation_lock = self.open_operation_lock_file().await?;
-        if !try_lock_file(&operation_lock)? {
-            return Ok(RestartIfRunningOutcome::Busy);
-        }
-        let settings = self.load_settings().await?;
-        let outcome = if let Some(backend) = self.running_backend_instance(&settings).await? {
-            let info = client::probe(&self.socket_path).await.ok();
-            let managed_version = if info.is_some() {
-                Some(managed_codex_version(managed_codex_bin).await?)
-            } else {
-                None
-            };
-            match restart_decision(mode, info.as_ref(), managed_version.as_deref()) {
-                RestartDecision::NotReady => return Ok(RestartIfRunningOutcome::NotReady),
-                RestartDecision::AlreadyCurrent => RestartIfRunningOutcome::AlreadyCurrent,
-                RestartDecision::Restart => {
-                    backend.stop().await?;
-                    let _ = self
-                        .start_managed_backend_with_bin(&settings, managed_codex_bin)
-                        .await?;
-                    self.wait_until_ready().await?;
-                    RestartIfRunningOutcome::Restarted
-                }
-            }
-        } else if client::probe(&self.socket_path).await.is_ok() {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        } else {
-            RestartIfRunningOutcome::NotRunning
-        };
-
-        if should_reexec_updater(updater_refresh_mode, outcome) {
-            crate::update_loop::reexec_managed_updater(managed_codex_bin)?;
-        }
-
-        Ok(outcome)
-    }
-
-    async fn stop(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        if let Some(backend) = self.running_backend_instance(&settings).await? {
-            backend.stop().await?;
-            return Ok(self.output(
-                LifecycleStatus::Stopped,
-                Some(BackendKind::Pid),
-                /*pid*/ None,
-                /*app_server_version*/ None,
-            ));
-        }
-
-        if client::probe(&self.socket_path).await.is_ok() {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-
-        Ok(self.output(
-            LifecycleStatus::NotRunning,
-            /*backend*/ None,
-            /*pid*/ None,
-            /*app_server_version*/ None,
-        ))
-    }
-
-    async fn version(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        let info = client::probe(&self.socket_path).await?;
-        Ok(self.output(
-            LifecycleStatus::Running,
-            self.running_backend(&settings).await?,
-            /*pid*/ None,
-            Some(info.app_server_version),
-        ))
-    }
-
-    async fn wait_until_ready(&self) -> Result<client::ProbeInfo> {
-        let deadline = tokio::time::Instant::now() + START_TIMEOUT;
-        loop {
-            match client::probe(&self.socket_path).await {
-                Ok(info) => return Ok(info),
-                Err(err) if tokio::time::Instant::now() < deadline => {
-                    let _ = err;
-                    sleep(START_POLL_INTERVAL).await;
-                }
-                Err(err) => {
-                    return Err(err).with_context(|| {
-                        format!(
-                            "app server did not become ready on {}",
-                            self.socket_path.display()
-                        )
-                    });
-                }
-            }
-        }
-    }
-
-    async fn bootstrap(&self, options: BootstrapOptions) -> Result<BootstrapOutput> {
-        let _operation_lock = self.acquire_operation_lock().await?;
-        self.bootstrap_locked(options).await
-    }
-
-    async fn ensure_remote_control_started(&self) -> Result<RemoteControlStartOutput> {
-        let _operation_lock = self.acquire_operation_lock().await?;
-        let settings = self.load_settings().await?;
-        if self.is_bootstrapped(&settings).await? {
-            let _ = self
-                .set_remote_control_locked(RemoteControlMode::Enabled)
-                .await?;
-            let output = self.start().await?;
-            return Ok(RemoteControlStartOutput::Start(output));
-        }
-
-        let output = self
-            .bootstrap_locked(BootstrapOptions {
-                remote_control_enabled: true,
-            })
-            .await?;
-        Ok(RemoteControlStartOutput::Bootstrap(output))
-    }
-
-    async fn set_remote_control(&self, mode: RemoteControlMode) -> Result<RemoteControlOutput> {
-        let _operation_lock = self.acquire_operation_lock().await?;
-        self.set_remote_control_locked(mode).await
-    }
-
-    async fn set_remote_control_locked(
-        &self,
-        mode: RemoteControlMode,
-    ) -> Result<RemoteControlOutput> {
-        let previous_settings = self.load_settings().await?;
-        let mut settings = previous_settings.clone();
-        let remote_control_enabled = mode.is_enabled();
-        let backend = self.running_backend_instance(&previous_settings).await?;
-
-        if backend.is_none() && client::probe(&self.socket_path).await.is_ok() {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-
-        if settings.remote_control_enabled == remote_control_enabled {
-            let info = if backend.is_some() {
-                Some(self.wait_until_ready().await?)
-            } else {
-                None
-            };
-            return Ok(self.remote_control_output(
-                already_remote_control_status(mode),
-                backend.map(|_| BackendKind::Pid),
-                remote_control_enabled,
-                info.map(|info| info.app_server_version),
-            ));
-        }
-
-        settings.remote_control_enabled = remote_control_enabled;
-        settings.save(&self.settings_file).await?;
-
-        let app_server_version = if let Some(backend) = backend {
-            self.ensure_managed_codex_bin()?;
-            backend.stop().await?;
-            let _ = self.start_managed_backend(&settings).await?;
-            Some(self.wait_until_ready().await?.app_server_version)
-        } else {
-            None
-        };
-
-        Ok(self.remote_control_output(
-            remote_control_status(mode),
-            app_server_version.as_ref().map(|_| BackendKind::Pid),
-            remote_control_enabled,
-            app_server_version,
-        ))
-    }
-
-    async fn bootstrap_locked(&self, options: BootstrapOptions) -> Result<BootstrapOutput> {
-        self.ensure_managed_codex_bin()?;
-
-        let settings = DaemonSettings {
-            remote_control_enabled: options.remote_control_enabled,
-        };
-        if client::probe(&self.socket_path).await.is_ok()
-            && self.running_backend(&settings).await?.is_none()
-        {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-        settings.save(&self.settings_file).await?;
-
-        if let Some(backend) = self.running_backend_instance(&settings).await? {
-            backend.stop().await?;
-        }
-
-        let backend = backend::pid_backend(self.backend_paths(&settings));
-        backend.start().await?;
-        let updater = backend::pid_update_loop_backend(self.backend_paths(&settings));
-        if updater.is_starting_or_running().await? {
-            updater.stop().await?;
-        }
-        updater.start().await?;
-
-        let info = self.wait_until_ready().await?;
-        Ok(BootstrapOutput {
-            status: BootstrapStatus::Bootstrapped,
-            backend: BackendKind::Pid,
-            auto_update_enabled: true,
-            remote_control_enabled: settings.remote_control_enabled,
-            managed_codex_path: self.managed_codex_bin.clone(),
-            socket_path: self.socket_path.clone(),
-            cli_version: env!("CARGO_PKG_VERSION").to_string(),
-            app_server_version: info.app_server_version,
-        })
-    }
-
-    async fn running_backend(&self, settings: &DaemonSettings) -> Result<Option<BackendKind>> {
-        Ok(self
-            .running_backend_instance(settings)
-            .await?
-            .map(|_| BackendKind::Pid))
-    }
-
-    async fn running_backend_instance(
-        &self,
-        settings: &DaemonSettings,
-    ) -> Result<Option<backend::PidBackend>> {
-        let backend = backend::pid_backend(self.backend_paths(settings));
-        if backend.is_starting_or_running().await? {
-            return Ok(Some(backend));
-        }
-        Ok(None)
-    }
-
-    async fn start_managed_backend(&self, settings: &DaemonSettings) -> Result<Option<u32>> {
-        self.start_managed_backend_with_bin(settings, &self.managed_codex_bin)
-            .await
-    }
-
-    async fn start_managed_backend_with_bin(
-        &self,
-        settings: &DaemonSettings,
-        managed_codex_bin: &Path,
-    ) -> Result<Option<u32>> {
-        let backend =
-            backend::pid_backend(self.backend_paths_with_bin(settings, managed_codex_bin));
-        backend.start().await
-    }
-
-    async fn is_bootstrapped(&self, settings: &DaemonSettings) -> Result<bool> {
-        let updater = backend::pid_update_loop_backend(self.backend_paths(settings));
-        updater.is_starting_or_running().await
-    }
-
-    fn ensure_managed_codex_bin(&self) -> Result<()> {
-        if self.managed_codex_bin.is_file() {
-            return Ok(());
-        }
-
-        let managed_codex_path = self.managed_codex_bin.display();
-        Err(anyhow!(
-            "managed standalone Codex install not found at {managed_codex_path}\n\n\
-             This command requires the standalone install managed by the Codex installer, because \
-             the daemon starts and updates app-server from that fixed path.\n\n\
-             Install it with:\n  curl -fsSL https://chatgpt.com/codex/install.sh | sh\n\n\
-             Then rerun the command you just tried."
