Fix sandbox detection for user shell commands (#6094 )

fix
escalating permissions
2026-02-08 09:53:39 +00:00 · 2025-11-01 17:27:03 -04:00 · 2025-10-31 17:27:35 -04:00 · 2025-10-31 17:15:50 -04:00 · 2025-10-31 13:27:33 -07:00 · 2025-10-31 11:01:58 -07:00
191 changed files with 12555 additions and 3947 deletions
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - name: Prepare Codex inputs
        env:
@@ -87,7 +87,7 @@ jobs:
      issues: write
    steps:
      - name: Comment on issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        env:
          CODEX_OUTPUT: ${{ needs.gather-duplicates.outputs.codex_output }}
        with:
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - id: codex
        uses: openai/codex-action@main
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1 +1 @@
-The changelog can be found on the [releases page](https://github.com/openai/codex/releases)
+The changelog can be found on the [releases page](https://github.com/openai/codex/releases).
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Then simply run `codex` to get started:
 codex
 ```

-If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-update-codex-isnt-upgrading-me).
+If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-upgrade-codex-isnt-upgrading-me).

 <details>
 <summary>You can also go to the <a href="https://github.com/openai/codex/releases/latest">latest GitHub Release</a> and download the appropriate binary for your platform.</summary>
@@ -79,7 +79,7 @@ Codex CLI supports a rich set of configuration options, with preferences stored
  - [Example prompts](./docs/getting-started.md#example-prompts)
  - [Custom prompts](./docs/prompts.md)
  - [Memory with AGENTS.md](./docs/getting-started.md#memory-with-agentsmd)
-  - [Configuration](./docs/config.md)
+- [**Configuration**](./docs/config.md)
 - [**Sandbox & approvals**](./docs/sandbox.md)
 - [**Authentication**](./docs/authentication.md)
  - [Auth methods](./docs/authentication.md#forcing-a-specific-auth-method-advanced)
--- a/codex-rs/.cargo/config.toml
+++ b/codex-rs/.cargo/config.toml
@@ -0,0 +1,5 @@
+[target.'cfg(all(windows, target_env = "msvc"))']
+rustflags = ["-C", "link-arg=/STACK:8388608"]
+
+[target.'cfg(all(windows, target_env = "gnu"))']
+rustflags = ["-C", "link-arg=-Wl,--stack,8388608"]
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -172,9 +172,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.99"
+version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"

 [[package]]
 name = "app_test_support"
@@ -592,9 +592,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"

 [[package]]
 name = "bitflags"
-version = "2.9.1"
+version = "2.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967"
+checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"

 [[package]]
 name = "block-buffer"
@@ -891,7 +891,7 @@ dependencies = [
 "pretty_assertions",
 "similar",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tree-sitter",
 "tree-sitter-bash",
 ]
@@ -950,7 +950,7 @@ dependencies = [
 "clap",
 "codex-common",
 "codex-core",
- "codex-git-apply",
+ "codex-git",
 "serde",
 "serde_json",
 "tempfile",
@@ -983,6 +983,7 @@ dependencies = [
 "codex-rmcp-client",
 "codex-stdio-to-uds",
 "codex-tui",
+ "codex-windows-sandbox",
 "ctor 0.5.0",
 "owo-colors",
 "predicates",
@@ -1027,11 +1028,11 @@ dependencies = [
 "async-trait",
 "chrono",
 "codex-backend-client",
- "codex-git-apply",
+ "codex-git",
 "diffy",
 "serde",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -1063,7 +1064,7 @@ dependencies = [
 "codex-apply-patch",
 "codex-async-utils",
 "codex-file-search",
- "codex-git-tooling",
+ "codex-git",
 "codex-keyring-store",
 "codex-otel",
 "codex-protocol",
@@ -1072,6 +1073,7 @@ dependencies = [
 "codex-utils-readiness",
 "codex-utils-string",
 "codex-utils-tokenizer",
+ "codex-windows-sandbox",
 "core-foundation 0.9.4",
 "core_test_support",
 "dirs",
@@ -1082,7 +1084,7 @@ dependencies = [
 "futures",
 "http",
 "image",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "keyring",
 "landlock",
 "libc",
@@ -1106,7 +1108,7 @@ dependencies = [
 "strum_macros 0.27.2",
 "tempfile",
 "test-log",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "time",
 "tokio",
 "tokio-test",
@@ -1202,24 +1204,17 @@ dependencies = [
 ]

 [[package]]
-name = "codex-git-apply"
-version = "0.0.0"
-dependencies = [
- "once_cell",
- "regex",
- "tempfile",
-]
-
-[[package]]
-name = "codex-git-tooling"
+name = "codex-git"
 version = "0.0.0"
 dependencies = [
 "assert_matches",
+ "once_cell",
 "pretty_assertions",
+ "regex",
 "schemars 0.8.22",
 "serde",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "ts-rs",
 "walkdir",
 ]
@@ -1346,10 +1341,11 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "base64",
- "codex-git-tooling",
+ "codex-git",
 "codex-utils-image",
 "icu_decimal",
 "icu_locale_core",
+ "icu_provider",
 "mcp-types",
 "mime_guess",
 "schemars 0.8.22",
@@ -1510,7 +1506,7 @@ dependencies = [
 "codex-utils-cache",
 "image",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 ]

@@ -1538,7 +1534,7 @@ version = "0.0.0"
 dependencies = [
 "assert_matches",
 "async-trait",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "time",
 "tokio",
 ]
@@ -1553,10 +1549,22 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "pretty_assertions",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tiktoken-rs",
 ]

+[[package]]
+name = "codex-windows-sandbox"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "dirs-next",
+ "rand 0.8.5",
+ "serde",
+ "serde_json",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "color-eyre"
 version = "0.6.5"
@@ -1745,7 +1753,7 @@ version = "0.28.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "829d955a0bb380ef178a640b91779e3987da38c9aea133b20614cfed8cdea9c6"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "crossterm_winapi",
 "futures-core",
 "mio",
@@ -2089,7 +2097,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "89a09f22a6c6069a18470eb92d2298acf25463f14256d24778e1230d789a2aec"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "objc2",
 ]

@@ -2714,7 +2722,7 @@ dependencies = [
 "futures-core",
 "futures-sink",
 "http",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "slab",
 "tokio",
 "tokio-util",
@@ -2758,6 +2766,12 @@ dependencies = [
 "foldhash",
 ]

+[[package]]
+name = "hashbrown"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
+
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -2991,9 +3005,9 @@ dependencies = [

 [[package]]
 name = "icu_collections"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
 dependencies = [
 "displaydoc",
 "potential_utf",
@@ -3004,34 +3018,31 @@ dependencies = [

 [[package]]
 name = "icu_decimal"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fec61c43fdc4e368a9f450272833123a8ef0d7083a44597660ce94d791b8a2e2"
+checksum = "a38c52231bc348f9b982c1868a2af3195199623007ba2c7650f432038f5b3e8e"
 dependencies = [
- "displaydoc",
 "fixed_decimal",
 "icu_decimal_data",
 "icu_locale",
 "icu_locale_core",
 "icu_provider",
- "tinystr",
 "writeable",
 "zerovec",
 ]

 [[package]]
 name = "icu_decimal_data"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b70963bc35f9bdf1bc66a5c1f458f4991c1dc71760e00fa06016b2c76b2738d5"
+checksum = "2905b4044eab2dd848fe84199f9195567b63ab3a93094711501363f63546fef7"

 [[package]]
 name = "icu_locale"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ae5921528335e91da1b6c695dbf1ec37df5ac13faa3f91e5640be93aa2fbefd"
+checksum = "532b11722e350ab6bf916ba6eb0efe3ee54b932666afec989465f9243fe6dd60"
 dependencies = [
- "displaydoc",
 "icu_collections",
 "icu_locale_core",
 "icu_locale_data",
@@ -3043,12 +3054,13 @@ dependencies = [

 [[package]]
 name = "icu_locale_core"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
 dependencies = [
 "displaydoc",
 "litemap",
+ "serde",
 "tinystr",
 "writeable",
 "zerovec",
@@ -3056,17 +3068,16 @@ dependencies = [

 [[package]]
 name = "icu_locale_data"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fdef0c124749d06a743c69e938350816554eb63ac979166590e2b4ee4252765"
+checksum = "f03e2fcaefecdf05619f3d6f91740e79ab969b4dd54f77cbf546b1d0d28e3147"

 [[package]]
 name = "icu_normalizer"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
 dependencies = [
- "displaydoc",
 "icu_collections",
 "icu_normalizer_data",
 "icu_properties",
@@ -3077,42 +3088,40 @@ dependencies = [

 [[package]]
 name = "icu_normalizer_data"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"

 [[package]]
 name = "icu_properties"
-version = "2.0.1"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
+checksum = "e93fcd3157766c0c8da2f8cff6ce651a31f0810eaa1c51ec363ef790bbb5fb99"
 dependencies = [
- "displaydoc",
 "icu_collections",
 "icu_locale_core",
 "icu_properties_data",
 "icu_provider",
- "potential_utf",
 "zerotrie",
 "zerovec",
 ]

 [[package]]
 name = "icu_properties_data"
-version = "2.0.1"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
+checksum = "02845b3647bb045f1100ecd6480ff52f34c35f82d9880e029d329c21d1054899"

 [[package]]
 name = "icu_provider"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
 dependencies = [
 "displaydoc",
 "icu_locale_core",
+ "serde",
 "stable_deref_trait",
- "tinystr",
 "writeable",
 "yoke",
 "zerofrom",
@@ -3198,13 +3207,14 @@ dependencies = [

 [[package]]
 name = "indexmap"
-version = "2.10.0"
+version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe4cd85333e22411419a0bcae1297d25e58c9443848b11dc6a86fefe8c78a661"
+checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f"
 dependencies = [
 "equivalent",
- "hashbrown 0.15.4",
+ "hashbrown 0.16.0",
 "serde",
+ "serde_core",
 ]

 [[package]]
@@ -3219,7 +3229,7 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "inotify-sys",
 "libc",
 ]
@@ -3282,7 +3292,7 @@ version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "cfg-if",
 "libc",
 ]
@@ -3492,7 +3502,7 @@ checksum = "b3d2ef408b88e913bfc6594f5e693d57676f6463ded7d8bf994175364320c706"
 dependencies = [
 "enumflags2",
 "libc",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -3528,7 +3538,7 @@ version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4488594b9328dee448adb906d8b126d9b7deb7cf5c22161ee591610bb1be83c0"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "libc",
 ]

@@ -3538,7 +3548,7 @@ version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "761e49ec5fd8a5a463f9b84e877c373d888935b71c6be78f3767fe2ae6bed18e"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "libc",
 ]

@@ -3806,7 +3816,7 @@ version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ab2156c4fce2f8df6c499cc1c763e4394b7482525bf2a9701c9d79d215f519e4"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "cfg-if",
 "cfg_aliases 0.1.1",
 "libc",
@@ -3818,7 +3828,7 @@ version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "71e2746dc3a24dd78b3cfcb7be93368c6de9963d30f43a6a73998a9cf4b17b46"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "cfg-if",
 "cfg_aliases 0.2.1",
 "libc",
@@ -3831,7 +3841,7 @@ version = "0.30.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "cfg-if",
 "cfg_aliases 0.2.1",
 "libc",
@@ -3859,7 +3869,7 @@ version = "8.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "fsevent-sys",
 "inotify",
 "kqueue",
@@ -4029,7 +4039,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6f29f568bec459b0ddff777cec4fe3fd8666d82d5a40ebd0ff7e66134f89bcc"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "objc2",
 "objc2-core-graphics",
 "objc2-foundation",
@@ -4041,7 +4051,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c10c2894a6fed806ade6027bcd50662746363a9589d3ec9d9bef30a4e4bc166"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "dispatch2",
 "objc2",
 ]
@@ -4052,7 +4062,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "989c6c68c13021b5c2d6b71456ebb0f9dc78d752e86a98da7c716f4f9470f5a4"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "dispatch2",
 "objc2",
 "objc2-core-foundation",
@@ -4071,7 +4081,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "900831247d2fe1a09a683278e5384cfb8c80c79fe6b166f9d14bfdde0ea1b03c"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "objc2",
 "objc2-core-foundation",
 ]
@@ -4082,7 +4092,7 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7282e9ac92529fa3457ce90ebb15f4ecbc383e8338060960760fa2cf75420c3c"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "objc2",
 "objc2-core-foundation",
 ]
@@ -4114,7 +4124,7 @@ version = "0.10.73"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "cfg-if",
 "foreign-types",
 "libc",
@@ -4172,7 +4182,7 @@ dependencies = [
 "futures-sink",
 "js-sys",
 "pin-project-lite",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tracing",
 ]

@@ -4215,7 +4225,7 @@ dependencies = [
 "prost",
 "reqwest",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tonic",
 "tracing",
@@ -4255,7 +4265,7 @@ dependencies = [
 "percent-encoding",
 "rand 0.9.2",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 ]
@@ -4366,7 +4376,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
 "fixedbitset",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 ]

 [[package]]
@@ -4434,7 +4444,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3af6b589e163c5a788fab00ce0c0366f6efbb9959c2f9874b224936af7fce7e1"
 dependencies = [
 "base64",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "quick-xml",
 "serde",
 "time",
@@ -4446,7 +4456,7 @@ version = "0.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "97baced388464909d42d89643fe4361939af9b7ce7a31ee32a168f832a70f2a0"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "crc32fast",
 "fdeflate",
 "flate2",
@@ -4505,11 +4515,12 @@ dependencies = [

 [[package]]
 name = "potential_utf"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
 dependencies = [
- "serde",
+ "serde_core",
+ "writeable",
 "zerovec",
 ]

@@ -4599,7 +4610,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a3ef4f2f0422f23a82ec9f628ea2acd12871c81a9362b02c43c1aa86acfc3ba1"
 dependencies = [
 "futures",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "nix 0.30.1",
 "tokio",
 "tracing",
@@ -4635,7 +4646,7 @@ version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "76979bea66e7875e7509c4ec5300112b316af87fa7a252ca91c448b32dfe3993"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "getopts",
 "memchr",
 "pulldown-cmark-escape",
@@ -4686,7 +4697,7 @@ dependencies = [
 "rustc-hash 2.1.1",
 "rustls",
 "socket2 0.6.0",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tracing",
 "web-time",
@@ -4707,7 +4718,7 @@ dependencies = [
 "rustls",
 "rustls-pki-types",
 "slab",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tinyvec",
 "tracing",
 "web-time",
@@ -4816,7 +4827,7 @@ name = "ratatui"
 version = "0.29.0"
 source = "git+https://github.com/nornagon/ratatui?branch=nornagon-v0.29.0-patch#9b2ad1298408c45918ee9f8241a6f95498cdbed2"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "cassowary",
 "compact_str",
 "crossterm",
@@ -4846,7 +4857,7 @@ version = "0.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7e8af0dde094006011e6a740d4879319439489813bd0bcdc7d821beaeeff48ec"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 ]

 [[package]]
@@ -4868,7 +4879,7 @@ checksum = "dd6f9d3d47bdd2ad6945c5015a226ec6155d0bcdfd8f7cd29f86b71f8de99d2b"
 dependencies = [
 "getrandom 0.2.16",
 "libredox",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -5019,7 +5030,7 @@ dependencies = [
 "serde",
 "serde_json",
 "sse-stream",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 "tokio-util",
@@ -5075,7 +5086,7 @@ version = "0.38.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fdb5bc1ae2baa591800df16c9ca78619bf65c0488b41b96ccec5d11220d8c154"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "errno",
 "libc",
 "linux-raw-sys 0.4.15",
@@ -5088,7 +5099,7 @@ version = "1.0.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "11181fbabf243db407ef8df94a6ce0b2f9a733bd8be4ad02b4eda9602296cac8"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "errno",
 "libc",
 "linux-raw-sys 0.9.4",
@@ -5154,7 +5165,7 @@ version = "14.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7803e8936da37efd9b6d4478277f4b2b9bb5cdb37a113e8d63222e58da647e63"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "cfg-if",
 "clipboard-win",
 "fd-lock",
@@ -5353,7 +5364,7 @@ version = "2.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "core-foundation 0.9.4",
 "core-foundation-sys",
 "libc",
@@ -5366,7 +5377,7 @@ version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "core-foundation 0.10.1",
 "core-foundation-sys",
 "libc",
@@ -5544,7 +5555,7 @@ version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "itoa",
 "memchr",
 "ryu",
@@ -5605,7 +5616,7 @@ dependencies = [
 "chrono",
 "hex",
 "indexmap 1.9.3",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "schemars 0.9.0",
 "schemars 1.0.4",
 "serde",
@@ -6065,7 +6076,7 @@ version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "core-foundation 0.9.4",
 "system-configuration-sys",
 ]
@@ -6182,11 +6193,11 @@ dependencies = [

 [[package]]
 name = "thiserror"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 dependencies = [
- "thiserror-impl 2.0.16",
+ "thiserror-impl 2.0.17",
 ]

 [[package]]
@@ -6202,9 +6213,9 @@ dependencies = [

 [[package]]
 name = "thiserror-impl"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -6423,7 +6434,7 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75129e1dc5000bfbaa9fee9d1b21f974f9fbad9daec557a521ee6e080825f6e8"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "serde",
 "serde_spanned",
 "toml_datetime",
@@ -6447,7 +6458,7 @@ version = "0.23.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7211ff1b8f0d3adae1663b7da9ffe396eabe1ca25f0b0bee42b0da29a9ddce93"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "toml_datetime",
 "toml_parser",
 "toml_writer",
@@ -6506,7 +6517,7 @@ checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
 "futures-core",
 "futures-util",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "pin-project-lite",
 "slab",
 "sync_wrapper",
@@ -6523,7 +6534,7 @@ version = "0.6.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 "bytes",
 "futures-util",
 "http",
@@ -6684,7 +6695,7 @@ checksum = "adc5f880ad8d8f94e88cb81c3557024cf1a8b75e3b504c50481ed4f5a6006ff3"
 dependencies = [
 "regex",
 "streaming-iterator",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tree-sitter",
 ]

@@ -6707,7 +6718,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ef1b7a6d914a34127ed8e1fa927eb7088903787bcded4fa3eef8f85ee1568be"
 dependencies = [
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "ts-rs-macros",
 "uuid",
 ]
@@ -7598,14 +7609,14 @@ version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1"
 dependencies = [
- "bitflags 2.9.1",
+ "bitflags 2.10.0",
 ]

 [[package]]
 name = "writeable"
-version = "0.6.1"
+version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"

 [[package]]
 name = "x11rb"
@@ -7800,10 +7811,11 @@ dependencies = [

 [[package]]
 name = "zerovec"
-version = "0.11.2"
+version = "0.11.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
 dependencies = [
+ "serde",
 "yoke",
 "zerofrom",
 "zerovec-derive",
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -18,7 +18,6 @@ members = [
    "execpolicy",
    "keyring-store",
    "file-search",
-    "git-tooling",
    "linux-sandbox",
    "login",
    "mcp-server",
@@ -32,7 +31,7 @@ members = [
    "stdio-to-uds",
    "otel",
    "tui",
-    "git-apply",
+    "utils/git",
    "utils/cache",
    "utils/image",
    "utils/json-to-toml",
@@ -67,7 +66,7 @@ codex-core = { path = "core" }
 codex-exec = { path = "exec" }
 codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
-codex-git-tooling = { path = "git-tooling" }
+codex-git = { path = "utils/git" }
 codex-keyring-store = { path = "keyring-store" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-login = { path = "login" }
@@ -88,6 +87,7 @@ codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-string = { path = "utils/string" }
 codex-utils-tokenizer = { path = "utils/tokenizer" }
+codex-windows-sandbox = { path = "windows-sandbox" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
@@ -123,11 +123,12 @@ escargot = "0.5"
 eventsource-stream = "0.2.3"
 futures = { version = "0.3", default-features = false }
 http = "1.3.1"
-icu_decimal = "2.0.0"
-icu_locale_core = "2.0.0"
+icu_decimal = "2.1"
+icu_provider = { version = "2.1", features = ["sync"] }
+icu_locale_core = "2.1"
 ignore = "0.4.23"
 image = { version = "^0.25.8", default-features = false }
-indexmap = "2.6.0"
+indexmap = "2.12.0"
 insta = "1.43.2"
 itertools = "0.14.0"
 keyring = "3.6"
@@ -181,7 +182,7 @@ sys-locale = "0.3.2"
 tempfile = "3.23.0"
 test-log = "0.2.18"
 textwrap = "0.16.2"
-thiserror = "2.0.16"
+thiserror = "2.0.17"
 time = "0.3"
 tiny_http = "0.12"
 tokio = "1"
@@ -210,6 +211,7 @@ walkdir = "2.5.0"
 webbrowser = "1.0"
 which = "6"
 wildmatch = "2.5.0"
+
 wiremock = "0.6"
 zeroize = "1.8.1"

@@ -254,7 +256,7 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["openssl-sys", "codex-utils-readiness", "codex-utils-tokenizer"]
+ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness", "codex-utils-tokenizer"]

 [profile.release]
 lto = "fat"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -63,6 +63,9 @@ codex sandbox macos [--full-auto] [COMMAND]...
 # Linux
 codex sandbox linux [--full-auto] [COMMAND]...

+# Windows
+codex sandbox windows [--full-auto] [COMMAND]...
+
 # Legacy aliases
 codex debug seatbelt [--full-auto] [COMMAND]...
 codex debug landlock [--full-auto] [COMMAND]...
--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -16,6 +16,7 @@ use serde::Serialize;
 use serde_json::Map;
 use serde_json::Value;
 use std::collections::BTreeMap;
+use std::collections::HashSet;
 use std::ffi::OsStr;
 use std::fs;
 use std::io::Read;
@@ -177,24 +178,16 @@ pub fn generate_json(out_dir: &Path) -> Result<()> {

    for (name, schema) in bundle {
        let mut schema_value = serde_json::to_value(schema)?;
-        if let Value::Object(ref mut obj) = schema_value {
-            if let Some(defs) = obj.remove("definitions")
-                && let Value::Object(defs_obj) = defs
-            {
-                for (def_name, def_schema) in defs_obj {
-                    if !SPECIAL_DEFINITIONS.contains(&def_name.as_str()) {
-                        definitions.insert(def_name, def_schema);
-                    }
-                }
-            }
+        annotate_schema(&mut schema_value, Some(name.as_str()));

-            if let Some(Value::Array(one_of)) = obj.get_mut("oneOf") {
-                for variant in one_of.iter_mut() {
-                    if let Some(variant_name) = variant_definition_name(&name, variant)
-                        && let Value::Object(variant_obj) = variant
-                    {
-                        variant_obj.insert("title".into(), Value::String(variant_name));
-                    }
+        if let Value::Object(ref mut obj) = schema_value
+            && let Some(defs) = obj.remove("definitions")
+            && let Value::Object(defs_obj) = defs
+        {
+            for (def_name, mut def_schema) in defs_obj {
+                if !SPECIAL_DEFINITIONS.contains(&def_name.as_str()) {
+                    annotate_schema(&mut def_schema, Some(def_name.as_str()));
+                    definitions.insert(def_name, def_schema);
                }
            }
        }
@@ -227,9 +220,12 @@ where
 {
    let file_stem = name.trim();
    let schema = schema_for!(T);
-    write_pretty_json(out_dir.join(format!("{file_stem}.json")), &schema)
+    let mut schema_value = serde_json::to_value(schema)?;
+    annotate_schema(&mut schema_value, Some(file_stem));
+    write_pretty_json(out_dir.join(format!("{file_stem}.json")), &schema_value)
        .with_context(|| format!("Failed to write JSON schema for {file_stem}"))?;
-    Ok(schema)
+    let annotated_schema = serde_json::from_value(schema_value)?;
+    Ok(annotated_schema)
 }

 pub(crate) fn write_json_schema<T>(out_dir: &Path, name: &str) -> Result<()>
@@ -301,11 +297,147 @@ fn variant_definition_name(base: &str, variant: &Value) -> Option<String> {
 }

 fn literal_from_property<'a>(props: &'a Map<String, Value>, key: &str) -> Option<&'a str> {
-    props
-        .get(key)
-        .and_then(|value| value.get("enum"))
-        .and_then(Value::as_array)
-        .and_then(|arr| arr.first())
+    props.get(key).and_then(string_literal)
+}
+
+fn string_literal(value: &Value) -> Option<&str> {
+    value.get("const").and_then(Value::as_str).or_else(|| {
+        value
+            .get("enum")
+            .and_then(Value::as_array)
+            .and_then(|arr| arr.first())
+            .and_then(Value::as_str)
+    })
+}
+
+fn annotate_schema(value: &mut Value, base: Option<&str>) {
+    match value {
+        Value::Object(map) => annotate_object(map, base),
+        Value::Array(items) => {
+            for item in items {
+                annotate_schema(item, base);
+            }
+        }
+        _ => {}
+    }
+}
+
+fn annotate_object(map: &mut Map<String, Value>, base: Option<&str>) {
+    let owner = map.get("title").and_then(Value::as_str).map(str::to_owned);
+    if let Some(owner) = owner.as_deref()
+        && let Some(Value::Object(props)) = map.get_mut("properties")
+    {
+        set_discriminator_titles(props, owner);
+    }
+
+    if let Some(Value::Array(variants)) = map.get_mut("oneOf") {
+        annotate_variant_list(variants, base);
+    }
+    if let Some(Value::Array(variants)) = map.get_mut("anyOf") {
+        annotate_variant_list(variants, base);
+    }
+
+    if let Some(Value::Object(defs)) = map.get_mut("definitions") {
+        for (name, schema) in defs.iter_mut() {
+            annotate_schema(schema, Some(name.as_str()));
+        }
+    }
+
+    if let Some(Value::Object(defs)) = map.get_mut("$defs") {
+        for (name, schema) in defs.iter_mut() {
+            annotate_schema(schema, Some(name.as_str()));
+        }
+    }
+
+    if let Some(Value::Object(props)) = map.get_mut("properties") {
+        for value in props.values_mut() {
+            annotate_schema(value, base);
+        }
+    }
+
+    if let Some(items) = map.get_mut("items") {
+        annotate_schema(items, base);
+    }
+
+    if let Some(additional) = map.get_mut("additionalProperties") {
+        annotate_schema(additional, base);
+    }
+
+    for (key, child) in map.iter_mut() {
+        match key.as_str() {
+            "oneOf"
+            | "anyOf"
+            | "definitions"
+            | "$defs"
+            | "properties"
+            | "items"
+            | "additionalProperties" => {}
+            _ => annotate_schema(child, base),
+        }
+    }
+}
+
+fn annotate_variant_list(variants: &mut [Value], base: Option<&str>) {
+    let mut seen = HashSet::new();
+
+    for variant in variants.iter() {
+        if let Some(name) = variant_title(variant) {
+            seen.insert(name.to_owned());
+        }
+    }
+
+    for variant in variants.iter_mut() {
+        let mut variant_name = variant_title(variant).map(str::to_owned);
+
+        if variant_name.is_none()
+            && let Some(base_name) = base
+            && let Some(name) = variant_definition_name(base_name, variant)
+        {
+            let mut candidate = name.clone();
+            let mut index = 2;
+            while seen.contains(&candidate) {
+                candidate = format!("{name}{index}");
+                index += 1;
+            }
+            if let Some(obj) = variant.as_object_mut() {
+                obj.insert("title".into(), Value::String(candidate.clone()));
+            }
+            seen.insert(candidate.clone());
+            variant_name = Some(candidate);
+        }
+
+        if let Some(name) = variant_name.as_deref()
+            && let Some(obj) = variant.as_object_mut()
+            && let Some(Value::Object(props)) = obj.get_mut("properties")
+        {
+            set_discriminator_titles(props, name);
+        }
+
+        annotate_schema(variant, base);
+    }
+}
+
+const DISCRIMINATOR_KEYS: &[&str] = &["type", "method", "mode", "status", "role", "reason"];
+
+fn set_discriminator_titles(props: &mut Map<String, Value>, owner: &str) {
+    for key in DISCRIMINATOR_KEYS {
+        if let Some(prop_schema) = props.get_mut(*key)
+            && string_literal(prop_schema).is_some()
+            && let Value::Object(prop_obj) = prop_schema
+        {
+            if prop_obj.contains_key("title") {
+                continue;
+            }
+            let suffix = to_pascal_case(key);
+            prop_obj.insert("title".into(), Value::String(format!("{owner}{suffix}")));
+        }
+    }
+}
+
+fn variant_title(value: &Value) -> Option<&str> {
+    value
+        .as_object()
+        .and_then(|obj| obj.get("title"))
        .and_then(Value::as_str)
 }

@@ -402,3 +534,204 @@ fn generate_index_ts(out_dir: &Path) -> Result<PathBuf> {
        .with_context(|| format!("Failed to write {}", index_path.display()))?;
    Ok(index_path)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use anyhow::Result;
+    use std::collections::BTreeSet;
+    use std::fs;
+    use std::path::PathBuf;
+    use uuid::Uuid;
+
+    #[test]
+    fn generated_ts_has_no_optional_nullable_fields() -> Result<()> {
+        let output_dir = std::env::temp_dir().join(format!("codex_ts_types_{}", Uuid::now_v7()));
+        fs::create_dir(&output_dir)?;
+
+        struct TempDirGuard(PathBuf);
+
+        impl Drop for TempDirGuard {
+            fn drop(&mut self) {
+                let _ = fs::remove_dir_all(&self.0);
+            }
+        }
+
+        let _guard = TempDirGuard(output_dir.clone());
+
+        generate_ts(&output_dir, None)?;
+
+        let mut undefined_offenders = Vec::new();
+        let mut optional_nullable_offenders = BTreeSet::new();
+        let mut stack = vec![output_dir];
+        while let Some(dir) = stack.pop() {
+            for entry in fs::read_dir(&dir)? {
+                let entry = entry?;
+                let path = entry.path();
+                if path.is_dir() {
+                    stack.push(path);
+                    continue;
+                }
+
+                if matches!(path.extension().and_then(|ext| ext.to_str()), Some("ts")) {
+                    let contents = fs::read_to_string(&path)?;
+                    if contents.contains("| undefined") {
+                        undefined_offenders.push(path.clone());
+                    }
+
+                    const SKIP_PREFIXES: &[&str] = &[
+                        "const ",
+                        "let ",
+                        "var ",
+                        "export const ",
+                        "export let ",
+                        "export var ",
+                    ];
+
+                    let mut search_start = 0;
+                    while let Some(idx) = contents[search_start..].find("| null") {
+                        let abs_idx = search_start + idx;
+                        // Find the property-colon for this field by scanning forward
+                        // from the start of the segment and ignoring nested braces,
+                        // brackets, and parens. This avoids colons inside nested
+                        // type literals like `{ [k in string]?: string }`.
+
+                        let line_start_idx =
+                            contents[..abs_idx].rfind('\n').map(|i| i + 1).unwrap_or(0);
+
+                        let mut segment_start_idx = line_start_idx;
+                        if let Some(rel_idx) = contents[line_start_idx..abs_idx].rfind(',') {
+                            segment_start_idx = segment_start_idx.max(line_start_idx + rel_idx + 1);
+                        }
+                        if let Some(rel_idx) = contents[line_start_idx..abs_idx].rfind('{') {
+                            segment_start_idx = segment_start_idx.max(line_start_idx + rel_idx + 1);
+                        }
+                        if let Some(rel_idx) = contents[line_start_idx..abs_idx].rfind('}') {
+                            segment_start_idx = segment_start_idx.max(line_start_idx + rel_idx + 1);
+                        }
+
+                        // Scan forward for the colon that separates the field name from its type.
+                        let mut level_brace = 0_i32;
+                        let mut level_brack = 0_i32;
+                        let mut level_paren = 0_i32;
+                        let mut in_single = false;
+                        let mut in_double = false;
+                        let mut escape = false;
+                        let mut prop_colon_idx = None;
+                        for (i, ch) in contents[segment_start_idx..abs_idx].char_indices() {
+                            let idx_abs = segment_start_idx + i;
+                            if escape {
+                                escape = false;
+                                continue;
+                            }
+                            match ch {
+                                '\\' => {
+                                    // Only treat as escape when inside a string.
+                                    if in_single || in_double {
+                                        escape = true;
+                                    }
+                                }
+                                '\'' => {
+                                    if !in_double {
+                                        in_single = !in_single;
+                                    }
+                                }
+                                '"' => {
+                                    if !in_single {
+                                        in_double = !in_double;
+                                    }
+                                }
+                                '{' if !in_single && !in_double => level_brace += 1,
+                                '}' if !in_single && !in_double => level_brace -= 1,
+                                '[' if !in_single && !in_double => level_brack += 1,
+                                ']' if !in_single && !in_double => level_brack -= 1,
+                                '(' if !in_single && !in_double => level_paren += 1,
+                                ')' if !in_single && !in_double => level_paren -= 1,
+                                ':' if !in_single
+                                    && !in_double
+                                    && level_brace == 0
+                                    && level_brack == 0
+                                    && level_paren == 0 =>
+                                {
+                                    prop_colon_idx = Some(idx_abs);
+                                    break;
+                                }
+                                _ => {}
+                            }
+                        }
+
+                        let Some(colon_idx) = prop_colon_idx else {
+                            search_start = abs_idx + 5;
+                            continue;
+                        };
+
+                        let mut field_prefix = contents[segment_start_idx..colon_idx].trim();
+                        if field_prefix.is_empty() {
+                            search_start = abs_idx + 5;
+                            continue;
+                        }
+
+                        if let Some(comment_idx) = field_prefix.rfind("*/") {
+                            field_prefix = field_prefix[comment_idx + 2..].trim_start();
+                        }
+
+                        if field_prefix.is_empty() {
+                            search_start = abs_idx + 5;
+                            continue;
+                        }
+
+                        if SKIP_PREFIXES
+                            .iter()
+                            .any(|prefix| field_prefix.starts_with(prefix))
+                        {
+                            search_start = abs_idx + 5;
+                            continue;
+                        }
+
+                        if field_prefix.contains('(') {
+                            search_start = abs_idx + 5;
+                            continue;
+                        }
+
+                        // If the last non-whitespace before ':' is '?', then this is an
+                        // optional field with a nullable type (i.e., "?: T | null"),
+                        // which we explicitly disallow.
+                        if field_prefix.chars().rev().find(|c| !c.is_whitespace()) == Some('?') {
+                            let line_number =
+                                contents[..abs_idx].chars().filter(|c| *c == '\n').count() + 1;
+                            let offending_line_end = contents[line_start_idx..]
+                                .find('\n')
+                                .map(|i| line_start_idx + i)
+                                .unwrap_or(contents.len());
+                            let offending_snippet =
+                                contents[line_start_idx..offending_line_end].trim();
+
+                            optional_nullable_offenders.insert(format!(
+                                "{}:{}: {offending_snippet}",
+                                path.display(),
+                                line_number
+                            ));
+                        }
+
+                        search_start = abs_idx + 5;
+                    }
+                }
+            }
+        }
+
+        assert!(
+            undefined_offenders.is_empty(),
+            "Generated TypeScript still includes unions with `undefined` in {undefined_offenders:?}"
+        );
+
+        // If this assertion fails, it means a field was generated as
+        // "?: T | null" — i.e., both optional (undefined) and nullable (null).
+        // We only want either "?: T" or ": T | null".
