docs: relax version check instructions

2026-02-02 06:57:03 +00:00 · 2025-10-20 14:51:42 -07:00
222 changed files with 4708 additions and 12023 deletions
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -201,7 +201,7 @@ jobs:
        # Tests take too long for release builds to run them on every PR.
        if: ${{ matrix.profile != 'release' }}
        continue-on-error: true
-        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
+        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }}
        env:
          RUST_BACKTRACE: 1

--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -58,9 +58,9 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - runner: macos-15-xlarge
+          - runner: macos-14
            target: aarch64-apple-darwin
-          - runner: macos-15-xlarge
+          - runner: macos-14
            target: x86_64-apple-darwin
          - runner: ubuntu-24.04
            target: x86_64-unknown-linux-musl
@@ -100,7 +100,7 @@ jobs:
      - name: Cargo build
        run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy

-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-14' }}
        name: Configure Apple code signing
        shell: bash
        env:
@@ -185,7 +185,7 @@ jobs:
          echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
          echo "::add-mask::$APPLE_CODESIGN_IDENTITY"

-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-14' }}
        name: Sign macOS binaries
        shell: bash
        run: |
@@ -206,7 +206,7 @@ jobs:
            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
          done

-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ matrix.runner == 'macos-14' }}
        name: Notarize macOS binaries
        shell: bash
        env:
@@ -328,7 +328,7 @@ jobs:
          done

      - name: Remove signing keychain
-        if: ${{ always() && matrix.runner == 'macos-15-xlarge' }}
+        if: ${{ always() && matrix.runner == 'macos-14' }}
        shell: bash
        env:
          APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
--- a/README.md
+++ b/README.md
@@ -33,8 +33,6 @@ Then simply run `codex` to get started:
 codex
 ```

-If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-update-codex-isnt-upgrading-me).
-
 <details>
 <summary>You can also go to the <a href="https://github.com/openai/codex/releases/latest">latest GitHub Release</a> and download the appropriate binary for your platform.</summary>

--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -182,10 +182,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "assert_cmd",
- "base64",
- "chrono",
 "codex-app-server-protocol",
- "codex-core",
 "serde",
 "serde_json",
 "tokio",
@@ -837,10 +834,8 @@ dependencies = [
 "app_test_support",
 "assert_cmd",
 "base64",
- "chrono",
 "codex-app-server-protocol",
 "codex-arg0",
- "codex-backend-client",
 "codex-common",
 "codex-core",
 "codex-file-search",
@@ -848,12 +843,10 @@ dependencies = [
 "codex-protocol",
 "codex-utils-json-to-toml",
 "core_test_support",
- "opentelemetry-appender-tracing",
 "os_info",
 "pretty_assertions",
 "serde",
 "serde_json",
- "serial_test",
 "tempfile",
 "tokio",
 "toml",
@@ -924,8 +917,6 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "codex-backend-openapi-models",
- "codex-core",
- "codex-protocol",
 "pretty_assertions",
 "reqwest",
 "serde",
@@ -938,7 +929,6 @@ version = "0.0.0"
 dependencies = [
 "serde",
 "serde_json",
- "serde_with",
 ]

 [[package]]
@@ -1062,12 +1052,12 @@ dependencies = [
 "codex-apply-patch",
 "codex-async-utils",
 "codex-file-search",
+ "codex-mcp-client",
 "codex-otel",
 "codex-protocol",
 "codex-rmcp-client",
 "codex-utils-pty",
 "codex-utils-string",
- "codex-utils-tokenizer",
 "core-foundation 0.9.4",
 "core_test_support",
 "dirs",
@@ -1076,7 +1066,6 @@ dependencies = [
 "escargot",
 "eventsource-stream",
 "futures",
- "http",
 "indexmap 2.10.0",
 "landlock",
 "libc",
@@ -1251,6 +1240,19 @@ dependencies = [
 "wiremock",
 ]

+[[package]]
+name = "codex-mcp-client"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "mcp-types",
+ "serde",
+ "serde_json",
+ "tokio",
+ "tracing",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "codex-mcp-server"
 version = "0.0.0"
@@ -1444,12 +1446,12 @@ dependencies = [
 "libc",
 "mcp-types",
 "opentelemetry-appender-tracing",
+ "path-clean",
 "pathdiff",
 "pretty_assertions",
 "pulldown-cmark",
 "rand 0.9.2",
 "ratatui",
- "ratatui-macros",
 "regex-lite",
 "serde",
 "serde_json",
@@ -1506,16 +1508,6 @@ dependencies = [
 name = "codex-utils-string"
 version = "0.0.0"

-[[package]]
-name = "codex-utils-tokenizer"
-version = "0.0.0"
-dependencies = [
- "anyhow",
- "pretty_assertions",
- "thiserror 2.0.16",
- "tiktoken-rs",
-]
-
 [[package]]
 name = "color-eyre"
 version = "0.6.5"
@@ -1636,7 +1628,6 @@ dependencies = [
 "anyhow",
 "assert_cmd",
 "codex-core",
- "codex-protocol",
 "notify",
 "regex-lite",
 "serde_json",
@@ -2314,17 +2305,6 @@ dependencies = [
 "once_cell",
 ]

-[[package]]
-name = "fancy-regex"
-version = "0.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "531e46835a22af56d1e3b66f04844bed63158bc094a628bec1d321d9b4c44bf2"
-dependencies = [
- "bit-set",
- "regex-automata",
- "regex-syntax 0.8.5",
-]
-
 [[package]]
 name = "fastrand"
 version = "2.3.0"
@@ -4297,6 +4277,12 @@ dependencies = [
 "path-dedot",
 ]

+[[package]]
+name = "path-clean"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17359afc20d7ab31fdb42bb844c8b3bb1dabd7dcf7e68428492da7f16966fcef"
+
 [[package]]
 name = "path-dedot"
 version = "3.1.1"
@@ -4642,7 +4628,7 @@ dependencies = [
 "pin-project-lite",
 "quinn-proto",
 "quinn-udp",
- "rustc-hash 2.1.1",
+ "rustc-hash",
 "rustls",
 "socket2 0.6.0",
 "thiserror 2.0.16",
@@ -4662,7 +4648,7 @@ dependencies = [
 "lru-slab",
 "rand 0.9.2",
 "ring",
- "rustc-hash 2.1.1",
+ "rustc-hash",
 "rustls",
 "rustls-pki-types",
 "slab",
@@ -4790,15 +4776,6 @@ dependencies = [
 "unicode-width 0.2.1",
 ]

-[[package]]
-name = "ratatui-macros"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fef540f80dbe8a0773266fa6077788ceb65ef624cdbf36e131aaf90b4a52df4"
-dependencies = [
- "ratatui",
-]
-
 [[package]]
 name = "redox_syscall"
 version = "0.5.15"
@@ -4956,9 +4933,9 @@ dependencies = [

 [[package]]
 name = "rmcp"
-version = "0.8.3"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fdad1258f7259fdc0f2dfc266939c82c3b5d1fd72bcde274d600cdc27e60243"
+checksum = "6f35acda8f89fca5fd8c96cae3c6d5b4c38ea0072df4c8030915f3b5ff469c1c"
 dependencies = [
 "base64",
 "bytes",
@@ -4990,9 +4967,9 @@ dependencies = [

 [[package]]
 name = "rmcp-macros"
-version = "0.8.3"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ede0589a208cc7ce81d1be68aa7e74b917fcd03c81528408bab0457e187dcd9b"
+checksum = "c9f1d5220aaa23b79c3d02e18f7a554403b3ccea544bbb6c69d6bcb3e854a274"
 dependencies = [
 "darling 0.21.3",
 "proc-macro2",
@@ -5007,12 +4984,6 @@ version = "0.1.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "989e6739f80c4ad5b13e0fd7fe89531180375b18520cc8c82080e4dc4035b84f"

-[[package]]
-name = "rustc-hash"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
-
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -6193,21 +6164,6 @@ dependencies = [
 "zune-jpeg",
 ]

-[[package]]
-name = "tiktoken-rs"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25563eeba904d770acf527e8b370fe9a5547bacd20ff84a0b6c3bc41288e5625"
-dependencies = [
- "anyhow",
- "base64",
- "bstr",
- "fancy-regex",
- "lazy_static",
- "regex",
- "rustc-hash 1.1.0",
-]
-
 [[package]]
 name = "time"
 version = "0.3.44"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -20,6 +20,7 @@ members = [
    "git-tooling",
    "linux-sandbox",
    "login",
+    "mcp-client",
    "mcp-server",
    "mcp-types",
    "ollama",
@@ -36,7 +37,6 @@ members = [
    "utils/readiness",
    "utils/pty",
    "utils/string",
-    "utils/tokenizer",
 ]
 resolver = "2"

@@ -57,7 +57,6 @@ codex-app-server-protocol = { path = "app-server-protocol" }
 codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
-codex-backend-client = { path = "backend-client" }
 codex-chatgpt = { path = "chatgpt" }
 codex-common = { path = "common" }
 codex-core = { path = "core" }
@@ -67,6 +66,7 @@ codex-file-search = { path = "file-search" }
 codex-git-tooling = { path = "git-tooling" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-login = { path = "login" }
+codex-mcp-client = { path = "mcp-client" }
 codex-mcp-server = { path = "mcp-server" }
 codex-ollama = { path = "ollama" }
 codex-otel = { path = "otel" }
@@ -78,10 +78,9 @@ codex-rmcp-client = { path = "rmcp-client" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
-codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
+codex-utils-pty = { path = "utils/pty" }
 codex-utils-string = { path = "utils/string" }
-codex-utils-tokenizer = { path = "utils/tokenizer" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
@@ -116,7 +115,6 @@ env_logger = "0.11.5"
 escargot = "0.5"
 eventsource-stream = "0.2.3"
 futures = { version = "0.3", default-features = false }
-http = "1.3.1"
 icu_decimal = "2.0.0"
 icu_locale_core = "2.0.0"
 ignore = "0.4.23"
@@ -144,6 +142,7 @@ os_info = "3.12.0"
 owo-colors = "4.2.0"
 paste = "1.0.15"
 path-absolutize = "3.1.1"
+path-clean = "1.0.1"
 pathdiff = "0.2"
 portable-pty = "0.9.0"
 predicates = "3"
@@ -151,10 +150,9 @@ pretty_assertions = "1.4.1"
 pulldown-cmark = "0.10"
 rand = "0.9"
 ratatui = "0.29.0"
-ratatui-macros = "0.6.0"
 regex-lite = "0.1.7"
 reqwest = "0.12"
-rmcp = { version = "0.8.3", default-features = false }
+rmcp = { version = "0.8.0", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
 sentry = "0.34.0"
@@ -247,7 +245,7 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["openssl-sys", "codex-utils-readiness", "codex-utils-tokenizer"]
+ignored = ["openssl-sys", "codex-utils-readiness"]

 [profile.release]
 lto = "fat"
@@ -258,11 +256,6 @@ strip = "symbols"
 # See https://github.com/openai/codex/issues/1411 for details.
 codegen-units = 1

-[profile.ci-test]
-debug = 1         # Reduce debug symbol size
-inherits = "test"
-opt-level = 0
-
 [patch.crates-io]
 # Uncomment to debug local changes.
 # ratatui = { path = "../../ratatui" }
--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -23,7 +23,6 @@ use std::io::Write;
 use std::path::Path;
 use std::path::PathBuf;
 use std::process::Command;
-use ts_rs::ExportError;
 use ts_rs::TS;

 const HEADER: &str = "// GENERATED CODE! DO NOT MODIFY BY HAND!\n\n";
@@ -105,19 +104,6 @@ macro_rules! for_each_schema_type {
    };
 }

-fn export_ts_with_context<F>(label: &str, export: F) -> Result<()>
-where
-    F: FnOnce() -> std::result::Result<(), ExportError>,
-{
-    match export() {
-        Ok(()) => Ok(()),
-        Err(ExportError::CannotBeExported(ty)) => Err(anyhow!(
-            "failed to export {label}: dependency {ty} cannot be exported"
-        )),
-        Err(err) => Err(err.into()),
-    }
-}
-
 pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
    generate_ts(out_dir, prettier)?;
    generate_json(out_dir)?;
@@ -127,17 +113,13 @@ pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
 pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
    ensure_dir(out_dir)?;

-    export_ts_with_context("ClientRequest", || ClientRequest::export_all_to(out_dir))?;
-    export_ts_with_context("client responses", || export_client_responses(out_dir))?;
-    export_ts_with_context("ClientNotification", || {
-        ClientNotification::export_all_to(out_dir)
-    })?;
+    ClientRequest::export_all_to(out_dir)?;
+    export_client_responses(out_dir)?;
+    ClientNotification::export_all_to(out_dir)?;

-    export_ts_with_context("ServerRequest", || ServerRequest::export_all_to(out_dir))?;
-    export_ts_with_context("server responses", || export_server_responses(out_dir))?;
-    export_ts_with_context("ServerNotification", || {
-        ServerNotification::export_all_to(out_dir)
-    })?;
+    ServerRequest::export_all_to(out_dir)?;
+    export_server_responses(out_dir)?;
+    ServerNotification::export_all_to(out_dir)?;

    generate_index_ts(out_dir)?;

--- a/codex-rs/app-server-protocol/src/protocol.rs
+++ b/codex-rs/app-server-protocol/src/protocol.rs
@@ -5,7 +5,6 @@ use crate::JSONRPCNotification;
 use crate::JSONRPCRequest;
 use crate::RequestId;
 use codex_protocol::ConversationId;
-use codex_protocol::account::Account;
 use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
@@ -15,9 +14,7 @@ use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::FileChange;
-use codex_protocol::protocol::RateLimitSnapshot;
 use codex_protocol::protocol::ReviewDecision;
-use codex_protocol::protocol::SandboxCommandAssessment;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnAbortReason;
 use paste::paste;
@@ -95,43 +92,6 @@ macro_rules! client_request_definitions {
 }

 client_request_definitions! {
-    /// NEW APIs
-    #[serde(rename = "model/list")]
-    #[ts(rename = "model/list")]
-    ListModels {
-        params: ListModelsParams,
-        response: ListModelsResponse,
-    },
-
-    #[serde(rename = "account/login")]
-    #[ts(rename = "account/login")]
-    LoginAccount {
-        params: LoginAccountParams,
-        response: LoginAccountResponse,
-    },
-
-    #[serde(rename = "account/logout")]
-    #[ts(rename = "account/logout")]
-    LogoutAccount {
-        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
-        response: LogoutAccountResponse,
-    },
-
-    #[serde(rename = "account/rateLimits/read")]
-    #[ts(rename = "account/rateLimits/read")]
-    GetAccountRateLimits {
-        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
-        response: GetAccountRateLimitsResponse,
-    },
-
-    #[serde(rename = "account/read")]
-    #[ts(rename = "account/read")]
-    GetAccount {
-        params: #[ts(type = "undefined")] #[serde(skip_serializing_if = "Option::is_none")] Option<()>,
-        response: GetAccountResponse,
-    },
-
-    /// DEPRECATED APIs below
    Initialize {
        params: InitializeParams,
        response: InitializeResponse,
@@ -280,6 +240,10 @@ pub struct NewConversationParams {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub base_instructions: Option<String>,

+    /// Whether to include the plan tool in the conversation.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub include_plan_tool: Option<bool>,
+
    /// Whether to include the apply patch tool in the conversation.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub include_apply_patch_tool: Option<bool>,
@@ -337,79 +301,6 @@ pub struct ListConversationsResponse {
    pub next_cursor: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct ListModelsParams {
-    /// Optional page size; defaults to a reasonable server-side value.
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub page_size: Option<usize>,
-    /// Opaque pagination cursor returned by a previous call.
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub cursor: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct Model {
-    pub id: String,
-    pub model: String,
-    pub display_name: String,
-    pub description: String,
-    pub supported_reasoning_efforts: Vec<ReasoningEffortOption>,
-    pub default_reasoning_effort: ReasoningEffort,
-    // Only one model should be marked as default.
-    pub is_default: bool,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct ReasoningEffortOption {
-    pub reasoning_effort: ReasoningEffort,
-    pub description: String,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct ListModelsResponse {
-    pub items: Vec<Model>,
-    /// Opaque cursor to pass to the next call to continue after the last item.
-    /// if None, there are no more items to return.
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub next_cursor: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(tag = "type")]
-#[ts(tag = "type")]
-pub enum LoginAccountParams {
-    #[serde(rename = "apiKey")]
-    #[ts(rename = "apiKey")]
-    ApiKey {
-        #[serde(rename = "apiKey")]
-        #[ts(rename = "apiKey")]
-        api_key: String,
-    },
-    #[serde(rename = "chatgpt")]
-    #[ts(rename = "chatgpt")]
-    ChatGpt,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct LoginAccountResponse {
-    /// Only set if the login method is ChatGPT.
-    #[schemars(with = "String")]
-    pub login_id: Option<Uuid>,
-
-    /// URL the client should open in a browser to initiate the OAuth flow.
-    /// Only set if the login method is ChatGPT.
-    pub auth_url: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct LogoutAccountResponse {}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ResumeConversationParams {
@@ -529,18 +420,6 @@ pub struct ExecOneOffCommandResponse {
    pub stderr: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-pub struct GetAccountRateLimitsResponse {
-    pub rate_limits: RateLimitSnapshot,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(transparent)]
-#[ts(export)]
-#[ts(type = "Account | null")]
-pub struct GetAccountResponse(#[ts(type = "Account | null")] pub Option<Account>);
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetAuthStatusResponse {
@@ -717,8 +596,6 @@ pub struct SendUserMessageResponse {}
 #[serde(rename_all = "camelCase")]
 pub struct AddConversationListenerParams {
    pub conversation_id: ConversationId,
-    #[serde(default)]
-    pub experimental_raw_events: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -850,8 +727,6 @@ pub struct ExecCommandApprovalParams {
    pub cwd: PathBuf,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reason: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub risk: Option<SandboxCommandAssessment>,
    pub parsed_cmd: Vec<ParsedCommand>,
 }

@@ -943,13 +818,6 @@ pub struct AuthStatusChangeNotification {
 #[serde(tag = "method", content = "params", rename_all = "camelCase")]
 #[strum(serialize_all = "camelCase")]
 pub enum ServerNotification {
-    /// NEW NOTIFICATIONS
-    #[serde(rename = "account/rateLimits/updated")]
-    #[ts(rename = "account/rateLimits/updated")]
-    #[strum(serialize = "account/rateLimits/updated")]
-    AccountRateLimitsUpdated(RateLimitSnapshot),
-
-    /// DEPRECATED NOTIFICATIONS below
    /// Authentication status changed
    AuthStatusChange(AuthStatusChangeNotification),

@@ -963,7 +831,6 @@ pub enum ServerNotification {
 impl ServerNotification {
    pub fn to_params(self) -> Result<serde_json::Value, serde_json::Error> {
        match self {
-            ServerNotification::AccountRateLimitsUpdated(params) => serde_json::to_value(params),
            ServerNotification::AuthStatusChange(params) => serde_json::to_value(params),
            ServerNotification::LoginChatGptComplete(params) => serde_json::to_value(params),
            ServerNotification::SessionConfigured(params) => serde_json::to_value(params),
@@ -1006,6 +873,7 @@ mod tests {
                sandbox: None,
                config: None,
                base_instructions: None,
+                include_plan_tool: None,
                include_apply_patch_tool: None,
            },
        };
@@ -1068,7 +936,6 @@ mod tests {
            command: vec!["echo".to_string(), "hello".to_string()],
            cwd: PathBuf::from("/tmp"),
            reason: Some("because tests".to_string()),
-            risk: None,
            parsed_cmd: vec![ParsedCommand::Unknown {
                cmd: "echo hello".to_string(),
            }],
@@ -1103,110 +970,4 @@ mod tests {
        assert_eq!(payload.request_with_id(RequestId::Integer(7)), request);
        Ok(())
    }
-
-    #[test]
-    fn serialize_get_account_rate_limits() -> Result<()> {
-        let request = ClientRequest::GetAccountRateLimits {
-            request_id: RequestId::Integer(1),
-            params: None,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/rateLimits/read",
-                "id": 1,
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_account_login_api_key() -> Result<()> {
-        let request = ClientRequest::LoginAccount {
-            request_id: RequestId::Integer(2),
-            params: LoginAccountParams::ApiKey {
-                api_key: "secret".to_string(),
-            },
-        };
-        assert_eq!(
-            json!({
-                "method": "account/login",
-                "id": 2,
-                "params": {
-                    "type": "apiKey",
-                    "apiKey": "secret"
-                }
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_account_login_chatgpt() -> Result<()> {
-        let request = ClientRequest::LoginAccount {
-            request_id: RequestId::Integer(3),
-            params: LoginAccountParams::ChatGpt,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/login",
-                "id": 3,
-                "params": {
-                    "type": "chatgpt"
-                }
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_account_logout() -> Result<()> {
-        let request = ClientRequest::LogoutAccount {
-            request_id: RequestId::Integer(4),
-            params: None,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/logout",
-                "id": 4,
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_get_account() -> Result<()> {
-        let request = ClientRequest::GetAccount {
-            request_id: RequestId::Integer(5),
-            params: None,
-        };
-        assert_eq!(
-            json!({
-                "method": "account/read",
-                "id": 5,
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
-    #[test]
-    fn serialize_list_models() -> Result<()> {
-        let request = ClientRequest::ListModels {
-            request_id: RequestId::Integer(6),
-            params: ListModelsParams::default(),
-        };
-        assert_eq!(
-            json!({
-                "method": "model/list",
-                "id": 6,
-                "params": {}
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
 }
--- a/codex-rs/app-server/Cargo.toml
+++ b/codex-rs/app-server/Cargo.toml
@@ -19,13 +19,11 @@ anyhow = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
-codex-backend-client = { workspace = true }
 codex-file-search = { workspace = true }
 codex-login = { workspace = true }
 codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-utils-json-to-toml = { workspace = true }
-chrono = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [
@@ -37,7 +35,6 @@ tokio = { workspace = true, features = [
 ] }
 tracing = { workspace = true, features = ["log"] }
 tracing-subscriber = { workspace = true, features = ["env-filter", "fmt"] }
-opentelemetry-appender-tracing = { workspace = true }
 uuid = { workspace = true, features = ["serde", "v7"] }

 [dev-dependencies]
@@ -47,7 +44,6 @@ base64 = { workspace = true }
 core_test_support = { workspace = true }
 os_info = { workspace = true }
 pretty_assertions = { workspace = true }
-serial_test = { workspace = true }
 tempfile = { workspace = true }
 toml = { workspace = true }
 wiremock = { workspace = true }
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -1,7 +1,6 @@
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
 use crate::fuzzy_file_search::run_fuzzy_file_search;
-use crate::models::supported_models;
 use crate::outgoing_message::OutgoingMessageSender;
 use crate::outgoing_message::OutgoingNotification;
 use codex_app_server_protocol::AddConversationListenerParams;
@@ -10,7 +9,6 @@ use codex_app_server_protocol::ApplyPatchApprovalParams;
 use codex_app_server_protocol::ApplyPatchApprovalResponse;
 use codex_app_server_protocol::ArchiveConversationParams;
 use codex_app_server_protocol::ArchiveConversationResponse;
-use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::AuthStatusChangeNotification;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ConversationSummary;
@@ -20,7 +18,6 @@ use codex_app_server_protocol::ExecOneOffCommandParams;
 use codex_app_server_protocol::ExecOneOffCommandResponse;
 use codex_app_server_protocol::FuzzyFileSearchParams;
 use codex_app_server_protocol::FuzzyFileSearchResponse;
-use codex_app_server_protocol::GetAccountRateLimitsResponse;
 use codex_app_server_protocol::GetUserAgentResponse;
 use codex_app_server_protocol::GetUserSavedConfigResponse;
 use codex_app_server_protocol::GitDiffToRemoteResponse;
@@ -30,8 +27,6 @@ use codex_app_server_protocol::InterruptConversationResponse;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::ListConversationsParams;
 use codex_app_server_protocol::ListConversationsResponse;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::ListModelsResponse;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::LoginApiKeyResponse;
 use codex_app_server_protocol::LoginChatGptCompleteNotification;
@@ -54,7 +49,6 @@ use codex_app_server_protocol::SetDefaultModelParams;
 use codex_app_server_protocol::SetDefaultModelResponse;
 use codex_app_server_protocol::UserInfoResponse;
 use codex_app_server_protocol::UserSavedConfig;
-use codex_backend_client::Client as BackendClient;
 use codex_core::AuthManager;
 use codex_core::CodexConversation;
 use codex_core::ConversationManager;
@@ -83,6 +77,7 @@ use codex_core::protocol::ApplyPatchApprovalRequestEvent;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::ExecApprovalRequestEvent;
+use codex_core::protocol::InputItem as CoreInputItem;
 use codex_core::protocol::Op;
 use codex_core::protocol::ReviewDecision;
 use codex_login::ServerOptions as LoginServerOptions;
@@ -90,11 +85,10 @@ use codex_login::ShutdownHandle;
 use codex_login::run_login_server;
 use codex_protocol::ConversationId;
 use codex_protocol::config_types::ForcedLoginMethod;
-use codex_protocol::items::TurnItem;
+use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::RateLimitSnapshot;
+use codex_protocol::protocol::InputMessageKind;
 use codex_protocol::protocol::USER_MESSAGE_BEGIN;
-use codex_protocol::user_input::UserInput as CoreInputItem;
 use codex_utils_json_to_toml::json_to_toml;
 use std::collections::HashMap;
 use std::ffi::OsStr;
@@ -113,6 +107,7 @@ use uuid::Uuid;

 // Duration before a ChatGPT login attempt is abandoned.
 const LOGIN_CHATGPT_TIMEOUT: Duration = Duration::from_secs(10 * 60);
+
 struct ActiveLogin {
    shutdown_handle: ShutdownHandle,
    login_id: Uuid,
@@ -173,30 +168,6 @@ impl CodexMessageProcessor {
            ClientRequest::ListConversations { request_id, params } => {
                self.handle_list_conversations(request_id, params).await;
            }
-            ClientRequest::ListModels { request_id, params } => {
-                self.list_models(request_id, params).await;
-            }
-            ClientRequest::LoginAccount {
-                request_id,
-                params: _,
-            } => {
-                self.send_unimplemented_error(request_id, "account/login")
-                    .await;
-            }
-            ClientRequest::LogoutAccount {
-                request_id,
-                params: _,
-            } => {
-                self.send_unimplemented_error(request_id, "account/logout")
-                    .await;
-            }
-            ClientRequest::GetAccount {
-                request_id,
-                params: _,
-            } => {
-                self.send_unimplemented_error(request_id, "account/read")
-                    .await;
-            }
            ClientRequest::ResumeConversation { request_id, params } => {
                self.handle_resume_conversation(request_id, params).await;
            }
@@ -269,24 +240,9 @@ impl CodexMessageProcessor {
            ClientRequest::ExecOneOffCommand { request_id, params } => {
                self.exec_one_off_command(request_id, params).await;
            }
-            ClientRequest::GetAccountRateLimits {
-                request_id,
-                params: _,
-            } => {
-                self.get_account_rate_limits(request_id).await;
-            }
        }
    }

-    async fn send_unimplemented_error(&self, request_id: RequestId, method: &str) {
-        let error = JSONRPCErrorError {
-            code: INTERNAL_ERROR_CODE,
-            message: format!("{method} is not implemented yet"),
-            data: None,
-        };
-        self.outgoing.send_error(request_id, error).await;
-    }
-
    async fn login_api_key(&mut self, request_id: RequestId, params: LoginApiKeyParams) {
        if matches!(
            self.config.forced_login_method,
@@ -571,53 +527,6 @@ impl CodexMessageProcessor {
        self.outgoing.send_response(request_id, response).await;
    }

-    async fn get_account_rate_limits(&self, request_id: RequestId) {
-        match self.fetch_account_rate_limits().await {
-            Ok(rate_limits) => {
-                let response = GetAccountRateLimitsResponse { rate_limits };
-                self.outgoing.send_response(request_id, response).await;
-            }
-            Err(error) => {
-                self.outgoing.send_error(request_id, error).await;
-            }
-        }
-    }
-
-    async fn fetch_account_rate_limits(&self) -> Result<RateLimitSnapshot, JSONRPCErrorError> {
-        let Some(auth) = self.auth_manager.auth() else {
-            return Err(JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "codex account authentication required to read rate limits".to_string(),
-                data: None,
-            });
-        };
-
-        if auth.mode != AuthMode::ChatGPT {
-            return Err(JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "chatgpt authentication required to read rate limits".to_string(),
-                data: None,
-            });
-        }
-
-        let client = BackendClient::from_auth(self.config.chatgpt_base_url.clone(), &auth)
-            .await
-            .map_err(|err| JSONRPCErrorError {
-                code: INTERNAL_ERROR_CODE,
-                message: format!("failed to construct backend client: {err}"),
-                data: None,
-            })?;
-
-        client
-            .get_rate_limits()
-            .await
-            .map_err(|err| JSONRPCErrorError {
-                code: INTERNAL_ERROR_CODE,
-                message: format!("failed to fetch codex rate limits: {err}"),
-                data: None,
-            })
-    }
-
    async fn get_user_saved_config(&self, request_id: RequestId) {
        let toml_value = match load_config_as_toml(&self.config.codex_home).await {
            Ok(val) => val,
@@ -865,58 +774,6 @@ impl CodexMessageProcessor {
        self.outgoing.send_response(request_id, response).await;
    }

-    async fn list_models(&self, request_id: RequestId, params: ListModelsParams) {
-        let ListModelsParams { page_size, cursor } = params;
-        let models = supported_models();
-        let total = models.len();
-
-        if total == 0 {
-            let response = ListModelsResponse {
-                items: Vec::new(),
-                next_cursor: None,
-            };
-            self.outgoing.send_response(request_id, response).await;
-            return;
-        }
-
-        let effective_page_size = page_size.unwrap_or(total).max(1).min(total);
-        let start = match cursor {
-            Some(cursor) => match cursor.parse::<usize>() {
-                Ok(idx) => idx,
-                Err(_) => {
-                    let error = JSONRPCErrorError {
-                        code: INVALID_REQUEST_ERROR_CODE,
-                        message: format!("invalid cursor: {cursor}"),
-                        data: None,
-                    };
-                    self.outgoing.send_error(request_id, error).await;
-                    return;
-                }
-            },
-            None => 0,
-        };
-
-        if start > total {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: format!("cursor {start} exceeds total models {total}"),
-                data: None,
-            };
-            self.outgoing.send_error(request_id, error).await;
-            return;
-        }
-
-        let end = start.saturating_add(effective_page_size).min(total);
-        let items = models[start..end].to_vec();
-        let next_cursor = if end < total {
-            Some(end.to_string())
-        } else {
-            None
-        };
-        let response = ListModelsResponse { items, next_cursor };
-        self.outgoing.send_response(request_id, response).await;
-    }
-
    async fn handle_resume_conversation(
        &self,
        request_id: RequestId,
@@ -969,9 +826,18 @@ impl CodexMessageProcessor {
                        },
                    ))
                    .await;
-                let initial_messages = session_configured
-                    .initial_messages
-                    .map(|msgs| msgs.into_iter().collect());
+                let initial_messages = session_configured.initial_messages.map(|msgs| {
+                    msgs.into_iter()
+                        .filter(|event| {
+                            // Don't send non-plain user messages (like user instructions
+                            // or environment context) back so they don't get rendered.
+                            if let EventMsg::UserMessage(user_message) = event {
+                                return matches!(user_message.kind, Some(InputMessageKind::Plain));
+                            }
+                            true
+                        })
+                        .collect()
+                });

                // Reply with conversation id + model and initial messages (when present)
                let response = codex_app_server_protocol::ResumeConversationResponse {
@@ -1256,10 +1122,7 @@ impl CodexMessageProcessor {
        request_id: RequestId,
        params: AddConversationListenerParams,
    ) {
-        let AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events,
-        } = params;
+        let AddConversationListenerParams { conversation_id } = params;
        let Ok(conversation) = self
            .conversation_manager
            .get_conversation(conversation_id)
@@ -1296,11 +1159,6 @@ impl CodexMessageProcessor {
                            }
                        };

-                        if let EventMsg::RawResponseItem(_) = &event.msg
-                            && !experimental_raw_events {
-                                continue;
-                            }
-
                        // For now, we send a notification for every event,
                        // JSON-serializing the `Event` as-is, but these should
                        // be migrated to be variants of `ServerNotification`
@@ -1455,7 +1313,6 @@ async fn apply_bespoke_event_handling(
            command,
            cwd,
            reason,
-            risk,
            parsed_cmd,
        }) => {
            let params = ExecCommandApprovalParams {
@@ -1464,7 +1321,6 @@ async fn apply_bespoke_event_handling(
                command,
                cwd,
                reason,
-                risk,
                parsed_cmd,
            };
            let rx = outgoing
@@ -1476,15 +1332,6 @@ async fn apply_bespoke_event_handling(
                on_exec_approval_response(event_id, rx, conversation).await;
            });
        }
-        EventMsg::TokenCount(token_count_event) => {
-            if let Some(rate_limits) = token_count_event.rate_limits {
-                outgoing
-                    .send_server_notification(ServerNotification::AccountRateLimitsUpdated(
-                        rate_limits,
-                    ))
-                    .await;
-            }
-        }
        // If this is a TurnAborted, reply to any pending interrupt requests.
        EventMsg::TurnAborted(turn_aborted_event) => {
            let pending = {
@@ -1517,6 +1364,7 @@ async fn derive_config_from_params(
        sandbox: sandbox_mode,
        config: cli_overrides,
        base_instructions,
+        include_plan_tool,
        include_apply_patch_tool,
    } = params;
    let overrides = ConfigOverrides {
@@ -1529,11 +1377,11 @@ async fn derive_config_from_params(
        model_provider: None,
        codex_linux_sandbox_exe,
        base_instructions,
+        include_plan_tool,
        include_apply_patch_tool,
        include_view_image_tool: None,
        show_raw_agent_reasoning: None,
        tools_web_search_request: None,
-        experimental_sandbox_command_assessment: None,
        additional_writable_roots: Vec::new(),
    };

@@ -1636,8 +1484,18 @@ fn extract_conversation_summary(
    let preview = head
        .iter()
        .filter_map(|value| serde_json::from_value::<ResponseItem>(value.clone()).ok())
-        .find_map(|item| match codex_core::parse_turn_item(&item) {
-            Some(TurnItem::UserMessage(user)) => Some(user.message()),
+        .find_map(|item| match item {
+            ResponseItem::Message { content, .. } => {
+                content.into_iter().find_map(|content| match content {
+                    ContentItem::InputText { text } => {
+                        match InputMessageKind::from(("user", &text)) {
+                            InputMessageKind::Plain => Some(text),
+                            _ => None,
+                        }
+                    }
+                    _ => None,
+                })
+            }
            _ => None,
        })?;

--- a/codex-rs/app-server/src/fuzzy_file_search.rs
+++ b/codex-rs/app-server/src/fuzzy_file_search.rs
@@ -46,7 +46,6 @@ pub(crate) async fn run_fuzzy_file_search(
                threads,
                cancel_flag,
                COMPUTE_INDICES,
-                true,
            ) {
                Ok(res) => Ok((root, res)),
                Err(err) => Err((root, err)),
--- a/codex-rs/app-server/src/lib.rs
+++ b/codex-rs/app-server/src/lib.rs
@@ -1,16 +1,13 @@
 #![deny(clippy::print_stdout, clippy::print_stderr)]

-use codex_common::CliConfigOverrides;
-use codex_core::config::Config;
-use codex_core::config::ConfigOverrides;
-use opentelemetry_appender_tracing::layer::OpenTelemetryTracingBridge;
 use std::io::ErrorKind;
 use std::io::Result as IoResult;
 use std::path::PathBuf;

-use crate::message_processor::MessageProcessor;
-use crate::outgoing_message::OutgoingMessage;
-use crate::outgoing_message::OutgoingMessageSender;
+use codex_common::CliConfigOverrides;
+use codex_core::config::Config;
+use codex_core::config::ConfigOverrides;
+
 use codex_app_server_protocol::JSONRPCMessage;
 use tokio::io::AsyncBufReadExt;
 use tokio::io::AsyncWriteExt;
@@ -21,15 +18,15 @@ use tracing::debug;
 use tracing::error;
 use tracing::info;
 use tracing_subscriber::EnvFilter;
-use tracing_subscriber::Layer;
-use tracing_subscriber::layer::SubscriberExt;
-use tracing_subscriber::util::SubscriberInitExt;
+
+use crate::message_processor::MessageProcessor;
+use crate::outgoing_message::OutgoingMessage;
+use crate::outgoing_message::OutgoingMessageSender;

 mod codex_message_processor;
 mod error_code;
 mod fuzzy_file_search;
 mod message_processor;
-mod models;
 mod outgoing_message;

 /// Size of the bounded channels used to communicate between tasks. The value
@@ -41,6 +38,13 @@ pub async fn run_main(
    codex_linux_sandbox_exe: Option<PathBuf>,
    cli_config_overrides: CliConfigOverrides,
 ) -> IoResult<()> {
+    // Install a simple subscriber so `tracing` output is visible.  Users can
+    // control the log level with `RUST_LOG`.
+    tracing_subscriber::fmt()
+        .with_writer(std::io::stderr)
+        .with_env_filter(EnvFilter::from_default_env())
+        .init();
+
    // Set up channels.
    let (incoming_tx, mut incoming_rx) = mpsc::channel::<JSONRPCMessage>(CHANNEL_CAPACITY);
    let (outgoing_tx, mut outgoing_rx) = mpsc::unbounded_channel::<OutgoingMessage>();
@@ -82,29 +86,6 @@ pub async fn run_main(
            std::io::Error::new(ErrorKind::InvalidData, format!("error loading config: {e}"))
        })?;

-    let otel =
-        codex_core::otel_init::build_provider(&config, env!("CARGO_PKG_VERSION")).map_err(|e| {
-            std::io::Error::new(
-                ErrorKind::InvalidData,
-                format!("error loading otel config: {e}"),
-            )
-        })?;
-
-    // Install a simple subscriber so `tracing` output is visible.  Users can
-    // control the log level with `RUST_LOG`.
-    let stderr_fmt = tracing_subscriber::fmt::layer()
-        .with_writer(std::io::stderr)
-        .with_filter(EnvFilter::from_default_env());
-
-    let _ = tracing_subscriber::registry()
-        .with(stderr_fmt)
-        .with(otel.as_ref().map(|provider| {
-            OpenTelemetryTracingBridge::new(&provider.logger).with_filter(
-                tracing_subscriber::filter::filter_fn(codex_core::otel_init::codex_export_filter),
-            )
-        }))
-        .try_init();
-
    // Task: process incoming messages.
    let processor_handle = tokio::spawn({
        let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
--- a/codex-rs/app-server/src/models.rs
+++ b/codex-rs/app-server/src/models.rs
@@ -1,38 +0,0 @@
-use codex_app_server_protocol::Model;
-use codex_app_server_protocol::ReasoningEffortOption;
-use codex_common::model_presets::ModelPreset;
-use codex_common::model_presets::ReasoningEffortPreset;
-use codex_common::model_presets::builtin_model_presets;
-
-pub fn supported_models() -> Vec<Model> {
-    builtin_model_presets(None)
-        .into_iter()
-        .map(model_from_preset)
-        .collect()
-}
-
-fn model_from_preset(preset: ModelPreset) -> Model {
-    Model {
-        id: preset.id.to_string(),
-        model: preset.model.to_string(),
-        display_name: preset.display_name.to_string(),
-        description: preset.description.to_string(),
-        supported_reasoning_efforts: reasoning_efforts_from_preset(
-            preset.supported_reasoning_efforts,
-        ),
-        default_reasoning_effort: preset.default_reasoning_effort,
-        is_default: preset.is_default,
-    }
-}
-
-fn reasoning_efforts_from_preset(
-    efforts: &'static [ReasoningEffortPreset],
-) -> Vec<ReasoningEffortOption> {
-    efforts
-        .iter()
-        .map(|preset| ReasoningEffortOption {
-            reasoning_effort: preset.effort,
-            description: preset.description.to_string(),
-        })
-        .collect()
-}
--- a/codex-rs/app-server/src/outgoing_message.rs
+++ b/codex-rs/app-server/src/outgoing_message.rs
@@ -142,8 +142,6 @@ pub(crate) struct OutgoingError {
 #[cfg(test)]
 mod tests {
    use codex_app_server_protocol::LoginChatGptCompleteNotification;
-    use codex_protocol::protocol::RateLimitSnapshot;
-    use codex_protocol::protocol::RateLimitWindow;
    use pretty_assertions::assert_eq;
    use serde_json::json;
    use uuid::Uuid;
@@ -173,34 +171,4 @@ mod tests {
            "ensure the strum macros serialize the method field correctly"
        );
    }
-
-    #[test]
-    fn verify_account_rate_limits_notification_serialization() {
-        let notification = ServerNotification::AccountRateLimitsUpdated(RateLimitSnapshot {
-            primary: Some(RateLimitWindow {
-                used_percent: 25.0,
-                window_minutes: Some(15),
-                resets_at: Some(123),
-            }),
-            secondary: None,
-        });
-
-        let jsonrpc_notification = OutgoingMessage::AppServerNotification(notification);
-        assert_eq!(
-            json!({
-                "method": "account/rateLimits/updated",
-                "params": {
-                    "primary": {
-                        "used_percent": 25.0,
-                        "window_minutes": 15,
-                        "resets_at": 123,
-                    },
-                    "secondary": null,
-                },
-            }),
-            serde_json::to_value(jsonrpc_notification)
-                .expect("ensure the notification serializes correctly"),
-            "ensure the notification serializes correctly"
-        );
-    }
 }
--- a/codex-rs/app-server/tests/common/Cargo.toml
+++ b/codex-rs/app-server/tests/common/Cargo.toml
@@ -9,10 +9,7 @@ path = "lib.rs"
 [dependencies]
 anyhow = { workspace = true }
 assert_cmd = { workspace = true }
-base64 = { workspace = true }
-chrono = { workspace = true }
 codex-app-server-protocol = { workspace = true }
-codex-core = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = [
--- a/codex-rs/app-server/tests/common/auth_fixtures.rs
+++ b/codex-rs/app-server/tests/common/auth_fixtures.rs
@@ -1,131 +0,0 @@
-use std::path::Path;
-
-use anyhow::Context;
-use anyhow::Result;
-use base64::Engine;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
-use chrono::DateTime;
-use chrono::Utc;
-use codex_core::auth::AuthDotJson;
-use codex_core::auth::get_auth_file;
-use codex_core::auth::write_auth_json;
-use codex_core::token_data::TokenData;
-use codex_core::token_data::parse_id_token;
-use serde_json::json;
-
-/// Builder for writing a fake ChatGPT auth.json in tests.
-#[derive(Debug, Clone)]
-pub struct ChatGptAuthFixture {
-    access_token: String,
-    refresh_token: String,
-    account_id: Option<String>,
-    claims: ChatGptIdTokenClaims,
-    last_refresh: Option<Option<DateTime<Utc>>>,
-}
-
-impl ChatGptAuthFixture {
-    pub fn new(access_token: impl Into<String>) -> Self {
-        Self {
-            access_token: access_token.into(),
-            refresh_token: "refresh-token".to_string(),
-            account_id: None,
-            claims: ChatGptIdTokenClaims::default(),
-            last_refresh: None,
-        }
-    }
-
-    pub fn refresh_token(mut self, refresh_token: impl Into<String>) -> Self {
-        self.refresh_token = refresh_token.into();
-        self
-    }
-
-    pub fn account_id(mut self, account_id: impl Into<String>) -> Self {
-        self.account_id = Some(account_id.into());
-        self
-    }
-
-    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
-        self.claims.plan_type = Some(plan_type.into());
-        self
-    }
-
-    pub fn email(mut self, email: impl Into<String>) -> Self {
-        self.claims.email = Some(email.into());
-        self
-    }
-
-    pub fn last_refresh(mut self, last_refresh: Option<DateTime<Utc>>) -> Self {
-        self.last_refresh = Some(last_refresh);
-        self
-    }
-
-    pub fn claims(mut self, claims: ChatGptIdTokenClaims) -> Self {
-        self.claims = claims;
-        self
-    }
-}
-
-#[derive(Debug, Clone, Default)]
-pub struct ChatGptIdTokenClaims {
-    pub email: Option<String>,
-    pub plan_type: Option<String>,
-}
-
-impl ChatGptIdTokenClaims {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn email(mut self, email: impl Into<String>) -> Self {
-        self.email = Some(email.into());
-        self
-    }
-
-    pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
-        self.plan_type = Some(plan_type.into());
-        self
-    }
-}
-
-pub fn encode_id_token(claims: &ChatGptIdTokenClaims) -> Result<String> {
-    let header = json!({ "alg": "none", "typ": "JWT" });
-    let mut payload = serde_json::Map::new();
-    if let Some(email) = &claims.email {
-        payload.insert("email".to_string(), json!(email));
-    }
-    if let Some(plan_type) = &claims.plan_type {
-        payload.insert(
-            "https://api.openai.com/auth".to_string(),
-            json!({ "chatgpt_plan_type": plan_type }),
-        );
-    }
-    let payload = serde_json::Value::Object(payload);
-
-    let header_b64 =
-        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&header).context("serialize jwt header")?);
-    let payload_b64 =
-        URL_SAFE_NO_PAD.encode(serde_json::to_vec(&payload).context("serialize jwt payload")?);
-    let signature_b64 = URL_SAFE_NO_PAD.encode(b"signature");
-    Ok(format!("{header_b64}.{payload_b64}.{signature_b64}"))
-}
-
-pub fn write_chatgpt_auth(codex_home: &Path, fixture: ChatGptAuthFixture) -> Result<()> {
-    let id_token_raw = encode_id_token(&fixture.claims)?;
-    let id_token = parse_id_token(&id_token_raw).context("parse id token")?;
-    let tokens = TokenData {
-        id_token,
-        access_token: fixture.access_token,
-        refresh_token: fixture.refresh_token,
-        account_id: fixture.account_id,
-    };
-
-    let last_refresh = fixture.last_refresh.unwrap_or_else(|| Some(Utc::now()));
-
-    let auth = AuthDotJson {
-        openai_api_key: None,
-        tokens: Some(tokens),
-        last_refresh,
-    };
-
-    write_auth_json(&get_auth_file(codex_home), &auth).context("write auth.json")
-}
--- a/codex-rs/app-server/tests/common/lib.rs
+++ b/codex-rs/app-server/tests/common/lib.rs
@@ -1,12 +1,7 @@
-mod auth_fixtures;
 mod mcp_process;
 mod mock_model_server;
 mod responses;

-pub use auth_fixtures::ChatGptAuthFixture;
-pub use auth_fixtures::ChatGptIdTokenClaims;
-pub use auth_fixtures::encode_id_token;
-pub use auth_fixtures::write_chatgpt_auth;
 use codex_app_server_protocol::JSONRPCResponse;
 pub use mcp_process::McpProcess;
 pub use mock_model_server::create_mock_chat_completions_server;
--- a/codex-rs/app-server/tests/common/mcp_process.rs
+++ b/codex-rs/app-server/tests/common/mcp_process.rs
@@ -21,7 +21,6 @@ use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::InterruptConversationParams;
 use codex_app_server_protocol::ListConversationsParams;
-use codex_app_server_protocol::ListModelsParams;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::NewConversationParams;
 use codex_app_server_protocol::RemoveConversationListenerParams;
@@ -237,11 +236,6 @@ impl McpProcess {
        self.send_request("getUserAgent", None).await
    }

-    /// Send an `account/rateLimits/read` JSON-RPC request.