-        ))
-    }
-
-    fn backend_paths(&self, settings: &DaemonSettings) -> BackendPaths {
-        self.backend_paths_with_bin(settings, &self.managed_codex_bin)
-    }
-
-    fn backend_paths_with_bin(
-        &self,
-        settings: &DaemonSettings,
-        managed_codex_bin: &Path,
-    ) -> BackendPaths {
-        BackendPaths {
-            codex_bin: managed_codex_bin.to_path_buf(),
-            pid_file: self.pid_file.clone(),
-            update_pid_file: self.update_pid_file.clone(),
-            remote_control_enabled: settings.remote_control_enabled,
-        }
-    }
-
-    async fn load_settings(&self) -> Result<DaemonSettings> {
-        DaemonSettings::load(&self.settings_file).await
-    }
-
-    async fn acquire_operation_lock(&self) -> Result<tokio::fs::File> {
-        let operation_lock = self.open_operation_lock_file().await?;
-        let deadline = tokio::time::Instant::now() + OPERATION_LOCK_TIMEOUT;
-        while !try_lock_file(&operation_lock)? {
-            if tokio::time::Instant::now() >= deadline {
-                return Err(anyhow!(
-                    "timed out waiting for daemon operation lock {}",
-                    self.operation_lock_file.display()
-                ));
-            }
-            sleep(START_POLL_INTERVAL).await;
-        }
-        Ok(operation_lock)
-    }
-
-    async fn open_operation_lock_file(&self) -> Result<tokio::fs::File> {
-        if let Some(parent) = self.operation_lock_file.parent() {
-            tokio::fs::create_dir_all(parent).await.with_context(|| {
-                format!(
-                    "failed to create daemon state directory {}",
-                    parent.display()
-                )
-            })?;
-        }
-        tokio::fs::OpenOptions::new()
-            .create(true)
-            .truncate(false)
-            .write(true)
-            .open(&self.operation_lock_file)
-            .await
-            .with_context(|| {
-                format!(
-                    "failed to open daemon operation lock {}",
-                    self.operation_lock_file.display()
-                )
-            })
-    }
-
-    fn output(
-        &self,
-        status: LifecycleStatus,
-        backend: Option<BackendKind>,
-        pid: Option<u32>,
-        app_server_version: Option<String>,
-    ) -> LifecycleOutput {
-        LifecycleOutput {
-            status,
-            backend,
-            pid,
-            socket_path: self.socket_path.clone(),
-            cli_version: Some(env!("CARGO_PKG_VERSION").to_string()),
-            app_server_version,
-        }
-    }
-
-    fn remote_control_output(
-        &self,
-        status: RemoteControlStatus,
-        backend: Option<BackendKind>,
-        remote_control_enabled: bool,
-        app_server_version: Option<String>,
-    ) -> RemoteControlOutput {
-        RemoteControlOutput {
-            status,
-            backend,
-            remote_control_enabled,
-            socket_path: self.socket_path.clone(),
-            cli_version: env!("CARGO_PKG_VERSION").to_string(),
-            app_server_version,
-        }
-    }
-}
-
-fn remote_control_status(mode: RemoteControlMode) -> RemoteControlStatus {
-    match mode {
-        RemoteControlMode::Enabled => RemoteControlStatus::Enabled,
-        RemoteControlMode::Disabled => RemoteControlStatus::Disabled,
-    }
-}
-
-fn already_remote_control_status(mode: RemoteControlMode) -> RemoteControlStatus {
-    match mode {
-        RemoteControlMode::Enabled => RemoteControlStatus::AlreadyEnabled,
-        RemoteControlMode::Disabled => RemoteControlStatus::AlreadyDisabled,
-    }
-}
-
-#[cfg(unix)]
-fn restart_decision(
-    mode: RestartMode,
-    info: Option<&client::ProbeInfo>,
-    managed_version: Option<&str>,
-) -> RestartDecision {
-    match (mode, info, managed_version) {
-        (RestartMode::IfVersionChanged, None, _) => RestartDecision::NotReady,
-        (RestartMode::IfVersionChanged, Some(info), Some(managed_version))
-            if info.app_server_version == managed_version =>
-        {
-            RestartDecision::AlreadyCurrent
-        }
-        _ => RestartDecision::Restart,
-    }
-}
-
-#[cfg(unix)]
-fn should_reexec_updater(
-    updater_refresh_mode: UpdaterRefreshMode,
-    outcome: RestartIfRunningOutcome,
-) -> bool {
-    updater_refresh_mode == UpdaterRefreshMode::ReexecIfManagedBinaryChanged
-        && outcome == RestartIfRunningOutcome::Restarted
-}
-
-#[cfg(unix)]
-fn try_lock_file(file: &tokio::fs::File) -> Result<bool> {
-    use std::os::fd::AsRawFd;
-
-    let result = unsafe { libc::flock(file.as_raw_fd(), libc::LOCK_EX | libc::LOCK_NB) };
-    if result == 0 {
-        return Ok(true);
-    }
-
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::EWOULDBLOCK) {
-        return Ok(false);
-    }
-    Err(err).context("failed to lock daemon operation")
-}
-
-#[cfg(not(unix))]
-fn try_lock_file(_file: &tokio::fs::File) -> Result<bool> {
-    Ok(true)
-}
-
-#[cfg(all(test, unix))]
-mod tests {
-    use pretty_assertions::assert_eq;
-
-    use super::BackendKind;
-    use super::BootstrapOutput;
-    use super::BootstrapStatus;
-    use super::LifecycleOutput;
-    use super::LifecycleStatus;
-    use super::RemoteControlStartOutput;
-    use super::RemoteControlStatus;
-    use super::RestartDecision;
-    use super::RestartIfRunningOutcome;
-    use super::RestartMode;
-    use super::UpdaterRefreshMode;
-    use super::restart_decision;
-    use super::should_reexec_updater;
-    use crate::client::ProbeInfo;
-
-    #[test]
-    fn lifecycle_status_uses_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&LifecycleStatus::AlreadyRunning).expect("serialize"),
-            "\"alreadyRunning\""
-        );
-    }
-
-    #[test]
-    fn bootstrap_status_uses_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&BootstrapStatus::Bootstrapped).expect("serialize"),
-            "\"bootstrapped\""
-        );
-    }
-
-    #[test]
-    fn remote_control_status_uses_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&RemoteControlStatus::AlreadyEnabled).expect("serialize"),
-            "\"alreadyEnabled\""
-        );
-    }
-
-    #[test]
-    fn updater_reexec_waits_for_validated_restart() {
-        assert_eq!(
-            [
-                RestartIfRunningOutcome::Busy,
-                RestartIfRunningOutcome::NotReady,
-                RestartIfRunningOutcome::AlreadyCurrent,
-                RestartIfRunningOutcome::NotRunning,
-                RestartIfRunningOutcome::Restarted,
-            ]
-            .map(|outcome| {
-                should_reexec_updater(UpdaterRefreshMode::ReexecIfManagedBinaryChanged, outcome)
-            }),
-            [false, false, false, false, true]
-        );
-    }
-
-    #[test]
-    fn unchanged_updater_never_reexecs() {
-        assert_eq!(
-            [
-                RestartIfRunningOutcome::Busy,
-                RestartIfRunningOutcome::NotReady,
-                RestartIfRunningOutcome::AlreadyCurrent,
-                RestartIfRunningOutcome::NotRunning,
-                RestartIfRunningOutcome::Restarted,
-            ]
-            .map(|outcome| should_reexec_updater(UpdaterRefreshMode::None, outcome)),
-            [false, false, false, false, false]
-        );
-    }
-
-    #[test]
-    fn restart_decision_preserves_forced_refreshes() {
-        let current_info = ProbeInfo {
-            app_server_version: "0.1.0".to_string(),
-        };
-
-        assert_eq!(
-            [
-                restart_decision(
-                    RestartMode::IfVersionChanged,
-                    Some(&current_info),
-                    Some("0.1.0"),
-                ),
-                restart_decision(
-                    RestartMode::IfVersionChanged,
-                    /*info*/ None,
-                    /*managed_version*/ None,
-                ),
-                restart_decision(RestartMode::Always, Some(&current_info), Some("0.1.0")),
-                restart_decision(
-                    RestartMode::Always,
-                    /*info*/ None,
-                    /*managed_version*/ None,
-                ),
-            ],
-            [
-                RestartDecision::AlreadyCurrent,
-                RestartDecision::NotReady,
-                RestartDecision::Restart,
-                RestartDecision::Restart,
-            ]
-        );
-    }
-
-    #[test]
-    fn remote_control_start_output_serializes_inner_output_without_tag() {
-        let lifecycle_output = LifecycleOutput {
-            status: LifecycleStatus::AlreadyRunning,
-            backend: Some(BackendKind::Pid),
-            pid: None,
-            socket_path: "codex.sock".into(),
-            cli_version: Some("1.2.3".to_string()),
-            app_server_version: Some("1.2.4".to_string()),
-        };
-        let output = RemoteControlStartOutput::Start(lifecycle_output.clone());
-
-        assert_eq!(
-            serde_json::to_value(output).expect("serialize"),
-            serde_json::to_value(lifecycle_output).expect("serialize")
-        );
-
-        let bootstrap_output = BootstrapOutput {
-            status: BootstrapStatus::Bootstrapped,
-            backend: BackendKind::Pid,
-            auto_update_enabled: true,
-            remote_control_enabled: true,
-            managed_codex_path: "codex".into(),
