[exec-server] remove added HTTP upgrade tests

[exec-server] add HTTP-upgrade listen mode
[exec-server] preserve raw websocket listen mode
2026-06-04 04:12:03 +00:00 · 2026-05-11 15:31:01 -07:00 · 2026-05-11 22:11:36 +00:00 · 2026-05-11 22:08:49 +00:00 · 2026-05-11 22:07:02 +00:00 · 2026-05-11 21:33:10 +00:00
1296 changed files with 49267 additions and 111752 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -193,10 +193,5 @@ common --@v8//:v8_enable_sandbox=True
 common:v8-release-compat --@v8//:v8_enable_pointer_compression=False
 common:v8-release-compat --@v8//:v8_enable_sandbox=False

-# Match rusty_v8's upstream GN release contract for published artifacts: every
-# target object uses Chromium's custom libc++ headers and the archive folds in
-# the matching runtime objects.
-common:rusty-v8-upstream-libcxx --@v8//:v8_use_rusty_v8_custom_libcxx=True
-
 # Optional per-user local overrides.
 try-import %workspace%/user.bazelrc
--- a/.codex/skills/codex-issue-digest/SKILL.md
+++ b/.codex/skills/codex-issue-digest/SKILL.md
@@ -53,7 +53,7 @@ Use `--window "past week"` or `--window-hours 168` when the user asks for a non-
 ## Summary
 No major issues reported by users.

-Source: collector v5, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
+Source: collector v4, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
 Want details? I can expand this into the issue table.
 ```

@@ -65,7 +65,7 @@ Two issues are being surfaced by users:
 🔥🔥 Terminal launch hangs on startup [1](https://github.com/openai/codex/issues/123)
 🔥 Resume switches model providers unexpectedly [2](https://github.com/openai/codex/issues/456)

-Source: collector v5, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
+Source: collector v4, git `abc123def456`, window `2026-04-27T00:00:00Z` to `2026-04-28T00:00:00Z`.
 Want details? I can expand this into the issue table.
 ```
 5. In `## Details`, when details are requested, include a compact table only when useful:
@@ -76,7 +76,7 @@ Want details? I can expand this into the issue table.
   - A clear quiet/no-concern sentence when there is no meaningful signal.
 6. Use the JSON `attention_marker` exactly. It is empty for normal rows, `🔥` for elevated rows, and `🔥🔥` for very high-attention rows. The actual cutoffs are in `attention_thresholds`.
 7. Use inline numbered references where a row or bullet points to issues, for example `Compaction bugs [1](https://github.com/openai/codex/issues/123), [2](https://github.com/openai/codex/issues/456)`. Do not add a separate footnotes section.
-8. Label `interactions` as `Interactions`; it counts unique human GitHub users who created a new issue, added a new comment, or reacted during the requested window. Multiple posts/reactions from the same user on the same issue count once.
+8. Label `interactions` as `Interactions`; it counts posts/comments/reactions during the requested window, not unique people.
 9. Mention the collector `script_version`, repo checkout `git_head`, and time window in one compact source line. In default mode, put this before the details prompt so the final line still asks whether the user wants details. In details-upfront mode, it can be the footer.

 ## Reaction Handling
@@ -89,7 +89,7 @@ GitHub issue search is still seeded by issue `updated_at`, so a purely reaction-

 ## Attention Markers

-The collector scales attention markers by the requested time window. The baseline is 5 unique human users for `🔥` and 10 unique human users for `🔥🔥` over 24 hours; longer or shorter windows scale those cutoffs linearly and round up. For example, a one-week report uses 35 and 70 interactions. Unique human users are users who authored a new issue, authored a new comment, or reacted during the window, including upvotes. Multiple actions from the same user on the same issue count once. Bot posts and bot reactions are excluded. In prose, explain this as high user interaction rather than naming the emoji.
+The collector scales attention markers by the requested time window. The baseline is 5 human user interactions for `🔥` and 10 for `🔥🔥` over 24 hours; longer or shorter windows scale those cutoffs linearly and round up. For example, a one-week report uses 35 and 70 interactions. Human user interactions are human-authored new issue posts, human-authored new comments, and human reactions created during the window, including upvotes. Bot posts and bot reactions are excluded. In prose, explain this as high user interaction rather than naming the emoji.

 ## Freshness

--- a/.codex/skills/codex-issue-digest/scripts/collect_issue_digest.py
+++ b/.codex/skills/codex-issue-digest/scripts/collect_issue_digest.py
@@ -11,7 +11,7 @@ from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from urllib.parse import quote

-SCRIPT_VERSION = 5
+SCRIPT_VERSION = 4
 QUALIFYING_KIND_LABELS = ("bug", "enhancement")
 REACTION_KEYS = ("+1", "-1", "laugh", "hooray", "confused", "heart", "rocket", "eyes")
 BASE_ATTENTION_WINDOW_HOURS = 24.0
@@ -393,15 +393,9 @@ def is_bot_login(login):
    return bool(login) and login.lower().endswith("[bot]")


-def human_login_key(user_obj):
-    login = extract_login(user_obj)
-    if not login or is_bot_login(login):
-        return ""
-    return login.casefold()
-
-
 def is_human_user(user_obj):
-    return bool(human_login_key(user_obj))
+    login = extract_login(user_obj)
+    return bool(login) and not is_bot_login(login)


 def label_names(issue):
@@ -473,26 +467,22 @@ def reaction_summary(item):
 def reaction_event_summary(reactions, since, until):
    counts = {}
    total = 0
-    users = set()
    for reaction in reactions or []:
        if not isinstance(reaction, dict):
            continue
        if not is_in_window(str(reaction.get("created_at") or ""), since, until):
            continue
-        user_key = human_login_key(reaction.get("user"))
-        if not user_key:
+        if not is_human_user(reaction.get("user")):
            continue
        content = str(reaction.get("content") or "")
        if not content:
            continue
        counts[content] = counts.get(content, 0) + 1
        total += 1
-        users.add(user_key)
    return {
        "total": total,
        "counts": counts,
        "upvotes": counts.get("+1", 0),
-        "users": sorted(users, key=str.casefold),
    }


@@ -628,21 +618,13 @@ def summarize_issue(
    new_comment_reaction_total = sum(
        comment["reaction_total"] for comment in new_comments
    )
-    new_issue_user_key = human_login_key(issue.get("user")) if new_issue else ""
-    new_issue_user_interaction = bool(new_issue_user_key)
+    new_issue_user_interaction = new_issue and is_human_user(issue.get("user"))
    new_comment_user_interactions = sum(
        1 for comment in new_comments if comment["human_user_interaction"]
    )
-    interaction_user_keys = set(issue_reaction_events_summary["users"])
-    interaction_user_keys.update(comment_reaction_events_summary["users"])
-    if new_issue_user_key:
-        interaction_user_keys.add(new_issue_user_key)
-    interaction_user_keys.update(
-        comment["author"].casefold()
-        for comment in new_comments
-        if comment["human_user_interaction"]
+    user_interactions = (
+        int(new_issue_user_interaction) + new_comment_user_interactions + new_reactions
    )
-    user_interactions = len(interaction_user_keys)
    attention_level = attention_level_for(user_interactions, attention_thresholds)
    attention_marker = attention_marker_for(user_interactions, attention_thresholds)
    updated_without_visible_new_post = (
@@ -975,7 +957,6 @@ def collect_digest(args):
            "New issue comments are filtered by comment creation time within the window from the fetched comment set.",
            "Reaction events are counted by GitHub reaction created_at timestamps for hydrated issues and fetched comments.",
            "Current reaction totals are standing engagement signals; new_reactions and new_upvotes are windowed activity.",
-            "user_interactions counts unique human users per issue across new issues, new comments, and new reactions; repeated actions by the same user count once.",
            "The collector does not assign semantic clusters; use summary_inputs as model-ready evidence for report-time clustering.",
            "Pure reaction-only issues may be missed if GitHub issue search does not surface them via updated_at.",
            "Issues updated during the window without a new issue body or new comment are retained because label/status edits can still be useful owner signals.",
--- a/.codex/skills/codex-issue-digest/scripts/test_collect_issue_digest.py
+++ b/.codex/skills/codex-issue-digest/scripts/test_collect_issue_digest.py
@@ -494,70 +494,6 @@ def test_reactions_count_toward_attention_markers():
    assert summary["new_comments"][0]["new_upvotes"] == 0


-def test_user_interactions_are_deduped_by_human_login():
-    since = collect_issue_digest.parse_timestamp("2026-04-25T00:00:00Z", "--since")
-    until = collect_issue_digest.parse_timestamp("2026-04-26T00:00:00Z", "--until")
-
-    def comment(comment_id, login):
-        return {
-            "id": comment_id,
-            "created_at": f"2026-04-25T0{comment_id + 1}:00:00Z",
-            "updated_at": f"2026-04-25T0{comment_id + 1}:00:00Z",
-            "user": {"login": login},
-            "body": "same issue",
-        }
-
-    def reaction(content, login, created_at="2026-04-25T10:00:00Z"):
-        return {
-            "content": content,
-            "created_at": created_at,
-            "user": {"login": login},
-        }
-
-    issue = {
-        "number": 790,
-        "title": "Repeated pings should not boost attention",
-        "html_url": "https://github.com/openai/codex/issues/790",
-        "state": "open",
-        "created_at": "2026-04-25T01:00:00Z",
-        "updated_at": "2026-04-25T12:00:00Z",
-        "user": {"login": "Alice"},
-        "labels": [{"name": "bug"}, {"name": "tui"}],
-    }
-    comments = [comment(1, "alice"), comment(2, "ALICE"), comment(3, "bob")]
-    comments.append(comment(4, "github-actions[bot]"))
-    issue_reactions = [
-        reaction("+1", "alice"),
-        reaction("rocket", "Alice"),
-        reaction("+1", "bob"),
-        reaction("+1", "github-actions[bot]"),
-        reaction("+1", "carol", created_at="2026-04-24T23:00:00Z"),
-    ]
-    comment_reactions_by_id = {
-        1: [reaction("heart", "alice")],
-        2: [reaction("+1", "bob")],
-        3: [reaction("eyes", "carol")],
-    }
-
-    summary = collect_issue_digest.summarize_issue(
-        issue,
-        comments,
-        ["tui"],
-        since,
-        until,
-        body_chars=100,
-        comment_chars=100,
-        issue_reaction_events=issue_reactions,
-        comment_reactions_by_id=comment_reactions_by_id,
-    )
-
-    assert summary["activity"]["new_human_comments"] == 3
-    assert summary["new_reactions"] == 6
-    assert summary["user_interactions"] == 3
-    assert summary["attention"] is False
-    assert summary["attention_marker"] == ""
-
-
 def test_digest_rows_are_table_ready_with_concise_descriptions():
    rows = collect_issue_digest.digest_rows(
        [
--- a/.codex/skills/update-v8-version/SKILL.md
+++ b/.codex/skills/update-v8-version/SKILL.md
@@ -1,72 +0,0 @@
---
-name: update-v8-version
-description: Update Codex's pinned `v8` / `rusty_v8` versions, validate the release-candidate path, and investigate failed V8 canary or artifact builds. Use when asked to bump V8, update `rusty_v8` artifacts, prepare or validate a V8 release candidate, check `v8-canary`, or diagnose why a V8 version update no longer builds.
---
-
-# Update V8 Version
-
-## Core Workflow
-
-1. Read `third_party/v8/README.md` and follow its version-bump sequence. Treat
-   that document as the release-process source of truth.
-2. Inspect and update the concrete repo surfaces that carry the pin:
-   - `codex-rs/Cargo.toml`
-   - `codex-rs/Cargo.lock`
-   - `MODULE.bazel`
-   - `third_party/v8/BUILD.bazel`
-   - `third_party/v8/README.md`
-   - the matching `third_party/v8/rusty_v8_<version>.sha256` manifest when the
-     remaining prebuilt inputs change
-3. Keep the existing checksum helpers in the loop:
-
-   ```bash
-   python3 .github/scripts/rusty_v8_bazel.py update-module-bazel
-   python3 .github/scripts/rusty_v8_bazel.py check-module-bazel
-   python3 -m unittest discover -s .github/scripts -p test_rusty_v8_bazel.py
-   ```
-
-4. Validate the release-candidate path before broadening the work:
-   - Prefer checking the `v8-canary` CI result for the candidate branch or PR
-     when one exists, using GitHub check tooling or `gh` as appropriate.
-   - If CI is unavailable or the user asked for a local-only check, run the
-     closest local validation that is practical for the changed surface and say
-     explicitly that it is a local substitute, not the full hosted canary.
-5. If the canary path passes, stop there. Summarize the result and encourage the
-   user to commit the candidate changes or proceed with the release flow they
-   requested. Do not publish tags, releases, or pushes unless the user asked.
-
-## Failure Path
-
-Enter this path only when the canary or local build path fails.
-
-1. Capture the failing target, workflow job, and first actionable error.
-2. Compare the currently pinned version with the target version at the relevant
-   upstream tag or SHA. Inspect both:
-   - `denoland/rusty_v8`
-   - upstream V8 source at the target Bazel-pinned version
-3. Track build-relevant deltas rather than broad source churn:
-   - generated binding layout changes
-   - archive or asset naming changes
-   - GN/Bazel target changes
-   - custom libc++ / libc++abi / llvm-libc inputs
-   - sandbox or pointer-compression feature relationships
-   - patch hunks in `patches/` that no longer apply or no longer match upstream
-4. Trace each failing delta back into Codex's build graph:
-   - `MODULE.bazel`
-   - `third_party/v8/BUILD.bazel`
-   - `.github/scripts/rusty_v8_bazel.py`
-   - `.github/workflows/v8-canary.yml`
-   - `.github/workflows/rusty-v8-release.yml`
-5. Update only the pieces required to restore the target version's build and
-   artifact contract. Keep patch explanations and doc changes close to the
-   affected files.
-6. Re-run the focused validation. If it becomes green, return to the normal
-   workflow and stop with a concise summary plus the remaining release step.
-
-## Reporting
-
- Say whether validation came from hosted `v8-canary` or from a local
-  substitute.
- Distinguish "version bump complete" from "release published".
- When blocked, report the upstream delta that matters, the Codex file it hits,
-  and the next concrete fix to try.
--- a/.codex/skills/update-v8-version/agents/openai.yaml
+++ b/.codex/skills/update-v8-version/agents/openai.yaml
@@ -1,4 +0,0 @@
-interface:
-  display_name: "Update V8 Version"
-  short_description: "Guide V8 bumps and release validation"
-  default_prompt: "Use $update-v8-version to update Codex to a new v8 release and validate the release-candidate path."
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,6 +1,5 @@
 # Core crate ownership.
 /codex-rs/core/ @openai/codex-core-agent-team
-/codex-rs/ext/extension-api/ @openai/codex-core-agent-team

 # Keep ownership changes reviewed by the same team.
 /.github/CODEOWNERS @openai/codex-core-agent-team
--- a/.github/ISSUE_TEMPLATE/3-cli.yml
+++ b/.github/ISSUE_TEMPLATE/3-cli.yml
@@ -11,8 +11,6 @@ body:

        Make sure you are running the [latest](https://npmjs.com/package/@openai/codex) version of Codex CLI. The bug you are experiencing may already have been fixed.

-        If your version supports it, please run `codex doctor --json` and paste the output in the "Codex doctor report" field below. This helps us diagnose install, config, auth, terminal, MCP, network, and local state issues.
-
  - type: input
    id: version
    attributes:
@@ -45,16 +43,6 @@ body:
      description: |
        Also note any multiplexer in use (screen / tmux / zellij).
        E.g., VS Code, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
-  - type: textarea
-    id: doctor
-    attributes:
-      label: Codex doctor report
-      description: |
-        If available, run `codex doctor --json` and paste the full output here.
-
-        The report is designed to redact secrets, but please review it before submitting.
-        If your Codex version does not support `doctor`, write `not available`.
-      render: json
  - type: textarea
    id: actual
    attributes:
--- a/.github/actions/setup-rusty-v8-musl/action.yml
+++ b/.github/actions/setup-rusty-v8-musl/action.yml
@@ -31,14 +31,16 @@ runs:
        archive_path="${binding_dir}/librusty_v8_release_${TARGET}.a.gz"
        binding_path="${binding_dir}/src_binding_release_${TARGET}.rs"
        checksums_path="${binding_dir}/rusty_v8_release_${TARGET}.sha256"
+        checksums_source="${GITHUB_WORKSPACE}/third_party/v8/rusty_v8_${version//./_}.sha256"

        mkdir -p "${binding_dir}"
        curl -fsSL "${base_url}/librusty_v8_release_${TARGET}.a.gz" -o "${archive_path}"
        curl -fsSL "${base_url}/src_binding_release_${TARGET}.rs" -o "${binding_path}"
-        curl -fsSL "${base_url}/rusty_v8_release_${TARGET}.sha256" -o "${checksums_path}"
+        grep -E "  (librusty_v8_release_${TARGET}[.]a[.]gz|src_binding_release_${TARGET}[.]rs)$" \
+          "${checksums_source}" > "${checksums_path}"

        if [[ "$(wc -l < "${checksums_path}")" -ne 2 ]]; then
-          echo "Expected exactly two checksums for ${TARGET} in ${checksums_path}" >&2
+          echo "Expected exactly two checksums for ${TARGET} in ${checksums_source}" >&2
          exit 1
        fi

--- a/.github/scripts/rusty_v8_bazel.py
+++ b/.github/scripts/rusty_v8_bazel.py
@@ -5,18 +5,17 @@ from __future__ import annotations
 import argparse
 import gzip
 import hashlib
-import os
 import re
 import shutil
 import subprocess
 import sys
+import tempfile
 import tomllib
 from pathlib import Path

 from rusty_v8_module_bazel import (
    RustyV8ChecksumError,
    check_module_bazel,
-    rusty_v8_http_file_versions,
    update_module_bazel,
 )

@@ -24,16 +23,12 @@ from rusty_v8_module_bazel import (
 ROOT = Path(__file__).resolve().parents[2]
 MODULE_BAZEL = ROOT / "MODULE.bazel"
 RUSTY_V8_CHECKSUMS_DIR = ROOT / "third_party" / "v8"
-RELEASE_ARTIFACT_PROFILE = "release"
-SANDBOX_ARTIFACT_PROFILE = "ptrcomp_sandbox_release"
-ARTIFACT_BAZEL_CONFIGS = ["rusty-v8-upstream-libcxx"]
-
-
-def bazel_remote_args() -> list[str]:
-    buildbuddy_api_key = os.environ.get("BUILDBUDDY_API_KEY")
-    if not buildbuddy_api_key:
-        return []
-    return [f"--remote_header=x-buildbuddy-api-key={buildbuddy_api_key}"]
+MUSL_RUNTIME_ARCHIVE_LABELS = [
+    "@llvm//runtimes/libcxx:libcxx.static",
+    "@llvm//runtimes/libcxx:libcxxabi.static",
+]
+LLVM_AR_LABEL = "@llvm//tools:llvm-ar"
+LLVM_RANLIB_LABEL = "@llvm//tools:llvm-ranlib"


 def bazel_execroot() -> Path:
@@ -80,7 +75,6 @@ def bazel_output_files(
            compilation_mode,
            f"--platforms=@llvm//platforms:{platform}",
            *[f"--config={config}" for config in bazel_configs],
-            *bazel_remote_args(),
            "--output=files",
            expression,
        ],
@@ -97,10 +91,8 @@ def bazel_build(
    labels: list[str],
    compilation_mode: str = "fastbuild",
    bazel_configs: list[str] | None = None,
-    download_toplevel: bool = False,
 ) -> None:
    bazel_configs = bazel_configs or []
-    download_args = ["--remote_download_toplevel"] if download_toplevel else []
    subprocess.run(
        [
            "bazel",
@@ -109,8 +101,6 @@ def bazel_build(
            compilation_mode,
            f"--platforms=@llvm//platforms:{platform}",
            *[f"--config={config}" for config in bazel_configs],
-            *bazel_remote_args(),
-            *download_args,
            *labels,
        ],
        cwd=ROOT,
@@ -124,15 +114,11 @@ def ensure_bazel_output_files(
    compilation_mode: str = "fastbuild",
    bazel_configs: list[str] | None = None,
 ) -> list[Path]:
-    # Bazel output paths can be reused across config flips, so existence alone
-    # does not prove the files match the requested flags.
-    bazel_build(
-        platform,
-        labels,
-        compilation_mode,
-        bazel_configs,
-        download_toplevel=True,
-    )
+    outputs = bazel_output_files(platform, labels, compilation_mode, bazel_configs)
+    if all(path.exists() for path in outputs):
+        return outputs
+
+    bazel_build(platform, labels, compilation_mode, bazel_configs)
    outputs = bazel_output_files(platform, labels, compilation_mode, bazel_configs)
    missing = [str(path) for path in outputs if not path.exists()]
    if missing:
@@ -140,18 +126,9 @@ def ensure_bazel_output_files(
    return outputs


-def artifact_bazel_configs(bazel_configs: list[str] | None = None) -> list[str]:
-    configured = list(ARTIFACT_BAZEL_CONFIGS)
-    for config in bazel_configs or []:
-        if config not in configured:
-            configured.append(config)
-    return configured
-
-
-def release_pair_label(target: str, sandbox: bool = False) -> str:
+def release_pair_label(target: str) -> str:
    target_suffix = target.replace("-", "_")
-    pair_kind = "sandbox_release_pair" if sandbox else "release_pair"
-    return f"//third_party/v8:rusty_v8_{pair_kind}_{target_suffix}"
+    return f"//third_party/v8:rusty_v8_release_pair_{target_suffix}"


 def resolved_v8_crate_version() -> str:
@@ -192,16 +169,6 @@ def rusty_v8_checksum_manifest_path(version: str) -> Path:
 def command_version(version: str | None) -> str:
    if version is not None:
        return version
-
-    manifest_versions = rusty_v8_http_file_versions(MODULE_BAZEL.read_text())
-    if len(manifest_versions) == 1:
-        return manifest_versions[0]
-    if len(manifest_versions) > 1:
-        raise SystemExit(
-            "expected at most one rusty_v8 http_file version in MODULE.bazel, "
-            f"found: {manifest_versions}; pass --version explicitly"
-        )
-
    return resolved_v8_crate_version()


@@ -213,76 +180,66 @@ def command_manifest_path(manifest: Path | None, version: str) -> Path:
    return ROOT / manifest


-def staged_archive_name(target: str, source_path: Path, artifact_profile: str) -> str:
-    if target.endswith("-pc-windows-msvc"):
-        return f"rusty_v8_{artifact_profile}_{target}.lib.gz"
-    return f"librusty_v8_{artifact_profile}_{target}.a.gz"
+def staged_archive_name(target: str, source_path: Path) -> str:
+    if source_path.suffix == ".lib":
+        return f"rusty_v8_release_{target}.lib.gz"
+    return f"librusty_v8_release_{target}.a.gz"


-def staged_binding_name(target: str, artifact_profile: str) -> str:
-    return f"src_binding_{artifact_profile}_{target}.rs"
+def is_musl_archive_target(target: str, source_path: Path) -> bool:
+    return target.endswith("-unknown-linux-musl") and source_path.suffix == ".a"


-def staged_checksums_name(target: str, artifact_profile: str) -> str:
-    return f"rusty_v8_{artifact_profile}_{target}.sha256"
+def single_bazel_output_file(
+    platform: str,
+    label: str,
+    compilation_mode: str = "fastbuild",
+    bazel_configs: list[str] | None = None,
+) -> Path:
+    outputs = ensure_bazel_output_files(platform, [label], compilation_mode, bazel_configs)
+    if len(outputs) != 1:
+        raise SystemExit(f"expected exactly one output for {label}, found {outputs}")
+    return outputs[0]


-def stage_artifacts(
-    target: str,
+def merged_musl_archive(
+    platform: str,
    lib_path: Path,
-    binding_path: Path,
-    output_dir: Path,
-    sandbox: bool,
-) -> None:
-    missing_paths = [str(path) for path in [lib_path, binding_path] if not path.exists()]
-    if missing_paths:
-        raise SystemExit(f"missing release outputs for {target}: {missing_paths}")
+    compilation_mode: str = "fastbuild",
+    bazel_configs: list[str] | None = None,
+) -> Path:
+    llvm_ar = single_bazel_output_file(platform, LLVM_AR_LABEL, compilation_mode, bazel_configs)
+    llvm_ranlib = single_bazel_output_file(
+        platform,
+        LLVM_RANLIB_LABEL,
+        compilation_mode,
+        bazel_configs,
+    )
+    runtime_archives = [
+        single_bazel_output_file(platform, label, compilation_mode, bazel_configs)
+        for label in MUSL_RUNTIME_ARCHIVE_LABELS
+    ]

-    output_dir.mkdir(parents=True, exist_ok=True)
-    artifact_profile = SANDBOX_ARTIFACT_PROFILE if sandbox else RELEASE_ARTIFACT_PROFILE
-    staged_library = output_dir / staged_archive_name(target, lib_path, artifact_profile)
-    staged_binding = output_dir / staged_binding_name(target, artifact_profile)
-
-    with lib_path.open("rb") as src, staged_library.open("wb") as dst:
-        with gzip.GzipFile(
-            filename="",
-            mode="wb",
-            fileobj=dst,
-            compresslevel=6,
-            mtime=0,
-        ) as gz:
-            shutil.copyfileobj(src, gz)
-
-    shutil.copyfile(binding_path, staged_binding)
-
-    staged_checksums = output_dir / staged_checksums_name(target, artifact_profile)
-    with staged_checksums.open("w", encoding="utf-8") as checksums:
-        for path in [staged_library, staged_binding]:
-            digest = hashlib.sha256()
-            with path.open("rb") as artifact:
-                for chunk in iter(lambda: artifact.read(1024 * 1024), b""):
-                    digest.update(chunk)
-            checksums.write(f"{digest.hexdigest()}  {path.name}\n")
-
-    print(staged_library)
-    print(staged_binding)
-    print(staged_checksums)
-
-
-def upstream_release_pair_paths(source_root: Path, target: str) -> tuple[Path, Path]:
-    lib_name = "rusty_v8.lib" if target.endswith("-pc-windows-msvc") else "librusty_v8.a"
-    gn_out = source_root / "target" / target / "release" / "gn_out"
-    return gn_out / "obj" / lib_name, gn_out / "src_binding.rs"
-
-
-def stage_upstream_release_pair(
-    source_root: Path,
-    target: str,
-    output_dir: Path,
-    sandbox: bool = False,
-) -> None:
-    lib_path, binding_path = upstream_release_pair_paths(source_root, target)
-    stage_artifacts(target, lib_path, binding_path, output_dir, sandbox)
+    temp_dir = Path(tempfile.mkdtemp(prefix="rusty-v8-musl-stage-"))
+    merged_archive = temp_dir / lib_path.name
+    merge_commands = "\n".join(
+        [
+            f"create {merged_archive}",
+            f"addlib {lib_path}",
+            *[f"addlib {archive}" for archive in runtime_archives],
+            "save",
+            "end",
+        ]
+    )
+    subprocess.run(
+        [str(llvm_ar), "-M"],
+        cwd=ROOT,
+        check=True,
+        input=merge_commands,
+        text=True,
+    )
+    subprocess.run([str(llvm_ranlib), str(merged_archive)], cwd=ROOT, check=True)
+    return merged_archive


 def stage_release_pair(
@@ -291,12 +248,10 @@ def stage_release_pair(
    output_dir: Path,
    compilation_mode: str = "fastbuild",
    bazel_configs: list[str] | None = None,
-    sandbox: bool = False,
 ) -> None:
-    bazel_configs = artifact_bazel_configs(bazel_configs)
    outputs = ensure_bazel_output_files(
        platform,
-        [release_pair_label(target, sandbox)],
+        [release_pair_label(target)],
        compilation_mode,
        bazel_configs,
    )
@@ -311,7 +266,39 @@ def stage_release_pair(
    except StopIteration as exc:
        raise SystemExit(f"missing Rust binding output for {target}") from exc

-    stage_artifacts(target, lib_path, binding_path, output_dir, sandbox)
+    output_dir.mkdir(parents=True, exist_ok=True)
+    staged_library = output_dir / staged_archive_name(target, lib_path)
+    staged_binding = output_dir / f"src_binding_release_{target}.rs"
+    source_archive = (
+        merged_musl_archive(platform, lib_path, compilation_mode, bazel_configs)
+        if is_musl_archive_target(target, lib_path)
+        else lib_path
+    )
+
+    with source_archive.open("rb") as src, staged_library.open("wb") as dst:
+        with gzip.GzipFile(
+            filename="",
+            mode="wb",
+            fileobj=dst,
+            compresslevel=6,
+            mtime=0,
+        ) as gz:
+            shutil.copyfileobj(src, gz)
+
+    shutil.copyfile(binding_path, staged_binding)
+
+    staged_checksums = output_dir / f"rusty_v8_release_{target}.sha256"
+    with staged_checksums.open("w", encoding="utf-8") as checksums:
+        for path in [staged_library, staged_binding]:
+            digest = hashlib.sha256()
+            with path.open("rb") as artifact:
+                for chunk in iter(lambda: artifact.read(1024 * 1024), b""):
+                    digest.update(chunk)
+            checksums.write(f"{digest.hexdigest()}  {path.name}\n")
+
+    print(staged_library)
+    print(staged_binding)
+    print(staged_checksums)


 def parse_args() -> argparse.Namespace:
@@ -322,7 +309,6 @@ def parse_args() -> argparse.Namespace:
    stage_release_pair_parser.add_argument("--platform", required=True)
    stage_release_pair_parser.add_argument("--target", required=True)
    stage_release_pair_parser.add_argument("--output-dir", required=True)
-    stage_release_pair_parser.add_argument("--sandbox", action="store_true")
    stage_release_pair_parser.add_argument(
        "--bazel-config",
        action="append",
@@ -335,14 +321,6 @@ def parse_args() -> argparse.Namespace:
        choices=["fastbuild", "opt", "dbg"],
    )

-    stage_upstream_release_pair_parser = subparsers.add_parser(
-        "stage-upstream-release-pair"
-    )
-    stage_upstream_release_pair_parser.add_argument("--source-root", type=Path, required=True)
-    stage_upstream_release_pair_parser.add_argument("--target", required=True)
-    stage_upstream_release_pair_parser.add_argument("--output-dir", required=True)
-    stage_upstream_release_pair_parser.add_argument("--sandbox", action="store_true")
-
    subparsers.add_parser("resolved-v8-crate-version")

    check_module_bazel_parser = subparsers.add_parser("check-module-bazel")
@@ -375,15 +353,6 @@ def main() -> int:
            output_dir=Path(args.output_dir),
            compilation_mode=args.compilation_mode,
            bazel_configs=args.bazel_configs,
-            sandbox=args.sandbox,
-        )
-        return 0
-    if args.command == "stage-upstream-release-pair":
-        stage_upstream_release_pair(
-            source_root=args.source_root,
-            target=args.target,
-            output_dir=Path(args.output_dir),
-            sandbox=args.sandbox,
        )
        return 0
    if args.command == "resolved-v8-crate-version":
--- a/.github/scripts/rusty_v8_module_bazel.py
+++ b/.github/scripts/rusty_v8_module_bazel.py
@@ -9,7 +9,6 @@ from pathlib import Path

 SHA256_RE = re.compile(r"[0-9a-f]{64}")
 HTTP_FILE_BLOCK_RE = re.compile(r"(?ms)^http_file\(\n.*?^\)\n?")
-HTTP_FILE_VERSION_RE = re.compile(r"^rusty_v8_([0-9]+)_([0-9]+)_([0-9]+)_")


 class RustyV8ChecksumError(ValueError):
@@ -96,18 +95,6 @@ def rusty_v8_http_files(module_bazel: str, version: str) -> list[RustyV8HttpFile
    return entries


-def rusty_v8_http_file_versions(module_bazel: str) -> list[str]:
-    versions = set()
-    for match in HTTP_FILE_BLOCK_RE.finditer(module_bazel):
-        name = string_field(match.group(0), "name")
-        if not name:
-            continue
-        version_match = HTTP_FILE_VERSION_RE.match(name)
-        if version_match:
-            versions.add(".".join(version_match.groups()))
-    return sorted(versions)
-
-
 def module_entry_set_errors(
    entries: list[RustyV8HttpFile],
    checksums: dict[str, str],
--- a/.github/scripts/test_rusty_v8_bazel.py
+++ b/.github/scripts/test_rusty_v8_bazel.py
@@ -4,270 +4,11 @@ from __future__ import annotations

 import textwrap
 import unittest
-from os import environ
-from pathlib import Path
-from tempfile import TemporaryDirectory
-from unittest.mock import patch

-import rusty_v8_bazel
 import rusty_v8_module_bazel


 class RustyV8BazelTest(unittest.TestCase):
-    def test_consumer_selectors_track_resolved_crate_version(self) -> None:
-        build_bazel = (
-            rusty_v8_bazel.ROOT / "third_party" / "v8" / "BUILD.bazel"
-        ).read_text()
-        version_suffix = rusty_v8_bazel.resolved_v8_crate_version().replace(".", "_")
-
-        for selector in [
-            "aarch64_apple_darwin_bazel",
-            "aarch64_pc_windows_gnullvm",
-            "aarch64_pc_windows_msvc",
-            "aarch64_unknown_linux_gnu_bazel",
-            "aarch64_unknown_linux_musl_release_base",
-            "x86_64_apple_darwin_bazel",
-            "x86_64_pc_windows_gnullvm",
-            "x86_64_pc_windows_msvc",
-            "x86_64_unknown_linux_gnu_bazel",
-            "x86_64_unknown_linux_musl_release",
-        ]:
-            self.assertIn(
-                f":v8_{version_suffix}_{selector}",
-                build_bazel,
-            )
-
-        for selector in [
-            "aarch64_apple_darwin",
-            "aarch64_pc_windows_gnullvm",
-            "aarch64_pc_windows_msvc",
-            "aarch64_unknown_linux_gnu",
-            "aarch64_unknown_linux_musl",
-            "x86_64_apple_darwin",
-            "x86_64_pc_windows_gnullvm",
-            "x86_64_pc_windows_msvc",
-            "x86_64_unknown_linux_gnu",
-            "x86_64_unknown_linux_musl",
-        ]:
-            self.assertIn(
-                f":src_binding_release_{selector}_{version_suffix}_release",
-                build_bazel,
-            )
-
-    def test_command_version_tracks_remaining_http_file_assets(self) -> None:
-        with TemporaryDirectory() as temp_dir:
-            module_bazel = Path(temp_dir) / "MODULE.bazel"
-            module_bazel.write_text(
-                textwrap.dedent(
-                    """\
-                    http_file(
-                        name = "rusty_v8_146_4_0_x86_64_unknown_linux_gnu_archive",
-                        downloaded_file_path = "librusty_v8_release_x86_64-unknown-linux-gnu.a.gz",
-                        urls = ["https://example.test/archive.gz"],
-                    )
-                    """
-                )
-            )
-
-            with patch.object(rusty_v8_bazel, "MODULE_BAZEL", module_bazel):
-                self.assertEqual("146.4.0", rusty_v8_bazel.command_version(None))
-
-    def test_artifact_bazel_configs_always_enable_upstream_libcxx(self) -> None:
-        self.assertEqual(
-            ["rusty-v8-upstream-libcxx"],
-            rusty_v8_bazel.artifact_bazel_configs(),
-        )
-        self.assertEqual(
-            ["rusty-v8-upstream-libcxx", "v8-release-compat"],
-            rusty_v8_bazel.artifact_bazel_configs(["v8-release-compat"]),
-        )
-        self.assertEqual(
-            ["rusty-v8-upstream-libcxx", "v8-release-compat"],
-            rusty_v8_bazel.artifact_bazel_configs(
-                ["rusty-v8-upstream-libcxx", "v8-release-compat"]
-            ),
-        )
-
-    def test_bazel_remote_args_include_buildbuddy_header_when_present(self) -> None:
-        with patch.dict(environ, {"BUILDBUDDY_API_KEY": "token"}, clear=False):
-            self.assertEqual(
-                ["--remote_header=x-buildbuddy-api-key=token"],
-                rusty_v8_bazel.bazel_remote_args(),
-            )
-
-        with patch.dict(environ, {}, clear=True):
-            self.assertEqual([], rusty_v8_bazel.bazel_remote_args())
-
-    def test_release_pair_labels_and_staged_names_distinguish_sandbox_artifacts(self) -> None:
-        self.assertEqual(
-            "//third_party/v8:rusty_v8_release_pair_x86_64_unknown_linux_musl",
-            rusty_v8_bazel.release_pair_label("x86_64-unknown-linux-musl"),
-        )
-        self.assertEqual(
-            "//third_party/v8:rusty_v8_sandbox_release_pair_x86_64_unknown_linux_musl",
-            rusty_v8_bazel.release_pair_label("x86_64-unknown-linux-musl", sandbox=True),
-        )
-        self.assertEqual(
-            "//third_party/v8:rusty_v8_sandbox_release_pair_x86_64_apple_darwin",
-            rusty_v8_bazel.release_pair_label("x86_64-apple-darwin", sandbox=True),
-        )
-        self.assertEqual(
-            "librusty_v8_release_x86_64-unknown-linux-musl.a.gz",
-            rusty_v8_bazel.staged_archive_name(
-                "x86_64-unknown-linux-musl",
-                Path("libv8.a"),
-                rusty_v8_bazel.RELEASE_ARTIFACT_PROFILE,
-            ),
-        )
-        self.assertEqual(
-            "rusty_v8_ptrcomp_sandbox_release_x86_64-pc-windows-msvc.lib.gz",
-            rusty_v8_bazel.staged_archive_name(
-                "x86_64-pc-windows-msvc",
-                Path("v8.a"),
-                rusty_v8_bazel.SANDBOX_ARTIFACT_PROFILE,
-            ),
-        )
-        self.assertEqual(
-            "src_binding_ptrcomp_sandbox_release_x86_64-unknown-linux-musl.rs",
-            rusty_v8_bazel.staged_binding_name(
-                "x86_64-unknown-linux-musl",
-                rusty_v8_bazel.SANDBOX_ARTIFACT_PROFILE,
-            ),
-        )
-        self.assertEqual(
-            "rusty_v8_ptrcomp_sandbox_release_x86_64-unknown-linux-musl.sha256",
-            rusty_v8_bazel.staged_checksums_name(
-                "x86_64-unknown-linux-musl",
-                rusty_v8_bazel.SANDBOX_ARTIFACT_PROFILE,
-            ),
-        )
-
-    def test_stage_artifacts(self) -> None:
-        with TemporaryDirectory() as source_dir, TemporaryDirectory() as output_dir:
-            source_root = Path(source_dir)
-            archive = source_root / "librusty_v8.a"
-            binding = source_root / "src_binding.rs"
-            archive.write_bytes(b"archive")
-            binding.write_text("binding")
-
-            rusty_v8_bazel.stage_artifacts(
-                "aarch64-apple-darwin",
-                archive,
-                binding,
-                Path(output_dir),
-                sandbox=True,
-            )
-
-            self.assertEqual(
-                {
-                    "librusty_v8_ptrcomp_sandbox_release_aarch64-apple-darwin.a.gz",
-                    "src_binding_ptrcomp_sandbox_release_aarch64-apple-darwin.rs",
-                    "rusty_v8_ptrcomp_sandbox_release_aarch64-apple-darwin.sha256",
-                },
-                {path.name for path in Path(output_dir).iterdir()},
-            )
-
-    def test_upstream_release_pair_paths(self) -> None:
-        self.assertEqual(
-            (
-                Path(
-                    "/tmp/rusty_v8/target/x86_64-apple-darwin/release/gn_out/obj/"
-                    "librusty_v8.a"
-                ),
-                Path(
-                    "/tmp/rusty_v8/target/x86_64-apple-darwin/release/gn_out/"
-                    "src_binding.rs"
-                ),
-            ),
-            rusty_v8_bazel.upstream_release_pair_paths(
-                Path("/tmp/rusty_v8"),
-                "x86_64-apple-darwin",
-            ),
-        )
-        self.assertEqual(
-            (
-                Path(
-                    "/tmp/rusty_v8/target/x86_64-pc-windows-msvc/release/gn_out/"
-                    "obj/rusty_v8.lib"
-                ),
-                Path(
-                    "/tmp/rusty_v8/target/x86_64-pc-windows-msvc/release/gn_out/"
-                    "src_binding.rs"
-                ),
-            ),
-            rusty_v8_bazel.upstream_release_pair_paths(
-                Path("/tmp/rusty_v8"),
-                "x86_64-pc-windows-msvc",
-            ),
-        )
-
-    def test_stage_upstream_release_pair(self) -> None:
-        with TemporaryDirectory() as source_dir, TemporaryDirectory() as output_dir:
-            source_root = Path(source_dir)
-            gn_out = (
-                source_root
-                / "target"
-                / "x86_64-pc-windows-msvc"
-                / "release"
-                / "gn_out"
-            )
-            (gn_out / "obj").mkdir(parents=True)
-            (gn_out / "obj" / "rusty_v8.lib").write_bytes(b"archive")
-            (gn_out / "src_binding.rs").write_text("binding")
-
-            rusty_v8_bazel.stage_upstream_release_pair(
-                source_root,
-                "x86_64-pc-windows-msvc",
-                Path(output_dir),
-                sandbox=True,
-            )
-
-            self.assertEqual(
-                {
-                    "rusty_v8_ptrcomp_sandbox_release_x86_64-pc-windows-msvc.lib.gz",
-                    "src_binding_ptrcomp_sandbox_release_x86_64-pc-windows-msvc.rs",
-                    "rusty_v8_ptrcomp_sandbox_release_x86_64-pc-windows-msvc.sha256",
-                },
-                {path.name for path in Path(output_dir).iterdir()},
-            )
-
-    def test_ensure_bazel_output_files_rebuilds_existing_outputs(self) -> None:
-        with TemporaryDirectory() as output_dir:
-            output = Path(output_dir) / "libv8.a"
-            output.write_bytes(b"archive")
-
-            with (
-                patch.object(rusty_v8_bazel, "bazel_build") as bazel_build,
-                patch.object(
-                    rusty_v8_bazel,
-                    "bazel_output_files",
-                    return_value=[output],
-                ) as bazel_output_files,
-            ):
-                self.assertEqual(
-                    [output],
-                    rusty_v8_bazel.ensure_bazel_output_files(
-                        "macos_arm64",
-                        ["//third_party/v8:pair"],
-                        "opt",
-                        ["rusty-v8-upstream-libcxx"],
-                    ),
-                )
-
-            bazel_build.assert_called_once_with(
-                "macos_arm64",
-                ["//third_party/v8:pair"],
-                "opt",
-                ["rusty-v8-upstream-libcxx"],
-                download_toplevel=True,
-            )
-            bazel_output_files.assert_called_once_with(
-                "macos_arm64",
-                ["//third_party/v8:pair"],
-                "opt",
-                ["rusty-v8-upstream-libcxx"],
-            )
-
    def test_update_module_bazel_replaces_and_inserts_sha256(self) -> None:
        module_bazel = textwrap.dedent(
            """\
@@ -380,34 +121,6 @@ class RustyV8BazelTest(unittest.TestCase):
                "146.4.0",
            )