-    pub async fn send_get_account_rate_limits_request(&mut self) -> anyhow::Result<i64> {
-        self.send_request("account/rateLimits/read", None).await
-    }
-
    /// Send a `userInfo` JSON-RPC request.
    pub async fn send_user_info_request(&mut self) -> anyhow::Result<i64> {
        self.send_request("userInfo", None).await
@@ -265,15 +259,6 @@ impl McpProcess {
        self.send_request("listConversations", params).await
    }

-    /// Send a `model/list` JSON-RPC request.
-    pub async fn send_list_models_request(
-        &mut self,
-        params: ListModelsParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("model/list", params).await
-    }
-
    /// Send a `resumeConversation` JSON-RPC request.
    pub async fn send_resume_conversation_request(
        &mut self,
--- a/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
+++ b/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
@@ -30,6 +30,7 @@ use codex_protocol::config_types::SandboxMode;
 use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::Event;
 use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::InputMessageKind;
 use pretty_assertions::assert_eq;
 use std::env;
 use tempfile::TempDir;
@@ -103,10 +104,7 @@ async fn test_codex_jsonrpc_conversation_flow() {

    // 2) addConversationListener
    let add_listener_id = mcp
-        .send_add_conversation_listener_request(AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events: false,
-        })
+        .send_add_conversation_listener_request(AddConversationListenerParams { conversation_id })
        .await
        .expect("send addConversationListener");
    let add_listener_resp: JSONRPCResponse = timeout(
@@ -255,10 +253,7 @@ async fn test_send_user_turn_changes_approval_policy_behavior() {

    // 2) addConversationListener
    let add_listener_id = mcp
-        .send_add_conversation_listener_request(AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events: false,
-        })
+        .send_add_conversation_listener_request(AddConversationListenerParams { conversation_id })
        .await
        .expect("send addConversationListener");
    let _: AddConversationSubscriptionResponse =
@@ -317,7 +312,6 @@ async fn test_send_user_turn_changes_approval_policy_behavior() {
            ],
            cwd: working_directory.clone(),
            reason: None,
-            risk: None,
            parsed_cmd: vec![ParsedCommand::Unknown {
                cmd: "python3 -c 'print(42)'".to_string()
            }],
@@ -465,10 +459,7 @@ async fn test_send_user_turn_updates_sandbox_and_cwd_between_turns() {
        .expect("deserialize newConversation response");

    let add_listener_id = mcp
-        .send_add_conversation_listener_request(AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events: false,
-        })
+        .send_add_conversation_listener_request(AddConversationListenerParams { conversation_id })
        .await
        .expect("send addConversationListener");
    timeout(
@@ -537,6 +528,43 @@ async fn test_send_user_turn_updates_sandbox_and_cwd_between_turns() {
    .expect("sendUserTurn 2 timeout")
    .expect("sendUserTurn 2 resp");

+    let mut env_message: Option<String> = None;
+    let second_cwd_str = second_cwd.to_string_lossy().into_owned();
+    for _ in 0..10 {
+        let notification = timeout(
+            DEFAULT_READ_TIMEOUT,
+            mcp.read_stream_until_notification_message("codex/event/user_message"),
+        )
+        .await
+        .expect("user_message timeout")
+        .expect("user_message notification");
+        let params = notification
+            .params
+            .clone()
+            .expect("user_message should include params");
+        let event: Event = serde_json::from_value(params).expect("deserialize user_message event");
+        if let EventMsg::UserMessage(user) = event.msg
+            && matches!(user.kind, Some(InputMessageKind::EnvironmentContext))
+            && user.message.contains(&second_cwd_str)
+        {
+            env_message = Some(user.message);
+            break;
+        }
+    }
+    let env_message = env_message.expect("expected environment context update");
+    assert!(
+        env_message.contains("<sandbox_mode>danger-full-access</sandbox_mode>"),
+        "env context should reflect new sandbox mode: {env_message}"
+    );
+    assert!(
+        env_message.contains("<network_access>enabled</network_access>"),
+        "env context should enable network access for danger-full-access policy: {env_message}"
+    );
+    assert!(
+        env_message.contains(&second_cwd_str),
+        "env context should include updated cwd: {env_message}"
+    );
+
    let exec_begin_notification = timeout(
        DEFAULT_READ_TIMEOUT,
        mcp.read_stream_until_notification_message("codex/event/exec_command_begin"),
--- a/codex-rs/app-server/tests/suite/create_conversation.rs
+++ b/codex-rs/app-server/tests/suite/create_conversation.rs
@@ -67,10 +67,7 @@ async fn test_conversation_create_and_send_message_ok() {

    // Add a listener so we receive notifications for this conversation (not strictly required for this test).
    let add_listener_id = mcp
-        .send_add_conversation_listener_request(AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events: false,
-        })
+        .send_add_conversation_listener_request(AddConversationListenerParams { conversation_id })
        .await
        .expect("send addConversationListener");
    let _sub: AddConversationSubscriptionResponse =
--- a/codex-rs/app-server/tests/suite/interrupt.rs
+++ b/codex-rs/app-server/tests/suite/interrupt.rs
@@ -88,10 +88,7 @@ async fn shell_command_interruption() -> anyhow::Result<()> {

    // 2) addConversationListener
    let add_listener_id = mcp
-        .send_add_conversation_listener_request(AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events: false,
-        })
+        .send_add_conversation_listener_request(AddConversationListenerParams { conversation_id })
        .await?;
    let _add_listener_resp: JSONRPCResponse = timeout(
        DEFAULT_READ_TIMEOUT,
--- a/codex-rs/app-server/tests/suite/login.rs
+++ b/codex-rs/app-server/tests/suite/login.rs
@@ -13,7 +13,6 @@ use codex_app_server_protocol::LoginChatGptResponse;
 use codex_app_server_protocol::LogoutChatGptResponse;
 use codex_app_server_protocol::RequestId;
 use codex_login::login_with_api_key;
-use serial_test::serial;
 use tempfile::TempDir;
 use tokio::time::timeout;

@@ -95,8 +94,6 @@ async fn logout_chatgpt_removes_auth() {
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-// Serialize tests that launch the login server since it binds to a fixed port.
-#[serial(login_port)]
 async fn login_and_cancel_chatgpt() {
    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
    create_config_toml(codex_home.path()).unwrap_or_else(|err| panic!("write config.toml: {err}"));
@@ -211,8 +208,6 @@ async fn login_chatgpt_rejected_when_forced_api() {
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-// Serialize tests that launch the login server since it binds to a fixed port.
-#[serial(login_port)]
 async fn login_chatgpt_includes_forced_workspace_query_param() {
    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
    create_config_toml_forced_workspace(codex_home.path(), "ws-forced")
--- a/codex-rs/app-server/tests/suite/mod.rs
+++ b/codex-rs/app-server/tests/suite/mod.rs
@@ -7,8 +7,6 @@ mod fuzzy_file_search;
 mod interrupt;
 mod list_resume;
 mod login;
-mod model_list;
-mod rate_limits;
 mod send_message;
 mod set_default_model;
 mod user_agent;
--- a/codex-rs/app-server/tests/suite/model_list.rs
+++ b/codex-rs/app-server/tests/suite/model_list.rs
@@ -1,183 +0,0 @@
-use std::time::Duration;
-
-use anyhow::Result;
-use anyhow::anyhow;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::ListModelsParams;
-use codex_app_server_protocol::ListModelsResponse;
-use codex_app_server_protocol::Model;
-use codex_app_server_protocol::ReasoningEffortOption;
-use codex_app_server_protocol::RequestId;
-use codex_protocol::config_types::ReasoningEffort;
-use pretty_assertions::assert_eq;
-use tempfile::TempDir;
-use tokio::time::timeout;
-
-const DEFAULT_TIMEOUT: Duration = Duration::from_secs(10);
-const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(100),
-            cursor: None,
-        })
-        .await?;
-
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-
-    let ListModelsResponse { items, next_cursor } = to_response::<ListModelsResponse>(response)?;
-
-    let expected_models = vec![
-        Model {
-            id: "gpt-5-codex".to_string(),
-            model: "gpt-5-codex".to_string(),
-            display_name: "gpt-5-codex".to_string(),
-            description: "Optimized for coding tasks with many tools.".to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Fastest responses with limited reasoning".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Dynamically adjusts reasoning based on the task".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex or ambiguous problems"
-                        .to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: true,
-        },
-        Model {
-            id: "gpt-5".to_string(),
-            model: "gpt-5".to_string(),
-            display_name: "gpt-5".to_string(),
-            description: "Broad world knowledge with strong general reasoning.".to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Minimal,
-                    description: "Fastest responses with little reasoning".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Balances speed with some reasoning; useful for straightforward \
-                                   queries and short explanations"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Provides a solid balance of reasoning depth and latency for \
-                         general-purpose tasks"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex or ambiguous problems"
-                        .to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: false,
-        },
-    ];
-
-    assert_eq!(items, expected_models);
-    assert!(next_cursor.is_none());
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_pagination_works() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let first_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
-            cursor: None,
-        })
-        .await?;
-
-    let first_response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(first_request)),
-    )
-    .await??;
-
-    let ListModelsResponse {
-        items: first_items,
-        next_cursor: first_cursor,
-    } = to_response::<ListModelsResponse>(first_response)?;
-
-    assert_eq!(first_items.len(), 1);
-    assert_eq!(first_items[0].id, "gpt-5-codex");
-    let next_cursor = first_cursor.ok_or_else(|| anyhow!("cursor for second page"))?;
-
-    let second_request = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: Some(1),
-            cursor: Some(next_cursor.clone()),
-        })
-        .await?;
-
-    let second_response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(second_request)),
-    )
-    .await??;
-
-    let ListModelsResponse {
-        items: second_items,
-        next_cursor: second_cursor,
-    } = to_response::<ListModelsResponse>(second_response)?;
-
-    assert_eq!(second_items.len(), 1);
-    assert_eq!(second_items[0].id, "gpt-5");
-    assert!(second_cursor.is_none());
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_models_rejects_invalid_cursor() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-
-    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_list_models_request(ListModelsParams {
-            page_size: None,
-            cursor: Some("invalid".to_string()),
-        })
-        .await?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(error.error.message, "invalid cursor: invalid");
-    Ok(())
-}
--- a/codex-rs/app-server/tests/suite/rate_limits.rs
+++ b/codex-rs/app-server/tests/suite/rate_limits.rs
@@ -1,215 +0,0 @@
-use anyhow::Context;
-use anyhow::Result;
-use app_test_support::ChatGptAuthFixture;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use app_test_support::write_chatgpt_auth;
-use codex_app_server_protocol::GetAccountRateLimitsResponse;
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::LoginApiKeyParams;
-use codex_app_server_protocol::RequestId;
-use codex_protocol::protocol::RateLimitSnapshot;
-use codex_protocol::protocol::RateLimitWindow;
-use pretty_assertions::assert_eq;
-use serde_json::json;
-use std::path::Path;
-use tempfile::TempDir;
-use tokio::time::timeout;
-use wiremock::Mock;
-use wiremock::MockServer;
-use wiremock::ResponseTemplate;
-use wiremock::matchers::header;
-use wiremock::matchers::method;
-use wiremock::matchers::path;
-
-const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
-const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_requires_auth() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-
-    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read error")?;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(
-        error.error.message,
-        "codex account authentication required to read rate limits"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_requires_chatgpt_auth() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-
-    let mut mcp = McpProcess::new(codex_home.path())
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    login_with_api_key(&mut mcp, "sk-test-key").await?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let error: JSONRPCError = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read error")?;
-
-    assert_eq!(error.id, RequestId::Integer(request_id));
-    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
-    assert_eq!(
-        error.error.message,
-        "chatgpt authentication required to read rate limits"
-    );
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
-    let codex_home = TempDir::new().context("create codex home tempdir")?;
-    write_chatgpt_auth(
-        codex_home.path(),
-        ChatGptAuthFixture::new("chatgpt-token")
-            .account_id("account-123")
-            .plan_type("pro"),
-    )
-    .context("write chatgpt auth")?;
-
-    let server = MockServer::start().await;
-    let server_url = server.uri();
-    write_chatgpt_base_url(codex_home.path(), &server_url).context("write chatgpt base url")?;
-
-    let primary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T00:02:00Z")
-        .expect("parse primary reset timestamp")
-        .timestamp();
-    let secondary_reset_timestamp = chrono::DateTime::parse_from_rfc3339("2025-01-01T01:00:00Z")
-        .expect("parse secondary reset timestamp")
-        .timestamp();
-    let response_body = json!({
-        "plan_type": "pro",
-        "rate_limit": {
-            "allowed": true,
-            "limit_reached": false,
-            "primary_window": {
-                "used_percent": 42,
-                "limit_window_seconds": 3600,
-                "reset_after_seconds": 120,
-                "reset_at": primary_reset_timestamp,
-            },
-            "secondary_window": {
-                "used_percent": 5,
-                "limit_window_seconds": 86400,
-                "reset_after_seconds": 43200,
-                "reset_at": secondary_reset_timestamp,
-            }
-        }
-    });
-
-    Mock::given(method("GET"))
-        .and(path("/api/codex/usage"))
-        .and(header("authorization", "Bearer chatgpt-token"))
-        .and(header("chatgpt-account-id", "account-123"))
-        .respond_with(ResponseTemplate::new(200).set_body_json(response_body))
-        .mount(&server)
-        .await;
-
-    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)])
-        .await
-        .context("spawn mcp process")?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .context("initialize timeout")?
-        .context("initialize request")?;
-
-    let request_id = mcp
-        .send_get_account_rate_limits_request()
-        .await
-        .context("send account/rateLimits/read")?;
-
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("account/rateLimits/read timeout")?
-    .context("account/rateLimits/read response")?;
-
-    let received: GetAccountRateLimitsResponse =
-        to_response(response).context("deserialize rate limit response")?;
-
-    let expected = GetAccountRateLimitsResponse {
-        rate_limits: RateLimitSnapshot {
-            primary: Some(RateLimitWindow {
-                used_percent: 42.0,
-                window_minutes: Some(60),
-                resets_at: Some(primary_reset_timestamp),
-            }),
-            secondary: Some(RateLimitWindow {
-                used_percent: 5.0,
-                window_minutes: Some(1440),
-                resets_at: Some(secondary_reset_timestamp),
-            }),
-        },
-    };
-    assert_eq!(received, expected);
-
-    Ok(())
-}
-
-async fn login_with_api_key(mcp: &mut McpProcess, api_key: &str) -> Result<()> {
-    let request_id = mcp
-        .send_login_api_key_request(LoginApiKeyParams {
-            api_key: api_key.to_string(),
-        })
-        .await
-        .context("send loginApiKey")?;
-
-    timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await
-    .context("loginApiKey timeout")?
-    .context("loginApiKey response")?;
-
-    Ok(())
-}
-
-fn write_chatgpt_base_url(codex_home: &Path, base_url: &str) -> std::io::Result<()> {
-    let config_toml = codex_home.join("config.toml");
-    std::fs::write(config_toml, format!("chatgpt_base_url = \"{base_url}\"\n"))
-}
--- a/codex-rs/app-server/tests/suite/send_message.rs
+++ b/codex-rs/app-server/tests/suite/send_message.rs
@@ -15,8 +15,6 @@ use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SendUserMessageParams;
 use codex_app_server_protocol::SendUserMessageResponse;
 use codex_protocol::ConversationId;
-use codex_protocol::models::ContentItem;
-use codex_protocol::models::ResponseItem;
 use pretty_assertions::assert_eq;
 use tempfile::TempDir;
 use tokio::time::timeout;
@@ -64,10 +62,7 @@ async fn test_send_message_success() {

    // 2) addConversationListener
    let add_listener_id = mcp
-        .send_add_conversation_listener_request(AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events: false,
-        })
+        .send_add_conversation_listener_request(AddConversationListenerParams { conversation_id })
        .await
        .expect("send addConversationListener");
    let add_listener_resp: JSONRPCResponse = timeout(
@@ -129,105 +124,6 @@ async fn send_message(message: &str, conversation_id: ConversationId, mcp: &mut
            .expect("should have conversationId"),
        &serde_json::Value::String(conversation_id.to_string())
    );
-
-    let raw_attempt = tokio::time::timeout(
-        std::time::Duration::from_millis(200),
-        mcp.read_stream_until_notification_message("codex/event/raw_response_item"),
-    )
-    .await;
-    assert!(
-        raw_attempt.is_err(),
-        "unexpected raw item notification when not opted in"
-    );
-}
-
-#[tokio::test]
-async fn test_send_message_raw_notifications_opt_in() {
-    let responses = vec![
-        create_final_assistant_message_sse_response("Done").expect("build mock assistant message"),
-    ];
-    let server = create_mock_chat_completions_server(responses).await;
-
-    let codex_home = TempDir::new().expect("create temp dir");
-    create_config_toml(codex_home.path(), &server.uri()).expect("write config.toml");
-
-    let mut mcp = McpProcess::new(codex_home.path())
-        .await
-        .expect("spawn mcp process");
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
-        .await
-        .expect("init timed out")
-        .expect("init failed");
-
-    let new_conv_id = mcp
-        .send_new_conversation_request(NewConversationParams::default())
-        .await
-        .expect("send newConversation");
-    let new_conv_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(new_conv_id)),
-    )
-    .await
-    .expect("newConversation timeout")
-    .expect("newConversation resp");
-    let NewConversationResponse {
-        conversation_id, ..
-    } = to_response::<_>(new_conv_resp).expect("deserialize newConversation response");
-
-    let add_listener_id = mcp
-        .send_add_conversation_listener_request(AddConversationListenerParams {
-            conversation_id,
-            experimental_raw_events: true,
-        })
-        .await
-        .expect("send addConversationListener");
-    let add_listener_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(add_listener_id)),
-    )
-    .await
-    .expect("addConversationListener timeout")
-    .expect("addConversationListener resp");
-    let AddConversationSubscriptionResponse { subscription_id: _ } =
-        to_response::<_>(add_listener_resp).expect("deserialize addConversationListener response");
-
-    let send_id = mcp
-        .send_send_user_message_request(SendUserMessageParams {
-            conversation_id,
-            items: vec![InputItem::Text {
-                text: "Hello".to_string(),
-            }],
-        })
-        .await
-        .expect("send sendUserMessage");
-
-    let instructions = read_raw_response_item(&mut mcp, conversation_id).await;
-    assert_instructions_message(&instructions);
-
-    let environment = read_raw_response_item(&mut mcp, conversation_id).await;
-    assert_environment_message(&environment);
-
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(send_id)),
-    )
-    .await
-    .expect("sendUserMessage response timeout")
-    .expect("sendUserMessage response error");
-    let _ok: SendUserMessageResponse = to_response::<SendUserMessageResponse>(response)
-        .expect("deserialize sendUserMessage response");
-
-    let user_message = read_raw_response_item(&mut mcp, conversation_id).await;
-    assert_user_message(&user_message, "Hello");
-
-    let assistant_message = read_raw_response_item(&mut mcp, conversation_id).await;
-    assert_assistant_message(&assistant_message, "Done");
-
-    let _ = tokio::time::timeout(
-        std::time::Duration::from_millis(250),
-        mcp.read_stream_until_notification_message("codex/event/task_complete"),
-    )
-    .await;
 }

 #[tokio::test]
@@ -288,108 +184,3 @@ stream_max_retries = 0
        ),
    )
 }
-
-#[expect(clippy::expect_used)]
-async fn read_raw_response_item(
-    mcp: &mut McpProcess,
-    conversation_id: ConversationId,
-) -> ResponseItem {
-    let raw_notification: JSONRPCNotification = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_notification_message("codex/event/raw_response_item"),
-    )
-    .await
-    .expect("codex/event/raw_response_item notification timeout")
-    .expect("codex/event/raw_response_item notification resp");
-
-    let serde_json::Value::Object(params) = raw_notification
-        .params
-        .expect("codex/event/raw_response_item should have params")
-    else {
-        panic!("codex/event/raw_response_item should have params");
-    };
-
-    let conversation_id_value = params
-        .get("conversationId")
-        .and_then(|value| value.as_str())
-        .expect("raw response item should include conversationId");
-
-    assert_eq!(
-        conversation_id_value,
-        conversation_id.to_string(),
-        "raw response item conversation mismatch"
-    );
-
-    let msg_value = params
-        .get("msg")
-        .cloned()
-        .expect("raw response item should include msg payload");
-
-    serde_json::from_value(msg_value).expect("deserialize raw response item")
-}
-
-fn assert_instructions_message(item: &ResponseItem) {
-    match item {
-        ResponseItem::Message { role, content, .. } => {
-            assert_eq!(role, "user");
-            let texts = content_texts(content);
-            assert!(
-                texts
-                    .iter()
-                    .any(|text| text.contains("<user_instructions>")),
-                "expected instructions message, got {texts:?}"
-            );
-        }
-        other => panic!("expected instructions message, got {other:?}"),
-    }
-}
-
-fn assert_environment_message(item: &ResponseItem) {
-    match item {
-        ResponseItem::Message { role, content, .. } => {
-            assert_eq!(role, "user");
-            let texts = content_texts(content);
-            assert!(
-                texts
-                    .iter()
-                    .any(|text| text.contains("<environment_context>")),
-                "expected environment context message, got {texts:?}"
-            );
-        }
-        other => panic!("expected environment message, got {other:?}"),
-    }
-}
-
-fn assert_user_message(item: &ResponseItem, expected_text: &str) {
-    match item {
-        ResponseItem::Message { role, content, .. } => {
-            assert_eq!(role, "user");
-            let texts = content_texts(content);
-            assert_eq!(texts, vec![expected_text]);
-        }
-        other => panic!("expected user message, got {other:?}"),
-    }
-}
-
-fn assert_assistant_message(item: &ResponseItem, expected_text: &str) {
-    match item {
-        ResponseItem::Message { role, content, .. } => {
-            assert_eq!(role, "assistant");
-            let texts = content_texts(content);
-            assert_eq!(texts, vec![expected_text]);
-        }
-        other => panic!("expected assistant message, got {other:?}"),
-    }
-}
-
-fn content_texts(content: &[ContentItem]) -> Vec<&str> {
-    content
-        .iter()
-        .filter_map(|item| match item {
-            ContentItem::InputText { text } | ContentItem::OutputText { text } => {
-                Some(text.as_str())
-            }
-            _ => None,
-        })
-        .collect()
-}
--- a/codex-rs/app-server/tests/suite/user_info.rs
+++ b/codex-rs/app-server/tests/suite/user_info.rs
@@ -1,13 +1,20 @@
 use std::time::Duration;

-use app_test_support::ChatGptAuthFixture;
+use anyhow::Context;
 use app_test_support::McpProcess;
 use app_test_support::to_response;
-use app_test_support::write_chatgpt_auth;
+use base64::Engine;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::UserInfoResponse;
+use codex_core::auth::AuthDotJson;
+use codex_core::auth::get_auth_file;
+use codex_core::auth::write_auth_json;
+use codex_core::token_data::IdTokenInfo;
+use codex_core::token_data::TokenData;
 use pretty_assertions::assert_eq;
+use serde_json::json;
 use tempfile::TempDir;
 use tokio::time::timeout;

@@ -17,13 +24,22 @@ const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(10);
 async fn user_info_returns_email_from_auth_json() {
    let codex_home = TempDir::new().expect("create tempdir");

-    write_chatgpt_auth(
-        codex_home.path(),
-        ChatGptAuthFixture::new("access")
-            .refresh_token("refresh")
-            .email("user@example.com"),
-    )
-    .expect("write chatgpt auth");
+    let auth_path = get_auth_file(codex_home.path());
+    let mut id_token = IdTokenInfo::default();
+    id_token.email = Some("user@example.com".to_string());
+    id_token.raw_jwt = encode_id_token_with_email("user@example.com").expect("encode id token");
+
+    let auth = AuthDotJson {
+        openai_api_key: None,
+        tokens: Some(TokenData {
+            id_token,
+            access_token: "access".to_string(),
+            refresh_token: "refresh".to_string(),
+            account_id: None,
+        }),
+        last_refresh: None,
+    };
+    write_auth_json(&auth_path, &auth).expect("write auth.json");

    let mut mcp = McpProcess::new(codex_home.path())
        .await
@@ -49,3 +65,14 @@ async fn user_info_returns_email_from_auth_json() {

    assert_eq!(received, expected);
 }
+
+fn encode_id_token_with_email(email: &str) -> anyhow::Result<String> {
+    let header_b64 = URL_SAFE_NO_PAD.encode(
+        serde_json::to_vec(&json!({ "alg": "none", "typ": "JWT" }))
+            .context("serialize jwt header")?,
+    );
+    let payload =
+        serde_json::to_vec(&json!({ "email": email })).context("serialize jwt payload")?;
+    let payload_b64 = URL_SAFE_NO_PAD.encode(payload);
+    Ok(format!("{header_b64}.{payload_b64}.signature"))
+}
--- a/codex-rs/apply-patch/tests/suite/mod.rs
+++ b/codex-rs/apply-patch/tests/suite/mod.rs
@@ -1,3 +1 @@
 mod cli;
-#[cfg(not(target_os = "windows"))]
-mod tool;
--- a/codex-rs/apply-patch/tests/suite/tool.rs
+++ b/codex-rs/apply-patch/tests/suite/tool.rs
@@ -1,257 +0,0 @@
-use assert_cmd::Command;
-use pretty_assertions::assert_eq;
-use std::fs;
-use std::path::Path;
-use tempfile::tempdir;
-
-fn run_apply_patch_in_dir(dir: &Path, patch: &str) -> anyhow::Result<assert_cmd::assert::Assert> {
-    let mut cmd = Command::cargo_bin("apply_patch")?;
-    cmd.current_dir(dir);
-    Ok(cmd.arg(patch).assert())
-}
-
-fn apply_patch_command(dir: &Path) -> anyhow::Result<Command> {
-    let mut cmd = Command::cargo_bin("apply_patch")?;
-    cmd.current_dir(dir);
-    Ok(cmd)
-}
-
-#[test]
-fn test_apply_patch_cli_applies_multiple_operations() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let modify_path = tmp.path().join("modify.txt");
-    let delete_path = tmp.path().join("delete.txt");
-
-    fs::write(&modify_path, "line1\nline2\n")?;
-    fs::write(&delete_path, "obsolete\n")?;
-
-    let patch = "*** Begin Patch\n*** Add File: nested/new.txt\n+created\n*** Delete File: delete.txt\n*** Update File: modify.txt\n@@\n-line2\n+changed\n*** End Patch";
-
-    run_apply_patch_in_dir(tmp.path(), patch)?.success().stdout(
-        "Success. Updated the following files:\nA nested/new.txt\nM modify.txt\nD delete.txt\n",
-    );
-
-    assert_eq!(
-        fs::read_to_string(tmp.path().join("nested/new.txt"))?,
-        "created\n"
-    );
-    assert_eq!(fs::read_to_string(&modify_path)?, "line1\nchanged\n");
-    assert!(!delete_path.exists());
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_applies_multiple_chunks() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let target_path = tmp.path().join("multi.txt");
-    fs::write(&target_path, "line1\nline2\nline3\nline4\n")?;
-
-    let patch = "*** Begin Patch\n*** Update File: multi.txt\n@@\n-line2\n+changed2\n@@\n-line4\n+changed4\n*** End Patch";
-
-    run_apply_patch_in_dir(tmp.path(), patch)?
-        .success()
-        .stdout("Success. Updated the following files:\nM multi.txt\n");
-
-    assert_eq!(
-        fs::read_to_string(&target_path)?,
-        "line1\nchanged2\nline3\nchanged4\n"
-    );
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_moves_file_to_new_directory() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let original_path = tmp.path().join("old/name.txt");
-    let new_path = tmp.path().join("renamed/dir/name.txt");
-    fs::create_dir_all(original_path.parent().expect("parent should exist"))?;
-    fs::write(&original_path, "old content\n")?;
-
-    let patch = "*** Begin Patch\n*** Update File: old/name.txt\n*** Move to: renamed/dir/name.txt\n@@\n-old content\n+new content\n*** End Patch";
-
-    run_apply_patch_in_dir(tmp.path(), patch)?
-        .success()
-        .stdout("Success. Updated the following files:\nM renamed/dir/name.txt\n");
-
-    assert!(!original_path.exists());
-    assert_eq!(fs::read_to_string(&new_path)?, "new content\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_empty_patch() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("No files were modified.\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_reports_missing_context() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let target_path = tmp.path().join("modify.txt");
-    fs::write(&target_path, "line1\nline2\n")?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Update File: modify.txt\n@@\n-missing\n+changed\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Failed to find expected lines in modify.txt:\nmissing\n");
-    assert_eq!(fs::read_to_string(&target_path)?, "line1\nline2\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_missing_file_delete() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Delete File: missing.txt\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Failed to delete file missing.txt\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_empty_update_hunk() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Update File: foo.txt\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Invalid patch hunk on line 2: Update file hunk for path 'foo.txt' is empty\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_requires_existing_file_for_update() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Update File: missing.txt\n@@\n-old\n+new\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr(
-            "Failed to read file to update missing.txt: No such file or directory (os error 2)\n",
-        );
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_move_overwrites_existing_destination() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let original_path = tmp.path().join("old/name.txt");
-    let destination = tmp.path().join("renamed/dir/name.txt");
-    fs::create_dir_all(original_path.parent().expect("parent should exist"))?;
-    fs::create_dir_all(destination.parent().expect("parent should exist"))?;
-    fs::write(&original_path, "from\n")?;
-    fs::write(&destination, "existing\n")?;
-
-    run_apply_patch_in_dir(
-        tmp.path(),
-        "*** Begin Patch\n*** Update File: old/name.txt\n*** Move to: renamed/dir/name.txt\n@@\n-from\n+new\n*** End Patch",
-    )?
-    .success()
-    .stdout("Success. Updated the following files:\nM renamed/dir/name.txt\n");
-
-    assert!(!original_path.exists());
-    assert_eq!(fs::read_to_string(&destination)?, "new\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_add_overwrites_existing_file() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let path = tmp.path().join("duplicate.txt");
-    fs::write(&path, "old content\n")?;
-
-    run_apply_patch_in_dir(
-        tmp.path(),
-        "*** Begin Patch\n*** Add File: duplicate.txt\n+new content\n*** End Patch",
-    )?
-    .success()
-    .stdout("Success. Updated the following files:\nA duplicate.txt\n");
-
-    assert_eq!(fs::read_to_string(&path)?, "new content\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_delete_directory_fails() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    fs::create_dir(tmp.path().join("dir"))?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Delete File: dir\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Failed to delete file dir\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_rejects_invalid_hunk_header() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Frobnicate File: foo\n*** End Patch")
-        .assert()
-        .failure()
-        .stderr("Invalid patch hunk on line 2: '*** Frobnicate File: foo' is not a valid hunk header. Valid hunk headers: '*** Add File: {path}', '*** Delete File: {path}', '*** Update File: {path}'\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_updates_file_appends_trailing_newline() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let target_path = tmp.path().join("no_newline.txt");
-    fs::write(&target_path, "no newline at end")?;
-
-    run_apply_patch_in_dir(
-        tmp.path(),
-        "*** Begin Patch\n*** Update File: no_newline.txt\n@@\n-no newline at end\n+first line\n+second line\n*** End Patch",
-    )?
-    .success()
-    .stdout("Success. Updated the following files:\nM no_newline.txt\n");
-
-    let contents = fs::read_to_string(&target_path)?;
-    assert!(contents.ends_with('\n'));
-    assert_eq!(contents, "first line\nsecond line\n");
-
-    Ok(())
-}
-
-#[test]
-fn test_apply_patch_cli_failure_after_partial_success_leaves_changes() -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-    let new_file = tmp.path().join("created.txt");
-
-    apply_patch_command(tmp.path())?
-        .arg("*** Begin Patch\n*** Add File: created.txt\n+hello\n*** Update File: missing.txt\n@@\n-old\n+new\n*** End Patch")
-        .assert()
-        .failure()
-        .stdout("")
-        .stderr("Failed to read file to update missing.txt: No such file or directory (os error 2)\n");
-
-    assert_eq!(fs::read_to_string(&new_file)?, "hello\n");
-
-    Ok(())
-}
--- a/codex-rs/backend-client/Cargo.toml
+++ b/codex-rs/backend-client/Cargo.toml
@@ -13,8 +13,6 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 codex-backend-openapi-models = { path = "../codex-backend-openapi-models" }
-codex-protocol = { workspace = true }
-codex-core = { workspace = true }

 [dev-dependencies]
 pretty_assertions = "1"
--- a/codex-rs/backend-client/src/client.rs
+++ b/codex-rs/backend-client/src/client.rs
@@ -1,13 +1,7 @@
 use crate::types::CodeTaskDetailsResponse;
 use crate::types::PaginatedListTaskListItem;
-use crate::types::RateLimitStatusPayload;
-use crate::types::RateLimitWindowSnapshot;
 use crate::types::TurnAttemptsSiblingTurnsResponse;
 use anyhow::Result;
-use codex_core::auth::CodexAuth;
-use codex_core::default_client::get_codex_user_agent;
-use codex_protocol::protocol::RateLimitSnapshot;
-use codex_protocol::protocol::RateLimitWindow;
 use reqwest::header::AUTHORIZATION;
 use reqwest::header::CONTENT_TYPE;
 use reqwest::header::HeaderMap;
@@ -70,17 +64,6 @@ impl Client {
        })
    }

-    pub async fn from_auth(base_url: impl Into<String>, auth: &CodexAuth) -> Result<Self> {
-        let token = auth.get_token().await.map_err(anyhow::Error::from)?;
-        let mut client = Self::new(base_url)?
-            .with_user_agent(get_codex_user_agent())
-            .with_bearer_token(token);
-        if let Some(account_id) = auth.get_account_id() {
-            client = client.with_chatgpt_account_id(account_id);
-        }
-        Ok(client)
-    }
-
    pub fn with_bearer_token(mut self, token: impl Into<String>) -> Self {
        self.bearer_token = Some(token.into());
        self
@@ -155,17 +138,6 @@ impl Client {
        }
    }

-    pub async fn get_rate_limits(&self) -> Result<RateLimitSnapshot> {
-        let url = match self.path_style {
-            PathStyle::CodexApi => format!("{}/api/codex/usage", self.base_url),
-            PathStyle::ChatGptApi => format!("{}/wham/usage", self.base_url),
-        };
-        let req = self.http.get(&url).headers(self.headers());
-        let (body, ct) = self.exec_request(req, "GET", &url).await?;
-        let payload: RateLimitStatusPayload = self.decode_json(&url, &ct, &body)?;
-        Ok(Self::rate_limit_snapshot_from_payload(payload))
-    }
-
    pub async fn list_tasks(
        &self,
        limit: Option<i32>,
@@ -269,49 +241,4 @@ impl Client {
            Err(e) => anyhow::bail!("Decode error for {url}: {e}; content-type={ct}; body={body}"),
        }
    }
-
-    // rate limit helpers
-    fn rate_limit_snapshot_from_payload(payload: RateLimitStatusPayload) -> RateLimitSnapshot {
-        let Some(details) = payload
-            .rate_limit
-            .and_then(|inner| inner.map(|boxed| *boxed))
-        else {
-            return RateLimitSnapshot {
-                primary: None,
-                secondary: None,
-            };
-        };
-
-        RateLimitSnapshot {
-            primary: Self::map_rate_limit_window(details.primary_window),
-            secondary: Self::map_rate_limit_window(details.secondary_window),
-        }
-    }
-
-    fn map_rate_limit_window(
-        window: Option<Option<Box<RateLimitWindowSnapshot>>>,
-    ) -> Option<RateLimitWindow> {
-        let snapshot = match window {
-            Some(Some(snapshot)) => *snapshot,
-            _ => return None,
-        };
-
-        let used_percent = f64::from(snapshot.used_percent);
-        let window_minutes = Self::window_minutes_from_seconds(snapshot.limit_window_seconds);
-        let resets_at = Some(i64::from(snapshot.reset_at));
-        Some(RateLimitWindow {
-            used_percent,
-            window_minutes,
-            resets_at,
-        })
-    }
-
-    fn window_minutes_from_seconds(seconds: i32) -> Option<i64> {
-        if seconds <= 0 {
-            return None;
-        }
-
-        let seconds_i64 = i64::from(seconds);
-        Some((seconds_i64 + 59) / 60)
-    }
 }
--- a/codex-rs/backend-client/src/types.rs
+++ b/codex-rs/backend-client/src/types.rs
@@ -1,8 +1,4 @@
 pub use codex_backend_openapi_models::models::PaginatedListTaskListItem;
-pub use codex_backend_openapi_models::models::PlanType;
-pub use codex_backend_openapi_models::models::RateLimitStatusDetails;
-pub use codex_backend_openapi_models::models::RateLimitStatusPayload;
-pub use codex_backend_openapi_models::models::RateLimitWindowSnapshot;
 pub use codex_backend_openapi_models::models::TaskListItem;

 use serde::Deserialize;
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -19,7 +19,7 @@ use codex_exec::Cli as ExecCli;
 use codex_responses_api_proxy::Args as ResponsesApiProxyArgs;
 use codex_tui::AppExitInfo;
 use codex_tui::Cli as TuiCli;
-use codex_tui::updates::UpdateAction;
+use codex_tui::UpdateAction;
 use owo_colors::OwoColorize;
 use std::path::PathBuf;
 use supports_color::Stream;
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -150,10 +150,6 @@ pub struct RemoveArgs {
 pub struct LoginArgs {
    /// Name of the MCP server to authenticate with oauth.
    pub name: String,
-
-    /// Comma-separated list of OAuth scopes to request.
-    #[arg(long, value_delimiter = ',', value_name = "SCOPE,SCOPE")]
-    pub scopes: Vec<String>,
 }

 #[derive(Debug, clap::Parser)]
@@ -257,8 +253,6 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
        enabled: true,
        startup_timeout_sec: None,
        tool_timeout_sec: None,
-        enabled_tools: None,
-        disabled_tools: None,
    };

    servers.insert(name.clone(), new_entry);
@@ -274,33 +268,18 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
        http_headers,
        env_http_headers,
    } = transport
+        && matches!(supports_oauth_login(&url).await, Ok(true))
    {
-        match supports_oauth_login(&url).await {
-            Ok(true) => {
-                if !config.features.enabled(Feature::RmcpClient) {
-                    println!(
-                        "MCP server supports login. Add `experimental_use_rmcp_client = true` \
-                         to your config.toml and run `codex mcp login {name}` to login."
-                    );
-                } else {
-                    println!("Detected OAuth support. Starting OAuth flow…");
-                    perform_oauth_login(
-                        &name,
-                        &url,
-                        config.mcp_oauth_credentials_store_mode,
-                        http_headers.clone(),
-                        env_http_headers.clone(),
-                        &Vec::new(),
-                    )
-                    .await?;
-                    println!("Successfully logged in.");
-                }
-            }
-            Ok(false) => {}
-            Err(_) => println!(
-                "MCP server may or may not require login. Run `codex mcp login {name}` to login."