-            socket_path: "codex.sock".into(),
-            cli_version: "1.2.3".to_string(),
-            app_server_version: "1.2.4".to_string(),
-        };
-        let output = RemoteControlStartOutput::Bootstrap(bootstrap_output.clone());
-
-        assert_eq!(
-            serde_json::to_value(output).expect("serialize"),
-            serde_json::to_value(bootstrap_output).expect("serialize")
-        );
-    }
-}
--- a/codex-rs/app-server-daemon/src/managed_install.rs
+++ b/codex-rs/app-server-daemon/src/managed_install.rs
@@ -1,103 +0,0 @@
-use std::path::Path;
-use std::path::PathBuf;
-
-#[cfg(unix)]
-use anyhow::Context;
-#[cfg(unix)]
-use anyhow::Result;
-#[cfg(unix)]
-use anyhow::anyhow;
-#[cfg(unix)]
-use sha2::Digest;
-#[cfg(unix)]
-use sha2::Sha256;
-#[cfg(unix)]
-use tokio::fs;
-#[cfg(unix)]
-use tokio::process::Command;
-
-pub(crate) fn managed_codex_bin(codex_home: &Path) -> PathBuf {
-    codex_home
-        .join("packages")
-        .join("standalone")
-        .join("current")
-        .join(managed_codex_file_name())
-}
-
-#[cfg(unix)]
-pub(crate) async fn resolved_managed_codex_bin(codex_bin: &Path) -> Result<PathBuf> {
-    fs::canonicalize(codex_bin).await.with_context(|| {
-        format!(
-            "failed to resolve managed Codex binary {}",
-            codex_bin.display()
-        )
-    })
-}
-
-#[cfg(unix)]
-pub(crate) async fn managed_codex_version(codex_bin: &Path) -> Result<String> {
-    let output = Command::new(codex_bin)
-        .arg("--version")
-        .output()
-        .await
-        .with_context(|| {
-            format!(
-                "failed to invoke managed Codex binary {}",
-                codex_bin.display()
-            )
-        })?;
-    if !output.status.success() {
-        return Err(anyhow!(
-            "managed Codex binary {} exited with status {}",
-            codex_bin.display(),
-            output.status
-        ));
-    }
-
-    let stdout = String::from_utf8(output.stdout).with_context(|| {
-        format!(
-            "managed Codex version was not utf-8: {}",
-            codex_bin.display()
-        )
-    })?;
-    parse_codex_version(&stdout)
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub(crate) struct ExecutableIdentity {
-    digest: [u8; 32],
-}
-
-#[cfg(unix)]
-pub(crate) async fn executable_identity(executable: &Path) -> Result<ExecutableIdentity> {
-    let bytes = fs::read(executable)
-        .await
-        .with_context(|| format!("failed to read executable {}", executable.display()))?;
-    Ok(executable_identity_from_bytes(&bytes))
-}
-
-#[cfg(unix)]
-pub(crate) fn executable_identity_from_bytes(bytes: &[u8]) -> ExecutableIdentity {
-    ExecutableIdentity {
-        digest: Sha256::digest(bytes).into(),
-    }
-}
-
-fn managed_codex_file_name() -> &'static str {
-    if cfg!(windows) { "codex.exe" } else { "codex" }
-}
-
-#[cfg(unix)]
-fn parse_codex_version(output: &str) -> Result<String> {
-    let version = output
-        .split_whitespace()
-        .nth(1)
-        .filter(|version| !version.is_empty())
-        .ok_or_else(|| anyhow!("managed Codex version output was malformed"))?;
-    Ok(version.to_string())
-}
-
-#[cfg(all(test, unix))]
-#[path = "managed_install_tests.rs"]
-mod tests;
--- a/codex-rs/app-server-daemon/src/managed_install_tests.rs
+++ b/codex-rs/app-server-daemon/src/managed_install_tests.rs
@@ -1,27 +0,0 @@
-use pretty_assertions::assert_eq;
-
-use super::executable_identity_from_bytes;
-use super::parse_codex_version;
-
-#[test]
-fn parses_codex_cli_version_output() {
-    assert_eq!(
-        parse_codex_version("codex 1.2.3\n").expect("version"),
-        "1.2.3"
-    );
-}
-
-#[test]
-fn rejects_malformed_codex_cli_version_output() {
-    assert!(parse_codex_version("codex\n").is_err());
-}
-
-#[test]
-fn executable_identity_uses_binary_contents() {
-    let old = executable_identity_from_bytes(b"old");
-    let same = executable_identity_from_bytes(b"old");
-    let new = executable_identity_from_bytes(b"new");
-
-    assert_eq!(old, same);
-    assert_ne!(old, new);
-}
--- a/codex-rs/app-server-daemon/src/settings.rs
+++ b/codex-rs/app-server-daemon/src/settings.rs
@@ -1,63 +0,0 @@
-use std::path::Path;
-
-use anyhow::Context;
-use anyhow::Result;
-use serde::Deserialize;
-use serde::Serialize;
-use tokio::fs;
-
-#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub(crate) struct DaemonSettings {
-    pub(crate) remote_control_enabled: bool,
-}
-
-impl DaemonSettings {
-    pub(crate) async fn load(path: &Path) -> Result<Self> {
-        let contents = match fs::read_to_string(path).await {
-            Ok(contents) => contents,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(Self::default()),
-            Err(err) => {
-                return Err(err)
-                    .with_context(|| format!("failed to read daemon settings {}", path.display()));
-            }
-        };
-
-        serde_json::from_str(&contents)
-            .with_context(|| format!("failed to parse daemon settings {}", path.display()))
-    }
-
-    pub(crate) async fn save(&self, path: &Path) -> Result<()> {
-        if let Some(parent) = path.parent() {
-            fs::create_dir_all(parent).await.with_context(|| {
-                format!(
-                    "failed to create daemon settings directory {}",
-                    parent.display()
-                )
-            })?;
-        }
-
-        let contents = serde_json::to_vec_pretty(self).context("failed to serialize settings")?;
-        fs::write(path, contents)
-            .await
-            .with_context(|| format!("failed to write daemon settings {}", path.display()))
-    }
-}
-
-#[cfg(all(test, unix))]
-mod tests {
-    use pretty_assertions::assert_eq;
-
-    use super::DaemonSettings;
-
-    #[test]
-    fn daemon_settings_use_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&DaemonSettings {
-                remote_control_enabled: true,
-            })
-            .expect("serialize"),
-            r#"{"remoteControlEnabled":true}"#
-        );
-    }
-}
--- a/codex-rs/app-server-daemon/src/update_loop.rs
+++ b/codex-rs/app-server-daemon/src/update_loop.rs
@@ -1,197 +0,0 @@
-#[cfg(unix)]
-use std::process::Command as StdCommand;
-#[cfg(unix)]
-use std::process::Stdio;
-#[cfg(unix)]
-use std::time::Duration;
-
-#[cfg(unix)]
-use anyhow::Context;
-use anyhow::Result;
-#[cfg(not(unix))]
-use anyhow::bail;
-#[cfg(unix)]
-use futures::FutureExt;
-#[cfg(unix)]
-use std::os::unix::process::CommandExt;
-#[cfg(unix)]
-use tokio::io::AsyncWriteExt;
-#[cfg(unix)]
-use tokio::process::Command;
-#[cfg(unix)]
-use tokio::signal::unix::Signal;
-#[cfg(unix)]
-use tokio::signal::unix::SignalKind;
-#[cfg(unix)]
-use tokio::signal::unix::signal;
-#[cfg(unix)]
-use tokio::time::sleep;
-
-#[cfg(unix)]
-use crate::Daemon;
-#[cfg(unix)]
-use crate::RestartIfRunningOutcome;
-#[cfg(unix)]
-use crate::RestartMode;
-#[cfg(unix)]
-use crate::UpdaterRefreshMode;
-#[cfg(unix)]
-use crate::managed_install::ExecutableIdentity;
-#[cfg(unix)]
-use crate::managed_install::executable_identity;
-#[cfg(unix)]
-use crate::managed_install::resolved_managed_codex_bin;
-
-#[cfg(unix)]
-const INITIAL_UPDATE_DELAY: Duration = Duration::from_secs(5 * 60);
-#[cfg(unix)]
-const RESTART_RETRY_INTERVAL: Duration = Duration::from_millis(50);
-#[cfg(unix)]
-const UPDATE_INTERVAL: Duration = Duration::from_secs(60 * 60);
-
-#[cfg(unix)]
-pub(crate) async fn run() -> Result<()> {
-    let mut terminate =
-        signal(SignalKind::terminate()).context("failed to install updater shutdown handler")?;
-    let running_updater_identity = current_updater_identity().await?;
-    if sleep_or_terminate(INITIAL_UPDATE_DELAY, &mut terminate).await {
-        return Ok(());
-    }
-    loop {
-        match update_once(&running_updater_identity, &mut terminate).await {
-            Ok(UpdateLoopControl::Continue) | Err(_) => {}
-            Ok(UpdateLoopControl::Stop) => return Ok(()),
-        }
-        if sleep_or_terminate(UPDATE_INTERVAL, &mut terminate).await {
-            return Ok(());
-        }
-    }
-}
-
-#[cfg(not(unix))]
-pub(crate) async fn run() -> Result<()> {
-    bail!("pid-managed updater loop is unsupported on this platform")
-}
-
-#[cfg(unix)]
-async fn sleep_or_terminate(duration: Duration, terminate: &mut Signal) -> bool {
-    tokio::select! {
-        _ = sleep(duration) => false,
-        _ = terminate.recv() => true,
-    }
-}
-
-#[cfg(unix)]
-enum UpdateLoopControl {
-    Continue,
-    Stop,
-}
-
-#[cfg(unix)]
-async fn update_once(
-    running_updater_identity: &ExecutableIdentity,
-    terminate: &mut Signal,
-) -> Result<UpdateLoopControl> {
-    install_latest_standalone().await?;
-
-    let daemon = Daemon::from_environment()?;
-    let managed_codex_bin = resolved_managed_codex_bin(&daemon.managed_codex_bin).await?;
-    let managed_identity = executable_identity(&managed_codex_bin).await?;
-    let (restart_mode, updater_refresh_mode) =
-        update_modes_for_identities(running_updater_identity, &managed_identity);
-
-    loop {
-        if terminate.recv().now_or_never().flatten().is_some() {
-            return Ok(UpdateLoopControl::Stop);
-        }
-        match daemon
-            .try_restart_if_running(restart_mode, updater_refresh_mode, &managed_codex_bin)
-            .await?