-    def test_rusty_v8_http_file_versions(self) -> None:
-        module_bazel = textwrap.dedent(
-            """\
-            http_file(
-                name = "rusty_v8_146_4_0_x86_64_unknown_linux_gnu_archive",
-                downloaded_file_path = "archive.gz",
-                urls = ["https://example.test/archive.gz"],
-            )
-
-            http_file(
-                name = "rusty_v8_147_4_0_x86_64_unknown_linux_gnu_archive",
-                downloaded_file_path = "new-archive.gz",
-                urls = ["https://example.test/new-archive.gz"],
-            )
-
-            http_file(
-                name = "unrelated_archive",
-                downloaded_file_path = "other.gz",
-                urls = ["https://example.test/other.gz"],
-            )
-            """
-        )
-
-        self.assertEqual(
-            ["146.4.0", "147.4.0"],
-            rusty_v8_module_bazel.rusty_v8_http_file_versions(module_bazel),
-        )
-

 if __name__ == "__main__":
    unittest.main()
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -17,10 +17,10 @@ concurrency:
  cancel-in-progress: ${{ github.ref_name != 'main' }}
 jobs:
  test:
-    # PRs use the sharded Windows cross-compiled test jobs below. Post-merge
-    # pushes to main also run the native Windows test job for broader Windows
-    # signal without putting PR latency back on the critical path. Cargo CI
-    # owns V8/code-mode test coverage for now.
+    # PRs use a fast Windows cross-compiled test leg for pre-merge signal.
+    # Post-merge pushes to main also run the native Windows test job below for
+    # broader Windows signal without putting PR latency back on the critical
+    # path. Cargo CI owns V8/code-mode test coverage for now.
    timeout-minutes: 30
    strategy:
      fail-fast: false
@@ -44,6 +44,12 @@ jobs:
          # - os: ubuntu-24.04-arm
          #   target: aarch64-unknown-linux-gnu

+          # Windows fast path: build the windows-gnullvm binaries with Linux
+          # RBE, then run the resulting Windows tests on the Windows runner.
+          # Cargo CI preserves V8/code-mode coverage while Bazel CI keeps broad
+          # non-code-mode signal.
+          - os: windows-latest
+            target: x86_64-pc-windows-gnullvm
    runs-on: ${{ matrix.os }}

    # Configure a human readable name for each job
@@ -102,6 +108,13 @@ jobs:
            --test_verbose_timeout_warnings
            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
          )
+          if [[ "${RUNNER_OS}" == "Windows" ]]; then
+            bazel_wrapper_args+=(
+              --windows-cross-compile
+              --remote-download-toplevel
+            )
+          fi
+
          ./.github/scripts/run-bazel-ci.sh \
            "${bazel_wrapper_args[@]}" \
            -- \
@@ -128,118 +141,6 @@ jobs:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}

-  test-windows-shard:
-    # Split the Windows Bazel test leg across separate Windows
-    # hosts. Each shard still uses Linux RBE for build actions, but the test
-    # execution itself happens on its own Windows runner.
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        shard:
-          - 1
-          - 2
-          - 3
-          - 4
-    runs-on: windows-latest
-    name: Bazel test on windows-latest for x86_64-pc-windows-gnullvm shard ${{ matrix.shard }}/4
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
-
-      - name: Prepare Bazel CI
-        id: prepare_bazel
-        uses: ./.github/actions/prepare-bazel-ci
-        with:
-          target: x86_64-pc-windows-gnullvm
-          # Reuse the former monolithic Windows test cache for restores. Do
-          # not save it from every shard below; duplicate uploads would sit on
-          # the PR-blocking critical path after the useful test work is done.
-          cache-scope: bazel-test
-          install-test-prereqs: "true"
-
-      - name: bazel test shard
-        env:
-          BAZEL_TEST_SHARD: ${{ matrix.shard }}
-          BAZEL_TEST_SHARD_COUNT: 4
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          bazel_test_query='tests(//...) except tests(//third_party/v8:all) except //codex-rs/code-mode:code-mode-unit-tests except //codex-rs/v8-poc:v8-poc-unit-tests except attr(tags, "manual", tests(//...))'
-          mapfile -t bazel_targets < <(
-            MSYS2_ARG_CONV_EXCL='*' bazel query --output=label "${bazel_test_query}" \
-              | LC_ALL=C sort
-          )
-
-          selected_targets=()
-          for bazel_target in "${bazel_targets[@]}"; do
-            target_bucket="$(
-              printf '%s\n' "${bazel_target}" \
-                | cksum \
-                | awk -v shard_count="${BAZEL_TEST_SHARD_COUNT}" '{ print ($1 % shard_count) + 1 }'
-            )"
-            if [[ "${target_bucket}" == "${BAZEL_TEST_SHARD}" ]]; then
-              selected_targets+=("${bazel_target}")
-            fi
-          done
-
-          if [[ ${#selected_targets[@]} -eq 0 ]]; then
-            echo "No Bazel test targets selected for Windows shard ${BAZEL_TEST_SHARD}/${BAZEL_TEST_SHARD_COUNT}." >&2
-            exit 1
-          fi
-
-          echo "Selected ${#selected_targets[@]} of ${#bazel_targets[@]} Bazel test targets for Windows shard ${BAZEL_TEST_SHARD}/${BAZEL_TEST_SHARD_COUNT}."
-
-          bazel_test_args=(
-            test
-            --skip_incompatible_explicit_targets
-            --test_tag_filters=-argument-comment-lint
-            --test_verbose_timeout_warnings
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
-            --build_metadata=TAG_windows_test_shard=${BAZEL_TEST_SHARD}
-          )
-
-          ./.github/scripts/run-bazel-ci.sh \
-            --print-failed-action-summary \
-            --print-failed-test-logs \
-            --windows-cross-compile \
-            --remote-download-toplevel \
-            -- \
-            "${bazel_test_args[@]}" \
-            -- \
-            "${selected_targets[@]}"
-
-      - name: Upload Bazel execution logs
-        if: always() && !cancelled()
-        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: bazel-execution-logs-test-x86_64-pc-windows-gnullvm-shard-${{ matrix.shard }}
-          path: ${{ runner.temp }}/bazel-execution-logs
-          if-no-files-found: ignore
-
-  test-windows:
-    # Preserve the existing required-check surface while the real work happens
-    # in the sharded Windows jobs above.
-    if: always()
-    needs: test-windows-shard
-    runs-on: ubuntu-24.04
-    name: Bazel test on windows-latest for x86_64-pc-windows-gnullvm
-
-    steps:
-      - name: Confirm Windows Bazel test shards passed
-        shell: bash
-        run: |
-          if [[ "${{ needs.test-windows-shard.result }}" != "success" ]]; then
-            echo "Windows Bazel test shards finished with result: ${{ needs.test-windows-shard.result }}" >&2
-            exit 1
-          fi
-
  test-windows-native-main:
    # Native Windows Bazel tests are slower and frequently approach the
    # 30-minute PR budget. Run this only for post-merge commits to main and give
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -15,8 +15,14 @@ jobs:
    permissions:
      contents: read
    outputs:
-      codex_output: ${{ steps.codex-all.outputs.final-message }}
+      issues_json: ${{ steps.normalize-all.outputs.issues_json }}
+      reason: ${{ steps.normalize-all.outputs.reason }}
+      has_matches: ${{ steps.normalize-all.outputs.has_matches }}
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
      - name: Prepare Codex inputs
        env:
          GH_TOKEN: ${{ github.token }}
@@ -61,8 +67,6 @@ jobs:
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
-          safety-strategy: drop-sudo
-          sandbox: read-only
          prompt: |
            You are an assistant that triages new GitHub issues by identifying potential duplicates.

@@ -96,21 +100,10 @@ jobs:
              "additionalProperties": false
            }

-  normalize-duplicates-all:
-    name: Normalize pass 1 output
-    needs: gather-duplicates-all
-    if: ${{ needs.gather-duplicates-all.result == 'success' }}
-    runs-on: ubuntu-latest
-    permissions: {}
-    outputs:
-      issues_json: ${{ steps.normalize-all.outputs.issues_json }}
-      reason: ${{ steps.normalize-all.outputs.reason }}
-      has_matches: ${{ steps.normalize-all.outputs.has_matches }}
-    steps:
      - id: normalize-all
        name: Normalize pass 1 output
        env:
-          CODEX_OUTPUT: ${{ needs.gather-duplicates-all.outputs.codex_output }}
+          CODEX_OUTPUT: ${{ steps.codex-all.outputs.final-message }}
          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail
@@ -153,15 +146,21 @@ jobs:

  gather-duplicates-open:
    name: Identify potential duplicates (open issues fallback)
-    # Pass 1 Codex execution drops sudo on its runner, so run the fallback in a fresh job.
-    needs: normalize-duplicates-all
-    if: ${{ needs.normalize-duplicates-all.result == 'success' && needs.normalize-duplicates-all.outputs.has_matches != 'true' }}
+    # Pass 1 may drop sudo on the runner, so run the fallback in a fresh job.
+    needs: gather-duplicates-all
+    if: ${{ needs.gather-duplicates-all.result == 'success' && needs.gather-duplicates-all.outputs.has_matches != 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
-      codex_output: ${{ steps.codex-open.outputs.final-message }}
+      issues_json: ${{ steps.normalize-open.outputs.issues_json }}
+      reason: ${{ steps.normalize-open.outputs.reason }}
+      has_matches: ${{ steps.normalize-open.outputs.has_matches }}
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
      - name: Prepare Codex inputs
        env:
          GH_TOKEN: ${{ github.token }}
@@ -204,8 +203,6 @@ jobs:
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
-          safety-strategy: drop-sudo
-          sandbox: read-only
          prompt: |
            You are an assistant that triages new GitHub issues by identifying potential duplicates.

@@ -239,21 +236,10 @@ jobs:
              "additionalProperties": false
            }

-  normalize-duplicates-open:
-    name: Normalize pass 2 output
-    needs: gather-duplicates-open
-    if: ${{ needs.gather-duplicates-open.result == 'success' }}
-    runs-on: ubuntu-latest
-    permissions: {}
-    outputs:
-      issues_json: ${{ steps.normalize-open.outputs.issues_json }}
-      reason: ${{ steps.normalize-open.outputs.reason }}
-      has_matches: ${{ steps.normalize-open.outputs.has_matches }}
-    steps:
      - id: normalize-open
        name: Normalize pass 2 output
        env:
-          CODEX_OUTPUT: ${{ needs.gather-duplicates-open.outputs.codex_output }}
+          CODEX_OUTPUT: ${{ steps.codex-open.outputs.final-message }}
          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail
@@ -297,9 +283,9 @@ jobs:
  select-final:
    name: Select final duplicate set
    needs:
-      - normalize-duplicates-all
-      - normalize-duplicates-open
-    if: ${{ always() && needs.normalize-duplicates-all.result == 'success' && (needs.normalize-duplicates-open.result == 'success' || needs.normalize-duplicates-open.result == 'skipped') }}
+      - gather-duplicates-all
+      - gather-duplicates-open
+    if: ${{ always() && needs.gather-duplicates-all.result == 'success' && (needs.gather-duplicates-open.result == 'success' || needs.gather-duplicates-open.result == 'skipped') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -309,12 +295,12 @@ jobs:
      - id: select-final
        name: Select final duplicate set
        env:
-          PASS1_ISSUES: ${{ needs.normalize-duplicates-all.outputs.issues_json }}
-          PASS1_REASON: ${{ needs.normalize-duplicates-all.outputs.reason }}
-          PASS2_ISSUES: ${{ needs.normalize-duplicates-open.outputs.issues_json }}
-          PASS2_REASON: ${{ needs.normalize-duplicates-open.outputs.reason }}
-          PASS1_HAS_MATCHES: ${{ needs.normalize-duplicates-all.outputs.has_matches }}
-          PASS2_HAS_MATCHES: ${{ needs.normalize-duplicates-open.outputs.has_matches }}
+          PASS1_ISSUES: ${{ needs.gather-duplicates-all.outputs.issues_json }}
+          PASS1_REASON: ${{ needs.gather-duplicates-all.outputs.reason }}
+          PASS2_ISSUES: ${{ needs.gather-duplicates-open.outputs.issues_json }}
+          PASS2_REASON: ${{ needs.gather-duplicates-open.outputs.reason }}
+          PASS1_HAS_MATCHES: ${{ needs.gather-duplicates-all.outputs.has_matches }}
+          PASS2_HAS_MATCHES: ${{ needs.gather-duplicates-open.outputs.has_matches }}
        run: |
          set -eo pipefail

--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -17,13 +17,15 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
      - id: codex
        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
-          safety-strategy: drop-sudo
-          sandbox: read-only
          prompt: |
            You are an assistant that reviews GitHub issues for the repository.

--- a/.github/workflows/rust-ci-full.yml
+++ b/.github/workflows/rust-ci-full.yml
@@ -524,9 +524,10 @@ jobs:
  tests:
    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.remote_env == 'true' && ' (remote)' || '' }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    # Windows ARM64 is the long pole here, and nextest retries plus targeted
-    # Windows timeout headroom need more than 45m to finish reliably.
-    timeout-minutes: 60
+    # Perhaps we can bring this back down to 30m once we finish the cutover
+    # from tui_app_server/ to tui/. Incidentally, windows-arm64 was the main
+    # offender for exceeding the timeout.
+    timeout-minutes: 45
    defaults:
      run:
        working-directory: codex-rs
@@ -687,14 +688,6 @@ jobs:
          RUST_MIN_STACK: "8388608" # 8 MiB
          NEXTEST_STATUS_LEVEL: leak

-      - name: Upload nextest JUnit report
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: nextest-junit-rust-ci-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}
-          path: codex-rs/target/nextest/default/junit.xml
-          if-no-files-found: warn
-
      - name: Upload Cargo timings (nextest)
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
--- a/.github/workflows/rust-release-prepare.yml
+++ b/.github/workflows/rust-release-prepare.yml
@@ -16,9 +16,6 @@ jobs:
  prepare:
    # Prevent scheduled runs on forks (no secrets, wastes Actions minutes)
    if: github.repository == 'openai/codex'
-    environment:
-      name: rust-release-prepare
-      deployment: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -220,48 +220,6 @@ jobs:
              "$dest/${binary}-${{ matrix.target }}.exe"
          done

-      - name: Build Python runtime wheel
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          case "${{ matrix.target }}" in
-            aarch64-pc-windows-msvc)
-              platform_tag="win_arm64"
-              ;;
-            x86_64-pc-windows-msvc)
-              platform_tag="win_amd64"
-              ;;
-            *)
-              echo "No Python runtime wheel platform tag for ${{ matrix.target }}"
-              exit 1
-              ;;
-          esac
-
-          python -m venv "${RUNNER_TEMP}/python-runtime-build-venv"
-          "${RUNNER_TEMP}/python-runtime-build-venv/Scripts/python.exe" -m pip install build
-
-          stage_dir="${RUNNER_TEMP}/openai-codex-cli-bin-${{ matrix.target }}"
-          wheel_dir="${GITHUB_WORKSPACE}/python-runtime-dist/${{ matrix.target }}"
-          # Keep the helpers next to codex.exe in the runtime wheel so Windows
-          # sandbox/elevation lookup matches the standalone release zip.
-          python "${GITHUB_WORKSPACE}/sdk/python/scripts/update_sdk_artifacts.py" \
-            stage-runtime \
-            "$stage_dir" \
-            "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex.exe" \
-            --codex-version "${GITHUB_REF_NAME}" \
-            --platform-tag "$platform_tag" \
-            --resource-binary "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex-command-runner.exe" \
-            --resource-binary "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe"
-          "${RUNNER_TEMP}/python-runtime-build-venv/Scripts/python.exe" -m build --wheel --outdir "$wheel_dir" "$stage_dir"
-
-      - name: Upload Python runtime wheel
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: python-runtime-wheel-${{ matrix.target }}
-          path: python-runtime-dist/${{ matrix.target }}/*.whl
-          if-no-files-found: error
-
      - name: Install DotSlash
        uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2

--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -4,46 +4,12 @@
 # git tag -a rust-v0.1.0 -m "Release 0.1.0"
 # git push origin rust-v0.1.0
 # ```
-#
-# To use external macOS signing, manually dispatch `release_mode=build_unsigned`,
-# sign the unsigned macOS artifacts in a secure enclave, upload the signed handoff
-# archive as a GitHub Release asset, then manually dispatch
-# `release_mode=promote_signed` with `unsigned_run_id` and `signed_macos_asset`.
-# The signed handoff archive should contain target or artifact directories such
-# as `aarch64-apple-darwin/` with signed binaries.

 name: rust-release
 on:
  push:
    tags:
      - "rust-v*.*.*"
-  workflow_dispatch:
-    inputs:
-      release_mode:
-        description: "build_unsigned creates unsigned macOS handoff artifacts; promote_signed finishes a release from signed macOS handoff artifacts."
-        required: false
-        type: choice
-        default: build_unsigned
-        options:
-          - build_unsigned
-          - promote_signed
-      sign_macos:
-        description: "Deprecated compatibility input; use release_mode instead."
-        required: false
-        type: boolean
-        default: false
-      unsigned_run_id:
-        description: "For promote_signed: workflow run id from the build_unsigned run."
-        required: false
-        type: string
-      signed_macos_asset:
-        description: "For promote_signed: exact GitHub Release asset name containing signed macOS handoff artifacts."
-        required: false
-        type: string
-      signed_macos_sha256:
-        description: "For promote_signed: optional SHA-256 of signed_macos_asset."
-        required: false
-        type: string

 concurrency:
  group: ${{ github.workflow }}
@@ -59,60 +25,10 @@ jobs:
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - name: Validate tag matches Cargo.toml version
        shell: bash
-        env:
-          RELEASE_MODE: ${{ github.event_name == 'workflow_dispatch' && inputs.release_mode || 'signed' }}
-          REQUESTED_SIGN_MACOS: ${{ inputs.sign_macos }}
-          SIGNED_MACOS_ASSET: ${{ inputs.signed_macos_asset }}
-          UNSIGNED_RUN_ID: ${{ inputs.unsigned_run_id }}
        run: |
          set -euo pipefail
          echo "::group::Tag validation"

-          case "${RELEASE_MODE}" in
-            signed)
-              if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
-                echo "❌  Manual rust-release runs must use release_mode=build_unsigned or release_mode=promote_signed"
-                exit 1
-              fi
-              ;;
-            build_unsigned)
-              if [[ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then
-                echo "❌  release_mode=build_unsigned is only valid for manual runs"
-                exit 1
-              fi
-              ;;
-            promote_signed)
-              if [[ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then
-                echo "❌  release_mode=promote_signed is only valid for manual runs"
-                exit 1
-              fi
-              if [[ ! "${UNSIGNED_RUN_ID}" =~ ^[0-9]+$ ]]; then
-                echo "❌  release_mode=promote_signed requires unsigned_run_id to be a workflow run id"
-                exit 1
-              fi
-              if [[ -z "${SIGNED_MACOS_ASSET}" ]]; then
-                echo "❌  release_mode=promote_signed requires signed_macos_asset"
-                exit 1
-              fi
-              if [[ "${SIGNED_MACOS_ASSET}" == */* || "${SIGNED_MACOS_ASSET}" == *"*"* || "${SIGNED_MACOS_ASSET}" == *"?"* || "${SIGNED_MACOS_ASSET}" == *"["* ]]; then
-                echo "❌  signed_macos_asset must be an exact release asset name, not a path or glob"
-                exit 1
-              fi
-              if [[ "${UNSIGNED_RUN_ID}" == "${GITHUB_RUN_ID}" ]]; then
-                echo "❌  unsigned_run_id must refer to the earlier build_unsigned run, not this run"
-                exit 1
-              fi
-              ;;
-            *)
-              echo "❌  Unknown release_mode '${RELEASE_MODE}'"
-              exit 1
-              ;;
-          esac
-
-          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && "${REQUESTED_SIGN_MACOS}" == "true" ]]; then
-            echo "::warning title=Deprecated sign_macos input ignored::Use release_mode=build_unsigned or release_mode=promote_signed instead."
-          fi
-
          # 1. Must be a tag and match the regex
          [[ "${GITHUB_REF_TYPE}" == "tag" ]] \
            || { echo "❌  Not a tag push"; exit 1; }
@@ -132,7 +48,6 @@ jobs:
          echo "::endgroup::"

  build:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    needs: tag-check
    name: Build - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
@@ -149,7 +64,6 @@ jobs:
      # 2026-03-04: temporarily change releases to use thin LTO because
      # Ubuntu ARM is timing out at 60 minutes.
      CARGO_PROFILE_RELEASE_LTO: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'thin' }}
-      SIGN_MACOS: ${{ github.event_name != 'workflow_dispatch' }}

    strategy:
      fail-fast: false
@@ -381,39 +295,6 @@ jobs:
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
          if-no-files-found: warn

-      - if: ${{ runner.os == 'macOS' && env.SIGN_MACOS != 'true' }}
-        name: Stage unsigned macOS artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          target="${{ matrix.target }}"
-          release_dir="target/${target}/release"
-          dest="unsigned-dist/${target}"
-          mkdir -p "$dest"
-
-          for binary in ${{ matrix.binaries }}; do
-            binary_path="${release_dir}/${binary}"
-            unsigned_name="${binary}-${target}-unsigned"
-            unsigned_path="${dest}/${unsigned_name}"
-            if [[ ! -f "${binary_path}" ]]; then
-              echo "Binary ${binary_path} not found"
-              exit 1
-            fi
-
-            cp "${binary_path}" "${unsigned_path}"
-            tar -C "$dest" -czf "${unsigned_path}.tar.gz" "${unsigned_name}"
-            zstd -T0 -19 --rm "${unsigned_path}"
-          done
-
-      - if: ${{ runner.os == 'macOS' && env.SIGN_MACOS != 'true' }}
-        name: Upload unsigned macOS artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: ${{ matrix.artifact_name }}-unsigned
-          path: codex-rs/unsigned-dist/${{ matrix.target }}/*
-          if-no-files-found: error
-
      - if: ${{ contains(matrix.target, 'linux') }}
        name: Cosign Linux artifacts
        uses: ./.github/actions/linux-code-sign
@@ -422,7 +303,7 @@ jobs:
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
          binaries: ${{ matrix.binaries }}

-      - if: ${{ runner.os == 'macOS' && env.SIGN_MACOS == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
        uses: ./.github/actions/macos-code-sign
        with:
@@ -436,7 +317,7 @@ jobs:
          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' && env.SIGN_MACOS == 'true' }}
+      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
        name: Build macOS dmg
        shell: bash
        run: |
@@ -476,7 +357,7 @@ jobs:
            exit 1
          fi

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' && env.SIGN_MACOS == 'true' }}
+      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
        name: MacOS code signing (dmg)
        uses: ./.github/actions/macos-code-sign
        with:
@@ -490,7 +371,6 @@ jobs:
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

      - name: Stage artifacts
-        if: ${{ runner.os != 'macOS' || env.SIGN_MACOS == 'true' }}
        shell: bash
        run: |
          dest="dist/${{ matrix.target }}"
@@ -519,67 +399,7 @@ jobs:
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi

-      - name: Build Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' && (runner.os != 'macOS' || env.SIGN_MACOS == 'true') }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          case "${{ matrix.target }}" in
-            aarch64-apple-darwin)
-              platform_tag="macosx_11_0_arm64"
-              ;;
-            x86_64-apple-darwin)
-              platform_tag="macosx_10_9_x86_64"
-              ;;
-            aarch64-unknown-linux-musl)
-              platform_tag="manylinux_2_17_aarch64"
-              ;;
-            x86_64-unknown-linux-musl)
-              platform_tag="manylinux_2_17_x86_64"
-              ;;
-            *)
-              echo "No Python runtime wheel platform tag for ${{ matrix.target }}"
-              exit 1
-              ;;
-          esac
-
-          python3 -m venv "${RUNNER_TEMP}/python-runtime-build-venv"
-          # Do not install into the runner's system Python; macOS runners mark
-          # the Homebrew Python as externally managed under PEP 668.
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m pip install build
-
-          stage_dir="${RUNNER_TEMP}/openai-codex-cli-bin-${{ matrix.target }}"
-          wheel_dir="${GITHUB_WORKSPACE}/python-runtime-dist/${{ matrix.target }}"
-          stage_runtime_args=(
-            "${GITHUB_WORKSPACE}/sdk/python/scripts/update_sdk_artifacts.py"
-            stage-runtime
-            "$stage_dir"
-            "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/codex"
-            --codex-version "${GITHUB_REF_NAME}"
-            --platform-tag "$platform_tag"
-          )
-          if [[ "${{ matrix.target }}" == *linux* ]]; then
-            # Keep bwrap in the runtime wheel so Linux sandbox fallback behavior
-            # matches the standalone release bundle on hosts without system bwrap.
-            stage_runtime_args+=(
-              --resource-binary
-              "${GITHUB_WORKSPACE}/codex-rs/target/${{ matrix.target }}/release/bwrap"
-            )
-          fi
-          python3 "${stage_runtime_args[@]}"
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m build --wheel --outdir "$wheel_dir" "$stage_dir"
-
-      - name: Upload Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' && (runner.os != 'macOS' || env.SIGN_MACOS == 'true') }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: python-runtime-wheel-${{ matrix.target }}
-          path: python-runtime-dist/${{ matrix.target }}/*.whl
-          if-no-files-found: error
-
      - name: Compress artifacts
-        if: ${{ runner.os != 'macOS' || env.SIGN_MACOS == 'true' }}
        shell: bash
        run: |
          # Path that contains the uncompressed binaries for the current
@@ -616,7 +436,6 @@ jobs:
          done

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        if: ${{ runner.os != 'macOS' || env.SIGN_MACOS == 'true' }}
        with:
          name: ${{ matrix.artifact_name }}
          # Upload the per-binary .zst files, .tar.gz equivalents, and any
@@ -624,233 +443,7 @@ jobs:
          path: |
            codex-rs/dist/${{ matrix.target }}/*

-  stage-signed-macos:
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.release_mode == 'promote_signed' }}
-    needs: tag-check
-    name: Stage signed macOS handoff - ${{ matrix.target }} - ${{ matrix.bundle }}
-    runs-on: macos-15-xlarge
-    timeout-minutes: 30
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: codex-rs
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - target: aarch64-apple-darwin
-            bundle: primary
-            artifact_name: aarch64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
-          - target: aarch64-apple-darwin
-            bundle: app-server
-            artifact_name: aarch64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
-          - target: x86_64-apple-darwin
-            bundle: primary
-            artifact_name: x86_64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
-          - target: x86_64-apple-darwin
-            bundle: app-server
-            artifact_name: x86_64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Download signed macOS handoff
-        shell: bash
-        env:
-          GH_TOKEN: ${{ github.token }}
-          SIGNED_MACOS_ASSET: ${{ inputs.signed_macos_asset }}
-          SIGNED_MACOS_SHA256: ${{ inputs.signed_macos_sha256 }}
-        run: |
-          set -euo pipefail
-
-          download_dir="${RUNNER_TEMP}/signed-macos-download"
-          handoff_dir="${RUNNER_TEMP}/signed-macos-handoff"
-          rm -rf "$download_dir" "$handoff_dir"
-          mkdir -p "$download_dir" "$handoff_dir"
-
-          gh release download "$GITHUB_REF_NAME" \
-            --repo "$GITHUB_REPOSITORY" \
-            --pattern "$SIGNED_MACOS_ASSET" \
-            --dir "$download_dir"
-
-          asset_count="$(find "$download_dir" -maxdepth 1 -type f | wc -l | tr -d '[:space:]')"
-          if [[ "$asset_count" != "1" ]]; then
-            echo "Expected exactly one signed macOS handoff asset named ${SIGNED_MACOS_ASSET}; found ${asset_count}"
-            find "$download_dir" -maxdepth 1 -type f -print
-            exit 1
-          fi
-
-          asset_path="$(find "$download_dir" -maxdepth 1 -type f -print -quit)"
-          if [[ -n "${SIGNED_MACOS_SHA256}" ]]; then
-            expected_sha="$(printf '%s' "$SIGNED_MACOS_SHA256" | tr '[:upper:]' '[:lower:]')"
-            actual_sha="$(shasum -a 256 "$asset_path" | awk '{print $1}')"
-            if [[ "$actual_sha" != "$expected_sha" ]]; then
-              echo "signed_macos_sha256 mismatch for ${SIGNED_MACOS_ASSET}"
-              echo "expected: ${expected_sha}"
-              echo "actual:   ${actual_sha}"
-              exit 1
-            fi
-          fi
-
-          asset_name="$(basename "$asset_path")"
-          case "$asset_name" in
-            *.tar.zst)
-              zstd -dc "$asset_path" | tar -C "$handoff_dir" -xf -
-              ;;
-            *.tar.gz|*.tgz)
-              tar -C "$handoff_dir" -xzf "$asset_path"
-              ;;
-            *.zip)
-              ditto -x -k "$asset_path" "$handoff_dir"
-              ;;
-            *)
-              echo "Unsupported signed macOS handoff archive format: ${asset_name}"
-              exit 1
-              ;;
-          esac
-
-          echo "SIGNED_MACOS_HANDOFF_DIR=$handoff_dir" >> "$GITHUB_ENV"
-
-      - name: Stage signed macOS artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          target="${{ matrix.target }}"
-          artifact_name="${{ matrix.artifact_name }}"
-          source_dir="${SIGNED_MACOS_HANDOFF_DIR}/${artifact_name}"
-          if [[ ! -d "$source_dir" && -d "${SIGNED_MACOS_HANDOFF_DIR}/dist/${artifact_name}" ]]; then
-            source_dir="${SIGNED_MACOS_HANDOFF_DIR}/dist/${artifact_name}"
-          fi
-          if [[ ! -d "$source_dir" && -d "${SIGNED_MACOS_HANDOFF_DIR}/${target}" ]]; then
-            source_dir="${SIGNED_MACOS_HANDOFF_DIR}/${target}"
-          fi
-          if [[ ! -d "$source_dir" && -d "${SIGNED_MACOS_HANDOFF_DIR}/dist/${target}" ]]; then
-            source_dir="${SIGNED_MACOS_HANDOFF_DIR}/dist/${target}"
-          fi
-          if [[ ! -d "$source_dir" ]]; then
-            echo "Signed macOS handoff is missing ${artifact_name}/"
-            echo "Expected either:"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/${artifact_name}"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/dist/${artifact_name}"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/${target}"
-            echo "  ${SIGNED_MACOS_HANDOFF_DIR}/dist/${target}"
-            find "$SIGNED_MACOS_HANDOFF_DIR" -maxdepth 3 -type f -print
-            exit 1
-          fi
-
-          dest="dist/${target}"
-          mkdir -p "$dest"
-
-          for binary in ${{ matrix.binaries }}; do
-            source_path="${source_dir}/${binary}"
-            if [[ ! -f "$source_path" ]]; then
-              source_path="${source_dir}/${binary}-${target}"
-            fi
-            if [[ ! -f "$source_path" ]]; then
-              echo "Signed macOS handoff is missing ${binary} for ${artifact_name}"
-              exit 1
-            fi
-
-            release_path="${dest}/${binary}-${target}"
-            ditto "$source_path" "$release_path"
-            chmod 0755 "$release_path"
-            codesign --verify --strict --verbose=2 "$release_path"
-          done
-
-          # DMG staging is disabled for signed promotion because we no longer
-          # distribute DMGs from this release path. Keep the branch here so the
-          # handoff can opt back in by flipping matrix.build_dmg if needed.
-          if [[ "${{ matrix.build_dmg }}" == "true" ]]; then
-            dmg_name="codex-${target}.dmg"
-            dmg_source="${source_dir}/${dmg_name}"
-            if [[ ! -f "$dmg_source" ]]; then
-              echo "Signed macOS handoff is missing ${dmg_name} for ${artifact_name}"
-              exit 1
-            fi
-
-            codesign --verify --strict --verbose=2 "$dmg_source"
-            xcrun stapler validate "$dmg_source"
-            cp "$dmg_source" "$dest/$dmg_name"
-          fi
-
-      - name: Build Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          case "${{ matrix.target }}" in
-            aarch64-apple-darwin)
-              platform_tag="macosx_11_0_arm64"
-              ;;
-            x86_64-apple-darwin)
-              platform_tag="macosx_10_9_x86_64"
-              ;;
-            *)
-              echo "No Python runtime wheel platform tag for ${{ matrix.target }}"
-              exit 1
-              ;;
-          esac
-
-          python3 -m venv "${RUNNER_TEMP}/python-runtime-build-venv"
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m pip install build
-
-          stage_dir="${RUNNER_TEMP}/openai-codex-cli-bin-${{ matrix.target }}"
-          wheel_dir="${GITHUB_WORKSPACE}/python-runtime-dist/${{ matrix.target }}"
-          python3 \
-            "${GITHUB_WORKSPACE}/sdk/python/scripts/update_sdk_artifacts.py" \
-            stage-runtime \
-            "$stage_dir" \
-            "${GITHUB_WORKSPACE}/codex-rs/dist/${{ matrix.target }}/codex-${{ matrix.target }}" \
-            --codex-version "${GITHUB_REF_NAME}" \
-            --platform-tag "$platform_tag"
-          "${RUNNER_TEMP}/python-runtime-build-venv/bin/python" -m build --wheel --outdir "$wheel_dir" "$stage_dir"
-
-      - name: Upload Python runtime wheel
-        if: ${{ matrix.bundle == 'primary' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: python-runtime-wheel-${{ matrix.target }}
-          path: python-runtime-dist/${{ matrix.target }}/*.whl
-          if-no-files-found: error
-
-      - name: Compress artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          dest="dist/${{ matrix.target }}"
-          for f in "$dest"/*; do
-            base="$(basename "$f")"
-            if [[ "$base" == *.tar.gz || "$base" == *.tar.zst || "$base" == *.zip || "$base" == *.dmg ]]; then
-              continue
-            fi
-
-            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
-            zstd -T0 -19 --rm "$dest/$base"
-          done
-
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: ${{ matrix.artifact_name }}
-          path: |
-            codex-rs/dist/${{ matrix.target }}/*
-
  build-windows:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    needs: tag-check
    uses: ./.github/workflows/rust-release-windows.yml
    with:
@@ -858,7 +451,6 @@ jobs:
    secrets: inherit

  argument-comment-lint-release-assets:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    name: argument-comment-lint release assets
    needs: tag-check
    uses: ./.github/workflows/rust-release-argument-comment-lint.yml
@@ -866,60 +458,26 @@ jobs:
      publish: true

  zsh-release-assets:
-    if: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed' }}
    name: zsh release assets
    needs: tag-check
    uses: ./.github/workflows/rust-release-zsh.yml

  release:
    needs:
-      - tag-check
      - build
-      - stage-signed-macos
      - build-windows
      - argument-comment-lint-release-assets
      - zsh-release-assets
-    if: >-
-      ${{
-        always() &&
-        needs.tag-check.result == 'success' &&
-        (
-          (
-            github.event_name == 'workflow_dispatch' &&
-            inputs.release_mode == 'promote_signed' &&
-            needs.stage-signed-macos.result == 'success' &&
-            needs.build.result == 'skipped' &&
-            needs.build-windows.result == 'skipped' &&
-            needs.argument-comment-lint-release-assets.result == 'skipped' &&
-            needs.zsh-release-assets.result == 'skipped'
-          ) ||
-          (
-            (github.event_name != 'workflow_dispatch' || inputs.release_mode != 'promote_signed') &&
-            needs.build.result == 'success' &&
-            needs.stage-signed-macos.result == 'skipped' &&
-            needs.build-windows.result == 'success' &&
-            needs.argument-comment-lint-release-assets.result == 'success' &&
-            needs.zsh-release-assets.result == 'success'
-          )
-        )
-      }}
    name: release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      actions: read
-    env:
-      RELEASE_MODE: ${{ github.event_name == 'workflow_dispatch' && inputs.release_mode || 'signed' }}
-      SIGN_MACOS: ${{ github.event_name != 'workflow_dispatch' || inputs.release_mode == 'promote_signed' }}
-      SIGNED_MACOS_ASSET: ${{ inputs.signed_macos_asset }}
-      UNSIGNED_RUN_ID: ${{ inputs.unsigned_run_id }}
    outputs:
      version: ${{ steps.release_name.outputs.name }}
      tag: ${{ github.ref_name }}
-      sign_macos: ${{ steps.release_mode.outputs.sign_macos }}
      should_publish_npm: ${{ steps.npm_publish_settings.outputs.should_publish }}
      npm_tag: ${{ steps.npm_publish_settings.outputs.npm_tag }}
-      should_publish_python_runtime: ${{ steps.python_runtime_publish_settings.outputs.should_publish }}

    steps:
      - name: Checkout repository
@@ -927,12 +485,6 @@ jobs:
        with:
          persist-credentials: false