+        assert!(
+            optional_nullable_offenders.is_empty(),
+            "Generated TypeScript has optional fields with nullable types (disallowed '?: T | null'), add #[ts(optional)] to fix:\n{optional_nullable_offenders:?}"
+        );
+
+        Ok(())
+    }
+}
--- a/codex-rs/app-server-protocol/src/jsonrpc_lite.rs
+++ b/codex-rs/app-server-protocol/src/jsonrpc_lite.rs
@@ -34,6 +34,7 @@ pub struct JSONRPCRequest {
    pub id: RequestId,
    pub method: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
    pub params: Option<serde_json::Value>,
 }

@@ -42,6 +43,7 @@ pub struct JSONRPCRequest {
 pub struct JSONRPCNotification {
    pub method: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
    pub params: Option<serde_json::Value>,
 }

@@ -63,6 +65,7 @@ pub struct JSONRPCError {
 pub struct JSONRPCErrorError {
    pub code: i64,
    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
    pub data: Option<serde_json::Value>,
    pub message: String,
 }
--- a/codex-rs/app-server-protocol/src/lib.rs
+++ b/codex-rs/app-server-protocol/src/lib.rs
@@ -6,4 +6,6 @@ pub use export::generate_json;
 pub use export::generate_ts;
 pub use export::generate_types;
 pub use jsonrpc_lite::*;
-pub use protocol::*;
+pub use protocol::common::*;
+pub use protocol::v1::*;
+pub use protocol::v2::*;
--- a/codex-rs/app-server-protocol/src/protocol.rs
+++ b/codex-rs/app-server-protocol/src/protocol.rs
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -0,0 +1,685 @@
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use crate::JSONRPCNotification;
+use crate::JSONRPCRequest;
+use crate::RequestId;
+use crate::protocol::v1;
+use crate::protocol::v2;
+use codex_protocol::ConversationId;
+use codex_protocol::parse_command::ParsedCommand;
+use codex_protocol::protocol::FileChange;
+use codex_protocol::protocol::RateLimitSnapshot;
+use codex_protocol::protocol::ReviewDecision;
+use codex_protocol::protocol::SandboxCommandAssessment;
+use paste::paste;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use strum_macros::Display;
+use ts_rs::TS;
+
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema, TS)]
+#[ts(type = "string")]
+pub struct GitSha(pub String);
+
+impl GitSha {
+    pub fn new(sha: &str) -> Self {
+        Self(sha.to_string())
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, JsonSchema, TS)]
+#[serde(rename_all = "lowercase")]
+pub enum AuthMode {
+    ApiKey,
+    ChatGPT,
+}
+
+/// Generates an `enum ClientRequest` where each variant is a request that the
+/// client can send to the server. Each variant has associated `params` and
+/// `response` types. Also generates a `export_client_responses()` function to
+/// export all response types to TypeScript.
+macro_rules! client_request_definitions {
+    (
+        $(
+            $(#[$variant_meta:meta])*
+            $variant:ident {
+                params: $(#[$params_meta:meta])* $params:ty,
+                response: $response:ty,
+            }
+        ),* $(,)?
+    ) => {
+        /// Request from the client to the server.
+        #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+        #[serde(tag = "method", rename_all = "camelCase")]
+        pub enum ClientRequest {
+            $(
+                $(#[$variant_meta])*
+                $variant {
+                    #[serde(rename = "id")]
+                    request_id: RequestId,
+                    $(#[$params_meta])*
+                    params: $params,
+                },
+            )*
+        }
+
+        pub fn export_client_responses(
+            out_dir: &::std::path::Path,
+        ) -> ::std::result::Result<(), ::ts_rs::ExportError> {
+            $(
+                <$response as ::ts_rs::TS>::export_all_to(out_dir)?;
+            )*
+            Ok(())
+        }
+
+        pub fn export_client_response_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<()> {
+            $(
+                crate::export::write_json_schema::<$response>(out_dir, stringify!($response))?;
+            )*
+            Ok(())
+        }
+    };
+}
+
+client_request_definitions! {
+    /// NEW APIs
+    #[serde(rename = "model/list")]
+    #[ts(rename = "model/list")]
+    ListModels {
+        params: v2::ListModelsParams,
+        response: v2::ListModelsResponse,
+    },
+
+    #[serde(rename = "account/login")]
+    #[ts(rename = "account/login")]
+    LoginAccount {
+        params: v2::LoginAccountParams,
+        response: v2::LoginAccountResponse,
+    },
+
+    #[serde(rename = "account/logout")]
+    #[ts(rename = "account/logout")]
+    LogoutAccount {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v2::LogoutAccountResponse,
+    },
+
+    #[serde(rename = "account/rateLimits/read")]
+    #[ts(rename = "account/rateLimits/read")]
+    GetAccountRateLimits {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v2::GetAccountRateLimitsResponse,
+    },
+
+    #[serde(rename = "feedback/upload")]
+    #[ts(rename = "feedback/upload")]
+    UploadFeedback {
+        params: v2::UploadFeedbackParams,
+        response: v2::UploadFeedbackResponse,
+    },
+
+    #[serde(rename = "account/read")]
+    #[ts(rename = "account/read")]
+    GetAccount {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v2::GetAccountResponse,
+    },
+
+    /// DEPRECATED APIs below
+    Initialize {
+        params: v1::InitializeParams,
+        response: v1::InitializeResponse,
+    },
+    NewConversation {
+        params: v1::NewConversationParams,
+        response: v1::NewConversationResponse,
+    },
+    GetConversationSummary {
+        params: v1::GetConversationSummaryParams,
+        response: v1::GetConversationSummaryResponse,
+    },
+    /// List recorded Codex conversations (rollouts) with optional pagination and search.
+    ListConversations {
+        params: v1::ListConversationsParams,
+        response: v1::ListConversationsResponse,
+    },
+    /// Resume a recorded Codex conversation from a rollout file.
+    ResumeConversation {
+        params: v1::ResumeConversationParams,
+        response: v1::ResumeConversationResponse,
+    },
+    ArchiveConversation {
+        params: v1::ArchiveConversationParams,
+        response: v1::ArchiveConversationResponse,
+    },
+    SendUserMessage {
+        params: v1::SendUserMessageParams,
+        response: v1::SendUserMessageResponse,
+    },
+    SendUserTurn {
+        params: v1::SendUserTurnParams,
+        response: v1::SendUserTurnResponse,
+    },
+    InterruptConversation {
+        params: v1::InterruptConversationParams,
+        response: v1::InterruptConversationResponse,
+    },
+    AddConversationListener {
+        params: v1::AddConversationListenerParams,
+        response: v1::AddConversationSubscriptionResponse,
+    },
+    RemoveConversationListener {
+        params: v1::RemoveConversationListenerParams,
+        response: v1::RemoveConversationSubscriptionResponse,
+    },
+    GitDiffToRemote {
+        params: v1::GitDiffToRemoteParams,
+        response: v1::GitDiffToRemoteResponse,
+    },
+    LoginApiKey {
+        params: v1::LoginApiKeyParams,
+        response: v1::LoginApiKeyResponse,
+    },
+    LoginChatGpt {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::LoginChatGptResponse,
+    },
+    CancelLoginChatGpt {
+        params: v1::CancelLoginChatGptParams,
+        response: v1::CancelLoginChatGptResponse,
+    },
+    LogoutChatGpt {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::LogoutChatGptResponse,
+    },
+    GetAuthStatus {
+        params: v1::GetAuthStatusParams,
+        response: v1::GetAuthStatusResponse,
+    },
+    GetUserSavedConfig {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::GetUserSavedConfigResponse,
+    },
+    SetDefaultModel {
+        params: v1::SetDefaultModelParams,
+        response: v1::SetDefaultModelResponse,
+    },
+    GetUserAgent {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::GetUserAgentResponse,
+    },
+    UserInfo {
+        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
+        response: v1::UserInfoResponse,
+    },
+    FuzzyFileSearch {
+        params: FuzzyFileSearchParams,
+        response: FuzzyFileSearchResponse,
+    },
+    /// Execute a command (argv vector) under the server's sandbox.
+    ExecOneOffCommand {
+        params: v1::ExecOneOffCommandParams,
+        response: v1::ExecOneOffCommandResponse,
+    },
+}
+
+/// Generates an `enum ServerRequest` where each variant is a request that the
+/// server can send to the client along with the corresponding params and
+/// response types. It also generates helper types used by the app/server
+/// infrastructure (payload enum, request constructor, and export helpers).
+macro_rules! server_request_definitions {
+    (
+        $(
+            $(#[$variant_meta:meta])*
+            $variant:ident
+        ),* $(,)?
+    ) => {
+        paste! {
+            /// Request initiated from the server and sent to the client.
+            #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+            #[serde(tag = "method", rename_all = "camelCase")]
+            pub enum ServerRequest {
+                $(
+                    $(#[$variant_meta])*
+                    $variant {
+                        #[serde(rename = "id")]
+                        request_id: RequestId,
+                        params: [<$variant Params>],
+                    },
+                )*
+            }
+
+            #[derive(Debug, Clone, PartialEq, JsonSchema)]
+            pub enum ServerRequestPayload {
+                $( $variant([<$variant Params>]), )*
+            }
+
+            impl ServerRequestPayload {
+                pub fn request_with_id(self, request_id: RequestId) -> ServerRequest {
+                    match self {
+                        $(Self::$variant(params) => ServerRequest::$variant { request_id, params },)*
+                    }
+                }
+            }
+        }
+
+        pub fn export_server_responses(
+            out_dir: &::std::path::Path,
+        ) -> ::std::result::Result<(), ::ts_rs::ExportError> {
+            paste! {
+                $(<[<$variant Response>] as ::ts_rs::TS>::export_all_to(out_dir)?;)*
+            }
+            Ok(())
+        }
+
+        pub fn export_server_response_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<()> {
+            paste! {
+                $(crate::export::write_json_schema::<[<$variant Response>]>(out_dir, stringify!([<$variant Response>]))?;)*
+            }
+            Ok(())
+        }
+    };
+}
+
+impl TryFrom<JSONRPCRequest> for ServerRequest {
+    type Error = serde_json::Error;
+
+    fn try_from(value: JSONRPCRequest) -> Result<Self, Self::Error> {
+        serde_json::from_value(serde_json::to_value(value)?)
+    }
+}
+
+server_request_definitions! {
+    /// Request to approve a patch.
+    ApplyPatchApproval,
+    /// Request to exec a command.
+    ExecCommandApproval,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ApplyPatchApprovalParams {
+    pub conversation_id: ConversationId,
+    /// Use to correlate this with [codex_core::protocol::PatchApplyBeginEvent]
+    /// and [codex_core::protocol::PatchApplyEndEvent].
+    pub call_id: String,
+    pub file_changes: HashMap<PathBuf, FileChange>,
+    /// Optional explanatory reason (e.g. request for extra write access).
+    pub reason: Option<String>,
+    /// When set, the agent is asking the user to allow writes under this root
+    /// for the remainder of the session (unclear if this is honored today).
+    pub grant_root: Option<PathBuf>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ExecCommandApprovalParams {
+    pub conversation_id: ConversationId,
+    /// Use to correlate this with [codex_core::protocol::ExecCommandBeginEvent]
+    /// and [codex_core::protocol::ExecCommandEndEvent].
+    pub call_id: String,
+    pub command: Vec<String>,
+    pub cwd: PathBuf,
+    pub reason: Option<String>,
+    pub risk: Option<SandboxCommandAssessment>,
+    pub parsed_cmd: Vec<ParsedCommand>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct ExecCommandApprovalResponse {
+    pub decision: ReviewDecision,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct ApplyPatchApprovalResponse {
+    pub decision: ReviewDecision,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchParams {
+    pub query: String,
+    pub roots: Vec<String>,
+    // if provided, will cancel any previous request that used the same value
+    pub cancellation_token: Option<String>,
+}
+
+/// Superset of [`codex_file_search::FileMatch`]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct FuzzyFileSearchResult {
+    pub root: String,
+    pub path: String,
+    pub file_name: String,
+    pub score: u32,
+    pub indices: Option<Vec<u32>>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+pub struct FuzzyFileSearchResponse {
+    pub files: Vec<FuzzyFileSearchResult>,
+}
+
+/// Notification sent from the server to the client.
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
+#[serde(tag = "method", content = "params", rename_all = "camelCase")]
+#[strum(serialize_all = "camelCase")]
+pub enum ServerNotification {
+    /// NEW NOTIFICATIONS
+    #[serde(rename = "account/rateLimits/updated")]
+    #[ts(rename = "account/rateLimits/updated")]
+    #[strum(serialize = "account/rateLimits/updated")]
+    AccountRateLimitsUpdated(RateLimitSnapshot),
+
+    /// DEPRECATED NOTIFICATIONS below
+    /// Authentication status changed
+    AuthStatusChange(v1::AuthStatusChangeNotification),
+
+    /// ChatGPT login flow completed
+    LoginChatGptComplete(v1::LoginChatGptCompleteNotification),
+
+    /// The special session configured event for a new or resumed conversation.
+    SessionConfigured(v1::SessionConfiguredNotification),
+}
+
+impl ServerNotification {
+    pub fn to_params(self) -> Result<serde_json::Value, serde_json::Error> {
+        match self {
+            ServerNotification::AccountRateLimitsUpdated(params) => serde_json::to_value(params),
+            ServerNotification::AuthStatusChange(params) => serde_json::to_value(params),
+            ServerNotification::LoginChatGptComplete(params) => serde_json::to_value(params),
+            ServerNotification::SessionConfigured(params) => serde_json::to_value(params),
+        }
+    }
+}
+
+impl TryFrom<JSONRPCNotification> for ServerNotification {
+    type Error = serde_json::Error;
+
+    fn try_from(value: JSONRPCNotification) -> Result<Self, Self::Error> {
+        serde_json::from_value(serde_json::to_value(value)?)
+    }
+}
+
+/// Notification sent from the client to the server.
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
+#[serde(tag = "method", content = "params", rename_all = "camelCase")]
+#[strum(serialize_all = "camelCase")]
+pub enum ClientNotification {
+    Initialized,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use anyhow::Result;
+    use codex_protocol::account::PlanType;
+    use codex_protocol::protocol::AskForApproval;
+    use pretty_assertions::assert_eq;
+    use serde_json::json;
+
+    #[test]
+    fn serialize_new_conversation() -> Result<()> {
+        let request = ClientRequest::NewConversation {
+            request_id: RequestId::Integer(42),
+            params: v1::NewConversationParams {
+                model: Some("gpt-5-codex".to_string()),
+                model_provider: None,
+                profile: None,
+                cwd: None,
+                approval_policy: Some(AskForApproval::OnRequest),
+                sandbox: None,
+                config: None,
+                base_instructions: None,
+                developer_instructions: None,
+                compact_prompt: None,
+                include_apply_patch_tool: None,
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "newConversation",
+                "id": 42,
+                "params": {
+                    "model": "gpt-5-codex",
+                    "modelProvider": null,
+                    "profile": null,
+                    "cwd": null,
+                    "approvalPolicy": "on-request",
+                    "sandbox": null,
+                    "config": null,
+                    "baseInstructions": null,
+                    "includeApplyPatchTool": null
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn conversation_id_serializes_as_plain_string() -> Result<()> {
+        let id = ConversationId::from_string("67e55044-10b1-426f-9247-bb680e5fe0c8")?;
+
+        assert_eq!(
+            json!("67e55044-10b1-426f-9247-bb680e5fe0c8"),
+            serde_json::to_value(id)?
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn conversation_id_deserializes_from_plain_string() -> Result<()> {
+        let id: ConversationId =
+            serde_json::from_value(json!("67e55044-10b1-426f-9247-bb680e5fe0c8"))?;
+
+        assert_eq!(
+            ConversationId::from_string("67e55044-10b1-426f-9247-bb680e5fe0c8")?,
+            id,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_client_notification() -> Result<()> {
+        let notification = ClientNotification::Initialized;
+        // Note there is no "params" field for this notification.
+        assert_eq!(
+            json!({
+                "method": "initialized",
+            }),
+            serde_json::to_value(&notification)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_server_request() -> Result<()> {
+        let conversation_id = ConversationId::from_string("67e55044-10b1-426f-9247-bb680e5fe0c8")?;
+        let params = ExecCommandApprovalParams {
+            conversation_id,
+            call_id: "call-42".to_string(),
+            command: vec!["echo".to_string(), "hello".to_string()],
+            cwd: PathBuf::from("/tmp"),
+            reason: Some("because tests".to_string()),
+            risk: None,
+            parsed_cmd: vec![ParsedCommand::Unknown {
+                cmd: "echo hello".to_string(),
+            }],
+        };
+        let request = ServerRequest::ExecCommandApproval {
+            request_id: RequestId::Integer(7),
+            params: params.clone(),
+        };
+
+        assert_eq!(
+            json!({
+                "method": "execCommandApproval",
+                "id": 7,
+                "params": {
+                    "conversationId": "67e55044-10b1-426f-9247-bb680e5fe0c8",
+                    "callId": "call-42",
+                    "command": ["echo", "hello"],
+                    "cwd": "/tmp",
+                    "reason": "because tests",
+                    "risk": null,
+                    "parsedCmd": [
+                        {
+                            "type": "unknown",
+                            "cmd": "echo hello"
+                        }
+                    ]
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+
+        let payload = ServerRequestPayload::ExecCommandApproval(params);
+        assert_eq!(payload.request_with_id(RequestId::Integer(7)), request);
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_get_account_rate_limits() -> Result<()> {
+        let request = ClientRequest::GetAccountRateLimits {
+            request_id: RequestId::Integer(1),
+            params: None,
+        };
+        assert_eq!(
+            json!({
+                "method": "account/rateLimits/read",
+                "id": 1,
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_account_login_api_key() -> Result<()> {
+        let request = ClientRequest::LoginAccount {
+            request_id: RequestId::Integer(2),
+            params: v2::LoginAccountParams::ApiKey {
+                api_key: "secret".to_string(),
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "account/login",
+                "id": 2,
+                "params": {
+                    "type": "apiKey",
+                    "apiKey": "secret"
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_account_login_chatgpt() -> Result<()> {
+        let request = ClientRequest::LoginAccount {
+            request_id: RequestId::Integer(3),
+            params: v2::LoginAccountParams::ChatGpt,
+        };
+        assert_eq!(
+            json!({
+                "method": "account/login",
+                "id": 3,
+                "params": {
+                    "type": "chatgpt"
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_account_logout() -> Result<()> {
+        let request = ClientRequest::LogoutAccount {
+            request_id: RequestId::Integer(4),
+            params: None,
+        };
+        assert_eq!(
+            json!({
+                "method": "account/logout",
+                "id": 4,
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_get_account() -> Result<()> {
+        let request = ClientRequest::GetAccount {
+            request_id: RequestId::Integer(5),
+            params: None,
+        };
+        assert_eq!(
+            json!({
+                "method": "account/read",
+                "id": 5,
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn account_serializes_fields_in_camel_case() -> Result<()> {
+        let api_key = v2::Account::ApiKey {
+            api_key: "secret".to_string(),
+        };
+        assert_eq!(
+            json!({
+                "type": "apiKey",
+                "apiKey": "secret",
+            }),
+            serde_json::to_value(&api_key)?,
+        );
+
+        let chatgpt = v2::Account::ChatGpt {
+            email: Some("user@example.com".to_string()),
+            plan_type: PlanType::Plus,
+        };
+        assert_eq!(
+            json!({
+                "type": "chatgpt",
+                "email": "user@example.com",
+                "planType": "plus",
+            }),
+            serde_json::to_value(&chatgpt)?,
+        );
+
+        Ok(())
+    }
+
+    #[test]
+    fn serialize_list_models() -> Result<()> {
+        let request = ClientRequest::ListModels {
+            request_id: RequestId::Integer(6),
+            params: v2::ListModelsParams::default(),
+        };
+        assert_eq!(
+            json!({
+                "method": "model/list",
+                "id": 6,
+                "params": {
+                    "pageSize": null,
+                    "cursor": null
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+}
--- a/codex-rs/app-server-protocol/src/protocol/mod.rs
+++ b/codex-rs/app-server-protocol/src/protocol/mod.rs
@@ -0,0 +1,6 @@
+// Module declarations for the app-server protocol namespace.
+// Exposes protocol pieces used by `lib.rs` via `pub use protocol::common::*;`.
+
+pub mod common;
+pub mod v1;
+pub mod v2;
--- a/codex-rs/app-server-protocol/src/protocol/v1.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v1.rs
@@ -0,0 +1,405 @@
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use codex_protocol::ConversationId;
+use codex_protocol::config_types::ForcedLoginMethod;
+use codex_protocol::config_types::ReasoningEffort;
+use codex_protocol::config_types::ReasoningSummary;
+use codex_protocol::config_types::SandboxMode;
+use codex_protocol::config_types::Verbosity;
+use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::protocol::TurnAbortReason;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use ts_rs::TS;
+use uuid::Uuid;
+
+// Reuse shared types defined in `common.rs`.
+use crate::protocol::common::AuthMode;
+use crate::protocol::common::GitSha;
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InitializeParams {
+    pub client_info: ClientInfo,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ClientInfo {
+    pub name: String,
+    pub title: Option<String>,
+    pub version: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InitializeResponse {
+    pub user_agent: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct NewConversationParams {
+    pub model: Option<String>,
+    pub model_provider: Option<String>,
+    pub profile: Option<String>,
+    pub cwd: Option<String>,
+    pub approval_policy: Option<AskForApproval>,
+    pub sandbox: Option<SandboxMode>,
+    pub config: Option<HashMap<String, serde_json::Value>>,
+    pub base_instructions: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub developer_instructions: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub compact_prompt: Option<String>,
+    pub include_apply_patch_tool: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct NewConversationResponse {
+    pub conversation_id: ConversationId,
+    pub model: String,
+    pub reasoning_effort: Option<ReasoningEffort>,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ResumeConversationResponse {
+    pub conversation_id: ConversationId,
+    pub model: String,
+    pub initial_messages: Option<Vec<EventMsg>>,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(untagged)]
+pub enum GetConversationSummaryParams {
+    RolloutPath {
+        #[serde(rename = "rolloutPath")]
+        rollout_path: PathBuf,
+    },
+    ConversationId {
+        #[serde(rename = "conversationId")]
+        conversation_id: ConversationId,
+    },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetConversationSummaryResponse {
+    pub summary: ConversationSummary,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ListConversationsParams {
+    pub page_size: Option<usize>,
+    pub cursor: Option<String>,
+    pub model_providers: Option<Vec<String>>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ConversationSummary {
+    pub conversation_id: ConversationId,
+    pub path: PathBuf,
+    pub preview: String,
+    pub timestamp: Option<String>,
+    pub model_provider: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ListConversationsResponse {
+    pub items: Vec<ConversationSummary>,
+    pub next_cursor: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ResumeConversationParams {
+    pub path: Option<PathBuf>,
+    pub conversation_id: Option<ConversationId>,
+    pub history: Option<Vec<ResponseItem>>,
+    pub overrides: Option<NewConversationParams>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct AddConversationSubscriptionResponse {
+    #[schemars(with = "String")]
+    pub subscription_id: Uuid,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ArchiveConversationParams {
+    pub conversation_id: ConversationId,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ArchiveConversationResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct RemoveConversationSubscriptionResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginApiKeyParams {
+    pub api_key: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginApiKeyResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginChatGptResponse {
+    #[schemars(with = "String")]
+    pub login_id: Uuid,
+    pub auth_url: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GitDiffToRemoteResponse {
+    pub sha: GitSha,
+    pub diff: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct CancelLoginChatGptParams {
+    #[schemars(with = "String")]
+    pub login_id: Uuid,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GitDiffToRemoteParams {
+    pub cwd: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct CancelLoginChatGptResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LogoutChatGptParams {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LogoutChatGptResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAuthStatusParams {
+    pub include_token: Option<bool>,
+    pub refresh_token: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ExecOneOffCommandParams {
+    pub command: Vec<String>,
+    pub timeout_ms: Option<u64>,
+    pub cwd: Option<PathBuf>,
+    pub sandbox_policy: Option<SandboxPolicy>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ExecOneOffCommandResponse {
+    pub exit_code: i32,
+    pub stdout: String,
+    pub stderr: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAuthStatusResponse {
+    pub auth_method: Option<AuthMode>,
+    pub auth_token: Option<String>,
+    pub requires_openai_auth: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetUserAgentResponse {
+    pub user_agent: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct UserInfoResponse {
+    pub alleged_user_email: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetUserSavedConfigResponse {
+    pub config: UserSavedConfig,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SetDefaultModelParams {
+    pub model: Option<String>,
+    pub reasoning_effort: Option<ReasoningEffort>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SetDefaultModelResponse {}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct UserSavedConfig {
+    pub approval_policy: Option<AskForApproval>,
+    pub sandbox_mode: Option<SandboxMode>,
+    pub sandbox_settings: Option<SandboxSettings>,
+    pub forced_chatgpt_workspace_id: Option<String>,
+    pub forced_login_method: Option<ForcedLoginMethod>,
+    pub model: Option<String>,
+    pub model_reasoning_effort: Option<ReasoningEffort>,
+    pub model_reasoning_summary: Option<ReasoningSummary>,
+    pub model_verbosity: Option<Verbosity>,
+    pub tools: Option<Tools>,
+    pub profile: Option<String>,
+    pub profiles: HashMap<String, Profile>,
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct Profile {
+    pub model: Option<String>,
+    pub model_provider: Option<String>,
+    pub approval_policy: Option<AskForApproval>,
+    pub model_reasoning_effort: Option<ReasoningEffort>,
+    pub model_reasoning_summary: Option<ReasoningSummary>,
+    pub model_verbosity: Option<Verbosity>,
+    pub chatgpt_base_url: Option<String>,
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct Tools {
+    pub web_search: Option<bool>,
+    pub view_image: Option<bool>,
+}
+
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SandboxSettings {
+    #[serde(default)]
+    pub writable_roots: Vec<PathBuf>,
+    pub network_access: Option<bool>,
+    pub exclude_tmpdir_env_var: Option<bool>,
+    pub exclude_slash_tmp: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserMessageParams {
+    pub conversation_id: ConversationId,
+    pub items: Vec<InputItem>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserTurnParams {
+    pub conversation_id: ConversationId,
+    pub items: Vec<InputItem>,
+    pub cwd: PathBuf,
+    pub approval_policy: AskForApproval,
+    pub sandbox_policy: SandboxPolicy,
+    pub model: String,
+    pub effort: Option<ReasoningEffort>,
+    pub summary: ReasoningSummary,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserTurnResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InterruptConversationParams {
+    pub conversation_id: ConversationId,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct InterruptConversationResponse {
+    pub abort_reason: TurnAbortReason,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SendUserMessageResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct AddConversationListenerParams {
+    pub conversation_id: ConversationId,
+    #[serde(default)]
+    pub experimental_raw_events: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct RemoveConversationListenerParams {
+    #[schemars(with = "String")]
+    pub subscription_id: Uuid,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[serde(tag = "type", content = "data")]
+pub enum InputItem {
+    Text { text: String },
+    Image { image_url: String },
+    LocalImage { path: PathBuf },
+}
+
+// Deprecated notifications (v1)
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginChatGptCompleteNotification {
+    #[schemars(with = "String")]
+    pub login_id: Uuid,
+    pub success: bool,
+    pub error: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct SessionConfiguredNotification {
+    pub session_id: ConversationId,
+    pub model: String,
+    pub reasoning_effort: Option<ReasoningEffort>,
+    pub history_log_id: u64,
+    #[ts(type = "number")]
+    pub history_entry_count: usize,
+    pub initial_messages: Option<Vec<EventMsg>>,
+    pub rollout_path: PathBuf,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthStatusChangeNotification {
+    pub auth_method: Option<AuthMode>,
+}
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -0,0 +1,122 @@
+use codex_protocol::ConversationId;
+use codex_protocol::account::PlanType;
+use codex_protocol::config_types::ReasoningEffort;
+use codex_protocol::protocol::RateLimitSnapshot;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use ts_rs::TS;
+use uuid::Uuid;
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+pub enum Account {
+    #[serde(rename = "apiKey", rename_all = "camelCase")]
+    #[ts(rename = "apiKey", rename_all = "camelCase")]
+    ApiKey { api_key: String },
+
+    #[serde(rename = "chatgpt", rename_all = "camelCase")]
+    #[ts(rename = "chatgpt", rename_all = "camelCase")]
+    ChatGpt {
+        email: Option<String>,
+        plan_type: PlanType,
+    },
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(tag = "type")]
+#[ts(tag = "type")]
+pub enum LoginAccountParams {
+    #[serde(rename = "apiKey")]
+    #[ts(rename = "apiKey")]
+    ApiKey {
+        #[serde(rename = "apiKey")]
+        #[ts(rename = "apiKey")]
+        api_key: String,
+    },
+    #[serde(rename = "chatgpt")]
+    #[ts(rename = "chatgpt")]
+    ChatGpt,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginAccountResponse {
+    /// Only set if the login method is ChatGPT.
+    #[schemars(with = "String")]
+    pub login_id: Option<Uuid>,
+
+    /// URL the client should open in a browser to initiate the OAuth flow.
+    /// Only set if the login method is ChatGPT.
+    pub auth_url: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LogoutAccountResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAccountRateLimitsResponse {
+    pub rate_limits: RateLimitSnapshot,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAccountResponse {
+    pub account: Account,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ListModelsParams {
+    /// Optional page size; defaults to a reasonable server-side value.
+    pub page_size: Option<usize>,
+    /// Opaque pagination cursor returned by a previous call.
+    pub cursor: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct Model {
+    pub id: String,
+    pub model: String,
+    pub display_name: String,
+    pub description: String,
+    pub supported_reasoning_efforts: Vec<ReasoningEffortOption>,
+    pub default_reasoning_effort: ReasoningEffort,
+    // Only one model should be marked as default.
+    pub is_default: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ReasoningEffortOption {
+    pub reasoning_effort: ReasoningEffort,
+    pub description: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct ListModelsResponse {
+    pub items: Vec<Model>,
+    /// Opaque cursor to pass to the next call to continue after the last item.
+    /// if None, there are no more items to return.
+    pub next_cursor: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct UploadFeedbackParams {
+    pub classification: String,
+    pub reason: Option<String>,
+    pub conversation_id: Option<ConversationId>,
+    pub include_logs: bool,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct UploadFeedbackResponse {
+    pub thread_id: String,
+}
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -64,6 +64,7 @@ use codex_core::CodexConversation;
 use codex_core::ConversationManager;
 use codex_core::Cursor as RolloutCursor;
 use codex_core::INTERACTIVE_SESSION_SOURCES;
+use codex_core::InitialHistory;
 use codex_core::NewConversation;
 use codex_core::RolloutRecorder;
 use codex_core::SessionMeta;
@@ -72,13 +73,12 @@ use codex_core::auth::login_with_api_key;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::config::ConfigToml;
-use codex_core::config::load_config_as_toml;
-use codex_core::config_edit::CONFIG_KEY_EFFORT;
-use codex_core::config_edit::CONFIG_KEY_MODEL;
-use codex_core::config_edit::persist_overrides_and_clear_if_none;
+use codex_core::config::edit::ConfigEditsBuilder;
+use codex_core::config_loader::load_config_as_toml;
 use codex_core::default_client::get_codex_user_agent;
 use codex_core::exec::ExecParams;
 use codex_core::exec_env::create_env;
+use codex_core::find_conversation_path_by_id_str;
 use codex_core::get_platform_sandbox;
 use codex_core::git_info::git_diff_to_remote;
 use codex_core::protocol::ApplyPatchApprovalRequestEvent;
@@ -97,6 +97,7 @@ use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::items::TurnItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::RateLimitSnapshot;
+use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::USER_MESSAGE_BEGIN;
 use codex_protocol::user_input::UserInput as CoreInputItem;
 use codex_utils_json_to_toml::json_to_toml;
@@ -686,19 +687,12 @@ impl CodexMessageProcessor {
            model,
            reasoning_effort,
        } = params;
-        let effort_str = reasoning_effort.map(|effort| effort.to_string());

-        let overrides: [(&[&str], Option<&str>); 2] = [
-            (&[CONFIG_KEY_MODEL], model.as_deref()),
-            (&[CONFIG_KEY_EFFORT], effort_str.as_deref()),
-        ];
-
-        match persist_overrides_and_clear_if_none(
-            &self.config.codex_home,
-            self.config.active_profile.as_deref(),
-            &overrides,
-        )
-        .await
+        match ConfigEditsBuilder::new(&self.config.codex_home)
+            .with_profile(self.config.active_profile.as_deref())
+            .set_model(model.as_deref(), reasoning_effort)
+            .apply()
+            .await
        {
            Ok(()) => {
                let response = SetDefaultModelResponse {};
@@ -707,7 +701,7 @@ impl CodexMessageProcessor {
            Err(err) => {
                let error = JSONRPCErrorError {
                    code: INTERNAL_ERROR_CODE,
-                    message: format!("failed to persist overrides: {err}"),
+                    message: format!("failed to persist model selection: {err}"),
                    data: None,
                };
                self.outgoing.send_error(request_id, error).await;
@@ -834,12 +828,37 @@ impl CodexMessageProcessor {
        request_id: RequestId,
        params: GetConversationSummaryParams,
    ) {
-        let GetConversationSummaryParams { rollout_path } = params;
-        let path = if rollout_path.is_relative() {
-            self.config.codex_home.join(&rollout_path)
-        } else {
-            rollout_path.clone()
+        let path = match params {
+            GetConversationSummaryParams::RolloutPath { rollout_path } => {
+                if rollout_path.is_relative() {
+                    self.config.codex_home.join(&rollout_path)
+                } else {
+                    rollout_path
+                }
+            }
+            GetConversationSummaryParams::ConversationId { conversation_id } => {
+                match codex_core::find_conversation_path_by_id_str(
+                    &self.config.codex_home,
+                    &conversation_id.to_string(),
+                )
+                .await
+                {
+                    Ok(Some(p)) => p,
+                    _ => {
+                        let error = JSONRPCErrorError {
+                            code: INVALID_REQUEST_ERROR_CODE,
+                            message: format!(
+                                "no rollout found for conversation id {conversation_id}"
+                            ),
+                            data: None,
+                        };
+                        self.outgoing.send_error(request_id, error).await;
+                        return;
+                    }
+                }
+            }
        };
+
        let fallback_provider = self.config.model_provider_id.as_str();

        match read_summary_from_rollout(&path, fallback_provider).await {
@@ -990,8 +1009,15 @@ impl CodexMessageProcessor {
        request_id: RequestId,
        params: ResumeConversationParams,
    ) {
+        let ResumeConversationParams {
+            path,
+            conversation_id,
+            history,
+            overrides,
+        } = params;
+
        // Derive a Config using the same logic as new conversation, honoring overrides if provided.