-            ),
-        }
+        println!("Detected OAuth support. Starting OAuth flow…");
+        perform_oauth_login(
+            &name,
+            &url,
+            config.mcp_oauth_credentials_store_mode,
+            http_headers.clone(),
+            env_http_headers.clone(),
+        )
+        .await?;
+        println!("Successfully logged in.");
    }

    Ok(())
@@ -346,7 +325,7 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
        );
    }

-    let LoginArgs { name, scopes } = login_args;
+    let LoginArgs { name } = login_args;

    let Some(server) = config.mcp_servers.get(&name) else {
        bail!("No MCP server named '{name}' found.");
@@ -368,7 +347,6 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
        config.mcp_oauth_credentials_store_mode,
        http_headers,
        env_http_headers,
-        &scopes,
    )
    .await?;
    println!("Successfully logged in to MCP server '{name}'.");
@@ -422,7 +400,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
            .map(|(name, cfg)| {
                let auth_status = auth_statuses
                    .get(name.as_str())
-                    .map(|entry| entry.auth_status)
+                    .copied()
                    .unwrap_or(McpAuthStatus::Unsupported);
                let transport = match &cfg.transport {
                    McpServerTransportConfig::Stdio {
@@ -509,7 +487,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
                };
                let auth_status = auth_statuses
                    .get(name.as_str())
-                    .map(|entry| entry.auth_status)
+                    .copied()
                    .unwrap_or(McpAuthStatus::Unsupported)
                    .to_string();
                stdio_rows.push([
@@ -534,15 +512,13 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
                };
                let auth_status = auth_statuses
                    .get(name.as_str())
-                    .map(|entry| entry.auth_status)
+                    .copied()
                    .unwrap_or(McpAuthStatus::Unsupported)
                    .to_string();
-                let bearer_token_display =
-                    bearer_token_env_var.as_deref().unwrap_or("-").to_string();
                http_rows.push([
                    name.clone(),
                    url.clone(),
-                    bearer_token_display,
+                    bearer_token_env_var.clone().unwrap_or("-".to_string()),
                    status,
                    auth_status,
                ]);
@@ -700,8 +676,6 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
            "name": get_args.name,
            "enabled": server.enabled,
            "transport": transport,
-            "enabled_tools": server.enabled_tools.clone(),
-            "disabled_tools": server.disabled_tools.clone(),
            "startup_timeout_sec": server
                .startup_timeout_sec
                .map(|timeout| timeout.as_secs_f64()),
@@ -713,28 +687,8 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
        return Ok(());
    }

-    if !server.enabled {
-        println!("{} (disabled)", get_args.name);
-        return Ok(());
-    }
-
    println!("{}", get_args.name);
    println!("  enabled: {}", server.enabled);
-    let format_tool_list = |tools: &Option<Vec<String>>| -> String {
-        match tools {
-            Some(list) if list.is_empty() => "[]".to_string(),
-            Some(list) => list.join(", "),
-            None => "-".to_string(),
-        }
-    };
-    if server.enabled_tools.is_some() {
-        let enabled_tools_display = format_tool_list(&server.enabled_tools);
-        println!("  enabled_tools: {enabled_tools_display}");
-    }
-    if server.disabled_tools.is_some() {
-        let disabled_tools_display = format_tool_list(&server.disabled_tools);
-        println!("  disabled_tools: {disabled_tools_display}");
-    }
    match &server.transport {
        McpServerTransportConfig::Stdio {
            command,
@@ -768,15 +722,15 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
        } => {
            println!("  transport: streamable_http");
            println!("  url: {url}");
-            let bearer_token_display = bearer_token_env_var.as_deref().unwrap_or("-");
-            println!("  bearer_token_env_var: {bearer_token_display}");
+            let env_var = bearer_token_env_var.as_deref().unwrap_or("-");
+            println!("  bearer_token_env_var: {env_var}");
            let headers_display = match http_headers {
                Some(map) if !map.is_empty() => {
                    let mut pairs: Vec<_> = map.iter().collect();
                    pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
                    pairs
                        .into_iter()
-                        .map(|(k, _)| format!("{k}=*****"))
+                        .map(|(k, v)| format!("{k}={v}"))
                        .collect::<Vec<_>>()
                        .join(", ")
                }
@@ -789,7 +743,7 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
                    pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
                    pairs
                        .into_iter()
-                        .map(|(k, var)| format!("{k}={var}"))
+                        .map(|(k, v)| format!("{k}={v}"))
                        .collect::<Vec<_>>()
                        .join(", ")
                }
--- a/codex-rs/cli/tests/mcp_list.rs
+++ b/codex-rs/cli/tests/mcp_list.rs
@@ -68,9 +68,9 @@ async fn list_and_get_render_expected_output() -> Result<()> {
    assert!(stdout.contains("Name"));
    assert!(stdout.contains("docs"));
    assert!(stdout.contains("docs-server"));
-    assert!(stdout.contains("TOKEN=*****"));
-    assert!(stdout.contains("APP_TOKEN=*****"));
-    assert!(stdout.contains("WORKSPACE_ID=*****"));
+    assert!(stdout.contains("TOKEN=secret"));
+    assert!(stdout.contains("APP_TOKEN=$APP_TOKEN"));
+    assert!(stdout.contains("WORKSPACE_ID=$WORKSPACE_ID"));
    assert!(stdout.contains("Status"));
    assert!(stdout.contains("Auth"));
    assert!(stdout.contains("enabled"));
@@ -119,9 +119,9 @@ async fn list_and_get_render_expected_output() -> Result<()> {
    assert!(stdout.contains("transport: stdio"));
    assert!(stdout.contains("command: docs-server"));
    assert!(stdout.contains("args: --port 4000"));
-    assert!(stdout.contains("env: TOKEN=*****"));
-    assert!(stdout.contains("APP_TOKEN=*****"));
-    assert!(stdout.contains("WORKSPACE_ID=*****"));
+    assert!(stdout.contains("env: TOKEN=secret"));
+    assert!(stdout.contains("APP_TOKEN=$APP_TOKEN"));
+    assert!(stdout.contains("WORKSPACE_ID=$WORKSPACE_ID"));
    assert!(stdout.contains("enabled: true"));
    assert!(stdout.contains("remove: codex mcp remove docs"));

@@ -134,28 +134,3 @@ async fn list_and_get_render_expected_output() -> Result<()> {

    Ok(())
 }
-
-#[tokio::test]
-async fn get_disabled_server_shows_single_line() -> Result<()> {
-    let codex_home = TempDir::new()?;
-
-    let mut add = codex_command(codex_home.path())?;
-    add.args(["mcp", "add", "docs", "--", "docs-server"])
-        .assert()
-        .success();
-
-    let mut servers = load_global_mcp_servers(codex_home.path()).await?;
-    let docs = servers
-        .get_mut("docs")
-        .expect("docs server should exist after add");
-    docs.enabled = false;
-    write_global_mcp_servers(codex_home.path(), &servers)?;
-
-    let mut get_cmd = codex_command(codex_home.path())?;
-    let get_output = get_cmd.args(["mcp", "get", "docs"]).output()?;
-    assert!(get_output.status.success());
-    let stdout = String::from_utf8(get_output.stdout)?;
-    assert_eq!(stdout.trim_end(), "docs (disabled)");
-
-    Ok(())
-}
--- a/codex-rs/codex-backend-openapi-models/Cargo.toml
+++ b/codex-rs/codex-backend-openapi-models/Cargo.toml
@@ -15,4 +15,3 @@ path = "src/lib.rs"
 [dependencies]
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-serde_with = "3"
--- a/codex-rs/codex-backend-openapi-models/src/models/mod.rs
+++ b/codex-rs/codex-backend-openapi-models/src/models/mod.rs
@@ -3,7 +3,6 @@
 // Currently export only the types referenced by the workspace
 // The process for this will change

-// Cloud Tasks
 pub mod code_task_details_response;
 pub use self::code_task_details_response::CodeTaskDetailsResponse;

@@ -21,14 +20,3 @@ pub use self::task_list_item::TaskListItem;

 pub mod paginated_list_task_list_item_;
 pub use self::paginated_list_task_list_item_::PaginatedListTaskListItem;
-
-// Rate Limits
-pub mod rate_limit_status_payload;
-pub use self::rate_limit_status_payload::PlanType;
-pub use self::rate_limit_status_payload::RateLimitStatusPayload;
-
-pub mod rate_limit_status_details;
-pub use self::rate_limit_status_details::RateLimitStatusDetails;
-
-pub mod rate_limit_window_snapshot;
-pub use self::rate_limit_window_snapshot::RateLimitWindowSnapshot;
--- a/codex-rs/codex-backend-openapi-models/src/models/rate_limit_status_details.rs
+++ b/codex-rs/codex-backend-openapi-models/src/models/rate_limit_status_details.rs
@@ -1,46 +0,0 @@
-/*
- * codex-backend
- *
- * codex-backend
- *
- * The version of the OpenAPI document: 0.0.1
- *
- * Generated by: https://openapi-generator.tech
- */
-
-use crate::models;
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
-pub struct RateLimitStatusDetails {
-    #[serde(rename = "allowed")]
-    pub allowed: bool,
-    #[serde(rename = "limit_reached")]
-    pub limit_reached: bool,
-    #[serde(
-        rename = "primary_window",
-        default,
-        with = "::serde_with::rust::double_option",
-        skip_serializing_if = "Option::is_none"
-    )]
-    pub primary_window: Option<Option<Box<models::RateLimitWindowSnapshot>>>,
-    #[serde(
-        rename = "secondary_window",
-        default,
-        with = "::serde_with::rust::double_option",
-        skip_serializing_if = "Option::is_none"
-    )]
-    pub secondary_window: Option<Option<Box<models::RateLimitWindowSnapshot>>>,
-}
-
-impl RateLimitStatusDetails {
-    pub fn new(allowed: bool, limit_reached: bool) -> RateLimitStatusDetails {
-        RateLimitStatusDetails {
-            allowed,
-            limit_reached,
-            primary_window: None,
-            secondary_window: None,
-        }
-    }
-}
--- a/codex-rs/codex-backend-openapi-models/src/models/rate_limit_status_payload.rs
+++ b/codex-rs/codex-backend-openapi-models/src/models/rate_limit_status_payload.rs
@@ -1,65 +0,0 @@
-/*
- * codex-backend
- *
- * codex-backend
- *
- * The version of the OpenAPI document: 0.0.1
- *
- * Generated by: https://openapi-generator.tech
- */
-
-use crate::models;
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
-pub struct RateLimitStatusPayload {
-    #[serde(rename = "plan_type")]
-    pub plan_type: PlanType,
-    #[serde(
-        rename = "rate_limit",
-        default,
-        with = "::serde_with::rust::double_option",
-        skip_serializing_if = "Option::is_none"
-    )]
-    pub rate_limit: Option<Option<Box<models::RateLimitStatusDetails>>>,
-}
-
-impl RateLimitStatusPayload {
-    pub fn new(plan_type: PlanType) -> RateLimitStatusPayload {
-        RateLimitStatusPayload {
-            plan_type,
-            rate_limit: None,
-        }
-    }
-}
-
-#[derive(Clone, Copy, Debug, Eq, PartialEq, Ord, PartialOrd, Hash, Serialize, Deserialize)]
-pub enum PlanType {
-    #[serde(rename = "free")]
-    Free,
-    #[serde(rename = "go")]
-    Go,
-    #[serde(rename = "plus")]
-    Plus,
-    #[serde(rename = "pro")]
-    Pro,
-    #[serde(rename = "team")]
-    Team,
-    #[serde(rename = "business")]
-    Business,
-    #[serde(rename = "education")]
-    Education,
-    #[serde(rename = "quorum")]
-    Quorum,
-    #[serde(rename = "enterprise")]
-    Enterprise,
-    #[serde(rename = "edu")]
-    Edu,
-}
-
-impl Default for PlanType {
-    fn default() -> PlanType {
-        Self::Free
-    }
-}
--- a/codex-rs/codex-backend-openapi-models/src/models/rate_limit_window_snapshot.rs
+++ b/codex-rs/codex-backend-openapi-models/src/models/rate_limit_window_snapshot.rs
@@ -1,40 +0,0 @@
-/*
- * codex-backend
- *
- * codex-backend
- *
- * The version of the OpenAPI document: 0.0.1
- *
- * Generated by: https://openapi-generator.tech
- */
-
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
-pub struct RateLimitWindowSnapshot {
-    #[serde(rename = "used_percent")]
-    pub used_percent: i32,
-    #[serde(rename = "limit_window_seconds")]
-    pub limit_window_seconds: i32,
-    #[serde(rename = "reset_after_seconds")]
-    pub reset_after_seconds: i32,
-    #[serde(rename = "reset_at")]
-    pub reset_at: i32,
-}
-
-impl RateLimitWindowSnapshot {
-    pub fn new(
-        used_percent: i32,
-        limit_window_seconds: i32,
-        reset_after_seconds: i32,
-        reset_at: i32,
-    ) -> RateLimitWindowSnapshot {
-        RateLimitWindowSnapshot {
-            used_percent,
-            limit_window_seconds,
-            reset_after_seconds,
-            reset_at,
-        }
-    }
-}
--- a/codex-rs/common/src/format_env_display.rs
+++ b/codex-rs/common/src/format_env_display.rs
@@ -6,11 +6,15 @@ pub fn format_env_display(env: Option<&HashMap<String, String>>, env_vars: &[Str
    if let Some(map) = env {
        let mut pairs: Vec<_> = map.iter().collect();
        pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
-        parts.extend(pairs.into_iter().map(|(key, _)| format!("{key}=*****")));
+        parts.extend(
+            pairs
+                .into_iter()
+                .map(|(key, value)| format!("{key}={value}")),
+        );
    }

    if !env_vars.is_empty() {
-        parts.extend(env_vars.iter().map(|var| format!("{var}=*****")));
+        parts.extend(env_vars.iter().map(|var| format!("{var}=${var}")));
    }

    if parts.is_empty() {
@@ -38,14 +42,14 @@ mod tests {
        env.insert("B".to_string(), "two".to_string());
        env.insert("A".to_string(), "one".to_string());

-        assert_eq!(format_env_display(Some(&env), &[]), "A=*****, B=*****");
+        assert_eq!(format_env_display(Some(&env), &[]), "A=one, B=two");
    }

    #[test]
    fn formats_env_vars_with_dollar_prefix() {
        let vars = vec!["TOKEN".to_string(), "PATH".to_string()];

-        assert_eq!(format_env_display(None, &vars), "TOKEN=*****, PATH=*****");
+        assert_eq!(format_env_display(None, &vars), "TOKEN=$TOKEN, PATH=$PATH");
    }

    #[test]
@@ -56,7 +60,7 @@ mod tests {

        assert_eq!(
            format_env_display(Some(&env), &vars),
-            "HOME=*****, TOKEN=*****"
+            "HOME=/tmp, TOKEN=$TOKEN"
        );
    }
 }
--- a/codex-rs/common/src/model_presets.rs
+++ b/codex-rs/common/src/model_presets.rs
@@ -1,96 +1,73 @@
 use codex_app_server_protocol::AuthMode;
 use codex_core::protocol_config_types::ReasoningEffort;

-/// A reasoning effort option that can be surfaced for a model.
-#[derive(Debug, Clone, Copy)]
-pub struct ReasoningEffortPreset {
-    /// Effort level that the model supports.
-    pub effort: ReasoningEffort,
-    /// Short human description shown next to the effort in UIs.
-    pub description: &'static str,
-}
-
-/// Metadata describing a Codex-supported model.
+/// A simple preset pairing a model slug with a reasoning effort.
 #[derive(Debug, Clone, Copy)]
 pub struct ModelPreset {
    /// Stable identifier for the preset.
    pub id: &'static str,
+    /// Display label shown in UIs.
+    pub label: &'static str,
+    /// Short human description shown next to the label in UIs.
+    pub description: &'static str,
    /// Model slug (e.g., "gpt-5").
    pub model: &'static str,
-    /// Display name shown in UIs.
-    pub display_name: &'static str,
-    /// Short human description shown in UIs.
-    pub description: &'static str,
-    /// Reasoning effort applied when none is explicitly chosen.
-    pub default_reasoning_effort: ReasoningEffort,
-    /// Supported reasoning effort options.
-    pub supported_reasoning_efforts: &'static [ReasoningEffortPreset],
-    /// Whether this is the default model for new users.
-    pub is_default: bool,
+    /// Reasoning effort to apply for this preset.
+    pub effort: Option<ReasoningEffort>,
 }

 const PRESETS: &[ModelPreset] = &[
    ModelPreset {
-        id: "gpt-5-codex",
+        id: "gpt-5-codex-low",
+        label: "gpt-5-codex low",
+        description: "Fastest responses with limited reasoning",
        model: "gpt-5-codex",
-        display_name: "gpt-5-codex",
-        description: "Optimized for coding tasks with many tools.",
-        default_reasoning_effort: ReasoningEffort::Medium,
-        supported_reasoning_efforts: &[
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Low,
-                description: "Fastest responses with limited reasoning",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Medium,
-                description: "Dynamically adjusts reasoning based on the task",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::High,
-                description: "Maximizes reasoning depth for complex or ambiguous problems",
-            },
-        ],
-        is_default: true,
+        effort: Some(ReasoningEffort::Low),
    },
    ModelPreset {
-        id: "gpt-5",
+        id: "gpt-5-codex-medium",
+        label: "gpt-5-codex medium",
+        description: "Dynamically adjusts reasoning based on the task",
+        model: "gpt-5-codex",
+        effort: Some(ReasoningEffort::Medium),
+    },
+    ModelPreset {
+        id: "gpt-5-codex-high",
+        label: "gpt-5-codex high",
+        description: "Maximizes reasoning depth for complex or ambiguous problems",
+        model: "gpt-5-codex",
+        effort: Some(ReasoningEffort::High),
+    },
+    ModelPreset {
+        id: "gpt-5-minimal",
+        label: "gpt-5 minimal",
+        description: "Fastest responses with little reasoning",
        model: "gpt-5",
-        display_name: "gpt-5",
-        description: "Broad world knowledge with strong general reasoning.",
-        default_reasoning_effort: ReasoningEffort::Medium,
-        supported_reasoning_efforts: &[
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Minimal,
-                description: "Fastest responses with little reasoning",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Low,
-                description: "Balances speed with some reasoning; useful for straightforward queries and short explanations",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::Medium,
-                description: "Provides a solid balance of reasoning depth and latency for general-purpose tasks",
-            },
-            ReasoningEffortPreset {
-                effort: ReasoningEffort::High,
-                description: "Maximizes reasoning depth for complex or ambiguous problems",
-            },
-        ],
-        is_default: false,
+        effort: Some(ReasoningEffort::Minimal),
+    },
+    ModelPreset {
+        id: "gpt-5-low",
+        label: "gpt-5 low",
+        description: "Balances speed with some reasoning; useful for straightforward queries and short explanations",
+        model: "gpt-5",
+        effort: Some(ReasoningEffort::Low),
+    },
+    ModelPreset {
+        id: "gpt-5-medium",
+        label: "gpt-5 medium",
+        description: "Provides a solid balance of reasoning depth and latency for general-purpose tasks",
+        model: "gpt-5",
+        effort: Some(ReasoningEffort::Medium),
+    },
+    ModelPreset {
+        id: "gpt-5-high",
+        label: "gpt-5 high",
+        description: "Maximizes reasoning depth for complex or ambiguous problems",
+        model: "gpt-5",
+        effort: Some(ReasoningEffort::High),
    },
 ];

 pub fn builtin_model_presets(_auth_mode: Option<AuthMode>) -> Vec<ModelPreset> {
    PRESETS.to_vec()
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn only_one_default_model_is_configured() {
-        let default_models = PRESETS.iter().filter(|preset| preset.is_default).count();
-        assert!(default_models == 1);
-    }
-}
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -22,19 +22,18 @@ chrono = { workspace = true, features = ["serde"] }
 codex-app-server-protocol = { workspace = true }
 codex-apply-patch = { workspace = true }
 codex-file-search = { workspace = true }
+codex-mcp-client = { workspace = true }
 codex-otel = { workspace = true, features = ["otel"] }
 codex-protocol = { workspace = true }
 codex-rmcp-client = { workspace = true }
 codex-async-utils = { workspace = true }
 codex-utils-string = { workspace = true }
 codex-utils-pty = { workspace = true }
-codex-utils-tokenizer = { workspace = true }
 dirs = { workspace = true }
 dunce = { workspace = true }
 env-flags = { workspace = true }
 eventsource-stream = { workspace = true }
 futures = { workspace = true }
-http = { workspace = true }
 indexmap = { workspace = true }
 libc = { workspace = true }
 mcp-types = { workspace = true }
--- a/codex-rs/core/src/apply_patch.rs
+++ b/codex-rs/core/src/apply_patch.rs
@@ -36,6 +36,7 @@ pub(crate) struct ApplyPatchExec {
 pub(crate) async fn apply_patch(
    sess: &Session,
    turn_context: &TurnContext,
+    sub_id: &str,
    call_id: &str,
    action: ApplyPatchAction,
 ) -> InternalApplyPatchInvocation {
@@ -61,7 +62,7 @@ pub(crate) async fn apply_patch(
            // that similar patches can be auto-approved in the future during
            // this session.
            let rx_approve = sess
-                .request_patch_approval(turn_context, call_id.to_owned(), &action, None, None)
+                .request_patch_approval(sub_id.to_owned(), call_id.to_owned(), &action, None, None)
                .await;
            match rx_approve.await.unwrap_or_default() {
                ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
--- a/codex-rs/core/src/auth.rs
+++ b/codex-rs/core/src/auth.rs
@@ -21,7 +21,6 @@ use codex_app_server_protocol::AuthMode;
 use codex_protocol::config_types::ForcedLoginMethod;

 use crate::config::Config;
-use crate::default_client::CodexHttpClient;
 use crate::token_data::PlanType;
 use crate::token_data::TokenData;
 use crate::token_data::parse_id_token;
@@ -33,7 +32,7 @@ pub struct CodexAuth {
    pub(crate) api_key: Option<String>,
    pub(crate) auth_dot_json: Arc<Mutex<Option<AuthDotJson>>>,
    pub(crate) auth_file: PathBuf,
-    pub(crate) client: CodexHttpClient,
+    pub(crate) client: reqwest::Client,
 }

 impl PartialEq for CodexAuth {
@@ -44,8 +43,6 @@ impl PartialEq for CodexAuth {

 impl CodexAuth {
    pub async fn refresh_token(&self) -> Result<String, std::io::Error> {
-        tracing::info!("Refreshing token");
-
        let token_data = self
            .get_current_token_data()
            .ok_or(std::io::Error::other("Token data is not available."))?;
@@ -183,7 +180,7 @@ impl CodexAuth {
        }
    }

-    fn from_api_key_with_client(api_key: &str, client: CodexHttpClient) -> Self {
+    fn from_api_key_with_client(api_key: &str, client: reqwest::Client) -> Self {
        Self {
            api_key: Some(api_key.to_owned()),
            mode: AuthMode::ApiKey,
@@ -403,7 +400,7 @@ async fn update_tokens(

 async fn try_refresh_token(
    refresh_token: String,
-    client: &CodexHttpClient,
+    client: &reqwest::Client,
 ) -> std::io::Result<RefreshResponse> {
    let refresh_request = RefreshRequest {
        client_id: CLIENT_ID,
@@ -545,7 +542,6 @@ mod tests {
    }

    #[tokio::test]
-    #[serial(codex_api_key)]
    async fn pro_account_with_no_api_key_uses_chatgpt_auth() {
        let codex_home = tempdir().unwrap();
        let fake_jwt = write_auth_file(
@@ -595,7 +591,6 @@ mod tests {
    }

    #[tokio::test]
-    #[serial(codex_api_key)]
    async fn loads_api_key_from_auth_json() {
        let dir = tempdir().unwrap();
        let auth_file = dir.path().join("auth.json");
@@ -747,7 +742,6 @@ mod tests {
    }

    #[tokio::test]
-    #[serial(codex_api_key)]
    async fn enforce_login_restrictions_logs_out_for_workspace_mismatch() {
        let codex_home = tempdir().unwrap();
        let _jwt = write_auth_file(
@@ -773,7 +767,6 @@ mod tests {
    }

    #[tokio::test]
-    #[serial(codex_api_key)]
    async fn enforce_login_restrictions_allows_matching_workspace() {
        let codex_home = tempdir().unwrap();
        let _jwt = write_auth_file(
@@ -919,10 +912,7 @@ impl AuthManager {
                self.reload();
                Ok(Some(token))
            }
-            Err(e) => {
-                tracing::error!("Failed to refresh token: {}", e);
-                Err(e)
-            }
+            Err(e) => Err(e),
        }
    }

--- a/codex-rs/core/src/bash.rs
+++ b/codex-rs/core/src/bash.rs
@@ -5,13 +5,13 @@ use tree_sitter_bash::LANGUAGE as BASH;

 /// Parse the provided bash source using tree-sitter-bash, returning a Tree on
 /// success or None if parsing failed.
-pub fn try_parse_shell(shell_lc_arg: &str) -> Option<Tree> {
+pub fn try_parse_bash(bash_lc_arg: &str) -> Option<Tree> {
    let lang = BASH.into();
    let mut parser = Parser::new();
    #[expect(clippy::expect_used)]
    parser.set_language(&lang).expect("load bash grammar");
    let old_tree: Option<&Tree> = None;
-    parser.parse(shell_lc_arg, old_tree)
+    parser.parse(bash_lc_arg, old_tree)
 }

 /// Parse a script which may contain multiple simple commands joined only by
@@ -88,19 +88,18 @@ pub fn try_parse_word_only_commands_sequence(tree: &Tree, src: &str) -> Option<V
    Some(commands)
 }

-/// Returns the sequence of plain commands within a `bash -lc "..."` or
-/// `zsh -lc "..."` invocation when the script only contains word-only commands
-/// joined by safe operators.
-pub fn parse_shell_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
-    let [shell, flag, script] = command else {
+/// Returns the sequence of plain commands within a `bash -lc "..."` invocation
+/// when the script only contains word-only commands joined by safe operators.
+pub fn parse_bash_lc_plain_commands(command: &[String]) -> Option<Vec<Vec<String>>> {
+    let [bash, flag, script] = command else {
        return None;
    };

-    if flag != "-lc" || !(shell == "bash" || shell == "zsh") {
+    if bash != "bash" || flag != "-lc" {
        return None;
    }

-    let tree = try_parse_shell(script)?;
+    let tree = try_parse_bash(script)?;
    try_parse_word_only_commands_sequence(&tree, script)
 }

@@ -155,7 +154,7 @@ mod tests {
    use super::*;

    fn parse_seq(src: &str) -> Option<Vec<Vec<String>>> {
-        let tree = try_parse_shell(src)?;
+        let tree = try_parse_bash(src)?;
        try_parse_word_only_commands_sequence(&tree, src)
    }

@@ -235,11 +234,4 @@ mod tests {
    fn rejects_trailing_operator_parse_error() {
        assert!(parse_seq("ls &&").is_none());
    }
-
-    #[test]
-    fn parse_zsh_lc_plain_commands() {
-        let command = vec!["zsh".to_string(), "-lc".to_string(), "ls".to_string()];
-        let parsed = parse_shell_lc_plain_commands(&command).unwrap();
-        assert_eq!(parsed, vec![vec!["ls".to_string()]]);
-    }
 }
--- a/codex-rs/core/src/chat_completions.rs
+++ b/codex-rs/core/src/chat_completions.rs
@@ -4,7 +4,6 @@ use crate::ModelProviderInfo;
 use crate::client_common::Prompt;
 use crate::client_common::ResponseEvent;
 use crate::client_common::ResponseStream;
-use crate::default_client::CodexHttpClient;
 use crate::error::CodexErr;
 use crate::error::ConnectionFailedError;
 use crate::error::ResponseStreamFailed;
@@ -37,7 +36,7 @@ use tracing::trace;
 pub(crate) async fn stream_chat_completions(
    prompt: &Prompt,
    model_family: &ModelFamily,
-    client: &CodexHttpClient,
+    client: &reqwest::Client,
    provider: &ModelProviderInfo,
    otel_event_manager: &OtelEventManager,
 ) -> Result<ResponseStream> {
@@ -105,10 +104,10 @@ pub(crate) async fn stream_chat_completions(
            } = item
            {
                let mut text = String::new();
-                for entry in items {
-                    match entry {
-                        ReasoningItemContent::ReasoningText { text: segment }
-                        | ReasoningItemContent::Text { text: segment } => text.push_str(segment),
+                for c in items {
+                    match c {
+                        ReasoningItemContent::ReasoningText { text: t }
+                        | ReasoningItemContent::Text { text: t } => text.push_str(t),
                    }
                }
                if text.trim().is_empty() {
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -1,18 +1,17 @@
 use std::io::BufRead;
 use std::path::Path;
-use std::sync::Arc;
 use std::sync::OnceLock;
 use std::time::Duration;

+use crate::AuthManager;
+use crate::auth::CodexAuth;
+use crate::error::ConnectionFailedError;
+use crate::error::ResponseStreamFailed;
+use crate::error::RetryLimitReachedError;
+use crate::error::UnexpectedResponseError;
 use bytes::Bytes;
-use chrono::DateTime;
-use chrono::Utc;
 use codex_app_server_protocol::AuthMode;
-use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::ConversationId;
-use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
-use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
-use codex_protocol::models::ResponseItem;
 use eventsource_stream::Eventsource;
 use futures::prelude::*;
 use regex_lite::Regex;
@@ -28,8 +27,6 @@ use tracing::debug;
 use tracing::trace;
 use tracing::warn;

-use crate::AuthManager;
-use crate::auth::CodexAuth;
 use crate::chat_completions::AggregateStreamExt;
 use crate::chat_completions::stream_chat_completions;
 use crate::client_common::Prompt;
@@ -39,14 +36,9 @@ use crate::client_common::ResponsesApiRequest;
 use crate::client_common::create_reasoning_param_for_request;
 use crate::client_common::create_text_param_for_request;
 use crate::config::Config;
-use crate::default_client::CodexHttpClient;
 use crate::default_client::create_client;
 use crate::error::CodexErr;
-use crate::error::ConnectionFailedError;
-use crate::error::ResponseStreamFailed;
 use crate::error::Result;
-use crate::error::RetryLimitReachedError;
-use crate::error::UnexpectedResponseError;
 use crate::error::UsageLimitReachedError;
 use crate::flags::CODEX_RS_SSE_FIXTURE;
 use crate::model_family::ModelFamily;
@@ -60,6 +52,13 @@ use crate::state::TaskKind;
 use crate::token_data::PlanType;
 use crate::tools::spec::create_tools_json_for_responses_api;
 use crate::util::backoff;
+use chrono::DateTime;
+use chrono::Utc;
+use codex_otel::otel_event_manager::OtelEventManager;
+use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
+use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
+use codex_protocol::models::ResponseItem;
+use std::sync::Arc;

 #[derive(Debug, Deserialize)]
 struct ErrorResponse {
@@ -82,7 +81,7 @@ pub struct ModelClient {
    config: Arc<Config>,
    auth_manager: Option<Arc<AuthManager>>,
    otel_event_manager: OtelEventManager,
-    client: CodexHttpClient,
+    client: reqwest::Client,
    provider: ModelProviderInfo,
    conversation_id: ConversationId,
    effort: Option<ReasoningEffortConfig>,
@@ -134,14 +133,6 @@ impl ModelClient {
        self.stream_with_task_kind(prompt, TaskKind::Regular).await
    }

-    pub fn config(&self) -> Arc<Config> {
-        Arc::clone(&self.config)
-    }
-
-    pub fn provider(&self) -> &ModelProviderInfo {
-        &self.provider
-    }
-
    pub(crate) async fn stream_with_task_kind(
        &self,
        prompt: &Prompt,
@@ -309,7 +300,6 @@ impl ModelClient {
            "POST to {}: {:?}",
            self.provider.get_full_url(&auth),
            serde_json::to_string(payload_json)
-                .unwrap_or("<unable to serialize payload>".to_string())
        );

        let mut req_builder = self
@@ -345,6 +335,12 @@ impl ModelClient {
                .headers()
                .get("cf-ray")
                .map(|v| v.to_str().unwrap_or_default().to_string());
+
+            trace!(
+                "Response status: {}, cf-ray: {:?}",
+                resp.status(),
+                request_id
+            );
        }

        match res {
@@ -632,13 +628,13 @@ fn parse_rate_limit_window(
    headers: &HeaderMap,
    used_percent_header: &str,
    window_minutes_header: &str,
-    resets_at_header: &str,
+    resets_header: &str,
 ) -> Option<RateLimitWindow> {
    let used_percent: Option<f64> = parse_header_f64(headers, used_percent_header);

    used_percent.and_then(|used_percent| {
        let window_minutes = parse_header_i64(headers, window_minutes_header);
-        let resets_at = parse_header_i64(headers, resets_at_header);
+        let resets_at = parse_header_i64(headers, resets_header);

        let has_data = used_percent != 0.0
            || window_minutes.is_some_and(|minutes| minutes != 0)
@@ -1097,7 +1093,6 @@ mod tests {
            base_url: Some("https://test.com".to_string()),
            env_key: Some("TEST_API_KEY".to_string()),
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Responses,
            query_params: None,
            http_headers: None,
@@ -1161,7 +1156,6 @@ mod tests {
            base_url: Some("https://test.com".to_string()),
            env_key: Some("TEST_API_KEY".to_string()),
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Responses,
            query_params: None,
            http_headers: None,
@@ -1198,7 +1192,6 @@ mod tests {
            base_url: Some("https://test.com".to_string()),
            env_key: Some("TEST_API_KEY".to_string()),
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Responses,
            query_params: None,
            http_headers: None,
@@ -1237,7 +1230,6 @@ mod tests {
            base_url: Some("https://test.com".to_string()),
            env_key: Some("TEST_API_KEY".to_string()),
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Responses,
            query_params: None,
            http_headers: None,
@@ -1272,7 +1264,6 @@ mod tests {
            base_url: Some("https://test.com".to_string()),
            env_key: Some("TEST_API_KEY".to_string()),
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Responses,
            query_params: None,
            http_headers: None,
@@ -1376,7 +1367,6 @@ mod tests {
                base_url: Some("https://test.com".to_string()),
                env_key: Some("TEST_API_KEY".to_string()),
                env_key_instructions: None,
-                experimental_bearer_token: None,
                wire_api: WireApi::Responses,
                query_params: None,
                http_headers: None,
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
--- a/codex-rs/core/src/codex/compact.rs
+++ b/codex-rs/core/src/codex/compact.rs
@@ -10,21 +10,21 @@ use crate::error::Result as CodexResult;
 use crate::protocol::AgentMessageEvent;
 use crate::protocol::CompactedItem;
 use crate::protocol::ErrorEvent;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use crate::protocol::InputItem;
+use crate::protocol::InputMessageKind;
 use crate::protocol::TaskStartedEvent;
 use crate::protocol::TurnContextItem;
 use crate::state::TaskKind;
 use crate::truncate::truncate_middle;
 use crate::util::backoff;
 use askama::Template;
-use codex_protocol::items::TurnItem;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseInputItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::RolloutItem;
-use codex_protocol::user_input::UserInput;
 use futures::prelude::*;
-use tracing::error;

 pub const SUMMARIZATION_PROMPT: &str = include_str!("../../templates/compact/prompt.md");
 const COMPACT_USER_MESSAGE_MAX_TOKENS: usize = 20_000;
@@ -40,35 +40,40 @@ pub(crate) async fn run_inline_auto_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
 ) {
-    let input = vec![UserInput::Text {
+    let sub_id = sess.next_internal_sub_id();
+    let input = vec![InputItem::Text {
        text: SUMMARIZATION_PROMPT.to_string(),
    }];
-    run_compact_task_inner(sess, turn_context, input).await;
+    run_compact_task_inner(sess, turn_context, sub_id, input).await;
 }

 pub(crate) async fn run_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
-    input: Vec<UserInput>,
+    sub_id: String,
+    input: Vec<InputItem>,
 ) -> Option<String> {
-    let start_event = EventMsg::TaskStarted(TaskStartedEvent {
-        model_context_window: turn_context.client.get_model_context_window(),
-    });
-    sess.send_event(&turn_context, start_event).await;
-    run_compact_task_inner(sess.clone(), turn_context, input).await;
+    let start_event = Event {
+        id: sub_id.clone(),
+        msg: EventMsg::TaskStarted(TaskStartedEvent {
+            model_context_window: turn_context.client.get_model_context_window(),
+        }),
+    };
+    sess.send_event(start_event).await;
+    run_compact_task_inner(sess.clone(), turn_context, sub_id.clone(), input).await;
    None
 }

 async fn run_compact_task_inner(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
-    input: Vec<UserInput>,
+    sub_id: String,
+    input: Vec<InputItem>,
 ) {
    let initial_input_for_turn: ResponseInputItem = ResponseInputItem::from(input);
-
-    let mut history = sess.clone_history().await;
-    history.record_items(&[initial_input_for_turn.into()]);
-
+    let mut turn_input = sess
+        .turn_input_with_history(vec![initial_input_for_turn.clone().into()])
+        .await;
    let mut truncated_count = 0usize;

    let max_retries = turn_context.client.get_provider().stream_max_retries();
@@ -85,18 +90,18 @@ async fn run_compact_task_inner(
    sess.persist_rollout_items(&[rollout_item]).await;

    loop {
-        let turn_input = history.get_history();
        let prompt = Prompt {
            input: turn_input.clone(),
            ..Default::default()
        };
-        let attempt_result = drain_to_completed(&sess, turn_context.as_ref(), &prompt).await;
+        let attempt_result =
+            drain_to_completed(&sess, turn_context.as_ref(), &sub_id, &prompt).await;

        match attempt_result {
            Ok(()) => {
                if truncated_count > 0 {
                    sess.notify_background_event(
-                        turn_context.as_ref(),
+                        &sub_id,
                        format!(
                            "Trimmed {truncated_count} older conversation item(s) before compacting so the prompt fits the model context window."
                        ),
@@ -110,20 +115,20 @@ async fn run_compact_task_inner(
            }
            Err(e @ CodexErr::ContextWindowExceeded) => {
                if turn_input.len() > 1 {
-                    // Trim from the beginning to preserve cache (prefix-based) and keep recent messages intact.
-                    error!(
-                        "Context window exceeded while compacting; removing oldest history item. Error: {e}"
-                    );
-                    history.remove_first_item();
+                    turn_input.remove(0);
                    truncated_count += 1;
                    retries = 0;
                    continue;
                }
-                sess.set_total_tokens_full(turn_context.as_ref()).await;
-                let event = EventMsg::Error(ErrorEvent {
-                    message: e.to_string(),
-                });
-                sess.send_event(&turn_context, event).await;
+                sess.set_total_tokens_full(&sub_id, turn_context.as_ref())
+                    .await;
+                let event = Event {
+                    id: sub_id.clone(),
+                    msg: EventMsg::Error(ErrorEvent {
+                        message: e.to_string(),
+                    }),
+                };
+                sess.send_event(event).await;
                return;
            }
            Err(e) => {
@@ -131,17 +136,20 @@ async fn run_compact_task_inner(
                    retries += 1;
                    let delay = backoff(retries);
                    sess.notify_stream_error(
-                        turn_context.as_ref(),
+                        &sub_id,
                        format!("Re-connecting... {retries}/{max_retries}"),
                    )
                    .await;
                    tokio::time::sleep(delay).await;
                    continue;
                } else {
-                    let event = EventMsg::Error(ErrorEvent {
-                        message: e.to_string(),
-                    });
-                    sess.send_event(&turn_context, event).await;
+                    let event = Event {
+                        id: sub_id.clone(),
+                        msg: EventMsg::Error(ErrorEvent {
+                            message: e.to_string(),
+                        }),
+                    };
+                    sess.send_event(event).await;
                    return;
                }
            }
@@ -160,10 +168,13 @@ async fn run_compact_task_inner(
    });
    sess.persist_rollout_items(&[rollout_item]).await;

-    let event = EventMsg::AgentMessage(AgentMessageEvent {
-        message: "Compact task completed".to_string(),
-    });
-    sess.send_event(&turn_context, event).await;
+    let event = Event {
+        id: sub_id.clone(),
+        msg: EventMsg::AgentMessage(AgentMessageEvent {
+            message: "Compact task completed".to_string(),
+        }),
+    };
+    sess.send_event(event).await;
 }

 pub fn content_items_to_text(content: &[ContentItem]) -> Option<String> {
@@ -188,32 +199,29 @@ pub fn content_items_to_text(content: &[ContentItem]) -> Option<String> {
 pub(crate) fn collect_user_messages(items: &[ResponseItem]) -> Vec<String> {
    items
        .iter()
-        .filter_map(|item| match crate::event_mapping::parse_turn_item(item) {
-            Some(TurnItem::UserMessage(user)) => Some(user.message()),
+        .filter_map(|item| match item {
+            ResponseItem::Message { role, content, .. } if role == "user" => {
+                content_items_to_text(content)
+            }
            _ => None,
        })
+        .filter(|text| !is_session_prefix_message(text))
        .collect()
 }

+pub fn is_session_prefix_message(text: &str) -> bool {
+    matches!(
+        InputMessageKind::from(("user", text)),
+        InputMessageKind::UserInstructions | InputMessageKind::EnvironmentContext
+    )
+}
+
 pub(crate) fn build_compacted_history(
    initial_context: Vec<ResponseItem>,
    user_messages: &[String],
    summary_text: &str,
 ) -> Vec<ResponseItem> {
-    build_compacted_history_with_limit(
-        initial_context,
-        user_messages,
-        summary_text,
-        COMPACT_USER_MESSAGE_MAX_TOKENS * 4,
-    )
-}
-
-fn build_compacted_history_with_limit(
-    mut history: Vec<ResponseItem>,
-    user_messages: &[String],
-    summary_text: &str,
-    max_bytes: usize,
-) -> Vec<ResponseItem> {
+    let mut history = initial_context;
    let mut user_messages_text = if user_messages.is_empty() {
        "(none)".to_string()
    } else {
@@ -221,6 +229,7 @@ fn build_compacted_history_with_limit(
    };
    // Truncate the concatenated prior user messages so the bridge message
    // stays well under the context window (approx. 4 bytes/token).
+    let max_bytes = COMPACT_USER_MESSAGE_MAX_TOKENS * 4;
    if user_messages_text.len() > max_bytes {
        user_messages_text = truncate_middle(&user_messages_text, max_bytes).0;
    }
@@ -247,6 +256,7 @@ fn build_compacted_history_with_limit(
 async fn drain_to_completed(
    sess: &Session,
    turn_context: &TurnContext,
+    sub_id: &str,
    prompt: &Prompt,
 ) -> CodexResult<()> {
    let mut stream = turn_context
@@ -267,10 +277,10 @@ async fn drain_to_completed(
                sess.record_into_history(std::slice::from_ref(&item)).await;
            }
            Ok(ResponseEvent::RateLimits(snapshot)) => {
-                sess.update_rate_limits(turn_context, snapshot).await;
+                sess.update_rate_limits(sub_id, snapshot).await;
            }
            Ok(ResponseEvent::Completed { token_usage, .. }) => {
-                sess.update_token_usage_info(turn_context, token_usage.as_ref())
+                sess.update_token_usage_info(sub_id, turn_context, token_usage.as_ref())
                    .await;
                return Ok(());
            }
@@ -328,16 +338,21 @@ mod tests {
            ResponseItem::Message {
                id: Some("user".to_string()),
                role: "user".to_string(),
-                content: vec![ContentItem::InputText {
-                    text: "first".to_string(),
-                }],
+                content: vec![
+                    ContentItem::InputText {
+                        text: "first".to_string(),
+                    },
+                    ContentItem::OutputText {
+                        text: "second".to_string(),
+                    },
+                ],
            },
            ResponseItem::Other,
        ];

        let collected = collect_user_messages(&items);

-        assert_eq!(vec!["first".to_string()], collected);
+        assert_eq!(vec!["first\nsecond".to_string()], collected);
    }

    #[test]
@@ -373,16 +388,11 @@ mod tests {

    #[test]
    fn build_compacted_history_truncates_overlong_user_messages() {
-        // Use a small truncation limit so the test remains fast while still validating
-        // that oversized user content is truncated.
-        let max_bytes = 128;
-        let big = "X".repeat(max_bytes + 50);
-        let history = super::build_compacted_history_with_limit(
-            Vec::new(),
-            std::slice::from_ref(&big),
-            "SUMMARY",
-            max_bytes,
-        );
+        // Prepare a very large prior user message so the aggregated
+        // `user_messages_text` exceeds the truncation threshold used by
+        // `build_compacted_history` (80k bytes).
+        let big = "X".repeat(200_000);
+        let history = build_compacted_history(Vec::new(), std::slice::from_ref(&big), "SUMMARY");

        // Expect exactly one bridge message added to history (plus any initial context we provided, which is none).
        assert_eq!(history.len(), 1);
--- a/codex-rs/core/src/command_safety/is_dangerous_command.rs
+++ b/codex-rs/core/src/command_safety/is_dangerous_command.rs
@@ -1,4 +1,4 @@
-use crate::bash::parse_shell_lc_plain_commands;
+use crate::bash::parse_bash_lc_plain_commands;

 pub fn command_might_be_dangerous(command: &[String]) -> bool {
    if is_dangerous_to_call_with_exec(command) {
@@ -6,7 +6,7 @@ pub fn command_might_be_dangerous(command: &[String]) -> bool {
    }

    // Support `bash -lc "<script>"` where the any part of the script might contain a dangerous command.
-    if let Some(all_commands) = parse_shell_lc_plain_commands(command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(command)
        && all_commands
            .iter()
            .any(|cmd| is_dangerous_to_call_with_exec(cmd))
@@ -57,15 +57,6 @@ mod tests {
        ])));
    }

-    #[test]
-    fn zsh_git_reset_is_dangerous() {
-        assert!(command_might_be_dangerous(&vec_str(&[
-            "zsh",
-            "-lc",
-            "git reset --hard"
-        ])));
-    }
-
    #[test]
    fn git_status_is_not_dangerous() {
        assert!(!command_might_be_dangerous(&vec_str(&["git", "status"])));
--- a/codex-rs/core/src/command_safety/is_safe_command.rs
+++ b/codex-rs/core/src/command_safety/is_safe_command.rs
@@ -1,4 +1,4 @@
-use crate::bash::parse_shell_lc_plain_commands;
+use crate::bash::parse_bash_lc_plain_commands;

 pub fn is_known_safe_command(command: &[String]) -> bool {
    let command: Vec<String> = command
@@ -29,7 +29,7 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
    // introduce side effects ( "&&", "||", ";", and "|" ). If every
    // individual command in the script is itself a known‑safe command, then
    // the composite expression is considered safe.
-    if let Some(all_commands) = parse_shell_lc_plain_commands(&command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(&command)
        && !all_commands.is_empty()
        && all_commands
            .iter()
@@ -201,11 +201,6 @@ mod tests {
        ])));
    }

-    #[test]
-    fn zsh_lc_safe_command_sequence() {
-        assert!(is_known_safe_command(&vec_str(&["zsh", "-lc", "ls"])));
-    }
-
    #[test]
    fn unknown_or_partial() {
        assert!(!is_safe_to_call_with_exec(&vec_str(&["foo"])));
--- a/codex-rs/core/src/config.rs
+++ b/codex-rs/core/src/config.rs
@@ -216,6 +216,9 @@ pub struct Config {
    /// When set, restricts the login mechanism users may use.
    pub forced_login_method: Option<ForcedLoginMethod>,

+    /// Include an experimental plan tool that the model can use to update its current plan and status of each step.
+    pub include_plan_tool: bool,
+
    /// Include the `apply_patch` tool for models that benefit from invoking
    /// file edits as a structured tool call. When unset, this falls back to the
    /// model family's default preference.
@@ -223,9 +226,6 @@ pub struct Config {

    pub tools_web_search_request: bool,

-    /// When `true`, run a model-based assessment for commands denied by the sandbox.
-    pub experimental_sandbox_command_assessment: bool,
-
    pub use_experimental_streamable_shell_tool: bool,

    /// If set to `true`, used only the experimental unified exec tool.