-      - name: Define release mode
-        id: release_mode
-        run: |
-          echo "release_mode=${RELEASE_MODE}" >> "$GITHUB_OUTPUT"
-          echo "sign_macos=${SIGN_MACOS}" >> "$GITHUB_OUTPUT"
-
      - name: Generate release notes from tag commit message
        id: release_notes
        shell: bash
@@ -957,121 +509,9 @@ jobs:
        with:
          path: dist

-      - name: Validate unsigned build run
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          run_summary="$(gh run view "$UNSIGNED_RUN_ID" \
-            --repo "$GITHUB_REPOSITORY" \
-            --json conclusion,event,headBranch,headSha,status,workflowName,url \
-            --jq '[.workflowName, .event, .headBranch, .headSha, .status, .conclusion, .url] | @tsv')"
-          IFS=$'\t' read -r workflow_name event head_branch head_sha status conclusion run_url <<< "$run_summary"
-          expected_head_sha="$(git rev-parse "${GITHUB_SHA}^{commit}")"
-
-          if [[ "$workflow_name" != "$GITHUB_WORKFLOW" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} is for workflow '${workflow_name}', expected '${GITHUB_WORKFLOW}'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$event" != "workflow_dispatch" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} was triggered by '${event}', expected 'workflow_dispatch'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$head_branch" != "$GITHUB_REF_NAME" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} used ref '${head_branch}', expected '${GITHUB_REF_NAME}'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$head_sha" != "$expected_head_sha" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} used head SHA '${head_sha}', expected '${expected_head_sha}'"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-          if [[ "$status" != "completed" || "$conclusion" != "success" ]]; then
-            echo "unsigned_run_id ${UNSIGNED_RUN_ID} is ${status}/${conclusion}, expected completed/success"
-            echo "Run URL: ${run_url}"
-            exit 1
-          fi
-
-      - name: Download artifacts from unsigned build run
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-          gh run download "$UNSIGNED_RUN_ID" \
-            --repo "$GITHUB_REPOSITORY" \
-            --dir dist
-
-      - name: Remove unsigned macOS staging artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        run: |
-          set -euo pipefail
-          find dist -mindepth 1 -maxdepth 1 -type d \
-            -name '*-apple-darwin*-unsigned' \
-            -exec rm -rf {} +
-
-      - name: Re-upload promoted Linux x64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: x86_64-unknown-linux-musl
-          path: dist/x86_64-unknown-linux-musl/*
-          if-no-files-found: error
-
-      - name: Re-upload promoted Linux arm64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: aarch64-unknown-linux-musl
-          path: dist/aarch64-unknown-linux-musl/*
-          if-no-files-found: error
-
-      - name: Re-upload promoted Windows x64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: x86_64-pc-windows-msvc
-          path: dist/x86_64-pc-windows-msvc/*
-          if-no-files-found: error
-
-      - name: Re-upload promoted Windows arm64 artifacts
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: aarch64-pc-windows-msvc
-          path: dist/aarch64-pc-windows-msvc/*
-          if-no-files-found: error
-
      - name: List
        run: ls -R dist/

-      - name: Prune artifacts excluded from unsigned macOS release
-        if: ${{ env.SIGN_MACOS == 'false' }}
-        run: |
-          find dist -mindepth 1 -maxdepth 1 -type d \
-            ! -name '*-apple-darwin*-unsigned' \
-            ! -name 'aarch64-unknown-linux-musl' \
-            ! -name 'aarch64-unknown-linux-musl-app-server' \
-            ! -name 'x86_64-unknown-linux-musl' \
-            ! -name 'x86_64-unknown-linux-musl-app-server' \
-            ! -name 'aarch64-pc-windows-msvc' \
-            ! -name 'x86_64-pc-windows-msvc' \
-            -exec rm -rf {} +
-
-          if ! find dist -type f -name '*-apple-darwin*-unsigned*' | grep -q .; then
-            echo "No unsigned macOS artifacts found in downloaded workflow artifacts."
-            exit 1
-          fi
-
      - name: Delete entries from dist/ that should not go in the release
        run: |
          rm -rf dist/windows-binaries*
@@ -1103,12 +543,6 @@ jobs:
          set -euo pipefail
          version="${VERSION}"

-          if [[ "${SIGN_MACOS}" != "true" ]]; then
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            echo "npm_tag=" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
          if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "should_publish=true" >> "$GITHUB_OUTPUT"
            echo "npm_tag=" >> "$GITHUB_OUTPUT"
@@ -1120,61 +554,33 @@ jobs:
            echo "npm_tag=" >> "$GITHUB_OUTPUT"
          fi

-      - name: Determine Python runtime publish settings
-        id: python_runtime_publish_settings
-        env:
-          VERSION: ${{ steps.release_name.outputs.name }}
-        run: |
-          set -euo pipefail
-          version="${VERSION}"
-
-          if [[ "${SIGN_MACOS}" != "true" ]]; then
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "should_publish=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
-            echo "should_publish=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "should_publish=false" >> "$GITHUB_OUTPUT"
-          fi
-
      - name: Setup pnpm
-        if: ${{ env.SIGN_MACOS == 'true' }}
        uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
        with:
          run_install: false

      - name: Setup Node.js for npm packaging
-        if: ${{ env.SIGN_MACOS == 'true' }}
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 22

      - name: Install dependencies
-        if: ${{ env.SIGN_MACOS == 'true' }}
        run: pnpm install --frozen-lockfile

      # stage_npm_packages.py requires DotSlash when staging releases.
      - uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
      - name: Stage npm packages
-        if: ${{ env.SIGN_MACOS == 'true' }}
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_VERSION: ${{ steps.release_name.outputs.name }}
        run: |
-          workflow_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
          ./scripts/stage_npm_packages.py \
            --release-version "$RELEASE_VERSION" \
-            --workflow-url "$workflow_url" \
            --package codex \
            --package codex-responses-api-proxy \
            --package codex-sdk

      - name: Stage installer scripts
-        if: ${{ env.SIGN_MACOS == 'true' }}
        run: |
          cp scripts/install/install.sh dist/install.sh
          cp scripts/install/install.ps1 dist/install.ps1
@@ -1186,56 +592,25 @@ jobs:
          tag_name: ${{ github.ref_name }}
          body_path: ${{ steps.release_notes.outputs.path }}
          files: dist/**
-          overwrite_files: true
-          make_latest: ${{ env.SIGN_MACOS == 'true' && !contains(steps.release_name.outputs.name, '-') }}
          # Mark as prerelease only when the version has a suffix after x.y.z
          # (e.g. -alpha, -beta). Otherwise publish a normal release.
          prerelease: ${{ contains(steps.release_name.outputs.name, '-') }}

-      - name: Clean up signed promotion handoff assets
-        if: ${{ env.RELEASE_MODE == 'promote_signed' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          release_id="$(gh api "repos/${GITHUB_REPOSITORY}/releases/tags/${GITHUB_REF_NAME}" --jq '.id')"
-          gh api --paginate "repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets" \
-            --jq '.[] | [.id, .name] | @tsv' |
-            while IFS=$'\t' read -r asset_id asset_name; do
-              if [[ -z "$asset_id" || -z "$asset_name" ]]; then
-                continue
-              fi
-
-              delete_asset=false
-              if [[ "$asset_name" == *unsigned* || "$asset_name" == "$SIGNED_MACOS_ASSET" ]]; then
-                delete_asset=true
-              fi
-
-              if [[ "$delete_asset" == "true" ]]; then
-                echo "Deleting release asset ${asset_name}"
-                gh api -X DELETE "repos/${GITHUB_REPOSITORY}/releases/assets/${asset_id}"
-              fi
-            done
-
-      - if: ${{ env.SIGN_MACOS == 'true' }}
-        uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
+      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag: ${{ github.ref_name }}
          config: .github/dotslash-config.json

-      - if: ${{ env.SIGN_MACOS == 'true' }}
-        uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
+      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag: ${{ github.ref_name }}
          config: .github/dotslash-zsh-config.json

-      - if: ${{ env.SIGN_MACOS == 'true' }}
-        uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
+      - uses: facebook/dotslash-publish-release@9c9ec027515c34db9282a09a25a9cab5880b2c52 # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -1245,7 +620,7 @@ jobs:
      - name: Trigger developers.openai.com deploy
        # Only trigger the deploy if the release is not a pre-release.
        # The deploy is used to update the developers.openai.com website with the new config schema json file.
-        if: ${{ env.SIGN_MACOS == 'true' && !contains(steps.release_name.outputs.name, '-') }}
+        if: ${{ !contains(steps.release_name.outputs.name, '-') }}
        continue-on-error: true
        env:
          DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL: ${{ secrets.DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL }}
@@ -1260,15 +635,7 @@ jobs:
  # npm docs: https://docs.npmjs.com/trusted-publishers
  publish-npm:
    # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
-    # promote_signed intentionally skips build jobs that are ancestors of release;
-    # include the !cancelled() status function so Actions does not apply its implicit
-    # success() check to the whole dependency chain before evaluating release outputs.
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.should_publish_npm == 'true'
-      }}
+    if: ${{ needs.release.outputs.should_publish_npm == 'true' }}
    name: publish-npm
    needs: release
    runs-on: ubuntu-latest
@@ -1420,65 +787,12 @@ jobs:
            exit "${publish_status}"
          done

-  # Publish the platform-specific Python runtime wheels using PyPI trusted publishing.
-  # PyPI project configuration must trust this workflow and job. Keep this
-  # non-blocking while the Python runtime publishing path is new; failures still
-  # need release follow-up, but should not invalidate the Rust release itself.
-  publish-python-runtime:
-    # Publish to PyPI for stable releases and alpha pre-releases with numeric suffixes.
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.should_publish_python_runtime == 'true'
-      }}
-    name: publish-python-runtime
-    needs: release
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    environment: pypi
-    permissions:
-      id-token: write # Required for PyPI trusted publishing.
-      contents: read
-
-    steps:
-      - name: Download Python runtime wheels from release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          RELEASE_TAG: ${{ needs.release.outputs.tag }}
-          RELEASE_VERSION: ${{ needs.release.outputs.version }}
-        run: |
-          set -euo pipefail
-          python_version="$RELEASE_VERSION"
-          python_version="${python_version/-alpha./a}"
-          python_version="${python_version/-beta./b}"
-          python_version="${python_version/-rc./rc}"
-
-          mkdir -p dist/python-runtime
-          gh release download "$RELEASE_TAG" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "openai_codex_cli_bin-${python_version}-*.whl" \
-            --dir dist/python-runtime
-          ls -lh dist/python-runtime
-
-      - name: Publish Python runtime wheels to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          packages-dir: dist/python-runtime
-          skip-existing: true
-
  winget:
    name: winget
    needs: release
    # Only publish stable/mainline releases to WinGet; pre-releases include a
    # '-' in the semver string (e.g., 1.2.3-alpha.1).
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.sign_macos == 'true' &&
-        !contains(needs.release.outputs.version, '-')
-      }}
+    if: ${{ !contains(needs.release.outputs.version, '-') }}
    # This job only invokes a GitHub Action to open/update the winget-pkgs PR;
    # it does not execute Windows-only tooling, so Linux is sufficient.
    runs-on: ubuntu-latest
@@ -1498,12 +812,6 @@ jobs:

  update-branch:
    name: Update latest-alpha-cli branch
-    if: >-
-      ${{
-        !cancelled() &&
-        needs.release.result == 'success' &&
-        needs.release.outputs.sign_macos == 'true'
-      }}
    permissions:
      contents: write
    needs: release
--- a/.github/workflows/rusty-v8-release.yml
+++ b/.github/workflows/rusty-v8-release.yml
@@ -46,14 +46,14 @@ jobs:
          expected_release_tag="rusty-v8-v${V8_VERSION}"
          release_tag="${GITHUB_REF_NAME}"
          if [[ "${release_tag}" != "${expected_release_tag}" ]]; then
-            echo "Tag ${release_tag} does not match expected release tag ${expected_release_tag}." >&2
+            echo "Tag ${release_tag} does not match resolved v8 crate version ${V8_VERSION}." >&2
            exit 1
          fi

          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"

  build:
-    name: Build ${{ matrix.variant }} ${{ matrix.target }}
+    name: Build ${{ matrix.target }}
    needs: metadata
    runs-on: ${{ matrix.runner }}
    permissions:
@@ -64,77 +64,11 @@ jobs:
      matrix:
        include:
          - runner: ubuntu-24.04
-            bazel_config: ci-v8
-            platform: linux_amd64
-            sandbox: false
-            target: x86_64-unknown-linux-gnu
-            variant: release
-          - runner: ubuntu-24.04
-            bazel_config: ci-v8
-            platform: linux_amd64
-            sandbox: true
-            target: x86_64-unknown-linux-gnu
-            variant: ptrcomp-sandbox
-          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
-            platform: linux_arm64
-            sandbox: false
-            target: aarch64-unknown-linux-gnu
-            variant: release
-          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
-            platform: linux_arm64
-            sandbox: true
-            target: aarch64-unknown-linux-gnu
-            variant: ptrcomp-sandbox
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_amd64
-            sandbox: false
-            target: x86_64-apple-darwin
-            variant: release
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_amd64
-            sandbox: true
-            target: x86_64-apple-darwin
-            variant: ptrcomp-sandbox
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_arm64
-            sandbox: false
-            target: aarch64-apple-darwin
-            variant: release
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_arm64
-            sandbox: true
-            target: aarch64-apple-darwin
-            variant: ptrcomp-sandbox
-          - runner: ubuntu-24.04
-            bazel_config: ci-v8
            platform: linux_amd64_musl
-            sandbox: false
            target: x86_64-unknown-linux-musl
-            variant: release
          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
            platform: linux_arm64_musl
-            sandbox: false
            target: aarch64-unknown-linux-musl
-            variant: release
-          - runner: ubuntu-24.04
-            bazel_config: ci-v8
-            platform: linux_amd64_musl
-            sandbox: true
-            target: x86_64-unknown-linux-musl
-            variant: ptrcomp-sandbox
-          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
-            platform: linux_arm64_musl
-            sandbox: true
-            target: aarch64-unknown-linux-musl
-            variant: ptrcomp-sandbox

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -151,115 +85,61 @@ jobs:
        with:
          python-version: "3.12"

-      - name: Set up Rust toolchain for Cargo smoke
-        uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          toolchain: "1.93.0"
-
      - name: Build Bazel V8 release pair
        env:
          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
          PLATFORM: ${{ matrix.platform }}
-          SANDBOX: ${{ matrix.sandbox }}
          TARGET: ${{ matrix.target }}
        shell: bash
        run: |
          set -euo pipefail

          target_suffix="${TARGET//-/_}"
-          pair_kind="release_pair"
-          if [[ "${SANDBOX}" == "true" ]]; then
-            pair_kind="sandbox_release_pair"
+          pair_target="//third_party/v8:rusty_v8_release_pair_${target_suffix}"
+          extra_targets=()
+          if [[ "${TARGET}" == *-unknown-linux-musl ]]; then
+            extra_targets=(
+              "@llvm//runtimes/libcxx:libcxx.static"
+              "@llvm//runtimes/libcxx:libcxxabi.static"
+            )
          fi
-          pair_target="//third_party/v8:rusty_v8_${pair_kind}_${target_suffix}"

          bazel_args=(
            build
            -c
            opt
            "--platforms=@llvm//platforms:${PLATFORM}"
-            --config=rusty-v8-upstream-libcxx
+            --config=v8-release-compat
            "${pair_target}"
+            "${extra_targets[@]}"
            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
          )
-          if [[ "${SANDBOX}" != "true" ]]; then
-            bazel_args+=(--config=v8-release-compat)
-          fi

          bazel \
            --noexperimental_remote_repo_contents_cache \
            "${bazel_args[@]}" \
-            "--config=${{ matrix.bazel_config }}" \
+            --config=ci-v8 \
            "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"

      - name: Stage release pair
        env:
-          BAZEL_CONFIG: ${{ matrix.bazel_config }}
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
          PLATFORM: ${{ matrix.platform }}
-          SANDBOX: ${{ matrix.sandbox }}
          TARGET: ${{ matrix.target }}
        shell: bash
        run: |
          set -euo pipefail

-          stage_args=(
-            --platform "${PLATFORM}"
-            --target "${TARGET}"
-            --compilation-mode opt
+          python3 .github/scripts/rusty_v8_bazel.py stage-release-pair \
+            --platform "${PLATFORM}" \
+            --target "${TARGET}" \
+            --compilation-mode opt \
+            --bazel-config v8-release-compat \
            --output-dir "dist/${TARGET}"
-            --bazel-config "${BAZEL_CONFIG}"
-          )
-          if [[ "${SANDBOX}" == "true" ]]; then
-            stage_args+=(--sandbox)
-          else
-            stage_args+=(--bazel-config v8-release-compat)
-          fi

-          python3 .github/scripts/rusty_v8_bazel.py stage-release-pair "${stage_args[@]}"
-
-      - name: Smoke test staged artifact with Cargo
-        env:
-          SANDBOX: ${{ matrix.sandbox }}
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          host_arch="$(uname -m)"
-          case "${TARGET}:${host_arch}" in
-            x86_64-apple-darwin:x86_64|aarch64-apple-darwin:arm64|x86_64-unknown-linux-gnu:x86_64|aarch64-unknown-linux-gnu:aarch64)
-              ;;
-            *)
-              echo "Skipping non-native Cargo smoke for ${TARGET} on ${host_arch}."
-              exit 0
-              ;;
-          esac
-
-          archive="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'librusty_v8_*.a.gz' -print -quit)"
-          binding="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'src_binding_*.rs' -print -quit)"
-          if [[ -z "${archive}" || -z "${binding}" ]]; then
-            echo "Missing staged archive or binding for ${TARGET}." >&2
-            exit 1
-          fi
-
-          cargo_args=(test -p codex-v8-poc)
-          if [[ "${SANDBOX}" == "true" ]]; then
-            cargo_args+=(--features sandbox)
-          fi
-
-          (
-            cd codex-rs
-            CARGO_TARGET_DIR="${RUNNER_TEMP}/rusty-v8-cargo-smoke-${TARGET}-${SANDBOX}" \
-            RUSTY_V8_ARCHIVE="${GITHUB_WORKSPACE}/${archive}" \
-            RUSTY_V8_SRC_BINDING_PATH="${GITHUB_WORKSPACE}/${binding}" \
-            cargo "${cargo_args[@]}"
-          )
-
-      - name: Upload staged artifacts
+      - name: Upload staged musl artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
-          name: rusty-v8-${{ needs.metadata.outputs.v8_version }}-${{ matrix.variant }}-${{ matrix.target }}
+          name: rusty-v8-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
          path: dist/${{ matrix.target }}/*

  publish-release:
@@ -272,8 +152,7 @@ jobs:
      actions: read

    steps:
-      - name: Check whether release already exists
-        id: release
+      - name: Ensure release tag is new
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ needs.metadata.outputs.release_tag }}
@@ -282,9 +161,8 @@ jobs:
          set -euo pipefail

          if gh release view "${RELEASE_TAG}" --repo "${GITHUB_REPOSITORY}" > /dev/null 2>&1; then
-            echo "exists=true" >> "${GITHUB_OUTPUT}"
-          else
-            echo "exists=false" >> "${GITHUB_OUTPUT}"
+            echo "Release tag ${RELEASE_TAG} already exists; musl artifact tags are immutable." >&2
+            exit 1
          fi

      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -292,7 +170,6 @@ jobs:
          path: dist

      - name: Create GitHub Release
-        if: ${{ steps.release.outputs.exists != 'true' }}
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          tag_name: ${{ needs.metadata.outputs.release_tag }}
@@ -300,14 +177,3 @@ jobs:
          files: dist/**
          # Keep V8 artifact releases out of Codex's normal "latest release" channel.
          prerelease: true
-
-      - name: Amend existing GitHub Release
-        if: ${{ steps.release.outputs.exists == 'true' }}
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
-        with:
-          tag_name: ${{ needs.metadata.outputs.release_tag }}
-          name: ${{ needs.metadata.outputs.release_tag }}
-          files: dist/**
-          overwrite_files: true
-          # Keep V8 artifact releases out of Codex's normal "latest release" channel.
-          prerelease: true
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -6,41 +6,6 @@ on:
  pull_request: {}

 jobs:
-  python-sdk:
-    runs-on:
-      group: codex-runners
-      labels: codex-linux-x64
-    timeout-minutes: 10
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
-
-      - name: Test Python SDK
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          # Run inside Alpine so dependency resolution exercises the pinned
-          # runtime wheel on the same Linux wheel family that CI installs.
-          docker run --rm \
-            --user "$(id -u):$(id -g)" \
-            -e HOME=/tmp/codex-python-sdk-home \
-            -e UV_LINK_MODE=copy \
-            -v "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}" \
-            -w "${GITHUB_WORKSPACE}/sdk/python" \
-            python:3.12-alpine \
-            sh -euxc '
-              python -m venv /tmp/uv
-              /tmp/uv/bin/python -m pip install uv==0.11.3
-              /tmp/uv/bin/uv sync --extra dev --frozen
-              /tmp/uv/bin/uv run --extra dev ruff check --output-format=github .
-              /tmp/uv/bin/uv run --extra dev ruff format --check .
-              /tmp/uv/bin/uv run --extra dev pytest
-            '
-
  sdks:
    runs-on:
      group: codex-runners
--- a/.github/workflows/v8-canary.yml
+++ b/.github/workflows/v8-canary.yml
@@ -3,36 +3,28 @@ name: v8-canary
 on:
  pull_request:
    paths:
-      - ".bazelrc"
      - ".github/actions/setup-bazel-ci/**"
      - ".github/scripts/rusty_v8_bazel.py"
-      - ".github/scripts/rusty_v8_module_bazel.py"
      - ".github/workflows/rusty-v8-release.yml"
      - ".github/workflows/v8-canary.yml"
      - "MODULE.bazel"
      - "MODULE.bazel.lock"
      - "codex-rs/Cargo.toml"
      - "patches/BUILD.bazel"
-      - "patches/llvm_*.patch"
-      - "patches/rules_cc_*.patch"
      - "patches/v8_*.patch"
      - "third_party/v8/**"
  push:
    branches:
      - main
    paths:
-      - ".bazelrc"
      - ".github/actions/setup-bazel-ci/**"
      - ".github/scripts/rusty_v8_bazel.py"
-      - ".github/scripts/rusty_v8_module_bazel.py"
      - ".github/workflows/rusty-v8-release.yml"
      - ".github/workflows/v8-canary.yml"
      - "MODULE.bazel"
      - "MODULE.bazel.lock"
      - "codex-rs/Cargo.toml"
      - "patches/BUILD.bazel"
-      - "patches/llvm_*.patch"
-      - "patches/rules_cc_*.patch"
      - "patches/v8_*.patch"
      - "third_party/v8/**"
  workflow_dispatch:
@@ -67,7 +59,7 @@ jobs:
          echo "version=${version}" >> "$GITHUB_OUTPUT"

  build:
-    name: Build ${{ matrix.variant }} ${{ matrix.target }}
+    name: Build ${{ matrix.target }}
    needs: metadata
    runs-on: ${{ matrix.runner }}
    permissions:
@@ -78,77 +70,12 @@ jobs:
      matrix:
        include:
          - runner: ubuntu-24.04
-            bazel_config: ci-v8
-            platform: linux_amd64
-            sandbox: false
-            target: x86_64-unknown-linux-gnu
-            variant: release
-          - runner: ubuntu-24.04
-            bazel_config: ci-v8
-            platform: linux_amd64
-            sandbox: true
-            target: x86_64-unknown-linux-gnu
-            variant: ptrcomp-sandbox
-          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
-            platform: linux_arm64
-            sandbox: false
-            target: aarch64-unknown-linux-gnu
-            variant: release
-          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
-            platform: linux_arm64
-            sandbox: true
-            target: aarch64-unknown-linux-gnu
-            variant: ptrcomp-sandbox
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_amd64
-            sandbox: false
-            target: x86_64-apple-darwin
-            variant: release
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_amd64
-            sandbox: true
-            target: x86_64-apple-darwin
-            variant: ptrcomp-sandbox
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_arm64
-            sandbox: false
-            target: aarch64-apple-darwin
-            variant: release
-          - runner: macos-15-xlarge
-            bazel_config: ci-macos
-            platform: macos_arm64
-            sandbox: true
-            target: aarch64-apple-darwin
-            variant: ptrcomp-sandbox
-          - runner: ubuntu-24.04
-            bazel_config: ci-v8
            platform: linux_amd64_musl
-            sandbox: false
            target: x86_64-unknown-linux-musl
-            variant: release
-          - runner: ubuntu-24.04
-            bazel_config: ci-v8
-            platform: linux_amd64_musl
-            sandbox: true
-            target: x86_64-unknown-linux-musl
-            variant: ptrcomp-sandbox
          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
            platform: linux_arm64_musl
-            sandbox: false
            target: aarch64-unknown-linux-musl
-            variant: release
-          - runner: ubuntu-24.04-arm
-            bazel_config: ci-v8
-            platform: linux_arm64_musl
-            sandbox: true
-            target: aarch64-unknown-linux-musl
-            variant: ptrcomp-sandbox
+
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -165,247 +92,53 @@ jobs:
        with:
          python-version: "3.12"

-      - name: Set up Rust toolchain for Cargo smoke
-        uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          toolchain: "1.93.0"
-
      - name: Build Bazel V8 release pair
        env:
          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
          PLATFORM: ${{ matrix.platform }}
-          SANDBOX: ${{ matrix.sandbox }}
          TARGET: ${{ matrix.target }}
        shell: bash
        run: |
          set -euo pipefail

          target_suffix="${TARGET//-/_}"
-          pair_kind="release_pair"
-          if [[ "${SANDBOX}" == "true" ]]; then
-            pair_kind="sandbox_release_pair"
-          fi
-          pair_target="//third_party/v8:rusty_v8_${pair_kind}_${target_suffix}"
+          pair_target="//third_party/v8:rusty_v8_release_pair_${target_suffix}"
+          extra_targets=(
+            "@llvm//runtimes/libcxx:libcxx.static"
+            "@llvm//runtimes/libcxx:libcxxabi.static"
+          )

          bazel_args=(
            build
            "--platforms=@llvm//platforms:${PLATFORM}"
-            --config=rusty-v8-upstream-libcxx
+            --config=v8-release-compat
            "${pair_target}"
+            "${extra_targets[@]}"
            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
          )
-          if [[ "${SANDBOX}" != "true" ]]; then
-            bazel_args+=(--config=v8-release-compat)
-          fi

          bazel \
            --noexperimental_remote_repo_contents_cache \
            "${bazel_args[@]}" \
-            "--config=${{ matrix.bazel_config }}" \
+            --config=ci-v8 \
            "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"

      - name: Stage release pair
        env:
-          BAZEL_CONFIG: ${{ matrix.bazel_config }}
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
          PLATFORM: ${{ matrix.platform }}
-          SANDBOX: ${{ matrix.sandbox }}
          TARGET: ${{ matrix.target }}
        shell: bash
        run: |
          set -euo pipefail

-          stage_args=(
-            --platform "${PLATFORM}"
-            --target "${TARGET}"
+          python3 .github/scripts/rusty_v8_bazel.py stage-release-pair \
+            --platform "${PLATFORM}" \
+            --target "${TARGET}" \
+            --bazel-config v8-release-compat \
            --output-dir "dist/${TARGET}"
-            --bazel-config "${BAZEL_CONFIG}"
-          )
-          if [[ "${SANDBOX}" == "true" ]]; then
-            stage_args+=(--sandbox)
-          else
-            stage_args+=(--bazel-config v8-release-compat)
-          fi

-          python3 .github/scripts/rusty_v8_bazel.py stage-release-pair "${stage_args[@]}"
-
-      - name: Smoke test staged artifact with Cargo
-        env:
-          SANDBOX: ${{ matrix.sandbox }}
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          host_arch="$(uname -m)"
-          case "${TARGET}:${host_arch}" in
-            x86_64-apple-darwin:x86_64|aarch64-apple-darwin:arm64|x86_64-unknown-linux-gnu:x86_64|aarch64-unknown-linux-gnu:aarch64)
-              ;;
-            *)
-              echo "Skipping non-native Cargo smoke for ${TARGET} on ${host_arch}."
-              exit 0
-              ;;
-          esac
-
-          archive="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'librusty_v8_*.a.gz' -print -quit)"
-          binding="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'src_binding_*.rs' -print -quit)"
-          if [[ -z "${archive}" || -z "${binding}" ]]; then
-            echo "Missing staged archive or binding for ${TARGET}." >&2
-            exit 1
-          fi
-
-          cargo_args=(test -p codex-v8-poc)
-          if [[ "${SANDBOX}" == "true" ]]; then
-            cargo_args+=(--features sandbox)
-          fi
-
-          (
-            cd codex-rs
-            CARGO_TARGET_DIR="${RUNNER_TEMP}/rusty-v8-cargo-smoke-${TARGET}-${SANDBOX}" \
-            RUSTY_V8_ARCHIVE="${GITHUB_WORKSPACE}/${archive}" \
-            RUSTY_V8_SRC_BINDING_PATH="${GITHUB_WORKSPACE}/${binding}" \
-            cargo "${cargo_args[@]}"
-          )
-
-      - name: Upload staged artifacts
+      - name: Upload staged musl artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
-          name: v8-canary-${{ needs.metadata.outputs.v8_version }}-${{ matrix.variant }}-${{ matrix.target }}
-          path: dist/${{ matrix.target }}/*
-
-  build-windows-source:
-    name: Build ptrcomp-sandbox ${{ matrix.target }} from source
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: windows-2022
-            target: x86_64-pc-windows-msvc
-          - runner: windows-2022
-            target: aarch64-pc-windows-msvc
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Configure git for upstream checkout
-        shell: bash
-        run: git config --global core.symlinks true
-
-      - name: Check out upstream rusty_v8
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          repository: denoland/rusty_v8
-          ref: v${{ needs.metadata.outputs.v8_version }}
-          path: upstream-rusty-v8
-          submodules: recursive
-
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-        with:
-          python-version: "3.11"
-          architecture: x64
-
-      - name: Set up Codex Rust toolchain for Cargo smoke
-        uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-        with:
-          toolchain: "1.93.0"
-          targets: ${{ matrix.target }}
-
-      - name: Install rusty_v8 Rust toolchain
-        env:
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          rustup toolchain install 1.91.0 --profile minimal --no-self-update
-          rustup target add --toolchain 1.91.0 "${TARGET}"
-
-      - name: Write upstream submodule status
-        shell: bash
-        working-directory: upstream-rusty-v8
-        run: git submodule status --recursive > git_submodule_status.txt
-
-      - name: Restore upstream source-build cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            upstream-rusty-v8/target/sccache
-            upstream-rusty-v8/target/${{ matrix.target }}/release/gn_out
-          key: rusty-v8-source-${{ matrix.target }}-sandbox-${{ hashFiles('upstream-rusty-v8/Cargo.lock', 'upstream-rusty-v8/build.rs', 'upstream-rusty-v8/git_submodule_status.txt') }}
-          restore-keys: |
-            rusty-v8-source-${{ matrix.target }}-sandbox-
-
-      - name: Install and start sccache
-        shell: pwsh
-        env:
-          SCCACHE_CACHE_SIZE: 256M
-          SCCACHE_DIR: ${{ github.workspace }}/upstream-rusty-v8/target/sccache
-          SCCACHE_IDLE_TIMEOUT: 0
-        run: |
-          $version = "v0.8.2"
-          $platform = "x86_64-pc-windows-msvc"
-          $basename = "sccache-$version-$platform"
-          $url = "https://github.com/mozilla/sccache/releases/download/$version/$basename.tar.gz"
-          cd ~
-          curl -LO $url
-          tar -xzvf "$basename.tar.gz"
-          . $basename/sccache --start-server
-          echo "$(pwd)/$basename" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
-      - name: Install Chromium clang for ARM64 MSVC cross build
-        if: matrix.target == 'aarch64-pc-windows-msvc'
-        shell: bash
-        working-directory: upstream-rusty-v8
-        run: python3 tools/clang/scripts/update.py
-
-      - name: Build upstream rusty_v8 sandbox release pair
-        env:
-          SCCACHE_IDLE_TIMEOUT: 0
-          TARGET: ${{ matrix.target }}
-          V8_FROM_SOURCE: "1"
-        shell: bash
-        working-directory: upstream-rusty-v8
-        run: cargo +1.91.0 build --locked --release --target "${TARGET}" --features v8_enable_sandbox
-
-      - name: Stage upstream sandbox release pair
-        env:
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          python3 .github/scripts/rusty_v8_bazel.py stage-upstream-release-pair \
-            --source-root upstream-rusty-v8 \
-            --target "${TARGET}" \
-            --output-dir "dist/${TARGET}" \
-            --sandbox
-
-      - name: Smoke link staged artifact with Cargo
-        env:
-          TARGET: ${{ matrix.target }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          archive="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'rusty_v8_*.lib.gz' -print -quit)"
-          binding="$(find "dist/${TARGET}" -maxdepth 1 -type f -name 'src_binding_*.rs' -print -quit)"
-          if [[ -z "${archive}" || -z "${binding}" ]]; then
-            echo "Missing staged archive or binding for ${TARGET}." >&2
-            exit 1
-          fi
-
-          (
-            cd codex-rs
-            RUSTY_V8_ARCHIVE="${GITHUB_WORKSPACE}/${archive}" \
-            RUSTY_V8_SRC_BINDING_PATH="${GITHUB_WORKSPACE}/${binding}" \
-            cargo +1.93.0 test -p codex-v8-poc --target "${TARGET}" --features sandbox --no-run
-          )
-
-      - name: Upload staged artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: v8-canary-${{ needs.metadata.outputs.v8_version }}-ptrcomp-sandbox-${{ matrix.target }}
+          name: v8-canary-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
          path: dist/${{ matrix.target }}/*
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,7 +1,6 @@
 {
    "recommendations": [
        "rust-lang.rust-analyzer",
-        "charliermarsh.ruff",
        "tamasfe.even-better-toml",
        "vadimcn.vscode-lldb",

--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -12,14 +12,6 @@
        "editor.defaultFormatter": "tamasfe.even-better-toml",
        "editor.formatOnSave": true,
    },
-    "[python]": {
-        "editor.defaultFormatter": "charliermarsh.ruff",
-        "editor.formatOnSave": true,
-        "editor.codeActionsOnSave": {
-            "source.fixAll.ruff": "explicit",
-            "source.organizeImports.ruff": "explicit",
-        },
-    },
    // Array order for options in ~/.codex/config.toml such as `notify` and the
    // `args` for an MCP server is significant, so we disable reordering.
    "evenBetterToml.formatter.reorderArrays": false,
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -10,7 +10,6 @@ single_version_override(
    module_name = "llvm",
    patch_strip = 1,
    patches = [
-        "//patches:llvm_rusty_v8_custom_libcxx.patch",
        "//patches:llvm_windows_symlink_extract.patch",
    ],
 )
@@ -78,13 +77,6 @@ use_repo(osx, "macos_sdk")
 # Needed to disable xcode...
 bazel_dep(name = "apple_support", version = "2.1.0")
 bazel_dep(name = "rules_cc", version = "0.2.16")
-single_version_override(
-    module_name = "rules_cc",
-    patch_strip = 1,
-    patches = [
-        "//patches:rules_cc_rusty_v8_custom_libcxx.patch",
-    ],
-)
 bazel_dep(name = "rules_platform", version = "0.1.0")
 bazel_dep(name = "rules_rs", version = "0.0.58")
 # `rules_rs` still does not model `windows-gnullvm` as a distinct Windows exec
@@ -415,18 +407,18 @@ crate.annotation(

 inject_repo(crate, "alsa_lib")

-bazel_dep(name = "v8", version = "14.7.173.20")
+bazel_dep(name = "v8", version = "14.6.202.9")
 archive_override(
    module_name = "v8",
-    integrity = "sha256-v/x6I4X38a2wckzUIft3Dh0SUdkuOTokwxyF7lzW8Lc=",
+    integrity = "sha256-JphDwLAzsd9KvgRZ7eQvNtPU6qGd3XjFt/a/1QITAJU=",
    patch_strip = 3,
    patches = [
        "//patches:v8_module_deps.patch",
        "//patches:v8_bazel_rules.patch",
        "//patches:v8_source_portability.patch",
    ],
-    strip_prefix = "v8-14.7.173.20",
-    urls = ["https://github.com/v8/v8/archive/refs/tags/14.7.173.20.tar.gz"],
+    strip_prefix = "v8-14.6.202.9",
+    urls = ["https://github.com/v8/v8/archive/refs/tags/14.6.202.9.tar.gz"],
 )

 http_archive(
@@ -438,53 +430,93 @@ http_archive(
    urls = ["https://static.crates.io/crates/v8/v8-146.4.0.crate"],
 )