-        {
-            RestartIfRunningOutcome::Busy => {
-                if sleep_or_terminate(RESTART_RETRY_INTERVAL, terminate).await {
-                    return Ok(UpdateLoopControl::Stop);
-                }
-            }
-            _ => return Ok(UpdateLoopControl::Continue),
-        }
-    }
-}
-
-#[cfg(unix)]
-async fn current_updater_identity() -> Result<ExecutableIdentity> {
-    let current_exe =
-        std::env::current_exe().context("failed to resolve current updater executable")?;
-    executable_identity(&current_exe).await
-}
-
-#[cfg(unix)]
-fn update_modes_for_identities(
-    running_updater_identity: &ExecutableIdentity,
-    managed_identity: &ExecutableIdentity,
-) -> (RestartMode, UpdaterRefreshMode) {
-    if running_updater_identity == managed_identity {
-        (RestartMode::IfVersionChanged, UpdaterRefreshMode::None)
-    } else {
-        (
-            RestartMode::Always,
-            UpdaterRefreshMode::ReexecIfManagedBinaryChanged,
-        )
-    }
-}
-
-#[cfg(unix)]
-pub(crate) fn reexec_managed_updater(managed_codex_bin: &std::path::Path) -> Result<()> {
-    let err = StdCommand::new(managed_codex_bin)
-        .args(["app-server", "daemon", "pid-update-loop"])
-        .exec();
-    Err(err).with_context(|| {
-        format!(
-            "failed to replace updater with managed Codex binary {}",
-            managed_codex_bin.display()
-        )
-    })
-}
-
-#[cfg(unix)]
-async fn install_latest_standalone() -> Result<()> {
-    let script = reqwest::get("https://chatgpt.com/codex/install.sh")
-        .await
-        .context("failed to fetch standalone Codex updater")?
-        .error_for_status()
-        .context("standalone Codex updater request failed")?
-        .bytes()
-        .await
-        .context("failed to read standalone Codex updater")?;
-
-    let mut child = Command::new("/bin/sh")
-        .arg("-s")
-        .stdin(Stdio::piped())
-        .stdout(Stdio::null())
-        .stderr(Stdio::null())
-        .spawn()
-        .context("failed to invoke standalone Codex updater")?;
-    let mut stdin = child
-        .stdin
-        .take()
-        .context("standalone Codex updater stdin was unavailable")?;
-    stdin
-        .write_all(&script)
-        .await
-        .context("failed to pass standalone Codex updater to shell")?;
-    drop(stdin);
-    let status = child
-        .wait()
-        .await
-        .context("failed to wait for standalone Codex updater")?;
-
-    if status.success() {
-        Ok(())
-    } else {
-        anyhow::bail!("standalone Codex updater exited with status {status}")
-    }
-}
-
-#[cfg(all(test, unix))]
-#[path = "update_loop_tests.rs"]
-mod tests;
--- a/codex-rs/app-server-daemon/src/update_loop_tests.rs
+++ b/codex-rs/app-server-daemon/src/update_loop_tests.rs
@@ -1,31 +0,0 @@
-use pretty_assertions::assert_eq;
-
-use super::update_modes_for_identities;
-use crate::RestartMode;
-use crate::UpdaterRefreshMode;
-use crate::managed_install::executable_identity_from_bytes;
-
-#[test]
-fn unchanged_updater_uses_version_based_restart() {
-    assert_eq!(
-        update_modes_for_identities(
-            &executable_identity_from_bytes(b"same"),
-            &executable_identity_from_bytes(b"same"),
-        ),
-        (RestartMode::IfVersionChanged, UpdaterRefreshMode::None)
-    );
-}
-
-#[test]
-fn changed_updater_forces_refresh_even_when_version_may_match() {
-    assert_eq!(
-        update_modes_for_identities(
-            &executable_identity_from_bytes(b"old"),
-            &executable_identity_from_bytes(b"new"),
-        ),
-        (
-            RestartMode::Always,
-            UpdaterRefreshMode::ReexecIfManagedBinaryChanged,
-        )
-    );
-}
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -7,7 +7,6 @@ license.workspace = true
 [lib]
 name = "codex_app_server_protocol"
 path = "src/lib.rs"
-doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateParams.json
+++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateParams.json
@@ -1,5 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "AttestationGenerateParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
@@ -1,14 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "token": {
-      "description": "Opaque client attestation token.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "token"
-  ],
-  "title": "AttestationGenerateResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -5,26 +5,6 @@
      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
      "type": "string"
    },
-    "ActivePermissionProfile": {
-      "properties": {
-        "extends": {
-          "default": null,
-          "description": "Parent profile identifier once permissions profiles support inheritance. This is currently always `null`.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "id": {
-          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "id"
-      ],
-      "type": "object"
-    },
    "AddCreditsNudgeCreditType": {
      "enum": [
        "credits",
@@ -739,6 +719,202 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FsCopyParams": {
      "description": "Copy a file or directory tree on the host filesystem.",
      "properties": {
@@ -1059,6 +1235,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -1081,11 +1259,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
@@ -1554,6 +1727,194 @@
      ],
      "type": "string"
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
@@ -1649,17 +2010,6 @@
      ],
      "type": "object"
    },
-    "PluginShareCheckoutParams": {
-      "properties": {
-        "remotePluginId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "remotePluginId"
-      ],
-      "type": "object"
-    },
    "PluginShareDeleteParams": {
      "properties": {
        "remotePluginId": {
@@ -1733,37 +2083,16 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
-    },
-    "PluginShareUpdateDiscoverability": {
-      "enum": [
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginShareUpdateTargetsParams": {
      "properties": {
-        "discoverability": {
-          "$ref": "#/definitions/PluginShareUpdateDiscoverability"
-        },
        "remotePluginId": {
          "type": "string"
        },
@@ -1775,7 +2104,6 @@
        }
      },
      "required": [
-        "discoverability",
        "remotePluginId",
        "shareTargets"
      ],
@@ -2422,22 +2750,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
@@ -2900,6 +3212,24 @@
      ],
      "type": "object"
    },
+    "SkillsListExtraRootsForCwd": {
+      "properties": {
+        "cwd": {
+          "type": "string"
+        },
+        "extraUserRoots": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "cwd",
+        "extraUserRoots"
+      ],
+      "type": "object"
+    },
    "SkillsListParams": {
      "properties": {
        "cwds": {
@@ -2912,6 +3242,17 @@
        "forceReload": {
          "description": "When true, bypass the skills cache and re-scan skills from disk.",
          "type": "boolean"
+        },
+        "perCwdExtraUserRoots": {
+          "default": null,
+          "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+          "items": {
+            "$ref": "#/definitions/SkillsListExtraRootsForCwd"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
        }
      },
      "type": "object"
@@ -3755,31 +4096,6 @@
      ],
      "type": "object"
    },
-    "TurnItemsView": {
-      "oneOf": [
-        {
-          "description": "`items` was not loaded for this turn. The field is intentionally empty.",
-          "enum": [
-            "notLoaded"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "`items` contains only a display summary for this turn.",
-          "enum": [
-            "summary"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "`items` contains every ThreadItem available from persisted app-server history for this turn.",
-          "enum": [
-            "full"
-          ],
-          "type": "string"
-        }
-      ]
-    },
    "TurnStartParams": {
      "properties": {
        "approvalPolicy": {
@@ -3943,17 +4259,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -3974,17 +4279,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -4758,30 +5052,6 @@
      "title": "Plugin/share/listRequest",
      "type": "object"
    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "plugin/share/checkout"
-          ],
-          "title": "Plugin/share/checkoutRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/PluginShareCheckoutParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Plugin/share/checkoutRequest",
-      "type": "object"
-    },
    {
      "properties": {
        "id": {
@@ -5911,4 +6181,4 @@
    }
  ],
  "title": "ClientRequest"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
@@ -593,11 +593,6 @@
        "null"
      ]
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this approval request started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "threadId": {
      "type": "string"
    },
@@ -607,7 +602,6 @@
  },
  "required": [
    "itemId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/FileChangeRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/FileChangeRequestApprovalParams.json
@@ -18,11 +18,6 @@
        "null"
      ]
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this approval request started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "threadId": {
      "type": "string"
    },
@@ -32,7 +27,6 @@
  },
  "required": [
    "itemId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
@@ -297,11 +297,6 @@
        "null"
      ]
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this approval request started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "threadId": {
      "type": "string"
    },
@@ -313,7 +308,6 @@
    "cwd",
    "itemId",
    "permissions",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -1932,13 +1932,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "ItemCompletedNotification": {
      "properties": {
        "completedAtMs": {
@@ -1970,11 +1963,6 @@
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
-        "completedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review completed.",
-          "format": "int64",
-          "type": "integer"
-        },
        "decisionSource": {
          "$ref": "#/definitions/AutoReviewDecisionSource"
        },
@@ -1985,11 +1973,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -2006,11 +1989,9 @@
      },
      "required": [
        "action",
-        "completedAtMs",
        "decisionSource",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2029,11 +2010,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -2052,7 +2028,6 @@
        "action",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2744,7 +2719,7 @@
      "type": "string"
    },
    "RemoteControlStatusChangedNotification": {
-      "description": "Current remote-control connection status and remote identity exposed to clients.",
+      "description": "Current remote-control connection status and environment id exposed to clients.",
      "properties": {
        "environmentId": {
          "type": [
@@ -2752,19 +2727,11 @@
            "null"
          ]
        },
-        "installationId": {
-          "type": "string"
-        },
-        "serverName": {
-          "type": "string"
-        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
-        "installationId",
-        "serverName",
        "status"
      ],
      "type": "object"
@@ -4600,17 +4567,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -4631,17 +4587,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/ServerRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerRequest.json
@@ -121,9 +121,6 @@
      ],
      "type": "object"
    },
-    "AttestationGenerateParams": {
-      "type": "object"
-    },
    "ChatgptAuthTokensRefreshParams": {
      "properties": {
        "previousAccountId": {
@@ -420,11 +417,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -434,7 +426,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -607,11 +598,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -621,7 +607,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -1602,11 +1587,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -1618,7 +1598,6 @@
        "cwd",
        "itemId",
        "permissions",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -1921,31 +1900,6 @@
      "title": "Account/chatgptAuthTokens/refreshRequest",
      "type": "object"
    },
-    {
-      "description": "Generate a fresh upstream attestation result on demand.",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "attestation/generate"
-          ],
-          "title": "Attestation/generateRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/AttestationGenerateParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Attestation/generateRequest",
-      "type": "object"
-    },
    {
      "description": "DEPRECATED APIs below Request to approve a patch. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
      "properties": {
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -83,25 +83,6 @@