-        let config = match params.overrides {
+        let config = match overrides {
            Some(overrides) => {
                derive_config_from_params(overrides, self.codex_linux_sandbox_exe.clone()).await
            }
@@ -1000,21 +1026,88 @@ impl CodexMessageProcessor {
        let config = match config {
            Ok(cfg) => cfg,
            Err(err) => {
-                let error = JSONRPCErrorError {
-                    code: INVALID_REQUEST_ERROR_CODE,
-                    message: format!("error deriving config: {err}"),
-                    data: None,
-                };
-                self.outgoing.send_error(request_id, error).await;
+                self.send_invalid_request_error(
+                    request_id,
+                    format!("error deriving config: {err}"),
+                )
+                .await;
                return;
            }
        };

+        let conversation_history = if let Some(path) = path {
+            match RolloutRecorder::get_rollout_history(&path).await {
+                Ok(initial_history) => initial_history,
+                Err(err) => {
+                    self.send_invalid_request_error(
+                        request_id,
+                        format!("failed to load rollout `{}`: {err}", path.display()),
+                    )
+                    .await;
+                    return;
+                }
+            }
+        } else if let Some(conversation_id) = conversation_id {
+            match find_conversation_path_by_id_str(
+                &self.config.codex_home,
+                &conversation_id.to_string(),
+            )
+            .await
+            {
+                Ok(Some(found_path)) => {
+                    match RolloutRecorder::get_rollout_history(&found_path).await {
+                        Ok(initial_history) => initial_history,
+                        Err(err) => {
+                            self.send_invalid_request_error(
+                                request_id,
+                                format!(
+                                    "failed to load rollout `{}` for conversation {conversation_id}: {err}",
+                                    found_path.display()
+                                ),
+                            ).await;
+                            return;
+                        }
+                    }
+                }
+                Ok(None) => {
+                    self.send_invalid_request_error(
+                        request_id,
+                        format!("no rollout found for conversation id {conversation_id}"),
+                    )
+                    .await;
+                    return;
+                }
+                Err(err) => {
+                    self.send_invalid_request_error(
+                        request_id,
+                        format!("failed to locate conversation id {conversation_id}: {err}"),
+                    )
+                    .await;
+                    return;
+                }
+            }
+        } else {
+            match history {
+                Some(history) if !history.is_empty() => InitialHistory::Forked(
+                    history.into_iter().map(RolloutItem::ResponseItem).collect(),
+                ),
+                Some(_) | None => {
+                    self.send_invalid_request_error(
+                        request_id,
+                        "either path, conversation id or non empty history must be provided"
+                            .to_string(),
+                    )
+                    .await;
+                    return;
+                }
+            }
+        };
+
        match self
            .conversation_manager
-            .resume_conversation_from_rollout(
+            .resume_conversation_with_history(
                config,
-                params.path.clone(),
+                conversation_history,
                self.auth_manager.clone(),
            )
            .await
@@ -1046,6 +1139,7 @@ impl CodexMessageProcessor {
                    conversation_id,
                    model: session_configured.model.clone(),
                    initial_messages,
+                    rollout_path: session_configured.rollout_path.clone(),
                };
                self.outgoing.send_response(request_id, response).await;
            }
@@ -1060,6 +1154,15 @@ impl CodexMessageProcessor {
        }
    }

+    async fn send_invalid_request_error(&self, request_id: RequestId, message: String) {
+        let error = JSONRPCErrorError {
+            code: INVALID_REQUEST_ERROR_CODE,
+            message,
+            data: None,
+        };
+        self.outgoing.send_error(request_id, error).await;
+    }
+
    async fn archive_conversation(&self, request_id: RequestId, params: ArchiveConversationParams) {
        let ArchiveConversationParams {
            conversation_id,
@@ -1657,6 +1760,8 @@ async fn derive_config_from_params(
        sandbox: sandbox_mode,
        config: cli_overrides,
        base_instructions,
+        developer_instructions,
+        compact_prompt,
        include_apply_patch_tool,
    } = params;
    let overrides = ConfigOverrides {
@@ -1669,8 +1774,9 @@ async fn derive_config_from_params(
        model_provider,
        codex_linux_sandbox_exe,
        base_instructions,
+        developer_instructions,
+        compact_prompt,
        include_apply_patch_tool,
-        include_view_image_tool: None,
        show_raw_agent_reasoning: None,
        tools_web_search_request: None,
        experimental_sandbox_command_assessment: None,
--- a/codex-rs/app-server/src/outgoing_message.rs
+++ b/codex-rs/app-server/src/outgoing_message.rs
@@ -166,6 +166,7 @@ mod tests {
                "params": {
                    "loginId": Uuid::nil(),
                    "success": true,
+                    "error": null,
                },
            }),
            serde_json::to_value(jsonrpc_notification)
--- a/codex-rs/app-server/tests/suite/list_resume.rs
+++ b/codex-rs/app-server/tests/suite/list_resume.rs
@@ -11,6 +11,9 @@ use codex_app_server_protocol::ResumeConversationParams;
 use codex_app_server_protocol::ResumeConversationResponse;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::SessionConfiguredNotification;
+use codex_core::protocol::EventMsg;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ResponseItem;
 use pretty_assertions::assert_eq;
 use serde_json::json;
 use std::fs;
@@ -168,10 +171,14 @@ async fn test_list_and_resume_conversations() -> Result<()> {
    assert!(empty_items.is_empty());
    assert!(empty_next.is_none());

-    // Now resume one of the sessions and expect a SessionConfigured notification and response.
+    let first_item = &items[0];
+
+    // Now resume one of the sessions from an explicit rollout path.
    let resume_req_id = mcp
        .send_resume_conversation_request(ResumeConversationParams {
-            path: items[0].path.clone(),
+            path: Some(first_item.path.clone()),
+            conversation_id: None,
+            history: None,
            overrides: Some(NewConversationParams {
                model: Some("o3".to_string()),
                ..Default::default()
@@ -186,17 +193,25 @@ async fn test_list_and_resume_conversations() -> Result<()> {
    )
    .await??;
    let session_configured: ServerNotification = notification.try_into()?;
-    // Basic shape assertion: ensure event type is sessionConfigured
    let ServerNotification::SessionConfigured(SessionConfiguredNotification {
        model,
        rollout_path,
+        initial_messages: session_initial_messages,
        ..
    }) = session_configured
    else {
        unreachable!("expected sessionConfigured notification");
    };
    assert_eq!(model, "o3");
-    assert_eq!(items[0].path.clone(), rollout_path);
+    assert_eq!(rollout_path, first_item.path.clone());
+    let session_initial_messages = session_initial_messages
+        .expect("expected initial messages when resuming from rollout path");
+    match session_initial_messages.as_slice() {
+        [EventMsg::UserMessage(message)] => {
+            assert_eq!(message.message, first_item.preview.clone());
+        }
+        other => panic!("unexpected initial messages from rollout resume: {other:#?}"),
+    }

    // Then the response for resumeConversation
    let resume_resp: JSONRPCResponse = timeout(
@@ -205,10 +220,140 @@ async fn test_list_and_resume_conversations() -> Result<()> {
    )
    .await??;
    let ResumeConversationResponse {
-        conversation_id, ..
+        conversation_id,
+        model: resume_model,
+        initial_messages: response_initial_messages,
+        ..
    } = to_response::<ResumeConversationResponse>(resume_resp)?;
    // conversation id should be a valid UUID
    assert!(!conversation_id.to_string().is_empty());
+    assert_eq!(resume_model, "o3");
+    let response_initial_messages =
+        response_initial_messages.expect("expected initial messages in resume response");
+    match response_initial_messages.as_slice() {
+        [EventMsg::UserMessage(message)] => {
+            assert_eq!(message.message, first_item.preview.clone());
+        }
+        other => panic!("unexpected initial messages in resume response: {other:#?}"),
+    }
+
+    // Resuming with only a conversation id should locate the rollout automatically.
+    let resume_by_id_req_id = mcp
+        .send_resume_conversation_request(ResumeConversationParams {
+            path: None,
+            conversation_id: Some(first_item.conversation_id),
+            history: None,
+            overrides: Some(NewConversationParams {
+                model: Some("o3".to_string()),
+                ..Default::default()
+            }),
+        })
+        .await?;
+    let notification: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("sessionConfigured"),
+    )
+    .await??;
+    let session_configured: ServerNotification = notification.try_into()?;
+    let ServerNotification::SessionConfigured(SessionConfiguredNotification {
+        model,
+        rollout_path,
+        initial_messages: session_initial_messages,
+        ..
+    }) = session_configured
+    else {
+        unreachable!("expected sessionConfigured notification");
+    };
+    assert_eq!(model, "o3");
+    assert_eq!(rollout_path, first_item.path.clone());
+    let session_initial_messages = session_initial_messages
+        .expect("expected initial messages when resuming from conversation id");
+    match session_initial_messages.as_slice() {
+        [EventMsg::UserMessage(message)] => {
+            assert_eq!(message.message, first_item.preview.clone());
+        }
+        other => panic!("unexpected initial messages from conversation id resume: {other:#?}"),
+    }
+    let resume_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(resume_by_id_req_id)),
+    )
+    .await??;
+    let ResumeConversationResponse {
+        conversation_id: by_id_conversation_id,
+        model: by_id_model,
+        initial_messages: by_id_initial_messages,
+        ..
+    } = to_response::<ResumeConversationResponse>(resume_resp)?;
+    assert!(!by_id_conversation_id.to_string().is_empty());
+    assert_eq!(by_id_model, "o3");
+    let by_id_initial_messages = by_id_initial_messages
+        .expect("expected initial messages when resuming from conversation id response");
+    match by_id_initial_messages.as_slice() {
+        [EventMsg::UserMessage(message)] => {
+            assert_eq!(message.message, first_item.preview.clone());
+        }
+        other => {
+            panic!("unexpected initial messages in conversation id resume response: {other:#?}")
+        }
+    }
+
+    // Resuming with explicit history should succeed even without a stored rollout.
+    let fork_history_text = "Hello from history";
+    let history = vec![ResponseItem::Message {
+        id: None,
+        role: "user".to_string(),
+        content: vec![ContentItem::InputText {
+            text: fork_history_text.to_string(),
+        }],
+    }];
+    let resume_with_history_req_id = mcp
+        .send_resume_conversation_request(ResumeConversationParams {
+            path: None,
+            conversation_id: None,
+            history: Some(history),
+            overrides: Some(NewConversationParams {
+                model: Some("o3".to_string()),
+                ..Default::default()
+            }),
+        })
+        .await?;
+    let notification: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("sessionConfigured"),
+    )
+    .await??;
+    let session_configured: ServerNotification = notification.try_into()?;
+    let ServerNotification::SessionConfigured(SessionConfiguredNotification {
+        model,
+        initial_messages: session_initial_messages,
+        ..
+    }) = session_configured
+    else {
+        unreachable!("expected sessionConfigured notification");
+    };
+    assert_eq!(model, "o3");
+    assert!(
+        session_initial_messages.as_ref().is_none_or(Vec::is_empty),
+        "expected no initial messages when resuming from explicit history but got {session_initial_messages:#?}"
+    );
+    let resume_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(resume_with_history_req_id)),
+    )
+    .await??;
+    let ResumeConversationResponse {
+        conversation_id: history_conversation_id,
+        model: history_model,
+        initial_messages: history_initial_messages,
+        ..
+    } = to_response::<ResumeConversationResponse>(resume_resp)?;
+    assert!(!history_conversation_id.to_string().is_empty());
+    assert_eq!(history_model, "o3");
+    assert!(
+        history_initial_messages.as_ref().is_none_or(Vec::is_empty),
+        "expected no initial messages in resume response when history is provided but got {history_initial_messages:#?}"
+    );

    Ok(())
 }
--- a/codex-rs/app-server/tests/suite/send_message.rs
+++ b/codex-rs/app-server/tests/suite/send_message.rs
@@ -16,6 +16,7 @@ use codex_app_server_protocol::SendUserMessageResponse;
 use codex_protocol::ConversationId;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::RawResponseItemEvent;
 use pretty_assertions::assert_eq;
 use std::path::Path;
 use tempfile::TempDir;
@@ -43,7 +44,9 @@ async fn test_send_message_success() -> Result<()> {

    // Start a conversation using the new wire API.
    let new_conv_id = mcp
-        .send_new_conversation_request(NewConversationParams::default())
+        .send_new_conversation_request(NewConversationParams {
+            ..Default::default()
+        })
        .await?;
    let new_conv_resp: JSONRPCResponse = timeout(
        DEFAULT_READ_TIMEOUT,
@@ -142,7 +145,10 @@ async fn test_send_message_raw_notifications_opt_in() -> Result<()> {
    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;

    let new_conv_id = mcp
-        .send_new_conversation_request(NewConversationParams::default())
+        .send_new_conversation_request(NewConversationParams {
+            developer_instructions: Some("Use the test harness tools.".to_string()),
+            ..Default::default()
+        })
        .await?;
    let new_conv_resp: JSONRPCResponse = timeout(
        DEFAULT_READ_TIMEOUT,
@@ -176,6 +182,9 @@ async fn test_send_message_raw_notifications_opt_in() -> Result<()> {
        })
        .await?;

+    let developer = read_raw_response_item(&mut mcp, conversation_id).await;
+    assert_developer_message(&developer, "Use the test harness tools.");
+
    let instructions = read_raw_response_item(&mut mcp, conversation_id).await;
    assert_instructions_message(&instructions);

@@ -294,7 +303,9 @@ async fn read_raw_response_item(
        .cloned()
        .expect("raw response item should include msg payload");

-    serde_json::from_value(msg_value).expect("deserialize raw response item")
+    let event: RawResponseItemEvent =
+        serde_json::from_value(msg_value).expect("deserialize raw response item");
+    event.item
 }

 fn assert_instructions_message(item: &ResponseItem) {
@@ -302,10 +313,11 @@ fn assert_instructions_message(item: &ResponseItem) {
        ResponseItem::Message { role, content, .. } => {
            assert_eq!(role, "user");
            let texts = content_texts(content);
+            let is_instructions = texts
+                .iter()
+                .any(|text| text.starts_with("# AGENTS.md instructions for "));
            assert!(
-                texts
-                    .iter()
-                    .any(|text| text.contains("<user_instructions>")),
+                is_instructions,
                "expected instructions message, got {texts:?}"
            );
        }
@@ -313,6 +325,21 @@ fn assert_instructions_message(item: &ResponseItem) {
    }
 }

+fn assert_developer_message(item: &ResponseItem, expected_text: &str) {
+    match item {
+        ResponseItem::Message { role, content, .. } => {
+            assert_eq!(role, "developer");
+            let texts = content_texts(content);
+            assert_eq!(
+                texts,
+                vec![expected_text],
+                "expected developer instructions message, got {texts:?}"
+            );
+        }
+        other => panic!("expected developer instructions message, got {other:?}"),
+    }
+}
+
 fn assert_environment_message(item: &ResponseItem) {
    match item {
        ResponseItem::Message { role, content, .. } => {
--- a/codex-rs/chatgpt/Cargo.toml
+++ b/codex-rs/chatgpt/Cargo.toml
@@ -14,7 +14,7 @@ codex-core = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = ["full"] }
-codex-git-apply = { path = "../git-apply" }
+codex-git = { workspace = true }

 [dev-dependencies]
 tempfile = { workspace = true }
--- a/codex-rs/chatgpt/src/apply_command.rs
+++ b/codex-rs/chatgpt/src/apply_command.rs
@@ -59,13 +59,13 @@ pub async fn apply_diff_from_task(

 async fn apply_diff(diff: &str, cwd: Option<PathBuf>) -> anyhow::Result<()> {
    let cwd = cwd.unwrap_or(std::env::current_dir().unwrap_or_else(|_| std::env::temp_dir()));
-    let req = codex_git_apply::ApplyGitRequest {
+    let req = codex_git::ApplyGitRequest {
        cwd,
        diff: diff.to_string(),
        revert: false,
        preflight: false,
    };
-    let res = codex_git_apply::apply_git_patch(&req)?;
+    let res = codex_git::apply_git_patch(&req)?;
    if res.exit_code != 0 {
        anyhow::bail!(
            "Git apply failed (applied={}, skipped={}, conflicts={})\nstdout:\n{}\nstderr:\n{}",
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -47,6 +47,9 @@ tokio = { workspace = true, features = [
    "signal",
 ] }

+[target.'cfg(target_os = "windows")'.dependencies]
+codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
+
 [dev-dependencies]
 assert_cmd = { workspace = true }
 assert_matches = { workspace = true }
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -11,6 +11,7 @@ use codex_protocol::config_types::SandboxMode;

 use crate::LandlockCommand;
 use crate::SeatbeltCommand;
+use crate::WindowsCommand;
 use crate::exit_status::handle_exit_status;

 pub async fn run_command_under_seatbelt(
@@ -51,9 +52,29 @@ pub async fn run_command_under_landlock(
    .await
 }

+pub async fn run_command_under_windows(
+    command: WindowsCommand,
+    codex_linux_sandbox_exe: Option<PathBuf>,
+) -> anyhow::Result<()> {
+    let WindowsCommand {
+        full_auto,
+        config_overrides,
+        command,
+    } = command;
+    run_command_under_sandbox(
+        full_auto,
+        command,
+        config_overrides,
+        codex_linux_sandbox_exe,
+        SandboxType::Windows,
+    )
+    .await
+}
+
 enum SandboxType {
    Seatbelt,
    Landlock,
+    Windows,
 }

 async fn run_command_under_sandbox(
@@ -87,6 +108,63 @@ async fn run_command_under_sandbox(
    let stdio_policy = StdioPolicy::Inherit;
    let env = create_env(&config.shell_environment_policy);

+    // Special-case Windows sandbox: execute and exit the process to emulate inherited stdio.
+    if let SandboxType::Windows = sandbox_type {
+        #[cfg(target_os = "windows")]
+        {
+            use codex_windows_sandbox::run_windows_sandbox_capture;
+
+            let policy_str = match &config.sandbox_policy {
+                codex_core::protocol::SandboxPolicy::DangerFullAccess => "workspace-write",
+                codex_core::protocol::SandboxPolicy::ReadOnly => "read-only",
+                codex_core::protocol::SandboxPolicy::WorkspaceWrite { .. } => "workspace-write",
+            };
+
+            let sandbox_cwd = sandbox_policy_cwd.clone();
+            let cwd_clone = cwd.clone();
+            let env_map = env.clone();
+            let command_vec = command.clone();
+            let res = tokio::task::spawn_blocking(move || {
+                run_windows_sandbox_capture(
+                    policy_str,
+                    &sandbox_cwd,
+                    command_vec,
+                    &cwd_clone,
+                    env_map,
+                    None,
+                )
+            })
+            .await;
+
+            let capture = match res {
+                Ok(Ok(v)) => v,
+                Ok(Err(err)) => {
+                    eprintln!("windows sandbox failed: {err}");
+                    std::process::exit(1);
+                }
+                Err(join_err) => {
+                    eprintln!("windows sandbox join error: {join_err}");
+                    std::process::exit(1);
+                }
+            };
+
+            if !capture.stdout.is_empty() {
+                use std::io::Write;
+                let _ = std::io::stdout().write_all(&capture.stdout);
+            }
+            if !capture.stderr.is_empty() {
+                use std::io::Write;
+                let _ = std::io::stderr().write_all(&capture.stderr);
+            }
+
+            std::process::exit(capture.exit_code);
+        }
+        #[cfg(not(target_os = "windows"))]
+        {
+            anyhow::bail!("Windows sandbox is only available on Windows");
+        }
+    }
+
    let mut child = match sandbox_type {
        SandboxType::Seatbelt => {
            spawn_command_under_seatbelt(
@@ -115,6 +193,9 @@ async fn run_command_under_sandbox(
            )
            .await?
        }
+        SandboxType::Windows => {
+            unreachable!("Windows sandbox should have been handled above");
+        }
    };
    let status = child.wait().await?;

--- a/codex-rs/cli/src/lib.rs
+++ b/codex-rs/cli/src/lib.rs
@@ -32,3 +32,17 @@ pub struct LandlockCommand {
    #[arg(trailing_var_arg = true)]
    pub command: Vec<String>,
 }
+
+#[derive(Debug, Parser)]
+pub struct WindowsCommand {
+    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
+    #[arg(long = "full-auto", default_value_t = false)]
+    pub full_auto: bool,
+
+    #[clap(skip)]
+    pub config_overrides: CliConfigOverrides,
+
+    /// Full command args to run under Windows restricted token sandbox.
+    #[arg(trailing_var_arg = true)]
+    pub command: Vec<String>,
+}
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -7,6 +7,7 @@ use codex_chatgpt::apply_command::ApplyCommand;
 use codex_chatgpt::apply_command::run_apply_command;
 use codex_cli::LandlockCommand;
 use codex_cli::SeatbeltCommand;
+use codex_cli::WindowsCommand;
 use codex_cli::login::read_api_key_from_stdin;
 use codex_cli::login::run_login_status;
 use codex_cli::login::run_login_with_api_key;
@@ -151,6 +152,9 @@ enum SandboxCommand {
    /// Run a command under Landlock+seccomp (Linux only).
    #[clap(visible_alias = "landlock")]
    Linux(LandlockCommand),
+
+    /// Run a command under Windows restricted token (Windows only).
+    Windows(WindowsCommand),
 }

 #[derive(Debug, Parser)]
@@ -472,6 +476,17 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                )
                .await?;
            }
+            SandboxCommand::Windows(mut windows_cli) => {
+                prepend_config_flags(
+                    &mut windows_cli.config_overrides,
+                    root_config_overrides.clone(),
+                );
+                codex_cli::debug_sandbox::run_command_under_windows(
+                    windows_cli,
+                    codex_linux_sandbox_exe,
+                )
+                .await?;
+            }
        },
        Some(Subcommand::Apply(mut apply_cli)) => {
            prepend_config_flags(
@@ -497,7 +512,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                // Respect root-level `-c` overrides plus top-level flags like `--profile`.
                let cli_kv_overrides = root_config_overrides
                    .parse_overrides()
-                    .map_err(|e| anyhow::anyhow!(e))?;
+                    .map_err(anyhow::Error::msg)?;

                // Thread through relevant top-level flags (at minimum, `--profile`).
                // Also honor `--search` since it maps to a feature toggle.
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -9,11 +9,11 @@ use codex_common::CliConfigOverrides;
 use codex_common::format_env_display::format_env_display;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
+use codex_core::config::edit::ConfigEditsBuilder;
 use codex_core::config::find_codex_home;
 use codex_core::config::load_global_mcp_servers;
-use codex_core::config::write_global_mcp_servers;
-use codex_core::config_types::McpServerConfig;
-use codex_core::config_types::McpServerTransportConfig;
+use codex_core::config::types::McpServerConfig;
+use codex_core::config::types::McpServerTransportConfig;
 use codex_core::features::Feature;
 use codex_core::mcp::auth::compute_auth_statuses;
 use codex_core::protocol::McpAuthStatus;
@@ -196,7 +196,9 @@ impl McpCli {

 async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Result<()> {
    // Validate any provided overrides even though they are not currently applied.
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
@@ -263,7 +265,10 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re

    servers.insert(name.clone(), new_entry);

-    write_global_mcp_servers(&codex_home, &servers)
+    ConfigEditsBuilder::new(&codex_home)
+        .replace_mcp_servers(&servers)
+        .apply()
+        .await
        .with_context(|| format!("failed to write MCP servers to {}", codex_home.display()))?;

    println!("Added global MCP server '{name}'.");
@@ -307,7 +312,9 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
 }

 async fn run_remove(config_overrides: &CliConfigOverrides, remove_args: RemoveArgs) -> Result<()> {
-    config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;

    let RemoveArgs { name } = remove_args;

@@ -321,7 +328,10 @@ async fn run_remove(config_overrides: &CliConfigOverrides, remove_args: RemoveAr
    let removed = servers.remove(&name).is_some();

    if removed {
-        write_global_mcp_servers(&codex_home, &servers)
+        ConfigEditsBuilder::new(&codex_home)
+            .replace_mcp_servers(&servers)
+            .apply()
+            .await
            .with_context(|| format!("failed to write MCP servers to {}", codex_home.display()))?;
    }

@@ -335,15 +345,15 @@ async fn run_remove(config_overrides: &CliConfigOverrides, remove_args: RemoveAr
 }

 async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;

    if !config.features.enabled(Feature::RmcpClient) {
-        bail!(
-            "OAuth login is only supported when experimental_use_rmcp_client is true in config.toml."
-        );
+        bail!("OAuth login is only supported when [feature].rmcp_client is true in config.toml.");
    }

    let LoginArgs { name, scopes } = login_args;
@@ -376,7 +386,9 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
 }

 async fn run_logout(config_overrides: &CliConfigOverrides, logout_args: LogoutArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
@@ -403,7 +415,9 @@ async fn run_logout(config_overrides: &CliConfigOverrides, logout_args: LogoutAr
 }

 async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
@@ -658,7 +672,9 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
 }

 async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Result<()> {
-    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides
+        .parse_overrides()
+        .map_err(anyhow::Error::msg)?;
    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
        .await
        .context("failed to load configuration")?;
--- a/codex-rs/cli/tests/mcp_add_remove.rs
+++ b/codex-rs/cli/tests/mcp_add_remove.rs
@@ -2,7 +2,7 @@ use std::path::Path;

 use anyhow::Result;
 use codex_core::config::load_global_mcp_servers;
-use codex_core::config_types::McpServerTransportConfig;
+use codex_core::config::types::McpServerTransportConfig;
 use predicates::str::contains;
 use pretty_assertions::assert_eq;
 use tempfile::TempDir;
--- a/codex-rs/cli/tests/mcp_list.rs
+++ b/codex-rs/cli/tests/mcp_list.rs
@@ -1,9 +1,9 @@
 use std::path::Path;

 use anyhow::Result;
+use codex_core::config::edit::ConfigEditsBuilder;
 use codex_core::config::load_global_mcp_servers;
-use codex_core::config::write_global_mcp_servers;
-use codex_core::config_types::McpServerTransportConfig;
+use codex_core::config::types::McpServerTransportConfig;
 use predicates::prelude::PredicateBooleanExt;
 use predicates::str::contains;
 use pretty_assertions::assert_eq;
@@ -59,7 +59,9 @@ async fn list_and_get_render_expected_output() -> Result<()> {
        }
        other => panic!("unexpected transport: {other:?}"),
    }
-    write_global_mcp_servers(codex_home.path(), &servers)?;
+    ConfigEditsBuilder::new(codex_home.path())
+        .replace_mcp_servers(&servers)
+        .apply_blocking()?;

    let mut list_cmd = codex_command(codex_home.path())?;
    let list_output = list_cmd.args(["mcp", "list"]).output()?;
@@ -149,7 +151,9 @@ async fn get_disabled_server_shows_single_line() -> Result<()> {
        .get_mut("docs")
        .expect("docs server should exist after add");
    docs.enabled = false;
-    write_global_mcp_servers(codex_home.path(), &servers)?;
+    ConfigEditsBuilder::new(codex_home.path())
+        .replace_mcp_servers(&servers)
+        .apply_blocking()?;

    let mut get_cmd = codex_command(codex_home.path())?;
    let get_output = get_cmd.args(["mcp", "get", "docs"]).output()?;
--- a/codex-rs/cloud-tasks-client/Cargo.toml
+++ b/codex-rs/cloud-tasks-client/Cargo.toml
@@ -22,6 +22,6 @@ chrono = { version = "0.4", features = ["serde"] }
 diffy = "0.4.2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-thiserror = "2.0.12"
+thiserror = "2.0.17"
 codex-backend-client = { path = "../backend-client", optional = true }
-codex-git-apply = { path = "../git-apply" }
+codex-git = { workspace = true }
--- a/codex-rs/cloud-tasks-client/src/http.rs
+++ b/codex-rs/cloud-tasks-client/src/http.rs
@@ -362,13 +362,13 @@ mod api {
                });
            }

-            let req = codex_git_apply::ApplyGitRequest {
+            let req = codex_git::ApplyGitRequest {
                cwd: std::env::current_dir().unwrap_or_else(|_| std::env::temp_dir()),
                diff: diff.clone(),
                revert: false,
                preflight,
            };
-            let r = codex_git_apply::apply_git_patch(&req)
+            let r = codex_git::apply_git_patch(&req)
                .map_err(|e| CloudTaskError::Io(format!("git apply failed to run: {e}")))?;

            let status = if r.exit_code == 0 {
--- a/codex-rs/cloud-tasks-client/src/lib.rs
+++ b/codex-rs/cloud-tasks-client/src/lib.rs
@@ -26,4 +26,4 @@ pub use mock::MockClient;
 #[cfg(feature = "online")]
 pub use http::HttpClient;

-// Reusable apply engine now lives in the shared crate `codex-git-apply`.
+// Reusable apply engine now lives in the shared crate `codex-git`.
--- a/codex-rs/codex-backend-openapi-models/Cargo.toml
+++ b/codex-rs/codex-backend-openapi-models/Cargo.toml
@@ -16,3 +16,6 @@ path = "src/lib.rs"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_with = "3"
+
+[package.metadata.cargo-shear]
+ignored = ["serde_with"]
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -23,7 +23,7 @@ codex-app-server-protocol = { workspace = true }
 codex-apply-patch = { workspace = true }
 codex-async-utils = { workspace = true }
 codex-file-search = { workspace = true }
-codex-git-tooling = { workspace = true }
+codex-git = { workspace = true }
 codex-keyring-store = { workspace = true }
 codex-otel = { workspace = true, features = ["otel"] }
 codex-protocol = { workspace = true }
@@ -83,6 +83,7 @@ tree-sitter-bash = { workspace = true }
 uuid = { workspace = true, features = ["serde", "v4"] }
 which = { workspace = true }
 wildmatch = { workspace = true }
+codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }


 [target.'cfg(target_os = "linux")'.dependencies]
--- a/codex-rs/core/review_prompt.md
+++ b/codex-rs/core/review_prompt.md
@@ -82,6 +82,6 @@ OUTPUT FORMAT:

 * **Do not** wrap the JSON in markdown fences or extra prose.
 * The code_location field is required and must include absolute_file_path and line_range.
-*Line ranges must be as short as possible for interpreting the issue (avoid ranges over 5–10 lines; pick the most suitable subrange).
+* Line ranges must be as short as possible for interpreting the issue (avoid ranges over 5–10 lines; pick the most suitable subrange).
 * The code_location should overlap with the diff.
-* Do not generate a PR fix.
+* Do not generate a PR fix.
--- a/codex-rs/core/src/apply_patch.rs
+++ b/codex-rs/core/src/apply_patch.rs
@@ -61,7 +61,13 @@ pub(crate) async fn apply_patch(
            // that similar patches can be auto-approved in the future during
            // this session.
            let rx_approve = sess
-                .request_patch_approval(turn_context, call_id.to_owned(), &action, None, None)
+                .request_patch_approval(
+                    turn_context,
+                    call_id.to_owned(),
+                    convert_apply_patch_to_protocol(&action),
+                    None,
+                    None,
+                )
                .await;
            match rx_approve.await.unwrap_or_default() {
                ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
--- a/codex-rs/core/src/auth.rs
+++ b/codex-rs/core/src/auth.rs
@@ -25,6 +25,7 @@ use crate::default_client::CodexHttpClient;
 use crate::token_data::PlanType;
 use crate::token_data::TokenData;
 use crate::token_data::parse_id_token;
+use crate::util::try_parse_error_message;

 #[derive(Debug, Clone)]
 pub struct CodexAuth {
@@ -42,6 +43,9 @@ impl PartialEq for CodexAuth {
    }
 }

+// TODO(pakrym): use token exp field to check for expiration instead
+const TOKEN_REFRESH_INTERVAL: i64 = 8;
+
 impl CodexAuth {
    pub async fn refresh_token(&self) -> Result<String, std::io::Error> {
        tracing::info!("Refreshing token");
@@ -94,7 +98,7 @@ impl CodexAuth {
                last_refresh: Some(last_refresh),
                ..
            }) => {
-                if last_refresh < Utc::now() - chrono::Duration::days(28) {
+                if last_refresh < Utc::now() - chrono::Duration::days(TOKEN_REFRESH_INTERVAL) {
                    let refresh_response = tokio::time::timeout(
                        Duration::from_secs(60),
                        try_refresh_token(tokens.refresh_token.clone(), &self.client),
@@ -446,8 +450,9 @@ async fn try_refresh_token(
        Ok(refresh_response)
    } else {
        Err(std::io::Error::other(format!(
-            "Failed to refresh token: {}",
-            response.status()
+            "Failed to refresh token: {}: {}",
+            response.status(),
+            try_parse_error_message(&response.text().await.unwrap_or_default()),
        )))
    }
 }
--- a/codex-rs/core/src/chat_completions.rs
+++ b/codex-rs/core/src/chat_completions.rs
@@ -20,6 +20,8 @@ use codex_protocol::models::ContentItem;
 use codex_protocol::models::FunctionCallOutputContentItem;
 use codex_protocol::models::ReasoningItemContent;
 use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::SessionSource;
+use codex_protocol::protocol::SubAgentSource;
 use eventsource_stream::Eventsource;
 use futures::Stream;
 use futures::StreamExt;
@@ -41,6 +43,7 @@ pub(crate) async fn stream_chat_completions(
    client: &CodexHttpClient,
    provider: &ModelProviderInfo,
    otel_event_manager: &OtelEventManager,
+    session_source: &SessionSource,
 ) -> Result<ResponseStream> {
    if prompt.output_schema.is_some() {
        return Err(CodexErr::UnsupportedOperation(
@@ -343,7 +346,20 @@ pub(crate) async fn stream_chat_completions(
    loop {
        attempt += 1;

-        let req_builder = provider.create_request_builder(client, &None).await?;
+        let mut req_builder = provider.create_request_builder(client, &None).await?;
+
+        // Include subagent header only for subagent sessions.
+        if let SessionSource::SubAgent(sub) = session_source.clone() {
+            let subagent = if let SubAgentSource::Other(label) = sub {
+                label
+            } else {
+                serde_json::to_value(&sub)
+                    .ok()
+                    .and_then(|v| v.as_str().map(std::string::ToString::to_string))
+                    .unwrap_or_else(|| "other".to_string())
+            };
+            req_builder = req_builder.header("x-openai-subagent", subagent);
+        }

        let res = otel_event_manager
            .log_request(attempt, || {
@@ -413,6 +429,61 @@ pub(crate) async fn stream_chat_completions(
    }
 }

+async fn append_assistant_text(
+    tx_event: &mpsc::Sender<Result<ResponseEvent>>,
+    assistant_item: &mut Option<ResponseItem>,
+    text: String,
+) {
+    if assistant_item.is_none() {
+        let item = ResponseItem::Message {
+            id: None,
+            role: "assistant".to_string(),
+            content: vec![],
+        };
+        *assistant_item = Some(item.clone());
+        let _ = tx_event
+            .send(Ok(ResponseEvent::OutputItemAdded(item)))
+            .await;
+    }
+
+    if let Some(ResponseItem::Message { content, .. }) = assistant_item {
+        content.push(ContentItem::OutputText { text: text.clone() });
+        let _ = tx_event
+            .send(Ok(ResponseEvent::OutputTextDelta(text.clone())))
+            .await;
+    }
+}
+
+async fn append_reasoning_text(
+    tx_event: &mpsc::Sender<Result<ResponseEvent>>,
+    reasoning_item: &mut Option<ResponseItem>,
+    text: String,
+) {
+    if reasoning_item.is_none() {
+        let item = ResponseItem::Reasoning {
+            id: String::new(),
+            summary: Vec::new(),
+            content: Some(vec![]),
+            encrypted_content: None,
+        };
+        *reasoning_item = Some(item.clone());
+        let _ = tx_event
+            .send(Ok(ResponseEvent::OutputItemAdded(item)))
+            .await;
+    }
+
+    if let Some(ResponseItem::Reasoning {
+        content: Some(content),
+        ..
+    }) = reasoning_item
+    {
+        content.push(ReasoningItemContent::ReasoningText { text: text.clone() });
+
+        let _ = tx_event
+            .send(Ok(ResponseEvent::ReasoningContentDelta(text.clone())))
+            .await;
+    }
+}
 /// Lightweight SSE processor for the Chat Completions streaming format. The
 /// output is mapped onto Codex's internal [`ResponseEvent`] so that the rest
 /// of the pipeline can stay agnostic of the underlying wire format.
@@ -440,8 +511,8 @@ async fn process_chat_sse<S>(
    }

    let mut fn_call_state = FunctionCallState::default();
-    let mut assistant_text = String::new();
-    let mut reasoning_text = String::new();
+    let mut assistant_item: Option<ResponseItem> = None;
+    let mut reasoning_item: Option<ResponseItem> = None;

    loop {
        let start = std::time::Instant::now();
@@ -482,26 +553,11 @@ async fn process_chat_sse<S>(
        if sse.data.trim() == "[DONE]" {
            // Emit any finalized items before closing so downstream consumers receive
            // terminal events for both assistant content and raw reasoning.
-            if !assistant_text.is_empty() {
-                let item = ResponseItem::Message {
-                    role: "assistant".to_string(),
-                    content: vec![ContentItem::OutputText {
-                        text: std::mem::take(&mut assistant_text),
-                    }],
-                    id: None,
-                };
+            if let Some(item) = assistant_item {
                let _ = tx_event.send(Ok(ResponseEvent::OutputItemDone(item))).await;
            }

-            if !reasoning_text.is_empty() {
-                let item = ResponseItem::Reasoning {
-                    id: String::new(),
-                    summary: Vec::new(),
-                    content: Some(vec![ReasoningItemContent::ReasoningText {
-                        text: std::mem::take(&mut reasoning_text),
-                    }]),
-                    encrypted_content: None,
-                };
+            if let Some(item) = reasoning_item {
                let _ = tx_event.send(Ok(ResponseEvent::OutputItemDone(item))).await;
            }

@@ -531,10 +587,7 @@ async fn process_chat_sse<S>(
                .and_then(|c| c.as_str())
                && !content.is_empty()
            {
-                assistant_text.push_str(content);
-                let _ = tx_event
-                    .send(Ok(ResponseEvent::OutputTextDelta(content.to_string())))
-                    .await;
+                append_assistant_text(&tx_event, &mut assistant_item, content.to_string()).await;
            }

            // Forward any reasoning/thinking deltas if present.