-http_archive(
-    name = "v8_crate_147_4_0",
-    build_file = "//third_party/v8:v8_crate.BUILD.bazel",
-    sha256 = "2df8fffd507fb18ed000673a83d937f58e60fb07f3306b2274284125b15137cd",
-    strip_prefix = "v8-147.4.0",
-    type = "tar.gz",
-    urls = ["https://static.crates.io/crates/v8/v8-147.4.0.crate"],
-)
-
-git_repository = use_repo_rule("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
-
-git_repository(
-    name = "rusty_v8_libcxx",
-    build_file = "//third_party/v8:libcxx.BUILD.bazel",
-    commit = "7ab65651aed6802d2599dcb7a73b1f82d5179d05",
-    remote = "https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxx.git",
-)
-
-git_repository(
-    name = "rusty_v8_libcxxabi",
-    build_file = "//third_party/v8:libcxxabi.BUILD.bazel",
-    commit = "8f11bb1d4438d0239d0dfc1bd9456a9f31629dda",
-    remote = "https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi.git",
-)
-
-git_repository(
-    name = "rusty_v8_llvm_libc",
-    build_file = "//third_party/v8:llvm_libc.BUILD.bazel",
-    commit = "b3aa5bb702ff9e890179fd1e7d3ba346e17ecf8e",
-    remote = "https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libc.git",
-)
-
 http_file(
-    name = "rusty_v8_147_4_0_aarch64_pc_windows_msvc_archive",
-    downloaded_file_path = "rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
-    sha256 = "1fa3f94d9e09cff1f6bcce94c478e5cb072c0755f6a0357abadb9dd3b48d8127",
+    name = "rusty_v8_146_4_0_aarch64_apple_darwin_archive",
+    downloaded_file_path = "librusty_v8_release_aarch64-apple-darwin.a.gz",
+    sha256 = "bfe2c9be32a56c28546f0f965825ee68fbf606405f310cc4e17b448a568cf98a",
    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v147.4.0/rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
+        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_aarch64-apple-darwin.a.gz",
    ],
 )

 http_file(
-    name = "rusty_v8_147_4_0_x86_64_pc_windows_msvc_archive",
-    downloaded_file_path = "rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
-    sha256 = "e2827ff98b1a9d4c0343000fc5124ac30dfab3007bc0129c168c9355fc2fcd7c",
+    name = "rusty_v8_146_4_0_aarch64_unknown_linux_gnu_archive",
+    downloaded_file_path = "librusty_v8_release_aarch64-unknown-linux-gnu.a.gz",
+    sha256 = "dbf165b07c81bdb054bc046b43d23e69fcf7bcc1a4c1b5b4776983a71062ecd8",
    urls = [
-        "https://github.com/denoland/rusty_v8/releases/download/v147.4.0/rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
+        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_aarch64-unknown-linux-gnu.a.gz",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_aarch64_pc_windows_msvc_archive",
+    downloaded_file_path = "rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
+    sha256 = "ed13363659c6d08583ac8fdc40493445c5767d8b94955a4d5d7bb8d5a81f6bf8",
+    urls = [
+        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/rusty_v8_release_aarch64-pc-windows-msvc.lib.gz",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_x86_64_apple_darwin_archive",
+    downloaded_file_path = "librusty_v8_release_x86_64-apple-darwin.a.gz",
+    sha256 = "630cd240f1bbecdb071417dc18387ab81cf67c549c1c515a0b4fcf9eba647bb7",
+    urls = [
+        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_x86_64-apple-darwin.a.gz",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_x86_64_unknown_linux_gnu_archive",
+    downloaded_file_path = "librusty_v8_release_x86_64-unknown-linux-gnu.a.gz",
+    sha256 = "e64b4d99e4ae293a2e846244a89b80178ba10382c13fb591c1fa6968f5291153",
+    urls = [
+        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/librusty_v8_release_x86_64-unknown-linux-gnu.a.gz",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_x86_64_pc_windows_msvc_archive",
+    downloaded_file_path = "rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
+    sha256 = "90a9a2346acd3685a355e98df85c24dbe406cb124367d16259a4b5d522621862",
+    urls = [
+        "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/rusty_v8_release_x86_64-pc-windows-msvc.lib.gz",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_aarch64_unknown_linux_musl_archive",
+    downloaded_file_path = "librusty_v8_release_aarch64-unknown-linux-musl.a.gz",
+    sha256 = "27a08ed26c34297bfd93e514692ccc44b85f8b15c6aa39cf34e784f84fb37e8e",
+    urls = [
+        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/librusty_v8_release_aarch64-unknown-linux-musl.a.gz",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_aarch64_unknown_linux_musl_binding",
+    downloaded_file_path = "src_binding_release_aarch64-unknown-linux-musl.rs",
+    sha256 = "09f8900ced8297c229246c7a50b2e0ec23c54d0a554f369619cc29863f38dd1a",
+    urls = [
+        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/src_binding_release_aarch64-unknown-linux-musl.rs",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_x86_64_unknown_linux_musl_archive",
+    downloaded_file_path = "librusty_v8_release_x86_64-unknown-linux-musl.a.gz",
+    sha256 = "20d8271ad712323d352c1383c36e3c4b755abc41ece35819c49c75ec7134d2f8",
+    urls = [
+        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/librusty_v8_release_x86_64-unknown-linux-musl.a.gz",
+    ],
+)
+
+http_file(
+    name = "rusty_v8_146_4_0_x86_64_unknown_linux_musl_binding",
+    downloaded_file_path = "src_binding_release_x86_64-unknown-linux-musl.rs",
+    sha256 = "09f8900ced8297c229246c7a50b2e0ec23c54d0a554f369619cc29863f38dd1a",
+    urls = [
+        "https://github.com/openai/codex/releases/download/rusty-v8-v146.4.0/src_binding_release_x86_64-unknown-linux-musl.rs",
    ],
 )

--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/codex-cli/bin/codex.js
+++ b/codex-cli/bin/codex.js
@@ -2,7 +2,7 @@
 // Unified entry point for the Codex CLI.

 import { spawn } from "node:child_process";
-import { existsSync, realpathSync } from "fs";
+import { existsSync } from "fs";
 import { createRequire } from "node:module";
 import path from "path";
 import { fileURLToPath } from "url";
@@ -171,7 +171,6 @@ const packageManagerEnvVar =
    ? "CODEX_MANAGED_BY_BUN"
    : "CODEX_MANAGED_BY_NPM";
 env[packageManagerEnvVar] = "1";
-env.CODEX_MANAGED_PACKAGE_ROOT = realpathSync(path.join(__dirname, ".."));

 const child = spawn(binaryPath, process.argv.slice(2), {
  stdio: "inherit",
--- a/codex-rs/.cargo/config.toml
+++ b/codex-rs/.cargo/config.toml
@@ -1,5 +1,5 @@
 [target.'cfg(all(windows, target_env = "msvc"))']
-rustflags = ["-C", "link-arg=/STACK:8388608", "-C", "target-feature=+crt-static"]
+rustflags = ["-C", "link-arg=/STACK:8388608"]

 # MSVC emits a warning about code that may trip "Cortex-A53 MPCore processor bug #843419" (see
 # https://developer.arm.com/documentation/epm048406/latest) which is sometimes emitted by LLVM.
--- a/codex-rs/.config/nextest.toml
+++ b/codex-rs/.config/nextest.toml
@@ -1,10 +1,6 @@
 [profile.default]
-# Retry once so one transient failure does not fail full-CI outright.
+# Do not increase, fix your test instead
 slow-timeout = { period = "15s", terminate-after = 2 }
-retries = 1
-
-[profile.default.junit]
-path = "junit.xml"

 [test-groups.app_server_protocol_codegen]
 max-threads = 1
@@ -18,9 +14,6 @@ max-threads = 1
 [test-groups.windows_sandbox_legacy_sessions]
 max-threads = 1

-[test-groups.windows_process_heavy]
-max-threads = 2
-
 [[profile.default.overrides]]
 # Do not add new tests here
 filter = 'test(rmcp_client) | test(humanlike_typing_1000_chars_appears_live_no_placeholder)'
@@ -51,18 +44,3 @@ test-group = 'core_apply_patch_cli_integration'
 # Serialize them to avoid exhausting Windows session/global desktop resources in CI.
 filter = 'package(codex-windows-sandbox) & test(legacy_)'
 test-group = 'windows_sandbox_legacy_sessions'
-
-[[profile.default.overrides]]
-# This Codex-home startup path still exceeded the broader Windows-heavy ceiling
-# in both Windows full-CI lanes after contention was reduced.
-platform = 'cfg(windows)'
-filter = 'test(start_thread_uses_all_default_environments_from_codex_home)'
-slow-timeout = { period = "1m", terminate-after = 2 }
-
-[[profile.default.overrides]]
-# These Windows-heavy tests spawn subprocesses, session files, or JSON-RPC
-# clients and have been the dominant source of 30s full-CI timeouts.
-platform = 'cfg(windows)'
-filter = 'test(suite::resume::) | test(suite::cli_stream::) | test(suite::auth_env::) | test(start_thread_uses_all_default_environments_from_codex_home) | test(connect_stdio_command_initializes_json_rpc_client_on_windows)'
-test-group = 'windows_process_heavy'
-slow-timeout = { period = "45s", terminate-after = 2 }
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -1518,9 +1518,9 @@ checksum = "ade8366b8bd5ba243f0a58f036cc0ca8a2f069cff1a2351ef1cac6b083e16fc0"

 [[package]]
 name = "calendrical_calculations"
-version = "0.2.4"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5abbd6eeda6885048d357edc66748eea6e0268e3dd11f326fff5bd248d779c26"
+checksum = "3a0b39595c6ee54a8d0900204ba4c401d0ab4eb45adaf07178e8d017541529e7"
 dependencies = [
 "core_maths",
 "displaydoc",
@@ -1895,7 +1895,6 @@ dependencies = [
 "codex-core",
 "codex-core-plugins",
 "codex-exec-server",
- "codex-extension-api",
 "codex-external-agent-migration",
 "codex-external-agent-sessions",
 "codex-features",
@@ -1903,11 +1902,9 @@ dependencies = [
 "codex-file-search",
 "codex-file-watcher",
 "codex-git-utils",
- "codex-guardian",
 "codex-hooks",
 "codex-login",
 "codex-mcp",
- "codex-memories-extension",
 "codex-memories-write",
 "codex-model-provider",
 "codex-model-provider-info",
@@ -1970,8 +1967,6 @@ dependencies = [
 "codex-exec-server",
 "codex-feedback",
 "codex-protocol",
- "codex-uds",
- "codex-utils-absolute-path",
 "codex-utils-rustls-provider",
 "futures",
 "pretty_assertions",
@@ -1992,15 +1987,14 @@ dependencies = [
 "anyhow",
 "codex-app-server-protocol",
 "codex-app-server-transport",
+ "codex-core",
 "codex-uds",
- "codex-utils-home-dir",
 "futures",
 "libc",
 "pretty_assertions",
 "reqwest",
 "serde",
 "serde_json",
- "sha2",
 "tempfile",
 "tokio",
 "tokio-tungstenite",
@@ -2180,6 +2174,17 @@ dependencies = [
 "serde_with",
 ]

+[[package]]
+name = "codex-builtin-mcps"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "codex-memories-mcp",
+ "codex-utils-absolute-path",
+ "pretty_assertions",
+ "tokio",
+]
+
 [[package]]
 name = "codex-bwrap"
 version = "0.0.0"
@@ -2221,7 +2226,6 @@ dependencies = [
 "assert_matches",
 "clap",
 "clap_complete",
- "codex-api",
 "codex-app-server",
 "codex-app-server-daemon",
 "codex-app-server-protocol",
@@ -2236,14 +2240,11 @@ dependencies = [
 "codex-exec-server",
 "codex-execpolicy",
 "codex-features",
- "codex-install-context",
 "codex-login",
 "codex-mcp",
 "codex-mcp-server",
 "codex-memories-write",
- "codex-model-provider",
 "codex-models-manager",
- "codex-plugin",
 "codex-protocol",
 "codex-responses-api-proxy",
 "codex-rmcp-client",
@@ -2258,14 +2259,11 @@ dependencies = [
 "codex-utils-cli",
 "codex-utils-path",
 "codex-windows-sandbox",
- "crossterm",
- "http 1.4.0",
 "libc",
 "owo-colors",
 "predicates",
 "pretty_assertions",
 "regex-lite",
- "serde",
 "serde_json",
 "sqlx",
 "supports-color 3.0.2",
@@ -2439,7 +2437,6 @@ dependencies = [
 "prost 0.14.3",
 "schemars 0.8.22",
 "serde",
- "serde_ignored",
 "serde_json",
 "serde_path_to_error",
 "sha2",
@@ -2500,7 +2497,6 @@ dependencies = [
 "codex-core-skills",
 "codex-exec-server",
 "codex-execpolicy",
- "codex-extension-api",
 "codex-features",
 "codex-feedback",
 "codex-git-utils",
@@ -2536,6 +2532,7 @@ dependencies = [
 "codex-utils-path",
 "codex-utils-plugins",
 "codex-utils-pty",
+ "codex-utils-readiness",
 "codex-utils-stream-parser",
 "codex-utils-string",
 "codex-utils-template",
@@ -2545,6 +2542,7 @@ dependencies = [
 "ctor 0.6.3",
 "dirs",
 "dunce",
+ "env-flags",
 "eventsource-stream",
 "futures",
 "http 1.4.0",
@@ -2602,7 +2600,6 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-exec-server",
- "codex-extension-api",
 "codex-features",
 "codex-login",
 "codex-model-provider-info",
@@ -2636,7 +2633,6 @@ dependencies = [
 "libc",
 "pretty_assertions",
 "reqwest",
- "semver",
 "serde",
 "serde_json",
 "tar",
@@ -2717,7 +2713,6 @@ dependencies = [
 "codex-utils-cargo-bin",
 "codex-utils-cli",
 "codex-utils-oss",
- "codex-utils-sandbox-summary",
 "core_test_support",
 "libc",
 "opentelemetry",
@@ -2749,7 +2744,6 @@ dependencies = [
 "axum",
 "base64 0.22.1",
 "bytes",
- "codex-api",
 "codex-app-server-protocol",
 "codex-client",
 "codex-file-system",
@@ -2761,9 +2755,7 @@ dependencies = [
 "codex-utils-rustls-provider",
 "ctor 0.6.3",
 "futures",
- "http 1.4.0",
 "pretty_assertions",
- "prost 0.14.3",
 "reqwest",
 "serde",
 "serde_json",
@@ -2826,15 +2818,6 @@ dependencies = [
 "syn 2.0.114",
 ]

-[[package]]
-name = "codex-extension-api"
-version = "0.0.0"
-dependencies = [
- "async-trait",
- "codex-protocol",
- "codex-tools",
-]
-
 [[package]]
 name = "codex-external-agent-migration"
 version = "0.0.0"
@@ -2948,28 +2931,6 @@ dependencies = [
 "walkdir",
 ]

-[[package]]
-name = "codex-goal-extension"
-version = "0.0.0"
-dependencies = [
- "async-trait",
- "codex-extension-api",
- "codex-protocol",
- "codex-tools",
- "serde",
- "serde_json",
-]
-
-[[package]]
-name = "codex-guardian"
-version = "0.0.0"
-dependencies = [
- "async-trait",
- "codex-core",
- "codex-extension-api",
- "codex-protocol",
-]
-
 [[package]]
 name = "codex-hooks"
 version = "0.0.0"
@@ -3097,6 +3058,7 @@ dependencies = [
 "async-channel",
 "codex-api",
 "codex-async-utils",
+ "codex-builtin-mcps",
 "codex-config",
 "codex-exec-server",
 "codex-login",
@@ -3130,7 +3092,6 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-exec-server",
- "codex-extension-api",
 "codex-login",
 "codex-protocol",
 "codex-shell-command",
@@ -3153,27 +3114,6 @@ dependencies = [
 "wiremock",
 ]

-[[package]]
-name = "codex-memories-extension"
-version = "0.0.0"
-dependencies = [
- "async-trait",
- "codex-core",
- "codex-extension-api",
- "codex-features",
- "codex-memories-read",
- "codex-tools",
- "codex-utils-absolute-path",
- "codex-utils-output-truncation",
- "pretty_assertions",
- "schemars 0.8.22",
- "serde",
- "serde_json",
- "tempfile",
- "thiserror 2.0.18",
- "tokio",
-]
-
 [[package]]
 name = "codex-memories-mcp"
 version = "0.0.0"
@@ -3498,7 +3438,6 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "axum",
- "base64 0.22.1",
 "bytes",
 "codex-api",
 "codex-client",
@@ -3562,7 +3501,6 @@ dependencies = [
 "anyhow",
 "codex-code-mode",
 "codex-protocol",
- "http 1.4.0",
 "pretty_assertions",
 "serde",
 "serde_json",
@@ -3735,7 +3673,6 @@ dependencies = [
 "codex-protocol",
 "codex-rollout",
 "codex-state",
- "codex-utils-path",
 "pretty_assertions",
 "serde",
 "serde_json",
@@ -3750,19 +3687,16 @@ dependencies = [
 name = "codex-tools"
 version = "0.0.0"
 dependencies = [
- "async-trait",
 "codex-app-server-protocol",
 "codex-code-mode",
 "codex-features",
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-pty",
- "codex-utils-string",
 "pretty_assertions",
 "rmcp",
 "serde",
 "serde_json",
- "thiserror 2.0.18",
 "tracing",
 ]

@@ -3804,7 +3738,6 @@ dependencies = [
 "codex-protocol",
 "codex-realtime-webrtc",
 "codex-rollout",
- "codex-sandboxing",
 "codex-shell-command",
 "codex-state",
 "codex-terminal-detection",
@@ -3814,16 +3747,15 @@ dependencies = [
 "codex-utils-cli",
 "codex-utils-elapsed",
 "codex-utils-fuzzy-match",
- "codex-utils-home-dir",
 "codex-utils-oss",
 "codex-utils-path",
 "codex-utils-plugins",
+ "codex-utils-pty",
 "codex-utils-sandbox-summary",
 "codex-utils-sleep-inhibitor",
 "codex-utils-string",
 "codex-windows-sandbox",
 "color-eyre",
- "core_test_support",
 "cpal",
 "crossterm",
 "derive_more 2.1.1",
@@ -3847,7 +3779,6 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
- "sha2",
 "shlex",
 "strum 0.27.2",
 "strum_macros 0.28.0",
@@ -3874,7 +3805,6 @@ dependencies = [
 "which 8.0.0",
 "windows-sys 0.52.0",
 "winsplit",
- "wiremock",
 ]

 [[package]]
@@ -3934,7 +3864,6 @@ version = "0.0.0"
 dependencies = [
 "clap",
 "codex-protocol",
- "codex-shell-command",
 "pretty_assertions",
 "serde",
 "toml 0.9.11+spec-1.1.0",
@@ -4370,7 +4299,6 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-exec-server",
- "codex-extension-api",
 "codex-features",
 "codex-hooks",
 "codex-login",
@@ -5099,9 +5027,9 @@ dependencies = [

 [[package]]
 name = "diplomat"
-version = "0.15.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7935649d00000f5c5d735448ad3dc07b9738160727017914cf42138b8e8e6611"
+checksum = "9adb46b05e2f53dcf6a7dfc242e4ce9eb60c369b6b6eb10826a01e93167f59c6"
 dependencies = [
 "diplomat_core",
 "proc-macro2",
@@ -5111,15 +5039,15 @@ dependencies = [

 [[package]]
 name = "diplomat-runtime"
-version = "0.15.1"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "970ac38ad677632efcee6d517e783958da9bc78ec206d8d5e35b459ffc5e4864"
+checksum = "0569bd3caaf13829da7ee4e83dbf9197a0e1ecd72772da6d08f0b4c9285c8d29"

 [[package]]
 name = "diplomat_core"
-version = "0.15.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9cf41b94101a4bce993febaf0098092b0bb31deaf0ecaf6e0a2562465f61b383"
+checksum = "51731530ed7f2d4495019abc7df3744f53338e69e2863a6a64ae91821c763df1"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -5424,6 +5352,12 @@ dependencies = [
 "syn 2.0.114",
 ]

+[[package]]
+name = "env-flags"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbfd0e7fc632dec5e6c9396a27bc9f9975b4e039720e1fd3e34021d3ce28c415"
+
 [[package]]
 name = "env_filter"
 version = "1.0.0"
@@ -5475,7 +5409,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -5663,9 +5597,9 @@ dependencies = [

 [[package]]
 name = "fixed_decimal"
-version = "0.7.2"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79c3c892f121fff406e5dd6b28c1b30096b95111c30701a899d4f2b18da6d1bd"
+checksum = "35eabf480f94d69182677e37571d3be065822acfafd12f2f085db44fbbcc8e57"
 dependencies = [
 "displaydoc",
 "smallvec",
@@ -7508,9 +7442,9 @@ dependencies = [

 [[package]]
 name = "icu_calendar"
-version = "2.2.1"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2b2acc6263f494f1df50685b53ff8e57869e47d5c6fe39c23d518ae9a4f3e45"
+checksum = "d6f0e52e009b6b16ba9c0693578796f2dd4aaa59a7f8f920423706714a89ac4e"
 dependencies = [
 "calendrical_calculations",
 "displaydoc",
@@ -7524,19 +7458,18 @@ dependencies = [

 [[package]]
 name = "icu_calendar_data"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "118577bcf3a0fa7c6ac0a7d6e951814da84ee56b9b1f68fb4d8d10b08cefaf4d"
+checksum = "527f04223b17edfe0bd43baf14a0cb1b017830db65f3950dc00224860a9a446d"

 [[package]]
 name = "icu_collections"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2984d1cd16c883d7935b9e07e44071dca8d917fd52ecc02c04d5fa0b5a3f191c"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
 dependencies = [
 "displaydoc",
 "potential_utf",
- "utf8_iter",
 "yoke",
 "zerofrom",
 "zerovec",
@@ -7544,16 +7477,14 @@ dependencies = [

 [[package]]
 name = "icu_decimal"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "288247df2e32aa776ac54fdd64de552149ac43cb840f2761811f0e8d09719dd4"
+checksum = "a38c52231bc348f9b982c1868a2af3195199623007ba2c7650f432038f5b3e8e"
 dependencies = [
- "displaydoc",
 "fixed_decimal",
 "icu_decimal_data",
 "icu_locale",
 "icu_locale_core",
- "icu_plurals",
 "icu_provider",
 "writeable",
 "zerovec",
@@ -7561,15 +7492,15 @@ dependencies = [

 [[package]]
 name = "icu_decimal_data"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6f14a5ca9e8af29eef62064f269078424283d90dbaffeac5225addf62aaabc22"
+checksum = "2905b4044eab2dd848fe84199f9195567b63ab3a93094711501363f63546fef7"

 [[package]]
 name = "icu_locale"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5a396343c7208121dc86e35623d3dfe19814a7613cfd14964994cdc9c9a2e26"
+checksum = "532b11722e350ab6bf916ba6eb0efe3ee54b932666afec989465f9243fe6dd60"
 dependencies = [
 "icu_collections",
 "icu_locale_core",
@@ -7582,9 +7513,9 @@ dependencies = [

 [[package]]
 name = "icu_locale_core"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92219b62b3e2b4d88ac5119f8904c10f8f61bf7e95b640d25ba3075e6cac2c29"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
 dependencies = [
 "displaydoc",
 "litemap",
@@ -7596,15 +7527,15 @@ dependencies = [

 [[package]]
 name = "icu_locale_data"
-version = "2.2.0"
+version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5fdcc9ac77c6d74ff5cf6e65ef3181d6af32003b16fce3a77fb451d2f695993"
+checksum = "1c5f1d16b4c3a2642d3a719f18f6b06070ab0aef246a6418130c955ae08aa831"

 [[package]]
 name = "icu_normalizer"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c56e5ee99d6e3d33bd91c5d85458b6005a22140021cc324cea84dd0e72cff3b4"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
 dependencies = [
 "icu_collections",
 "icu_normalizer_data",
@@ -7616,34 +7547,15 @@ dependencies = [

 [[package]]
 name = "icu_normalizer_data"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da3be0ae77ea334f4da67c12f149704f19f81d1adf7c51cf482943e84a2bad38"
-
-[[package]]
-name = "icu_plurals"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2a50023f1d49ad5c4333380328a0d4a19e4b9d6d842ec06639affd5ba47c8103"
-dependencies = [
- "fixed_decimal",
- "icu_locale",
- "icu_plurals_data",
- "icu_provider",
- "zerovec",
-]
-
-[[package]]
-name = "icu_plurals_data"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8485497155dc865f901decb93ecc20d3e467df67bfeceb91e3ba34e2b11e8e1d"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"

 [[package]]
 name = "icu_properties"
-version = "2.2.0"
+version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bee3b67d0ea5c2cca5003417989af8996f8604e34fb9ddf96208a033901e70de"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
 dependencies = [
 "icu_collections",
 "icu_locale_core",
@@ -7655,15 +7567,15 @@ dependencies = [

 [[package]]
 name = "icu_properties_data"
-version = "2.2.0"
+version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e2bbb201e0c04f7b4b3e14382af113e17ba4f63e2c9d2ee626b720cbce54a14"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"

 [[package]]
 name = "icu_provider"
-version = "2.2.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "139c4cf31c8b5f33d7e199446eff9c1e02decfc2f0eec2c8d71f65befa45b421"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
 dependencies = [
 "displaydoc",
 "icu_locale_core",
@@ -9045,7 +8957,7 @@ version = "5.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d"
 dependencies = [
- "base64 0.22.1",
+ "base64 0.21.7",
 "chrono",
 "getrandom 0.2.17",
 "http 1.4.0",
@@ -9513,7 +9425,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
 "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.45.0",
 ]

 [[package]]
@@ -10918,9 +10830,9 @@ dependencies = [

 [[package]]
 name = "resb"
-version = "0.1.2"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22d392791f3c6802a1905a509e9d1a6039cbbcb5e9e00e5a6d3661f7c874f390"
+checksum = "6a067ab3b5ca3b4dc307d0de9cf75f9f5e6ca9717b192b2f28a36c83e5de9e76"
 dependencies = [
 "potential_utf",
 "serde_core",
@@ -11684,16 +11596,6 @@ dependencies = [
 "serde_core",
 ]

-[[package]]
-name = "serde_ignored"
-version = "0.1.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "115dffd5f3853e06e746965a20dcbae6ee747ae30b543d91b0e089668bb07798"
-dependencies = [
- "serde",
- "serde_core",
-]
-
 [[package]]
 name = "serde_json"
 version = "1.0.149"
@@ -12647,14 +12549,14 @@ dependencies = [

 [[package]]
 name = "temporal_capi"
-version = "0.2.3"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a2a1f001e756a9f5f2d175a9965c4c0b3a054f09f30de3a75ab49765f2deb36"
+checksum = "a151e402c2bdb6a3a2a2f3f225eddaead2e7ce7dd5d3fa2090deb11b17aa4ed8"
 dependencies = [
 "diplomat",
 "diplomat-runtime",
 "icu_calendar",
- "icu_locale_core",
+ "icu_locale",
 "num-traits",
 "temporal_rs",
 "timezone_provider",
@@ -12664,14 +12566,13 @@ dependencies = [

 [[package]]
 name = "temporal_rs"
-version = "0.2.3"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a902a45282e5175186b21d355efc92564601efe6e2d92818dc9e333d50bd4de"
+checksum = "88afde3bd75d2fc68d77a914bece426aa08aa7649ffd0cdd4a11c3d4d33474d1"
 dependencies = [
- "calendrical_calculations",
 "core_maths",
 "icu_calendar",
- "icu_locale_core",
+ "icu_locale",
 "ixdtf",
 "num-traits",
 "timezone_provider",
@@ -12888,9 +12789,9 @@ dependencies = [

 [[package]]
 name = "timezone_provider"
-version = "0.2.3"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c48f9b04628a2b813051e4dfe97c65281e49625eabd09ec343190e31e399a8c2"
+checksum = "df9ba0000e9e73862f3e7ca1ff159e2ddf915c9d8bb11e38a7874760f445d993"
 dependencies = [
 "tinystr",
 "zerotrie",
@@ -12921,9 +12822,9 @@ dependencies = [

 [[package]]
 name = "tinystr"
-version = "0.8.3"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8323304221c2a851516f22236c5722a72eaa19749016521d6dff0824447d96d"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
 dependencies = [
 "displaydoc",
 "serde_core",
@@ -13737,9 +13638,9 @@ dependencies = [

 [[package]]
 name = "v8"
-version = "147.4.0"
+version = "146.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2df8fffd507fb18ed000673a83d937f58e60fb07f3306b2274284125b15137cd"
+checksum = "d97bcac5cdc5a195a4813f1855a6bc658f240452aac36caa12fd6c6f16026ab1"
 dependencies = [
 "bindgen",
 "bitflags 2.10.0",
@@ -14168,7 +14069,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.48.0",
 ]

 [[package]]
@@ -14889,9 +14790,9 @@ dependencies = [

 [[package]]
 name = "yoke"
-version = "0.8.2"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "abe8c5fda708d9ca3df187cae8bfb9ceda00dd96231bed36e445a1a48e66f9ca"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
 dependencies = [
 "stable_deref_trait",
 "yoke-derive",
@@ -14900,9 +14801,9 @@ dependencies = [

 [[package]]
 name = "yoke-derive"
-version = "0.8.2"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de844c262c8848816172cef550288e7dc6c7b7814b4ee56b3e1553f275f1858e"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -15035,21 +14936,20 @@ dependencies = [

 [[package]]
 name = "zerotrie"
-version = "0.2.4"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f9152d31db0792fa83f70fb2f83148effb5c1f5b8c7686c3459e361d9bc20bf"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
 dependencies = [
 "displaydoc",
 "yoke",
 "zerofrom",
- "zerovec",
 ]

 [[package]]
 name = "zerovec"
-version = "0.11.6"
+version = "0.11.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90f911cbc359ab6af17377d242225f4d75119aec87ea711a880987b18cd7b239"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
 dependencies = [
 "serde",
 "yoke",
@@ -15059,9 +14959,9 @@ dependencies = [

 [[package]]
 name = "zerovec-derive"
-version = "0.11.3"
+version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "625dc425cab0dca6dc3c3319506e6593dcb08a9f387ea3b284dbd52a92c40555"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -15132,9 +15032,9 @@ checksum = "3ff05f8caa9038894637571ae6b9e29466c1f4f829d26c9b28f869a29cbe3445"

 [[package]]
 name = "zoneinfo64"
-version = "0.3.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed6eb2607e906160c457fd573e9297e65029669906b9ac8fb1b5cd5e055f0705"
+checksum = "bb2e5597efbe7c421da8a7fd396b20b571704e787c21a272eecf35dfe9d386f0"
 dependencies = [
 "calendrical_calculations",
 "icu_locale_core",
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -5,6 +5,7 @@ members = [
    "agent-graph-store",
    "agent-identity",
    "backend-client",
+    "builtin-mcps",
    "bwrap",
    "ansi-escape",
    "async-utils",
@@ -44,10 +45,6 @@ members = [
    "exec-server",
    "execpolicy",
    "execpolicy-legacy",
-    "ext/extension-api",
-    "ext/goal",
-    "ext/guardian",
-    "ext/memories",
    "external-agent-migration",
    "external-agent-sessions",
    "keyring-store",
@@ -144,6 +141,7 @@ codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
 codex-backend-client = { path = "backend-client" }
+codex-builtin-mcps = { path = "builtin-mcps" }
 codex-chatgpt = { path = "chatgpt" }
 codex-cli = { path = "cli" }
 codex-client = { path = "codex-client" }
@@ -162,9 +160,6 @@ codex-exec = { path = "exec" }
 codex-file-system = { path = "file-system" }
 codex-exec-server = { path = "exec-server" }
 codex-execpolicy = { path = "execpolicy" }
-codex-extension-api = { path = "ext/extension-api" }
-codex-goal-extension = { path = "ext/goal" }
-codex-guardian = { path = "ext/guardian" }
 codex-external-agent-migration = { path = "external-agent-migration" }
 codex-external-agent-sessions = { path = "external-agent-sessions" }
 codex-experimental-api-macros = { path = "codex-experimental-api-macros" }
@@ -180,7 +175,7 @@ codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
 codex-login = { path = "login" }
 codex-message-history = { path = "message-history" }
-codex-memories-extension = { path = "ext/memories" }
+codex-memories-mcp = { path = "memories/mcp" }
 codex-memories-read = { path = "memories/read" }
 codex-memories-write = { path = "memories/write" }
 codex-mcp = { path = "codex-mcp" }
@@ -228,6 +223,7 @@ codex-utils-output-truncation = { path = "utils/output-truncation" }
 codex-utils-path = { path = "utils/path-utils" }
 codex-utils-plugins = { path = "utils/plugins" }
 codex-utils-pty = { path = "utils/pty" }
+codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-rustls-provider = { path = "utils/rustls-provider" }
 codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
 codex-utils-sleep-inhibitor = { path = "utils/sleep-inhibitor" }
@@ -280,6 +276,7 @@ dotenvy = "0.15.7"
 dunce = "1.0.4"
 ed25519-dalek = { version = "2.2.0", features = ["pkcs8"] }
 encoding_rs = "0.8.35"
+env-flags = "0.1.1"
 env_logger = "0.11.9"
 eventsource-stream = "0.2.3"
 flate2 = "1.1.8"
@@ -352,7 +349,6 @@ seccompiler = "0.5.0"
 semver = "1.0"
 sentry = "0.46.0"
 serde = "1"
-serde_ignored = "0.1.14"
 serde_json = "1"
 serde_path_to_error = "0.1.20"
 serde_with = "3.17"
@@ -413,7 +409,7 @@ unicode-width = "0.2"
 url = "2"
 urlencoding = "2.1"
 uuid = "1"
-v8 = "=147.4.0"
+v8 = "=146.4.0"
 vt100 = "0.16.2"
 walkdir = "2.5.0"
 webbrowser = "1.0"
@@ -472,7 +468,6 @@ unwrap_used = "deny"
 [workspace.metadata.cargo-shear]
 ignored = [
    "codex-agent-graph-store",
-    "codex-goal-extension",
    "icu_provider",
    "openssl-sys",
    "codex-v8-poc",
--- a/codex-rs/analytics/src/accepted_lines.rs
+++ b/codex-rs/analytics/src/accepted_lines.rs
@@ -7,6 +7,9 @@ use codex_git_utils::get_git_remote_urls_assume_git_repo;
 use sha1::Digest;
 use std::path::Path;

+const ACCEPTED_LINE_FINGERPRINT_EVENT_TARGET_BYTES: usize = 2 * 1024 * 1024;
+const ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES: usize = 1024;
+
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct AcceptedLineFingerprintSummary {
    pub accepted_added_lines: u64,
@@ -94,38 +97,39 @@ pub fn fingerprint_hash(domain: &str, value: &str) -> String {
 pub(crate) fn accepted_line_fingerprint_event_requests(
    input: AcceptedLineFingerprintEventInput,
 ) -> Vec<TrackEventRequest> {
-    let AcceptedLineFingerprintEventInput {
-        event_type,
-        turn_id,
-        thread_id,
-        product_surface,
-        model_slug,
-        completed_at,
-        repo_hash,
-        accepted_added_lines,
-        accepted_deleted_lines,
-        line_fingerprints: _line_fingerprints,
-    } = input;
-
-    vec![TrackEventRequest::AcceptedLineFingerprints(Box::new(
-        CodexAcceptedLineFingerprintsEventRequest {
-            event_type: "codex_accepted_line_fingerprints",
-            event_params: CodexAcceptedLineFingerprintsEventParams {
-                event_type,
-                turn_id,
-                thread_id,
-                product_surface,
-                model_slug,
-                completed_at,
-                repo_hash,
-                accepted_added_lines,
-                accepted_deleted_lines,
-                // Keep computing local fingerprints for parsing tests and future attribution,
-                // but do not upload path/line hashes in the analytics event payload.
-                line_fingerprints: Vec::new(),
-            },
-        },
-    ))]
+    let chunks = accepted_line_fingerprint_chunks(input.line_fingerprints);
+    chunks
+        .into_iter()
+        .enumerate()
+        .map(|(index, line_fingerprints)| {
+            let is_first_chunk = index == 0;
+            TrackEventRequest::AcceptedLineFingerprints(Box::new(
+                CodexAcceptedLineFingerprintsEventRequest {
+                    event_type: "codex_accepted_line_fingerprints",
+                    event_params: CodexAcceptedLineFingerprintsEventParams {
+                        event_type: input.event_type,
+                        turn_id: input.turn_id.clone(),
+                        thread_id: input.thread_id.clone(),
+                        product_surface: input.product_surface.clone(),
+                        model_slug: input.model_slug.clone(),
+                        completed_at: input.completed_at,
+                        repo_hash: input.repo_hash.clone(),
+                        accepted_added_lines: if is_first_chunk {
+                            input.accepted_added_lines
+                        } else {
+                            0
+                        },
+                        accepted_deleted_lines: if is_first_chunk {
+                            input.accepted_deleted_lines
+                        } else {
+                            0
+                        },
+                        line_fingerprints,
+                    },
+                },
+            ))
+        })
+        .collect()
 }

 pub async fn accepted_line_repo_hash_for_cwd(cwd: &Path) -> Option<String> {
@@ -168,6 +172,44 @@ fn normalize_effective_line(line: &str) -> Option<String> {
    Some(normalized)
 }

+fn accepted_line_fingerprint_chunks(
+    line_fingerprints: Vec<AcceptedLineFingerprint>,
+) -> Vec<Vec<AcceptedLineFingerprint>> {
+    if line_fingerprints.is_empty() {
+        return vec![Vec::new()];
+    }
+
+    let mut chunks = Vec::new();
+    let mut current = Vec::new();
+    let mut current_bytes = ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES;
+
+    for fingerprint in line_fingerprints {
+        let item_bytes = accepted_line_fingerprint_json_bytes(&fingerprint);
+        let separator_bytes = usize::from(!current.is_empty());
+        if !current.is_empty()
+            && current_bytes + separator_bytes + item_bytes
+                > ACCEPTED_LINE_FINGERPRINT_EVENT_TARGET_BYTES
+        {
+            chunks.push(current);
+            current = Vec::new();
+            current_bytes = ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES;
+        }
+        current_bytes += usize::from(!current.is_empty()) + item_bytes;
+        current.push(fingerprint);
+    }
+
+    if !current.is_empty() {
+        chunks.push(current);
+    }
+    chunks
+}
+
+fn accepted_line_fingerprint_json_bytes(fingerprint: &AcceptedLineFingerprint) -> usize {
+    // {"path_hash":"...","line_hash":"..."} plus one byte of array comma
+    // accounted for by the caller when needed.
+    32 + fingerprint.path_hash.len() + fingerprint.line_hash.len()
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -33,7 +33,6 @@ use codex_login::AuthManager;
 use codex_login::CodexAuth;
 use codex_login::default_client::create_client;
 use codex_plugin::PluginTelemetryMetadata;
-use codex_protocol::request_permissions::RequestPermissionsResponse;
 use std::collections::HashSet;
 use std::sync::Arc;
 use std::sync::Mutex;
@@ -173,10 +172,9 @@ impl AnalyticsEventsClient {
        &self,
        tracking: &GuardianReviewTrackContext,
        result: GuardianReviewAnalyticsResult,
-        completed_at_ms: u64,
    ) {
        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::GuardianReview(
-            Box::new(tracking.event_params(result, completed_at_ms)),
+            Box::new(tracking.event_params(result)),
        )));
    }