      "title": "ApplyPatchApprovalResponse",
      "type": "object"
    },
-    "AttestationGenerateParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "title": "AttestationGenerateParams",
-      "type": "object"
-    },
-    "AttestationGenerateResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "token": {
-          "description": "Opaque client attestation token.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "token"
-      ],
-      "title": "AttestationGenerateResponse",
-      "type": "object"
-    },
    "ChatgptAuthTokensRefreshParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -877,30 +858,6 @@
          "title": "Plugin/share/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "plugin/share/checkout"
-              ],
-              "title": "Plugin/share/checkoutRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/v2/PluginShareCheckoutParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Plugin/share/checkoutRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -2189,11 +2146,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -2203,7 +2155,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2460,11 +2411,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -2474,7 +2420,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2663,11 +2608,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
@@ -3651,11 +3591,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -3667,7 +3602,6 @@
        "cwd",
        "itemId",
        "permissions",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -5255,31 +5189,6 @@
          "title": "Account/chatgptAuthTokens/refreshRequest",
          "type": "object"
        },
-        {
-          "description": "Generate a fresh upstream attestation result on demand.",
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "attestation/generate"
-              ],
-              "title": "Attestation/generateRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/AttestationGenerateParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Attestation/generateRequest",
-          "type": "object"
-        },
        {
          "description": "DEPRECATED APIs below Request to approve a patch. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
          "properties": {
@@ -5607,6 +5516,14 @@
          "id": {
            "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
            "type": "string"
+          },
+          "modifications": {
+            "default": [],
+            "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+            "items": {
+              "$ref": "#/definitions/v2/ActivePermissionProfileModification"
+            },
+            "type": "array"
          }
        },
        "required": [
@@ -5614,6 +5531,31 @@
        ],
        "type": "object"
      },
+      "ActivePermissionProfileModification": {
+        "oneOf": [
+          {
+            "description": "Additional concrete directory that should be writable.",
+            "properties": {
+              "path": {
+                "$ref": "#/definitions/v2/AbsolutePathBuf"
+              },
+              "type": {
+                "enum": [
+                  "additionalWritableRoot"
+                ],
+                "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "path",
+              "type"
+            ],
+            "title": "AdditionalWritableRootActivePermissionProfileModification",
+            "type": "object"
+          }
+        ]
+      },
      "AddCreditsNudgeCreditType": {
        "enum": [
          "credits",
@@ -7086,13 +7028,6 @@
              "null"
            ]
          },
-          "desktop": {
-            "additionalProperties": true,
-            "type": [
-              "object",
-              "null"
-            ]
-          },
          "developer_instructions": {
            "type": [
              "string",
@@ -7100,13 +7035,9 @@
            ]
          },
          "forced_chatgpt_workspace_id": {
-            "anyOf": [
-              {
-                "$ref": "#/definitions/v2/ForcedChatgptWorkspaceIds"
-              },
-              {
-                "type": "null"
-              }
+            "type": [
+              "string",
+              "null"
            ]
          },
          "forced_login_method": {
@@ -7401,13 +7332,6 @@
                ],
                "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
              },
-              "profile": {
-                "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-                "type": [
-                  "string",
-                  "null"
-                ]
-              },
              "type": {
                "enum": [
                  "user"
@@ -7549,12 +7473,6 @@
      },
      "ConfigRequirements": {
        "properties": {
-          "allowManagedHooksOnly": {
-            "type": [
-              "boolean",
-              "null"
-            ]
-          },
          "allowedApprovalPolicies": {
            "items": {
              "$ref": "#/definitions/v2/AskForApproval"
@@ -7739,12 +7657,6 @@
              "command": {
                "type": "string"
              },
-              "commandWindows": {
-                "type": [
-                  "string",
-                  "null"
-                ]
-              },
              "statusMessage": {
                "type": [
                  "string",
@@ -8675,20 +8587,6 @@
        ],
        "type": "object"
      },
-      "ForcedChatgptWorkspaceIds": {
-        "anyOf": [
-          {
-            "type": "string"
-          },
-          {
-            "items": {
-              "type": "string"
-            },
-            "type": "array"
-          }
-        ],
-        "description": "Backward-compatible API shape for ChatGPT workspace login restrictions."
-      },
      "ForcedLoginMethod": {
        "enum": [
          "chatgpt",
@@ -9920,6 +9818,8 @@
      },
      "ImageDetail": {
        "enum": [
+          "auto",
+          "low",
          "high",
          "original"
        ],
@@ -9978,11 +9878,6 @@
          "action": {
            "$ref": "#/definitions/v2/GuardianApprovalReviewAction"
          },
-          "completedAtMs": {
-            "description": "Unix timestamp (in milliseconds) when this review completed.",
-            "format": "int64",
-            "type": "integer"
-          },
          "decisionSource": {
            "$ref": "#/definitions/v2/AutoReviewDecisionSource"
          },
@@ -9993,11 +9888,6 @@
            "description": "Stable identifier for this review.",
            "type": "string"
          },
-          "startedAtMs": {
-            "description": "Unix timestamp (in milliseconds) when this review started.",
-            "format": "int64",
-            "type": "integer"
-          },
          "targetItemId": {
            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
            "type": [
@@ -10014,11 +9904,9 @@
        },
        "required": [
          "action",
-          "completedAtMs",
          "decisionSource",
          "review",
          "reviewId",
-          "startedAtMs",
          "threadId",
          "turnId"
        ],
@@ -10039,11 +9927,6 @@
            "description": "Stable identifier for this review.",
            "type": "string"
          },
-          "startedAtMs": {
-            "description": "Unix timestamp (in milliseconds) when this review started.",
-            "format": "int64",
-            "type": "integer"
-          },
          "targetItemId": {
            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
            "type": [
@@ -10062,7 +9945,6 @@
          "action",
          "review",
          "reviewId",
-          "startedAtMs",
          "threadId",
          "turnId"
        ],
@@ -11619,6 +11501,194 @@
          }
        ]
      },
+      "PermissionProfile": {
+        "oneOf": [
+          {
+            "description": "Codex owns sandbox construction for this profile.",
+            "properties": {
+              "fileSystem": {
+                "$ref": "#/definitions/v2/PermissionProfileFileSystemPermissions"
+              },
+              "network": {
+                "$ref": "#/definitions/v2/PermissionProfileNetworkPermissions"
+              },
+              "type": {
+                "enum": [
+                  "managed"
+                ],
+                "title": "ManagedPermissionProfileType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "fileSystem",
+              "network",
+              "type"
+            ],
+            "title": "ManagedPermissionProfile",
+            "type": "object"
+          },
+          {
+            "description": "Do not apply an outer sandbox.",
+            "properties": {
+              "type": {
+                "enum": [
+                  "disabled"
+                ],
+                "title": "DisabledPermissionProfileType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "DisabledPermissionProfile",
+            "type": "object"
+          },
+          {
+            "description": "Filesystem isolation is enforced by an external caller.",
+            "properties": {
+              "network": {
+                "$ref": "#/definitions/v2/PermissionProfileNetworkPermissions"
+              },
+              "type": {
+                "enum": [
+                  "external"
+                ],
+                "title": "ExternalPermissionProfileType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "network",
+              "type"
+            ],
+            "title": "ExternalPermissionProfile",
+            "type": "object"
+          }
+        ]
+      },
+      "PermissionProfileFileSystemPermissions": {
+        "oneOf": [
+          {
+            "properties": {
+              "entries": {
+                "items": {
+                  "$ref": "#/definitions/v2/FileSystemSandboxEntry"
+                },
+                "type": "array"
+              },
+              "globScanMaxDepth": {
+                "format": "uint",
+                "minimum": 1.0,
+                "type": [
+                  "integer",
+                  "null"
+                ]
+              },
+              "type": {
+                "enum": [
+                  "restricted"
+                ],
+                "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "entries",
+              "type"
+            ],
+            "title": "RestrictedPermissionProfileFileSystemPermissions",
+            "type": "object"
+          },
+          {
+            "properties": {
+              "type": {
+                "enum": [
+                  "unrestricted"
+                ],
+                "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+            "type": "object"
+          }
+        ]
+      },
+      "PermissionProfileModificationParams": {
+        "oneOf": [
+          {
+            "description": "Additional concrete directory that should be writable.",
+            "properties": {
+              "path": {
+                "$ref": "#/definitions/v2/AbsolutePathBuf"
+              },
+              "type": {
+                "enum": [
+                  "additionalWritableRoot"
+                ],
+                "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "path",
+              "type"
+            ],
+            "title": "AdditionalWritableRootPermissionProfileModificationParams",
+            "type": "object"
+          }
+        ]
+      },
+      "PermissionProfileNetworkPermissions": {
+        "properties": {
+          "enabled": {
+            "type": "boolean"
+          }
+        },
+        "required": [
+          "enabled"
+        ],
+        "type": "object"
+      },
+      "PermissionProfileSelectionParams": {
+        "oneOf": [
+          {
+            "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+            "properties": {
+              "id": {
+                "type": "string"
+              },
+              "modifications": {
+                "items": {
+                  "$ref": "#/definitions/v2/PermissionProfileModificationParams"
+                },
+                "type": [
+                  "array",
+                  "null"
+                ]
+              },
+              "type": {
+                "enum": [
+                  "profile"
+                ],
+                "title": "ProfilePermissionProfileSelectionParamsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "id",
+              "type"
+            ],
+            "title": "ProfilePermissionProfileSelectionParams",
+            "type": "object"
+          }
+        ]
+      },
      "Personality": {
        "enum": [
          "none",
@@ -12101,58 +12171,6 @@
        "title": "PluginReadResponse",
        "type": "object"
      },
-      "PluginShareCheckoutParams": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "properties": {
-          "remotePluginId": {
-            "type": "string"
-          }
-        },
-        "required": [
-          "remotePluginId"
-        ],
-        "title": "PluginShareCheckoutParams",