@@ -564,10 +617,7 @@ async fn process_chat_sse<S>(

                if let Some(reasoning) = maybe_text {
                    // Accumulate so we can emit a terminal Reasoning item at the end.
-                    reasoning_text.push_str(&reasoning);
-                    let _ = tx_event
-                        .send(Ok(ResponseEvent::ReasoningContentDelta(reasoning)))
-                        .await;
+                    append_reasoning_text(&tx_event, &mut reasoning_item, reasoning).await;
                }
            }

@@ -577,10 +627,7 @@ async fn process_chat_sse<S>(
                // Accept either a plain string or an object with { text | content }
                if let Some(s) = message_reasoning.as_str() {
                    if !s.is_empty() {
-                        reasoning_text.push_str(s);
-                        let _ = tx_event
-                            .send(Ok(ResponseEvent::ReasoningContentDelta(s.to_string())))
-                            .await;
+                        append_reasoning_text(&tx_event, &mut reasoning_item, s.to_string()).await;
                    }
                } else if let Some(obj) = message_reasoning.as_object()
                    && let Some(s) = obj
@@ -589,10 +636,7 @@ async fn process_chat_sse<S>(
                        .or_else(|| obj.get("content").and_then(|v| v.as_str()))
                    && !s.is_empty()
                {
-                    reasoning_text.push_str(s);
-                    let _ = tx_event
-                        .send(Ok(ResponseEvent::ReasoningContentDelta(s.to_string())))
-                        .await;
+                    append_reasoning_text(&tx_event, &mut reasoning_item, s.to_string()).await;
                }
            }

@@ -630,15 +674,7 @@ async fn process_chat_sse<S>(
                    "tool_calls" if fn_call_state.active => {
                        // First, flush the terminal raw reasoning so UIs can finalize
                        // the reasoning stream before any exec/tool events begin.
-                        if !reasoning_text.is_empty() {
-                            let item = ResponseItem::Reasoning {
-                                id: String::new(),
-                                summary: Vec::new(),
-                                content: Some(vec![ReasoningItemContent::ReasoningText {
-                                    text: std::mem::take(&mut reasoning_text),
-                                }]),
-                                encrypted_content: None,
-                            };
+                        if let Some(item) = reasoning_item.take() {
                            let _ = tx_event.send(Ok(ResponseEvent::OutputItemDone(item))).await;
                        }

@@ -655,26 +691,11 @@ async fn process_chat_sse<S>(
                    "stop" => {
                        // Regular turn without tool-call. Emit the final assistant message
                        // as a single OutputItemDone so non-delta consumers see the result.
-                        if !assistant_text.is_empty() {
-                            let item = ResponseItem::Message {
-                                role: "assistant".to_string(),
-                                content: vec![ContentItem::OutputText {
-                                    text: std::mem::take(&mut assistant_text),
-                                }],
-                                id: None,
-                            };
+                        if let Some(item) = assistant_item.take() {
                            let _ = tx_event.send(Ok(ResponseEvent::OutputItemDone(item))).await;
                        }
                        // Also emit a terminal Reasoning item so UIs can finalize raw reasoning.
-                        if !reasoning_text.is_empty() {
-                            let item = ResponseItem::Reasoning {
-                                id: String::new(),
-                                summary: Vec::new(),
-                                content: Some(vec![ReasoningItemContent::ReasoningText {
-                                    text: std::mem::take(&mut reasoning_text),
-                                }]),
-                                encrypted_content: None,
-                            };
+                        if let Some(item) = reasoning_item.take() {
                            let _ = tx_event.send(Ok(ResponseEvent::OutputItemDone(item))).await;
                        }
                    }
@@ -893,8 +914,8 @@ where
                Poll::Ready(Some(Ok(ResponseEvent::ReasoningSummaryPartAdded))) => {
                    continue;
                }
-                Poll::Ready(Some(Ok(ResponseEvent::WebSearchCallBegin { call_id }))) => {
-                    return Poll::Ready(Some(Ok(ResponseEvent::WebSearchCallBegin { call_id })));
+                Poll::Ready(Some(Ok(ResponseEvent::OutputItemAdded(item)))) => {
+                    return Poll::Ready(Some(Ok(ResponseEvent::OutputItemAdded(item))));
                }
            }
        }
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -13,6 +13,7 @@ use codex_protocol::ConversationId;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
 use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::SessionSource;
 use eventsource_stream::Eventsource;
 use futures::prelude::*;
 use regex_lite::Regex;
@@ -56,7 +57,6 @@ use crate::openai_model_info::get_model_info;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::RateLimitWindow;
 use crate::protocol::TokenUsage;
-use crate::state::TaskKind;
 use crate::token_data::PlanType;
 use crate::tools::spec::create_tools_json_for_responses_api;
 use crate::util::backoff;
@@ -87,8 +87,10 @@ pub struct ModelClient {
    conversation_id: ConversationId,
    effort: Option<ReasoningEffortConfig>,
    summary: ReasoningSummaryConfig,
+    session_source: SessionSource,
 }

+#[allow(clippy::too_many_arguments)]
 impl ModelClient {
    pub fn new(
        config: Arc<Config>,
@@ -98,6 +100,7 @@ impl ModelClient {
        effort: Option<ReasoningEffortConfig>,
        summary: ReasoningSummaryConfig,
        conversation_id: ConversationId,
+        session_source: SessionSource,
    ) -> Self {
        let client = create_client();

@@ -110,6 +113,7 @@ impl ModelClient {
            conversation_id,
            effort,
            summary,
+            session_source,
        }
    }

@@ -127,13 +131,6 @@ impl ModelClient {
        })
    }

-    /// Dispatches to either the Responses or Chat implementation depending on
-    /// the provider config.  Public callers always invoke `stream()` – the
-    /// specialised helpers are private to avoid accidental misuse.
-    pub async fn stream(&self, prompt: &Prompt) -> Result<ResponseStream> {
-        self.stream_with_task_kind(prompt, TaskKind::Regular).await
-    }
-
    pub fn config(&self) -> Arc<Config> {
        Arc::clone(&self.config)
    }
@@ -142,13 +139,9 @@ impl ModelClient {
        &self.provider
    }

-    pub(crate) async fn stream_with_task_kind(
-        &self,
-        prompt: &Prompt,
-        task_kind: TaskKind,
-    ) -> Result<ResponseStream> {
+    pub async fn stream(&self, prompt: &Prompt) -> Result<ResponseStream> {
        match self.provider.wire_api {
-            WireApi::Responses => self.stream_responses(prompt, task_kind).await,
+            WireApi::Responses => self.stream_responses(prompt).await,
            WireApi::Chat => {
                // Create the raw streaming connection first.
                let response_stream = stream_chat_completions(
@@ -157,6 +150,7 @@ impl ModelClient {
                    &self.client,
                    &self.provider,
                    &self.otel_event_manager,
+                    &self.session_source,
                )
                .await?;

@@ -189,11 +183,7 @@ impl ModelClient {
    }

    /// Implementation for the OpenAI *Responses* experimental API.
-    async fn stream_responses(
-        &self,
-        prompt: &Prompt,
-        task_kind: TaskKind,
-    ) -> Result<ResponseStream> {
+    async fn stream_responses(&self, prompt: &Prompt) -> Result<ResponseStream> {
        if let Some(path) = &*CODEX_RS_SSE_FIXTURE {
            // short circuit for tests
            warn!(path, "Streaming from fixture");
@@ -226,10 +216,12 @@ impl ModelClient {
        let verbosity = if self.config.model_family.support_verbosity {
            self.config.model_verbosity
        } else {
-            warn!(
-                "model_verbosity is set but ignored as the model does not support verbosity: {}",
-                self.config.model_family.family
-            );
+            if self.config.model_verbosity.is_some() {
+                warn!(
+                    "model_verbosity is set but ignored as the model does not support verbosity: {}",
+                    self.config.model_family.family
+                );
+            }
            None
        };

@@ -268,7 +260,7 @@ impl ModelClient {
        let max_attempts = self.provider.request_max_retries();
        for attempt in 0..=max_attempts {
            match self
-                .attempt_stream_responses(attempt, &payload_json, &auth_manager, task_kind)
+                .attempt_stream_responses(attempt, &payload_json, &auth_manager)
                .await
            {
                Ok(stream) => {
@@ -296,7 +288,6 @@ impl ModelClient {
        attempt: u64,
        payload_json: &Value,
        auth_manager: &Option<Arc<AuthManager>>,
-        task_kind: TaskKind,
    ) -> std::result::Result<ResponseStream, StreamAttemptError> {
        // Always fetch the latest auth in case a prior attempt refreshed the token.
        let auth = auth_manager.as_ref().and_then(|m| m.auth());
@@ -314,12 +305,24 @@ impl ModelClient {
            .await
            .map_err(StreamAttemptError::Fatal)?;

+        // Include subagent header only for subagent sessions.
+        if let SessionSource::SubAgent(sub) = &self.session_source {
+            let subagent = if let crate::protocol::SubAgentSource::Other(label) = sub {
+                label.clone()
+            } else {
+                serde_json::to_value(sub)
+                    .ok()
+                    .and_then(|v| v.as_str().map(std::string::ToString::to_string))
+                    .unwrap_or_else(|| "other".to_string())
+            };
+            req_builder = req_builder.header("x-openai-subagent", subagent);
+        }
+
        req_builder = req_builder
            // Send session_id for compatibility.
            .header("conversation_id", self.conversation_id.to_string())
            .header("session_id", self.conversation_id.to_string())
            .header(reqwest::header::ACCEPT, "text/event-stream")
-            .header("Codex-Task-Type", task_kind.header_value())
            .json(payload_json);

        if let Some(auth) = auth.as_ref()
@@ -462,6 +465,10 @@ impl ModelClient {
        self.otel_event_manager.clone()
    }

+    pub fn get_session_source(&self) -> SessionSource {
+        self.session_source.clone()
+    }
+
    /// Returns the currently configured model slug.
    pub fn get_model(&self) -> String {
        self.config.model.clone()
@@ -869,21 +876,15 @@ async fn process_sse<S>(
            | "response.in_progress"
            | "response.output_text.done" => {}
            "response.output_item.added" => {
-                if let Some(item) = event.item.as_ref() {
-                    // Detect web_search_call begin and forward a synthetic event upstream.
-                    if let Some(ty) = item.get("type").and_then(|v| v.as_str())
-                        && ty == "web_search_call"
-                    {
-                        let call_id = item
-                            .get("id")
-                            .and_then(|v| v.as_str())
-                            .unwrap_or("")
-                            .to_string();
-                        let ev = ResponseEvent::WebSearchCallBegin { call_id };
-                        if tx_event.send(Ok(ev)).await.is_err() {
-                            return;
-                        }
-                    }
+                let Some(item_val) = event.item else { continue };
+                let Ok(item) = serde_json::from_value::<ResponseItem>(item_val) else {
+                    debug!("failed to parse ResponseItem from output_item.done");
+                    continue;
+                };
+
+                let event = ResponseEvent::OutputItemAdded(item);
+                if tx_event.send(Ok(event)).await.is_err() {
+                    return;
                }
            }
            "response.reasoning_summary_part.added" => {
--- a/codex-rs/core/src/client_common.rs
+++ b/codex-rs/core/src/client_common.rs
@@ -23,6 +23,11 @@ use tokio::sync::mpsc;
 /// Review thread system prompt. Edit `core/src/review_prompt.md` to customize.
 pub const REVIEW_PROMPT: &str = include_str!("../review_prompt.md");

+// Centralized templates for review-related user messages
+pub const REVIEW_EXIT_SUCCESS_TMPL: &str = include_str!("../templates/review/exit_success.xml");
+pub const REVIEW_EXIT_INTERRUPTED_TMPL: &str =
+    include_str!("../templates/review/exit_interrupted.xml");
+
 /// API request payload for a single model turn
 #[derive(Default, Debug, Clone)]
 pub struct Prompt {
@@ -192,6 +197,7 @@ fn strip_total_output_header(output: &str) -> Option<&str> {
 pub enum ResponseEvent {
    Created,
    OutputItemDone(ResponseItem),
+    OutputItemAdded(ResponseItem),
    Completed {
        response_id: String,
        token_usage: Option<TokenUsage>,
@@ -200,9 +206,6 @@ pub enum ResponseEvent {
    ReasoningSummaryDelta(String),
    ReasoningContentDelta(String),
    ReasoningSummaryPartAdded,
-    WebSearchCallBegin {
-        call_id: String,
-    },
    RateLimits(RateLimitSnapshot),
 }

--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
--- a/codex-rs/core/src/codex/compact.rs
+++ b/codex-rs/core/src/codex/compact.rs
@@ -13,7 +13,7 @@ use crate::protocol::ErrorEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::TaskStartedEvent;
 use crate::protocol::TurnContextItem;
-use crate::state::TaskKind;
+use crate::protocol::WarningEvent;
 use crate::truncate::truncate_middle;
 use crate::util::backoff;
 use askama::Template;
@@ -40,9 +40,8 @@ pub(crate) async fn run_inline_auto_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
 ) {
-    let input = vec![UserInput::Text {
-        text: SUMMARIZATION_PROMPT.to_string(),
-    }];
+    let prompt = turn_context.compact_prompt().to_string();
+    let input = vec![UserInput::Text { text: prompt }];
    run_compact_task_inner(sess, turn_context, input).await;
 }

@@ -170,6 +169,11 @@ async fn run_compact_task_inner(
        message: "Compact task completed".to_string(),
    });
    sess.send_event(&turn_context, event).await;
+
+    let warning = EventMsg::Warning(WarningEvent {
+        message: "Heads up: Long conversations and multiple compactions can cause the model to be less accurate. Start new a new conversation when possible to keep conversations small and targeted.".to_string(),
+    });
+    sess.send_event(&turn_context, warning).await;
 }

 pub fn content_items_to_text(content: &[ContentItem]) -> Option<String> {
@@ -255,11 +259,7 @@ async fn drain_to_completed(
    turn_context: &TurnContext,
    prompt: &Prompt,
 ) -> CodexResult<()> {
-    let mut stream = turn_context
-        .client
-        .clone()
-        .stream_with_task_kind(prompt, TaskKind::Compact)
-        .await?;
+    let mut stream = turn_context.client.clone().stream(prompt).await?;
    loop {
        let maybe_event = stream.next().await;
        let Some(event) = maybe_event else {
@@ -353,7 +353,8 @@ mod tests {
                id: None,
                role: "user".to_string(),
                content: vec![ContentItem::InputText {
-                    text: "<user_instructions>do things</user_instructions>".to_string(),
+                    text: "# AGENTS.md instructions for project\n\n<INSTRUCTIONS>\ndo things\n</INSTRUCTIONS>"
+                        .to_string(),
                }],
            },
            ResponseItem::Message {
--- a/codex-rs/core/src/codex_delegate.rs
+++ b/codex-rs/core/src/codex_delegate.rs
@@ -0,0 +1,295 @@
+use std::sync::Arc;
+use std::sync::atomic::AtomicU64;
+
+use async_channel::Receiver;
+use async_channel::Sender;
+use codex_async_utils::OrCancelExt;
+use codex_protocol::protocol::ApplyPatchApprovalRequestEvent;
+use codex_protocol::protocol::Event;
+use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::ExecApprovalRequestEvent;
+use codex_protocol::protocol::Op;
+use codex_protocol::protocol::SessionSource;
+use codex_protocol::protocol::SubAgentSource;
+use codex_protocol::protocol::Submission;
+use codex_protocol::user_input::UserInput;
+use tokio_util::sync::CancellationToken;
+
+use crate::AuthManager;
+use crate::codex::Codex;
+use crate::codex::CodexSpawnOk;
+use crate::codex::SUBMISSION_CHANNEL_CAPACITY;
+use crate::codex::Session;
+use crate::codex::TurnContext;
+use crate::config::Config;
+use crate::error::CodexErr;
+use codex_protocol::protocol::InitialHistory;
+
+/// Start an interactive sub-Codex conversation and return IO channels.
+///
+/// The returned `events_rx` yields non-approval events emitted by the sub-agent.
+/// Approval requests are handled via `parent_session` and are not surfaced.
+/// The returned `ops_tx` allows the caller to submit additional `Op`s to the sub-agent.
+pub(crate) async fn run_codex_conversation_interactive(
+    config: Config,
+    auth_manager: Arc<AuthManager>,
+    parent_session: Arc<Session>,
+    parent_ctx: Arc<TurnContext>,
+    cancel_token: CancellationToken,
+    initial_history: Option<InitialHistory>,
+) -> Result<Codex, CodexErr> {
+    let (tx_sub, rx_sub) = async_channel::bounded(SUBMISSION_CHANNEL_CAPACITY);
+    let (tx_ops, rx_ops) = async_channel::bounded(SUBMISSION_CHANNEL_CAPACITY);
+
+    let CodexSpawnOk { codex, .. } = Codex::spawn(
+        config,
+        auth_manager,
+        initial_history.unwrap_or(InitialHistory::New),
+        SessionSource::SubAgent(SubAgentSource::Review),
+    )
+    .await?;
+    let codex = Arc::new(codex);
+
+    // Use a child token so parent cancel cascades but we can scope it to this task
+    let cancel_token_events = cancel_token.child_token();
+    let cancel_token_ops = cancel_token.child_token();
+
+    // Forward events from the sub-agent to the consumer, filtering approvals and
+    // routing them to the parent session for decisions.
+    let parent_session_clone = Arc::clone(&parent_session);
+    let parent_ctx_clone = Arc::clone(&parent_ctx);
+    let codex_for_events = Arc::clone(&codex);
+    tokio::spawn(async move {
+        let _ = forward_events(
+            codex_for_events,
+            tx_sub,
+            parent_session_clone,
+            parent_ctx_clone,
+            cancel_token_events.clone(),
+        )
+        .or_cancel(&cancel_token_events)
+        .await;
+    });
+
+    // Forward ops from the caller to the sub-agent.
+    let codex_for_ops = Arc::clone(&codex);
+    tokio::spawn(async move {
+        forward_ops(codex_for_ops, rx_ops, cancel_token_ops).await;
+    });
+
+    Ok(Codex {
+        next_id: AtomicU64::new(0),
+        tx_sub: tx_ops,
+        rx_event: rx_sub,
+    })
+}
+
+/// Convenience wrapper for one-time use with an initial prompt.
+///
+/// Internally calls the interactive variant, then immediately submits the provided input.
+pub(crate) async fn run_codex_conversation_one_shot(
+    config: Config,
+    auth_manager: Arc<AuthManager>,
+    input: Vec<UserInput>,
+    parent_session: Arc<Session>,
+    parent_ctx: Arc<TurnContext>,
+    cancel_token: CancellationToken,
+    initial_history: Option<InitialHistory>,
+) -> Result<Codex, CodexErr> {
+    // Use a child token so we can stop the delegate after completion without
+    // requiring the caller to cancel the parent token.
+    let child_cancel = cancel_token.child_token();
+    let io = run_codex_conversation_interactive(
+        config,
+        auth_manager,
+        parent_session,
+        parent_ctx,
+        child_cancel.clone(),
+        initial_history,
+    )
+    .await?;
+
+    // Send the initial input to kick off the one-shot turn.
+    io.submit(Op::UserInput { items: input }).await?;
+
+    // Bridge events so we can observe completion and shut down automatically.
+    let (tx_bridge, rx_bridge) = async_channel::bounded(SUBMISSION_CHANNEL_CAPACITY);
+    let ops_tx = io.tx_sub.clone();
+    let io_for_bridge = io;
+    tokio::spawn(async move {
+        while let Ok(event) = io_for_bridge.next_event().await {
+            let should_shutdown = matches!(
+                event.msg,
+                EventMsg::TaskComplete(_) | EventMsg::TurnAborted(_)
+            );
+            let _ = tx_bridge.send(event).await;
+            if should_shutdown {
+                let _ = ops_tx
+                    .send(Submission {
+                        id: "shutdown".to_string(),
+                        op: Op::Shutdown {},
+                    })
+                    .await;
+                child_cancel.cancel();
+                break;
+            }
+        }
+    });
+
+    // For one-shot usage, return a closed `tx_sub` so callers cannot submit
+    // additional ops after the initial request. Create a channel and drop the
+    // receiver to close it immediately.
+    let (tx_closed, rx_closed) = async_channel::bounded(SUBMISSION_CHANNEL_CAPACITY);
+    drop(rx_closed);
+
+    Ok(Codex {
+        next_id: AtomicU64::new(0),
+        rx_event: rx_bridge,
+        tx_sub: tx_closed,
+    })
+}
+
+async fn forward_events(
+    codex: Arc<Codex>,
+    tx_sub: Sender<Event>,
+    parent_session: Arc<Session>,
+    parent_ctx: Arc<TurnContext>,
+    cancel_token: CancellationToken,
+) {
+    while let Ok(event) = codex.next_event().await {
+        match event {
+            Event {
+                id: _,
+                msg: EventMsg::SessionConfigured(_),
+            } => continue,
+            Event {
+                id,
+                msg: EventMsg::ExecApprovalRequest(event),
+            } => {
+                // Initiate approval via parent session; do not surface to consumer.
+                handle_exec_approval(
+                    &codex,
+                    id,
+                    &parent_session,
+                    &parent_ctx,
+                    event,
+                    &cancel_token,
+                )
+                .await;
+            }
+            Event {
+                id,
+                msg: EventMsg::ApplyPatchApprovalRequest(event),
+            } => {
+                handle_patch_approval(
+                    &codex,
+                    id,
+                    &parent_session,
+                    &parent_ctx,
+                    event,
+                    &cancel_token,
+                )
+                .await;
+            }
+            other => {
+                let _ = tx_sub.send(other).await;
+            }
+        }
+    }
+}
+
+/// Forward ops from a caller to a sub-agent, respecting cancellation.
+async fn forward_ops(
+    codex: Arc<Codex>,
+    rx_ops: Receiver<Submission>,
+    cancel_token_ops: CancellationToken,
+) {
+    loop {
+        let op: Op = match rx_ops.recv().or_cancel(&cancel_token_ops).await {
+            Ok(Ok(Submission { id: _, op })) => op,
+            Ok(Err(_)) | Err(_) => break,
+        };
+        let _ = codex.submit(op).await;
+    }
+}
+
+/// Handle an ExecApprovalRequest by consulting the parent session and replying.
+async fn handle_exec_approval(
+    codex: &Codex,
+    id: String,
+    parent_session: &Session,
+    parent_ctx: &TurnContext,
+    event: ExecApprovalRequestEvent,
+    cancel_token: &CancellationToken,
+) {
+    // Race approval with cancellation and timeout to avoid hangs.
+    let approval_fut = parent_session.request_command_approval(
+        parent_ctx,
+        parent_ctx.sub_id.clone(),
+        event.command,
+        event.cwd,
+        event.reason,
+        event.risk,
+    );
+    let decision = await_approval_with_cancel(
+        approval_fut,
+        parent_session,
+        &parent_ctx.sub_id,
+        cancel_token,
+    )
+    .await;
+
+    let _ = codex.submit(Op::ExecApproval { id, decision }).await;
+}
+
+/// Handle an ApplyPatchApprovalRequest by consulting the parent session and replying.
+async fn handle_patch_approval(
+    codex: &Codex,
+    id: String,
+    parent_session: &Session,
+    parent_ctx: &TurnContext,
+    event: ApplyPatchApprovalRequestEvent,
+    cancel_token: &CancellationToken,
+) {
+    let decision_rx = parent_session
+        .request_patch_approval(
+            parent_ctx,
+            parent_ctx.sub_id.clone(),
+            event.changes,
+            event.reason,
+            event.grant_root,
+        )
+        .await;
+    let decision = await_approval_with_cancel(
+        async move { decision_rx.await.unwrap_or_default() },
+        parent_session,
+        &parent_ctx.sub_id,
+        cancel_token,
+    )
+    .await;
+    let _ = codex.submit(Op::PatchApproval { id, decision }).await;
+}
+
+/// Await an approval decision, aborting on cancellation.
+async fn await_approval_with_cancel<F>(
+    fut: F,
+    parent_session: &Session,
+    sub_id: &str,
+    cancel_token: &CancellationToken,
+) -> codex_protocol::protocol::ReviewDecision
+where
+    F: core::future::Future<Output = codex_protocol::protocol::ReviewDecision>,
+{
+    tokio::select! {
+        biased;
+        _ = cancel_token.cancelled() => {
+            parent_session
+                .notify_approval(sub_id, codex_protocol::protocol::ReviewDecision::Abort)
+                .await;
+            codex_protocol::protocol::ReviewDecision::Abort
+        }
+        decision = fut => {
+            decision
+        }
+    }
+}
--- a/codex-rs/core/src/config/edit.rs
+++ b/codex-rs/core/src/config/edit.rs
@@ -0,0 +1,954 @@
+use crate::config::CONFIG_TOML_FILE;
+use crate::config::types::McpServerConfig;
+use crate::config::types::Notice;
+use anyhow::Context;
+use codex_protocol::config_types::ReasoningEffort;
+use std::collections::BTreeMap;
+use std::path::Path;
+use std::path::PathBuf;
+use tempfile::NamedTempFile;
+use tokio::task;
+use toml_edit::DocumentMut;
+use toml_edit::Item as TomlItem;
+use toml_edit::Table as TomlTable;
+use toml_edit::value;
+
+/// Discrete config mutations supported by the persistence engine.
+#[derive(Clone, Debug)]
+pub enum ConfigEdit {
+    /// Update the active (or default) model selection and optional reasoning effort.
+    SetModel {
+        model: Option<String>,
+        effort: Option<ReasoningEffort>,
+    },
+    /// Toggle the acknowledgement flag under `[notice]`.
+    SetNoticeHideFullAccessWarning(bool),
+    /// Toggle the Windows onboarding acknowledgement flag.
+    SetWindowsWslSetupAcknowledged(bool),
+    /// Replace the entire `[mcp_servers]` table.
+    ReplaceMcpServers(BTreeMap<String, McpServerConfig>),
+    /// Set trust_level = "trusted" under `[projects."<path>"]`,
+    /// migrating inline tables to explicit tables.
+    SetProjectTrusted(PathBuf),
+    /// Set the value stored at the exact dotted path.
+    SetPath {
+        segments: Vec<String>,
+        value: TomlItem,
+    },
+    /// Remove the value stored at the exact dotted path.
+    ClearPath { segments: Vec<String> },
+}
+
+// TODO(jif) move to a dedicated file
+mod document_helpers {
+    use crate::config::types::McpServerConfig;
+    use crate::config::types::McpServerTransportConfig;
+    use toml_edit::Array as TomlArray;
+    use toml_edit::InlineTable;
+    use toml_edit::Item as TomlItem;
+    use toml_edit::Table as TomlTable;
+    use toml_edit::value;
+
+    pub(super) fn ensure_table_for_write(item: &mut TomlItem) -> Option<&mut TomlTable> {
+        match item {
+            TomlItem::Table(table) => Some(table),
+            TomlItem::Value(value) => {
+                if let Some(inline) = value.as_inline_table() {
+                    *item = TomlItem::Table(table_from_inline(inline));
+                    item.as_table_mut()
+                } else {
+                    *item = TomlItem::Table(new_implicit_table());
+                    item.as_table_mut()
+                }
+            }
+            TomlItem::None => {
+                *item = TomlItem::Table(new_implicit_table());
+                item.as_table_mut()
+            }
+            _ => None,
+        }
+    }
+
+    pub(super) fn ensure_table_for_read(item: &mut TomlItem) -> Option<&mut TomlTable> {
+        match item {
+            TomlItem::Table(table) => Some(table),
+            TomlItem::Value(value) => {
+                let inline = value.as_inline_table()?;
+                *item = TomlItem::Table(table_from_inline(inline));
+                item.as_table_mut()
+            }
+            _ => None,
+        }
+    }
+
+    pub(super) fn serialize_mcp_server(config: &McpServerConfig) -> TomlItem {
+        let mut entry = TomlTable::new();
+        entry.set_implicit(false);
+
+        match &config.transport {
+            McpServerTransportConfig::Stdio {
+                command,
+                args,
+                env,
+                env_vars,
+                cwd,
+            } => {
+                entry["command"] = value(command.clone());
+                if !args.is_empty() {
+                    entry["args"] = array_from_iter(args.iter().cloned());
+                }
+                if let Some(env) = env
+                    && !env.is_empty()
+                {
+                    entry["env"] = table_from_pairs(env.iter());
+                }
+                if !env_vars.is_empty() {
+                    entry["env_vars"] = array_from_iter(env_vars.iter().cloned());
+                }
+                if let Some(cwd) = cwd {
+                    entry["cwd"] = value(cwd.to_string_lossy().to_string());
+                }
+            }
+            McpServerTransportConfig::StreamableHttp {
+                url,
+                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
+            } => {
+                entry["url"] = value(url.clone());
+                if let Some(env_var) = bearer_token_env_var {
+                    entry["bearer_token_env_var"] = value(env_var.clone());
+                }
+                if let Some(headers) = http_headers
+                    && !headers.is_empty()
+                {
+                    entry["http_headers"] = table_from_pairs(headers.iter());
+                }
+                if let Some(headers) = env_http_headers
+                    && !headers.is_empty()
+                {
+                    entry["env_http_headers"] = table_from_pairs(headers.iter());
+                }
+            }
+        }
+
+        if !config.enabled {
+            entry["enabled"] = value(false);
+        }
+        if let Some(timeout) = config.startup_timeout_sec {
+            entry["startup_timeout_sec"] = value(timeout.as_secs_f64());
+        }
+        if let Some(timeout) = config.tool_timeout_sec {
+            entry["tool_timeout_sec"] = value(timeout.as_secs_f64());
+        }
+        if let Some(enabled_tools) = &config.enabled_tools
+            && !enabled_tools.is_empty()
+        {
+            entry["enabled_tools"] = array_from_iter(enabled_tools.iter().cloned());
+        }
+        if let Some(disabled_tools) = &config.disabled_tools
+            && !disabled_tools.is_empty()
+        {
+            entry["disabled_tools"] = array_from_iter(disabled_tools.iter().cloned());
+        }
+
+        TomlItem::Table(entry)
+    }
+
+    fn table_from_inline(inline: &InlineTable) -> TomlTable {
+        let mut table = new_implicit_table();
+        for (key, value) in inline.iter() {
+            let mut value = value.clone();
+            let decor = value.decor_mut();
+            decor.set_suffix("");
+            table.insert(key, TomlItem::Value(value));
+        }
+        table
+    }
+
+    pub(super) fn new_implicit_table() -> TomlTable {
+        let mut table = TomlTable::new();
+        table.set_implicit(true);
+        table
+    }
+
+    fn array_from_iter<I>(iter: I) -> TomlItem
+    where
+        I: Iterator<Item = String>,
+    {
+        let mut array = TomlArray::new();
+        for value in iter {
+            array.push(value);
+        }
+        TomlItem::Value(array.into())
+    }
+
+    fn table_from_pairs<'a, I>(pairs: I) -> TomlItem
+    where
+        I: IntoIterator<Item = (&'a String, &'a String)>,
+    {
+        let mut entries: Vec<_> = pairs.into_iter().collect();
+        entries.sort_by(|(a, _), (b, _)| a.cmp(b));
+        let mut table = TomlTable::new();
+        table.set_implicit(false);
+        for (key, val) in entries {
+            table.insert(key, value(val.clone()));
+        }
+        TomlItem::Table(table)
+    }
+}
+
+struct ConfigDocument {
+    doc: DocumentMut,
+    profile: Option<String>,
+}
+
+#[derive(Copy, Clone)]
+enum Scope {
+    Global,
+    Profile,
+}
+
+#[derive(Copy, Clone)]
+enum TraversalMode {
+    Create,
+    Existing,
+}
+
+impl ConfigDocument {
+    fn new(doc: DocumentMut, profile: Option<String>) -> Self {
+        Self { doc, profile }
+    }
+
+    fn apply(&mut self, edit: &ConfigEdit) -> anyhow::Result<bool> {
+        match edit {
+            ConfigEdit::SetModel { model, effort } => Ok({
+                let mut mutated = false;
+                mutated |= self.write_profile_value(
+                    &["model"],
+                    model.as_ref().map(|model_value| value(model_value.clone())),
+                );
+                mutated |= self.write_profile_value(
+                    &["model_reasoning_effort"],
+                    effort.map(|effort| value(effort.to_string())),
+                );
+                mutated
+            }),
+            ConfigEdit::SetNoticeHideFullAccessWarning(acknowledged) => Ok(self.write_value(
+                Scope::Global,
+                &[Notice::TABLE_KEY, "hide_full_access_warning"],
+                value(*acknowledged),
+            )),
+            ConfigEdit::SetWindowsWslSetupAcknowledged(acknowledged) => Ok(self.write_value(
+                Scope::Global,
+                &["windows_wsl_setup_acknowledged"],
+                value(*acknowledged),
+            )),
+            ConfigEdit::ReplaceMcpServers(servers) => Ok(self.replace_mcp_servers(servers)),
+            ConfigEdit::SetPath { segments, value } => Ok(self.insert(segments, value.clone())),
+            ConfigEdit::ClearPath { segments } => Ok(self.clear_owned(segments)),
+            ConfigEdit::SetProjectTrusted(project_path) => {
+                // Delegate to the existing, tested logic in config.rs to
+                // ensure tables are explicit and migration is preserved.
+                crate::config::set_project_trusted_inner(&mut self.doc, project_path.as_path())?;
+                Ok(true)
+            }
+        }
+    }
+
+    fn write_profile_value(&mut self, segments: &[&str], value: Option<TomlItem>) -> bool {
+        match value {
+            Some(item) => self.write_value(Scope::Profile, segments, item),
+            None => self.clear(Scope::Profile, segments),
+        }
+    }
+
+    fn write_value(&mut self, scope: Scope, segments: &[&str], value: TomlItem) -> bool {
+        let resolved = self.scoped_segments(scope, segments);
+        self.insert(&resolved, value)
+    }
+
+    fn clear(&mut self, scope: Scope, segments: &[&str]) -> bool {
+        let resolved = self.scoped_segments(scope, segments);
+        self.remove(&resolved)
+    }
+
+    fn clear_owned(&mut self, segments: &[String]) -> bool {
+        self.remove(segments)
+    }
+
+    fn replace_mcp_servers(&mut self, servers: &BTreeMap<String, McpServerConfig>) -> bool {
+        if servers.is_empty() {
+            return self.clear(Scope::Global, &["mcp_servers"]);
+        }
+
+        let mut table = TomlTable::new();
+        table.set_implicit(true);
+
+        for (name, config) in servers {
+            table.insert(name, document_helpers::serialize_mcp_server(config));
+        }
+
+        let item = TomlItem::Table(table);
+        self.write_value(Scope::Global, &["mcp_servers"], item)
+    }
+
+    fn scoped_segments(&self, scope: Scope, segments: &[&str]) -> Vec<String> {
+        let resolved: Vec<String> = segments
+            .iter()
+            .map(|segment| (*segment).to_string())
+            .collect();
+
+        if matches!(scope, Scope::Profile)
+            && resolved.first().is_none_or(|segment| segment != "profiles")
+            && let Some(profile) = self.profile.as_deref()
+        {
+            let mut scoped = Vec::with_capacity(resolved.len() + 2);
+            scoped.push("profiles".to_string());
+            scoped.push(profile.to_string());
+            scoped.extend(resolved);
+            return scoped;
+        }
+
+        resolved
+    }
+
+    fn insert(&mut self, segments: &[String], value: TomlItem) -> bool {
+        let Some((last, parents)) = segments.split_last() else {
+            return false;
+        };
+
+        let Some(parent) = self.descend(parents, TraversalMode::Create) else {
+            return false;
+        };
+
+        parent[last] = value;
+        true
+    }
+
+    fn remove(&mut self, segments: &[String]) -> bool {
+        let Some((last, parents)) = segments.split_last() else {
+            return false;
+        };
+
+        let Some(parent) = self.descend(parents, TraversalMode::Existing) else {
+            return false;
+        };
+
+        parent.remove(last).is_some()
+    }
+
+    fn descend(&mut self, segments: &[String], mode: TraversalMode) -> Option<&mut TomlTable> {
+        let mut current = self.doc.as_table_mut();
+
+        for segment in segments {
+            match mode {
+                TraversalMode::Create => {
+                    if !current.contains_key(segment.as_str()) {
+                        current.insert(
+                            segment.as_str(),
+                            TomlItem::Table(document_helpers::new_implicit_table()),
+                        );
+                    }
+
+                    let item = current.get_mut(segment.as_str())?;
+                    current = document_helpers::ensure_table_for_write(item)?;
+                }
+                TraversalMode::Existing => {
+                    let item = current.get_mut(segment.as_str())?;
+                    current = document_helpers::ensure_table_for_read(item)?;
+                }
+            }
+        }
+
+        Some(current)
+    }
+}
+
+/// Persist edits using a blocking strategy.