@@ -350,26 +348,6 @@ impl AnalyticsEventsClient {
        });
    }

-    pub fn track_effective_permissions_approval_response(
-        &self,
-        completed_at_ms: u64,
-        request_id: RequestId,
-        response: RequestPermissionsResponse,
-    ) {
-        self.record_fact(AnalyticsFact::EffectivePermissionsApprovalResponse {
-            completed_at_ms,
-            request_id,
-            response: Box::new(response),
-        });
-    }
-
-    pub fn track_server_request_aborted(&self, completed_at_ms: u64, request_id: RequestId) {
-        self.record_fact(AnalyticsFact::ServerRequestAborted {
-            completed_at_ms,
-            request_id,
-        });
-    }
-
    pub fn track_notification(&self, notification: ServerNotification) {
        if !matches!(
            notification,
--- a/codex-rs/analytics/src/client_tests.rs
+++ b/codex-rs/analytics/src/client_tests.rs
@@ -6,12 +6,14 @@ use crate::events::CodexAcceptedLineFingerprintsEventRequest;
 use crate::events::SkillInvocationEventParams;
 use crate::events::SkillInvocationEventRequest;
 use crate::events::TrackEventRequest;
+use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AnalyticsFact;
 use crate::facts::InvocationType;
 use codex_app_server_protocol::ApprovalsReviewer as AppServerApprovalsReviewer;
 use codex_app_server_protocol::AskForApproval as AppServerAskForApproval;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ClientResponsePayload;
+use codex_app_server_protocol::PermissionProfile as AppServerPermissionProfile;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SandboxPolicy as AppServerSandboxPolicy;
 use codex_app_server_protocol::SessionSource as AppServerSessionSource;
@@ -28,6 +30,7 @@ use codex_app_server_protocol::TurnStartResponse;
 use codex_app_server_protocol::TurnStatus as AppServerTurnStatus;
 use codex_app_server_protocol::TurnSteerParams;
 use codex_app_server_protocol::TurnSteerResponse;
+use codex_protocol::models::PermissionProfile as CorePermissionProfile;
 use codex_utils_absolute_path::test_support::PathBufExt;
 use codex_utils_absolute_path::test_support::test_path_buf;
 use std::collections::HashSet;
@@ -50,7 +53,10 @@ fn sample_accepted_line_fingerprint_event(thread_id: &str) -> TrackEventRequest
                repo_hash: None,
                accepted_added_lines: 1,
                accepted_deleted_lines: 0,
-                line_fingerprints: Vec::new(),
+                line_fingerprints: vec![AcceptedLineFingerprint {
+                    path_hash: "path-hash".to_string(),
+                    line_hash: "line-hash".to_string(),
+                }],
            },
        },
    ))
@@ -140,6 +146,10 @@ fn sample_thread(thread_id: &str) -> Thread {
    }
 }

+fn sample_permission_profile() -> AppServerPermissionProfile {
+    CorePermissionProfile::Disabled.into()
+}
+
 fn sample_thread_start_response() -> ClientResponsePayload {
    ClientResponsePayload::ThreadStart(ThreadStartResponse {
        thread: sample_thread("thread-1"),
@@ -147,11 +157,11 @@ fn sample_thread_start_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
-        runtime_workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
        sandbox: AppServerSandboxPolicy::DangerFullAccess,
+        permission_profile: Some(sample_permission_profile()),
        active_permission_profile: None,
        reasoning_effort: None,
    })
@@ -164,11 +174,11 @@ fn sample_thread_resume_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
-        runtime_workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
        sandbox: AppServerSandboxPolicy::DangerFullAccess,
+        permission_profile: Some(sample_permission_profile()),
        active_permission_profile: None,
        reasoning_effort: None,
    })
@@ -181,11 +191,11 @@ fn sample_thread_fork_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
-        runtime_workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
        sandbox: AppServerSandboxPolicy::DangerFullAccess,
+        permission_profile: Some(sample_permission_profile()),
        active_permission_profile: None,
        reasoning_effort: None,
    })
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -20,6 +20,7 @@ use crate::facts::TurnSteerRejectionReason;
 use crate::facts::TurnSteerResult;
 use crate::facts::TurnSubmissionType;
 use crate::now_unix_millis;
+use crate::now_unix_seconds;
 use codex_app_server_protocol::CodexErrorInfo;
 use codex_app_server_protocol::CommandExecutionSource;
 use codex_login::default_client::originator;
@@ -319,7 +320,6 @@ impl GuardianReviewTrackContext {
    pub(crate) fn event_params(
        &self,
        result: GuardianReviewAnalyticsResult,
-        completed_at_ms: u64,
    ) -> GuardianReviewEventParams {
        GuardianReviewEventParams {
            thread_id: self.thread_id.clone(),
@@ -346,7 +346,7 @@ impl GuardianReviewTrackContext {
            time_to_first_token_ms: result.time_to_first_token_ms,
            completion_latency_ms: Some(self.started_instant.elapsed().as_millis() as u64),
            started_at: self.started_at_ms / 1_000,
-            completed_at: Some(completed_at_ms / 1_000),
+            completed_at: Some(now_unix_seconds()),
            input_tokens: result.token_usage.as_ref().map(|usage| usage.input_tokens),
            cached_input_tokens: result
                .token_usage
@@ -429,7 +429,7 @@ pub(crate) struct GuardianReviewEventPayload {
 #[allow(dead_code)]
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "snake_case")]
-pub(crate) enum FinalApprovalOutcome {
+pub(crate) enum ToolItemFinalApprovalOutcome {
    Unknown,
    NotNeeded,
    ConfigAllowed,
@@ -486,7 +486,7 @@ pub(crate) struct CodexToolItemEventBase {
    pub(crate) review_count: u64,
    pub(crate) guardian_review_count: u64,
    pub(crate) user_review_count: u64,
-    pub(crate) final_approval_outcome: FinalApprovalOutcome,
+    pub(crate) final_approval_outcome: ToolItemFinalApprovalOutcome,
    pub(crate) terminal_status: ToolItemTerminalStatus,
    pub(crate) failure_kind: Option<ToolItemFailureKind>,
    pub(crate) requested_additional_permissions: bool,
@@ -553,8 +553,8 @@ pub(crate) struct CodexReviewEventParams {
    pub(crate) thread_source: Option<ThreadSource>,
    pub(crate) subagent_source: Option<String>,
    pub(crate) parent_thread_id: Option<String>,
-    pub(crate) subject_kind: ReviewSubjectKind,
-    pub(crate) subject_name: String,
+    pub(crate) tool_kind: ReviewSubjectKind,
+    pub(crate) tool_name: String,
    pub(crate) reviewer: Reviewer,
    pub(crate) trigger: ReviewTrigger,
    pub(crate) status: ReviewStatus,
@@ -794,6 +794,8 @@ pub(crate) struct CodexTurnEventParams {
    pub(crate) status: Option<TurnStatus>,
    pub(crate) turn_error: Option<CodexErrorInfo>,
    pub(crate) steer_count: Option<usize>,
+    // TODO(rhan-oai): Populate these once tool-call accounting is emitted from
+    // core; the schema is reserved but these fields are currently always None.
    pub(crate) total_tool_call_count: Option<usize>,
    pub(crate) shell_command_count: Option<usize>,
    pub(crate) file_change_count: Option<usize>,
--- a/codex-rs/analytics/src/facts.rs
+++ b/codex-rs/analytics/src/facts.rs
@@ -25,7 +25,6 @@ use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SkillScope;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
-use codex_protocol::request_permissions::RequestPermissionsResponse;
 use serde::Serialize;
 use std::path::PathBuf;

@@ -306,15 +305,6 @@ pub(crate) enum AnalyticsFact {
        completed_at_ms: u64,
        response: Box<ServerResponse>,
    },
-    EffectivePermissionsApprovalResponse {
-        completed_at_ms: u64,
-        request_id: RequestId,
-        response: Box<RequestPermissionsResponse>,
-    },
-    ServerRequestAborted {
-        completed_at_ms: u64,
-        request_id: RequestId,
-    },
    Notification(Box<ServerNotification>),
    // Facts that do not naturally exist on the app-server protocol surface, or
    // would require non-trivial protocol reshaping on this branch.
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
--- a/codex-rs/app-server-client/Cargo.toml
+++ b/codex-rs/app-server-client/Cargo.toml
@@ -21,8 +21,6 @@ codex-core = { workspace = true }
 codex-exec-server = { workspace = true }
 codex-feedback = { workspace = true }
 codex-protocol = { workspace = true }
-codex-uds = { workspace = true }
-codex-utils-absolute-path = { workspace = true }
 codex-utils-rustls-provider = { workspace = true }
 futures = { workspace = true }
 serde = { workspace = true }
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -25,7 +25,6 @@ use std::io::Result as IoResult;
 use std::sync::Arc;
 use std::time::Duration;

-pub use codex_app_server::app_server_control_socket_path;
 pub use codex_app_server::in_process::DEFAULT_IN_PROCESS_CHANNEL_CAPACITY;
 pub use codex_app_server::in_process::InProcessServerEvent;
 use codex_app_server::in_process::InProcessStartArgs;
@@ -62,7 +61,6 @@ use tracing::warn;

 pub use crate::remote::RemoteAppServerClient;
 pub use crate::remote::RemoteAppServerConnectArgs;
-pub use crate::remote::RemoteAppServerEndpoint;

 /// Transitional access to core-only embedded app-server types.
 ///
@@ -336,8 +334,6 @@ pub struct InProcessClientStartArgs {
    pub cli_overrides: Vec<(String, TomlValue)>,
    /// Loader override knobs used by config API paths.
    pub loader_overrides: LoaderOverrides,
-    /// Whether config API paths should reject unknown config fields.
-    pub strict_config: bool,
    /// Preloaded cloud requirements provider.
    pub cloud_requirements: CloudRequirementsLoader,
    /// Feedback sink used by app-server/core telemetry and logs.
@@ -404,7 +400,6 @@ impl InProcessClientStartArgs {
            config: self.config,
            cli_overrides: self.cli_overrides,
            loader_overrides: self.loader_overrides,
-            strict_config: self.strict_config,
            cloud_requirements: self.cloud_requirements,
            thread_config_loader,
            feedback: self.feedback,
@@ -957,8 +952,6 @@ mod tests {
    use codex_app_server_protocol::ToolRequestUserInputQuestion;
    use codex_core::config::ConfigBuilder;
    use codex_core::init_state_db;
-    use codex_uds::UnixListener;
-    use codex_utils_absolute_path::AbsolutePathBuf;
    use futures::SinkExt;
    use futures::StreamExt;
    use pretty_assertions::assert_eq;
@@ -968,7 +961,6 @@ mod tests {
    use tokio::net::TcpListener;
    use tokio::time::Duration;
    use tokio::time::timeout;
-    use tokio_tungstenite::accept_async;
    use tokio_tungstenite::accept_hdr_async;
    use tokio_tungstenite::tungstenite::Message;
    use tokio_tungstenite::tungstenite::handshake::server::Request as WebSocketRequest;
@@ -1033,7 +1025,6 @@ mod tests {
            config,
            cli_overrides: Vec::new(),
            loader_overrides: LoaderOverrides::default(),
-            strict_config: false,
            cloud_requirements: CloudRequirementsLoader::default(),
            feedback: CodexFeedback::new(),
            log_db: None,
@@ -1109,10 +1100,9 @@ mod tests {
        format!("ws://{addr}")
    }

-    async fn expect_remote_initialize<S>(websocket: &mut tokio_tungstenite::WebSocketStream<S>)
-    where
-        S: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin,
-    {
+    async fn expect_remote_initialize(
+        websocket: &mut tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>,
+    ) {
        let JSONRPCMessage::Request(request) = read_websocket_message(websocket).await else {
            panic!("expected initialize request");
        };
@@ -1133,12 +1123,9 @@ mod tests {
        assert_eq!(notification.method, "initialized");
    }

-    async fn read_websocket_message<S>(
-        websocket: &mut tokio_tungstenite::WebSocketStream<S>,
-    ) -> JSONRPCMessage
-    where
-        S: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin,
-    {
+    async fn read_websocket_message(
+        websocket: &mut tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>,
+    ) -> JSONRPCMessage {
        loop {
            let frame = websocket
                .next()
@@ -1158,12 +1145,10 @@ mod tests {
        }
    }

-    async fn write_websocket_message<S>(
-        websocket: &mut tokio_tungstenite::WebSocketStream<S>,
+    async fn write_websocket_message(
+        websocket: &mut tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>,
        message: JSONRPCMessage,
-    ) where
-        S: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin,
-    {
+    ) {
        websocket
            .send(Message::Text(
                serde_json::to_string(&message)
@@ -1228,10 +1213,8 @@ mod tests {

    fn test_remote_connect_args(websocket_url: String) -> RemoteAppServerConnectArgs {
        RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::WebSocket {
-                websocket_url,
-                auth_token: None,
-            },
+            websocket_url,
+            auth_token: None,
            client_name: "codex-app-server-client-test".to_string(),
            client_version: "0.0.0-test".to_string(),
            experimental_api: true,
@@ -1470,64 +1453,6 @@ mod tests {
        client.shutdown().await.expect("shutdown should complete");
    }

-    #[tokio::test]
-    async fn remote_unix_socket_typed_request_roundtrip_works() {
-        let socket_dir = TempDir::new().expect("socket dir");
-        let socket_path = AbsolutePathBuf::from_absolute_path(socket_dir.path().join("codex.sock"))
-            .expect("socket path should resolve");
-        let mut listener = UnixListener::bind(socket_path.as_path())
-            .await
-            .expect("listener should bind");
-        tokio::spawn(async move {
-            let stream = listener.accept().await.expect("accept should succeed");
-            let mut websocket = accept_async(stream)
-                .await
-                .expect("websocket upgrade should succeed");
-            expect_remote_initialize(&mut websocket).await;
-            let JSONRPCMessage::Request(request) = read_websocket_message(&mut websocket).await
-            else {
-                panic!("expected account/read request");
-            };
-            assert_eq!(request.method, "account/read");
-            write_websocket_message(
-                &mut websocket,
-                JSONRPCMessage::Response(JSONRPCResponse {
-                    id: request.id,
-                    result: serde_json::to_value(GetAccountResponse {
-                        account: None,
-                        requires_openai_auth: false,
-                    })
-                    .expect("response should serialize"),
-                }),
-            )
-            .await;
-            websocket.close(None).await.expect("close should succeed");
-        });
-        let client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::UnixSocket { socket_path },
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: 8,
-        })
-        .await
-        .expect("remote client should connect");
-
-        let response: GetAccountResponse = client
-            .request_typed(ClientRequest::GetAccount {
-                request_id: RequestId::Integer(1),
-                params: codex_app_server_protocol::GetAccountParams {
-                    refresh_token: false,
-                },
-            })
-            .await
-            .expect("typed request should succeed");
-        assert_eq!(response.account, None);
-
-        client.shutdown().await.expect("shutdown should complete");
-    }
-
    #[tokio::test]
    async fn remote_typed_request_accepts_large_single_frame_response() {
        let padding = "x".repeat((17 << 20) + 1024);
@@ -1589,15 +1514,8 @@ mod tests {
        )
        .await;
        let client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::WebSocket {
-                websocket_url,
-                auth_token: Some(auth_token),
-            },
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: 8,
+            auth_token: Some(auth_token),
+            ..test_remote_connect_args(websocket_url)
        })
        .await
        .expect("remote client should connect");
@@ -1608,15 +1526,9 @@ mod tests {
    #[tokio::test]
    async fn remote_connect_rejects_non_loopback_ws_when_auth_configured() {
        let result = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
-            endpoint: RemoteAppServerEndpoint::WebSocket {
-                websocket_url: "ws://example.com:4500".to_string(),
-                auth_token: Some("remote-bearer-token".to_string()),
-            },
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: 8,
+            websocket_url: "ws://example.com:4500".to_string(),
+            auth_token: Some("remote-bearer-token".to_string()),
+            ..test_remote_connect_args("ws://127.0.0.1:1".to_string())
        })
        .await;
        let err = match result {
@@ -1794,8 +1706,13 @@ mod tests {
        })
        .await;
        let mut client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
+            websocket_url,
+            auth_token: None,
+            client_name: "codex-app-server-client-test".to_string(),
+            client_version: "0.0.0-test".to_string(),
+            experimental_api: true,
+            opt_out_notification_methods: Vec::new(),
            channel_capacity: 1,
-            ..test_remote_connect_args(websocket_url)
        })
        .await
        .expect("remote client should connect");
@@ -2192,7 +2109,6 @@ mod tests {
            config: config.clone(),
            cli_overrides: Vec::new(),
            loader_overrides: LoaderOverrides::default(),
-            strict_config: false,
            cloud_requirements: CloudRequirementsLoader::default(),
            feedback: CodexFeedback::new(),
            log_db: None,
@@ -2233,7 +2149,6 @@ mod tests {
            config: Arc::new(config),
            cli_overrides: Vec::new(),
            loader_overrides: LoaderOverrides::default(),
-            strict_config: false,
            cloud_requirements: CloudRequirementsLoader::default(),
            feedback: CodexFeedback::new(),
            log_db: None,
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -1,13 +1,11 @@
 /*
-This module implements the remote app-server client transport.
+This module implements the websocket-backed app-server client transport.

 It owns the remote connection lifecycle, including the initialize/initialized
 handshake, JSON-RPC request/response routing, server-request resolution, and
-notification streaming. Remote connections always carry WebSocket frames, over
-either TCP WebSocket URLs or local Unix sockets. The rest of the crate uses the
-same `AppServerEvent` surface for both in-process and remote transports, so
-callers such as the TUI can switch between them without changing their
-higher-level session logic.
+notification streaming. The rest of the crate uses the same `AppServerEvent`
+surface for both in-process and remote transports, so callers such as the TUI
+can switch between them without changing their higher-level session logic.
 */

 use std::collections::HashMap;
@@ -37,23 +35,17 @@ use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::Result as JsonRpcResult;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
-use codex_uds::UnixStream;
-use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_rustls_provider::ensure_rustls_crypto_provider;
 use futures::SinkExt;
 use futures::StreamExt;
 use serde::de::DeserializeOwned;
-use tokio::io::AsyncRead;
-use tokio::io::AsyncWrite;
 use tokio::net::TcpStream;
 use tokio::sync::mpsc;
 use tokio::sync::oneshot;
 use tokio::time::timeout;
 use tokio_tungstenite::MaybeTlsStream;
 use tokio_tungstenite::WebSocketStream;
-use tokio_tungstenite::client_async_with_config;
 use tokio_tungstenite::connect_async_with_config;
-use tokio_tungstenite::tungstenite::Error as TungsteniteError;
 use tokio_tungstenite::tungstenite::Message;
 use tokio_tungstenite::tungstenite::client::IntoClientRequest;
 use tokio_tungstenite::tungstenite::http::HeaderValue;
@@ -65,30 +57,18 @@ use url::Url;
 const CONNECT_TIMEOUT: Duration = Duration::from_secs(10);
 const INITIALIZE_TIMEOUT: Duration = Duration::from_secs(10);
 const REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE: usize = 128 << 20;
-// Tungstenite still needs an HTTP request URI for the WebSocket handshake;
-// the bytes travel over the Unix socket, not TCP.
-const UDS_WEBSOCKET_HANDSHAKE_URL: &str = "ws://localhost/rpc";
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub enum RemoteAppServerEndpoint {
-    WebSocket {
-        websocket_url: String,
-        auth_token: Option<String>,
-    },
-    UnixSocket {
-        socket_path: AbsolutePathBuf,
-    },
-}

 #[derive(Debug, Clone)]
 pub struct RemoteAppServerConnectArgs {
-    pub endpoint: RemoteAppServerEndpoint,
+    pub websocket_url: String,
+    pub auth_token: Option<String>,
    pub client_name: String,
    pub client_version: String,
    pub experimental_api: bool,
    pub opt_out_notification_methods: Vec<String>,
    pub channel_capacity: usize,
 }
+
 impl RemoteAppServerConnectArgs {
    fn initialize_params(&self) -> InitializeParams {
        let capabilities = InitializeCapabilities {
@@ -161,39 +141,69 @@ pub struct RemoteAppServerRequestHandle {
 impl RemoteAppServerClient {
    pub async fn connect(args: RemoteAppServerConnectArgs) -> IoResult<Self> {
        let channel_capacity = args.channel_capacity.max(1);
-        let initialize_params = args.initialize_params();
-        match args.endpoint {
-            RemoteAppServerEndpoint::WebSocket {
-                websocket_url,
-                auth_token,
-            } => {
-                let (endpoint, stream) =
-                    connect_websocket_endpoint(websocket_url, auth_token).await?;
-                Self::connect_with_stream(channel_capacity, endpoint, stream, initialize_params)
-                    .await
-            }
-            RemoteAppServerEndpoint::UnixSocket { socket_path } => {
-                let (endpoint, stream) = connect_unix_socket_endpoint(socket_path).await?;
-                Self::connect_with_stream(channel_capacity, endpoint, stream, initialize_params)
-                    .await
-            }
+        let websocket_url = args.websocket_url.clone();
+        let url = Url::parse(&websocket_url).map_err(|err| {
+            IoError::new(
+                ErrorKind::InvalidInput,
+                format!("invalid websocket URL `{websocket_url}`: {err}"),
+            )
+        })?;
+        if args.auth_token.is_some() && !websocket_url_supports_auth_token(&url) {
+            return Err(IoError::new(
+                ErrorKind::InvalidInput,
+                format!(
+                    "remote auth tokens require `wss://` or loopback `ws://` URLs; got `{websocket_url}`"
+                ),
+            ));
        }
-    }
-
-    async fn connect_with_stream<S>(
-        channel_capacity: usize,
-        endpoint: String,
-        stream: WebSocketStream<S>,
-        initialize_params: InitializeParams,
-    ) -> IoResult<Self>
-    where
-        S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
-    {
+        let mut request = url.as_str().into_client_request().map_err(|err| {
+            IoError::new(
+                ErrorKind::InvalidInput,
+                format!("invalid websocket URL `{websocket_url}`: {err}"),
+            )
+        })?;
+        if let Some(auth_token) = args.auth_token.as_deref() {
+            let header_value =
+                HeaderValue::from_str(&format!("Bearer {auth_token}")).map_err(|err| {
+                    IoError::new(
+                        ErrorKind::InvalidInput,
+                        format!("invalid remote authorization header value: {err}"),
+                    )
+                })?;
+            request.headers_mut().insert(AUTHORIZATION, header_value);
+        }
+        ensure_rustls_crypto_provider();
+        // Remote resume responses can legitimately carry large thread histories.
+        // Keep a bounded cap, but raise it above tungstenite's 16 MiB frame default.
+        let websocket_config = WebSocketConfig::default()
+            .max_frame_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE))
+            .max_message_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE));
+        let stream = timeout(
+            CONNECT_TIMEOUT,
+            connect_async_with_config(
+                request,
+                Some(websocket_config),
+                /*disable_nagle*/ false,
+            ),
+        )
+        .await
+        .map_err(|_| {
+            IoError::new(
+                ErrorKind::TimedOut,
+                format!("timed out connecting to remote app server at `{websocket_url}`"),
+            )
+        })?
+        .map(|(stream, _response)| stream)
+        .map_err(|err| {
+            IoError::other(format!(
+                "failed to connect to remote app server at `{websocket_url}`: {err}"
+            ))
+        })?;
        let mut stream = stream;
        let pending_events = initialize_remote_connection(
            &mut stream,
-            &endpoint,
-            initialize_params,
+            &websocket_url,
+            args.initialize_params(),
            INITIALIZE_TIMEOUT,
        )
        .await?;
@@ -225,13 +235,13 @@ impl RemoteAppServerClient {
                                if let Err(err) = write_jsonrpc_message(
                                    &mut stream,
                                    JSONRPCMessage::Request(jsonrpc_request_from_client_request(*request)),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await
                                {
                                    let err_message = err.to_string();
                                    let message = format!(
-                                        "remote app server at `{endpoint}` write failed: {err_message}"
+                                        "remote app server at `{websocket_url}` write failed: {err_message}"
                                    );
                                    if let Some(response_tx) = pending_requests.remove(&request_id) {
                                        let _ = response_tx.send(Err(err));
@@ -252,7 +262,7 @@ impl RemoteAppServerClient {
                                    JSONRPCMessage::Notification(
                                        jsonrpc_notification_from_client_notification(notification),
                                    ),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await;
                                let _ = response_tx.send(result);
@@ -268,7 +278,7 @@ impl RemoteAppServerClient {
                                        id: request_id,
                                        result,
                                    }),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await;
                                let _ = response_tx.send(result);
@@ -284,20 +294,16 @@ impl RemoteAppServerClient {
                                        error,
                                        id: request_id,
                                    }),
-                                    &endpoint,
+                                    &websocket_url,
                                )
                                .await;
                                let _ = response_tx.send(result);
                            }
                            RemoteClientCommand::Shutdown { response_tx } => {
-                                let close_result = stream.close(None).await.or_else(|err| {
-                                    if websocket_close_error_is_already_closed(&err) {
-                                        Ok(())
-                                    } else {
-                                        Err(IoError::other(format!(
-                                            "failed to close websocket app server `{endpoint}`: {err}"
-                                        )))
-                                    }
+                                let close_result = stream.close(None).await.map_err(|err| {
+                                    IoError::other(format!(
+                                        "failed to close websocket app server `{websocket_url}`: {err}"
+                                    ))
                                });
                                let _ = response_tx.send(close_result);
                                break;
@@ -358,13 +364,13 @@ impl RemoteAppServerClient {
                                                        },
                                                        id: request_id,
                                                    }),
-                                                    &endpoint,
+                                                    &websocket_url,
                                                )
                                                .await
                                                {
                                                    let err_message = reject_err.to_string();
                                                    let message = format!(
-                                                        "remote app server at `{endpoint}` write failed: {err_message}"
+                                                        "remote app server at `{websocket_url}` write failed: {err_message}"
                                                    );
                                                    let _ = deliver_event(
                                                        &event_tx,
@@ -381,7 +387,7 @@ impl RemoteAppServerClient {
                                    }
                                    Err(err) => {
                                        let message = format!(
-                                            "remote app server at `{endpoint}` sent invalid JSON-RPC: {err}"
+                                            "remote app server at `{websocket_url}` sent invalid JSON-RPC: {err}"
                                        );
                                        let _ = deliver_event(
                                            &event_tx,
@@ -402,7 +408,7 @@ impl RemoteAppServerClient {
                                    .filter(|reason| !reason.is_empty())
                                    .unwrap_or_else(|| "connection closed".to_string());
                                let message = format!(
-                                    "remote app server at `{endpoint}` disconnected: {reason}"
+                                    "remote app server at `{websocket_url}` disconnected: {reason}"
                                );
                                let _ = deliver_event(
                                    &event_tx,
@@ -422,7 +428,7 @@ impl RemoteAppServerClient {
                            | Some(Ok(Message::Frame(_))) => {}
                            Some(Err(err)) => {
                                let message = format!(
-                                    "remote app server at `{endpoint}` transport failed: {err}"
+                                    "remote app server at `{websocket_url}` transport failed: {err}"
                                );
                                let _ = deliver_event(
                                    &event_tx,
@@ -435,7 +441,7 @@ impl RemoteAppServerClient {
                            }
                            None => {
                                let message = format!(
-                                    "remote app server at `{endpoint}` closed the connection"
+                                    "remote app server at `{websocket_url}` closed the connection"
                                );
                                let _ = deliver_event(
                                    &event_tx,
@@ -672,131 +678,12 @@ impl RemoteAppServerRequestHandle {
    }
 }

-async fn connect_websocket_endpoint(
-    websocket_url: String,
-    auth_token: Option<String>,
-) -> IoResult<(String, WebSocketStream<MaybeTlsStream<TcpStream>>)> {
-    let url = Url::parse(&websocket_url).map_err(|err| {
-        IoError::new(
-            ErrorKind::InvalidInput,
-            format!("invalid websocket URL `{websocket_url}`: {err}"),
-        )
-    })?;
-    if auth_token.is_some() && !websocket_url_supports_auth_token(&url) {
-        return Err(IoError::new(
-            ErrorKind::InvalidInput,
-            format!(
-                "remote auth tokens require `wss://` or loopback `ws://` URLs; got `{websocket_url}`"
-            ),
-        ));
-    }
-
-    let mut request = url.as_str().into_client_request().map_err(|err| {
-        IoError::new(
-            ErrorKind::InvalidInput,
-            format!("invalid websocket URL `{websocket_url}`: {err}"),
-        )
-    })?;
-    if let Some(auth_token) = auth_token.as_deref() {
-        let header_value =
-            HeaderValue::from_str(&format!("Bearer {auth_token}")).map_err(|err| {
-                IoError::new(
-                    ErrorKind::InvalidInput,
-                    format!("invalid remote authorization header value: {err}"),
-                )
-            })?;
-        request.headers_mut().insert(AUTHORIZATION, header_value);
-    }
-
-    ensure_rustls_crypto_provider();
-    let websocket_config = remote_websocket_config();
-    let stream = timeout(
-        CONNECT_TIMEOUT,
-        connect_async_with_config(
-            request,
-            Some(websocket_config),
-            /*disable_nagle*/ false,
-        ),
-    )
-    .await
-    .map_err(|_| {
-        IoError::new(
-            ErrorKind::TimedOut,
-            format!("timed out connecting to remote app server at `{websocket_url}`"),
-        )
-    })?
-    .map(|(stream, _response)| stream)
-    .map_err(|err| {
-        IoError::other(format!(
-            "failed to connect to remote app server at `{websocket_url}`: {err}"
-        ))
-    })?;
-
-    Ok((websocket_url, stream))
-}
-
-async fn connect_unix_socket_endpoint(
-    socket_path: AbsolutePathBuf,
-) -> IoResult<(String, WebSocketStream<UnixStream>)> {
-    let endpoint = format!("unix://{}", socket_path.display());
-    let request = UDS_WEBSOCKET_HANDSHAKE_URL
-        .into_client_request()
-        .map_err(|err| {
-            IoError::new(
-                ErrorKind::InvalidInput,
-                format!("invalid UDS websocket handshake URL: {err}"),
-            )
-        })?;
-    let stream = timeout(CONNECT_TIMEOUT, UnixStream::connect(socket_path.as_path()))
-        .await
-        .map_err(|_| {
-            IoError::new(
-                ErrorKind::TimedOut,
-                format!("timed out connecting to remote app server at `{endpoint}`"),
-            )
-        })?
-        .map_err(|err| {
-            IoError::other(format!(
-                "failed to connect to remote app server at `{endpoint}`: {err}"
-            ))
-        })?;
-    let websocket_config = remote_websocket_config();
-    let stream = timeout(
-        CONNECT_TIMEOUT,
-        client_async_with_config(request, stream, Some(websocket_config)),
-    )
-    .await
-    .map_err(|_| {
-        IoError::new(
-            ErrorKind::TimedOut,
-            format!("timed out upgrading remote app server at `{endpoint}`"),
-        )
-    })?
-    .map(|(stream, _response)| stream)
-    .map_err(|err| {
-        IoError::other(format!(
-            "failed to upgrade remote app server at `{endpoint}`: {err}"
-        ))
-    })?;
-
-    Ok((endpoint, stream))
-}
-
-fn remote_websocket_config() -> WebSocketConfig {
-    WebSocketConfig::default()
-        .max_frame_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE))
-        .max_message_size(Some(REMOTE_APP_SERVER_MAX_WEBSOCKET_MESSAGE_SIZE))
-}
-
-async fn initialize_remote_connection<S>(
-    stream: &mut WebSocketStream<S>,
-    endpoint: &str,
+async fn initialize_remote_connection(
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
+    websocket_url: &str,
    params: InitializeParams,
    initialize_timeout: Duration,
-) -> IoResult<Vec<AppServerEvent>>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
+) -> IoResult<Vec<AppServerEvent>> {
    let initialize_request_id = RequestId::String("initialize".to_string());
    let mut pending_events = Vec::new();
    write_jsonrpc_message(
@@ -807,7 +694,7 @@ where
                params,
            },
        )),
-        endpoint,
+        websocket_url,
    )
    .await?;

@@ -817,7 +704,7 @@ where
                Some(Ok(Message::Text(text))) => {
                    let message = serde_json::from_str::<JSONRPCMessage>(&text).map_err(|err| {
                        IoError::other(format!(
-                            "remote app server at `{endpoint}` sent invalid initialize response: {err}"
+                            "remote app server at `{websocket_url}` sent invalid initialize response: {err}"
                        ))
                    })?;
                    match message {
@@ -826,7 +713,7 @@ where
                        }
                        JSONRPCMessage::Error(error) if error.id == initialize_request_id => {
                            break Err(IoError::other(format!(
-                                "remote app server at `{endpoint}` rejected initialize: {}",
+                                "remote app server at `{websocket_url}` rejected initialize: {}",
                                error.error.message
                            )));
                        }
@@ -856,7 +743,7 @@ where
                                            },
                                            id: request_id,
                                        }),
-                                        endpoint,
+                                        websocket_url,
                                    )
                                    .await?;
                                }
@@ -878,19 +765,19 @@ where
                    break Err(IoError::new(
                        ErrorKind::ConnectionAborted,
                        format!(
-                            "remote app server at `{endpoint}` closed during initialize: {reason}"
+                            "remote app server at `{websocket_url}` closed during initialize: {reason}"
                        ),
                    ));
                }
                Some(Err(err)) => {
                    break Err(IoError::other(format!(
-                        "remote app server at `{endpoint}` transport failed during initialize: {err}"
+                        "remote app server at `{websocket_url}` transport failed during initialize: {err}"
                    )));
                }
                None => {
                    break Err(IoError::new(
                        ErrorKind::UnexpectedEof,
-                        format!("remote app server at `{endpoint}` closed during initialize"),
+                        format!("remote app server at `{websocket_url}` closed during initialize"),
                    ));
                }
            }
@@ -900,7 +787,7 @@ where
    .map_err(|_| {
        IoError::new(
            ErrorKind::TimedOut,
-            format!("timed out waiting for initialize response from `{endpoint}`"),
+            format!("timed out waiting for initialize response from `{websocket_url}`"),
        )
    })??;

@@ -909,7 +796,7 @@ where
        JSONRPCMessage::Notification(jsonrpc_notification_from_client_notification(
            ClientNotification::Initialized,
        )),
-        endpoint,
+        websocket_url,
    )
    .await?;

@@ -963,35 +850,21 @@ fn jsonrpc_notification_from_client_notification(
    }
 }

-async fn write_jsonrpc_message<S>(
-    stream: &mut WebSocketStream<S>,
+async fn write_jsonrpc_message(
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
    message: JSONRPCMessage,
-    endpoint: &str,
-) -> IoResult<()>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
+    websocket_url: &str,
+) -> IoResult<()> {
    let payload = serde_json::to_string(&message).map_err(IoError::other)?;
    stream
        .send(Message::Text(payload.into()))
        .await
        .map_err(|err| {
            IoError::other(format!(
-                "failed to write websocket message to `{endpoint}`: {err}"
+                "failed to write websocket message to `{websocket_url}`: {err}"
            ))
        })
 }
-
-fn websocket_close_error_is_already_closed(err: &TungsteniteError) -> bool {
-    match err {
-        TungsteniteError::ConnectionClosed | TungsteniteError::AlreadyClosed => true,
-        TungsteniteError::Io(err) => matches!(
-            err.kind(),
-            ErrorKind::BrokenPipe | ErrorKind::ConnectionReset | ErrorKind::NotConnected
-        ),
-        _ => false,
-    }
-}
 #[cfg(test)]
 mod tests {
    use super::*;
--- a/codex-rs/app-server-daemon/Cargo.toml
+++ b/codex-rs/app-server-daemon/Cargo.toml
@@ -16,14 +16,13 @@ workspace = true
 anyhow = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-app-server-transport = { workspace = true }
-codex-utils-home-dir = { workspace = true }
+codex-core = { workspace = true }
 codex-uds = { workspace = true }
 futures = { workspace = true }
 libc = { workspace = true }
 reqwest = { workspace = true, features = ["rustls-tls"] }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
-sha2 = { workspace = true }
 tokio = { workspace = true, features = [
    "fs",
    "io-util",
--- a/codex-rs/app-server-daemon/README.md
+++ b/codex-rs/app-server-daemon/README.md
@@ -52,8 +52,8 @@ the standalone managed binary under `CODEX_HOME`.
 | Situation | What starts | Does this daemon fetch new binaries? | Does a running app-server eventually move to a newer binary on its own? |
 | --- | --- | --- | --- |
 | `install.sh` has run, but only `start` is used | `start` uses `CODEX_HOME/packages/standalone/current/codex` | No | No. The managed path is used when starting or restarting, but no updater is installed. |
-| `install.sh` has run, then `bootstrap` is used | The pidfile backend uses `CODEX_HOME/packages/standalone/current/codex` | Yes. Bootstrap launches a detached updater loop that runs `install.sh` hourly. | Yes, while that updater process is alive and app-server is already running. After a successful fetch, the updater restarts app-server with the refreshed binary and only then replaces its own process image. |
-| Some other tool updates the managed binary path | The next fresh start or restart uses the updated file at that path | Only if `bootstrap` is active, because the updater still runs `install.sh` on its normal cadence. | Without `bootstrap`, no. With `bootstrap`, the next successful updater pass compares the managed binary contents after `install.sh` runs; if app-server is running and they differ from the updater's current image, it refreshes app-server first and then itself. |
+| `install.sh` has run, then `bootstrap` is used | The pidfile backend uses `CODEX_HOME/packages/standalone/current/codex` | Yes. Bootstrap launches a detached updater loop that runs `install.sh` hourly. | Yes, while that updater process is alive. After a successful fetch, it restarts a currently running app-server only when the managed binary reports a different version. |
+| Some other tool updates the managed binary path | The next fresh start or restart uses the updated file at that path | No | Not automatically. The existing process keeps the old executable image until an explicit `restart`. |

 ### Standalone installs

@@ -62,24 +62,19 @@ For installs created by `install.sh`:
 - lifecycle commands always use the standalone managed binary path
 - `bootstrap` is supported
 - `bootstrap` starts a detached pid-backed updater loop that fetches via
-  `install.sh`
- after a successful refresh, if app-server is running and the managed binary
-  contents changed, the updater restarts app-server with that binary first and
-  only then replaces its own process image
+  `install.sh`, then restarts app-server if it is running on a different version
 - the updater loop is not reboot-persistent; it must be started again by
  rerunning `bootstrap` after a reboot

 ### Out-of-band updates

 This daemon does not watch arbitrary executable files for replacement. If some
-other tool updates the managed binary path:
+other tool updates a binary that the daemon would use on its next launch:

- without `bootstrap`, a currently running app-server remains on the old
-  executable image until an explicit `restart`
- with `bootstrap`, the detached updater loop notices the changed managed
-  binary on its next successful scheduled pass after running `install.sh`; if
-  app-server is running, it refreshes app-server first and then refreshes itself
-  once that replacement starts successfully
+- a currently running app-server remains on the old executable image
+- `restart` will launch the updated binary
+- for bootstrapped daemons, the detached updater loop only reacts to updates it
+  fetched itself; it does not watch arbitrary file replacement

 ## Lifecycle semantics

@@ -92,10 +87,6 @@ JSON-RPC initialize handshake on the Unix control socket.
 for future starts. If a managed app-server is already running, they restart it
 so the new setting takes effect immediately.