-        "type": "object"
-      },
-      "PluginShareCheckoutResponse": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "properties": {
-          "marketplaceName": {
-            "type": "string"
-          },
-          "marketplacePath": {
-            "$ref": "#/definitions/v2/AbsolutePathBuf"
-          },
-          "pluginId": {
-            "type": "string"
-          },
-          "pluginName": {
-            "type": "string"
-          },
-          "pluginPath": {
-            "$ref": "#/definitions/v2/AbsolutePathBuf"
-          },
-          "remotePluginId": {
-            "type": "string"
-          },
-          "remoteVersion": {
-            "type": [
-              "string",
-              "null"
-            ]
-          }
-        },
-        "required": [
-          "marketplaceName",
-          "marketplacePath",
-          "pluginId",
-          "pluginName",
-          "pluginPath",
-          "remotePluginId"
-        ],
-        "title": "PluginShareCheckoutResponse",
-        "type": "object"
-      },
      "PluginShareContext": {
        "properties": {
          "creatorAccountUserId": {
@@ -12167,41 +12185,8 @@
              "null"
            ]
          },
-          "discoverability": {
-            "anyOf": [
-              {
-                "$ref": "#/definitions/v2/PluginShareDiscoverability"
-              },
-              {
-                "type": "null"
-              }
-            ]
-          },
          "remotePluginId": {
            "type": "string"
-          },
-          "remoteVersion": {
-            "default": null,
-            "description": "Version of the remote shared plugin release when available.",
-            "type": [
-              "string",
-              "null"
-            ]
-          },
-          "sharePrincipals": {
-            "items": {
-              "$ref": "#/definitions/v2/PluginSharePrincipal"
-            },
-            "type": [
-              "array",
-              "null"
-            ]
-          },
-          "shareUrl": {
-            "type": [
-              "string",
-              "null"
-            ]
          }
        },
        "required": [
@@ -12249,10 +12234,14 @@
          },
          "plugin": {
            "$ref": "#/definitions/v2/PluginSummary"
+          },
+          "shareUrl": {
+            "type": "string"
          }
        },
        "required": [
-          "plugin"
+          "plugin",
+          "shareUrl"
        ],
        "type": "object"
      },
@@ -12287,27 +12276,15 @@
          },
          "principalType": {
            "$ref": "#/definitions/v2/PluginSharePrincipalType"
-          },
-          "role": {
-            "$ref": "#/definitions/v2/PluginSharePrincipalRole"
          }
        },
        "required": [
          "name",
          "principalId",
-          "principalType",
-          "role"
+          "principalType"
        ],
        "type": "object"
      },
-      "PluginSharePrincipalRole": {
-        "enum": [
-          "reader",
-          "editor",
-          "owner"
-        ],
-        "type": "string"
-      },
      "PluginSharePrincipalType": {
        "enum": [
          "user",
@@ -12378,38 +12355,17 @@
          },
          "principalType": {
            "$ref": "#/definitions/v2/PluginSharePrincipalType"
-          },
-          "role": {
-            "$ref": "#/definitions/v2/PluginShareTargetRole"
          }
        },
        "required": [
          "principalId",
-          "principalType",
-          "role"
+          "principalType"
        ],
        "type": "object"
      },
-      "PluginShareTargetRole": {
-        "enum": [
-          "reader",
-          "editor"
-        ],
-        "type": "string"
-      },
-      "PluginShareUpdateDiscoverability": {
-        "enum": [
-          "UNLISTED",
-          "PRIVATE"
-        ],
-        "type": "string"
-      },
      "PluginShareUpdateTargetsParams": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
-          "discoverability": {
-            "$ref": "#/definitions/v2/PluginShareUpdateDiscoverability"
-          },
          "remotePluginId": {
            "type": "string"
          },
@@ -12421,7 +12377,6 @@
          }
        },
        "required": [
-          "discoverability",
          "remotePluginId",
          "shareTargets"
        ],
@@ -12431,9 +12386,6 @@
      "PluginShareUpdateTargetsResponse": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
-          "discoverability": {
-            "$ref": "#/definitions/v2/PluginShareDiscoverability"
-          },
          "principals": {
            "items": {
              "$ref": "#/definitions/v2/PluginSharePrincipal"
@@ -12442,7 +12394,6 @@
          }
        },
        "required": [
-          "discoverability",
          "principals"
        ],
        "title": "PluginShareUpdateTargetsResponse",
@@ -12604,24 +12555,9 @@
            },
            "type": "array"
          },
-          "localVersion": {
-            "default": null,
-            "description": "Version of the locally materialized plugin package when available.",
-            "type": [
-              "string",
-              "null"
-            ]
-          },
          "name": {
            "type": "string"
          },
-          "remotePluginId": {
-            "description": "Backend remote plugin identifier when available.",
-            "type": [
-              "string",
-              "null"
-            ]
-          },
          "shareContext": {
            "anyOf": [
              {
@@ -13304,7 +13240,7 @@
      },
      "RemoteControlStatusChangedNotification": {
        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Current remote-control connection status and remote identity exposed to clients.",
+        "description": "Current remote-control connection status and environment id exposed to clients.",
        "properties": {
          "environmentId": {
            "type": [
@@ -13312,19 +13248,11 @@
              "null"
            ]
          },
-          "installationId": {
-            "type": "string"
-          },
-          "serverName": {
-            "type": "string"
-          },
          "status": {
            "$ref": "#/definitions/v2/RemoteControlConnectionStatus"
          }
        },
        "required": [
-          "installationId",
-          "serverName",
          "status"
        ],
        "title": "RemoteControlStatusChangedNotification",
@@ -13938,22 +13866,6 @@
            "title": "CompactionResponseItem",
            "type": "object"
          },
-          {
-            "properties": {
-              "type": {
-                "enum": [
-                  "compaction_trigger"
-                ],
-                "title": "CompactionTriggerResponseItemType",
-                "type": "string"
-              }
-            },
-            "required": [
-              "type"
-            ],
-            "title": "CompactionTriggerResponseItem",
-            "type": "object"
-          },
          {
            "properties": {
              "encrypted_content": {
@@ -14803,6 +14715,24 @@
        ],
        "type": "object"
      },
+      "SkillsListExtraRootsForCwd": {
+        "properties": {
+          "cwd": {
+            "type": "string"
+          },
+          "extraUserRoots": {
+            "items": {
+              "type": "string"
+            },
+            "type": "array"
+          }
+        },
+        "required": [
+          "cwd",
+          "extraUserRoots"
+        ],
+        "type": "object"
+      },
      "SkillsListParams": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
@@ -14816,6 +14746,17 @@
          "forceReload": {
            "description": "When true, bypass the skills cache and re-scan skills from disk.",
            "type": "boolean"
+          },
+          "perCwdExtraUserRoots": {
+            "default": null,
+            "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+            "items": {
+              "$ref": "#/definitions/v2/SkillsListExtraRootsForCwd"
+            },
+            "type": [
+              "array",
+              "null"
+            ]
          }
        },
        "title": "SkillsListParams",
@@ -15400,7 +15341,7 @@
                "$ref": "#/definitions/v2/SandboxPolicy"
              }
            ],
-            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
          },
          "serviceTier": {
            "type": [
@@ -16892,7 +16833,7 @@
                "$ref": "#/definitions/v2/SandboxPolicy"
              }
            ],
-            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
          },
          "serviceTier": {
            "type": [
@@ -17200,7 +17141,7 @@
                "$ref": "#/definitions/v2/SandboxPolicy"
              }
            ],
-            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
          },
          "serviceTier": {
            "type": [
@@ -17522,6 +17463,12 @@
      },
      "ToolsV2": {
        "properties": {
+          "view_image": {
+            "type": [
+              "boolean",
+              "null"
+            ]
+          },
          "web_search": {
            "anyOf": [
              {
@@ -18003,17 +17950,6 @@
          },
          {
            "properties": {
-              "detail": {
-                "anyOf": [
-                  {
-                    "$ref": "#/definitions/v2/ImageDetail"
-                  },
-                  {
-                    "type": "null"
-                  }
-                ],
-                "default": null
-              },
              "type": {
                "enum": [
                  "image"
@@ -18034,17 +17970,6 @@
          },
          {
            "properties": {
-              "detail": {
-                "anyOf": [
-                  {
-                    "$ref": "#/definitions/v2/ImageDetail"
-                  },
-                  {
-                    "type": "null"
-                  }
-                ],
-                "default": null
-              },
              "path": {
                "type": "string"
              },
@@ -18449,4 +18374,4 @@
  },
  "title": "CodexAppServerProtocol",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
@@ -143,6 +143,14 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
+        },
+        "modifications": {
+          "default": [],
+          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+          "items": {
+            "$ref": "#/definitions/ActivePermissionProfileModification"
+          },
+          "type": "array"
        }
      },
      "required": [
@@ -150,6 +158,31 @@
      ],
      "type": "object"
    },
+    "ActivePermissionProfileModification": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootActivePermissionProfileModification",
+          "type": "object"
+        }
+      ]
+    },
    "AddCreditsNudgeCreditType": {
      "enum": [
        "credits",
@@ -1584,30 +1617,6 @@
          "title": "Plugin/share/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/RequestId"
-            },
-            "method": {
-              "enum": [
-                "plugin/share/checkout"
-              ],
-              "title": "Plugin/share/checkoutRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/PluginShareCheckoutParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Plugin/share/checkoutRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -3475,13 +3484,6 @@
            "null"
          ]
        },
-        "desktop": {
-          "additionalProperties": true,
-          "type": [
-            "object",
-            "null"
-          ]
-        },
        "developer_instructions": {
          "type": [
            "string",
@@ -3489,13 +3491,9 @@
          ]
        },
        "forced_chatgpt_workspace_id": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/ForcedChatgptWorkspaceIds"
-            },
-            {
-              "type": "null"
-            }
+          "type": [
+            "string",
+            "null"
          ]
        },
        "forced_login_method": {
@@ -3790,13 +3788,6 @@
              ],
              "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
            },
-            "profile": {
-              "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "user"
@@ -3938,12 +3929,6 @@
    },
    "ConfigRequirements": {
      "properties": {
-        "allowManagedHooksOnly": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        },
        "allowedApprovalPolicies": {
          "items": {
            "$ref": "#/definitions/AskForApproval"
@@ -4128,12 +4113,6 @@
            "command": {
              "type": "string"
            },
-            "commandWindows": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "statusMessage": {
              "type": [
                "string",
@@ -5064,20 +5043,6 @@
      ],
      "type": "object"
    },
-    "ForcedChatgptWorkspaceIds": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      ],
-      "description": "Backward-compatible API shape for ChatGPT workspace login restrictions."