+pub fn apply_blocking(
+    codex_home: &Path,
+    profile: Option<&str>,
+    edits: &[ConfigEdit],
+) -> anyhow::Result<()> {
+    if edits.is_empty() {
+        return Ok(());
+    }
+
+    let config_path = codex_home.join(CONFIG_TOML_FILE);
+    let serialized = match std::fs::read_to_string(&config_path) {
+        Ok(contents) => contents,
+        Err(err) if err.kind() == std::io::ErrorKind::NotFound => String::new(),
+        Err(err) => return Err(err.into()),
+    };
+
+    let doc = if serialized.is_empty() {
+        DocumentMut::new()
+    } else {
+        serialized.parse::<DocumentMut>()?
+    };
+
+    let profile = profile.map(ToOwned::to_owned).or_else(|| {
+        doc.get("profile")
+            .and_then(|item| item.as_str())
+            .map(ToOwned::to_owned)
+    });
+
+    let mut document = ConfigDocument::new(doc, profile);
+    let mut mutated = false;
+
+    for edit in edits {
+        mutated |= document.apply(edit)?;
+    }
+
+    if !mutated {
+        return Ok(());
+    }
+
+    std::fs::create_dir_all(codex_home).with_context(|| {
+        format!(
+            "failed to create Codex home directory at {}",
+            codex_home.display()
+        )
+    })?;
+
+    let tmp = NamedTempFile::new_in(codex_home)?;
+    std::fs::write(tmp.path(), document.doc.to_string()).with_context(|| {
+        format!(
+            "failed to write temporary config file at {}",
+            tmp.path().display()
+        )
+    })?;
+    tmp.persist(config_path)?;
+
+    Ok(())
+}
+
+/// Persist edits asynchronously by offloading the blocking writer.
+pub async fn apply(
+    codex_home: &Path,
+    profile: Option<&str>,
+    edits: Vec<ConfigEdit>,
+) -> anyhow::Result<()> {
+    let codex_home = codex_home.to_path_buf();
+    let profile = profile.map(ToOwned::to_owned);
+    task::spawn_blocking(move || apply_blocking(&codex_home, profile.as_deref(), &edits))
+        .await
+        .context("config persistence task panicked")?
+}
+
+/// Fluent builder to batch config edits and apply them atomically.
+#[derive(Default)]
+pub struct ConfigEditsBuilder {
+    codex_home: PathBuf,
+    profile: Option<String>,
+    edits: Vec<ConfigEdit>,
+}
+
+impl ConfigEditsBuilder {
+    pub fn new(codex_home: &Path) -> Self {
+        Self {
+            codex_home: codex_home.to_path_buf(),
+            profile: None,
+            edits: Vec::new(),
+        }
+    }
+
+    pub fn with_profile(mut self, profile: Option<&str>) -> Self {
+        self.profile = profile.map(ToOwned::to_owned);
+        self
+    }
+
+    pub fn set_model(mut self, model: Option<&str>, effort: Option<ReasoningEffort>) -> Self {
+        self.edits.push(ConfigEdit::SetModel {
+            model: model.map(ToOwned::to_owned),
+            effort,
+        });
+        self
+    }
+
+    pub fn set_hide_full_access_warning(mut self, acknowledged: bool) -> Self {
+        self.edits
+            .push(ConfigEdit::SetNoticeHideFullAccessWarning(acknowledged));
+        self
+    }
+
+    pub fn set_windows_wsl_setup_acknowledged(mut self, acknowledged: bool) -> Self {
+        self.edits
+            .push(ConfigEdit::SetWindowsWslSetupAcknowledged(acknowledged));
+        self
+    }
+
+    pub fn replace_mcp_servers(mut self, servers: &BTreeMap<String, McpServerConfig>) -> Self {
+        self.edits
+            .push(ConfigEdit::ReplaceMcpServers(servers.clone()));
+        self
+    }
+
+    pub fn set_project_trusted<P: Into<PathBuf>>(mut self, project_path: P) -> Self {
+        self.edits
+            .push(ConfigEdit::SetProjectTrusted(project_path.into()));
+        self
+    }
+
+    /// Apply edits on a blocking thread.
+    pub fn apply_blocking(self) -> anyhow::Result<()> {
+        apply_blocking(&self.codex_home, self.profile.as_deref(), &self.edits)
+    }
+
+    /// Apply edits asynchronously via a blocking offload.
+    pub async fn apply(self) -> anyhow::Result<()> {
+        task::spawn_blocking(move || {
+            apply_blocking(&self.codex_home, self.profile.as_deref(), &self.edits)
+        })
+        .await
+        .context("config persistence task panicked")?
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::config::types::McpServerTransportConfig;
+    use codex_protocol::config_types::ReasoningEffort;
+    use pretty_assertions::assert_eq;
+    use tempfile::tempdir;
+    use tokio::runtime::Builder;
+    use toml::Value as TomlValue;
+
+    #[test]
+    fn blocking_set_model_top_level() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::SetModel {
+                model: Some("gpt-5-codex".to_string()),
+                effort: Some(ReasoningEffort::High),
+            }],
+        )
+        .expect("persist");
+
+        let contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let expected = r#"model = "gpt-5-codex"
+model_reasoning_effort = "high"
+"#;
+        assert_eq!(contents, expected);
+    }
+
+    #[test]
+    fn blocking_set_model_preserves_inline_table_contents() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+
+        // Seed with inline tables for profiles to simulate common user config.
+        std::fs::write(
+            codex_home.join(CONFIG_TOML_FILE),
+            r#"profile = "fast"
+
+profiles = { fast = { model = "gpt-4o", sandbox_mode = "strict" } }
+"#,
+        )
+        .expect("seed");
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::SetModel {
+                model: Some("o4-mini".to_string()),
+                effort: None,
+            }],
+        )
+        .expect("persist");
+
+        let raw = std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let value: TomlValue = toml::from_str(&raw).expect("parse config");
+
+        // Ensure sandbox_mode is preserved under profiles.fast and model updated.
+        let profiles_tbl = value
+            .get("profiles")
+            .and_then(|v| v.as_table())
+            .expect("profiles table");
+        let fast_tbl = profiles_tbl
+            .get("fast")
+            .and_then(|v| v.as_table())
+            .expect("fast table");
+        assert_eq!(
+            fast_tbl.get("sandbox_mode").and_then(|v| v.as_str()),
+            Some("strict")
+        );
+        assert_eq!(
+            fast_tbl.get("model").and_then(|v| v.as_str()),
+            Some("o4-mini")
+        );
+    }
+
+    #[test]
+    fn blocking_clear_model_removes_inline_table_entry() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+
+        std::fs::write(
+            codex_home.join(CONFIG_TOML_FILE),
+            r#"profile = "fast"
+
+profiles = { fast = { model = "gpt-4o", sandbox_mode = "strict" } }
+"#,
+        )
+        .expect("seed");
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::SetModel {
+                model: None,
+                effort: Some(ReasoningEffort::High),
+            }],
+        )
+        .expect("persist");
+
+        let contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let expected = r#"profile = "fast"
+
+[profiles.fast]
+sandbox_mode = "strict"
+model_reasoning_effort = "high"
+"#;
+        assert_eq!(contents, expected);
+    }
+
+    #[test]
+    fn blocking_set_model_scopes_to_active_profile() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+        std::fs::write(
+            codex_home.join(CONFIG_TOML_FILE),
+            r#"profile = "team"
+
+[profiles.team]
+model_reasoning_effort = "low"
+"#,
+        )
+        .expect("seed");
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::SetModel {
+                model: Some("o5-preview".to_string()),
+                effort: Some(ReasoningEffort::Minimal),
+            }],
+        )
+        .expect("persist");
+
+        let contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let expected = r#"profile = "team"
+
+[profiles.team]
+model_reasoning_effort = "minimal"
+model = "o5-preview"
+"#;
+        assert_eq!(contents, expected);
+    }
+
+    #[test]
+    fn blocking_set_model_with_explicit_profile() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+        std::fs::write(
+            codex_home.join(CONFIG_TOML_FILE),
+            r#"[profiles."team a"]
+model = "gpt-5-codex"
+"#,
+        )
+        .expect("seed");
+
+        apply_blocking(
+            codex_home,
+            Some("team a"),
+            &[ConfigEdit::SetModel {
+                model: Some("o4-mini".to_string()),
+                effort: None,
+            }],
+        )
+        .expect("persist");
+
+        let contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let expected = r#"[profiles."team a"]
+model = "o4-mini"
+"#;
+        assert_eq!(contents, expected);
+    }
+
+    #[test]
+    fn blocking_set_hide_full_access_warning_preserves_table() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+        std::fs::write(
+            codex_home.join(CONFIG_TOML_FILE),
+            r#"# Global comment
+
+[notice]
+# keep me
+existing = "value"
+"#,
+        )
+        .expect("seed");
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::SetNoticeHideFullAccessWarning(true)],
+        )
+        .expect("persist");
+
+        let contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let expected = r#"# Global comment
+
+[notice]
+# keep me
+existing = "value"
+hide_full_access_warning = true
+"#;
+        assert_eq!(contents, expected);
+    }
+
+    #[test]
+    fn blocking_replace_mcp_servers_round_trips() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+
+        let mut servers = BTreeMap::new();
+        servers.insert(
+            "stdio".to_string(),
+            McpServerConfig {
+                transport: McpServerTransportConfig::Stdio {
+                    command: "cmd".to_string(),
+                    args: vec!["--flag".to_string()],
+                    env: Some(
+                        [
+                            ("B".to_string(), "2".to_string()),
+                            ("A".to_string(), "1".to_string()),
+                        ]
+                        .into_iter()
+                        .collect(),
+                    ),
+                    env_vars: vec!["FOO".to_string()],
+                    cwd: None,
+                },
+                enabled: true,
+                startup_timeout_sec: None,
+                tool_timeout_sec: None,
+                enabled_tools: Some(vec!["one".to_string(), "two".to_string()]),
+                disabled_tools: None,
+            },
+        );
+
+        servers.insert(
+            "http".to_string(),
+            McpServerConfig {
+                transport: McpServerTransportConfig::StreamableHttp {
+                    url: "https://example.com".to_string(),
+                    bearer_token_env_var: Some("TOKEN".to_string()),
+                    http_headers: Some(
+                        [("Z-Header".to_string(), "z".to_string())]
+                            .into_iter()
+                            .collect(),
+                    ),
+                    env_http_headers: None,
+                },
+                enabled: false,
+                startup_timeout_sec: Some(std::time::Duration::from_secs(5)),
+                tool_timeout_sec: None,
+                enabled_tools: None,
+                disabled_tools: Some(vec!["forbidden".to_string()]),
+            },
+        );
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::ReplaceMcpServers(servers.clone())],
+        )
+        .expect("persist");
+
+        let raw = std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let expected = "\
+[mcp_servers.http]
+url = \"https://example.com\"
+bearer_token_env_var = \"TOKEN\"
+enabled = false
+startup_timeout_sec = 5.0
+disabled_tools = [\"forbidden\"]
+
+[mcp_servers.http.http_headers]
+Z-Header = \"z\"
+
+[mcp_servers.stdio]
+command = \"cmd\"
+args = [\"--flag\"]
+env_vars = [\"FOO\"]
+enabled_tools = [\"one\", \"two\"]
+
+[mcp_servers.stdio.env]
+A = \"1\"
+B = \"2\"
+";
+        assert_eq!(raw, expected);
+    }
+
+    #[test]
+    fn blocking_clear_path_noop_when_missing() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::ClearPath {
+                segments: vec!["missing".to_string()],
+            }],
+        )
+        .expect("apply");
+
+        assert!(
+            !codex_home.join(CONFIG_TOML_FILE).exists(),
+            "config.toml should not be created on noop"
+        );
+    }
+
+    #[test]
+    fn blocking_set_path_updates_notifications() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+
+        let item = value(false);
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::SetPath {
+                segments: vec!["tui".to_string(), "notifications".to_string()],
+                value: item,
+            }],
+        )
+        .expect("apply");
+
+        let raw = std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let config: TomlValue = toml::from_str(&raw).expect("parse config");
+        let notifications = config
+            .get("tui")
+            .and_then(|item| item.as_table())
+            .and_then(|tbl| tbl.get("notifications"))
+            .and_then(toml::Value::as_bool);
+        assert_eq!(notifications, Some(false));
+    }
+
+    #[tokio::test]
+    async fn async_builder_set_model_persists() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path().to_path_buf();
+
+        ConfigEditsBuilder::new(&codex_home)
+            .set_model(Some("gpt-5-codex"), Some(ReasoningEffort::High))
+            .apply()
+            .await
+            .expect("persist");
+
+        let contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let expected = r#"model = "gpt-5-codex"
+model_reasoning_effort = "high"
+"#;
+        assert_eq!(contents, expected);
+    }
+
+    #[test]
+    fn blocking_builder_set_model_round_trips_back_and_forth() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+
+        let initial_expected = r#"model = "o4-mini"
+model_reasoning_effort = "low"
+"#;
+        ConfigEditsBuilder::new(codex_home)
+            .set_model(Some("o4-mini"), Some(ReasoningEffort::Low))
+            .apply_blocking()
+            .expect("persist initial");
+        let mut contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        assert_eq!(contents, initial_expected);
+
+        let updated_expected = r#"model = "gpt-5-codex"
+model_reasoning_effort = "high"
+"#;
+        ConfigEditsBuilder::new(codex_home)
+            .set_model(Some("gpt-5-codex"), Some(ReasoningEffort::High))
+            .apply_blocking()
+            .expect("persist update");
+        contents = std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        assert_eq!(contents, updated_expected);
+
+        ConfigEditsBuilder::new(codex_home)
+            .set_model(Some("o4-mini"), Some(ReasoningEffort::Low))
+            .apply_blocking()
+            .expect("persist revert");
+        contents = std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        assert_eq!(contents, initial_expected);
+    }
+
+    #[test]
+    fn blocking_set_asynchronous_helpers_available() {
+        let rt = Builder::new_current_thread()
+            .enable_all()
+            .build()
+            .expect("runtime");
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path().to_path_buf();
+
+        rt.block_on(async {
+            ConfigEditsBuilder::new(&codex_home)
+                .set_hide_full_access_warning(true)
+                .apply()
+                .await
+                .expect("persist");
+        });
+
+        let raw = std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        let notice = toml::from_str::<TomlValue>(&raw)
+            .expect("parse config")
+            .get("notice")
+            .and_then(|item| item.as_table())
+            .and_then(|tbl| tbl.get("hide_full_access_warning"))
+            .and_then(toml::Value::as_bool);
+        assert_eq!(notice, Some(true));
+    }
+
+    #[test]
+    fn replace_mcp_servers_blocking_clears_table_when_empty() {
+        let tmp = tempdir().expect("tmpdir");
+        let codex_home = tmp.path();
+        std::fs::write(
+            codex_home.join(CONFIG_TOML_FILE),
+            "[mcp_servers]\nfoo = { command = \"cmd\" }\n",
+        )
+        .expect("seed");
+
+        apply_blocking(
+            codex_home,
+            None,
+            &[ConfigEdit::ReplaceMcpServers(BTreeMap::new())],
+        )
+        .expect("persist");
+
+        let contents =
+            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
+        assert!(!contents.contains("mcp_servers"));
+    }
+}
--- a/codex-rs/core/src/config/mod.rs
+++ b/codex-rs/core/src/config/mod.rs
--- a/codex-rs/core/src/config/profile.rs
+++ b/codex-rs/core/src/config/profile.rs
@@ -22,8 +22,8 @@ pub struct ConfigProfile {
    pub model_verbosity: Option<Verbosity>,
    pub chatgpt_base_url: Option<String>,
    pub experimental_instructions_file: Option<PathBuf>,
+    pub experimental_compact_prompt_file: Option<PathBuf>,
    pub include_apply_patch_tool: Option<bool>,
-    pub include_view_image_tool: Option<bool>,
    pub experimental_use_unified_exec_tool: Option<bool>,
    pub experimental_use_exec_command_tool: Option<bool>,
    pub experimental_use_rmcp_client: Option<bool>,
--- a/codex-rs/core/src/config/types.rs
+++ b/codex-rs/core/src/config/types.rs
@@ -361,7 +361,7 @@ pub struct Notice {
 }

 impl Notice {
-    /// used by set_hide_full_access_warning until we refactor config updates
+    /// referenced by config_edit helpers when writing notice flags
    pub(crate) const TABLE_KEY: &'static str = "notice";
 }

--- a/codex-rs/core/src/config_edit.rs
+++ b/codex-rs/core/src/config_edit.rs
@@ -1,748 +0,0 @@
-use crate::config::CONFIG_TOML_FILE;
-use anyhow::Result;
-use std::path::Path;
-use tempfile::NamedTempFile;
-use toml_edit::DocumentMut;
-
-pub const CONFIG_KEY_MODEL: &str = "model";
-pub const CONFIG_KEY_EFFORT: &str = "model_reasoning_effort";
-
-#[derive(Copy, Clone)]
-enum NoneBehavior {
-    Skip,
-    Remove,
-}
-
-/// Persist overrides into `config.toml` using explicit key segments per
-/// override. This avoids ambiguity with keys that contain dots or spaces.
-pub async fn persist_overrides(
-    codex_home: &Path,
-    profile: Option<&str>,
-    overrides: &[(&[&str], &str)],
-) -> Result<()> {
-    let with_options: Vec<(&[&str], Option<&str>)> = overrides
-        .iter()
-        .map(|(segments, value)| (*segments, Some(*value)))
-        .collect();
-
-    persist_overrides_with_behavior(codex_home, profile, &with_options, NoneBehavior::Skip).await
-}
-
-/// Persist overrides where values may be optional. Any entries with `None`
-/// values are skipped. If all values are `None`, this becomes a no-op and
-/// returns `Ok(())` without touching the file.
-pub async fn persist_non_null_overrides(
-    codex_home: &Path,
-    profile: Option<&str>,
-    overrides: &[(&[&str], Option<&str>)],
-) -> Result<()> {
-    persist_overrides_with_behavior(codex_home, profile, overrides, NoneBehavior::Skip).await
-}
-
-/// Persist overrides where `None` values clear any existing values from the
-/// configuration file.
-pub async fn persist_overrides_and_clear_if_none(
-    codex_home: &Path,
-    profile: Option<&str>,
-    overrides: &[(&[&str], Option<&str>)],
-) -> Result<()> {
-    persist_overrides_with_behavior(codex_home, profile, overrides, NoneBehavior::Remove).await
-}
-
-/// Apply a single override onto a `toml_edit` document while preserving
-/// existing formatting/comments.
-/// The key is expressed as explicit segments to correctly handle keys that
-/// contain dots or spaces.
-fn apply_toml_edit_override_segments(
-    doc: &mut DocumentMut,
-    segments: &[&str],
-    value: toml_edit::Item,
-) {
-    use toml_edit::Item;
-
-    if segments.is_empty() {
-        return;
-    }
-
-    let mut current = doc.as_table_mut();
-    for seg in &segments[..segments.len() - 1] {
-        if !current.contains_key(seg) {
-            current[*seg] = Item::Table(toml_edit::Table::new());
-            if let Some(t) = current[*seg].as_table_mut() {
-                t.set_implicit(true);
-            }
-        }
-
-        let maybe_item = current.get_mut(seg);
-        let Some(item) = maybe_item else { return };
-
-        if !item.is_table() {
-            *item = Item::Table(toml_edit::Table::new());
-            if let Some(t) = item.as_table_mut() {
-                t.set_implicit(true);
-            }
-        }
-
-        let Some(tbl) = item.as_table_mut() else {
-            return;
-        };
-        current = tbl;
-    }
-
-    let last = segments[segments.len() - 1];
-    current[last] = value;
-}
-
-async fn persist_overrides_with_behavior(
-    codex_home: &Path,
-    profile: Option<&str>,
-    overrides: &[(&[&str], Option<&str>)],
-    none_behavior: NoneBehavior,
-) -> Result<()> {
-    if overrides.is_empty() {
-        return Ok(());
-    }
-
-    let should_skip = match none_behavior {
-        NoneBehavior::Skip => overrides.iter().all(|(_, value)| value.is_none()),
-        NoneBehavior::Remove => false,
-    };
-
-    if should_skip {
-        return Ok(());
-    }
-
-    let config_path = codex_home.join(CONFIG_TOML_FILE);
-
-    let read_result = tokio::fs::read_to_string(&config_path).await;
-    let mut doc = match read_result {
-        Ok(contents) => contents.parse::<DocumentMut>()?,
-        Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
-            if overrides
-                .iter()
-                .all(|(_, value)| value.is_none() && matches!(none_behavior, NoneBehavior::Remove))
-            {
-                return Ok(());
-            }
-
-            tokio::fs::create_dir_all(codex_home).await?;
-            DocumentMut::new()
-        }
-        Err(e) => return Err(e.into()),
-    };
-
-    let effective_profile = if let Some(p) = profile {
-        Some(p.to_owned())
-    } else {
-        doc.get("profile")
-            .and_then(|i| i.as_str())
-            .map(str::to_string)
-    };
-
-    let mut mutated = false;
-
-    for (segments, value) in overrides.iter().copied() {
-        let mut seg_buf: Vec<&str> = Vec::new();
-        let segments_to_apply: &[&str];
-
-        if let Some(ref name) = effective_profile {
-            if segments.first().copied() == Some("profiles") {
-                segments_to_apply = segments;
-            } else {
-                seg_buf.reserve(2 + segments.len());
-                seg_buf.push("profiles");
-                seg_buf.push(name.as_str());
-                seg_buf.extend_from_slice(segments);
-                segments_to_apply = seg_buf.as_slice();
-            }
-        } else {
-            segments_to_apply = segments;
-        }
-
-        match value {
-            Some(v) => {
-                let item_value = toml_edit::value(v);
-                apply_toml_edit_override_segments(&mut doc, segments_to_apply, item_value);
-                mutated = true;
-            }
-            None => {
-                if matches!(none_behavior, NoneBehavior::Remove)
-                    && remove_toml_edit_segments(&mut doc, segments_to_apply)
-                {
-                    mutated = true;
-                }
-            }
-        }
-    }
-
-    if !mutated {
-        return Ok(());
-    }
-
-    let tmp_file = NamedTempFile::new_in(codex_home)?;
-    tokio::fs::write(tmp_file.path(), doc.to_string()).await?;
-    tmp_file.persist(config_path)?;
-
-    Ok(())
-}
-
-fn remove_toml_edit_segments(doc: &mut DocumentMut, segments: &[&str]) -> bool {
-    use toml_edit::Item;
-
-    if segments.is_empty() {
-        return false;
-    }
-
-    let mut current = doc.as_table_mut();
-    for seg in &segments[..segments.len() - 1] {
-        let Some(item) = current.get_mut(seg) else {
-            return false;
-        };
-
-        match item {
-            Item::Table(table) => {
-                current = table;
-            }
-            _ => {
-                return false;
-            }
-        }
-    }
-
-    current.remove(segments[segments.len() - 1]).is_some()
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use pretty_assertions::assert_eq;
-    use tempfile::tempdir;
-
-    /// Verifies model and effort are written at top-level when no profile is set.
-    #[tokio::test]
-    async fn set_default_model_and_effort_top_level_when_no_profile() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        persist_overrides(
-            codex_home,
-            None,
-            &[
-                (&[CONFIG_KEY_MODEL], "gpt-5-codex"),
-                (&[CONFIG_KEY_EFFORT], "high"),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"model = "gpt-5-codex"
-model_reasoning_effort = "high"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies values are written under the active profile when `profile` is set.
-    #[tokio::test]
-    async fn set_defaults_update_profile_when_profile_set() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Seed config with a profile selection but without profiles table
-        let seed = "profile = \"o3\"\n";
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        persist_overrides(
-            codex_home,
-            None,
-            &[
-                (&[CONFIG_KEY_MODEL], "o3"),
-                (&[CONFIG_KEY_EFFORT], "minimal"),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"profile = "o3"
-
-[profiles.o3]
-model = "o3"
-model_reasoning_effort = "minimal"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies profile names with dots/spaces are preserved via explicit segments.
-    #[tokio::test]
-    async fn set_defaults_update_profile_with_dot_and_space() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Seed config with a profile name that contains a dot and a space
-        let seed = "profile = \"my.team name\"\n";
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        persist_overrides(
-            codex_home,
-            None,
-            &[
-                (&[CONFIG_KEY_MODEL], "o3"),
-                (&[CONFIG_KEY_EFFORT], "minimal"),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"profile = "my.team name"
-
-[profiles."my.team name"]
-model = "o3"
-model_reasoning_effort = "minimal"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies explicit profile override writes under that profile even without active profile.
-    #[tokio::test]
-    async fn set_defaults_update_when_profile_override_supplied() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // No profile key in config.toml
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), "")
-            .await
-            .expect("seed write");
-
-        // Persist with an explicit profile override
-        persist_overrides(
-            codex_home,
-            Some("o3"),
-            &[(&[CONFIG_KEY_MODEL], "o3"), (&[CONFIG_KEY_EFFORT], "high")],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"[profiles.o3]
-model = "o3"
-model_reasoning_effort = "high"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies nested tables are created as needed when applying overrides.
-    #[tokio::test]
-    async fn persist_overrides_creates_nested_tables() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        persist_overrides(
-            codex_home,
-            None,
-            &[
-                (&["a", "b", "c"], "v"),
-                (&["x"], "y"),
-                (&["profiles", "p1", CONFIG_KEY_MODEL], "gpt-5-codex"),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"x = "y"
-
-[a.b]
-c = "v"
-
-[profiles.p1]
-model = "gpt-5-codex"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies a scalar key becomes a table when nested keys are written.
-    #[tokio::test]
-    async fn persist_overrides_replaces_scalar_with_table() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-        let seed = "foo = \"bar\"\n";
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        persist_overrides(codex_home, None, &[(&["foo", "bar", "baz"], "ok")])
-            .await
-            .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"[foo.bar]
-baz = "ok"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies comments and spacing are preserved when writing under active profile.
-    #[tokio::test]
-    async fn set_defaults_preserve_comments() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Seed a config with comments and spacing we expect to preserve
-        let seed = r#"# Global comment
-# Another line
-
-profile = "o3"
-
-# Profile settings
-[profiles.o3]
-# keep me
-existing = "keep"
-"#;
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        // Apply defaults; since profile is set, it should write under [profiles.o3]
-        persist_overrides(
-            codex_home,
-            None,
-            &[(&[CONFIG_KEY_MODEL], "o3"), (&[CONFIG_KEY_EFFORT], "high")],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"# Global comment
-# Another line
-
-profile = "o3"
-
-# Profile settings
-[profiles.o3]
-# keep me
-existing = "keep"
-model = "o3"
-model_reasoning_effort = "high"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies comments and spacing are preserved when writing at top level.
-    #[tokio::test]
-    async fn set_defaults_preserve_global_comments() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Seed a config WITHOUT a profile, containing comments and spacing
-        let seed = r#"# Top-level comments
-# should be preserved
-
-existing = "keep"
-"#;
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        // Since there is no profile, the defaults should be written at top-level
-        persist_overrides(
-            codex_home,
-            None,
-            &[
-                (&[CONFIG_KEY_MODEL], "gpt-5-codex"),
-                (&[CONFIG_KEY_EFFORT], "minimal"),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"# Top-level comments
-# should be preserved
-
-existing = "keep"
-model = "gpt-5-codex"
-model_reasoning_effort = "minimal"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies errors on invalid TOML propagate and file is not clobbered.
-    #[tokio::test]
-    async fn persist_overrides_errors_on_parse_failure() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Write an intentionally invalid TOML file
-        let invalid = "invalid = [unclosed";
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), invalid)
-            .await
-            .expect("seed write");
-
-        // Attempting to persist should return an error and must not clobber the file.
-        let res = persist_overrides(codex_home, None, &[(&["x"], "y")]).await;
-        assert!(res.is_err(), "expected parse error to propagate");
-
-        // File should be unchanged
-        let contents = read_config(codex_home).await;
-        assert_eq!(contents, invalid);
-    }
-
-    /// Verifies changing model only preserves existing effort at top-level.
-    #[tokio::test]
-    async fn changing_only_model_preserves_existing_effort_top_level() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Seed with an effort value only
-        let seed = "model_reasoning_effort = \"minimal\"\n";
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        // Change only the model
-        persist_overrides(codex_home, None, &[(&[CONFIG_KEY_MODEL], "o3")])
-            .await
-            .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"model_reasoning_effort = "minimal"
-model = "o3"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies changing effort only preserves existing model at top-level.
-    #[tokio::test]
-    async fn changing_only_effort_preserves_existing_model_top_level() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Seed with a model value only
-        let seed = "model = \"gpt-5-codex\"\n";
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        // Change only the effort
-        persist_overrides(codex_home, None, &[(&[CONFIG_KEY_EFFORT], "high")])
-            .await
-            .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"model = "gpt-5-codex"
-model_reasoning_effort = "high"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies changing model only preserves existing effort in active profile.
-    #[tokio::test]
-    async fn changing_only_model_preserves_effort_in_active_profile() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // Seed with an active profile and an existing effort under that profile
-        let seed = r#"profile = "p1"
-
-[profiles.p1]
-model_reasoning_effort = "low"
-"#;
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        persist_overrides(codex_home, None, &[(&[CONFIG_KEY_MODEL], "o4-mini")])
-            .await
-            .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"profile = "p1"
-
-[profiles.p1]
-model_reasoning_effort = "low"
-model = "o4-mini"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies changing effort only preserves existing model in a profile override.
-    #[tokio::test]
-    async fn changing_only_effort_preserves_model_in_profile_override() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        // No active profile key; we'll target an explicit override
-        let seed = r#"[profiles.team]
-model = "gpt-5-codex"
-"#;
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        persist_overrides(
-            codex_home,
-            Some("team"),
-            &[(&[CONFIG_KEY_EFFORT], "minimal")],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"[profiles.team]
-model = "gpt-5-codex"
-model_reasoning_effort = "minimal"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies `persist_non_null_overrides` skips `None` entries and writes only present values at top-level.
-    #[tokio::test]
-    async fn persist_non_null_skips_none_top_level() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        persist_non_null_overrides(
-            codex_home,
-            None,
-            &[
-                (&[CONFIG_KEY_MODEL], Some("gpt-5-codex")),
-                (&[CONFIG_KEY_EFFORT], None),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = "model = \"gpt-5-codex\"\n";
-        assert_eq!(contents, expected);
-    }
-
-    /// Verifies no-op behavior when all provided overrides are `None` (no file created/modified).
-    #[tokio::test]
-    async fn persist_non_null_noop_when_all_none() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        persist_non_null_overrides(
-            codex_home,
-            None,
-            &[(&["a"], None), (&["profiles", "p", "x"], None)],
-        )
-        .await
-        .expect("persist");
-
-        // Should not create config.toml on a pure no-op
-        assert!(!codex_home.join(CONFIG_TOML_FILE).exists());
-    }
-
-    /// Verifies entries are written under the specified profile and `None` entries are skipped.
-    #[tokio::test]
-    async fn persist_non_null_respects_profile_override() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        persist_non_null_overrides(
-            codex_home,
-            Some("team"),
-            &[
-                (&[CONFIG_KEY_MODEL], Some("o3")),
-                (&[CONFIG_KEY_EFFORT], None),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"[profiles.team]
-model = "o3"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    #[tokio::test]
-    async fn persist_clear_none_removes_top_level_value() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        let seed = r#"model = "gpt-5-codex"
-model_reasoning_effort = "medium"
-"#;
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        persist_overrides_and_clear_if_none(
-            codex_home,
-            None,
-            &[
-                (&[CONFIG_KEY_MODEL], None),
-                (&[CONFIG_KEY_EFFORT], Some("high")),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = "model_reasoning_effort = \"high\"\n";
-        assert_eq!(contents, expected);
-    }
-
-    #[tokio::test]
-    async fn persist_clear_none_respects_active_profile() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        let seed = r#"profile = "team"
-
-[profiles.team]
-model = "gpt-4"
-model_reasoning_effort = "minimal"
-"#;
-        tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), seed)
-            .await
-            .expect("seed write");
-
-        persist_overrides_and_clear_if_none(
-            codex_home,
-            None,
-            &[
-                (&[CONFIG_KEY_MODEL], None),
-                (&[CONFIG_KEY_EFFORT], Some("high")),
-            ],
-        )
-        .await
-        .expect("persist");
-
-        let contents = read_config(codex_home).await;
-        let expected = r#"profile = "team"
-
-[profiles.team]
-model_reasoning_effort = "high"
-"#;
-        assert_eq!(contents, expected);
-    }
-
-    #[tokio::test]
-    async fn persist_clear_none_noop_when_file_missing() {
-        let tmpdir = tempdir().expect("tmp");
-        let codex_home = tmpdir.path();
-
-        persist_overrides_and_clear_if_none(codex_home, None, &[(&[CONFIG_KEY_MODEL], None)])
-            .await
-            .expect("persist");
-
-        assert!(!codex_home.join(CONFIG_TOML_FILE).exists());
-    }
-
-    // Test helper moved to bottom per review guidance.
-    async fn read_config(codex_home: &Path) -> String {
-        let p = codex_home.join(CONFIG_TOML_FILE);
-        tokio::fs::read_to_string(p).await.unwrap_or_default()
-    }
-}
--- a/codex-rs/core/src/conversation_history.rs
+++ b/codex-rs/core/src/conversation_history.rs
@@ -1,12 +1,13 @@
 use codex_protocol::models::FunctionCallOutputContentItem;
 use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseItem;
+
+use crate::util::error_or_panic;
 use codex_protocol::protocol::TokenUsage;
 use codex_protocol::protocol::TokenUsageInfo;
 use codex_utils_string::take_bytes_at_char_boundary;
 use codex_utils_string::take_last_bytes_at_char_boundary;
 use std::ops::Deref;
-use tracing::error;

 // Model-formatting limits: clients get full streams; only content sent to the model is truncated.
 pub(crate) const MODEL_FORMAT_MAX_BYTES: usize = 10 * 1024; // 10 KiB
@@ -72,7 +73,6 @@ impl ConversationHistory {
    pub(crate) fn get_history_for_prompt(&mut self) -> Vec<ResponseItem> {
        let mut history = self.get_history();
        Self::remove_ghost_snapshots(&mut history);
-        Self::remove_reasoning_before_last_turn(&mut history);
        history
    }

@@ -124,25 +124,6 @@ impl ConversationHistory {
        items.retain(|item| !matches!(item, ResponseItem::GhostSnapshot { .. }));
    }

-    fn remove_reasoning_before_last_turn(items: &mut Vec<ResponseItem>) {
-        // Responses API drops reasoning items before the last user message.
-        // Sending them is harmless but can lead to validation errors when switching between API organizations.