-Top-level `codex remote-control` bootstraps with `--remote-control` when the
-updater loop is not running. Otherwise it enables remote control and starts the
-daemon normally.
-
 `stop` sends a graceful termination request first, then sends a second
 termination signal after the grace window if the process is still alive.

--- a/codex-rs/app-server-daemon/src/backend/mod.rs
+++ b/codex-rs/app-server-daemon/src/backend/mod.rs
@@ -1,6 +1,5 @@
 mod pid;

-use std::path::Path;
 use std::path::PathBuf;

 use serde::Serialize;
@@ -32,15 +31,3 @@ pub(crate) fn pid_backend(paths: BackendPaths) -> PidBackend {
 pub(crate) fn pid_update_loop_backend(paths: BackendPaths) -> PidBackend {
    PidBackend::new_update_loop(paths.codex_bin, paths.update_pid_file)
 }
-
-pub(crate) async fn append_stderr_log_tail_context(pid_file: &Path, context: &mut String) {
-    match pid::read_stderr_log_tail(pid_file).await {
-        Ok(Some(tail)) => tail.append_to_context(context),
-        Ok(None) => {}
-        Err(err) => {
-            context.push_str(&format!(
-                "\n\nFailed to read managed app-server stderr log: {err:#}"
-            ));
-        }
-    }
-}
--- a/codex-rs/app-server-daemon/src/backend/pid.rs
+++ b/codex-rs/app-server-daemon/src/backend/pid.rs
@@ -1,4 +1,3 @@
-use std::io::SeekFrom;
 use std::path::Path;
 use std::path::PathBuf;
 #[cfg(unix)]
@@ -11,8 +10,6 @@ use anyhow::bail;
 use serde::Deserialize;
 use serde::Serialize;
 use tokio::fs;
-use tokio::io::AsyncReadExt;
-use tokio::io::AsyncSeekExt;
 #[cfg(unix)]
 use tokio::process::Command;
 use tokio::time::sleep;
@@ -21,7 +18,6 @@ const STOP_POLL_INTERVAL: Duration = Duration::from_millis(50);
 const STOP_GRACE_PERIOD: Duration = Duration::from_secs(60);
 const STOP_TIMEOUT: Duration = Duration::from_secs(70);
 const START_TIMEOUT: Duration = Duration::from_secs(10);
-const STDERR_LOG_TAIL_BYTES: u64 = 4096;

 #[derive(Debug)]
 #[cfg_attr(not(unix), allow(dead_code))]
@@ -39,25 +35,6 @@ struct PidRecord {
    process_start_time: String,
 }

-#[derive(Debug, Clone, PartialEq, Eq)]
-pub(crate) struct PidLogTail {
-    pub(crate) path: PathBuf,
-    pub(crate) contents: String,
-}
-
-impl PidLogTail {
-    pub(crate) fn append_to_context(&self, context: &mut String) {
-        context.push_str(&format!(
-            "\n\nManaged app-server stderr ({}):",
-            self.path.display()
-        ));
-        for line in self.contents.lines() {
-            context.push_str("\n  ");
-            context.push_str(line);
-        }
-    }
-}
-
 #[derive(Debug, Clone, PartialEq, Eq)]
 enum PidFileState {
    Missing,
@@ -152,18 +129,11 @@ impl PidBackend {
            }
        };
        let mut command = Command::new(&self.codex_bin);
-        let stderr_log = match self.open_stderr_log().await {
-            Ok(stderr_log) => stderr_log,
-            Err(err) => {
-                let _ = fs::remove_file(&self.pid_file).await;
-                return Err(err);
-            }
-        };
        command
            .args(self.command_args())
            .stdin(Stdio::null())
            .stdout(Stdio::null())
-            .stderr(Stdio::from(stderr_log.into_std().await));
+            .stderr(Stdio::null());

        #[cfg(unix)]
        {
@@ -199,11 +169,8 @@ impl PidBackend {
            },
            Err(err) => {
                let _ = self.terminate_process(pid);
-                let mut context =
-                    format!("failed to record pid-managed app-server process {pid} startup");
-                super::append_stderr_log_tail_context(&self.pid_file, &mut context).await;
                let _ = fs::remove_file(&self.pid_file).await;
-                return Err(err).context(context);
+                return Err(err);
            }
        };
        let contents = serde_json::to_vec(&record).context("failed to serialize pid record")?;
@@ -377,29 +344,18 @@ impl PidBackend {
        Ok(reservation_lock)
    }

-    #[cfg(unix)]
-    async fn open_stderr_log(&self) -> Result<fs::File> {
-        let stderr_log_file = stderr_log_file_for_pid_file(&self.pid_file);
-        fs::OpenOptions::new()
-            .create(true)
-            .truncate(true)
-            .write(true)
-            .open(&stderr_log_file)
-            .await
-            .with_context(|| {
-                format!(
-                    "failed to open stderr log for pid-managed app server {}",
-                    stderr_log_file.display()
-                )
-            })
-    }
-
    #[cfg(unix)]
    fn command_args(&self) -> Vec<&'static str> {
        match self.command_kind {
            PidCommandKind::AppServer {
                remote_control_enabled: true,
-            } => vec!["app-server", "--remote-control", "--listen", "unix://"],
+            } => vec![
+                "--enable",
+                "remote_control",
+                "app-server",
+                "--listen",
+                "unix://",
+            ],
            PidCommandKind::AppServer {
                remote_control_enabled: false,
            } => vec!["app-server", "--listen", "unix://"],
@@ -426,56 +382,6 @@ impl PidBackend {
    }
 }

-pub(crate) async fn read_stderr_log_tail(pid_file: &Path) -> Result<Option<PidLogTail>> {
-    let path = stderr_log_file_for_pid_file(pid_file);
-    let Some(contents) = read_log_tail(&path, STDERR_LOG_TAIL_BYTES).await? else {
-        return Ok(None);
-    };
-    Ok(Some(PidLogTail { path, contents }))
-}
-
-fn stderr_log_file_for_pid_file(pid_file: &Path) -> PathBuf {
-    pid_file.with_extension("stderr.log")
-}
-
-async fn read_log_tail(path: &Path, byte_limit: u64) -> Result<Option<String>> {
-    let mut file = match fs::File::open(path).await {
-        Ok(file) => file,
-        Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(None),
-        Err(err) => {
-            return Err(err)
-                .with_context(|| format!("failed to open stderr log {}", path.display()));
-        }
-    };
-    let len = file
-        .metadata()
-        .await
-        .with_context(|| format!("failed to inspect stderr log {}", path.display()))?
-        .len();
-    if len == 0 {
-        return Ok(None);
-    }
-
-    let start = len.saturating_sub(byte_limit);
-    file.seek(SeekFrom::Start(start))
-        .await
-        .with_context(|| format!("failed to seek stderr log {}", path.display()))?;
-    let mut bytes = Vec::new();
-    file.read_to_end(&mut bytes)
-        .await
-        .with_context(|| format!("failed to read stderr log {}", path.display()))?;
-    if start > 0
-        && let Some(newline_index) = bytes.iter().position(|byte| *byte == b'\n')
-    {
-        bytes.drain(..=newline_index);
-    }
-    let contents = String::from_utf8_lossy(&bytes).trim_end().to_string();
-    if contents.is_empty() {
-        return Ok(None);
-    }
-    Ok(Some(contents))
-}
-
 #[cfg(unix)]
 fn process_exists(pid: u32) -> bool {
    let Ok(pid) = libc::pid_t::try_from(pid) else {
--- a/codex-rs/app-server-daemon/src/backend/pid_tests.rs
+++ b/codex-rs/app-server-daemon/src/backend/pid_tests.rs
@@ -6,10 +6,7 @@ use tempfile::TempDir;
 use super::PidBackend;
 use super::PidCommandKind;
 use super::PidFileState;
-use super::PidLogTail;
 use super::PidRecord;
-use super::read_stderr_log_tail;
-use super::stderr_log_file_for_pid_file;
 use super::try_lock_file;

 #[tokio::test]
@@ -159,38 +156,3 @@ fn update_loop_uses_hidden_app_server_subcommand() {
        vec!["app-server", "daemon", "pid-update-loop"]
    );
 }
-
-#[test]
-fn app_server_remote_control_uses_runtime_flag() {
-    let backend = PidBackend::new(
-        "codex".into(),
-        "app-server.pid".into(),
-        /*remote_control_enabled*/ true,
-    );
-
-    assert_eq!(
-        backend.command_args(),
-        vec!["app-server", "--remote-control", "--listen", "unix://"]
-    );
-}
-
-#[tokio::test]
-async fn read_stderr_log_tail_returns_recent_complete_lines() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    let log_file = stderr_log_file_for_pid_file(&pid_file);
-    let contents = format!("{}\nrecent error\nusage", "x".repeat(4100));
-    tokio::fs::write(&log_file, contents)
-        .await
-        .expect("write stderr log");
-
-    assert_eq!(
-        read_stderr_log_tail(&pid_file)
-            .await
-            .expect("read stderr log"),
-        Some(PidLogTail {
-            path: log_file,
-            contents: "recent error\nusage".to_string(),
-        })
-    );
-}
--- a/codex-rs/app-server-daemon/src/client.rs
+++ b/codex-rs/app-server-daemon/src/client.rs
@@ -5,7 +5,6 @@ use anyhow::Context;
 use anyhow::Result;
 use anyhow::anyhow;
 use codex_app_server_protocol::ClientInfo;
-use codex_app_server_protocol::InitializeCapabilities;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::InitializeResponse;
 use codex_app_server_protocol::JSONRPCMessage;
@@ -15,16 +14,12 @@ use codex_app_server_protocol::RequestId;
 use codex_uds::UnixStream;
 use futures::SinkExt;
 use futures::StreamExt;
-use tokio::io::AsyncRead;
-use tokio::io::AsyncWrite;
 use tokio::time::timeout;
-use tokio_tungstenite::WebSocketStream;
 use tokio_tungstenite::client_async;
 use tokio_tungstenite::tungstenite::Message;

-pub(crate) const CONTROL_SOCKET_RESPONSE_TIMEOUT: Duration = Duration::from_secs(2);
+const PROBE_TIMEOUT: Duration = Duration::from_secs(2);
 const CLIENT_NAME: &str = "codex_app_server_daemon";
-const INITIALIZE_REQUEST_ID: RequestId = RequestId::Integer(1);

 #[derive(Debug, Clone, PartialEq, Eq)]
 pub(crate) struct ProbeInfo {
@@ -32,7 +27,7 @@ pub(crate) struct ProbeInfo {
 }

 pub(crate) async fn probe(socket_path: &Path) -> Result<ProbeInfo> {
-    timeout(CONTROL_SOCKET_RESPONSE_TIMEOUT, probe_inner(socket_path))
+    timeout(PROBE_TIMEOUT, probe_inner(socket_path))
        .await
        .with_context(|| {
            format!(
@@ -43,42 +38,15 @@ pub(crate) async fn probe(socket_path: &Path) -> Result<ProbeInfo> {
 }

 async fn probe_inner(socket_path: &Path) -> Result<ProbeInfo> {
-    let mut websocket = connect(socket_path).await?;
-
-    let initialize_response = initialize(&mut websocket, /*experimental_api*/ false).await?;
-    let initialized = JSONRPCMessage::Notification(JSONRPCNotification {
-        method: "initialized".to_string(),
-        params: None,
-    });
-    send_message(&mut websocket, &initialized)
-        .await
-        .context("failed to send initialized notification")?;
-    websocket.close(None).await.ok();
-
-    Ok(ProbeInfo {
-        app_server_version: parse_version_from_user_agent(&initialize_response.user_agent)?,
-    })
-}
-
-pub(crate) async fn connect(socket_path: &Path) -> Result<WebSocketStream<UnixStream>> {
    let stream = UnixStream::connect(socket_path)
        .await
        .with_context(|| format!("failed to connect to {}", socket_path.display()))?;
-    let (websocket, _response) = client_async("ws://localhost/", stream)
+    let (mut websocket, _response) = client_async("ws://localhost/", stream)
        .await
        .with_context(|| format!("failed to upgrade {}", socket_path.display()))?;
-    Ok(websocket)
-}

-pub(crate) async fn initialize<S>(
-    websocket: &mut WebSocketStream<S>,
-    experimental_api: bool,
-) -> Result<InitializeResponse>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
    let initialize = JSONRPCMessage::Request(JSONRPCRequest {
-        id: INITIALIZE_REQUEST_ID,
+        id: RequestId::Integer(1),
        method: "initialize".to_string(),
        params: Some(serde_json::to_value(InitializeParams {
            client_info: ClientInfo {
@@ -86,63 +54,45 @@ where
                title: Some("Codex App Server Daemon".to_string()),
                version: env!("CARGO_PKG_VERSION").to_string(),
            },
-            capabilities: if experimental_api {
-                Some(InitializeCapabilities {
-                    experimental_api: true,
-                    ..Default::default()
-                })
-            } else {
-                None
-            },
+            capabilities: None,
        })?),
        trace: None,
    });
-    send_message(websocket, &initialize)
+    websocket
+        .send(Message::Text(serde_json::to_string(&initialize)?.into()))
        .await
        .context("failed to send initialize request")?;

    let response = loop {
-        let message = timeout(CONTROL_SOCKET_RESPONSE_TIMEOUT, read_message(websocket))
+        let frame = websocket
+            .next()
            .await
-            .context("timed out waiting for initialize response")??;
+            .ok_or_else(|| anyhow!("app-server closed before initialize response"))??;
+        let Message::Text(payload) = frame else {
+            continue;
+        };
+        let message = serde_json::from_str::<JSONRPCMessage>(&payload)?;
        if let JSONRPCMessage::Response(response) = message
-            && response.id == INITIALIZE_REQUEST_ID
+            && response.id == RequestId::Integer(1)
        {
            break response;
        }
    };
-    serde_json::from_value::<InitializeResponse>(response.result)
-        .context("failed to parse initialize response")
-}
+    let initialize_response = serde_json::from_value::<InitializeResponse>(response.result)?;

-pub(crate) async fn send_message<S>(
-    websocket: &mut WebSocketStream<S>,
-    message: &JSONRPCMessage,
-) -> Result<()>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
+    let initialized = JSONRPCMessage::Notification(JSONRPCNotification {
+        method: "initialized".to_string(),
+        params: None,
+    });
    websocket
-        .send(Message::Text(serde_json::to_string(message)?.into()))
-        .await?;
-    Ok(())
-}
+        .send(Message::Text(serde_json::to_string(&initialized)?.into()))
+        .await
+        .context("failed to send initialized notification")?;
+    websocket.close(None).await.ok();

-pub(crate) async fn read_message<S>(websocket: &mut WebSocketStream<S>) -> Result<JSONRPCMessage>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
-    loop {
-        let frame = websocket
-            .next()
-            .await
-            .ok_or_else(|| anyhow!("app-server closed the control socket"))??;
-        let Message::Text(payload) = frame else {
-            continue;
-        };
-        return serde_json::from_str::<JSONRPCMessage>(&payload)
-            .context("failed to parse app-server JSON-RPC message");
-    }
+    Ok(ProbeInfo {
+        app_server_version: parse_version_from_user_agent(&initialize_response.user_agent)?,
+    })
 }

 fn parse_version_from_user_agent(user_agent: &str) -> Result<String> {
--- a/codex-rs/app-server-daemon/src/lib.rs
+++ b/codex-rs/app-server-daemon/src/lib.rs
@@ -1,11 +1,9 @@
 mod backend;
 mod client;
 mod managed_install;
-mod remote_control_client;
 mod settings;
 mod update_loop;

-use std::path::Path;
 use std::path::PathBuf;
 use std::time::Duration;

@@ -14,9 +12,8 @@ use anyhow::Result;
 use anyhow::anyhow;
 pub use backend::BackendKind;
 use backend::BackendPaths;
-use codex_app_server_protocol::RemoteControlConnectionStatus;
 use codex_app_server_transport::app_server_control_socket_path;
-use codex_utils_home_dir::find_codex_home;
+use codex_core::config::find_codex_home;
 use managed_install::managed_codex_bin;
 #[cfg(unix)]
 use managed_install::managed_codex_version;
@@ -60,8 +57,6 @@ pub struct LifecycleOutput {
    pub backend: Option<BackendKind>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pid: Option<u32>,
-    pub managed_codex_path: PathBuf,
-    pub managed_codex_version: Option<String>,
    pub socket_path: PathBuf,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cli_version: Option<String>,
@@ -88,33 +83,11 @@ pub struct BootstrapOutput {
    pub auto_update_enabled: bool,
    pub remote_control_enabled: bool,
    pub managed_codex_path: PathBuf,
-    pub managed_codex_version: Option<String>,
    pub socket_path: PathBuf,
    pub cli_version: String,
    pub app_server_version: String,
 }

-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(untagged)]
-pub enum RemoteControlStartOutput {
-    Bootstrap(BootstrapOutput),
-    Start(LifecycleOutput),
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct RemoteControlReadyStatus {
-    pub status: RemoteControlConnectionStatus,
-    pub server_name: String,
-    pub environment_id: Option<String>,
-    pub timed_out: bool,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct RemoteControlReadyOutput {
-    pub daemon: RemoteControlStartOutput,
-    pub remote_control: RemoteControlReadyStatus,
-}
-
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum RemoteControlMode {
    Enabled,
@@ -150,35 +123,9 @@ pub struct RemoteControlOutput {
 }

 #[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub(crate) enum RestartIfRunningOutcome {
+    Completed,
    Busy,
-    NotRunning,
-    NotReady,
-    AlreadyCurrent,
-    Restarted,
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub(crate) enum RestartMode {
-    IfVersionChanged,
-    Always,
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub(crate) enum UpdaterRefreshMode {
-    None,
-    ReexecIfManagedBinaryChanged,
-}
-
-#[cfg(unix)]
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-enum RestartDecision {
-    NotReady,
-    AlreadyCurrent,
-    Restart,
 }

 pub async fn run(command: LifecycleCommand) -> Result<LifecycleOutput> {
@@ -191,34 +138,6 @@ pub async fn bootstrap(options: BootstrapOptions) -> Result<BootstrapOutput> {
    Daemon::from_environment()?.bootstrap(options).await
 }

-pub async fn ensure_remote_control_started() -> Result<RemoteControlStartOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?
-        .ensure_remote_control_started()
-        .await
-}
-
-pub async fn ensure_remote_control_ready() -> Result<RemoteControlReadyOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?
-        .ensure_remote_control_ready()
-        .await
-}
-
-pub async fn enable_remote_control_on_socket(
-    socket_path: &Path,
-    connect_timeout: Duration,
-    connect_retry_delay: Duration,
-) -> Result<RemoteControlReadyStatus> {
-    ensure_supported_platform()?;
-    remote_control_client::enable_remote_control_with_connect_retry(
-        socket_path,
-        connect_timeout,
-        connect_retry_delay,
-    )
-    .await
-}
-
 pub async fn set_remote_control(mode: RemoteControlMode) -> Result<RemoteControlOutput> {
    ensure_supported_platform()?;
    Daemon::from_environment()?.set_remote_control(mode).await
@@ -288,39 +207,33 @@ impl Daemon {
    async fn start(&self) -> Result<LifecycleOutput> {
        let settings = self.load_settings().await?;
        if let Ok(info) = client::probe(&self.socket_path).await {
-            return Ok(self
-                .output(
-                    LifecycleStatus::AlreadyRunning,
-                    self.running_backend(&settings).await?,
-                    /*pid*/ None,
-                    Some(info.app_server_version),
-                )
-                .await);
+            return Ok(self.output(
+                LifecycleStatus::AlreadyRunning,
+                self.running_backend(&settings).await?,
+                /*pid*/ None,
+                Some(info.app_server_version),
+            ));
        }

        if self.running_backend_instance(&settings).await?.is_some() {
            let info = self.wait_until_ready().await?;
-            return Ok(self
-                .output(
-                    LifecycleStatus::AlreadyRunning,
-                    Some(BackendKind::Pid),
-                    /*pid*/ None,
-                    Some(info.app_server_version),
-                )
-                .await);
+            return Ok(self.output(
+                LifecycleStatus::AlreadyRunning,
+                Some(BackendKind::Pid),
+                /*pid*/ None,
+                Some(info.app_server_version),
+            ));
        }

        self.ensure_managed_codex_bin()?;
        let pid = self.start_managed_backend(&settings).await?;
        let info = self.wait_until_ready().await?;
-        Ok(self
-            .output(
-                LifecycleStatus::Started,
-                Some(BackendKind::Pid),
-                pid,
-                Some(info.app_server_version),
-            )
-            .await)
+        Ok(self.output(
+            LifecycleStatus::Started,
+            Some(BackendKind::Pid),
+            pid,
+            Some(info.app_server_version),
+        ))
    }

    async fn restart(&self) -> Result<LifecycleOutput> {
@@ -340,74 +253,33 @@ impl Daemon {

        let pid = self.start_managed_backend(&settings).await?;
        let info = self.wait_until_ready().await?;
-        Ok(self
-            .output(
-                LifecycleStatus::Restarted,
-                Some(BackendKind::Pid),
-                pid,
-                Some(info.app_server_version),
-            )
-            .await)
+        Ok(self.output(
+            LifecycleStatus::Restarted,
+            Some(BackendKind::Pid),
+            pid,
+            Some(info.app_server_version),
+        ))
    }

    #[cfg(unix)]
-    pub(crate) async fn try_restart_if_running(
-        &self,
-        mode: RestartMode,
-        updater_refresh_mode: UpdaterRefreshMode,
-        managed_codex_bin: &Path,
-    ) -> Result<RestartIfRunningOutcome> {
+    pub(crate) async fn try_restart_if_running(&self) -> Result<RestartIfRunningOutcome> {
        let operation_lock = self.open_operation_lock_file().await?;
        if !try_lock_file(&operation_lock)? {
            return Ok(RestartIfRunningOutcome::Busy);
        }
-        let settings = self.load_settings().await?;
-        let outcome = if let Some(backend) = self.running_backend_instance(&settings).await? {
-            let info = client::probe(&self.socket_path).await.ok();
-            let managed_version = if info.is_some() {
-                Some(managed_codex_version(managed_codex_bin).await?)
-            } else {
-                None
-            };
-            match restart_decision(mode, info.as_ref(), managed_version.as_deref()) {
-                RestartDecision::NotReady => return Ok(RestartIfRunningOutcome::NotReady),
-                RestartDecision::AlreadyCurrent => RestartIfRunningOutcome::AlreadyCurrent,
-                RestartDecision::Restart => {
-                    backend.stop().await?;
-                    let _ = self
-                        .start_managed_backend_with_bin(&settings, managed_codex_bin)
-                        .await?;
-                    self.wait_until_ready().await?;
-                    RestartIfRunningOutcome::Restarted
-                }
-            }
-        } else if client::probe(&self.socket_path).await.is_ok() {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        } else {
-            RestartIfRunningOutcome::NotRunning
-        };
-
-        if should_reexec_updater(updater_refresh_mode, outcome) {
-            crate::update_loop::reexec_managed_updater(managed_codex_bin)?;
-        }
-
-        Ok(outcome)
-    }
-
-    async fn stop(&self) -> Result<LifecycleOutput> {
        let settings = self.load_settings().await?;
        if let Some(backend) = self.running_backend_instance(&settings).await? {
+            let Ok(info) = client::probe(&self.socket_path).await else {
+                return Ok(RestartIfRunningOutcome::Completed);
+            };
+            let managed_version = managed_codex_version(&self.managed_codex_bin).await?;
+            if info.app_server_version == managed_version {
+                return Ok(RestartIfRunningOutcome::Completed);
+            }
            backend.stop().await?;
-            return Ok(self
-                .output(
-                    LifecycleStatus::Stopped,
-                    Some(BackendKind::Pid),
-                    /*pid*/ None,
-                    /*app_server_version*/ None,
-                )
-                .await);
+            let _ = self.start_managed_backend(&settings).await?;
+            self.wait_until_ready().await?;
+            return Ok(RestartIfRunningOutcome::Completed);
        }

        if client::probe(&self.socket_path).await.is_ok() {
@@ -416,27 +288,44 @@ impl Daemon {
            ));
        }

-        Ok(self
-            .output(
-                LifecycleStatus::NotRunning,
-                /*backend*/ None,
+        Ok(RestartIfRunningOutcome::Completed)
+    }
+
+    async fn stop(&self) -> Result<LifecycleOutput> {
+        let settings = self.load_settings().await?;
+        if let Some(backend) = self.running_backend_instance(&settings).await? {
+            backend.stop().await?;
+            return Ok(self.output(
+                LifecycleStatus::Stopped,
+                Some(BackendKind::Pid),
                /*pid*/ None,
                /*app_server_version*/ None,
-            )
-            .await)
+            ));
+        }
+
+        if client::probe(&self.socket_path).await.is_ok() {
+            return Err(anyhow!(
+                "app server is running but is not managed by codex app-server daemon"
+            ));
+        }
+
+        Ok(self.output(
+            LifecycleStatus::NotRunning,
+            /*backend*/ None,
+            /*pid*/ None,
+            /*app_server_version*/ None,
+        ))
    }

    async fn version(&self) -> Result<LifecycleOutput> {
        let settings = self.load_settings().await?;
        let info = client::probe(&self.socket_path).await?;
-        Ok(self
-            .output(
-                LifecycleStatus::Running,
-                self.running_backend(&settings).await?,
-                /*pid*/ None,
-                Some(info.app_server_version),
-            )
-            .await)
+        Ok(self.output(
+            LifecycleStatus::Running,
+            self.running_backend(&settings).await?,
+            /*pid*/ None,
+            Some(info.app_server_version),
+        ))
    }

    async fn wait_until_ready(&self) -> Result<client::ProbeInfo> {
@@ -449,77 +338,24 @@ impl Daemon {
                    sleep(START_POLL_INTERVAL).await;
                }
                Err(err) => {
-                    let context = self.app_server_not_ready_context().await;
-                    return Err(err).context(context);
+                    return Err(err).with_context(|| {
+                        format!(
+                            "app server did not become ready on {}",
+                            self.socket_path.display()
+                        )
+                    });
                }
            }
        }
    }

-    async fn app_server_not_ready_context(&self) -> String {
-        let mut context = format!(
-            "app server did not become ready on {}",
-            self.socket_path.display()
-        );
-        self.append_daemon_app_server_context(&mut context).await;
-        backend::append_stderr_log_tail_context(&self.pid_file, &mut context).await;
-        context
-    }
-
-    async fn append_daemon_app_server_context(&self, context: &mut String) {
-        let managed_codex_version = self
-            .managed_codex_version_best_effort()
-            .await
-            .unwrap_or_else(|| "unknown".to_string());
-        context.push_str(&format!(
-            "\n\nDaemon used app-server:\n  path: {}\n  version: {managed_codex_version}",
-            self.managed_codex_bin.display()
-        ));
-    }
-
    async fn bootstrap(&self, options: BootstrapOptions) -> Result<BootstrapOutput> {
        let _operation_lock = self.acquire_operation_lock().await?;
        self.bootstrap_locked(options).await
    }

-    async fn ensure_remote_control_started(&self) -> Result<RemoteControlStartOutput> {
-        let _operation_lock = self.acquire_operation_lock().await?;
-        let settings = self.load_settings().await?;
-        if self.is_bootstrapped(&settings).await? {
-            let _ = self
-                .set_remote_control_locked(RemoteControlMode::Enabled)
-                .await?;
-            let output = self.start().await?;
-            return Ok(RemoteControlStartOutput::Start(output));
-        }
-
-        let output = self
-            .bootstrap_locked(BootstrapOptions {
-                remote_control_enabled: true,
-            })
-            .await?;
-        Ok(RemoteControlStartOutput::Bootstrap(output))
-    }
-
-    async fn ensure_remote_control_ready(&self) -> Result<RemoteControlReadyOutput> {
-        let daemon = self.ensure_remote_control_started().await?;
-        let remote_control =
-            remote_control_client::enable_remote_control(&self.socket_path).await?;
-        Ok(RemoteControlReadyOutput {
-            daemon,
-            remote_control,
-        })
-    }
-
    async fn set_remote_control(&self, mode: RemoteControlMode) -> Result<RemoteControlOutput> {
        let _operation_lock = self.acquire_operation_lock().await?;
-        self.set_remote_control_locked(mode).await
-    }
-
-    async fn set_remote_control_locked(
-        &self,
-        mode: RemoteControlMode,
-    ) -> Result<RemoteControlOutput> {
        let previous_settings = self.load_settings().await?;
        let mut settings = previous_settings.clone();
        let remote_control_enabled = mode.is_enabled();
@@ -593,14 +429,12 @@ impl Daemon {
        updater.start().await?;

        let info = self.wait_until_ready().await?;
-        let managed_codex_version = self.managed_codex_version_best_effort().await;
        Ok(BootstrapOutput {
            status: BootstrapStatus::Bootstrapped,
            backend: BackendKind::Pid,
            auto_update_enabled: true,
            remote_control_enabled: settings.remote_control_enabled,
            managed_codex_path: self.managed_codex_bin.clone(),
-            managed_codex_version,
            socket_path: self.socket_path.clone(),
            cli_version: env!("CARGO_PKG_VERSION").to_string(),
            app_server_version: info.app_server_version,
@@ -626,61 +460,24 @@ impl Daemon {
    }

    async fn start_managed_backend(&self, settings: &DaemonSettings) -> Result<Option<u32>> {
-        self.start_managed_backend_with_bin(settings, &self.managed_codex_bin)
-            .await
-    }
-
-    async fn start_managed_backend_with_bin(
-        &self,
-        settings: &DaemonSettings,
-        managed_codex_bin: &Path,
-    ) -> Result<Option<u32>> {
-        let backend =
-            backend::pid_backend(self.backend_paths_with_bin(settings, managed_codex_bin));
+        let backend = backend::pid_backend(self.backend_paths(settings));
        backend.start().await
    }

-    async fn is_bootstrapped(&self, settings: &DaemonSettings) -> Result<bool> {
-        let updater = backend::pid_update_loop_backend(self.backend_paths(settings));
-        updater.is_starting_or_running().await
-    }
-
    fn ensure_managed_codex_bin(&self) -> Result<()> {
        if self.managed_codex_bin.is_file() {
            return Ok(());
        }

-        let managed_codex_path = self.managed_codex_bin.display();
        Err(anyhow!(
-            "managed standalone Codex install not found at {managed_codex_path}\n\n\
-             This command requires the standalone install managed by the Codex installer, because \
-             the daemon starts and updates app-server from that fixed path.\n\n\
-             Install it with:\n  curl -fsSL https://chatgpt.com/codex/install.sh | sh\n\n\
-             Then rerun the command you just tried."
+            "managed standalone Codex install not found at {}; install Codex first",
+            self.managed_codex_bin.display()
        ))
    }

-    #[cfg(unix)]
-    async fn managed_codex_version_best_effort(&self) -> Option<String> {
-        managed_codex_version(&self.managed_codex_bin).await.ok()
-    }
-
-    #[cfg(not(unix))]
-    async fn managed_codex_version_best_effort(&self) -> Option<String> {
-        None
-    }
-
    fn backend_paths(&self, settings: &DaemonSettings) -> BackendPaths {
-        self.backend_paths_with_bin(settings, &self.managed_codex_bin)
-    }
-
-    fn backend_paths_with_bin(
-        &self,
-        settings: &DaemonSettings,
-        managed_codex_bin: &Path,
-    ) -> BackendPaths {
        BackendPaths {
-            codex_bin: managed_codex_bin.to_path_buf(),
+            codex_bin: self.managed_codex_bin.clone(),
            pid_file: self.pid_file.clone(),
            update_pid_file: self.update_pid_file.clone(),
            remote_control_enabled: settings.remote_control_enabled,
@@ -729,20 +526,17 @@ impl Daemon {
            })
    }

-    async fn output(
+    fn output(
        &self,
        status: LifecycleStatus,
        backend: Option<BackendKind>,
        pid: Option<u32>,
        app_server_version: Option<String>,
    ) -> LifecycleOutput {
-        let managed_codex_version = self.managed_codex_version_best_effort().await;
        LifecycleOutput {
            status,
            backend,
            pid,
-            managed_codex_path: self.managed_codex_bin.clone(),
-            managed_codex_version,
            socket_path: self.socket_path.clone(),
            cli_version: Some(env!("CARGO_PKG_VERSION").to_string()),
            app_server_version,
@@ -781,32 +575,6 @@ fn already_remote_control_status(mode: RemoteControlMode) -> RemoteControlStatus
    }
 }

-#[cfg(unix)]
-fn restart_decision(
-    mode: RestartMode,
-    info: Option<&client::ProbeInfo>,
-    managed_version: Option<&str>,
-) -> RestartDecision {
-    match (mode, info, managed_version) {
-        (RestartMode::IfVersionChanged, None, _) => RestartDecision::NotReady,
-        (RestartMode::IfVersionChanged, Some(info), Some(managed_version))
-            if info.app_server_version == managed_version =>
-        {
-            RestartDecision::AlreadyCurrent
-        }
-        _ => RestartDecision::Restart,
-    }
-}
-
-#[cfg(unix)]
-fn should_reexec_updater(
-    updater_refresh_mode: UpdaterRefreshMode,
-    outcome: RestartIfRunningOutcome,
-) -> bool {
-    updater_refresh_mode == UpdaterRefreshMode::ReexecIfManagedBinaryChanged
-        && outcome == RestartIfRunningOutcome::Restarted
-}
-
 #[cfg(unix)]
 fn try_lock_file(file: &tokio::fs::File) -> Result<bool> {
    use std::os::fd::AsRawFd;
@@ -831,23 +599,26 @@ fn try_lock_file(_file: &tokio::fs::File) -> Result<bool> {
 #[cfg(all(test, unix))]
 mod tests {
    use pretty_assertions::assert_eq;
-    use tempfile::TempDir;

-    use super::BackendKind;
-    use super::BootstrapOutput;
    use super::BootstrapStatus;
-    use super::Daemon;
-    use super::LifecycleOutput;
    use super::LifecycleStatus;
-    use super::RemoteControlStartOutput;
    use super::RemoteControlStatus;
-    use super::RestartDecision;
-    use super::RestartIfRunningOutcome;
-    use super::RestartMode;
-    use super::UpdaterRefreshMode;
-    use super::restart_decision;
-    use super::should_reexec_updater;
-    use crate::client::ProbeInfo;
+
+    #[test]
+    fn lifecycle_status_uses_camel_case_json() {
+        assert_eq!(
+            serde_json::to_string(&LifecycleStatus::AlreadyRunning).expect("serialize"),
+            "\"alreadyRunning\""
+        );
+    }
+
+    #[test]
+    fn bootstrap_status_uses_camel_case_json() {
+        assert_eq!(
+            serde_json::to_string(&BootstrapStatus::Bootstrapped).expect("serialize"),
+            "\"bootstrapped\""
+        );
+    }