-    },
    "ForcedLoginMethod": {
      "enum": [
        "chatgpt",
@@ -6420,6 +6385,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -6442,11 +6409,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
@@ -6527,11 +6489,6 @@
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
-        "completedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review completed.",
-          "format": "int64",
-          "type": "integer"
-        },
        "decisionSource": {
          "$ref": "#/definitions/AutoReviewDecisionSource"
        },
@@ -6542,11 +6499,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -6563,11 +6515,9 @@
      },
      "required": [
        "action",
-        "completedAtMs",
        "decisionSource",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -6588,11 +6538,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -6611,7 +6556,6 @@
        "action",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -8168,6 +8112,194 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
@@ -8650,58 +8782,6 @@
      "title": "PluginReadResponse",
      "type": "object"
    },
-    "PluginShareCheckoutParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "remotePluginId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "remotePluginId"
-      ],
-      "title": "PluginShareCheckoutParams",
-      "type": "object"
-    },
-    "PluginShareCheckoutResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "marketplaceName": {
-          "type": "string"
-        },
-        "marketplacePath": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "pluginId": {
-          "type": "string"
-        },
-        "pluginName": {
-          "type": "string"
-        },
-        "pluginPath": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "remotePluginId": {
-          "type": "string"
-        },
-        "remoteVersion": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "marketplaceName",
-        "marketplacePath",
-        "pluginId",
-        "pluginName",
-        "pluginPath",
-        "remotePluginId"
-      ],
-      "title": "PluginShareCheckoutResponse",
-      "type": "object"
-    },
    "PluginShareContext": {
      "properties": {
        "creatorAccountUserId": {
@@ -8716,41 +8796,8 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
-        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "sharePrincipals": {
-          "items": {
-            "$ref": "#/definitions/PluginSharePrincipal"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "shareUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
        }
      },
      "required": [
@@ -8798,10 +8845,14 @@
        },
        "plugin": {
          "$ref": "#/definitions/PluginSummary"
+        },
+        "shareUrl": {
+          "type": "string"
        }
      },
      "required": [
-        "plugin"
+        "plugin",
+        "shareUrl"
      ],
      "type": "object"
    },
@@ -8836,27 +8887,15 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
        }
      },
      "required": [
        "name",
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipalType": {
      "enum": [
        "user",
@@ -8927,38 +8966,17 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
-    },
-    "PluginShareUpdateDiscoverability": {
-      "enum": [
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginShareUpdateTargetsParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
-        "discoverability": {
-          "$ref": "#/definitions/PluginShareUpdateDiscoverability"
-        },
        "remotePluginId": {
          "type": "string"
        },
@@ -8970,7 +8988,6 @@
        }
      },
      "required": [
-        "discoverability",
        "remotePluginId",
        "shareTargets"
      ],
@@ -8980,9 +8997,6 @@
    "PluginShareUpdateTargetsResponse": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
-        "discoverability": {
-          "$ref": "#/definitions/PluginShareDiscoverability"
-        },
        "principals": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
@@ -8991,7 +9005,6 @@
        }
      },
      "required": [
-        "discoverability",
        "principals"
      ],
      "title": "PluginShareUpdateTargetsResponse",
@@ -9153,24 +9166,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
@@ -9853,7 +9851,7 @@
    },
    "RemoteControlStatusChangedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Current remote-control connection status and remote identity exposed to clients.",
+      "description": "Current remote-control connection status and environment id exposed to clients.",
      "properties": {
        "environmentId": {
          "type": [
@@ -9861,19 +9859,11 @@
            "null"
          ]
        },
-        "installationId": {
-          "type": "string"
-        },
-        "serverName": {
-          "type": "string"
-        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
-        "installationId",
-        "serverName",
        "status"
      ],
      "title": "RemoteControlStatusChangedNotification",
@@ -10487,22 +10477,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
@@ -12627,6 +12601,24 @@
      ],
      "type": "object"
    },
+    "SkillsListExtraRootsForCwd": {
+      "properties": {
+        "cwd": {
+          "type": "string"
+        },
+        "extraUserRoots": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "cwd",
+        "extraUserRoots"
+      ],
+      "type": "object"
+    },
    "SkillsListParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -12640,6 +12632,17 @@
        "forceReload": {
          "description": "When true, bypass the skills cache and re-scan skills from disk.",
          "type": "boolean"
+        },
+        "perCwdExtraUserRoots": {
+          "default": null,
+          "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+          "items": {
+            "$ref": "#/definitions/SkillsListExtraRootsForCwd"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
        }
      },
      "title": "SkillsListParams",
@@ -13224,7 +13227,7 @@
              "$ref": "#/definitions/SandboxPolicy"
            }
          ],
-          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
        },
        "serviceTier": {
          "type": [
@@ -14716,7 +14719,7 @@
              "$ref": "#/definitions/SandboxPolicy"
            }
          ],
-          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
        },
        "serviceTier": {
          "type": [
@@ -15024,7 +15027,7 @@
              "$ref": "#/definitions/SandboxPolicy"
            }
          ],
-          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
        },
        "serviceTier": {
          "type": [
@@ -15346,6 +15349,12 @@
    },
    "ToolsV2": {
      "properties": {
+        "view_image": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
        "web_search": {
          "anyOf": [
            {
@@ -15827,17 +15836,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -15858,17 +15856,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -16272,4 +16259,4 @@
  },
  "title": "CodexAppServerProtocolV2",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
@@ -39,11 +39,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -5,26 +5,6 @@
      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
      "type": "string"
    },
-    "ActivePermissionProfile": {
-      "properties": {
-        "extends": {
-          "default": null,
-          "description": "Parent profile identifier once permissions profiles support inheritance. This is currently always `null`.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "id": {
-          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "id"
-      ],
-      "type": "object"
-    },
    "CommandExecTerminalSize": {
      "description": "PTY size in character cells for `command/exec` PTY sessions.",
      "properties": {
@@ -47,6 +27,202 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "NetworkAccess": {
      "enum": [
        "restricted",
@@ -54,6 +230,135 @@
      ],
      "type": "string"
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "SandboxPolicy": {
      "oneOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
@@ -228,13 +228,6 @@
            "null"
          ]
        },
-        "desktop": {
-          "additionalProperties": true,
-          "type": [
-            "object",
-            "null"
-          ]
-        },
        "developer_instructions": {
          "type": [
            "string",
@@ -242,13 +235,9 @@
          ]
        },
        "forced_chatgpt_workspace_id": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/ForcedChatgptWorkspaceIds"
-            },
-            {
-              "type": "null"
-            }
+          "type": [
+            "string",
+            "null"
          ]
        },
        "forced_login_method": {
@@ -493,13 +482,6 @@
              ],
              "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
            },
-            "profile": {
-              "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "user"
@@ -592,20 +574,6 @@
        }
      ]
    },
-    "ForcedChatgptWorkspaceIds": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      ],
-      "description": "Backward-compatible API shape for ChatGPT workspace login restrictions."