@@ -484,16 +484,6 @@ pub fn write_global_mcp_servers(
                entry["tool_timeout_sec"] = toml_edit::value(timeout.as_secs_f64());
            }

-            if let Some(enabled_tools) = &config.enabled_tools {
-                entry["enabled_tools"] =
-                    TomlItem::Value(enabled_tools.iter().collect::<TomlArray>().into());
-            }
-
-            if let Some(disabled_tools) = &config.disabled_tools {
-                entry["disabled_tools"] =
-                    TomlItem::Value(disabled_tools.iter().collect::<TomlArray>().into());
-            }
-
            doc["mcp_servers"][name.as_str()] = TomlItem::Table(entry);
        }
    }
@@ -961,7 +951,6 @@ pub struct ConfigToml {
    pub experimental_use_unified_exec_tool: Option<bool>,
    pub experimental_use_rmcp_client: Option<bool>,
    pub experimental_use_freeform_apply_patch: Option<bool>,
-    pub experimental_sandbox_command_assessment: Option<bool>,
 }

 impl From<ConfigToml> for UserSavedConfig {
@@ -1027,11 +1016,9 @@ impl ConfigToml {
    fn derive_sandbox_policy(
        &self,
        sandbox_mode_override: Option<SandboxMode>,
-        profile_sandbox_mode: Option<SandboxMode>,
        resolved_cwd: &Path,
    ) -> SandboxPolicy {
        let resolved_sandbox_mode = sandbox_mode_override
-            .or(profile_sandbox_mode)
            .or(self.sandbox_mode)
            .or_else(|| {
                // if no sandbox_mode is set, but user has marked directory as trusted, use WorkspaceWrite
@@ -1120,11 +1107,11 @@ pub struct ConfigOverrides {
    pub config_profile: Option<String>,
    pub codex_linux_sandbox_exe: Option<PathBuf>,
    pub base_instructions: Option<String>,
+    pub include_plan_tool: Option<bool>,
    pub include_apply_patch_tool: Option<bool>,
    pub include_view_image_tool: Option<bool>,
    pub show_raw_agent_reasoning: Option<bool>,
    pub tools_web_search_request: Option<bool>,
-    pub experimental_sandbox_command_assessment: Option<bool>,
    /// Additional directories that should be treated as writable roots for this session.
    pub additional_writable_roots: Vec<PathBuf>,
 }
@@ -1150,11 +1137,11 @@ impl Config {
            config_profile: config_profile_key,
            codex_linux_sandbox_exe,
            base_instructions,
+            include_plan_tool: include_plan_tool_override,
            include_apply_patch_tool: include_apply_patch_tool_override,
            include_view_image_tool: include_view_image_tool_override,
            show_raw_agent_reasoning,
            tools_web_search_request: override_tools_web_search_request,
-            experimental_sandbox_command_assessment: sandbox_command_assessment_override,
            additional_writable_roots,
        } = overrides;

@@ -1177,10 +1164,10 @@ impl Config {
        };

        let feature_overrides = FeatureOverrides {
+            include_plan_tool: include_plan_tool_override,
            include_apply_patch_tool: include_apply_patch_tool_override,
            include_view_image_tool: include_view_image_tool_override,
            web_search_request: override_tools_web_search_request,
-            experimental_sandbox_command_assessment: sandbox_command_assessment_override,
        };

        let features = Features::from_config(&cfg, &config_profile, feature_overrides);
@@ -1221,8 +1208,7 @@ impl Config {
            .get_active_project(&resolved_cwd)
            .unwrap_or(ProjectConfig { trust_level: None });

-        let mut sandbox_policy =
-            cfg.derive_sandbox_policy(sandbox_mode, config_profile.sandbox_mode, &resolved_cwd);
+        let mut sandbox_policy = cfg.derive_sandbox_policy(sandbox_mode, &resolved_cwd);
        if let SandboxPolicy::WorkspaceWrite { writable_roots, .. } = &mut sandbox_policy {
            for path in additional_writable_roots {
                if !writable_roots.iter().any(|existing| existing == &path) {
@@ -1230,7 +1216,7 @@ impl Config {
                }
            }
        }
-        let approval_policy = approval_policy_override
+        let mut approval_policy = approval_policy_override
            .or(config_profile.approval_policy)
            .or(cfg.approval_policy)
            .unwrap_or_else(|| {
@@ -1245,8 +1231,8 @@ impl Config {
            .is_some()
            || config_profile.approval_policy.is_some()
            || cfg.approval_policy.is_some()
+            // TODO(#3034): profile.sandbox_mode is not implemented
            || sandbox_mode.is_some()
-            || config_profile.sandbox_mode.is_some()
            || cfg.sandbox_mode.is_some();

        let mut model_providers = built_in_model_providers();
@@ -1273,14 +1259,13 @@ impl Config {

        let history = cfg.history.unwrap_or_default();

+        let include_plan_tool_flag = features.enabled(Feature::PlanTool);
        let include_apply_patch_tool_flag = features.enabled(Feature::ApplyPatchFreeform);
        let include_view_image_tool_flag = features.enabled(Feature::ViewImageTool);
        let tools_web_search_request = features.enabled(Feature::WebSearchRequest);
        let use_experimental_streamable_shell_tool = features.enabled(Feature::StreamableShell);
        let use_experimental_unified_exec_tool = features.enabled(Feature::UnifiedExec);
        let use_experimental_use_rmcp_client = features.enabled(Feature::RmcpClient);
-        let experimental_sandbox_command_assessment =
-            features.enabled(Feature::SandboxCommandAssessment);

        let forced_chatgpt_workspace_id =
            cfg.forced_chatgpt_workspace_id.as_ref().and_then(|value| {
@@ -1340,6 +1325,10 @@ impl Config {
            .or(cfg.review_model)
            .unwrap_or_else(default_review_model);

+        if features.enabled(Feature::ApproveAll) {
+            approval_policy = AskForApproval::OnRequest;
+        }
+
        let config = Self {
            model,
            review_model,
@@ -1400,9 +1389,9 @@ impl Config {
                .unwrap_or("https://chatgpt.com/backend-api/".to_string()),
            forced_chatgpt_workspace_id,
            forced_login_method,
+            include_plan_tool: include_plan_tool_flag,
            include_apply_patch_tool: include_apply_patch_tool_flag,
            tools_web_search_request,
-            experimental_sandbox_command_assessment,
            use_experimental_streamable_shell_tool,
            use_experimental_unified_exec_tool,
            use_experimental_use_rmcp_client,
@@ -1606,11 +1595,8 @@ network_access = false  # This should be ignored.
        let sandbox_mode_override = None;
        assert_eq!(
            SandboxPolicy::DangerFullAccess,
-            sandbox_full_access_cfg.derive_sandbox_policy(
-                sandbox_mode_override,
-                None,
-                &PathBuf::from("/tmp/test")
-            )
+            sandbox_full_access_cfg
+                .derive_sandbox_policy(sandbox_mode_override, &PathBuf::from("/tmp/test"))
        );

        let sandbox_read_only = r#"
@@ -1625,11 +1611,8 @@ network_access = true  # This should be ignored.
        let sandbox_mode_override = None;
        assert_eq!(
            SandboxPolicy::ReadOnly,
-            sandbox_read_only_cfg.derive_sandbox_policy(
-                sandbox_mode_override,
-                None,
-                &PathBuf::from("/tmp/test")
-            )
+            sandbox_read_only_cfg
+                .derive_sandbox_policy(sandbox_mode_override, &PathBuf::from("/tmp/test"))
        );

        let sandbox_workspace_write = r#"
@@ -1653,11 +1636,8 @@ exclude_slash_tmp = true
                exclude_tmpdir_env_var: true,
                exclude_slash_tmp: true,
            },
-            sandbox_workspace_write_cfg.derive_sandbox_policy(
-                sandbox_mode_override,
-                None,
-                &PathBuf::from("/tmp/test")
-            )
+            sandbox_workspace_write_cfg
+                .derive_sandbox_policy(sandbox_mode_override, &PathBuf::from("/tmp/test"))
        );

        let sandbox_workspace_write = r#"
@@ -1684,11 +1664,8 @@ trust_level = "trusted"
                exclude_tmpdir_env_var: true,
                exclude_slash_tmp: true,
            },
-            sandbox_workspace_write_cfg.derive_sandbox_policy(
-                sandbox_mode_override,
-                None,
-                &PathBuf::from("/tmp/test")
-            )
+            sandbox_workspace_write_cfg
+                .derive_sandbox_policy(sandbox_mode_override, &PathBuf::from("/tmp/test"))
        );
    }

@@ -1732,6 +1709,26 @@ trust_level = "trusted"
        Ok(())
    }

+    #[test]
+    fn approve_all_feature_forces_on_request_policy() -> std::io::Result<()> {
+        let cfg = r#"
+[features]
+approve_all = true
+"#;
+        let parsed = toml::from_str::<ConfigToml>(cfg)
+            .expect("TOML deserialization should succeed for approve_all feature");
+        let temp_dir = TempDir::new()?;
+        let config = Config::load_from_base_config_with_overrides(
+            parsed,
+            ConfigOverrides::default(),
+            temp_dir.path().to_path_buf(),
+        )?;
+
+        assert!(config.features.enabled(Feature::ApproveAll));
+        assert_eq!(config.approval_policy, AskForApproval::OnRequest);
+        Ok(())
+    }
+
    #[test]
    fn config_defaults_to_auto_oauth_store_mode() -> std::io::Result<()> {
        let codex_home = TempDir::new()?;
@@ -1758,6 +1755,7 @@ trust_level = "trusted"
        profiles.insert(
            "work".to_string(),
            ConfigProfile {
+                include_plan_tool: Some(true),
                include_view_image_tool: Some(false),
                ..Default::default()
            },
@@ -1774,85 +1772,19 @@ trust_level = "trusted"
            codex_home.path().to_path_buf(),
        )?;

+        assert!(config.features.enabled(Feature::PlanTool));
        assert!(!config.features.enabled(Feature::ViewImageTool));
+        assert!(config.include_plan_tool);
        assert!(!config.include_view_image_tool);

        Ok(())
    }

-    #[test]
-    fn profile_sandbox_mode_overrides_base() -> std::io::Result<()> {
-        let codex_home = TempDir::new()?;
-        let mut profiles = HashMap::new();
-        profiles.insert(
-            "work".to_string(),
-            ConfigProfile {
-                sandbox_mode: Some(SandboxMode::DangerFullAccess),
-                ..Default::default()
-            },
-        );
-        let cfg = ConfigToml {
-            profiles,
-            profile: Some("work".to_string()),
-            sandbox_mode: Some(SandboxMode::ReadOnly),
-            ..Default::default()
-        };
-
-        let config = Config::load_from_base_config_with_overrides(
-            cfg,
-            ConfigOverrides::default(),
-            codex_home.path().to_path_buf(),
-        )?;
-
-        assert!(matches!(
-            config.sandbox_policy,
-            SandboxPolicy::DangerFullAccess
-        ));
-        assert!(config.did_user_set_custom_approval_policy_or_sandbox_mode);
-
-        Ok(())
-    }
-
-    #[test]
-    fn cli_override_takes_precedence_over_profile_sandbox_mode() -> std::io::Result<()> {
-        let codex_home = TempDir::new()?;
-        let mut profiles = HashMap::new();
-        profiles.insert(
-            "work".to_string(),
-            ConfigProfile {
-                sandbox_mode: Some(SandboxMode::DangerFullAccess),
-                ..Default::default()
-            },
-        );
-        let cfg = ConfigToml {
-            profiles,
-            profile: Some("work".to_string()),
-            ..Default::default()
-        };
-
-        let overrides = ConfigOverrides {
-            sandbox_mode: Some(SandboxMode::WorkspaceWrite),
-            ..Default::default()
-        };
-
-        let config = Config::load_from_base_config_with_overrides(
-            cfg,
-            overrides,
-            codex_home.path().to_path_buf(),
-        )?;
-
-        assert!(matches!(
-            config.sandbox_policy,
-            SandboxPolicy::WorkspaceWrite { .. }
-        ));
-
-        Ok(())
-    }
-
    #[test]
    fn feature_table_overrides_legacy_flags() -> std::io::Result<()> {
        let codex_home = TempDir::new()?;
        let mut entries = BTreeMap::new();
+        entries.insert("plan_tool".to_string(), false);
        entries.insert("apply_patch_freeform".to_string(), false);
        let cfg = ConfigToml {
            features: Some(crate::features::FeaturesToml { entries }),
@@ -1865,7 +1797,9 @@ trust_level = "trusted"
            codex_home.path().to_path_buf(),
        )?;

+        assert!(!config.features.enabled(Feature::PlanTool));
        assert!(!config.features.enabled(Feature::ApplyPatchFreeform));
+        assert!(!config.include_plan_tool);
        assert!(!config.include_apply_patch_tool);

        Ok(())
@@ -1989,8 +1923,6 @@ trust_level = "trusted"
                enabled: true,
                startup_timeout_sec: Some(Duration::from_secs(3)),
                tool_timeout_sec: Some(Duration::from_secs(5)),
-                enabled_tools: None,
-                disabled_tools: None,
            },
        );

@@ -2127,8 +2059,6 @@ bearer_token = "secret"
                enabled: true,
                startup_timeout_sec: None,
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        )]);

@@ -2191,8 +2121,6 @@ ZIG_VAR = "3"
                enabled: true,
                startup_timeout_sec: None,
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        )]);

@@ -2235,8 +2163,6 @@ ZIG_VAR = "3"
                enabled: true,
                startup_timeout_sec: None,
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        )]);

@@ -2278,8 +2204,6 @@ ZIG_VAR = "3"
                enabled: true,
                startup_timeout_sec: Some(Duration::from_secs(2)),
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        )]);

@@ -2337,8 +2261,6 @@ startup_timeout_sec = 2.0
                enabled: true,
                startup_timeout_sec: Some(Duration::from_secs(2)),
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        )]);
        write_global_mcp_servers(codex_home.path(), &servers)?;
@@ -2408,8 +2330,6 @@ X-Auth = "DOCS_AUTH"
                enabled: true,
                startup_timeout_sec: Some(Duration::from_secs(2)),
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        )]);

@@ -2431,8 +2351,6 @@ X-Auth = "DOCS_AUTH"
                enabled: true,
                startup_timeout_sec: None,
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        );
        write_global_mcp_servers(codex_home.path(), &servers)?;
@@ -2492,8 +2410,6 @@ url = "https://example.com/mcp"
                    enabled: true,
                    startup_timeout_sec: Some(Duration::from_secs(2)),
                    tool_timeout_sec: None,
-                    enabled_tools: None,
-                    disabled_tools: None,
                },
            ),
            (
@@ -2509,8 +2425,6 @@ url = "https://example.com/mcp"
                    enabled: true,
                    startup_timeout_sec: None,
                    tool_timeout_sec: None,
-                    enabled_tools: None,
-                    disabled_tools: None,
                },
            ),
        ]);
@@ -2585,8 +2499,6 @@ url = "https://example.com/mcp"
                enabled: false,
                startup_timeout_sec: None,
                tool_timeout_sec: None,
-                enabled_tools: None,
-                disabled_tools: None,
            },
        )]);

@@ -2606,49 +2518,6 @@ url = "https://example.com/mcp"
        Ok(())
    }

-    #[tokio::test]
-    async fn write_global_mcp_servers_serializes_tool_filters() -> anyhow::Result<()> {
-        let codex_home = TempDir::new()?;
-
-        let servers = BTreeMap::from([(
-            "docs".to_string(),
-            McpServerConfig {
-                transport: McpServerTransportConfig::Stdio {
-                    command: "docs-server".to_string(),
-                    args: Vec::new(),
-                    env: None,
-                    env_vars: Vec::new(),
-                    cwd: None,
-                },
-                enabled: true,
-                startup_timeout_sec: None,
-                tool_timeout_sec: None,
-                enabled_tools: Some(vec!["allowed".to_string()]),
-                disabled_tools: Some(vec!["blocked".to_string()]),
-            },
-        )]);
-
-        write_global_mcp_servers(codex_home.path(), &servers)?;
-
-        let config_path = codex_home.path().join(CONFIG_TOML_FILE);
-        let serialized = std::fs::read_to_string(&config_path)?;
-        assert!(serialized.contains(r#"enabled_tools = ["allowed"]"#));
-        assert!(serialized.contains(r#"disabled_tools = ["blocked"]"#));
-
-        let loaded = load_global_mcp_servers(codex_home.path()).await?;
-        let docs = loaded.get("docs").expect("docs entry");
-        assert_eq!(
-            docs.enabled_tools.as_ref(),
-            Some(&vec!["allowed".to_string()])
-        );
-        assert_eq!(
-            docs.disabled_tools.as_ref(),
-            Some(&vec!["blocked".to_string()])
-        );
-
-        Ok(())
-    }
-
    #[tokio::test]
    async fn persist_model_selection_updates_defaults() -> anyhow::Result<()> {
        let codex_home = TempDir::new()?;
@@ -2871,7 +2740,6 @@ model_verbosity = "high"
            env_key: Some("OPENAI_API_KEY".to_string()),
            wire_api: crate::WireApi::Chat,
            env_key_instructions: None,
-            experimental_bearer_token: None,
            query_params: None,
            http_headers: None,
            env_http_headers: None,
@@ -2965,9 +2833,9 @@ model_verbosity = "high"
                base_instructions: None,
                forced_chatgpt_workspace_id: None,
                forced_login_method: None,
+                include_plan_tool: false,
                include_apply_patch_tool: false,
                tools_web_search_request: false,
-                experimental_sandbox_command_assessment: false,
                use_experimental_streamable_shell_tool: false,
                use_experimental_unified_exec_tool: false,
                use_experimental_use_rmcp_client: false,
@@ -3034,9 +2902,9 @@ model_verbosity = "high"
            base_instructions: None,
            forced_chatgpt_workspace_id: None,
            forced_login_method: None,
+            include_plan_tool: false,
            include_apply_patch_tool: false,
            tools_web_search_request: false,
-            experimental_sandbox_command_assessment: false,
            use_experimental_streamable_shell_tool: false,
            use_experimental_unified_exec_tool: false,
            use_experimental_use_rmcp_client: false,
@@ -3118,9 +2986,9 @@ model_verbosity = "high"
            base_instructions: None,
            forced_chatgpt_workspace_id: None,
            forced_login_method: None,
+            include_plan_tool: false,
            include_apply_patch_tool: false,
            tools_web_search_request: false,
-            experimental_sandbox_command_assessment: false,
            use_experimental_streamable_shell_tool: false,
            use_experimental_unified_exec_tool: false,
            use_experimental_use_rmcp_client: false,
@@ -3188,9 +3056,9 @@ model_verbosity = "high"
            base_instructions: None,
            forced_chatgpt_workspace_id: None,
            forced_login_method: None,
+            include_plan_tool: false,
            include_apply_patch_tool: false,
            tools_web_search_request: false,
-            experimental_sandbox_command_assessment: false,
            use_experimental_streamable_shell_tool: false,
            use_experimental_unified_exec_tool: false,
            use_experimental_use_rmcp_client: false,
--- a/codex-rs/core/src/config_profile.rs
+++ b/codex-rs/core/src/config_profile.rs
@@ -4,7 +4,6 @@ use std::path::PathBuf;
 use crate::protocol::AskForApproval;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
-use codex_protocol::config_types::SandboxMode;
 use codex_protocol::config_types::Verbosity;

 /// Collection of common configuration options that a user can define as a unit
@@ -16,19 +15,18 @@ pub struct ConfigProfile {
    /// [`ModelProviderInfo`] to use.
    pub model_provider: Option<String>,
    pub approval_policy: Option<AskForApproval>,
-    pub sandbox_mode: Option<SandboxMode>,
    pub model_reasoning_effort: Option<ReasoningEffort>,
    pub model_reasoning_summary: Option<ReasoningSummary>,
    pub model_verbosity: Option<Verbosity>,
    pub chatgpt_base_url: Option<String>,
    pub experimental_instructions_file: Option<PathBuf>,
+    pub include_plan_tool: Option<bool>,
    pub include_apply_patch_tool: Option<bool>,
    pub include_view_image_tool: Option<bool>,
    pub experimental_use_unified_exec_tool: Option<bool>,
    pub experimental_use_exec_command_tool: Option<bool>,
    pub experimental_use_rmcp_client: Option<bool>,
    pub experimental_use_freeform_apply_patch: Option<bool>,
-    pub experimental_sandbox_command_assessment: Option<bool>,
    pub tools_web_search: Option<bool>,
    pub tools_view_image: Option<bool>,
    /// Optional feature toggles scoped to this profile.
--- a/codex-rs/core/src/config_types.rs
+++ b/codex-rs/core/src/config_types.rs
@@ -35,14 +35,6 @@ pub struct McpServerConfig {
    /// Default timeout for MCP tool calls initiated via this server.
    #[serde(default, with = "option_duration_secs")]
    pub tool_timeout_sec: Option<Duration>,
-
-    /// Explicit allow-list of tools exposed from this server. When set, only these tools will be registered.
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub enabled_tools: Option<Vec<String>>,
-
-    /// Explicit deny-list of tools. These tools will be removed after applying `enabled_tools`.
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub disabled_tools: Option<Vec<String>>,
 }

 impl<'de> Deserialize<'de> for McpServerConfig {
@@ -50,7 +42,7 @@ impl<'de> Deserialize<'de> for McpServerConfig {
    where
        D: Deserializer<'de>,
    {
-        #[derive(Deserialize, Clone)]
+        #[derive(Deserialize)]
        struct RawMcpServerConfig {
            // stdio
            command: Option<String>,
@@ -80,13 +72,9 @@ impl<'de> Deserialize<'de> for McpServerConfig {
            tool_timeout_sec: Option<Duration>,
            #[serde(default)]
            enabled: Option<bool>,
-            #[serde(default)]
-            enabled_tools: Option<Vec<String>>,
-            #[serde(default)]
-            disabled_tools: Option<Vec<String>>,
        }

-        let mut raw = RawMcpServerConfig::deserialize(deserializer)?;
+        let raw = RawMcpServerConfig::deserialize(deserializer)?;

        let startup_timeout_sec = match (raw.startup_timeout_sec, raw.startup_timeout_ms) {
            (Some(sec), _) => {
@@ -96,10 +84,6 @@ impl<'de> Deserialize<'de> for McpServerConfig {
            (None, Some(ms)) => Some(Duration::from_millis(ms)),
            (None, None) => None,
        };
-        let tool_timeout_sec = raw.tool_timeout_sec;
-        let enabled = raw.enabled.unwrap_or_else(default_enabled);
-        let enabled_tools = raw.enabled_tools.clone();
-        let disabled_tools = raw.disabled_tools.clone();

        fn throw_if_set<E, T>(transport: &str, field: &str, value: Option<&T>) -> Result<(), E>
        where
@@ -113,46 +97,72 @@ impl<'de> Deserialize<'de> for McpServerConfig {
            )))
        }

-        let transport = if let Some(command) = raw.command.clone() {
-            throw_if_set("stdio", "url", raw.url.as_ref())?;
-            throw_if_set(
-                "stdio",
-                "bearer_token_env_var",
-                raw.bearer_token_env_var.as_ref(),
-            )?;
-            throw_if_set("stdio", "bearer_token", raw.bearer_token.as_ref())?;
-            throw_if_set("stdio", "http_headers", raw.http_headers.as_ref())?;
-            throw_if_set("stdio", "env_http_headers", raw.env_http_headers.as_ref())?;
-            McpServerTransportConfig::Stdio {
-                command,
-                args: raw.args.clone().unwrap_or_default(),
-                env: raw.env.clone(),
-                env_vars: raw.env_vars.clone().unwrap_or_default(),
-                cwd: raw.cwd.take(),
-            }
-        } else if let Some(url) = raw.url.clone() {
-            throw_if_set("streamable_http", "args", raw.args.as_ref())?;
-            throw_if_set("streamable_http", "env", raw.env.as_ref())?;
-            throw_if_set("streamable_http", "env_vars", raw.env_vars.as_ref())?;
-            throw_if_set("streamable_http", "cwd", raw.cwd.as_ref())?;
-            throw_if_set("streamable_http", "bearer_token", raw.bearer_token.as_ref())?;
-            McpServerTransportConfig::StreamableHttp {
+        let transport = match raw {
+            RawMcpServerConfig {
+                command: Some(command),
+                args,
+                env,
+                env_vars,
+                cwd,
                url,
-                bearer_token_env_var: raw.bearer_token_env_var.clone(),
-                http_headers: raw.http_headers.clone(),
-                env_http_headers: raw.env_http_headers.take(),
+                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
+                ..
+            } => {
+                throw_if_set("stdio", "url", url.as_ref())?;
+                throw_if_set(
+                    "stdio",
+                    "bearer_token_env_var",
+                    bearer_token_env_var.as_ref(),
+                )?;
+                throw_if_set("stdio", "http_headers", http_headers.as_ref())?;
+                throw_if_set("stdio", "env_http_headers", env_http_headers.as_ref())?;
+                McpServerTransportConfig::Stdio {
+                    command,
+                    args: args.unwrap_or_default(),
+                    env,
+                    env_vars: env_vars.unwrap_or_default(),
+                    cwd,
+                }
            }
-        } else {
-            return Err(SerdeError::custom("invalid transport"));
+            RawMcpServerConfig {
+                url: Some(url),
+                bearer_token,
+                bearer_token_env_var,
+                command,
+                args,
+                env,
+                env_vars,
+                cwd,
+                http_headers,
+                env_http_headers,
+                startup_timeout_sec: _,
+                tool_timeout_sec: _,
+                startup_timeout_ms: _,
+                enabled: _,
+            } => {
+                throw_if_set("streamable_http", "command", command.as_ref())?;
+                throw_if_set("streamable_http", "args", args.as_ref())?;
+                throw_if_set("streamable_http", "env", env.as_ref())?;
+                throw_if_set("streamable_http", "env_vars", env_vars.as_ref())?;
+                throw_if_set("streamable_http", "cwd", cwd.as_ref())?;
+                throw_if_set("streamable_http", "bearer_token", bearer_token.as_ref())?;
+                McpServerTransportConfig::StreamableHttp {
+                    url,
+                    bearer_token_env_var,
+                    http_headers,
+                    env_http_headers,
+                }
+            }
+            _ => return Err(SerdeError::custom("invalid transport")),
        };

        Ok(Self {
            transport,
            startup_timeout_sec,
-            tool_timeout_sec,
-            enabled,
-            enabled_tools,
-            disabled_tools,
+            tool_timeout_sec: raw.tool_timeout_sec,
+            enabled: raw.enabled.unwrap_or_else(default_enabled),
        })
    }
 }
@@ -517,8 +527,6 @@ mod tests {
            }
        );
        assert!(cfg.enabled);
-        assert!(cfg.enabled_tools.is_none());
-        assert!(cfg.disabled_tools.is_none());
    }

    #[test]
@@ -693,21 +701,6 @@ mod tests {
        );
    }

-    #[test]
-    fn deserialize_server_config_with_tool_filters() {
-        let cfg: McpServerConfig = toml::from_str(
-            r#"
-            command = "echo"
-            enabled_tools = ["allowed"]
-            disabled_tools = ["blocked"]
-        "#,
-        )
-        .expect("should deserialize tool filters");
-
-        assert_eq!(cfg.enabled_tools, Some(vec!["allowed".to_string()]));
-        assert_eq!(cfg.disabled_tools, Some(vec!["blocked".to_string()]));
-    }
-
    #[test]
    fn deserialize_rejects_command_and_url() {
        toml::from_str::<McpServerConfig>(
--- a/codex-rs/core/src/conversation_history.rs
+++ b/codex-rs/core/src/conversation_history.rs
@@ -1,36 +1,20 @@
-use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::TokenUsage;
-use codex_protocol::protocol::TokenUsageInfo;
-use tracing::error;

 /// Transcript of conversation history
 #[derive(Debug, Clone, Default)]
 pub(crate) struct ConversationHistory {
    /// The oldest items are at the beginning of the vector.
    items: Vec<ResponseItem>,
-    token_info: Option<TokenUsageInfo>,
 }

 impl ConversationHistory {
    pub(crate) fn new() -> Self {
-        Self {
-            items: Vec::new(),
-            token_info: TokenUsageInfo::new_or_append(&None, &None, None),
-        }
+        Self { items: Vec::new() }
    }

-    pub(crate) fn token_info(&self) -> Option<TokenUsageInfo> {
-        self.token_info.clone()
-    }
-
-    pub(crate) fn set_token_usage_full(&mut self, context_window: i64) {
-        match &mut self.token_info {
-            Some(info) => info.fill_to_context_window(context_window),
-            None => {
-                self.token_info = Some(TokenUsageInfo::full_context_window(context_window));
-            }
-        }
+    /// Returns a clone of the contents in the transcript.
+    pub(crate) fn contents(&self) -> Vec<ResponseItem> {
+        self.items.clone()
    }

    /// `items` is ordered from oldest to newest.
@@ -48,299 +32,9 @@ impl ConversationHistory {
        }
    }

-    pub(crate) fn get_history(&mut self) -> Vec<ResponseItem> {
-        self.normalize_history();
-        self.contents()
-    }
-
-    pub(crate) fn remove_first_item(&mut self) {
-        if !self.items.is_empty() {
-            // Remove the oldest item (front of the list). Items are ordered from
-            // oldest → newest, so index 0 is the first entry recorded.
-            let removed = self.items.remove(0);
-            // If the removed item participates in a call/output pair, also remove
-            // its corresponding counterpart to keep the invariants intact without
-            // running a full normalization pass.
-            self.remove_corresponding_for(&removed);
-        }
-    }
-
-    /// This function enforces a couple of invariants on the in-memory history:
-    /// 1. every call (function/custom) has a corresponding output entry
-    /// 2. every output has a corresponding call entry
-    fn normalize_history(&mut self) {
-        // all function/tool calls must have a corresponding output
-        self.ensure_call_outputs_present();
-
-        // all outputs must have a corresponding function/tool call
-        self.remove_orphan_outputs();
-    }
-
-    /// Returns a clone of the contents in the transcript.
-    fn contents(&self) -> Vec<ResponseItem> {
-        self.items.clone()
-    }
-
-    fn ensure_call_outputs_present(&mut self) {
-        // Collect synthetic outputs to insert immediately after their calls.
-        // Store the insertion position (index of call) alongside the item so
-        // we can insert in reverse order and avoid index shifting.
-        let mut missing_outputs_to_insert: Vec<(usize, ResponseItem)> = Vec::new();
-
-        for (idx, item) in self.items.iter().enumerate() {
-            match item {
-                ResponseItem::FunctionCall { call_id, .. } => {
-                    let has_output = self.items.iter().any(|i| match i {
-                        ResponseItem::FunctionCallOutput {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_output {
-                        error_or_panic(format!(
-                            "Function call output is missing for call id: {call_id}"
-                        ));
-                        missing_outputs_to_insert.push((
-                            idx,
-                            ResponseItem::FunctionCallOutput {
-                                call_id: call_id.clone(),
-                                output: FunctionCallOutputPayload {
-                                    content: "aborted".to_string(),
-                                    success: None,
-                                },
-                            },
-                        ));
-                    }
-                }
-                ResponseItem::CustomToolCall { call_id, .. } => {
-                    let has_output = self.items.iter().any(|i| match i {
-                        ResponseItem::CustomToolCallOutput {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_output {
-                        error_or_panic(format!(
-                            "Custom tool call output is missing for call id: {call_id}"
-                        ));
-                        missing_outputs_to_insert.push((
-                            idx,
-                            ResponseItem::CustomToolCallOutput {
-                                call_id: call_id.clone(),
-                                output: "aborted".to_string(),
-                            },
-                        ));
-                    }
-                }
-                // LocalShellCall is represented in upstream streams by a FunctionCallOutput
-                ResponseItem::LocalShellCall { call_id, .. } => {
-                    if let Some(call_id) = call_id.as_ref() {
-                        let has_output = self.items.iter().any(|i| match i {
-                            ResponseItem::FunctionCallOutput {
-                                call_id: existing, ..
-                            } => existing == call_id,
-                            _ => false,
-                        });
-
-                        if !has_output {
-                            error_or_panic(format!(
-                                "Local shell call output is missing for call id: {call_id}"
-                            ));
-                            missing_outputs_to_insert.push((
-                                idx,
-                                ResponseItem::FunctionCallOutput {
-                                    call_id: call_id.clone(),
-                                    output: FunctionCallOutputPayload {
-                                        content: "aborted".to_string(),
-                                        success: None,
-                                    },
-                                },
-                            ));
-                        }
-                    }
-                }
-                ResponseItem::Reasoning { .. }
-                | ResponseItem::WebSearchCall { .. }
-                | ResponseItem::FunctionCallOutput { .. }
-                | ResponseItem::CustomToolCallOutput { .. }
-                | ResponseItem::Other
-                | ResponseItem::Message { .. } => {
-                    // nothing to do for these variants
-                }
-            }
-        }
-
-        if !missing_outputs_to_insert.is_empty() {
-            // Insert from the end to avoid shifting subsequent indices.
-            missing_outputs_to_insert.sort_by_key(|(i, _)| *i);
-            for (idx, item) in missing_outputs_to_insert.into_iter().rev() {
-                let insert_pos = idx + 1; // place immediately after the call
-                if insert_pos <= self.items.len() {
-                    self.items.insert(insert_pos, item);
-                } else {
-                    self.items.push(item);
-                }
-            }
-        }
-    }
-
-    fn remove_orphan_outputs(&mut self) {
-        // Work on a snapshot to avoid borrowing `self.items` while mutating it.
-        let snapshot = self.items.clone();
-        let mut orphan_output_call_ids: std::collections::HashSet<String> =
-            std::collections::HashSet::new();
-
-        for item in &snapshot {
-            match item {
-                ResponseItem::FunctionCallOutput { call_id, .. } => {
-                    let has_call = snapshot.iter().any(|i| match i {
-                        ResponseItem::FunctionCall {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        ResponseItem::LocalShellCall {
-                            call_id: Some(existing),
-                            ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_call {
-                        error_or_panic(format!("Function call is missing for call id: {call_id}"));
-                        orphan_output_call_ids.insert(call_id.clone());
-                    }
-                }
-                ResponseItem::CustomToolCallOutput { call_id, .. } => {
-                    let has_call = snapshot.iter().any(|i| match i {
-                        ResponseItem::CustomToolCall {
-                            call_id: existing, ..
-                        } => existing == call_id,
-                        _ => false,
-                    });
-
-                    if !has_call {
-                        error_or_panic(format!(
-                            "Custom tool call is missing for call id: {call_id}"
-                        ));
-                        orphan_output_call_ids.insert(call_id.clone());
-                    }
-                }
-                ResponseItem::FunctionCall { .. }
-                | ResponseItem::CustomToolCall { .. }
-                | ResponseItem::LocalShellCall { .. }
-                | ResponseItem::Reasoning { .. }
-                | ResponseItem::WebSearchCall { .. }
-                | ResponseItem::Other
-                | ResponseItem::Message { .. } => {
-                    // nothing to do for these variants
-                }
-            }
-        }
-
-        if !orphan_output_call_ids.is_empty() {
-            let ids = orphan_output_call_ids;
-            self.items.retain(|i| match i {
-                ResponseItem::FunctionCallOutput { call_id, .. }
-                | ResponseItem::CustomToolCallOutput { call_id, .. } => !ids.contains(call_id),
-                _ => true,
-            });
-        }
-    }
-
    pub(crate) fn replace(&mut self, items: Vec<ResponseItem>) {
        self.items = items;
    }
-
-    /// Removes the corresponding paired item for the provided `item`, if any.
-    ///
-    /// Pairs:
-    /// - FunctionCall <-> FunctionCallOutput
-    /// - CustomToolCall <-> CustomToolCallOutput
-    /// - LocalShellCall(call_id: Some) <-> FunctionCallOutput
-    fn remove_corresponding_for(&mut self, item: &ResponseItem) {
-        match item {
-            ResponseItem::FunctionCall { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::FunctionCallOutput {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::CustomToolCall { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::CustomToolCallOutput {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::LocalShellCall {
-                call_id: Some(call_id),
-                ..
-            } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::FunctionCallOutput {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::FunctionCallOutput { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::FunctionCall {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    ResponseItem::LocalShellCall {
-                        call_id: Some(existing),
-                        ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            ResponseItem::CustomToolCallOutput { call_id, .. } => {
-                self.remove_first_matching(|i| match i {
-                    ResponseItem::CustomToolCall {
-                        call_id: existing, ..
-                    } => existing == call_id,
-                    _ => false,
-                });
-            }
-            _ => {}
-        }
-    }
-
-    /// Remove the first item matching the predicate.
-    fn remove_first_matching<F>(&mut self, predicate: F)
-    where
-        F: FnMut(&ResponseItem) -> bool,
-    {
-        if let Some(pos) = self.items.iter().position(predicate) {
-            self.items.remove(pos);
-        }
-    }
-
-    pub(crate) fn update_token_info(
-        &mut self,
-        usage: &TokenUsage,
-        model_context_window: Option<i64>,
-    ) {
-        self.token_info = TokenUsageInfo::new_or_append(
-            &self.token_info,
-            &Some(usage.clone()),
-            model_context_window,
-        );
-    }
-}
-
-#[inline]
-fn error_or_panic(message: String) {
-    if cfg!(debug_assertions) || env!("CARGO_PKG_VERSION").contains("alpha") {
-        panic!("{message}");
-    } else {
-        error!("{message}");
-    }
 }

 /// Anything that is not a system message or "reasoning" message is considered
@@ -363,11 +57,6 @@ fn is_api_message(message: &ResponseItem) -> bool {
 mod tests {
    use super::*;
    use codex_protocol::models::ContentItem;
-    use codex_protocol::models::FunctionCallOutputPayload;
-    use codex_protocol::models::LocalShellAction;
-    use codex_protocol::models::LocalShellExecAction;
-    use codex_protocol::models::LocalShellStatus;
-    use pretty_assertions::assert_eq;

    fn assistant_msg(text: &str) -> ResponseItem {
        ResponseItem::Message {
@@ -379,12 +68,6 @@ mod tests {
        }
    }

-    fn create_history_with_items(items: Vec<ResponseItem>) -> ConversationHistory {
-        let mut h = ConversationHistory::new();
-        h.record_items(items.iter());
-        h
-    }
-
    fn user_msg(text: &str) -> ResponseItem {
        ResponseItem::Message {
            id: None,
@@ -434,452 +117,4 @@ mod tests {
            ]
        );
    }
-
-    #[test]
-    fn remove_first_item_removes_matching_output_for_function_call() {
-        let items = vec![
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "do_it".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "call-1".to_string(),
-            },
-            ResponseItem::FunctionCallOutput {
-                call_id: "call-1".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[test]
-    fn remove_first_item_removes_matching_call_for_output() {
-        let items = vec![
-            ResponseItem::FunctionCallOutput {
-                call_id: "call-2".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "do_it".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "call-2".to_string(),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[test]
-    fn remove_first_item_handles_local_shell_pair() {
-        let items = vec![
-            ResponseItem::LocalShellCall {
-                id: None,
-                call_id: Some("call-3".to_string()),
-                status: LocalShellStatus::Completed,
-                action: LocalShellAction::Exec(LocalShellExecAction {
-                    command: vec!["echo".to_string(), "hi".to_string()],
-                    timeout_ms: None,
-                    working_directory: None,
-                    env: None,
-                    user: None,
-                }),
-            },
-            ResponseItem::FunctionCallOutput {
-                call_id: "call-3".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[test]
-    fn remove_first_item_handles_custom_tool_pair() {
-        let items = vec![
-            ResponseItem::CustomToolCall {
-                id: None,
-                status: None,
-                call_id: "tool-1".to_string(),
-                name: "my_tool".to_string(),
-                input: "{}".to_string(),
-            },
-            ResponseItem::CustomToolCallOutput {
-                call_id: "tool-1".to_string(),
-                output: "ok".to_string(),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.remove_first_item();
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    //TODO(aibrahim): run CI in release mode.
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_adds_missing_output_for_function_call() {
-        let items = vec![ResponseItem::FunctionCall {
-            id: None,
-            name: "do_it".to_string(),
-            arguments: "{}".to_string(),
-            call_id: "call-x".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::FunctionCall {
-                    id: None,
-                    name: "do_it".to_string(),
-                    arguments: "{}".to_string(),
-                    call_id: "call-x".to_string(),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "call-x".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-            ]
-        );
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_adds_missing_output_for_custom_tool_call() {
-        let items = vec![ResponseItem::CustomToolCall {
-            id: None,
-            status: None,
-            call_id: "tool-x".to_string(),
-            name: "custom".to_string(),
-            input: "{}".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::CustomToolCall {
-                    id: None,
-                    status: None,
-                    call_id: "tool-x".to_string(),
-                    name: "custom".to_string(),
-                    input: "{}".to_string(),
-                },
-                ResponseItem::CustomToolCallOutput {
-                    call_id: "tool-x".to_string(),
-                    output: "aborted".to_string(),
-                },
-            ]
-        );
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_adds_missing_output_for_local_shell_call_with_id() {
-        let items = vec![ResponseItem::LocalShellCall {
-            id: None,
-            call_id: Some("shell-1".to_string()),
-            status: LocalShellStatus::Completed,
-            action: LocalShellAction::Exec(LocalShellExecAction {
-                command: vec!["echo".to_string(), "hi".to_string()],
-                timeout_ms: None,
-                working_directory: None,
-                env: None,
-                user: None,
-            }),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::LocalShellCall {
-                    id: None,
-                    call_id: Some("shell-1".to_string()),
-                    status: LocalShellStatus::Completed,
-                    action: LocalShellAction::Exec(LocalShellExecAction {
-                        command: vec!["echo".to_string(), "hi".to_string()],
-                        timeout_ms: None,
-                        working_directory: None,
-                        env: None,
-                        user: None,
-                    }),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "shell-1".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-            ]
-        );
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_removes_orphan_function_call_output() {
-        let items = vec![ResponseItem::FunctionCallOutput {
-            call_id: "orphan-1".to_string(),
-            output: FunctionCallOutputPayload {
-                content: "ok".to_string(),
-                success: None,
-            },
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_removes_orphan_custom_tool_call_output() {
-        let items = vec![ResponseItem::CustomToolCallOutput {
-            call_id: "orphan-2".to_string(),
-            output: "ok".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(h.contents(), vec![]);
-    }
-
-    #[cfg(not(debug_assertions))]
-    #[test]
-    fn normalize_mixed_inserts_and_removals() {
-        let items = vec![
-            // Will get an inserted output
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "f1".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "c1".to_string(),
-            },
-            // Orphan output that should be removed
-            ResponseItem::FunctionCallOutput {
-                call_id: "c2".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-            // Will get an inserted custom tool output
-            ResponseItem::CustomToolCall {
-                id: None,
-                status: None,
-                call_id: "t1".to_string(),
-                name: "tool".to_string(),
-                input: "{}".to_string(),
-            },
-            // Local shell call also gets an inserted function call output
-            ResponseItem::LocalShellCall {
-                id: None,
-                call_id: Some("s1".to_string()),
-                status: LocalShellStatus::Completed,
-                action: LocalShellAction::Exec(LocalShellExecAction {
-                    command: vec!["echo".to_string()],
-                    timeout_ms: None,
-                    working_directory: None,
-                    env: None,
-                    user: None,
-                }),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-
-        h.normalize_history();
-
-        assert_eq!(
-            h.contents(),
-            vec![
-                ResponseItem::FunctionCall {
-                    id: None,
-                    name: "f1".to_string(),
-                    arguments: "{}".to_string(),
-                    call_id: "c1".to_string(),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "c1".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-                ResponseItem::CustomToolCall {
-                    id: None,
-                    status: None,
-                    call_id: "t1".to_string(),
-                    name: "tool".to_string(),
-                    input: "{}".to_string(),
-                },
-                ResponseItem::CustomToolCallOutput {
-                    call_id: "t1".to_string(),
-                    output: "aborted".to_string(),
-                },
-                ResponseItem::LocalShellCall {
-                    id: None,
-                    call_id: Some("s1".to_string()),
-                    status: LocalShellStatus::Completed,
-                    action: LocalShellAction::Exec(LocalShellExecAction {
-                        command: vec!["echo".to_string()],
-                        timeout_ms: None,
-                        working_directory: None,
-                        env: None,
-                        user: None,
-                    }),
-                },
-                ResponseItem::FunctionCallOutput {
-                    call_id: "s1".to_string(),
-                    output: FunctionCallOutputPayload {
-                        content: "aborted".to_string(),
-                        success: None,
-                    },
-                },
-            ]
-        );
-    }
-
-    // In debug builds we panic on normalization errors instead of silently fixing them.