    #[test]
    fn remote_control_status_uses_camel_case_json() {
@@ -856,163 +627,4 @@ mod tests {
            "\"alreadyEnabled\""
        );
    }
-
-    #[test]
-    fn updater_reexec_waits_for_validated_restart() {
-        assert_eq!(
-            [
-                RestartIfRunningOutcome::Busy,
-                RestartIfRunningOutcome::NotReady,
-                RestartIfRunningOutcome::AlreadyCurrent,
-                RestartIfRunningOutcome::NotRunning,
-                RestartIfRunningOutcome::Restarted,
-            ]
-            .map(|outcome| {
-                should_reexec_updater(UpdaterRefreshMode::ReexecIfManagedBinaryChanged, outcome)
-            }),
-            [false, false, false, false, true]
-        );
-    }
-
-    #[test]
-    fn unchanged_updater_never_reexecs() {
-        assert_eq!(
-            [
-                RestartIfRunningOutcome::Busy,
-                RestartIfRunningOutcome::NotReady,
-                RestartIfRunningOutcome::AlreadyCurrent,
-                RestartIfRunningOutcome::NotRunning,
-                RestartIfRunningOutcome::Restarted,
-            ]
-            .map(|outcome| should_reexec_updater(UpdaterRefreshMode::None, outcome)),
-            [false, false, false, false, false]
-        );
-    }
-
-    #[test]
-    fn restart_decision_preserves_forced_refreshes() {
-        let current_info = ProbeInfo {
-            app_server_version: "0.1.0".to_string(),
-        };
-
-        assert_eq!(
-            [
-                restart_decision(
-                    RestartMode::IfVersionChanged,
-                    Some(&current_info),
-                    Some("0.1.0"),
-                ),
-                restart_decision(
-                    RestartMode::IfVersionChanged,
-                    /*info*/ None,
-                    /*managed_version*/ None,
-                ),
-                restart_decision(RestartMode::Always, Some(&current_info), Some("0.1.0")),
-                restart_decision(
-                    RestartMode::Always,
-                    /*info*/ None,
-                    /*managed_version*/ None,
-                ),
-            ],
-            [
-                RestartDecision::AlreadyCurrent,
-                RestartDecision::NotReady,
-                RestartDecision::Restart,
-                RestartDecision::Restart,
-            ]
-        );
-    }
-
-    #[test]
-    fn remote_control_start_output_serializes_inner_output_without_tag() {
-        let lifecycle_output = LifecycleOutput {
-            status: LifecycleStatus::AlreadyRunning,
-            backend: Some(BackendKind::Pid),
-            pid: None,
-            managed_codex_path: "codex".into(),
-            managed_codex_version: Some("1.2.3".to_string()),
-            socket_path: "codex.sock".into(),
-            cli_version: Some("1.2.3".to_string()),
-            app_server_version: Some("1.2.4".to_string()),
-        };
-        let output = RemoteControlStartOutput::Start(lifecycle_output.clone());
-
-        assert_eq!(
-            serde_json::to_value(&lifecycle_output).expect("serialize"),
-            serde_json::json!({
-                "status": "alreadyRunning",
-                "backend": "pid",
-                "managedCodexPath": "codex",
-                "managedCodexVersion": "1.2.3",
-                "socketPath": "codex.sock",
-                "cliVersion": "1.2.3",
-                "appServerVersion": "1.2.4",
-            })
-        );
-        assert_eq!(
-            serde_json::to_value(output).expect("serialize"),
-            serde_json::to_value(lifecycle_output).expect("serialize")
-        );
-
-        let bootstrap_output = BootstrapOutput {
-            status: BootstrapStatus::Bootstrapped,
-            backend: BackendKind::Pid,
-            auto_update_enabled: true,
-            remote_control_enabled: true,
-            managed_codex_path: "codex".into(),
-            managed_codex_version: Some("1.2.3".to_string()),
-            socket_path: "codex.sock".into(),
-            cli_version: "1.2.3".to_string(),
-            app_server_version: "1.2.4".to_string(),
-        };
-        let output = RemoteControlStartOutput::Bootstrap(bootstrap_output.clone());
-
-        assert_eq!(
-            serde_json::to_value(&bootstrap_output).expect("serialize"),
-            serde_json::json!({
-                "status": "bootstrapped",
-                "backend": "pid",
-                "autoUpdateEnabled": true,
-                "remoteControlEnabled": true,
-                "managedCodexPath": "codex",
-                "managedCodexVersion": "1.2.3",
-                "socketPath": "codex.sock",
-                "cliVersion": "1.2.3",
-                "appServerVersion": "1.2.4",
-            })
-        );
-        assert_eq!(
-            serde_json::to_value(output).expect("serialize"),
-            serde_json::to_value(bootstrap_output).expect("serialize")
-        );
-    }
-
-    #[tokio::test]
-    async fn not_ready_context_reports_daemon_app_server_before_stderr() {
-        let temp_dir = TempDir::new().expect("temp dir");
-        let daemon = Daemon {
-            socket_path: temp_dir.path().join("app-server-control.sock"),
-            pid_file: temp_dir.path().join("app-server.pid"),
-            update_pid_file: temp_dir.path().join("app-server-updater.pid"),
-            operation_lock_file: temp_dir.path().join("daemon.lock"),
-            settings_file: temp_dir.path().join("settings.json"),
-            managed_codex_bin: temp_dir.path().join("missing-codex"),
-        };
-        let stderr_log = daemon.pid_file.with_extension("stderr.log");
-        tokio::fs::write(&stderr_log, "unexpected argument")
-            .await
-            .expect("write stderr log");
-
-        assert_eq!(
-            daemon.app_server_not_ready_context().await,
-            format!(
-                "app server did not become ready on {}\n\n\
-                 Daemon used app-server:\n  path: {}\n  version: unknown\n\n\
-                 Managed app-server stderr ({}):\n  unexpected argument",
-                daemon.socket_path.display(),
-                daemon.managed_codex_bin.display(),
-                stderr_log.display()
-            )
-        );
-    }
 }
--- a/codex-rs/app-server-daemon/src/managed_install.rs
+++ b/codex-rs/app-server-daemon/src/managed_install.rs
@@ -8,12 +8,6 @@ use anyhow::Result;
 #[cfg(unix)]
 use anyhow::anyhow;
 #[cfg(unix)]
-use sha2::Digest;
-#[cfg(unix)]
-use sha2::Sha256;
-#[cfg(unix)]
-use tokio::fs;
-#[cfg(unix)]
 use tokio::process::Command;

 pub(crate) fn managed_codex_bin(codex_home: &Path) -> PathBuf {
@@ -24,16 +18,6 @@ pub(crate) fn managed_codex_bin(codex_home: &Path) -> PathBuf {
        .join(managed_codex_file_name())
 }

-#[cfg(unix)]
-pub(crate) async fn resolved_managed_codex_bin(codex_bin: &Path) -> Result<PathBuf> {
-    fs::canonicalize(codex_bin).await.with_context(|| {
-        format!(
-            "failed to resolve managed Codex binary {}",
-            codex_bin.display()
-        )
-    })
-}
-
 #[cfg(unix)]
 pub(crate) async fn managed_codex_version(codex_bin: &Path) -> Result<String> {
    let output = Command::new(codex_bin)
@@ -63,27 +47,6 @@ pub(crate) async fn managed_codex_version(codex_bin: &Path) -> Result<String> {
    parse_codex_version(&stdout)
 }

-#[cfg(unix)]
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub(crate) struct ExecutableIdentity {
-    digest: [u8; 32],
-}
-
-#[cfg(unix)]
-pub(crate) async fn executable_identity(executable: &Path) -> Result<ExecutableIdentity> {
-    let bytes = fs::read(executable)
-        .await
-        .with_context(|| format!("failed to read executable {}", executable.display()))?;
-    Ok(executable_identity_from_bytes(&bytes))
-}
-
-#[cfg(unix)]
-pub(crate) fn executable_identity_from_bytes(bytes: &[u8]) -> ExecutableIdentity {
-    ExecutableIdentity {
-        digest: Sha256::digest(bytes).into(),
-    }
-}
-
 fn managed_codex_file_name() -> &'static str {
    if cfg!(windows) { "codex.exe" } else { "codex" }
 }
--- a/codex-rs/app-server-daemon/src/managed_install_tests.rs
+++ b/codex-rs/app-server-daemon/src/managed_install_tests.rs
@@ -1,6 +1,5 @@
 use pretty_assertions::assert_eq;

-use super::executable_identity_from_bytes;
 use super::parse_codex_version;

 #[test]
@@ -15,13 +14,3 @@ fn parses_codex_cli_version_output() {
 fn rejects_malformed_codex_cli_version_output() {
    assert!(parse_codex_version("codex\n").is_err());
 }
-
-#[test]
-fn executable_identity_uses_binary_contents() {
-    let old = executable_identity_from_bytes(b"old");
-    let same = executable_identity_from_bytes(b"old");
-    let new = executable_identity_from_bytes(b"new");
-
-    assert_eq!(old, same);
-    assert_ne!(old, new);
-}
--- a/codex-rs/app-server-daemon/src/remote_control_client.rs
+++ b/codex-rs/app-server-daemon/src/remote_control_client.rs
@@ -1,459 +0,0 @@
-use std::path::Path;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::anyhow;
-use codex_app_server_protocol::JSONRPCMessage;
-use codex_app_server_protocol::JSONRPCNotification;
-use codex_app_server_protocol::JSONRPCRequest;
-use codex_app_server_protocol::RemoteControlConnectionStatus;
-use codex_app_server_protocol::RemoteControlEnableResponse;
-use codex_app_server_protocol::RemoteControlStatusChangedNotification;
-use codex_app_server_protocol::RequestId;
-use tokio::io::AsyncRead;
-use tokio::io::AsyncWrite;
-use tokio::time::Instant;
-use tokio::time::sleep;
-use tokio::time::timeout;
-use tokio_tungstenite::WebSocketStream;
-
-use crate::RemoteControlReadyStatus;
-use crate::client;
-
-const REMOTE_CONTROL_READY_TIMEOUT: Duration = Duration::from_secs(10);
-const REMOTE_CONTROL_ENABLE_REQUEST_ID: RequestId = RequestId::Integer(2);
-
-pub(crate) async fn enable_remote_control(socket_path: &Path) -> Result<RemoteControlReadyStatus> {
-    let mut websocket = client::connect(socket_path).await?;
-    enable_remote_control_with_timeout(&mut websocket, REMOTE_CONTROL_READY_TIMEOUT).await
-}
-
-pub(crate) async fn enable_remote_control_with_connect_retry(
-    socket_path: &Path,
-    connect_timeout: Duration,
-    connect_retry_delay: Duration,
-) -> Result<RemoteControlReadyStatus> {
-    let mut websocket =
-        connect_with_retry(socket_path, connect_timeout, connect_retry_delay).await?;
-    enable_remote_control_with_timeout(&mut websocket, REMOTE_CONTROL_READY_TIMEOUT).await
-}
-
-async fn enable_remote_control_with_timeout<S>(
-    websocket: &mut WebSocketStream<S>,
-    ready_timeout: Duration,
-) -> Result<RemoteControlReadyStatus>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
-    client::initialize(websocket, /*experimental_api*/ true).await?;
-    let initialized = JSONRPCMessage::Notification(JSONRPCNotification {
-        method: "initialized".to_string(),
-        params: None,
-    });
-    client::send_message(websocket, &initialized)
-        .await
-        .context("failed to send initialized notification")?;
-
-    let enable = JSONRPCMessage::Request(JSONRPCRequest {
-        id: REMOTE_CONTROL_ENABLE_REQUEST_ID,
-        method: "remoteControl/enable".to_string(),
-        params: None,
-        trace: None,
-    });
-    client::send_message(websocket, &enable)
-        .await
-        .context("failed to send remoteControl/enable request")?;
-
-    let mut latest = read_enable_response(websocket).await?;
-    if latest.status == RemoteControlConnectionStatus::Connecting {
-        latest = wait_for_remote_control_status(websocket, latest, ready_timeout).await?;
-    }
-    websocket.close(None).await.ok();
-    Ok(latest)
-}
-
-async fn connect_with_retry(
-    socket_path: &Path,
-    connect_timeout: Duration,
-    connect_retry_delay: Duration,
-) -> Result<WebSocketStream<codex_uds::UnixStream>> {
-    let deadline = Instant::now() + connect_timeout;
-    loop {
-        match client::connect(socket_path).await {
-            Ok(websocket) => return Ok(websocket),
-            Err(_) if Instant::now() < deadline => {
-                sleep(connect_retry_delay).await;
-            }
-            Err(error) => {
-                return Err(error).with_context(|| {
-                    format!(
-                        "app server did not become ready on {}",
-                        socket_path.display()
-                    )
-                });
-            }
-        }
-    }
-}
-
-async fn read_enable_response<S>(
-    websocket: &mut WebSocketStream<S>,
-) -> Result<RemoteControlReadyStatus>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
-    loop {
-        let message = timeout(
-            client::CONTROL_SOCKET_RESPONSE_TIMEOUT,
-            client::read_message(websocket),
-        )
-        .await
-        .context("timed out waiting for remoteControl/enable response")??;
-        match message {
-            JSONRPCMessage::Response(response)
-                if response.id == REMOTE_CONTROL_ENABLE_REQUEST_ID =>
-            {
-                let response =
-                    serde_json::from_value::<RemoteControlEnableResponse>(response.result)
-                        .context("failed to parse remoteControl/enable response")?;
-                return Ok(RemoteControlReadyStatus::from(response));
-            }
-            JSONRPCMessage::Error(err) if err.id == REMOTE_CONTROL_ENABLE_REQUEST_ID => {
-                return Err(anyhow!(
-                    "remoteControl/enable failed: {}",
-                    err.error.message
-                ));
-            }
-            JSONRPCMessage::Notification(notification)
-                if remote_control_status_notification(&notification).is_some() =>
-            {
-                continue;
-            }
-            _ => {}
-        }
-    }
-}
-
-async fn wait_for_remote_control_status<S>(
-    websocket: &mut WebSocketStream<S>,
-    mut latest: RemoteControlReadyStatus,
-    ready_timeout: Duration,
-) -> Result<RemoteControlReadyStatus>
-where
-    S: AsyncRead + AsyncWrite + Unpin,
-{
-    let deadline = tokio::time::Instant::now() + ready_timeout;
-    while tokio::time::Instant::now() < deadline {
-        let remaining = deadline.saturating_duration_since(tokio::time::Instant::now());
-        let message = match timeout(remaining, client::read_message(websocket)).await {
-            Ok(Ok(message)) => message,
-            Ok(Err(err)) => return Err(err),
-            Err(_) => {
-                latest.timed_out = true;
-                return Ok(latest);
-            }
-        };
-        let JSONRPCMessage::Notification(notification) = message else {
-            continue;
-        };
-        let Some(status) = remote_control_status_notification(&notification) else {
-            continue;
-        };
-        latest = RemoteControlReadyStatus::from(status);
-        if latest.status != RemoteControlConnectionStatus::Connecting {
-            return Ok(latest);
-        }
-    }
-    latest.timed_out = true;
-    Ok(latest)
-}
-
-fn remote_control_status_notification(
-    notification: &JSONRPCNotification,
-) -> Option<RemoteControlStatusChangedNotification> {
-    if notification.method != "remoteControl/status/changed" {
-        return None;
-    }
-    let params = notification.params.clone()?;
-    serde_json::from_value(params).ok()
-}
-
-impl From<RemoteControlEnableResponse> for RemoteControlReadyStatus {
-    fn from(response: RemoteControlEnableResponse) -> Self {
-        let RemoteControlEnableResponse {
-            status,
-            server_name,
-            installation_id: _,
-            environment_id,
-        } = response;
-        Self {
-            status,
-            server_name,
-            environment_id,
-            timed_out: false,
-        }
-    }
-}
-
-impl From<RemoteControlStatusChangedNotification> for RemoteControlReadyStatus {
-    fn from(notification: RemoteControlStatusChangedNotification) -> Self {
-        let RemoteControlStatusChangedNotification {
-            status,
-            server_name,
-            installation_id: _,
-            environment_id,
-        } = notification;
-        Self {
-            status,
-            server_name,
-            environment_id,
-            timed_out: false,
-        }
-    }
-}
-
-#[cfg(all(test, unix))]
-mod tests {
-    use anyhow::Result;
-    use codex_app_server_protocol::JSONRPCResponse;
-    use codex_uds::UnixListener;
-    use pretty_assertions::assert_eq;
-    use tempfile::TempDir;
-    use tokio_tungstenite::accept_async;
-
-    use super::*;
-
-    const INITIALIZE_REQUEST_ID: RequestId = RequestId::Integer(1);
-    const TEST_INSTALLATION_ID: &str = "11111111-1111-4111-8111-111111111111";
-    const TEST_SERVER_NAME: &str = "owen-mbp";
-    const TEST_CODEX_HOME: &str = "/tmp/codex-home";
-
-    #[tokio::test]
-    async fn enable_remote_control_uses_connected_enable_response_without_later_notification()
-    -> Result<()> {
-        let status = run_enable_remote_control_scenario(EnableScenario {
-            initial_notification: Some(remote_control_status(
-                RemoteControlConnectionStatus::Connected,
-                Some("env_test"),
-            )),
-            enable_response: remote_control_status(
-                RemoteControlConnectionStatus::Connected,
-                Some("env_test"),
-            ),
-            after_enable_notification: None,
-            ready_timeout: Duration::from_millis(20),
-        })
-        .await?;
-
-        assert_eq!(
-            status,
-            RemoteControlReadyStatus {
-                status: RemoteControlConnectionStatus::Connected,
-                server_name: TEST_SERVER_NAME.to_string(),
-                environment_id: Some("env_test".to_string()),
-                timed_out: false,
-            }
-        );
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn enable_remote_control_waits_for_connected_notification() -> Result<()> {
-        let status = run_enable_remote_control_scenario(EnableScenario {
-            initial_notification: None,
-            enable_response: remote_control_status(
-                RemoteControlConnectionStatus::Connecting,
-                /*environment_id*/ None,
-            ),
-            after_enable_notification: Some(remote_control_status(
-                RemoteControlConnectionStatus::Connected,
-                Some("env_test"),
-            )),
-            ready_timeout: Duration::from_secs(1),
-        })
-        .await?;
-
-        assert_eq!(
-            status,
-            RemoteControlReadyStatus {
-                status: RemoteControlConnectionStatus::Connected,
-                server_name: TEST_SERVER_NAME.to_string(),
-                environment_id: Some("env_test".to_string()),
-                timed_out: false,
-            }
-        );
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn enable_remote_control_reports_connecting_after_timeout() -> Result<()> {
-        let status = run_enable_remote_control_scenario(EnableScenario {
-            initial_notification: None,
-            enable_response: remote_control_status(
-                RemoteControlConnectionStatus::Connecting,
-                /*environment_id*/ None,
-            ),
-            after_enable_notification: None,
-            ready_timeout: Duration::from_millis(20),
-        })
-        .await?;
-
-        assert_eq!(
-            status,
-            RemoteControlReadyStatus {
-                status: RemoteControlConnectionStatus::Connecting,
-                server_name: TEST_SERVER_NAME.to_string(),
-                environment_id: None,
-                timed_out: true,
-            }
-        );
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn enable_remote_control_returns_errored_enable_response() -> Result<()> {
-        let status = run_enable_remote_control_scenario(EnableScenario {
-            initial_notification: None,
-            enable_response: remote_control_status(
-                RemoteControlConnectionStatus::Errored,
-                /*environment_id*/ None,
-            ),
-            after_enable_notification: None,
-            ready_timeout: Duration::from_millis(20),
-        })
-        .await?;
-
-        assert_eq!(
-            status,
-            RemoteControlReadyStatus {
-                status: RemoteControlConnectionStatus::Errored,
-                server_name: TEST_SERVER_NAME.to_string(),
-                environment_id: None,
-                timed_out: false,
-            }
-        );
-        Ok(())
-    }
-
-    struct EnableScenario {
-        initial_notification: Option<RemoteControlStatusChangedNotification>,
-        enable_response: RemoteControlStatusChangedNotification,
-        after_enable_notification: Option<RemoteControlStatusChangedNotification>,
-        ready_timeout: Duration,
-    }
-
-    async fn run_enable_remote_control_scenario(
-        scenario: EnableScenario,
-    ) -> Result<RemoteControlReadyStatus> {
-        let dir = TempDir::new()?;
-        let socket_path = dir.path().join("app-server.sock");
-        let listener = UnixListener::bind(&socket_path).await?;
-        let ready_timeout = scenario.ready_timeout;
-        let server_task = tokio::spawn(serve_enable_remote_control_scenario(listener, scenario));
-
-        let mut websocket = client::connect(&socket_path).await?;
-        let status = enable_remote_control_with_timeout(&mut websocket, ready_timeout).await?;
-        server_task.await??;
-        Ok(status)
-    }
-
-    async fn serve_enable_remote_control_scenario(
-        mut listener: UnixListener,
-        scenario: EnableScenario,
-    ) -> Result<()> {
-        let stream = listener.accept().await?;
-        let mut websocket = accept_async(stream).await?;
-
-        let initialize = client::read_message(&mut websocket).await?;
-        let JSONRPCMessage::Request(initialize) = initialize else {
-            panic!("expected initialize request");
-        };
-        assert_eq!(initialize.id, INITIALIZE_REQUEST_ID);
-        assert_eq!(initialize.method, "initialize");
-        let Some(initialize_params) = initialize.params else {
-            panic!("expected initialize params");
-        };
-        assert_eq!(
-            initialize_params["capabilities"]["experimentalApi"],
-            serde_json::Value::Bool(true)
-        );
-        client::send_message(
-            &mut websocket,
-            &JSONRPCMessage::Response(JSONRPCResponse {
-                id: INITIALIZE_REQUEST_ID,
-                result: serde_json::json!({
-                    "userAgent": "codex_app_server/1.2.3",
-                    "codexHome": TEST_CODEX_HOME,
-                    "platformFamily": "unix",
-                    "platformOs": "macos",
-                }),
-            }),
-        )
-        .await?;
-
-        let initialized = client::read_message(&mut websocket).await?;
-        let JSONRPCMessage::Notification(initialized) = initialized else {
-            panic!("expected initialized notification");
-        };
-        assert_eq!(initialized.method, "initialized");
-
-        if let Some(status) = scenario.initial_notification {
-            send_remote_control_status(&mut websocket, status).await?;
-        }
-
-        let enable = client::read_message(&mut websocket).await?;
-        let JSONRPCMessage::Request(enable) = enable else {
-            panic!("expected remoteControl/enable request");
-        };
-        assert_eq!(enable.id, REMOTE_CONTROL_ENABLE_REQUEST_ID);
-        assert_eq!(enable.method, "remoteControl/enable");
-        client::send_message(
-            &mut websocket,
-            &JSONRPCMessage::Response(JSONRPCResponse {
-                id: REMOTE_CONTROL_ENABLE_REQUEST_ID,
-                result: serde_json::to_value(RemoteControlEnableResponse::from(
-                    scenario.enable_response,
-                ))?,
-            }),
-        )
-        .await?;
-
-        if let Some(status) = scenario.after_enable_notification {
-            send_remote_control_status(&mut websocket, status).await?;
-        } else {
-            tokio::time::sleep(Duration::from_millis(50)).await;
-        }
-
-        Ok(())
-    }
-
-    async fn send_remote_control_status<S>(
-        websocket: &mut WebSocketStream<S>,
-        status: RemoteControlStatusChangedNotification,
-    ) -> Result<()>
-    where
-        S: tokio::io::AsyncRead + tokio::io::AsyncWrite + Unpin,
-    {
-        client::send_message(
-            websocket,
-            &JSONRPCMessage::Notification(JSONRPCNotification {
-                method: "remoteControl/status/changed".to_string(),
-                params: Some(serde_json::to_value(status)?),
-            }),
-        )
-        .await
-    }
-
-    fn remote_control_status(
-        status: RemoteControlConnectionStatus,
-        environment_id: Option<&str>,
-    ) -> RemoteControlStatusChangedNotification {
-        RemoteControlStatusChangedNotification {
-            status,
-            server_name: TEST_SERVER_NAME.to_string(),
-            installation_id: TEST_INSTALLATION_ID.to_string(),
-            environment_id: environment_id.map(str::to_string),
-        }
-    }
-}
--- a/codex-rs/app-server-daemon/src/update_loop.rs
+++ b/codex-rs/app-server-daemon/src/update_loop.rs
@@ -1,6 +1,4 @@
 #[cfg(unix)]
-use std::process::Command as StdCommand;
-#[cfg(unix)]
 use std::process::Stdio;
 #[cfg(unix)]
 use std::time::Duration;
@@ -13,8 +11,6 @@ use anyhow::bail;
 #[cfg(unix)]
 use futures::FutureExt;
 #[cfg(unix)]
-use std::os::unix::process::CommandExt;
-#[cfg(unix)]
 use tokio::io::AsyncWriteExt;
 #[cfg(unix)]
 use tokio::process::Command;
@@ -31,16 +27,6 @@ use tokio::time::sleep;
 use crate::Daemon;
 #[cfg(unix)]
 use crate::RestartIfRunningOutcome;
-#[cfg(unix)]
-use crate::RestartMode;
-#[cfg(unix)]
-use crate::UpdaterRefreshMode;
-#[cfg(unix)]
-use crate::managed_install::ExecutableIdentity;
-#[cfg(unix)]
-use crate::managed_install::executable_identity;
-#[cfg(unix)]
-use crate::managed_install::resolved_managed_codex_bin;

 #[cfg(unix)]
 const INITIAL_UPDATE_DELAY: Duration = Duration::from_secs(5 * 60);
@@ -53,12 +39,11 @@ const UPDATE_INTERVAL: Duration = Duration::from_secs(60 * 60);
 pub(crate) async fn run() -> Result<()> {
    let mut terminate =
        signal(SignalKind::terminate()).context("failed to install updater shutdown handler")?;
-    let running_updater_identity = current_updater_identity().await?;
    if sleep_or_terminate(INITIAL_UPDATE_DELAY, &mut terminate).await {
        return Ok(());
    }
    loop {
-        match update_once(&running_updater_identity, &mut terminate).await {
+        match update_once(&mut terminate).await {
            Ok(UpdateLoopControl::Continue) | Err(_) => {}
            Ok(UpdateLoopControl::Stop) => return Ok(()),
        }
@@ -88,71 +73,25 @@ enum UpdateLoopControl {
 }

 #[cfg(unix)]
-async fn update_once(
-    running_updater_identity: &ExecutableIdentity,
-    terminate: &mut Signal,
-) -> Result<UpdateLoopControl> {
+async fn update_once(terminate: &mut Signal) -> Result<UpdateLoopControl> {
    install_latest_standalone().await?;

    let daemon = Daemon::from_environment()?;
-    let managed_codex_bin = resolved_managed_codex_bin(&daemon.managed_codex_bin).await?;
-    let managed_identity = executable_identity(&managed_codex_bin).await?;
-    let (restart_mode, updater_refresh_mode) =
-        update_modes_for_identities(running_updater_identity, &managed_identity);
-
    loop {
        if terminate.recv().now_or_never().flatten().is_some() {
            return Ok(UpdateLoopControl::Stop);
        }
-        match daemon
-            .try_restart_if_running(restart_mode, updater_refresh_mode, &managed_codex_bin)
-            .await?
-        {
+        match daemon.try_restart_if_running().await? {
+            RestartIfRunningOutcome::Completed => return Ok(UpdateLoopControl::Continue),
            RestartIfRunningOutcome::Busy => {
                if sleep_or_terminate(RESTART_RETRY_INTERVAL, terminate).await {
                    return Ok(UpdateLoopControl::Stop);
                }
            }
-            _ => return Ok(UpdateLoopControl::Continue),
        }
    }
 }