-    },
    "ForcedLoginMethod": {
      "enum": [
        "chatgpt",
@@ -780,6 +748,12 @@
    },
    "ToolsV2": {
      "properties": {
+        "view_image": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
        "web_search": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
@@ -62,12 +62,6 @@
    },
    "ConfigRequirements": {
      "properties": {
-        "allowManagedHooksOnly": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        },
        "allowedApprovalPolicies": {
          "items": {
            "$ref": "#/definitions/AskForApproval"
@@ -127,12 +121,6 @@
            "command": {
              "type": "string"
            },
-            "commandWindows": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "statusMessage": {
              "type": [
                "string",
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigWriteResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigWriteResponse.json
@@ -84,13 +84,6 @@
              ],
              "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
            },
-            "profile": {
-              "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "user"
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemCompletedNotification.json
@@ -285,13 +285,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1186,17 +1179,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1217,17 +1199,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
@@ -574,11 +574,6 @@
    "action": {
      "$ref": "#/definitions/GuardianApprovalReviewAction"
    },
-    "completedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this review completed.",
-      "format": "int64",
-      "type": "integer"
-    },
    "decisionSource": {
      "$ref": "#/definitions/AutoReviewDecisionSource"
    },
@@ -589,11 +584,6 @@
      "description": "Stable identifier for this review.",
      "type": "string"
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this review started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "targetItemId": {
      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
      "type": [
@@ -610,11 +600,9 @@
  },
  "required": [
    "action",
-    "completedAtMs",
    "decisionSource",
    "review",
    "reviewId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
@@ -574,11 +574,6 @@
      "description": "Stable identifier for this review.",
      "type": "string"
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this review started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "targetItemId": {
      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
      "type": [
@@ -597,7 +592,6 @@
    "action",
    "review",
    "reviewId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemStartedNotification.json
@@ -285,13 +285,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1186,17 +1179,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1217,17 +1199,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
@@ -246,41 +246,8 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
-        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "sharePrincipals": {
-          "items": {
-            "$ref": "#/definitions/PluginSharePrincipal"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "shareUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
        }
      },
      "required": [
@@ -288,53 +255,6 @@
      ],
      "type": "object"
    },
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
-    "PluginSharePrincipal": {
-      "properties": {
-        "name": {
-          "type": "string"
-        },
-        "principalId": {
-          "type": "string"
-        },
-        "principalType": {
-          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
-        }
-      },
-      "required": [
-        "name",
-        "principalId",
-        "principalType",
-        "role"
-      ],
-      "type": "object"
-    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
-    "PluginSharePrincipalType": {
-      "enum": [
-        "user",
-        "group",
-        "workspace"
-      ],
-      "type": "string"
-    },
    "PluginSource": {
      "oneOf": [
        {
@@ -457,24 +377,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
@@ -300,41 +300,8 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
-        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "sharePrincipals": {
-          "items": {
-            "$ref": "#/definitions/PluginSharePrincipal"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "shareUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
        }
      },
      "required": [
@@ -342,53 +309,6 @@
      ],
      "type": "object"
    },
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
-    "PluginSharePrincipal": {
-      "properties": {
-        "name": {
-          "type": "string"
-        },
-        "principalId": {
-          "type": "string"
-        },
-        "principalType": {
-          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
-        }
-      },
-      "required": [
-        "name",
-        "principalId",
-        "principalType",
-        "role"
-      ],
-      "type": "object"
-    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
-    "PluginSharePrincipalType": {
-      "enum": [
-        "user",
-        "group",
-        "workspace"
-      ],
-      "type": "string"
-    },
    "PluginSource": {
      "oneOf": [
        {
@@ -511,24 +431,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutParams.json
@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "remotePluginId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "remotePluginId"
-  ],
-  "title": "PluginShareCheckoutParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutResponse.json
@@ -1,45 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    }
-  },
-  "properties": {
-    "marketplaceName": {
-      "type": "string"
-    },
-    "marketplacePath": {
-      "$ref": "#/definitions/AbsolutePathBuf"
-    },
-    "pluginId": {
-      "type": "string"
-    },
-    "pluginName": {
-      "type": "string"
-    },
-    "pluginPath": {
-      "$ref": "#/definitions/AbsolutePathBuf"
-    },
-    "remotePluginId": {
-      "type": "string"
-    },
-    "remoteVersion": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "required": [
-    "marketplaceName",
-    "marketplacePath",
-    "pluginId",
-    "pluginName",
-    "pluginPath",
-    "remotePluginId"
-  ],
-  "title": "PluginShareCheckoutResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
@@ -181,41 +181,8 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
-        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "sharePrincipals": {
-          "items": {
-            "$ref": "#/definitions/PluginSharePrincipal"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "shareUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
        }
      },
      "required": [
@@ -223,14 +190,6 @@
      ],
      "type": "object"
    },
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginShareListItem": {
      "properties": {
        "localPluginPath": {
@@ -245,52 +204,17 @@
        },
        "plugin": {
          "$ref": "#/definitions/PluginSummary"
+        },
+        "shareUrl": {
+          "type": "string"
        }
      },
      "required": [
-        "plugin"
+        "plugin",
+        "shareUrl"
      ],
      "type": "object"
    },
-    "PluginSharePrincipal": {
-      "properties": {
-        "name": {
-          "type": "string"
-        },
-        "principalId": {
-          "type": "string"
-        },
-        "principalType": {
-          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
-        }
-      },
-      "required": [
-        "name",
-        "principalId",
-        "principalType",
-        "role"
-      ],
-      "type": "object"
-    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
-    "PluginSharePrincipalType": {
-      "enum": [
-        "user",
-        "group",
-        "workspace"
-      ],
-      "type": "string"
-    },
    "PluginSource": {
      "oneOf": [
        {
@@ -413,24 +337,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareSaveParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareSaveParams.json
@@ -28,24 +28,13 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
-    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
    }
  },
  "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsParams.json
@@ -16,37 +16,16 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
-    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
-    },
-    "PluginShareUpdateDiscoverability": {
-      "enum": [
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
    }
  },
  "properties": {
-    "discoverability": {
-      "$ref": "#/definitions/PluginShareUpdateDiscoverability"
-    },
    "remotePluginId": {
      "type": "string"
    },
@@ -58,7 +37,6 @@
    }
  },
  "required": [
-    "discoverability",
    "remotePluginId",
    "shareTargets"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsResponse.json
@@ -1,14 +1,6 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipal": {
      "properties": {
        "name": {
@@ -19,27 +11,15 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
        }
      },
      "required": [
        "name",
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipalType": {
      "enum": [
        "user",
@@ -50,9 +30,6 @@
    }
  },
  "properties": {
-    "discoverability": {
-      "$ref": "#/definitions/PluginShareDiscoverability"
-    },
    "principals": {
      "items": {
        "$ref": "#/definitions/PluginSharePrincipal"
@@ -61,7 +38,6 @@
    }
  },
  "required": [
-    "discoverability",
    "principals"
  ],
  "title": "PluginShareUpdateTargetsResponse",
--- a/codex-rs/app-server-protocol/schema/json/v2/RawResponseItemCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/RawResponseItemCompletedNotification.json
@@ -145,6 +145,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -730,22 +732,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
--- a/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
@@ -11,7 +11,7 @@
      "type": "string"
    }
  },
-  "description": "Current remote-control connection status and remote identity exposed to clients.",
+  "description": "Current remote-control connection status and environment id exposed to clients.",
  "properties": {
    "environmentId": {
      "type": [
@@ -19,19 +19,11 @@
        "null"
      ]
    },
-    "installationId": {
-      "type": "string"
-    },
-    "serverName": {
-      "type": "string"
-    },
    "status": {
      "$ref": "#/definitions/RemoteControlConnectionStatus"
    }
  },
  "required": [
-    "installationId",
-    "serverName",
    "status"
  ],
  "title": "RemoteControlStatusChangedNotification",
--- a/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
@@ -422,13 +422,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1459,17 +1452,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1490,17 +1472,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/SkillsListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/SkillsListParams.json
@@ -1,5 +1,25 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "SkillsListExtraRootsForCwd": {
+      "properties": {
+        "cwd": {
+          "type": "string"
+        },
+        "extraUserRoots": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "cwd",
+        "extraUserRoots"
+      ],
+      "type": "object"
+    }
+  },
  "properties": {
    "cwds": {
      "description": "When empty, defaults to the current session working directory.",
@@ -11,6 +31,17 @@
    "forceReload": {
      "description": "When true, bypass the skills cache and re-scan skills from disk.",
      "type": "boolean"
+    },
+    "perCwdExtraUserRoots": {
+      "default": null,
+      "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+      "items": {
+        "$ref": "#/definitions/SkillsListExtraRootsForCwd"
+      },
+      "type": [
+        "array",
+        "null"
+      ]
    }
  },
  "title": "SkillsListParams",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
@@ -1,6 +1,10 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
    "ApprovalsReviewer": {
      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
@@ -60,6 +64,65 @@
        }
      ]
    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxMode": {
      "enum": [
        "read-only",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -18,6 +18,14 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
+        },
+        "modifications": {
+          "default": [],
+          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+          "items": {
+            "$ref": "#/definitions/ActivePermissionProfileModification"
+          },
+          "type": "array"
        }
      },
      "required": [
@@ -25,6 +33,31 @@
      ],
      "type": "object"
    },
+    "ActivePermissionProfileModification": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootActivePermissionProfileModification",
+          "type": "object"
+        }
+      ]
+    },
    "AgentPath": {
      "type": "string"
    },
@@ -470,6 +503,202 @@
      ],
      "type": "string"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -527,13 +756,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -715,6 +937,135 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -2019,17 +2370,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -2050,17 +2390,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -2276,7 +2605,7 @@
          "$ref": "#/definitions/SandboxPolicy"
        }
      ],
-      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
    },
    "serviceTier": {
      "type": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
@@ -1,6 +1,10 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
    "ApprovalsReviewer": {
      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
@@ -204,6 +208,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -292,6 +298,65 @@
        }
      ]
    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
@@ -797,22 +862,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -18,6 +18,14 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
+        },
+        "modifications": {
+          "default": [],
+          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+          "items": {
+            "$ref": "#/definitions/ActivePermissionProfileModification"
+          },
+          "type": "array"
        }
      },
      "required": [
@@ -25,6 +33,31 @@
      ],
      "type": "object"
    },
+    "ActivePermissionProfileModification": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootActivePermissionProfileModification",
+          "type": "object"
+        }
+      ]
+    },
    "AgentPath": {
      "type": "string"
    },
@@ -470,6 +503,202 @@
      ],
      "type": "string"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -527,13 +756,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -715,6 +937,135 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -2019,17 +2370,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -2050,17 +2390,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -2276,7 +2605,7 @@
          "$ref": "#/definitions/SandboxPolicy"
        }
      ],
-      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
    },
    "serviceTier": {
      "type": [
--- a/Show More
+++ b/Show More