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_adds_missing_output_for_function_call_panics_in_debug() {
-        let items = vec![ResponseItem::FunctionCall {
-            id: None,
-            name: "do_it".to_string(),
-            arguments: "{}".to_string(),
-            call_id: "call-x".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_adds_missing_output_for_custom_tool_call_panics_in_debug() {
-        let items = vec![ResponseItem::CustomToolCall {
-            id: None,
-            status: None,
-            call_id: "tool-x".to_string(),
-            name: "custom".to_string(),
-            input: "{}".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_adds_missing_output_for_local_shell_call_with_id_panics_in_debug() {
-        let items = vec![ResponseItem::LocalShellCall {
-            id: None,
-            call_id: Some("shell-1".to_string()),
-            status: LocalShellStatus::Completed,
-            action: LocalShellAction::Exec(LocalShellExecAction {
-                command: vec!["echo".to_string(), "hi".to_string()],
-                timeout_ms: None,
-                working_directory: None,
-                env: None,
-                user: None,
-            }),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_removes_orphan_function_call_output_panics_in_debug() {
-        let items = vec![ResponseItem::FunctionCallOutput {
-            call_id: "orphan-1".to_string(),
-            output: FunctionCallOutputPayload {
-                content: "ok".to_string(),
-                success: None,
-            },
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_removes_orphan_custom_tool_call_output_panics_in_debug() {
-        let items = vec![ResponseItem::CustomToolCallOutput {
-            call_id: "orphan-2".to_string(),
-            output: "ok".to_string(),
-        }];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
-
-    #[cfg(debug_assertions)]
-    #[test]
-    #[should_panic]
-    fn normalize_mixed_inserts_and_removals_panics_in_debug() {
-        let items = vec![
-            ResponseItem::FunctionCall {
-                id: None,
-                name: "f1".to_string(),
-                arguments: "{}".to_string(),
-                call_id: "c1".to_string(),
-            },
-            ResponseItem::FunctionCallOutput {
-                call_id: "c2".to_string(),
-                output: FunctionCallOutputPayload {
-                    content: "ok".to_string(),
-                    success: None,
-                },
-            },
-            ResponseItem::CustomToolCall {
-                id: None,
-                status: None,
-                call_id: "t1".to_string(),
-                name: "tool".to_string(),
-                input: "{}".to_string(),
-            },
-            ResponseItem::LocalShellCall {
-                id: None,
-                call_id: Some("s1".to_string()),
-                status: LocalShellStatus::Completed,
-                action: LocalShellAction::Exec(LocalShellExecAction {
-                    command: vec!["echo".to_string()],
-                    timeout_ms: None,
-                    working_directory: None,
-                    env: None,
-                    user: None,
-                }),
-            },
-        ];
-        let mut h = create_history_with_items(items);
-        h.normalize_history();
-    }
 }
--- a/codex-rs/core/src/conversation_manager.rs
+++ b/codex-rs/core/src/conversation_manager.rs
@@ -3,6 +3,8 @@ use crate::CodexAuth;
 use crate::codex::Codex;
 use crate::codex::CodexSpawnOk;
 use crate::codex::INITIAL_SUBMIT_ID;
+use crate::codex::compact::content_items_to_text;
+use crate::codex::compact::is_session_prefix_message;
 use crate::codex_conversation::CodexConversation;
 use crate::config::Config;
 use crate::error::CodexErr;
@@ -12,7 +14,6 @@ use crate::protocol::EventMsg;
 use crate::protocol::SessionConfiguredEvent;
 use crate::rollout::RolloutRecorder;
 use codex_protocol::ConversationId;
-use codex_protocol::items::TurnItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::protocol::RolloutItem;
@@ -181,11 +182,9 @@ fn truncate_before_nth_user_message(history: InitialHistory, n: usize) -> Initia
    // Find indices of user message inputs in rollout order.
    let mut user_positions: Vec<usize> = Vec::new();
    for (idx, item) in items.iter().enumerate() {
-        if let RolloutItem::ResponseItem(item @ ResponseItem::Message { .. }) = item
-            && matches!(
-                crate::event_mapping::parse_turn_item(item),
-                Some(TurnItem::UserMessage(_))
-            )
+        if let RolloutItem::ResponseItem(ResponseItem::Message { role, content, .. }) = item
+            && role == "user"
+            && content_items_to_text(content).is_some_and(|text| !is_session_prefix_message(&text))
        {
            user_positions.push(idx);
        }
--- a/codex-rs/core/src/default_client.rs
+++ b/codex-rs/core/src/default_client.rs
@@ -1,13 +1,5 @@
 use crate::spawn::CODEX_SANDBOX_ENV_VAR;
-use http::Error as HttpError;
-use reqwest::IntoUrl;
-use reqwest::Method;
-use reqwest::Response;
-use reqwest::header::HeaderName;
 use reqwest::header::HeaderValue;
-use serde::Serialize;
-use std::collections::HashMap;
-use std::fmt::Display;
 use std::sync::LazyLock;
 use std::sync::Mutex;
 use std::sync::OnceLock;
@@ -30,130 +22,6 @@ use std::sync::OnceLock;
 pub static USER_AGENT_SUFFIX: LazyLock<Mutex<Option<String>>> = LazyLock::new(|| Mutex::new(None));
 pub const DEFAULT_ORIGINATOR: &str = "codex_cli_rs";
 pub const CODEX_INTERNAL_ORIGINATOR_OVERRIDE_ENV_VAR: &str = "CODEX_INTERNAL_ORIGINATOR_OVERRIDE";
-
-#[derive(Clone, Debug)]
-pub struct CodexHttpClient {
-    inner: reqwest::Client,
-}
-
-impl CodexHttpClient {
-    fn new(inner: reqwest::Client) -> Self {
-        Self { inner }
-    }
-
-    pub fn get<U>(&self, url: U) -> CodexRequestBuilder
-    where
-        U: IntoUrl,
-    {
-        self.request(Method::GET, url)
-    }
-
-    pub fn post<U>(&self, url: U) -> CodexRequestBuilder
-    where
-        U: IntoUrl,
-    {
-        self.request(Method::POST, url)
-    }
-
-    pub fn request<U>(&self, method: Method, url: U) -> CodexRequestBuilder
-    where
-        U: IntoUrl,
-    {
-        let url_str = url.as_str().to_string();
-        CodexRequestBuilder::new(self.inner.request(method.clone(), url), method, url_str)
-    }
-}
-
-#[must_use = "requests are not sent unless `send` is awaited"]
-#[derive(Debug)]
-pub struct CodexRequestBuilder {
-    builder: reqwest::RequestBuilder,
-    method: Method,
-    url: String,
-}
-
-impl CodexRequestBuilder {
-    fn new(builder: reqwest::RequestBuilder, method: Method, url: String) -> Self {
-        Self {
-            builder,
-            method,
-            url,
-        }
-    }
-
-    fn map(self, f: impl FnOnce(reqwest::RequestBuilder) -> reqwest::RequestBuilder) -> Self {
-        Self {
-            builder: f(self.builder),
-            method: self.method,
-            url: self.url,
-        }
-    }
-
-    pub fn header<K, V>(self, key: K, value: V) -> Self
-    where
-        HeaderName: TryFrom<K>,
-        <HeaderName as TryFrom<K>>::Error: Into<HttpError>,
-        HeaderValue: TryFrom<V>,
-        <HeaderValue as TryFrom<V>>::Error: Into<HttpError>,
-    {
-        self.map(|builder| builder.header(key, value))
-    }
-
-    pub fn bearer_auth<T>(self, token: T) -> Self
-    where
-        T: Display,
-    {
-        self.map(|builder| builder.bearer_auth(token))
-    }
-
-    pub fn json<T>(self, value: &T) -> Self
-    where
-        T: ?Sized + Serialize,
-    {
-        self.map(|builder| builder.json(value))
-    }
-
-    pub async fn send(self) -> Result<Response, reqwest::Error> {
-        match self.builder.send().await {
-            Ok(response) => {
-                let request_ids = Self::extract_request_ids(&response);
-                tracing::debug!(
-                    method = %self.method,
-                    url = %self.url,
-                    status = %response.status(),
-                    request_ids = ?request_ids,
-                    version = ?response.version(),
-                    "Request completed"
-                );
-
-                Ok(response)
-            }
-            Err(error) => {
-                let status = error.status();
-                tracing::debug!(
-                    method = %self.method,
-                    url = %self.url,
-                    status = status.map(|s| s.as_u16()),
-                    error = %error,
-                    "Request failed"
-                );
-                Err(error)
-            }
-        }
-    }
-
-    fn extract_request_ids(response: &Response) -> HashMap<String, String> {
-        ["cf-ray", "x-request-id", "x-oai-request-id"]
-            .iter()
-            .filter_map(|&name| {
-                let header_name = HeaderName::from_static(name);
-                let value = response.headers().get(header_name)?;
-                let value = value.to_str().ok()?.to_owned();
-                Some((name.to_owned(), value))
-            })
-            .collect()
-    }
-}
 #[derive(Debug, Clone)]
 pub struct Originator {
    pub value: String,
@@ -256,8 +124,8 @@ fn sanitize_user_agent(candidate: String, fallback: &str) -> String {
    }
 }

-/// Create an HTTP client with default `originator` and `User-Agent` headers set.
-pub fn create_client() -> CodexHttpClient {
+/// Create a reqwest client with default `originator` and `User-Agent` headers set.
+pub fn create_client() -> reqwest::Client {
    use reqwest::header::HeaderMap;

    let mut headers = HeaderMap::new();
@@ -272,8 +140,7 @@ pub fn create_client() -> CodexHttpClient {
        builder = builder.no_proxy();
    }

-    let inner = builder.build().unwrap_or_else(|_| reqwest::Client::new());
-    CodexHttpClient::new(inner)
+    builder.build().unwrap_or_else(|_| reqwest::Client::new())
 }

 fn is_sandboxed() -> bool {
--- a/codex-rs/core/src/error.rs
+++ b/codex-rs/core/src/error.rs
@@ -1,4 +1,3 @@
-use crate::codex::ProcessedResponseItem;
 use crate::exec::ExecToolCallOutput;
 use crate::token_data::KnownPlan;
 use crate::token_data::PlanType;
@@ -54,11 +53,8 @@ pub enum SandboxErr {

 #[derive(Error, Debug)]
 pub enum CodexErr {
-    // todo(aibrahim): git rid of this error carrying the dangling artifacts
-    #[error("turn aborted. Something went wrong? Hit `/feedback` to report the issue.")]
-    TurnAborted {
-        dangling_artifacts: Vec<ProcessedResponseItem>,
-    },
+    #[error("turn aborted")]
+    TurnAborted,

    /// Returned by ResponsesClient when the SSE stream disconnects or errors out **after** the HTTP
    /// handshake has succeeded but **before** it finished emitting `response.completed`.
@@ -91,7 +87,7 @@ pub enum CodexErr {

    /// Returned by run_command_stream when the user pressed Ctrl‑C (SIGINT). Session uses this to
    /// surface a polite FunctionCallOutput back to the model instead of crashing the CLI.
-    #[error("interrupted (Ctrl-C). Something went wrong? Hit `/feedback` to report the issue.")]
+    #[error("interrupted (Ctrl-C)")]
    Interrupted,

    /// Unexpected HTTP status code.
@@ -162,9 +158,7 @@ pub enum CodexErr {

 impl From<CancelErr> for CodexErr {
    fn from(_: CancelErr) -> Self {
-        CodexErr::TurnAborted {
-            dangling_artifacts: Vec::new(),
-        }
+        CodexErr::TurnAborted
    }
 }

--- a/codex-rs/core/src/event_mapping.rs
+++ b/codex-rs/core/src/event_mapping.rs
@@ -1,131 +1,139 @@
-use codex_protocol::items::AgentMessageContent;
-use codex_protocol::items::AgentMessageItem;
-use codex_protocol::items::ReasoningItem;
-use codex_protocol::items::TurnItem;
-use codex_protocol::items::UserMessageItem;
-use codex_protocol::items::WebSearchItem;
+use crate::protocol::AgentMessageEvent;
+use crate::protocol::AgentReasoningEvent;
+use crate::protocol::AgentReasoningRawContentEvent;
+use crate::protocol::EventMsg;
+use crate::protocol::InputMessageKind;
+use crate::protocol::UserMessageEvent;
+use crate::protocol::WebSearchEndEvent;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ReasoningItemContent;
 use codex_protocol::models::ReasoningItemReasoningSummary;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::models::WebSearchAction;
-use codex_protocol::user_input::UserInput;
-use tracing::warn;

-fn is_session_prefix(text: &str) -> bool {
-    let trimmed = text.trim_start();
-    let lowered = trimmed.to_ascii_lowercase();
-    lowered.starts_with("<environment_context>") || lowered.starts_with("<user_instructions>")
-}
-
-fn parse_user_message(message: &[ContentItem]) -> Option<UserMessageItem> {
-    let mut content: Vec<UserInput> = Vec::new();
-
-    for content_item in message.iter() {
-        match content_item {
-            ContentItem::InputText { text } => {
-                if is_session_prefix(text) {
-                    return None;
-                }
-                content.push(UserInput::Text { text: text.clone() });
-            }
-            ContentItem::InputImage { image_url } => {
-                content.push(UserInput::Image {
-                    image_url: image_url.clone(),
-                });
-            }
-            ContentItem::OutputText { text } => {
-                if is_session_prefix(text) {
-                    return None;
-                }
-                warn!("Output text in user message: {}", text);
-            }
-        }
-    }
-
-    Some(UserMessageItem::new(&content))
-}
-
-fn parse_agent_message(message: &[ContentItem]) -> AgentMessageItem {
-    let mut content: Vec<AgentMessageContent> = Vec::new();
-    for content_item in message.iter() {
-        match content_item {
-            ContentItem::OutputText { text } => {
-                content.push(AgentMessageContent::Text { text: text.clone() });
-            }
-            _ => {
-                warn!(
-                    "Unexpected content item in agent message: {:?}",
-                    content_item
-                );
-            }
-        }
-    }
-    AgentMessageItem::new(&content)
-}
-
-pub fn parse_turn_item(item: &ResponseItem) -> Option<TurnItem> {
+/// Convert a `ResponseItem` into zero or more `EventMsg` values that the UI can render.
+///
+/// When `show_raw_agent_reasoning` is false, raw reasoning content events are omitted.
+pub(crate) fn map_response_item_to_event_messages(
+    item: &ResponseItem,
+    show_raw_agent_reasoning: bool,
+) -> Vec<EventMsg> {
    match item {
-        ResponseItem::Message { role, content, .. } => match role.as_str() {
-            "user" => parse_user_message(content).map(TurnItem::UserMessage),
-            "assistant" => Some(TurnItem::AgentMessage(parse_agent_message(content))),
-            "system" => None,
-            _ => None,
-        },
-        ResponseItem::Reasoning {
-            id,
-            summary,
-            content,
-            ..
-        } => {
-            let summary_text = summary
-                .iter()
-                .map(|entry| match entry {
-                    ReasoningItemReasoningSummary::SummaryText { text } => text.clone(),
-                })
-                .collect();
-            let raw_content = content
-                .clone()
-                .unwrap_or_default()
-                .into_iter()
-                .map(|entry| match entry {
-                    ReasoningItemContent::ReasoningText { text }
-                    | ReasoningItemContent::Text { text } => text,
-                })
-                .collect();
-            Some(TurnItem::Reasoning(ReasoningItem {
-                id: id.clone(),
-                summary_text,
-                raw_content,
-            }))
+        ResponseItem::Message { role, content, .. } => {
+            // Do not surface system messages as user events.
+            if role == "system" {
+                return Vec::new();
+            }
+
+            let mut events: Vec<EventMsg> = Vec::new();
+            let mut message_parts: Vec<String> = Vec::new();
+            let mut images: Vec<String> = Vec::new();
+            let mut kind: Option<InputMessageKind> = None;
+
+            for content_item in content.iter() {
+                match content_item {
+                    ContentItem::InputText { text } => {
+                        if kind.is_none() {
+                            let trimmed = text.trim_start();
+                            kind = if trimmed.starts_with("<environment_context>") {
+                                Some(InputMessageKind::EnvironmentContext)
+                            } else if trimmed.starts_with("<user_instructions>") {
+                                Some(InputMessageKind::UserInstructions)
+                            } else {
+                                Some(InputMessageKind::Plain)
+                            };
+                        }
+                        message_parts.push(text.clone());
+                    }
+                    ContentItem::InputImage { image_url } => {
+                        images.push(image_url.clone());
+                    }
+                    ContentItem::OutputText { text } => {
+                        events.push(EventMsg::AgentMessage(AgentMessageEvent {
+                            message: text.clone(),
+                        }));
+                    }
+                }
+            }
+
+            if !message_parts.is_empty() || !images.is_empty() {
+                let message = if message_parts.is_empty() {
+                    String::new()
+                } else {
+                    message_parts.join("")
+                };
+                let images = if images.is_empty() {
+                    None
+                } else {
+                    Some(images)
+                };
+
+                events.push(EventMsg::UserMessage(UserMessageEvent {
+                    message,
+                    kind,
+                    images,
+                }));
+            }
+
+            events
        }
-        ResponseItem::WebSearchCall {
-            id,
-            action: WebSearchAction::Search { query },
-            ..
-        } => Some(TurnItem::WebSearch(WebSearchItem {
-            id: id.clone().unwrap_or_default(),
-            query: query.clone(),
-        })),
-        _ => None,
+
+        ResponseItem::Reasoning {
+            summary, content, ..
+        } => {
+            let mut events = Vec::new();
+            for ReasoningItemReasoningSummary::SummaryText { text } in summary {
+                events.push(EventMsg::AgentReasoning(AgentReasoningEvent {
+                    text: text.clone(),
+                }));
+            }
+            if let Some(items) = content.as_ref().filter(|_| show_raw_agent_reasoning) {
+                for c in items {
+                    let text = match c {
+                        ReasoningItemContent::ReasoningText { text }
+                        | ReasoningItemContent::Text { text } => text,
+                    };
+                    events.push(EventMsg::AgentReasoningRawContent(
+                        AgentReasoningRawContentEvent { text: text.clone() },
+                    ));
+                }
+            }
+            events
+        }
+
+        ResponseItem::WebSearchCall { id, action, .. } => match action {
+            WebSearchAction::Search { query } => {
+                let call_id = id.clone().unwrap_or_else(|| "".to_string());
+                vec![EventMsg::WebSearchEnd(WebSearchEndEvent {
+                    call_id,
+                    query: query.clone(),
+                })]
+            }
+            WebSearchAction::Other => Vec::new(),
+        },
+
+        // Variants that require side effects are handled by higher layers and do not emit events here.
+        ResponseItem::FunctionCall { .. }
+        | ResponseItem::FunctionCallOutput { .. }
+        | ResponseItem::LocalShellCall { .. }
+        | ResponseItem::CustomToolCall { .. }
+        | ResponseItem::CustomToolCallOutput { .. }
+        | ResponseItem::Other => Vec::new(),
    }
 }

 #[cfg(test)]
 mod tests {
-    use super::parse_turn_item;
-    use codex_protocol::items::AgentMessageContent;
-    use codex_protocol::items::TurnItem;
+    use super::map_response_item_to_event_messages;
+    use crate::protocol::EventMsg;
+    use crate::protocol::InputMessageKind;
+    use assert_matches::assert_matches;
    use codex_protocol::models::ContentItem;
-    use codex_protocol::models::ReasoningItemContent;
-    use codex_protocol::models::ReasoningItemReasoningSummary;
    use codex_protocol::models::ResponseItem;
-    use codex_protocol::models::WebSearchAction;
-    use codex_protocol::user_input::UserInput;
    use pretty_assertions::assert_eq;

    #[test]
-    fn parses_user_message_with_text_and_two_images() {
+    fn maps_user_message_with_text_and_two_images() {
        let img1 = "https://example.com/one.png".to_string();
        let img2 = "https://example.com/two.jpg".to_string();

@@ -145,128 +153,16 @@ mod tests {
            ],
        };

-        let turn_item = parse_turn_item(&item).expect("expected user message turn item");
+        let events = map_response_item_to_event_messages(&item, false);
+        assert_eq!(events.len(), 1, "expected a single user message event");

-        match turn_item {
-            TurnItem::UserMessage(user) => {
-                let expected_content = vec![
-                    UserInput::Text {
-                        text: "Hello world".to_string(),
-                    },
-                    UserInput::Image { image_url: img1 },
-                    UserInput::Image { image_url: img2 },
-                ];
-                assert_eq!(user.content, expected_content);
+        match &events[0] {
+            EventMsg::UserMessage(user) => {
+                assert_eq!(user.message, "Hello world");
+                assert_matches!(user.kind, Some(InputMessageKind::Plain));
+                assert_eq!(user.images, Some(vec![img1, img2]));
            }
-            other => panic!("expected TurnItem::UserMessage, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_agent_message() {
-        let item = ResponseItem::Message {
-            id: Some("msg-1".to_string()),
-            role: "assistant".to_string(),
-            content: vec![ContentItem::OutputText {
-                text: "Hello from Codex".to_string(),
-            }],
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected agent message turn item");
-
-        match turn_item {
-            TurnItem::AgentMessage(message) => {
-                let Some(AgentMessageContent::Text { text }) = message.content.first() else {
-                    panic!("expected agent message text content");
-                };
-                assert_eq!(text, "Hello from Codex");
-            }
-            other => panic!("expected TurnItem::AgentMessage, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_reasoning_summary_and_raw_content() {
-        let item = ResponseItem::Reasoning {
-            id: "reasoning_1".to_string(),
-            summary: vec![
-                ReasoningItemReasoningSummary::SummaryText {
-                    text: "Step 1".to_string(),
-                },
-                ReasoningItemReasoningSummary::SummaryText {
-                    text: "Step 2".to_string(),
-                },
-            ],
-            content: Some(vec![ReasoningItemContent::ReasoningText {
-                text: "raw details".to_string(),
-            }]),
-            encrypted_content: None,
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected reasoning turn item");
-
-        match turn_item {
-            TurnItem::Reasoning(reasoning) => {
-                assert_eq!(
-                    reasoning.summary_text,
-                    vec!["Step 1".to_string(), "Step 2".to_string()]
-                );
-                assert_eq!(reasoning.raw_content, vec!["raw details".to_string()]);
-            }
-            other => panic!("expected TurnItem::Reasoning, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_reasoning_including_raw_content() {
-        let item = ResponseItem::Reasoning {
-            id: "reasoning_2".to_string(),
-            summary: vec![ReasoningItemReasoningSummary::SummaryText {
-                text: "Summarized step".to_string(),
-            }],
-            content: Some(vec![
-                ReasoningItemContent::ReasoningText {
-                    text: "raw step".to_string(),
-                },
-                ReasoningItemContent::Text {
-                    text: "final thought".to_string(),
-                },
-            ]),
-            encrypted_content: None,
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected reasoning turn item");
-
-        match turn_item {
-            TurnItem::Reasoning(reasoning) => {
-                assert_eq!(reasoning.summary_text, vec!["Summarized step".to_string()]);
-                assert_eq!(
-                    reasoning.raw_content,
-                    vec!["raw step".to_string(), "final thought".to_string()]
-                );
-            }
-            other => panic!("expected TurnItem::Reasoning, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn parses_web_search_call() {
-        let item = ResponseItem::WebSearchCall {
-            id: Some("ws_1".to_string()),
-            status: Some("completed".to_string()),
-            action: WebSearchAction::Search {
-                query: "weather".to_string(),
-            },
-        };
-
-        let turn_item = parse_turn_item(&item).expect("expected web search turn item");
-
-        match turn_item {
-            TurnItem::WebSearch(search) => {
-                assert_eq!(search.id, "ws_1");
-                assert_eq!(search.query, "weather");
-            }
-            other => panic!("expected TurnItem::WebSearch, got {other:?}"),
+            other => panic!("expected UserMessage, got {other:?}"),
        }
    }
 }
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -31,16 +31,18 @@ pub enum Feature {
    UnifiedExec,
    /// Use the streamable exec-command/write-stdin tool pair.
    StreamableShell,
-    /// Enable experimental RMCP features such as OAuth login.
+    /// Use the official Rust MCP client (rmcp).
    RmcpClient,
+    /// Include the plan tool.
+    PlanTool,
    /// Include the freeform apply_patch tool.
    ApplyPatchFreeform,
    /// Include the view_image tool.
    ViewImageTool,
    /// Allow the model to request web searches.
    WebSearchRequest,
-    /// Enable the model-based risk assessments for sandboxed commands.
-    SandboxCommandAssessment,
+    /// Automatically approve all approval requests from the harness.
+    ApproveAll,
 }

 impl Feature {
@@ -72,15 +74,16 @@ pub struct Features {

 #[derive(Debug, Clone, Default)]
 pub struct FeatureOverrides {
+    pub include_plan_tool: Option<bool>,
    pub include_apply_patch_tool: Option<bool>,
    pub include_view_image_tool: Option<bool>,
    pub web_search_request: Option<bool>,
-    pub experimental_sandbox_command_assessment: Option<bool>,
 }

 impl FeatureOverrides {
    fn apply(self, features: &mut Features) {
        LegacyFeatureToggles {
+            include_plan_tool: self.include_plan_tool,
            include_apply_patch_tool: self.include_apply_patch_tool,
            include_view_image_tool: self.include_view_image_tool,
            tools_web_search: self.web_search_request,
@@ -140,7 +143,6 @@ impl Features {
        let mut features = Features::with_defaults();

        let base_legacy = LegacyFeatureToggles {
-            experimental_sandbox_command_assessment: cfg.experimental_sandbox_command_assessment,
            experimental_use_freeform_apply_patch: cfg.experimental_use_freeform_apply_patch,
            experimental_use_exec_command_tool: cfg.experimental_use_exec_command_tool,
            experimental_use_unified_exec_tool: cfg.experimental_use_unified_exec_tool,
@@ -156,10 +158,9 @@ impl Features {
        }

        let profile_legacy = LegacyFeatureToggles {
+            include_plan_tool: config_profile.include_plan_tool,
            include_apply_patch_tool: config_profile.include_apply_patch_tool,
            include_view_image_tool: config_profile.include_view_image_tool,
-            experimental_sandbox_command_assessment: config_profile
-                .experimental_sandbox_command_assessment,
            experimental_use_freeform_apply_patch: config_profile
                .experimental_use_freeform_apply_patch,
            experimental_use_exec_command_tool: config_profile.experimental_use_exec_command_tool,
@@ -224,6 +225,12 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Experimental,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::PlanTool,
+        key: "plan_tool",
+        stage: Stage::Stable,
+        default_enabled: false,
+    },
    FeatureSpec {
        id: Feature::ApplyPatchFreeform,
        key: "apply_patch_freeform",
@@ -243,8 +250,8 @@ pub const FEATURES: &[FeatureSpec] = &[
        default_enabled: false,
    },
    FeatureSpec {
-        id: Feature::SandboxCommandAssessment,
-        key: "experimental_sandbox_command_assessment",
+        id: Feature::ApproveAll,
+        key: "approve_all",
        stage: Stage::Experimental,
        default_enabled: false,
    },
--- a/codex-rs/core/src/features/legacy.rs
+++ b/codex-rs/core/src/features/legacy.rs
@@ -9,10 +9,6 @@ struct Alias {
 }

 const ALIASES: &[Alias] = &[
-    Alias {
-        legacy_key: "experimental_sandbox_command_assessment",
-        feature: Feature::SandboxCommandAssessment,
-    },
    Alias {
        legacy_key: "experimental_use_unified_exec_tool",
        feature: Feature::UnifiedExec,
@@ -33,6 +29,10 @@ const ALIASES: &[Alias] = &[
        legacy_key: "include_apply_patch_tool",
        feature: Feature::ApplyPatchFreeform,
    },
+    Alias {
+        legacy_key: "include_plan_tool",
+        feature: Feature::PlanTool,
+    },
    Alias {
        legacy_key: "include_view_image_tool",
        feature: Feature::ViewImageTool,
@@ -55,9 +55,9 @@ pub(crate) fn feature_for_key(key: &str) -> Option<Feature> {

 #[derive(Debug, Default)]
 pub struct LegacyFeatureToggles {
+    pub include_plan_tool: Option<bool>,
    pub include_apply_patch_tool: Option<bool>,
    pub include_view_image_tool: Option<bool>,
-    pub experimental_sandbox_command_assessment: Option<bool>,
    pub experimental_use_freeform_apply_patch: Option<bool>,
    pub experimental_use_exec_command_tool: Option<bool>,
    pub experimental_use_unified_exec_tool: Option<bool>,
@@ -70,15 +70,15 @@ impl LegacyFeatureToggles {
    pub fn apply(self, features: &mut Features) {
        set_if_some(
            features,
-            Feature::ApplyPatchFreeform,
-            self.include_apply_patch_tool,
-            "include_apply_patch_tool",
+            Feature::PlanTool,
+            self.include_plan_tool,
+            "include_plan_tool",
        );
        set_if_some(
            features,
-            Feature::SandboxCommandAssessment,
-            self.experimental_sandbox_command_assessment,
-            "experimental_sandbox_command_assessment",
+            Feature::ApplyPatchFreeform,
+            self.include_apply_patch_tool,
+            "include_apply_patch_tool",
        );
        set_if_some(
            features,
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -36,7 +36,6 @@ mod mcp_tool_call;
 mod message_history;
 mod model_provider_info;
 pub mod parse_command;
-mod response_processing;
 pub mod sandboxing;
 pub mod token_data;
 mod truncate;
@@ -99,10 +98,11 @@ pub use client_common::REVIEW_PROMPT;
 pub use client_common::ResponseEvent;
 pub use client_common::ResponseStream;
 pub use codex::compact::content_items_to_text;
+pub use codex::compact::is_session_prefix_message;
 pub use codex_protocol::models::ContentItem;
 pub use codex_protocol::models::LocalShellAction;
 pub use codex_protocol::models::LocalShellExecAction;
 pub use codex_protocol::models::LocalShellStatus;
+pub use codex_protocol::models::ReasoningItemContent;
 pub use codex_protocol::models::ResponseItem;
-pub use event_mapping::parse_turn_item;
 pub mod otel_init;
--- a/codex-rs/core/src/mcp/auth.rs
+++ b/codex-rs/core/src/mcp/auth.rs
@@ -10,16 +10,10 @@ use tracing::warn;
 use crate::config_types::McpServerConfig;
 use crate::config_types::McpServerTransportConfig;

-#[derive(Debug, Clone)]
-pub struct McpAuthStatusEntry {
-    pub config: McpServerConfig,
-    pub auth_status: McpAuthStatus,
-}
-
 pub async fn compute_auth_statuses<'a, I>(
    servers: I,
    store_mode: OAuthCredentialsStoreMode,
-) -> HashMap<String, McpAuthStatusEntry>
+) -> HashMap<String, McpAuthStatus>
 where
    I: IntoIterator<Item = (&'a String, &'a McpServerConfig)>,
 {
@@ -27,18 +21,14 @@ where
        let name = name.clone();
        let config = config.clone();
        async move {
-            let auth_status = match compute_auth_status(&name, &config, store_mode).await {
+            let status = match compute_auth_status(&name, &config, store_mode).await {
                Ok(status) => status,
                Err(error) => {
                    warn!("failed to determine auth status for MCP server `{name}`: {error:?}");
                    McpAuthStatus::Unsupported
                }
            };
-            let entry = McpAuthStatusEntry {
-                config,
-                auth_status,
-            };
-            (name, entry)
+            (name, status)
        }
    });

--- a/codex-rs/core/src/mcp_connection_manager.rs
+++ b/codex-rs/core/src/mcp_connection_manager.rs
@@ -1,6 +1,6 @@
 //! Connection manager for Model Context Protocol (MCP) servers.
 //!
-//! The [`McpConnectionManager`] owns one [`codex_rmcp_client::RmcpClient`] per
+//! The [`McpConnectionManager`] owns one [`codex_mcp_client::McpClient`] per
 //! configured server (keyed by the *server name*). It offers convenience
 //! helpers to query the available tools across *all* servers and returns them
 //! in a single aggregated map using the fully-qualified tool name
@@ -10,12 +10,14 @@ use std::collections::HashMap;
 use std::collections::HashSet;
 use std::env;
 use std::ffi::OsString;
+use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;

 use anyhow::Context;
 use anyhow::Result;
 use anyhow::anyhow;
+use codex_mcp_client::McpClient;
 use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_rmcp_client::RmcpClient;
 use mcp_types::ClientCapabilities;
@@ -49,7 +51,7 @@ const MCP_TOOL_NAME_DELIMITER: &str = "__";
 const MAX_TOOL_NAME_LENGTH: usize = 64;

 /// Default timeout for initializing MCP server & initially listing tools.
-pub const DEFAULT_STARTUP_TIMEOUT: Duration = Duration::from_secs(10);
+const DEFAULT_STARTUP_TIMEOUT: Duration = Duration::from_secs(10);

 /// Default timeout for individual tool calls.
 const DEFAULT_TOOL_TIMEOUT: Duration = Duration::from_secs(60);
@@ -97,12 +99,134 @@ struct ToolInfo {
 }

 struct ManagedClient {
-    client: Arc<RmcpClient>,
+    client: McpClientAdapter,
    startup_timeout: Duration,
    tool_timeout: Option<Duration>,
 }

-/// A thin wrapper around a set of running [`RmcpClient`] instances.
+#[derive(Clone)]
+enum McpClientAdapter {
+    Legacy(Arc<McpClient>),
+    Rmcp(Arc<RmcpClient>),
+}
+
+impl McpClientAdapter {
+    #[allow(clippy::too_many_arguments)]
+    async fn new_stdio_client(
+        use_rmcp_client: bool,
+        program: OsString,
+        args: Vec<OsString>,
+        env: Option<HashMap<String, String>>,
+        env_vars: Vec<String>,
+        cwd: Option<PathBuf>,
+        params: mcp_types::InitializeRequestParams,
+        startup_timeout: Duration,
+    ) -> Result<Self> {
+        if use_rmcp_client {
+            let client =
+                Arc::new(RmcpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
+            client.initialize(params, Some(startup_timeout)).await?;
+            Ok(McpClientAdapter::Rmcp(client))
+        } else {
+            let client =
+                Arc::new(McpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
+            client.initialize(params, Some(startup_timeout)).await?;
+            Ok(McpClientAdapter::Legacy(client))
+        }
+    }
+
+    #[allow(clippy::too_many_arguments)]
+    async fn new_streamable_http_client(
+        server_name: String,
+        url: String,
+        bearer_token: Option<String>,
+        http_headers: Option<HashMap<String, String>>,
+        env_http_headers: Option<HashMap<String, String>>,
+        params: mcp_types::InitializeRequestParams,
+        startup_timeout: Duration,
+        store_mode: OAuthCredentialsStoreMode,
+    ) -> Result<Self> {
+        let client = Arc::new(
+            RmcpClient::new_streamable_http_client(
+                &server_name,
+                &url,
+                bearer_token,
+                http_headers,
+                env_http_headers,
+                store_mode,
+            )
+            .await?,
+        );
+        client.initialize(params, Some(startup_timeout)).await?;
+        Ok(McpClientAdapter::Rmcp(client))
+    }
+
+    async fn list_tools(
+        &self,
+        params: Option<mcp_types::ListToolsRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListToolsResult> {
+        match self {
+            McpClientAdapter::Legacy(client) => client.list_tools(params, timeout).await,
+            McpClientAdapter::Rmcp(client) => client.list_tools(params, timeout).await,
+        }
+    }
+
+    async fn list_resources(
+        &self,
+        params: Option<mcp_types::ListResourcesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourcesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourcesResult {
+                next_cursor: None,
+                resources: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resources(params, timeout).await,
+        }
+    }
+
+    async fn read_resource(
+        &self,
+        params: mcp_types::ReadResourceRequestParams,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ReadResourceResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Err(anyhow!(
+                "resources/read is not supported by legacy MCP clients"
+            )),
+            McpClientAdapter::Rmcp(client) => client.read_resource(params, timeout).await,
+        }
+    }
+
+    async fn list_resource_templates(
+        &self,
+        params: Option<mcp_types::ListResourceTemplatesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourceTemplatesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourceTemplatesResult {
+                next_cursor: None,
+                resource_templates: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resource_templates(params, timeout).await,
+        }
+    }
+
+    async fn call_tool(
+        &self,
+        name: String,
+        arguments: Option<serde_json::Value>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::CallToolResult> {
+        match self {
+            McpClientAdapter::Legacy(client) => client.call_tool(name, arguments, timeout).await,
+            McpClientAdapter::Rmcp(client) => client.call_tool(name, arguments, timeout).await,
+        }
+    }
+}
+
+/// A thin wrapper around a set of running [`McpClient`] instances.
 #[derive(Default)]
 pub(crate) struct McpConnectionManager {
    /// Server-name -> client instance.
@@ -113,13 +237,10 @@ pub(crate) struct McpConnectionManager {

    /// Fully qualified tool name -> tool instance.
    tools: HashMap<String, ToolInfo>,
-
-    /// Server-name -> configured tool filters.
-    tool_filters: HashMap<String, ToolFilter>,
 }

 impl McpConnectionManager {
-    /// Spawn a [`RmcpClient`] for each configured server.
+    /// Spawn a [`McpClient`] for each configured server.
    ///
    /// * `mcp_servers` – Map loaded from the user configuration where *keys*
    ///   are human-readable server identifiers and *values* are the spawn
@@ -129,6 +250,7 @@ impl McpConnectionManager {
    /// user should be informed about these errors.
    pub async fn new(
        mcp_servers: HashMap<String, McpServerConfig>,
+        use_rmcp_client: bool,
        store_mode: OAuthCredentialsStoreMode,
    ) -> Result<(Self, ClientStartErrors)> {
        // Early exit if no servers are configured.
@@ -139,7 +261,6 @@ impl McpConnectionManager {
        // Launch all configured servers concurrently.
        let mut join_set = JoinSet::new();
        let mut errors = ClientStartErrors::new();
-        let mut tool_filters: HashMap<String, ToolFilter> = HashMap::new();

        for (server_name, cfg) in mcp_servers {
            // Validate server name before spawning
@@ -152,13 +273,11 @@ impl McpConnectionManager {
            }

            if !cfg.enabled {
-                tool_filters.insert(server_name, ToolFilter::from_config(&cfg));
                continue;
            }

            let startup_timeout = cfg.startup_timeout_sec.unwrap_or(DEFAULT_STARTUP_TIMEOUT);
            let tool_timeout = cfg.tool_timeout_sec.unwrap_or(DEFAULT_TOOL_TIMEOUT);
-            tool_filters.insert(server_name.clone(), ToolFilter::from_config(&cfg));

            let resolved_bearer_token = match &cfg.transport {
                McpServerTransportConfig::StreamableHttp {
@@ -191,8 +310,7 @@ impl McpConnectionManager {
                    protocol_version: mcp_types::MCP_SCHEMA_VERSION.to_owned(),
                };

-                let resolved_bearer_token = resolved_bearer_token.unwrap_or_default();
-                let client_result = match transport {
+                let client = match transport {
                    McpServerTransportConfig::Stdio {
                        command,
                        args,
@@ -202,18 +320,17 @@ impl McpConnectionManager {
                    } => {
                        let command_os: OsString = command.into();
                        let args_os: Vec<OsString> = args.into_iter().map(Into::into).collect();
-                        match RmcpClient::new_stdio_client(command_os, args_os, env, &env_vars, cwd)
-                            .await
-                        {
-                            Ok(client) => {
-                                let client = Arc::new(client);
-                                client
-                                    .initialize(params.clone(), Some(startup_timeout))
-                                    .await
-                                    .map(|_| client)
-                            }
-                            Err(err) => Err(err.into()),
-                        }
+                        McpClientAdapter::new_stdio_client(
+                            use_rmcp_client,
+                            command_os,
+                            args_os,
+                            env,
+                            env_vars,
+                            cwd,
+                            params,
+                            startup_timeout,
+                        )
+                        .await
                    }
                    McpServerTransportConfig::StreamableHttp {
                        url,
@@ -221,32 +338,22 @@ impl McpConnectionManager {
                        env_http_headers,
                        ..
                    } => {
-                        match RmcpClient::new_streamable_http_client(
-                            &server_name,
-                            &url,
-                            resolved_bearer_token.clone(),
+                        McpClientAdapter::new_streamable_http_client(
+                            server_name.clone(),
+                            url,
+                            resolved_bearer_token.unwrap_or_default(),
                            http_headers,
                            env_http_headers,
+                            params,
+                            startup_timeout,
                            store_mode,
                        )
                        .await
-                        {
-                            Ok(client) => {
-                                let client = Arc::new(client);
-                                client
-                                    .initialize(params.clone(), Some(startup_timeout))
-                                    .await
-                                    .map(|_| client)
-                            }
-                            Err(err) => Err(err),
-                        }
                    }
-                };
+                }
+                .map(|c| (c, startup_timeout));

-                (
-                    (server_name, tool_timeout),
-                    client_result.map(|client| (client, startup_timeout)),
-                )
+                ((server_name, tool_timeout), client)
            });
        }

@@ -286,17 +393,9 @@ impl McpConnectionManager {
            }
        };

-        let filtered_tools = filter_tools(all_tools, &tool_filters);
-        let tools = qualify_tools(filtered_tools);
+        let tools = qualify_tools(all_tools);

-        Ok((
-            Self {
-                clients,
-                tools,
-                tool_filters,
-            },
-            errors,
-        ))
+        Ok((Self { clients, tools }, errors))
    }

    /// Returns a single map that contains all tools. Each key is the
@@ -442,13 +541,6 @@ impl McpConnectionManager {
        tool: &str,
        arguments: Option<serde_json::Value>,
    ) -> Result<mcp_types::CallToolResult> {
-        if let Some(filter) = self.tool_filters.get(server)
-            && !filter.allows(tool)
-        {
-            return Err(anyhow!(
-                "tool '{tool}' is disabled for MCP server '{server}'"
-            ));
-        }
        let managed = self
            .clients
            .get(server)
@@ -527,52 +619,6 @@ impl McpConnectionManager {
    }
 }

-/// A tool is allowed to be used if both are true:
-/// 1. enabled is None (no allowlist is set) or the tool is explicitly enabled.
-/// 2. The tool is not explicitly disabled.
-#[derive(Default, Clone)]
-struct ToolFilter {
-    enabled: Option<HashSet<String>>,
-    disabled: HashSet<String>,
-}
-
-impl ToolFilter {
-    fn from_config(cfg: &McpServerConfig) -> Self {
-        let enabled = cfg
-            .enabled_tools
-            .as_ref()
-            .map(|tools| tools.iter().cloned().collect::<HashSet<_>>());
-        let disabled = cfg
-            .disabled_tools
-            .as_ref()
-            .map(|tools| tools.iter().cloned().collect::<HashSet<_>>())
-            .unwrap_or_default();
-
-        Self { enabled, disabled }
-    }
-
-    fn allows(&self, tool_name: &str) -> bool {
-        if let Some(enabled) = &self.enabled
-            && !enabled.contains(tool_name)
-        {
-            return false;
-        }
-
-        !self.disabled.contains(tool_name)
-    }
-}
-
-fn filter_tools(tools: Vec<ToolInfo>, filters: &HashMap<String, ToolFilter>) -> Vec<ToolInfo> {
-    tools
-        .into_iter()
-        .filter(|tool| {
-            filters
-                .get(&tool.server_name)
-                .is_none_or(|filter| filter.allows(&tool.tool_name))
-        })
-        .collect()
-}
-
 fn resolve_bearer_token(
    server_name: &str,
    bearer_token_env_var: Option<&str>,
@@ -665,7 +711,6 @@ fn is_valid_mcp_server_name(server_name: &str) -> bool {
 mod tests {
    use super::*;
    use mcp_types::ToolInputSchema;
-    use std::collections::HashSet;

    fn create_test_tool(server_name: &str, tool_name: &str) -> ToolInfo {
        ToolInfo {
@@ -748,75 +793,4 @@ mod tests {
            "mcp__my_server__yet_anot419a82a89325c1b477274a41f8c65ea5f3a7f341"
        );
    }
-
-    #[test]
-    fn tool_filter_allows_by_default() {
-        let filter = ToolFilter::default();
-
-        assert!(filter.allows("any"));
-    }
-
-    #[test]
-    fn tool_filter_applies_enabled_list() {
-        let filter = ToolFilter {
-            enabled: Some(HashSet::from(["allowed".to_string()])),
-            disabled: HashSet::new(),
-        };
-
-        assert!(filter.allows("allowed"));
-        assert!(!filter.allows("denied"));
-    }
-
-    #[test]
-    fn tool_filter_applies_disabled_list() {
-        let filter = ToolFilter {
-            enabled: None,
-            disabled: HashSet::from(["blocked".to_string()]),
-        };
-
-        assert!(!filter.allows("blocked"));
-        assert!(filter.allows("open"));
-    }
-
-    #[test]
-    fn tool_filter_applies_enabled_then_disabled() {
-        let filter = ToolFilter {
-            enabled: Some(HashSet::from(["keep".to_string(), "remove".to_string()])),
-            disabled: HashSet::from(["remove".to_string()]),
-        };
-
-        assert!(filter.allows("keep"));
-        assert!(!filter.allows("remove"));
-        assert!(!filter.allows("unknown"));
-    }
-
-    #[test]
-    fn filter_tools_applies_per_server_filters() {
-        let tools = vec![
-            create_test_tool("server1", "tool_a"),
-            create_test_tool("server1", "tool_b"),
-            create_test_tool("server2", "tool_a"),
-        ];
-        let mut filters = HashMap::new();
-        filters.insert(
-            "server1".to_string(),
-            ToolFilter {
-                enabled: Some(HashSet::from(["tool_a".to_string(), "tool_b".to_string()])),
-                disabled: HashSet::from(["tool_b".to_string()]),
-            },
-        );
-        filters.insert(
-            "server2".to_string(),
-            ToolFilter {
-                enabled: None,
-                disabled: HashSet::from(["tool_a".to_string()]),
-            },
-        );
-
-        let filtered = filter_tools(tools, &filters);
-
-        assert_eq!(filtered.len(), 1);
-        assert_eq!(filtered[0].server_name, "server1");
-        assert_eq!(filtered[0].tool_name, "tool_a");
-    }
 }
--- a/codex-rs/core/src/mcp_tool_call.rs
+++ b/codex-rs/core/src/mcp_tool_call.rs
@@ -3,7 +3,7 @@ use std::time::Instant;
 use tracing::error;

 use crate::codex::Session;
-use crate::codex::TurnContext;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
@@ -15,7 +15,7 @@ use codex_protocol::models::ResponseInputItem;
 /// `McpToolCallBegin` and `McpToolCallEnd` events to the `Session`.
 pub(crate) async fn handle_mcp_tool_call(
    sess: &Session,
-    turn_context: &TurnContext,
+    sub_id: &str,
    call_id: String,
    server: String,
    tool_name: String,
@@ -51,7 +51,7 @@ pub(crate) async fn handle_mcp_tool_call(
        call_id: call_id.clone(),
        invocation: invocation.clone(),
    });
-    notify_mcp_tool_call_event(sess, turn_context, tool_call_begin_event).await;
+    notify_mcp_tool_call_event(sess, sub_id, tool_call_begin_event).await;

    let start = Instant::now();
    // Perform the tool call.
@@ -69,11 +69,15 @@ pub(crate) async fn handle_mcp_tool_call(
        result: result.clone(),
    });

-    notify_mcp_tool_call_event(sess, turn_context, tool_call_end_event.clone()).await;
+    notify_mcp_tool_call_event(sess, sub_id, tool_call_end_event.clone()).await;

    ResponseInputItem::McpToolCallOutput { call_id, result }
 }

-async fn notify_mcp_tool_call_event(sess: &Session, turn_context: &TurnContext, event: EventMsg) {
-    sess.send_event(turn_context, event).await;
+async fn notify_mcp_tool_call_event(sess: &Session, sub_id: &str, event: EventMsg) {
+    sess.send_event(Event {
+        id: sub_id.to_string(),
+        msg: event,
+    })
+    .await;
 }
--- a/codex-rs/core/src/model_family.rs
+++ b/codex-rs/core/src/model_family.rs
@@ -84,7 +84,11 @@ macro_rules! model_family {

 /// Returns a `ModelFamily` for the given model slug, or `None` if the slug
 /// does not match any known model family.
-pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
+pub fn find_family_for_model(mut slug: &str) -> Option<ModelFamily> {
+    // TODO(jif) clean once we have proper feature flags
+    if matches!(std::env::var("CODEX_EXPERIMENTAL").as_deref(), Ok("1")) {
+        slug = "codex-experimental";
+    }
    if slug.starts_with("o3") {
        model_family!(
            slug, "o3",
--- a/codex-rs/core/src/model_provider_info.rs
+++ b/codex-rs/core/src/model_provider_info.rs
@@ -6,8 +6,6 @@
 //!      key. These override or extend the defaults at runtime.

 use crate::CodexAuth;
-use crate::default_client::CodexHttpClient;
-use crate::default_client::CodexRequestBuilder;
 use codex_app_server_protocol::AuthMode;
 use serde::Deserialize;
 use serde::Serialize;
@@ -55,11 +53,6 @@ pub struct ModelProviderInfo {
    /// variable and set it.
    pub env_key_instructions: Option<String>,

-    /// Value to use with `Authorization: Bearer <token>` header. Use of this
-    /// config is discouraged in favor of `env_key` for security reasons, but
-    /// this may be necessary when using this programmatically.
-    pub experimental_bearer_token: Option<String>,
-
    /// Which wire protocol this provider expects.
    #[serde(default)]
    pub wire_api: WireApi,
@@ -97,7 +90,7 @@ pub struct ModelProviderInfo {

 impl ModelProviderInfo {
    /// Construct a `POST` RequestBuilder for the given URL using the provided
-    /// [`CodexHttpClient`] applying:
+    /// reqwest Client applying:
    ///   • provider-specific headers (static + env based)
    ///   • Bearer auth header when an API key is available.
    ///   • Auth token for OAuth.
@@ -106,21 +99,17 @@ impl ModelProviderInfo {
    /// one produced by [`ModelProviderInfo::api_key`].
    pub async fn create_request_builder<'a>(
        &'a self,
-        client: &'a CodexHttpClient,
+        client: &'a reqwest::Client,
        auth: &Option<CodexAuth>,
-    ) -> crate::error::Result<CodexRequestBuilder> {
-        let effective_auth = if let Some(secret_key) = &self.experimental_bearer_token {
-            Some(CodexAuth::from_api_key(secret_key))
-        } else {
-            match self.api_key() {
-                Ok(Some(key)) => Some(CodexAuth::from_api_key(&key)),
-                Ok(None) => auth.clone(),
-                Err(err) => {
-                    if auth.is_some() {
-                        auth.clone()
-                    } else {
-                        return Err(err);
-                    }
+    ) -> crate::error::Result<reqwest::RequestBuilder> {
+        let effective_auth = match self.api_key() {
+            Ok(Some(key)) => Some(CodexAuth::from_api_key(&key)),
+            Ok(None) => auth.clone(),
+            Err(err) => {
+                if auth.is_some() {
+                    auth.clone()
+                } else {
+                    return Err(err);
                }
            }
        };
@@ -189,9 +178,9 @@ impl ModelProviderInfo {
    }

    /// Apply provider-specific HTTP headers (both static and environment-based)
-    /// onto an existing [`CodexRequestBuilder`] and return the updated
+    /// onto an existing `reqwest::RequestBuilder` and return the updated
    /// builder.
-    fn apply_http_headers(&self, mut builder: CodexRequestBuilder) -> CodexRequestBuilder {
+    fn apply_http_headers(&self, mut builder: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
        if let Some(extra) = &self.http_headers {
            for (k, v) in extra {
                builder = builder.header(k, v);
@@ -285,7 +274,6 @@ pub fn built_in_model_providers() -> HashMap<String, ModelProviderInfo> {
                    .filter(|v| !v.trim().is_empty()),
                env_key: None,
                env_key_instructions: None,
-                experimental_bearer_token: None,
                wire_api: WireApi::Responses,
                query_params: None,
                http_headers: Some(
@@ -345,7 +333,6 @@ pub fn create_oss_provider_with_base_url(base_url: &str) -> ModelProviderInfo {
        base_url: Some(base_url.into()),
        env_key: None,
        env_key_instructions: None,
-        experimental_bearer_token: None,
        wire_api: WireApi::Chat,
        query_params: None,
        http_headers: None,
@@ -385,7 +372,6 @@ base_url = "http://localhost:11434/v1"
            base_url: Some("http://localhost:11434/v1".into()),
            env_key: None,
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Chat,
            query_params: None,
            http_headers: None,
@@ -413,7 +399,6 @@ query_params = { api-version = "2025-04-01-preview" }
            base_url: Some("https://xxxxx.openai.azure.com/openai".into()),
            env_key: Some("AZURE_OPENAI_API_KEY".into()),
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Chat,
            query_params: Some(maplit::hashmap! {
                "api-version".to_string() => "2025-04-01-preview".to_string(),
@@ -444,7 +429,6 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
            base_url: Some("https://example.com".into()),
            env_key: Some("API_KEY".into()),
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Chat,
            query_params: None,
            http_headers: Some(maplit::hashmap! {
@@ -471,7 +455,6 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
                base_url: Some(base_url.into()),
                env_key: None,
                env_key_instructions: None,
-                experimental_bearer_token: None,
                wire_api: WireApi::Responses,
                query_params: None,
                http_headers: None,
@@ -504,7 +487,6 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
            base_url: Some("https://example.com".into()),
            env_key: None,
            env_key_instructions: None,
-            experimental_bearer_token: None,
            wire_api: WireApi::Responses,
            query_params: None,
            http_headers: None,
--- a/codex-rs/core/src/parse_command.rs
+++ b/codex-rs/core/src/parse_command.rs
@@ -1,4 +1,4 @@
-use crate::bash::try_parse_shell;
+use crate::bash::try_parse_bash;
 use crate::bash::try_parse_word_only_commands_sequence;
 use codex_protocol::parse_command::ParsedCommand;
 use shlex::split as shlex_split;
@@ -193,19 +193,6 @@ mod tests {
        );
    }

-    #[test]
-    fn zsh_lc_supports_cat() {
-        let inner = "cat README.md";
-        assert_parsed(
-            &vec_str(&["zsh", "-lc", inner]),
-            vec![ParsedCommand::Read {
-                cmd: inner.to_string(),
-                name: "README.md".to_string(),
-                path: PathBuf::from("README.md"),
-            }],
-        );
-    }
-
    #[test]
    fn cd_then_cat_is_single_read() {
        assert_parsed(
@@ -856,7 +843,7 @@ mod tests {
 }

 pub fn parse_command_impl(command: &[String]) -> Vec<ParsedCommand> {
-    if let Some(commands) = parse_shell_lc_commands(command) {
+    if let Some(commands) = parse_bash_lc_commands(command) {
        return commands;
    }

@@ -994,7 +981,7 @@ fn is_valid_sed_n_arg(arg: Option<&str>) -> bool {
 }

 /// Normalize a command by:
-/// - Removing `yes`/`no`/`bash -c`/`bash -lc`/`zsh -c`/`zsh -lc` prefixes.
+/// - Removing `yes`/`no`/`bash -c`/`bash -lc` prefixes.
 /// - Splitting on `|` and `&&`/`||`/`;
 fn normalize_tokens(cmd: &[String]) -> Vec<String> {
    match cmd {
@@ -1006,10 +993,9 @@ fn normalize_tokens(cmd: &[String]) -> Vec<String> {
            // Do not re-shlex already-tokenized input; just drop the prefix.
            rest.to_vec()
        }
-        [shell, flag, script]
-            if (shell == "bash" || shell == "zsh") && (flag == "-c" || flag == "-lc") =>
-        {
-            shlex_split(script).unwrap_or_else(|| vec![shell.clone(), flag.clone(), script.clone()])
+        [bash, flag, script] if bash == "bash" && (flag == "-c" || flag == "-lc") => {
+            shlex_split(script)
+                .unwrap_or_else(|| vec!["bash".to_string(), flag.clone(), script.clone()])
        }
        _ => cmd.to_vec(),
    }
@@ -1165,19 +1151,19 @@ fn parse_find_query_and_path(tail: &[String]) -> (Option<String>, Option<String>
    (query, path)
 }

-fn parse_shell_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
-    let [shell, flag, script] = original else {
+fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
+    let [bash, flag, script] = original else {
        return None;
    };
-    if flag != "-lc" || !(shell == "bash" || shell == "zsh") {
+    if bash != "bash" || flag != "-lc" {
        return None;
    }
-    if let Some(tree) = try_parse_shell(script)
+    if let Some(tree) = try_parse_bash(script)
        && let Some(all_commands) = try_parse_word_only_commands_sequence(&tree, script)
        && !all_commands.is_empty()
    {
        let script_tokens = shlex_split(script)
-            .unwrap_or_else(|| vec![shell.clone(), flag.clone(), script.clone()]);
+            .unwrap_or_else(|| vec!["bash".to_string(), flag.clone(), script.clone()]);
        // Strip small formatting helpers (e.g., head/tail/awk/wc/etc) so we
        // bias toward the primary command when pipelines are present.
        // First, drop obvious small formatting helpers (e.g., wc/awk/etc).
--- a/codex-rs/core/src/response_processing.rs
+++ b/codex-rs/core/src/response_processing.rs
@@ -1,114 +0,0 @@
-use crate::codex::Session;
-use crate::codex::TurnContext;
-use crate::conversation_history::ConversationHistory;
-use codex_protocol::models::FunctionCallOutputPayload;
-use codex_protocol::models::ResponseInputItem;
-use codex_protocol::models::ResponseItem;
-use tracing::warn;
-
-/// Process streamed `ResponseItem`s from the model into the pair of:
-/// - items we should record in conversation history; and
-/// - `ResponseInputItem`s to send back to the model on the next turn.
-pub(crate) async fn process_items(
-    processed_items: Vec<crate::codex::ProcessedResponseItem>,
-    is_review_mode: bool,
-    review_thread_history: &mut ConversationHistory,
-    sess: &Session,
-    turn_context: &TurnContext,
-) -> (Vec<ResponseInputItem>, Vec<ResponseItem>) {
-    let mut items_to_record_in_conversation_history = Vec::<ResponseItem>::new();
-    let mut responses = Vec::<ResponseInputItem>::new();
-    for processed_response_item in processed_items {
-        let crate::codex::ProcessedResponseItem { item, response } = processed_response_item;
-        match (&item, &response) {
-            (ResponseItem::Message { role, .. }, None) if role == "assistant" => {
-                // If the model returned a message, we need to record it.
-                items_to_record_in_conversation_history.push(item);
-            }
-            (
-                ResponseItem::LocalShellCall { .. },
-                Some(ResponseInputItem::FunctionCallOutput { call_id, output }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                items_to_record_in_conversation_history.push(ResponseItem::FunctionCallOutput {
-                    call_id: call_id.clone(),
-                    output: output.clone(),
-                });
-            }
-            (
-                ResponseItem::FunctionCall { .. },
-                Some(ResponseInputItem::FunctionCallOutput { call_id, output }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                items_to_record_in_conversation_history.push(ResponseItem::FunctionCallOutput {
-                    call_id: call_id.clone(),
-                    output: output.clone(),
-                });
-            }
-            (
-                ResponseItem::CustomToolCall { .. },
-                Some(ResponseInputItem::CustomToolCallOutput { call_id, output }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                items_to_record_in_conversation_history.push(ResponseItem::CustomToolCallOutput {
-                    call_id: call_id.clone(),
-                    output: output.clone(),
-                });
-            }
-            (
-                ResponseItem::FunctionCall { .. },
-                Some(ResponseInputItem::McpToolCallOutput { call_id, result }),
-            ) => {
-                items_to_record_in_conversation_history.push(item);
-                let output = match result {
-                    Ok(call_tool_result) => {
-                        crate::codex::convert_call_tool_result_to_function_call_output_payload(
-                            call_tool_result,
-                        )
-                    }
-                    Err(err) => FunctionCallOutputPayload {
-                        content: err.clone(),
-                        success: Some(false),
-                    },
-                };
-                items_to_record_in_conversation_history.push(ResponseItem::FunctionCallOutput {
-                    call_id: call_id.clone(),
-                    output,
-                });
-            }
-            (
-                ResponseItem::Reasoning {
-                    id,
-                    summary,
-                    content,
-                    encrypted_content,
-                },
-                None,
-            ) => {
-                items_to_record_in_conversation_history.push(ResponseItem::Reasoning {
-                    id: id.clone(),
-                    summary: summary.clone(),
-                    content: content.clone(),
-                    encrypted_content: encrypted_content.clone(),
-                });
-            }
-            _ => {
-                warn!("Unexpected response item: {item:?} with response: {response:?}");
-            }
-        };
-        if let Some(response) = response {
-            responses.push(response);
-        }
-    }
-
-    // Only attempt to take the lock if there is something to record.
-    if !items_to_record_in_conversation_history.is_empty() {
-        if is_review_mode {
-            review_thread_history.record_items(items_to_record_in_conversation_history.iter());
-        } else {
-            sess.record_conversation_items(turn_context, &items_to_record_in_conversation_history)
-                .await;
-        }
-    }
-    (responses, items_to_record_in_conversation_history)
-}
--- a/codex-rs/core/src/rollout/list.rs
+++ b/codex-rs/core/src/rollout/list.rs
@@ -1,11 +1,12 @@
 use std::cmp::Reverse;
 use std::io::{self};
-use std::num::NonZero;
 use std::path::Path;
 use std::path::PathBuf;
+
+use codex_file_search as file_search;
+use std::num::NonZero;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
-
 use time::OffsetDateTime;
 use time::PrimitiveDateTime;
 use time::format_description::FormatItem;
@@ -14,7 +15,6 @@ use uuid::Uuid;

 use super::SESSIONS_SUBDIR;
 use crate::protocol::EventMsg;
-use codex_file_search as file_search;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::RolloutLine;
 use codex_protocol::protocol::SessionSource;
@@ -515,7 +515,6 @@ pub async fn find_conversation_path_by_id_str(
        threads,
        cancel,
        compute_indices,
-        false,
    )
    .map_err(|e| io::Error::other(format!("file search failed: {e}")))?;

--- a/codex-rs/core/src/rollout/policy.rs
+++ b/codex-rs/core/src/rollout/policy.rs
@@ -50,7 +50,6 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
        | EventMsg::AgentReasoningDelta(_)
        | EventMsg::AgentReasoningRawContentDelta(_)
        | EventMsg::AgentReasoningSectionBreak(_)
-        | EventMsg::RawResponseItem(_)
        | EventMsg::SessionConfigured(_)
        | EventMsg::McpToolCallBegin(_)
        | EventMsg::McpToolCallEnd(_)
@@ -72,8 +71,6 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
        | EventMsg::PlanUpdate(_)
        | EventMsg::ShutdownComplete
        | EventMsg::ViewImageToolCall(_)
-        | EventMsg::ConversationPath(_)
-        | EventMsg::ItemStarted(_)
-        | EventMsg::ItemCompleted(_) => false,
+        | EventMsg::ConversationPath(_) => false,
    }
 }
--- a/codex-rs/core/src/rollout/tests.rs
+++ b/codex-rs/core/src/rollout/tests.rs
@@ -24,6 +24,7 @@ use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::CompactedItem;
 use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::InputMessageKind;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::RolloutLine;
 use codex_protocol::protocol::SessionMeta;
@@ -542,6 +543,7 @@ async fn test_tail_includes_last_response_items() -> Result<()> {
        timestamp: ts.to_string(),
        item: RolloutItem::EventMsg(EventMsg::UserMessage(UserMessageEvent {
            message: "hello".into(),
+            kind: Some(InputMessageKind::Plain),
            images: None,
        })),
    };
@@ -625,6 +627,7 @@ async fn test_tail_handles_short_sessions() -> Result<()> {
        timestamp: ts.to_string(),
        item: RolloutItem::EventMsg(EventMsg::UserMessage(UserMessageEvent {
            message: "hi".into(),
+            kind: Some(InputMessageKind::Plain),
            images: None,
        })),
    };
@@ -709,6 +712,7 @@ async fn test_tail_skips_trailing_non_responses() -> Result<()> {
        timestamp: ts.to_string(),
        item: RolloutItem::EventMsg(EventMsg::UserMessage(UserMessageEvent {
            message: "hello".into(),
+            kind: Some(InputMessageKind::Plain),
            images: None,
        })),
    };
--- a/codex-rs/core/src/sandboxing/assessment.rs
+++ b/codex-rs/core/src/sandboxing/assessment.rs
@@ -1,275 +0,0 @@
-use std::path::Path;
-use std::path::PathBuf;
-use std::sync::Arc;
-use std::time::Duration;
-use std::time::Instant;
-
-use crate::AuthManager;
-use crate::ModelProviderInfo;
-use crate::client::ModelClient;
-use crate::client_common::Prompt;
-use crate::client_common::ResponseEvent;
-use crate::config::Config;
-use crate::protocol::SandboxPolicy;
-use askama::Template;
-use codex_otel::otel_event_manager::OtelEventManager;
-use codex_protocol::ConversationId;
-use codex_protocol::models::ContentItem;
-use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::SandboxCommandAssessment;
-use futures::StreamExt;
-use serde_json::json;
-use tokio::time::timeout;
-use tracing::warn;
-
-const SANDBOX_ASSESSMENT_TIMEOUT: Duration = Duration::from_secs(5);
-
-const SANDBOX_RISK_CATEGORY_VALUES: &[&str] = &[
-    "data_deletion",
-    "data_exfiltration",
-    "privilege_escalation",
-    "system_modification",
-    "network_access",
-    "resource_exhaustion",
-    "compliance",
-];
-
-#[derive(Template)]
-#[template(path = "sandboxing/assessment_prompt.md", escape = "none")]
-struct SandboxAssessmentPromptTemplate<'a> {
-    platform: &'a str,
-    sandbox_policy: &'a str,
-    filesystem_roots: Option<&'a str>,
-    working_directory: &'a str,
-    command_argv: &'a str,
-    command_joined: &'a str,
-    sandbox_failure_message: Option<&'a str>,
-}
-
-#[allow(clippy::too_many_arguments)]
-pub(crate) async fn assess_command(
-    config: Arc<Config>,
-    provider: ModelProviderInfo,
-    auth_manager: Arc<AuthManager>,
-    parent_otel: &OtelEventManager,
-    conversation_id: ConversationId,
-    call_id: &str,
-    command: &[String],
-    sandbox_policy: &SandboxPolicy,
-    cwd: &Path,
-    failure_message: Option<&str>,
-) -> Option<SandboxCommandAssessment> {
-    if !config.experimental_sandbox_command_assessment || command.is_empty() {
-        return None;
-    }
-
-    let command_json = serde_json::to_string(command).unwrap_or_else(|_| "[]".to_string());
-    let command_joined =
-        shlex::try_join(command.iter().map(String::as_str)).unwrap_or_else(|_| command.join(" "));
-    let failure = failure_message
-        .map(str::trim)
-        .filter(|msg| !msg.is_empty())
-        .map(str::to_string);
-
-    let cwd_str = cwd.to_string_lossy().to_string();
-    let sandbox_summary = summarize_sandbox_policy(sandbox_policy);
-    let mut roots = sandbox_roots_for_prompt(sandbox_policy, cwd);
-    roots.sort();
-    roots.dedup();
-
-    let platform = std::env::consts::OS;
-    let roots_formatted = roots.iter().map(|root| root.to_string_lossy().to_string());
-    let filesystem_roots = match roots_formatted.collect::<Vec<_>>() {
-        collected if collected.is_empty() => None,
-        collected => Some(collected.join(", ")),
-    };
-
-    let prompt_template = SandboxAssessmentPromptTemplate {
-        platform,
-        sandbox_policy: sandbox_summary.as_str(),
-        filesystem_roots: filesystem_roots.as_deref(),
-        working_directory: cwd_str.as_str(),
-        command_argv: command_json.as_str(),
-        command_joined: command_joined.as_str(),
-        sandbox_failure_message: failure.as_deref(),
-    };
-    let rendered_prompt = match prompt_template.render() {
-        Ok(rendered) => rendered,
-        Err(err) => {
-            warn!("failed to render sandbox assessment prompt: {err}");
-            return None;
-        }
-    };
-    let (system_prompt_section, user_prompt_section) = match rendered_prompt.split_once("\n---\n") {
-        Some(split) => split,
-        None => {
-            warn!("rendered sandbox assessment prompt missing separator");
-            return None;
-        }
-    };
-    let system_prompt = system_prompt_section
-        .strip_prefix("System Prompt:\n")
-        .unwrap_or(system_prompt_section)
-        .trim()
-        .to_string();
-    let user_prompt = user_prompt_section
-        .strip_prefix("User Prompt:\n")
-        .unwrap_or(user_prompt_section)
-        .trim()
-        .to_string();
-
-    let prompt = Prompt {
-        input: vec![ResponseItem::Message {
-            id: None,
-            role: "user".to_string(),
-            content: vec![ContentItem::InputText { text: user_prompt }],
-        }],
-        tools: Vec::new(),
-        parallel_tool_calls: false,
-        base_instructions_override: Some(system_prompt),
-        output_schema: Some(sandbox_assessment_schema()),
-    };
-
-    let child_otel =
-        parent_otel.with_model(config.model.as_str(), config.model_family.slug.as_str());
-
-    let client = ModelClient::new(
-        Arc::clone(&config),
-        Some(auth_manager),
-        child_otel,
-        provider,
-        config.model_reasoning_effort,
-        config.model_reasoning_summary,
-        conversation_id,
-    );
-
-    let start = Instant::now();
-    let assessment_result = timeout(SANDBOX_ASSESSMENT_TIMEOUT, async move {
-        let mut stream = client.stream(&prompt).await?;
-        let mut last_json: Option<String> = None;
-        while let Some(event) = stream.next().await {
-            match event {
-                Ok(ResponseEvent::OutputItemDone(item)) => {
-                    if let Some(text) = response_item_text(&item) {
-                        last_json = Some(text);
-                    }
-                }
-                Ok(ResponseEvent::RateLimits(_)) => {}
-                Ok(ResponseEvent::Completed { .. }) => break,
-                Ok(_) => continue,
-                Err(err) => return Err(err),
-            }
-        }
-        Ok(last_json)
-    })
-    .await;
-    let duration = start.elapsed();
-    parent_otel.sandbox_assessment_latency(call_id, duration);
-
-    match assessment_result {
-        Ok(Ok(Some(raw))) => match serde_json::from_str::<SandboxCommandAssessment>(raw.trim()) {
-            Ok(assessment) => {
-                parent_otel.sandbox_assessment(
-                    call_id,
-                    "success",
-                    Some(assessment.risk_level),
-                    &assessment.risk_categories,
-                    duration,
-                );
-                return Some(assessment);
-            }
-            Err(err) => {
-                warn!("failed to parse sandbox assessment JSON: {err}");
-                parent_otel.sandbox_assessment(call_id, "parse_error", None, &[], duration);
-            }
-        },
-        Ok(Ok(None)) => {
-            warn!("sandbox assessment response did not include any message");
-            parent_otel.sandbox_assessment(call_id, "no_output", None, &[], duration);
-        }
-        Ok(Err(err)) => {
-            warn!("sandbox assessment failed: {err}");
-            parent_otel.sandbox_assessment(call_id, "model_error", None, &[], duration);
-        }
-        Err(_) => {
-            warn!("sandbox assessment timed out");
-            parent_otel.sandbox_assessment(call_id, "timeout", None, &[], duration);
-        }
-    }
-
-    None
-}
-
-fn summarize_sandbox_policy(policy: &SandboxPolicy) -> String {
-    match policy {
-        SandboxPolicy::DangerFullAccess => "danger-full-access".to_string(),
-        SandboxPolicy::ReadOnly => "read-only".to_string(),
-        SandboxPolicy::WorkspaceWrite { network_access, .. } => {
-            let network = if *network_access {
-                "network"
-            } else {
-                "no-network"
-            };
-            format!("workspace-write (network_access={network})")
-        }
-    }
-}
-
-fn sandbox_roots_for_prompt(policy: &SandboxPolicy, cwd: &Path) -> Vec<PathBuf> {
-    let mut roots = vec![cwd.to_path_buf()];
-    if let SandboxPolicy::WorkspaceWrite { writable_roots, .. } = policy {
-        roots.extend(writable_roots.iter().cloned());
-    }
-    roots
-}
-
-fn sandbox_assessment_schema() -> serde_json::Value {
-    json!({
-        "type": "object",
-        "required": ["description", "risk_level", "risk_categories"],
-        "properties": {
-            "description": {
-                "type": "string",
-                "minLength": 1,
-                "maxLength": 500
-            },
-            "risk_level": {
-                "type": "string",
-                "enum": ["low", "medium", "high"]
-            },
-            "risk_categories": {
-                "type": "array",
-                "items": {
-                    "type": "string",
-                    "enum": SANDBOX_RISK_CATEGORY_VALUES
-                }
-            }
-        },
-        "additionalProperties": false
-    })
-}
-
-fn response_item_text(item: &ResponseItem) -> Option<String> {
-    match item {
-        ResponseItem::Message { content, .. } => {
-            let mut buffers: Vec<&str> = Vec::new();
-            for segment in content {
-                match segment {
-                    ContentItem::InputText { text } | ContentItem::OutputText { text } => {
-                        if !text.is_empty() {
-                            buffers.push(text);
-                        }
-                    }
-                    ContentItem::InputImage { .. } => {}
-                }
-            }
-            if buffers.is_empty() {
-                None
-            } else {
-                Some(buffers.join("\n"))
-            }
-        }
-        ResponseItem::FunctionCallOutput { output, .. } => Some(output.content.clone()),
-        _ => None,
-    }
-}
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -5,9 +5,6 @@ Build platform wrappers and produce ExecEnv for execution. Owns low‑level
 sandbox placement and transformation of portable CommandSpec into a
 ready‑to‑spawn environment.
 */
-
-pub mod assessment;
-
 use crate::exec::ExecToolCallOutput;
 use crate::exec::SandboxType;
 use crate::exec::StdoutStream;
--- a/codex-rs/core/src/state/session.rs
+++ b/codex-rs/core/src/state/session.rs
@@ -12,6 +12,7 @@ use crate::protocol::TokenUsageInfo;
 pub(crate) struct SessionState {
    pub(crate) session_configuration: SessionConfiguration,
    pub(crate) history: ConversationHistory,
+    pub(crate) token_info: Option<TokenUsageInfo>,
    pub(crate) latest_rate_limits: Option<RateLimitSnapshot>,
 }

@@ -21,6 +22,7 @@ impl SessionState {
        Self {
            session_configuration,
            history: ConversationHistory::new(),
+            token_info: None,
            latest_rate_limits: None,
        }
    }
@@ -34,12 +36,8 @@ impl SessionState {
        self.history.record_items(items)
    }

-    pub(crate) fn history_snapshot(&mut self) -> Vec<ResponseItem> {
-        self.history.get_history()
-    }
-
-    pub(crate) fn clone_history(&self) -> ConversationHistory {
-        self.history.clone()
+    pub(crate) fn history_snapshot(&self) -> Vec<ResponseItem> {
+        self.history.contents()
    }

    pub(crate) fn replace_history(&mut self, items: Vec<ResponseItem>) {
@@ -52,11 +50,11 @@ impl SessionState {
        usage: &TokenUsage,
        model_context_window: Option<i64>,
    ) {
-        self.history.update_token_info(usage, model_context_window);
-    }
-
-    pub(crate) fn token_info(&self) -> Option<TokenUsageInfo> {
-        self.history.token_info()
+        self.token_info = TokenUsageInfo::new_or_append(
+            &self.token_info,
+            &Some(usage.clone()),
+            model_context_window,
+        );
    }

    pub(crate) fn set_rate_limits(&mut self, snapshot: RateLimitSnapshot) {
@@ -66,10 +64,17 @@ impl SessionState {
    pub(crate) fn token_info_and_rate_limits(
        &self,
    ) -> (Option<TokenUsageInfo>, Option<RateLimitSnapshot>) {
-        (self.token_info(), self.latest_rate_limits.clone())
+        (self.token_info.clone(), self.latest_rate_limits.clone())
    }

    pub(crate) fn set_token_usage_full(&mut self, context_window: i64) {
-        self.history.set_token_usage_full(context_window);
+        match &mut self.token_info {
+            Some(info) => info.fill_to_context_window(context_window),
+            None => {
+                self.token_info = Some(TokenUsageInfo::full_context_window(context_window));
+            }
+        }
    }
+
+    // Pending input/approval moved to TurnState.
 }
--- a/codex-rs/core/src/state/turn.rs
+++ b/codex-rs/core/src/state/turn.rs
@@ -11,7 +11,6 @@ use tokio_util::task::AbortOnDropHandle;
 use codex_protocol::models::ResponseInputItem;
 use tokio::sync::oneshot;

-use crate::codex::TurnContext;
 use crate::protocol::ReviewDecision;
 use crate::tasks::SessionTask;

@@ -54,12 +53,10 @@ pub(crate) struct RunningTask {
    pub(crate) task: Arc<dyn SessionTask>,
    pub(crate) cancellation_token: CancellationToken,
    pub(crate) handle: Arc<AbortOnDropHandle<()>>,
-    pub(crate) turn_context: Arc<TurnContext>,
 }

 impl ActiveTurn {
-    pub(crate) fn add_task(&mut self, task: RunningTask) {
-        let sub_id = task.turn_context.sub_id.clone();
+    pub(crate) fn add_task(&mut self, sub_id: String, task: RunningTask) {
        self.tasks.insert(sub_id, task);
    }

@@ -68,8 +65,8 @@ impl ActiveTurn {
        self.tasks.is_empty()
    }

-    pub(crate) fn drain_tasks(&mut self) -> Vec<RunningTask> {
-        self.tasks.drain(..).map(|(_, task)| task).collect()
+    pub(crate) fn drain_tasks(&mut self) -> IndexMap<String, RunningTask> {
+        std::mem::take(&mut self.tasks)
    }
 }

--- a/codex-rs/core/src/tasks/compact.rs
+++ b/codex-rs/core/src/tasks/compact.rs
@@ -5,8 +5,8 @@ use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::compact;
+use crate::protocol::InputItem;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;

 use super::SessionTask;
 use super::SessionTaskContext;
@@ -24,9 +24,10 @@ impl SessionTask for CompactTask {
        self: Arc<Self>,
        session: Arc<SessionTaskContext>,
        ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
        _cancellation_token: CancellationToken,
    ) -> Option<String> {
-        compact::run_compact_task(session.clone_session(), ctx, input).await
+        compact::run_compact_task(session.clone_session(), ctx, sub_id, input).await
    }
 }
--- a/codex-rs/core/src/tasks/mod.rs
+++ b/codex-rs/core/src/tasks/mod.rs
@@ -15,14 +15,15 @@ use tracing::warn;

 use crate::codex::Session;
 use crate::codex::TurnContext;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use crate::protocol::InputItem;
 use crate::protocol::TaskCompleteEvent;
 use crate::protocol::TurnAbortReason;
 use crate::protocol::TurnAbortedEvent;
 use crate::state::ActiveTurn;
 use crate::state::RunningTask;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;

 pub(crate) use compact::CompactTask;
 pub(crate) use regular::RegularTask;
@@ -54,12 +55,13 @@ pub(crate) trait SessionTask: Send + Sync + 'static {
        self: Arc<Self>,
        session: Arc<SessionTaskContext>,
        ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
        cancellation_token: CancellationToken,
    ) -> Option<String>;

-    async fn abort(&self, session: Arc<SessionTaskContext>, ctx: Arc<TurnContext>) {
-        let _ = (session, ctx);
+    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
+        let _ = (session, sub_id);
    }
 }

@@ -67,7 +69,8 @@ impl Session {
    pub async fn spawn_task<T: SessionTask>(
        self: &Arc<Self>,
        turn_context: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
        task: T,
    ) {
        self.abort_all_tasks(TurnAbortReason::Replaced).await;
@@ -83,13 +86,14 @@ impl Session {
            let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
            let ctx = Arc::clone(&turn_context);
            let task_for_run = Arc::clone(&task);
+            let sub_clone = sub_id.clone();
            let task_cancellation_token = cancellation_token.child_token();
            tokio::spawn(async move {
-                let ctx_for_finish = Arc::clone(&ctx);
                let last_agent_message = task_for_run
                    .run(
                        Arc::clone(&session_ctx),
                        ctx,
+                        sub_clone.clone(),
                        input,
                        task_cancellation_token.child_token(),
                    )
@@ -98,8 +102,7 @@ impl Session {
                if !task_cancellation_token.is_cancelled() {
                    // Emit completion uniformly from spawn site so all tasks share the same lifecycle.
                    let sess = session_ctx.clone_session();
-                    sess.on_task_finished(ctx_for_finish, last_agent_message)
-                        .await;
+                    sess.on_task_finished(sub_clone, last_agent_message).await;
                }
                done_clone.notify_waiters();
            })
@@ -111,54 +114,60 @@ impl Session {
            kind: task_kind,
            task,
            cancellation_token,
-            turn_context: Arc::clone(&turn_context),
        };
-        self.register_new_active_task(running_task).await;
+        self.register_new_active_task(sub_id, running_task).await;
    }

    pub async fn abort_all_tasks(self: &Arc<Self>, reason: TurnAbortReason) {
-        for task in self.take_all_running_tasks().await {
-            self.handle_task_abort(task, reason.clone()).await;
+        for (sub_id, task) in self.take_all_running_tasks().await {
+            self.handle_task_abort(sub_id, task, reason.clone()).await;
        }
    }

    pub async fn on_task_finished(
        self: &Arc<Self>,
-        turn_context: Arc<TurnContext>,
+        sub_id: String,
        last_agent_message: Option<String>,
    ) {
        let mut active = self.active_turn.lock().await;
        if let Some(at) = active.as_mut()
-            && at.remove_task(&turn_context.sub_id)
+            && at.remove_task(&sub_id)
        {
            *active = None;
        }
        drop(active);
-        let event = EventMsg::TaskComplete(TaskCompleteEvent { last_agent_message });
-        self.send_event(turn_context.as_ref(), event).await;
+        let event = Event {
+            id: sub_id,
+            msg: EventMsg::TaskComplete(TaskCompleteEvent { last_agent_message }),
+        };
+        self.send_event(event).await;
    }

-    async fn register_new_active_task(&self, task: RunningTask) {
+    async fn register_new_active_task(&self, sub_id: String, task: RunningTask) {
        let mut active = self.active_turn.lock().await;
        let mut turn = ActiveTurn::default();
-        turn.add_task(task);
+        turn.add_task(sub_id, task);
        *active = Some(turn);
    }

-    async fn take_all_running_tasks(&self) -> Vec<RunningTask> {
+    async fn take_all_running_tasks(&self) -> Vec<(String, RunningTask)> {
        let mut active = self.active_turn.lock().await;
        match active.take() {
            Some(mut at) => {
                at.clear_pending().await;
-
-                at.drain_tasks()
+                let tasks = at.drain_tasks();
+                tasks.into_iter().collect()
            }
            None => Vec::new(),
        }
    }

-    async fn handle_task_abort(self: &Arc<Self>, task: RunningTask, reason: TurnAbortReason) {
-        let sub_id = task.turn_context.sub_id.clone();
+    async fn handle_task_abort(
+        self: &Arc<Self>,
+        sub_id: String,
+        task: RunningTask,
+        reason: TurnAbortReason,
+    ) {
        if task.cancellation_token.is_cancelled() {
            return;
        }
@@ -178,12 +187,13 @@ impl Session {
        task.handle.abort();

        let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
-        session_task
-            .abort(session_ctx, Arc::clone(&task.turn_context))
-            .await;
+        session_task.abort(session_ctx, &sub_id).await;

-        let event = EventMsg::TurnAborted(TurnAbortedEvent { reason });
-        self.send_event(task.turn_context.as_ref(), event).await;
+        let event = Event {
+            id: sub_id.clone(),
+            msg: EventMsg::TurnAborted(TurnAbortedEvent { reason }),
+        };
+        self.send_event(event).await;
    }
 }

--- a/codex-rs/core/src/tasks/regular.rs
+++ b/codex-rs/core/src/tasks/regular.rs
@@ -5,8 +5,8 @@ use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::run_task;
+use crate::protocol::InputItem;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;

 use super::SessionTask;
 use super::SessionTaskContext;
@@ -24,10 +24,19 @@ impl SessionTask for RegularTask {
        self: Arc<Self>,
        session: Arc<SessionTaskContext>,
        ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
        cancellation_token: CancellationToken,
    ) -> Option<String> {
        let sess = session.clone_session();
-        run_task(sess, ctx, input, TaskKind::Regular, cancellation_token).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Regular,
+            cancellation_token,
+        )
+        .await
    }
 }
--- a/codex-rs/core/src/tasks/review.rs
+++ b/codex-rs/core/src/tasks/review.rs
@@ -6,8 +6,8 @@ use tokio_util::sync::CancellationToken;
 use crate::codex::TurnContext;
 use crate::codex::exit_review_mode;
 use crate::codex::run_task;
+use crate::protocol::InputItem;
 use crate::state::TaskKind;
-use codex_protocol::user_input::UserInput;

 use super::SessionTask;
 use super::SessionTaskContext;
@@ -25,14 +25,23 @@ impl SessionTask for ReviewTask {
        self: Arc<Self>,
        session: Arc<SessionTaskContext>,
        ctx: Arc<TurnContext>,
-        input: Vec<UserInput>,
+        sub_id: String,
+        input: Vec<InputItem>,
        cancellation_token: CancellationToken,
    ) -> Option<String> {
        let sess = session.clone_session();
-        run_task(sess, ctx, input, TaskKind::Review, cancellation_token).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Review,
+            cancellation_token,
+        )
+        .await
    }

-    async fn abort(&self, session: Arc<SessionTaskContext>, ctx: Arc<TurnContext>) {
-        exit_review_mode(session.clone_session(), ctx, None).await;
+    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
+        exit_review_mode(session.clone_session(), sub_id.to_string(), None).await;
    }
 }
--- a/codex-rs/core/src/tools/context.rs
+++ b/codex-rs/core/src/tools/context.rs
@@ -24,6 +24,7 @@ pub struct ToolInvocation {
    pub session: Arc<Session>,
    pub turn: Arc<TurnContext>,
    pub tracker: SharedTurnDiffTracker,
+    pub sub_id: String,
    pub call_id: String,
    pub tool_name: String,
    pub payload: ToolPayload,
@@ -233,7 +234,7 @@ mod tests {
 #[derive(Clone, Debug)]
 #[allow(dead_code)]
 pub(crate) struct ExecCommandContext {
-    pub(crate) turn: Arc<TurnContext>,
+    pub(crate) sub_id: String,
    pub(crate) call_id: String,
    pub(crate) command_for_display: Vec<String>,
    pub(crate) cwd: PathBuf,
--- a/codex-rs/core/src/tools/events.rs
+++ b/codex-rs/core/src/tools/events.rs
@@ -1,10 +1,7 @@
 use crate::codex::Session;
-use crate::codex::TurnContext;
-use crate::error::CodexErr;
-use crate::error::SandboxErr;
 use crate::exec::ExecToolCallOutput;
-use crate::function_tool::FunctionCallError;
 use crate::parse_command::parse_command;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecCommandBeginEvent;
 use crate::protocol::ExecCommandEndEvent;
@@ -13,9 +10,7 @@ use crate::protocol::PatchApplyBeginEvent;
 use crate::protocol::PatchApplyEndEvent;
 use crate::protocol::TurnDiffEvent;
 use crate::tools::context::SharedTurnDiffTracker;
-use crate::tools::sandboxing::ToolError;
 use std::collections::HashMap;
-use std::path::Path;
 use std::path::PathBuf;
 use std::time::Duration;

@@ -25,7 +20,7 @@ use super::format_exec_output_str;
 #[derive(Clone, Copy)]
 pub(crate) struct ToolEventCtx<'a> {
    pub session: &'a Session,
-    pub turn: &'a TurnContext,
+    pub sub_id: &'a str,
    pub call_id: &'a str,
    pub turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
 }
@@ -33,13 +28,13 @@ pub(crate) struct ToolEventCtx<'a> {
 impl<'a> ToolEventCtx<'a> {
    pub fn new(
        session: &'a Session,
-        turn: &'a TurnContext,
+        sub_id: &'a str,
        call_id: &'a str,
        turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
    ) -> Self {
        Self {
            session,
-            turn,
+            sub_id,
            call_id,
            turn_diff_tracker,
        }
@@ -56,20 +51,6 @@ pub(crate) enum ToolEventFailure {
    Output(ExecToolCallOutput),
    Message(String),
 }
-
-pub(crate) async fn emit_exec_command_begin(ctx: ToolEventCtx<'_>, command: &[String], cwd: &Path) {
-    ctx.session
-        .send_event(
-            ctx.turn,
-            EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
-                call_id: ctx.call_id.to_string(),
-                command: command.to_vec(),
-                cwd: cwd.to_path_buf(),
-                parsed_cmd: parse_command(command),
-            }),
-        )
-        .await;
-}
 // Concrete, allocation-free emitter: avoid trait objects and boxed futures.
 pub(crate) enum ToolEmitter {
    Shell {
@@ -80,13 +61,6 @@ pub(crate) enum ToolEmitter {
        changes: HashMap<PathBuf, FileChange>,
        auto_approved: bool,
    },
-    UnifiedExec {
-        command: String,
-        cwd: PathBuf,
-        // True for `exec_command` and false for `write_stdin`.
-        #[allow(dead_code)]
-        is_startup_command: bool,
-    },
 }

 impl ToolEmitter {
@@ -101,18 +75,20 @@ impl ToolEmitter {
        }
    }

-    pub fn unified_exec(command: String, cwd: PathBuf, is_startup_command: bool) -> Self {
-        Self::UnifiedExec {
-            command,
-            cwd,
-            is_startup_command,
-        }
-    }
-
    pub async fn emit(&self, ctx: ToolEventCtx<'_>, stage: ToolEventStage) {
        match (self, stage) {
            (Self::Shell { command, cwd }, ToolEventStage::Begin) => {
-                emit_exec_command_begin(ctx, command, cwd.as_path()).await;
+                ctx.session
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
+                            call_id: ctx.call_id.to_string(),
+                            command: command.clone(),
+                            cwd: cwd.clone(),
+                            parsed_cmd: parse_command(command),
+                        }),
+                    })
+                    .await;
            }
            (Self::Shell { .. }, ToolEventStage::Success(output)) => {
                emit_exec_end(
@@ -163,14 +139,14 @@ impl ToolEmitter {
                    guard.on_patch_begin(changes);
                }
                ctx.session
-                    .send_event(
-                        ctx.turn,
-                        EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
                            call_id: ctx.call_id.to_string(),
                            auto_approved: *auto_approved,
                            changes: changes.clone(),
                        }),
-                    )
+                    })
                    .await;
            }
            (Self::ApplyPatch { .. }, ToolEventStage::Success(output)) => {
@@ -200,103 +176,8 @@ impl ToolEmitter {
            ) => {
                emit_patch_end(ctx, String::new(), (*message).to_string(), false).await;
            }
-            (Self::UnifiedExec { command, cwd, .. }, ToolEventStage::Begin) => {
-                emit_exec_command_begin(ctx, &[command.to_string()], cwd.as_path()).await;
-            }
-            (Self::UnifiedExec { .. }, ToolEventStage::Success(output)) => {
-                emit_exec_end(
-                    ctx,
-                    output.stdout.text.clone(),
-                    output.stderr.text.clone(),
-                    output.aggregated_output.text.clone(),
-                    output.exit_code,
-                    output.duration,
-                    format_exec_output_str(&output),
-                )
-                .await;
-            }
-            (
-                Self::UnifiedExec { .. },
-                ToolEventStage::Failure(ToolEventFailure::Output(output)),
-            ) => {
-                emit_exec_end(
-                    ctx,
-                    output.stdout.text.clone(),
-                    output.stderr.text.clone(),
-                    output.aggregated_output.text.clone(),
-                    output.exit_code,
-                    output.duration,
-                    format_exec_output_str(&output),
-                )
-                .await;
-            }
-            (
-                Self::UnifiedExec { .. },
-                ToolEventStage::Failure(ToolEventFailure::Message(message)),
-            ) => {
-                emit_exec_end(
-                    ctx,
-                    String::new(),
-                    (*message).to_string(),
-                    (*message).to_string(),
-                    -1,
-                    Duration::ZERO,
-                    format_exec_output(&message),
-                )
-                .await;
-            }
        }
    }
-
-    pub async fn begin(&self, ctx: ToolEventCtx<'_>) {
-        self.emit(ctx, ToolEventStage::Begin).await;
-    }
-
-    pub async fn finish(
-        &self,
-        ctx: ToolEventCtx<'_>,
-        out: Result<ExecToolCallOutput, ToolError>,
-    ) -> Result<String, FunctionCallError> {
-        let event;
-        let result = match out {
-            Ok(output) => {
-                let content = super::format_exec_output_for_model(&output);
-                let exit_code = output.exit_code;
-                event = ToolEventStage::Success(output);
-                if exit_code == 0 {
-                    Ok(content)
-                } else {
-                    Err(FunctionCallError::RespondToModel(content))
-                }
-            }
-            Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output })))
-            | Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
-                let response = super::format_exec_output_for_model(&output);
-                event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
-                Err(FunctionCallError::RespondToModel(response))
-            }
-            Err(ToolError::Codex(err)) => {
-                let message = format!("execution error: {err:?}");
-                let response = super::format_exec_output(&message);
-                event = ToolEventStage::Failure(ToolEventFailure::Message(message));
-                Err(FunctionCallError::RespondToModel(response))
-            }
-            Err(ToolError::Rejected(msg)) | Err(ToolError::SandboxDenied(msg)) => {
-                // Normalize common rejection messages for exec tools so tests and
-                // users see a clear, consistent phrase.