-#[cfg(unix)]
-async fn current_updater_identity() -> Result<ExecutableIdentity> {
-    let current_exe =
-        std::env::current_exe().context("failed to resolve current updater executable")?;
-    executable_identity(&current_exe).await
-}
-
-#[cfg(unix)]
-fn update_modes_for_identities(
-    running_updater_identity: &ExecutableIdentity,
-    managed_identity: &ExecutableIdentity,
-) -> (RestartMode, UpdaterRefreshMode) {
-    if running_updater_identity == managed_identity {
-        (RestartMode::IfVersionChanged, UpdaterRefreshMode::None)
-    } else {
-        (
-            RestartMode::Always,
-            UpdaterRefreshMode::ReexecIfManagedBinaryChanged,
-        )
-    }
-}
-
-#[cfg(unix)]
-pub(crate) fn reexec_managed_updater(managed_codex_bin: &std::path::Path) -> Result<()> {
-    let err = StdCommand::new(managed_codex_bin)
-        .args(["app-server", "daemon", "pid-update-loop"])
-        .exec();
-    Err(err).with_context(|| {
-        format!(
-            "failed to replace updater with managed Codex binary {}",
-            managed_codex_bin.display()
-        )
-    })
-}
-
 #[cfg(unix)]
 async fn install_latest_standalone() -> Result<()> {
    let script = reqwest::get("https://chatgpt.com/codex/install.sh")
@@ -191,7 +130,3 @@ async fn install_latest_standalone() -> Result<()> {
        anyhow::bail!("standalone Codex updater exited with status {status}")
    }
 }
-
-#[cfg(all(test, unix))]
-#[path = "update_loop_tests.rs"]
-mod tests;
--- a/codex-rs/app-server-daemon/src/update_loop_tests.rs
+++ b/codex-rs/app-server-daemon/src/update_loop_tests.rs
@@ -1,31 +0,0 @@
-use pretty_assertions::assert_eq;
-
-use super::update_modes_for_identities;
-use crate::RestartMode;
-use crate::UpdaterRefreshMode;
-use crate::managed_install::executable_identity_from_bytes;
-
-#[test]
-fn unchanged_updater_uses_version_based_restart() {
-    assert_eq!(
-        update_modes_for_identities(
-            &executable_identity_from_bytes(b"same"),
-            &executable_identity_from_bytes(b"same"),
-        ),
-        (RestartMode::IfVersionChanged, UpdaterRefreshMode::None)
-    );
-}
-
-#[test]
-fn changed_updater_forces_refresh_even_when_version_may_match() {
-    assert_eq!(
-        update_modes_for_identities(
-            &executable_identity_from_bytes(b"old"),
-            &executable_identity_from_bytes(b"new"),
-        ),
-        (
-            RestartMode::Always,
-            UpdaterRefreshMode::ReexecIfManagedBinaryChanged,
-        )
-    );
-}
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -591,13 +591,6 @@
            "integer",
            "null"
          ]
-        },
-        "threadId": {
-          "description": "Optional loaded thread id. Pass this when showing feature state for an existing thread so enablement is computed from that thread's refreshed config, including project-local config for the thread's cwd.",
-          "type": [
-            "string",
-            "null"
-          ]
        }
      },
      "type": "object"
@@ -726,6 +719,202 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FsCopyParams": {
      "description": "Copy a file or directory tree on the host filesystem.",
      "properties": {
@@ -1046,6 +1235,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -1541,6 +1732,194 @@
      ],
      "type": "string"
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
@@ -1576,31 +1955,6 @@
      ],
      "type": "object"
    },
-    "PluginInstalledParams": {
-      "properties": {
-        "cwds": {
-          "description": "Optional working directories used to discover repo marketplaces.",
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "installSuggestionPluginNames": {
-          "description": "Additional uninstalled plugin names that should be returned when present locally. This is used by mention surfaces that intentionally expose install entrypoints.",
-          "items": {
-            "type": "string"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
    "PluginListMarketplaceKind": {
      "enum": [
        "local",
@@ -1661,17 +2015,6 @@
      ],
      "type": "object"
    },
-    "PluginShareCheckoutParams": {
-      "properties": {
-        "remotePluginId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "remotePluginId"
-      ],
-      "type": "object"
-    },
    "PluginShareDeleteParams": {
      "properties": {
        "remotePluginId": {
@@ -2434,22 +2777,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
@@ -3111,8 +3438,6 @@
      "enum": [
        "active",
        "paused",
-        "blocked",
-        "usageLimited",
        "budgetLimited",
        "complete"
      ],
@@ -3957,17 +4282,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -3988,17 +4302,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -4652,30 +4955,6 @@
      "title": "Plugin/listRequest",
      "type": "object"
    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "plugin/installed"
-          ],
-          "title": "Plugin/installedRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/PluginInstalledParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Plugin/installedRequest",
-      "type": "object"
-    },
    {
      "properties": {
        "id": {
@@ -4796,30 +5075,6 @@
      "title": "Plugin/share/listRequest",
      "type": "object"
    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "plugin/share/checkout"
-          ],
-          "title": "Plugin/share/checkoutRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/PluginShareCheckoutParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Plugin/share/checkoutRequest",
-      "type": "object"
-    },
    {
      "properties": {
        "id": {
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -1932,13 +1932,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "ItemCompletedNotification": {
      "properties": {
        "completedAtMs": {
@@ -2755,16 +2748,12 @@
        "installationId": {
          "type": "string"
        },
-        "serverName": {
-          "type": "string"
-        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
        "installationId",
-        "serverName",
        "status"
      ],
      "type": "object"
@@ -3257,8 +3246,6 @@
      "enum": [
        "active",
        "paused",
-        "blocked",
-        "usageLimited",
        "budgetLimited",
        "complete"
      ],
@@ -4602,17 +4589,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -4633,17 +4609,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -757,30 +757,6 @@
          "title": "Plugin/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "plugin/installed"
-              ],
-              "title": "Plugin/installedRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/v2/PluginInstalledParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Plugin/installedRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -901,30 +877,6 @@
          "title": "Plugin/share/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "plugin/share/checkout"
-              ],
-              "title": "Plugin/share/checkoutRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/v2/PluginShareCheckoutParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Plugin/share/checkoutRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -5631,6 +5583,14 @@
          "id": {
            "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
            "type": "string"
+          },
+          "modifications": {
+            "default": [],
+            "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+            "items": {
+              "$ref": "#/definitions/v2/ActivePermissionProfileModification"
+            },
+            "type": "array"
          }
        },
        "required": [
@@ -5638,6 +5598,31 @@
        ],
        "type": "object"
      },
+      "ActivePermissionProfileModification": {
+        "oneOf": [
+          {
+            "description": "Additional concrete directory that should be writable.",
+            "properties": {
+              "path": {
+                "$ref": "#/definitions/v2/AbsolutePathBuf"
+              },
+              "type": {
+                "enum": [
+                  "additionalWritableRoot"
+                ],
+                "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "path",
+              "type"
+            ],
+            "title": "AdditionalWritableRootActivePermissionProfileModification",
+            "type": "object"
+          }
+        ]
+      },
      "AddCreditsNudgeCreditType": {
        "enum": [
          "credits",
@@ -6314,25 +6299,6 @@
          }
        ]
      },
-      "AutoCompactTokenLimitScope": {
-        "description": "Selects which part of the active context is charged against `model_auto_compact_token_limit`.",
-        "oneOf": [
-          {
-            "description": "Count the full active context against the limit.",
-            "enum": [
-              "total"
-            ],
-            "type": "string"
-          },
-          {
-            "description": "Count sampled output and later growth after the carried window prefix.",
-            "enum": [
-              "body_after_prefix"
-            ],
-            "type": "string"
-          }
-        ]
-      },
      "AutoReviewDecisionSource": {
        "description": "[UNSTABLE] Source that produced a terminal approval auto-review decision.",
        "enum": [
@@ -7129,13 +7095,6 @@
              "null"
            ]
          },
-          "desktop": {
-            "additionalProperties": true,
-            "type": [
-              "object",
-              "null"
-            ]
-          },
          "developer_instructions": {
            "type": [
              "string",
@@ -7143,13 +7102,9 @@
            ]
          },
          "forced_chatgpt_workspace_id": {
-            "anyOf": [
-              {
-                "$ref": "#/definitions/v2/ForcedChatgptWorkspaceIds"
-              },
-              {
-                "type": "null"
-              }
+            "type": [
+              "string",
+              "null"
            ]
          },
          "forced_login_method": {
@@ -7181,16 +7136,6 @@
              "null"
            ]
          },
-          "model_auto_compact_token_limit_scope": {
-            "anyOf": [
-              {
-                "$ref": "#/definitions/v2/AutoCompactTokenLimitScope"
-              },
-              {
-                "type": "null"
-              }
-            ]
-          },
          "model_context_window": {
            "format": "int64",
            "type": [
@@ -7454,13 +7399,6 @@
                ],
                "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
              },
-              "profile": {
-                "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-                "type": [
-                  "string",
-                  "null"
-                ]
-              },
              "type": {
                "enum": [
                  "user"
@@ -7602,12 +7540,6 @@
      },
      "ConfigRequirements": {
        "properties": {
-          "allowManagedHooksOnly": {
-            "type": [
-              "boolean",
-              "null"
-            ]
-          },
          "allowedApprovalPolicies": {
            "items": {
              "$ref": "#/definitions/v2/AskForApproval"
@@ -7792,12 +7724,6 @@
              "command": {
                "type": "string"
              },
-              "commandWindows": {
-                "type": [
-                  "string",
-                  "null"
-                ]
-              },
              "statusMessage": {
                "type": [
                  "string",
@@ -8223,13 +8149,6 @@
              "integer",
              "null"
            ]
-          },
-          "threadId": {
-            "description": "Optional loaded thread id. Pass this when showing feature state for an existing thread so enablement is computed from that thread's refreshed config, including project-local config for the thread's cwd.",
-            "type": [
-              "string",
-              "null"
-            ]
          }
        },
        "title": "ExperimentalFeatureListParams",
@@ -8735,20 +8654,6 @@
        ],
        "type": "object"
      },
-      "ForcedChatgptWorkspaceIds": {
-        "anyOf": [
-          {
-            "type": "string"
-          },
-          {
-            "items": {
-              "type": "string"
-            },
-            "type": "array"
-          }
-        ],
-        "description": "Backward-compatible API shape for ChatGPT workspace login restrictions."
-      },
      "ForcedLoginMethod": {
        "enum": [
          "chatgpt",
@@ -9980,6 +9885,8 @@
      },
      "ImageDetail": {
        "enum": [
+          "auto",
+          "low",
          "high",
          "original"
        ],
@@ -11679,6 +11586,194 @@
          }
        ]
      },
+      "PermissionProfile": {
+        "oneOf": [
+          {
+            "description": "Codex owns sandbox construction for this profile.",
+            "properties": {
+              "fileSystem": {
+                "$ref": "#/definitions/v2/PermissionProfileFileSystemPermissions"
+              },
+              "network": {
+                "$ref": "#/definitions/v2/PermissionProfileNetworkPermissions"
+              },
+              "type": {
+                "enum": [
+                  "managed"
+                ],
+                "title": "ManagedPermissionProfileType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "fileSystem",
+              "network",
+              "type"
+            ],
+            "title": "ManagedPermissionProfile",
+            "type": "object"
+          },
+          {
+            "description": "Do not apply an outer sandbox.",
+            "properties": {
+              "type": {
+                "enum": [
+                  "disabled"
+                ],
+                "title": "DisabledPermissionProfileType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "DisabledPermissionProfile",
+            "type": "object"
+          },
+          {
+            "description": "Filesystem isolation is enforced by an external caller.",
+            "properties": {
+              "network": {
+                "$ref": "#/definitions/v2/PermissionProfileNetworkPermissions"
+              },
+              "type": {
+                "enum": [
+                  "external"
+                ],
+                "title": "ExternalPermissionProfileType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "network",
+              "type"
+            ],
+            "title": "ExternalPermissionProfile",
+            "type": "object"
+          }
+        ]
+      },
+      "PermissionProfileFileSystemPermissions": {
+        "oneOf": [
+          {
+            "properties": {
+              "entries": {
+                "items": {
+                  "$ref": "#/definitions/v2/FileSystemSandboxEntry"
+                },
+                "type": "array"
+              },
+              "globScanMaxDepth": {
+                "format": "uint",
+                "minimum": 1.0,
+                "type": [
+                  "integer",
+                  "null"
+                ]
+              },
+              "type": {
+                "enum": [
+                  "restricted"
+                ],
+                "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "entries",
+              "type"
+            ],
+            "title": "RestrictedPermissionProfileFileSystemPermissions",
+            "type": "object"
+          },
+          {
+            "properties": {
+              "type": {
+                "enum": [
+                  "unrestricted"
+                ],
+                "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+            "type": "object"
+          }
+        ]
+      },
+      "PermissionProfileModificationParams": {
+        "oneOf": [
+          {
+            "description": "Additional concrete directory that should be writable.",
+            "properties": {
+              "path": {
+                "$ref": "#/definitions/v2/AbsolutePathBuf"
+              },
+              "type": {
+                "enum": [
+                  "additionalWritableRoot"
+                ],
+                "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "path",
+              "type"
+            ],
+            "title": "AdditionalWritableRootPermissionProfileModificationParams",
+            "type": "object"
+          }
+        ]
+      },
+      "PermissionProfileNetworkPermissions": {
+        "properties": {
+          "enabled": {
+            "type": "boolean"
+          }
+        },
+        "required": [
+          "enabled"
+        ],
+        "type": "object"
+      },
+      "PermissionProfileSelectionParams": {
+        "oneOf": [
+          {
+            "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+            "properties": {
+              "id": {
+                "type": "string"
+              },
+              "modifications": {
+                "items": {
+                  "$ref": "#/definitions/v2/PermissionProfileModificationParams"
+                },
+                "type": [
+                  "array",
+                  "null"
+                ]
+              },
+              "type": {
+                "enum": [
+                  "profile"
+                ],
+                "title": "ProfilePermissionProfileSelectionParamsType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "id",
+              "type"
+            ],
+            "title": "ProfilePermissionProfileSelectionParams",
+            "type": "object"
+          }
+        ]
+      },
      "Personality": {
        "enum": [
          "none",
@@ -11885,56 +11980,6 @@
        "title": "PluginInstallResponse",
        "type": "object"
      },
-      "PluginInstalledParams": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "properties": {
-          "cwds": {
-            "description": "Optional working directories used to discover repo marketplaces.",
-            "items": {
-              "$ref": "#/definitions/v2/AbsolutePathBuf"
-            },
-            "type": [
-              "array",
-              "null"
-            ]
-          },
-          "installSuggestionPluginNames": {
-            "description": "Additional uninstalled plugin names that should be returned when present locally. This is used by mention surfaces that intentionally expose install entrypoints.",
-            "items": {
-              "type": "string"
-            },
-            "type": [
-              "array",
-              "null"
-            ]
-          }
-        },
-        "title": "PluginInstalledParams",
-        "type": "object"
-      },
-      "PluginInstalledResponse": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "properties": {
-          "marketplaceLoadErrors": {
-            "default": [],
-            "items": {
-              "$ref": "#/definitions/v2/MarketplaceLoadErrorInfo"
-            },
-            "type": "array"
-          },
-          "marketplaces": {
-            "items": {
-              "$ref": "#/definitions/v2/PluginMarketplaceEntry"
-            },
-            "type": "array"
-          }
-        },
-        "required": [
-          "marketplaces"
-        ],
-        "title": "PluginInstalledResponse",
-        "type": "object"
-      },
      "PluginInterface": {
        "properties": {
          "brandColor": {
@@ -12211,58 +12256,6 @@
        "title": "PluginReadResponse",
        "type": "object"
      },
-      "PluginShareCheckoutParams": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "properties": {
-          "remotePluginId": {
-            "type": "string"
-          }
-        },
-        "required": [
-          "remotePluginId"
-        ],
-        "title": "PluginShareCheckoutParams",
-        "type": "object"
-      },
-      "PluginShareCheckoutResponse": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "properties": {
-          "marketplaceName": {
-            "type": "string"
-          },
-          "marketplacePath": {
-            "$ref": "#/definitions/v2/AbsolutePathBuf"
-          },
-          "pluginId": {
-            "type": "string"
-          },
-          "pluginName": {
-            "type": "string"
-          },
-          "pluginPath": {
-            "$ref": "#/definitions/v2/AbsolutePathBuf"
-          },
-          "remotePluginId": {
-            "type": "string"
-          },
-          "remoteVersion": {
-            "type": [
-              "string",
-              "null"
-            ]
-          }
-        },
-        "required": [
-          "marketplaceName",
-          "marketplacePath",
-          "pluginId",
-          "pluginName",
-          "pluginPath",
-          "remotePluginId"
-        ],
-        "title": "PluginShareCheckoutResponse",
-        "type": "object"
-      },
      "PluginShareContext": {
        "properties": {
          "creatorAccountUserId": {
@@ -12290,14 +12283,6 @@
          "remotePluginId": {
            "type": "string"
          },
-          "remoteVersion": {
-            "default": null,
-            "description": "Version of the remote shared plugin release when available.",
-            "type": [
-              "string",
-              "null"
-            ]
-          },
          "sharePrincipals": {
            "items": {
              "$ref": "#/definitions/v2/PluginSharePrincipal"
@@ -12714,24 +12699,9 @@
            },
            "type": "array"
          },
-          "localVersion": {
-            "default": null,
-            "description": "Version of the locally materialized plugin package when available.",
-            "type": [
-              "string",
-              "null"
-            ]
-          },
          "name": {
            "type": "string"
          },
-          "remotePluginId": {
-            "description": "Backend remote plugin identifier when available.",
-            "type": [
-              "string",
-              "null"
-            ]
-          },
          "shareContext": {
            "anyOf": [
              {
@@ -13425,16 +13395,12 @@
          "installationId": {
            "type": "string"
          },
-          "serverName": {
-            "type": "string"
-          },
          "status": {
            "$ref": "#/definitions/v2/RemoteControlConnectionStatus"
          }
        },
        "required": [
          "installationId",
-          "serverName",
          "status"
        ],
        "title": "RemoteControlStatusChangedNotification",
@@ -14048,22 +14014,6 @@
            "title": "CompactionResponseItem",
            "type": "object"
          },
-          {
-            "properties": {
-              "type": {
-                "enum": [
-                  "compaction_trigger"
-                ],
-                "title": "CompactionTriggerResponseItemType",
-                "type": "string"
-              }
-            },
-            "required": [
-              "type"
-            ],
-            "title": "CompactionTriggerResponseItem",
-            "type": "object"
-          },
          {
            "properties": {
              "encrypted_content": {
@@ -15510,7 +15460,7 @@
                "$ref": "#/definitions/v2/SandboxPolicy"
              }
            ],
-            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
          },
          "serviceTier": {
            "type": [
@@ -15597,8 +15547,6 @@
        "enum": [
          "active",
          "paused",
-          "blocked",
-          "usageLimited",
          "budgetLimited",
          "complete"
        ],
@@ -17004,7 +16952,7 @@
                "$ref": "#/definitions/v2/SandboxPolicy"
              }
            ],
-            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
          },
          "serviceTier": {
            "type": [
@@ -17312,7 +17260,7 @@
                "$ref": "#/definitions/v2/SandboxPolicy"
              }
            ],
-            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+            "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
          },
          "serviceTier": {
            "type": [
@@ -17634,6 +17582,12 @@
      },
      "ToolsV2": {
        "properties": {
+          "view_image": {
+            "type": [
+              "boolean",
+              "null"
+            ]
+          },
          "web_search": {
            "anyOf": [
              {
@@ -18115,17 +18069,6 @@
          },
          {
            "properties": {
-              "detail": {
-                "anyOf": [
-                  {
-                    "$ref": "#/definitions/v2/ImageDetail"
-                  },
-                  {
-                    "type": "null"
-                  }
-                ],
-                "default": null
-              },
              "type": {
                "enum": [
                  "image"
@@ -18146,17 +18089,6 @@
          },
          {
            "properties": {
-              "detail": {
-                "anyOf": [
-                  {
-                    "$ref": "#/definitions/v2/ImageDetail"
-                  },
-                  {
-                    "type": "null"
-                  }
-                ],
-                "default": null
-              },
              "path": {
                "type": "string"
              },
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
@@ -143,6 +143,14 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
+        },
+        "modifications": {
+          "default": [],
+          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+          "items": {
+            "$ref": "#/definitions/ActivePermissionProfileModification"
+          },
+          "type": "array"
        }
      },
      "required": [
@@ -150,6 +158,31 @@
      ],
      "type": "object"
    },
+    "ActivePermissionProfileModification": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootActivePermissionProfileModification",
+          "type": "object"
+        }
+      ]
+    },
    "AddCreditsNudgeCreditType": {
      "enum": [
        "credits",
@@ -826,25 +859,6 @@
        }
      ]
    },
-    "AutoCompactTokenLimitScope": {
-      "description": "Selects which part of the active context is charged against `model_auto_compact_token_limit`.",
-      "oneOf": [
-        {
-          "description": "Count the full active context against the limit.",
-          "enum": [
-            "total"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "Count sampled output and later growth after the carried window prefix.",
-          "enum": [
-            "body_after_prefix"
-          ],
-          "type": "string"
-        }
-      ]
-    },
    "AutoReviewDecisionSource": {
      "description": "[UNSTABLE] Source that produced a terminal approval auto-review decision.",
      "enum": [
@@ -1483,30 +1497,6 @@
          "title": "Plugin/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/RequestId"
-            },
-            "method": {
-              "enum": [
-                "plugin/installed"
-              ],
-              "title": "Plugin/installedRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/PluginInstalledParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Plugin/installedRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -1627,30 +1617,6 @@
          "title": "Plugin/share/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/RequestId"
-            },
-            "method": {
-              "enum": [
-                "plugin/share/checkout"
-              ],
-              "title": "Plugin/share/checkoutRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/PluginShareCheckoutParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Plugin/share/checkoutRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -3518,13 +3484,6 @@
            "null"
          ]
        },
-        "desktop": {
-          "additionalProperties": true,
-          "type": [
-            "object",
-            "null"
-          ]
-        },
        "developer_instructions": {
          "type": [
            "string",
@@ -3532,13 +3491,9 @@
          ]
        },
        "forced_chatgpt_workspace_id": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/ForcedChatgptWorkspaceIds"
-            },
-            {
-              "type": "null"
-            }
+          "type": [
+            "string",
+            "null"
          ]
        },
        "forced_login_method": {
@@ -3570,16 +3525,6 @@
            "null"
          ]
        },
-        "model_auto_compact_token_limit_scope": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AutoCompactTokenLimitScope"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "model_context_window": {
          "format": "int64",
          "type": [
@@ -3843,13 +3788,6 @@
              ],
              "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
            },
-            "profile": {
-              "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "user"
@@ -3991,12 +3929,6 @@
    },
    "ConfigRequirements": {
      "properties": {
-        "allowManagedHooksOnly": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        },
        "allowedApprovalPolicies": {
          "items": {
            "$ref": "#/definitions/AskForApproval"
@@ -4181,12 +4113,6 @@
            "command": {
              "type": "string"
            },
-            "commandWindows": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "statusMessage": {
              "type": [
                "string",
@@ -4612,13 +4538,6 @@
            "integer",
            "null"
          ]
-        },
-        "threadId": {
-          "description": "Optional loaded thread id. Pass this when showing feature state for an existing thread so enablement is computed from that thread's refreshed config, including project-local config for the thread's cwd.",
-          "type": [
-            "string",
-            "null"
-          ]
        }
      },
      "title": "ExperimentalFeatureListParams",
@@ -5124,20 +5043,6 @@
      ],
      "type": "object"
    },
-    "ForcedChatgptWorkspaceIds": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      ],
-      "description": "Backward-compatible API shape for ChatGPT workspace login restrictions."
-    },
    "ForcedLoginMethod": {
      "enum": [
        "chatgpt",
@@ -6480,6 +6385,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -8228,6 +8135,194 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
@@ -8434,56 +8529,6 @@
      "title": "PluginInstallResponse",
      "type": "object"
    },
-    "PluginInstalledParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "cwds": {
-          "description": "Optional working directories used to discover repo marketplaces.",
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "installSuggestionPluginNames": {
-          "description": "Additional uninstalled plugin names that should be returned when present locally. This is used by mention surfaces that intentionally expose install entrypoints.",
-          "items": {
-            "type": "string"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        }
-      },
-      "title": "PluginInstalledParams",
-      "type": "object"
-    },
-    "PluginInstalledResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "marketplaceLoadErrors": {
-          "default": [],
-          "items": {
-            "$ref": "#/definitions/MarketplaceLoadErrorInfo"
-          },
-          "type": "array"
-        },
-        "marketplaces": {
-          "items": {
-            "$ref": "#/definitions/PluginMarketplaceEntry"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "marketplaces"
-      ],
-      "title": "PluginInstalledResponse",
-      "type": "object"
-    },
    "PluginInterface": {
      "properties": {
        "brandColor": {
@@ -8760,58 +8805,6 @@
      "title": "PluginReadResponse",
      "type": "object"
    },
-    "PluginShareCheckoutParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "remotePluginId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "remotePluginId"
-      ],
-      "title": "PluginShareCheckoutParams",
-      "type": "object"
-    },
-    "PluginShareCheckoutResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "marketplaceName": {
-          "type": "string"
-        },
-        "marketplacePath": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "pluginId": {
-          "type": "string"
-        },
-        "pluginName": {
-          "type": "string"
-        },
-        "pluginPath": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "remotePluginId": {
-          "type": "string"
-        },
-        "remoteVersion": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "marketplaceName",
-        "marketplacePath",
-        "pluginId",
-        "pluginName",
-        "pluginPath",
-        "remotePluginId"
-      ],
-      "title": "PluginShareCheckoutResponse",
-      "type": "object"
-    },
    "PluginShareContext": {
      "properties": {
        "creatorAccountUserId": {
@@ -8839,14 +8832,6 @@
        "remotePluginId": {
          "type": "string"
        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "sharePrincipals": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
@@ -9263,24 +9248,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
@@ -9974,16 +9944,12 @@
        "installationId": {
          "type": "string"
        },
-        "serverName": {
-          "type": "string"
-        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
        "installationId",
-        "serverName",
        "status"
      ],
      "title": "RemoteControlStatusChangedNotification",
@@ -10597,22 +10563,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
@@ -13334,7 +13284,7 @@
              "$ref": "#/definitions/SandboxPolicy"
            }
          ],
-          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
        },
        "serviceTier": {
          "type": [
@@ -13421,8 +13371,6 @@
      "enum": [
        "active",
        "paused",
-        "blocked",
-        "usageLimited",
        "budgetLimited",
        "complete"
      ],
@@ -14828,7 +14776,7 @@
              "$ref": "#/definitions/SandboxPolicy"
            }
          ],
-          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
        },
        "serviceTier": {
          "type": [
@@ -15136,7 +15084,7 @@
              "$ref": "#/definitions/SandboxPolicy"
            }
          ],
-          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+          "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
        },
        "serviceTier": {
          "type": [
@@ -15458,6 +15406,12 @@
    },
    "ToolsV2": {
      "properties": {
+        "view_image": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
        "web_search": {
          "anyOf": [
            {
@@ -15939,17 +15893,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -15970,17 +15913,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -27,6 +27,202 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "NetworkAccess": {
      "enum": [
        "restricted",
@@ -34,6 +230,135 @@
      ],
      "type": "string"
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "SandboxPolicy": {
      "oneOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
@@ -188,25 +188,6 @@
        }
      ]
    },
-    "AutoCompactTokenLimitScope": {
-      "description": "Selects which part of the active context is charged against `model_auto_compact_token_limit`.",
-      "oneOf": [
-        {
-          "description": "Count the full active context against the limit.",
-          "enum": [
-            "total"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "Count sampled output and later growth after the carried window prefix.",
-          "enum": [
-            "body_after_prefix"
-          ],
-          "type": "string"
-        }
-      ]
-    },
    "Config": {
      "additionalProperties": true,
      "properties": {
@@ -247,13 +228,6 @@
            "null"
          ]
        },
-        "desktop": {
-          "additionalProperties": true,
-          "type": [
-            "object",
-            "null"
-          ]
-        },
        "developer_instructions": {
          "type": [
            "string",
@@ -261,13 +235,9 @@
          ]
        },
        "forced_chatgpt_workspace_id": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/ForcedChatgptWorkspaceIds"
-            },
-            {
-              "type": "null"
-            }
+          "type": [
+            "string",
+            "null"
          ]
        },
        "forced_login_method": {
@@ -299,16 +269,6 @@
            "null"
          ]
        },
-        "model_auto_compact_token_limit_scope": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AutoCompactTokenLimitScope"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "model_context_window": {
          "format": "int64",
          "type": [
@@ -522,13 +482,6 @@
              ],
              "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
            },
-            "profile": {
-              "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "user"
@@ -621,20 +574,6 @@
        }
      ]
    },
-    "ForcedChatgptWorkspaceIds": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      ],
-      "description": "Backward-compatible API shape for ChatGPT workspace login restrictions."
-    },
    "ForcedLoginMethod": {
      "enum": [
        "chatgpt",
@@ -809,6 +748,12 @@
    },
    "ToolsV2": {
      "properties": {
+        "view_image": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
        "web_search": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
@@ -62,12 +62,6 @@
    },
    "ConfigRequirements": {
      "properties": {
-        "allowManagedHooksOnly": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        },
        "allowedApprovalPolicies": {
          "items": {
            "$ref": "#/definitions/AskForApproval"
@@ -127,12 +121,6 @@
            "command": {
              "type": "string"
            },
-            "commandWindows": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "statusMessage": {
              "type": [
                "string",
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigWriteResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigWriteResponse.json
@@ -84,13 +84,6 @@
              ],
              "description": "This is the path to the user's config.toml file, though it is not guaranteed to exist."
            },
-            "profile": {
-              "description": "Name of the selected profile-v2 config layered on top of the base user config, when this layer represents one.",
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "user"
--- a/codex-rs/app-server-protocol/schema/json/v2/ExperimentalFeatureListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ExperimentalFeatureListParams.json
@@ -16,13 +16,6 @@
        "integer",
        "null"
      ]
-    },
-    "threadId": {
-      "description": "Optional loaded thread id. Pass this when showing feature state for an existing thread so enablement is computed from that thread's refreshed config, including project-local config for the thread's cwd.",
-      "type": [
-        "string",
-        "null"
-      ]
    }
  },
  "title": "ExperimentalFeatureListParams",
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemCompletedNotification.json
@@ -285,13 +285,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1186,17 +1179,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1217,17 +1199,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemStartedNotification.json
@@ -285,13 +285,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1186,17 +1179,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1217,17 +1199,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginInstalledParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginInstalledParams.json
@@ -1,33 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    }
-  },
-  "properties": {
-    "cwds": {
-      "description": "Optional working directories used to discover repo marketplaces.",
-      "items": {
-        "$ref": "#/definitions/AbsolutePathBuf"
-      },
-      "type": [
-        "array",
-        "null"
-      ]
-    },
-    "installSuggestionPluginNames": {
-      "description": "Additional uninstalled plugin names that should be returned when present locally. This is used by mention surfaces that intentionally expose install entrypoints.",
-      "items": {
-        "type": "string"
-      },
-      "type": [
-        "array",
-        "null"
-      ]
-    }
-  },
-  "title": "PluginInstalledParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginInstalledResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginInstalledResponse.json
@@ -1,525 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
-    "MarketplaceInterface": {
-      "properties": {
-        "displayName": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
-    "MarketplaceLoadErrorInfo": {
-      "properties": {
-        "marketplacePath": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "message": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "marketplacePath",
-        "message"
-      ],
-      "type": "object"
-    },
-    "PluginAuthPolicy": {
-      "enum": [
-        "ON_INSTALL",
-        "ON_USE"
-      ],
-      "type": "string"
-    },
-    "PluginAvailability": {
-      "oneOf": [
-        {
-          "enum": [
-            "DISABLED_BY_ADMIN"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "Plugin-service currently sends `\"ENABLED\"` for available remote plugins. Codex app-server exposes `\"AVAILABLE\"` in its API; the alias keeps decoding compatible with that upstream response.",
-          "enum": [
-            "AVAILABLE"
-          ],
-          "type": "string"
-        }
-      ]
-    },
-    "PluginInstallPolicy": {
-      "enum": [
-        "NOT_AVAILABLE",
-        "AVAILABLE",
-        "INSTALLED_BY_DEFAULT"
-      ],
-      "type": "string"
-    },
-    "PluginInterface": {
-      "properties": {
-        "brandColor": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "capabilities": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "category": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "composerIcon": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Local composer icon path, resolved from the installed plugin package."
-        },
-        "composerIconUrl": {
-          "description": "Remote composer icon URL from the plugin catalog.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "defaultPrompt": {
-          "description": "Starter prompts for the plugin. Capped at 3 entries with a maximum of 128 characters per entry.",
-          "items": {
-            "type": "string"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "developerName": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "displayName": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "logo": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Local logo path, resolved from the installed plugin package."
-        },
-        "logoUrl": {
-          "description": "Remote logo URL from the plugin catalog.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "longDescription": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "privacyPolicyUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "screenshotUrls": {
-          "description": "Remote screenshot URLs from the plugin catalog.",
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "screenshots": {
-          "description": "Local screenshot paths, resolved from the installed plugin package.",
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": "array"
-        },
-        "shortDescription": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "termsOfServiceUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "websiteUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "capabilities",
-        "screenshotUrls",
-        "screenshots"
-      ],
-      "type": "object"
-    },
-    "PluginMarketplaceEntry": {
-      "properties": {
-        "interface": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/MarketplaceInterface"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "name": {
-          "type": "string"
-        },
-        "path": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Local marketplace file path when the marketplace is backed by a local file. Remote-only catalog marketplaces do not have a local path."
-        },
-        "plugins": {
-          "items": {
-            "$ref": "#/definitions/PluginSummary"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "name",
-        "plugins"
-      ],
-      "type": "object"
-    },
-    "PluginShareContext": {
-      "properties": {
-        "creatorAccountUserId": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "creatorName": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "remotePluginId": {
-          "type": "string"
-        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "sharePrincipals": {
-          "items": {
-            "$ref": "#/definitions/PluginSharePrincipal"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "shareUrl": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "remotePluginId"
-      ],
-      "type": "object"
-    },
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
-    "PluginSharePrincipal": {
-      "properties": {
-        "name": {
-          "type": "string"
-        },
-        "principalId": {
-          "type": "string"
-        },
-        "principalType": {
-          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
-        }
-      },
-      "required": [
-        "name",
-        "principalId",
-        "principalType",
-        "role"
-      ],
-      "type": "object"
-    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
-    "PluginSharePrincipalType": {
-      "enum": [
-        "user",
-        "group",
-        "workspace"
-      ],
-      "type": "string"
-    },
-    "PluginSource": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "local"
-              ],
-              "title": "LocalPluginSourceType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "LocalPluginSource",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "refName": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "sha": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "git"
-              ],
-              "title": "GitPluginSourceType",
-              "type": "string"
-            },
-            "url": {
-              "type": "string"
-            }
-          },
-          "required": [
-            "type",
-            "url"
-          ],
-          "title": "GitPluginSource",
-          "type": "object"
-        },
-        {
-          "description": "The plugin is available in the remote catalog. Download metadata is kept server-side and is not exposed through the app-server API.",
-          "properties": {
-            "type": {
-              "enum": [
-                "remote"
-              ],
-              "title": "RemotePluginSourceType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "RemotePluginSource",
-          "type": "object"
-        }
-      ]
-    },
-    "PluginSummary": {
-      "properties": {
-        "authPolicy": {
-          "$ref": "#/definitions/PluginAuthPolicy"
-        },
-        "availability": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/PluginAvailability"
-            }
-          ],
-          "default": "AVAILABLE",
-          "description": "Availability state for installing and using the plugin."
-        },
-        "enabled": {
-          "type": "boolean"
-        },
-        "id": {
-          "type": "string"
-        },
-        "installPolicy": {
-          "$ref": "#/definitions/PluginInstallPolicy"
-        },
-        "installed": {
-          "type": "boolean"
-        },
-        "interface": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginInterface"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "keywords": {
-          "default": [],
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "name": {
-          "type": "string"
-        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "shareContext": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareContext"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Remote sharing context associated with this plugin when available."
-        },
-        "source": {
-          "$ref": "#/definitions/PluginSource"
-        }
-      },
-      "required": [
-        "authPolicy",
-        "enabled",
-        "id",
-        "installPolicy",
-        "installed",
-        "name",
-        "source"
-      ],
-      "type": "object"
-    }
-  },
-  "properties": {
-    "marketplaceLoadErrors": {
-      "default": [],
-      "items": {
-        "$ref": "#/definitions/MarketplaceLoadErrorInfo"
-      },
-      "type": "array"
-    },
-    "marketplaces": {
-      "items": {
-        "$ref": "#/definitions/PluginMarketplaceEntry"
-      },
-      "type": "array"
-    }
-  },
-  "required": [
-    "marketplaces"
-  ],
-  "title": "PluginInstalledResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
@@ -259,14 +259,6 @@
        "remotePluginId": {
          "type": "string"
        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "sharePrincipals": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
@@ -457,24 +449,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
@@ -313,14 +313,6 @@
        "remotePluginId": {
          "type": "string"
        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "sharePrincipals": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
@@ -511,24 +503,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutParams.json
@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "remotePluginId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "remotePluginId"
-  ],
-  "title": "PluginShareCheckoutParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareCheckoutResponse.json
@@ -1,45 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    }
-  },
-  "properties": {
-    "marketplaceName": {
-      "type": "string"
-    },
-    "marketplacePath": {
-      "$ref": "#/definitions/AbsolutePathBuf"
-    },
-    "pluginId": {
-      "type": "string"
-    },
-    "pluginName": {
-      "type": "string"
-    },
-    "pluginPath": {
-      "$ref": "#/definitions/AbsolutePathBuf"
-    },
-    "remotePluginId": {
-      "type": "string"
-    },
-    "remoteVersion": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "required": [
-    "marketplaceName",
-    "marketplacePath",
-    "pluginId",
-    "pluginName",
-    "pluginPath",
-    "remotePluginId"
-  ],
-  "title": "PluginShareCheckoutResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
@@ -194,14 +194,6 @@
        "remotePluginId": {
          "type": "string"
        },
-        "remoteVersion": {
-          "default": null,
-          "description": "Version of the remote shared plugin release when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "sharePrincipals": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
@@ -413,24 +405,9 @@
          },
          "type": "array"
        },
-        "localVersion": {
-          "default": null,
-          "description": "Version of the locally materialized plugin package when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "name": {
          "type": "string"
        },
-        "remotePluginId": {
-          "description": "Backend remote plugin identifier when available.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "shareContext": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/RawResponseItemCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/RawResponseItemCompletedNotification.json
@@ -145,6 +145,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -730,22 +732,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
--- a/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
@@ -22,16 +22,12 @@
    "installationId": {
      "type": "string"
    },
-    "serverName": {
-      "type": "string"
-    },
    "status": {
      "$ref": "#/definitions/RemoteControlConnectionStatus"
    }
  },
  "required": [
    "installationId",
-    "serverName",
    "status"
  ],
  "title": "RemoteControlStatusChangedNotification",
--- a/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
@@ -422,13 +422,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1459,17 +1452,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1490,17 +1472,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
@@ -1,6 +1,10 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
    "ApprovalsReviewer": {
      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
@@ -60,6 +64,65 @@
        }
      ]
    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxMode": {
      "enum": [
        "read-only",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -18,6 +18,14 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
+        },
+        "modifications": {
+          "default": [],
+          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+          "items": {
+            "$ref": "#/definitions/ActivePermissionProfileModification"
+          },
+          "type": "array"
        }
      },
      "required": [
@@ -25,6 +33,31 @@
      ],
      "type": "object"
    },
+    "ActivePermissionProfileModification": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootActivePermissionProfileModification",
+          "type": "object"
+        }
+      ]
+    },
    "AgentPath": {
      "type": "string"
    },
@@ -470,6 +503,202 @@
      ],
      "type": "string"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -527,13 +756,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -715,6 +937,135 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -2019,17 +2370,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -2050,17 +2390,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -2276,7 +2605,7 @@
          "$ref": "#/definitions/SandboxPolicy"
        }
      ],
-      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
    },
    "serviceTier": {
      "type": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalUpdatedNotification.json
@@ -51,8 +51,6 @@
      "enum": [
        "active",
        "paused",
-        "blocked",
-        "usageLimited",
        "budgetLimited",
        "complete"
      ],
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
@@ -1,6 +1,10 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
    "ApprovalsReviewer": {
      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
@@ -204,6 +208,8 @@
    },
    "ImageDetail": {
      "enum": [
+        "auto",
+        "low",
        "high",
        "original"
      ],
@@ -292,6 +298,65 @@
        }
      ]
    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
@@ -797,22 +862,6 @@
          "title": "CompactionResponseItem",
          "type": "object"
        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "compaction_trigger"
-              ],
-              "title": "CompactionTriggerResponseItemType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "CompactionTriggerResponseItem",
-          "type": "object"
-        },
        {
          "properties": {
            "encrypted_content": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -18,6 +18,14 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
+        },
+        "modifications": {
+          "default": [],
+          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+          "items": {
+            "$ref": "#/definitions/ActivePermissionProfileModification"
+          },
+          "type": "array"
        }
      },
      "required": [
@@ -25,6 +33,31 @@
      ],
      "type": "object"
    },
+    "ActivePermissionProfileModification": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootActivePermissionProfileModification",
+          "type": "object"
+        }
+      ]
+    },
    "AgentPath": {
      "type": "string"
    },
@@ -470,6 +503,202 @@
      ],
      "type": "string"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -527,13 +756,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -715,6 +937,135 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -2019,17 +2370,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -2050,17 +2390,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -2276,7 +2605,7 @@
          "$ref": "#/definitions/SandboxPolicy"
        }
      ],
-      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
    },
    "serviceTier": {
      "type": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
@@ -90,6 +90,65 @@
      ],
      "type": "object"
    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
@@ -18,6 +18,14 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
+        },
+        "modifications": {
+          "default": [],
+          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
+          "items": {
+            "$ref": "#/definitions/ActivePermissionProfileModification"
+          },
+          "type": "array"
        }
      },
      "required": [
@@ -25,6 +33,31 @@
      ],
      "type": "object"
    },
+    "ActivePermissionProfileModification": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootActivePermissionProfileModification",
+          "type": "object"
+        }
+      ]
+    },
    "AgentPath": {
      "type": "string"
    },
@@ -470,6 +503,202 @@
      ],
      "type": "string"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -527,13 +756,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -715,6 +937,135 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -2019,17 +2370,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -2050,17 +2390,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
@@ -2276,7 +2605,7 @@
          "$ref": "#/definitions/SandboxPolicy"
        }
      ],
-      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `activePermissionProfile` for profile provenance."
+      "description": "Legacy sandbox policy retained for compatibility. Experimental clients should prefer `permissionProfile` when they need exact runtime permissions."
    },
    "serviceTier": {
      "type": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
@@ -448,13 +448,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1834,17 +1827,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1865,17 +1847,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
@@ -422,13 +422,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1459,17 +1452,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1490,17 +1472,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
@@ -99,13 +99,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "ModeKind": {
      "description": "Initial collaboration mode to use when the TUI starts.",
      "enum": [
@@ -121,6 +114,65 @@
      ],
      "type": "string"
    },
+    "PermissionProfileModificationParams": {
+      "oneOf": [
+        {
+          "description": "Additional concrete directory that should be writable.",
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "additionalWritableRoot"
+              ],
+              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "AdditionalWritableRootPermissionProfileModificationParams",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileSelectionParams": {
+      "oneOf": [
+        {
+          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "properties": {
+            "id": {
+              "type": "string"
+            },
+            "modifications": {
+              "items": {
+                "$ref": "#/definitions/PermissionProfileModificationParams"
+              },
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "profile"
+              ],
+              "title": "ProfilePermissionProfileSelectionParamsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "id",
+            "type"
+          ],
+          "title": "ProfilePermissionProfileSelectionParams",
+          "type": "object"
+        }
+      ]
+    },
    "Personality": {
      "enum": [
        "none",
@@ -358,17 +410,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -389,17 +430,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
@@ -422,13 +422,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1459,17 +1452,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1490,17 +1472,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
@@ -422,13 +422,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -1459,17 +1452,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -1490,17 +1472,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnSteerParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnSteerParams.json
@@ -20,13 +20,6 @@
      ],
      "type": "object"
    },
-    "ImageDetail": {
-      "enum": [
-        "high",
-        "original"
-      ],
-      "type": "string"
-    },
    "TextElement": {
      "properties": {
        "byteRange": {
@@ -82,17 +75,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "type": {
              "enum": [
                "image"
@@ -113,17 +95,6 @@
        },
        {
          "properties": {
-            "detail": {
-              "anyOf": [
-                {
-                  "$ref": "#/definitions/ImageDetail"
-                },
-                {
-                  "type": "null"
-                }
-              ],
-              "default": null
-            },
            "path": {
              "type": "string"
            },
--- a/codex-rs/app-server-protocol/schema/typescript/AutoCompactTokenLimitScope.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/AutoCompactTokenLimitScope.ts
@@ -1,9 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-/**
- * Selects which part of the active context is charged against
- * `model_auto_compact_token_limit`.
- */
-export type AutoCompactTokenLimitScope = "total" | "body_after_prefix";
--- a/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
--- a/codex-rs/app-server-protocol/schema/typescript/ImageDetail.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ImageDetail.ts
@@ -2,4 +2,4 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type ImageDetail = "high" | "original";
+export type ImageDetail = "auto" | "low" | "high" | "original";
--- a/codex-rs/app-server-protocol/schema/typescript/ResponseItem.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ResponseItem.ts
@@ -14,4 +14,4 @@ export type ResponseItem = { "type": "message", role: string, content: Array<Con
 /**
 * Set when using the Responses API.
 */
-call_id: string | null, status: LocalShellStatus, action: LocalShellAction, } | { "type": "function_call", name: string, namespace?: string, arguments: string, call_id: string, } | { "type": "tool_search_call", call_id: string | null, status?: string, execution: string, arguments: unknown, } | { "type": "function_call_output", call_id: string, output: FunctionCallOutputBody, } | { "type": "custom_tool_call", status?: string, call_id: string, name: string, input: string, } | { "type": "custom_tool_call_output", call_id: string, name?: string, output: FunctionCallOutputBody, } | { "type": "tool_search_output", call_id: string | null, status: string, execution: string, tools: unknown[], } | { "type": "web_search_call", status?: string, action?: WebSearchAction, } | { "type": "image_generation_call", id: string, status: string, revised_prompt?: string, result: string, } | { "type": "compaction", encrypted_content: string, } | { "type": "compaction_trigger" } | { "type": "context_compaction", encrypted_content?: string, } | { "type": "other" };
+call_id: string | null, status: LocalShellStatus, action: LocalShellAction, } | { "type": "function_call", name: string, namespace?: string, arguments: string, call_id: string, } | { "type": "tool_search_call", call_id: string | null, status?: string, execution: string, arguments: unknown, } | { "type": "function_call_output", call_id: string, output: FunctionCallOutputBody, } | { "type": "custom_tool_call", status?: string, call_id: string, name: string, input: string, } | { "type": "custom_tool_call_output", call_id: string, name?: string, output: FunctionCallOutputBody, } | { "type": "tool_search_output", call_id: string | null, status: string, execution: string, tools: unknown[], } | { "type": "web_search_call", status?: string, action?: WebSearchAction, } | { "type": "image_generation_call", id: string, status: string, revised_prompt?: string, result: string, } | { "type": "compaction", encrypted_content: string, } | { "type": "context_compaction", encrypted_content?: string, } | { "type": "other" };
--- a/codex-rs/app-server-protocol/schema/typescript/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/index.ts
@@ -5,7 +5,6 @@ export type { AgentPath } from "./AgentPath";
 export type { ApplyPatchApprovalParams } from "./ApplyPatchApprovalParams";
 export type { ApplyPatchApprovalResponse } from "./ApplyPatchApprovalResponse";
 export type { AuthMode } from "./AuthMode";
-export type { AutoCompactTokenLimitScope } from "./AutoCompactTokenLimitScope";
 export type { ClientInfo } from "./ClientInfo";
 export type { ClientNotification } from "./ClientNotification";
 export type { ClientRequest } from "./ClientRequest";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfile.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfile.ts
@@ -1,6 +1,7 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { ActivePermissionProfileModification } from "./ActivePermissionProfileModification";

 export type ActivePermissionProfile = {
 /**
@@ -12,4 +13,9 @@ id: string,
 * Parent profile identifier once permissions profiles support
 * inheritance. This is currently always `null`.
 */
-extends: string | null, };
+extends: string | null,
+/**
+ * Bounded user-requested modifications applied on top of the named
+ * profile, if any.
+ */
+modifications: Array<ActivePermissionProfileModification>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfileModification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfileModification.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+export type ActivePermissionProfileModification = { "type": "additionalWritableRoot", path: AbsolutePathBuf, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/Config.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/Config.ts
@@ -1,7 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { AutoCompactTokenLimitScope } from "../AutoCompactTokenLimitScope";
 import type { ForcedLoginMethod } from "../ForcedLoginMethod";
 import type { ReasoningEffort } from "../ReasoningEffort";
 import type { ReasoningSummary } from "../ReasoningSummary";
@@ -11,14 +10,13 @@ import type { JsonValue } from "../serde_json/JsonValue";
 import type { AnalyticsConfig } from "./AnalyticsConfig";
 import type { ApprovalsReviewer } from "./ApprovalsReviewer";
 import type { AskForApproval } from "./AskForApproval";
-import type { ForcedChatgptWorkspaceIds } from "./ForcedChatgptWorkspaceIds";
 import type { ProfileV2 } from "./ProfileV2";
 import type { SandboxMode } from "./SandboxMode";
 import type { SandboxWorkspaceWrite } from "./SandboxWorkspaceWrite";
 import type { ToolsV2 } from "./ToolsV2";

-export type Config = {model: string | null, review_model: string | null, model_context_window: bigint | null, model_auto_compact_token_limit: bigint | null, model_auto_compact_token_limit_scope: AutoCompactTokenLimitScope | null, model_provider: string | null, approval_policy: AskForApproval | null, /**
+export type Config = {model: string | null, review_model: string | null, model_context_window: bigint | null, model_auto_compact_token_limit: bigint | null, model_provider: string | null, approval_policy: AskForApproval | null, /**
 * [UNSTABLE] Optional default for where approval requests are routed for
 * review.
 */
-approvals_reviewer: ApprovalsReviewer | null, sandbox_mode: SandboxMode | null, sandbox_workspace_write: SandboxWorkspaceWrite | null, forced_chatgpt_workspace_id: ForcedChatgptWorkspaceIds | null, forced_login_method: ForcedLoginMethod | null, web_search: WebSearchMode | null, tools: ToolsV2 | null, profile: string | null, profiles: { [key in string]?: ProfileV2 }, instructions: string | null, developer_instructions: string | null, compact_prompt: string | null, model_reasoning_effort: ReasoningEffort | null, model_reasoning_summary: ReasoningSummary | null, model_verbosity: Verbosity | null, service_tier: string | null, analytics: AnalyticsConfig | null, desktop: { [key in string]?: JsonValue } | null} & ({ [key in string]?: number | string | boolean | Array<JsonValue> | { [key in string]?: JsonValue } | null });
+approvals_reviewer: ApprovalsReviewer | null, sandbox_mode: SandboxMode | null, sandbox_workspace_write: SandboxWorkspaceWrite | null, forced_chatgpt_workspace_id: string | null, forced_login_method: ForcedLoginMethod | null, web_search: WebSearchMode | null, tools: ToolsV2 | null, profile: string | null, profiles: { [key in string]?: ProfileV2 }, instructions: string | null, developer_instructions: string | null, compact_prompt: string | null, model_reasoning_effort: ReasoningEffort | null, model_reasoning_summary: ReasoningSummary | null, model_verbosity: Verbosity | null, service_tier: string | null, analytics: AnalyticsConfig | null} & ({ [key in string]?: number | string | boolean | Array<JsonValue> | { [key in string]?: JsonValue } | null });
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Michael Zeng	65c80faaf5	[exec-server] remove added HTTP upgrade tests	2026-05-11 15:31:01 -07:00
Ruslan Nigmatullin	81f5eabfc1	[exec-server] add HTTP-upgrade listen mode	2026-05-11 22:11:36 +00:00
Ruslan Nigmatullin	686953b63b	[exec-server] preserve raw websocket listen mode	2026-05-11 22:08:49 +00:00
Ruslan Nigmatullin	a4a0322224	[exec-server] drop binary websocket handling	2026-05-11 22:07:02 +00:00
Ruslan Nigmatullin	a5a031cde0	[exec-server] add readiness endpoint	2026-05-11 21:33:10 +00:00
Ruslan Nigmatullin	734af5228e	[exec-server] keep websocket URL surface unchanged	2026-05-11 21:16:39 +00:00
Ruslan Nigmatullin	6f40914087	[exec-server] add HTTP health endpoints	2026-05-09 21:48:53 +00:00