-        // https://cookbook.openai.com/examples/responses_api/reasoning_items#caching
-        let Some(last_user_index) = items
-            .iter()
-            // Use last user message as the turn boundary.
-            .rposition(|item| matches!(item, ResponseItem::Message { role, .. } if role == "user"))
-        else {
-            return;
-        };
-        let mut index = 0usize;
-        items.retain(|item| {
-            let keep = index >= last_user_index || !matches!(item, ResponseItem::Reasoning { .. });
-            index += 1;
-            keep
-        });
-    }
-
    fn ensure_call_outputs_present(&mut self) {
        // Collect synthetic outputs to insert immediately after their calls.
        // Store the insertion position (index of call) alongside the item so
@@ -385,23 +366,10 @@ impl ConversationHistory {
        match item {
            ResponseItem::FunctionCallOutput { call_id, output } => {
                let truncated = format_output_for_model_body(output.content.as_str());
-                let truncated_items = output.content_items.as_ref().map(|items| {
-                    items
-                        .iter()
-                        .map(|it| match it {
-                            FunctionCallOutputContentItem::InputText { text } => {
-                                FunctionCallOutputContentItem::InputText {
-                                    text: format_output_for_model_body(text),
-                                }
-                            }
-                            FunctionCallOutputContentItem::InputImage { image_url } => {
-                                FunctionCallOutputContentItem::InputImage {
-                                    image_url: image_url.clone(),
-                                }
-                            }
-                        })
-                        .collect()
-                });
+                let truncated_items = output
+                    .content_items
+                    .as_ref()
+                    .map(|items| globally_truncate_function_output_items(items));
                ResponseItem::FunctionCallOutput {
                    call_id: call_id.clone(),
                    output: FunctionCallOutputPayload {
@@ -430,6 +398,53 @@ impl ConversationHistory {
    }
 }

+fn globally_truncate_function_output_items(
+    items: &[FunctionCallOutputContentItem],
+) -> Vec<FunctionCallOutputContentItem> {
+    let mut out: Vec<FunctionCallOutputContentItem> = Vec::with_capacity(items.len());
+    let mut remaining = MODEL_FORMAT_MAX_BYTES;
+    let mut omitted_text_items = 0usize;
+
+    for it in items {
+        match it {
+            FunctionCallOutputContentItem::InputText { text } => {
+                if remaining == 0 {
+                    omitted_text_items += 1;
+                    continue;
+                }
+
+                let len = text.len();
+                if len <= remaining {
+                    out.push(FunctionCallOutputContentItem::InputText { text: text.clone() });
+                    remaining -= len;
+                } else {
+                    let slice = take_bytes_at_char_boundary(text, remaining);
+                    if !slice.is_empty() {
+                        out.push(FunctionCallOutputContentItem::InputText {
+                            text: slice.to_string(),
+                        });
+                    }
+                    remaining = 0;
+                }
+            }
+            // todo(aibrahim): handle input images; resize
+            FunctionCallOutputContentItem::InputImage { image_url } => {
+                out.push(FunctionCallOutputContentItem::InputImage {
+                    image_url: image_url.clone(),
+                });
+            }
+        }
+    }
+
+    if omitted_text_items > 0 {
+        out.push(FunctionCallOutputContentItem::InputText {
+            text: format!("[omitted {omitted_text_items} text items ...]"),
+        });
+    }
+
+    out
+}
+
 pub(crate) fn format_output_for_model_body(content: &str) -> String {
    // Head+tail truncation for the model: show the beginning and end with an elision.
    // Clients still receive full streams; only this formatted summary is capped.
@@ -501,15 +516,6 @@ fn truncate_formatted_exec_output(content: &str, total_lines: usize) -> String {
    result
 }

-#[inline]
-fn error_or_panic(message: String) {
-    if cfg!(debug_assertions) || env!("CARGO_PKG_VERSION").contains("alpha") {
-        panic!("{message}");
-    } else {
-        error!("{message}");
-    }
-}
-
 /// Anything that is not a system message or "reasoning" message is considered
 /// an API message.
 fn is_api_message(message: &ResponseItem) -> bool {
@@ -530,7 +536,7 @@ fn is_api_message(message: &ResponseItem) -> bool {
 #[cfg(test)]
 mod tests {
    use super::*;
-    use codex_git_tooling::GhostCommit;
+    use codex_git::GhostCommit;
    use codex_protocol::models::ContentItem;
    use codex_protocol::models::FunctionCallOutputPayload;
    use codex_protocol::models::LocalShellAction;
@@ -548,15 +554,6 @@ mod tests {
        }
    }

-    fn reasoning(id: &str) -> ResponseItem {
-        ResponseItem::Reasoning {
-            id: id.to_string(),
-            summary: Vec::new(),
-            content: None,
-            encrypted_content: None,
-        }
-    }
-
    fn create_history_with_items(items: Vec<ResponseItem>) -> ConversationHistory {
        let mut h = ConversationHistory::new();
        h.record_items(items.iter());
@@ -613,40 +610,6 @@ mod tests {
        );
    }

-    #[test]
-    fn get_history_drops_reasoning_before_last_user_message() {
-        let mut history = ConversationHistory::new();
-        let items = vec![
-            user_msg("initial"),
-            reasoning("first"),
-            assistant_msg("ack"),
-            user_msg("latest"),
-            reasoning("second"),
-            assistant_msg("ack"),
-            reasoning("third"),
-        ];
-        history.record_items(items.iter());
-
-        let filtered = history.get_history_for_prompt();
-        assert_eq!(
-            filtered,
-            vec![
-                user_msg("initial"),
-                assistant_msg("ack"),
-                user_msg("latest"),
-                reasoning("second"),
-                assistant_msg("ack"),
-                reasoning("third"),
-            ]
-        );
-        let reasoning_count = history
-            .contents()
-            .iter()
-            .filter(|item| matches!(item, ResponseItem::Reasoning { .. }))
-            .count();
-        assert_eq!(reasoning_count, 3);
-    }
-
    #[test]
    fn get_history_for_prompt_drops_ghost_commits() {
        let items = vec![ResponseItem::GhostSnapshot {
@@ -927,6 +890,81 @@ mod tests {
        );
    }

+    #[test]
+    fn truncates_across_multiple_under_limit_texts_and_reports_omitted() {
+        // Arrange: several text items, none exceeding per-item limit, but total exceeds budget.
+        let budget = MODEL_FORMAT_MAX_BYTES;
+        let t1_len = (budget / 2).saturating_sub(10);
+        let t2_len = (budget / 2).saturating_sub(10);
+        let remaining_after_t1_t2 = budget.saturating_sub(t1_len + t2_len);
+        let t3_len = 50; // gets truncated to remaining_after_t1_t2
+        let t4_len = 5; // omitted
+        let t5_len = 7; // omitted
+
+        let t1 = "a".repeat(t1_len);
+        let t2 = "b".repeat(t2_len);
+        let t3 = "c".repeat(t3_len);
+        let t4 = "d".repeat(t4_len);
+        let t5 = "e".repeat(t5_len);
+
+        let item = ResponseItem::FunctionCallOutput {
+            call_id: "call-omit".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "irrelevant".to_string(),
+                content_items: Some(vec![
+                    FunctionCallOutputContentItem::InputText { text: t1 },
+                    FunctionCallOutputContentItem::InputText { text: t2 },
+                    FunctionCallOutputContentItem::InputImage {
+                        image_url: "img:mid".to_string(),
+                    },
+                    FunctionCallOutputContentItem::InputText { text: t3 },
+                    FunctionCallOutputContentItem::InputText { text: t4 },
+                    FunctionCallOutputContentItem::InputText { text: t5 },
+                ]),
+                success: Some(true),
+            },
+        };
+
+        let mut history = ConversationHistory::new();
+        history.record_items([&item]);
+        assert_eq!(history.items.len(), 1);
+        let json = serde_json::to_value(&history.items[0]).expect("serialize to json");
+
+        let output = json
+            .get("output")
+            .expect("output field")
+            .as_array()
+            .expect("array output");
+
+        // Expect: t1 (full), t2 (full), image, t3 (truncated), summary mentioning 2 omitted.
+        assert_eq!(output.len(), 5);
+
+        let first = output[0].as_object().expect("first obj");
+        assert_eq!(first.get("type").unwrap(), "input_text");
+        let first_text = first.get("text").unwrap().as_str().unwrap();
+        assert_eq!(first_text.len(), t1_len);
+
+        let second = output[1].as_object().expect("second obj");
+        assert_eq!(second.get("type").unwrap(), "input_text");
+        let second_text = second.get("text").unwrap().as_str().unwrap();
+        assert_eq!(second_text.len(), t2_len);
+
+        assert_eq!(
+            output[2],
+            serde_json::json!({"type": "input_image", "image_url": "img:mid"})
+        );
+
+        let fourth = output[3].as_object().expect("fourth obj");
+        assert_eq!(fourth.get("type").unwrap(), "input_text");
+        let fourth_text = fourth.get("text").unwrap().as_str().unwrap();
+        assert_eq!(fourth_text.len(), remaining_after_t1_t2);
+
+        let summary = output[4].as_object().expect("summary obj");
+        assert_eq!(summary.get("type").unwrap(), "input_text");
+        let summary_text = summary.get("text").unwrap().as_str().unwrap();
+        assert!(summary_text.contains("omitted 2 text items"));
+    }
+
    //TODO(aibrahim): run CI in release mode.
    #[cfg(not(debug_assertions))]
    #[test]
--- a/codex-rs/core/src/conversation_manager.rs
+++ b/codex-rs/core/src/conversation_manager.rs
@@ -73,7 +73,7 @@ impl ConversationManager {
            config,
            auth_manager,
            InitialHistory::New,
-            self.session_source,
+            self.session_source.clone(),
        )
        .await?;
        self.finalize_spawn(codex, conversation_id).await
@@ -132,10 +132,26 @@ impl ConversationManager {
        auth_manager: Arc<AuthManager>,
    ) -> CodexResult<NewConversation> {
        let initial_history = RolloutRecorder::get_rollout_history(&rollout_path).await?;
+        self.resume_conversation_with_history(config, initial_history, auth_manager)
+            .await
+    }
+
+    pub async fn resume_conversation_with_history(
+        &self,
+        config: Config,
+        initial_history: InitialHistory,
+        auth_manager: Arc<AuthManager>,
+    ) -> CodexResult<NewConversation> {
        let CodexSpawnOk {
            codex,
            conversation_id,
-        } = Codex::spawn(config, auth_manager, initial_history, self.session_source).await?;
+        } = Codex::spawn(
+            config,
+            auth_manager,
+            initial_history,
+            self.session_source.clone(),
+        )
+        .await?;
        self.finalize_spawn(codex, conversation_id).await
    }

@@ -169,7 +185,7 @@ impl ConversationManager {
        let CodexSpawnOk {
            codex,
            conversation_id,
-        } = Codex::spawn(config, auth_manager, history, self.session_source).await?;
+        } = Codex::spawn(config, auth_manager, history, self.session_source.clone()).await?;

        self.finalize_spawn(codex, conversation_id).await
    }
--- a/codex-rs/core/src/error.rs
+++ b/codex-rs/core/src/error.rs
@@ -4,6 +4,8 @@ use crate::token_data::KnownPlan;
 use crate::token_data::PlanType;
 use crate::truncate::truncate_middle;
 use chrono::DateTime;
+use chrono::Datelike;
+use chrono::Local;
 use chrono::Utc;
 use codex_async_utils::CancelErr;
 use codex_protocol::ConversationId;
@@ -253,7 +255,7 @@ impl std::fmt::Display for UsageLimitReachedError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let message = match self.plan_type.as_ref() {
            Some(PlanType::Known(KnownPlan::Plus)) => format!(
-                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing){}",
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits{}",
                retry_suffix_after_or(self.resets_at.as_ref())
            ),
            Some(PlanType::Known(KnownPlan::Team)) | Some(PlanType::Known(KnownPlan::Business)) => {
@@ -266,8 +268,11 @@ impl std::fmt::Display for UsageLimitReachedError {
                "You've hit your usage limit. Upgrade to Plus to continue using Codex (https://openai.com/chatgpt/pricing)."
                    .to_string()
            }
-            Some(PlanType::Known(KnownPlan::Pro))
-            | Some(PlanType::Known(KnownPlan::Enterprise))
+            Some(PlanType::Known(KnownPlan::Pro)) => format!(
+                "You've hit your usage limit. Visit chatgpt.com/codex/settings/usage to purchase more credits{}",
+                retry_suffix_after_or(self.resets_at.as_ref())
+            ),
+            Some(PlanType::Known(KnownPlan::Enterprise))
            | Some(PlanType::Known(KnownPlan::Edu)) => format!(
                "You've hit your usage limit.{}",
                retry_suffix(self.resets_at.as_ref())
@@ -283,28 +288,46 @@ impl std::fmt::Display for UsageLimitReachedError {
 }

 fn retry_suffix(resets_at: Option<&DateTime<Utc>>) -> String {
-    if let Some(secs) = remaining_seconds(resets_at) {
-        let reset_duration = format_reset_duration(secs);
-        format!(" Try again in {reset_duration}.")
+    if let Some(resets_at) = resets_at {
+        let formatted = format_retry_timestamp(resets_at);
+        format!(" Try again at {formatted}.")
    } else {
        " Try again later.".to_string()
    }
 }

 fn retry_suffix_after_or(resets_at: Option<&DateTime<Utc>>) -> String {
-    if let Some(secs) = remaining_seconds(resets_at) {
-        let reset_duration = format_reset_duration(secs);
-        format!(" or try again in {reset_duration}.")
+    if let Some(resets_at) = resets_at {
+        let formatted = format_retry_timestamp(resets_at);
+        format!(" or try again at {formatted}.")
    } else {
        " or try again later.".to_string()
    }
 }

-fn remaining_seconds(resets_at: Option<&DateTime<Utc>>) -> Option<u64> {
-    let resets_at = resets_at.cloned()?;
-    let now = now_for_retry();
-    let secs = resets_at.signed_duration_since(now).num_seconds();
-    Some(if secs <= 0 { 0 } else { secs as u64 })
+fn format_retry_timestamp(resets_at: &DateTime<Utc>) -> String {
+    let local_reset = resets_at.with_timezone(&Local);
+    let local_now = now_for_retry().with_timezone(&Local);
+    if local_reset.date_naive() == local_now.date_naive() {
+        local_reset.format("%-I:%M %p").to_string()
+    } else {
+        let suffix = day_suffix(local_reset.day());
+        local_reset
+            .format(&format!("%b %-d{suffix}, %Y %-I:%M %p"))
+            .to_string()
+    }
+}
+
+fn day_suffix(day: u32) -> &'static str {
+    match day {
+        11..=13 => "th",
+        _ => match day % 10 {
+            1 => "st",
+            2 => "nd", // codespell:ignore
+            3 => "rd",
+            _ => "th",
+        },
+    }
 }

 #[cfg(test)]
@@ -323,36 +346,6 @@ fn now_for_retry() -> DateTime<Utc> {
    Utc::now()
 }

-fn format_reset_duration(total_secs: u64) -> String {
-    let days = total_secs / 86_400;
-    let hours = (total_secs % 86_400) / 3_600;
-    let minutes = (total_secs % 3_600) / 60;
-
-    let mut parts: Vec<String> = Vec::new();
-    if days > 0 {
-        let unit = if days == 1 { "day" } else { "days" };
-        parts.push(format!("{days} {unit}"));
-    }
-    if hours > 0 {
-        let unit = if hours == 1 { "hour" } else { "hours" };
-        parts.push(format!("{hours} {unit}"));
-    }
-    if minutes > 0 {
-        let unit = if minutes == 1 { "minute" } else { "minutes" };
-        parts.push(format!("{minutes} {unit}"));
-    }
-
-    if parts.is_empty() {
-        return "less than a minute".to_string();
-    }
-
-    match parts.len() {
-        1 => parts[0].clone(),
-        2 => format!("{} {}", parts[0], parts[1]),
-        _ => format!("{} {} {}", parts[0], parts[1], parts[2]),
-    }
-}
-
 #[derive(Debug)]
 pub struct EnvVarError {
    /// Name of the environment variable that is missing.
@@ -467,7 +460,7 @@ mod tests {
        };
        assert_eq!(
            err.to_string(),
-            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again later."
+            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits or try again later."
        );
    }

@@ -569,15 +562,16 @@ mod tests {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::hours(1);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: Some(PlanType::Known(KnownPlan::Team)),
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. To get more access now, send a request to your admin or try again in 1 hour."
+            let expected = format!(
+                "You've hit your usage limit. To get more access now, send a request to your admin or try again at {expected_time}."
            );
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -597,7 +591,7 @@ mod tests {
    #[test]
    fn usage_limit_reached_error_formats_default_for_other_plans() {
        let err = UsageLimitReachedError {
-            plan_type: Some(PlanType::Known(KnownPlan::Pro)),
+            plan_type: Some(PlanType::Known(KnownPlan::Enterprise)),
            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
@@ -607,20 +601,37 @@ mod tests {
        );
    }

+    #[test]
+    fn usage_limit_reached_error_formats_pro_plan_with_reset() {
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::hours(1);
+        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
+            let err = UsageLimitReachedError {
+                plan_type: Some(PlanType::Known(KnownPlan::Pro)),
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            let expected = format!(
+                "You've hit your usage limit. Visit chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
+            );
+            assert_eq!(err.to_string(), expected);
+        });
+    }
+
    #[test]
    fn usage_limit_reached_includes_minutes_when_available() {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::minutes(5);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: None,
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Try again in 5 minutes."
-            );
+            let expected = format!("You've hit your usage limit. Try again at {expected_time}.");
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -629,15 +640,16 @@ mod tests {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::hours(3) + ChronoDuration::minutes(32);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: Some(PlanType::Known(KnownPlan::Plus)),
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again in 3 hours 32 minutes."
+            let expected = format!(
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
            );
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -647,15 +659,14 @@ mod tests {
        let resets_at =
            base + ChronoDuration::days(2) + ChronoDuration::hours(3) + ChronoDuration::minutes(5);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: None,
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Try again in 2 days 3 hours 5 minutes."
-            );
+            let expected = format!("You've hit your usage limit. Try again at {expected_time}.");
+            assert_eq!(err.to_string(), expected);
        });
    }

@@ -664,15 +675,14 @@ mod tests {
        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
        let resets_at = base + ChronoDuration::seconds(30);
        with_now_override(base, move || {
+            let expected_time = format_retry_timestamp(&resets_at);
            let err = UsageLimitReachedError {
                plan_type: None,
                resets_at: Some(resets_at),
                rate_limits: Some(rate_limit_snapshot()),
            };
-            assert_eq!(
-                err.to_string(),
-                "You've hit your usage limit. Try again in less than a minute."
-            );
+            let expected = format!("You've hit your usage limit. Try again at {expected_time}.");
+            assert_eq!(err.to_string(), expected);
        });
    }
 }
--- a/codex-rs/core/src/event_mapping.rs
+++ b/codex-rs/core/src/event_mapping.rs
@@ -11,14 +11,21 @@ use codex_protocol::models::ResponseItem;
 use codex_protocol::models::WebSearchAction;
 use codex_protocol::user_input::UserInput;
 use tracing::warn;
+use uuid::Uuid;
+
+use crate::user_instructions::UserInstructions;

 fn is_session_prefix(text: &str) -> bool {
    let trimmed = text.trim_start();
    let lowered = trimmed.to_ascii_lowercase();
-    lowered.starts_with("<environment_context>") || lowered.starts_with("<user_instructions>")
+    lowered.starts_with("<environment_context>")
 }

 fn parse_user_message(message: &[ContentItem]) -> Option<UserMessageItem> {
+    if UserInstructions::is_user_instructions(message) {
+        return None;
+    }
+
    let mut content: Vec<UserInput> = Vec::new();

    for content_item in message.iter() {
@@ -46,7 +53,7 @@ fn parse_user_message(message: &[ContentItem]) -> Option<UserMessageItem> {
    Some(UserMessageItem::new(&content))
 }

-fn parse_agent_message(message: &[ContentItem]) -> AgentMessageItem {
+fn parse_agent_message(id: Option<&String>, message: &[ContentItem]) -> AgentMessageItem {
    let mut content: Vec<AgentMessageContent> = Vec::new();
    for content_item in message.iter() {
        match content_item {
@@ -61,14 +68,18 @@ fn parse_agent_message(message: &[ContentItem]) -> AgentMessageItem {
            }
        }
    }
-    AgentMessageItem::new(&content)
+    let id = id.cloned().unwrap_or_else(|| Uuid::new_v4().to_string());
+    AgentMessageItem { id, content }
 }

 pub fn parse_turn_item(item: &ResponseItem) -> Option<TurnItem> {
    match item {
-        ResponseItem::Message { role, content, .. } => match role.as_str() {
+        ResponseItem::Message { role, content, id } => match role.as_str() {
            "user" => parse_user_message(content).map(TurnItem::UserMessage),
-            "assistant" => Some(TurnItem::AgentMessage(parse_agent_message(content))),
+            "assistant" => Some(TurnItem::AgentMessage(parse_agent_message(
+                id.as_ref(),
+                content,
+            ))),
            "system" => None,
            _ => None,
        },
@@ -162,6 +173,38 @@ mod tests {
        }
    }

+    #[test]
+    fn skips_user_instructions_and_env() {
+        let items = vec![
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "<user_instructions>test_text</user_instructions>".to_string(),
+                }],
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "<environment_context>test_text</environment_context>".to_string(),
+                }],
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>".to_string(),
+                }],
+            },
+        ];
+
+        for item in items {
+            let turn_item = parse_turn_item(&item);
+            assert!(turn_item.is_none(), "expected none, got {turn_item:?}");
+        }
+    }
+
    #[test]
    fn parses_agent_message() {
        let item = ResponseItem::Message {
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -72,6 +72,9 @@ pub enum SandboxType {

    /// Only available on Linux.
    LinuxSeccomp,
+
+    /// Only available on Windows.
+    WindowsRestrictedToken,
 }

 #[derive(Clone)]
@@ -158,11 +161,79 @@ pub(crate) async fn execute_exec_env(
    };

    let start = Instant::now();
-    let raw_output_result = exec(params, sandbox_policy, stdout_stream).await;
+    let raw_output_result = exec(params, sandbox, sandbox_policy, stdout_stream).await;
    let duration = start.elapsed();
    finalize_exec_result(raw_output_result, sandbox, duration)
 }

+#[cfg(target_os = "windows")]
+async fn exec_windows_sandbox(
+    params: ExecParams,
+    sandbox_policy: &SandboxPolicy,
+) -> Result<RawExecToolCallOutput> {
+    use codex_windows_sandbox::run_windows_sandbox_capture;
+
+    let ExecParams {
+        command,
+        cwd,
+        env,
+        timeout_ms,
+        ..
+    } = params;
+
+    let policy_str = match sandbox_policy {
+        SandboxPolicy::DangerFullAccess => "workspace-write",
+        SandboxPolicy::ReadOnly => "read-only",
+        SandboxPolicy::WorkspaceWrite { .. } => "workspace-write",
+    };
+
+    let sandbox_cwd = cwd.clone();
+    let spawn_res = tokio::task::spawn_blocking(move || {
+        run_windows_sandbox_capture(policy_str, &sandbox_cwd, command, &cwd, env, timeout_ms)
+    })
+    .await;
+
+    let capture = match spawn_res {
+        Ok(Ok(v)) => v,
+        Ok(Err(err)) => {
+            return Err(CodexErr::Io(io::Error::other(format!(
+                "windows sandbox: {err}"
+            ))));
+        }
+        Err(join_err) => {
+            return Err(CodexErr::Io(io::Error::other(format!(
+                "windows sandbox join error: {join_err}"
+            ))));
+        }
+    };
+
+    let exit_status = synthetic_exit_status(capture.exit_code);
+    let stdout = StreamOutput {
+        text: capture.stdout,
+        truncated_after_lines: None,
+    };
+    let stderr = StreamOutput {
+        text: capture.stderr,
+        truncated_after_lines: None,
+    };
+    // Best-effort aggregate: stdout then stderr
+    let mut aggregated = Vec::with_capacity(stdout.text.len() + stderr.text.len());
+    append_all(&mut aggregated, &stdout.text);
+    append_all(&mut aggregated, &stderr.text);
+    let aggregated_output = StreamOutput {
+        text: aggregated,
+        truncated_after_lines: None,
+    };
+
+    Ok(RawExecToolCallOutput {
+        exit_status,
+        stdout,
+        stderr,
+        aggregated_output,
+        timed_out: capture.timed_out,
+    })
+}
+
 fn finalize_exec_result(
    raw_output_result: std::result::Result<RawExecToolCallOutput, CodexErr>,
    sandbox_type: SandboxType,
@@ -347,11 +418,17 @@ pub struct ExecToolCallOutput {
    pub timed_out: bool,
 }

+#[cfg_attr(not(target_os = "windows"), allow(unused_variables))]
 async fn exec(
    params: ExecParams,
+    sandbox: SandboxType,
    sandbox_policy: &SandboxPolicy,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<RawExecToolCallOutput> {
+    #[cfg(target_os = "windows")]
+    if sandbox == SandboxType::WindowsRestrictedToken {
+        return exec_windows_sandbox(params, sandbox_policy).await;
+    }
    let timeout = params.timeout_duration();
    let ExecParams {
        command,
@@ -525,8 +602,9 @@ fn synthetic_exit_status(code: i32) -> ExitStatus {
 #[cfg(windows)]
 fn synthetic_exit_status(code: i32) -> ExitStatus {
    use std::os::windows::process::ExitStatusExt;
-    #[expect(clippy::unwrap_used)]
-    std::process::ExitStatus::from_raw(code.try_into().unwrap())
+    // On Windows the raw status is a u32. Use a direct cast to avoid
+    // panicking on negative i32 values produced by prior narrowing casts.
+    std::process::ExitStatus::from_raw(code as u32)
 }

 #[cfg(test)]
--- a/codex-rs/core/src/exec_env.rs
+++ b/codex-rs/core/src/exec_env.rs
@@ -1,6 +1,6 @@
-use crate::config_types::EnvironmentVariablePattern;
-use crate::config_types::ShellEnvironmentPolicy;
-use crate::config_types::ShellEnvironmentPolicyInherit;
+use crate::config::types::EnvironmentVariablePattern;
+use crate::config::types::ShellEnvironmentPolicy;
+use crate::config::types::ShellEnvironmentPolicyInherit;
 use std::collections::HashMap;
 use std::collections::HashSet;

@@ -71,7 +71,7 @@ where
 #[cfg(test)]
 mod tests {
    use super::*;
-    use crate::config_types::ShellEnvironmentPolicyInherit;
+    use crate::config::types::ShellEnvironmentPolicyInherit;
    use maplit::hashmap;

    fn make_vars(pairs: &[(&str, &str)]) -> Vec<(String, String)> {
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -6,7 +6,7 @@
 //! container attached to `Config`.

 use crate::config::ConfigToml;
-use crate::config_profile::ConfigProfile;
+use crate::config::profile::ConfigProfile;
 use serde::Deserialize;
 use std::collections::BTreeMap;
 use std::collections::BTreeSet;
@@ -43,6 +43,8 @@ pub enum Feature {
    SandboxCommandAssessment,
    /// Create a ghost commit at each turn.
    GhostCommit,
+    /// Enable Windows sandbox (restricted token) on Windows.
+    WindowsSandbox,
 }

 impl Feature {
@@ -66,16 +68,22 @@ impl Feature {
    }
 }

+#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
+pub struct LegacyFeatureUsage {
+    pub alias: String,
+    pub feature: Feature,
+}
+
 /// Holds the effective set of enabled features.
 #[derive(Debug, Clone, Default, PartialEq)]
 pub struct Features {
    enabled: BTreeSet<Feature>,
+    legacy_usages: BTreeSet<LegacyFeatureUsage>,
 }

 #[derive(Debug, Clone, Default)]
 pub struct FeatureOverrides {
    pub include_apply_patch_tool: Option<bool>,
-    pub include_view_image_tool: Option<bool>,
    pub web_search_request: Option<bool>,
    pub experimental_sandbox_command_assessment: Option<bool>,
 }
@@ -84,7 +92,6 @@ impl FeatureOverrides {
    fn apply(self, features: &mut Features) {
        LegacyFeatureToggles {
            include_apply_patch_tool: self.include_apply_patch_tool,
-            include_view_image_tool: self.include_view_image_tool,
            tools_web_search: self.web_search_request,
            ..Default::default()
        }
@@ -101,7 +108,10 @@ impl Features {
                set.insert(spec.id);
            }
        }
-        Self { enabled: set }
+        Self {
+            enabled: set,
+            legacy_usages: BTreeSet::new(),
+        }
    }

    pub fn enabled(&self, f: Feature) -> bool {
@@ -112,8 +122,29 @@ impl Features {
        self.enabled.insert(f);
    }

-    pub fn disable(&mut self, f: Feature) {
+    pub fn disable(&mut self, f: Feature) -> &mut Self {
        self.enabled.remove(&f);
+        self
+    }
+
+    pub fn record_legacy_usage_force(&mut self, alias: &str, feature: Feature) {
+        self.legacy_usages.insert(LegacyFeatureUsage {
+            alias: alias.to_string(),
+            feature,
+        });
+    }
+
+    pub fn record_legacy_usage(&mut self, alias: &str, feature: Feature) {
+        if alias == feature.key() {
+            return;
+        }
+        self.record_legacy_usage_force(alias, feature);
+    }
+
+    pub fn legacy_feature_usages(&self) -> impl Iterator<Item = (&str, Feature)> + '_ {
+        self.legacy_usages
+            .iter()
+            .map(|usage| (usage.alias.as_str(), usage.feature))
    }

    /// Apply a table of key -> bool toggles (e.g. from TOML).
@@ -121,6 +152,9 @@ impl Features {
        for (k, v) in m {
            match feature_for_key(k) {
                Some(feat) => {
+                    if k != feat.key() {
+                        self.record_legacy_usage(k.as_str(), feat);
+                    }
                    if *v {
                        self.enable(feat);
                    } else {
@@ -159,7 +193,6 @@ impl Features {

        let profile_legacy = LegacyFeatureToggles {
            include_apply_patch_tool: config_profile.include_apply_patch_tool,
-            include_view_image_tool: config_profile.include_view_image_tool,
            experimental_sandbox_command_assessment: config_profile
                .experimental_sandbox_command_assessment,
            experimental_use_freeform_apply_patch: config_profile
@@ -261,4 +294,10 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Experimental,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::WindowsSandbox,
+        key: "enable_experimental_windows_sandbox",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
 ];
--- a/codex-rs/core/src/features/legacy.rs
+++ b/codex-rs/core/src/features/legacy.rs
@@ -33,10 +33,6 @@ const ALIASES: &[Alias] = &[
        legacy_key: "include_apply_patch_tool",
        feature: Feature::ApplyPatchFreeform,
    },
-    Alias {
-        legacy_key: "include_view_image_tool",
-        feature: Feature::ViewImageTool,
-    },
    Alias {
        legacy_key: "web_search",
        feature: Feature::WebSearchRequest,
@@ -56,7 +52,6 @@ pub(crate) fn feature_for_key(key: &str) -> Option<Feature> {
 #[derive(Debug, Default)]
 pub struct LegacyFeatureToggles {
    pub include_apply_patch_tool: Option<bool>,
-    pub include_view_image_tool: Option<bool>,
    pub experimental_sandbox_command_assessment: Option<bool>,
    pub experimental_use_freeform_apply_patch: Option<bool>,
    pub experimental_use_exec_command_tool: Option<bool>,
@@ -110,12 +105,6 @@ impl LegacyFeatureToggles {
            self.tools_web_search,
            "tools.web_search",
        );
-        set_if_some(
-            features,
-            Feature::ViewImageTool,
-            self.include_view_image_tool,
-            "include_view_image_tool",
-        );
        set_if_some(
            features,
            Feature::ViewImageTool,
@@ -134,6 +123,7 @@ fn set_if_some(
    if let Some(enabled) = maybe_value {
        set_feature(features, feature, enabled);
        log_alias(alias_key, feature);
+        features.record_legacy_usage_force(alias_key, feature);
    }
 }

--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -14,12 +14,10 @@ mod client_common;
 pub mod codex;
 mod codex_conversation;
 pub use codex_conversation::CodexConversation;
+mod codex_delegate;
 mod command_safety;
 pub mod config;
-pub mod config_edit;
 pub mod config_loader;
-pub mod config_profile;
-pub mod config_types;
 mod conversation_history;
 pub mod custom_prompts;
 mod environment_context;
--- a/codex-rs/core/src/mcp/auth.rs
+++ b/codex-rs/core/src/mcp/auth.rs
@@ -7,8 +7,8 @@ use codex_rmcp_client::determine_streamable_http_auth_status;
 use futures::future::join_all;
 use tracing::warn;

-use crate::config_types::McpServerConfig;
-use crate::config_types::McpServerTransportConfig;
+use crate::config::types::McpServerConfig;
+use crate::config::types::McpServerTransportConfig;

 #[derive(Debug, Clone)]
 pub struct McpAuthStatusEntry {
--- a/codex-rs/core/src/mcp_connection_manager.rs
+++ b/codex-rs/core/src/mcp_connection_manager.rs
@@ -37,8 +37,8 @@ use tokio::task::JoinSet;
 use tracing::info;
 use tracing::warn;

-use crate::config_types::McpServerConfig;
-use crate::config_types::McpServerTransportConfig;
+use crate::config::types::McpServerConfig;
+use crate::config::types::McpServerTransportConfig;

 /// Delimiter used to separate the server name from the tool name in a fully
 /// qualified tool name.