-                let normalized = if msg == "rejected by user" {
-                    "exec command rejected by user".to_string()
-                } else {
-                    msg
-                };
-                let response = super::format_exec_output(&normalized);
-                event = ToolEventStage::Failure(ToolEventFailure::Message(normalized));
-                Err(FunctionCallError::RespondToModel(response))
-            }
-        };
-        self.emit(ctx, event).await;
-        result
-    }
 }

 async fn emit_exec_end(
@@ -309,9 +190,9 @@ async fn emit_exec_end(
    formatted_output: String,
 ) {
    ctx.session
-        .send_event(
-            ctx.turn,
-            EventMsg::ExecCommandEnd(ExecCommandEndEvent {
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::ExecCommandEnd(ExecCommandEndEvent {
                call_id: ctx.call_id.to_string(),
                stdout,
                stderr,
@@ -320,21 +201,21 @@ async fn emit_exec_end(
                duration,
                formatted_output,
            }),
-        )
+        })
        .await;
 }

 async fn emit_patch_end(ctx: ToolEventCtx<'_>, stdout: String, stderr: String, success: bool) {
    ctx.session
-        .send_event(
-            ctx.turn,
-            EventMsg::PatchApplyEnd(PatchApplyEndEvent {
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::PatchApplyEnd(PatchApplyEndEvent {
                call_id: ctx.call_id.to_string(),
                stdout,
                stderr,
                success,
            }),
-        )
+        })
        .await;

    if let Some(tracker) = ctx.turn_diff_tracker {
@@ -344,7 +225,10 @@ async fn emit_patch_end(ctx: ToolEventCtx<'_>, stdout: String, stderr: String, s
        };
        if let Ok(Some(unified_diff)) = unified_diff {
            ctx.session
-                .send_event(ctx.turn, EventMsg::TurnDiff(TurnDiffEvent { unified_diff }))
+                .send_event(Event {
+                    id: ctx.sub_id.to_string(),
+                    msg: EventMsg::TurnDiff(TurnDiffEvent { unified_diff }),
+                })
                .await;
        }
    }
--- a/codex-rs/core/src/tools/handlers/apply_patch.rs
+++ b/codex-rs/core/src/tools/handlers/apply_patch.rs
@@ -1,24 +1,19 @@
 use std::collections::BTreeMap;
+use std::collections::HashMap;
+use std::sync::Arc;

-use crate::apply_patch;
-use crate::apply_patch::InternalApplyPatchInvocation;
-use crate::apply_patch::convert_apply_patch_to_protocol;
 use crate::client_common::tools::FreeformTool;
 use crate::client_common::tools::FreeformToolFormat;
 use crate::client_common::tools::ResponsesApiTool;
 use crate::client_common::tools::ToolSpec;
+use crate::exec::ExecParams;
 use crate::function_tool::FunctionCallError;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
-use crate::tools::events::ToolEmitter;
-use crate::tools::events::ToolEventCtx;
-use crate::tools::orchestrator::ToolOrchestrator;
+use crate::tools::handle_container_exec_with_params;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use crate::tools::runtimes::apply_patch::ApplyPatchRequest;
-use crate::tools::runtimes::apply_patch::ApplyPatchRuntime;
-use crate::tools::sandboxing::ToolCtx;
 use crate::tools::spec::ApplyPatchToolArgs;
 use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
@@ -47,6 +42,7 @@ impl ToolHandler for ApplyPatchHandler {
            session,
            turn,
            tracker,
+            sub_id,
            call_id,
            tool_name,
            payload,
@@ -69,85 +65,31 @@ impl ToolHandler for ApplyPatchHandler {
            }
        };

-        // Re-parse and verify the patch so we can compute changes and approval.
-        // Avoid building temporary ExecParams/command vectors; derive directly from inputs.
-        let cwd = turn.cwd.clone();
-        let command = vec!["apply_patch".to_string(), patch_input.clone()];
-        match codex_apply_patch::maybe_parse_apply_patch_verified(&command, &cwd) {
-            codex_apply_patch::MaybeApplyPatchVerified::Body(changes) => {
-                match apply_patch::apply_patch(session.as_ref(), turn.as_ref(), &call_id, changes)
-                    .await
-                {
-                    InternalApplyPatchInvocation::Output(item) => {
-                        let content = item?;
-                        Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        })
-                    }
-                    InternalApplyPatchInvocation::DelegateToExec(apply) => {
-                        let emitter = ToolEmitter::apply_patch(
-                            convert_apply_patch_to_protocol(&apply.action),
-                            !apply.user_explicitly_approved_this_action,
-                        );
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        emitter.begin(event_ctx).await;
+        let exec_params = ExecParams {
+            command: vec!["apply_patch".to_string(), patch_input.clone()],
+            cwd: turn.cwd.clone(),
+            timeout_ms: None,
+            env: HashMap::new(),
+            with_escalated_permissions: None,
+            justification: None,
+            arg0: None,
+        };

-                        let req = ApplyPatchRequest {
-                            patch: apply.action.patch.clone(),
-                            cwd: apply.action.cwd.clone(),
-                            timeout_ms: None,
-                            user_explicitly_approved: apply.user_explicitly_approved_this_action,
-                            codex_exe: turn.codex_linux_sandbox_exe.clone(),
-                        };
+        let content = handle_container_exec_with_params(
+            tool_name.as_str(),
+            exec_params,
+            Arc::clone(&session),
+            Arc::clone(&turn),
+            Arc::clone(&tracker),
+            sub_id.clone(),
+            call_id.clone(),
+        )
+        .await?;

-                        let mut orchestrator = ToolOrchestrator::new();
-                        let mut runtime = ApplyPatchRuntime::new();
-                        let tool_ctx = ToolCtx {
-                            session: session.as_ref(),
-                            turn: turn.as_ref(),
-                            call_id: call_id.clone(),
-                            tool_name: tool_name.to_string(),
-                        };
-                        let out = orchestrator
-                            .run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
-                            .await;
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        let content = emitter.finish(event_ctx, out).await?;
-                        Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        })
-                    }
-                }
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::CorrectnessError(parse_error) => {
-                Err(FunctionCallError::RespondToModel(format!(
-                    "apply_patch verification failed: {parse_error}"
-                )))
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::ShellParseError(error) => {
-                tracing::trace!("Failed to parse apply_patch input, {error:?}");
-                Err(FunctionCallError::RespondToModel(
-                    "apply_patch handler received invalid patch input".to_string(),
-                ))
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::NotApplyPatch => {
-                Err(FunctionCallError::RespondToModel(
-                    "apply_patch handler received non-apply_patch input".to_string(),
-                ))
-            }
-        }
+        Ok(ToolOutput::Function {
+            content,
+            success: Some(true),
+        })
    }
 }

--- a/codex-rs/core/src/tools/handlers/mcp.rs
+++ b/codex-rs/core/src/tools/handlers/mcp.rs
@@ -19,7 +19,7 @@ impl ToolHandler for McpHandler {
    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
        let ToolInvocation {
            session,
-            turn,
+            sub_id,
            call_id,
            payload,
            ..
@@ -43,7 +43,7 @@ impl ToolHandler for McpHandler {

        let response = handle_mcp_tool_call(
            session.as_ref(),
-            turn.as_ref(),
+            &sub_id,
            call_id.clone(),
            server,
            tool,
--- a/codex-rs/core/src/tools/handlers/mcp_resource.rs
+++ b/codex-rs/core/src/tools/handlers/mcp_resource.rs
@@ -21,8 +21,8 @@ use serde::de::DeserializeOwned;
 use serde_json::Value;

 use crate::codex::Session;
-use crate::codex::TurnContext;
 use crate::function_tool::FunctionCallError;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
@@ -189,7 +189,7 @@ impl ToolHandler for McpResourceHandler {
    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
        let ToolInvocation {
            session,
-            turn,
+            sub_id,
            call_id,
            tool_name,
            payload,
@@ -211,7 +211,7 @@ impl ToolHandler for McpResourceHandler {
            "list_mcp_resources" => {
                handle_list_resources(
                    Arc::clone(&session),
-                    Arc::clone(&turn),
+                    sub_id.clone(),
                    call_id.clone(),
                    arguments_value.clone(),
                )
@@ -220,20 +220,14 @@ impl ToolHandler for McpResourceHandler {
            "list_mcp_resource_templates" => {
                handle_list_resource_templates(
                    Arc::clone(&session),
-                    Arc::clone(&turn),
+                    sub_id.clone(),
                    call_id.clone(),
                    arguments_value.clone(),
                )
                .await
            }
            "read_mcp_resource" => {
-                handle_read_resource(
-                    Arc::clone(&session),
-                    Arc::clone(&turn),
-                    call_id,
-                    arguments_value,
-                )
-                .await
+                handle_read_resource(Arc::clone(&session), sub_id, call_id, arguments_value).await
            }
            other => Err(FunctionCallError::RespondToModel(format!(
                "unsupported MCP resource tool: {other}"
@@ -244,7 +238,7 @@ impl ToolHandler for McpResourceHandler {

 async fn handle_list_resources(
    session: Arc<Session>,
-    turn: Arc<TurnContext>,
+    sub_id: String,
    call_id: String,
    arguments: Option<Value>,
 ) -> Result<ToolOutput, FunctionCallError> {
@@ -259,7 +253,7 @@ async fn handle_list_resources(
        arguments: arguments.clone(),
    };

-    emit_tool_call_begin(&session, turn.as_ref(), &call_id, invocation.clone()).await;
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
    let start = Instant::now();

    let payload_result: Result<ListResourcesPayload, FunctionCallError> = async {
@@ -303,7 +297,7 @@ async fn handle_list_resources(
                let duration = start.elapsed();
                emit_tool_call_end(
                    &session,
-                    turn.as_ref(),
+                    &sub_id,
                    &call_id,
                    invocation,
                    duration,
@@ -317,7 +311,7 @@ async fn handle_list_resources(
                let message = err.to_string();
                emit_tool_call_end(
                    &session,
-                    turn.as_ref(),
+                    &sub_id,
                    &call_id,
                    invocation,
                    duration,
@@ -332,7 +326,7 @@ async fn handle_list_resources(
            let message = err.to_string();
            emit_tool_call_end(
                &session,
-                turn.as_ref(),
+                &sub_id,
                &call_id,
                invocation,
                duration,
@@ -346,7 +340,7 @@ async fn handle_list_resources(

 async fn handle_list_resource_templates(
    session: Arc<Session>,
-    turn: Arc<TurnContext>,
+    sub_id: String,
    call_id: String,
    arguments: Option<Value>,
 ) -> Result<ToolOutput, FunctionCallError> {
@@ -361,7 +355,7 @@ async fn handle_list_resource_templates(
        arguments: arguments.clone(),
    };

-    emit_tool_call_begin(&session, turn.as_ref(), &call_id, invocation.clone()).await;
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
    let start = Instant::now();

    let payload_result: Result<ListResourceTemplatesPayload, FunctionCallError> = async {
@@ -409,7 +403,7 @@ async fn handle_list_resource_templates(
                let duration = start.elapsed();
                emit_tool_call_end(
                    &session,
-                    turn.as_ref(),
+                    &sub_id,
                    &call_id,
                    invocation,
                    duration,
@@ -423,7 +417,7 @@ async fn handle_list_resource_templates(
                let message = err.to_string();
                emit_tool_call_end(
                    &session,
-                    turn.as_ref(),
+                    &sub_id,
                    &call_id,
                    invocation,
                    duration,
@@ -438,7 +432,7 @@ async fn handle_list_resource_templates(
            let message = err.to_string();
            emit_tool_call_end(
                &session,
-                turn.as_ref(),
+                &sub_id,
                &call_id,
                invocation,
                duration,
@@ -452,7 +446,7 @@ async fn handle_list_resource_templates(

 async fn handle_read_resource(
    session: Arc<Session>,
-    turn: Arc<TurnContext>,
+    sub_id: String,
    call_id: String,
    arguments: Option<Value>,
 ) -> Result<ToolOutput, FunctionCallError> {
@@ -467,7 +461,7 @@ async fn handle_read_resource(
        arguments: arguments.clone(),
    };

-    emit_tool_call_begin(&session, turn.as_ref(), &call_id, invocation.clone()).await;
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
    let start = Instant::now();

    let payload_result: Result<ReadResourcePayload, FunctionCallError> = async {
@@ -495,7 +489,7 @@ async fn handle_read_resource(
                let duration = start.elapsed();
                emit_tool_call_end(
                    &session,
-                    turn.as_ref(),
+                    &sub_id,
                    &call_id,
                    invocation,
                    duration,
@@ -509,7 +503,7 @@ async fn handle_read_resource(
                let message = err.to_string();
                emit_tool_call_end(
                    &session,
-                    turn.as_ref(),
+                    &sub_id,
                    &call_id,
                    invocation,
                    duration,
@@ -524,7 +518,7 @@ async fn handle_read_resource(
            let message = err.to_string();
            emit_tool_call_end(
                &session,
-                turn.as_ref(),
+                &sub_id,
                &call_id,
                invocation,
                duration,
@@ -550,39 +544,39 @@ fn call_tool_result_from_content(content: &str, success: Option<bool>) -> CallTo

 async fn emit_tool_call_begin(
    session: &Arc<Session>,
-    turn: &TurnContext,
+    sub_id: &str,
    call_id: &str,
    invocation: McpInvocation,
 ) {
    session
-        .send_event(
-            turn,
-            EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
                call_id: call_id.to_string(),
                invocation,
            }),
-        )
+        })
        .await;
 }

 async fn emit_tool_call_end(
    session: &Arc<Session>,
-    turn: &TurnContext,
+    sub_id: &str,
    call_id: &str,
    invocation: McpInvocation,
    duration: Duration,
    result: Result<CallToolResult, String>,
 ) {
    session
-        .send_event(
-            turn,
-            EventMsg::McpToolCallEnd(McpToolCallEndEvent {
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallEnd(McpToolCallEndEvent {
                call_id: call_id.to_string(),
                invocation,
                duration,
                result,
            }),
-        )
+        })
        .await;
 }

--- a/codex-rs/core/src/tools/handlers/plan.rs
+++ b/codex-rs/core/src/tools/handlers/plan.rs
@@ -1,7 +1,6 @@
 use crate::client_common::tools::ResponsesApiTool;
 use crate::client_common::tools::ToolSpec;
 use crate::codex::Session;
-use crate::codex::TurnContext;
 use crate::function_tool::FunctionCallError;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
@@ -11,6 +10,7 @@ use crate::tools::registry::ToolKind;
 use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
 use codex_protocol::plan_tool::UpdatePlanArgs;
+use codex_protocol::protocol::Event;
 use codex_protocol::protocol::EventMsg;
 use std::collections::BTreeMap;
 use std::sync::LazyLock;
@@ -68,7 +68,7 @@ impl ToolHandler for PlanHandler {
    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
        let ToolInvocation {
            session,
-            turn,
+            sub_id,
            call_id,
            payload,
            ..
@@ -84,7 +84,7 @@ impl ToolHandler for PlanHandler {
        };

        let content =
-            handle_update_plan(session.as_ref(), turn.as_ref(), arguments, call_id).await?;
+            handle_update_plan(session.as_ref(), arguments, sub_id.clone(), call_id).await?;

        Ok(ToolOutput::Function {
            content,
@@ -98,13 +98,16 @@ impl ToolHandler for PlanHandler {
 /// than forcing it to come up and document a plan (TBD how that affects performance).
 pub(crate) async fn handle_update_plan(
    session: &Session,
-    turn_context: &TurnContext,
    arguments: String,
+    sub_id: String,
    _call_id: String,
 ) -> Result<String, FunctionCallError> {
    let args = parse_update_plan_arguments(&arguments)?;
    session
-        .send_event(turn_context, EventMsg::PlanUpdate(args))
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::PlanUpdate(args),
+        })
        .await;
    Ok("Plan updated".to_string())
 }
--- a/codex-rs/core/src/tools/handlers/shell.rs
+++ b/codex-rs/core/src/tools/handlers/shell.rs
@@ -2,9 +2,6 @@ use async_trait::async_trait;
 use codex_protocol::models::ShellToolCallParams;
 use std::sync::Arc;

-use crate::apply_patch;
-use crate::apply_patch::InternalApplyPatchInvocation;
-use crate::apply_patch::convert_apply_patch_to_protocol;
 use crate::codex::TurnContext;
 use crate::exec::ExecParams;
 use crate::exec_env::create_env;
@@ -12,16 +9,9 @@ use crate::function_tool::FunctionCallError;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
-use crate::tools::events::ToolEmitter;
-use crate::tools::events::ToolEventCtx;
-use crate::tools::orchestrator::ToolOrchestrator;
+use crate::tools::handle_container_exec_with_params;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use crate::tools::runtimes::apply_patch::ApplyPatchRequest;
-use crate::tools::runtimes::apply_patch::ApplyPatchRuntime;
-use crate::tools::runtimes::shell::ShellRequest;
-use crate::tools::runtimes::shell::ShellRuntime;
-use crate::tools::sandboxing::ToolCtx;

 pub struct ShellHandler;

@@ -57,6 +47,7 @@ impl ToolHandler for ShellHandler {
            session,
            turn,
            tracker,
+            sub_id,
            call_id,
            tool_name,
            payload,
@@ -71,27 +62,37 @@ impl ToolHandler for ShellHandler {
                        ))
                    })?;
                let exec_params = Self::to_exec_params(params, turn.as_ref());
-                Self::run_exec_like(
+                let content = handle_container_exec_with_params(
                    tool_name.as_str(),
                    exec_params,
-                    session,
-                    turn,
-                    tracker,
-                    call_id,
+                    Arc::clone(&session),
+                    Arc::clone(&turn),
+                    Arc::clone(&tracker),
+                    sub_id.clone(),
+                    call_id.clone(),
                )
-                .await
+                .await?;
+                Ok(ToolOutput::Function {
+                    content,
+                    success: Some(true),
+                })
            }
            ToolPayload::LocalShell { params } => {
                let exec_params = Self::to_exec_params(params, turn.as_ref());
-                Self::run_exec_like(
+                let content = handle_container_exec_with_params(
                    tool_name.as_str(),
                    exec_params,
-                    session,
-                    turn,
-                    tracker,
-                    call_id,
+                    Arc::clone(&session),
+                    Arc::clone(&turn),
+                    Arc::clone(&tracker),
+                    sub_id.clone(),
+                    call_id.clone(),
                )
-                .await
+                .await?;
+                Ok(ToolOutput::Function {
+                    content,
+                    success: Some(true),
+                })
            }
            _ => Err(FunctionCallError::RespondToModel(format!(
                "unsupported payload for shell handler: {tool_name}"
@@ -99,134 +100,3 @@ impl ToolHandler for ShellHandler {
        }
    }
 }
-
-impl ShellHandler {
-    async fn run_exec_like(
-        tool_name: &str,
-        exec_params: ExecParams,
-        session: Arc<crate::codex::Session>,
-        turn: Arc<TurnContext>,
-        tracker: crate::tools::context::SharedTurnDiffTracker,
-        call_id: String,
-    ) -> Result<ToolOutput, FunctionCallError> {
-        // Approval policy guard for explicit escalation in non-OnRequest modes.
-        if exec_params.with_escalated_permissions.unwrap_or(false)
-            && !matches!(
-                turn.approval_policy,
-                codex_protocol::protocol::AskForApproval::OnRequest
-            )
-        {
-            return Err(FunctionCallError::RespondToModel(format!(
-                "approval policy is {policy:?}; reject command — you should not ask for escalated permissions if the approval policy is {policy:?}",
-                policy = turn.approval_policy
-            )));
-        }
-
-        // Intercept apply_patch if present.
-        match codex_apply_patch::maybe_parse_apply_patch_verified(
-            &exec_params.command,
-            &exec_params.cwd,
-        ) {
-            codex_apply_patch::MaybeApplyPatchVerified::Body(changes) => {
-                match apply_patch::apply_patch(session.as_ref(), turn.as_ref(), &call_id, changes)
-                    .await
-                {
-                    InternalApplyPatchInvocation::Output(item) => {
-                        // Programmatic apply_patch path; return its result.
-                        let content = item?;
-                        return Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        });
-                    }
-                    InternalApplyPatchInvocation::DelegateToExec(apply) => {
-                        let emitter = ToolEmitter::apply_patch(
-                            convert_apply_patch_to_protocol(&apply.action),
-                            !apply.user_explicitly_approved_this_action,
-                        );
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        emitter.begin(event_ctx).await;
-
-                        let req = ApplyPatchRequest {
-                            patch: apply.action.patch.clone(),
-                            cwd: apply.action.cwd.clone(),
-                            timeout_ms: exec_params.timeout_ms,
-                            user_explicitly_approved: apply.user_explicitly_approved_this_action,
-                            codex_exe: turn.codex_linux_sandbox_exe.clone(),
-                        };
-                        let mut orchestrator = ToolOrchestrator::new();
-                        let mut runtime = ApplyPatchRuntime::new();
-                        let tool_ctx = ToolCtx {
-                            session: session.as_ref(),
-                            turn: turn.as_ref(),
-                            call_id: call_id.clone(),
-                            tool_name: tool_name.to_string(),
-                        };
-                        let out = orchestrator
-                            .run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
-                            .await;
-                        let event_ctx = ToolEventCtx::new(
-                            session.as_ref(),
-                            turn.as_ref(),
-                            &call_id,
-                            Some(&tracker),
-                        );
-                        let content = emitter.finish(event_ctx, out).await?;
-                        return Ok(ToolOutput::Function {
-                            content,
-                            success: Some(true),
-                        });
-                    }
-                }
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::CorrectnessError(parse_error) => {
-                return Err(FunctionCallError::RespondToModel(format!(
-                    "apply_patch verification failed: {parse_error}"
-                )));
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::ShellParseError(error) => {
-                tracing::trace!("Failed to parse shell command, {error:?}");
-                // Fall through to regular shell execution.
-            }
-            codex_apply_patch::MaybeApplyPatchVerified::NotApplyPatch => {
-                // Fall through to regular shell execution.
-            }
-        }
-
-        // Regular shell execution path.
-        let emitter = ToolEmitter::shell(exec_params.command.clone(), exec_params.cwd.clone());
-        let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
-        emitter.begin(event_ctx).await;
-
-        let req = ShellRequest {
-            command: exec_params.command.clone(),
-            cwd: exec_params.cwd.clone(),
-            timeout_ms: exec_params.timeout_ms,
-            env: exec_params.env.clone(),
-            with_escalated_permissions: exec_params.with_escalated_permissions,
-            justification: exec_params.justification.clone(),
-        };
-        let mut orchestrator = ToolOrchestrator::new();
-        let mut runtime = ShellRuntime::new();
-        let tool_ctx = ToolCtx {
-            session: session.as_ref(),
-            turn: turn.as_ref(),
-            call_id: call_id.clone(),
-            tool_name: tool_name.to_string(),
-        };
-        let out = orchestrator
-            .run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
-            .await;
-        let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
-        let content = emitter.finish(event_ctx, out).await?;
-        Ok(ToolOutput::Function {
-            content,
-            success: Some(true),
-        })
-    }
-}
--- a/codex-rs/core/src/tools/handlers/unified_exec.rs
+++ b/codex-rs/core/src/tools/handlers/unified_exec.rs
@@ -1,71 +1,35 @@
-use std::time::Duration;
-
 use async_trait::async_trait;
 use serde::Deserialize;
-use serde::Serialize;

 use crate::function_tool::FunctionCallError;
-use crate::protocol::EventMsg;
-use crate::protocol::ExecCommandOutputDeltaEvent;
-use crate::protocol::ExecOutputStream;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
-use crate::tools::events::ToolEmitter;
-use crate::tools::events::ToolEventCtx;
-use crate::tools::events::ToolEventStage;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use crate::unified_exec::ExecCommandRequest;
-use crate::unified_exec::UnifiedExecContext;
-use crate::unified_exec::UnifiedExecResponse;
-use crate::unified_exec::UnifiedExecSessionManager;
-use crate::unified_exec::WriteStdinRequest;
+use crate::unified_exec::UnifiedExecRequest;

 pub struct UnifiedExecHandler;

-#[derive(Debug, Deserialize)]
-struct ExecCommandArgs {
-    cmd: String,
-    #[serde(default = "default_shell")]
-    shell: String,
-    #[serde(default = "default_login")]
-    login: bool,
+#[derive(Deserialize)]
+struct UnifiedExecArgs {
+    input: Vec<String>,
    #[serde(default)]
-    yield_time_ms: Option<u64>,
+    session_id: Option<String>,
    #[serde(default)]
-    max_output_tokens: Option<usize>,
-}
-
-#[derive(Debug, Deserialize)]
-struct WriteStdinArgs {
-    session_id: i32,
-    #[serde(default)]
-    chars: String,
-    #[serde(default)]
-    yield_time_ms: Option<u64>,
-    #[serde(default)]
-    max_output_tokens: Option<usize>,
-}
-
-fn default_shell() -> String {
-    "/bin/bash".to_string()
-}
-
-fn default_login() -> bool {
-    true
+    timeout_ms: Option<u64>,
 }

 #[async_trait]
 impl ToolHandler for UnifiedExecHandler {
    fn kind(&self) -> ToolKind {
-        ToolKind::Function
+        ToolKind::UnifiedExec
    }

    fn matches_kind(&self, payload: &ToolPayload) -> bool {
        matches!(
            payload,
-            ToolPayload::Function { .. } | ToolPayload::UnifiedExec { .. }
+            ToolPayload::UnifiedExec { .. } | ToolPayload::Function { .. }
        )
    }

@@ -73,15 +37,21 @@ impl ToolHandler for UnifiedExecHandler {
        let ToolInvocation {
            session,
            turn,
+            sub_id,
            call_id,
-            tool_name,
+            tool_name: _tool_name,
            payload,
            ..
        } = invocation;

-        let arguments = match payload {
-            ToolPayload::Function { arguments } => arguments,
-            ToolPayload::UnifiedExec { arguments } => arguments,
+        let args = match payload {
+            ToolPayload::UnifiedExec { arguments } | ToolPayload::Function { arguments } => {
+                serde_json::from_str::<UnifiedExecArgs>(&arguments).map_err(|err| {
+                    FunctionCallError::RespondToModel(format!(
+                        "failed to parse function arguments: {err:?}"
+                    ))
+                })?
+            }
            _ => {
                return Err(FunctionCallError::RespondToModel(
                    "unified_exec handler received unsupported payload".to_string(),
@@ -89,81 +59,59 @@ impl ToolHandler for UnifiedExecHandler {
            }
        };

-        let manager: &UnifiedExecSessionManager = &session.services.unified_exec_manager;
-        let context = UnifiedExecContext::new(session.clone(), turn.clone(), call_id.clone());
+        let UnifiedExecArgs {
+            input,
+            session_id,
+            timeout_ms,
+        } = args;

-        let response = match tool_name.as_str() {
-            "exec_command" => {
-                let args: ExecCommandArgs = serde_json::from_str(&arguments).map_err(|err| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse exec_command arguments: {err:?}"
-                    ))
-                })?;
-
-                let event_ctx = ToolEventCtx::new(
-                    context.session.as_ref(),
-                    context.turn.as_ref(),
-                    &context.call_id,
-                    None,
-                );
-                let emitter =
-                    ToolEmitter::unified_exec(args.cmd.clone(), context.turn.cwd.clone(), true);
-                emitter.emit(event_ctx, ToolEventStage::Begin).await;
-
-                manager
-                    .exec_command(
-                        ExecCommandRequest {
-                            command: &args.cmd,
-                            shell: &args.shell,
-                            login: args.login,
-                            yield_time_ms: args.yield_time_ms,
-                            max_output_tokens: args.max_output_tokens,
-                        },
-                        &context,
-                    )
-                    .await
-                    .map_err(|err| {
-                        FunctionCallError::RespondToModel(format!("exec_command failed: {err:?}"))
-                    })?
-            }
-            "write_stdin" => {
-                let args: WriteStdinArgs = serde_json::from_str(&arguments).map_err(|err| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse write_stdin arguments: {err:?}"
-                    ))
-                })?;
-                manager
-                    .write_stdin(WriteStdinRequest {
-                        session_id: args.session_id,
-                        input: &args.chars,
-                        yield_time_ms: args.yield_time_ms,
-                        max_output_tokens: args.max_output_tokens,
-                    })
-                    .await
-                    .map_err(|err| {
-                        FunctionCallError::RespondToModel(format!("write_stdin failed: {err:?}"))
-                    })?
-            }
-            other => {
-                return Err(FunctionCallError::RespondToModel(format!(
-                    "unsupported unified exec function {other}"
-                )));
+        let parsed_session_id = if let Some(session_id) = session_id {
+            match session_id.parse::<i32>() {
+                Ok(parsed) => Some(parsed),
+                Err(output) => {
+                    return Err(FunctionCallError::RespondToModel(format!(
+                        "invalid session_id: {session_id} due to error {output:?}"
+                    )));
+                }
            }
+        } else {
+            None
        };

-        // Emit a delta event with the chunk of output we just produced, if any.
-        if !response.output.is_empty() {
-            let delta = ExecCommandOutputDeltaEvent {
-                call_id: response.event_call_id.clone(),
-                stream: ExecOutputStream::Stdout,
-                chunk: response.output.as_bytes().to_vec(),
-            };
-            session
-                .send_event(turn.as_ref(), EventMsg::ExecCommandOutputDelta(delta))
-                .await;
+        let request = UnifiedExecRequest {
+            input_chunks: &input,
+            timeout_ms,
+        };
+
+        let value = session
+            .services
+            .unified_exec_manager
+            .handle_request(
+                request,
+                crate::unified_exec::UnifiedExecContext {
+                    session: &session,
+                    turn: turn.as_ref(),
+                    sub_id: &sub_id,
+                    call_id: &call_id,
+                    session_id: parsed_session_id,
+                },
+            )
+            .await
+            .map_err(|err| {
+                FunctionCallError::RespondToModel(format!("unified exec failed: {err:?}"))
+            })?;
+
+        #[derive(serde::Serialize)]
+        struct SerializedUnifiedExecResult {
+            session_id: Option<String>,
+            output: String,
        }

-        let content = serialize_response(&response).map_err(|err| {
+        let content = serde_json::to_string(&SerializedUnifiedExecResult {
+            session_id: value.session_id.map(|id| id.to_string()),
+            output: value.output,
+        })
+        .map_err(|err| {
            FunctionCallError::RespondToModel(format!(
                "failed to serialize unified exec output: {err:?}"
            ))
@@ -175,33 +123,3 @@ impl ToolHandler for UnifiedExecHandler {
        })
    }
 }
-
-#[derive(Serialize)]
-struct SerializedUnifiedExecResponse<'a> {
-    chunk_id: &'a str,
-    wall_time_seconds: f64,
-    output: &'a str,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    session_id: Option<i32>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    exit_code: Option<i32>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    original_token_count: Option<usize>,
-}
-
-fn serialize_response(response: &UnifiedExecResponse) -> Result<String, serde_json::Error> {
-    let payload = SerializedUnifiedExecResponse {
-        chunk_id: &response.chunk_id,
-        wall_time_seconds: duration_to_seconds(response.wall_time),
-        output: &response.output,
-        session_id: response.session_id,
-        exit_code: response.exit_code,
-        original_token_count: response.original_token_count,
-    };
-
-    serde_json::to_string(&payload)
-}
-
-fn duration_to_seconds(duration: Duration) -> f64 {
-    duration.as_secs_f64()
-}
--- a/codex-rs/core/src/tools/handlers/view_image.rs
+++ b/codex-rs/core/src/tools/handlers/view_image.rs
@@ -3,14 +3,15 @@ use serde::Deserialize;
 use tokio::fs;

 use crate::function_tool::FunctionCallError;
+use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use crate::protocol::InputItem;
 use crate::protocol::ViewImageToolCallEvent;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
-use codex_protocol::user_input::UserInput;

 pub struct ViewImageHandler;

@@ -30,6 +31,7 @@ impl ToolHandler for ViewImageHandler {
            session,
            turn,
            payload,
+            sub_id,
            call_id,
            ..
        } = invocation;
@@ -65,7 +67,7 @@ impl ToolHandler for ViewImageHandler {
        let event_path = abs_path.clone();

        session
-            .inject_input(vec![UserInput::LocalImage { path: abs_path }])
+            .inject_input(vec![InputItem::LocalImage { path: abs_path }])
            .await
            .map_err(|_| {
                FunctionCallError::RespondToModel(
@@ -74,13 +76,13 @@ impl ToolHandler for ViewImageHandler {
            })?;

        session
-            .send_event(
-                turn.as_ref(),
-                EventMsg::ViewImageToolCall(ViewImageToolCallEvent {
+            .send_event(Event {
+                id: sub_id.to_string(),
+                msg: EventMsg::ViewImageToolCall(ViewImageToolCallEvent {
                    call_id,
                    path: event_path,
                }),
-            )
+            })
            .await;

        Ok(ToolOutput::Function {
--- a/codex-rs/core/src/tools/mod.rs
+++ b/codex-rs/core/src/tools/mod.rs
@@ -9,11 +9,37 @@ pub mod runtimes;
 pub mod sandboxing;
 pub mod spec;

+use crate::apply_patch;
+use crate::apply_patch::InternalApplyPatchInvocation;
+use crate::apply_patch::convert_apply_patch_to_protocol;
+use crate::codex::Session;
+use crate::codex::TurnContext;
+use crate::error::CodexErr;
+use crate::error::SandboxErr;
+use crate::exec::ExecParams;
 use crate::exec::ExecToolCallOutput;
+use crate::function_tool::FunctionCallError;
+use crate::tools::context::SharedTurnDiffTracker;
+use crate::tools::events::ToolEmitter;
+use crate::tools::events::ToolEventCtx;
+use crate::tools::events::ToolEventFailure;
+use crate::tools::events::ToolEventStage;
+use crate::tools::orchestrator::ToolOrchestrator;
+use crate::tools::runtimes::apply_patch::ApplyPatchRequest;
+use crate::tools::runtimes::apply_patch::ApplyPatchRuntime;
+use crate::tools::runtimes::shell::ShellRequest;
+use crate::tools::runtimes::shell::ShellRuntime;
+use crate::tools::sandboxing::ToolCtx;
+use crate::tools::sandboxing::ToolError;
+use codex_apply_patch::MaybeApplyPatchVerified;
+use codex_apply_patch::maybe_parse_apply_patch_verified;
+use codex_protocol::protocol::AskForApproval;
 use codex_utils_string::take_bytes_at_char_boundary;
 use codex_utils_string::take_last_bytes_at_char_boundary;
 pub use router::ToolRouter;
 use serde::Serialize;
+use std::sync::Arc;
+use tracing::trace;

 // Model-formatting limits: clients get full streams; only content sent to the model is truncated.
 pub(crate) const MODEL_FORMAT_MAX_BYTES: usize = 10 * 1024; // 10 KiB
@@ -28,6 +54,193 @@ pub(crate) const TELEMETRY_PREVIEW_MAX_LINES: usize = 64; // lines
 pub(crate) const TELEMETRY_PREVIEW_TRUNCATION_NOTICE: &str =
    "[... telemetry preview truncated ...]";

+// TODO(jif) break this down
+pub(crate) async fn handle_container_exec_with_params(
+    tool_name: &str,
+    params: ExecParams,
+    sess: Arc<Session>,
+    turn_context: Arc<TurnContext>,
+    turn_diff_tracker: SharedTurnDiffTracker,
+    sub_id: String,
+    call_id: String,
+) -> Result<String, FunctionCallError> {
+    let _otel_event_manager = turn_context.client.get_otel_event_manager();
+
+    if params.with_escalated_permissions.unwrap_or(false)
+        && !matches!(turn_context.approval_policy, AskForApproval::OnRequest)
+    {
+        return Err(FunctionCallError::RespondToModel(format!(
+            "approval policy is {policy:?}; reject command — you should not ask for escalated permissions if the approval policy is {policy:?}",
+            policy = turn_context.approval_policy
+        )));
+    }
+
+    // check if this was a patch, and apply it if so
+    let apply_patch_exec = match maybe_parse_apply_patch_verified(&params.command, &params.cwd) {
+        MaybeApplyPatchVerified::Body(changes) => {
+            match apply_patch::apply_patch(
+                sess.as_ref(),
+                turn_context.as_ref(),
+                &sub_id,
+                &call_id,
+                changes,
+            )
+            .await
+            {
+                InternalApplyPatchInvocation::Output(item) => return item,
+                InternalApplyPatchInvocation::DelegateToExec(apply_patch_exec) => {
+                    Some(apply_patch_exec)
+                }
+            }
+        }
+        MaybeApplyPatchVerified::CorrectnessError(parse_error) => {
+            // It looks like an invocation of `apply_patch`, but we
+            // could not resolve it into a patch that would apply
+            // cleanly. Return to model for resample.
+            return Err(FunctionCallError::RespondToModel(format!(
+                "apply_patch verification failed: {parse_error}"
+            )));
+        }
+        MaybeApplyPatchVerified::ShellParseError(error) => {
+            trace!("Failed to parse shell command, {error:?}");
+            None
+        }
+        MaybeApplyPatchVerified::NotApplyPatch => None,
+    };
+
+    let (event_emitter, diff_opt) = match apply_patch_exec.as_ref() {
+        Some(exec) => (
+            ToolEmitter::apply_patch(
+                convert_apply_patch_to_protocol(&exec.action),
+                !exec.user_explicitly_approved_this_action,
+            ),
+            Some(&turn_diff_tracker),
+        ),
+        None => (
+            ToolEmitter::shell(params.command.clone(), params.cwd.clone()),
+            None,
+        ),
+    };
+
+    let event_ctx = ToolEventCtx::new(sess.as_ref(), &sub_id, &call_id, diff_opt);
+    event_emitter.emit(event_ctx, ToolEventStage::Begin).await;
+
+    // Build runtime contexts only when needed (shell/apply_patch below).
+
+    if let Some(exec) = apply_patch_exec {
+        // Route apply_patch execution through the new orchestrator/runtime.
+        let req = ApplyPatchRequest {
+            patch: exec.action.patch.clone(),
+            cwd: params.cwd.clone(),
+            timeout_ms: params.timeout_ms,
+            user_explicitly_approved: exec.user_explicitly_approved_this_action,
+            codex_exe: turn_context.codex_linux_sandbox_exe.clone(),
+        };
+
+        let mut orchestrator = ToolOrchestrator::new();
+        let mut runtime = ApplyPatchRuntime::new();
+        let tool_ctx = ToolCtx {
+            session: sess.as_ref(),
+            sub_id: sub_id.clone(),
+            call_id: call_id.clone(),
+            tool_name: tool_name.to_string(),
+        };
+
+        let out = orchestrator
+            .run(
+                &mut runtime,
+                &req,
+                &tool_ctx,
+                &turn_context,
+                turn_context.approval_policy,
+            )
+            .await;
+
+        handle_exec_outcome(&event_emitter, event_ctx, out).await
+    } else {
+        // Route shell execution through the new orchestrator/runtime.
+        let req = ShellRequest {
+            command: params.command.clone(),
+            cwd: params.cwd.clone(),
+            timeout_ms: params.timeout_ms,
+            env: params.env.clone(),
+            with_escalated_permissions: params.with_escalated_permissions,
+            justification: params.justification.clone(),
+        };
+
+        let mut orchestrator = ToolOrchestrator::new();
+        let mut runtime = ShellRuntime::new();
+        let tool_ctx = ToolCtx {
+            session: sess.as_ref(),
+            sub_id: sub_id.clone(),
+            call_id: call_id.clone(),
+            tool_name: tool_name.to_string(),
+        };
+
+        let out = orchestrator
+            .run(
+                &mut runtime,
+                &req,
+                &tool_ctx,
+                &turn_context,
+                turn_context.approval_policy,
+            )
+            .await;
+
+        handle_exec_outcome(&event_emitter, event_ctx, out).await
+    }
+}
+
+async fn handle_exec_outcome(
+    event_emitter: &ToolEmitter,
+    event_ctx: ToolEventCtx<'_>,
+    out: Result<ExecToolCallOutput, ToolError>,
+) -> Result<String, FunctionCallError> {
+    let event;
+    let result = match out {
+        Ok(output) => {
+            let content = format_exec_output_for_model(&output);
+            let exit_code = output.exit_code;
+            event = ToolEventStage::Success(output);
+            if exit_code == 0 {
+                Ok(content)
+            } else {
+                Err(FunctionCallError::RespondToModel(content))
+            }
+        }
+        Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output })))
+        | Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
+            let response = format_exec_output_for_model(&output);
+            event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
+            Err(FunctionCallError::RespondToModel(response))
+        }
+        Err(ToolError::Codex(err)) => {
+            let message = format!("execution error: {err:?}");
+            let response = format_exec_output(&message);
+            event = ToolEventStage::Failure(ToolEventFailure::Message(message));
+            Err(FunctionCallError::RespondToModel(format_exec_output(
+                &response,
+            )))
+        }
+        Err(ToolError::Rejected(msg)) | Err(ToolError::SandboxDenied(msg)) => {
+            // Normalize common rejection messages for exec tools so tests and
+            // users see a clear, consistent phrase.
+            let normalized = if msg == "rejected by user" {
+                "exec command rejected by user".to_string()
+            } else {
+                msg
+            };
+            let response = format_exec_output(&normalized);
+            event = ToolEventStage::Failure(ToolEventFailure::Message(normalized));
+            Err(FunctionCallError::RespondToModel(format_exec_output(
+                &response,
+            )))
+        }
+    };
+    event_emitter.emit(event_ctx, event).await;
+    result
+}
+
 /// Format the combined exec output for sending back to the model.
 /// Includes exit code and duration metadata; truncates large bodies safely.
 pub fn format_exec_output_for_model(exec_output: &ExecToolCallOutput) -> String {
@@ -117,37 +330,33 @@ fn truncate_formatted_exec_output(content: &str, total_lines: usize) -> String {
                .map(|segment| segment.len())
                .sum::<usize>()
    };
-    let head_slice = &content[..head_slice_end];
-    let tail_slice = &content[tail_slice_start..];
-    let truncated_by_bytes = content.len() > MODEL_FORMAT_MAX_BYTES;
-    let marker = if omitted > 0 {
-        Some(format!(
-            "\n[... omitted {omitted} of {total_lines} lines ...]\n\n"
-        ))
-    } else if truncated_by_bytes {
-        Some(format!(
-            "\n[... output truncated to fit {MODEL_FORMAT_MAX_BYTES} bytes ...]\n\n"
-        ))
-    } else {
-        None
-    };
+    let marker = format!("\n[... omitted {omitted} of {total_lines} lines ...]\n\n");

-    let marker_len = marker.as_ref().map_or(0, String::len);
-    let base_head_budget = MODEL_FORMAT_HEAD_BYTES.min(MODEL_FORMAT_MAX_BYTES);
-    let head_budget = base_head_budget.min(MODEL_FORMAT_MAX_BYTES.saturating_sub(marker_len));
+    // Byte budgets for head/tail around the marker
+    let mut head_budget = MODEL_FORMAT_HEAD_BYTES.min(MODEL_FORMAT_MAX_BYTES);
+    let tail_budget = MODEL_FORMAT_MAX_BYTES.saturating_sub(head_budget + marker.len());
+    if tail_budget == 0 && marker.len() >= MODEL_FORMAT_MAX_BYTES {
+        // Degenerate case: marker alone exceeds budget; return a clipped marker
+        return take_bytes_at_char_boundary(&marker, MODEL_FORMAT_MAX_BYTES).to_string();
+    }
+    if tail_budget == 0 {
+        // Make room for the marker by shrinking head
+        head_budget = MODEL_FORMAT_MAX_BYTES.saturating_sub(marker.len());
+    }
+
+    let head_slice = &content[..head_slice_end];
    let head_part = take_bytes_at_char_boundary(head_slice, head_budget);
    let mut result = String::with_capacity(MODEL_FORMAT_MAX_BYTES.min(content.len()));

    result.push_str(head_part);
-    if let Some(marker_text) = marker.as_ref() {
-        result.push_str(marker_text);
-    }
+    result.push_str(&marker);

    let remaining = MODEL_FORMAT_MAX_BYTES.saturating_sub(result.len());
    if remaining == 0 {
        return result;
    }

+    let tail_slice = &content[tail_slice_start..];
    let tail_part = take_last_bytes_at_char_boundary(tail_slice, remaining);
    result.push_str(tail_part);

@@ -157,7 +366,6 @@ fn truncate_formatted_exec_output(content: &str, total_lines: usize) -> String {
 #[cfg(test)]
 mod tests {
    use super::*;
-    use crate::function_tool::FunctionCallError;
    use regex_lite::Regex;

    fn truncate_function_error(err: FunctionCallError) -> FunctionCallError {
@@ -195,11 +403,6 @@ mod tests {
        let tail_take = MODEL_FORMAT_TAIL_LINES.min(total_lines.saturating_sub(head_take));
        let omitted = total_lines.saturating_sub(head_take + tail_take);
        let escaped_line = regex_lite::escape(line);
-        if omitted == 0 {
-            return format!(
-                r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} output truncated to fit {MODEL_FORMAT_MAX_BYTES} bytes \.{{3}}]\n\n.*)$",
-            );
-        }
        format!(
            r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} omitted {omitted} of {total_lines} lines \.{{3}}]\n\n.*)$",
        )
@@ -246,76 +449,4 @@ mod tests {
            other => panic!("unexpected error variant: {other:?}"),
        }
    }
-
-    #[test]
-    fn truncate_formatted_exec_output_marks_byte_truncation_without_omitted_lines() {
-        let long_line = "a".repeat(MODEL_FORMAT_MAX_BYTES + 50);
-        let truncated = format_exec_output(&long_line);
-
-        assert_ne!(truncated, long_line);
-        let marker_line =
-            format!("[... output truncated to fit {MODEL_FORMAT_MAX_BYTES} bytes ...]");
-        assert!(
-            truncated.contains(&marker_line),
-            "missing byte truncation marker: {truncated}"
-        );
-        assert!(
-            !truncated.contains("omitted"),
-            "line omission marker should not appear when no lines were dropped: {truncated}"
-        );
-    }
-
-    #[test]
-    fn truncate_formatted_exec_output_returns_original_when_within_limits() {
-        let content = "example output\n".repeat(10);
-
-        assert_eq!(format_exec_output(&content), content);
-    }
-
-    #[test]
-    fn truncate_formatted_exec_output_reports_omitted_lines_and_keeps_head_and_tail() {
-        let total_lines = MODEL_FORMAT_MAX_LINES + 100;
-        let content: String = (0..total_lines)
-            .map(|idx| format!("line-{idx}\n"))
-            .collect();
-
-        let truncated = format_exec_output(&content);
-        let omitted = total_lines - MODEL_FORMAT_MAX_LINES;
-        let expected_marker = format!("[... omitted {omitted} of {total_lines} lines ...]");
-
-        assert!(
-            truncated.contains(&expected_marker),
-            "missing omitted marker: {truncated}"
-        );
-        assert!(
-            truncated.contains("line-0\n"),
-            "expected head line to remain: {truncated}"
-        );
-
-        let last_line = format!("line-{}\n", total_lines - 1);
-        assert!(
-            truncated.contains(&last_line),
-            "expected tail line to remain: {truncated}"
-        );
-    }
-
-    #[test]
-    fn truncate_formatted_exec_output_prefers_line_marker_when_both_limits_exceeded() {
-        let total_lines = MODEL_FORMAT_MAX_LINES + 42;
-        let long_line = "x".repeat(256);
-        let content: String = (0..total_lines)
-            .map(|idx| format!("line-{idx}-{long_line}\n"))
-            .collect();
-
-        let truncated = format_exec_output(&content);
-
-        assert!(
-            truncated.contains("[... omitted 42 of 298 lines ...]"),
-            "expected omitted marker when line count exceeds limit: {truncated}"
-        );
-        assert!(
-            !truncated.contains("output truncated to fit"),
-            "line omission marker should take precedence over byte marker: {truncated}"
-        );
-    }
 }
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -7,11 +7,9 @@ retry without sandbox on denial (no re‑approval thanks to caching).