--- a/codex-rs/core/src/message_history.rs
+++ b/codex-rs/core/src/message_history.rs
@@ -28,7 +28,7 @@ use tokio::fs;
 use tokio::io::AsyncReadExt;

 use crate::config::Config;
-use crate::config_types::HistoryPersistence;
+use crate::config::types::HistoryPersistence;

 use codex_protocol::ConversationId;
 #[cfg(unix)]
--- a/codex-rs/core/src/model_family.rs
+++ b/codex-rs/core/src/model_family.rs
@@ -1,4 +1,4 @@
-use crate::config_types::ReasoningSummaryFormat;
+use crate::config::types::ReasoningSummaryFormat;
 use crate::tools::handlers::apply_patch::ApplyPatchToolType;

 /// The `instructions` field in the payload sent to a model should always start
@@ -160,7 +160,7 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
            reasoning_summary_format: ReasoningSummaryFormat::Experimental,
            base_instructions: GPT_5_CODEX_INSTRUCTIONS.to_string(),
            apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
-            support_verbosity: true,
+            support_verbosity: false,
        )
    } else if slug.starts_with("gpt-5") {
        model_family!(
--- a/codex-rs/core/src/otel_init.rs
+++ b/codex-rs/core/src/otel_init.rs
@@ -1,6 +1,6 @@
 use crate::config::Config;
-use crate::config_types::OtelExporterKind as Kind;
-use crate::config_types::OtelHttpProtocol as Protocol;
+use crate::config::types::OtelExporterKind as Kind;
+use crate::config::types::OtelHttpProtocol as Protocol;
 use crate::default_client::originator;
 use codex_otel::config::OtelExporter;
 use codex_otel::config::OtelHttpProtocol;
--- a/codex-rs/core/src/response_processing.rs
+++ b/codex-rs/core/src/response_processing.rs
@@ -1,6 +1,5 @@
 use crate::codex::Session;
 use crate::codex::TurnContext;
-use crate::conversation_history::ConversationHistory;
 use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseInputItem;
 use codex_protocol::models::ResponseItem;
@@ -11,8 +10,6 @@ use tracing::warn;
 /// - `ResponseInputItem`s to send back to the model on the next turn.
 pub(crate) async fn process_items(
    processed_items: Vec<crate::codex::ProcessedResponseItem>,
-    is_review_mode: bool,
-    review_thread_history: &mut ConversationHistory,
    sess: &Session,
    turn_context: &TurnContext,
 ) -> (Vec<ResponseInputItem>, Vec<ResponseItem>) {
@@ -100,12 +97,8 @@ pub(crate) async fn process_items(

    // Only attempt to take the lock if there is something to record.
    if !items_to_record_in_conversation_history.is_empty() {
-        if is_review_mode {
-            review_thread_history.record_items(items_to_record_in_conversation_history.iter());
-        } else {
-            sess.record_conversation_items(turn_context, &items_to_record_in_conversation_history)
-                .await;
-        }
+        sess.record_conversation_items(turn_context, &items_to_record_in_conversation_history)
+            .await;
    }
    (responses, items_to_record_in_conversation_history)
 }
--- a/codex-rs/core/src/rollout/list.rs
+++ b/codex-rs/core/src/rollout/list.rs
@@ -409,7 +409,7 @@ async fn read_head_and_tail(

        match rollout_line.item {
            RolloutItem::SessionMeta(session_meta_line) => {
-                summary.source = Some(session_meta_line.meta.source);
+                summary.source = Some(session_meta_line.meta.source.clone());
                summary.model_provider = session_meta_line.meta.model_provider.clone();
                summary.created_at = summary
                    .created_at
--- a/codex-rs/core/src/rollout/policy.rs
+++ b/codex-rs/core/src/rollout/policy.rs
@@ -46,6 +46,7 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
        | EventMsg::UndoCompleted(_)
        | EventMsg::TurnAborted(_) => true,
        EventMsg::Error(_)
+        | EventMsg::Warning(_)
        | EventMsg::TaskStarted(_)
        | EventMsg::TaskComplete(_)
        | EventMsg::AgentMessageDelta(_)
@@ -75,7 +76,11 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
        | EventMsg::PlanUpdate(_)
        | EventMsg::ShutdownComplete
        | EventMsg::ViewImageToolCall(_)
+        | EventMsg::DeprecationNotice(_)
        | EventMsg::ItemStarted(_)
-        | EventMsg::ItemCompleted(_) => false,
+        | EventMsg::ItemCompleted(_)
+        | EventMsg::AgentMessageContentDelta(_)
+        | EventMsg::ReasoningContentDelta(_)
+        | EventMsg::ReasoningRawContentDelta(_) => false,
    }
 }
--- a/codex-rs/core/src/rollout/recorder.rs
+++ b/codex-rs/core/src/rollout/recorder.rs
@@ -207,7 +207,7 @@ impl RolloutRecorder {
            .map_err(|e| IoError::other(format!("failed waiting for rollout flush: {e}")))
    }

-    pub(crate) async fn get_rollout_history(path: &Path) -> std::io::Result<InitialHistory> {
+    pub async fn get_rollout_history(path: &Path) -> std::io::Result<InitialHistory> {
        info!("Resuming rollout from {path:?}");
        let text = tokio::fs::read_to_string(path).await?;
        if text.trim().is_empty() {
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -10,6 +10,23 @@ use crate::exec::SandboxType;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;

+#[cfg(target_os = "windows")]
+use std::sync::atomic::AtomicBool;
+#[cfg(target_os = "windows")]
+use std::sync::atomic::Ordering;
+
+#[cfg(target_os = "windows")]
+static WINDOWS_SANDBOX_ENABLED: AtomicBool = AtomicBool::new(false);
+
+#[cfg(target_os = "windows")]
+pub fn set_windows_sandbox_enabled(enabled: bool) {
+    WINDOWS_SANDBOX_ENABLED.store(enabled, Ordering::Relaxed);
+}
+
+#[cfg(not(target_os = "windows"))]
+#[allow(dead_code)]
+pub fn set_windows_sandbox_enabled(_enabled: bool) {}
+
 #[derive(Debug, PartialEq)]
 pub enum SafetyCheck {
    AutoApprove {
@@ -84,6 +101,14 @@ pub fn get_platform_sandbox() -> Option<SandboxType> {
        Some(SandboxType::MacosSeatbelt)
    } else if cfg!(target_os = "linux") {
        Some(SandboxType::LinuxSeccomp)
+    } else if cfg!(target_os = "windows") {
+        #[cfg(target_os = "windows")]
+        {
+            if WINDOWS_SANDBOX_ENABLED.load(Ordering::Relaxed) {
+                return Some(SandboxType::WindowsRestrictedToken);
+            }
+        }
+        None
    } else {
        None
    }
--- a/codex-rs/core/src/sandboxing/assessment.rs
+++ b/codex-rs/core/src/sandboxing/assessment.rs
@@ -17,6 +17,7 @@ use codex_protocol::ConversationId;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::SandboxCommandAssessment;
+use codex_protocol::protocol::SessionSource;
 use futures::StreamExt;
 use serde_json::json;
 use tokio::time::timeout;
@@ -53,6 +54,7 @@ pub(crate) async fn assess_command(
    auth_manager: Arc<AuthManager>,
    parent_otel: &OtelEventManager,
    conversation_id: ConversationId,
+    session_source: SessionSource,
    call_id: &str,
    command: &[String],
    sandbox_policy: &SandboxPolicy,
@@ -141,6 +143,7 @@ pub(crate) async fn assess_command(
        config.model_reasoning_effort,
        config.model_reasoning_summary,
        conversation_id,
+        session_source,
    );

    let start = Instant::now();
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -74,25 +74,13 @@ impl SandboxManager {
        match pref {
            SandboxablePreference::Forbid => SandboxType::None,
            SandboxablePreference::Require => {
-                #[cfg(target_os = "macos")]
-                {
-                    return SandboxType::MacosSeatbelt;
-                }
-                #[cfg(target_os = "linux")]
-                {
-                    return SandboxType::LinuxSeccomp;
-                }
-                #[allow(unreachable_code)]
-                SandboxType::None
+                // Require a platform sandbox when available; on Windows this
+                // respects the enable_experimental_windows_sandbox feature.
+                crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None)
            }
            SandboxablePreference::Auto => match policy {
                SandboxPolicy::DangerFullAccess => SandboxType::None,
-                #[cfg(target_os = "macos")]
-                _ => SandboxType::MacosSeatbelt,
-                #[cfg(target_os = "linux")]
-                _ => SandboxType::LinuxSeccomp,
-                #[cfg(not(any(target_os = "macos", target_os = "linux")))]
-                _ => SandboxType::None,
+                _ => crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None),
            },
        }
    }
@@ -143,6 +131,14 @@ impl SandboxManager {
                    Some("codex-linux-sandbox".to_string()),
                )
            }
+            // On Windows, the restricted token sandbox executes in-process via the
+            // codex-windows-sandbox crate. We leave the command unchanged here and
+            // branch during execution based on the sandbox type.
+            #[cfg(target_os = "windows")]
+            SandboxType::WindowsRestrictedToken => (command, HashMap::new(), None),
+            // When building for non-Windows targets, this variant is never constructed.
+            #[cfg(not(target_os = "windows"))]
+            SandboxType::WindowsRestrictedToken => (command, HashMap::new(), None),
        };

        env.extend(sandbox_env);
--- a/codex-rs/core/src/seatbelt_base_policy.sbpl
+++ b/codex-rs/core/src/seatbelt_base_policy.sbpl
@@ -71,6 +71,10 @@
  (sysctl-name-prefix "net.routetable.")
 )

+; Allow Java to set CPU type grade when required
+(allow sysctl-write
+  (sysctl-name "kern.grade_cputype"))
+
 ; IOKit
 (allow iokit-open
  (iokit-registry-entry-class "RootDomainUserClient")
--- a/codex-rs/core/src/shell.rs
+++ b/codex-rs/core/src/shell.rs
@@ -98,6 +98,7 @@ pub async fn default_user_shell() -> Shell {
        .unwrap_or(false);
    let bash_exe = if Command::new("bash.exe")
        .arg("--version")
+        .stdin(std::process::Stdio::null())
        .output()
        .await
        .ok()
--- a/codex-rs/core/src/state/turn.rs
+++ b/codex-rs/core/src/state/turn.rs
@@ -37,16 +37,6 @@ pub(crate) enum TaskKind {
    Compact,
 }

-impl TaskKind {
-    pub(crate) fn header_value(self) -> &'static str {
-        match self {
-            TaskKind::Regular => "standard",
-            TaskKind::Review => "review",
-            TaskKind::Compact => "compact",
-        }
-    }
-}
-
 #[derive(Clone)]
 pub(crate) struct RunningTask {
    pub(crate) done: Arc<Notify>,
@@ -123,15 +113,3 @@ impl ActiveTurn {
        ts.clear_pending();
    }
 }
-
-#[cfg(test)]
-mod tests {
-    use super::TaskKind;
-
-    #[test]
-    fn header_value_matches_expected_labels() {
-        assert_eq!(TaskKind::Regular.header_value(), "standard");
-        assert_eq!(TaskKind::Review.header_value(), "review");
-        assert_eq!(TaskKind::Compact.header_value(), "compact");
-    }
-}
--- a/codex-rs/core/src/tasks/ghost_snapshot.rs
+++ b/codex-rs/core/src/tasks/ghost_snapshot.rs
@@ -3,9 +3,9 @@ use crate::state::TaskKind;
 use crate::tasks::SessionTask;
 use crate::tasks::SessionTaskContext;
 use async_trait::async_trait;
-use codex_git_tooling::CreateGhostCommitOptions;
-use codex_git_tooling::GitToolingError;
-use codex_git_tooling::create_ghost_commit;
+use codex_git::CreateGhostCommitOptions;
+use codex_git::GitToolingError;
+use codex_git::create_ghost_commit;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::user_input::UserInput;
 use codex_utils_readiness::Readiness;
--- a/codex-rs/core/src/tasks/mod.rs
+++ b/codex-rs/core/src/tasks/mod.rs
@@ -3,6 +3,7 @@ mod ghost_snapshot;
 mod regular;
 mod review;
 mod undo;
+mod user_shell;

 use std::sync::Arc;
 use std::time::Duration;
@@ -15,6 +16,7 @@ use tokio_util::task::AbortOnDropHandle;
 use tracing::trace;
 use tracing::warn;

+use crate::AuthManager;
 use crate::codex::Session;
 use crate::codex::TurnContext;
 use crate::protocol::EventMsg;
@@ -31,6 +33,7 @@ pub(crate) use ghost_snapshot::GhostSnapshotTask;
 pub(crate) use regular::RegularTask;
 pub(crate) use review::ReviewTask;
 pub(crate) use undo::UndoTask;
+pub(crate) use user_shell::UserShellCommandTask;

 const GRACEFULL_INTERRUPTION_TIMEOUT_MS: u64 = 100;

@@ -48,6 +51,10 @@ impl SessionTaskContext {
    pub(crate) fn clone_session(&self) -> Arc<Session> {
        Arc::clone(&self.session)
    }
+
+    pub(crate) fn auth_manager(&self) -> Arc<AuthManager> {
+        Arc::clone(&self.session.services.auth_manager)
+    }
 }

 /// Async task that drives a [`Session`] turn.
@@ -121,7 +128,7 @@ impl Session {
                        task_cancellation_token.child_token(),
                    )
                    .await;
-
+                session_ctx.clone_session().flush_rollout().await;
                if !task_cancellation_token.is_cancelled() {
                    // Emit completion uniformly from spawn site so all tasks share the same lifecycle.
                    let sess = session_ctx.clone_session();
--- a/codex-rs/core/src/tasks/regular.rs
+++ b/codex-rs/core/src/tasks/regular.rs
@@ -28,6 +28,6 @@ impl SessionTask for RegularTask {
        cancellation_token: CancellationToken,
    ) -> Option<String> {
        let sess = session.clone_session();
-        run_task(sess, ctx, input, TaskKind::Regular, cancellation_token).await
+        run_task(sess, ctx, input, cancellation_token).await
    }
 }
--- a/codex-rs/core/src/tasks/review.rs
+++ b/codex-rs/core/src/tasks/review.rs
@@ -1,11 +1,22 @@
 use std::sync::Arc;

 use async_trait::async_trait;
+use codex_protocol::items::TurnItem;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ResponseItem;
+use codex_protocol::protocol::AgentMessageContentDeltaEvent;
+use codex_protocol::protocol::AgentMessageDeltaEvent;
+use codex_protocol::protocol::Event;
+use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::ExitedReviewModeEvent;
+use codex_protocol::protocol::ItemCompletedEvent;
+use codex_protocol::protocol::ReviewOutputEvent;
 use tokio_util::sync::CancellationToken;

+use crate::codex::Session;
 use crate::codex::TurnContext;
-use crate::codex::exit_review_mode;
-use crate::codex::run_task;
+use crate::codex_delegate::run_codex_conversation_one_shot;
+use crate::review_format::format_review_findings_block;
 use crate::state::TaskKind;
 use codex_protocol::user_input::UserInput;

@@ -28,11 +39,172 @@ impl SessionTask for ReviewTask {
        input: Vec<UserInput>,
        cancellation_token: CancellationToken,
    ) -> Option<String> {
-        let sess = session.clone_session();
-        run_task(sess, ctx, input, TaskKind::Review, cancellation_token).await
+        // Start sub-codex conversation and get the receiver for events.
+        let output = match start_review_conversation(
+            session.clone(),
+            ctx.clone(),
+            input,
+            cancellation_token.clone(),
+        )
+        .await
+        {
+            Some(receiver) => process_review_events(session.clone(), ctx.clone(), receiver).await,
+            None => None,
+        };
+        if !cancellation_token.is_cancelled() {
+            exit_review_mode(session.clone_session(), output.clone(), ctx.clone()).await;
+        }
+        None
    }

    async fn abort(&self, session: Arc<SessionTaskContext>, ctx: Arc<TurnContext>) {
-        exit_review_mode(session.clone_session(), ctx, None).await;
+        exit_review_mode(session.clone_session(), None, ctx).await;
    }
 }
+
+async fn start_review_conversation(
+    session: Arc<SessionTaskContext>,
+    ctx: Arc<TurnContext>,
+    input: Vec<UserInput>,
+    cancellation_token: CancellationToken,
+) -> Option<async_channel::Receiver<Event>> {
+    let config = ctx.client.config();
+    let mut sub_agent_config = config.as_ref().clone();
+    // Run with only reviewer rubric — drop outer user_instructions
+    sub_agent_config.user_instructions = None;
+    // Avoid loading project docs; reviewer only needs findings
+    sub_agent_config.project_doc_max_bytes = 0;
+    // Carry over review-only feature restrictions so the delegate cannot
+    // re-enable blocked tools (web search, view image, streamable shell).
+    sub_agent_config
+        .features
+        .disable(crate::features::Feature::WebSearchRequest)
+        .disable(crate::features::Feature::ViewImageTool)
+        .disable(crate::features::Feature::StreamableShell);
+    // Set explicit review rubric for the sub-agent
+    sub_agent_config.base_instructions = Some(crate::REVIEW_PROMPT.to_string());
+    (run_codex_conversation_one_shot(
+        sub_agent_config,
+        session.auth_manager(),
+        input,
+        session.clone_session(),
+        ctx.clone(),
+        cancellation_token,
+        None,
+    )
+    .await)
+        .ok()
+        .map(|io| io.rx_event)
+}
+
+async fn process_review_events(
+    session: Arc<SessionTaskContext>,
+    ctx: Arc<TurnContext>,
+    receiver: async_channel::Receiver<Event>,
+) -> Option<ReviewOutputEvent> {
+    let mut prev_agent_message: Option<Event> = None;
+    while let Ok(event) = receiver.recv().await {
+        match event.clone().msg {
+            EventMsg::AgentMessage(_) => {
+                if let Some(prev) = prev_agent_message.take() {
+                    session
+                        .clone_session()
+                        .send_event(ctx.as_ref(), prev.msg)
+                        .await;
+                }
+                prev_agent_message = Some(event);
+            }
+            // Suppress ItemCompleted only for assistant messages: forwarding it
+            // would trigger legacy AgentMessage via as_legacy_events(), which this
+            // review flow intentionally hides in favor of structured output.
+            EventMsg::ItemCompleted(ItemCompletedEvent {
+                item: TurnItem::AgentMessage(_),
+                ..
+            })
+            | EventMsg::AgentMessageDelta(AgentMessageDeltaEvent { .. })
+            | EventMsg::AgentMessageContentDelta(AgentMessageContentDeltaEvent { .. }) => {}
+            EventMsg::TaskComplete(task_complete) => {
+                // Parse review output from the last agent message (if present).
+                let out = task_complete
+                    .last_agent_message
+                    .as_deref()
+                    .map(parse_review_output_event);
+                return out;
+            }
+            EventMsg::TurnAborted(_) => {
+                // Cancellation or abort: consumer will finalize with None.
+                return None;
+            }
+            other => {
+                session
+                    .clone_session()
+                    .send_event(ctx.as_ref(), other)
+                    .await;
+            }
+        }
+    }
+    // Channel closed without TaskComplete: treat as interrupted.
+    None
+}
+
+/// Parse a ReviewOutputEvent from a text blob returned by the reviewer model.
+/// If the text is valid JSON matching ReviewOutputEvent, deserialize it.
+/// Otherwise, attempt to extract the first JSON object substring and parse it.
+/// If parsing still fails, return a structured fallback carrying the plain text
+/// in `overall_explanation`.
+fn parse_review_output_event(text: &str) -> ReviewOutputEvent {
+    if let Ok(ev) = serde_json::from_str::<ReviewOutputEvent>(text) {
+        return ev;
+    }
+    if let (Some(start), Some(end)) = (text.find('{'), text.rfind('}'))
+        && start < end
+        && let Some(slice) = text.get(start..=end)
+        && let Ok(ev) = serde_json::from_str::<ReviewOutputEvent>(slice)
+    {
+        return ev;
+    }
+    ReviewOutputEvent {
+        overall_explanation: text.to_string(),
+        ..Default::default()
+    }
+}
+
+/// Emits an ExitedReviewMode Event with optional ReviewOutput,
+/// and records a developer message with the review output.
+pub(crate) async fn exit_review_mode(
+    session: Arc<Session>,
+    review_output: Option<ReviewOutputEvent>,
+    ctx: Arc<TurnContext>,
+) {
+    let user_message = if let Some(out) = review_output.clone() {
+        let mut findings_str = String::new();
+        let text = out.overall_explanation.trim();
+        if !text.is_empty() {
+            findings_str.push_str(text);
+        }
+        if !out.findings.is_empty() {
+            let block = format_review_findings_block(&out.findings, None);
+            findings_str.push_str(&format!("\n{block}"));
+        }
+        crate::client_common::REVIEW_EXIT_SUCCESS_TMPL.replace("{results}", &findings_str)
+    } else {
+        crate::client_common::REVIEW_EXIT_INTERRUPTED_TMPL.to_string()
+    };
+
+    session
+        .record_conversation_items(
+            &ctx,
+            &[ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText { text: user_message }],
+            }],
+        )
+        .await;
+    session
+        .send_event(
+            ctx.as_ref(),
+            EventMsg::ExitedReviewMode(ExitedReviewModeEvent { review_output }),
+        )
+        .await;
+}
--- a/codex-rs/core/src/tasks/undo.rs
+++ b/codex-rs/core/src/tasks/undo.rs
@@ -8,7 +8,7 @@ use crate::state::TaskKind;
 use crate::tasks::SessionTask;
 use crate::tasks::SessionTaskContext;
 use async_trait::async_trait;
-use codex_git_tooling::restore_ghost_commit;
+use codex_git::restore_ghost_commit;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::user_input::UserInput;
 use tokio_util::sync::CancellationToken;
--- a/codex-rs/core/src/tasks/user_shell.rs
+++ b/codex-rs/core/src/tasks/user_shell.rs
@@ -0,0 +1,115 @@
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use codex_protocol::models::ShellToolCallParams;
+use codex_protocol::user_input::UserInput;
+use tokio::sync::Mutex;
+use tokio_util::sync::CancellationToken;
+use tracing::error;
+use uuid::Uuid;
+
+use crate::codex::TurnContext;
+use crate::protocol::EventMsg;
+use crate::protocol::TaskStartedEvent;
+use crate::state::TaskKind;
+use crate::tools::context::ToolPayload;
+use crate::tools::parallel::ToolCallRuntime;
+use crate::tools::router::ToolCall;
+use crate::tools::router::ToolRouter;
+use crate::turn_diff_tracker::TurnDiffTracker;
+
+use super::SessionTask;
+use super::SessionTaskContext;
+
+const USER_SHELL_TOOL_NAME: &str = "local_shell";
+
+#[derive(Clone)]
+pub(crate) struct UserShellCommandTask {
+    command: String,
+}
+
+impl UserShellCommandTask {
+    pub(crate) fn new(command: String) -> Self {
+        Self { command }
+    }
+}
+
+#[async_trait]
+impl SessionTask for UserShellCommandTask {
+    fn kind(&self) -> TaskKind {
+        TaskKind::Regular
+    }
+
+    async fn run(
+        self: Arc<Self>,
+        session: Arc<SessionTaskContext>,
+        turn_context: Arc<TurnContext>,
+        _input: Vec<UserInput>,
+        cancellation_token: CancellationToken,
+    ) -> Option<String> {
+        let event = EventMsg::TaskStarted(TaskStartedEvent {
+            model_context_window: turn_context.client.get_model_context_window(),
+        });
+        let session = session.clone_session();
+        session.send_event(turn_context.as_ref(), event).await;
+
+        // Execute the user's script under their default shell when known; this
+        // allows commands that use shell features (pipes, &&, redirects, etc.).
+        // We do not source rc files or otherwise reformat the script.
+        let shell_invocation = match session.user_shell() {
+            crate::shell::Shell::Zsh(zsh) => vec![
+                zsh.shell_path.clone(),
+                "-lc".to_string(),
+                self.command.clone(),
+            ],
+            crate::shell::Shell::Bash(bash) => vec![
+                bash.shell_path.clone(),
+                "-lc".to_string(),
+                self.command.clone(),
+            ],
+            crate::shell::Shell::PowerShell(ps) => vec![
+                ps.exe.clone(),
+                "-NoProfile".to_string(),
+                "-Command".to_string(),
+                self.command.clone(),
+            ],
+            crate::shell::Shell::Unknown => {
+                shlex::split(&self.command).unwrap_or_else(|| vec![self.command.clone()])
+            }
+        };
+
+        let params = ShellToolCallParams {
+            command: shell_invocation,
+            workdir: None,
+            timeout_ms: None,
+            with_escalated_permissions: None,
+            justification: None,
+        };
+
+        let tool_call = ToolCall {
+            tool_name: USER_SHELL_TOOL_NAME.to_string(),
+            call_id: Uuid::new_v4().to_string(),
+            payload: ToolPayload::LocalShell {
+                params,
+                is_user_shell_command: true,
+            },
+        };
+
+        let router = Arc::new(ToolRouter::from_config(&turn_context.tools_config, None));
+        let tracker = Arc::new(Mutex::new(TurnDiffTracker::new()));
+        let runtime = ToolCallRuntime::new(
+            Arc::clone(&router),
+            Arc::clone(&session),
+            Arc::clone(&turn_context),
+            Arc::clone(&tracker),
+        );
+
+        if let Err(err) = runtime
+            .handle_tool_call(tool_call, cancellation_token)
+            .await
+        {
+            error!("user shell command failed: {err:?}");
+        }
+        None
+    }
+}
--- a/codex-rs/core/src/tools/context.rs
+++ b/codex-rs/core/src/tools/context.rs
@@ -40,6 +40,7 @@ pub enum ToolPayload {
    },
    LocalShell {
        params: ShellToolCallParams,
+        is_user_shell_command: bool,
    },
    UnifiedExec {
        arguments: String,
@@ -56,7 +57,7 @@ impl ToolPayload {
        match self {
            ToolPayload::Function { arguments } => Cow::Borrowed(arguments),
            ToolPayload::Custom { input } => Cow::Borrowed(input),
-            ToolPayload::LocalShell { params } => Cow::Owned(params.command.join(" ")),
+            ToolPayload::LocalShell { params, .. } => Cow::Owned(params.command.join(" ")),
            ToolPayload::UnifiedExec { arguments } => Cow::Borrowed(arguments),
            ToolPayload::Mcp { raw_arguments, .. } => Cow::Borrowed(raw_arguments),
        }
@@ -255,6 +256,9 @@ pub(crate) struct ExecCommandContext {
    pub(crate) apply_patch: Option<ApplyPatchCommandContext>,
    pub(crate) tool_name: String,
    pub(crate) otel_event_manager: OtelEventManager,
+    // TODO(abhisek-oai): Find a better way to track this.
+    // https://github.com/openai/codex/pull/2471/files#r2470352242
+    pub(crate) is_user_shell_command: bool,
 }

 #[derive(Clone, Debug)]
--- a/codex-rs/core/src/tools/events.rs
+++ b/codex-rs/core/src/tools/events.rs
@@ -56,7 +56,12 @@ pub(crate) enum ToolEventFailure {
    Message(String),
 }

-pub(crate) async fn emit_exec_command_begin(ctx: ToolEventCtx<'_>, command: &[String], cwd: &Path) {
+pub(crate) async fn emit_exec_command_begin(
+    ctx: ToolEventCtx<'_>,
+    command: &[String],
+    cwd: &Path,
+    is_user_shell_command: bool,
+) {
    ctx.session
        .send_event(
            ctx.turn,
@@ -65,6 +70,7 @@ pub(crate) async fn emit_exec_command_begin(ctx: ToolEventCtx<'_>, command: &[St
                command: command.to_vec(),
                cwd: cwd.to_path_buf(),
                parsed_cmd: parse_command(command),
+                is_user_shell_command,
            }),
        )
        .await;
@@ -74,6 +80,7 @@ pub(crate) enum ToolEmitter {
    Shell {
        command: Vec<String>,
        cwd: PathBuf,
+        is_user_shell_command: bool,
    },
    ApplyPatch {
        changes: HashMap<PathBuf, FileChange>,
@@ -89,8 +96,12 @@ pub(crate) enum ToolEmitter {
 }

 impl ToolEmitter {
-    pub fn shell(command: Vec<String>, cwd: PathBuf) -> Self {
-        Self::Shell { command, cwd }
+    pub fn shell(command: Vec<String>, cwd: PathBuf, is_user_shell_command: bool) -> Self {
+        Self::Shell {
+            command,
+            cwd,
+            is_user_shell_command,
+        }
    }

    pub fn apply_patch(changes: HashMap<PathBuf, FileChange>, auto_approved: bool) -> Self {
@@ -110,8 +121,15 @@ impl ToolEmitter {

    pub async fn emit(&self, ctx: ToolEventCtx<'_>, stage: ToolEventStage) {
        match (self, stage) {
-            (Self::Shell { command, cwd }, ToolEventStage::Begin) => {
-                emit_exec_command_begin(ctx, command, cwd.as_path()).await;
+            (
+                Self::Shell {
+                    command,
+                    cwd,
+                    is_user_shell_command,
+                },
+                ToolEventStage::Begin,
+            ) => {
+                emit_exec_command_begin(ctx, command, cwd.as_path(), *is_user_shell_command).await;
            }
            (Self::Shell { .. }, ToolEventStage::Success(output)) => {
                emit_exec_end(
@@ -200,7 +218,7 @@ impl ToolEmitter {
                emit_patch_end(ctx, String::new(), (*message).to_string(), false).await;
            }
            (Self::UnifiedExec { command, cwd, .. }, ToolEventStage::Begin) => {
-                emit_exec_command_begin(ctx, &[command.to_string()], cwd.as_path()).await;
+                emit_exec_command_begin(ctx, &[command.to_string()], cwd.as_path(), false).await;
            }
            (Self::UnifiedExec { .. }, ToolEventStage::Success(output)) => {
                emit_exec_end(
@@ -256,31 +274,32 @@ impl ToolEmitter {
        ctx: ToolEventCtx<'_>,
        out: Result<ExecToolCallOutput, ToolError>,
    ) -> Result<String, FunctionCallError> {
-        let event;
-        let result = match out {
+        let (event, result) = match out {
            Ok(output) => {
                let content = super::format_exec_output_for_model(&output);
                let exit_code = output.exit_code;
-                event = ToolEventStage::Success(output);
-                if exit_code == 0 {
+                let event = ToolEventStage::Success(output);
+                let result = if exit_code == 0 {
                    Ok(content)
                } else {
                    Err(FunctionCallError::RespondToModel(content))
-                }
+                };
+                (event, result)
            }
            Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output })))
            | Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
                let response = super::format_exec_output_for_model(&output);
-                event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
-                Err(FunctionCallError::RespondToModel(response))
+                let event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
+                let result = Err(FunctionCallError::RespondToModel(response));
+                (event, result)
            }
            Err(ToolError::Codex(err)) => {
                let message = format!("execution error: {err:?}");
-                let response = message.clone();
-                event = ToolEventStage::Failure(ToolEventFailure::Message(message));
-                Err(FunctionCallError::RespondToModel(response))
+                let event = ToolEventStage::Failure(ToolEventFailure::Message(message.clone()));
+                let result = Err(FunctionCallError::RespondToModel(message));
+                (event, result)
            }
-            Err(ToolError::Rejected(msg)) | Err(ToolError::SandboxDenied(msg)) => {
+            Err(ToolError::Rejected(msg)) => {
                // Normalize common rejection messages for exec tools so tests and
                // users see a clear, consistent phrase.
                let normalized = if msg == "rejected by user" {
@@ -288,9 +307,9 @@ impl ToolEmitter {
                } else {
                    msg
                };
-                let response = &normalized;
-                event = ToolEventStage::Failure(ToolEventFailure::Message(normalized.clone()));
-                Err(FunctionCallError::RespondToModel(response.clone()))
+                let event = ToolEventStage::Failure(ToolEventFailure::Message(normalized.clone()));
+                let result = Err(FunctionCallError::RespondToModel(normalized));
+                (event, result)
            }
        };
        self.emit(ctx, event).await;
--- a/codex-rs/core/src/tools/handlers/shell.rs
+++ b/codex-rs/core/src/tools/handlers/shell.rs
@@ -78,10 +78,14 @@ impl ToolHandler for ShellHandler {
                    turn,
                    tracker,
                    call_id,
+                    false,
                )
                .await
            }
-            ToolPayload::LocalShell { params } => {
+            ToolPayload::LocalShell {
+                params,
+                is_user_shell_command,
+            } => {
                let exec_params = Self::to_exec_params(params, turn.as_ref());
                Self::run_exec_like(
                    tool_name.as_str(),
@@ -90,6 +94,7 @@ impl ToolHandler for ShellHandler {
                    turn,
                    tracker,
                    call_id,
+                    is_user_shell_command,
                )
                .await
            }
@@ -108,6 +113,7 @@ impl ShellHandler {
        turn: Arc<TurnContext>,
        tracker: crate::tools::context::SharedTurnDiffTracker,
        call_id: String,
+        is_user_shell_command: bool,
    ) -> Result<ToolOutput, FunctionCallError> {
        // Approval policy guard for explicit escalation in non-OnRequest modes.
        if exec_params.with_escalated_permissions.unwrap_or(false)
@@ -201,7 +207,11 @@ impl ShellHandler {
        }

        // Regular shell execution path.
-        let emitter = ToolEmitter::shell(exec_params.command.clone(), exec_params.cwd.clone());
+        let emitter = ToolEmitter::shell(
+            exec_params.command.clone(),
+            exec_params.cwd.clone(),
+            is_user_shell_command,
+        );
        let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
        emitter.begin(event_ctx).await;

@@ -212,6 +222,7 @@ impl ShellHandler {
            env: exec_params.env.clone(),
            with_escalated_permissions: exec_params.with_escalated_permissions,
            justification: exec_params.justification.clone(),
+            is_user_shell_command,
        };
        let mut orchestrator = ToolOrchestrator::new();
        let mut runtime = ShellRuntime::new();
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -83,6 +83,8 @@ impl ToolOrchestrator {
        if tool.wants_escalated_first_attempt(req) {
            initial_sandbox = crate::exec::SandboxType::None;
        }
+        // Platform-specific flag gating is handled by SandboxManager::select_initial
+        // via crate::safety::get_platform_sandbox().
        let initial_attempt = SandboxAttempt {
            sandbox: initial_sandbox,
            policy: &turn_ctx.sandbox_policy,
@@ -98,15 +100,16 @@ impl ToolOrchestrator {
            }
            Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
                if !tool.escalate_on_failure() {
-                    return Err(ToolError::SandboxDenied(
-                        "sandbox denied and no retry".to_string(),
-                    ));
+                    return Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied {
+                        output,
+                    })));
                }
-                // Under `Never` or `OnRequest`, do not retry without sandbox; surface a concise message
-                // derived from the actual output (platform-agnostic).
+                // Under `Never` or `OnRequest`, do not retry without sandbox; surface a concise
+                // sandbox denial that preserves the original output.
                if !tool.wants_no_sandbox_approval(approval_policy) {
-                    let msg = build_never_denied_message_from_output(output.as_ref());
-                    return Err(ToolError::SandboxDenied(msg));
+                    return Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied {
+                        output,
+                    })));
                }

                // Ask for approval before retrying without sandbox.
@@ -167,29 +170,6 @@ impl ToolOrchestrator {
    }
 }

-fn build_never_denied_message_from_output(output: &ExecToolCallOutput) -> String {
-    let body = format!(
-        "{}\n{}\n{}",
-        output.stderr.text, output.stdout.text, output.aggregated_output.text
-    )
-    .to_lowercase();
-
-    let detail = if body.contains("permission denied") {
-        Some("Permission denied")
-    } else if body.contains("operation not permitted") {
-        Some("Operation not permitted")
-    } else if body.contains("read-only file system") {
-        Some("Read-only file system")
-    } else {
-        None
-    };
-
-    match detail {
-        Some(tag) => format!("failed in sandbox: {tag}"),
-        None => "failed in sandbox".to_string(),
-    }
-}
-
 fn build_denial_reason_from_output(_output: &ExecToolCallOutput) -> String {
    // Keep approval reason terse and stable for UX/tests, but accept the
    // output so we can evolve heuristics later without touching call sites.
--- a/codex-rs/core/src/tools/router.rs
+++ b/codex-rs/core/src/tools/router.rs
@@ -120,7 +120,10 @@ impl ToolRouter {
                        Ok(Some(ToolCall {
                            tool_name: "local_shell".to_string(),
                            call_id,
-                            payload: ToolPayload::LocalShell { params },
+                            payload: ToolPayload::LocalShell {
+                                params,
+                                is_user_shell_command: false,
+                            },
                        }))
                    }
                }
--- a/codex-rs/core/src/tools/runtimes/shell.rs
+++ b/codex-rs/core/src/tools/runtimes/shell.rs
@@ -34,6 +34,7 @@ pub struct ShellRequest {
    pub env: std::collections::HashMap<String, String>,
    pub with_escalated_permissions: Option<bool>,
    pub justification: Option<String>,
+    pub is_user_shell_command: bool,
 }

 impl ProvidesSandboxRetryData for ShellRequest {
@@ -121,6 +122,9 @@ impl Approvable<ShellRequest> for ShellRuntime {
        policy: AskForApproval,
        sandbox_policy: &SandboxPolicy,
    ) -> bool {
+        if req.is_user_shell_command {
+            return false;
+        }
        if is_known_safe_command(&req.command) {
            return false;
        }
@@ -146,7 +150,7 @@ impl Approvable<ShellRequest> for ShellRuntime {
    }

    fn wants_escalated_first_attempt(&self, req: &ShellRequest) -> bool {
-        req.with_escalated_permissions.unwrap_or(false)
+        req.is_user_shell_command || req.with_escalated_permissions.unwrap_or(false)
    }
 }

--- a/codex-rs/core/src/tools/sandboxing.rs
+++ b/codex-rs/core/src/tools/sandboxing.rs
@@ -173,7 +173,6 @@ pub(crate) trait ProvidesSandboxRetryData {
 #[derive(Debug)]
 pub(crate) enum ToolError {
    Rejected(String),
-    SandboxDenied(String),
    Codex(CodexErr),
 }

--- a/codex-rs/core/src/user_instructions.rs
+++ b/codex-rs/core/src/user_instructions.rs
@@ -3,29 +3,25 @@ use serde::Serialize;

 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::USER_INSTRUCTIONS_CLOSE_TAG;
-use codex_protocol::protocol::USER_INSTRUCTIONS_OPEN_TAG;

-/// Wraps user instructions in a tag so the model can classify them easily.
+pub const USER_INSTRUCTIONS_OPEN_TAG_LEGACY: &str = "<user_instructions>";
+pub const USER_INSTRUCTIONS_PREFIX: &str = "# AGENTS.md instructions for ";

 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename = "user_instructions", rename_all = "snake_case")]
 pub(crate) struct UserInstructions {
-    text: String,
+    pub directory: String,
+    pub text: String,
 }

 impl UserInstructions {
-    pub fn new<T: Into<String>>(text: T) -> Self {
-        Self { text: text.into() }
-    }
-
-    /// Serializes the user instructions to an XML-like tagged block that starts
-    /// with <user_instructions> so clients can classify it.
-    pub fn serialize_to_xml(self) -> String {
-        format!(
-            "{USER_INSTRUCTIONS_OPEN_TAG}\n\n{}\n\n{USER_INSTRUCTIONS_CLOSE_TAG}",
-            self.text
-        )
+    pub fn is_user_instructions(message: &[ContentItem]) -> bool {
+        if let [ContentItem::InputText { text }] = message {
+            text.starts_with(USER_INSTRUCTIONS_PREFIX)
+                || text.starts_with(USER_INSTRUCTIONS_OPEN_TAG_LEGACY)
+        } else {
+            false
+        }
    }
 }

@@ -35,8 +31,88 @@ impl From<UserInstructions> for ResponseItem {
            id: None,
            role: "user".to_string(),
            content: vec![ContentItem::InputText {
-                text: ui.serialize_to_xml(),
+                text: format!(
+                    "{USER_INSTRUCTIONS_PREFIX}{directory}\n\n<INSTRUCTIONS>\n{contents}\n</INSTRUCTIONS>",
+                    directory = ui.directory,
+                    contents = ui.text
+                ),
            }],
        }
    }
 }
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[serde(rename = "developer_instructions", rename_all = "snake_case")]
+pub(crate) struct DeveloperInstructions {
+    text: String,
+}
+
+impl DeveloperInstructions {
+    pub fn new<T: Into<String>>(text: T) -> Self {
+        Self { text: text.into() }
+    }
+
+    pub fn into_text(self) -> String {
+        self.text
+    }
+}
+
+impl From<DeveloperInstructions> for ResponseItem {
+    fn from(di: DeveloperInstructions) -> Self {
+        ResponseItem::Message {
+            id: None,
+            role: "developer".to_string(),
+            content: vec![ContentItem::InputText {
+                text: di.into_text(),
+            }],
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_user_instructions() {
+        let user_instructions = UserInstructions {
+            directory: "test_directory".to_string(),
+            text: "test_text".to_string(),
+        };
+        let response_item: ResponseItem = user_instructions.into();
+
+        let ResponseItem::Message { role, content, .. } = response_item else {
+            panic!("expected ResponseItem::Message");
+        };
+
+        assert_eq!(role, "user");
+
+        let [ContentItem::InputText { text }] = content.as_slice() else {
+            panic!("expected one InputText content item");
+        };
+
+        assert_eq!(
+            text,
+            "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>",
+        );
+    }
+
+    #[test]
+    fn test_is_user_instructions() {
+        assert!(UserInstructions::is_user_instructions(
+            &[ContentItem::InputText {
+                text: "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>".to_string(),
+            }]
+        ));
+        assert!(UserInstructions::is_user_instructions(&[
+            ContentItem::InputText {
+                text: "<user_instructions>test_text</user_instructions>".to_string(),
+            }
+        ]));
+        assert!(!UserInstructions::is_user_instructions(&[
+            ContentItem::InputText {
+                text: "test_text".to_string(),
+            }
+        ]));
+    }
+}
--- a/codex-rs/core/src/util.rs
+++ b/codex-rs/core/src/util.rs
@@ -1,6 +1,8 @@
 use std::time::Duration;

 use rand::Rng;
+use tracing::debug;
+use tracing::error;

 const INITIAL_DELAY_MS: u64 = 200;
 const BACKOFF_FACTOR: f64 = 2.0;
@@ -11,3 +13,55 @@ pub(crate) fn backoff(attempt: u64) -> Duration {
    let jitter = rand::rng().random_range(0.9..1.1);
    Duration::from_millis((base as f64 * jitter) as u64)
 }
+
+pub(crate) fn error_or_panic(message: String) {
+    if cfg!(debug_assertions) || env!("CARGO_PKG_VERSION").contains("alpha") {
+        panic!("{message}");
+    } else {
+        error!("{message}");
+    }
+}
+
+pub(crate) fn try_parse_error_message(text: &str) -> String {
+    debug!("Parsing server error response: {}", text);
+    let json = serde_json::from_str::<serde_json::Value>(text).unwrap_or_default();
+    if let Some(error) = json.get("error")
+        && let Some(message) = error.get("message")
+        && let Some(message_str) = message.as_str()
+    {
+        return message_str.to_string();
+    }
+    if text.is_empty() {
+        return "Unknown error".to_string();
+    }
+    text.to_string()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_try_parse_error_message() {
+        let text = r#"{
+  "error": {
+    "message": "Your refresh token has already been used to generate a new access token. Please try signing in again.",
+    "type": "invalid_request_error",
+    "param": null,
+    "code": "refresh_token_reused"
+  }
+}"#;
+        let message = try_parse_error_message(text);
+        assert_eq!(
+            message,
+            "Your refresh token has already been used to generate a new access token. Please try signing in again."
+        );
+    }
+
+    #[test]
+    fn test_try_parse_error_message_no_error() {
+        let text = r#"{"message": "test"}"#;
+        let message = try_parse_error_message(text);
+        assert_eq!(message, r#"{"message": "test"}"#);
+    }
+}
--- a/codex-rs/core/templates/review/exit_interrupted.xml
+++ b/codex-rs/core/templates/review/exit_interrupted.xml
@@ -0,0 +1,8 @@
+<user_action>
+  <context>User initiated a review task, but was interrupted. If user asks about this, tell them to re-initiate a review with `/review` and wait for it to complete.</context>
+  <action>review</action>
+  <results>
+  None.
+  </results>
+</user_action>
+
--- a/codex-rs/core/templates/review/exit_success.xml
+++ b/codex-rs/core/templates/review/exit_success.xml
@@ -0,0 +1,8 @@
+<user_action>
+  <context>User initiated a review task. Here's the full review output from reviewer model. User may select one or more comments to resolve.</context>
+  <action>review</action>
+  <results>
+  {results}
+  </results>
+  </user_action>
+
--- a/codex-rs/core/templates/review/history_message_completed.md
+++ b/codex-rs/core/templates/review/history_message_completed.md
@@ -0,0 +1,8 @@
+<user_action>
+  <context>User initiated a review task. Here's the full review output from reviewer model. User may select one or more comments to resolve.</context>
+  <action>review</action>
+  <results>
+  {findings}
+  </results>
+</user_action>
+
--- a/codex-rs/core/templates/review/history_message_interrupted.md
+++ b/codex-rs/core/templates/review/history_message_interrupted.md
@@ -0,0 +1,8 @@
+<user_action>
+  <context>User initiated a review task, but was interrupted. If user asks about this, tell them to re-initiate a review with `/review` and wait for it to complete.</context>
+  <action>review</action>
+  <results>
+  None.
+  </results>
+</user_action>
+
--- a/codex-rs/core/tests/chat_completions_payload.rs
+++ b/codex-rs/core/tests/chat_completions_payload.rs
@@ -94,6 +94,7 @@ async fn run_request(input: Vec<ResponseItem>) -> Value {
        effort,
        summary,
        conversation_id,
+        codex_protocol::protocol::SessionSource::Exec,
    );

    let mut prompt = Prompt::default();
--- a/codex-rs/core/tests/chat_completions_sse.rs
+++ b/codex-rs/core/tests/chat_completions_sse.rs
@@ -94,6 +94,7 @@ async fn run_stream_with_bytes(sse_body: &[u8]) -> Vec<ResponseEvent> {
        effort,
        summary,
        conversation_id,
+        codex_protocol::protocol::SessionSource::Exec,
    );

    let mut prompt = Prompt::default();
@@ -170,19 +171,24 @@ async fn streams_text_without_reasoning() {
    );

    let events = run_stream(sse).await;
-    assert_eq!(events.len(), 3, "unexpected events: {events:?}");
+    assert_eq!(events.len(), 4, "unexpected events: {events:?}");

    match &events[0] {
+        ResponseEvent::OutputItemAdded(ResponseItem::Message { .. }) => {}
+        other => panic!("expected initial assistant item, got {other:?}"),
+    }
+
+    match &events[1] {
        ResponseEvent::OutputTextDelta(text) => assert_eq!(text, "hi"),
        other => panic!("expected text delta, got {other:?}"),
    }

-    match &events[1] {
+    match &events[2] {
        ResponseEvent::OutputItemDone(item) => assert_message(item, "hi"),
        other => panic!("expected terminal message, got {other:?}"),
    }

-    assert_matches!(events[2], ResponseEvent::Completed { .. });
+    assert_matches!(events[3], ResponseEvent::Completed { .. });
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -201,29 +207,39 @@ async fn streams_reasoning_from_string_delta() {
    );

    let events = run_stream(sse).await;
-    assert_eq!(events.len(), 5, "unexpected events: {events:?}");
+    assert_eq!(events.len(), 7, "unexpected events: {events:?}");

    match &events[0] {
+        ResponseEvent::OutputItemAdded(ResponseItem::Reasoning { .. }) => {}
+        other => panic!("expected initial reasoning item, got {other:?}"),
+    }
+
+    match &events[1] {
        ResponseEvent::ReasoningContentDelta(text) => assert_eq!(text, "think1"),
        other => panic!("expected reasoning delta, got {other:?}"),
    }

-    match &events[1] {
+    match &events[2] {
+        ResponseEvent::OutputItemAdded(ResponseItem::Message { .. }) => {}
+        other => panic!("expected initial message item, got {other:?}"),
+    }
+
+    match &events[3] {
        ResponseEvent::OutputTextDelta(text) => assert_eq!(text, "ok"),
        other => panic!("expected text delta, got {other:?}"),
    }

-    match &events[2] {
+    match &events[4] {
        ResponseEvent::OutputItemDone(item) => assert_reasoning(item, "think1"),
-        other => panic!("expected reasoning item, got {other:?}"),
+        other => panic!("expected terminal reasoning, got {other:?}"),
    }

-    match &events[3] {
+    match &events[5] {
        ResponseEvent::OutputItemDone(item) => assert_message(item, "ok"),
-        other => panic!("expected message item, got {other:?}"),
+        other => panic!("expected terminal message, got {other:?}"),
    }

-    assert_matches!(events[4], ResponseEvent::Completed { .. });
+    assert_matches!(events[6], ResponseEvent::Completed { .. });
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -243,34 +259,44 @@ async fn streams_reasoning_from_object_delta() {
    );

    let events = run_stream(sse).await;
-    assert_eq!(events.len(), 6, "unexpected events: {events:?}");
+    assert_eq!(events.len(), 8, "unexpected events: {events:?}");

    match &events[0] {
+        ResponseEvent::OutputItemAdded(ResponseItem::Reasoning { .. }) => {}
+        other => panic!("expected initial reasoning item, got {other:?}"),
+    }
+
+    match &events[1] {
        ResponseEvent::ReasoningContentDelta(text) => assert_eq!(text, "partA"),
        other => panic!("expected reasoning delta, got {other:?}"),
    }

-    match &events[1] {
+    match &events[2] {
        ResponseEvent::ReasoningContentDelta(text) => assert_eq!(text, "partB"),
        other => panic!("expected reasoning delta, got {other:?}"),
    }

-    match &events[2] {
+    match &events[3] {
+        ResponseEvent::OutputItemAdded(ResponseItem::Message { .. }) => {}
+        other => panic!("expected initial message item, got {other:?}"),
+    }
+
+    match &events[4] {
        ResponseEvent::OutputTextDelta(text) => assert_eq!(text, "answer"),
        other => panic!("expected text delta, got {other:?}"),
    }

-    match &events[3] {
+    match &events[5] {
        ResponseEvent::OutputItemDone(item) => assert_reasoning(item, "partApartB"),
-        other => panic!("expected reasoning item, got {other:?}"),
+        other => panic!("expected terminal reasoning, got {other:?}"),
    }

-    match &events[4] {
+    match &events[6] {
        ResponseEvent::OutputItemDone(item) => assert_message(item, "answer"),
-        other => panic!("expected message item, got {other:?}"),
+        other => panic!("expected terminal message, got {other:?}"),
    }

-    assert_matches!(events[5], ResponseEvent::Completed { .. });
+    assert_matches!(events[7], ResponseEvent::Completed { .. });
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -285,19 +311,24 @@ async fn streams_reasoning_from_final_message() {
    let sse = "data: {\"choices\":[{\"message\":{\"reasoning\":\"final-cot\"},\"finish_reason\":\"stop\"}]}\n\n";

    let events = run_stream(sse).await;
-    assert_eq!(events.len(), 3, "unexpected events: {events:?}");
+    assert_eq!(events.len(), 4, "unexpected events: {events:?}");

    match &events[0] {
+        ResponseEvent::OutputItemAdded(ResponseItem::Reasoning { .. }) => {}
+        other => panic!("expected initial reasoning item, got {other:?}"),
+    }
+
+    match &events[1] {
        ResponseEvent::ReasoningContentDelta(text) => assert_eq!(text, "final-cot"),
        other => panic!("expected reasoning delta, got {other:?}"),
    }

-    match &events[1] {
+    match &events[2] {
        ResponseEvent::OutputItemDone(item) => assert_reasoning(item, "final-cot"),
        other => panic!("expected reasoning item, got {other:?}"),
    }

-    assert_matches!(events[2], ResponseEvent::Completed { .. });
+    assert_matches!(events[3], ResponseEvent::Completed { .. });
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -315,19 +346,24 @@ async fn streams_reasoning_before_tool_call() {
    );

    let events = run_stream(sse).await;
-    assert_eq!(events.len(), 4, "unexpected events: {events:?}");
+    assert_eq!(events.len(), 5, "unexpected events: {events:?}");

    match &events[0] {
+        ResponseEvent::OutputItemAdded(ResponseItem::Reasoning { .. }) => {}
+        other => panic!("expected initial reasoning item, got {other:?}"),
+    }
+
+    match &events[1] {
        ResponseEvent::ReasoningContentDelta(text) => assert_eq!(text, "pre-tool"),
        other => panic!("expected reasoning delta, got {other:?}"),
    }

-    match &events[1] {
+    match &events[2] {
        ResponseEvent::OutputItemDone(item) => assert_reasoning(item, "pre-tool"),
        other => panic!("expected reasoning item, got {other:?}"),
    }

-    match &events[2] {
+    match &events[3] {
        ResponseEvent::OutputItemDone(ResponseItem::FunctionCall {
            name,
            arguments,
@@ -341,7 +377,7 @@ async fn streams_reasoning_before_tool_call() {
        other => panic!("expected function call, got {other:?}"),
    }

-    assert_matches!(events[3], ResponseEvent::Completed { .. });
+    assert_matches!(events[4], ResponseEvent::Completed { .. });
 }

 #[tokio::test]
--- a/codex-rs/core/tests/common/responses.rs
+++ b/codex-rs/core/tests/common/responses.rs
@@ -217,6 +217,25 @@ pub fn ev_assistant_message(id: &str, text: &str) -> Value {
    })
 }

+pub fn ev_message_item_added(id: &str, text: &str) -> Value {
+    serde_json::json!({
+        "type": "response.output_item.added",
+        "item": {
+            "type": "message",
+            "role": "assistant",
+            "id": id,
+            "content": [{"type": "output_text", "text": text}]
+        }
+    })
+}
+
+pub fn ev_output_text_delta(delta: &str) -> Value {
+    serde_json::json!({
+        "type": "response.output_text.delta",
+        "delta": delta,
+    })
+}
+
 pub fn ev_reasoning_item(id: &str, summary: &[&str], raw_content: &[&str]) -> Value {
    let summary_entries: Vec<Value> = summary
        .iter()
@@ -243,6 +262,36 @@ pub fn ev_reasoning_item(id: &str, summary: &[&str], raw_content: &[&str]) -> Va
    event
 }

+pub fn ev_reasoning_item_added(id: &str, summary: &[&str]) -> Value {
+    let summary_entries: Vec<Value> = summary
+        .iter()
+        .map(|text| serde_json::json!({"type": "summary_text", "text": text}))
+        .collect();
+
+    serde_json::json!({
+        "type": "response.output_item.added",
+        "item": {
+            "type": "reasoning",
+            "id": id,
+            "summary": summary_entries,
+        }
+    })
+}
+
+pub fn ev_reasoning_summary_text_delta(delta: &str) -> Value {
+    serde_json::json!({
+        "type": "response.reasoning_summary_text.delta",
+        "delta": delta,
+    })
+}
+
+pub fn ev_reasoning_text_delta(delta: &str) -> Value {
+    serde_json::json!({
+        "type": "response.reasoning_text.delta",
+        "delta": delta,
+    })
+}
+
 pub fn ev_web_search_call_added(id: &str, status: &str, query: &str) -> Value {
    serde_json::json!({
        "type": "response.output_item.added",
@@ -430,6 +479,7 @@ pub async fn mount_sse_sequence(server: &MockServer, bodies: Vec<String>) -> Res

    let (mock, response_mock) = base_mock();
    mock.respond_with(responder)
+        .up_to_n_times(num_calls as u64)
        .expect(num_calls as u64)
        .mount(server)
        .await;
--- a/codex-rs/core/tests/common/test_codex.rs
+++ b/codex-rs/core/tests/common/test_codex.rs
@@ -97,11 +97,9 @@ impl TestCodexBuilder {
        let mut config = load_default_config_for_test(home);
        config.cwd = cwd.path().to_path_buf();
        config.model_provider = model_provider;
-        config.codex_linux_sandbox_exe = Some(PathBuf::from(
-            assert_cmd::Command::cargo_bin("codex")?
-                .get_program()
-                .to_os_string(),
-        ));
+        if let Ok(cmd) = assert_cmd::Command::cargo_bin("codex") {
+            config.codex_linux_sandbox_exe = Some(PathBuf::from(cmd.get_program().to_os_string()));
+        }

        let mut mutators = vec![];
        swap(&mut self.config_mutators, &mut mutators);
@@ -242,6 +240,30 @@ impl TestCodexHarness {
            .expect("output string")
            .to_string()
    }
+
+    pub async fn custom_tool_call_output(&self, call_id: &str) -> String {
+        let bodies = self.request_bodies().await;
+        custom_tool_call_output(&bodies, call_id)
+            .get("output")
+            .and_then(Value::as_str)
+            .expect("output string")
+            .to_string()
+    }
+}
+
+fn custom_tool_call_output<'a>(bodies: &'a [Value], call_id: &str) -> &'a Value {
+    for body in bodies {
+        if let Some(items) = body.get("input").and_then(Value::as_array) {
+            for item in items {
+                if item.get("type").and_then(Value::as_str) == Some("custom_tool_call_output")
+                    && item.get("call_id").and_then(Value::as_str) == Some(call_id)
+                {
+                    return item;
+                }
+            }
+        }
+    }
+    panic!("custom_tool_call_output {call_id} not found");
 }

 fn function_call_output<'a>(bodies: &'a [Value], call_id: &str) -> &'a Value {
--- a/codex-rs/core/tests/responses_headers.rs
+++ b/codex-rs/core/tests/responses_headers.rs
@@ -10,6 +10,7 @@ use codex_core::ResponseItem;
 use codex_core::WireApi;
 use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::ConversationId;
+use codex_protocol::protocol::SessionSource;
 use core_test_support::load_default_config_for_test;
 use core_test_support::responses;
 use futures::StreamExt;
@@ -17,7 +18,7 @@ use tempfile::TempDir;
 use wiremock::matchers::header;

 #[tokio::test]
-async fn responses_stream_includes_task_type_header() {
+async fn responses_stream_includes_subagent_header_on_review() {
    core_test_support::skip_if_no_network!();

    let server = responses::start_mock_server().await;
@@ -28,7 +29,7 @@ async fn responses_stream_includes_task_type_header() {

    let request_recorder = responses::mount_sse_once_match(
        &server,
-        header("Codex-Task-Type", "standard"),
+        header("x-openai-subagent", "review"),
        response_body,
    )
    .await;
@@ -78,6 +79,7 @@ async fn responses_stream_includes_task_type_header() {
        effort,
        summary,
        conversation_id,
+        SessionSource::SubAgent(codex_protocol::protocol::SubAgentSource::Review),
    );

    let mut prompt = Prompt::default();
@@ -98,7 +100,97 @@ async fn responses_stream_includes_task_type_header() {

    let request = request_recorder.single_request();
    assert_eq!(
-        request.header("Codex-Task-Type").as_deref(),
-        Some("standard")
+        request.header("x-openai-subagent").as_deref(),
+        Some("review")
+    );
+}
+
+#[tokio::test]
+async fn responses_stream_includes_subagent_header_on_other() {
+    core_test_support::skip_if_no_network!();
+
+    let server = responses::start_mock_server().await;
+    let response_body = responses::sse(vec![
+        responses::ev_response_created("resp-1"),
+        responses::ev_completed("resp-1"),
+    ]);
+
+    let request_recorder = responses::mount_sse_once_match(
+        &server,
+        header("x-openai-subagent", "my-task"),
+        response_body,
+    )
+    .await;
+
+    let provider = ModelProviderInfo {
+        name: "mock".into(),
+        base_url: Some(format!("{}/v1", server.uri())),
+        env_key: None,
+        env_key_instructions: None,
+        experimental_bearer_token: None,
+        wire_api: WireApi::Responses,
+        query_params: None,
+        http_headers: None,
+        env_http_headers: None,
+        request_max_retries: Some(0),
+        stream_max_retries: Some(0),
+        stream_idle_timeout_ms: Some(5_000),
+        requires_openai_auth: false,
+    };
+
+    let codex_home = TempDir::new().expect("failed to create TempDir");
+    let mut config = load_default_config_for_test(&codex_home);
+    config.model_provider_id = provider.name.clone();
+    config.model_provider = provider.clone();
+    let effort = config.model_reasoning_effort;
+    let summary = config.model_reasoning_summary;
+    let config = Arc::new(config);
+
+    let conversation_id = ConversationId::new();
+
+    let otel_event_manager = OtelEventManager::new(
+        conversation_id,
+        config.model.as_str(),
+        config.model_family.slug.as_str(),
+        None,
+        Some("test@test.com".to_string()),
+        Some(AuthMode::ChatGPT),
+        false,
+        "test".to_string(),
+    );
+
+    let client = ModelClient::new(
+        Arc::clone(&config),
+        None,
+        otel_event_manager,
+        provider,
+        effort,
+        summary,
+        conversation_id,
+        SessionSource::SubAgent(codex_protocol::protocol::SubAgentSource::Other(
+            "my-task".to_string(),
+        )),
+    );
+
+    let mut prompt = Prompt::default();
+    prompt.input = vec![ResponseItem::Message {
+        id: None,
+        role: "user".into(),
+        content: vec![ContentItem::InputText {
+            text: "hello".into(),
+        }],
+    }];
+
+    let mut stream = client.stream(&prompt).await.expect("stream failed");
+    while let Some(event) = stream.next().await {
+        if matches!(event, Ok(ResponseEvent::Completed { .. })) {
+            break;
+        }
+    }
+
+    let request = request_recorder.single_request();
+    assert_eq!(
+        request.header("x-openai-subagent").as_deref(),
+        Some("my-task")
    );
 }
--- a/codex-rs/core/tests/suite/apply_patch_freeform.rs
+++ b/codex-rs/core/tests/suite/apply_patch_freeform.rs
--- a/codex-rs/core/tests/suite/approvals.rs
+++ b/codex-rs/core/tests/suite/approvals.rs
@@ -268,11 +268,22 @@ impl Expectation {
                    "expected non-zero exit for {path:?}"
                );
                for needle in *message_contains {
-                    assert!(
-                        result.stdout.contains(needle),
-                        "stdout missing {needle:?}: {}",
-                        result.stdout
-                    );
+                    if needle.contains('|') {
+                        let options: Vec<&str> = needle.split('|').collect();
+                        let matches_any =
+                            options.iter().any(|option| result.stdout.contains(option));
+                        assert!(
+                            matches_any,
+                            "stdout missing one of {options:?}: {}",
+                            result.stdout
+                        );
+                    } else {
+                        assert!(
+                            result.stdout.contains(needle),
+                            "stdout missing {needle:?}: {}",
+                            result.stdout
+                        );
+                    }
                }
                assert!(
                    !path.exists(),
@@ -901,7 +912,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
                message_contains: if cfg!(target_os = "linux") {
                    &["Permission denied"]
                } else {
-                    &["failed in sandbox"]
+                    &["Permission denied|Operation not permitted|Read-only file system"]
                },
            },
        },
@@ -1045,7 +1056,7 @@ fn scenarios() -> Vec<ScenarioSpec> {
                message_contains: if cfg!(target_os = "linux") {
                    &["Permission denied"]
                } else {
-                    &["failed in sandbox"]
+                    &["Permission denied|Operation not permitted|Read-only file system"]
                },
            },
        },
--- a/codex-rs/core/tests/suite/client.rs
+++ b/codex-rs/core/tests/suite/client.rs
@@ -58,6 +58,18 @@ fn assert_message_role(request_body: &serde_json::Value, role: &str) {
    assert_eq!(request_body["role"].as_str().unwrap(), role);
 }

+#[expect(clippy::expect_used)]
+fn assert_message_equals(request_body: &serde_json::Value, text: &str) {
+    let content = request_body["content"][0]["text"]
+        .as_str()
+        .expect("invalid message content");
+
+    assert_eq!(
+        content, text,
+        "expected message content '{content}' to equal '{text}'"
+    );
+}
+
 #[expect(clippy::expect_used)]
 fn assert_message_starts_with(request_body: &serde_json::Value, text: &str) {
    let content = request_body["content"][0]["text"]
@@ -601,13 +613,81 @@ async fn includes_user_instructions_message_in_request() {
            .contains("be nice")
    );
    assert_message_role(&request_body["input"][0], "user");
-    assert_message_starts_with(&request_body["input"][0], "<user_instructions>");
-    assert_message_ends_with(&request_body["input"][0], "</user_instructions>");
+    assert_message_starts_with(&request_body["input"][0], "# AGENTS.md instructions for ");
+    assert_message_ends_with(&request_body["input"][0], "</INSTRUCTIONS>");
+    let ui_text = request_body["input"][0]["content"][0]["text"]
+        .as_str()
+        .expect("invalid message content");
+    assert!(ui_text.contains("<INSTRUCTIONS>"));
+    assert!(ui_text.contains("be nice"));
    assert_message_role(&request_body["input"][1], "user");
    assert_message_starts_with(&request_body["input"][1], "<environment_context>");
    assert_message_ends_with(&request_body["input"][1], "</environment_context>");
 }

+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn includes_developer_instructions_message_in_request() {
+    skip_if_no_network!();
+    let server = MockServer::start().await;
+
+    let resp_mock =
+        responses::mount_sse_once_match(&server, path("/v1/responses"), sse_completed("resp1"))
+            .await;
+
+    let model_provider = ModelProviderInfo {
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
+    };
+
+    let codex_home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.model_provider = model_provider;
+    config.user_instructions = Some("be nice".to_string());
+    config.developer_instructions = Some("be useful".to_string());
+
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
+    let codex = conversation_manager
+        .new_conversation(config)
+        .await
+        .expect("create new conversation")
+        .conversation;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![UserInput::Text {
+                text: "hello".into(),
+            }],
+        })
+        .await
+        .unwrap();
+
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    let request = resp_mock.single_request();
+    let request_body = request.body_json();
+
+    assert!(
+        !request_body["instructions"]
+            .as_str()
+            .unwrap()
+            .contains("be nice")
+    );
+    assert_message_role(&request_body["input"][0], "developer");
+    assert_message_equals(&request_body["input"][0], "be useful");
+    assert_message_role(&request_body["input"][1], "user");
+    assert_message_starts_with(&request_body["input"][1], "# AGENTS.md instructions for ");
+    assert_message_ends_with(&request_body["input"][1], "</INSTRUCTIONS>");
+    let ui_text = request_body["input"][1]["content"][0]["text"]
+        .as_str()
+        .expect("invalid message content");
+    assert!(ui_text.contains("<INSTRUCTIONS>"));
+    assert!(ui_text.contains("be nice"));
+    assert_message_role(&request_body["input"][2], "user");
+    assert_message_starts_with(&request_body["input"][2], "<environment_context>");
+    assert_message_ends_with(&request_body["input"][2], "</environment_context>");
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn azure_responses_request_includes_store_and_reasoning_ids() {
    skip_if_no_network!();
@@ -675,6 +755,7 @@ async fn azure_responses_request_includes_store_and_reasoning_ids() {
        effort,
        summary,
        conversation_id,
+        codex_protocol::protocol::SessionSource::Exec,
    );

    let mut prompt = Prompt::default();
@@ -1261,6 +1342,10 @@ async fn history_dedupes_streamed_and_final_messages_across_turns() {
    // Build a small SSE stream with deltas and a final assistant message.
    // We emit the same body for all 3 turns; ids vary but are unused by assertions.
    let sse_raw = r##"[
+        {"type":"response.output_item.added", "item":{
+            "type":"message", "role":"assistant",
+            "content":[{"type":"output_text","text":""}]
+        }},
        {"type":"response.output_text.delta", "delta":"Hey "},
        {"type":"response.output_text.delta", "delta":"there"},
        {"type":"response.output_text.delta", "delta":"!\n"},
--- a/codex-rs/core/tests/suite/codex_delegate.rs
+++ b/codex-rs/core/tests/suite/codex_delegate.rs
@@ -0,0 +1,173 @@
+use codex_core::protocol::AskForApproval;
+use codex_core::protocol::EventMsg;
+use codex_core::protocol::Op;
+use codex_core::protocol::ReviewDecision;
+use codex_core::protocol::ReviewRequest;
+use codex_core::protocol::SandboxPolicy;
+use core_test_support::responses::ev_apply_patch_function_call;
+use core_test_support::responses::ev_assistant_message;
+use core_test_support::responses::ev_completed;
+use core_test_support::responses::ev_function_call;
+use core_test_support::responses::ev_response_created;
+use core_test_support::responses::mount_sse_sequence;
+use core_test_support::responses::sse;
+use core_test_support::responses::start_mock_server;
+use core_test_support::skip_if_no_network;
+use core_test_support::test_codex::test_codex;
+use core_test_support::wait_for_event;
+
+/// Delegate should surface ExecApprovalRequest from sub-agent and proceed
+/// after parent submits an approval decision.
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn codex_delegate_forwards_exec_approval_and_proceeds_on_approval() {
+    skip_if_no_network!();
+
+    // Sub-agent turn 1: emit a shell function_call requiring approval, then complete.
+    let call_id = "call-exec-1";
+    let args = serde_json::json!({
+        "command": ["bash", "-lc", "rm -rf delegated"],
+        "timeout_ms": 1000,
+        "with_escalated_permissions": true,
+    })
+    .to_string();
+    let sse1 = sse(vec![
+        ev_response_created("resp-1"),
+        ev_function_call(call_id, "shell", &args),
+        ev_completed("resp-1"),
+    ]);
+
+    // Sub-agent turn 2: return structured review output and complete.
+    let review_json = serde_json::json!({
+        "findings": [],
+        "overall_correctness": "ok",
+        "overall_explanation": "delegate approved exec",
+        "overall_confidence_score": 0.5
+    })
+    .to_string();
+    let sse2 = sse(vec![
+        ev_response_created("resp-2"),
+        ev_assistant_message("msg-1", &review_json),
+        ev_completed("resp-2"),
+    ]);
+
+    let server = start_mock_server().await;
+    mount_sse_sequence(&server, vec![sse1, sse2]).await;
+
+    // Build a conversation configured to require approvals so the delegate
+    // routes ExecApprovalRequest via the parent.
+    let mut builder = test_codex().with_config(|config| {
+        config.approval_policy = AskForApproval::OnRequest;
+        config.sandbox_policy = SandboxPolicy::ReadOnly;
+    });
+    let test = builder.build(&server).await.expect("build test codex");
+
+    // Kick off review (sub-agent starts internally).
+    test.codex
+        .submit(Op::Review {
+            review_request: ReviewRequest {
+                prompt: "Please review".to_string(),
+                user_facing_hint: "review".to_string(),
+            },
+        })
+        .await
+        .expect("submit review");
+
+    // Lifecycle: Entered -> ExecApprovalRequest -> Exited(Some) -> TaskComplete.
+    wait_for_event(&test.codex, |ev| {
+        matches!(ev, EventMsg::EnteredReviewMode(_))
+    })
+    .await;
+
+    // Expect parent-side approval request (forwarded by delegate).
+    wait_for_event(&test.codex, |ev| {
+        matches!(ev, EventMsg::ExecApprovalRequest(_))
+    })
+    .await;
+
+    // Approve via parent; id "0" is the active sub_id in tests.
+    test.codex
+        .submit(Op::ExecApproval {
+            id: "0".into(),
+            decision: ReviewDecision::Approved,
+        })
+        .await
+        .expect("submit exec approval");
+
+    wait_for_event(&test.codex, |ev| {
+        matches!(ev, EventMsg::ExitedReviewMode(_))
+    })
+    .await;
+    wait_for_event(&test.codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+}
+
+/// Delegate should surface ApplyPatchApprovalRequest and honor parent decision
+/// so the sub-agent can proceed to completion.
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn codex_delegate_forwards_patch_approval_and_proceeds_on_decision() {
+    skip_if_no_network!();
+
+    let call_id = "call-patch-1";
+    let patch = "*** Begin Patch\n*** Add File: delegated.txt\n+hello\n*** End Patch\n";
+    let sse1 = sse(vec![
+        ev_response_created("resp-1"),
+        ev_apply_patch_function_call(call_id, patch),
+        ev_completed("resp-1"),
+    ]);
+    let review_json = serde_json::json!({
+        "findings": [],
+        "overall_correctness": "ok",
+        "overall_explanation": "delegate patch handled",
+        "overall_confidence_score": 0.5
+    })
+    .to_string();
+    let sse2 = sse(vec![
+        ev_response_created("resp-2"),
+        ev_assistant_message("msg-1", &review_json),
+        ev_completed("resp-2"),
+    ]);
+
+    let server = start_mock_server().await;
+    mount_sse_sequence(&server, vec![sse1, sse2]).await;
+
+    let mut builder = test_codex().with_config(|config| {
+        config.approval_policy = AskForApproval::OnRequest;
+        // Use a restricted sandbox so patch approval is required
+        config.sandbox_policy = SandboxPolicy::ReadOnly;
+        config.include_apply_patch_tool = true;
+    });
+    let test = builder.build(&server).await.expect("build test codex");
+
+    test.codex
+        .submit(Op::Review {
+            review_request: ReviewRequest {
+                prompt: "Please review".to_string(),
+                user_facing_hint: "review".to_string(),
+            },
+        })
+        .await
+        .expect("submit review");
+
+    wait_for_event(&test.codex, |ev| {
+        matches!(ev, EventMsg::EnteredReviewMode(_))
+    })
+    .await;
+    wait_for_event(&test.codex, |ev| {
+        matches!(ev, EventMsg::ApplyPatchApprovalRequest(_))
+    })
+    .await;
+
+    // Deny via parent so delegate can continue; id "0" is the active sub_id in tests.
+    test.codex
+        .submit(Op::PatchApproval {
+            id: "0".into(),
+            decision: ReviewDecision::Denied,
+        })
+        .await
+        .expect("submit patch approval");
+
+    wait_for_event(&test.codex, |ev| {
+        matches!(ev, EventMsg::ExitedReviewMode(_))
+    })
+    .await;
+    wait_for_event(&test.codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+}
--- a/Show More
+++ b/Show More