 */
 use crate::error::CodexErr;
 use crate::error::SandboxErr;
-use crate::error::get_error_message_ui;
 use crate::exec::ExecToolCallOutput;
 use crate::sandboxing::SandboxManager;
 use crate::tools::sandboxing::ApprovalCtx;
-use crate::tools::sandboxing::ProvidesSandboxRetryData;
 use crate::tools::sandboxing::SandboxAttempt;
 use crate::tools::sandboxing::ToolCtx;
 use crate::tools::sandboxing::ToolError;
@@ -40,7 +38,6 @@ impl ToolOrchestrator {
    ) -> Result<Out, ToolError>
    where
        T: ToolRuntime<Rq, Out>,
-        Rq: ProvidesSandboxRetryData,
    {
        let otel = turn_ctx.client.get_otel_event_manager();
        let otel_tn = &tool_ctx.tool_name;
@@ -56,10 +53,9 @@ impl ToolOrchestrator {
        if needs_initial_approval {
            let approval_ctx = ApprovalCtx {
                session: tool_ctx.session,
-                turn: turn_ctx,
+                sub_id: &tool_ctx.sub_id,
                call_id: &tool_ctx.call_id,
                retry_reason: None,
-                risk: None,
            };
            let decision = tool.start_approval_async(req, approval_ctx).await;

@@ -102,42 +98,21 @@ impl ToolOrchestrator {
                        "sandbox denied and no retry".to_string(),
                    ));
                }
-                // Under `Never` or `OnRequest`, do not retry without sandbox; surface a concise message
+                // Under `Never`, do not retry without sandbox; surface a concise message
                // derived from the actual output (platform-agnostic).
-                if !tool.wants_no_sandbox_approval(approval_policy) {
+                if matches!(approval_policy, AskForApproval::Never) {
                    let msg = build_never_denied_message_from_output(output.as_ref());
                    return Err(ToolError::SandboxDenied(msg));
                }

                // Ask for approval before retrying without sandbox.
                if !tool.should_bypass_approval(approval_policy, already_approved) {
-                    let mut risk = None;
-
-                    if let Some(metadata) = req.sandbox_retry_data() {
-                        let err = SandboxErr::Denied {
-                            output: output.clone(),
-                        };
-                        let friendly = get_error_message_ui(&CodexErr::Sandbox(err));
-                        let failure_summary = format!("failed in sandbox: {friendly}");
-
-                        risk = tool_ctx
-                            .session
-                            .assess_sandbox_command(
-                                turn_ctx,
-                                &tool_ctx.call_id,
-                                &metadata.command,
-                                Some(failure_summary.as_str()),
-                            )
-                            .await;
-                    }
-
                    let reason_msg = build_denial_reason_from_output(output.as_ref());
                    let approval_ctx = ApprovalCtx {
                        session: tool_ctx.session,
-                        turn: turn_ctx,
+                        sub_id: &tool_ctx.sub_id,
                        call_id: &tool_ctx.call_id,
                        retry_reason: Some(reason_msg),
-                        risk,
                    };

                    let decision = tool.start_approval_async(req, approval_ctx).await;
--- a/codex-rs/core/src/tools/parallel.rs
+++ b/codex-rs/core/src/tools/parallel.rs
@@ -2,7 +2,6 @@ use std::sync::Arc;

 use tokio::sync::RwLock;
 use tokio_util::either::Either;
-use tokio_util::sync::CancellationToken;
 use tokio_util::task::AbortOnDropHandle;

 use crate::codex::Session;
@@ -10,10 +9,8 @@ use crate::codex::TurnContext;
 use crate::error::CodexErr;
 use crate::function_tool::FunctionCallError;
 use crate::tools::context::SharedTurnDiffTracker;
-use crate::tools::context::ToolPayload;
 use crate::tools::router::ToolCall;
 use crate::tools::router::ToolRouter;
-use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseInputItem;

 pub(crate) struct ToolCallRuntime {
@@ -21,6 +18,7 @@ pub(crate) struct ToolCallRuntime {
    session: Arc<Session>,
    turn_context: Arc<TurnContext>,
    tracker: SharedTurnDiffTracker,
+    sub_id: String,
    parallel_execution: Arc<RwLock<()>>,
 }

@@ -30,12 +28,14 @@ impl ToolCallRuntime {
        session: Arc<Session>,
        turn_context: Arc<TurnContext>,
        tracker: SharedTurnDiffTracker,
+        sub_id: String,
    ) -> Self {
        Self {
            router,
            session,
            turn_context,
            tracker,
+            sub_id,
            parallel_execution: Arc::new(RwLock::new(())),
        }
    }
@@ -43,7 +43,6 @@ impl ToolCallRuntime {
    pub(crate) fn handle_tool_call(
        &self,
        call: ToolCall,
-        cancellation_token: CancellationToken,
    ) -> impl std::future::Future<Output = Result<ResponseInputItem, CodexErr>> {
        let supports_parallel = self.router.tool_supports_parallel(&call.tool_name);

@@ -51,25 +50,20 @@ impl ToolCallRuntime {
        let session = Arc::clone(&self.session);
        let turn = Arc::clone(&self.turn_context);
        let tracker = Arc::clone(&self.tracker);
+        let sub_id = self.sub_id.clone();
        let lock = Arc::clone(&self.parallel_execution);
-        let aborted_response = Self::aborted_response(&call);

        let handle: AbortOnDropHandle<Result<ResponseInputItem, FunctionCallError>> =
            AbortOnDropHandle::new(tokio::spawn(async move {
-                tokio::select! {
-                    _ = cancellation_token.cancelled() => Ok(aborted_response),
-                    res = async {
-                        let _guard = if supports_parallel {
-                            Either::Left(lock.read().await)
-                        } else {
-                            Either::Right(lock.write().await)
-                        };
+                let _guard = if supports_parallel {
+                    Either::Left(lock.read().await)
+                } else {
+                    Either::Right(lock.write().await)
+                };

-                        router
-                            .dispatch_tool_call(session, turn, tracker, call)
-                            .await
-                    } => res,
-                }
+                router
+                    .dispatch_tool_call(session, turn, tracker, sub_id, call)
+                    .await
            }));

        async move {
@@ -84,25 +78,3 @@ impl ToolCallRuntime {
        }
    }
 }
-
-impl ToolCallRuntime {
-    fn aborted_response(call: &ToolCall) -> ResponseInputItem {
-        match &call.payload {
-            ToolPayload::Custom { .. } => ResponseInputItem::CustomToolCallOutput {
-                call_id: call.call_id.clone(),
-                output: "aborted".to_string(),
-            },
-            ToolPayload::Mcp { .. } => ResponseInputItem::McpToolCallOutput {
-                call_id: call.call_id.clone(),
-                result: Err("aborted".to_string()),
-            },
-            _ => ResponseInputItem::FunctionCallOutput {
-                call_id: call.call_id.clone(),
-                output: FunctionCallOutputPayload {
-                    content: "aborted".to_string(),
-                    success: None,
-                },
-            },
-        }
-    }
-}
--- a/codex-rs/core/src/tools/registry.rs
+++ b/codex-rs/core/src/tools/registry.rs
@@ -15,6 +15,7 @@ use crate::tools::context::ToolPayload;
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
 pub enum ToolKind {
    Function,
+    UnifiedExec,
    Mcp,
 }

@@ -26,6 +27,7 @@ pub trait ToolHandler: Send + Sync {
        matches!(
            (self.kind(), payload),
            (ToolKind::Function, ToolPayload::Function { .. })
+                | (ToolKind::UnifiedExec, ToolPayload::UnifiedExec { .. })
                | (ToolKind::Mcp, ToolPayload::Mcp { .. })
        )
    }
--- a/codex-rs/core/src/tools/router.rs
+++ b/codex-rs/core/src/tools/router.rs
@@ -134,6 +134,7 @@ impl ToolRouter {
        session: Arc<Session>,
        turn: Arc<TurnContext>,
        tracker: SharedTurnDiffTracker,
+        sub_id: String,
        call: ToolCall,
    ) -> Result<ResponseInputItem, FunctionCallError> {
        let ToolCall {
@@ -148,6 +149,7 @@ impl ToolRouter {
            session,
            turn,
            tracker,
+            sub_id,
            call_id,
            tool_name,
            payload,
--- a/codex-rs/core/src/tools/runtimes/apply_patch.rs
+++ b/codex-rs/core/src/tools/runtimes/apply_patch.rs
@@ -10,16 +10,13 @@ use crate::sandboxing::CommandSpec;
 use crate::sandboxing::execute_env;
 use crate::tools::sandboxing::Approvable;
 use crate::tools::sandboxing::ApprovalCtx;
-use crate::tools::sandboxing::ProvidesSandboxRetryData;
 use crate::tools::sandboxing::SandboxAttempt;
-use crate::tools::sandboxing::SandboxRetryData;
 use crate::tools::sandboxing::Sandboxable;
 use crate::tools::sandboxing::SandboxablePreference;
 use crate::tools::sandboxing::ToolCtx;
 use crate::tools::sandboxing::ToolError;
 use crate::tools::sandboxing::ToolRuntime;
 use crate::tools::sandboxing::with_cached_approval;
-use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::ReviewDecision;
 use futures::future::BoxFuture;
 use std::collections::HashMap;
@@ -34,12 +31,6 @@ pub struct ApplyPatchRequest {
    pub codex_exe: Option<PathBuf>,
 }

-impl ProvidesSandboxRetryData for ApplyPatchRequest {
-    fn sandbox_retry_data(&self) -> Option<SandboxRetryData> {
-        None
-    }
-}
-
 #[derive(Default)]
 pub struct ApplyPatchRuntime;

@@ -77,7 +68,7 @@ impl ApplyPatchRuntime {

    fn stdout_stream(ctx: &ToolCtx<'_>) -> Option<crate::exec::StdoutStream> {
        Some(crate::exec::StdoutStream {
-            sub_id: ctx.turn.sub_id.clone(),
+            sub_id: ctx.sub_id.clone(),
            call_id: ctx.call_id.clone(),
            tx_event: ctx.session.get_tx_event(),
        })
@@ -110,23 +101,21 @@ impl Approvable<ApplyPatchRequest> for ApplyPatchRuntime {
    ) -> BoxFuture<'a, ReviewDecision> {
        let key = self.approval_key(req);
        let session = ctx.session;
-        let turn = ctx.turn;
+        let sub_id = ctx.sub_id.to_string();
        let call_id = ctx.call_id.to_string();
        let cwd = req.cwd.clone();
        let retry_reason = ctx.retry_reason.clone();
-        let risk = ctx.risk.clone();
        let user_explicitly_approved = req.user_explicitly_approved;
        Box::pin(async move {
-            with_cached_approval(&session.services, key, move || async move {
+            with_cached_approval(&session.services, key, || async move {
                if let Some(reason) = retry_reason {
                    session
                        .request_command_approval(
-                            turn,
+                            sub_id,
                            call_id,
                            vec!["apply_patch".to_string()],
                            cwd,
                            Some(reason),
-                            risk,
                        )
                        .await
                } else if user_explicitly_approved {
@@ -138,10 +127,6 @@ impl Approvable<ApplyPatchRequest> for ApplyPatchRuntime {
            .await
        })
    }
-
-    fn wants_no_sandbox_approval(&self, policy: AskForApproval) -> bool {
-        !matches!(policy, AskForApproval::Never)
-    }
 }

 impl ToolRuntime<ApplyPatchRequest, ExecToolCallOutput> for ApplyPatchRuntime {
--- a/codex-rs/core/src/tools/runtimes/shell.rs
+++ b/codex-rs/core/src/tools/runtimes/shell.rs
@@ -12,9 +12,7 @@ use crate::sandboxing::execute_env;
 use crate::tools::runtimes::build_command_spec;
 use crate::tools::sandboxing::Approvable;
 use crate::tools::sandboxing::ApprovalCtx;
-use crate::tools::sandboxing::ProvidesSandboxRetryData;
 use crate::tools::sandboxing::SandboxAttempt;
-use crate::tools::sandboxing::SandboxRetryData;
 use crate::tools::sandboxing::Sandboxable;
 use crate::tools::sandboxing::SandboxablePreference;
 use crate::tools::sandboxing::ToolCtx;
@@ -36,15 +34,6 @@ pub struct ShellRequest {
    pub justification: Option<String>,
 }

-impl ProvidesSandboxRetryData for ShellRequest {
-    fn sandbox_retry_data(&self) -> Option<SandboxRetryData> {
-        Some(SandboxRetryData {
-            command: self.command.clone(),
-            cwd: self.cwd.clone(),
-        })
-    }
-}
-
 #[derive(Default)]
 pub struct ShellRuntime;

@@ -62,7 +51,7 @@ impl ShellRuntime {

    fn stdout_stream(ctx: &ToolCtx<'_>) -> Option<crate::exec::StdoutStream> {
        Some(crate::exec::StdoutStream {
-            sub_id: ctx.turn.sub_id.clone(),
+            sub_id: ctx.sub_id.clone(),
            call_id: ctx.call_id.clone(),
            tx_event: ctx.session.get_tx_event(),
        })
@@ -101,14 +90,13 @@ impl Approvable<ShellRequest> for ShellRuntime {
            .retry_reason
            .clone()
            .or_else(|| req.justification.clone());
-        let risk = ctx.risk.clone();
        let session = ctx.session;
-        let turn = ctx.turn;
+        let sub_id = ctx.sub_id.to_string();
        let call_id = ctx.call_id.to_string();
        Box::pin(async move {
-            with_cached_approval(&session.services, key, move || async move {
+            with_cached_approval(&session.services, key, || async move {
                session
-                    .request_command_approval(turn, call_id, command, cwd, reason, risk)
+                    .request_command_approval(sub_id, call_id, command, cwd, reason)
                    .await
            })
            .await
--- a/codex-rs/core/src/tools/runtimes/unified_exec.rs
+++ b/codex-rs/core/src/tools/runtimes/unified_exec.rs
@@ -9,9 +9,7 @@ use crate::error::SandboxErr;
 use crate::tools::runtimes::build_command_spec;
 use crate::tools::sandboxing::Approvable;
 use crate::tools::sandboxing::ApprovalCtx;
-use crate::tools::sandboxing::ProvidesSandboxRetryData;
 use crate::tools::sandboxing::SandboxAttempt;
-use crate::tools::sandboxing::SandboxRetryData;
 use crate::tools::sandboxing::Sandboxable;
 use crate::tools::sandboxing::SandboxablePreference;
 use crate::tools::sandboxing::ToolCtx;
@@ -33,15 +31,6 @@ pub struct UnifiedExecRequest {
    pub env: HashMap<String, String>,
 }

-impl ProvidesSandboxRetryData for UnifiedExecRequest {
-    fn sandbox_retry_data(&self) -> Option<SandboxRetryData> {
-        Some(SandboxRetryData {
-            command: self.command.clone(),
-            cwd: self.cwd.clone(),
-        })
-    }
-}
-
 #[derive(serde::Serialize, Clone, Debug, Eq, PartialEq, Hash)]
 pub struct UnifiedExecApprovalKey {
    pub command: Vec<String>,
@@ -91,16 +80,15 @@ impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
    ) -> BoxFuture<'b, ReviewDecision> {
        let key = self.approval_key(req);
        let session = ctx.session;
-        let turn = ctx.turn;
+        let sub_id = ctx.sub_id.to_string();
        let call_id = ctx.call_id.to_string();
        let command = req.command.clone();
        let cwd = req.cwd.clone();
        let reason = ctx.retry_reason.clone();
-        let risk = ctx.risk.clone();
        Box::pin(async move {
            with_cached_approval(&session.services, key, || async move {
                session
-                    .request_command_approval(turn, call_id, command, cwd, reason, risk)
+                    .request_command_approval(sub_id, call_id, command, cwd, reason)
                    .await
            })
            .await
--- a/codex-rs/core/src/tools/sandboxing.rs
+++ b/codex-rs/core/src/tools/sandboxing.rs
@@ -5,9 +5,7 @@
 //! and helpers (`Sandboxable`, `ToolRuntime`, `SandboxAttempt`, etc.).

 use crate::codex::Session;
-use crate::codex::TurnContext;
 use crate::error::CodexErr;
-use crate::protocol::SandboxCommandAssessment;
 use crate::protocol::SandboxPolicy;
 use crate::sandboxing::CommandSpec;
 use crate::sandboxing::SandboxManager;
@@ -19,7 +17,6 @@ use std::collections::HashMap;
 use std::fmt::Debug;
 use std::hash::Hash;
 use std::path::Path;
-use std::path::PathBuf;

 use futures::Future;
 use futures::future::BoxFuture;
@@ -80,10 +77,9 @@ where
 #[derive(Clone)]
 pub(crate) struct ApprovalCtx<'a> {
    pub session: &'a Session,
-    pub turn: &'a TurnContext,
+    pub sub_id: &'a str,
    pub call_id: &'a str,
    pub retry_reason: Option<String>,
-    pub risk: Option<SandboxCommandAssessment>,
 }

 pub(crate) trait Approvable<Req> {
@@ -124,11 +120,6 @@ pub(crate) trait Approvable<Req> {
        }
    }

-    /// Decide we can request an approval for no-sandbox execution.
-    fn wants_no_sandbox_approval(&self, policy: AskForApproval) -> bool {
-        !matches!(policy, AskForApproval::Never | AskForApproval::OnRequest)
-    }
-
    fn start_approval_async<'a>(
        &'a mut self,
        req: &'a Req,
@@ -154,22 +145,11 @@ pub(crate) trait Sandboxable {

 pub(crate) struct ToolCtx<'a> {
    pub session: &'a Session,
-    pub turn: &'a TurnContext,
+    pub sub_id: String,
    pub call_id: String,
    pub tool_name: String,
 }

-/// Captures the command metadata needed to re-run a tool request without sandboxing.
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub(crate) struct SandboxRetryData {
-    pub command: Vec<String>,
-    pub cwd: PathBuf,
-}
-
-pub(crate) trait ProvidesSandboxRetryData {
-    fn sandbox_retry_data(&self) -> Option<SandboxRetryData>;
-}
-
 #[derive(Debug)]
 pub(crate) enum ToolError {
    Rejected(String),
--- a/codex-rs/core/src/tools/spec.rs
+++ b/codex-rs/core/src/tools/spec.rs
@@ -25,6 +25,7 @@ pub enum ConfigShellToolType {
 #[derive(Debug, Clone)]
 pub(crate) struct ToolsConfig {
    pub shell_type: ConfigShellToolType,
+    pub plan_tool: bool,
    pub apply_patch_tool_type: Option<ApplyPatchToolType>,
    pub web_search_request: bool,
    pub include_view_image_tool: bool,
@@ -45,6 +46,7 @@ impl ToolsConfig {
        } = params;
        let use_streamable_shell_tool = features.enabled(Feature::StreamableShell);
        let experimental_unified_exec_tool = features.enabled(Feature::UnifiedExec);
+        let include_plan_tool = features.enabled(Feature::PlanTool);
        let include_apply_patch_tool = features.enabled(Feature::ApplyPatchFreeform);
        let include_web_search_request = features.enabled(Feature::WebSearchRequest);
        let include_view_image_tool = features.enabled(Feature::ViewImageTool);
@@ -71,6 +73,7 @@ impl ToolsConfig {

        Self {
            shell_type,
+            plan_tool: include_plan_tool,
            apply_patch_tool_type,
            web_search_request: include_web_search_request,
            include_view_image_tool,
@@ -136,99 +139,48 @@ impl From<JsonSchema> for AdditionalProperties {
    }
 }

-fn create_exec_command_tool() -> ToolSpec {
+fn create_unified_exec_tool() -> ToolSpec {
    let mut properties = BTreeMap::new();
    properties.insert(
-        "cmd".to_string(),
-        JsonSchema::String {
-            description: Some("Shell command to execute.".to_string()),
-        },
-    );
-    properties.insert(
-        "shell".to_string(),
-        JsonSchema::String {
-            description: Some("Shell binary to launch. Defaults to /bin/bash.".to_string()),
-        },
-    );
-    properties.insert(
-        "login".to_string(),
-        JsonSchema::Boolean {
+        "input".to_string(),
+        JsonSchema::Array {
+            items: Box::new(JsonSchema::String { description: None }),
            description: Some(
-                "Whether to run the shell with -l/-i semantics. Defaults to true.".to_string(),
+                "When no session_id is provided, treat the array as the command and arguments \
+                 to launch. When session_id is set, concatenate the strings (in order) and write \
+                 them to the session's stdin."
+                    .to_string(),
            ),
        },
    );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
-            description: Some(
-                "How long to wait (in milliseconds) for output before yielding.".to_string(),
-            ),
-        },
-    );
-    properties.insert(
-        "max_output_tokens".to_string(),
-        JsonSchema::Number {
-            description: Some(
-                "Maximum number of tokens to return. Excess output will be truncated.".to_string(),
-            ),
-        },
-    );
-
-    ToolSpec::Function(ResponsesApiTool {
-        name: "exec_command".to_string(),
-        description:
-            "Runs a command in a PTY, returning output or a session ID for ongoing interaction."
-                .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["cmd".to_string()]),
-            additional_properties: Some(false.into()),
-        },
-    })
-}
-
-fn create_write_stdin_tool() -> ToolSpec {
-    let mut properties = BTreeMap::new();
    properties.insert(
        "session_id".to_string(),
-        JsonSchema::Number {
-            description: Some("Identifier of the running unified exec session.".to_string()),
-        },
-    );
-    properties.insert(
-        "chars".to_string(),
        JsonSchema::String {
-            description: Some("Bytes to write to stdin (may be empty to poll).".to_string()),
-        },
-    );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
            description: Some(
-                "How long to wait (in milliseconds) for output before yielding.".to_string(),
+                "Identifier for an existing interactive session. If omitted, a new command \
+                 is spawned."
+                    .to_string(),
            ),
        },
    );
    properties.insert(
-        "max_output_tokens".to_string(),
+        "timeout_ms".to_string(),
        JsonSchema::Number {
            description: Some(
-                "Maximum number of tokens to return. Excess output will be truncated.".to_string(),
+                "Maximum time in milliseconds to wait for output after writing the input."
+                    .to_string(),
            ),
        },
    );

    ToolSpec::Function(ResponsesApiTool {
-        name: "write_stdin".to_string(),
+        name: "unified_exec".to_string(),
        description:
-            "Writes characters to an existing unified exec session and returns recent output."
-                .to_string(),
+            "Runs a command in a PTY. Provide a session_id to reuse an existing interactive session.".to_string(),
        strict: false,
        parameters: JsonSchema::Object {
            properties,
-            required: Some(vec!["session_id".to_string()]),
+            required: Some(vec!["input".to_string()]),
            additional_properties: Some(false.into()),
        },
    })
@@ -890,20 +842,19 @@ pub(crate) fn build_specs(
        || matches!(config.shell_type, ConfigShellToolType::Streamable);

    if use_unified_exec {
-        builder.push_spec(create_exec_command_tool());
-        builder.push_spec(create_write_stdin_tool());
-        builder.register_handler("exec_command", unified_exec_handler.clone());
-        builder.register_handler("write_stdin", unified_exec_handler);
-    }
-    match &config.shell_type {
-        ConfigShellToolType::Default => {
-            builder.push_spec(create_shell_tool());
-        }
-        ConfigShellToolType::Local => {
-            builder.push_spec(ToolSpec::LocalShell {});
-        }
-        ConfigShellToolType::Streamable => {
-            // Already handled by use_unified_exec.
+        builder.push_spec(create_unified_exec_tool());
+        builder.register_handler("unified_exec", unified_exec_handler);
+    } else {
+        match &config.shell_type {
+            ConfigShellToolType::Default => {
+                builder.push_spec(create_shell_tool());
+            }
+            ConfigShellToolType::Local => {
+                builder.push_spec(ToolSpec::LocalShell {});
+            }
+            ConfigShellToolType::Streamable => {
+                // Already handled by use_unified_exec.
+            }
        }
    }

@@ -919,8 +870,10 @@ pub(crate) fn build_specs(
    builder.register_handler("list_mcp_resource_templates", mcp_resource_handler.clone());
    builder.register_handler("read_mcp_resource", mcp_resource_handler);

-    builder.push_spec(PLAN_TOOL.clone());
-    builder.register_handler("update_plan", plan_handler);
+    if config.plan_tool {
+        builder.push_spec(PLAN_TOOL.clone());
+        builder.register_handler("update_plan", plan_handler);
+    }

    if let Some(apply_patch_tool_type) = &config.apply_patch_tool_type {
        match apply_patch_tool_type {
@@ -1019,33 +972,22 @@ mod tests {
        }
    }

-    // Avoid order-based assertions; compare via set containment instead.
-    fn assert_contains_tool_names(tools: &[ConfiguredToolSpec], expected_subset: &[&str]) {
-        use std::collections::HashSet;
-        let mut names = HashSet::new();
-        let mut duplicates = Vec::new();
-        for name in tools.iter().map(|t| tool_name(&t.spec)) {
-            if !names.insert(name) {
-                duplicates.push(name);
-            }
-        }
-        assert!(
-            duplicates.is_empty(),
-            "duplicate tool entries detected: {duplicates:?}"
-        );
-        for expected in expected_subset {
-            assert!(
-                names.contains(expected),
-                "expected tool {expected} to be present; had: {names:?}"
-            );
-        }
-    }
+    fn assert_eq_tool_names(tools: &[ConfiguredToolSpec], expected_names: &[&str]) {
+        let tool_names = tools
+            .iter()
+            .map(|tool| tool_name(&tool.spec))
+            .collect::<Vec<_>>();

-    fn shell_tool_name(config: &ToolsConfig) -> Option<&'static str> {
-        match config.shell_type {
-            ConfigShellToolType::Default => Some("shell"),
-            ConfigShellToolType::Local => Some("local_shell"),
-            ConfigShellToolType::Streamable => None,
+        assert_eq!(
+            tool_names.len(),
+            expected_names.len(),
+            "tool_name mismatch, {tool_names:?}, {expected_names:?}",
+        );
+        for (name, expected_name) in tool_names.iter().zip(expected_names.iter()) {
+            assert_eq!(
+                name, expected_name,
+                "tool_name mismatch, {name:?}, {expected_name:?}"
+            );
        }
    }

@@ -1059,108 +1001,12 @@ mod tests {
            .unwrap_or_else(|| panic!("expected tool {expected_name}"))
    }

-    fn strip_descriptions_schema(schema: &mut JsonSchema) {
-        match schema {
-            JsonSchema::Boolean { description }
-            | JsonSchema::String { description }
-            | JsonSchema::Number { description } => {
-                *description = None;
-            }
-            JsonSchema::Array { items, description } => {
-                strip_descriptions_schema(items);
-                *description = None;
-            }
-            JsonSchema::Object {
-                properties,
-                required: _,
-                additional_properties,
-            } => {
-                for v in properties.values_mut() {
-                    strip_descriptions_schema(v);
-                }
-                if let Some(AdditionalProperties::Schema(s)) = additional_properties {
-                    strip_descriptions_schema(s);
-                }
-            }
-        }
-    }
-
-    fn strip_descriptions_tool(spec: &mut ToolSpec) {
-        match spec {
-            ToolSpec::Function(ResponsesApiTool { parameters, .. }) => {
-                strip_descriptions_schema(parameters);
-            }
-            ToolSpec::Freeform(_) | ToolSpec::LocalShell {} | ToolSpec::WebSearch {} => {}
-        }
-    }
-
    #[test]
-    fn test_full_toolset_specs_for_gpt5_codex() {
-        let model_family = find_family_for_model("gpt-5-codex")
-            .expect("gpt-5-codex should be a valid model family");
-        let mut features = Features::with_defaults();
-        features.enable(Feature::UnifiedExec);
-        features.enable(Feature::WebSearchRequest);
-        features.enable(Feature::ViewImageTool);
-        let config = ToolsConfig::new(&ToolsConfigParams {
-            model_family: &model_family,
-            features: &features,
-        });
-        let (tools, _) = build_specs(&config, None).build();
-
-        // Build actual map name -> spec
-        use std::collections::BTreeMap;
-        use std::collections::HashSet;
-        let mut actual: BTreeMap<String, ToolSpec> = BTreeMap::new();
-        let mut duplicate_names = Vec::new();
-        for t in &tools {
-            let name = tool_name(&t.spec).to_string();
-            if actual.insert(name.clone(), t.spec.clone()).is_some() {
-                duplicate_names.push(name);
-            }
-        }
-        assert!(
-            duplicate_names.is_empty(),
-            "duplicate tool entries detected: {duplicate_names:?}"
-        );
-
-        // Build expected from the same helpers used by the builder.
-        let mut expected: BTreeMap<String, ToolSpec> = BTreeMap::new();
-        for spec in [
-            create_exec_command_tool(),
-            create_write_stdin_tool(),
-            create_shell_tool(),
-            create_list_mcp_resources_tool(),
-            create_list_mcp_resource_templates_tool(),
-            create_read_mcp_resource_tool(),
-            PLAN_TOOL.clone(),
-            create_apply_patch_freeform_tool(),
-            ToolSpec::WebSearch {},
-            create_view_image_tool(),
-        ] {
-            expected.insert(tool_name(&spec).to_string(), spec);
-        }
-
-        // Exact name set match — this is the only test allowed to fail when tools change.
-        let actual_names: HashSet<_> = actual.keys().cloned().collect();
-        let expected_names: HashSet<_> = expected.keys().cloned().collect();
-        assert_eq!(actual_names, expected_names, "tool name set mismatch");
-
-        // Compare specs ignoring human-readable descriptions.
-        for name in expected.keys() {
-            let mut a = actual.get(name).expect("present").clone();
-            let mut e = expected.get(name).expect("present").clone();
-            strip_descriptions_tool(&mut a);
-            strip_descriptions_tool(&mut e);
-            assert_eq!(a, e, "spec mismatch for {name}");
-        }
-    }
-
-    #[test]
-    fn test_build_specs_contains_expected_basics() {
+    fn test_build_specs() {
        let model_family = find_family_for_model("codex-mini-latest")
            .expect("codex-mini-latest should be a valid model family");
        let mut features = Features::with_defaults();
+        features.enable(Feature::PlanTool);
        features.enable(Feature::WebSearchRequest);
        features.enable(Feature::UnifiedExec);
        let config = ToolsConfig::new(&ToolsConfigParams {
@@ -1168,27 +1014,26 @@ mod tests {
            features: &features,
        });
        let (tools, _) = build_specs(&config, Some(HashMap::new())).build();
-        let tool_names = tools.iter().map(|t| t.spec.name()).collect::<Vec<_>>();
-        assert_eq!(
-            &tool_names,
+
+        assert_eq_tool_names(
+            &tools,
            &[
-                "exec_command",
-                "write_stdin",
-                "local_shell",
+                "unified_exec",
                "list_mcp_resources",
                "list_mcp_resource_templates",
                "read_mcp_resource",
                "update_plan",
                "web_search",
                "view_image",
-            ]
+            ],
        );
    }

    #[test]
-    fn test_build_specs_default_shell_present() {
+    fn test_build_specs_default_shell() {
        let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
        let mut features = Features::with_defaults();
+        features.enable(Feature::PlanTool);
        features.enable(Feature::WebSearchRequest);
        features.enable(Feature::UnifiedExec);
        let config = ToolsConfig::new(&ToolsConfigParams {
@@ -1197,12 +1042,18 @@ mod tests {
        });
        let (tools, _) = build_specs(&config, Some(HashMap::new())).build();

-        // Only check the shell variant and a couple of core tools.
-        let mut subset = vec!["exec_command", "write_stdin", "update_plan"];
-        if let Some(shell_tool) = shell_tool_name(&config) {
-            subset.push(shell_tool);
-        }
-        assert_contains_tool_names(&tools, &subset);
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "web_search",
+                "view_image",
+            ],
+        );
    }

    #[test]
@@ -1219,8 +1070,7 @@ mod tests {
        });
        let (tools, _) = build_specs(&config, None).build();

-        assert!(!find_tool(&tools, "exec_command").supports_parallel_tool_calls);
-        assert!(!find_tool(&tools, "write_stdin").supports_parallel_tool_calls);
+        assert!(!find_tool(&tools, "unified_exec").supports_parallel_tool_calls);
        assert!(find_tool(&tools, "grep_files").supports_parallel_tool_calls);
        assert!(find_tool(&tools, "list_dir").supports_parallel_tool_calls);
        assert!(find_tool(&tools, "read_file").supports_parallel_tool_calls);
@@ -1257,7 +1107,7 @@ mod tests {
    }

    #[test]
-    fn test_build_specs_mcp_tools_converted() {
+    fn test_build_specs_mcp_tools() {
        let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
        let mut features = Features::with_defaults();
        features.enable(Feature::UnifiedExec);
@@ -1305,6 +1155,19 @@ mod tests {
        )
        .build();

+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "web_search",
+                "view_image",
+                "test_server/do_something_cool",
+            ],
+        );
+
        let tool = find_tool(&tools, "test_server/do_something_cool");
        assert_eq!(
            &tool.spec,
@@ -1410,19 +1273,20 @@ mod tests {
        ]);

        let (tools, _) = build_specs(&config, Some(tools_map)).build();
-
-        // Only assert that the MCP tools themselves are sorted by fully-qualified name.
-        let mcp_names: Vec<_> = tools
-            .iter()
-            .map(|t| tool_name(&t.spec).to_string())
-            .filter(|n| n.starts_with("test_server/"))
-            .collect();
-        let expected = vec![
-            "test_server/cool".to_string(),
-            "test_server/do".to_string(),
-            "test_server/something".to_string(),
-        ];
-        assert_eq!(mcp_names, expected);
+        // Expect unified_exec first, followed by MCP tools sorted by fully-qualified name.
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "view_image",
+                "test_server/cool",
+                "test_server/do",
+                "test_server/something",
+            ],
+        );
    }

    #[test]
@@ -1461,9 +1325,22 @@ mod tests {
        )
        .build();

-        let tool = find_tool(&tools, "dash/search");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/search",
+            ],
+        );
+
        assert_eq!(
-            tool.spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/search".to_string(),
                parameters: JsonSchema::Object {
@@ -1516,9 +1393,21 @@ mod tests {
        )
        .build();

-        let tool = find_tool(&tools, "dash/paginate");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/paginate",
+            ],
+        );
        assert_eq!(
-            tool.spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/paginate".to_string(),
                parameters: JsonSchema::Object {
@@ -1570,9 +1459,21 @@ mod tests {
        )
        .build();

-        let tool = find_tool(&tools, "dash/tags");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/tags",
+            ],
+        );
        assert_eq!(
-            tool.spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/tags".to_string(),
                parameters: JsonSchema::Object {
@@ -1626,9 +1527,21 @@ mod tests {
        )
        .build();

-        let tool = find_tool(&tools, "dash/value");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "dash/value",
+            ],
+        );
        assert_eq!(
-            tool.spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/value".to_string(),
                parameters: JsonSchema::Object {
@@ -1719,9 +1632,22 @@ mod tests {
        )
        .build();

-        let tool = find_tool(&tools, "test_server/do_something_cool");
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "apply_patch",
+                "web_search",
+                "view_image",
+                "test_server/do_something_cool",
+            ],
+        );
+
        assert_eq!(
-            tool.spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "test_server/do_something_cool".to_string(),
                parameters: JsonSchema::Object {
--- a/codex-rs/core/src/truncate.rs
+++ b/codex-rs/core/src/truncate.rs
@@ -1,35 +1,18 @@
 //! Utilities for truncating large chunks of output while preserving a prefix
 //! and suffix on UTF-8 boundaries.

-use codex_utils_tokenizer::Tokenizer;
-
 /// Truncate the middle of a UTF-8 string to at most `max_bytes` bytes,
 /// preserving the beginning and the end. Returns the possibly truncated
-/// string and `Some(original_token_count)` (counted with the local tokenizer;
-/// falls back to a 4-bytes-per-token estimate if the tokenizer cannot load)
+/// string and `Some(original_token_count)` (estimated at 4 bytes/token)
 /// if truncation occurred; otherwise returns the original string and `None`.
 pub(crate) fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>) {
    if s.len() <= max_bytes {
        return (s.to_string(), None);
    }

-    // Build a tokenizer for counting (default to o200k_base; fall back to cl100k_base).
-    // If both fail, fall back to a 4-bytes-per-token estimate.
-    let tok = Tokenizer::try_default().ok();
-    let token_count = |text: &str| -> u64 {
-        if let Some(ref t) = tok {
-            t.count(text) as u64
-        } else {
-            (text.len() as u64).div_ceil(4)
-        }
-    };
-
-    let total_tokens = token_count(s);
+    let est_tokens = (s.len() as u64).div_ceil(4);
    if max_bytes == 0 {
-        return (
-            format!("…{total_tokens} tokens truncated…"),
-            Some(total_tokens),
-        );
+        return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
    }

    fn truncate_on_boundary(input: &str, max_len: usize) -> &str {
@@ -67,17 +50,13 @@ pub(crate) fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>
        idx
    }

-    // Iterate to stabilize marker length → keep budget → boundaries.
-    let mut guess_tokens: u64 = 1;
+    let mut guess_tokens = est_tokens;
    for _ in 0..4 {
        let marker = format!("…{guess_tokens} tokens truncated…");
        let marker_len = marker.len();
        let keep_budget = max_bytes.saturating_sub(marker_len);
        if keep_budget == 0 {
-            return (
-                format!("…{total_tokens} tokens truncated…"),
-                Some(total_tokens),
-            );
+            return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
        }

        let left_budget = keep_budget / 2;
@@ -88,72 +67,59 @@ pub(crate) fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>
            suffix_start = prefix_end;
        }

-        // Tokens actually removed (middle slice) using the real tokenizer.
-        let removed_tokens = token_count(&s[prefix_end..suffix_start]);
+        let kept_content_bytes = prefix_end + (s.len() - suffix_start);
+        let truncated_content_bytes = s.len().saturating_sub(kept_content_bytes);
+        let new_tokens = (truncated_content_bytes as u64).div_ceil(4);

-        // If the number of digits in the token count does not change the marker length,
-        // we can finalize output.
-        let final_marker = format!("…{removed_tokens} tokens truncated…");
-        if final_marker.len() == marker_len {
-            let kept_content_bytes = prefix_end + (s.len() - suffix_start);
-            let mut out = String::with_capacity(final_marker.len() + kept_content_bytes + 1);
+        if new_tokens == guess_tokens {
+            let mut out = String::with_capacity(marker_len + kept_content_bytes + 1);
            out.push_str(&s[..prefix_end]);
-            out.push_str(&final_marker);
+            out.push_str(&marker);
            out.push('\n');
            out.push_str(&s[suffix_start..]);
-            return (out, Some(total_tokens));
+            return (out, Some(est_tokens));
        }

-        guess_tokens = removed_tokens;
+        guess_tokens = new_tokens;
    }

-    // Fallback build after iterations: compute with the last guess.
    let marker = format!("…{guess_tokens} tokens truncated…");
    let marker_len = marker.len();
    let keep_budget = max_bytes.saturating_sub(marker_len);
    if keep_budget == 0 {
-        return (
-            format!("…{total_tokens} tokens truncated…"),
-            Some(total_tokens),
-        );
+        return (format!("…{est_tokens} tokens truncated…"), Some(est_tokens));
    }

    let left_budget = keep_budget / 2;
    let right_budget = keep_budget - left_budget;
    let prefix_end = pick_prefix_end(s, left_budget);
-    let mut suffix_start = pick_suffix_start(s, right_budget);
-    if suffix_start < prefix_end {
-        suffix_start = prefix_end;
-    }
+    let suffix_start = pick_suffix_start(s, right_budget);

    let mut out = String::with_capacity(marker_len + prefix_end + (s.len() - suffix_start) + 1);
    out.push_str(&s[..prefix_end]);
    out.push_str(&marker);
    out.push('\n');
    out.push_str(&s[suffix_start..]);
-    (out, Some(total_tokens))
+    (out, Some(est_tokens))
 }

 #[cfg(test)]
 mod tests {
    use super::truncate_middle;
-    use codex_utils_tokenizer::Tokenizer;

    #[test]
    fn truncate_middle_no_newlines_fallback() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
        let s = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ*";
        let max_bytes = 32;
        let (out, original) = truncate_middle(s, max_bytes);
        assert!(out.starts_with("abc"));
        assert!(out.contains("tokens truncated"));
        assert!(out.ends_with("XYZ*"));
-        assert_eq!(original, Some(tok.count(s) as u64));
+        assert_eq!(original, Some((s.len() as u64).div_ceil(4)));
    }

    #[test]
    fn truncate_middle_prefers_newline_boundaries() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
        let mut s = String::new();
        for i in 1..=20 {
            s.push_str(&format!("{i:03}\n"));
@@ -165,36 +131,50 @@ mod tests {
        assert!(out.starts_with("001\n002\n003\n004\n"));
        assert!(out.contains("tokens truncated"));
        assert!(out.ends_with("017\n018\n019\n020\n"));
-        assert_eq!(tokens, Some(tok.count(&s) as u64));
+        assert_eq!(tokens, Some(20));
    }

    #[test]
    fn truncate_middle_handles_utf8_content() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
        let s = "😀😀😀😀😀😀😀😀😀😀\nsecond line with ascii text\n";
        let max_bytes = 32;
        let (out, tokens) = truncate_middle(s, max_bytes);

        assert!(out.contains("tokens truncated"));
        assert!(!out.contains('\u{fffd}'));
-        assert_eq!(tokens, Some(tok.count(s) as u64));
+        assert_eq!(tokens, Some((s.len() as u64).div_ceil(4)));
    }

    #[test]
    fn truncate_middle_prefers_newline_boundaries_2() {
-        let tok = Tokenizer::try_default().expect("load tokenizer");
        // Build a multi-line string of 20 numbered lines (each "NNN\n").
        let mut s = String::new();
        for i in 1..=20 {
            s.push_str(&format!("{i:03}\n"));
        }
+        // Total length: 20 lines * 4 bytes per line = 80 bytes.
        assert_eq!(s.len(), 80);

+        // Choose a cap that forces truncation while leaving room for
+        // a few lines on each side after accounting for the marker.
        let max_bytes = 64;
-        let (out, total) = truncate_middle(&s, max_bytes);
-        assert!(out.starts_with("001\n002\n003\n004\n"));
-        assert!(out.contains("tokens truncated"));
-        assert!(out.ends_with("017\n018\n019\n020\n"));
-        assert_eq!(total, Some(tok.count(&s) as u64));
+        // Expect exact output: first 4 lines, marker, last 4 lines, and correct token estimate (80/4 = 20).
+        assert_eq!(
+            truncate_middle(&s, max_bytes),
+            (
+                r#"001
+002
+003
+004
+…12 tokens truncated…
+017
+018
+019
+020
+"#
+                .to_string(),
+                Some(20)
+            )
+        );
    }
 }
--- a/Show More
+++ b/Show More